IBM Support

Defects 38242 and 38898 - Potential AIX system crash when CA eTrust is already installed and Guardium is then installed

Flashes (Alerts)


Abstract

Defects 38242 and 38898 - Potential AIX system crash when CA eTrust is already installed and Guardium is then installed

The problem can happen in the following scenarios:
- when upgrading Guardium software using the live upgrade method
- with a fresh installation of the Guardium software

Content

Specifically, a crash occurs within the K-TAP module when a pointer gets corrupted.

Remediation:

IBM has produced a new AIX S-TAP installer. Where the CA product is installed and running, the following procedure can be run.

For all STAPs r57269 and above.

Installing STAP for the first time on AIX:


    1) If the system is running with storage keys: disable storage keys

      skctl -k off -u off
      /usr/sbin/bosboot -a
      reboot

    2) If you wish to use GIM - install GIM

    3) This step was amended in Feb 2018, as follows, due to new information that has come to light.

      The storage keys on AIX need to be disabled before the installation of the STAP; this allows KTAP to be loaded. When the storage keys are disabled, the load order is not important, and hence there is no need to perform the original step 3) below.

      The original step 3) was as follows. There is no need to follow this step now.

        -------------------- not needed now --------------
        Stop CA user process - Your System Administrator should be aware of the exact commands to use - the following is an example only

          bash-3.2# /opt/CA/AccessControl/bin/secons -s
          CA ControlMinder secons v12.80.0.1432 - Console utility
          Copyright (c) 2013 CA. All rights reserved.
          CA ControlMinder is now DOWN !

          bash-3.2# ps -ef | grep CA
          root 4129172 3998270   0 11:11:01  pts/0  0:00 grep CA
          bash-3.2#
        -------------------- not needed now --------------

    4) Install and configure STAP/KTAP (either via GIM or using a standalone shell installer).

      Once the STAP is installed, check that the K-TAP module was loaded first, before the CA kernel module.

      The genkex command displays loaded kernel modules in the order in which they were loaded, with the most recently loaded module at the top of the list.

      For example, below the ktap is listed AFTER the SEOS, hence it was loaded BEFORE the SEOS:

          genkex | grep -E "ktap|SEOS"

          f1000000c0456000   4c4000 /opt/CA/AccessControl/bin/SEOS_syscall
                   6720000    90000 /etc/drivers/guardium/aix_ktap57269.64

      If the KTAP module is not listed after the SEOS, then reboot and check again with the genkex command that it is listed AFTER the SEOS.

      Verify that STAP is communicating and fully functional.



    5) Verify the boot order in /etc/inittab is KTAP load (via /etc/rc), then seos (CA eTrust), then S-TAP - for example

      bash-3.2# grep -E "^rc|^seos|^utap" /etc/inittab

      rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
      rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
      rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
      rcitm2:2:once:/etc/rc.itm2 > /dev/console 2>&1
      rcitm6:2:once:/etc/rc.itm6 start > /dev/console 2>&1
      rcitm5:2:wait:/etc/rc.itm5 > /dev/console 2>&1
      rcitm4:2:wait:/etc/rc.itm4 > /dev/console 2>&1
      rcitm3:2:wait:/etc/rc.itm3 > /dev/console 2>&1
      rcitm1:2:wait:/etc/rc.itm1 > /dev/console 2>&1
      rcml:2:once:/usr/ml/aix71/rc.ml > /dev/console 2>&1
      rcwpars:2:once:/etc/rc.wpars > /dev/console 2>&1 # Corrals autostart
      seos:2:once:/opt/CA/AccessControl/rc.SeOS.base
      utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini

    6) Reboot the system


    7) Check that Guardium and CA have been loaded correctly - for example

      bash-3.2# genkex | grep -E "ktap|SEOS"
      f1000000c0456000   4c4000 /opt/CA/AccessControl/bin/SEOS_syscall
              6720000    90000 /etc/drivers/guardium/aix_ktap57269.64
      bash-3.2#
      bash-3.2# ps -ef | grep stap
         root 4587664 3343152   0 11:45:47  pts/0  0:00 grep stap
         root 3080900       1   0 11:21:52      -  0:00 /usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini


    8) If needed - Restart CA user process - Your System Administrator should be aware of the exact commands to use - the following is an example only

      /opt/CA/AccessControl/bin/secons
      ....

    9) Start the server applications and verify related logs on the Guardium Appliance.





Upgrading STAP on AIX:


  • Follow steps 3, 4 and 5 above (in this case step 4 is an upgrade and not a fresh install).

    In a live upgrade the new KTAP kernel module replaces the existing KTAP kernel module, and so will be installed correctly BEFORE the SEOS.



Rebooting AIX:


  • On EVERY REBOOT, please make certain that KTAP loads first, before the CA kernel module, using the genkex command as in step 4 above.
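
The two ordering checks from steps 4 and 5 can be scripted so they are repeatable after each reboot. The following is an added example, not IBM code: the function names are hypothetical, the match patterns are the ones used in the grep commands above, and the sample input is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not IBM code). Exit codes: 0 = order OK, 1 = wrong order,
# 2 = an expected entry was not found.

# Reads `genkex` output on stdin. genkex prints the most recently loaded
# module first, so K-TAP was loaded before SEOS only when the ktap line
# appears AFTER the SEOS line.
ktap_loaded_before_seos() {
    awk '
        /SEOS/ && !seos { seos = NR }
        /ktap/ && !ktap { ktap = NR }
        END {
            if (!seos || !ktap) exit 2
            if (ktap > seos) exit 0
            exit 1
        }'
}

# Reads /etc/inittab on stdin and checks that the rc entry (which loads
# K-TAP via /etc/rc) precedes seos, and seos precedes utap (S-TAP).
inittab_order_ok() {
    awk -F: '
        $1 == "rc"   && !rc   { rc = NR }
        $1 == "seos" && !seos { seos = NR }
        $1 == "utap" && !utap { utap = NR }
        END {
            if (!rc || !seos || !utap) exit 2
            if (rc < seos && seos < utap) exit 0
            exit 1
        }'
}

# Constructed samples modelled on the output shown on this page.
sample_genkex_ok() {
    printf '%s\n' \
        'f1000000c0456000   4c4000 /opt/CA/AccessControl/bin/SEOS_syscall' \
        '         6720000    90000 /etc/drivers/guardium/aix_ktap57269.64'
}
sample_genkex_bad() {   # K-TAP at the top: it was loaded after SEOS
    sample_genkex_ok | awk '{ line[NR] = $0 } END { print line[2]; print line[1] }'
}
sample_inittab() {
    printf '%s\n' \
        'rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console' \
        'seos:2:once:/opt/CA/AccessControl/rc.SeOS.base' \
        'utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini'
}

# On a real host: genkex | ktap_loaded_before_seos; inittab_order_ok < /etc/inittab
if sample_genkex_ok | ktap_loaded_before_seos; then echo "genkex: K-TAP loaded before SEOS"; fi
if sample_inittab | inittab_order_ok; then echo "inittab: rc, seos, utap in order"; fi
```

A return code of 2 means one of the expected modules or inittab entries was not found at all, which should be treated as a failed check rather than a pass.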

 

Document information

More support for: IBM Security Guardium

Component: --

Software version: 8.0.1, 8.1, 8.2, 9.0, 9.1, 10.0, 10.1, 10.5

Operating system(s): AIX

Reference #: 1666631

Modified date: 06 November 2018