Product Documentation
Abstract
This document summarizes the recommended hardware and supported databases and operating system platforms for IBM Guardium v10.5.
Content
Links:
Guardium v10.1.x system requirements and supported platforms (prior to v10.5 ): http://www-01.ibm.com/support/docview.wss?uid=swg27051083
Guardium v10.6 system requirements and supported platforms: http://www.ibm.com/support/docview.wss?uid=ibm10719695
GUARDIUM v10.5
The Guardium products related to the specifications are: Database Activity Monitor; Advanced Compliance Workflow Automation; Enterprise Integrator; Vulnerability Assessment (VA), Entitlement Reports, Data-Level Access Control; and, Central Manager and Aggregator.
Cross-Platform Security
Guardium’s cross-platform Database Activity Monitoring (DAM) solution is ideal for heterogeneous environments because it supports all major DBMS data sources and protocols running on all major operating systems.
Disclaimer:
Not all functionality is available in all configurations. For more information, contact an IBM Security Sales Representative at: https://www.ibm.com/connect/ibm/us/en/?lnk=fcw
This table shows all data sources and versions currently supported in v10.5.
| Data source | Supported Versions | Notes |
| Oracle (including ASO/SSL) | 11gR1, 11gR2, 12.1, 12.2, 19c | Oracle 11gR1, 11gR2 SSL encryption supported by Windows S-TAP.
Oracle 11gR1, 11gR2, 12.1 ASO supported by Windows S-TAP. Oracle 12.1 ASO/SSL supported on AIX, Solaris, Linux and HP-UX. UID chain not supported for Oracle ASO encrypted sessions from ATAP. Query Rewrite not supported for Oracle 12.1 and above. Guardium Client IP and Analyzed Client IP are not supported in Oracle SSL traffic. |
| Oracle RAC (including ASO/SSL) | 11gR1, 11gR2, 12.1, 12.2 | Oracle 11gR1, 11gR2 SSL encryption supported by Windows S-TAP.
Oracle 11gR1, 11gR2, 12.1 ASO supported by Windows S-TAP. Oracle 12.1 ASO/SSL supported on AIX, Solaris, Linux and HP-UX. UID chain not supported for Oracle ASO encrypted sessions from ATAP. Query Rewrite not supported for Oracle 12.1 and above. |
| Oracle Exadata (including ASO/SSL) | 11gR2, 12.1, 12.2 | Oracle 11gR2 SSL encryption supported by Windows S-TAP.
Oracle 11gR2, 12.1 ASO supported by Windows S-TAP. Oracle 12.1 ASO/SSL supported on AIX, Solaris, Linux and HP-UX. UID chain not supported for Oracle ASO encrypted sessions from ATAP. Query Rewrite not supported for Oracle 12.1 and above. |
| Microsoft MS-SQL Server | 2012, 2014, 2016 | Windows Platform only The "Always Encryption" option in MS SQL Server 2016 is supported, except for the Redact (scrub) function. For the Redact (scrub) function within MS-SQL Server 2016, Guardium can parse SQL statements but the encrypted columns cannot be read. |
| IBM DB2 (Linux, UNIX) | 9.7, 10.1, 10.5 (including BLU acceleration), 11 DB2 Warehouse |
The versions of DB2 required in order to use DB2 Exit are: V97FP9, V101, V105 or higher. The versions of DB2 required in order to capture UID chain using DB2 Exit are V97FP10, V101FP4, V105FP3 or higher. For DB2 LUW, LDAP authentication is supported from the Guardium datasource. No special setup is required on the datasource connection. |
| IBM DB2 (Windows) | 9.7, 10.1, 10.5, 11 | SSL Encryption supported only using DB2 EXIT |
| IBM DB2 Purescale | 9.8, 10.1, 10.5, 11 | SSL Encryption supported only using DB2 EXIT |
| IBM PureData System for Transactions | ||
| IBM PureData System for Operational Analytics | ||
| IBM PureData Systems for Analytics | ||
| IBM DB2 for i | 7.1, 7.2, 7.3 | |
| IBM DB2 for z/OS | 11, 12 |
S-TAP Prerequisites for DB2 for z/OS V12.
-Version 10.1.3 S-TAP: Support for DB2 v12 is in the base code
-Version 10 S-TAP: PTF UI36827 (APAR PI58287). -Version 9.1 S-TAP PTF UI36830 (APAR PI58287) Common Collector (CQC 1.1) requires PTF UI36781 (APAR PI58175). For more information on S-TAP and collector level compatibility, see this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21699982 |
| IMS for z/OS | 12, 13, 14, 15 | Version 10 S-TAP Prerequisites for IMS v15: PTF UI44191 Version 9.1 S-TAP does not support IMS v15 |
| Datasets for z/OS | 2.1, 2.2, 2.3 | Version 10 S-TAP Prerequisites for zOS 2.3: PTF UI55620 Version 9.1 S-TAP Prerequisites for zOS 2.3: PTF UI51198 |
| IBM Informix | 11.50, 11.70, 12.10 | Informix Exit supported with 12.10 Informix Exit supported by UNIX/Linux only |
| Oracle MySQL and MySQL Cluster | 5.5, 5.6, 5.7,8.0 |
Share Memory traffic is not supported by Windows S-TAP
Mysql 8.0.3 is supported in v10.5 Unix stap (requires Snif Patch P4031 or above)
|
| SAP Sybase ASE | 15.7, 16.0 | SSL encryption supported excluding HP-UX, SunOS-5.10-i386_64, and SunOS-5.11-i386_64
Guardium Client IP and Analyzed Client IP are not supported in Sybase encrypted traffic. Windows does not support SSL for Sybase ASE |
| SAP Sybase IQ | 16.0 | Sybase IQ does not support SSL for any platform. Sybase IQ 16 TLS supported only on Linux. Guardium does not support Sybase IQ running on Windows |
| IBM Netezza | 5,0, 6.0, 6.02, 7.0, 7.1, 7.2 | |
| PostgreSQL | 9, 9.1, 9.2, 9.3, 9.4, 9.5 | SSL encryption supported (9.4 and 9.5). Windows does not support encryption for PostgreSQL PostgreSQL bind variables supported |
| Teradata | 13.10, 14, 14.10, 15, 15.10, 16 | Supported by UNIX/Linux only |
| IBM BigInsights | 4.1, 4.2 | Supported by UNIX/Linux only |
| Cloudera | 4.4, 5.3, 5.8 | Supported by UNIX/Linux only |
| Aster | 6, 6.2 | Supported by UNIX/Linux only, SSL encryption not supported |
| Cassandra | 3.0.2, 3.5, 3.11 | Supported by UNIX/Linux only Cassandra Compression supported |
| CouchDB | 1.2.2, 1.5.1 | |
| Greenplum DB | 4.3.4 | Supported by UNIX/Linux only |
| Horton Works | 2.1, 2.2, 2.3, 2.5 | Supported by UNIX/Linux only |
| MariaDB | 5.5, 5.6, 10.1.12, 10.1.22 | Supported by UNIX/Linux only |
| MemSQL | 5.1.0, 6 | Supported by UNIX/Linux only |
| MongoDB | 3.0, 3.2, 3.4, 3.6 | |
| MongoDB mgo.v2 | 2.6.8, 3.2.1, 3.4.2 | Supported by UNIX/Linux only |
| SAP HANA | 1.0 | Supported by UNIX/Linux only |
| HP Vertica | 7.2.3, 8.0 | Supported by UNIX/Linux only |
| FTP | ||
Host-Based Monitoring
Unique in the industry, S-TAPs are lightweight software probes that monitor both network and local database protocols (shared memory, named pipes, etc.) at the OS level of the database server. S-TAPs minimize any effect on server performance by relaying all traffic to separate Guardium appliances for real-time analysis and reporting, rather than relying on the database itself to process and store log data. S-TAPs are often preferred because they eliminate the need for dedicated hardware appliances in remote locations or available SPAN ports in your data center.
This table shows all OS platforms and versions for which S-TAPs are currently available.
| OS Type | Version | Notes |
| AIX | 6.1, 7.1, 7.2 | |
| z/OS | 2.1.x, 2.2, 2.3 | For Data Sets S-TAP, APAR# PI84769 is required to support 2.3 |
| HP-UX | 11.11 PA-RISC 11.23 PA-RISC, 11.23 IA-64 11.31 PA-RISC, 11.31 IA-64 |
|
| Red Hat Enterprise Linux (includes Oracle Linux) |
4, 5, 6, 7, 6.9 | Little endian and Big endian supported on Power 8 (RHEL 7.1 PPC64LE) |
| Red Hat Enterprise Linux for System z | 5.4, 6.x, 7 | |
| SuSE Enterprise Linux | 11 - 32-bit, 64-bit 12 - 64-bit |
SLES 11 PPC64 (Big Endian system only) SLES 12 PPC64LE (Little Endian system only) |
| SuSE Enterprise Linux for System z | 11, 12 | |
| Solaris - SPARC | 10, 11 | Not supported for Solaris release 11.4 and later |
| Solaris - Intel | 10, 11 | Not supported for Solaris release 11.4 and later |
| Windows Server | 2012, 2012 R2, 2016 Datacenter Edition, 2016 Essentials Edition, 2016 Standard Edition | |
| IBM i | 6.1, 7.1, 7.2, 7.3 | |
| Ubuntu | 10.4 (SP3 & 4), 12.04, 14.04, 16.04 | DB2, Informix, MySQL, PostgreSQL only |
| OpenSSL for UNIX S-TAP | OpenSSL 1.0.2k | |
| CentOS for UNIX S-TAP | CentOS 6.x, 7.x | |
| TLS 1.2 |
* Supports network activity monitoring, local activity via Enterprise Integrator
What data source is supported by what Guardium product?
Legend for Column 4 - Guardium Products
| Data Protection for Databases | = DPD |
| Data Protection for Data Warehouses | = DPDW |
| Data Protection for Big Data | = DPBD |
| Data Protection for z/OS (DB2) | = DPz/OS (DB2) |
| Data Protection for z/OS (IMS) | = DPz/OS (IMS) |
| Data Protection for z/OS (Data Sets) | = DPz/OS (Data Sets) |
| Data Protection for Files | = DPF |
| Company | Monitored Product Name | Data Source Type | Guardium Product covering |
| IBM | IBM DB2 | Database | DPD |
| IBM | IBM DB2 Purescale | Database | DPD |
| IBM | IBM PureFlex | Database | DPD |
| IBM | IBM DB2 for i | Database | DPD |
| IBM | IBM Informix | Database | DPD |
| IBM | IBM DB2 for z/OS | Database | DPz/OS (DB2) |
| IBM | IBM DB2 Analytic Accelerator for z/OS | Data Warehouse | DPz/OS (DB2) |
| IBM | IBM DB2 Warehouse | Data Warehouse | DPDW |
| IBM | IBM IMS | Database | DPz/OS (IMS) |
| IBM | IBM z/OS Data Sets (VSAM, XDAP, BDAM, BSAM, QSAM, BPAM, ISAM, OAM) | File System | DPz/OS (Data Sets) |
| IBM | IBM PureData System for Transaction (PDTX) | Database | DPD |
| IBM | IBM PureApplication System | Database | DPD |
| Oracle | Oracle Database | Database | DPD |
| Oracle | Oracle Database RAC | Database | DPD |
| Oracle | Oracle Database BDA | Database | DPD |
| Oracle | Oracle Sun MySQL | Database | DPD |
| Oracle | Oracle Sun MySQL Cluster | Database | DPD |
| MariaDB Foundation | MariaDB | Database | DPD |
| SAP | SAP Sybase ASE | Database | DPD |
| SAP | SAP Sybase IQ | Database | DPD |
| Microsoft | MS SQL Server | Database | DPD |
| Microsoft | MS SQL Server Cluster | Database | DPD |
| PostgreSQL | PostgreSQL | Database | DPD |
| SAP | SAP HANA | In-memory Database | DPD |
| SAP | SAP HANA Appliance | In-memory Data Warehouse | DPDW |
| Microsoft | Microsoft Analytics Platform System (APS) | Data Warehouse | DPDW |
| Teradata | Teradata | Data Warehouse | DPDW |
| Oracle | Oracle Exadata | Data Warehouse | DPDW |
| IBM | IBM Netezza | Data Warehouse | DPDW |
| IBM | IBM PureData for Analytics | Data Warehouse | DPDW |
| IBM | IBM PureData System for Operational Analytics (PDOA) | Data Warehouse | DPDW |
| IBM | IBM BLU Acceleration | Data Warehouse | DPDW |
| EMC | GreenPlum DB | Data Warehouse | DPDW |
| HP | HP Vertica | Data Warehouse | DPDW |
| Teradata | Teradata Aster DB | Hadoop | DPBD |
| IBM | IBM BigInsights | Hadoop | DPBD |
| Cloudera | Cloudera | Hadoop | DPBD |
| EMC | GreenPlum HD | Hadoop | DPBD |
| EMC | Pivotal | Hadoop | DPBD |
| HortonWorks | HortonWorks | Hadoop | DPBD |
| MongoDB | MongoDB | NoSQL | DPBD |
| Apache SW | CouchDB | NoSQL | DPBD |
| Apache SW | Cassandra | NoSQL | DPBD |
| DataStax | DataStax Enterpise | NoSQL | DPBD |
| MemSQL Inc. | MemSQL | NoSQL | DPBD |
| Generic | HTTP | Application protocol | DPD |
| IBM | IBM InfoSphere Optim Archival | Database Tool | DPD |
| IBM | IBM Master Data Management | Database Tool | DPD |
| IBM | IBM Data Stage | Database Tool | DPD |
| Generic | FTP | File System Protocol | DPF |
| Microsoft | Windows File Share (WFS) | File System Protocol | DPF |
| Microsoft | MS File System | File System | DPF |
| RedHat | RedHat File System | File System | DPF |
| Ubuntu | Ubuntu File System | File System | DPF |
| Novell | SuSe File System | File System | DPF |
| IBM | AIX File System | File System | DPF |
| HP | HP-UX File System | File System | DPF |
| IBM | AIX GPFS | File System | DPF |
Supported Data source platforms for IBM Guardium Vulnerability Assessment (VA)
| Data source | Supported Versions |
| Oracle | 11gR1, 11gR2, 12.1,
12.2 STIG benchmark coverage (VA only) |
| Microsoft SQL Server | 2012, 2014, 2016 |
| IBM DB2 (LUW) | 9.5, 9.7, 10.1, 10.5, 11.1 |
| IBM DB2 for i | 6.1, 7.1, 7.2, 7.3 |
| IBM DB2 for z/OS | 9, 10, 11 |
| IBM Informix | 11.50, 11.70, 12.10 |
| Sun MySQL | 5.5, 5.6, 5.7 |
| SAP Sybase ASE | 15.7, 16 |
| SAP Sybase IQ | 15.4, 16 |
| IBM Netezza | 5,0, 6.0, 6.02, 7.0, 7.1, 7.2 |
| PostgreSQL | 9, 9.1, 9.2, 9.3, 9.4, 9.5 |
| Teradata | 13.10, 14, 14.10, 15, 15.10, 16 |
| Aster | 5, 6, 6.1 |
| MongoDB | 2.6, 3.0, 3.2, 3.4 |
| SAP HANA | 1.0, 2 |
| Amazon RDS data sources |
Appliance deployment on cloud
| Appliance deployment on cloud | Guardium appliance images for on cloud deployment
May 2017 http://www.ibm.com/support/docview.wss?uid=swg27049576 Cloud Deployment Guides for: Amazon AWS EC2; IBM Softlayer; Google; Microsoft Azure, Oracle Deploy IBM Guardium VA on Amazon RDS December 2017 http://www.ibm.com/support/docview.wss?uid=swg27050667 Additional Section or row for VA for Cloud - PaaS Amazon RDS - Oracle Amazon RDS – MS-SQL Server Amazon RDS – MySQL Amazon RDS - PostgreSQL |
Client-side requirements for UNIX S-TAP and Windows S-TAP
UNIX/Linux S-TAP: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.5.0/com.ibm.guardium.doc.stap/stap/choose_setup.html
Windows S-TAP: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.5.0/com.ibm.guardium.doc.stap/stap/windows_choose_setup.html
What Guardium features work with nonSQL databases?
| Platform/Feature | Hadoop | MongoDB | Cassandra | CouchDB |
| DAM | Yes | Yes | Yes | Yes |
| Exceptions | Yes | Yes | Yes | |
| Blocking | Yes (HIVE &IMPALA) | Yes | Yes | No |
| Redaction (Extrusion) | No | Yes | Yes | No |
| Discovery & Data Classification | No | No | No | No |
| Instance Discovery | No | Yes | No | Yes |
| SSL | No | Yes | No | No |
| Kerberos | Yes | Yes | No | No |
| Failed Logins | Yes (Hue only) | Yes | Yes | Yes |
| VA | No | Yes | No | No |
| Encryption | Yes | Yes | No | No |
| Query Rewrite | No | No | No | No |
End of Service
Guardium supports database and operating system versions up to their End-of-Service (EOS), Premier, or Mainstream support end dates. For IBM, they are published in http://www-01.ibm.com/software/support/lifecycle/ . For other vendors, contact your vendor representative to confirm their support end dates. IBM offers optional extended service support after EOS. Contact your IBM representative for further information. Guardium will support the hardware system it is running on up to the End-of Marketing (EOM) date plus 5 years or end of support date, whichever is sooner.
Supported web browsers
Internet Explorer 9 (IE9) and above on Windows 7. And turn off Compatibility View setting of Internet Explorer.
Firefox ESR 24 and above
Chrome 28 and above
Minimum screen resolution - 1366 x 768
Flexible Deployment
Guardium is available as a hardware or software offering, ensuring the solution can be easily deployed in a wide variety of environments. As a hardware offering, the solution is delivered with licensed software fully loaded and tested on a physical appliance provided by IBM (hardware appliance), When delivered as a software offering, the solution is delivered as software images ready to be deployed by the user on their own hardware (software appliance), either directly or as virtual appliances. While the software images can be installed on any VMware product, the VMware ESX server is the recommended platform for a virtual solution. Only VMware and Hyper-V are supported by Guardium.
The following table summarizes major hardware requirements for software appliances. The Guardium solution is designed to work on i86 Intel-based or AMD-based platforms (for example, x86_64). Only platforms and hardware that are officially supported by RedHat Linux 6.9 (64-bit) can be used as Guardium v10.1.32 platforms (note in Guardium v10.0 hardware supported by Redhat 6.5 is required), however, not all officially supported RedHat Linux platforms can be used. Platforms that require additional drivers or specialized post-install configuration are not supported at this time.
Minimum and Recommended Resources per software/virtual appliance
| Resource | Required Range * | Comments |
| Physical CPUs | Minimum: 4 cores
Recommended: 8 cores |
x86 (Intel or AMD) processors required |
| Virtual CPUs | Minimum 4 vCPUs
Recommended: 8 vCPUs |
|
| RAM | (64-bit)
Minimum: 24 GB (min) Maximum: motherboard max Recommended: 32 GB |
Guardium's features are memory intensive. To take full advantage of these features, it is recommended to have 32 GB of RAM and 8-core CPU.
For Central Managers in a large federated environment, the recommended memory is If using Ecosytem, 34 GB required. |
| Ports (NICs)
1 Gbit or 10 Gbit per second card recommended 10 Gbit per second card can be used in 64-bit system with sufficient memory |
1-4 | Each port can be an actual NIC, or a virtual switch that can be configured to use multiple NICs, optionally with failover IP teaming.
Optional: The third port may also be configured to team with the primary interface in order to provide failover IP teaming. Alternatively, the last port on the device may be configured as a secondary management interface with a different IP, NETMASK and GW from the primary. When using Inspection Engines to capture traffic (not Multiple network interfaces are supported on: (1) a Guardium hardware appliance; (2) a customer's software appliance (the customer installs Guardium software on their hardware appliance); or (3) VMware solution with ESX Server. |
| Disk Size | Minimum: 300 GB
Maximum:>2 TB Recommended: Collectors: 300-600 GB Aggregators: 600-1800 GB Guardium supports smaller HD disks for integrated warehouse configurations, using datamart interfaces (10.1.3 and later). |
Use of RAID is recommended.
RAID-10, RAID-0, RAID-1, RAID 0+1, RAID 1+0 are supported. Note: Larger disks may hold more audit records for longer periods of time, but are more likely to impact performance. At least 9 GB of free disk space on the /var partition is required. |
| Disk Size | >2 TB | Beginning with v10.1.2, disk partitions >2 TB are supported. However, certain conditions are required: 1. Configure the system into EFI/UEFI mode via the BIOS. 2. Then install v10.1.2, (a) during which the install should auto-detect the EFI bios support and use GPT (GUID Partition Tables) that allow >2 TB partitions. (b) Additionally the v10.1.2 install will also use EXT4 partition types by default, and thus avoid the previous EXT3 file size limitation of <2 TB. Note: To resize the hard drive of an existing appliance, the user needs to rebuild their system. |
| Disk Speed | 7200 RPM to 15,000 RPM | To use 7200 RPM, scale back the sizing ratio by 70%.
Example: If you are using 7200 RPM disk, which is slow, you should reduce your sizing by 70%. If your sizing calls for 10 S-TAPs to a collector, if you are running with 7200 RPM drives, drop that to 3 S-TAPs to a collector. |
* Refer to IBM configuration tables for physical ranges.
Application Monitoring
Guardium identifies potential fraud by tracking activities of end-users who access critical tables via multi-tier enterprise applications rather than direct access to the database. This is especially important for applications that use connection pooling where all user traffic is aggregated within a few database connections, thereby masking the identity of end-users.
Guardium offers out-of-the-box support for the major off-the-shelf enterprise applications (see table below), and provides built-in tools to configure and add end-user identification for niche application and home-grown applications. Note: for most applications, some basic configuration is needed, to tailor the solution to your environment.
| Supported Enterprise Applications | Supported Application Server Platforms (for other enterprise & custom developed applications) |
| Oracle E-Business Suite | IBM WebSphere |
| PeopleSoft | BEA WebLogic |
| Siebel | Oracle Application Server (AS) |
| SAP | JBoss Enterprise Application Platform |
| Cognos | + Others based on customer demand |
| Business Objects Web Intelligence | |
| + Others based on customer demand |
Was this topic helpful?
Document Information
Modified date:
18 February 2020
UID
swg27047801