IBM Guardium

Mastering GIM connectivity: SHA1, SHA2, and transitional bundles demystified

By Saumitra Kulkarni posted 19 hours ago

  

Introduction:
IBM Guardium Installation Manager (GIM) is a centralized framework designed to simplify the deployment, update, and management of Guardium agents across enterprise environments. Acting as a bridge between the Guardium appliance (GIM Server) and monitored database servers (GIM Clients), GIM enables administrators to install, configure, and maintain modules like S-TAP, KTAP, and others with minimal manual intervention. With support for up to 4000 clients from a single Guardium system, GIM streamlines operations through both GUI and CLI interfaces, offering flexibility for interactive or automated (silent) installations. Whether you're working with SHA1, SHA2, or transitional bundles, mastering GIM connectivity is key to maintaining secure and efficient data activity monitoring.

Patch-Level SHA Compatibility Across Guardium Versions: 

Guardium Patch Compatibility: SHA1 vs SHA2

| Guardium Version | Patch Range | Default SHA Type | Notes |
|---|---|---|---|
| 11.0 | p470, p525 and below | SHA1 | All patches use SHA1 |
| 11.0 | p475, p530 and above | SHA2 | All patches use SHA2; can be converted to SHA1 |
| 12.0 | Base to p5 | SHA2 | All patches use SHA2 |
| 12.0 | p10 and above | SHA2 | All patches use SHA2; can be converted to SHA1 |
| 12.1 | All patches | SHA2 | All patches use SHA2; can be converted to SHA1 |
| 12.2 | All patches | SHA2 | All patches use SHA2; can be converted to SHA1 |


Frequently Asked Questions (FAQs)

| Question | Answer |
|---|---|
| How can I check if my appliance uses SHA1 or SHA2? | Use the CLI command 'show certificate GIM server' and look for the field 'Signature algorithm name'. |
| Can SHA1 appliances be converted to SHA2? | Yes. While creating certificates we can specify SHA2. |
| Can the SHA2 appliances be converted to SHA1? | Yes. Use the CLI command 'replace certificate gim algorithm default_sha1'. |



Upgrade Process for SHA1/SHA2 Appliances and GIMs

Scenario 01:

  • 11.0p470, 11.0p525 or below, upgrading to the 11.4 or 11.5 patch under test

  • SHA1 GIMs - GIM Clients which are using SHA1 certificates to communicate with the appliance.

Scenario 02:

  • 11.0p470, 11.0p525, upgrading to the 12.0 or 12.1 patch under test

  • SHA1 GIMs - GIM Clients which are using SHA1 certificates to communicate with the appliance.


Upgrading GIM Clients: SHA1 to SHA2 Certificate Transitions


Scenario 01: Appliance Upgrade from SHA1 Patch to SHA2 Patch
When upgrading from older appliances using SHA1 certificates to newer versions with SHA2 (SHA256) certificates, you must use a TRANSITIONAL GIM bundle. This bundle acts as a bridge, containing both SHA1 and SHA2 certificates to maintain communication during the transition. Without it, GIM clients with SHA1 certificates cannot authenticate with SHA2-enabled appliances, breaking connectivity.

Process: Install the SHA2 patch (e.g., p475 for v11.4, p530 for v11.5) on the appliance, then upgrade GIM clients using the transitional bundle.

Scenario 02: Appliance Upgrade from SHA2 Patch to Next SHA2 Patch
When both current and target versions already use SHA2 certificates (e.g., upgrading from p530 to p540), use a NORMAL (standard) GIM bundle. Since certificate types remain consistent, no special transitional handling is needed—the standard bundle directly replaces the existing installation.

Process: Install the target SHA2 patch, then upgrade GIM clients using the normal bundle for a straightforward upgrade.
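
The check from the FAQ and the two bundle scenarios above can be combined into a pre-upgrade audit. The following is an added example, not code from the original post or from IBM. It assumes the output of 'show certificate GIM server' was saved as text before patching; the value syntax after 'Signature algorithm name', the sample outputs, and the appliance names are constructed.

```python
import re

# "Signature algorithm name" is the field named in the FAQ; the value syntax
# (e.g. "SHA256withRSA") is an assumption about how the appliance prints it.
FIELD = re.compile(r"Signature algorithm name\s*[:=]\s*(\S+)", re.IGNORECASE)

def sha_family(cli_output):
    """Classify saved 'show certificate GIM server' output as SHA1, SHA2 or UNKNOWN."""
    match = FIELD.search(cli_output)
    if not match:
        return "UNKNOWN"  # field missing: do not guess
    # Normalise "SHA-256", "sha256WithRSAEncryption" and "SHA256withRSA" alike.
    algo = match.group(1).upper().replace("-", "").replace("_", "")
    digest = re.search(r"SHA(\d+)", algo)
    if not digest:
        return "UNKNOWN"
    if digest.group(1) == "1":
        return "SHA1"
    if digest.group(1) in ("224", "256", "384", "512"):
        return "SHA2"
    return "UNKNOWN"  # e.g. SHA3 variants are not SHA2

def bundle_for_upgrade(current_family, target_family):
    """Apply the two scenarios described in the post."""
    if current_family == "SHA1" and target_family == "SHA2":
        return "TRANSITIONAL"  # Scenario 01
    if current_family == "SHA2" and target_family == "SHA2":
        return "NORMAL"  # Scenario 02
    return "NOT_COVERED"  # outside both scenarios: review manually

# Constructed sample outputs keyed by hypothetical appliance names.
SAMPLES = {
    "collector-a": "Owner: CN=gim\nSignature algorithm name: SHA1withRSA\n",
    "collector-b": "Owner: CN=gim\nSignature algorithm name: SHA256withRSA\n",
    "collector-c": "Owner: CN=gim\n",
}

def plan(samples, target_family="SHA2"):
    """Map each appliance to the bundle type its GIM clients need."""
    return {name: bundle_for_upgrade(sha_family(out), target_family)
            for name, out in samples.items()}

if __name__ == "__main__":
    for name, bundle in plan(SAMPLES).items():
        print(f"{name}: {bundle}")
```

An appliance that comes back as NOT_COVERED either had no readable signature field or falls outside the two scenarios, so its bundle choice needs a manual check.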
