IBM Guardium

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi @Sorin Tapalaga,

You do have to consider the GIM SHA256 situation, but it sounds like maybe all of your GIMs are using SHA256 now, in which case you should be fine with your planned migration strategy. If you have GIMs still running SHA1, you should upgrade them using the transitional bundle first.

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi Wendy,

I already have a situation when despite I upgraded all GIM agents using transitional package, the communication algorithm remained SHA 1 (the only benefit of transitional package was the ability to install new bundles signed 256)

Thanks

Sorin

Hi @Sorin Tapalaga,

You do have to consider the GIM SHA256 situation, but it sounds like maybe all of your GIMs are using SHA256 now, in which case you should be fine with your planned migration strategy. If you have GIMs still running SHA1, you should upgrade them using the transitional bundle first.

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi @Sorin Tapalaga,

You do have to consider the GIM SHA256 situation, but it sounds like maybe all of your GIMs are using SHA256 now, in which case you should be fine with your planned migration strategy. If you have GIMs still running SHA1, you should upgrade them using the transitional bundle first.

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi Sorin,
Please consider to move to p20, there is some important bugs removed from code between 10 and 20

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin

Hi Sorin,
Please consider to move to p20, there is some important bugs removed from code between 10 and 20

Hi

I want to prepare to upgrade GDP from 11.5 to 12 p10

If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU

The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?

I ask this because I had a previous experience/ IBM ticket  when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU  (which was upgraded with connected GIM clients) the change  GIM_URL  did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU

Thanks

Sorin