@Sorin Tapalaga,
It's all about the order in which the GIM bundles and appliance version upgrades are performed. If your GIMs are still using SHA1, even after transitional bundle of a GIM using a GIM version with default SHA256 (Unix v11.5_r115368 or Windows v11.5.258 or later) on appliance with P530 or later, you should open a case with support. They can help determine why and provide recommendations to fix your environment. Unfortunately it's not something that can be easily determined through this channel.
------------------------------
Wendy Zemba
Sr. Consultant, Data Protection
Converge Technology Solutions
wendy.zemba@convergetp.comNeed help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
------------------------------
Original Message:
Sent: Fri July 26, 2024 08:38 AM
From: Sorin Tapalaga
Subject: upgrade GI 11.5 to 12
Hi Wendy,
I already have a situation when despite I upgraded all GIM agents using transitional package, the communication algorithm remained SHA 1 (the only benefit of transitional package was the ability to install new bundles signed 256)
Thanks
Sorin
------------------------------
Sorin Tapalaga
Original Message:
Sent: Tue July 23, 2024 08:36 AM
From: Wendy Zemba
Subject: upgrade GI 11.5 to 12
Hi @Sorin Tapalaga,
You do have to consider the GIM SHA256 situation, but it sounds like maybe all of your GIMs are using SHA256 now, in which case you should be fine with your planned migration strategy. If you have GIMs still running SHA1, you should upgrade them using the transitional bundle first.
------------------------------
Wendy Zemba
Sr. Consultant, Data Protection
wendy.zemba@convergetp.com
Converge Technology Solutions
Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
Original Message:
Sent: Sat July 20, 2024 01:19 AM
From: Sorin Tapalaga
Subject: upgrade GI 11.5 to 12
Hi
I want to prepare to upgrade GDP from 11.5 to 12 p10
If I choose to create a parallel environment with 12 p10 and gradually retire 11 by changing GIM_URL of GIM on 11 to 12 MU
The question is : can I move 11.x GIM and STAP to new build 12 p10 appliance?
I ask this because I had a previous experience/ IBM ticket when an appliance was upgraded from 11.5 to 11.0p530 WITHOUT GIM or STAP client connected and IBM code logic assumed that new STAP will all be SHA256 and when I wanted to move GIM clients from another 11.0p530 MU (which was upgraded with connected GIM clients) the change GIM_URL did not succeeded because GIM clients used SHA 128 communication on first MU (upgraded with connected clients) and when tried to connect to new MU (upgraded without connected clients) did not succeed to connect due to SHA 256 certificate on new MU
Thanks
Sorin
------------------------------
Sorin Tapalaga
------------------------------