Question & Answer
Question
What is the support matrix for hardware, operating systems, browsers, hypervisors, middleware, HSMs, and KMIP across the different releases of IBM Security Guardium Key Lifecycle Manager?
Answer
Supported hardware
- IBM Security Guardium Key Lifecycle Manager V4.2 traditional and earlier versions
- IBM Security Guardium Key Lifecycle Manager V4.2 container and earlier versions
IBM Security Guardium Key Lifecycle Manager V4.2 traditional and earlier versions
System component | Minimum values1 | Recommended values2 |
System memory (RAM) | 4 GB | 8 GB |
Processor speed | Linux and Windows systems 1.0 GHz single processor AIX systems | Linux and Windows systems 3.0 GHz dual processors AIX systems |
Disk space | ||
Disk space free for IBM Security Guardium Key Lifecycle Manager and prerequisite products such as Db2 | 16 GB | 30 GB |
Disk space free in "/tmp" or "C:\temp" | 4 GB | 4 GB |
Db2 disk space free in "/home" directory or system drive for Db2 | 7 GB | 25 GB |
Disk space free in /var directory for Db2 | 1 GB on Linux and UNIX operating systems | 1 GB on Linux and UNIX operating systems |
See Disk space requirements for log files. |
All file systems must be writable.
1 Minimum values: These values enable a basic use of IBM Security Guardium Key Lifecycle Manager.
2 Recommended values: You must use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk and swap space. Processor speed is less important.
Disk space requirements for log files
Consider the following disk space requirements for log files before you install IBM Security Guardium Key Lifecycle Manager.
Log file name | Log file location | Maximum number of log files | Maximum size of each log file | Disk space requirements |
sklm_audit.log | <WAS_HOME>\products\sklm\logs\audit | 1 | No limit | - |
sklm.log/debug | <WAS_HOME>\products\sklm\logs | 100 | 100 MB | 10 GB |
agent.log | <WAS_HOME>\products\sklm\logs | 30 | 100 MB | 3 GB |
replication_audit.log1 | <WAS_HOME>\products\sklm\logs\replication | 100 | 1 GB per log file | - |
1 Only if you have configured replication.
Note: To avoid db2diag log files overflow, back up the db2diag log files regularly or modify the level of logging. For more information, see diaglevel - Diagnostic error capture level configuration parameter.
On Linux and UNIX operating systems, you must install your Db2 product in an empty directory. If the directory that you specify as the installation path contains subdirectories or files, your Db2 installation might fail.
On Linux and UNIX operating systems, 4 GB of free space is required in the $HOME directory.
On Linux and UNIX operating systems, a minimum of 16 GB of free space is required in the / and /opt directory.
Installing into mapped network drives/mounted partitions is not supported.
If installation locations of more than one system component fall on the same Windows drive/UNIX partition, the cumulative space to contain all those components must be available in that drive/partition.
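The disk-space minimums above, combined with the rule that components sharing a partition need the cumulative space, can be checked before installation. The following shell script is an added example, not IBM tooling; the mapping of the installation location to /opt and the sample df output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-installation free-space check for the traditional install.
# Minimum free space in GB, taken from the table and notes above.
# Assumption: the product and Db2 are installed under /opt.
REQUIREMENTS='/tmp 4
/home 7
/var 1
/opt 16'

# Constructed sample of `df -Pk` output (not from a real host): /tmp, /var
# and /opt all live on the root file system, /home has its own partition.
sample_df() {
    cat <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 52428800 31457280 20971520 60% /
/dev/sda2 20971520 10485760 10485760 50% /home
EOF
}

# check_space DF_FILE
# DF_FILE holds `df -Pk` output. Each required path is mapped to the file
# system that contains it (longest matching mount point) and the minimums are
# summed per file system, because components that share a partition need the
# cumulative space. Prints one line per file system; returns 1 if any is short.
check_space() {
    printf '%s\n' "$REQUIREMENTS" | awk '
        FNR == NR { if (FNR > 1) avail[$6] = $4; next }   # first input: df
        {
            best = ""
            for (m in avail)
                if ((m == "/" || $1 == m || index($1, m "/") == 1) &&
                    length(m) > length(best))
                    best = m
            need[best] += $2
        }
        END {
            rc = 0
            for (m in need) {
                free = int(avail[m] / 1048576)            # KB -> GB
                short = (free < need[m])
                if (short) rc = 1
                printf "%s need=%dGB free=%dGB %s\n", m, need[m], free,
                       short ? "SHORT" : "OK"
            }
            exit rc
        }' "$1" -
}

# Usage on a real host:  df -Pk > df.out && check_space df.out
```

In the constructed sample, /tmp, /var and /opt each fit on the root file system on their own, but their combined minimum exceeds the space that is free there, so the check reports the root file system as short.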
IBM Security Guardium Key Lifecycle Manager V4.2 container and earlier versions
The containerized IBM Security Guardium Key Lifecycle Manager application consists of two containers:
Database - PostgreSQL container
System component | Minimum values | Recommended values |
System memory (RAM) | 4 GB | 8 GB |
Processor speed | 2.0 GHz | 8.0 GHz |
Persistent Storage (Volume) | 40 GB (Storage type: File) | 60 GB (Storage type: File) |
Database - Db2 container
System component | Minimum values | Recommended values |
Persistent Storage (Volume) | 40 GB (Storage type: File) | 60 GB (Storage type: File) |
IBM Security Guardium Key Lifecycle Manager application container
System component | Minimum values | Recommended values |
System memory (RAM) | 4 GB | 8 GB |
Processor speed | 1.0 GHz | 4.0 GHz |
Persistent Storage (Volume) | 20 GB (Storage type: File) | 40 GB (Storage type: File) |
Supported operating systems
- IBM Security Guardium Key Lifecycle Manager V4.2 traditional and earlier versions
- IBM Security Guardium Key Lifecycle Manager V4.2 container and earlier versions
IBM Security Guardium Key Lifecycle Manager V4.2 traditional and earlier versions
IBM Security Guardium Key Lifecycle Manager | ||||||||
Platform | Operating System | V3.0 | V3.0.1 | V4.0 | V4.1 | V4.1.1 | V4.2 | V4.2.1 |
AIX | AIX 7.1 TL4 SP6 POWER 7, 81 | YES | YES | YES | NO | NO | NO | NO |
AIX 7.1 TL5 POWER 7, 81 | YES | YES | YES | NO | NO | NO | NO | |
AIX 7.2 POWER 7, 81 | YES | YES | YES | YES4 | YES4 | YES4 | YES4 | |
AIX 7.2 POWER 9 | NO | NO | YES3 | YES3,4 | YES3,4 | YES3,4 | YES3,4 | |
AIX 7.3 TL1 SP1 POWER 10 | NO | NO | NO | NO | NO | YES | YES | |
Linux2 | SUSE Linux Enterprise Server (SLES) 12 x86-64 | YES | YES | YES | YES | YES | YES | YES |
SUSE Linux Enterprise Server (SLES) 12 System z | YES | YES | YES | YES | YES | YES | YES | |
SUSE Linux Enterprise Server (SLES) 15 x86-64 | NO | NO | NO | NO | YES | YES | YES | |
SUSE Linux Enterprise Server (SLES) 15 System z | NO | NO | NO | NO | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 8.2 - 8.4 System z, Red Hat Enterprise Linux (RHEL) Server 8.6, 8.8 System z | NO | NO | NO | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 9.2 System z | NO | NO | NO | NO | YES5 | YES5 | YES | |
Red Hat Enterprise Linux (RHEL) Server 8.2 - 8.4 x86-64, Red Hat Enterprise Linux (RHEL) Server 8.6, 8.8 x86-64 | NO | NO | NO | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 9.2 x86-64 | NO | NO | NO | NO | YES5 | YES5 | YES | |
Red Hat Enterprise Linux (RHEL) Server 8.2 - 8.4 (PowerPC Little Endian (LE)), Red Hat Enterprise Linux (RHEL) Server 8.6, 8.8 (PowerPC Little Endian (LE)) | NO | NO | NO | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 9.2 (PowerPC Little Endian (LE)) | NO | NO | NO | NO | YES5 | YES5 | YES | |
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 System z | YES | YES | YES | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 x86-64 | YES | YES | YES | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 (PowerPC Little Endian (LE)) 64 bit1 | YES | YES | YES | YES | YES | YES | YES | |
Red Hat Enterprise Linux (RHEL) Server 6.7 - 6.10 x86-64(EOS OS) | YES | YES | YES | NO | NO | NO | NO | |
Ubuntu 16.04 LTS x86_64 (EOS OS) | NO | YES | YES | YES | NO | NO | NO | |
Ubuntu 18.04 LTS x86_64 (EOS OS) | NO | NO | NO | NO | YES | YES | YES | |
Ubuntu 20.04 x86_64 | NO | NO | NO | NO | NO | YES | YES | |
Ubuntu 22.04 x86_64 | NO | NO | NO | NO | NO | YES | YES | |
Windows | Windows Server 2012 Standard Edition x86-64 | YES | YES | YES | YES | YES | YES | YES |
Windows Server 2012 R2 Standard Edition x86-64 | YES | YES | YES | YES | YES | YES | YES | |
Windows Server 2016 Standard Edition x86-64 | YES | YES | YES | YES | YES | YES | YES | |
Windows Server 2019 Standard Edition x86-64 | NO | NO | NO | YES | YES | YES | YES | |
Windows Server 2022 Standard Edition x86-64 | NO | NO | NO | NO | NO | YES | YES |
1 - Supported hardware includes POWER9 in POWER8 mode.
2 - For information about the Linux packages, see Linux packages.
3 - Supports POWER9 in POWER9 mode
4 - Supported only with AIX 7.2 TL3 and later.
5 - Support for RHEL 9.x is available only after upgrade of Db2 to version 11.5.9. Support for RHEL 9.x with the default bundled Db2 version is not available.
Notes:
- Do not install IBM Security Guardium Key Lifecycle Manager on systems with a hardened operating system. You can harden the operating system after the installation completes.
- Before you install IBM Security Guardium Key Lifecycle Manager on a UNIX or an AIX operating system, ensure that Bash shell (bash) is installed. Also, ensure that it is the default shell. Starting with IBM Security Guardium Key Lifecycle Manager 4.2, Bash shell is not required on the AIX operating system.
- Before you install IBM Security Guardium Key Lifecycle Manager on an AIX operating system, ensure that the necessary libraries that are described in this technote are installed: Required gtk libraries for IBM Installation Manager on AIX.
- For V4.1 and earlier versions, before you install IBM Security Guardium Key Lifecycle Manager on a Linux operating system, ensure that C shell (csh) is installed. Starting with V4.1.1, csh is not a requirement.
- Access requirements: Install IBM Security Guardium Key Lifecycle Manager as an administrator (root user). You can install IBM Security Guardium Key Lifecycle Manager as a non-root user on Linux operating systems only.
- For the RHEL 8 operating system, IBM Security Guardium Key Lifecycle Manager will support only even-numbered minor release versions, for example, RHEL 8.6, RHEL 8.8, and RHEL 8.10. This is primarily due to the very short support lifecycle that Red Hat provides for odd-numbered minor release versions.
Linux packages
On Linux operating systems, IBM Security Guardium Key Lifecycle Manager (GKLM) requires the compat-libstdc++ package, which contains libstdc++.so.6. It also requires the libaio package, which contains the asynchronous library that is required for Db2® database servers.
- libstdc package
To determine whether you have the package, run the following command:
rpm -qa | grep -i "libstdc"
If the package is not installed, locate the rpm file on the installation media and install it:
find installation_media -name 'compat-libstdc++*'
rpm -ivh full_path_to_compat-libstdc++_rpm_file
- libaio package
To determine whether you have the package, run the following command:
rpm -qa | grep -i "libaio"
If the package is not installed, locate the rpm file on the installation media and install it:
find installation_media -name 'libaio*'
rpm -ivh full_path_to_libaio_rpm_file
- Ensure that the 64-bit libaio package is installed before running db2setup. Db2 installation requires this package.
- For GKLM V4.1.1 and V4.1 installation in graphical mode, ensure that a VNC package (for example, tigervnc) and a terminal emulator (for example, xterm) are installed.
- For GKLM V4.1 silent installation, ensure that the tcsh package is installed.
Requirements for Linux on System z operating system
Before you install IBM Security Guardium Key Lifecycle Manager on Linux on System z operating system, complete the following steps:
- Check whether the following libraries are present on the system, which are necessary for Db2® installation.
  - libpam.so.0
  - libaio.so.1
  - libstdc++.so.6.0.8
  - libstdc++33
  - ksh93
  If the system does not contain the necessary libraries, run the following command:
  yum install <library_name>
  If a library has any issues, use the following command to remove a library:
  yum remove <library_name>
- Install the IBM XL/XL C++ runtime environment:
  - Extract the setup.
  - Run ./install.
  - Run the following command if an error message is displayed about missing libraries:
    yum install <missing_lib_name>
- Create a link between the libraries that are installed by running the following commands:
  ln -s /opt/ibm/lib/* /usr/lib/
  ln -s /opt/ibm/lib64/* /usr/lib64/
- Set the LD_LIBRARY_PATH by using the following command:
  LD_LIBRARY_PATH=/opt/ibm/lib:/opt/ibm/lib64:/usr/lib64; export LD_LIBRARY_PATH
- Ensure that the /tmp directory has all the permissions. To provide the permissions, run the following command.
  chmod 777 /tmp
Requirements for Linux on PowerPC operating system
Before you install IBM Security Guardium Key Lifecycle Manager on Linux on PowerPC Little Endian (LE) operating system, ensure that your system meets the requirements.
- Install IBM XL/XL C++ environment.
  - Extract the setup in a directory.
    tar -xvf <setup_name>
  - Run ./install.
- After you install the package, create a link between the libraries that are installed by running the following steps.
  ln -s /opt/ibm/lib/* /usr/lib/
  ln -s /opt/ibm/lib64/* /usr/lib64/
- Set the LD_LIBRARY_PATH by using the following command.
  LD_LIBRARY_PATH=/opt/ibm/lib:/opt/ibm/lib64:/usr/lib64; export LD_LIBRARY_PATH
- Before you start the installation process, ensure that the /tmp directory has all the permissions. To provide the permissions, run the following command.
  chmod 777 /tmp
Disabling Security Enhanced Linux
IBM Security Guardium Key Lifecycle Manager on Linux operating systems might have functional problems when the Security Enhanced Linux (SELINUX) setting is enabled.
For example, a problem might occur with the TCP/IP connections on the server ports. Follow the steps provided in the Linux documentation to disable Security Enhanced Linux.
IBM Security Guardium Key Lifecycle Manager V4.2 container and earlier versions
IBM Security Guardium Key Lifecycle Manager V4.2 container and earlier versions | |
Operating system/Architecture |
|
Container Platform |
|
Helm |
|
Storage |
|
Supported browsers
The following browser support applies to all active versions of IBM Security Guardium Key Lifecycle Manager:
Browser | Supported Versions |
Google Chrome1 | 86 and later |
Microsoft Edge1 | 44 and later |
Firefox ESR | 24.0 and later |
Microsoft Internet Explorer | 9.0, 10.0, 11.0 (Only supported on Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2) |
Browser | Supported versions | ||
Google Chrome | 109.0 and later | ||
Microsoft Edge | 110.0 and later | ||
Firefox ESR | 102.8 and later | ||
Microsoft Internet Explorer | 11.0 and later |
Supported hypervisors
IBM Security Guardium Key Lifecycle Manager | ||||
Hypervisor | V3.0 - V3.0.1 | V4.0 - V4.1 | V4.1.1 | V4.2-V4.2.1 |
VMware ESXi 7.x | NO | YES | YES | YES |
Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) and its RHEV equivalent 7.0, 8.0 and 9.0 | YES | YES | YES | YES |
IBM z/VM Hypervisor 6.1 - 6.4 and 7.1 | NO | NO | YES | YES |
IBM PowerVM Hypervisor (LPAR, DPAR, Micro-Partition) any supported version | NO | NO | YES | YES |
Supported middleware
Release | Middleware | |||
Database | IBM WebSphere Application Server (WAS) | WebSphere SDK Java Technology Edition | ||
Requirements (Only for V4.1 traditional and earlier) | See the Db2 requirements section | See the WebSphere Application Server requirements section | None | |
V4.2.1 | For traditional | IBM Db2 Standard Edition 11.5.9.0* |
WAS Liberty:
|
|
For container1 |
|
WAS Liberty:
|
|
|
V4.2 | For traditional |
IBM Db2 Standard Edition
|
WAS Liberty:
|
|
For container1 |
|
WAS Liberty:
|
|
|
V4.1.1 | For traditional |
IBM Db2 Standard Edition
|
WAS Liberty:
|
|
For container1 |
|
WAS Liberty:
|
1.8.0_26 SR6 FP26*
|
|
V4.1 | For traditional | IBM Db2 Standard Edition
|
WAS traditional:
|
|
For container1 |
|
WAS Liberty:
20.0.0.9
|
1.8.0_261 SR6 FP15*
|
|
V4.0 | IBM Db2 Advanced Workgroup Server Edition
|
WAS traditional:
|
|
|
V3.0/V3.0.1 |
IBM Db2 Advanced Workgroup Server Edition
|
WAS traditional:
|
|
|
For more information about the Java SDK version shipped with IBM WebSphere Application Server, see Verify Java SDK version shipped with IBM WebSphere Application Server fix packs. |
2 - You must first install GKLM with the default bundled IBM Db2 version, then upgrade to this version. For instructions, see the relevant topic:
db2 connect to <databasename>
db2 bind db2schema.bnd blocking all grant public sqlerror continue
db2 terminate
db2stop
db2start
Db2 requirements
The database stores the data of IBM Security Guardium Key Lifecycle Manager. Before you install IBM Security Guardium Key Lifecycle Manager, ensure that the database requirements are met.
IBM Security Guardium Key Lifecycle Manager requires DB2® Advanced Workgroup Server Edition, Version 11.1.2.2 and the future fix packs on the same system on which the IBM Security Guardium Key Lifecycle Manager server runs.
Note
- You must use IBM Security Guardium Key Lifecycle Manager to manage the database. To avoid data synchronization problems, do not use tools that the database application might provide.
- For improved performance of Db2 Version 11.1.2.2 on AIX systems, ensure that you install and configure the I/O completion ports (IOCP) package that is described in the Db2 documentation - Configuring IOCP (AIX).
- If an existing copy of Db2 Advanced Workgroup Server Edition was installed as the root user at the correct version for the operating system, you can use the existing Db2 Advanced Workgroup Server Edition. IBM Security Guardium Key Lifecycle Manager installer does not detect the presence of Db2. You must specify the Db2 installation path.
SuSE Linux Enterprise Server Version 12 (System z) systems contain the libstdc++.6.so package. But, IBM Security Guardium Key Lifecycle Manager requires the libstdc++.5.so package for Db2 installation.
For more information about Db2 prerequisites, see Db2 documentation - db2prereqcheck - Check installation prerequisites.
Db2 kernel settings
To avoid performance issues, set the Db2 kernel parameters. The following is an example for a computer with 16 GB RAM:
#Example for a computer with 16 GB RAM
sysctl -w kernel.msgmni=16384
sysctl -w kernel.sem="250 1024000 100 4096"
echo "kernel.msgmni=16384" >>/etc/sysctl.conf
echo "kernel.sem=250 1024000 100 4096" >>/etc/sysctl.conf
- AIX systems
- None required.
- Linux systems
- For information about kernel settings, see Db2 documentation - Modifying kernel parameters (Linux).
- Windows systems
- None required.
WebSphere Application Server requirements
IBM Security Guardium Key Lifecycle Manager includes and installs WebSphere Application Server. During installation, IBM Security Guardium Key Lifecycle Manager customizes WebSphere Application Server configuration and profiles to suit its operations. This customization might cause problems with products that use the same server when you uninstall IBM Security Guardium Key Lifecycle Manager. Therefore, you must consider the following aspects to avoid the issues:
- Do not install IBM Security Guardium Key Lifecycle Manager in a WebSphere Application Server instance that another product provides.
- Do not install another product in the instance of WebSphere Application Server that IBM Security Guardium Key Lifecycle Manager provides.
IBM Security Guardium Key Lifecycle Manager requires Java Runtime Environment. IBM Java Runtime Environment is included with WebSphere® Application Server.
Use of an independently installed development kit for Java™, from IBM® or other vendors, is not supported. For more information, see Java SE 8 in WebSphere Application Server traditional V9.
Supported HSMs/Cryptographic cards
IBM Security Guardium Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider, and supports the cryptographic cards that the provider supports.
For a list of the supported cryptographic cards, see IBM Java V8.0 Documentation - IBM PKCS11 Cryptographic Provider. In addition to this list, the cards that are listed in the following table are also supported.
HSMs/Cryptographic cards | IBM Security Guardium Key Lifecycle Manager Version | ||
IBM HPCS PKCS11 Client Library Version 2.5.12 or later | 4.1.1 and later | ||
Entrust nShield HSMs v13.3.2 (Compatible with mixed estates and nShield as a Service) | 4.2.0.1 | ||
Entrust nShield Connect XC 12.60 (Compatible with nShield as a service) | 3.0.1 and later |
Supported KMIP versions
IBM Security Guardium Key Lifecycle Manager | V3.0 - V4.0 | V4.1.x.x | V4.2 | V4.2.1 |
Key Management Interoperability Protocol (KMIP) | | | 3.0* | 3.0 |
 | | 2.1 | 2.1 | 2.1 |
 | 2.0 | 2.0 | 2.0 | 2.0 |
 | 1.4 | 1.4 | 1.4 | 1.4 |
 | 1.3 | 1.3 | 1.3 | 1.3 |
 | 1.2 | 1.2 | 1.2 | 1.2 |
 | 1.1 | 1.1 | 1.1 | 1.1 |
 | 1.0 | 1.0 | 1.0 | 1.0 |
For more information about the supported KMIP profiles, see Key Management Interoperability Protocol (KMIP) profiles supported by IBM Security Guardium Key Lifecycle Manager.
* - GKLM 4.2 uses the KMIP 3.0 specification, which is currently in draft mode.
Document Information
Modified date: 18 April 2024
UID: swg22008774