IBM(R) Database Encryption Expert for Linux(R), UNIX(R), and Windows(R), Version 1.1.3, README

Document revision date: 10/15/08

CONTENTS

1.0 ABOUT THIS README FILE
2.0 NEW FEATURES
3.0 PREREQUISITES
    3.1 Security Server minimum hardware requirements
    3.2 Hardware on which the Agent software has been tested
    3.3 Hardware on which the Encryption Expert Security Server has been tested
    3.4 Operating systems on which the Agent software has been tested
    3.5 Operating systems on which the Encryption Expert Security Server has been tested
    3.6 Supported file systems
    3.7 DB2 versions that have been tested with Encryption Expert
    3.8 IDS versions that have been tested with Encryption Expert
4.0 INSTALLATION INSTRUCTIONS
    4.1 Overview
    4.2 Security Server prerequisite package installation
    4.3 Security Server installation
    4.4 Agent installation
5.0 KNOWN ISSUES
    5.1 Security Server issues
    5.2 Agent issues
6.0 RESOLVED ISSUES
7.0 HOW TO GET HELP
8.0 NOTICES
    8.1 Other notices
    8.2 Trademarks and service marks

1.0 ABOUT THIS README FILE

Welcome to IBM(R) Database Encryption Expert for Linux(R), UNIX(R), and Windows(R), Version 1.1.3, README file. This README file contains information about installing Encryption Expert, as well as known issues regarding its use.

Version 1.1.3. Subsequent versions might require additional maintenance.

2.0 NEW FEATURES

- Agents for Windows 2000, XP, Server 2003, Server 2003R2
- Added syslog support
- Agents for Solaris 9 and 10 on Sun UltraSparc platforms
- Support for multiple failover servers
- Support for IDS 11.10 FC2 and IDS 11.50

3.0 PREREQUISITES

3.1 Security Server minimum hardware requirements

- 4 GB of RAM
- 80 GB of disk space*

* The actual amount of disk space required to install the Security Server software is considerably less. The extra space is used to accommodate log files, which can quickly proliferate and consume large amounts of disk space.
This requirement comprises all the directories used by the Security Server, including /opt/IBM, /var/log, /home (voradmin, db2fenc1, dasusr1), and /tmp.

3.2 Hardware on which the Agent software has been tested

- AIX: PowerPC 4 (64-bit)
- AIX: PowerPC 5 (64-bit)
- Linux: Intel x86_64
- Linux: AMD Opteron (64-bit)
- Windows x86 32-bit: Pentium 4 or later
- Windows x86 64-bit: AMD Opteron, Intel Xeon 64, or later
- Solaris Sun Blade 100 UltraSparc lli 64-bit (1-way)
- Solaris Sun Fire 280R UltraSparc lll 64-bit (2-Way)
- Solaris Sun Fire V880 UltraSparc lll 64-bit (8-way)
- Solaris Sun Fire V440 UltraSparc lli 64-bit (4-way)
- Solaris Sun Fire V490 UltraSparc IV 64-bit (8-way)

3.3 Hardware on which the Encryption Expert Security Server has been tested

- Linux: Intel x86_32

3.4 Operating systems on which the Agent software has been tested

- AIX 5.2 TL10, APAR IZ21543 (request APAR from IBM)
- AIX 5.3 TL6, APAR IZ20619 (request APAR from IBM)
- AIX 5.3 TL6 SP3 (includes APAR IZ07461)
- AIX 5.3 TL6 SP7 (includes APAR IZ20619)
- AIX 5.3 TL7, APAR IZ07461 (request APAR from IBM)
- AIX 5.3 TL7 SP4 (includes APAR IZ07461)
- AIX 5.3 TL8, APAR IZ15965 (request APAR from IBM)
- Linux (64-bit): Red Hat Advanced Server 4.0 Update 4
- Solaris 9
- Solaris 10 update 2

Note: The APARs listed above are required in order to run both the DB2 Database Backup Agent and the File System Agent on the same AIX(R) system. The operating system can kernel panic while attempting to back up an encrypted database if the APAR is missing or the wrong APAR is installed. APARs are not required when the DB2 Database Backup Agent and File System Agent are run on different systems.
(4026, 6267)

- Windows 2000 Server with SP4
- Windows 2000 Server Professional with SP4
- Windows 2000 Advanced Server with SP4
- Windows 2000 Advanced Server with MSCS
- Windows Server 2003, Standard Edition, with SP1 or SP2
- Windows Server 2003, Enterprise Edition, with MSCS
- Windows XP with SP1 or SP3
- Windows XP with SP2 and Microsoft update KB885894
- Windows Server 2003, 64-bit Enterprise Edition, with SP1
- Windows Server 2003, 64-bit Enterprise Edition, with MSCS
- Windows XP, 64-bit Edition

3.5 Operating systems on which the Encryption Expert Security Server has been tested

- Linux (32-bit): Red Hat Advanced Server 4.0 Update 4

3.6 Supported file systems

- Windows: NTFS
- AIX: JFS, JFS2, NFS, VxFS
- Solaris: UFS, NFS, VxFS
- RedHat: EXT3, NFS, VxFS

3.7 DB2 versions that have been tested with Encryption Expert

- v8.1.2 FixPack 15
- v9.1 FixPack 3
- v9.5 FixPack 1

3.8 IDS versions that have been tested with Encryption Expert

- IDS 11.10 FC2
- IDS 11.50

4.0 INSTALLATION INSTRUCTIONS

4.1 Overview

IBM Database Encryption Expert includes the following two components:

- Security Server

  The Security Server stores encryption keys, policies, and audit logs. You can configure a cluster of two or more Security Servers. The Security Server components should be installed on dedicated hosts that are not running other applications. You should install the Security Server software first.

- Agents

  The Encryption Expert Database Backup Agent and File System Agent are installed on your database server environments. The agents will need to communicate over your network to the Security Server.

There are two types of agents included with Encryption Expert: the Database Backup Agent for encrypting DB2 and IDS backups, and the File System Agent for protecting online database files. The File System Agent works with any DB2-related file managed by the host's native file system; it does not support raw device I/O. The agent installation utility is used to install both agents.
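
The host conditions this README sets for installation (NTP in 4.1, temporary space in 4.3, SELinux in 4.4, and known issues 10, 18 and 19 in 5.1) can be checked on a Linux or UNIX host before running the installers. The script below is an added example, not part of the IBM or Vormetric distribution; the script name, the 512000 KB reading of "about 500MB", treating a running ntpd or chronyd as evidence of NTP, and treating SELinux "Permissive" as not disabled are assumptions.

```shell
#!/bin/sh
# Added example, not IBM or Vormetric code: pre-install checks for the host
# conditions stated in this README. Usage: sh preflight.sh server|agent

MIN_TMP_KB=512000   # assumption: "about 500MB" (section 4.3) as 500 * 1024 KB
FAILS=0

# Each check takes the observed value as $1 and returns 0 when the README's
# condition holds, so the logic can be exercised without touching the host.
check_selinux() {   # $1 = getenforce output, or "absent" if not installed
    case "$1" in
        Disabled|absent) return 0 ;;
        *) return 1 ;;          # Enforcing, Permissive (assumption: not "disabled")
    esac
}
check_charmap() { [ "$1" = "UTF-8" ]; }
check_lang()    { [ "$1" = "en_US.UTF-8" ]; }
check_tmp_kb()  { [ "$1" -ge "$MIN_TMP_KB" ] 2>/dev/null; }
check_stopped() { [ "$1" = "0" ]; }
check_running() { [ "$1" = "1" ]; }

# run_check <label> <check> <value>: print one result line, count failures.
run_check() {
    label=$1; shift
    if "$@"; then
        echo "ok    $label"
    else
        echo "FAIL  $label"
        FAILS=$((FAILS + 1))
    fi
}

# evaluate <role> <selinux> <charmap> <LANG> <free KB> <ypbind 0|1> <ntp 0|1>
# Returns the number of failed checks for that role.
evaluate() {
    FAILS=0
    case "$1" in
        server)
            run_check "NTP daemon running (4.1; 5.1 item 10)" check_running "$7"
            run_check "temp dir has about 500MB free (4.3)" check_tmp_kb "$5"
            run_check "NIS ypbind stopped for install (5.1 item 18)" check_stopped "$6"
            ;;
        agent)
            run_check "NTP daemon running (4.1; 5.1 item 10)" check_running "$7"
            run_check "SELinux disabled (4.4)" check_selinux "$2"
            run_check "locale charmap is UTF-8 (5.1 item 19)" check_charmap "$3"
            run_check "LANG is en_US.UTF-8 (5.1 item 19)" check_lang "$4"
            ;;
        *)
            echo "usage: preflight.sh server|agent" >&2
            return 64
            ;;
    esac
    return "$FAILS"
}

# proc_running <name>: print 1 if a process with that command name exists.
proc_running() {
    if ps -e -o comm= 2>/dev/null | awk -F/ '{print $NF}' | grep -qx "$1"; then
        echo 1
    else
        echo 0
    fi
}

# preflight <role>: gather live values from this host and evaluate them.
preflight() {
    if command -v getenforce >/dev/null 2>&1; then se=$(getenforce); else se=absent; fi
    # The installer stages files in IATEMPDIR when set, otherwise /tmp (4.3).
    free_kb=$(df -Pk "${IATEMPDIR:-/tmp}" | awk 'NR==2 {print $4}')
    ntp=0
    for d in ntpd chronyd; do
        if [ "$(proc_running "$d")" = "1" ]; then ntp=1; fi
    done
    evaluate "$1" "$se" "$(locale charmap 2>/dev/null)" "${LANG:-}" \
        "$free_kb" "$(proc_running ypbind)" "$ntp"
}

# Run against the live host only when a role is given on the command line.
case "${1:-}" in
    server|agent) preflight "$1" ;;
esac
```

The exit status is the number of failed checks, so the script can gate an installation wrapper.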

For proper operation, the Security Servers and agents require that their system clocks be closely synchronized. It is strongly recommended that you set up all the hosts running Encryption Expert with NTP.

4.2 Security Server prerequisite package installation

You must install the Vormetric prerequisite package before installing the Encryption Expert Security Server. This package provides necessary JBoss(R) Application Server software and some common Apache utilities. The prerequisite package is available at:

    http://www.vormetric.com/ibmEE/

Download the prerequisite package, untar the file, and run the installation script, install_eet_prereq.

4.3 Security Server installation

Encryption Expert 1.1.3 is an upgrade release. The installation utility automatically initiates the Security Server upgrade feature if the utility detects an existing Encryption Expert 1.1.2 Security Server installation.

After you have installed the prerequisite software, you can install the Security Server. You will need root privilege or a user with sudo authority to run the IBM Database Encryption Expert Security Server installation program.

The Encryption Expert installation utility temporarily stores Security Server files in /tmp. There must be about 500MB of free space available to hold the temporary installation files. You can specify an alternate directory to store the temporary installation files by setting and exporting the InstallAnywhere IATEMPDIR environment variable. For example, in the bash shell, enter "export IATEMPDIR=/" in the same terminal window in which you will run the Security Server installation utility.

Run the installation utility by entering:

    # ./install_eet_server.bin

or

    # ./install_eet_server.bin -i console

4.4 Agent installation

The Encryption Expert agents are incompatible with Security-Enhanced Linux (SELinux). Disable SELinux before installing Encryption Expert agent software on a Linux system.
(6032)

You will need root privilege or a user with sudo authority to run the IBM Database Encryption Expert agent installation program.

To install agent software:

- Register the agent on the Security Server
- Log onto the agent system as Administrator, root, or sudo to root
- Run install_eet_agent.bin or install_eet_agent.bin -i console

During console mode installation of Encryption Expert agent software, both the file and database agents are selected by default.

    1- [X] Db2 Agent
    2- [X] FileSystem Agent
    Please choose the Features to be installed by this installer.
    :

It is recommended that you press enter at this prompt to install both agents. Entering a number will deselect the particular agent. For example, entering "1" will deselect the Database Backup Agent and only install the File System Agent.

5.0 KNOWN ISSUES

5.1 Security Server issues

1. The Encryption Expert File System Agent might be incompatible with other security software running on the same system. If other security software, such as SELinux and AppArmor, is running on the system, disable it before installing and using Encryption Expert. Compatibility with other security software is untested. (6032)

2. Never unguard a guardpoint that is protecting DB2 data files while there are open connections to the DB2 database. The Encryption Expert management console will allow you to remove a guardpoint even while there is active IO within the guardpoint. While the Encryption Expert File System Agent will not complete the unguard action until all file handles are closed, unguarding open database files could lead to hanging connections and possible corrupted files (6730). You may want to use the "db2 list applications" command on the guarded DB2 host to determine if any applications have an open database connection before unguarding.
Also, unguarding does not convert encrypted data back to clear text data, so you should back up your database before unguarding, or use the dataXform utility to convert the data to cleartext.

3. DB2 deadlocks can appear in the embedded Security Server database if the Security Server is improperly shut down, such as an abrupt interruption of power to the Security Server system. Please refer to the DB2 documentation for information on DB2 deadlock recovery. (6396)

4. If a guard point is busy it cannot be unguarded. A guard point is busy when someone is in the guard point or a directory or file in the guard point is being used in some manner. The Security Server GUI reports that the guard point is unguarded, though the guard point is still mounted on the agent and access controls are still enforced. If this should occur, check for activity in the guard point using a command like fuser. Stop all access to the guard point. Reboot the agent system if you cannot determine, or do not want to determine, who or what is accessing the guard point. (6168, 6152, 7395)

5. The Management Console dashboard displays the number of administrators that are currently logged into the Security Server Web interface. If an administrator closes the Web interface without logging out, the number of administrators is not decremented until the inactivity timeout interval for that user is reached. (6182)

6. You cannot delete a policy while it is applied to a File System Agent guard point or a database agent host. Attempts to delete an active database agent policy result in the following error message: "The Security Server failed to persist data into the repository database. Refer to cgss.log and server.log for details. Call support if necessary." This message should read: "The Security Server could not delete policy "". Hosts are guarded by the policy." Ensure that a policy is not in use before you attempt to delete it. (6157)

7. The installation utility cannot display non-IBM license terms when the graphic display is exported to an Omni-X windows server. A blank, grey box is displayed when you click the "Read non-IBM terms" button. To view non-IBM terms, export the graphic display to a different X-windows server, or run the installation utility with the "-i" option. This option is described in the IBM Database Encryption Expert User’s Guide. (6372)

8. Enabling audit in either a File System Agent or a Database Backup Agent policy can generate duplicate log entries and generate messages that do not normally appear in the log. This can result in large log files. (6341)

9. Long directory paths might not display correctly in the Management Console because the Remote Object Chooser does not provide a horizontal scroll-bar with which to display long paths. If you are unable to display and select long paths, enter the paths manually. (6219)

10. Set the correct time and time zone of every system in a Security Server configuration before installing any Encryption Expert software. Once set, maintain the correct time by configuring each system to access an NTP server at regular intervals. Incorrect times can make it difficult to sequence log entries, can prevent SSL communication between the Security Server and agent, and can prevent the Security Server from applying policy updates to agent systems. If Encryption Expert software is installed and you need to set the Security Server time, stop the Encryption Expert Security Server (i.e., /etc/init.d/cgss stop), set the clock, and then restart the Encryption Expert Security Server (i.e., /etc/init.d/cgss start). (5987)

11. If you encounter "java.lang.OutOfMemory" errors in the / server/jboss-4.0.4.GA/server/default/log/cgss.log file, restart the server with the "cgss" utility (i.e., /etc/init.d/cgss restart). (6537)

12. Long paths might adversely affect the Management Console Log window.
A long path might conceal the timestamp and ID information, and can cause the window banner to display incorrectly, making navigation and refreshing the display difficult. (6418)

13. Large logs take longer to display than small logs. Purge old log data from the Management Console Log window if you want the log data to display quicker. (3652)

14. The "Include subfolder" option which you set in a policy to exclude a resource is not functioning properly. If you must exclude a subfolder from a policy, apply guard point protection to the subfolders instead. (6031)

15. The maximum number of users allowed in a user set is 55. "The Security Server fails to persist data into the repository database" error message is shown if you add more than 55 users to a user set. (6608)

16. Log Source and Message search in the Management Console are case sensitive. (6560)

17. Do not use custom action sets in File System Agent policies. Encryption Expert 1.1.2 supports custom action sets. Encryption Expert 1.1.3 does not. Custom action sets do not match correctly during policy evaluation. Instead, select the individual actions, such as read, f_rm, and all_ops, in every policy. Other sets, such as resource, user, and process sets, work as expected. If you upgrade from 1.1.2 to 1.1.3, and the 1.1.2 installation contains custom action sets, the custom action sets will also appear in the 1.1.3 installation, but they cannot be modified or deleted. (6917)

18. Stop the Network Information Service (NIS) directory service before installing the Encryption Expert Security Server software. If NIS is running, the installer can fail to generate necessary database instances and their user accounts. If you experience problems installing the Security Server, check for the NIS process, ypbind. If it is running, stop it using either "service ypbind stop" or "/etc/init.d/ypbind stop", install the Security Server, and then restart the NIS process using "service ypbind start" or "/etc/init.d/ypbind start".
(6589)

19. Unicode character-encoded directories cannot be selected in the Remote File Browser and they cannot be guarded. Verify that the systems hosting File System Agents are using English language UTF-8 character encoding before attempting to configure guard points. Run "locale charmap" on the host systems. It should return "UTF-8". Also, you can run "echo $LANG". It should return "en_US.UTF-8". (7314, 6056)

20. If you install the DB2 Database Backup Agent while DB2 is running, you cannot create a database in a guarded directory. DB2 can return a message like "SQL1052N The database path "xxx" does not exist." when you try to create a database in a guard point. Restart DB2 after installing the Database Backup Agent to refresh the DB2 configuration and permit database creation in the guard point. (7897)

21. The Guard window that opens when you click the Guard button on the Guard FS tab of the Management Console for Windows hosts does not display the Network Drive checkbox. It shows only the Auto Mount checkbox, which is a UNIX-only feature. (7615)

22. The Encryption Expert 1.1.3 server does not display the version number for 1.1.2 agents in the Version column of the Host window. 1.1.3 agents are displayed correctly. (8498)

23. When restoring a Security Server configuration with the restore_config utility on a system other than the system on which it was made, the host name in the HA configuration still shows the original system name as the primary server. Run ./server/bin/re_sign_cert to update the server information. (7811)

24. When a host is registered with the Security Server, the host name is cached in JBoss. If you recycle an IP address, but change the host name, you will be able to successfully register the host, but the Security Server will fail to communicate with the host because JBoss continues to associate the recycled IP address with the cached host name. A "socket opened - socket closed" error is generated in the vmd log.
Refresh the JBoss cache by restarting the Security Server with "cgss restart". (8183)

25. The red rectangle status indicator in the Guard FS tab can remain displayed for Solaris 10 hosts indefinitely, though the server and File System Agent can communicate and exchange policy information. This is a display issue only. Restart vmd on the agent system to display the correct status indicator. (8790)

26. The tooltip pop-up for the red rectangle status indicator displays "Error". Ignore this pop-up. The red rectangle icon is displayed when the policy is not yet applied to a File System Agent or the agent system is unavailable. Typically, these are not error conditions. (8922)

5.2 Agent issues

1. Default file system audit log configuration is set to ERROR. This will show deny audit messages only. Permitted audit messages will not be sent to the Security Server log. If permitted audits are required, set logging level to INFO.

2. The Encryption Expert Security Server might be incompatible with other security software that is running on the same system. If other security software, such as SELinux, is running on the system, disable it before installing and using Encryption Expert. Compatibility with other security software is untested. (6032)

3. The Linux File System Agent displays "mv: warning: security context no "persevered destination/source_name":not a support operation" if SELinux is activated. Please disable SELinux. (6032)

4. A system panic can occur if you guard an automount directory with the agent logging level set to DEBUG and the Netdump service running. Please change to a lesser log level for automount directories. (6549)

5. If defining a directory as a resource, some operations might fail with the error: "The file access permissions do not allow the specified action." It is recommended to either set the guard point at the resource directory, or specify the files explicitly. (6547)

6. The mv command fails when crossing key boundaries (entering/exiting a guard point). Instead, use "cp -r" command to copy or move a file. (6499)

7. Veritas Cluster service and VxFS are not currently supported. (6235)

8. You cannot guard AIX automount directories if the host system is configured for Direct Map automount. You should use an indirect mount method. (604)

9. Configuring multiple wildcards in a resource set can cause incorrect matches during policy evaluation. Only use one wildcard in a directory for a resource set. (6443, 431)

10. The "vmsec -status" command can show an incorrect status after deleting a host and the host certificates. (6287)

11. Setting a policy to audit permitted actions can adversely impact application performance, especially when the network connection between the Security Server and File System Agent is lost. It is recommended to use audit to monitor denied or suspicious I/O operations only. (6663)

12. If you attempt to guard a non-existent directory with the File System Agent, multiple redundant errors will be written to the log. (6458)

13. The AIX File System Agent can sometimes return an incorrect number of AUTHBIN entries. (6410)

14. File system is full error messages are not reported correctly when restoring a backup with Encryption Expert. Restoring a DB2 backup without Encryption Expert on a full file system returns "file system is full". Restoring a backup with Encryption Expert on a full file system returns "A system error (reason code = "2") occurred. Subsequent SQL statements cannot be processed.". Verify available file system space if you get this error message when restoring a backup. (6635)

15. The File System Agent tries to increase the priority of the thread responsible for processing audit messages. AIX 5.2 does not support increasing thread priorities and attempts to do so generate the following message in the eetvmd_root.log file. "Failed to strengthen priority of the vmd, may face scheduling problems."
Ignore this message. AIX 5.3 supports priority increases and does not generate this message. (7363)

16. A DB2 database can be locked into a "restore pending state" after attempting to restore the database with a policy that denies restore operations. The recommended procedure for resetting the database state is to have a user with restore permission restore the database. The database will resume normal operation after it is restored. (7611)

17. The Encryption Expert library that is used to generate a DB2 backup is also embedded in the backup. Normally, the embedded library is used to restore the backup. However, when restoring old backups, or whenever you have problems restoring any backup, include the current library on the command line. Because of the internal changes that have occurred between Encryption Expert v.1.1.1, v.1.1.2, and 1.1.3, do not use the embedded library to restore backups made with a previous version. Instead, specify the current library on the DB2 restore command line. (7675)

The typical DB2 syntax for restoring backups is:

    db2 restore db dbname from source_loc taken at time to target_loc compress comprlib lib

For example:

    db2 restore db sample from /db2back taken at 20080220210650 to /db2data compress comprlib /opt/IBM/DB2TOOLS/LUWEncryptionExpert/agent/db2/libeetdb2.so

18. You must configure compression and/or encryption even if the backup rule denies backup requests. That is, if you leave the rule set to Deny, you must still apply compression and/or encryption. Failure to do so will result in the following message: "You must use compression, encryption or both when defining a backup rule." It requires fewer steps to enable compression than to configure encryption keys. (5253, 3646, 7219)

19. The File System Agent may be unable to unguard the Informix database directory, /opt/IBM/Informix, on UNIX systems. This can occur even when Informix and Informix processes are not running.
The Security Server does not report the user or process that is obstructing the release of the guard point. If you cannot determine and stop the user or process, reboot the agent system in order to remove the guard point and release the directory. (8410)

20. vmsec password does not work when there is no network connection to the Security Server, and both Cached on Host and Stored on Server symmetric keys are configured in policies that are applied to the same File System Agent. vmsec password will return you to the command prompt but you will not be able to access protected data until the Security Server connection is restored. (8365)

21. To guard network mapped drives on a Windows host, use the complete Universal Naming Convention (UNC) name for each file path. For example:

    \\10.2.32.203\ShareName\dirpath

or

    \\ServerName.DomainName.com\ShareName\dirpath

or

    \\ServerName\ShareName\dirpath

When guarding a network mapped drive, enable the Network Drive toggle, then enter the UNC name in the guard point field. We recommend that you use the server IP address instead of the server DNS name. Security Server protection is still enforced even when the server name is used. (3200, 7947)

22. The IDS log does not display the cause of the failure when an IDS backup or restore operation is denied by a policy. This information is reported in the Security Server log. (7023)

23. If there is no network connection to the Security Server, and onbar is executed with the IDS Database Backup Agent, onbar will hang. Control-C does not return you to the onbar prompt. (7220)

24. Add the IDS oninit command to the Host Settings tab with either |trust| or |trustfrom| before running IDS. For example: |trust|/opt/bin/informix/oninit. If the oninit application is not trusted, User Not Authenticated errors and Process Not Available errors will be displayed in the Security Server log and you will not be able to perform tasks like run "create dbspace". (8363)

25. The IDS "Object ID" parameter is displayed in the documentation and Security Server log. This parameter is not used and is always set to 0. (8398)

26. UNIX and Windows users can run both manual and automatic dataxform. However, after Windows users run automatic dataxform, the folder for the guard point remains in a "busy" state and it cannot be unguarded. Windows users must reboot the system after performing automatic dataxform in order to reset the state of the guard point and to unguard the folder. (8486)

27. The dataxform "--cleanup" option does not delete the dataxform_auto_lock file from Windows File System Agents. Delete this file manually. (8923)

6.0 RESOLVED ISSUES

1. Audit logs used to display the cached names of Linux File System Agent directories and required a restart to refresh the agent cache. Names are cached differently now and report the correct names. (6029)

2. The Security Server used to make just 10 attempts to push updates out to a File System Agent. If, after 10 attempts, the Security Server was still unable to push the updates to the File System Agent, you had to manually initiate the update process. Now the Security Server tries indefinitely to push updates to a host.

3. The File System Agent registration utility, register_host, no longer generates spurious SOAP error messages when run with the "clean" option. (6485)

4. DB2 8.2 and 9.1 no longer fail with unexpected EOF and bad page errors when inserting records into an encrypted DB from three sessions. (APAR-PK70475, 7494)

5. The v1.1.2 re_sign_cert utility no longer fails with a permissions error.
(APAR-PK69345, 8228)

7.0 HOW TO GET HELP

For a complete and up-to-date source of IBM Database Encryption Expert information, including information on issues discovered after this README was published, go to the following Web site:

    http://www.ibm.com/software/data/db2imstools/support.html

If you are not able to find your answer searching the listed URL, call 1-800-IBM-SERV to speak to an IBM representative for assistance.

8.0 NOTICES

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10594-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this publication to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

Licensees of this program who want to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    J74/G4
    555 Bailey Avenue
    San Jose, CA 95141-1003
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

8.1 Other notices

Vormetric and CoreGuard are trademarks or registered trademarks of Vormetric, Inc., in the U.S.A. and other countries. Other names and products are trademarks or registered trademarks of their respective holders.

This document contains Proprietary and Confidential Information of Vormetric, Inc. The information in this document is subject to change without notice and must not be construed as a commitment on the part of Vormetric, Inc. Vormetric, Inc., assumes no responsibility for any errors that may appear in this document. No part of this documentation may be reproduced without the express prior written permission of the copyright owner. The software described in this document is furnished under license and may be used or copied only in accordance with the terms of said license.

8.2 Trademarks and service marks

The following terms are trademarks or service marks of the IBM Corporation in the United States or other countries or both:

    DB2
    IBM
    AIX

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

(C) Copyright IBM Corporation 2007, 2008; Copyright Vormetric, Inc. 2007, 2008. All rights reserved.