DataPower SOMA: Automatic Domain Backup Policy
Huy M Huynh
Kaiser Permanente - Emerging Technologies & System Design
1 Introduction
In this document, we will go through the process of creating an automatic backup agent
in WebSphere DataPower. The agent uses a WebSphere DataPower scheduled rule that creates a
backup of the domain(s) via the XML Management Interface and offloads it to an FTP
server. There are other ways to do backups, such as macro scripts or management
software (a manual process), but none of these offers an on-device automated
mechanism. This document offers an alternative solution: automatically back up WebSphere
DataPower configurations by calling the XML Management Interface, decoding the
base64 content of the SOAP response, and sending the result to an FTP server.
2 Creating the Scheduled Backup Policy
The instructions below create an XML Firewall and a Firewall Policy that
performs the backup using a custom transformation. They also guide you through the
creation of an XML Manager that handles the security required by the XML
Management Interface and holds the scheduled rule that executes the “backup” Firewall
Policy.
1. Create an XML Firewall with loopback proxy, Non-XML Request Type, and a new
processing policy. You may also want to set the front-end IP address to 127.0.0.1 for
enhanced security. However, doing so disables the “on demand”
backup functionality. For example, if the FSH is set to listen on an actual IP, an
external user can run the backup “on demand” by invoking the service via HTTP
GET (browser) or POST.
2. Create a new Firewall Policy with a Client to Server rule.
a. Create a match all (*) action.
b. Add a Transform action with Input: INPUT and Output: NULL, and select the
following stylesheet file
Table 1: This stylesheet sends a request to the XML Management Interface for a backup
zip. The response payload contains the backup content encoded in base64. The stylesheet then
decodes the backup content and sends it off the device over FTP.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:mgmt="http://www.datapower.com/schemas/management"
    xmlns:date="http://exslt.org/dates-and-times"
    extension-element-prefixes="dp">
  <!-- Author Zachary Huynh -->
  <!-- This transformation will extract and decode the backup xml or zip in the soap body
       then ftp it to a server -->
  <xsl:output method="xml"/>
  <xsl:template match="/">
    <xsl:call-template name="putFile">
      <xsl:with-param name="BackUpFile">
        <!-- Perform a domain backup request call through XML Management Interface -->
        <!-- HTTPS and basic auth for this call come from the XML Manager's User Agent -->
        <dp:url-open target="https://127.0.0.1:999" response="responsecode">
          <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
            <env:Body>
              <!-- The dp prefix is rebound here to the management schema namespace -->
              <dp:request domain="default"
                  xmlns:dp="http://www.datapower.com/schemas/management">
                <dp:do-backup format="ZIP">
                  <dp:user-comment>Entire System Backup</dp:user-comment>
                  <!-- List of domains to backup -->
                  <dp:domain name="default"/>
                  <dp:domain name="a"/>
                  <!-- <><><><><><><><>><>< -->
                </dp:do-backup>
              </dp:request>
              <!-- ************************************* -->
            </env:Body>
          </env:Envelope>
        </dp:url-open>
      </xsl:with-param>
    </xsl:call-template>
  </xsl:template>
  <!-- function putFile will decode the base64-encoded backup of domains response and
       ftp it to a location -->
  <xsl:template name="putFile">
    <xsl:param name="BackUpFile"/>
    <!-- Reject the transaction and log an alert when the response is empty -->
    <xsl:if test="$BackUpFile='' ">
      <xsl:message dp:type="backup" dp:priority="alert">Backup request fails</xsl:message>
      <dp:reject/>
    </xsl:if>
    <!-- Extract the export content string -->
    <xsl:variable name="encBackUpFile" select="string($BackUpFile//mgmt:file)"/>
    <!-- Send it to an FTP Server -->
    <!-- File name: fixed prefix + timestamp up to the first ':' + 'a.zip' -->
    <xsl:variable name="date" select="substring-before(date:date-time(),':')"/>
    <xsl:variable name="fileDate" select="concat('czaqdp1Backup', $date)"/>
    <xsl:variable name="filename" select="concat($fileDate,'a.zip')"/>
    <!-- username, password and someftpserver are placeholders for your FTP account and host -->
    <xsl:variable name="ftp-put-url"
        select="concat('ftp://username:password@someftpserver/%2Flogs/dpbackup/',$filename)"/>
    <!-- data-type="base64" makes url-open decode the content before sending it -->
    <dp:url-open target="{$ftp-put-url}" response="responsecode" data-type="base64">
      <xsl:value-of select="$encBackUpFile"/>
    </dp:url-open>
  </xsl:template>
</xsl:stylesheet>
c. Add a Results action with Input set to NULL and Output set to OUTPUT.
Your XML Policy should look like this:
3. Create a client (forward) SSL Proxy Profile that will work with XML Management
Interface. Depending on your XML Management Interface configuration, you may need
to obtain the certificate that’s being used by the XML Management Interface. By default,
this certificate is the same as the Web-GUI. You can use a browser such as IE to
download the certificate at the login page.
4. Create a new XML Manager
a. Leave everything as default, and create a new User Agent that uses the client SSL
Proxy Profile created in the previous step and basic authentication for the XML
Management Interface, with a username and password that have access rights to the
XML Management Interface.
The XSLT calls the XML Management Interface through the url-open extension,
and that call requires HTTPS and basic auth. During processing, the
XML Manager’s User Agent automatically handles the SSL initiation and
authenticates using basic auth, so you avoid having to put any of
this information in the XSLT.
b. Click on the SSL Proxy Profile Policy tab and add the client SSL Proxy
Profile you created, which contains the Validation Credentials holding the XML Management
Interface certificates.
c. Click on the Basic-Auth Policy and add the username/password that has access
rights to the XML Management Interface.
d. Select the configured User Agent for this XML Manager
e. Then select the Scheduled Processing Policy Rule tab.
f. Select the rule that does the backup and set the time interval to execute this rule.
Hint: The name of the processing rule can be obtained from the Firewall Policy
editor.
g. Click on the XML Parser tab and edit the Parser limit so it can allow for a large
XML response from XML Management Interface. Below is an example setting:
To test this, simply click Apply. A zip file containing the backup will be created on the
FTP server at every interval you set on the XML Manager Scheduled Processing Policy
Rule. To test the “on-demand” backup (make sure you set the XML Firewall Local
Address to one of the device IPs in order for this to work), simply use a browser and call
the listening address. The entire backup process may take more than 2 minutes, so be
patient.
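The stylesheet rejects only an empty response, so a SOAP fault or a truncated payload can still end up on the FTP server as a file named like a backup. The following Python code is an added example, not part of the original document: it runs off-device against a saved XML Management Interface response, applies the same `mgmt:file` lookup, and confirms that the decoded content is an intact ZIP. The function names and the `dp:response` wrapper in the constructed sample are assumptions.

```python
import base64
import binascii
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespace the stylesheet binds to the mgmt prefix.
MGMT_NS = "http://www.datapower.com/schemas/management"

class BackupError(Exception):
    """The response does not carry a usable backup archive."""

def extract_backup(soap_response: bytes) -> bytes:
    """Return the decoded ZIP bytes from a do-backup SOAP response."""
    try:
        root = ET.fromstring(soap_response)
    except ET.ParseError as exc:
        raise BackupError(f"response is not well-formed XML: {exc}") from exc
    # Same lookup as the stylesheet's $BackUpFile//mgmt:file.
    node = root.find(f".//{{{MGMT_NS}}}file")
    if node is None or not (node.text or "").strip():
        raise BackupError("no mgmt:file content (fault or auth failure?)")
    try:
        # Strip line breaks first: validate=True rejects any non-alphabet byte.
        raw = base64.b64decode("".join(node.text.split()), validate=True)
    except binascii.Error as exc:
        raise BackupError(f"mgmt:file is not valid base64: {exc}") from exc
    if not zipfile.is_zipfile(io.BytesIO(raw)):
        raise BackupError("decoded payload is not a ZIP archive")
    return raw

def list_entries(zip_bytes: bytes) -> list[str]:
    """Names inside the archive, after a CRC check of every member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise BackupError(f"corrupt member in archive: {bad}")
        return zf.namelist()

def make_sample_response(members: dict[str, bytes]) -> bytes:
    """Constructed test input: a response envelope around a small ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (f'<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<env:Body><dp:response xmlns:dp="{MGMT_NS}"><dp:file>{b64}</dp:file>'
            f'</dp:response></env:Body></env:Envelope>').encode()
```

Running `list_entries(extract_backup(saved_response))` on a captured response shows the archive members; a `BackupError` means the file produced for that run should not be trusted as a backup.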