Integration Yay! Technical articles based on IBM Messaging Integration Middleware.
Popular keywords: APIM, DataPower, MQ, Message Broker, IIB, IBM Integration Bus, WSRR, WebSphere Service Registry and Repository, Web Services, Web APIs, XML, SOAP, JSON. Bruno R Neves (http://www.blogger.com/profile/06753136071159835651)<br />
<br />
How to setup SNMP v3 on DataPower (2018-02-27)<br />
I'm creating this entry because I needed to set up SNMP for my current client and didn't find much information on the internet, so, as I always say: <i>"human's knowledge belongs to the world"</i>. :)<br />
<br />
The environment consists of 2 IDG devices and one Red Hat Linux server acting as the SNMP consumer. The current DataPower firmware is IDG.7.6.0.4.<br />
<br />
The only page for SNMP is the one below. The most important part is the user configuration, which I will show right after:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4_dtKKEGgzXa2pgvEuNm8BFofur1eEccN4RSowDy4xFuW3Ewyz6fAFVoEntmHP9ofZhdfHRqvkqvaF86krsR0hcBqtD4vzik9T9seAIs5-zuqLXrMfPWwKxNhv86wqC3VLUMllypL4Vh/s1600/SNMP+DP+webpage+screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="699" data-original-width="1050" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4_dtKKEGgzXa2pgvEuNm8BFofur1eEccN4RSowDy4xFuW3Ewyz6fAFVoEntmHP9ofZhdfHRqvkqvaF86krsR0hcBqtD4vzik9T9seAIs5-zuqLXrMfPWwKxNhv86wqC3VLUMllypL4Vh/s640/SNMP+DP+webpage+screenshot.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
See that the "Local IP Address" is my outbound interface. The port is the default one, 161, the SNMP version is v3 and the security level is "Authentication, No privacy". Those are the values I used as an example; change them if needed. Note that the goal here is only to make sure DataPower is configured correctly; this is not an SNMP tutorial. :)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZDFJtb8EKjIb7Epdr-645UIHpIrvlLKixpPSoB1sC9JIVxvFGDzecRew4nFIwGaN9H2F4VBRoMlvNnFHZjcYuQJgPBHCTv8vUG-W8il6EiIt0K7Wrn5jK0ll04u8s-krIk1FJJaM0fOgi/s1600/SNMP+DP+user+webpage+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="824" data-original-width="1350" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZDFJtb8EKjIb7Epdr-645UIHpIrvlLKixpPSoB1sC9JIVxvFGDzecRew4nFIwGaN9H2F4VBRoMlvNnFHZjcYuQJgPBHCTv8vUG-W8il6EiIt0K7Wrn5jK0ll04u8s-krIk1FJJaM0fOgi/s640/SNMP+DP+user+webpage+2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnf_Yq31wQ74WnqUrsD94YDTXHp9uTSBtXmi8fEDpWzN5WYYmHhbKhJzpX_2TVJCwI4qOdOeyLU0PdeVmryyBreebW7JC3IHap3G9_2IbNxn-LEZft5RGZ7lv4PDv5NwV8VuWVgEuJM1Z/s1600/SNMP+DP+user+webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="695" data-original-width="874" height="508" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnf_Yq31wQ74WnqUrsD94YDTXHp9uTSBtXmi8fEDpWzN5WYYmHhbKhJzpX_2TVJCwI4qOdOeyLU0PdeVmryyBreebW7JC3IHap3G9_2IbNxn-LEZft5RGZ7lv4PDv5NwV8VuWVgEuJM1Z/s640/SNMP+DP+user+webpage.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now go to your server (Red Hat Linux with net-snmp) and run:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<i> #snmpgetnext -v 3 -u snmp-pooling -a MD5 -A "snmppooling" -x DES -X "snmppooling" -l authNoPriv 10.136.51.214 .1.3.6.1.4.1.14685.3.2.15.1.2</i></div>
<div>
<br /></div>
<div>
#SNMPv2-SMI::enterprises.14685.3.2.15.1.2.1 = STRING: "admin"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi597WmCiEcKilmnWll0Mp_n6Y4mseoer9wsOGX4qL9oo1Pv3fhh0VbOrcVEm5LviQ7qwa_83V6SJ0z7Xm9NmDisYCvR6NVgCkQ53p2l-Hx-oLRQyaO1AvgNDKTShqxZGrw6V4rjnuUGVwt/s1600/putty_screenshot_example_snmp_dp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="279" data-original-width="1165" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi597WmCiEcKilmnWll0Mp_n6Y4mseoer9wsOGX4qL9oo1Pv3fhh0VbOrcVEm5LviQ7qwa_83V6SJ0z7Xm9NmDisYCvR6NVgCkQ53p2l-Hx-oLRQyaO1AvgNDKTShqxZGrw6V4rjnuUGVwt/s640/putty_screenshot_example_snmp_dp.png" width="640" /></a></div>
<div>
<br /></div>
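A small parser for the varbind lines that net-snmp tools print, as an added example that is not part of the original post: it converts the OID to numeric form, checks that it sits under the DataPower enterprise arc, and implements the two checks a getnext-based walk loop needs (the agent advanced past the requested OID, and the answer is still inside the subtree being polled). The second sample line is constructed to show the walk leaving the subtree.

```python
import re

# Constructed sample: two varbinds in the "OID = TYPE: value" form that net-snmp tools
# such as snmpgetnext print. The first line is the response shown in the post; the
# second is made up to show a walk stepping out of the requested subtree.
SAMPLE_OUTPUT = '''\
SNMPv2-SMI::enterprises.14685.3.2.15.1.2.1 = STRING: "admin"
SNMPv2-SMI::enterprises.14685.3.2.15.1.3.1 = INTEGER: 1
'''

# Symbolic prefixes net-snmp prints when no MIB is loaded, and the numeric arcs they stand for.
SYMBOLIC = {"SNMPv2-SMI::enterprises": (1, 3, 6, 1, 4, 1), "iso": (1,)}
# Enterprise arc of the DataPower MIBs (the 1.3.6.1.4.1.14685 prefix of the post's OIDs).
DATAPOWER_ARC = (1, 3, 6, 1, 4, 1, 14685)

VARBIND = re.compile(r'^(\S+) = ([A-Za-z0-9]+): (.*)$')
INTEGER_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32", "Timeticks"}


def parse_oid(text):
    """Turn '.1.3.6.1.4.1.14685...' or 'SNMPv2-SMI::enterprises.14685...' into a tuple of ints."""
    for prefix, arc in SYMBOLIC.items():
        if text.startswith(prefix + "."):
            return arc + tuple(int(x) for x in text[len(prefix) + 1:].split("."))
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_varbind(line):
    """Return (oid, type, value) for one output line: STRING values lose their quotes,
    integer-like types become int, anything else stays as printed."""
    m = VARBIND.match(line.strip())
    if not m:
        raise ValueError("not a varbind line: %r" % line)
    oid, typ, raw = parse_oid(m.group(1)), m.group(2), m.group(3)
    if typ == "STRING":
        value = raw.strip('"')
    elif typ in INTEGER_TYPES:
        # Timeticks are printed as "(12345) 0:02:03.45"; keep the raw tick count.
        value = int(raw.split()[0].lstrip("(").rstrip(")"))
    else:
        value = raw
    return oid, typ, value


def parse_output(text):
    return [parse_varbind(l) for l in text.splitlines() if l.strip()]


def in_subtree(oid, base):
    return oid[:len(base)] == base


def is_datapower(oid):
    return in_subtree(oid, DATAPOWER_ARC)


def walk_step(base, requested, returned):
    """Decide whether a getnext walk over `base` continues after the agent answered
    `returned` to a request for `requested`. The agent must have advanced
    lexicographically (otherwise a naive loop never terminates); the walk is finished
    once the answer leaves `base`."""
    if returned <= requested:
        raise ValueError("agent did not advance past the requested OID")
    return in_subtree(returned, base)


if __name__ == "__main__":
    base = parse_oid(".1.3.6.1.4.1.14685.3.2.15.1.2")
    last = base
    for oid, typ, value in parse_output(SAMPLE_OUTPUT):
        if not walk_step(base, last, oid):
            break
        print(".".join(map(str, oid)), typ, value)
        last = oid
```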
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
See that the password <i>snmppooling</i> was set up on the previous DataPower page. Also replace the IP address in the command above with your DataPower IP address. <i>.1.3.6.1.4.1.14685.3.2.16.1.2</i> is the Object ID value; you can get it by opening the .txt files in the SNMP Settings > Enterprise MIBs tab. See screenshot:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcp98NYmRgl8uUR3Wg7m7XS9l4woHERza1UyZKFUf1rUqr5y1Dk9fxH4fMOMfbGfBd8WamdqE9vPQ1wtQQa2i7cjPm5TwNm1wymxUNSYp4kL9xhVlUL-XlhEEK7Z2_BbjBaLiZoB4Jjvm6/s1600/MIBs+screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="1042" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcp98NYmRgl8uUR3Wg7m7XS9l4woHERza1UyZKFUf1rUqr5y1Dk9fxH4fMOMfbGfBd8WamdqE9vPQ1wtQQa2i7cjPm5TwNm1wymxUNSYp4kL9xhVlUL-XlhEEK7Z2_BbjBaLiZoB4Jjvm6/s640/MIBs+screenshot.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can open such a file in MibBrowser (more details about this tool here: <a href="http://integrationyay.blogspot.de/2014/04/datapower-testing-snmp-using.html">http://integrationyay.blogspot.de/2014/04/datapower-testing-snmp-using.html</a>); loading the file in this free tool shows the Object ID values in a friendlier way.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
See an example screenshot:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-hbPzbYGwShirIaaaP2SkbzATK63j4WaRSrOav1U1jbjFVI4iWBnnsDZcdpPGLq7sdTgUtKv_l5YDbYcAqZVj2ipctMZYn0o2fa-UyKNDwoMakqVk-U5Sg3WAgHF-xwzwKI0iLayHNXfA/s1600/MibBrowser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="854" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-hbPzbYGwShirIaaaP2SkbzATK63j4WaRSrOav1U1jbjFVI4iWBnnsDZcdpPGLq7sdTgUtKv_l5YDbYcAqZVj2ipctMZYn0o2fa-UyKNDwoMakqVk-U5Sg3WAgHF-xwzwKI0iLayHNXfA/s640/MibBrowser.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />Leandro Takeda (http://www.blogger.com/profile/17121666287686531345)<br />
<br />
DataPower: How to duplicate, rename, and bulk delete objects? (2015-06-15)<div class="MsoNormal">
<h3>
Introduction</h3>
</div>
<div class="MsoNormal">
Did you know that all the objects that exist in a domain are there just because of a single configuration file? Did you know that you can wipe out all the objects by simply deleting the content of this file? Did you know that you can manipulate all the objects using your favorite text editor?</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If you answered yes to any of the above questions, you are done and don't need to spend any more time on this article. If not, take a seat, relax, and enjoy these tips as you become a DataPower cheater.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h3>
Understanding the case</h3>
</div>
<div class="MsoNormal">
While booting, DataPower looks for the .cfg files spread over all the domains. These .cfg files contain the instructions for which objects and configuration should be loaded into memory for run time. In fact, the only reason your objects are still in place after you restart a domain or recycle the entire box is that these .cfg files store the details of almost everything for you.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Take a moment to analyze any .cfg file you have in the default or any other existing domain. Usually they are named after the domain, so a domain called Sandbox has one config:///Sandbox.cfg file. The default domain is the exception: its file is called autoconfig.cfg.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Take a moment there and start reading a few lines; you will soon realize that every object you created through any DataPower interface is there. Created a new Crypto Profile? It will be there. Created a new Deployment Policy? It will also be there. Defined a password for a local user? No, that will not be there, and honestly, I don't know where this information is stored. :-)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h3>
Usage</h3>
</div>
<div class="MsoNormal">
I use this a lot. Duplicating, triplicating and sometimes quadruplicating Deployment Policies used to kill me back in the day, because I did all of it through the WebGUI. If you have done that, you know what I am talking about. Imagine a scenario in which you need one Deployment Policy for each environment, say one for UNIT, one for INTG, one for PERF, and one (or more) for PROD. You would probably keep the UNIT one, which you supposedly created first, open in one browser tab and visually refer to it while creating the others. That means a lot of eye work from left to right and MANY clicks to add the Modified Configurations. So after dying a few times, I decided to investigate a less time-consuming way, and that is when I had the idea of doing it through the .cfg file.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
My UNIT deployment policy was the following:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">deployment-policy "Service-UNIT-DeploymentPolicy"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointHostname&Value=.*" "change" "" "unit-server.datapower.com"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointPort&Value=.*" "change" "" "80"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/multiprotocol-gateway?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/ws-proxy?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">exit</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So to create something similar for my INTG environment, I just copied it, pasted it on the lines below, and changed the parameters for the new environment, such as name, hostname, port, etc.:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">deployment-policy "<b>Service-UNIT-DeploymentPolicy</b>"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointHostname&Value=.*" "change" "" "<b>unit-server.datapower.com</b>"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointPort&Value=.*" "change" "" "80"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/multiprotocol-gateway?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/ws-proxy?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">exit</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">deployment-policy "<b>Service-INTG-DeploymentPolicy</b>"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointHostname&Value=.*" "change" "" "<b>intg-server.datapower.com</b>"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointPort&Value=.*" "change" "" "80"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/multiprotocol-gateway?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;"> modify "*/*/services/ws-proxy?Property=DebugMode" "change" "" "off"</span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">exit</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Once done, it was just a matter of restarting the domain and the Deployment Policies were replicated.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h3>
Other related tips...</h3>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h4>
Use it to find out the right CLI command to perform a specific action</h4>
</div>
<div class="MsoNormal">
Don't remember the exact CLI command to create a crypto object? Go to the .cfg file and look for a reference to one; when you find it, that is the command you are looking for, because the .cfg file is nothing more and nothing less than CLI commands grouped in a single place.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h4>
Use it to delete a massive amount of objects</h4>
</div>
<div class="MsoNormal">
For example, you created a bunch of Web Service Proxies or Multi-Protocol Gateways. By default, creating these objects rewards you with many child objects, such as matching rules, processing actions, SLM policies, etc., that do not go away even after you remove their parents. The good news is that they are named after their parents, so you can sort them easily and quickly select them for removal.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h4>
Changing object names</h4>
</div>
<div class="MsoNormal">
In general, you cannot rename objects in DataPower. Gave one the wrong name? Delete it and recreate it. As an alternative, go to the .cfg file and rename it there. Once done, restart the domain and voilà!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<h3>
Recommendations</h3>
</div>
<div class="MsoNormal">
</div>
<ul>
<li>Be careful. Make sure you know what you are doing before playing with this file. Rule of thumb: always have a backup of it in case something goes wrong.</li>
<li>Some words are reserved, and the default interfaces won't be there to tell you that, so be careful. Rule of thumb: avoid object names that can be confused with an existing command; for example, when naming an Alias object, use "xmlAlias" instead of just "xml", as it may be parsed incorrectly by the interpreter when loading the objects into memory.</li>
<li>And last but not least, BE CAREFUL, not sure if I have already said that.</li>
</ul>
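The four .cfg manipulations above (duplicating a Deployment Policy per environment, bulk-deleting child objects by name prefix, renaming an object, and checking for names that collide with command words) as one script, an added example that is not part of the original post. It assumes the flat layout shown in the post (unindented header, indented property lines, unindented <i>exit</i>), applies replacements only to quoted values so a port "80" is never rewritten inside an unrelated string, and, when renaming, also rewrites quoted references to the old name in other objects, since DataPower objects refer to each other by name. The sample fragment is constructed from the post's UNIT policy plus a made-up matching rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample .cfg fragment, modelled on the deployment-policy shown in the post.
# It is not a real domain's file; real files start with "top; configure terminal;" and
# hold many more object types, which the parser simply passes over.
SAMPLE_CFG = '''\
deployment-policy "Service-UNIT-DeploymentPolicy"
 modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointHostname&Value=.*" "change" "" "unit-server.datapower.com"
 modify "*/*/wsm/wsm-endpointrewrite?Name=.*&Property=WSEndpointRemoteRewriteRule/RemoteEndpointPort&Value=.*" "change" "" "80"
 modify "*/*/services/multiprotocol-gateway?Property=DebugMode" "change" "" "off"
 modify "*/*/services/ws-proxy?Property=DebugMode" "change" "" "off"
exit
matching "OrderService_match"
 urlmatch "/order/*"
exit
'''

# An object header is an unindented command word followed by the quoted object name.
HEADER = re.compile(r'^(\S+) "([^"]*)"\s*$')
# Any quoted token; used to substitute values without touching the command words.
QUOTED = re.compile(r'"([^"]*)"')


@dataclass
class CfgObject:
    kind: str                                       # command word, e.g. deployment-policy
    name: str
    body: list = field(default_factory=list)        # property lines, kept verbatim


def parse_cfg(text):
    """Split a .cfg into objects. Assumes the flat layout seen in the post:
    unindented header, indented property lines, unindented 'exit'."""
    objects, current = [], None
    for line in text.splitlines():
        if current is None:
            m = HEADER.match(line)
            if m:
                current = CfgObject(m.group(1), m.group(2))
            # unindented non-header lines (top, configure terminal, ...) are skipped
        elif line.strip() == "exit" and not line[:1].isspace():
            objects.append(current)
            current = None
        else:
            current.body.append(line)
    return objects


def render(obj):
    """Emit the object in the same CLI form the .cfg file uses."""
    return "\n".join(['%s "%s"' % (obj.kind, obj.name), *obj.body, "exit"]) + "\n"


def substitute(line, replacements):
    """Replace quoted values that match a key exactly; everything else is left alone."""
    return QUOTED.sub(lambda m: '"%s"' % replacements.get(m.group(1), m.group(1)), line)


def duplicate(obj, replacements):
    """Copy an object for another environment: the post's copy, paste and edit step."""
    return CfgObject(obj.kind, replacements.get(obj.name, obj.name),
                     [substitute(l, replacements) for l in obj.body])


def rename(objects, kind, old, new):
    """Rename an object and every quoted reference to it in any object's properties.
    Returns the number of property lines rewritten."""
    touched = 0
    for obj in objects:
        if obj.kind == kind and obj.name == old:
            obj.name = new
        for i, line in enumerate(obj.body):
            updated = substitute(line, {old: new})
            if updated != line:
                obj.body[i] = updated
                touched += 1
    return touched


def delete_by_prefix(objects, prefix):
    """Drop the child objects a deleted service leaves behind: they carry its name."""
    return [o for o in objects if not o.name.startswith(prefix)]


def check_names(objects):
    """Return object names equal to a command word used anywhere in the file, which the
    post warns the CLI parser may misread (its example: an alias named "xml")."""
    words = {"exit"} | {o.kind for o in objects}
    for o in objects:
        words |= {l.split()[0] for l in o.body if l.split()}
    return [o.name for o in objects if o.name in words]


if __name__ == "__main__":
    objs = parse_cfg(SAMPLE_CFG)
    intg = duplicate(objs[0], {"Service-UNIT-DeploymentPolicy": "Service-INTG-DeploymentPolicy",
                               "unit-server.datapower.com": "intg-server.datapower.com"})
    print(render(objs[0]) + "\n" + render(intg))
```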
<br />
<div class="MsoNormal">
<h3>
Conclusion</h3>
</div>
<div class="MsoNormal">
The possibilities are endless; you can save a lot of time after mastering this. Duplicating, bulk deletion and searching for commands are just the obvious things you can do with the .cfg files. The limit here is your imagination, so if you think of something cool that the knowledge in this article enabled you to do, don't hesitate to share it with us in the comments section below. Happy .cfg'ing!</div>
<div>
<br /></div>
Bruno R Neves (http://www.blogger.com/profile/06753136071159835651)<br />
<br />
DataPower: Keeping your appliances less prone to attacks (2015-02-13)<br />
Chances are that if your DataPower appliances face the Internet, you have suffered, or are suffering right now, brute force attacks. Don't think so? Check your logs...<br />
<br />
This problem becomes more evident when you have default ports open to the Internet, say ports 22, 80, 443, 5550, 9090, etc.<br />
<br />
This happens because there are thousands of bots out there scanning every IP and port all around the world. They use what is called the brute force technique.<br />
<br />
Brute force is a type of attack that tries to gain access to servers by repeatedly trying different combinations of credentials. It may also use a dictionary of the most commonly used passwords out there, such as 123456, password, qwerty, abc123, etc.<br />
<br />
Let's take a look at this real-case scenario:<br />
<br />
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T043514Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T043515Z [network][error] : tid(2): TCP connection attempt refused from 159.226.43.96 to X.X.X.X port 80</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T063841Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T063841Z [auth][error] : User 'service iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T063841Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T072620Z [auth][error] : User 'service iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T072628Z [auth][error] : User 'chmod 777 148080' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T072636Z [auth][error] : User 'cd /tmp' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T073442Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T073443Z [network][error] : tid(2): TCP connection attempt refused from 78.101.49.77 to X.X.X.X port 80</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T084505Z [auth][error] : User 'service iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T084513Z [auth][error] : User 'chmod 777 148080' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T084521Z [auth][error] : User 'cd /tmp' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T120039Z [network][error] : tid(2): TCP connection attempt refused from 199.217.118.79 to X.X.X.X port 10000</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T120350Z [network][error] : tid(2): TCP connection attempt refused from 112.221.251.221 to X.X.X.X port 80</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T124135Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T124135Z [auth][error] : User 'service iptables stop' failed to log in.</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px;">
20150213T124135Z [auth][error] : User '/tmp/init.d/iptables stop' failed to log in.</div>
<br />
Someone trying to log in with the user id "service iptables stop" or "chmod 777 148080" looks suspicious, right? LOL<br />
<br />
Having observed this behavior for a few months now, I noticed that most IPs are from China. On the connection attempts I received today, however, just one is from China (159.226.43.96); then we have one from Qatar (78.101.49.77), one from the United States (199.217.118.79), and one from Korea (112.221.251.221). Before you start blaming these countries, keep in mind that it is really simple to fake an IP like that in order to hide the real source of the attacks.<br />
<br />
What I want to say here is that blocking IPs with ACLs will barely provide a solution, even if you block huge IP ranges of a given country. It may work in the short term, but it will fail in the long term as other IPs appear. Trust me, I tried! :-)<br />
<br />
The truth is you are never 100% safe; what you can do is try to understand how these bots work and come up with a strategy to deceive or avoid them. Some bots are more intelligent than others, so they spend some time performing a full port scan on a given IP to determine which ports are open, and then direct a specific attack at specific services. For example, if port 22 is open, the bot starts with user ids and passwords, and only after it succeeds does it try actual OS commands. If port 80 is open, it will probably try to exploit recently discovered vulnerabilities in web servers.<br />
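Detection logic for the two message types in the log excerpt above, as an added example that is not from the post: it flags failed logins whose user id looks like a shell command (the automated probing shown above), repeated failures for one user id within a short window, and any source refused on several distinct ports, which is the port scan just described. The sample lines are constructed in the post's log format, with RFC 5737 documentation addresses in place of the real sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the post's log excerpt (documentation addresses).
SAMPLE_LOG = """\
20150213T043514Z [network][error] : tid(2): TCP connection attempt refused from 203.0.113.9 to X.X.X.X port 80
20150213T043515Z [network][error] : tid(2): TCP connection attempt refused from 203.0.113.9 to X.X.X.X port 22
20150213T043516Z [network][error] : tid(2): TCP connection attempt refused from 203.0.113.9 to X.X.X.X port 9090
20150213T043517Z [network][error] : tid(2): TCP connection attempt refused from 203.0.113.9 to X.X.X.X port 5550
20150213T063841Z [auth][error] : User '/etc/init.d/iptables stop' failed to log in.
20150213T063841Z [auth][error] : User 'service iptables stop' failed to log in.
20150213T063842Z [auth][error] : User 'admin' failed to log in.
20150213T063843Z [auth][error] : User 'admin' failed to log in.
20150213T063844Z [auth][error] : User 'admin' failed to log in.
20150213T120039Z [network][error] : tid(2): TCP connection attempt refused from 198.51.100.7 to X.X.X.X port 10000
20150213T124135Z [auth][error] : User 'chmod 777 148080' failed to log in.
"""

LINE = re.compile(r'^(\d{8}T\d{6}Z) \[(\w+)\]\[(\w+)\] : (.*)$')
REFUSED = re.compile(r'TCP connection attempt refused from (\S+) to \S+ port (\d+)')
FAILED_LOGIN = re.compile(r"User '(.*)' failed to log in\.")
# Characters that do not belong in a DataPower user id but are typical of commands
# a bot types blindly into the login prompt.
COMMAND_LIKE = re.compile(r'[\s/;|&$`]')


def parse(text):
    """One dict per recognised line: timestamp, category, level and message."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m.group(1), "%Y%m%dT%H%M%SZ"),
                       "category": m.group(2), "level": m.group(3), "msg": m.group(4)})
    return events


def failed_logins(events):
    """(timestamp, user id) for every auth failure."""
    out = []
    for e in events:
        m = FAILED_LOGIN.search(e["msg"]) if e["category"] == "auth" else None
        if m:
            out.append((e["ts"], m.group(1)))
    return out


def command_like_logins(events):
    """User ids that look like shell commands: automated probing, not a typo."""
    return [user for _, user in failed_logins(events) if COMMAND_LIKE.search(user)]


def login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """User ids with `threshold` failures inside `window`; value is the burst start."""
    stamps = defaultdict(list)
    for ts, user in failed_logins(events):
        stamps[user].append(ts)
    bursts = {}
    for user, ts in stamps.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                bursts[user] = ts[i]
                break
    return bursts


def port_scanners(events, min_ports=3):
    """Sources refused on at least `min_ports` distinct ports: the scan that precedes
    a service-specific attack."""
    ports = defaultdict(set)
    for e in events:
        m = REFUSED.search(e["msg"])
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("command-like user ids:", command_like_logins(ev))
    print("login bursts:", login_bursts(ev))
    print("port scanners:", port_scanners(ev))
```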
<br />
Your best bet to avoid this kind of attack is to eliminate the default ports from your configuration and limit the number of ports open to the Internet. For example, there is hardly any need to leave the administration services, such as SSH, SOMA and the WebGUI, open to the Internet when most companies have VPN services that let administrators reach those interfaces from a more secure environment.<br />
<br />
EDIT: <a href="http://www.orangespecs.com/about/" target="_blank">Dan Zrobok</a> also wrote a very interesting article about security titled <a href="http://www.orangespecs.com/six-common-security-issues-found-in-datapower-environments/" target="_blank">Five Common Security Issues Found in DataPower Environments</a>. We highly recommend reading it, as he covers other very important topics: Firmware Currency, Administrative Accounts, TLS Cipher Suites and Protocol Versions, and Exception Information Leaks (giving more information in an error message than needed).<br />
<br />
With all this in mind, you are not only keeping your device safer but also implementing best practices used in the most secure enterprises around the globe.<br />
<br />
Have other ideas to prevent attacks? Share them with us!<br />
Bruno R Neves (http://www.blogger.com/profile/06753136071159835651)<br />
<br />
DataPower: How to send logs to a remote syslog server (2014-11-26)<br />
Well, here's my first post on this blog. From time to time, I'll try to share some of the things I have learned over the past few years of enjoying working with DataPower. Thanks to Bruno Neves for inviting me to collaborate on this blog!<br />
<br />
I will start with a little thing, so simple but, I think, so important: sending DataPower log information to a remote server. We don't want to keep DataPower system logs only on the DataPower filesystem, right? We never know when an appliance will crash!<br />
<br />
DataPower offers a variety of options to send logs elsewhere: to a SOAP client, via email (SMTP), to an NFS share... Here, we will send log information to a syslog server. The key object to achieve this is the <b>Log Target</b> object. It lives in the <i>default</i> domain (and, of course, your user account must have the right privileges to work with it).<br />
<br />
<h3>
Configure a syslog server</h3>
<br />
First things first! We need a syslog server, right? Here I will show how to set one up on a machine running Ubuntu. It's quite simple using the <i>rsyslog</i> service. First, you need to allow <i>rsyslog</i> to accept incoming syslog messages from clients. For that, edit the <i>rsyslog.conf</i> file, as shown below:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$></span><span style="font-family: 'Courier New', Courier, monospace;"> </span><span style="font-family: Courier New, Courier, monospace;">sudo vi /etc/rsyslog.conf</span><br />
<br />
Uncomment the lines that allow incoming traffic over UDP or TCP. I chose TCP, so I removed the comments from the lines below to accept traffic over TCP on port 514:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"># provides TCP syslog reception</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ModLoad imtcp</span><br />
<span style="font-family: Courier New, Courier, monospace;">$InputTCPServerRun 514</span><br />
<div>
<br /></div>
<div>
Now we will define the file name pattern for our log files. I decided to store the files under /var/log/rsyslog/&lt;datapower_name&gt;, named with the date (year-month-day) plus the DataPower name. So I added the following lines to the end of the file (note the closing quote on the template string, which rsyslog requires):<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">$template DailyPerHostLogs, "/var/log/rsyslog/%HOSTNAME%/%$YEAR%%$MONTH%%$DAY%-%HOSTNAME%.log"</span><br />
<span style="font-family: Courier New, Courier, monospace;">dtp* -?DailyPerHostLogs</span><br />
<div>
<br /></div>
If you want a different file name pattern, that's fine: go to <a href="http://www.rsyslog.com/doc/master/configuration/properties.html">http://www.rsyslog.com/doc/master/configuration/properties.html</a> and look for other properties.<br />
<br /></div>
Now we have to allow the user <i>syslog</i> to write to our log directory (the command below uses a relative path, so run it from /var/log, the parent of the rsyslog directory):<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$></span><span style="font-family: 'Courier New', Courier, monospace;"> </span><span style="font-family: Courier New, Courier, monospace;">sudo chown syslog:syslog rsyslog</span><br />
<br />
Save these changes and restart <i>rsyslog </i>service:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$></span><span style="font-family: 'Courier New', Courier, monospace;"> </span><span style="font-family: Courier New, Courier, monospace;">sudo service rsyslog restart</span><br />
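The same reception, template and per-host file layout in rsyslog's RainerScript syntax (rsyslog 7 and later), as an added example that is not part of the original post. The path, the port and the <i>dtp</i> hostname prefix are the post's; the explicit hostname filter, the restrictive file and directory modes, and the <i>stop</i> that keeps DataPower messages out of the local syslog files are my additions.

```conf
# Receive syslog over TCP on port 514 (same as the post's $ModLoad imtcp / $InputTCPServerRun 514).
module(load="imtcp")
input(type="imtcp" port="514")

# One file per DataPower per day: /var/log/rsyslog/<hostname>/<yyyymmdd>-<hostname>.log
template(name="DailyPerHostLogs" type="string"
         string="/var/log/rsyslog/%HOSTNAME%/%$YEAR%%$MONTH%%$DAY%-%HOSTNAME%.log")

# Select messages by the sender's identifier (the Log Target's "Local Identifier", dtp6 in
# the post) rather than by facility, create missing directories, and keep the files
# readable by the syslog user and group only.
if $hostname startswith "dtp" then {
    action(type="omfile" dynaFile="DailyPerHostLogs"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="syslog" fileGroup="syslog")
    stop
}
```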
<br />
<h3>
Configure a Log Target on DataPower</h3>
<br />
Now it's time to set up a syslog client on DataPower by creating a new Log Target object. I will explain how to do that via the WebGUI; later you can play around and do it via SSH or XML.<br />
<ul>
<li>On <i>default </i>domain, look for "Log Target" or go to <i><b>Objects </b>> <b>Logging Configuration</b> > <b>Log Target</b></i>;</li>
<li>A list of Log Targets is displayed. There must be at least one, the <i>default-log</i> object, which sends log entries to the default system log. Don't change it unless you really know what you're doing! Click <b>Add</b> to create a new object;</li>
<li>Change the following properties:</li>
<ul>
<li><b>Name</b>: it's the name of the object. I named it "<i>Syslog-LogTarget</i>" (you can go with anything else);</li>
<li><b>Target Type</b>: select "<i>syslog-tcp</i>";</li>
<li><b>Local IP Address</b>: the IP address of your DataPower device. In my case, it's "<i>192.168.75.128</i>" (which is set up in a Host Alias object);</li>
<li><b>Local Identifier</b>: identifies who is sending the log information to the syslog server. I went with "<i>dtp6</i>";</li>
<li><b>Remote Host</b>: the IP address where the syslog server is running. For me, it's "<i>192.168.75.133</i>";</li>
<li><b>Remote Port</b>: the port where the syslog server is running. It should be "<i>514</i>", unless you set up a different port on <i>rsyslog.conf</i> file;</li>
</ul>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsN59JDtGJZW4Ybz9maWzXTJRKEy2j2qCevNmqyDMI43ELKcqlvEaN5h3lO7pphBBa_H5KoLynyC893nF3Yofj-OewXWn-7bZGSq1KWI-Wx-VBIvkAZL8d7pdKdkYRIj5RqZluoBAbAz1_/s1600/Remote-LogTarget.png" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsN59JDtGJZW4Ybz9maWzXTJRKEy2j2qCevNmqyDMI43ELKcqlvEaN5h3lO7pphBBa_H5KoLynyC893nF3Yofj-OewXWn-7bZGSq1KWI-Wx-VBIvkAZL8d7pdKdkYRIj5RqZluoBAbAz1_/s1600/Remote-LogTarget.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Log Target configuration with syslog-tcp as target type</td></tr>
</tbody></table>
<div>
<ul>
<li>We also have to define what type of information will be sent to our syslog server. Go to the <b>Event subscriptions</b> tab and add at least one subscription. Here we subscribe to all event categories at the "<i>notice</i>" level, which forwards everything at notice severity and above (notice, warning, error, critical, alert, emergency). If you want a narrower feed, subscribe to specific categories instead;</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUTYmJOooWGCr2xWgVn_SEsM_xfdVdQMdnHgqwl77LCKJ0kughjrI2RaVnlr3o4Kld3RpOYH9X4hrZrx5PRJLIU08oymCSrTmklS7COiNBXg94y1rzD2eD638zqNmGINGnh2cb0fYM3wXQ/s1600/Remote-LogTarget-EventSubsc.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUTYmJOooWGCr2xWgVn_SEsM_xfdVdQMdnHgqwl77LCKJ0kughjrI2RaVnlr3o4Kld3RpOYH9X4hrZrx5PRJLIU08oymCSrTmklS7COiNBXg94y1rzD2eD638zqNmGINGnh2cb0fYM3wXQ/s1600/Remote-LogTarget-EventSubsc.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adding event subscriptions to Log Target</td></tr>
</tbody></table>
<div>
<br /></div>
<ul>
<li>Save these changes (by clicking <b>Apply</b>).</li>
</ul>
</div>
<br />
<div>
At this point, you should start seeing your logs arriving on the syslog server. The file name carries a date stamp and the Local Identifier you set on the Log Target.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$> cd /var/log/rsyslog/dtp6</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$> ls</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">20141125-dtp6.log</span></div>
</div>
</div>
<div>
<br /></div>
<div>
Now run <span style="font-family: Courier New, Courier, monospace;">tail -F *</span> while interacting with DataPower and watch the entries arrive.<br />
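If you want to confirm what actually reaches the rsyslog host, or stand in for rsyslog while you debug the Log Target, the following Python script is an added example (my own code, not part of the original post and not DataPower or rsyslog code). It reassembles newline-delimited frames from the TCP stream, parses the RFC 3164 header (the &lt;PRI&gt; value, timestamp, sender and message), drops anything below the "notice" level the Log Target was subscribed at, and builds the same <i>yyyymmdd-ident.log</i> file name shown above. The sample lines are constructed; the bracketed DataPower-style prefix inside them is only illustrative, and the script assumes the syslog hostname field carries the Log Target's Local Identifier.

```python
"""Check what a DataPower syslog-tcp Log Target delivers.

Added example for this post, not code from DataPower or rsyslog.  The sample
lines below are constructed in RFC 3164 layout (<PRI>timestamp host message);
the bracketed DataPower-style prefix inside them is illustrative rather than
verbatim appliance output, and the hostname field is assumed to carry the
Log Target's Local Identifier.
"""
import os
import re
import socket
from datetime import date

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{n}" for n in range(8)]

# <PRI>Mmm dd hh:mm:ss host message  (RFC 3164 header; PRI = facility*8 + severity)
LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Two constructed TCP reads: the first stops in the middle of a line, the
# second completes it and carries two more.  TCP is a byte stream, so a
# receiver must reassemble frames instead of assuming one read = one message.
SAMPLE_CHUNKS = [
    b"<29>Nov 25 10:15:02 dtp6 [0x80e00086][mpgw][notice] mpgw(orders): request "
    b"from 192.168.75.140 acc",
    b"epted\n"
    b"<27>Nov 25 10:15:03 dtp6 [0x01530001][auth][error] AAA policy 'orders-aaa' "
    b"rejected user 'svc-batch'\n"
    b"<30>Nov 25 10:15:03 dtp6 [0x80e0007e][mpgw][info] backend call took 12 ms\n",
]


class FrameReader:
    """Reassembles newline-delimited syslog frames from a TCP byte stream."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk: bytes) -> list:
        """Add received bytes; return the complete lines, keep any partial tail."""
        self._buf += chunk
        *complete, self._buf = self._buf.split(b"\n")
        return [c.decode("utf-8", "replace").rstrip("\r") for c in complete if c]


def parse_syslog_line(line: str) -> dict:
    """Split an RFC 3164 line into facility, severity, timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                            # 24 facilities x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}


def at_least(record: dict, min_severity: str = "notice") -> bool:
    """True when the record is at min_severity or more severe (lower index)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(min_severity)


def log_path(record: dict, day: date, base: str = "/var/log/rsyslog") -> str:
    """Mirror the <base>/<ident>/<yyyymmdd>-<ident>.log layout shown above."""
    return f"{base}/{record['host']}/{day:%Y%m%d}-{record['host']}.log"


def process(chunks, min_severity: str = "notice") -> list:
    """Run raw TCP reads through framing, parsing and the severity filter."""
    reader, kept = FrameReader(), []
    for chunk in chunks:
        for line in reader.feed(chunk):
            rec = parse_syslog_line(line)
            if at_least(rec, min_severity):
                kept.append(rec)
    return kept


def serve(bind: str = "0.0.0.0", port: int = 5514, base: str = "/var/log/rsyslog"):
    """Stand-in receiver: accept one connection from the appliance and append
    each accepted line to the per-day file (port 514 would need root)."""
    with socket.create_server((bind, port)) as srv:
        conn, peer = srv.accept()
        reader = FrameReader()
        with conn:
            while chunk := conn.recv(4096):
                for line in reader.feed(chunk):
                    rec = parse_syslog_line(line)
                    if not at_least(rec):
                        continue
                    path = log_path(rec, date.today(), base)
                    os.makedirs(os.path.dirname(path), exist_ok=True)
                    with open(path, "a", encoding="utf-8") as fh:
                        fh.write(f"{peer[0]} {line}\n")


if __name__ == "__main__":
    for rec in process(SAMPLE_CHUNKS):
        print(rec["severity"], rec["facility"], rec["host"], rec["message"])
```

Run it as-is to see the constructed sample processed. <span style="font-family: Courier New, Courier, monospace;">serve()</span> listens on a real port (pick a high one and point the Log Target's Remote Port at it temporarily) and writes what the appliance sends; since syslog-tcp is cleartext, this is also the quickest way to see exactly what anyone on the path would see.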
<br />
I hope this helps. Let me know your thoughts. Feel free to comment here.</div>
<div>
<br /></div>
<div>
Cheers!</div>
Unknownnoreply@blogger.com12tag:blogger.com,1999:blog-3712577241932959808.post-57296380063128316922014-10-20T17:52:00.000-05:002014-10-21T16:18:26.164-05:00DataPower: The Interoperability Test ServiceHate having to create an XML Firewall service configured as loopback every time you want to test a single stylesheet using DataPower extension functions? Well, you may have more options available to you…<br />
<br />
With firmware version 5.0, IBM introduced a capability called the Interoperability Test Service (IOP). One of the things it can do is accept a request that carries a stylesheet together with an input document, run that stylesheet against the input on the appliance, and return the transformation output as the response.<br />
<br />
To use the IOP, first enable the service at Objects > Device Management > Interoperability Test Service. Keep in mind what you are enabling: the service executes whatever stylesheet or XPath expression a client sends it, with the DataPower extension functions available, so enable it only on development or test appliances, keep it on an address that is not exposed to regular clients, and disable it again when you are done. The client reports whether HTTP basic authentication was supplied (see the output below), so use credentials whenever your configuration allows it.<br />
<br />
For the second step, you need a client to send requests to the service you have just enabled. To make life easier, IBM provides two clients in the <a href="http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FWebSphere+DataPower+SOA+Appliances&fixids=5.0.0.0-ResourceKit&source=dbluesearch&function=fixId&parent=ibm/WebSphere" target="_blank">Resource Kit 5.0</a>.<br />
<br />
After downloading it, extract it to your local file system and look for DPInteropClient.jar or dp-interop-client.sh (depending on your platform and preference).<br />
<br />
The Resource Kit 5.0 comes with some samples that can be used for testing. The first scenario covered here is base64-encoding an XML document with the dp:encode extension function:<br />
<br />
<b>The XML message to be converted to base 64</b><br />
<span style="font-family: Courier New, Courier, monospace;">$ cat message.xml</span><br />
<span style="font-family: Courier New, Courier, monospace;"><msg>Hello World!</msg></span><br />
<br />
<b>The XSLT used to encode the message into base 64</b><br />
<span style="font-family: Courier New, Courier, monospace;">$ cat toBase64.xsl</span><br />
<span style="font-family: Courier New, Courier, monospace;"><xsl:stylesheet version="1.0" </span><br />
<span style="font-family: Courier New, Courier, monospace;"> xmlns:xsl="http://www.w3.org/1999/XSL/Transform"</span><br />
<span style="font-family: Courier New, Courier, monospace;"> xmlns:dp="http://www.datapower.com/extensions"</span><br />
<span style="font-family: Courier New, Courier, monospace;"> extension-element-prefixes="dp"></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <xsl:template match="/"></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <xsl:value-of select="dp:encode(., 'base-64')"/></span><br />
<span style="font-family: Courier New, Courier, monospace;"> </xsl:template></span><br />
<span style="font-family: Courier New, Courier, monospace;"></xsl:stylesheet></span><br />
<br />
<b>The IOP client sending both the XSLT and message to be encoded along with the result from DataPower:</b><br />
<span style="font-family: Courier New, Courier, monospace;">$ ../../clients/dp-interop-client.sh -x toBase64.xsl -i message.xml -h [dphostname] -p [port]</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> Creating the XSLT request...</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> Sending the request to http://dphostname:port/</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> No basic authentication is provided.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>SGVsbG8gV29ybGQh</b></span><br />
<br />
Another useful feature is XPath evaluation. For example, take the following XML document (not included in the Resource Kit):<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">$ cat bookstore.xml </span><br />
<span style="font-family: Courier New, Courier, monospace;"><?xml version="1.0" encoding="UTF-8"?></span><br />
<span style="font-family: Courier New, Courier, monospace;"><bookstore></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><book category="COOKING"></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><title lang="en">Everyday Italian</title></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>Giada De Laurentiis</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><year>2005</year></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><price>30.00</price></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></book></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><book category="CHILDREN"></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><title lang="en">Harry Potter</title></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>J K. Rowling</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><year>2005</year></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><price>29.99</price></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></book></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><book category="WEB"></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><title lang="en">XQuery Kick Start</title></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>James McGovern</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>Per Bothner</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>Kurt Cagle</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>James Linn</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>Vaidyanathan Nagarajan</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><year>2003</year></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><price>49.99</price></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></book></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><book category="WEB"></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><title lang="en">Learning XML</title></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><author>Erik T. Ray</author></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><year>2003</year></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><price>39.95</price></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></book></span><br />
<span style="font-family: Courier New, Courier, monospace;"></bookstore></span><br />
<br />
Now apply the following XPath expression to it. It selects the title and price of every book in the "WEB" category priced strictly above 39.95, so "Learning XML", priced at exactly 39.95, is excluded:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">/bookstore/book[@category="WEB" and price>39.95]/(title|price)</span><br />
<br />
To pass this expression to the IOP client, escape the inner double quotes for the shell (or wrap the whole expression in single quotes). Note that a parenthesized union such as <span style="font-family: Courier New, Courier, monospace;">(title|price)</span> used as a location step is XPath 2.0 syntax; a strict XPath 1.0 processor needs <span style="font-family: Courier New, Courier, monospace;">*[self::title or self::price]</span> instead:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">$ ../../clients/dp-interop-client.sh -t xpath -e "/bookstore/book[@category=\"WEB\" and price>39.95]/(title|price)" -i bookstore.xml -h [dphostname] -p [port]</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> Creating the XPath request...</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> Sending the request to http://dphostname:port/</span><br />
<span style="font-family: Courier New, Courier, monospace;">>> No basic authentication is provided.</span><br />
<span style="font-family: Courier New, Courier, monospace;">Found 2 nodes:</span><br />
<span style="font-family: Courier New, Courier, monospace;">-- NODE --</span><br />
<span style="font-family: Courier New, Courier, monospace;"><title lang="en">XQuery Kick Start</title></span><br />
<span style="font-family: Courier New, Courier, monospace;">-- NODE --</span><br />
<span style="font-family: Courier New, Courier, monospace;"><price>49.99</price></span><br />
<div>
<br /></div>
Cool, huh?<br />
<br />
Besides XSLT and XPath testing, you can also use this tool to test FFD requests and perform schema validation. For more details, refer to the <a href="http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/topic/com.ibm.dp.doc/interopTest_abstract_tutorial.html" target="_blank">Interoperability Test Service page at the DataPower Information Center</a>.<br />
<br />
I remember that in the past, there used to be a DataPower plugin for Eclipse that enabled you to do practically the same stuff, but for some reason I think it was discontinued by IBM. Have you ever heard of it? Had a chance to use it? How do you compare it with this new method available?Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com2tag:blogger.com,1999:blog-3712577241932959808.post-64620628315799150222014-10-20T13:09:00.002-05:002014-10-20T17:53:06.684-05:00DataPower: No more XG45, XI52, XB62 and XI50BYou read it correctly folks, as of November 21st, 2014, there will be no more DataPower Service Gateway XG45, no more DataPower Integration Appliance XI52, and no more DataPower B2B Appliance XB62. No reason to be scared though, even with that scary headline I put on purpose (I am sorry about that).<br />
<br />
As usual, every October IBM releases some news regarding the next firmware version that becomes available every November. This time IBM announced the firmware version 7.1 and with it, its intention to unify the family of appliances into a single product, the IBM DataPower Gateway.<br />
<br />
The IBM DataPower Gateway will come equipped with the same functions the current XG45 comes with. If advanced functions are needed, such as B2B features available only on the current XB62, a software module can be installed to satisfy the requirement.<br />
<br />
This is actually good news for companies that already have XG45 and/or XI52 appliances and were planning to acquire more appliances to support B2B functions. With version 7.1, it becomes possible to install the new software module on the current appliances and take advantage of the B2B functions previously available only on the XB62.<br />
<br />
The DataPower family of appliances is downsizing again, in both models and colors (remember the good times?): from the green XA35, the yellow XS40, the blue XI50, the purple XB60 and the silver XM70, through the all-black XG45, XI52 and XB62, to a single Gateway appliance now (color TBD, but I bet it will be black as well). In spite of that, no feature was left behind: everything that could be done a few years back can still be done on the current offerings, and that is what really matters for us, DataPower lovers.<br />
<br />
Please refer to the <a href="http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/4/897/ENUS214-394/index.html&lang=en&request_locale=en" target="_blank">official IBM Announcement</a> describing the new offerings in detail.Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com20tag:blogger.com,1999:blog-3712577241932959808.post-91091350186704307452014-07-16T18:24:00.002-05:002014-07-16T18:24:38.355-05:00IIB: WebSphere MQ no longer required to run IBM Integration BusAs you may know, IBM Integration Bus is the successor to WebSphere Message Broker. You may also know that installing WebSphere Message Broker requires installing a copy of WebSphere MQ as well, and the same is true of the latest GA version of IBM Integration Bus, version 9.<br /><br />What you may not know is that the upcoming version 10 of IBM Integration Bus will no longer require WebSphere MQ to be installed first, judging by the current V10 Open Beta.<br /><br />A WebSphere MQ license is still part of the IBM Integration Bus package, but installing it will only be required in a few cases, such as when a flow uses the MQ Input or MQ Output nodes.<br /><br />To see what else is new in this version, refer to the <a href="http://www-01.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bb23850_.htm" target="_blank">release notes</a> IBM published back in May.Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com1tag:blogger.com,1999:blog-3712577241932959808.post-15583820726293891022014-06-16T11:08:00.000-05:002014-06-16T11:17:37.437-05:00DataPower: IBM technotes are now providing GatewayScript sample code in addition to XSLTWith the recent release of GatewayScript for the DataPower family of appliances, IBM is now writing technotes that, in addition to XSLT, also contain a sample in the new GatewayScript format.<br />
<br />
An example is <a href="http://www-01.ibm.com/support/docview.wss?uid=swg21672961" target="_blank">a technote published last week</a> describing how to remove the Content-Type header that DataPower automatically adds to responses. For XSLT, the technote gives the following solution (the <i>dp</i> prefix must be bound to the <i>http://www.datapower.com/extensions</i> namespace on the enclosing stylesheet, as in the IOP example above):<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><xsl:template match="/"><br /> <dp:remove-http-response-header name="Content-Type"/> <br /></xsl:template></span><br />
<br />
Now for the GatewayScript, the following code was provided:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">var hm = require('header-metadata');<br />hm.current.remove('Content-Type');</span><br />
<br />
For experienced DataPower developers, the first solution seems simpler, as it requires only one line of code to perform that action (ignoring of course the opening and closing of the <xsl:template> element).<br />
<br />
The GatewayScript solution though, may look simpler for those used to the JavaScript language, which the GatewayScript is based on.<br />
<br />
What would have been your choice if you were assigned to solve this issue? XSLT or GatewayScript?Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com0tag:blogger.com,1999:blog-3712577241932959808.post-76935807482072439472014-05-13T18:41:00.001-05:002014-05-13T18:42:08.812-05:00DataPower: Meet the new features that will be available on firmware V7.0We are exactly one month away from the general availability of the new DataPower firmware V7.0. Although we have already mentioned the capability that <a href="http://integrationyay.blogspot.com/2014/04/datapower-what-to-expect-from-new.html" target="_blank">will change the course of our lives forever</a> (just kidding), the new firmware also brings many other cool features that clients have been requesting as <a href="http://www.ibm.com/developerworks/rfe/" target="_blank">enhancements</a>, such as:<br />
<ul>
<li>A dedicated virtual appliance edition for developers</li>
<li>SFTP support for XG45</li>
<li>GatewayScript (JavaScript enablement in the processing policy)</li>
<li>Improved API Management</li>
<li>Network Link Aggregation for redundancy and increased throughput</li>
<li>WebSocket Proxy for low-latency communication</li>
<li>Support for Sterling Multi-Enterprise Integration Gateway (MEIG)</li>
<li>GTID or Global Transaction ID to ease troubleshooting of chained services</li>
<li>Citrix XenServer support for additional deployment flexibility</li>
</ul>
<br />
Yesterday IBM released a new <a href="http://www.slideshare.net/ibmdatapower/ibm-datapower-appliances-whats-new-in-2014-v70" target="_blank">slide deck detailing each of the new features</a>. Highly recommended if you/your company have been waiting for any of these features to be available.<br />
<br />Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com0tag:blogger.com,1999:blog-3712577241932959808.post-10991358348210177912014-05-08T18:09:00.001-05:002014-06-06T12:37:57.771-05:00DataPower: 5 secrets that you may not have knownOkay, let's go straight to the point, starting with a few questions:<br />
<ol>
<li><b>Is it possible to disable a Multi-Protocol Gateway or a Web Service Proxy?</b></li>
<li><b>Is it possible to export a certificate from the cert: directory?</b></li>
<li><b>Is it possible to increase the number of transactions in the probe history?</b></li>
<li><b>Can a Front Side Handler object be created automatically when creating a Web Service Proxy?</b></li>
<li><b>Can a service have higher priority over others?</b></li>
</ol>
<br />
You might have answered yes to at least one of these questions, but would you be surprised if I told you that the answer for every single one is yes?<br />
<br />
Follow the link below to see more details about each of the secrets above.<br />
<br />
<a name='more'></a><b><br />1. Is it possible to disable a Multi-Protocol Gateway or a Web Service Proxy?</b><br />
<br />
Yes, just go to <b>Objects > Service Configuration > Multi-Protocol Gateway (or Web Service Proxy)</b>, click on the service you wish to disable, and then on the <b>Main</b> tab change the <b>Administrative State</b> to <i>"disabled"</i>.<br />
<br />
This screen will contain some other options that you don't normally see when you access the Multi-Protocol Gateway and Web Service Proxy objects through the main screen, so for your own good, explore this new way to configure these objects as much as you can.<br />
<br />
<br />
<b>2. Is it possible to export a certificate from the cert: directory?</b><br />
<br />
Yes, to do this you have to go to <b>Administration > Miscellaneous > Crypto Tools</b>, then navigate to the <b>Export Crypto Object</b> tab.<br />
<br />
In the <b>Object Name</b> property, provide the name of the <b>Crypto Certificate</b> object that refers to the certificate in <i>cert:</i> you want to export.<br />
<br />
In the <b>Output File Name</b> property, specify any name followed by <i>.xml</i> (hold that thought, we are still in the middle of the process).<br />
<br />
After clicking <b>Export Crypto Object</b>, a new file with that name will be placed under the <i>temporary:</i> directory.<br />
<br />
Now it is time for the trick…<br />
<ol>
<li>Open a text editor of your preference (XMLSpy, Notepad++, Notepad, Text Edit, etc)</li>
<li>Start a new text file whose first line is:<br /><br /><span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;">-----BEGIN CERTIFICATE-----<br /><br /></span></span></li>
<li>Open the <i>.xml</i> file that was created during the Export Crypto Object process </li>
<li>Copy the text content of the <i>/crypto-export/certificate</i> element (in bold below) into your new text file:<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"><br /><br /><?xml version="1.0" encoding="utf-8"?><br /><crypto-export version="1"><br /> <certificate version="1"><b>MIIEYjCCA0qgAwIBAg[...]IQOHO9nj6QowsSATEWDs==</b></certificate><br /></crypto-export><br /><br /></span></span>
</li>
<li>Finish the new text file with the line:<br /><br /><span style="font-family: "Courier New",Courier,monospace;">-----END CERTIFICATE-----<br /><br /></span></li>
<li>The final file should look similar to this:<br /><br /><span style="font-family: "Courier New",Courier,monospace;">-----BEGIN CERTIFICATE-----<br />MIIEYEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0<br />jCCA0qgAwIBAgIISQOHO9nj6QowDQYJKoZIhvcNAQEFBQAwejE</span><br /><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: "Courier New",Courier,monospace;">[...]</span><br />aW4xEjAQBgNVBBAgIISQOHO9nj6QowDQYJKoZIhvcNAQEFBQAw<br />ejELMAkGA1UW50ZWdyYXRpb24gVGVjaG5vbG9naWVzMRYwFAYD<br />VQQDEw1zZ2EuYXZuZVWEWw==<br />-----END CERTIFICATE-----<br /><br /></span></li>
<li>Save the file using extension <i>.cer</i>, <i>.pem</i>, etc</li>
<li>Done! You have exported a certificate from DataPower under the <i>cert:</i> directory.</li>
</ol>
<br />
Before you ask: yes, the appliance is still safe. The export file contains only the public certificate; the private key stays on the device and cannot be pulled out with this method.<br />
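The manual copy-and-paste works, but it is easy to lose a character at either end of a long base64 string and end up with a file that some tools accept and others reject. The following Python script is an added example (my own code, not DataPower's): it reads the crypto-export XML, checks that the decoded bytes start with an ASN.1 SEQUENCE whose declared length matches what was actually decoded (which catches a truncated copy), and writes the certificate in the canonical 64-column PEM layout. The sample export is constructed; its certificate is a placeholder SEQUENCE, not a real certificate.

```python
"""Convert a DataPower crypto-export file into a PEM certificate, with checks.

Added example for this post, not DataPower code.  The XML layout follows the
export file excerpt above (/crypto-export/certificate holding base64 DER).  The
sample export is constructed: its certificate is a placeholder ASN.1 SEQUENCE,
not a real certificate, so the structural check can be shown without shipping
key material of any kind.
"""
import base64
import binascii
import xml.etree.ElementTree as ET


def der_outer_length(der: bytes):
    """Return (declared length, header size) of the outer SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE: this is not a DER certificate")
    first = der[1]
    if first < 0x80:                       # short-form length
        return first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def crypto_export_to_der(xml_text) -> bytes:
    """Pull the certificate out of the export XML and verify it decodes to a
    complete DER object; a copy that lost characters at either end fails here."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "crypto-export":
        raise ValueError(f"unexpected root element {root.tag!r}")
    cert = root.find("certificate")
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no /crypto-export/certificate element with content")
    try:
        der = base64.b64decode("".join(cert.text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate content is not valid base64: {exc}") from exc
    length, header = der_outer_length(der)
    if header + length != len(der):
        raise ValueError(f"DER length mismatch: header declares {length} bytes, "
                         f"{len(der) - header} present; the copy is truncated or padded")
    return der


def der_to_pem(der: bytes) -> str:
    """Canonical PEM: 64-character base64 lines between the CERTIFICATE markers."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def crypto_export_to_pem(xml_text) -> str:
    return der_to_pem(crypto_export_to_der(xml_text))


# Constructed placeholder: SEQUENCE, long-form length 0x82 0x01 0x00 (= 256), 256 bytes.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_EXPORT = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<crypto-export version="1">\n'
    f'  <certificate version="1">{SAMPLE_B64}</certificate>\n'
    "</crypto-export>\n"
)

if __name__ == "__main__":
    print(crypto_export_to_pem(SAMPLE_EXPORT), end="")
```

Feed it the real file from <i>temporary:</i>, then check the result with <span style="font-family: Courier New, Courier, monospace;">openssl x509 -in export.pem -noout -subject -dates</span>. The script only ever touches the certificate element; there is no private key in the export file to leak.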
<br />
<br />
<b>3. Is it possible to increase the number of transactions in the probe history?</b><br />
<br />
Yes. Go to <b>Objects > Service Configuration > Multi-Protocol Gateway (or Web Service Proxy)</b>, click the service you want to change, then open the <b>Probe Settings</b> tab.<br />
<br />
Under this tab you can configure the <b>Probe setting</b>. The default is <i>off</i>; once you set it to <i>on</i>, a new <b>Transaction History</b> property appears, which accepts any value between <i>10</i> and <i>250</i>.<br />
<br />
You can also set <b>Probe setting</b> to <i>unbounded</i>, which records the latest <i>250</i> transactions that passed through the service (the same as <i>on</i> with a transaction history of <i>250</i>). Remember that the probe captures full request and response contexts, including any credentials or personal data they carry, so turn it off again once you are done troubleshooting.<br />
<br />
<br />
<b>4. Can a Front Side Handler object be created automatically when creating a Web Service Proxy?</b><br />
<br />
Yes, but you probably don't want to... Believe it or not, it can be slower than creating them separately.<br />
<br />
That is because creating a regular Web Service Proxy through its regular interface is already very practical and easy (and so is creating the Front Side Handler).<br />
<br />
Another reason to avoid it is that many companies have naming standards for DataPower objects; if DataPower starts creating objects by itself, there is a good chance you will end up out of compliance with those standards.<br />
<br />
But if you just want to know how to do it (maybe to win a bet with your friends), here is how:<br />
<ol>
<li>Go to <b>Objects > Service Configuration > Web Service Proxy > Add</b></li>
<li>Under the <b>Dynamic Endpoints</b> tab, locate the property <b>Auto-create Source Protocols</b> and switch it to <i>on</i>. This will only work for <b>HTTP</b> Front Side Handlers (another reason to go with the traditional method)</li>
<li>Once you are done with the rest of the configuration, hit <i>Apply</i> and come back here to tell us what DataPower created (which IP and port did it pick?), as we weren't brave enough to try this out yet.</li>
</ol>
<br />
<b>5. Can a service have higher priority over others?</b><br />
<br />
Yes, and this is a very interesting one...<br />
<br />
Under high load, you may want to make sure that the service responsible for the makePayment operation will have higher priority over the service responsible for checkAddress, right? To accomplish this final secret, you will have to:<br />
<br />
<ol>
<li>Go to <b>Objects > Service Configuration > Multi-Protocol Gateway (or Web Service Proxy)</b>, and then select the service you want to make the priority higher</li>
<li>Under the <b>Main</b> tab, change the <b>Service Priority</b> property from the default <i>Normal</i> to <i>High</i>.</li>
<li>Done, that is it!</li>
</ol>
<br />
You think that we missed anything that could have been part of this post? Please feel free to add other tricks below!<br />
<br />Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com6tag:blogger.com,1999:blog-3712577241932959808.post-47671727044541967162014-04-15T18:03:00.001-05:002014-04-17T23:09:52.791-05:00DataPower: What to expect from the new GatewayScript?GatewayScript is a new capability coming in DataPower firmware version 7.0. It has received a lot of attention recently and will feature in <a href="http://www.slideshare.net/ibmdatapower/data-power-sessions-at-ibm-impact-2014" target="_blank">at least four different presentations at Impact 2014</a> by the end of this month.<br />
<br />
GatewayScript expands the set of programming languages available on DataPower. It is based on JavaScript and brings with it all the power of its base language.<br />
<br />
That does not mean the existing languages, such as XSLT and XQuery, lacked power. The main idea behind adding a new language is to leverage common programming skills, speeding up DataPower adoption and making it even more popular.<br />
<br />
New ways to debug code also come with GatewayScript, making it possible to set breakpoints, print variable values, inspect the stack trace, and so on.<br />
<br />
Performance is not expected to be an issue with the new language, as the code is compiled, cached and reused on demand. IBM keeps promising wire-speed processing.<br />
<br />
Examples will be provided with the new firmware in order to give us a better idea on what exactly can be accomplished with this new capability. They will be located under <i>store:///gatewayscript/example-*.js</i>.<br />
<br />
On the morning of April 15th, Tony Ffrench (STSM, DataPower Architect), Tim Smith (DataPower Architect) and Ozair Sheikh (DataPower Product Line Manager) gave a very rich presentation on the <a href="http://www.websphereusergroup.org/" target="_blank">WebSphere User Group</a> website about the capabilities coming in the new firmware version. If you did not have a chance to attend the webinar, you can download their presentation <a href="http://wcc.on24.com/event/77/51/87/rt/1/documents/slidepdf/gwc_webcast_dp_mobile_final_v3.pdf" target="_blank">here</a>.<br />
<br />
To see the official IBM announcement of the new firmware version 7.0, click <a href="http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS214-117&appname=USN" target="_blank">here</a>. <br />
<br />
<b>EDIT: On April 17th, the replay of the above presentation was made available on the WebSphere User Group website. To watch it, just click <a href="http://www.websphereusergroup.org/alexisstreet/go/gallery/item/1534769?type=video" target="_blank">here</a>. </b>Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com3tag:blogger.com,1999:blog-3712577241932959808.post-74719342356417864012014-04-15T17:05:00.000-05:002014-04-15T17:18:01.010-05:00The IBM Integration Middleware and the Heartbleed exploitWondering whether the IBM Integration Middleware is affected by Heartbleed, the OpenSSL vulnerability tracked as CVE-2014-0160? Good news: in general the answer is no, but there are exceptions...<br />
<br />
According to the official IBM Security Bulletins released so far, Cast Iron
version 7.x and two MQ Support Pacs are affected. The recommendation for people who
work with any of these tools is to keep watching the <a href="http://www.ibm.com/support/" target="_blank">IBM Support Portal</a> as well as the <a href="http://www.ibm.com/blogs/PSIRT" target="_blank">IBM Product Security Incident Response Team (PSIRT)</a> for
more security bulletin updates.<br />
<br />
See the official IBM Security Bulletins for each technology:<br />
<ul>
<li>IBM WebSphere DataPower<br /><a href="http://www-304.ibm.com/support/docview.wss?uid=swg21669672" target="_blank">http://www-304.ibm.com/support/docview.wss?uid=swg21669672</a></li>
<li>IBM WebSphere MQ<br /><a href="http://www-01.ibm.com/support/docview.wss?uid=swg21669839" target="_blank">http://www-01.ibm.com/support/docview.wss?uid=swg21669839</a></li>
<li>IBM WebSphere Message Broker and IBM Integration Bus<br /><a href="http://www-01.ibm.com/support/docview.wss?uid=swg21670215" target="_blank">http://www-01.ibm.com/support/docview.wss?uid=swg21670215</a></li>
<li>IBM WebSphere Cast Iron<br /><a href="http://www-01.ibm.com/support/docview.wss?uid=swg21669994" target="_blank">http://www-01.ibm.com/support/docview.wss?uid=swg21669994</a></li>
</ul>
<br />
Besides reissuing certificates whose private keys may have been compromised (with a freshly generated key pair, not the same key re-signed), there should also be an effort to revoke the old ones, since a leaked key stays usable until its certificate is revoked or expires. Imagine revoking and reissuing new certificates for 66% of the Internet... The Certificate Authorities might be laughing really loud by now with this unforeseen profit about to enter their books... <br />
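A check worth running once the new certificates arrive, as an added example that is not part of the original post or of any IBM tooling: it compares the public key inside the old and the new certificate, because a certificate re-signed over the same key pair does nothing against an attacker who already holds that key. It assumes the openssl command-line tool is installed; the file names are placeholders.

```shell
#!/bin/sh
# Added example for this post, not IBM code. After an incident like Heartbleed,
# a certificate that was simply re-signed over the SAME key pair is still
# compromised: the attacker keeps the private key. This compares the
# SubjectPublicKeyInfo fingerprints of two PEM certificates, which is the
# quickest way to prove that a "reissued" certificate really carries a new key.
# Assumes the openssl command-line tool is on PATH; file names are placeholders.

# SHA-256 over the DER-encoded public key inside a PEM certificate (DER, so
# PEM formatting differences between files cannot mask an identical key).
# Prints nothing and returns non-zero if the certificate cannot be read.
spki_fingerprint() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 \
        | sed 's/^.*= *//'
}

# key_rotated OLD.pem NEW.pem
#   exit 0: NEW carries a different key pair than OLD (real rotation)
#   exit 1: same public key, i.e. re-certified but still compromised
#   exit 2: one of the certificates could not be read
key_rotated() {
    old=$(spki_fingerprint "$1") || return 2
    new=$(spki_fingerprint "$2") || return 2
    [ -n "$old" ] && [ -n "$new" ] || return 2
    [ "$old" != "$new" ]
}

# Usage (placeholder file names):
#   key_rotated old-cert.pem new-cert.pem && echo "key rotated" || echo "NOT rotated"
```

Run it against every certificate you receive back from the CA or from an internal PKI; a "NOT rotated" result means the renewal request reused the old key and the whole exercise has to be repeated with a new CSR.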
<br />Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com0tag:blogger.com,1999:blog-3712577241932959808.post-14617687892658711582014-04-06T02:48:00.000-05:002015-08-25T11:49:55.743-05:00DataPower: How to configure SSL mutual authentication?<span style="font-family: Arial, Helvetica, sans-serif;">That should be a mandatory question when interviewing a
DataPower candidate if you want to give him/her a hard time. I can say that
most of them will fail to answer it correctly based on my experience in the
field.</span><br />
<br />
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">It is not entirely their fault though. The way that
DataPower presents the objects responsible for configuring mutual
authentication can be tricky if you are trying to learn it by yourself.</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">The main reason that leads us, DataPower professionals, into confusion is that the SSL Proxy Profile object has a parameter called “Direction” that can be set to “Forward”, “Reverse” or <b>“two-way”.</b></span></span><br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span></div>
<h4>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Is “two-way” and mutual authentication the same thing?</span></span></h4>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><br />
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">The first impression is that the “two-way” option represents mutual authentication, because by definition mutual authentication means that <b>both</b> client and server authenticate to each other, or in other words, they perform two-way authentication.</span></span><br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Although that reading makes sense, setting the direction to “two-way” has nothing to do with setting up mutual authentication. SSL mutual authentication is independent of the SSL Proxy Profile direction parameter. You can perfectly well have mutual authentication using Forward or Reverse as the direction; there is nothing wrong with that.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The “two-way” direction simply enables DataPower to act as a
client </span><b style="font-family: Arial, Helvetica, sans-serif;">or</b><span style="font-family: Arial, Helvetica, sans-serif;"> server using a single SSL
Proxy Profile. And that is all, no mutual authentication here!</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">But then how to configure mutual authentication in the box,
device, appliance (or whatever you may call it)? The answer is, as usual: it
depends…</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<h4>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">DataPower acting as Server</span></span></h4>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"></span></span><br />
<div class="MsoNormal">
</div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">If DataPower is acting as the server and you want it to authenticate the client certificate, you can set the direction parameter of the SSL Proxy Profile to “Reverse”, and then on the Reverse Crypto Profile you have to set a Validation Credential that contains either a copy of the client certificate itself or the CA certificate that issued it, so the certificate presented during the handshake can be validated against it.</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Now it makes sense why the Validation Credential is not a required parameter on the Reverse Crypto Profile: mutual authentication is not always required for SSL traffic.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<b style="font-family: Arial, Helvetica, sans-serif;">08/25/2015 UPDATE:</b><span style="font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Arial, Helvetica, sans-serif;">This is actually the most basic way to configure the Reverse Crypto Profile to authenticate its clients. There are many variations to this configuration and depending on your requirement, you can make your mutual authentication scenario mandatory or optional.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Below are all eight combinations of the three settings involved (Validation Credentials present or not, Client Authentication is Optional, Always Request Client Authentication) and what each one means in practice:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Scenario 1:</b><br />Reverse Crypto Profile <b>WITH ValCreds</b><br />Client Authentication is Optional <b>OFF</b><br />Always Request Client Authentication <b>OFF</b><br /><b>Results:</b><br />Client certificate is required because of the ValCreds configured in the Reverse Crypto Profile, and the handshake validates it against the ValCreds. If no certificate is provided, the SSL handshake fails because Client Authentication is Optional is set to OFF.<br /><b>Mutual Authentication is mandatory.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 2:</b><br />Reverse Crypto Profile <b>WITH ValCreds</b><br />Client Authentication is Optional <b>OFF</b><br />Always Request Client Authentication <b>ON</b><br /><b>Results:</b><br />Same as Scenario 1: the ValCreds already cause the client certificate to be requested and validated, so Always Request Client Authentication changes nothing here. If no certificate is provided, the SSL handshake fails because Client Authentication is Optional is set to OFF.<br /><b>Mutual Authentication is mandatory.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 3:</b><br />Reverse Crypto Profile <b>WITH ValCreds</b><br />Client Authentication is Optional <b>ON</b><br />Always Request Client Authentication <b>OFF</b><br /><b>Results:</b><br />Client certificate is requested because of the ValCreds configured in the Reverse Crypto Profile. If provided, it is validated against the ValCreds. If not provided, the connection is still established because Client Authentication is Optional is set to ON, so the Processing Policy has to decide what a client that did not authenticate is allowed to do.<br /><b>Mutual Authentication is optional.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 4:</b><br />Reverse Crypto Profile <b>WITH ValCreds</b><br />Client Authentication is Optional <b>ON</b><br />Always Request Client Authentication <b>ON</b><br /><b>Results:</b><br />Same as Scenario 3: the certificate is requested because of the ValCreds and validated against them if provided. If not provided, the connection is still established because Client Authentication is Optional is set to ON.<br /><b>Mutual Authentication is optional.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 5:</b><br />Reverse Crypto Profile <b>WITHOUT ValCreds</b><br />Client Authentication is Optional <b>OFF</b><br />Always Request Client Authentication <b>OFF</b><br /><b>Results:</b><br />Client certificate is not requested because there is no ValCred set in the Reverse Crypto Profile and Always Request Client Authentication is set to OFF.<br /><b>Mutual Authentication is not enabled.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 6:</b><br />Reverse Crypto Profile <b>WITHOUT ValCreds</b><br />Client Authentication is Optional <b>OFF</b><br />Always Request Client Authentication <b>ON</b><br /><b>Results:</b><br />Client certificate is required because Always Request Client Authentication is set to ON. With no ValCreds the SSL handshake does not validate the certificate, it only checks that one was presented, so validating it (issuer, chain, expiry, revocation) is entirely up to the Processing Policy. If no certificate is provided, the SSL handshake fails because Client Authentication is Optional is set to OFF.<br /><b>Mutual Authentication is mandatory, but only as strong as the validation done in the Processing Policy.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 7:</b><br />Reverse Crypto Profile <b>WITHOUT ValCreds</b><br />Client Authentication is Optional <b>ON</b><br />Always Request Client Authentication <b>OFF</b><br /><b>Results:</b><br />Client certificate is not requested because there is no ValCred set in the Reverse Crypto Profile and Always Request Client Authentication is set to OFF.<br /><b>Mutual Authentication is not enabled.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Scenario 8:</b><br />Reverse Crypto Profile <b>WITHOUT ValCreds</b><br />Client Authentication is Optional <b>ON</b><br />Always Request Client Authentication <b>ON</b><br /><b>Results:</b><br />Client certificate is requested because Always Request Client Authentication is set to ON, and as in Scenario 6 any certificate presented is handed to the Processing Policy without being validated by the handshake. If no certificate is provided, the SSL connection is still established because Client Authentication is Optional is set to ON; the Processing Policy may then reject the transaction.<br /><b>Mutual Authentication is optional.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">DataPower acting as Client</span></h4>
</div>
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Now, when DataPower is acting as Client, it is a different story… In this case you choose the direction “Forward” on the SSL Proxy Profile, and then on the Forward Crypto Profile you set an Identification Credential object (the key and certificate DataPower presents) to make DataPower identify itself to the backend it is calling. Simple as that!</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">At this point, you might also have noticed that in the Forward Crypto Profile the Identification Credential parameter is not required, once again because mutual authentication is not always required for SSL traffic. Keep in mind that the Identification Credential only covers DataPower's half of the handshake: whether DataPower verifies the backend's certificate depends on the Validation Credential of the same Forward Crypto Profile, and without one the backend's certificate is not validated at handshake time, which defeats the purpose of calling it mutual authentication.</span></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><br />
<h3>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Why then SSL Proxy Profile “two-way”?</span></span></h3>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">
</span></span><br />
<div class="MsoNormal">
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">So, you could be asking yourself now: why on earth do we have the “two-way” direction option in the SSL Proxy Profile? Is it just there to confuse us?</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Well, there is actually a plausible reason for it… Some of us fight every day to keep our DataPower configuration as simple as we can, and the “two-way” option allows a single SSL Proxy Profile to refer to one Reverse Crypto Profile and one Forward Crypto Profile at the same time. It basically means fewer objects to configure, yay!</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Once all of them are configured correctly, you will never
have to worry about which crypto object to select in order to allow a front or
backside connection to be established properly, as the “two-way” object will
automatically select the correct Crypto Profile (Forward or Reverse) to use
according to the direction of the transaction.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">So now, if you had a chance to give a different name for the
“two-way” direction of the SSL Proxy Profile, what would that be?</span></div>
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>06/23/2015 UPDATE:</b> As of firmware version 7.2, the SSL Proxy Profile object is deprecated. It must be replaced by the <b>SSL Server Profile</b> or the <b>SSL Client Profile</b>, depending on whether DataPower is acting as a server or as a client. In addition to these two objects, there is a new object called <b>SSL SNI Server Profile</b>, which enables the SNI (Server Name Indication) feature. In short, with SNI the SSL Client Profile sends the intended host name as part of the SSL handshake, so that an SNI-enabled server hosting multiple domains on the same IP address and port can select which certificate to return to the client.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">For more information on the <b>SNI</b> feature, go to <a href="https://en.wikipedia.org/wiki/Server_Name_Indication" target="_blank">https://en.wikipedia.org/wiki/Server_Name_Indication</a>.<br />For more information on the new <b>SSL Client Profile</b>, go to <a href="https://www.youtube.com/watch?v=nMud8cnd56w" target="_blank">https://www.youtube.com/watch?v=nMud8cnd56w</a>.<br />For more information on the new <b>SSL Server Profile</b> and the new <b>SSL SNI Server Profile</b>, go to <a href="https://www.youtube.com/watch?v=14DPPjl4u5w" target="_blank">https://www.youtube.com/watch?v=14DPPjl4u5w</a>.</span>Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com45tag:blogger.com,1999:blog-3712577241932959808.post-79654875945767985512014-04-06T02:25:00.001-05:002014-04-07T12:37:50.328-05:00DataPower: Testing SNMP using ManageEngine MibBrowser<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">Not sure if you are already aware of this tool, but it helped me a lot to prove whether DataPower was correctly configured for both SNMP Polling and Traps. The tool is MibBrowser from the company ManageEngine; it is free and can be used to browse the DataPower MIB files, extract information from the box (SNMP Polling), and it can also act as a lightweight trap receiver that listens for the SNMP traps sent by the device. See the images below for details:</span></span><br />
<br />
<h3>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>1. SNMP Polling</b></span></span></h3>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ztz4bUAtqpLzcuBWrWSYZZtGWlzC15i_PviEKrcOPaP__UVoFSZSWmkpbO0zWQkSvM-swGkszETGVZi7aKeshaeczr4L5X_2g2TLEQzbOjZrfaAwsatmi5FhdoGFQFLLN0Uitdz00-U/s1600/MibBrowser1.PNG" target="_blank"><img alt="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ztz4bUAtqpLzcuBWrWSYZZtGWlzC15i_PviEKrcOPaP__UVoFSZSWmkpbO0zWQkSvM-swGkszETGVZi7aKeshaeczr4L5X_2g2TLEQzbOjZrfaAwsatmi5FhdoGFQFLLN0Uitdz00-U/s1600/MibBrowser1.PNG" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ztz4bUAtqpLzcuBWrWSYZZtGWlzC15i_PviEKrcOPaP__UVoFSZSWmkpbO0zWQkSvM-swGkszETGVZi7aKeshaeczr4L5X_2g2TLEQzbOjZrfaAwsatmi5FhdoGFQFLLN0Uitdz00-U/s1600/MibBrowser1.PNG" height="336" width="640" /></a></span></span></div>
<h3>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>2. SNMP Traps</b></span></span></h3>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinWGxCbIkjbvM2kfoiQsuMP8e9Hc3VJKa_wwb2mskR5UPoQdLE7-VKG2ON8yOJGQPS-DfJ56bv2uA-ycYm9SIQASQreQ0a7MIm8ytIElXx23TTqVQV_FZZVa8kDcrbbEfqkvWXv2ZRzCw/s1600/MibBrowser2.PNG" target="_blank"><img alt="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinWGxCbIkjbvM2kfoiQsuMP8e9Hc3VJKa_wwb2mskR5UPoQdLE7-VKG2ON8yOJGQPS-DfJ56bv2uA-ycYm9SIQASQreQ0a7MIm8ytIElXx23TTqVQV_FZZVa8kDcrbbEfqkvWXv2ZRzCw/s1600/MibBrowser2.PNG" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2p79dQwM_egwQnoQMzeCr-W396KVVbC8iN6begEGIlKgI4eUY2W0ytJLk2qvQTpPWiIw8C7JtM87tX11SoXiANUqG-gsQ0vYx_ZAoGZprgb-lhydYGeRWX4P9VIzgvsVpDIDxHfbqGNo/s1600/MibBrowser2.PNG" height="326" width="640" /></a></span></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">To download it, just go to <a href="http://www.manageengine.com/products/mibbrowser-free-tool/index.html" target="_blank">http://www.manageengine.com/products/mibbrowser-free-tool/index.html</a></span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">This company seems to have some other interesting free networking tools, see the link below for the full list:<span style="color: blue;"> </span></span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span style="color: blue;"><a href="http://www.manageengine.com/free-software-download.html?plink=mibB" target="_blank">http://www.manageengine.com/free-software-download.html?plink=mibB</a></span> </span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">By the way, talking about other free tools, I have been using two others that have helped me in some matters: one for key/certificate management and the other for LDAP browsing:</span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>Portecle </b>- Extracts and converts keys and certificates - <a href="http://portecle.sourceforge.net/" target="_blank">http://portecle.sourceforge.net/</a><b> </b></span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>ADExplorer </b>- Connects to a LDAP server so you can verify every single LDAP object - <a href="http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx" target="_blank">http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx</a> </span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">Do you guys use any other tools to help somehow performing your day to day work?</span></span>
Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com0tag:blogger.com,1999:blog-3712577241932959808.post-14863374772623908902014-04-06T01:48:00.000-05:002015-12-02T10:28:07.910-06:00DataPower: Static routes and management interface <div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">(Read the whole article before making any changes to your environment) </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">I wanted to share with you some of my experience when configuring the DataPower appliances from scratch.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">As you know, during the DataPower initialization process there is a wizard available that makes the initial configuration a lot easier. That wizard asks you a few questions about your network and then directs you to the WebGUI, so you can accept the license terms. Most of the time, since the WebGUI is already up and running, people never come back to the configuration of the management interface to adjust it as they should in order to avoid unexpected behaviors in the future. But what adjustment am I talking about here?</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">The static route, of course! Right, you do not need to configure it in order to make the WebGUI or any other management service, such as SSH and SOMA, work fine, but you do need to adjust it in order to prevent DataPower from using that interface for application data traffic.</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">The trick is the following: whenever you see a default route configured for the management interface, you are at risk of DataPower not behaving the way you expect it to. Take this case, for example: </span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<br />
<span style="font-family: "courier new"; font-size: small;">xg45# show route</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "courier new"; font-size: small;"> Destination Device Int Type Device Int Gateway Metric Route Type Route Protocol<br />
----------- --------------- ---------- ------- ------ ---------- --------------<br />
0.0.0.0/0 Ethernet mgt0 10.206.137.1 0 remote netmgmt<br />
0.0.0.0/0 Ethernet eth11 10.206.137.1 0 remote netmgmt<br />
10.206.137.0/24 Ethernet mgt0 0.0.0.0 0 local local<br />
10.206.137.0/24 Ethernet eth11 0.0.0.0 0 local local</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">The
destination 0.0.0.0/0 is the default route. As you can see, there are
two default routes in the example above, one being used by the mgt0 interface
and the other being used by the eth11. The default route is added to the routing
table every time that there is a default gateway defined in the interface. So as
soon as you remove the default gateway, the default route will
disappear from the route table:</span><br />
<br /></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">xg45# show route<br />
</span><span style="font-family: "courier new";"><span style="font-family: "courier new" , "courier" , monospace;"> Destination</span> Device Int Type Device Int Gateway Metric Route Type Route Protocol<br />
----------- --------------- ---------- ------- ------ ---------- --------------</span></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "courier new"; font-size: small;"> 0.0.0.0/0 Ethernet eth11 10.206.137.1 0 remote netmgmt<br />
10.206.137.0/24 Ethernet mgt0 0.0.0.0 0 local local<br />
10.206.137.0/24 Ethernet eth11 0.0.0.0 0 local local</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">By removing it, you are explicitly telling DataPower not to use the management interface for outbound traffic to any destination it has no other route for. It also means that, as soon as you remove the default gateway, <b>you *may* lose access to the box</b>, as it will not know how to reply back to you [if you are not on the same subnet as the device (/24) or the management service is not configured for all network interfaces (0.0.0.0)]. Technically you are not really losing access: your requests are reaching the box, but the box does not know how to get back to you.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">So, how to fix that? The answer is to add a static route. Before removing the default gateway from the management interface configuration, make sure to configure a static route that will teach the box how to reach you back.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">If your terminal has a static IP address and you want the DataPower management interface to talk only to you, the following command should do the trick (keep in mind that a route only tells the box where to send replies; it is not an access control, so to actually restrict who can reach the WebGUI or SSH you still need the Access Control List of each management service):</span><br />
<br /></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
</div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "courier new"; font-size: small;">xg45(config-if[mgt0])# ip route 10.206.14.160/32 10.206.137.1</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><i>&lt;ip route&gt; invokes the command to create the static route</i></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><i>&lt;10.206.14.160/32&gt; is the final destination of the responses, or the IP address of your terminal</i></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><i>&lt;10.206.137.1&gt; is the network gateway to be used to reach the final destination</i></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">And the final result:</span><br />
<br /></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">xg45(config-if[mgt0])# show route<br /> </span><span style="font-family: "courier new";"><span style="font-family: "courier new" , "courier" , monospace;">Destination De</span>vice Int Type Device Int Gateway Metric Route Type Route Protocol<br />
----------- --------------- ---------- ------- ------ ---------- --------------</span></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-family: "courier new"; font-size: small;"> 0.0.0.0/0 Ethernet eth11 10.206.137.1 0 remote netmgmt<br />
10.206.14.160/32 Ethernet mgt0 10.206.137.1 0 remote netmgmt<br />
10.206.137.0/24 Ethernet mgt0 0.0.0.0 0 local local<br />
10.206.137.0/24 Ethernet eth11 0.0.0.0 0 local local</span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
<span style="font-size: small;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">As you can see above, the final destination is written in CIDR notation. The /32 means that this static route only applies to that one IP address (subnet mask 255.255.255.255). If you want a static route that reaches a whole subnet, use a different prefix length. For example, if you know that a specific subnet is safe and want to allow all terminals on that subnet to manage the box, you could use 10.206.14.0/24 (subnet mask 255.255.255.0).</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Now going back to the unexpected behaviors mentioned earlier: when there is more than one default route, there is effectively no default route, makes sense? :-) With that said, if no more specific static route is configured, DataPower will pick either interface that has a default route set up, and you will start seeing application data traffic leaving through the management interface and management traffic leaving through the application data interface, seemingly at random. You will then experience intermittent connectivity issues, as the gateway configured for the management interface may not know how to route the request to the application backend and vice-versa.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">In addition to what has been discussed so far, static routes can do much more! For example, you may want to use one of the various ethernet interfaces available in the appliance to segment traffic to different networks, but this is a topic for another post. :-)</span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Reference: IBM WebSphere DataPower SOA Appliance Handbook - <a href="http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194">http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194</a></span></span></div>
<div style="background: none repeat scroll 0% 0% white; line-height: normal; margin-bottom: 0pt;">
</div>
Bruno R Neveshttp://www.blogger.com/profile/06753136071159835651noreply@blogger.com5