DataPower SOMA: Automatic Domain Backup Policy

Huy M Huynh

Kaiser Permanente - Emerging Technologies & System Design

Middleware Solution Lead

1 Introduction

In this document, we will go through the process of creating an automatic backup agent in WebSphere DataPower using a WebSphere DataPower scheduled rule that creates a backup of the domain(s) via the XML Management Interface (SOMA) and offloads it to an FTP server. There are other ways to do backups, such as macro scripts and management software (a manual process), but none of these offers an on-device automated mechanism. This document offers an alternative solution that automatically backs up WebSphere DataPower configurations by calling the XML Management Interface, decoding the base64-encoded SOMA SOAP response, and sending the result to an FTP server, all of which happens within WebSphere DataPower.

2 Creating the Scheduled Backup Policy

The instructions below create an XML Firewall and a Firewall Policy that perform the backup using a custom transformation. They also guide you through the creation of an XML Manager that manages all the required security for the XML Management Interface and runs the scheduled rule that executes the “backup” Firewall Policy.

1. Create an XML Firewall with loopback proxy, Non-XML Request Type, and a new processing policy. You may also want to set the front-end IP address to 127.0.0.1 for enhanced security. However, doing so will disable the “on demand” backup functionality. For example, if the FSH is set to listen on an actual IP, the backup can be done “on demand” by an external user invoking the service via HTTP GET (browser) or POST.

2. Create a new Firewall Policy with a Client to Server rule.

a. Create a match all (*) action.

b. Add a Transform action with Input: INPUT and Output: NULL, and select the following stylesheet file:

Table 1. This stylesheet sends a request to the XML Management Interface for a backup zip. The response is a SOAP message whose payload contains the backup content encoded in base64. The stylesheet then decodes the backup content and FTPs it off the device.

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:mgmt="http://www.datapower.com/schemas/management" extension-element-prefixes="dp"
    xmlns:date="http://exslt.org/dates-and-times">
  <!-- Author Zachary Huynh -->
  <!-- This transformation will extract and decode the backup xml or zip in the soap body then ftp it to a server -->
  <xsl:output method="xml"/>
  <xsl:template match="/">
    <xsl:call-template name="putFile">
      <xsl:with-param name="BackUpFile">
        <!-- Perform a domain backup request call through XML Management Interface -->
        <dp:url-open target="https://127.0.0.1:999" response="responsecode">
          <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
            <env:Body>
              <!-- The dp prefix is rebound to the management namespace inside this request -->
              <dp:request domain="default"
                  xmlns:dp="http://www.datapower.com/schemas/management">
                <dp:do-backup format="ZIP">
                  <dp:user-comment>Entire System Backup</dp:user-comment>
                  <!-- List of domains to backup -->
                  <dp:domain name="default"/>
                  <dp:domain name="a"/>
                  <!-- < -->
                </dp:do-backup>
              </dp:request>
              <!-- ************************************* -->
            </env:Body>
          </env:Envelope>
        </dp:url-open>
      </xsl:with-param>
    </xsl:call-template>
  </xsl:template>
  <!-- function putFile will decode the base64-encoded backup of domains response and ftp it to a location -->
  <xsl:template name="putFile">
    <xsl:param name="BackUpFile"/>
    <!-- An empty response means the backup request failed: log an alert and reject -->
    <xsl:if test="$BackUpFile='' ">
      <xsl:message dp:type="backup" dp:priority="alert">Backup request fails</xsl:message>
      <dp:reject/>
    </xsl:if>
    <!-- Extract the export content string -->
    <xsl:variable name="encBackUpFile" select="string($BackUpFile//mgmt:file)"/>
    <!-- Send it to an FTP Server -->
    <xsl:variable name="date" select="substring-before(date:date-time(),':')"/>
    <xsl:variable name="fileDate" select="concat('czaqdp1Backup', $date)"/>
    <xsl:variable name="filename" select="concat($fileDate,'a.zip')"/>
    <!-- username:password are placeholders. Plain FTP sends them and the backup unencrypted. -->
    <xsl:variable name="ftp-put-url"
        select="concat('ftp://username:password@someftpserver/%2Flogs/dpbackup/',$filename)"/>
    <!-- data-type="base64" makes url-open decode the payload before sending it -->
    <dp:url-open target="{$ftp-put-url}" response="responsecode" data-type="base64">
      <xsl:value-of select="$encBackUpFile"/>
    </dp:url-open>
  </xsl:template>
</xsl:stylesheet>

c. Add a Results action with Input set to NULL and Output set to OUTPUT.

Your XML Policy should look like this:

3. Create a client (forward) SSL Proxy Profile that will work with the XML Management Interface. Depending on your XML Management Interface configuration, you may need to obtain the certificate that the XML Management Interface uses. By default, this certificate is the same as the Web-GUI's. You can use a browser such as IE to download the certificate at the login page; it is a one-way SSL configuration.

4. Create a new XML Manager

a. Leave everything as default, and create a new User Agent with the client SSL Proxy Profile created in the previous step and with basic authentication for the XML Management Interface, using a username and password that have access rights to the XML Management Interface.

The XSLT that makes the XML Management Interface call via a url-open extension call requires HTTPS and basic auth. During processing, the XML Manager’s User Agent automatically handles the initiation of SSL and authenticates using basic auth. By doing this, you avoid having to put any of this information in the XSLT.

b. Click on the SSL Proxy Profile Policy tab and add the client SSL Proxy Profile you created, which contains the Validation Credentials that hold the XML Management Interface certificates.

c. Click on the Basic-Auth Policy and add the username/password that has access rights to the XML Management Interface.

d. Select the configured User Agent for this XML Manager.

e. Then select the Scheduled Processing Policy Rule tab.

f. Select the rule that does the backup and set the time interval to execute this rule. Hint: The name of the processing rule can be obtained from the Firewall Policy editor.

g. Click on the XML Parser tab and edit the parser limits to allow for a large XML response from the XML Management Interface. Below is an example setting:

To test this, simply click Apply. A zip file containing the backup will be created on the FTP server at every interval you set on the XML Manager Scheduled Processing Policy Rule. To test the “on-demand” backup (make sure you set the XML Firewall Local Address to one of the device IPs for this to work), simply use a browser and call the listening address. The entire backup process may take more than 2 minutes, so be patient.
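To check a backup off the device, the following added example (not part of the original document) repeats the stylesheet's extraction step, the `//mgmt:file` lookup and base64 decode, and then confirms the result is an intact ZIP and records its SHA-256. The `dp:response` wrapper in the sample and all function names are assumptions; the sample data is constructed.

```python
import base64
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

MGMT_NS = "http://www.datapower.com/schemas/management"  # mgmt: in the stylesheet

class BackupError(Exception):
    """A do-backup response did not yield a usable ZIP."""

def extract_backup(soap_xml: bytes) -> bytes:
    """Mirror the stylesheet: find //mgmt:file and base64-decode it."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        raise BackupError(f"response is not well-formed XML: {exc}")
    node = root.find(f".//{{{MGMT_NS}}}file")
    text = "".join((node.text or "").split()) if node is not None else ""
    if not text:
        raise BackupError("no mgmt:file payload in response")
    try:
        return base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise BackupError(f"payload is not valid base64: {exc}")

def verify_backup(data: bytes) -> dict:
    """Confirm the decoded bytes are an intact ZIP; return digest and entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad, names = zf.testzip(), zf.namelist()  # testzip CRC-checks members
    except zipfile.BadZipFile as exc:
        raise BackupError(f"decoded payload is not a ZIP: {exc}")
    if bad is not None:
        raise BackupError(f"corrupt member: {bad}")
    return {"sha256": hashlib.sha256(data).hexdigest(), "entries": names}

def make_sample_response(payload: bytes) -> bytes:
    """Constructed response; the dp:response wrapper is an assumption."""
    b64 = base64.b64encode(payload).decode()
    return (f'<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<env:Body><dp:response xmlns:dp="{MGMT_NS}"><dp:file>{b64}'
            f'</dp:file></dp:response></env:Body></env:Envelope>').encode()

def make_sample_zip() -> bytes:
    """Constructed one-entry ZIP standing in for a real domain backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("export.xml", "<constructed-sample/>")
    return buf.getvalue()
```

`verify_backup` can also be run directly on the ZIP file delivered to the FTP server, since that file is already decoded.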