
DataPower SOA Appliance Administration, Deployment, and Best Practices (PDF)

300 pages · 2011 · 5 MB · English
by Gerry Kaplan, Jan Bechtold, Daniel Dickerson, Richard Kinard, Ronnie Mitra, Helio L. P. Mota, David Shute, John Walczyk

Preview DataPower SOA Appliance Administration, Deployment, and Best

Front cover

DataPower SOA Appliance Administration, Deployment, and Best Practices

Demonstrates user administration and role-based management
Explains network configuration, monitoring, and logging
Describes appliance and configuration management

Gerry Kaplan, Jan Bechtold, Daniel Dickerson, Richard Kinard, Ronnie Mitra, Helio L. P. Mota, David Shute, John Walczyk

ibm.com/redbooks
International Technical Support Organization
DataPower SOA Appliance Administration, Deployment, and Best Practices
June 2011
SG24-7901-00

Note: Before using this information and the product it supports, read the information in "Notices" on page xiii.

First Edition (June 2011)
This edition applies to DataPower firmware version 3.8.2.
© Copyright International Business Machines Corporation 2011. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contact an IBM Software Services Sales Specialist

Start BIG ... JUST START ... Start SMALL. Architectural knowledge, skills, research and development: that's IBM Software Services for WebSphere. Our highly skilled consultants make it easy for you to design, build, test and deploy solutions, helping you build a smarter and more efficient business. Our worldwide network of services specialists wants you to have it all! Implementation, migration, architecture and design services: IBM Software Services has the right fit for you. We also deliver just-in-time, customized workshops and education tailored for your business needs. You have the knowledge, now reach out to the experts who can help you extend and realize the value.
For a WebSphere services solution that fits your needs, contact an IBM Software Services Sales Specialist: ibm.com/developerworks/websphere/services/contacts.html

Contents

Contact an IBM Software Services Sales Specialist ... iii
Notices ... xiii
Trademarks ... xiv
Preface ... xv
  The team who wrote this book ... xv
  Now you can become a published author, too! ... xviii
  Comments welcome ... xviii
  Stay connected to IBM Redbooks ... xix

Chapter 1. Securing user access ... 1
  1.1 Overview ... 2
  1.2 Benefits ... 3
  1.3 Device initialization considerations ... 3
    1.3.1 Setting up the master administrator password ... 4
    1.3.2 Enabling Disaster Recovery Mode ... 4
  1.4 Access control lists ... 5
  1.5 Authentication and credential mapping ... 6
    1.5.1 Locally managed users ... 6
    1.5.2 Locally defined user groups ... 7
    1.5.3 Using local user repository for contingency ... 13
    1.5.4 Pros and cons of using the local user repository ... 13
    1.5.5 RBM policy files ... 14
    1.5.6 Remote authentication servers ... 18
    1.5.7 Single sign-on ... 22
    1.5.8 Login processing summary ... 23
  1.6 Audit logs ... 24
    1.6.1 Obtaining the audit log using CLI ... 24
    1.6.2 Copying the audit log using SOMA ... 25
  1.7 Preferred practices ... 26
  1.8 Troubleshooting ... 27

Chapter 2. Networking ... 29
  2.1 Overview ... 30
  2.2 Benefits ... 30
  2.3 Usage ... 31
    2.3.1 Network interface configuration and routing ... 31
    2.3.2 VLAN sub-interfaces ... 36
    2.3.3 Network settings ... 37
    2.3.4 Host alias, static hosts, and domain name system ... 39
    2.3.5 Routing ... 40
    2.3.6 Load balancing a back-end destination ... 41
    2.3.7 Intelligent Load Distribution ... 42
    2.3.8 Self-Balancing services ... 44
    2.3.9 Load balancer health checking ... 45
    2.3.10 Standby Control and high availability ... 45
  2.4 Preferred practices ... 46
    2.4.1 Avoid using 0.0.0.0 as a listener ... 46
    2.4.2 Separating management traffic ... 46
    2.4.3 Specify port values less than 10,000 ... 47
    2.4.4 Persistent timeout consideration ... 47
    2.4.5 Disable chained persistent connections ... 47
    2.4.6 Configure network settings to be portable ... 48
    2.4.7 Multiple default gateways will create multiple default routes ... 48
    2.4.8 Standby Control preferred practices ... 48
    2.4.9 Management interface and default route ... 50
    2.4.10 Enabling "No Delay Ack" to avoid latency with other systems ... 50
    2.4.11 Streaming large messages and flow control ... 52
  2.5 Examples ... 52
    2.5.1 Externalizing endpoints in a metadata document ... 52
    2.5.2 Disabling chained persistent connections for points of a service ... 53
    2.5.3 Port speed mismatch ... 54
    2.5.4 Sample DNS workaround using static host ... 54
    2.5.5 Sample CLI commands to capture DNS server responses ... 54
    2.5.6 Verifying that Rapid Spanning Tree deployed properly for DataPower Standby Control ... 55
    2.5.7 Example of deleting routes ... 57
    2.5.8 Sample XSLT for adding DataPower transaction ID to an HTTP header for outgoing traffic ... 58

Chapter 3. Domains ... 61
  3.1 Application domains ... 62
    3.1.1 The default domain ... 62
    3.1.2 Domain use and benefits ... 62
    3.1.3 Segregating projects and LOBs ... 64
    3.1.4 Number of domains on an appliance ... 64
    3.1.5 Domain resource consumption ... 65
  3.2 Domain structure ... 65
    3.2.1 Local flash-based file system ... 66
    3.2.2 Domain configuration files ... 68
    3.2.3 Domain logging ... 68
    3.2.4 Domain monitoring ... 69
    3.2.5 Shared resources ... 69
  3.3 Domain persistence ... 69
    3.3.1 Saving configuration changes ... 70
    3.3.2 Imported domain configurations ... 71
  3.4 Usage considerations ... 71
    3.4.1 Cross-domain file visibility ... 72
    3.4.2 Domain names ... 72
    3.4.3 Restarting and resetting domains ... 74
    3.4.4 Quiescing ... 76
    3.4.5 Cleaning up orphaned objects ... 76
    3.4.6 Isolating the domain network interface ... 76
    3.4.7 Deleting domains ... 77
  3.5 Preferred practices ... 77
  3.6 Further reading ... 78

Chapter 4. Simple Network Management Protocol monitoring ... 81
  4.1 Appliance monitoring ... 82
  4.2 DataPower monitoring fundamentals ... 82
  4.3 Enabling statistics ... 83
  4.4 SNMP monitoring ... 84
    4.4.1 SNMP protocol messages ... 85
    4.4.2 Management information base (MIB) structure ... 85
    4.4.3 SNMP traps ... 86
    4.4.4 DataPower status providers ... 86
    4.4.5 SNMP security ... 87
    4.4.6 Configuring SNMP using the WebGUI ... 89
    4.4.7 Generating traps with SNMP log targets ... 97
  4.5 Monitoring via the XML management interface ... 99
    4.5.1 Requesting device status and metrics ... 101
  4.6 Appliance monitoring values ... 103
    4.6.1 General device health and activity monitors ... 104
    4.6.2 Interface utilization statistics ... 117
    4.6.3 Other network status providers ... 125
  4.7 SNMP traps ... 125
  4.8 Certificate monitoring considerations ... 127
  4.9 Preferred practices and considerations ... 129

Chapter 5. IBM Tivoli Monitoring ... 131
  5.1 IBM Tivoli Monitoring environment architecture ... 132
    5.1.1 Tivoli Management Services components ... 132
    5.1.2 IBM Tivoli Composite Application Manager ... 134
    5.1.3 IBM Tivoli Composite Application Manager for SOA ... 135
  5.2 Monitoring DataPower appliances ... 138
    5.2.1 Monitoring DataPower application-level traffic ... 138
    5.2.2 Monitoring hardware metrics and resource use ... 141
    5.2.3 IBM Tivoli Composite Application Manager for SOA DataPower agent comparisons ... 147
  5.3 Tivoli Composite Application Manager for SOA architecture ... 150
    5.3.1 IBM Tivoli Composite Application Manager for SOA agents ... 150
  5.4 Monitoring DataPower service objects ... 153
    5.4.1 Customizing for Multi-Protocol Gateway traffic monitoring ... 153
    5.4.2 Using latency logs for transaction monitoring ... 154
  5.5 Tivoli Composite Application Manager for SOA deployment scenarios ... 155
    5.5.1 Minimal deployment ... 155
    5.5.2 Multiple location, single agent deployment ... 156
    5.5.3 Multiple location, multi-agent deployment ... 157
    5.5.4 Large multiple location deployment with health monitoring ... 158
    5.5.5 Complete IBM Tivoli Composite Application Manager for SOA enterprise architecture ... 159
  5.6 IBM Tivoli Composite Application Manager for SOA and DataPower's built-in SLM ... 160

Chapter 6. Logging ... 163
  6.1 Overview ... 164
    6.1.1 Message process logging ... 164
    6.1.2 Publish and subscribe system ... 164
    6.1.3 Log targets and log categories ... 165
    6.1.4 Storing log messages ... 165
    6.1.5 Email pager ... 166
    6.1.6 Audit logging ... 166
  6.2 Benefits ... 167
  6.3 Usage ... 167
  6.4 Event logging ... 168
    6.4.1 Create custom log categories ... 168
    6.4.2 Create log targets ... 168
    6.4.3 Create log message generators ... 170
  6.5 Transaction logging ... 170
    6.5.1 Log action ... 170
    6.5.2 Results action ... 172
  6.6 Usage considerations ... 172
  6.7 Preferred practices ... 173
    6.7.1 Set log priority levels higher in production environments ... 173
    6.7.2 Use the default domain for device-wide logging ... 174
    6.7.3 Suppress repeated log messages ... 174
    6.7.4 Employ a load balancer for critical log targets ... 174

Description:
ibm.com/redbooks. DataPower SOA Appliance. Administration, Deployment, and Best Practices. Gerry Kaplan. Jan Bechtold. Daniel Dickerson. Richard When a user logs in to a DataPower appliance, two important steps occur: 1 The device management IP address or an asterisk (*) for any.