How To
Summary
This document covers the options to migrate from the 8436 IDG appliances to the 8496 X3 or 8441 X2 appliance types running the 10.5.0 firmware.
Objective
The objective is to migrate the configuration from an IDG (X1) 8436 Machine Type that reached the end of support 30 June 2023 to an X3 8496 or X2 8441 Machine Types running the 10.5.0 firmware
Steps
Review the IBM DataPower Whitepaper: IBM DataPower Gateway X3 Model 8496-52X and 8496-53X Migration Using Secure Backup and Restore.
IDG migration to X3
Important: There was a change in the licensing for the ITX (formerly WTX) feature that was currently included with the IM (Integration Module) and B2B licenses.
This license has been separated to a stand-alone license and if you currently have the IM (includes licenses including odbc, binary transformation/dataglue etc.) or B2B licenses
This license has been separated to a stand-alone license and if you currently have the IM (includes licenses including odbc, binary transformation/dataglue etc.) or B2B licenses
Confirm it there is any ITX usage by generating an error report and search for ".dpa" and if there are any active configurations using these files you need to open a case with support to request the migration only firmware for the 10.5.0 and the ITX license activator.
Notes:
- The activator can only be provided if you have current ITX usage, to avoid delays upload an error report to the case which will allow the support team to confirm the ITX usage to be able to provide the activator tool as well as provide the correct migration only firmware as the image needs to match your licenses on the appliance.
- The migration only firmware is only available to the 10.5.0.6 level and if your X3 is running a higher level (such as 10.5.0.8) you will need to downgrade the X3 to match the 10.5.0.6 level then after the restore is complete upgrade the X3 to the final desired fix-pack level.
Best Practice Pre-Migration Checklist:
1. Clean up the appliance by checking for:
- Unused files or configurations
- Keys and certs that are needed and confirm if they are expired as expired certs can be removed during the upgrade even if the ignore expiry is set.
2. Stop all traffic to the appliance
3. Reboot the appliance
4. Confirm the Web-mgmt timeout is more than the default 600 seconds (such as 3600 seconds (1hour)) as the upload may take longer that 10 minutes resulting in a failed upload.
3. Reboot the appliance
4. Confirm the Web-mgmt timeout is more than the default 600 seconds (such as 3600 seconds (1hour)) as the upload may take longer that 10 minutes resulting in a failed upload.
5. Confirm the target X3 appliance is running the same level of the 10.5.0 level to match the migration firmware to allow the restore to work.
Notes:
- The available versions of the migration only firmware are: 10.5.0.2, 10.5.0.4, 10.5.0.5 and 10.5.0.6 as the 10.5.0.6 level was the last before the end of support for the 8436 IDG machine type.
- The 10.5.0.6 level is the last as this is the last version of the firmware when the IDG machines reached the end of support and due to hardware requirements no newer versions can be created.
- If your X3 is running a higher level than 10.5.0.6 (such as 10.5.0.8) you will need to downgrade the X3 to match the 10.5.0.6 level then after the restore is complete upgrade the X3 to the final desired fix-pack level.
Migration Methods:
There are two methods or migrating the configuration.
Method 1 | Export/Import method
With this method you do not need to match the firmware level with the target X3 and can choose what is imported (such as networking, domains etc).
This will not include:
- Private keys or certs - You need to import or re-create any needed private keys and certs
- User information - When restored only the admin user will be active and you will have to re-create the needed users and permissions
Method 2 | Secure backup
This method includes all the keys (not stored on the HSM), certs and user information at the time the backup was taken.
With the secure backup restore you CANNOT choose what to import and the whole configuration will be imported including the networking.
Important note for the 53X (HSM) model:
The keys stored on the HSM in the 8436 IDG 53X appliance CANNOT be moved by any method to either the X2 or X3 appliances as the HSM hardware (HSM2 to HSM3) are not compatible.
Confirm if any keys are stored on the HSM as when keys are created there is an option to store them in the HSM or in the standard crypto location. If any are stored in the HSM those need to either be imported (if the keys are stored elsewhere) or new key/certs generated.
You will need:
The keys stored on the HSM in the 8436 IDG 53X appliance CANNOT be moved by any method to either the X2 or X3 appliances as the HSM hardware (HSM2 to HSM3) are not compatible.
Confirm if any keys are stored on the HSM as when keys are created there is an option to store them in the HSM or in the standard crypto location. If any are stored in the HSM those need to either be imported (if the keys are stored elsewhere) or new key/certs generated.
You will need:
The current 8436 migration only firmware for use on the IDG appliance).
To request the migration only 10.5.0 firmware, open a case with the support team to request the migration firmware and include an error report or the output of the "show license" command to ensure the correct migration firmware image is provided.
Confirm the secure backup mode is enabled on the IDG and X3
- WebGUI: system settings
- CLI: show system
Confirm the "backup mode" is "secure" if it is listed as "normal" open a case with support and provide the "show system" command output from any appliance that needs to have the secure backup mode enabled.
Confirm the X3 appliance is upgraded to the 10.5.0 level to match the firmware level of the migration only 10.5.0 firmware.
Confirm if there is active ITX usage.
Confirm if there is active ITX usage.
If there is active ITX usage you need to apply the new ITX license activator before proceeding with the migration only 10.5.0.x firmware.
Notes:
Notes:
- After the license is activated, you will see a license named "illegal" in the device features and this is expected.
- The minimum firmware required on the IDG appliance to load the migration only 10.5.0 firmware is 2018.4.1.x or 10.0.1.x. and no interim upgrade is needed.
When ready the next step is to "upgrade" the IDG using the migration only 10.5.0 firmware provided by support.
When the upgrade is complete then create and download the secure backup then roll back/boot switch to the original firmware level as it is NOT supported to run production or testing on the migration only firmware.
Notes:
- The "upgrade" to the migration only firmware takes longer than normal (40+ minutes) do not power off the appliance during this process.
- Much of the upgrade occurs while the network is not active, so no progress monitor is available.
If you would like to watch the upgrade progress, you may issue the upgrade command from the serial console after uploading the new firmware from the WebGUI.
Example for the 10.5.0.1 firmware after uploading the image using the WebGUI:
idg# config
idg# dir image:
idg(config)# dir image: (note the image name)
File Name st Modified available to image:
------------- ---------- -------------
idg10501.scrypt3 2:30:03 PM 1338927656
idg(config)# flash
idg(config-flash)# boot image accept-license idg10501.scrypt3
Before proceeding in applying the secure restore on the X3
Ensure that either of the following is true to avoid duplicate IP's on your network:
- The IDG and X3 are not on the same network
- The IDG is powered off
Perform the secure restore on the X3
Notes:
1) The secure restore will reset the admin user password to the default of admin and will require this be changed on the first login.
See the IBM documentation for information for the secure backup/restore
1) The secure restore will reset the admin user password to the default of admin and will require this be changed on the first login.
See the IBM documentation for information for the secure backup/restore
2) The secure restore will also update the "Entitlement ID" on the system settings page to what was in this field on the appliance the backup was taken from.
To avoid confusion check to make sure the Entitlement ID is updated to list the serial number of the X3.
To avoid confusion check to make sure the Entitlement ID is updated to list the serial number of the X3.
Another less-common way to avoid duplicate IP's on your network is to perform the secure restore to an appliance using a private network with your workstation. This also allows for you to directly log in to the device after the restore is complete, and review the configuration. Then the switch-over from the IDG can be very short.
See this link for pre-building and appliance using a private network
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHQVK","label":"IBM DataPower Gateway X3"},"ARM Category":[{"code":"a8m50000000CdqTAAS","label":"DataPower-\u003EMGMT (MM)-\u003EMigration"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
08 May 2024
UID
ibm16618141