IBM Support

Migrating a physical DataPower appliance to a virtual edition

How To


Summary

Because you cannot use the secure backup-restore procedure between a physical DataPower appliance and DataPower Gateway Virtual Edition, you must perform an export operation followed by an import operation for each domain unless your configuration is defined remotely and loaded at startup.

Objective

Migration is a good time to clean up. Before migration, perform the following tasks so that you will have a clean system after migration.

  • Review the configuration of the default domain to determine whether there are any services defined. If you have services defined, consider migrating them to application domains.
  • Review the configuration of the services in each application domain. If an application domain contains many unrelated services, consider migrating them to other application domains.
  • Remove unused services and their artifacts.

The strategy you use to migrate can differ based on whether your configuration is remotely stored and loaded at startup, the number of application domains, and the amount of cleanup you want to do after migration.

  • When domain configuration is remotely stored and loaded at startup, you might need to make only small changes to networking and local users.
  • When there are only a few application domains, you can create a backup of the entire system and then import this export package.
  • When there are many application domains, consider scripting each step in this procedure.

Environment

  • Ensure that the source and target systems are at the same firmware version with the same modules. When you are setting up a nonproduction system, you might not need to purchase and activate some modules. For more information about modules, see Available modules by product.
    • By default, a DataPower Gateway appliance (Type 8436 or Type 8441) has no add-on features, but you might have purchased and activated the following modules that you will also need on the target system. If you purchased the Tenant Module, you must set up another target system.
      • Application Optimization Module
      • B2B Module
      • Integration Module
      • TIBCO EMS Module
    • By default, an XG45 appliance (Type 7198 or Type 2426) has no add-on features, but you might have purchased and activated the following modules that you will also need on the target system.
      • Application Optimization Module
      • B2B Module
      • Data Integration Module, which requires the Integration Module but is part of the B2B Module
    • By default, an XI52 appliance (Type 7199 or Type 2426) needs the Integration Module, but you might have purchased and activated the following modules that you will also need on the target system. If you purchased the Database Connectivity Module, the Integration Module already contains these features.
      • Application Optimization Module
      • B2B Module
      • TIBCO EMS Module
    • By default, an XB62 appliance (Type 7199 or Type 2426) needs the B2B Module, but you might have purchased and activated the following modules that you will also need on the target system.
      • Application Optimization Module
      • TIBCO EMS Module
  • The target system is sized with appropriate file system, CPU, and memory resources, which is part of capacity planning.
  • Relevant cryptographic files for keys and certificates are securely stored on a remote server. If you do not have access to these cryptographic files, you must re-create them and upload them to the target system. With the crypto tools, you can export and import certificates but you cannot export and import keys.

Steps

  1. Prepare the source system by completing the following steps.
    1. If not already obfuscating passwords in the persisted configuration, prepare the source systems to export the password associated with objects in each domain. You must set the same treatment and passphrase on the target system.
      1. Access the Domain Settings configuration.
      2. From the Password treatment list, select Masked.
      3. In the Passphrase field, enter and confirm the passphrase that obfuscates passwords.
    2. If you export local user accounts to avoid re-creating them on the target system, you must use the CLI to edit each local user whose owner should not be required to change the account password at the initial login. For illustration, the following command sequence edits the test user account when you are already in Global configuration mode, which you enter with the configure terminal command.
      (config)# user test
      Modify User configuration
      (config user test)# suppress-password-change on
      (config user test)# exit
      (config)#
      Repeat this edit for each local account. After you edit all local accounts, ensure that you persist the configuration with the write memory command.
  2. Prepare the target system by completing the following steps.
    1. In the default domain, upload the cryptographic files for certificates and keys that the management interfaces need. If you created export packages for certificates, import them.
    2. In the default domain, define the network and the management interfaces. Although you can export these objects from the source system and import them to the target system, you might need to edit these objects after the import operation to have a working system.
      • The network consists of the following objects that you should not import from the export package.
        • System Settings
        • Network Settings
        • Ethernet Interface
        • VLAN Interface
        • Link Aggregation Interface
        • DNS Settings
        • Host Alias for network interfaces
        • NTP Service
        • Time Settings
        • NFS Client Settings
        • NFS Static Mounts
        • NFS Dynamic Mounts
        • SMTP Server Connection
        • SNMP Settings
      • Management consists of the following objects that you should not import from the export package. Remember to define your own SSL profile to secure connections to the DataPower Gateway.
        • Telnet Service
        • SSH Service and the ssh Access Control List
        • Web Management Service and the web-mgmt Access Control List
        • XML Management Interface and the xml-mgmt Access Control List
        • REST Management Interface and the rest-mgmt Access Control List
        • Web B2B Viewer Management and the web-b2b-viewer Access Control List
    3. In the default domain, create the application domains. After creating an application domain, access it and complete the following steps as appropriate.
      • Upload the cryptographic files for certificates and keys that the services need. If you created export packages for certificates, import them.
      • Define the Domain Settings configuration to use the same treatment and passphrase as the source system.
      • Define the SMTP Server Connection configuration for the domain.
      • Define the Web Services Management Agent configuration to ensure that the following settings are proportional to the allocated memory of the target system.
        • Maximum records to buffer
        • Maximum buffer memory
  3. Create export packages for each domain on the source DataPower Gateway.
    1. Create an export package that includes only the necessary objects in the default domain. In other words, ensure that you exclude any of the previously listed items that you already explicitly defined as well as the Tenant object.
    2. Create an export package for each application domain.
  4. Import the export packages to the target system. These packages were created on the source system.
    1. Import the export package for the default domain. Do not select Restore. For objects that report as new or existing, you might need to deselect those that are not appropriate for the default domain. These are object configurations associated with services; for example, processing policies, processing rules, and processing actions. The following object classes should report as new and are for configuration that can be defined in only the default domain or referenced by objects that you should define in only the default domain.
      • B2B Persistence
      • Domain Availability
      • Host Alias
      • Identification Credentials
      • Interoperability Test Service
      • Failure Notification
      • Language
      • Log Category
      • Log Target
      • ODR Connector Group
      • On Demand Router
      • Password Map Alias
      • Quota Enforcement Server
      • RADIUS Settings
      • SSH Client Profile
      • SSL Server Profile
      • SSL Proxy Profile (deprecated)
      • SSL Server Profile
      • SSL SNI Server Profile
      • Throttle Settings
      • User Account
      • User Group
      • Validation Credentials

      Other objects that report as new or existing probably are not appropriate in the default domain and should be considered for import into an application domain that contains the appropriate service.

    2. Import the export package for each application domain.
  5. As needed, make configuration adjustments.
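
Step 1.2 repeats one CLI edit for every local account, and the Objective section suggests scripting when there is a lot to repeat. The following script is an added example, not IBM code: it builds the command sequence shown in step 1.2 for a list of accounts and refuses any name that would alter the generated commands. The function name, the input file format, and the allowed character set for account names are assumptions.

```sh
#!/bin/sh
# Added example: emit the DataPower CLI commands that turn on
# suppress-password-change for every local account named in a file.
# Input: one account name per line; blank lines and '#' comments are skipped.
# Assumption: account names contain only letters, digits, '.', '_' and '-'.

gen_suppress_script() {
    users_file=$1
    [ -r "$users_file" ] || { echo "cannot read $users_file" >&2; return 2; }
    body=""
    seen=" "
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case $name in
            *[!A-Za-z0-9._-]*)
                # Whitespace, ';' or a stray CR would change the line the CLI parses.
                echo "rejected account name: $name" >&2
                return 1 ;;
        esac
        case $seen in
            *" $name "*) continue ;;        # duplicate, already emitted
        esac
        seen="$seen$name "
        body="${body}user $name
suppress-password-change on
exit
"
    done < "$users_file"
    [ -n "$body" ] || { echo "no accounts listed" >&2; return 1; }
    # Enter Global configuration mode, edit each user, then persist.
    printf 'configure terminal\n%swrite memory\n' "$body"
}

# Run on the file given as $1, or on a constructed two-account sample.
if [ "$#" -gt 0 ]; then
    gen_suppress_script "$1"
else
    sample=$(mktemp)
    printf 'test\nops.admin\n' > "$sample"   # constructed sample names
    gen_suppress_script "$sample"
    rm -f "$sample"
fi
```

Review the generated commands before you enter them in a CLI session on the source system.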

Additional Information

What to do next

  • You might receive a message that an object failed to import or a message about a startup error. If you receive these types of messages, review the configuration on the source system to determine whether the object was excluded from the export erroneously or a required module was not activated. If the error is correct, determine the approach to resolve it.
    • Create the object on the target system.
    • Access the object on the source system and click Export to create an object-specific export package of its full configuration. Then, access the target system and import this export package.
  • If you receive any startup errors, review the configuration on the source system to determine whether the object was excluded from the export erroneously or a required module was not activated.
  • If you changed the password treatment to Masked in the Domain Settings configuration, change the treatment back to None obfuscated.
  • In each domain, access the Statistics Setting configuration to enable statistics.
  • In each domain, access each XML Manager configuration to ensure that the XML and JSON parser limits are proportional to the memory allocation of the target system.

Document Location

Worldwide

Product: IBM DataPower Gateway. Component: General. Platform: Firmware. Version: 2018.4. Edition: Edition Independent. Business Unit: Cloud & Data Platform. Line of Business: Automation.

Document Information

Modified date:
21 February 2020

UID

ibm11071632