The Disaster Recovery Mode function
IBM® WebSphere® DataPower® enables administrators to
restore an appliance with the backup previously created by a
secure-restore were new with 3.8.1. The
secure-restore function executes on an appliance that has a
valid network configuration and storage definition. But the
secure-restore overwrites this valid configuration
information with the restored backup files and then reboots the appliance.
Before placing the device into service it is best practice to verify some
configuration information restored from the backup.
Generally, appliance backups are done automatically. After a
secure-restore, user and administrator passwords are set to
their value at the time of the
People might not know what their passwords were at the time the backup was
done, and the backup data would be useless if no administrator knows their
password and could not log on to manage the device. Therefore, when the
secure-restore is done, the administrator id
admin has its password reset to
admin. All other
user ids and passwords are restored to the backup values.
The administrator should immediately log in using the
id, which will require the default password to be changed. Then the
admin id can be used to reset any user or administrator
password on the appliance. A list of user ids defined on the appliance can
be used to proactively warn users that their passwords have been changed.
From the Command Line Interface (CLI) enter
co; show usernames, or from the Web GUI click
Administration => Manage User Account to get the
list of user ids defined on the appliance.
Figure 1. Web GUI list of users defined on an appliance
If the secure-restore is done on the same appliance in the
same network where the secure-backup was done, and if no
network changes have occurred since the backup, then the network
configuration after the secure-restore will not require any
modification. However, if any network changes occurred after the backup
was done, or if the secure-restore was done on a different
appliance, the network configuration will need to be changed. For example,
if the secure-restore is done in a test area or otherwise
physically secure location, then after the restore reboots the appliance,
the network configuration will be incorrect for the test area.
Therefore the administrator should immediately log into the CLI via the
serial port or SSH (Secure Shell) and confirm that the network
configuration is correct for the location of the appliance. This
confirmation should include at least a
show interface and
show name-server command. To view the network interface from
the CLI enter
co; show interface, or from the Web GUI click
Network => Interface => Ethernet Interface.
Figure 2. Ethernet interfaces defined to an appliance
secure-restore requires that the appliance have at least as
much storage as the backed-up appliance. However if the restore is being
done to upgrade an appliance at end of life or after a disaster, the
replacement appliance will most likely have a larger storage capacity than
the backed-up appliance. In the case of a larger RAID device, the
restored configuration might include information that contradicts the new
appliance’s configuration. The administrator should verify the
configuration data by browsing some files on the RAID device.
For an installation that had an existing backup and restore method for data
on the RAID device, the
secure-backup might have been done
without a backup of the RAID device data. In this case, the backed-up
configuration includes definitions for a RAID device but it does not
include the RAID data itself, which could result in a RAID device that
needs to be reconfigured and then have the RAID data restored using the
existing restore method.
The administrator should immediately log in to the appliance to browse some
data on the RAID device to confirm that the RAID device is configured
correctly. To view the directory name used for the RAID device from the
CLI enter co; show raid-volume, or from the Web GUI click
Objects => System Settings => Hard Disk Array.
Figure 3 shows a RAID directory name of
myraid. To view files
on the RAID device from the CLI, enter
co; dir local:///myraid, or from the Web GUI click
Control Panel => File Management => local: =>
Figure 3. Web GUI view of the hard disk array
Figure 4. Web GUI view of RAID file names
If multiple iSCSI volumes exist on an appliance, the
secure-restore assumes that the volumes are configured
identically to the backed-up appliance. If there is a mismatch in the
iSCSI volume configuration, the
secure-restore will restore
the data to the wrong iSCSI volume, reboot the appliance, and use the
previous iSCSI configuration information, which will point to iSCSI
volumes that weren't restored.
For example, if two iSCSI volumes Logical Unit Number (LUN) 0 and LUN 1 are
configured on the appliance being backed up, but the
secure-restore was done on an appliance with LUN 1 and 2,
then the data would be restored to iSCSI volumes LUN 1 and 2 but the
rebooted appliance would point to iSCSI volumes LUN 0 and 1.
The administrator should immediately log in to the appliance to browse some
data on the iSCSI device to confirm that the iSCSI volumes are configured
correctly. To view the directory name of each iSCSI volume from the CLI,
enter co; show iscsi-volume, or from the Web GUI click
Object => Network Settings => iSCSI Volume.
Clicking on each volume name shows the mount point directory name --
similar to RAID devices, as shown in Figure 3 above. In this case
myiscsi-1 are the directory mount
points, as shown in Figure 4 above.
Figure 5. iSCSI volume listing
If the customer is running the TAM libraries and has at least one TAM object configured, it's possible for them to run into issues with the SSL keystore if multiple devices are using the same files. The TAM configuration file, keystore and password stash file should be unique for each object. Here are a few scenarios where a customer could see problems:
- If after the restore both appliances are up and a TAM object on one of the appliances refreshes the keystore file, the corresponding object on the other appliance will fail to transition up from the down state because the SSL key will no longer match with the version on the policy server.
- If the new device's hostname is different from the old device, and a TAM object on the new device attempts to automatically refresh the keystore, the refresh may fail because the DN configured for the object will not match the device's hostname.
- If a TAM object on the original device refreshed the keystore or password stash file after the secure backup was created, the object will not come up after it is restored. This can affect both the cases where the restore occurs on the same device or a different device.
In all cases, the best practice is to generate a unique set of files (config, keystore and stash) for each TAM object.
MQ messages are consumed either in destructive mode (the default) or in 'browse' mode. The default, destructive, mode causes each message to be de-queued as it is read. So, if the DP appliances are doing their MQ business this way, then each appliance will see roughly half the messages that arrive on the queue.
The other mode (called browsing the queue), lets the application (DP appliance in this case) see the messages, but does not de-queue them. If two applications (or appliances) are browsing the same queue, each will see all the messages on that queue.
In either case, the best practice is to review the resulting post-restore MQ configuration objects and adjust according to desired behavior.
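The storage, iSCSI, network and TAM checks described above can be run as a comparison of the backed-up and target appliances before the restore. The following is an added example, not IBM's code: the inventory dict format, hostnames and file names are constructed, and a hostname difference is assumed to mean the restore goes to a different appliance.

```python
from collections import Counter

def restore_findings(source, target, raid_data_in_backup=True):
    """List what to fix or verify when restoring `source`'s backup onto `target`.

    Both arguments are dicts in a hypothetical inventory format:
    hostname (str), storage_gb (int), iscsi_luns (set of int) and, for the
    source, tam_objects mapping object name -> (config, keystore, stash).
    """
    findings = ["admin password resets to the default: log in and change it first"]

    # secure-restore needs at least as much storage as the backed-up appliance.
    if target["storage_gb"] < source["storage_gb"]:
        findings.append("BLOCKER: target has less storage than the backed-up appliance")
    elif target["storage_gb"] > source["storage_gb"]:
        findings.append("larger storage on target: browse RAID files after the restore")
    if not raid_data_in_backup:
        findings.append("RAID data not in backup: reconfigure RAID, restore data separately")

    # The restored configuration keeps pointing at the source's LUNs.
    if source["iscsi_luns"] != target["iscsi_luns"]:
        findings.append("BLOCKER: iSCSI LUN mismatch, config expects %s but target has %s"
                        % (sorted(source["iscsi_luns"]), sorted(target["iscsi_luns"])))

    tam = source.get("tam_objects", {})
    if source["hostname"] != target["hostname"]:
        findings.append("hostname differs: confirm show interface and show name-server")
        for name in sorted(tam):
            findings.append("TAM %s: keystore refresh may fail, DN will not match hostname" % name)

    # Config, keystore and stash files should be unique per TAM object.
    uses = Counter(path for files in tam.values() for path in files)
    for path in sorted(p for p, n in uses.items() if n > 1):
        findings.append("TAM file shared by %d objects: %s" % (uses[path], path))
    return findings

# Constructed sample inventories (not real appliances).
SOURCE = {"hostname": "dp-prod-1", "storage_gb": 70, "iscsi_luns": {0, 1},
          "tam_objects": {"tam-a": ("a.conf", "shared.kdb", "a.sth"),
                          "tam-b": ("b.conf", "shared.kdb", "b.sth")}}
TARGET = {"hostname": "dp-test-1", "storage_gb": 300, "iscsi_luns": {1, 2}}

if __name__ == "__main__":
    for line in restore_findings(SOURCE, TARGET, raid_data_in_backup=False):
        print(line)
```

Any line starting with BLOCKER should be resolved before running the secure-restore; the remaining lines are the post-reboot checks.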