Introduction

The Disaster Recovery Mode function secure-restore in IBM® WebSphere® DataPower® enables administrators to restore an appliance with the backup previously created by a secure-backup. Both secure-backup and secure-restore were new with 3.8.1. The secure-restore function executes on an appliance that has a valid network configuration and storage definition. But the secure-restore overwrites this valid configuration information with the restored backup files and then reboots the appliance. Before placing the device into service it is best practice to verify some configuration information restored from the backup.

Passwords

Generally, appliance backups are done automatically. After a secure-restore, user and administrator passwords are set to their value at the time of the secure-backup.

People might not know what their passwords were at the time the backup was done, and the backup data would be useless if no administrator knows their password and could not log on to manage the device. Therefore, when the secure-restore is done, the administrator id admin has its password reset to admin. All other user ids and passwords are restored to the backup values.

The administrator should immediately log in using the admin id, which will require the default password to be changed. Then the admin id can be used to reset any user or administrator password on the appliance. A list of user ids defined on the appliance can be used to proactively warn users that their passwords have been changed. From the Command Line Interface (CLI) enter co; show usernames, or from the Web GUI click Administration => Manage User Account to get the list of user ids defined on the appliance.

Network configuration

If the secure-restore is done on the same appliance in the same network where the secure-backup was done, and if no network changes have occurred since the backup, then the network configuration after the secure-restore will not require any modification. However, if any network changes occurred after the backup was done, or if the secure-restore was done on a different appliance, the network configuration will need to be changed. For example, if the secure-restore is done in a test area or otherwise physically secure location, then after the restore reboots the appliance, the network configuration will be incorrect for the test area location.

Therefore the administrator should immediately log into the CLI via the serial port or SSH (Secure Shell) and confirm that the network configuration is correct for the location of the appliance. This confirmation should include at least a show interface and show name-server command. To view the network interface from the CLI enter co; show interface, or from the Web GUI click Network => Interface => Ethernet Interface.

RAID Devices

A secure-restore requires that the appliance have at least as much storage as the backed-up appliance. However if the restore is being done to upgrade an appliance at end of life or after a disaster, the replacement appliance will most likely have a larger storage capacity than the the backed-up appliance. In the case of a larger RAID device, the restored configuration might include information that contradicts the new appliance’s configuration. The administrator should verify the configuration data by browsing some files on the RAID device.

For an installation that had an existing backup and restore method for data on the RAID device, the secure-backup might have been done without a backup of the RAID device data. In this case, the backed-up configuration includes definitions for a RAID device but it does not include the RAID data itself, which could result in a RAID device that needs to be reconfigured and then have the RAID data restored using the existing restore method.

The administrator should immediately log in to the appliance to browse some data on the RAID device to confirm that the RAID device is configured correctly. To view the directory name used for the RAID device from the CLI enter co; show raid-volume, or from the Web GUI click Objects => System Settings => Hard Disk Array. Figure 3 shows a RAID directory name of myraid. To view files on the RAID device from the CLI, enter co; dir local:///myraid, or from the Web GUI click Control Panel => File Management => local: => myraid.

iSCSI Devices

If multiple iSCSI volumes exist on an appliance, the secure-restore assumes that the volumes are configured identically to the backed-up appliance. If there is a mismatch in the iSCSI volume configuration, the secure-restore will restore the data to the wrong iSCSI volume, reboot the appliance, and use the previous iSCSI configuration information, which will point to iSCSI volumes that weren't restored.

For example, if two iSCSI volumes Logical Unit Number (LUN) 0 and LUN 1 are configured on the appliance being backed up, but the secure-restore was done on an appliance with LUN 1 and 2, then the data would be restored to iSCSI volumes LUN 1 and 2 but the rebooted appliance would point to iSCSI volumes LUN 0 and 1.

The administrator should immediately log in to the appliance to browse some data on the iSCSI device to confirm that the iSCSI volumes are configured correctly. To view the directory name of each iSCSI volume from the CLI, enter co; show iscsi-volume, or from the Web GUI click Object => Network Settings => iSCSI Volume. Clicking on each volume name shows the mount point directory name -- similar to RAID devices, as shown in Figure 3 above. In this case myiscsi-0 and myiscsi-1 are the directory mount points, as shown in Figure 4 above.

TAM Configuration

If the customer is running the TAM libraries and has at least one TAM object configured, it's possible for them to run into issues with the SSL keystore if multiple devices are using the same files. The TAM configuration file, keystore and password stash file should be unique for each object. Here are a few scenarios where a customer could see problems:

1. If after the restore both appliances are up and a TAM object on one of the appliances refreshes the keystore file, the corresponding object on the other appliance will fail to transition up from the down state because the SSL key will no longer match with the version on the policy server.
2. If the new device's hostname is different from the old device, and a TAM object on the new device attempts to automatically refresh the keystore, the refresh may fail because the DN configured for the object will not match the device's hostname.
3. If a TAM object on the original device refreshed the keystore or password stash file after the secure backup was created, the object will not come up after it is restored. This can affect both the cases where the restore occurs on the same device or a different device.

In all cases, the best practice is to generate a unique set of files (config, keystore and stash) for each TAM object.

WebSphere MQ

MQ messages are consumed either in destructive mode (the default) or in 'browse' mode. The default, destructive, mode causes each message to be de-queued as it is read. So, if the DP appliances are doing their MQ business this way, then each appliance will see roughly half the messages that arrive on the queue.

The other mode (called browsing the queue), lets the application (DP appliance in this case) see the messages, but does not de-queue them. If two applications (or appliances) are browsing the same queue, each will see all the messages on that queue.

In either case, the best practice is to review the resulting post-restore MQ configuration objects and adjust according to desired behavior.

Resources

• WebSphere DataPower SOA Appliances developer resources page
  Technical resources to help you use WebSphere DataPower SOA Appliances to simplify, secure, and accelerate XML and Web services deployments within an SOA..
  
  
• WebSphere DataPower SOA Appliances product page
  Product descriptions, product news, training information, support information, and more.
  
  
• WebSphere DataPower SOA Appliances product library
  Product announcements, case studies, white papers, and more.
  
  
• WebSphere DataPower SOA Appliances documentation
  Complete documentation for the DataPower XA35, XS40, XI50, XB60, and XM70 Appliances.
  
  
• WebSphere DataPower SOA Appliances support
  A searchable database of support problems and their solutions, plus downloads, fixes, problem tracking, and more.
  
  
• WebSphere DataPower SOA Appliances forum
  Get answers to your technical questions and share your expertise with other WebSphere DataPower users.
  
  
• WebSphere DataPower SOA Appliance Handbook
  This retail book shows you how to use DataPower Appliances from the network, security, and ESB perspectives. The book describes installation, configuration, management, monitoring, configuration, build, deployment, DataPower as a network device, and DataPower services, especially the "big three" of XML Firewall, Web Service Proxy, and Multi-Protocol Gateway.
  
  
• IBM Redbook: IBM WebSphere DataPower SOA Appliances, Part I: Overview and getting started
  DataPower SOA appliances are purpose-built, easy-to-deploy network devices that simplify, secure, and accelerate your XML and Web services deployments while extending your SOA infrastructure. This IBM Redbook describes DataPower architecture, use cases, deployment scenarios, and implementation details, as well as best practices for SOA message-oriented architecture in a production ESB legacy environment.
  
  
• IBM Redbook: IBM WebSphere DataPower SOA Appliances Part II: Authentication and Authorization
  This IBM Redbook includes the following DataPower authentication and authorization topics: basic concepts, creating policies, using Tivoli Access Manager, and using LDAP directories.
  
  
• IBM Redbook: IBM WebSphere DataPower SOA Appliances Part III: XML Security Guide
  This IBM Redbook describes how to use a DataPower appliance to secure incoming Web Services within an SOA environment, how to integrate your DataPower appliance with WebSphere Message Broker, and how to protect against security attacks by implementing the XML Denial of Service (XDoS) provided by DataPower appliances.
  
  
• IBM Redbook: IBM WebSphere DataPower SOA Appliances Part IV: Management and Governance
  This IBM Redbook describes how to integrate a DataPower appliance with other products such as WebSphere Registry and Repository, IBM Tivoli Composite Application Manager for SOA, and Tivoli Composite Application Manager System Edition.
  
  
• developerWorks WebSphere developer resources
  Technical information and resources for developers who use WebSphere products. developerWorks WebSphere provides product downloads, how-to information, support resources, and a free technical library of more than 2000 technical articles, tutorials, best practices, IBM Redbooks, and online product manuals.
  
  
• developerWorks WebSphere application connectivity developer resources
  How-to articles, downloads, tutorials, education, product info, and other resources to help you build WebSphere application connectivity and business integration solutions.
  
  
• Most popular WebSphere trial downloads
  No-charge trial downloads for key WebSphere products.
  
  
• WebSphere forums
  Product-specific forums where you can get answers to your technical questions and share your expertise with other WebSphere users.
  
  
• WebSphere on-demand demos
  Download, watch, and learn what WebSphere products and WebSphere-related technologies can do for your company.
  
  
• developerWorks WebSphere weekly newsletter
  The developerWorks newsletter gives you the latest articles and information only on those topics that interest you. In addition to WebSphere, you can select from Java, Linux, Open source, Rational, SOA, Web services, and other topics. Subscribe now and design your custom mailing.
  
  
• WebSphere-related books from IBM Press
  Convenient online ordering through Barnes & Noble.
  
  
• WebSphere-related events
  Conferences, trade shows, Webcasts, and other events around the world of interest to WebSphere developers.
  
  
• developerWorks blogs
  Join a conversation with developerWorks users and authors, and IBM editors and developers.
  
  
• developerWorks Webcasts
  Free technical sessions by IBM experts that can accelerate your learning curve and help you succeed in your most difficult software projects. Sessions range from one-hour Webcasts to half-day and full-day live sessions in cities worldwide.
  
  
• developerWorks podcasts
  Listen to interesting and offbeat interviews and discussions with software innovators.
  
  
• developerWorks on Twitter
  Check out recent Twitter messages and URLs.
  
  

About the authors

Joe Furbee is a Software Test Specialist with IBM Software Services for WebSphere. He has testing experience with WebSphere middleware, SOA implementations, CRM Siebel, and education software. While working on WebSphere DataPower SOA Appliances, he has been involved in multi-box management, zSystem enterprise integration, and special customer issues.

John Majikes is a Senor Software Engineer on the WebSphere DataPower Team. He has worked on various mainframe hardware, marketing, and software development projects. John is currently pursing a Ph.D. in Software Engineering at North Carolina State University.

Rate this article

Comments

Back to top

Table of contents

• Introduction
• Passwords
• Network configuration
• RAID Devices
• iSCSI Devices
• TAM Configuration
• WebSphere MQ
• Resources
• About the authors
• Comments

Next steps from IBM

Rational Tester for SOA Quality is an automated web services testing and SOA testing tool that supports Web services SOAP, HTTP(S), JMS, WS-Security, UDDI, and RESTful standards.

---

• Try: The no-charge Rational Service Tester for SOA Quality helps quality assurance professionals validate web service based SOA application..
• Article: See the whats new with Rational Service Tester for SOA Quality, and its Generic Service Client, which provides a single client to interact with any SOA service type.
• Tutorial: Get hands-on experience with this Transport for SOAP feature tutorial using Rational Tester for SOA Quality.
• Buy: Rational Service Tester for SOA Quality

Dig deeper into WebSphere on developerWorks

IBM SmartCloud trial. No charge.

Unleash the power of hybrid cloud computing today!

---

Public and private solutions in one trial.

Special offers