Now that file data should be stored in a database via <dp:url-open ...>, not in UTF-8 but in its original encoding.
While there is a solution for this kind of problem (slides 6-8 in this WSTE webcast), the conversions to and from UTF-8 are overhead at least.
In addition the filename of the file uploaded is not available by DataPower convert-http action.
One solution is making use of swaform tool which even is able to deal with binary file data in file upload fields (see slide 16 of this WSTE webcast).
Another solution is making use of stylesheet fileupload.xsl attached in this posting:
A 64bit des:encrypt-blk() call takes roughly 3ms, which means that you do not want to apply that on big data.
The implementation works on 01-strings, with hexTObin and other conversion functions included.
This reminds me of 5.5 years back, when I worked in the Smartcard development department in Boeblingen Lab.
The person responsible for side channel attacks left IBM and I was the first who raised the hand for the equipment:
* two oscilloscope cards for the server (100MHz, 2GHz)
* a special card reader with high precision probe
* many smartcards, some secure, others less secure, for adjustment
* software for doing side channel attacks.
What was easy to do was to break triple DES on cards without randomization counter-measure based on statistical analysis of several thousand measurements.
What I heard about is the single request break of RSA private keys in early smartcards. The code for doing exponentiation in those cards was "efficient", it did compute
x^(2*n) by (x^n)^2 and
x^(2*n+1) by ((x^n)^2)*x
So the single bits of the private key could be directly seen on the oscilloscope by long (odd exponent) or short (even exponent) areas of high power consumption.
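The leak described above, as an added Python sketch that is not part of the original post: it records one "S" (square) or "SM" (square plus multiply) block per exponent bit, shows that this sequence spells out the private exponent, and contrasts it with a Montgomery ladder whose per-bit operation pattern is uniform. The modulus, exponent and function names are constructed for illustration, and the trace models the operation sequence only, it is not a measurement.

```python
# Added illustration: models the per-bit operation sequence a power trace exposes.
# "S" = modular squaring, "M" = modular multiplication (constructed model).

def square_and_multiply(x, d, n):
    """Left-to-right binary exponentiation as described in the text (leaky)."""
    result, trace = 1, []
    for bit in bin(d)[2:]:
        result = (result * result) % n      # x^(2k)   = (x^k)^2
        ops = "S"
        if bit == "1":
            result = (result * x) % n       # x^(2k+1) = ((x^k)^2) * x
            ops += "M"
        trace.append(ops)                   # long block for 1, short block for 0
    return result, trace

def bits_from_trace(trace):
    """What an observer reads off the blocks: "SM" means 1, "S" means 0."""
    return "".join("1" if ops == "SM" else "0" for ops in trace)

def montgomery_ladder(x, d, n):
    """Hardened form: one multiply and one square per bit, whatever the bit is."""
    # In firmware the branch below would be a constant-time conditional swap;
    # here it only selects which register receives which product.
    r0, r1, trace = 1, x % n, []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        else:
            r0, r1 = (r0 * r0) % n, (r0 * r1) % n
        trace.append("MS")                  # identical block for every bit
    return r0, trace

def demo():
    n, d, x = 3233, 2753, 2790              # constructed toy values, not real key sizes
    leaky, leaky_trace = square_and_multiply(x, d, n)
    safe, safe_trace = montgomery_ladder(x, d, n)
    assert leaky == safe == pow(x, d, n)    # both compute the same result
    return int(bits_from_trace(leaky_trace), 2), set(safe_trace)

if __name__ == "__main__":
    print(demo())
```

The uniform operation sequence removes only this particular leak; the randomization counter-measure mentioned earlier addresses statistical analysis over many measurements and is a separate defence.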
We did not have the equipment to cut reader power based on some runtime condition or at a specific clock cycle of computation.
But the certification agencies (and real attackers) had.
Once we got a complaint from a cert agency that a specific pattern on the oscilloscope would leak information.
They claimed that the pattern corresponds to a specific part of the OS code.
Using the oscilloscope I was able to disprove that statement.
I just added code that created spikes at specific locations in the OS code.
Then running the request the oscilloscope proved that the pattern of the complaint belonged to a totally different part of the OS code. Now how to generate a "spike"? That was easy -- just power on the (hardware) random generator and immediately power it off with the next command.
But that was long ago, before IBM sold its smartcard business and I joined DataPower development 4.5 years ago.
demonstrated that arrows from Unicode "Arrows" range 2190-21FF as well as other Unicode characters can be part of function names.
The attached and described stylesheet provides useful conversion functions in addition to dp:radix-convert() (see func:bin⇉hex() for a nice XPath technique). Here a conversion of type "...⇉..." preserves leading '0's, while a conversion of type "...┈⇢..." does not preserve leading '0's (like dp:radix-convert() ).
b64 (base64), hex, bin (01-strings) and dec (number) can be converted by these function calls:
stylesheet classes.xsl which generated that diagram is attached and discussed a little bit.
You might be interested in "graph extraction" from XML data and Depth-First-Search traversal of the extracted graph which was used to generate the "block" hierarchy diagram. Also the simple and nice heuristic which allows
to allocate exactly the vertical space needed for a node in the diagram is interesting -- in "XML speak" instead of "graph speak"
the EXSLT support of several XSLT 1.0 processors is compared.
In the attached archive stylesheet exslt.xsl is used to display tabular, interlinked output detailing the support.
With DataPower firmware 3.8.2 a bunch of new EXSLT functionality has become available.
E.g. the Math package is completely implemented since then.
If you just want to look up DataPower EXSLT support for firmware 3.8.2 and higher take this link: attachment_14686524_382.html
These three functions ARE supported in DataPower firmware (even in pre 3.8.2 firmware) and are just incorrectly reported as unsupported:
func:function, func:result, dyn:evaluate
Attached to that posting is a correctly formatted multipart/signed sample message (with CRLFs) and the stylesheet.
This stylesheet is a nice demonstration of these features:
* accessing Non-XML input
* UTF-8 validate input (needed for safety, OK for scenario since ASCII is a subset of UTF-8)
* having a func:function doing some preparation work (eliminate soft line breaks, split at '=3D')
* having a recursive func:function doing the rest.
Important for the recursive function is doing only what needs to be done in the stylesheet and rely on efficient extension functions (regexp:replace) where possible.
Last, but not least, it demonstrates how you can map a unicode code point to a parsed character entity inside a stylesheet by mapping (for ISO-8859-1 sample).
The response returned from backend contains a 12 byte Non-XML prefix before XML. This stylesheet strips the Non-XML data, verifies the binary prefix correctness, and does XML validation for the rest. 004SA.xsl
This is an export containing both stylesheets for request/response policies, and a simulation of AS/400 backend by netcat (nc) tool is described and used for a full roundtrip verification.
and did numerous postings on developerWorks DataPower forum making use of coproc2 service for demonstration.
The coproc2 service itself (MPGW export attached in this posting) is unchanged since first posting.
A one-line (bash) shell-script client (coproc2) and a Java client (coproc2.java) are available.
Today I posted new coproc2 client coproc2swa, another (bash) shell-script client usable in Linux and Cygwin under Windows (tested!).
http://www.ibm.com/developerworks/forums/thread.jspa?threadID=387511

    ...
    # This file is an all-in-one solution in that it
    #
    # 1) is the coproc2swa client for processing SWA data with coproc2 service
    #    ("bash" script, in "preamble")
    #
    # 2) is a SWA file itself(!) and can be used as sample input
    #
    # 3) allows to inspect SWAfile by -preamble/-epilogue/-print (cids)
    #
    # 4) contains four demo stylesheets which may be referenced by "cid..."
    #
    #    attman.xsl
    #    - accessing attachment manifest and content-types
    #
    #    pgm1st.xsl
    #    - output first "image/x-portable-greymap" attachment (binary data!)
    #
    #    xml1st.xsl
    #    - output first "text/xml" attachment
    #
    #    zipit.xsl
    #    - return zip of all "text/xml" and "image/x-portable-greymap" attachments
    ...
The demo I like most is cid:zipit.xsl (invoked by "coproc2swa cid:zipit.xsl ~/bin/coproc2swa http://dp3-l3:2223 -s >z.zip").
It just determines all attachments of type "text/xml" and "image/x-portable-greymap" from SWA file,
adds them to archive "archive-zip" and returns that archive as result (binary data) !
Today I want to show a little tool we use in Böblingen Lab to keep track of our DataPower boxes (Level 2 and Level 3 support, as well as some Techsales boxes).
This tool is most useful if you have often changing firmware versions on different boxes (like in development or support).
Also boxes with different hardware features can easily be tracked with this.
Here I only have selected my Level-3 support boxes to restrict the screenshot size.
As you can see you get a timestamp, and then for every box (clickable) all of its version information in the left section. In the right section all feature information is provided (Y/N means that the feature is licensed, but the installed firmware does not provide support for it).
Here is the screenshot of all Boeblingen boxes (nearly full rack):
This is the display when a box is inaccessible (I intentionally rebooted dp5-l3 for this):
The solution is intentionally not installed on one of our boxes, but on a normal Linux server.
The solution described below can also be used on Windows systems, by adaptation or by making use of Cygwin (search for "cygwin cron").
Our boxesBB page gets updated every ten minutes automatically by a cron job, see the output of "crontab -l":
This is the shell script executed to generate the updated view. Since this solution is outside a DataPower box "xsltproc" is used for the stylesheet processing.
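    #!/bin/bash
    # Run from the script's own directory so the relative file names resolve.
    cd "$(dirname "$0")" || exit 1
    # Generate the per-box query script from the stylesheet, then run it.
    xsltproc create_script.xsl empty.xml >script
    sh script
    # Wait before building the status page from the retrieved results.
    sleep 15
    xsltproc generate.xsl empty.xml >/var/www/html/myBoxesBB.html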
The solution allows to configure which boxes should be tracked.
For each box you specify its name, the password of the admin user (may be any user with XML mgmt access rights), and optionally the port of the XML management interface if different from the default 5550.
The gport entry specifies the port on the serial console the box can be accessed by.
And this is the stylesheet to create the complete status page based on the results retrieved for all the boxes by the generated bash script.
The shell script is necessary because xsltproc does not allow for dp:url-open() calls ... ;-) The generated HTML page does not know the interval at which the page gets regenerated by crontab. To keep the display current it refreshes itself every minute.
Customer wanted to know how to store files (retrieved by scheduled rule) locally on DataPower box.
Solution consists of:
* scheduled rule
* dp:url-open to retrieve file
* base64 encode it (either its serialization for XML, or the binaryNode response for Non-XML)
* use set-file XML management operation to store the file
* access XML management interface from within a stylesheet to execute the request
> How can i count number of requests passing through the processing policy.
For those policies which are tied to specific stylesheets you may look
up "Status-->XML Processing-->Stylesheet Executions" in WebGUI.
You get the exact counts of stylesheet executions for 10 sec, 1 min, 10 min, 1 hour and 1 day.
You may reset the counters to 0 by flushing the corresponding XML manager's stylesheet cache.
> is there any Dp:element , XSL element or function available.
This seems to indicate that you want to access these counts from within a stylesheet?
You can access the above-mentioned counters via the XML management interface:
    $ doSoma admin StatusStylesheetExecutions.xml dp3-l3.boeblingen.de.ibm.com:5550 | \
    > xpath++ "/*/*/*/*/*[contains(URL,'coproc2.xsl')]" -
    Enter host password for user 'admin':
    -------------------------------------------------------------------------------
    <StylesheetExecutions xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:dp="http://www.datapower.com/schemas/management">