  • Latest Post - ‏2012-10-31T03:31:31Z by SystemAdmin
SystemAdmin
SystemAdmin
6772 Posts

Pinned topic Trouble in making SOAP requests to IBM Datapower appliance (XI50)

‏2012-10-31T02:05:25Z |
Hello, I am trying to make SOAP calls through the curl command to the XML Management Interface of the DataPower device, but I am unable to do so.

I am logged into the default domain of the XI50 device and have the following settings for the XML Management Interface:
1. On the GUI navigate to Network -> Management -> XML Management Interface
2. Set The Admin State to enabled
3. Local IP address: 0.0.0.0
4. Port Number : 5550
5. Access Control List: xml-mgmt
6. Enabled Services: SOAP Configuration Management (checked)
AMP Endpoint (checked)

I make the following call:
curl -k -u username:password -d @get-status.xml https://Device IP:5550/service/mgmt/current -v

But get the following message:
  • About to connect() to Device IP port 5550 (#0)
  • Trying Device IP...
  • Connection timed out
  • couldn't connect to host
  • Closing connection #0
curl: (7) couldn't connect to host

The content of the get-status.xml file is:

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<dp:request domain="default"
xmlns:dp="http://www.datapower.com/schemas/management">
<dp:get-status class="CPUUsage"/>
</dp:request>
</env:Body>
</env:Envelope>

Can you please help me out and let me know if I am missing out anything obvious here?

Thanks a lot.
Updated on 2012-10-31T03:31:31Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:10:29Z  
    Check show xml-mgmt on the appliance, and I think you need to contact the network team to check the FW.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:16:29Z  
    > 1. On the GUI navigate to Network -> Management -> XML Management Interface
    > 2. Set The Admin State to enabled
    > 3. Local IP address: 0.0.0.0
    > 4. Port Number : 5550
    > 5. Access Control List: xml-mgmt
    > 6. Enabled Services: SOAP Configuration Management (checked)

    You need to enable soma endpoint too..

    xi50# show xml-mgmt

    xml-mgmt up

    admin-state enabled
    ip-address 0.0.0.0
    port 5550
    acl xml-mgmt up
    slm-peering 10
    mode any+soma+v2004+amp+slm
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:27:00Z  
    Yes, that has been enabled too. I am not able to execute show xml-mgmt on the terminal but I can see it has been enabled through the GUI as seen in the attachment.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:32:20Z  
    Oh.. are you suggesting I need to enable SOAP Management URI, SOAP Configuration Management (v2004), SLM Endpoint too? But the document on XML Management (http://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf) suggests the following (on page 15/53):

    Important: Never activate the check box Enable any (*) SOAP Management URI.
    Activating it could lead to problems using SOAP Management (SOMA), because any
    URI is accepted by the device. What can happen is that the device uses the SOAP
    v2004 specifications instead of the current SOAP Management implementation, which
    might cause trouble with the requests sent to the box. For example, they could be
    rejected although they are valid.

    Thanks.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:34:05Z  
    > deepti_ragha wrote:
    > Yes, that has been enabled too. I am not able to execute show xml-mgmt on the terminal but I can see it has been enabled through the GUI as seen in the attachment.

    You should be able to execute show xml-mgmt if you are a privileged user. Since you are sending the request to the default domain you need to have more than read access. I am not sure how your users have been set up, via RBM or local.

    If you have enabled the SOMA service you should see other errors apart from connection timeout.
    How are you firing the request? From a Linux server?
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:37:31Z  
    > deepti_ragha wrote:
    > Oh.. are you suggesting I need to enable SOAP Management URI, SOAP Configuration Management (v2004), SLM Endpoint too? But the document on XML Management (http://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf) suggests the following (on page 15/53):
    >
    > Important: Never activate the check box Enable any (*) SOAP Management URI.
    > Activating it could lead to problems using SOAP Management (SOMA), because any
    > URI is accepted by the device. What can happen is that the device uses the SOAP
    > v2004 specifications instead of the current SOAP Management implementation, which
    > might cause trouble with the requests sent to the box. For example, they could be
    > rejected although they are valid.

    v2004 is the legacy URL mgmt/service/2004. You don't have to enable the AMP, but if you keep enabling other services there will not be any harm,
    mode any+soma+v2004+amp+slm (I have enabled all services in my appliance).

    By doing so you will at least be able to find out if there is a firewall issue or not.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:39:22Z  
    I am puzzled too, that I am unable to execute commands. But I have another account (different userid) in another domain (not default) and there I execute commands. Maybe I need to search around a little on why that is happening.

    I am executing the command from cygwin, could that cause any issue?
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:44:18Z  
    > deepti_ragha wrote:
    > I am puzzled too, that I am unable to execute commands. But I have another account (different userid) in another domain (not default) and there I execute commands. Maybe I need to search around a little on why that is happening.
    You need to enable the other services too, like any, soma, etc.

    xi50# show xml-mgmt

    xml-mgmt up
    --------
    admin-state enabled
    ip-address 0.0.0.0
    port 5550
    acl xml-mgmt up
    slm-peering 10
    mode any+soma+v2004+amp+slm
    xi50# co
    Global configuration mode
    xi50(config)# show xml-mgmt

    xml-mgmt up
    --------
    admin-state enabled
    ip-address 0.0.0.0
    port 5550
    acl xml-mgmt up
    slm-peering 10
    mode any+soma+v2004+amp+slm

    >
    > I am executing the command from cygwin, could that cause any issue?
    Unless your appliance is in a DMZ or behind a FW, the request should work.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T02:56:32Z  
    Still unable to execute the commands (says Unknown command or macro (co)).

    Tried enabling the services, but still facing the same issue.

    I am not sure if the appliance is behind the firewall (it is at a remote location). I tried doing a packet capture (through Wireshark) while sending the request from my machine and could see 3 TCP SYN messages. I also ran a packet capture on the appliance through the web GUI by going to Control Panel -> Troubleshooting -> Packet Capture, but I couldn't see those requests here on the device. Does it all point to the appliance being behind the firewall?
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T03:12:12Z  
    > deepti_ragha wrote:
    > Still unable to execute the commands (says Unknown command or macro (co)).

    Your access is the problem. I have created a dummy user in my appliance and got the same error when I gave read access to default and full access to the developing domain.

    Unauthorized access prohibited.
    login: temp1
    *Password: *********
    xi52# show xml-mgmt
    Unknown command or macro (show xml-mgmt)
    xi52# co
    Unknown command or macro (co)
    xi52#

    Hope this helps,
    Kumar
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T03:19:18Z  
    Oh ok. Thanks a lot. Is this also the reason that I am unable to make SOAP calls?
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T03:27:04Z  
    > deepti_ragha wrote:
    > Oh ok. Thanks a lot. Is this also the reason that I am unable to make SOAP calls?

    If you don't have access you should get an authentication error. The reason you are getting a request timeout can be
    1) You haven't enabled the any, soma, etc. services.
    2) FW is not open.

    When you did the packet capture you should be able to see the xml-request in the capture.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Trouble in making SOAP requests to IBM Datapower appliance (XI50)

    ‏2012-10-31T03:31:31Z  
    As per your suggestion I have enabled the any, soma services now. The packet capture does not show any xml requests on the appliance. Looks like a firewall issue. Thanks a lot for your inputs.
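
The layering the replies rely on (a timeout means the SYNs never reached a listener, while a permissions problem would come back from the appliance as an authentication error) can be checked in one pass. This is an added example, not code from the thread: `tcp_state`, `soma_probe` and the `verify` flag are names assumed here, and only the port, URI and envelope come from the original post.

```python
import base64
import http.client
import socket
import ssl

SOMA_PATH = "/service/mgmt/current"  # URI from the curl command in the thread

def tcp_state(host, port, timeout=5.0):
    """Classify a single TCP connect attempt to the management port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed, something is listening
    except ConnectionRefusedError:
        return "refused"          # RST returned: host reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"         # SYNs never answered, as in the Wireshark capture
    except OSError:
        return "unreachable"      # no route, name resolution failure, ...

def soma_probe(host, port, user, password, envelope, verify=True, timeout=5.0):
    """Return (layer, detail) for the first layer at which the request stops."""
    state = tcp_state(host, port, timeout)
    if state != "open":
        return ("network", state)  # firewall or listener problem, not credentials
    ctx = ssl.create_default_context()
    if not verify:                 # equivalent of curl -k; default keeps verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("POST", SOMA_PATH, body=envelope.encode(),
                     headers={"Authorization": "Basic " + token,
                              "Content-Type": "text/xml"})
        # Any HTTP status proves the path is open; what remains is auth or service config.
        return ("http", str(conn.getresponse().status))
    except ssl.SSLError as exc:
        return ("tls", type(exc).__name__)
    except (OSError, http.client.HTTPException) as exc:
        return ("network", type(exc).__name__)
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, credentials are placeholders.
    envelope = ('<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body>'
                '<dp:request domain="default" xmlns:dp="http://www.datapower.com/schemas/management">'
                '<dp:get-status class="CPUUsage"/></dp:request></env:Body></env:Envelope>')
    print(soma_probe("192.0.2.10", 5550, "username", "password", envelope))
```

A result of `("network", "filtered")` matches the symptom in this thread, while `("network", "refused")` would instead point at the listener on the appliance.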