How To
Summary
This document will cover the options to migrate from the 8441 IDG X2 appliances to the 8496 X3 appliance type.
Objective
The objective is to migrate the configuration from an IDG (X2) 8441 machine type to an IDG X3 8496 machine type
Steps
IDG X2 8441 migration to IDG X3 8496
Important notes:
1) There has been a change in the licensing for the ITX (formerly WTX) feature that was currently included with the IM (Integration Module) and B2B licenses. This license has been made into a separate license and if you currently have the IM (includes licenses such as odbc, binary transformation/dataglue etc) or B2B licenses
Confirm it there is any ITX usage by generating an error report and search for ".dpa" or "tx" and if there is any active configurations using these you will need to open a case with support to request the migration tool as well as the ITX license activator.
Note: When opening a case please include an error report to allow support to confirm the ITX usage to be able to provide the activator tool as well as to be able to confirm the licenses and provide the correct migration tool.
2) The X3 appliance does not have the two built in 10GB ports (eth0 and eth1) and if a configuration is moved to the X3 containing configuration for these interfaces then the network will be reported in a bad state until the eth0 and eth1 interfaces are deleted from the configuration.
The best practice is to confirm if you are using the two built in 10GB ports (eth0 and eth1) on the X2 and if so these interface configurations will need to be moved to the 4-port module (eth20-23) if any ports are available and the configuration deleted on the eth0 and eth1 interfaces before the migration.
Best Practice, Pre-Migration Checklist:
1. Clean up the appliance by checking for:
- Unused files or configurations
- Keys and certs that are needed and confirm if they are expired as expired certs can be removed during the upgrade even if the ignore expiry is set.
2. Stop all traffic to the appliance
3. Reboot the appliance
4. Confirm the Web-mgmt timeout is more than the default 600 seconds as the upload may take longer that this.
3. Reboot the appliance
4. Confirm the Web-mgmt timeout is more than the default 600 seconds as the upload may take longer that this.
Migration Methods:
There are two methods or migrating the configuration.
Method 1 | Export/Import method
With this method you do not need to match the firmware level with the target X3 and can choose what is imported (such as networking, domains etc).
This will not include:
- Private keys or certs - You will need to import or re-create any needed private keys and certs
- User information - When restored only the admin user will be active and you will need to re-create the needed users and permissions
See the technote: Back up, Export, and Import the configuration for an IBM DataPower appliance
Method 2 | Secure backup
This method will include all the keys (not stored on the HSM), certs and user information at the time the backup was taken.
With the secure backup restore you CANNOT choose what to import and the whole configuration will be imported including the networking.
Important note for the 53X (HSM) model: The keys stored on the HSM will not be included in the secure backup and these keys will need to be manually moved (see this page for cloning the keys) or new keys generated.
Confirm if any keys are stored on the HSM, as when keys are created there is an option to store them in the HSM or in the standard crypto location. If any are stored in the HSM those will need to either be imported (if the keys are stored elsewhere) or new ones generated.
Confirm the secure backup mode is enabled on the IDG and X3
Confirm if any keys are stored on the HSM, as when keys are created there is an option to store them in the HSM or in the standard crypto location. If any are stored in the HSM those will need to either be imported (if the keys are stored elsewhere) or new ones generated.
Confirm the secure backup mode is enabled on the IDG and X3
- WebGUI: system settings
- CLI: show system
Confirm the "backup mode" is "secure" if it is listed as "normal" open a case with support and provide the "show system" command output from any appliance that needs to have the secure backup mode enabled.
Confirm the X2 and X3 appliances are upgraded to the same 10.5.0.x level (minimum level is 10.5.0.1).
See the Upgrade Knowledge Collection for details on upgrading the X2 to 10.5.0
See the Upgrade Knowledge Collection for details on upgrading the X2 to 10.5.0
Make sure to confirm the ITX usage as noted above and if there is active ITX usage you will need to apply the new ITX license activator before proceeding with the migration.
Note: Once the license is activated on the X2 running below 10.0.1.9 you will see a license named "illegal" in the device features and this is expected.
Before proceeding in applying the secure restore on the X3, ensure that either of the following is true to avoid duplicate IP's on your network:
- The IDG and X3 are not on the same network
- The IDG powered is off
Perform the secure restore on the X3
Note: The secure restore will reset the admin user password to the default of admin and will require this be changed on the first login.
See the IBM Documentation for information for the secure backup/restore
See the IBM Documentation for information for the secure backup/restore
Notes: After the restore there are a couple of cleanup steps that may be needed:
1. Check the "Entitlement ID" on the "system settings" WebGUI page or the "show system" CLI command as this will be set to what was in this field in the X2 and update this to match the serial number of the X3 as that is the correct entitlement number to use when opening cases or renewing the support.
2. Check the "test hardware" command and not if there are any "illegal" interfaces listed as these could be from the eth0/eth1 interfaces on the X2 that the X3 does not have.
If you see the "illegal" interfaces you can remove them with the CLI commands:
config
no ethernet eth0
no ethernet eth1
Another less-common way to avoid duplicate IP's on your network, is to perform the secure restore to an appliance using a private network with your workstation. This will also allow for you to directly log in to the device after the restore is complete, and review the configuration. Then the switch-over from the IDG X2 can be very short.
See this link for the example of pre-building and appliance using a private network
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYMVY","label":"IBM DataPower Gateway X2"},"ARM Category":[{"code":"a8m50000000CdqTAAS","label":"DataPower-\u003EMGMT (MM)-\u003EMigration"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
29 June 2023
UID
ibm16826741