DataPower SOMA: Automatic Domain Backup Policy

Huy M Huynh
Kaiser Permanente - Emerging Technologies & System Design
Middleware Solution Lead

1 Introduction
In this document, we will go through the process of creating an automatic backup agent
in WebSphere DataPower using the WebSphere DataPower schedule rule that creates a
backup of the domain(s) through SOMAvia the XML management interface and ftp it off
the deviceoffload to an FTP server. Although there areThere are, however, other ways to
do backup via such as macro scripts, and managing software (manual process)etc, but
none of these offer an on-device automatic automated mechanism. Therefore, tThis
document offers an alternative solution to auto backup WebSphere DataPower
configurations by using XML Management Interface, decode the SOMA SOAP binary64
response, and send the response to an ftp FTP server, which all happen within WebSphere
DataPower.

2 Creating the Scheduled Backup Policy

The instructions below will create an XML Firewall and a Firewall Policy that will
perform the backup through using custom transformation. In addition to that, it will also
guide you to the createion of an XML Manager tohat will manage all the required
security of the XML Management Interface and to create afor the scheduled rule to
automaticallyhat executes the backup Firewall Policy.

1. Create an XML Firewall with loopback proxy, Non-XML Request Type, and a new
processing policy. You may also want to set the front-end IP address to 127.0.0.1 for
enhanced security purpose. However, by doing so, it will disable the on demand
backup functionality. For example, if it the FSH is set to listen to an actually IP, the
backup can be done on demand through an external user by invoking the service on
avia HTTP Get GET (browser) or PostPOST.
2. Create a new Firewall Policy with a Client to Server rule.
a. Create a match all (*) action.
b. Add a Transform action with Input: INPUT and Output: NULL, and select the
following stylesheet file

Table 1 This stylesheet sends a request to the XML Management Interface requesting for a backup
zip. The response will be in a format of SOAP with the payload will contain the backup content
encoded in base64. It will then decode the backup content and ftp FTP it off the device.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:dp="http://www.datapower.com/extensions"
xmlns:mgmt="http://www.datapower.com/schemas/management" extension-element-
prefixes="dp"
xmlns:date="http://exslt.org/dates-and-times">
<!-- Author Zachary Huynh -->
<!-- This transformation will extract and decode the backup xml or zip in the soap body
then ftp it to a server-->

<xsl:output method="xml"/>

<xsl:template match="/">
<xsl:call-template name="putFile">
<xsl:with-param name="BackUpFile">
 <!-- Perform a domain backup request call through XML Management Interface
-->
<dp:url-open target="https://127.0.0.1:999" response="responsecode">
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<dp:request domain="default"
xmlns:dp="http://www.datapower.com/schemas/management">
<dp:do-backup format="ZIP">
<dp:user-comment>Entire System Backup</dp:user-comment>
<!-- List of domains to backup -->
<dp:domain name="default"/>
<dp:domain name="a"/>
<!-- <><><><><><><><>><>< -->
</dp:do-backup>
</dp:request>
<!-- ************************************* -->
</env:Body>
</env:Envelope>
</dp:url-open>
</xsl:with-param>
</xsl:call-template>
</xsl:template>

<!-- function putFile will decode the encoded binary64 backup of domains response and
ftp it to a location -->
<xsl:template name="putFile">
<xsl:param name="BackUpFile"/>

<xsl:if test="$BackUpFile='' ">

<xsl:message dp:type="backup" dp:priority="alert">Backup request
fails</xsl:message>
<dp:reject/>
</xsl:if>

<!-- Extract the export content string -->

<xsl:variable name="encBackUpFile" select="string($BackUpFile//mgmt:file)"/>

<!-- Send it to an FTP Server -->

<xsl:variable name="date" select="substring-before(date:date-time(),':')"/>
<xsl:variable name="fileDate" select="concat('czaqdp1Backup', $date)"/>
<xsl:variable name="filename" select="concat($fileDate,'a.zip')"/>
<xsl:variable name="ftp-put-url"
select="concat('ftp://username:password@someftpserver/%2Flogs/dpbackup/',
$filename)"/>
<dp:url-open target="{$ftp-put-url}" response="responsecode" data-type="base64">
<xsl:value-of select="$encBackUpFile"/>
 </dp:url-open>
</xsl:template>
</xsl:stylesheet>
b. Add a Results action with Input set to NULL and Output is OUTPUT

Afterward, yYour XML Policy should look like this:

3. Create a client (forward) SSL Proxy Profile that will work with XML Management
Interface. Depending on your system setting of the XML Management Interface
configuration, you may need to obtain the certificate thats being used by the XML
Management Interface use. By default, this certificate is the same as the Web-GUI so y.
You can use a browser such as IE to download the certificate at the login page and it is a
one-way SSL configuration.

4. Create a new XML Manager

a. Leave everything as default, and create a new User Agent with client SSL
Proxy Profile created in the previous step and with basic authentication for XML
Management Interface using the username and password that have access right to
XML Management Interface.
The XSLT that makes the XML Management Interface call via a url-open
extension function call will require https HTTPS and basic auth. During
processing, the created XML Managers User Agent will automatically handle the
initiation of SSL and authenticate using basic auth. By doing this, you will avoid
having to put any of this information in the XSLT.

b. Click on the SSL Proxy Profile Policy tab and add the created client SSL Proxy
Profile that contains the Validation Credentials that has the XML Management
Interface certificates
c. Click on the Basic-Auth Policy and add the username/password that has access
right to the XML Management Interface

d. Select the configured User Agent for this XML Manager

e. Then select the Scheduled Processing Policy Rule tab.
f. Select the rule that do does the backup and set the time interval to execute this
rule. Hint: The name of the processing rule can be grabbed obtained from the
Firewall Policy editor.
 g. Click on the XML Parser tab and edit the Parser limit so it can allow for a large
XML response from XML Management Interface. Below is an example setting:

To test this, simply click Apply and a. A zip file containing the backup will be created on
the FTP server every interval you set on the XML Manager Scheduled Processing Policy
Rule. Or to test the on-demand backup (make sure you set the XML Firewall Local
Address as on of the device IP in order for this to work), simple use a browser and call
the listening address. The entire backup process usually may takes more than 2 minutes
so be patiencepatient.