WebSphere DataPower appliance manager overview
WebSphere DataPower appliance manager provides a set of capabilities for managing sets of appliances. DataPower appliance manager can be used to manage appliances with a 3.6.0.4 or higher level of firmware.
IBM WebSphere DataPower SOA Appliances are purpose-built, easy-to-deploy network devices that simplify, help secure, and accelerate XML and Web services deployments.
The first time we use DataPower appliance manager, we must add...
- Appliances
- Managed sets
- Firmware versions
Verify that each appliance to add has a 3.6.0.4 or higher level of firmware. Also verify that the Appliance Management Protocol (AMP) endpoint is enabled for each appliance. If the XML Management interface AMP endpoint was disabled during installation, use the DataPower WebGUI to enable the AMP endpoint.
For security reasons, the DataPower appliance manager does not include Crypto material, such as keys and certificates, in the shareable settings and domain versions that it creates. Therefore, after we add or replace an appliance, we must manually add any Crypto material to apply for that appliance.
The DataPower WebGUI is different from the WAS administrative console used to administer the DataPower appliance manager. The DataPower WebGUI is a separate user interface on the DataPower appliance used to configure the appliance.
Managed sets
A managed set is a collection of appliances that share the same hardware type, model type, and feature license set. A managed set synchronizes sharable appliance settings, managed domains, and firmware across multiple appliances.
A managed set can contain one or more appliances. An appliance is not actively managed unless it is a member of a managed set. We must first add an appliance to the DataPower appliance manager, and then add the appliance to a managed set.
Sharable appliance settings
Sharable appliance settings are the global attributes for an appliance that can be shared with other appliances. For example, NTP configuration and SNMP configuration are sharable appliance settings, but appliance-specific settings, such as IP address and role-based management attributes are not sharable appliance settings,
Sharable appliance settings are not managed until an appliance is added to a managed set. After adding an appliance to a managed set, any changes that we make to the sharable appliance settings, using the DataPower WebGUI or command line interface, are synchronized from the master appliance to all of the subordinate appliances in the managed set.
Master appliances
The master appliance is the appliance in the managed set used to synchronize sharable appliance settings and managed domains for all appliances within the managed set. Each managed set must have at least one master appliance. Each managed set might also have subordinate appliances.
All subordinate appliances are synchronized with the master appliance, and have the same sharable appliance settings and managed domains as the master appliance. We use the DataPower WebGUI or command line interface to change the sharable appliance settings, or a managed domain on a master appliance. The DataPower command line interface is a command line user interface on the DataPower appliance used to configure the appliance.
Sharable appliance settings and managed domains on subordinate appliances are automatically overwritten whenever a change is made to the master appliance. If we use the DataPower WebGUI or the DataPower command line interface to change the sharable appliance settings, or a managed domain on a master appliance, the appliance manager detects the change, and propagates the changes to the remaining appliances in the managed set. Therefore, if the sharable appliance settings or a managed domain is changed on a subordinate appliance, making the sharable appliance settings or a managed domain different from what is on the master appliance, the appliance manager automatically overwrites the changes on the subordinate appliance with the sharable appliance settings, or managed domain values that are on the master appliance.
Ensure any changes that we make to the shareable appliance settings or a managed domain on a master appliance can be used for all of the appliances in the managed set.
Managed domains
DataPower supports the use of application domains to partition configuration information into self contained units that are easier to manage. Because an application domain consists of resources configured to provide and support one or more services, we can use domains to group configuration information on a appliance. For example, we might set up a domain for a set of business applications because we want to keep their DataPower appliance configuration separate from the DataPower appliance configuration for the other applications on that appliance.
A managed domain is a domain on the master appliance that has been added to a managed set in the DataPower appliance manager. The DataPower appliance manager uses the managed domain to synchronize configuration changes to the subordinate appliances that are part of the managed set.
Both master appliances and subordinate appliances can also have unmanaged domains. The DataPower appliance manager does not make configuration changes to unmanaged domains.
The DataPower appliance manager synchronizes managed domains from the master appliance to the subordinate appliances in the managed set. However, it is possible that the managed domain might not be completely functional on all of the subordinate appliances. For example, the managed domain might not be completely functional on a subordinate appliance if a service object, such as an XML firewall, in the managed domain has a listening port conflict on that subordinate appliance.
Versions of sharable appliance settings
Whenever the appliance manager detects that we have used the DataPower WebGUI or DataPower command line interface to change the sharable appliance settings for a master appliance, the appliance manager automatically creates a new version of the sharable appliance settings. This new version of the sharable appliance settings is called a settings version. The newest settings version is, by default, the active version for the managed set. This new settings version is automatically copied to all of the appliances in the managed set.
We can deploy any version of the sharable appliance settings to a managed set. Whenever we deploy a settings version, the deployed version becomes the active version until the sharable appliance settings are changed, or we deploy a different settings version. If we have more than one version of sharable appliance settings for a managed set, we can complete these tasks.
Changes to sharable appliance settings only apply for appliances that are members of the same managed set. Changes are not propagated to appliances that are members of a different managed set.
- Copy a version of sharable appliance settings to another managed set. The sharable appliance settings are applied to all appliances in this other managed set.
After the initial copy of the sharable appliance settings, the two managed sets are managed independently. Therefore, future changes to the sharable appliance settings in one managed set are not reflected in the other managed set.
- Delete an inactive version of sharable appliance settings. We cannot delete an active version. We can also specify the maximum number of versions to keep.
- Deploy a version of the sharable appliance settings. We deploy a version of the sharable appliance settings to make a different version active. When the different version becomes the active version, that version is deployed to all of the members of the managed set.
Versions of managed domains
When we change a managed domain on a master appliance, the appliance manager automatically detects the change and creates a new version of the managed domain. The newest version of the managed domain is, by default, the active version for the managed set. This new version of the domain is automatically copied to all appliances in the managed set. We can deploy any version of a managed domain to a managed set, and that deployed version automatically becomes the active managed domain for that managed set.
When a managed domain is deleted from a master appliance, the domain is automatically recreated on the master appliance. To delete a managed domain, we must convert the managed domain to an unmanaged domain.
When we have multiple versions of a managed domain, we can perform the following tasks:
- Copy a version of the managed domain to another managed set. The domain is applied to all of the appliances in the managed set.
After the initial copy of the managed domain, the two managed sets are managed independently. Therefore, future changes to the sharable appliance settings in one managed set are not reflected in the other managed set.
- Delete an inactive version of the managed domain.
We cannot delete an active version. We can also specify the maximum number of versions to keep.
- Deploy a version of the managed domain.
We deploy a version of a managed domain to make that version the active version. The active version is then deployed to all members of the managed set.
Firmware
Firmware version files must be obtained from the IBM support website and are specific to appliance types, model types, and licensed features. When a firmware version is loaded to an appliance, it must be compatible with the appliance type, model type, and licensed features. DataPower appliance manager manages appliances with a 3.6.0.4 or higher level of firmware. A firmware file is typically in a scrypt2 format.
Versions of firmware
The appliance manager automatically determines the firmware version, intended model type, appliance type, and licensed features provided by libraries in the firmware. The appliance manager allows the firmware types to be deployed only to matching appliances.
A firmware version must exist in the DataPower appliance manager before that version can be deployed to appliances. If the firmware version running on an appliance is not in this file, a managed set that includes that appliance can only contain that single appliance, because the appliance manager cannot deploy that firmware version to any other appliance.
When we deploy a particular version of firmware, that version becomes the active version. When we have more than one version of firmware, we can perform the following tasks:
- Deploy a version firmware to the managed set.
We deploy a version of firmware to roll back, or upgrade the firmware on the appliances to a specific version. Whenever a new version is deployed, that version becomes the active version for the managed set, and is deployed to all of the appliances in that managed set.
The firmware versions, in the DataPower appliance manager, can be used with multiple managed sets if the appliance type and model type are the same and the licensed features are compatible.
- Delete a version of firmware.
We cannot delete an active version of firmware. As an alternative to deleting firmware versions, we can configure the maximum number of versions of any one object to keep.
Do not use the DataPower 3.6.0.28, 3.6.0.29, or 3.6.0.30 level of firmware for a managed set. These firmware levels might cause the DataPower appliance manager to unnecessarily create new shareable appliance settings versions, or domain versions, and then synchronize these new versions across the managed set.
Set up and administer a managed set
To create at least one managed set, complete the following tasks. These tasks make it possible for the DataPower appliance manager to manage the appliances in a managed set:
- Add one or more DataPower appliances to the appliance manager.
- Create the firmware version in the appliance manager that we want used on all of the appliances in the managed set. We can have different firmware versions for different managed sets, or we can share the firmware versions between managed sets.
- Create a managed set for all of the appliances intended to share the same firmware version, shared appliance settings and managed domains.
After at least one managed set is created, we can complete the following tasks in any order:
- Add appliances to a managed set.
Do not add the same DataPower appliance to a managed set in two different DataPower appliance managers. If a DataPower appliance manager discovers another DataPower appliance manager is managing an appliance, the discovering DataPower appliance manager removes that appliance from its managed set. If this appliance is the only appliance in that managed set, the discovering DataPower appliance manager also removes all of the shareable settings and domain versions associated with that managed set. When this situation occurs, we cannot recover any historical versions of the shareable appliance settings and domains that do not exist on the other DataPower appliance manager.
For example, if we create the following managed sets:
- Managed set MS1 on DataPower appliance manager A containing DataPower appliance X.
- Managed set MS2 on DataPower appliance manager B that also contains DataPower appliance X.
When DataPower appliance manager A discovers that DataPower appliance manager B is also managing DataPower appliance called X, DataPower appliance manager A issues an error message to the deployment manager log file, that indicates that the appliance is being managed by DataPower appliance manager B, and removes appliance X from the managed set MS1. Because appliance X was the only managed appliance in MS1, DataPower appliance manager A removes all of the shareable appliance settings and domain versions associated with MS1. You will not be able to recover any historical versions that existed on DataPower appliance manager A, but do not exist on DataPower appliance manager B.
- Manage versions of the firmware, sharable appliance settings, and managed domains with roll back capability.
- Monitor appliance synchronization and operation status.
We can also use the administrative console to manage long running tasks for the DataPower appliance manager, view the status of these tasks, or delete one or more of these task. However, we cannot delete a task to stop the task from being completed. The only way to interrupt a running task, or prevent the appliance manager from running a task, is to shutdown the appliance manager. Shutting down the appliance manager terminates all running and queued tasks.
Propagating sharable appliance settings and managed domains from master to non-master appliances
If there are multiple appliances in the managed set, then the changes made to the active version of the sharable appliance settings are propagated to the subordinate appliances in the managed set. Likewise, changes made to the managed domains of master appliances are propagated to the subordinate appliances in the managed set.
The appliance manager also detects when subordinate appliances are available. For example, if sharable appliance settings are changed for the master appliance, but the subordinate appliances are not available, then the master appliance and the subordinate appliances cannot be synchronized. When the subordinate appliances are available, the appliance manager detects the change in status and initiates synchronization from the master appliance to the subordinate appliances in the managed set.
Related:
Secure Socket Layer communication with DataPower Add DataPower appliances to the DataPower appliance manager Add new firmware versions to the DataPower appliance manager Add a new managed set Modifying DataPower appliance manager settings Monitor tasks that DataPower appliance manager is handling Administer managed domain versions Manage versions of sharable appliance settings Administer DataPower appliance domains