Non-IBM Disclaimer

The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.

Friday, November 20, 2015

How to download certificates from DataPower to your desktop

Following a conversation on a DataPower developerworks forum, I have decided to write a dedicated post in my blog.

DataPower is a highly secured device. Until recently I was under the impression that once a digital certificate was uploaded to DataPower, it could not be downloaded. Boy, I was wrong. The following section is a step-by-step guide to downloading certificates from a DataPower appliance:


  1. Log into the WebGUI.
  2. Create a new Certificate object, name it "FOO_Cert" and point it to a certificate file located in the cert or sharedcert folder.
  3. Go to "Crypto Tools" and switch to the "Export Crypto Object" tab.
  4. In the "Object Type" combo make sure "Certificate" is selected.
  5. In "Object Name" type "FOO_Cert", the certificate object created in step 2.
  6. In "Output File Name" type FOO_Cert.xml
  7. Click the "Export Crypto Object" button.
  8. Go to File Management and download the FOO_Cert.xml file from the temporary folder.
  9. Remove all XML tags, leave only the base64 part, and save the file.
  10. The certificate is in the file!
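
The export file from step 8 still has to be stripped down to its base64 body (step 9). As an added example that is not part of the original post, the Python script below does that mechanically and, as a check, keeps only blobs that are a complete DER SEQUENCE, so a partially copied certificate is rejected instead of silently saved. The element names in the constructed sample XML are assumptions, since the real export layout is not shown in the post; the parser does not depend on them.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed stand-in for a DER certificate: SEQUENCE tag, long-form length
# 0x0080, then 128 filler bytes. It is NOT a real certificate.
FAKE_DER = b"\x30\x82\x00\x80" + bytes(range(128))

# Constructed export file. The element names are assumptions; the parser only
# depends on finding a base64 DER blob somewhere in the text nodes.
SAMPLE_EXPORT_XML = f"""<crypto-export>
  <certificate name="FOO_Cert">
    {base64.b64encode(FAKE_DER).decode("ascii")}
  </certificate>
</crypto-export>"""

def looks_like_der_sequence(der: bytes) -> bool:
    """SEQUENCE tag plus a length field that matches the body size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length
        hdr, length = 2, first
    elif first in (0x81, 0x82):       # long form; real certs fit in 2 bytes
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:
        return False
    return len(der) == hdr + length   # rejects truncated or over-long blobs

def extract_der_certs(xml_text: str) -> list:
    """Automates step 9: keep only text nodes that decode to a DER certificate."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        text = "".join((elem.text or "").split())   # drop wrapping/indent
        try:
            der = base64.b64decode(text, validate=True)
        except ValueError:                          # not base64 at all
            continue
        if looks_like_der_sequence(der):
            found.append(der)
    return found

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, handy for checking the round trip."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
```

On a real export, feed the downloaded FOO_Cert.xml to extract_der_certs and write der_to_pem of each result to a .pem file, which OpenSSL and Java keytool read directly.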

Tested on IDG Virtual Edition, XI52 physical appliance, and other appliances. Not tested on appliances with Common Criteria enabled.

It can also be achieved using the SOMA API, and in one of my projects we've created a GUI for downloading certificates from DataPower.

It is important to state that, since there is nothing wrong with having certificates and public keys freely accessible, this doesn't make DataPower vulnerable, especially since one still needs credentials to log into the appliance.


Feel free to reach out with any questions.

Gosha

2-minute latency on OCSP query responses

When working with digital certificates you should take into consideration that they might be revoked by the CA at any time. Therefore, PKIX path and date validation alone isn't enough.

DataPower can check certificate revocation using either CRL or OCSP. The OCSP method works fine on firmware v7.0.0.2. However, after upgrading to v7.1.0.4 the dp:ocsp-validate-certificate() query takes nearly 2 minutes to return a result. The problem was reproduced on an XI52 physical appliance and an IDG virtual appliance.

APAR IT12248 has been opened to track the resolution of this defect.

UPD: a fix was provided in 7.0.0.13, 7.1.0.10, 7.2.0.6 and 7.5.0.0.

Thursday, November 19, 2015

Link aggregation and sub VLANs!

Today I have installed two brand new IBM DataPower Gateways 8436 appliances. A few interesting points from that experience:
  1. There are a few changes that should be applied to the port configuration prior to connecting to the console for the first time. I had to make those changes both to the driver and to the PuTTY configuration.
  2. Both 10-gigabit interfaces were link-aggregated (the Link Aggregation feature is available on DataPower appliances as of firmware v7) in transmit mode, and two sub VLAN interfaces were configured on top of it. This enabled an active-active high-availability mode across network interfaces within the same appliance. Guess what - it worked!

PS. My first physical IDG appliances! My first link aggregation! My first sub VLANs!

Bibliography:

  1. DataPower firmware v7 announcement letter
  2. Firmware v7 - Link aggregation and networking enhancements (PDF)
  3. Connecting to the serial console of a DataPower Gateway Appliance
  4. How to connect Datapower serial console using PC in windows platform?