IBM WebSphere DataPower prerequisite configuration

To enable Trust Protection Platform to provision certificates on supported DataPower devices over an HTTPS connection, you must complete the following high-level tasks:

  1. Enable the REST and XML Management interfaces on the DataPower Gateway (Network > Management).

  2. Ensure that network connectivity exists between Trust Protection Platform servers and the API interfaces of the DataPower Gateway (ports 5554 and 5550 by default). For example, you might need to open the firewall.

  3. Ensure that the user account used by the DataPower driver to interact with the device has the least privilege access required for the provisioning mode you intend to use:

    For Basic provisioning mode:

    */*/config/rmi-view-details?Access=r+x

    */*/config/save-config?Access=x

    */*/crypto/cert?Access=r+w+a+d

    */*/crypto/crypto-export?Access=x

    */*/crypto/key?Access=r+w+a+d

    */*/file/cert?Access=r+w+a+d

    */*/file/sharedcert?Access=r+w+a+d

    */*/file/temporary?Access=r+d

    For Advanced provisioning mode, which includes all of the Basic provisioning mode access, plus:

    */*/crypto/idcred?Access=r+w+a+d

    */*/crypto/profile?Access=r+w+a

    */*/crypto/ssl-client?Access=r+w+a

    */*/crypto/ssl-server?Access=r+w+a

    */*/crypto/sslproxy?Access=r+w+a

    */*/crypto/valcred?Access=r+w+a+d

    Additionally, when using HTTPS connection mode:

    */*/login/rest-mgmt?Access=x

    */*/login/xml-mgmt?Access=x

    Additionally, when using SSH connection mode:

    */*/login/ssh?Access=x

To enable Trust Protection Platform to provision certificates on supported DataPower devices using SSH, you must complete the following high-level tasks:

  1. Enable SSH access to the DataPower SSL module.

    To learn how to do this, visit:

    http://www-01.ibm.com/support/docview.wss?uid=swg21469023.

  2. Trust Protection Platform uses the Secure Shell (SSH) protocol to manage certificates on supported DataPower devices.
  3. Configure the SFTP staging server to receive connections from both Trust Protection Platform and the DataPower device.

The DataPower appliance does not allow files to be uploaded directly to it. Files have to be downloaded by the device so once the needed files are staged on the SFTP server, Trust Protection Platform logs in to the device and initiates the download. The SFTP server needs to always be on and available.

  1. If necessary, open the firewall to allow SSH connections from Trust Protection Platform to the DataPower device.

    The default SSH port is port 22.

  2. In the Trust Protection PlatformPolicy Tree, create a Device object for the DataPower device.

    For more information, see Managing device objects.

  3. In the Trust Protection PlatformPolicy Tree, create and configure an Application object for the DataPower device.

    For more information on creating application objects, see Managing application objects. For details on the object’s settings, see Creating an IBM WebSphere DataPower application object.

  4. In the Trust Protection PlatformPolicy Tree, associate the DataPower Application object with the certificates installed on the DataPower device.

    For more information, see Associating a certificate with an application from the certificate object.