
    Solved IBM Datapower on Linux

    • DustinB3403

      Does anyone have any experience with Datapower on Linux?

      Simply put, it should be an installation through RPM, and I have all of the RPMs. What I'm getting hung up on is the LUKS partitions, which are apparently required, but it is not specified what needs to be done to configure them.

      From IBM:

      Resource requirements on Linux hosts
      To install the DataPower Gateway, the host must meet the following requirements.
      To install the RPM packages, the host must be running a supported 64-bit version of Linux.
      2 GiB of free storage must be available on /opt.
      5 GiB of free storage must be available on /var.
      At least two free loop devices are needed, with another loop device when RAID storage is used.
      RAID storage, if used, must be configured in the datapower.conf file.

      I'm not using RAID; here I'm showing the disk layout and the loop devices.

      [Image: disk layout and loop devices]

      The installation is simply: yum install xxx.image.x86_64.rpm xxx.common.x86_64.rpm

      After that I should have a stopped "datapower.service", but the service keeps crashing because it's looking for these LUKS partitions.

      Nov 07 15:17:52 appconnect.localdomain systemd[1]: datapower.service: Scheduled restart job, restart counter is at 183.
      -- Subject: Automatic restarting of a unit has been scheduled
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Automatic restarting of the unit datapower.service has been scheduled, as the result for
      -- the configured Restart= setting for the unit.
      Nov 07 15:17:52 appconnect.localdomain systemd[1]: Stopped DataPower Service.
      -- Subject: Unit datapower.service has finished shutting down
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Unit datapower.service has finished shutting down.
      Nov 07 15:17:52 appconnect.localdomain systemd[1]: Starting DataPower Service...
      -- Subject: Unit datapower.service has begun start-up
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Unit datapower.service has begun starting up.
      Nov 07 15:17:53 appconnect.localdomain kernel: loop0: detected capacity change from 0 to 3774873600
      Nov 07 15:17:55 appconnect.localdomain bash[105464]: Thu Nov 07 2024 15:17:55 ERR dpControl [pre-start][105464] Cannot unlock LUKS partition 'var_opt_ibm_datapower_datapower_img': Function not implemented (error 38)
      Nov 07 15:17:57 appconnect.localdomain systemd[1]: datapower.service: Control process exited, code=exited status=38
      Nov 07 15:17:57 appconnect.localdomain datapower-control[105506]: Thu Nov 07 2024 15:17:57 ERR dpControl [post-stop][105506] Cannot open lockfile '/var/opt/ibm/datapower/datapower.img.lck': No such file or directory
      Nov 07 15:17:57 appconnect.localdomain datapower-control[105506]: Thu Nov 07 2024 15:17:57 ERR dpControl [post-stop][105506] Cannot close LUKS partition 'var_opt_ibm_datapower_datapower_img': No such device (error 19)
      Nov 07 15:17:58 appconnect.localdomain datapower-control[105506]: Thu Nov 07 2024 15:17:58 ERR dpControl [post-stop][105506] No Datapower loop mounts were found. Please reboot the system and verify tha the Datapower service starts up co>
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: datapower.service: Control process exited, code=exited status=3
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: datapower.service: Failed with result 'exit-code'.
      -- Subject: Unit failed
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- The unit datapower.service has entered the 'failed' state with result 'exit-code'.
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: Failed to start DataPower Service.
      -- Subject: Unit datapower.service has failed
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Unit datapower.service has failed.
      --
      -- The result is failed.
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: datapower.service: Service RestartSec=100ms expired, scheduling restart.
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: datapower.service: Scheduled restart job, restart counter is at 184.
      -- Subject: Automatic restarting of a unit has been scheduled
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Automatic restarting of the unit datapower.service has been scheduled, as the result for
      -- the configured Restart= setting for the unit.
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: Stopped DataPower Service.
      -- Subject: Unit datapower.service has finished shutting down
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Unit datapower.service has finished shutting down.
      Nov 07 15:17:58 appconnect.localdomain systemd[1]: Starting DataPower Service...
      -- Subject: Unit datapower.service has begun start-up
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      --
      -- Unit datapower.service has begun starting up.
      Nov 07 15:17:59 appconnect.localdomain kernel: loop0: detected capacity change from 0 to 3774873600
      Nov 07 15:18:01 appconnect.localdomain bash[105509]: Thu Nov 07 2024 15:18:01 ERR dpControl [pre-start][105509] Cannot unlock LUKS partition 'var_opt_ibm_datapower_datapower_img': Function not implemented (error 38)
      
      • DustinB3403

        Okay, for anyone still around, I was able to get this sorted. It appears that the initial file I was using was either corrupted or maybe a patch for an existing installation.

        I've documented the process, copied below for reference. I won't be sharing IBM's RPMs in this post. You should be able to get these directly from IBM's website free of charge, but your mileage may vary.

        Installing IBM Datapower on CentOS 8/9 or Rocky Linux 8/9 to your Hypervisor/Cloud Provider

        Minimum System Requirements
        • 4 vCPU
        • 16 GiB RAM
        • 80 GiB Disk Space
        • 4 Network Interfaces – with DHCP or Statically Assigned IPs
        • 2 Available Loop devices – Documented Below
        • Default Partitioning will work, can be configured to meet any security requirements (separate LV for VAR for example)
        • Installation without a GUI recommended, with the features below
          ◦ “Server Installation” Option
            ▪ Guest Agents (Drivers for Hypervisor/Cloud recommended)
            ▪ Remote Management for Linux recommended – SSH and/or Cockpit
        • Root only account – User accounts are unnecessary
        • Security Policy to adhere to any State/Fed requirements (may affect Installation Destination configuration – not documented here).

        Configure Timezone and any other settings as required – no specific documentation needed

        Sample User: root
        Password: your-password

        Upon installation check for updates and install a few required repositories.

        sudo dnf update -y
        sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
        sudo dnf update -y
        sudo dnf search schroot
        sudo dnf install schroot ipvsadm kmod telnet -y
        

        Post installation of dependencies we need to confirm our loop devices are configured.

        Confirm what loop devices exist (likely there is only one); we’ll need to create some with the below.

        List your loop devices:

        ls -l /dev/loop*
        brw-r-----  1 rootls  disk 7,  0 Jul 24 17:49 /dev/loop-control
        

        We only have the loop-control device, so create two more loop devices with the below.

        mknod -m660 /dev/loop1 b 7 8
        mknod -m660 /dev/loop2 b 7 8
        

        Confirm the devices are listed.

        ls -l /dev/loop*
        brw-rw----. 1 root root  7,   8 Nov 27 08:10 /dev/loop1
        brw-rw----. 1 root root  7,   8 Nov 27 08:10 /dev/loop2
        crw-rw----. 1 root disk 10, 237 Nov 27 07:51 /dev/loop-control
        

        Now transfer or download the Datapower and libgcrypt RPMs to this system using something like wget or WinSCP, depending on access. You can find libgcrypt here (https://rpmfind.net).

        Once transferred, you may have to decompress the installation files.

        tar -xf idg_lx10540.cd.ASL.prod.tar
        

        Now we can install the program

        sudo yum install idg_lx.10540.image.x86_64.rpm idg_lx10540.common.x86_64.rpm
        

        Once installed, you’ll connect to the system via telnet on the system’s loopback address

        telnet 127.0.0.1 2200
        Initial login is: admin
        Initial Password is: admin
        

        Confirm to all prompts with Y and then run/create and confirm a new password

        You must restart the DataPower Gateway to make the Common Criteria policies effective.

        idg# configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit
        Global mode
        Modify Web management service configuration
        

        Now you can go to the web console from your computer using the primary IP address. In our example:
        https://ip-address:9090

        You’ll use the login password you created while connected via SSH. You’ll have to create yet another new password.

        Once the password is updated, you’ll be able to log in and complete the setup by accepting the license agreement.

        After accepting the licensing agreement the system will need to reboot. After logging in via SSH you’ll need to restart the web interface.

        telnet 127.0.0.1 2200
        admin
        <password>
        idg<config> 
        idg <config> configure terminal;web-mgmt;admin-state enabled;local-address 0 9090;exit
        

        That's the complete installation process from start to finish. The last step would be to set up initialization of the datapower service upon restart. I'll be working on this sometime this week, probably, so that the environment is fault tolerant.

        1 Reply Last reply Reply Quote 2
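
A preflight for the host requirements IBM lists and the loop-device step in the post above, as an added example that is not part of the post or of IBM's tooling. It assumes GNU stat and the loop driver's default numbering (block major 7, minor N for /dev/loopN); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post or from IBM: preflight for the host
# requirements quoted in the thread (loop devices, free space on /opt and /var).
# Assumption: default loop module settings (max_part=0), so /dev/loopN = block 7:N.

# Print "path type major minor" (decimal) for each /dev/loop<N> node on this host.
collect_loop_nodes() (
  for p in /dev/loop[0-9]*; do
    [ -e "$p" ] || continue
    t=other; [ -b "$p" ] && t=block
    # GNU stat reports device numbers in hex (%t major, %T minor).
    maj=$(printf '%d' "0x$(stat -c %t "$p")")
    min=$(printf '%d' "0x$(stat -c %T "$p")")
    echo "$p $t $maj $min"
  done
)

# Read such lines on stdin, print a verdict per node, and succeed only when at
# least $1 nodes are block devices whose numbers match their name.
check_loop_nodes() (
  need=$1 good=0
  while read -r path type major minor; do
    n=${path#/dev/loop}
    case $n in ''|*[!0-9]*) echo "SKIP $path: not a whole loop device"; continue ;; esac
    if [ "$type" != block ] || [ "$major" -ne 7 ]; then
      echo "BAD  $path: not a block device with major 7"
    elif [ "$minor" -ne "$n" ]; then
      echo "BAD  $path: minor $minor belongs to /dev/loop$minor, expected $n"
    else
      echo "OK   $path (7:$minor)"; good=$((good + 1))
    fi
  done
  [ "$good" -ge "$need" ]
)

# Succeed when the filesystem holding $1 has at least $2 GiB available.
has_free_gib() (
  avail_kib=$(df -Pk "$1" | awk 'NR==2 {print $4}')
  [ "${avail_kib:-0}" -ge $(( $2 * 1024 * 1024 )) ]
)

# Run every check against the real host; print FAIL lines, non-zero on any miss.
preflight() (
  rc=0
  collect_loop_nodes | check_loop_nodes 2 || { echo "FAIL fewer than 2 usable loop nodes"; rc=1; }
  has_free_gib /opt 2 || { echo "FAIL /opt has less than 2 GiB free"; rc=1; }
  has_free_gib /var 5 || { echo "FAIL /var has less than 5 GiB free"; rc=1; }
  [ "$rc" -eq 0 ]
)

# Constructed sample mirroring the thread's listing, where loop1 and loop2 both show "7, 8".
SAMPLE='/dev/loop1 block 7 8
/dev/loop2 block 7 8'
printf '%s\n' "$SAMPLE" | check_loop_nodes 2 || echo "sample listing: fewer than 2 usable loop nodes"
```

Call `preflight` on the target host before installing the RPMs; nodes created by hand with mknod sit in devtmpfs and do not survive a reboot, so rerun it after one.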
          • EddieJennings

          I've never dealt with Datapower, but I suspect there's a configuration file related to datapower-control that may need some editing.

            • DustinB3403

            @EddieJennings said in IBM Datapower on Linux:

            I've never dealt with Datapower, but I suspect there's a configuration file related to datapower-control that may need some editing.

            So there is a configuration file, but there is no reference at all within the conf file (/var/ibm/datapower/datapower.conf) regarding the LUKS partition.

              • IThomeboy80

              Never had the privilege to deal with Datapower on Linux. Though it looks very interesting.
