Configure the appliance

  1. Overview
  2. Security
  3. Users and groups
  4. Ethernet interfaces
  5. DNS Server
  6. Map IP addresses to host names
  7. Date and time settings
  8. Email delivery
  9. Restart the appliance


Overview

After you have initialized the appliance using the serial console, configure the appliance using the user interface to enable the appliance functions.

The initialization process using the serial console prepares the appliance to be administered using the user interface.


Security Overview

Appliance security

Some of the key features that make the appliance a secure foundation are:

The appliance is contained in a tamper resistant case

There is an intrusion detection switch in the chassis that is continuously monitored. If the switch is triggered, the appliance does not start. The appliance must be returned to IBM before the appliance can be started again. Additional elements, such as the tamper-resistant screws on the case are also included to discourage opening the case. The design of the appliance ensures that we can access the customer replaceable items from the rear of the appliance without opening the case.

There is no access to the operating system through a shell

There is no command shell in the operating system of the appliance. By design, no command interpreters are included on the appliance to reduce security vulnerabilities. There is only one operating system user ID on the appliance. We cannot externally log on to the appliance with a user ID, because there is no shell available.

No user provided logic can be run on the appliance

The appliance does not provide any ability for a user to upload an executable script or code. The only exception to this statement is a system firmware update, in which we can run a script to install updated firmware on the appliance. These system updates are signed by the firmware manufacturer as a precaution. No user provided untrusted software can be run on the appliance.


Data grid security

We can control access to the information that is contained in the data grids. If you do not enable security on the data grid, any application can access the information in the data grid. We can enable security in general on a data grid, to allow anyone that has a user account and password on the appliance to access the data grid. We can also restrict access to a set of users or user groups by enabling authorization on the data grid.


Transport Layer Security (TLS)

You can use TLS to secure the data grids and user interface by configuring a keystore, truststore, and certificate alias. TLS settings apply to all appliances in the collective.


Users and user groups

We can define permissions for users and user groups both for the appliance administration and the data grid security.


Configure Transport Layer Security (TLS)

We can configure Transport Layer Security (TLS) by modifying or replacing the keystore and truststore, and choosing the certificate alias for the configuration.

The TLS settings apply to the user interface and data grids. The settings are applied to all of the appliances in the collective.

  1. Required for WebSphere Application Server:

    Add the appliance public certificate to the WebSphere Application Server default truststores.

    • If we are using the default appliance truststore:

      Run the addXC10PublicCert.py script from the was_root/bin directory on the dmgr. Use the following command:

        wsadmin -lang jython -f addXC10PublicCert.py

    • If we are using custom keys for the appliance:

      Run the addXC10PublicCert.py script from the was_root/bin directory on the dmgr with the -certPath command line option. The value of the -certPath command line option is the disk location of the public certificate that corresponds to the alias configured for the keystore on the appliance.

        wsadmin -lang jython -f addXC10PublicCert.py -certPath ./trustStore.jks

  2. Required for WebSphere Application Server:

    Download the appliance truststore and WebSphere Application Server public certificates and run the keytool utility to add the certificate to the truststore. This tool updates the appliance truststore to include the certificates from WebSphere Application Server.

    1. If we are using the default appliance truststore, download the active truststore. Click...

      Note the location of where you saved the file on disk. For example: /downloads/trustStore.jks

    2. Extract the WebSphere Application Server public certificate.

      1. In the WebSphere Application Server administrative console, click...

          Security | SSL certificate and key management | Keystores and certificates | Keystore usages | Root certificates keystore | DmgrDefaultRootStore | Personal certificates

      2. Click the checkbox next to a certificate in the root keystore. Specify a fully-qualified file name of the certificate to extract, such as:

          /certificates/public.cer

      3. Run the following command. The -noprompt option suppresses the keytool confirmation that would otherwise display the certificate before it is trusted, so verify that /certificates/public.cer is the certificate you intended to extract (for example, by checking its fingerprint) before you run it:

          cd /java_home/bin
          keytool -import \
                  -noprompt \
                  -alias "example alias" \
                  -keystore /downloads/trustStore.jks \
                  -file /certificates/public.cer \
                  -storepass xc10pass \
                  -storetype jks

      4. If you have additional certificates to import, repeat the steps to extract the certificates and run the keytool utility again.

  3. Upload keystore and truststore information to the appliance.

    In the appliance user interface, click Appliance > Settings > Transport Layer Security (TLS). If you completed the steps for WebSphere Application Server, upload the updated /downloads/trustStore.jks file. After you upload a keystore or truststore, update the associated password. If we are using the default truststore, the password is xc10pass. Because that default password is published, it protects nothing; use a password of your own for any keystore or truststore that you upload.

  4. Select the certificate alias for the collective.

  5. Specify the transport type. Choose one of the following transport type settings:

    • TLS supported: Data grids accept TCP/IP, SSL, or TLS connections, so a client can still connect without encryption. The user interface is accessible with HTTP and HTTPS.

    • TLS required: Data grids accept SSL or TLS connections only. The user interface is accessible with HTTPS only. Choose this setting when unencrypted access to the data grids or the user interface must not be possible.

    • Data grid TLS disabled: Data grids communicate over non-secure connections only. The user interface is accessible with HTTP and HTTPS.

  6. To require the client to send a trusted certificate to enable communication, select Enable client certificate authentication.

  7. Click Submit TLS settings to save the changes to the configuration.

The collective must restart to complete the TLS configuration changes.

Limited portions of the user interface are accessible when the collective is restarting. If we cannot access portions of the user interface, wait for an appropriate time and submit the request again. The Tasks panel shows completion for some TLS changes automatically by displaying a success status.

If you changed the certificate alias used by the appliance, you might need to restart the browser, log out and log back in to the user interface, or trust new certificates from a browser prompt.

If the user interface seems to be unavailable when client authentication is enabled, verify that you have a trusted client certificate imported into the browser. If a trusted client certificate is not imported into the browser, we cannot access the user interface. After you successfully log on to the user interface, the task indicates the success of the TLS configuration.


Configure user interface security

  1. Navigate to the Settings panel using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to...

        Appliance | Settings

    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Security.

  3. Set your security permissions.

    1. Set the Allow new users to create their own accounts field. The default value for this field is Disabled. This field specifies if a user is able to create their own account. When this field is Enabled, a Register button appears on the login screen.

    2. Set the Allow password reset from the serial console field. The default value for this field is Disabled.

      • Disabled: Configure an SMTP server and an email address for the xcadmin user. These configurations ensure that if the xcadmin password is lost, there is a way to reset the password. If this field is disabled and these configurations are not made, it is impossible to reset a lost xcadmin password and the appliance must be returned to IBM for remanufacturing.

      • Enabled: We can reset the password for the xcadmin user using a serial connection, without any other credentials and without an SMTP message. If this option is selected, physical access to your appliance is even more important than usual: anyone with physical access to the machine can gain administrator access to the appliance.

    3. Configure the appliance to authenticate users with an LDAP directory.

After successfully completing these steps, you have specified how the appliance handles certain security-related scenarios and whether external authentication is used for access to the user interface.

Configure users and groups to provide access to the user interface. You also use users and groups to provide access to data grids.


Configure the appliance to authenticate users with an LDAP directory

We can optionally use an LDAP directory to authenticate users with your appliance.

Using an LDAP server to authenticate users is optional. If you choose to use an external LDAP server, then match all of your appliance users with the users in the specified LDAP directory. The user name attribute is used to authenticate the appliance users with the LDAP directory. Users that are not in the LDAP directory cannot be authenticated.

We can set up your LDAP connection to use the secure port (ldaps). The secure sockets layer (SSL) certificate of the LDAP server must be issued by a publicly trusted certificate authority (CA) that is already in the <JAVA_HOME>/jre/lib/security/cacerts file. WebSphere DataPower XC10 appliance does not support self-signed certificates.

  1. Navigate to the Settings panel. Use one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.

    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Security.

  3. Configure the appliance to authenticate users with an LDAP directory.

    1. To enable LDAP authentication, select the check box next to Enable LDAP authentication. The Enable LDAP authentication check box is not selected by default. Selecting this check box enables the appliance to use the specified LDAP server to authenticate users at login.

    2. Enter the JNDI provider URL. If a port is not explicitly specified, the default is 389 for ldap:// and 636 for ldaps://. Examples for non-SSL LDAP:

      ldap://mycompany.com:389/
      ldap://mycompany.com/

      Examples for SSL LDAP:

      ldaps://mycompany.com:636/
      ldaps://mycompany.com/

      With a non-SSL URL, the bind credentials from steps 6 and 7 and the passwords of users logging in are sent to the LDAP server in clear text; use ldaps:// wherever the LDAP server supports it.

    3. Enter the JNDI base DN (users). Example:

      CN=users,DC=mycompany,DC=com

    4. Enter the JNDI base DN (groups). Example:

      DC=mycompany,DC=com

    5. Enter the Search filter (users). Examples:

      (&(sAMAccountName={0})(objectcategory=user))
      uid={0}

      The place holder "{0}" is replaced by the login user ID that you entered in the login screen.

    6. Enter the JNDI security authentication. This field is optional unless your LDAP server does not permit anonymous LDAP queries. Example:

      CN=Administrator,CN=users,DC=mycompany,DC=com

    7. Enter the password. This field is the JNDI security credentials, and is optional unless your LDAP server does not permit anonymous LDAP queries.

  4. Test the LDAP authentication settings that you configured. We can test the settings you used to configure authentication with an LDAP server. This section allows us to perform LDAP queries to look for specified users and groups.

    1. Click Test LDAP authentication settings to expand this section.

    2. To test a user name, enter a user name in the LDAP user name field, and click the associated Test LDAP query button. Example:

      test_user@us.ibm.com

      If the query is successful, then a message is displayed as follows: Found LDAP User DN: <user information>. If the query is not successful, then an error message is displayed.

    3. To test a group name, enter a group name in the LDAP group name field, and click the associated Test LDAP query button. Example:

      Test Group

      If the query is successful, then a message is displayed as follows: Found LDAP Group DN: <user information>. If the query is not successful, then an error message is displayed.

You have specified an LDAP directory for external authentication when accessing the user interface. Understanding how to control user access to different areas of your environment is an important part of your security solution.
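The search filter in step 3.5 substitutes the ID typed on the login screen for "{0}", and the Test LDAP query button in step 4 runs the resulting filter against the directory. The following is an added example, not the appliance's own code (the page does not show how the appliance performs the substitution): it fills such a template, escapes the login ID as RFC 4515 requires, and runs both the escaped and the raw variant against a small constructed in-memory directory with a minimal filter evaluator. The directory entries, the names, and the evaluator are assumptions made for illustration.

```python
"""Added example, not the appliance's own code: filling an XC10-style LDAP
search filter template safely.

The appliance replaces the "{0}" placeholder in the configured search filter
with the ID typed on the login screen. This script builds such a filter,
escapes the login ID per RFC 4515, and runs escaped and raw variants against
a constructed in-memory directory using a minimal filter evaluator that
supports (attr=value), '*' wildcards and '&'. Entries below are made up.
"""
import re

TEMPLATE = "(&(sAMAccountName={0})(objectcategory=user))"  # from the settings example above

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (hypothetical entries, not real data).
DIRECTORY = [
    {"dn": "CN=alice,CN=users,DC=mycompany,DC=com", "sAMAccountName": "alice", "objectcategory": "user"},
    {"dn": "CN=bob,CN=users,DC=mycompany,DC=com", "sAMAccountName": "bob", "objectcategory": "user"},
    {"dn": "CN=svc-backup,CN=users,DC=mycompany,DC=com", "sAMAccountName": "svc-backup", "objectcategory": "user"},
]


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login_id: str, escape: bool = True) -> str:
    """Substitute the login ID for {0}; escape=False shows the unsafe variant."""
    value = escape_filter_value(login_id) if escape else login_id
    return template.replace("{0}", value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter item starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] == "&":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '&' list")
        return ("and", children), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # an escaped value never contains a raw ')'
    return ("eq", s[i:eq], s[eq + 1:close]), close + 1


def _value_regex(value: str) -> re.Pattern:
    """Turn an assertion value into a regex: '*' is a wildcard, \\XX escapes are literal."""
    def literal(piece: str) -> str:
        decoded = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        return re.escape(decoded)
    return re.compile("^" + ".*".join(literal(p) for p in value.split("*")) + "$", re.IGNORECASE)


def _match(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_match(child, entry) for child in node[1])
    _, attr, value = node
    actual = entry.get(attr)
    return actual is not None and _value_regex(value).match(actual) is not None


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the DNs matching filter_str, as the Test LDAP query button would report them."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [entry["dn"] for entry in directory if _match(node, entry)]


if __name__ == "__main__":
    for login in ("alice", "*"):
        print(f"login {login!r:12} escaped -> {search(build_user_filter(TEMPLATE, login))}")
        print(f"login {login!r:12} raw     -> {search(build_user_filter(TEMPLATE, login, escape=False))}")
```

Run as a script, the raw substitution of a login ID of "*" matches every user in the constructed directory, whereas the escaped variant matches none; a login ID of "alice" behaves the same either way. When you test your own filter in step 4, try an ID containing "*" or ")" as well as a real user name.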


Users and groups

Users and user groups are provided so that we can manage the level of access for each individual to your appliance. Use user groups to apply permissions to groups of users.

We can manage your users and user groups using the appliance user interface.


Create a user

You need a user name and password to log in to the user interface. Use these steps to create new accounts to allow users to access and administer your appliance.

If we are using LDAP to authenticate users, the user that is being registered must first exist in the LDAP repository.

To create a user using the appliance user interface:

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.

    • From the Home panel, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the add icon to begin adding a new user.

  3. Enter an ID in the User name field. The value for this field can be up to 64 characters in length and cannot be blank. All alphanumeric characters can be used, and the following special characters: !@#%^*&-+=. This field cannot be changed after you have created the user. If we are using LDAP authentication, the user that is being registered must exist in the LDAP repository.

  4. Optional: Enter the name of the user in the Full name field. This field is used for display purposes in the user interface. If you do not enter a value for this field, the user name is displayed. After you have created the user, only the user can edit the field. The administrator cannot change the value of this field after the user is created.

  5. Enter the password for the user in the Password field. The password can use the same characters available for the User name field. If SMTP is enabled, we can leave the password field blank when a user is created, and a password is automatically generated. If LDAP authentication is enabled, the Password field is not displayed because the password from the LDAP registry is used for authentication. Reenter the same password for the user in the Verify Password field.

  6. Enter a valid email address for the user in the Email address field. This field specifies the email address used to provide a new password if the user forgets their password, and for additional notifications. The email address is required when an SMTP server is used.

  7. Click OK.

You have a new user account that we can use to log on to the user interface. When a user is first created only the default permissions are assigned.


Manage users

After you create a user, manually modify the user settings if additional permissions are required. We can also use these steps to modify a user if the information has changed.

When you create a user, the user has the default permissions. If the user account needs additional permissions, then add these permissions manually after the initial user creation. If a user account was created using the self-registration function, then only a subset of the user information is available. The remaining information needs to be added by a user that is assigned the appliance administration permission.

To modify a user using the appliance user interface.

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.

    • From the Home panel, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the User name for the user you intend to modify. The display name and the user name cannot be modified after the user has been created.

  3. We can edit the password and email address for the user. To change the password, click [edit] for the field. Enter a new password to change the password.

  4. View the user activity. The following user activity can be viewed from the user account screen:

    • Current Status: This field shows the status of the user. The following list contains the possible user statuses:

      • Active in the last 5 minutes

      • Inactive for more than 5 minutes

      • User has not logged in yet

    • User Groups: This field lists all the user groups in which the user is a member.

      Type in the group name to add a user to a group. As you type the user group name, a list of matching user groups is displayed. Click the user group name to add the user to the group; typing the name alone does not add the user. Adding a user to a user group assigns the user the permissions of the user group; the permissions previously assigned to the user are not retained. To remove a user from a user group, click the [remove] link next to the group. If a user is removed from all groups (besides the Everyone group), the user retains the permissions that were assigned to the last group from which they were removed. Removing a user from a group therefore does not revoke those permissions: after removing a user from their last group, review the permissions on the user account and clear any that are no longer needed.

  5. Modify the permissions for this user.

    We can select or clear these permissions to control the level of access that a user is assigned. User permissions cannot be modified while a user is a member of any group other than the Everyone group. If a user is a member of a group, then the user has the permissions defined by that group. If a user is a member of multiple groups, then the user has the union of the permissions defined by these groups. When you change the permissions defined for a group, the change is propagated to all the members of the group. The following permissions are available for each user.

    • Appliance administration
    • Appliance monitoring
    • Data grid creation

You have successfully modified a user account. After you have modified the user, we can add the user to a user group. We can add a layer of security to the appliance by using an LDAP server for authentication.


Removing a user

A user name and password are required to be able to log in to the user interface. If you no longer need a specific user, however, we can remove that user from appliance.

When you delete a user, all the resources owned by that user are automatically transferred to you. Use these steps to remove a user account from the appliance using the appliance user interface.

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.

    • From the Home page, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the <user_name> of the user to select the user you intend to delete.

    The Administrator user account, xcadmin, cannot be deleted.

  3. Click the delete icon to begin deleting the user. A message box is displayed requesting confirmation that this user can permanently be deleted.

  4. Click OK.

You removed a user account from the appliance.


Registering a new user account

We can create your own user account when the administrator enables the Allow new users to create their own accounts option. Use this task to create a user account from the login screen.

To register a new user account, the Allow new users to create their own accounts field must be set to Enabled.

  1. Access the WebSphere DataPower XC10 appliance login screen.

  2. Click the Register... button to begin creating a user account.

  3. Enter a login ID in the User Name field.

    The value entered for this field is used as both the user name and the display name for the user. The value for this field can be up to 64 characters in length. All alphanumeric characters can be used. The following special characters are also available:

      !@#%^*&-+=

    If LDAP is used to authenticate users, the user that is being registered must exist in the LDAP repository.

  4. Enter a password for the user in the Password field.

    The password can use the same characters available for the User Name field. The Password field is required if an SMTP or LDAP server is not defined. If SMTP is enabled, we can choose to enter a password or to leave the field blank and have a generated password sent to your email address. If LDAP is used to authenticate users, the existing LDAP password is used and you do not need to enter a password.

  5. Reenter the same password for the user in the Verify Password field.

    The value you enter for this field must be identical to the value entered for the Password field. If these fields do not match, then an error is displayed when you click Register and must be resolved before the user can be created.

  6. Enter an email address in the Email address field. The email address is required when an SMTP server is used.

  7. Click the Register button to complete the registration process.

After you have successfully completed these steps, you registered a user account that we can use to log in to the user interface. By default, we are assigned Appliance monitoring permissions only.


Create a user group

We can create user groups to better manage the access of your users to particular appliance resources.

Create user groups to quickly assign a collection of users access to a resource or group of resources. User groups are empty when they are first created. Manually add users to each new user group. Use the following steps to create a user group using the appliance user interface.

  1. Navigate to Collective > User Groups.

  2. Click the add icon to create a group.

  3. Enter a name in the Group name field. The value for this field can be up to 64 characters in length and cannot be blank. All alphanumeric characters can be used, and the following special characters: !@#%^*&-+= are also available.

  4. Enter any additional information in the Description field. This field can be used to include additional details about the user group.

  5. Click OK.

After successfully completing these steps, you have a new user group to help manage the permissions for your appliance users. We can add users to the group you created.


Manage user groups

When you first create a user group, the user group does not have any users designated as members. Manually add users to the group unless LDAP authentication is enabled.

To add or remove a user from a user group using the appliance user interface.

  1. Navigate to Collective > User Groups.

  2. Click the <group_name> to select a group to modify.

  3. To modify the description of the user group, click the existing description and enter the changes to make.

  4. To add a user to the group, type the user name and then click the <user_name> in the list.

    As you type the user name, a list of users matching what you have typed is displayed. Click the user name to add the user to the group; typing the name alone does not add the user. Adding a user to a user group assigns the user the permissions of the user group; the permissions previously assigned to the user are not retained.

    If LDAP Authentication is enabled, then we cannot modify the membership of a group within the WebSphere DataPower XC10 appliance.

  5. Modify the permissions assigned to the group.

    The following permissions are available to be applied to a user group:

    • Appliance administration

    • Appliance monitoring

    • Data grid creation

  6. To remove a user from the group, click the [remove] link next to the user we want to remove. No confirmation is requested, so use appropriate caution when managing your user group. If a user is removed from all groups besides the Everyone group, the user retains the permissions that were assigned to the last group from which they were removed, so removal alone does not revoke access; edit the user's permissions afterwards.

You have completed the modifications to your user group.


Removing a user group

We can remove a user group from WebSphere DataPower XC10 appliance if the user group is no longer needed.

To remove a user group from the appliance using the appliance user interface.

  1. Click Collective > User Groups.

  2. Click <user_group_name> to select the user group that you intend to remove.

    The Everyone user group cannot be removed.

  3. Click the remove icon () to begin removing the group.

  4. Click OK to confirm that the selected user group can be removed.

Each user group member is removed from the group, and the user group is deleted.


User permissions

User permissions are defined to determine which panels are viewable for each user and to determine the user access to a particular object.

The permissions assigned to your users define which administrative tasks for WebSphere DataPower XC10 appliance they are able to perform. In addition to determining which of the administrative pages are displayed, the content of the Welcome page is dynamically generated to display different content for users assigned different levels of access. When users initially register, they have the appliance monitoring permission only. An appliance administrator must assign data grid creation or appliance administration permissions.

Table 1. Viewable panels for each permission level

  Permission                 View Welcome  Create      Delete      View monitor  View   View and create        Modify appliance  Manage users and
                             page          data grids  data grids  menu          tasks  collectives and zones  settings          user groups
  Appliance monitoring       Yes           No          No          Yes           Yes    No                     No                No
  Data grid creation         Yes           Yes         Yes         No            Yes    No                     No                No
  Appliance administration   Yes           Yes         Yes         Yes           Yes    Yes                    Yes               Yes
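The permission rules stated above (a newly registered user holds Appliance monitoring only; a member of one or more groups other than Everyone has the union of those groups' permissions and cannot hold permissions of their own; a user removed from the last group keeps that group's permissions) are easy to get wrong when auditing who can administer the appliance. The following is an added example, not the appliance's own code: a small model of those rules, with an audit function that flags users in no group who still hold more than the default permissions. The users and group names are constructed; only "Everyone" and the permission names come from the page.

```python
"""Added example, not the appliance's own code: a model of the permission rules
stated in the user and user-group sections, used to audit effective access.
Users and group names below are made up; 'Everyone' and the permission names
come from the page.
"""
from dataclasses import dataclass, field

DEFAULT_PERMISSIONS = frozenset({"Appliance monitoring"})  # what a newly registered user gets

# Table 1 above, as the set of capabilities each permission grants.
CAPABILITIES = {
    "Appliance monitoring": {"View Welcome page", "View monitor menu", "View tasks"},
    "Data grid creation": {"View Welcome page", "Create data grids", "Delete data grids", "View tasks"},
    "Appliance administration": {
        "View Welcome page", "Create data grids", "Delete data grids", "View monitor menu",
        "View tasks", "View and create collectives and zones", "Modify appliance settings",
        "Manage users and user groups",
    },
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    # Permissions held on the account itself; only consulted when the user is in no group.
    direct: set = field(default_factory=lambda: set(DEFAULT_PERMISSIONS))


def real_groups(user: User) -> set:
    """Memberships that count for permissions (the Everyone group does not)."""
    return user.groups - {"Everyone"}


def effective_permissions(user: User, groups: dict) -> set:
    """Union of the groups' permissions, or the account's own when in no group."""
    if real_groups(user):
        return set().union(*(groups[g] for g in real_groups(user)))
    return set(user.direct)


def remove_from_group(user: User, group: str, groups: dict) -> None:
    """Leaving the last group leaves that group's permissions behind on the account."""
    if group not in user.groups:
        return
    user.groups.discard(group)
    if not real_groups(user):
        user.direct = set(groups[group])


def stale_privileges(users: list, groups: dict) -> dict:
    """Users in no group who still hold more than the default permissions."""
    return {
        u.name: sorted(effective_permissions(u, groups) - DEFAULT_PERMISSIONS)
        for u in users
        if not real_groups(u) and effective_permissions(u, groups) - DEFAULT_PERMISSIONS
    }


def capabilities(user: User, groups: dict) -> set:
    """Panels and actions the user can reach, per Table 1."""
    return set().union(*(CAPABILITIES[p] for p in effective_permissions(user, groups)))


def sample() -> tuple:
    """Constructed users and groups for the demonstration."""
    groups = {
        "Everyone": set(),
        "appliance-admins": {"Appliance administration"},
        "grid-owners": {"Data grid creation"},
    }
    users = [
        User("alice", {"Everyone", "appliance-admins", "grid-owners"}),
        User("bob", {"Everyone"}),
    ]
    return users, groups


if __name__ == "__main__":
    users, groups = sample()
    alice = users[0]
    remove_from_group(alice, "grid-owners", groups)
    remove_from_group(alice, "appliance-admins", groups)
    print("alice after leaving every group:", sorted(effective_permissions(alice, groups)))
    print("stale privileges to clear manually:", stale_privileges(users, groups))
```

Run as a script, alice is still an appliance administrator after being removed from both groups, and stale_privileges lists her; that is the review step an administrator must do by hand in the Users panel after changing group membership.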


Ethernet interfaces

During the initial serial connection, you configured the mgmt Ethernet interface to connect the appliance to your network. We can define additional private Ethernet ports in the user interface.

The number of Ethernet interfaces that can be managed by the appliance vary depending on which type of appliance we are using. See the following diagrams for more information about the Ethernet interfaces:

Ethernet interfaces must be configured on the same network and must be reachable. If you choose to configure additional network interface cards (NIC), each NIC configured provides one extra gigabit of bandwidth. The total amount of bandwidth is limited by the network capacity.

If we are using eth1 or eth2, then your switch must be enabled for auto-negotiation.

For the type 7199-92x appliance, use either the 1 gigabit or 10 gigabit Ethernet ports for the data grid. Use either all 1 gigabit ports or all 10 gigabit ports. We cannot change between the port types after your initial configuration. Connect the management port at MGMT0 (L).

If you edit the Ethernet interfaces for a stand-alone appliance, you must clear the configuration and restart the appliance after changing the settings. If the appliance is in a collective, we cannot update the Ethernet interfaces.

  1. Edit the Ethernet interfaces on a stand-alone appliance. Navigate to the Settings panel.

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Ethernet Interfaces.

  3. Enable or disable an Ethernet interface by selecting or clearing the Enabled check box. The mgmt interface cannot be disabled.

  4. Change the IP address/mask. Enter the IP address and the subnet mask in the following format <ip_address>/<subnet_mask>. The subnet mask must be entered using Classless Inter-Domain Routing (CIDR) notation. Example: 255.255.255.0 in long notation is 24 in CIDR notation.

  5. Change the Default gateway. The appliance uses source-based routing, not destination-based routing. A packet goes out to the destination on the same interface on which it was received. Each interface has its own routing table that is separate from the other interfaces. For each interface that needs to reach destinations beyond the local subnet, provide a default route that is directly reachable from that interface.

  6. Indicate if the provided IP address is a Private IP address.

  7. Change the Maximum Transmission Unit (MTU). This field specifies the maximum size in bytes that a protocol data unit can be when communicating using an Ethernet interface. The default value is 1500 bytes, which is also the maximum allowable value for this field.

  8. Change the Mode. The following Ethernet modes are available for your Ethernet interfaces:

    • Auto
    • 10baseT-HD
    • 10baseT-FD
    • 100baseTx-HD
    • 100baseTx-FD
    • 1000baseTx-FD

  9. Clear the configuration and restart the appliance by selecting the checkbox Enabled. This clears the configuration. A restart is required for the appliance processes to bind to the Ethernet interface.
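The steps above impose several constraints that are worth checking before submitting the form and restarting: the address must be entered as <ip_address>/<subnet_mask> with the mask in CIDR form, the default gateway must be directly reachable from the interface's own subnet because routing is per interface, and the MTU cannot exceed 1500 bytes. The following is an added example, not the appliance's own code, that performs those checks with Python's ipaddress module; it also converts a dotted mask to its CIDR prefix length and flags duplicate addresses. The interface definitions are constructed for illustration (only the mgmt name is from the page).

```python
"""Added example, not the appliance's own code: pre-flight checks for the
Ethernet interface settings described above (CIDR address/mask, a default
gateway reachable from the interface's subnet, MTU of at most 1500 bytes,
no duplicate addresses). Interface definitions below are constructed.
"""
import ipaddress

MAX_MTU = 1500  # the page gives 1500 bytes as both the default and the maximum


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects masks that are not a contiguous run of ones."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != ((1 << prefix) - 1) << (32 - prefix):
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix


def parse_interface_address(value: str) -> ipaddress.IPv4Interface:
    """Accept <ip>/<prefix> (what the UI wants) or <ip>/<dotted mask>, normalized to CIDR."""
    ip, sep, mask = value.partition("/")
    if not sep or not mask:
        raise ValueError(f"{value!r}: enter the address as <ip_address>/<subnet_mask>")
    if "." in mask:
        mask = str(mask_to_prefix(mask))
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def check_interface(name: str, address: str, gateway=None, mtu: int = MAX_MTU) -> list:
    """Return the list of problems with one interface's settings (empty if consistent)."""
    problems = []
    try:
        iface = parse_interface_address(address)
    except ValueError as exc:
        return [f"{name}: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            # Source-based routing: each interface needs a gateway on its own subnet.
            problems.append(f"{name}: default gateway {gw} is not directly reachable from {net}")
        elif gw == iface.ip:
            problems.append(f"{name}: default gateway equals the interface address")
    if not 0 < mtu <= MAX_MTU:
        problems.append(f"{name}: MTU {mtu} is outside 1..{MAX_MTU}")
    return problems


def check_all(interfaces: list) -> list:
    """Check every interface and flag any address that is used more than once."""
    problems, seen = [], {}
    for spec in interfaces:
        problems.extend(check_interface(**spec))
        try:
            ip = parse_interface_address(spec["address"]).ip
        except ValueError:
            continue
        if ip in seen:
            problems.append(f"{spec['name']}: address {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, spec["name"])
    return problems


# Constructed sample configuration (documentation-range addresses, hypothetical values).
SAMPLE_INTERFACES = [
    {"name": "mgmt", "address": "192.0.2.10/24", "gateway": "192.0.2.1"},
    {"name": "eth1", "address": "198.51.100.20/255.255.255.0", "gateway": "198.51.100.1"},
    {"name": "eth2", "address": "203.0.113.30/255.0.255.0", "gateway": "203.0.113.1"},
    {"name": "eth3", "address": "198.51.100.40/24", "gateway": "192.0.2.1", "mtu": 9000},
]

if __name__ == "__main__":
    for problem in check_all(SAMPLE_INTERFACES) or ["no problems found"]:
        print(problem)
```

In the constructed sample, eth2 is rejected for a non-contiguous mask, and eth3 is flagged twice: its gateway sits on the mgmt subnet rather than its own, which the appliance's per-interface routing cannot use, and its MTU exceeds the 1500-byte maximum.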


Adding an aggregate interface

We can link multiple network interfaces into a single aggregate interface. An aggregate interface is made up of one or more Ethernet interfaces to act as a single logical unit. Use this feature to distribute traffic over your network. Link aggregation between switches provides increased connectivity, redundancy, and expanded bandwidth.

  1. Navigate to the Settings panel. To add an aggregate interface, navigate to the Settings panel, using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Aggregate Interfaces.

  3. Click Add a new aggregate interface.

  4. Complete the form to describe the aggregate interface we want to add.

    Name

    Name of the interface.

    IP address/mask

    IP address that we want assigned to the aggregate interface. Enter the IP address and the subnet mask in the following format <ip_address>/<subnet_mask>.

    IPv4 and IPv6 addresses are both assigned using this property. Duplicate addresses are not permitted.

    Aggregation policy

    active-backup

    Active-backup policy for high availability. With this policy, only one Ethernet interface, as a member of an aggregate interface, is enabled at a time. If that Ethernet interface fails, another member resumes processing.

    LACP

    Specifies the Link Aggregation Control Protocol (LACP) policy for both high availability and bandwidth. Use the LACP policy only when its mode is not set to 'OFF'. By default, the selection logic is Stable, and the transmit hash mode is layer2.

    balance-tlb

    Specifies the balance-tlb policy for load balancing and high availability. This policy distributes outbound traffic according to the current load of each member. Inbound traffic flows to the Ethernet interface that is selected as the primary member. If the receiving Ethernet interface fails, another member resumes processing.

    Members

    Ethernet interface we want to add to the aggregate interface. By default, the first Ethernet interface added to the list is designated as the primary member.

    An Ethernet interface cannot be a member of more than one aggregate interface.

    An Ethernet interface must be disabled before you add it to an aggregate interface. To disable it, clear the Enabled checkbox for that interface on the Ethernet interfaces panel.

  5. Click OK.

    An aggregate interface is enabled by default. If you want to continue using your existing aggregate interface rather than the new one, disable the new one first: expand Aggregate interfaces, locate the aggregate interface you just added, and clear the Enabled checkbox. If the new aggregate interface is left enabled, the appliance binds the data grids to it the next time it restarts, which may produce unexpected results.

    Changes to aggregate interfaces do not take effect until the appliance restarts. Issue the clear-all command and then the device-restart command in the command line interface for the changes to take effect.
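The constraints in the form above are easy to violate, and each mistake costs a clear-all and a restart to discover. The following Python is an added example, not part of the appliance or its user interface: it models those constraints (CIDR-only masks, no duplicate addresses, members that are disabled and belong to one aggregate only, a default gateway inside the interface's own subnet because routing is per interface, an MTU of at most 1500, at most one enabled aggregate, and the rules for removing a member from the editing procedure that follows) so that a planned definition can be checked on a workstation before it is entered. The class names, the Ethernet interface names, and the addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICIES = ("active-backup", "LACP", "balance-tlb")
MAX_MTU = 1500  # the panel's default, and also its maximum allowable value


@dataclass
class EthernetInterface:          # assumed model of one row on the Ethernet interfaces panel
    name: str
    enabled: bool = True


@dataclass
class AggregateInterface:         # assumed model of the aggregate-interface form
    name: str
    address: str                  # "<ip_address>/<subnet_mask>", mask as a CIDR prefix length
    members: List[str]            # Ethernet interface names; the first one is the primary
    policy: str = "active-backup"
    gateway: Optional[str] = None
    mtu: int = MAX_MTU
    enabled: bool = True          # the panel enables a new aggregate by default


def parse_address(addr: str):
    """Accept only CIDR notation; ip_interface alone would also accept 198.51.100.5/255.255.255.0."""
    _, sep, prefix = addr.partition("/")
    if not sep or not prefix.isdigit():
        raise ValueError(f"{addr!r} must use CIDR notation, for example 192.0.2.10/24")
    return ipaddress.ip_interface(addr)   # ValueError on a malformed address or prefix


def validate(aggregates: List[AggregateInterface],
             ethernets: List[EthernetInterface]) -> List[Tuple[str, str]]:
    """Return (aggregate name, problem) pairs; an empty list means the definitions are consistent."""
    problems: List[Tuple[str, str]] = []
    eth_by_name = {e.name: e for e in ethernets}
    address_owner = {}   # IP address -> aggregate that already uses it
    member_owner = {}    # Ethernet interface name -> aggregate that already contains it

    for agg in aggregates:
        iface = None
        try:
            iface = parse_address(agg.address)
        except ValueError as exc:
            problems.append((agg.name, f"address: {exc}"))
        if iface is not None:
            if iface.ip in address_owner:
                problems.append((agg.name, f"address {iface.ip} is already assigned to {address_owner[iface.ip]}"))
            address_owner.setdefault(iface.ip, agg.name)

        if agg.policy not in POLICIES:
            problems.append((agg.name, f"unknown aggregation policy {agg.policy!r}"))
        if not agg.members:
            problems.append((agg.name, "needs at least one member Ethernet interface"))
        for member in agg.members:
            eth = eth_by_name.get(member)
            if eth is None:
                problems.append((agg.name, f"member {member} is not a known Ethernet interface"))
                continue
            if eth.enabled:
                problems.append((agg.name, f"member {member} must be disabled before it is added"))
            if member in member_owner:
                problems.append((agg.name, f"member {member} already belongs to {member_owner[member]}"))
            member_owner.setdefault(member, agg.name)

        # Routing is per interface (source-based), so the default gateway must be
        # directly reachable, which means inside this interface's own subnet.
        if agg.gateway is not None and iface is not None:
            try:
                gw = ipaddress.ip_address(agg.gateway)
            except ValueError as exc:
                problems.append((agg.name, f"gateway: {exc}"))
            else:
                if gw not in iface.network:
                    problems.append((agg.name, f"gateway {gw} is outside {iface.network}, so it is not directly reachable"))

        if not 0 < agg.mtu <= MAX_MTU:
            problems.append((agg.name, f"MTU {agg.mtu} is outside 1..{MAX_MTU}"))

    enabled = [a.name for a in aggregates if a.enabled]
    if len(enabled) > 1:
        problems.append(("*", f"{len(enabled)} aggregates are enabled ({', '.join(enabled)}); "
                              "disable the ones the data grids must not bind to after restart"))
    return problems


def remove_member(agg: AggregateInterface, member: str) -> None:
    """The edit form's rules: neither the only member nor the primary member can be removed."""
    if len(agg.members) == 1:
        raise ValueError(f"{member} is the only member of {agg.name}")
    if agg.members[0] == member:
        raise ValueError(f"{member} is the primary member of {agg.name}; designate another primary first")
    agg.members.remove(member)   # ValueError if it was never a member


if __name__ == "__main__":
    # Constructed input: agg0 is clean, agg1 breaks several rules at once.
    eths = [EthernetInterface("eth0", enabled=False), EthernetInterface("eth1", enabled=False),
            EthernetInterface("eth2", enabled=True)]
    aggs = [AggregateInterface("agg0", "192.0.2.10/24", ["eth0", "eth1"], "LACP", gateway="192.0.2.1"),
            AggregateInterface("agg1", "198.51.100.5/255.255.255.0", ["eth1", "eth2"], gateway="203.0.113.1")]
    for name, problem in validate(aggs, eths):
        print(f"{name}: {problem}")
```

Run it after filling in the interfaces you intend to enter; every line it prints corresponds to a rule the panel or the restart would otherwise enforce the hard way.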


Editing an aggregate interface

  1. Navigate to the Settings panel using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Aggregate Interfaces.

  3. Add or remove members of the existing aggregate interface. The panel lists the Ethernet interfaces that are currently members of this aggregate.

    You cannot remove a member if it is the only member, and you cannot remove a member if it is the primary member.

    An Ethernet interface must be disabled before you add it to the aggregate interface.

    1. To add more members, click Add more...
    2. Select the Ethernet interface, and click OK.

  4. Change the IP address and subnet mask, entered as <ip_address>/<subnet_mask>. The subnet mask must be entered in Classless Inter-Domain Routing (CIDR) notation; for example, the mask 255.255.255.0 in dotted notation is /24 in CIDR notation.

  5. Change the Default gateway. The appliance uses source-based routing, not destination-based routing: a reply goes out on the same interface on which the request was received, and each interface has its own routing table, separate from those of the other interfaces. For each interface that needs to reach destinations beyond its local subnet, provide a default gateway that is directly reachable from that interface, that is, an address inside the interface's own subnet.

  6. Change the Maximum Transmission Unit (MTU). This field specifies the maximum size, in bytes, of a protocol data unit sent over the Ethernet interface. The default value is 1500 bytes, which is also the maximum allowable value for this field, so jumbo frames cannot be configured.

  7. Click Edit to change the aggregation policy. Depending on the aggregation policy you select, the following properties are presented.

    Aggregation policy

    active-backup

    Active-backup policy for high availability. With this policy, only one Ethernet interface (as a member of an aggregate interface) is enabled at a time. If that Ethernet interface fails, another member takes over. By default, the first Ethernet interface added to the list is designated as the primary member.

    Primary member

    Specifies the Ethernet interface we want to designate as the primary member. By default, the first Ethernet interface added to the list is designated as the primary member.

    Aggregation policy

    LACP

    Specifies the Link Aggregation Control Protocol (LACP) policy for both high availability and bandwidth. Use the LACP policy only when its mode is not set to 'OFF'. By default, the selection logic is Stable and the transmit hash mode is layer2.

    Selection logic

    Determines which group of members (the members that negotiated with the same LACP partner) carries traffic, and when that choice is re-evaluated.

    • Stable

      Selects the group with the largest total bandwidth and keeps it; the choice is made again only when the selected group has no members available. Stable is the default.

    • Bandwidth

      Selects the group with the largest total bandwidth. The choice is made again whenever a member is added or removed, or the aggregate interface is enabled or disabled.

    • Count

      Selects the group with the largest number of member Ethernet interfaces. The choice is made again under the same conditions as Bandwidth.

    Hash policy

    Determines how outbound flows are spread across the members: the selected header fields are combined with exclusive OR (XOR) into a hash, and the hash picks the member, so all packets with the same field values always use the same member.

    • layer2

      XOR of the source and destination MAC addresses. Traffic that reaches the appliance through a router always carries the router's MAC address, so with layer2 all of that traffic is hashed to a single member.

    • layer2+3

      XOR of the MAC addresses and the IP addresses, so traffic from different remote hosts is spread across members even when it arrives through the same router.

    • layer3+4

      XOR of the IP addresses and the TCP or UDP port numbers, so separate connections from the same remote host can use different members.

    Aggregation policy

    balance-tlb

    Specifies the balance-tlb policy for load balancing and high availability. This policy distributes outbound traffic according to the current load of each member. Inbound traffic always arrives on the member that is designated as the primary. If that Ethernet interface fails, another member takes over.

    Primary member

    Specifies the Ethernet interface we want to designate as the primary member. By default, the first Ethernet interface added to the list is designated as the primary member.

  8. Click OK.

    When you edit an aggregate interface, the changes do not take effect until you restart the appliance; the restart is needed for the appliance processes to bind to the Ethernet interfaces. Disable the modified aggregate interface before restarting: expand Aggregate interfaces, locate the aggregate interface you just modified, and clear the Enabled check box. Then run the clear-all and device-restart commands in the command line interface. If you do not run these commands, the changes do not take effect.


Deleting an aggregate interface

  1. Navigate to the Settings panel using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Aggregate Interfaces and click the remove icon next to the aggregate interface to remove it.

    When you delete an aggregate interface, the change does not take effect until you restart the appliance. After deleting the aggregate interface, run the clear-all and device-restart commands in the command line interface. If you do not run these commands, the WebSphere DataPower XC10 appliance continues to use this interface.


Manage the DNS Server

The DNS server is specified during appliance initialization. A DNS server is required: the appliance uses DNS lookups when communicating with other hosts.

The DNS servers must have matching forward and reverse entries for the range of IP addresses managed by the appliance, because the appliance derives the host name from a reverse lookup during deployment of a virtual system. If the reverse lookup fails because no host name is defined for the address, the deployment fails, because it requires a host name rather than just an IP address.

  1. Navigate to the Settings panel.

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.

    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Domain Name Servers.

  3. Optional: Click the IP address of an existing DNS server to modify it.

  4. Click Click to add to add a new DNS server. One DNS server is already present from the initialization of the appliance.

  5. Optional: Click the remove icon next to a DNS server to remove it.

After successfully completing these steps, you have defined a DNS server to be used for lookups during communication. We can also set DNS servers with the command line interface. See Using the command line interface to run operations on the appliance for more information.


Map IP addresses to host names

A connection that is configured by host name can be opened only if the name resolves to an IP address, and the appliance also expects addresses it manages to resolve back to a host name. When DNS does not provide the mapping you need, we can supply a static one by editing the etc/hosts file on the appliance. We can edit the etc/hosts file from the user interface; remember that such entries are static and must be updated by hand if the address or name changes.

Edit the etc/hosts file from the appliance user interface as follows.

  1. Navigate to the Settings panel.

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand IP addresses to Host names.

  3. Click Create mapping and specify the IP address and host name.

  4. Click OK to create the mapping. This mapping edits the etc/hosts file on the appliance.

  5. Optional: To remove a mapping, click the remove icon next to it.

After successfully completing these steps, you have edited the etc/hosts file which associates an IP address with a host name.
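The DNS requirement above (a reverse entry for every managed address, and a forward entry that agrees with it) and the hosts-file mapping are two sides of the same pre-flight check. The Python below is an added example, not part of the appliance: because the appliance has no shell, it is meant to run on an administrator's workstation whose resolver points at the same DNS servers the appliance uses. It classifies each address in a range as ok, no-ptr, no-forward, or mismatch, and produces the IP-to-host-name lines to enter in the panel for the addresses that fail. The resolver callables are this example's own design, and the FAKE_PTR/FAKE_A tables are constructed data that stand in for real DNS so the check can be exercised offline; os_reverse and os_forward use the standard socket module for a live run.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

ReverseLookup = Callable[[str], Optional[str]]   # IP address -> PTR name, or None if there is none
ForwardLookup = Callable[[str], List[str]]       # host name -> its addresses, [] if it does not resolve


def os_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the workstation's resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def os_forward(name: str) -> List[str]:
    """A/AAAA lookup through the workstation's resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_addresses(addresses: Iterable[str], reverse: ReverseLookup = os_reverse,
                    forward: ForwardLookup = os_forward) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each address return (status, ptr_name). Status is one of:
    ok          reverse lookup gives a name and that name resolves back to the address
    no-ptr      no reverse entry, so the appliance cannot derive a host name
    no-forward  the PTR name exists but does not resolve at all
    mismatch    the PTR name resolves, but to other addresses (a stale or wrong record)"""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for ip in addresses:
        ip = str(ipaddress.ip_address(ip))        # normalise, e.g. 2001:DB8::1 -> 2001:db8::1
        name = reverse(ip)
        if name is None:
            results[ip] = ("no-ptr", None)
            continue
        forward_ips = [str(ipaddress.ip_address(a)) for a in forward(name)]
        if ip in forward_ips:
            results[ip] = ("ok", name)
        elif not forward_ips:
            results[ip] = ("no-forward", name)
        else:
            results[ip] = ("mismatch", name)
    return results


def check_range(cidr: str, **lookups) -> Dict[str, Tuple[str, Optional[str]]]:
    """Check every host address of a CIDR block, such as the range the appliance manages."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts()) or [net.network_address]   # a /32 or /128 has exactly one address
    return check_addresses((str(h) for h in hosts), **lookups)


def hosts_entries(results: Dict[str, Tuple[str, Optional[str]]],
                  names: Optional[Dict[str, str]] = None) -> List[str]:
    """One '<ip>\t<host name>' line per failing address, ready for the IP addresses to Host names panel.
    An address without a PTR needs its name supplied in `names`; otherwise it is skipped."""
    lines = []
    for ip, (status, ptr) in sorted(results.items(), key=lambda kv: int(ipaddress.ip_address(kv[0]))):
        if status == "ok":
            continue
        name = ptr or (names or {}).get(ip)
        if name:
            lines.append(f"{ip}\t{name}")
    return lines


# Constructed DNS data standing in for the appliance's DNS servers, so the check runs offline.
FAKE_PTR = {"192.0.2.10": "xc10-a.example.com", "192.0.2.11": "xc10-b.example.com",
            "192.0.2.12": "stale.example.com"}
FAKE_A = {"xc10-a.example.com": ["192.0.2.10"], "xc10-b.example.com": ["192.0.2.99"]}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    res = check_range("192.0.2.8/29", reverse=fake_reverse, forward=fake_forward)
    for ip, (status, name) in res.items():
        print(f"{ip:16} {status:11} {name or ''}")
    print("\n".join(hosts_entries(res, names={"192.0.2.13": "xc10-d.example.com"})))
```

For a live run, call check_range with the managed range and no overrides so the os_reverse and os_forward defaults are used; treat a mismatch as seriously as a missing entry, because the appliance will trust whatever name the reverse record returns.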


Manage date and time settings

Use Network Time Protocol (NTP) servers to keep the date and time synchronized across the appliances in your collective. Configuring an NTP server is important when you use a collective: synchronized clocks keep the timestamps in log entries consistent across appliances, so that events can be correlated between the log files of the different appliances.

  1. Navigate to the Settings panel using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Date and Time.

  3. Select the correct time zone from the The current time zone is drop-down menu.

  4. Click Click to add to add an NTP server. By default, no NTP servers are configured.

  5. Drag the name of a server to reorder the NTP servers. The first available NTP server in the list is used to maintain synchronization; the others are tried in list order only if it does not respond.

  6. Click the remove icon next to an NTP server to delete it.

  7. Restart the appliance for your changes to become effective.

You have defined an NTP server to maintain clock synchronization across the appliances in your collective.
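Because the appliance has no shell, the only way to confirm in advance that the NTP servers you entered answer, are synchronized, and roughly agree with your clock is to query them from a workstation. The Python below is an added example, not appliance code: it performs one SNTP exchange (the client request, the validated server reply, and the four-timestamp offset and delay calculation), rejects unsynchronized or mismatched replies, and tries servers in panel order, using the first that responds, as the panel does. build_response fabricates a server reply so the parsing runs offline; query_server does a real UDP exchange on port 123 and needs network access. The server names in the final lines are placeholders.

```python
import socket
import struct
import time
from typing import Callable, Dict, List, Tuple

NTP_DELTA = 2208988800     # seconds between the NTP epoch (1900) and the Unix epoch (1970)
PACKET = "!BBBb11I"        # the 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, then 11 words
NTP_PORT = 123


def _to_ntp(unix: float) -> Tuple[int, int]:
    sec = int(unix)
    return sec + NTP_DELTA, int((unix - sec) * 2**32)


def _from_ntp(sec: int, frac: int) -> float:
    return sec - NTP_DELTA + frac / 2**32


def build_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=4, mode=3, with our send time t1 in the transmit timestamp."""
    sec, frac = _to_ntp(t1)
    return struct.pack(PACKET, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, sec, frac)


def build_response(t1: float, t2: float, t3: float, stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply (mode 4) for offline use: echoes t1 as originate, t2 receive, t3 transmit."""
    o, r, x = _to_ntp(t1), _to_ntp(t2), _to_ntp(t3)
    return struct.pack(PACKET, (li << 6) | 0x24, stratum, 0, -20, 0, 0, 0, *r, *o, *r, *x)


def parse_response(data: bytes, t1: float, t4: float) -> Dict[str, float]:
    """Validate a reply and return the clock offset and round-trip delay in seconds."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET, data[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3 or not 1 <= stratum <= 15:   # LI=3 is the alarm condition, stratum 0 is kiss-o'-death
        raise ValueError(f"server unsynchronized (LI={li}, stratum={stratum})")
    if (f[9], f[10]) != _to_ntp(t1):        # originate timestamp must echo our request exactly
        raise ValueError("originate timestamp does not match our request; reply discarded")
    t2, t3 = _from_ntp(f[11], f[12]), _from_ntp(f[13], f[14])
    return {"offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2),
            "stratum": stratum}


def query_server(host: str, timeout: float = 2.0) -> Dict[str, float]:
    """One real SNTP exchange over UDP/123 (IPv4; network access required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, NTP_PORT))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    return parse_response(data, t1, t4)


def first_available(servers: List[str],
                    query: Callable[[str], Dict[str, float]] = query_server) -> Tuple[str, Dict[str, float]]:
    """Try servers in the panel's order and return (server, result) for the first sane answer."""
    errors = {}
    for host in servers:
        try:
            return host, query(host)
        except (OSError, ValueError) as exc:      # timeout, unreachable, or a rejected reply
            errors[host] = str(exc)
    raise RuntimeError(f"no NTP server answered: {errors}")


if __name__ == "__main__":
    host, result = first_available(["ntp1.example.com", "ntp2.example.com"])   # placeholder names
    print(f"{host}: offset {result['offset']:+.3f} s, delay {result['delay']:.3f} s, stratum {result['stratum']}")
```

An offset of more than a few seconds before the appliances are pointed at the same servers is worth fixing first, because the log timestamps written until the appliance restarts with the new NTP settings will carry that error.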


Email Delivery

The mail delivery function on the appliance is used for resetting user passwords. When a user who has forgotten their password requests a new one, the appliance generates a new password and sends it to the user by email.

An SMTP server must therefore be configured for the appliance. If a user requests a password reset and no SMTP server is configured, the user does not receive the new password. Because the new password travels in the email itself, treat the SMTP server and the mail path to your users as trusted infrastructure: anyone who can read mail at the relay or in transit can read the new password.

  1. Navigate to the Settings panel.

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Home panel, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Mail Delivery.

  3. Add an SMTP server.

    Provide the IP address or host name of the SMTP server to be used by the WebSphere DataPower XC10 appliance. If you use a host name, it must be resolvable by the DNS servers defined for the appliance.

  4. Add a reply-to address. Use the email address of the administrator for this field.

You have specified an SMTP server and reply-to address to be used for password resets. A Forgot your password? link displays on the appliance login screen so users can reset their passwords.


Restart the appliance from the user interface

  1. Click Tasks to verify that no processes are still running.

  2. Restart the appliance using one of the following methods:

    • From the Settings panel: navigate to Appliance > Settings (or, from the Home panel, click the Customize settings link in the Step 1: Set up the appliance section), expand Power, and click Restart the appliance.

    • From the Troubleshooting panel: navigate to Appliance > Troubleshooting, expand Power, and click Restart the appliance.

    During a restart, all the software on the appliance is stopped then the appliance is restarted. We can choose to restart the appliance immediately or we can choose to wait until all the active tasks have completed before restarting the appliance.

  3. Alternatively, click Shut down the appliance to turn off the appliance.

    During shutdown, all the software on the appliance is stopped and the appliance is halted. We can choose to shut down the appliance immediately or to wait until all the active tasks have completed before shutting down. To remove power from the appliance afterwards, use the physical power switch on the back of the appliance.

After successfully completing the steps, the appliance has either shut down or has restarted based on your selection.
