Category Archives: DPBuddy

DataPower Buddy Release 3.5.2

We’re pleased to announce the release of DPBuddy 3.5.2, our annual maintenance update of the tool.

All DPBuddy’s dependencies (third-party libraries used by DPBuddy) have been refreshed.
This includes removing and updating libraries with security vulnerabilities.

DPBuddy has been tested with all the recent versions of Java, up to Java 19. Java 8 is the lowest-supported Java version.

We have thoroughly tested DPBuddy 3.5.2 against the most recent DataPower firmware releases, including 10.5.

Comprehensive Certificate, Key and Password Inventory with DPBuddy

DPBuddy 3.5 supports in-depth inventory and analysis of your X.509 certificates and keys:

  • Inventory of all your certificates, keys and password aliases across all of your appliances and domains.
    In addition to DataPower, the inventory includes certificates from TLS endpoints.
  • Reports in Excel and text format
  • Certificate deduplication — find all places where a given certificate is used
  • See audit records of all changes: who changed what, and when
  • See how each of your crypto objects is used by other DataPower objects
  • See expiration for passwords/password aliases (in addition to certificates’ expiration)
  • Ensure compliance and best practices: identify self-signed certificates, weak keys/algorithms, unapproved signers
  • Get alerted on certificate expiration, invalid signatures, revocation, policy violations


Automating Crypto Deployment with DPBuddy

DPBuddy 3.5 supports fully automated deployment of X.509 certificates and keys with the following capabilities:

  • Deployment from standalone files in various formats (PEM, DER, PKCS8, etc.), encrypted and unencrypted.
  • Deployment from Java keystores/truststores in various formats (JKS, PKCS12, etc.). You can specify a list of aliases to deploy a subset of certs/keys from a keystore.
  • Deployment directly from TLS endpoints to DataPower.
  • Automatic deployment of issuer/CA certs. DPBuddy can also download the issuer from the certificate’s AIA extension if one exists (all certs issued by known CAs will have that extension).
  • Auditing of all changes to crypto objects directly on DataPower. You can see who changed what, and when, using DPBuddy’s crypto reporting task.
  • Keystores and key passwords can be stored encrypted in DPBuddy’s conf file or provided directly on the command line.
  • Deployment is automatically validated to make sure all crypto objects and password aliases are up.
  • Crypto Identity Credential objects are created automatically for cert-key keypairs from a keystore.

We’ve also developed a framework for integrating with your Key Management System of choice, such as Hashicorp Vault or AWS Key Management Service.

DPBuddy copies key/cert files to DataPower (as PEM files) and creates DataPower crypto objects. The object names are derived either from the file names or from the names (aliases) in the keystore.

DPBuddy automatically determines if the source is a key or a cert and creates the crypto objects of the appropriate type.


DPBuddy Cookbook

Our cookbook contains quick examples/samples/code snippets to help with the most common DataPower development and administration tasks. The cookbook is a live document and it is frequently updated with new information.

DataPower Buddy Release 3.3 Beta

We’re pleased to announce the availability of DataPower Buddy 3.3 Beta.

This release introduces support for defining configuration properties/variables using the HOCON (Human-Optimized Config Object Notation) format. HOCON is a superset of JSON; it is quite flexible (e.g., it supports comments, includes and substitutions) and is more readable than raw JSON. HOCON provides a powerful alternative to defining environment-specific properties using the prefix-based notation. The prefix-based mechanism is still fully supported, so the use of HOCON is completely optional.

Other notable features of this release include:

  • Support for restore/import of multiple domains (or all of the domains). This could be useful for keeping multiple production appliances in sync.
  • Support for secure restore. This can also be used to maintain a DataPower cluster in sync or in a DR situation.
  • Support for appliance reboot/restart. Both secure restore and restart/reboot commands can optionally wait for the appliance to come back online.
  • Password encryption inside configuration files using the open-source Jasypt tool.
  • Under the hood, DPBuddy now streams files to the appliance during copy/import/restore, so these commands are now performed much faster and with lower memory requirements.
  • “Add” and “update” configuration transformation functions now support repeaters (loops). This can be used to generate environment-specific load-balancing group configuration with a variable number of back-end servers.
  • Many minor changes and bug fixes. For example, passwords are now automatically masked when environment transformations run in verbose mode.
  • CLI help has been improved to make the use of CLI easier.

This release could also provide support for firmware 7.5; this feature will be finalized once 7.5 becomes available.

The general availability of DPBuddy 3.3 is expected in April 2016. Meanwhile, please let us know if you’re interested in evaluating the beta version.

DPBuddy Release 3.2.4 (Improved Auditing)

We’re pleased to announce that DataPower Buddy 3.2.4 is now available. The focus of this release is on improved audit and logging.

DPBuddy now generates an audit log file in JSON format, in addition to the XML format supported in earlier releases. This file can be easily tailed, analyzed with jq and/or uploaded to an enterprise SIEM tool. DPBuddy now uses the Logback framework for auditing and logging. This provides a lot of flexibility in configuring log file location, rollover policies, appenders and other parameters.

Other new features include:

  • DPBuddy now captures import failures in the audit log.
  • The “backup” command now supports a new option/attribute, “failIfNoDomain”. If set to “false”, “backup” will not fail if the target domain does not exist.
  • Better error handling. The root cause of an error is now reported automatically, without having to run the tool in verbose mode.
  • Bug fixes.

To upgrade to this release, you can simply download and un-archive the distribution and point your DPBUDDY_HOME environment variable to the new location. If you’re using DPBuddy from Apache Ant, you will also need to add <pathelement location="${dpbuddy.home}/conf"/> to the DPBuddy library’s “taskdef” in your Ant files; otherwise, you will see verbose logging output in the console.

You can download DPBuddy 3.2.4 from this page.

DataPower Buddy Release 3.2.3 (Firmware 7.2)

We’re pleased to announce that DPBuddy 3.2.3 is now available. This release provides support for DataPower firmware 7.2 and bug fixes.

An up-to-date version of Java 7 is required when using DPBuddy with firmware 7.2; otherwise you may encounter an SSL-related error when trying to connect to DataPower. This is due to a bug in earlier versions of OpenJDK.

Other new features include:

  • “quiet” in the “delConfig” task now suppresses all deletion errors, including the ones caused by an object being referenced by another object. This provides a workaround for a bug in firmware 7.2 which causes DataPower to retain references to objects that have been deleted.
  • “resetDomain”, “restartDomain” and “wsrrSynchronize” now support “domain” and other common attributes/options; these attributes/options were ignored in earlier versions.

You can download DPBuddy 3.2.3 trial from this page.