Archive for the ‘dpbuddy’ Category

Build Complete Certificate and Key Inventory with DPBuddy

Posted on 06/21/2020, Alexander

DPBuddy 3.5 supports in-depth inventory and analysis of your X.509 certificates and keys:

  • Inventory of all your certificates, keys and password aliases across all of your appliances and domains.
    In addition to DataPower, the inventory includes certificates from TLS endpoints.
  • Reports in Excel and text format
  • Certificate deduplication -- find all places where a given certificate is used
  • See audit records of all changes -- who changed what when
  • See how each of your crypto objects is used by other DataPower objects
  • See expiration for passwords/password aliases (in addition to certificates' expiration)
  • Ensure compliance and best practices: identify self-signed certificates, weak keys/algorithms, unapproved signers
  • Get alerted on certificate expiration, invalid signatures, revocation, policy violations


Automating Crypto Deployment with DPBuddy

Posted on 05/24/2020, Alexander

DPBuddy 3.5 supports fully automated deployment of X.509 certificates and keys with the following capabilities:

  • Deployment from standalone files in various formats (PEM, DER, PKCS8, etc.), encrypted and unencrypted.
  • Deployment from Java keystores/truststores in various formats (JKS, PKCS12, etc.). You can specify a list of aliases to deploy a subset of certs/keys from a keystore.
  • Deployment directly from TLS endpoints to DataPower.
  • Automatic deployment of issuers/CA certs. DPBuddy can also download the issuer from the certificate's AIA extension if it exists (all certs issued by known CAs will have that extension).
  • Auditing of all changes to crypto objects directly on DataPower. You can see who changed what when using DPBuddy's crypto reporting task.
  • Keystores and key passwords can be stored encrypted in DPBuddy's conf file or provided directly on the command line.
  • Deployment is automatically validated to make sure all crypto objects and password aliases are up.

We've also developed a framework for integrating with your Key Management System of choice, such as HashiCorp Vault or AWS Key Management Service.

DPBuddy copies key/cert files to DataPower (as PEM files) and creates DataPower crypto objects. The names are derived either from filenames or from the names (aliases) in the keystore.

DPBuddy automatically determines if the source is a key or a cert and creates the crypto objects of the appropriate type.

DataPower Buddy Release 3.4

Posted on 05/30/2018, Alexander Ananiev

We're pleased to announce the availability of DataPower Buddy 3.4.

This release provides support for DataPower firmware upgrades, extensive configuration reporting and diffing, DataPower operational analytics and many other features.

Please see release notes for more information.

Download DPBuddy 3.4 from this page and follow our Quick Start Guide.

DataPower Buddy Roadmap

Posted on 05/29/2018, Alexander Ananiev

The next DPBuddy release will provide improved operational analytics and certificate management. We're also working on improved configuration reports and configuration diff.

We're also planning on implementing native plugins for Maven and Gradle.

What else would you like to see in the upcoming versions of the product? Please let us know.

Running DPBuddy from Docker

Posted on 05/05/2018, Alexander Ananiev

You can now use our DPBuddy docker image that comes pre-installed with Java, Apache Ant and DPBuddy.
Simply run "docker pull myarch/dpbuddy:3.4" and follow our documentation.

DPBuddy Cookbook

Posted on 10/09/2017, Alexander Ananiev

Our cookbook contains quick examples/samples/code snippets to help with the most common DataPower development and administration tasks. The cookbook is a live document and it is frequently updated with new information.

Collecting and Analyzing DataPower Logs with DPBuddy and Elastic Stack

Posted on 08/30/2017, Alexander Ananiev

Please follow this link.

Automating DataPower Firmware Upgrades with DPBuddy

Posted on 01/29/2017, Alexander Ananiev

How to Deal with Generated DataPower Policies

Posted on 07/25/2016, Alexander Ananiev

How to Manage and Remotely Tail DataPower Logs

Posted on 07/25/2016, Alexander Ananiev

DataPower Buddy Release 3.3

Posted on 06/08/2016, Alexander Ananiev

We're pleased to announce the availability of DataPower Buddy 3.3.

New Tasks/Commands and Notable New Feature


DataPower Buddy Release 3.3 Beta

Posted on 03/15/2016, Alexander Ananiev

We're pleased to announce the availability of DataPower Buddy 3.3 Beta.

This release introduces support for defining configuration properties/variables using the HOCON (Human-Optimized Config Object Notation) format. HOCON is a superset of JSON; it is quite flexible (e.g., it supports comments, includes, substitutions) and more readable than raw JSON. HOCON provides a powerful alternative to defining environment-specific properties using prefix-based notation. The prefix-based mechanism, however, is still fully supported, so the use of HOCON is completely optional.

Other notable features of this release include:

  • Support for restore/import of multiple domains (or all of the domains). This could be useful for keeping multiple production appliances in sync.
  • Support for secure restore. This can also be used to maintain a DataPower cluster in sync or in a DR situation.
  • Support for appliance reboot/restart. Both secure restore and restart/reboot commands can optionally wait for the appliance to come back online.
  • Password encryption inside configuration files using the open-source Jasypt tool.
  • Under the hood, DPBuddy now streams files to the appliance during copy/import/restore, so these commands are now performed much faster and with lower memory requirements.
  • "Add" and "update" configuration transformation functions now support repeaters (loops). This can be used to generate environment-specific load-balancing group configuration with a variable number of back-end servers.
  • Many minor changes and bug fixes. For example, passwords are now automatically masked when environment transformations run in verbose mode.
  • CLI help has been improved to make the use of CLI easier.

This release could also provide support for firmware 7.5; this feature will be finalized once 7.5 becomes available.

The general availability of DPBuddy 3.3 is expected in April 2016. Meanwhile, please let us know if you're interested in evaluating the beta version.

DPBuddy Release 3.2.4 (Improved Auditing)

Posted on 10/12/2015, Alexander Ananiev

We're pleased to announce that DataPower Buddy 3.2.4 is now available. The focus of this release is on improved audit and logging.

DPBuddy now generates an audit log file in JSON format, in addition to the XML format supported in earlier releases. This file can be easily tailed, analyzed with jq and/or uploaded to an enterprise SIEM tool. DPBuddy now uses the logback framework for auditing and logging. This provides a lot of flexibility in configuring log file location, rollover policies, appenders and other parameters.

Other new features include:

  • DPBuddy now captures import failures in the audit log.
  • The "backup" command now supports a new option/attribute, "failIfNoDomain". If set to "false", "backup" will not fail if the target domain does not exist.
  • Better error handling. The root cause of an error is now reported automatically, without having to run the tool in verbose mode.
  • Bug fixes.

To upgrade to this release, you can simply download and un-archive the distribution and point your DPBUDDY_HOME environment variable to the new location. If you're using DPBuddy from Apache Ant, you will also need to add <pathelement location="${dpbuddy.home}/conf"/> to the DPBuddy library's "taskdef" in your Ant files, otherwise, you will see verbose logging output in the console.

You can download DPBuddy 3.2.4 from this page.

DataPower Buddy Release 3.2.3 (Firmware 7.2)

Posted on 06/28/2015, Alexander Ananiev

We're pleased to announce that DPBuddy 3.2.3 is now available. This release provides support for DataPower firmware 7.2 and bug fixes.

An up-to-date version of Java 7 is required when using DPBuddy with firmware 7.2; otherwise you may encounter an SSL-related error when trying to connect to DataPower. This is due to a bug in earlier versions of OpenJDK.

Other new features include:

  • "quiet" in "delConfig" task now suppresses all deletion errors, including the ones caused by an object being referenced by another object. This is to provide a workaround for the bug in firmware v7.2 which causes DataPower to retain references from objects that have been deleted.
  • "resetDomain", "restartDomain" and "wsrrSynchronize" now support "domain" and other common attributes/options; these attributes/options were ignored in earlier versions.

You can download DPBuddy 3.2.3 trial from this page.

DataPower Buddy Release 3.2.2

Posted on 05/27/2015, Alexander Ananiev

We're pleased to announce that DPBuddy 3.2.2 is now available. The main feature of this release is the ability to create domains with a single command, including automatic deletion of a domain:

dpbuddy createDomain -domain domain_name -delete -maxCheckpoints 5

Other new features include:

  • Full support for the latest versions of DataPower firmware, including
  • "copy" now supports the "excludes" attribute; "includes" defaults to "include all", similar to the standard Ant copy command.
  • All transformations now support the "verbose" attribute so you can see the list of changes performed by transformations without having to run DPBuddy/Ant in "verbose" mode.
  • Support for DataPower deployment variables in the import command.
  • Cleanup of the logic used by the environment-specific property resolution mechanism.
  • The "overwriteFiles" attribute of the import command now defaults to "false" for XML import files.

The release also contains several important bug fixes.

You can download DPBuddy 3.2.2 trial from this page.