Setup a Active/Passive Datapower cluster.
Install the two Datapower appliances with two different IP addresses. Create a VIP (Virtual IP address) that is in the same subnet as the two datapower appliances.
Log into the WebGUI of Datapower appliance A. Navigate to Network ->Ethernet Interface, click on the ethernet where Datapower A is installed. Navigate to the tab called: “Standby Control”
Configure Standby Control to look like to following, just replace your own VIP and Priority can be set to anything beteen 0-255 (it must just be bigger than Datapower B’s priority to be the active appliance)
Do the same for Datapower B, but change the priority to lower than Datapower A.
Now that your Active/Passive Cluster is up we will look at how to test an Active Passive Cluster.
Thys Michels Blog 
Hi Michel,
Can you recommend you some solution for management a cluster of datapower?
I have 2 datapower in cluster, but is dificult management each domain and each object.
I need some tool or utility that automatically syncronize the cluster.
Thanks.
Marcos
Hi Marcos, the recommended IBM way to Datapower appliances in a cluster is to use:
1. ITCAM SE for Datapower
2. WAS V7
In both of the products you can add multiple appliances to a managed set that can propagate configurations to all appliances in a managed set.
If Datapower is installed as ESB in intranet zone and as security gateway in DMZ zone (2+2 devices ) do we need to open up he port in intranet zone so that DMZ one can invoke the services deployed on ESB appliance. Pls let me know what is the recommended way?
Yes you need to open the VIP (Virtual IP) port for the DMZ device to have access to the ESB cluster…you can secure it with https connection. So no worries about punching a hole in your firewall and other users that does not have the right credentials get access to it.
In an active /passive setup , for SSL certificates, when the CA returns the signed CERTIFICATE, do we need to place this certificate on both the active and passive boxes. is that correct?
How would you setup 2 Datapower devices in active-active scenario to route ftp traffic from internet via Datapower in DMZ to backoffice apps on intranet?
To setup 2 Datapower appliances in active active cluster you specify the priority of the 2 appliances as the same. Then you will create a Multi-Protocol Gateway with an FTP FSH (FrontSide Handler) that will point to your VIP and send the file to to your backend (BackSide Handler). Please let me know if you need more information.
Hi Michels,
Thanks for the detailed steps. It is really informative for guys like us.
I have couple of questions.
If we already have a load balancer (a cisco load balancer) in front of two DataPower devices one configured as active and one as passive in the Cisco load balancer how this would work ?
or does it work at all in that scenario?
Second question is that we have seen instances where the Active device is not dead but almost dead but the load balancer still thinks that the Active is up as it is not fully down and keeps sending the traffic to Active instead of switching to the passive.Even when we reboot the primary as the devices comes back within seconds the load balancer doesn’t even do the switch to the passive.
Can you please suggest how to handle that scenario ,is there a way we can do a get or post from the Cisco load balancer into the datapower for a specific file or something and if it doesn’t respond or based on the response can deem it to be down ..or something like that..Looking forward to your answer
Question 1: That is a strange configuration. What is customer trying to do here ? When using StandbyControl behind LB, the LB would send traffic to the advertised VIP of the active box. If the active box goes down for some reason, the standby would become active and advertise VIP and the load balancer would start sending traffic to it.
On a different note, the case for not using LB becomes stronger with self-balancing where you get fault tolerance and use all the boxes efficiently. And with recovery, the tolerance becomes even higher and we claim High Availability (to a degree).
Question 2: We need to understand this scenario better (what does “almost dead” mean ?) Again, the LB does not know about the health of the boxes in this scenario. It just knows the advertised VIP. It sends to the VIP and whoever is active will receive packets to the VIP. Only way to make the other box get the second box to become active. As in question 1, need to find out if they really need Active/Passive in front of LB, or behind it.
Thanks Michael for the update.
We currently do not have the stand by control setting configured.All the load balancer does is a standard “Heart Beat” message(probably a TCP polling) directly to the FSH in the primary DataPower. If it can’t get a response to the “Heart Beat” message then this Load balancer sends the traffic to the secondary.
I think by configuring the stand by control and defining the priority we would avoid the problem when the primary device is unresponsive.as we can simply log in to the secondary device and increase the priority so that the traffic moves to the secondary.
We will setup a VIP in between the Load Balancer and the DataPower devices and configure the stand by control and that should solve the problem
For question 2 I meant Dead means that the device is unresponsive like 100% CPU or memory and we can’t even log in but the TCP pings are successfull and in that event the load balancer’s heart beat messages pass and the traffic is stil being routed to the bad device.
With the stand by control we also would alleviate the problem though manually by upping the priority in the secondary device I guess.
The other thing we are trying to acheive is automatic failover in the event like the one I described above (like when the device is 100% on CPU and we can’t login etc) by sending a http get to both the devices and expecting a token
Thanks again for your blog as it pointed us in the right direction
When an internal client on my corporate network uses an external service then uses the web proxy and virtual ip configured in the cluster DataPower, however, from the DataPower to the external service the internet traffic is not originating from the virtual ip it´s originating from the ip specifies an interface node.
What should I set for the DataPower generate traffic from the virtual IP to the Internet and not from the specific ip of one of the nodes?
Hello,
Thanks for the above info, but I’m seeing something strange. I have an active-standby configuration following instructions above. I have a host alias on each datapower pointing to the VIP. I’ve deployed a Web Service proxy listening on the VIP to each device. Odd that when one of the boxes reboots, the network interface seems to lose it’s IP, i.e. when I view the network interface in the web GUI there is no longer an IP address in the field. At this point, the log says the application couldn’t deploy, and it has to do with the interface not being ready. Do I need to have an alternate “listening” application (i.e. another handler) on the local interface in addition to listening on the VIP? I’m wondering if the datapower tries to optimize away interfaces that it thinks aren’t being used. I’m running 4.0.2.2 on an 9235 XS40.
Sounds like the configured network interface is not saved to the firmware and lost during datapower reboot. Did you click ‘Save Config’ to save changes to firmware?
Please look at this fix: http://www-01.ibm.com/support/docview.wss?rs=2362&uid=swg1IC69678
Are you on the latest firmware?Can you see your error code?Or provide any more log info?
I have not seen that error before.
Hi Michael,
Could you recommend us possible soulutions for the below issue for which are looking for solutions.
What we have now: We have two XI50 devices in active-active mode having identical configuration which are being load balanced by f5’s BIG-IP
LTM device in production environment.Devices have a MPGW object with associated MQ FSH with enabled admin state and both MPGW objects
get messages from the GET queue and process them accordingly. With this set up the messages are going out of order due to some operational constarints in our backend environment.
What we are looking for: To keep the messages in order, the thought is to have MPGW’s admin state enabled only on one Datapower device and to keep the admin state of the MPGW disabled on the other device, so that all messages goes to single datapower and messages remain in synch. When the DP with active MPGW is unresponsive and not able to process messages, the other datapower MPGW component’s admin state should be enabled (whose admin state is disabled) so that it should start processing messages automatically.
Thanks in advance.
Thanks,
RK
what is the recommended way to load balance backend services. Options –
a. Use a load balancer group object of the XML manager
b. Use an external load balancer
Why?
Hi Suresh,
The internal load balancer has intelligent application optimization file where you can set the percentage of load that must be sent to a clustered WAS configuration. This gives Datapower the capability to talk to the configuration manager in WAS and spray load across your multiple servers in a preconfigure way.
The AO option has two key functional features: – Self-balancing is ability for two or more DataPower appliances to distribute load amongst themselves. *This removes the requirement to place traditional server load balancers (SLBs) such as F5, Cisco and Citrix in front of a cluster of DataPower appliances – Intelligent Load Distribution – new load balancing capabilities for distributing load to * backend WebSphere Network Deployment and other non-WebSphere Application Server environments • Dynamically create load balancing groups by interrogating WebSphere Application Server Network Deployment cells • Retrieve weights from WebSphere Application Server Network Deployment cells for load distribution decisions • Out of the box support for session affinity with WebSphere Application Server Network Deployment members • Session affinity with non-WebSphere Application Server application servers
Get more info here: http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.wdatapower/wdatapower/1.0/xa35/381DataPowerAppIntel/player.html
I have the same problem as Javier, is this issue resolved? – thx
All outbound traffic from the appliance will use the physical IP of the interface.
Hi Thys
We have a standby Control configuration whereby priority on two XB60 devices is set to the same value, does this mean we running active/active? Is priority the only distinguishing factor between active/active and active/passive set-up?
Thanks
Sisanda
Hi Thys
Ever seen Active / Active XB60’s for doing B2B ? IBM has info on running Active / Passive standby groups for HA but that results in an expensive bit of kit sitting there doing nothing and our customer is interested in seeing it doing some work. The metadata store sync is the issue…
Cheers Marcus
I should say customer may well sacrifice HA (as the B2B protocols like AS2 give a fair amount of guaranteed delivery) and just go for a bunch of independent XB datapowers behind a load balancer.
Hi Sisanda, if failover is not critical for your organization then a Active Passive Configuration is the way to go but if no downtime is acceptable then Active Active config is the way to go.
@Marcus yes I have implemented a few XB60’s for doing B2B. I agree running an XB60 in Active/Passive is very expensive. Yes the Metadata store needs to be synced for failover and they do get filled up or out of sync.
AS2 is guaranteed but not very well supported so you may have problem accommodating all incoming requests.
I agree a single XB60 in front of an Edge/Ace/Datapower Load balancer is a good alternative. It all depends on your usecase.
Note: When not going for the Active/Active config you have to punch more holes in the firewall for incoming requests.
Thanks Thys,
I’d just like to echo Sisanda’s comment that you glossed over – does setting the Standby priority the same result in active/active in a standby mode, or just a problem !
The only place in IBM documentation I can find reference to active/active is with respect to Application Optimization option and NEVER together with the words B2B….
I imagine trying to keep two B2B metadata databases on two active / active XB60s in a standby group syncronised could easily result in chaos.
And AO is almost as expensive as having a second passive XB sitting around 🙂
Thanks again for your replies.
Hi, first off, I love your stuff and am a frequent visitor!
Thanks for providing all this useful knowledge! 🙂
I have a customer that want to utilize the passive box for test. How would additional setup NIC’s be affected by an active/passive setup. My expectation would be that they would not get affected at all but continue running as “nothing happened”…
They would want one separate IP for the test environment on one of the boxes. They do understand the risks of “playing around” on a production box (although the passive one).
Any thoughts?
Regards,
Karl
Hi All,
This is part of my POC activity related to DMZ setup in WebSphere Datapower SOA Appliance (XI52).
We have two Datapower Appliances with XI52…
The requirement is to host some web services based application in datapower and publish over the internet to access from outside (public internet)…
This service will be load balance with two datapower boxes as load balance and high availability….
This web service based application need to be publish over the internet using DMZ IP Address with SSL Certificate..
I need some clarification on below mentioned points to moving forward with correct approach :-
1) Network team will provide the DMZ IP
2) Please confirm – DO I need to configure this DMZ IP in Datapower Ethernet Interface (for example eth10)???????
3) Datapower Eth11 on both datapower box – Local intranet ip is configured…
4) Application optimizer need to be setup using VIP to redirect traffic from DMZ IP to both datapower (eth11) intranet ip’s (load balance and HA)
5) All the DMZ IP traffic need to route to Application Optimizer ip using Network NATing
6) For Name reslution, DNS need to configure with DMZ IP to publish web service over the internet using naming convention…
The overall flow like it is –
Internet —–> Domain/Application Firewall—>DMZ IP (port 443) ——> AO VIP ——–> Datapower Intranet IP on both boxes…..
Could you please suggest the correct approach to publish the web service over the internet using DMZ in Datapower XI52…
Thanks,
WanKhe
Hey are using WordPress for your site platform?
I’m new to the blog world but I’m trying to get started
and set up my own. Do you need any html coding knowledge to make your own blog?
Any help would be really appreciated!
Have you ever thought about adding a little bit more than just your
articles? I mean, what you say is valuable and everything.
Nevertheless just imagine if you added some great visuals or videos to give your posts more, “pop”!
Your content is excellent but with images and videos, this blog could definitely be one of the very best
in its niche. Superb blog!
I’d like to find out more? I’d love to find out some additional information.
Thanks for finally writing about >Datapower Cluster Active/Passive Setup | Thys Michels Blog <Loved it!
Howdy! I understand this is sort of off-topic but I needed to
ask. Does operating a well-established website like yours
take a massive amount work? I am brand new to blogging but I do write in my journal daily.
I’d like to start a blog so I can share my personal experience and views online.
Please let me know if you have any kind of recommendations or tips for new aspiring bloggers.
Thankyou!
I’m not sure why but this website is loading incredibly
slow for me. Is anyone else having this problem or is it a issue on my end?
I’ll check back later on and see if the problem still exists.
Hi, I would like to subscribe for this weblog to get newest updates, therefore where can i do it please
help.
I couldn’t resist commenting. Very well written!
Thank you for the auspicious writeup. It if truth be told used to be a leisure account it.
Glance complex to more delivered agreeable from you!
By the way, how could we be in contact?
Having read this I thought it was extremely enlightening.
I appreciate you finding the time and effort to put this content together.
I once again find myself spending a significant amount of time both reading and posting comments.
But so what, it was still worthwhile!
1)How can we do AO(Application Optimization) on 2 datapower boxes..where 2 boxes stand in External DMZ and pointing to Internal DMZ.
Do we have to setup and active-active or active-passive.
2) Can we setup AO if the both boxes stand in different SUBNET (VLAN)? I see we need same ipaddres range for load balancer as well VIP?
3) What is the best way to load balance if boxes are in different IP Range (VLAN)?
Ne pas payer avec de l’argent réel pour votre amusement plus longtemps,
de profiter de cette incroyable Equideow Hack d’obtenir tout dans le jeu gratuitement.
They also offer high quality video for artists in the web or television. This video clip manufacturing company
dedicates their creativity and also abilities in providing compelling
and vibrant songs as well as advertising and marketing video clip
manufacturing. They also supply other video clip production services.
Mark Hawkins is an expert graphic designer and also video clip
creator with over 15 years of experience. He focuses on 3D
animation and also modeling, video and audio modifying, aesthetic effects,
and also more. Generate the video clip of your life with live occasion video production services from Core Studios.
excellent points altogether, you just gained
a new reader. What could you suggest about your
submit that you simply made some days in the past?
Any positive?
Every weekend i used to visit this website, as i wish for
enjoyment, as this this website conations really fastidious funny material too.
Hi Michel,
With the above configuration, what if the virtual ip has an issue and goes down? Isn’t it a single point of failure?? Is there a way to avoid it?
Every weekend i used to visit this web page, because i want enjoyment, as
this this site conations actually good funny data too.
Привет все, это мой первый
посетить в этом сайта и статья является искренне плодотворным в
пользу меня, сохранить размещения эти содержание.
Hi team,
Have a nice day.
2 DataPower appliances are running with same configuration using stand by control concept.
I gave priority is same for both appliances. Now, is it gives any effect in production?
can you provide suitable answer.
appreciate if any one gives answer quickly
Hi team,
I am stuck with an issue.We have 4 Data Powers in DMZ 2DPs in web layer and 2DPs in app layer.
F5 LB——DP1 and DP2——DP3 and DP4—.
We have to route the request from DP1 and DP2 to both data powers DP3 and DP4 .
All the data powers are in active state.
Please help us.
Thanks in advance.
I need to route all the traffic to one datapower only .Second datapower should work only when first one goes down