Use cases of the DomainZipFile file for different levels of security in patterns.
The DomainZipFile.zip file can be used in the Basic Runtime, Basic Runtime Sample, and Advanced Runtime patterns.
SSL is not required to connect the pattern script packages to the DataPower® appliance. If you do not use SSL, you do not have to create a DomainZipFile.zip file, unless you require a cli script to customize the DataPower domain created by the pattern. Without SSL, and without server authentication as a minimum, the connection is not encrypted: the scripting client sends the DataPower user name and password to the appliance over a plain http connection, where anyone on the network path can read them. That is a security risk. With SSL, the connection is protected by the certificates carried in the DomainZipFile.zip file.
If the DataPower host is not configured to validate the client certificate, you do not have to use Mutual Authentication between the script client and the DataPower appliance. It is recommended that you use Server Authentication at a minimum.
The case scenarios in this topic describe different levels of security.
Scenario 1: no SSL. For the security reasons outlined above, use this option only in development scenarios. If you do not want to use any SSL:
1. Set the SCP_host parameter to Unset. If you are using the Basic Runtime or Advanced Runtime patterns, SCP_host is in the SOA Policy Gateway 2.0.0.0 - Security Package script. If you are using the Basic Runtime Sample pattern, SCP_host is in the SOA Policy Gateway 2.0.0.0 script. This tells the script in the pattern not to retrieve the DomainZipFile.zip file using SCP.
2. In the same script packages as in step 1, set the remaining SSL parameters to Unset.
A DomainZipFile.zip file is not required in this scenario.
Scenario 2: no SSL, with a cli script. For the security reasons outlined above, use this option only in development scenarios; the cli script and the DataPower user name and password travel over an unencrypted http connection. If you do not want to use SSL but require a cli script:
1. Set the SCP_host parameter to Unset. If you are using the Basic Runtime or Advanced Runtime patterns, SCP_host is in the SOA Policy Gateway 2.0.0.0 - Security Package script. If you are using the Basic Runtime Sample pattern, SCP_host is in the SOA Policy Gateway 2.0.0.0 script. This tells the script in the pattern not to retrieve the DomainZipFile.zip file using SCP.
2. In the same script packages as in step 1, set the remaining SSL parameters to Unset.
3. You do not otherwise require a DomainZipFile.zip file; here it exists only to carry the cli script, which runs in the Basic Runtime and Advanced Runtime patterns. Put the cli script file you want to use in the root of the DomainZipFile.zip file. An example structure of the DomainZipFile.zip file is as follows:
/cli.cli
This file is run at the end of the DataPower Domain script package. cli.cli is an example file name. The file name must not contain any spaces.
Scenario 3: server authentication. This is the recommended minimum; the scripting client verifies the appliance's certificate before it sends the user name and password.
1. Examine the SSL Proxy Profile for the XML Management Interface and locate its Crypto Profile. The Crypto Profile contains the Identification Credentials, which reference the certificates used to protect the XML Management Interface.
2. Add these certificates to the DomainZipFile.zip file.
3. In the same script packages that contain the SCP_host parameter, set Unset as the value of the SSL parameters that this scenario does not use.
4. Optional: if a cli script is required (Basic Runtime or Advanced Runtime patterns only), put the cli script file you want to use in the root of the DomainZipFile.zip file. An example structure of the DomainZipFile.zip file is as follows:
/cli.cli
This file is run at the end of the DataPower Domain script package. cli.cli is an example file name. The file name must not contain any spaces.
Scenario 4: mutual authentication. Use this when the DataPower host is configured to validate the client certificate.
1. Add the certificates from the Crypto Profile of the XML Management Interface, as in the server authentication scenario, together with the client certificate and client key file, to the DomainZipFile.zip file.
2. The client certificate and client key files may contain other data before the line that reads -----BEGIN CERTIFICATE----- (or the corresponding BEGIN line of the key file); such leading data is tolerated. The curl commands used by the script packages assume that the file type is .pem, so --cert-type and --key-type are left at their default value of PEM. Material in another encoding, for example DER, must be converted to PEM before it is added.
3. Optional: if a cli script is required, using the Basic Runtime or Advanced Runtime patterns, put the cli script file you want to use in the root of the DomainZipFile.zip file. An example structure of the DomainZipFile.zip file is as follows:
/cli.cli
This file is run at the end of the DataPower Domain script package. cli.cli is an example file name. The file name must not contain any spaces.
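As an added example, not code from the SOA Policy Gateway patterns or from IBM, the following Python script builds a DomainZipFile.zip for each of the scenarios above and checks it against the rules on this page: every file at the zip root, no spaces in the cli script name, PEM certificate and key files (text before the BEGIN line is tolerated), and the certificate material each level needs. The file names (cli.cli, xmlmgmt.pem, client.pem, client.key), the curl option mapping in curl_tls_args, and the PEM contents are this example's assumptions: the PEM bodies are constructed placeholders, not real keys or certificates, and the page does not say how file names map to the script package parameters.

```python
import io
import re
import zipfile

BEGIN_CERT = b"-----BEGIN CERTIFICATE-----"
BEGIN_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
LEVELS = ("none", "server", "mutual")

# Constructed placeholder PEM files for this example; the base64 bodies are not
# real certificates or keys. The "Bag Attributes" lines before the BEGIN line
# mimic what openssl pkcs12 prints and are tolerated, as the page describes.
SAMPLE_SERVER_CERT = (b"Bag Attributes\n    friendlyName: xml-mgmt\n" + BEGIN_CERT
                      + b"\nMIIBsjCCAVugAwIBAgIJAPlaceholder==\n-----END CERTIFICATE-----\n")
SAMPLE_CLIENT_CERT = BEGIN_CERT + b"\nMIIBszCCAVygAwIBAgIJAPlaceholder==\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAplaceholder==\n"
                     b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_CLI = b"# hypothetical DataPower CLI commands, run at the end of the domain script\n"


def build_domain_zip(level, cli_script=None, server_certs=(), client_cert=None, client_key=None):
    """Return DomainZipFile.zip as bytes with every file at the zip root.

    cli_script, client_cert and client_key are (name, bytes) pairs and
    server_certs is a sequence of them; the names are this example's assumptions.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown security level {level!r}")
    if level == "mutual" and not (client_cert and client_key):
        raise ValueError("mutual authentication needs a client certificate and key")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if cli_script is not None:
            zf.writestr(*cli_script)              # cli script sits at the root
        if level in ("server", "mutual"):
            for name, data in server_certs:       # XML Management Interface certificates
                zf.writestr(name, data)
        if level == "mutual":
            zf.writestr(*client_cert)
            zf.writestr(*client_key)
    return buf.getvalue()


def validate_domain_zip(zip_bytes, level):
    """Return a list of problems; an empty list means the package fits `level`."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = {info.filename: zf.read(info.filename) for info in zf.infolist()}
    for name, data in entries.items():
        if "/" in name or "\\" in name:
            problems.append(f"{name}: must be at the zip root, not inside a folder")
        if name.endswith(".cli") and " " in name:
            problems.append(f"{name}: cli script name must not contain spaces")
        looks_like_pem = name.endswith((".pem", ".crt", ".cer", ".key"))
        # Leading text before the BEGIN line is fine; a missing BEGIN line (e.g. DER) is not,
        # because the script packages' curl calls default --cert-type/--key-type to PEM.
        if looks_like_pem and BEGIN_CERT not in data and not BEGIN_KEY.search(data):
            problems.append(f"{name}: no PEM BEGIN line; curl expects PEM by default")
    certs = [n for n, d in entries.items() if BEGIN_CERT in d]
    keys = [n for n, d in entries.items() if BEGIN_KEY.search(d)]
    if level == "none" and (certs or keys):
        problems.append("SSL is not in use, so the packaged certificate/key material is never used")
    if level in ("server", "mutual") and not certs:
        problems.append("server authentication needs the XML Management Interface certificate(s)")
    if level == "mutual":
        if len(certs) < 2:   # at least one server-side and one client-side certificate
            problems.append("mutual authentication needs a client certificate as well as the server certificate(s)")
        if not keys:
            problems.append("mutual authentication needs the client private key")
    return problems


def curl_tls_args(level, cacert="xmlmgmt.pem", client_cert="client.pem", client_key="client.key"):
    """Standard curl options that correspond to each level (file names assumed).

    The page only says the script packages' curl calls default --cert-type and
    --key-type to PEM; the exact options those scripts pass are not shown.
    """
    if level == "none":
        return []                                  # plain http: credentials cross the wire in cleartext
    args = ["--cacert", cacert]                    # server authentication: verify the appliance certificate
    if level == "mutual":
        args += ["--cert", client_cert, "--cert-type", "PEM",
                 "--key", client_key, "--key-type", "PEM"]
    return args


if __name__ == "__main__":
    for level in LEVELS:
        z = build_domain_zip(level, cli_script=("cli.cli", SAMPLE_CLI),
                             server_certs=[("xmlmgmt.pem", SAMPLE_SERVER_CERT)],
                             client_cert=("client.pem", SAMPLE_CLIENT_CERT),
                             client_key=("client.key", SAMPLE_CLIENT_KEY))
        names = sorted(zipfile.ZipFile(io.BytesIO(z)).namelist())
        print(level, names, validate_domain_zip(z, level) or "ok", curl_tls_args(level))
```

Run the script to see the three packages side by side; validate_domain_zip is the check to run before you upload a hand-built DomainZipFile.zip, since a DER-encoded certificate or a cli file in a subfolder fails only later, inside the pattern's script package.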