Looking for an XSL or SOMA script for exporting certificates from a DataPower domain

John Parker posted Mon September 29, 2025 10:10 AM

From time to time I need to set up a new DataPower. The hardest part is usually getting all of the certificates and keys loaded. I was wondering if anyone had an XSL or SOMA script that would export all of the certificates and keys from a DataPower?

Ivan Heninger

To load files onto a DP you can do something like this rest-mgmt:
curl -X PUT \
  -u <username>:<password> \
  -H "Content-Type: application/json" \
  -d '{ "file": { "name": "myFile.txt", "content": "<base64_encoded_file_content>" } }' \
  https://<datapower-ip>:<port>/mgmt/filestore/default/local/myFile.txt

or this xml-mgmt:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <dp:request xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:set-file name="local:///my_file.xml">
        <!-- Base64 encoded content of your file goes here -->
        VGhpcyBpcyB0aGUgY29udGVudCBvZiBteSBmaWxlLg==
      </dp:set-file>
    </dp:request>
  </soapenv:Body>
</soapenv:Envelope>
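
The two upload requests in the post above, built programmatically for a batch of files, as an added example that is not part of the original post or IBM's own code. The function names, the file-name allow-list and the sample bytes are assumptions made here; nothing is sent over the network.

```python
import base64
import json
import xml.etree.ElementTree as ET
import re

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DP_NS = "http://www.datapower.com/schemas/management"
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # assumption: conservative file-name policy


def _check(name):
    # Reject separators and dot-only names so the target stays in the chosen directory.
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"unsafe file name: {name!r}")
    return name


def rest_put(domain, directory, name, data):
    """Return (URL path, JSON body) for the rest-mgmt PUT shown in the post."""
    _check(name)
    body = {"file": {"name": name, "content": base64.b64encode(data).decode("ascii")}}
    return f"/mgmt/filestore/{domain}/{directory}/{name}", json.dumps(body)


def soma_set_file(directory, name, data):
    """Return the xml-mgmt set-file envelope shown in the post, as a string."""
    _check(name)
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("dp", DP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{DP_NS}}}request")
    sf = ET.SubElement(req, f"{{{DP_NS}}}set-file", {"name": f"{directory}:///{name}"})
    sf.text = base64.b64encode(data).decode("ascii")
    return ET.tostring(env, encoding="unicode")


# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE = {"example-ca.pem": b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"}

if __name__ == "__main__":
    for fname, content in SAMPLE.items():
        path, payload = rest_put("default", "local", fname, content)
        print("PUT", path, payload)
        print(soma_set_file("local", fname, content))
```
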

Joseph Morgan IBM Champion

You're not going to be able to export any of the keys unless you put them somewhere in a local:// directory.  Though that works when it comes to crypto, it doesn't protect your keys like when they are in the cert:// directory.

Another problem you might face is, even though you can use a tool like KumbaSoft's DPAA to extract every certificate from every appliance you have in a few clicks, it doesn't necessarily preserve the certificate as it is actually stored within DataPower.  That is, suppose the certificate is in a PFX, P7B, etc., you'll only get the certificates in a PEM/CRT/CER format and not a PFX, P7B, etc. file.

But, when you have certs/keys in files you can access from the local file system (jump server, whatever), @Ivan Heninger has provided a couple of ways to upload a file. 

And now that DataPower has made drag & drop possible, you can get them in pretty quickly compared to the old UI.  Of course, DPAA also supports drag and drop, but into 1, 10, or 100 appliances in one operation!   

Either way, you'll have to have the cert/keys, pfx, p7b, p12 files accessible locally or in some protected jump server.

Ajitabh Sharma

It depends on what form factor of DataPower you are dealing with. If it is a physical appliance, you may find it hardest. SOMA scripts and other equivalent solutions might take you so far. For private keys you have to rely on an external database containing them. Another option is to keep a secure backup and restore it wherever you want.

For a virtual, VM-based appliance, it is a matter of taking a snapshot and storing it wherever you want. As the filesystem is contained, the restore should work just fine.

For a CI/CD-based appliance, it is easiest. Manage your certs and keys in some safe repo and load them into configmaps as required. One configmap can be referred to from many appliance pods, hence there is little need for duplication.

John Parker

Ok, I didn't think there was an easy way to export them off DataPower, but I wanted to ask, just in case I was missing something.

Thanks to everyone for their responses!