DataPower

  • 1.  Using Python paramiko with Datapower SSH

    Posted Tue October 27, 2020 03:42 PM

    Hello,

    I am trying to automate some things that cannot be done with the REST API like creating password map aliases. I decided to try using Python's Paramiko library for the SSH capability. It works perfectly when connecting to a regular Linux server, however when I use it with Datapower I get this error:

    Traceback (most recent call last):
      File "setupDatapowerAppliance.py", line 211, in <module>
        main()
      File "setupDatapowerAppliance.py", line 198, in main
        createSSHConnection(dpHost)
      File "setupDatapowerAppliance.py", line 136, in createSSHConnection
        stdin,stdout,stderr=ssh_client.exec_command('config')
      File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 514, in exec_command
        chan.exec_command(command)
      File "/usr/local/lib/python3.6/site-packages/paramiko/channel.py", line 72, in _check
        return func(self, *args, **kwds)
      File "/usr/local/lib/python3.6/site-packages/paramiko/channel.py", line 257, in exec_command
        self._wait_for_event()
      File "/usr/local/lib/python3.6/site-packages/paramiko/channel.py", line 1226, in _wait_for_event
        raise e

    I have tried multiple command syntaxes but am stuck, and before I use up any more time I'm curious if it's possible this might not work with Datapower's SSH implementation?

    This is my code:

    import logging
    import sys

    import paramiko

    logging.debug("entered createSSHConnection")
    ssh_client = paramiko.SSHClient()
    # AutoAddPolicy accepts any unknown host key without verification
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh_client.connect(hostname=dpAppliance, username=dpUser, password=dpPassword)
    except Exception as e:
        logging.error("Error:" + str(e))
        sys.exit(1)
    # This is the call that raises the exception in the traceback above
    stdin, stdout, stderr = ssh_client.exec_command('config')

    Note that I took the username/password out of the ssh_client.connect string and it still seemed to connect, whereas on a regular Linux server it fails to connect without a user/pass. On Datapower it only fails when I try to execute a command, so I assume I'm not really logged in at all.

    Thanks for any insight!



    #DataPower
    #Support
    #SupportMigration


  • 2.  RE: Using Python paramiko with Datapower SSH

    Posted Tue October 27, 2020 03:51 PM

    Hi Jennifer,

    DataPower doesn't use the SSH protocol authentication mechanism.

    Connect to the DataPower SSH service without a username, then send a line break to get prompted with DataPower's internal login prompt (which is not SSH protocol based but based on the DP internal AAA mechanics).

    Then send the username and password and any CLI commands you like, each separated by a line break.

    To give you an idea of how this approach works in shell scripting, see the sample file attached to https://www.ibm.com/support/pages/node/622241

    I think there has also been an RFE out for several years that asks for SSH key-based login, but that is also not in the product so far.



    #DataPower
    #Support
    #SupportMigration


  • 3.  RE: Using Python paramiko with Datapower SSH

    Posted Wed October 28, 2020 05:40 PM

    Thank you August. I was able to create a shell script to do this task but it was complicated by the fact that the password-map command acts differently depending on if there is an existing password map alias or not.


    For example, when no password map aliases exist, this is the result:


    # password-map

    Please enter alias-name and plaintext passwords pairs


    but if one does exist, this is the result:


    password-map

    A password-map already exists, overwrite? Yes/No [y/n]: n

    Appending to current password map...


    This is very strange behavior, it seems like password maps are linked under the surface (maybe an array?) instead of being individual objects. It was difficult to code for in DP SSH since I had to send all the commands at once. Essentially I had to first invoke password-map command as a check then parse the result to figure out if I needed to send a "create" password-map set of commands or an "append". This is very clunky in shell script but would be easier if Datapower used normal SSH and we could use Python & Paramiko.


    I can post my script if it helps, maybe I am thinking about this in the wrong way but it was the only way I could be sure the script would work whether or not there was a password map in existence. I'm trying to figure out how we will automatically configure Datapower pods in Openshift when that time comes, and creating a password alias for the crypto objects (for SSL) is one of the first hurdles.


    Thanks for any ideas, I'll also look for that RFE.



    #DataPower
    #Support
    #SupportMigration
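
The dialogue described in posts 2 and 3, as an added Python example that is not code from any poster or from IBM: log in at the appliance's own prompt inside the SSH session, then branch on the two `password-map` responses quoted above. `chan` is any object with `sendall()` and `recv()`, such as the channel returned by paramiko's `invoke_shell()`; the login, password and CLI prompt patterns are assumptions, as are all function names.

```python
import re

# The password-map strings are quoted from the thread. The login, password and
# CLI prompt patterns are assumptions: check them against your appliance.
LOGIN_PROMPT = re.compile(r"login:\s*$")            # assumed
PASSWORD_PROMPT = re.compile(r"[Pp]assword:\s*$")   # assumed
CLI_PROMPT = re.compile(r"#\s*$")                   # assumed
MAP_EXISTS = re.compile(r"already exists, overwrite\? Yes/No \[y/n\]:")
MAP_EMPTY = re.compile(r"Please enter alias-name and plaintext passwords pairs")
MAP_APPEND = re.compile(r"Appending to current password map")


def read_until(chan, patterns, max_reads=50):
    """Read until one pattern matches; return its index in `patterns`."""
    buf = ""
    for _ in range(max_reads):
        data = chan.recv(4096)
        if not data:            # channel closed
            break
        buf += data.decode("utf-8", "replace")
        for i, pat in enumerate(patterns):
            if pat.search(buf):
                return i
    # The buffer is deliberately left out of the message: it can hold secrets.
    raise TimeoutError("expected prompt not seen")


def send_line(chan, text):
    chan.sendall((text + "\n").encode())


def login(chan, user, password):
    """Log in at the appliance's own prompt, inside the SSH session."""
    send_line(chan, "")                    # line break brings up the login prompt
    read_until(chan, [LOGIN_PROMPT])
    send_line(chan, user)
    read_until(chan, [PASSWORD_PROMPT])
    send_line(chan, password)
    read_until(chan, [CLI_PROMPT])


def start_password_map(chan):
    """Issue password-map and report whether entries are created or appended."""
    send_line(chan, "password-map")        # caller must already be in the right CLI mode
    if read_until(chan, [MAP_EXISTS, MAP_EMPTY]) == 0:
        send_line(chan, "n")               # decline overwrite; the appliance appends
        read_until(chan, [MAP_APPEND])
        return "append"
    return "create"
```

With a real paramiko channel, set a timeout on it first so that `recv()` cannot block forever when a prompt never arrives.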


  • 4.  RE: Using Python paramiko with Datapower SSH

    Posted Thu October 29, 2020 08:12 AM

    Regarding OCP, I think the idea would be to have the CR/CRD (config etc.) done upfront and persisted in some place, and the instance gets built from that central persisted artifact.

    I use very non-OCP terms here, due to my still too old-school DP mindset.

    The way you word it, it sounds as if you want to bring up the pod first and then update config - not sure if that is best or true in OCP. I feel if you change config in the CR/CRD, it gets reconciled and the pod gets scrapped and a new one spun off with the new config, as far as I understood so far?



    #DataPower
    #Support
    #SupportMigration


  • 5.  RE: Using Python paramiko with Datapower SSH

    Posted Thu March 04, 2021 07:52 AM

    Hi Jennifer, would you mind sharing how you did this task using paramiko? Did you run any extra exec_command() calls for the DP authentication on the shell? I am also trying to automate some of the DP work in Python and just ran into the same problem here. Thank you in advance for your help!



    #DataPower
    #Support
    #SupportMigration


  • 6.  RE: Using Python paramiko with Datapower SSH

    Posted Fri April 16, 2021 02:33 PM

    Hi Taylor,


    I did not get it working with Paramiko. As a side note, CyberArk also has trouble logging into Datapower appliances for the same reason. I tried to have our InfoSec team use CyberArk to automatically rotate the Datapower admin passwords but they couldn't get it working.


    I did make a shell script but due to the way password aliases are stored in an array it was difficult to make the script bulletproof enough for my taste using shell scripting. I can try to find it and email it to you if you are interested.



    #DataPower
    #Support
    #SupportMigration


  • 7.  RE: Using Python paramiko with Datapower SSH

    Posted Mon April 19, 2021 08:46 AM

    Hi Jennifer, I just found out that there might be some hope on the horizon.

    DataPower's new March 2021 10.0.2.0 Continuous Delivery (CD) stream seems to introduce real SSH password or cert based login to CLI options! See https://www.ibm.com/docs/en/datapower-gateways/10.0.x?topic=management-defining-ssh-authentication-cli-sessions

    Consider evaluating it!


    P.S.: Please note that CD streams are pretty volatile requiring a fast upgrade cadence so are not necessarily something you can start using in every production environment directly, but might need to wait a bit longer until baked into a future LTS release. Nevertheless it might provide some hope and chance to evaluate already now.



    #DataPower
    #Support
    #SupportMigration