Cisco ACE XML Gateway Migration Guide by Layer7Tech

									Version 1.0




Cisco ACE XML Gateway
(AXG) to Layer 7 Gateway
Migration Guide




Copyright © 2005-2011 Layer 7 Technologies Inc.

The Layer 7 Installation and Maintenance Manuals, the Layer 7 Policy Manager User Manual, the
Layer 7 Policy Authoring User Manual, the SecureSpan™ XML VPN Client User Manual, and the Layer 7
Enterprise Service Manager User Manual are the copyright of Layer 7 Technologies Inc. All rights
reserved.

SecureSpan and CloudSpan are trademarks of Layer 7 Technologies Inc. (registration pending), and are
protected by law in Canada, the United States, and other countries.

All other trademarks and tradenames belong to their respective owners.
Layer 7 Technologies Inc. reserves the right to change the information in this Manual without notice.
The content in this Manual is confidential. No part of this Manual may be copied, transmitted, or saved
for non-personal purposes without the written permission of Layer 7 Technologies Inc.
Contents
     List of Figures
     List of Tables
     Chapter One: Introduction
          Background
          About Layer 7 Technologies
          Why Layer 7?
     Chapter Two: Mapping AXG Handlers, Routes, and Service Descriptors
          Introduction
               Understanding Published Services
               Understanding Policies
          Creating a Virtual Service
          Request Message Specification
          Transformation Extensions
          Response Message Specification
     Chapter Three: Identity and Access Control
     Chapter Four: Using the AXG to L7 Migration Utility
          Technical Overview
               Dependencies
          Installing the Migration Utility
               Preparation
          Using the Migration Utility
               Using a Browser
               Using the Command Line
          Migration Utility Specifics
          Sample Policy After Migration
     Chapter Five: Migration Methodology
               Step 1: Capture requirements
               Step 2: Deploy the Layer 7 Gateway
               Step 3: Install the AXG migration utility
               Step 4: Export target AXG configuration
               Step 5: Run the Migration Utility with the AXG export
               Step 6: Review services created
               Step 7: Test
               Step 8: Migrate to production
               Step 9: Monitor and report
     Chapter Six: Additional Information
          Contacting Layer 7 Technologies
          Other Layer 7 Resources
               User Documentation
               Support Portal
               Solutions Architects
               Professional Services
               Sample Policies
     Index



List of Figures
           Figure 1: Types of services you can publish
           Figure 2: Allowing requests for operations not in the WSDL
           Figure 3: Setting a custom resolution path
           Figure 4: Associating a port with a specific service
           Figure 5: Manage Global Resources dialog
           Figure 6: Compare Expression assertion
           Figure 7: Apply XSL Transformation assertion
           Figure 8: Route via HTTP(S) assertion
           Figure 9: Using the Access Control assertions
           Figure 10: Accessing the migration utility from a browser
           Figure 11: Authenticating a user
           Figure 12: Cisco AXG configuration export
           Figure 13: Migration results
           Figure 14: Reviewing global resources
           Figure 15: Using the cURL command
           Figure 16: Review migration results (command line)
           Figure 17: Sample policy after migration




List of Tables
           Table 1: Contacting Layer 7 Technologies
           Table 2: Layer 7 Documentation

Cisco AXG Gateway to Layer 7 Gateway Migration Guide, v1.0




                                                                               Chapter One:
                                                                                Introduction

Background
                            On August 1, 2010, Cisco announced the end-of-sale and end-of-life dates for the
                            Cisco ACE XML Gateway:
                            http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7314/end_of_life_c51_609816.html

                            A couple of important dates to note:
                            •   As of January 30, 2011, the Cisco ACE XML Gateway is no longer for sale from
                                Cisco.

                            •   Cisco will no longer provide maintenance releases or bug fixes after January 30,
                                2012.

                            Additional details and other important dates are available from Cisco at the link
                            above.


About Layer 7 Technologies
                            Layer 7 is a leading provider of API security and governance for SOA, web- and cloud-
                            oriented integration. The Layer 7 SecureSpan Gateway helps organizations control
                            how they expose their data and applications to other divisions, partners, third-party
                            developers and cloud services. Layer 7 customers include leading companies in the
                            insurance, banking and telecom industries, as well as large public sector
                            organizations.


Why Layer 7?
                            Layer 7 offers a proven migration path for existing users of the Cisco ACE XML
                            Gateway. We have helped many customers move their Cisco policies to the fully-
                            supported, industry-leading Layer 7 SecureSpan Gateway. The Layer 7 solution
                            enables customers to:

                            •   Choose the form factor that is best suited to their deployment environment

                                •   The Layer 7 SecureSpan Gateway is available in multiple form factors:
                                    hardware appliance, software, virtualized appliance (VMWare, Amazon
                                    Machine Image, Xen, etc.)








    •   Quickly create and more easily maintain new policies

        •   The Layer 7 SecureSpan Gateway includes a Policy Manager that provides a
            drag-and-drop editor to compose and maintain policies to shared services.

        •   These policies serve to:

            •   Establish trust and identity sources with existing infrastructure
            •   Implement authentication & authorization

            •   Ensure message confidentiality and data integrity

            •   Enforce SLA conformance and service availability
            •   And much more …

        •   The Layer 7 SecureSpan Gateway supports a wide variety of built-in policy
            assertions, as well as an extensible custom assertion API, to handle any
            policy requirement that an organization may have.

    •   Migrate policies according to their own project schedules

        •   The Layer 7 SecureSpan Gateway can be deployed alongside existing Cisco
            ACE XML Gateways allowing customers to gradually migrate policies, thereby
            minimizing any disruptions to services.








                                          Chapter Two:
                         Mapping AXG Handlers, Routes,
                               and Service Descriptors

Introduction
                        This chapter describes how AXG concepts such as virtual services, handlers, routes,
                        and service descriptors map to the Layer 7 Gateway solution. The following are two
                        fundamental Gateway equivalents:

                        •    published services

                        •    policies


                        Understanding Published Services
                        In the Layer 7 Gateway, a published service is similar to a virtual service in the AXG. A
                        published service contains properties that are used by the Gateway at runtime to
                        determine which service an incoming message should use. A key property of a
                        published service is a policy. Each published service can have only one policy, but a
                        policy can include other policies.


                        Understanding Policies
                        The Layer 7 Gateway is a Policy Enforcement Point. At runtime, the Layer 7 Gateway
                        receives messages and applies applicable policies as it processes the messages. A
                        Layer 7 Gateway policy contains policy assertions that are organized in a logical tree
                        structure that is evaluated sequentially based on the outcome of previous assertions.
                        The Layer 7 Policy Manager provides a graphical environment to make policy
                        construction as easy as drag-and-drop. But at their core, policies are simply XML files
                        that you can share, export, import, or manipulate programmatically.

                        Layer 7 policies define the behaviour to be used for message validation, access
                        control, routing, transformation, rate limiting, encryption, signatures, and any other
                        aspect of runtime message processing.

                        There are five types of policies:
                        •    Service Policy: This is the main policy associated with a published service. Each
                             published service has one and only one service policy. For more information, see
                             Working with Service Policies in the Layer 7 Policy Authoring User Manual.
                        •    Policy Fragment: This is a policy that can be inserted into other policies in any
                             published service. A policy fragment can be thought of as a boilerplate to save
                             time and help maintain consistency when authoring a policy. For more
                             information, see Working with Policy Fragments in the Layer 7 Policy Authoring
                             User Manual.

           •   Global Policy: These are policies that are always run before or after every service
               policy. They can be used to configure global behaviours such as auditing or
               logging. Similar to policy fragments, global policies can help ensure consistency
               and reduce errors. For more information, see Working with Global Policies in the
               Layer 7 Policy Authoring User Manual.
           •   Audit Sink Policy: This is a special policy that can be configured to direct audit
               messages to an external database, message queue, or other location. It is
               created by enabling the audit sink. For more information, see Working with the
               Audit Sink Policy in the Layer 7 Policy Manager User Manual.

           •   Internal Use Policies: These are special preconfigured policies, each designed for a
               special purpose. Currently, there are three prepackaged internal use policies. For more
               information, see Working with Internal Use Policies in the Layer 7 Policy
               Authoring User Manual.


Creating a Virtual Service
           The Layer 7 Gateway distinguishes between two types of published services:

           •   SOAP Web Services

           •   REST, Web API, or Other Services.

           The main distinction between these two types of services is that the first one has a
           WSDL property while the second does not. The WSDL document associated with a
           SOAP Web Service is used for message classification at runtime and to return WSDL
           documents to front-end requestors. Note that the Layer 7 Gateway can still process
           SOAP messages from a published service of type REST, Web API, or Other Service.








                        Figure 1: Types of services you can publish

                        As AXG does not easily process existing WSDLs when creating virtual services, it is
                        common for AXG users to create a virtual service for a SOAP service but without using
                        the WSDL of that service. To achieve the same approach in the Layer 7 Gateway, you
                        can use either Publish REST, Web API or Other Service or Create WSDL, then
                        complete the wizard without providing WSDL elements. This will leave you with a
                        “placeholder” WSDL associated with the published service. To prevent resolution
                        failures caused by this placeholder WSDL, ensure that the [Allow requests intended
                        for operations not supported by the WSDL] check box is selected in the service
                        properties:




                        Figure 2: Allowing requests for operations not in the WSDL








    The exposed local path of a virtual service is specified in the service properties in the
    Custom resolution path field as shown in Figure 3. Note that you can assign
    resolution paths that include the ‘*’ wildcard character to allow one service to be
    resolved for a number of different entry point URIs. This is especially relevant to REST
    services but can also be useful in grouping together SOAP entry points in one virtual
    service that should be processed using similar rules. These are examples of valid
    custom resolution paths:

        /servicename/*
        /*/something




    Figure 3: Setting a custom resolution path

    The resolution path is only one of the criteria used by the classification process to
    determine which virtual service to use for an incoming message. The Gateway also
    uses the following to resolve the service:

    •   service OID

    •   URI (e.g., custom resolution path)

    •   SOAPAction

    •   SOAP payload namespace

    If more than one service has an identical combination of these four criteria, then a
    resolution conflict occurs. This classification behaviour is customizable.

    •   To learn more about the classification logic used by the Gateway, please refer to
        Understanding the Service Resolution Process in the Layer 7 Installation and
        Maintenance Manual.

    •   To learn how to customize the classification logic, refer to Managing Service
        Resolution in the Layer 7 Policy Manager User Manual.
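
A pre-migration check for the resolution conflict described above, as an added example (not part of the Layer 7 guide or product code): it groups planned services by resolution path, SOAPAction and SOAP payload namespace, and lists which wildcard paths match a given URI. The service names, SOAPAction values and namespaces are constructed, the service OID is left out of the model, and treating '*' as matching any run of characters is an assumption about the wildcard.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class PlannedService(NamedTuple):
    """One published service as planned for the target Gateway (hypothetical model)."""
    name: str                         # label used only in this report
    resolution_path: str              # custom resolution path, may contain '*'
    soap_action: Optional[str]        # None when the service declares no SOAPAction
    payload_namespace: Optional[str]  # None when no SOAP payload namespace applies


# Constructed sample inventory; the two paths are the examples given in the guide.
SAMPLE_SERVICES = [
    PlannedService("orders-soap", "/servicename/*", "urn:getOrder", "http://example.com/orders"),
    PlannedService("orders-soap-copy", "/servicename/*", "urn:getOrder", "http://example.com/orders"),
    PlannedService("orders-rest", "/servicename/*", None, None),
    PlannedService("catch-something", "/*/something", None, None),
]

Criteria = Tuple[str, Optional[str], Optional[str]]


def find_resolution_conflicts(services) -> Dict[Criteria, List[str]]:
    """Return every criteria combination that is shared by more than one service."""
    groups = defaultdict(list)
    for svc in services:
        key = (svc.resolution_path, svc.soap_action, svc.payload_namespace)
        groups[key].append(svc.name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def path_matches(resolution_path: str, uri: str) -> bool:
    """Match a URI against a resolution path.

    Assumption: '*' stands for any run of characters; every other character
    is literal. The Gateway's own matching rules may differ.
    """
    pattern = ".*".join(re.escape(part) for part in resolution_path.split("*"))
    return re.fullmatch(pattern, uri) is not None


def services_matching_uri(services, uri: str) -> List[str]:
    """List services whose resolution path matches the URI, for manual review.

    Several matches are not a conflict by the guide's definition; they show
    where one entry point is reachable through more than one wildcard path.
    """
    return [svc.name for svc in services if path_matches(svc.resolution_path, uri)]


if __name__ == "__main__":
    for criteria, names in find_resolution_conflicts(SAMPLE_SERVICES).items():
        print("identical criteria:", criteria, "->", names)
    for uri in ("/servicename/something", "/other/something"):
        print(uri, "->", services_matching_uri(SAMPLE_SERVICES, uri))
```
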
    Note that the port that a service receives requests on is not a property of the service
    itself. Instead, ports are globally declared at the Gateway level. If a port is configured
    to receive service message traffic, all published services on the Gateway have the
    ability to receive messages from this port by default. You can change this default
    behaviour in two ways:








                        In the [Advanced] tab of the Listen Port Properties, you can create a fixed association
                        between the port and a specific service.




                        Figure 4: Associating a port with a specific service

                        In the service policy, you can validate which port the request came from and enforce
                        that a specific port be used. This lets you restrict the use of a specific service from
                        one or many ports without reserving a port to a single service.

                        For more information on publishing virtual services using the Layer 7 Policy Manager,
                        see Chapter 5, “Working with Services” in the Layer 7 Policy Manager User Manual.


Request Message Specification
                        How a request message is validated by the Layer 7 Gateway is determined by the
                        policy associated with the service. If a WSDL document is associated with the
                        service, then validations for SOAP version, SOAPAction, and SOAP body message
                        name and URI are performed automatically. If no WSDL document is associated with
                        a service or if additional validations are required, you can add the appropriate
                        validation assertions using the Layer 7 Policy Manager.

                        For example, to validate a request against an XML Schema, use the Validate XML
                        Schema assertion and set the target message to “Request”. XML Schemas that have
                        dependencies can be imported from a file or URL, and their dependencies are
                        automatically imported into the global resources table of the Layer 7 Gateway. The
                        links between those global resources are automatically resolved and can be viewed
                        using the Manage Global Resources task in the Policy Manager.








    Figure 5: Manage Global Resources dialog

    You can also use context variables to validate properties of the incoming request. For
    example, to validate that the SOAPAction HTTP header of the incoming request has a
    specific value, you can use the variable ${request.http.header.soapaction} in the
    Compare Expression assertion as illustrated below.




    Figure 6: Compare Expression assertion

    In Figure 6, “MySOAPAction” is the SOAPAction header value that is being validated
    against the incoming request. Consult the Layer 7 Policy Authoring Manual for
    additional information on validating any aspect of requests and responses.








Transformation Extensions
                        Transformation extensions on both request and response messages are achieved in
                        policy. For example, to transform a request message, you would add the Apply XSL
                        Transformation assertion, specify the XSL transformation to apply, and then
                        associate it with the request. The same can be done to a response message by
                        adding the assertion after a routing assertion (executing the routing assertion
                        normally populates the response context).




                        Figure 7: Apply XSL Transformation assertion


Response Message Specification
                        Interaction with the endpoint of a backend service is also described in policy through
                        one of the routing assertions. You use a routing assertion to send a message to that
                        endpoint (typically the incoming request message) and optionally receive a response
                        message from that endpoint. For example, for a backend HTTP-based service, you
                        would use the Route via HTTP(S) assertion. In the assertion properties, you will define
                        the backend target to communicate with: URL, timeout values, last mile security,
                        injection of additional HTTP headers, etc. You can also specify multiple endpoints in
                        the properties and set the Gateway to load-balance between those backend
                        endpoints.








     Figure 8: Route via HTTP(S) assertion

     Once this assertion is executed, the transaction context has a response and you can
     add validations to the response messages (for example, using the Validate XML
     Schema assertion). All assertions located below the routing assertion in a policy will
     have access to the response message for validation purposes.








                                                   Chapter Three:
                                      Identity and Access Control

                          The Layer 7 Gateway is configured with one or more identity providers that can be
                          used to control access to services based on the requestor’s identity. The built-in
                          Internal Identity Provider (IIP) can be used to manage information about identities
                          such as shared secrets, certificates and attributes.

                          In addition to the IIP, you can use the Layer 7 Policy Manager to configure external
                          identity providers using LDAP and PKI. For more information, refer to the following
                          topics in the Layer 7 Policy Manager User Manual:

                              LDAP Identity Providers
                              Federated Identity Providers

                          Also available from Layer 7 are custom plug-in modules for proprietary Identity and
                          Access Management solutions such as Oracle Access Manager, CA/Netegrity
                          SiteMinder, OpenSSO, and more. For more information on these, please contact
                          Layer 7.

                          To control access to a service or service operation, use the assertions from the
                          Access Control category of the Policy Manager. These assertions allow you to specify
                          the access control mechanism and the identity provider to use, test group
                          memberships, test identity attributes, etc. You can combine these assertions
                          to achieve specific behaviours based on different identity attributes as illustrated
                          below.




                          Figure 9: Using the Access Control assertions

                          For more information, see Chapter 4, “Access Control Assertions” in the Layer 7
                          Policy Authoring User Manual.








                                    Chapter Four:
              Using the AXG to L7 Migration Utility

                          Layer 7's Cisco AXG Migration Utility can automate part of the migration of a Cisco
                          AXG configuration to the Layer 7 Gateway. Some manual configuration of the Gateway
                          will still be necessary after running the utility.

                          The Cisco AXG Migration Utility can be customized to meet a broad range of customer
                          needs. Please contact Professional Services at Layer 7 Technologies to discuss your
                          specific Cisco AXG configuration and migration requirements.


Technical Overview
                          The migration utility is deployed as a service on the Gateway, with a migration policy
                          that is imported to the service. The policy publishes a web form that can be used to
                          upload an export of Cisco AXG configuration to the service. Exports can also be
                          posted to the service from the command line (e.g., using cURL, or a similar command
                          line utility). The policy parses the uploaded export and uses the Gateway
                          Management Service to create Gateway service proxies for each Cisco AXG virtual
                          service (i.e., a handler and one or more related service descriptors) contained in the
                          export. The policy also imports any XML schemas contained in the Cisco AXG export
                          to the Gateway’s global resource repository.

                          The Gateway service proxies that are created will have active policies that include
                          functional policy assertions that directly support Cisco AXG capabilities configured in
                          the export. The policies will also include informational comments that describe the
                          migrated virtual services and actionable comments that describe configuration that
                          may still need to be done.

                          Dependencies
                          The migration utility requires the For Each Loop modular assertion, which is available
                          from Layer 7 Technical Support.


Installing the Migration Utility
                          1. Contact Layer 7 Technical Support for the For Each Loop modular assertion and
                             Cisco AXG Migration Utility. This can be done via email: support@layer7tech.com.
                          2. Deploy the For Each Loop modular assertion to the target Gateway.

                               a.   Use SFTP to move the For Each Loop assertion to the target Gateway as the
                                    ssgconfig user.








         b.   Using a privileged shell, copy the For Each Loop assertion from the
              /home/ssgconfig directory to the /opt/SecureSpan/Gateway/runtime
              /modules/assertions directory. For more information on the privileged shell,
              see Using the Privileged Shell in the Layer 7 Installation and Maintenance
              Manual.
         c.   Change the ownership of the For Each Loop assertion in the assertions
              directory with this command:
              chown layer7.layer7 *

         d.   Restart the Gateway process with this command:
              service ssg restart

     3. Publish the Gateway Management Service on the target SSG.

         a.   Connect to the target Gateway using the Layer 7 Policy Manager.

         b.   Start the Publish Internal Service Wizard. For information on the different
              ways to start this wizard, see Publish Internal Service Wizard in the Layer 7
              Policy Manager User Manual.
         c.   Choose Gateway Management Service from the drop-down list and then click
              [Finish].

     4. Publish a REST service on the target Gateway.

         a.   Start the Publish REST, Web API, or Other Service Wizard. For information on
              the different ways to start this wizard, see Publish REST, Web API, or Other
              Service Wizard in the Layer 7 Policy Manager User Manual.
         b.   In the Service Name field, enter AXG Migration.

         c.   In the Gateway URL field, enter axg/migration.

         d.   Click [Finish] to close the wizard.
     5. Import the Cisco AXG Migration Utility policy to the published REST service.

         a.   On the Policy Editor toolbar, click                .

         b.   Navigate to the Cisco AXG Migration Utility policy that you received from
              Layer 7 Technical Support.

         c.   On the Policy Editor toolbar, click                     .


     Preparation
     In preparation for using Layer 7's Cisco AXG Migration Utility, you should export and
     uncompress your Cisco AXG configuration. The current version of the utility was
     tested against exports of entire Cisco AXG sub-policies containing multiple handler
     groups and handlers.

     Note: Do not select the option to export configuration as WS-Policy.







                          When exporting Cisco AXG configuration, a file with a .ppf extension is created. This is
                          a compressed file that contains XML. This file must be uncompressed using an
                          industry standard compression utility (for example, 7-Zip).


Using the Migration Utility
                          The Cisco AXG Migration Utility can be run from either a web browser or from a
                          command line.


                          Using a Browser
                          1. In the browser, navigate to your migration service on the target Gateway.




                               Figure 10: Accessing the migration utility from a browser

                          2. Provide basic authorization credentials for an administrative user in the target
                             Gateway’s Internal Identity Provider.




                               Figure 11: Authenticating a user

                          3. Browse for the uncompressed Cisco AXG configuration export prepared above.




                               Figure 12: Cisco AXG configuration export








     4. Click [Submit] and review the migration results:




         Figure 13: Migration results

     5. Review the service proxies and associated policies that were created by the migration
        (click           on the toolbar, if necessary).




     6. Review the global XML schema resources that were imported by the migration,
        using the Manage Global Resources task. For details, see Managing Global
        Resources in the Layer 7 Policy Authoring User Manual.








                               Figure 14: Reviewing global resources


                          Using the Command Line
                          1. Open a command shell (for example, the Privileged Shell from the Gateway main
                             menu—see Using the Privileged Shell in the Layer 7 Installation and Maintenance
                             Manual).

                          2. Navigate to the directory containing the uncompressed Cisco AXG configuration
                             export prepared above.

                          3. Using cURL (or a similar command line utility), execute the following command
                             (or a similar command):
                               curl -k -u admin:7layer --data-binary @sample_export.xml \
                                 -H "Content-Type: text/xml" \
                                 https://dev.l7tech.com:8443/axg/migration > results.html




                               Figure 15: Using the cURL command

                          4. Review the migration results (redirected to results.html by the above command).




                               Figure 16: Review migration results (command line)







           5. Review the service proxies and associated policies that were created by the migration
              (click           on the toolbar, if necessary).

           6. Review the global XML schema resources that were imported by the migration,
              using the Manage Global Resources task. For details, see Managing Global
              Resources in the Layer 7 Policy Authoring User Manual.


Migration Utility Specifics
           The following is a detailed description of what the Cisco AXG Migration Utility will do:

           1. Extract and load each XML schema found in the Cisco AXG export to the
              Gateway’s global resource repository.
               •   The source URL (a.k.a. System ID) will be set to: axg/<AXG XSD bundle
                   name>/<AXG original file name>/<index position in AXG XSD bundle>

               Note: The Layer 7 Gateway expects that every global XML schema
               resource has a unique target namespace. If the Cisco AXG export
               contains redundant XML schemas, you will need to manually resolve
               target namespace conflicts using the Manage Global Resources task
               after migration is complete. Alternatively, you may contact Layer 7 to
               customize the migration utility to only import one XML schema for a
               given target namespace.

           2. Create a SOAP or REST proxy for each handler found in the Cisco AXG export
              using these settings:
               •   Name set to: axg_<AXG handler name>

               •   Proxy disabled

               •   URI set to: <AXG handler transport URI>

               •   Allowed HTTP methods set to: <AXG handler transport method>

               •   For a SOAP proxy, the WSDL is set to a default WSDL as a placeholder for
                   when an actual WSDL is made available for the service

               •   For a SOAP proxy, the option to allow requests intended for operations not
                   supported by the WSDL is selected

               •   For a SOAP proxy, the SOAP version is set to: <AXG handler transport SOAP
                   version>

               Note: Many Cisco AXG environments contain a handler for each distinct
               operation of a service. By comparison, the Layer 7 Gateway normally
               creates one proxy and conditional policy for all operations of a service.
               When replacing Cisco AXG, it is recommended that you consider
               collapsing the many proxies per handler that are created by the
               migration utility to fewer proxies per service.








                          3. Create an active policy for each proxy.

                               a.   Informational comments will be added for:
                                    •     AXG handler's sub-policy

                                    •     AXG handler's group

                                    •     AXG handler's name

                                    •     AXG handler's default service descriptor's name

                                    •     Whether the AXG handler has branched routing to multiple service
                                          descriptors (i.e., dynamic routing)
                               b.   Actionable comments (i.e., TODO comments) will be added for:

                                    •     AXG handler's default log level

                                    •     Name of any access provisions attached to the AXG handler

                                    •     Whether inbound request and/or outbound response schema validation
                                          exists

                                    •     Whether dynamic routing exists
                                    •     Whether dynamic route selectors must be configured

                                    •     Whether dynamic route stop processing assertions must be removed

                                    •     Whether HTTP route passwords must be set
                               c.   If the AXG handler is set to log request messages on error:

                                     i.    An Audit Messages in Policy assertion is added to the beginning of the
                                           policy (after comments):
                                              •   Audit level is set to WARNING

                                              •   Save request = Always

                                    ii.    An Audit Messages in Policy assertion will be added to the end of the
                                           policy:

                                              •   Audit level is set to INFO

                                              •   Save request = Never
                               d.   For a SOAP proxy, policy assertions will be added to check the SOAP version
                                    of the request.

                                    Note: Once a valid WSDL has been added to the SOAP proxy, these
                                    verifications are done automatically and this part of the policy is no
                                    longer necessary.

                               e.   For a SOAP proxy, policy assertions will be added to check the SOAP action of
                                    the request.








          Note: Once a valid WSDL has been added to the SOAP proxy, these
          verifications are done automatically and this part of the policy is no
          longer necessary.

     f.   If the AXG handler is configured to perform XML schema validation of the
          inbound request:

                i.      Informational comments will be added for:

                        •   The name of the element to be schema validated (normally the
                            root element of the message body).

                        •   The namespace of the element.

                        •   The name of the AXG XSD bundle resource containing the root
                            schema and dependencies.

                        •   The original file name of the AXG root schema.

          ii.        A Validate XML Schema assertion will be added:
                        •   Targeting the request message

                        •   Configured to select the previously uploaded root schema from
                            the Gateway’s global resource repository.

          Note: The migration utility does not currently check for outbound
          request schema validation configured in one or more of the AXG
          handler's associated service descriptors. This capability can be
          added through customization of the migration utility.

     g.   Route via HTTP to backside service(s).

                i.      If the AXG handler included branched routing to multiple service
                        descriptors:

                        a) Conditional logic folders will be added to evaluate routing to
                           each non-default service descriptor.

                            1) Informational comments will be added for the name of the
                               AXG service descriptor.
                            2) Actionable comments will be added for:

                                 •    The AXG route's selector configuration.

                                 •    Whether HTTP route passwords must be set.
                                 •    The need to remove the Stop Processing assertion.

                            3) A Stop Processing assertion is added to ensure this route is
                               not selected until appropriate selector logic has been
                               added to policy.








                                                 4) An assertion will be added to make sure that routing has
                                                    not already been attempted and failed for an earlier route
                                                    destination.

                                                 5) A Route via HTTP(S) assertion will be added configured as
                                                    follows:

                                                      •    Target URL set to the AXG service descriptor's back
                                                           side endpoint

                                                      •    Connection and read timeouts set to the AXG service
                                                           descriptor's timeout

                                                      •    Basic authorization user name set, if set in Cisco AXG

                                                      •    Pass-through of all HTTP request headers, if set in
                                                           Cisco AXG

                                             b) If no non-default service descriptor was selected, requests will
                                                be routed based on the default service descriptor's AXG
                                                configuration.

                                                 1) An assertion will be added to make sure that routing has
                                                    not already been attempted and failed for an earlier route
                                                    destination.

                                                 2) A Route via HTTP(S) assertion will be added configured as
                                                    follows:

                                                      •    Target URL set to the AXG service descriptor's back
                                                           side endpoint

                                                      •    Connection and read timeouts set to the AXG service
                                                           descriptor's timeout

                                                      •    Basic authorization user name set, if set in Cisco AXG

                                                      •    Pass-through of all HTTP request headers, if set in
                                                           Cisco AXG

                                    ii.   Otherwise requests will be routed based on the default service
                                          descriptor's AXG configuration.

                                               a) A Route via HTTP(S) assertion will be added configured as
                                                  follows:

                                                      •    Target URL set to the AXG service descriptor's back
                                                           side endpoint

                                                      •    Connection and read timeouts set to the AXG service
                                                           descriptor's timeout
                                                      •    Basic authorization user name set, if set in Cisco AXG








                            •   Pass-through of all HTTP request headers, if set in
                                Cisco AXG

     h.   If the AXG handler is configured to perform XML schema validation of the
          outbound response:

          i.    Informational comments will be added for:
                   •   Name of the element to be schema validated (normally the root
                       element of the message body)

                   •   Namespace of the element
                   •   Name of the AXG XSD bundle resource containing the root
                       schema and dependencies

                   •   Original file name of the AXG root schema

          ii.   A Validate XML Schema assertion will be added configured as follows:

                   •   Targets the response message.

                   •   Configured to select the previously uploaded root schema from
                       the Gateway’s global resource repository

          Note: The migration utility does not currently check for outbound
          request schema validation configured in one or more of the AXG
          handler's associated service descriptors. This capability can be
          added through customization of the migration utility.








Sample Policy After Migration
                          The following is an example of a policy after the Cisco AXG Migration Utility has run:




                          Figure 17: Sample policy after migration








                                                           Chapter Five:
                                                 Migration Methodology

                         The specific methodology used to migrate an AXG deployment to the Layer 7 Gateway
                         is highly customizable and can be tailored to address the current use of AXG, new
                         use cases moving forward, and additional components that interact with the
                         Gateway. The following is a suggested methodology that you can use as a starting
                         point.


                         Step 1: Capture requirements
                         Before you start, capture the existing behavior of the AXG devices. Some questions
                         you might consider:

                         •   What services are they processing?

                         •   What are the inputs/outputs?
                         •   What throughput are they designed to handle?

                         •   What external components must be integrated (LDAP, Databases, IAM, Syslog,
                             BI, etc.)?

                         Describe the environments (Development, Staging, Production). Any new requirements
                         should also be clearly defined.


                         Step 2: Deploy the Layer 7 Gateway
                         Deploy the Layer 7 Gateway in each environment:

                         •   Configure network

                         •   Configure integration with external components (such as LDAP, Queue managers,
                             Databases, IAM, Anti-virus, etc.)
                         •   Provision administrative accounts

                         •   Import trusted certificates, private keys

                         Please refer to the Layer 7 Installation and Maintenance Manual for deployment
                         instructions.


                         Step 3: Install the AXG migration utility
                         The Layer 7 Gateway solution has its own mechanism for the migration of service and
                         policy configurations across environments. For this reason, the AXG-L7 migration
                         utility is normally installed only on the first target environment (typically a
                         development or staging environment).

     Once the AXG configuration is migrated and tested on that environment, you can use
     the Layer 7 Enterprise Service Manager to promote these services to other
     environments such as production.


     Step 4: Export target AXG configuration
     Select the handlers that you want to migrate at this stage and export them as PPS
     files.


     Step 5: Run the Migration Utility with the AXG export
     If you only have a single PPS to import, you should use the web interface to feed it to
     the migration utility. If you have a large number of PPS files, you can script the import
     to automate this step.
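
The scripted import mentioned in Step 5, as an added example that is not part of Layer 7's guide or utility: a POSIX shell loop that sends each uncompressed export with the same cURL request shown under "Using the Command Line", but verifies the Gateway certificate (instead of -k) and reads the administrator credentials from a netrc file (instead of -u on the command line). The host name, CA and netrc paths, the function names, and the choice to treat HTTP 200 as success are assumptions.

```shell
#!/bin/sh
# Added example: batch-post uncompressed AXG exports to the migration service.
# Assumed placeholders (not from the guide): the host name, CA_FILE, NETRC_FILE
# and all function names. The path axg/migration and port 8443 follow the guide.
GATEWAY_URL="${GATEWAY_URL:-https://gateway.example.com:8443/axg/migration}"
CA_FILE="${CA_FILE:-./gateway-ca.pem}"        # CA that issued the Gateway certificate
NETRC_FILE="${NETRC_FILE:-$HOME/.netrc-axg}"  # machine <host> login <user> password <pw>

# check_prereqs: refuse to run without a CA file, or with a netrc file that
# other local users could read.
check_prereqs() {
    [ -r "$CA_FILE" ] || { echo "missing CA file: $CA_FILE" >&2; return 1; }
    [ -r "$NETRC_FILE" ] || { echo "missing netrc file: $NETRC_FILE" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$NETRC_FILE" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "chmod 600 $NETRC_FILE first" >&2; return 1; }
}

# post_export FILE OUTDIR
# Posts one export and stores the HTML result as OUTDIR/<name>.results.html.
# Sets http_code and returns 0 only for HTTP 200 (assumed success status).
post_export() {
    export_file=$1
    out_dir=$2
    result_file="$out_dir/$(basename "$export_file" .xml).results.html"

    # --cacert verifies the Gateway certificate; --netrc-file keeps the
    # password out of the process list and the shell history.
    http_code=$(curl --silent --show-error \
        --cacert "$CA_FILE" \
        --netrc-file "$NETRC_FILE" \
        --header "Content-Type: text/xml" \
        --data-binary "@$export_file" \
        --output "$result_file" \
        --write-out '%{http_code}' \
        "$GATEWAY_URL") || http_code="000"   # 000: no HTTP response (TLS, DNS, ...)

    [ "$http_code" = "200" ]
}

# migrate_exports DIR OUTDIR
# Posts every *.xml in DIR, prints one status line per file, records the number
# of failed uploads in FAILED_COUNT and returns non-zero if any upload failed.
migrate_exports() {
    src_dir=$1
    out_dir=$2
    failed=0
    mkdir -p "$out_dir"
    chmod 700 "$out_dir"    # result pages describe the migrated configuration

    for f in "$src_dir"/*.xml; do
        [ -e "$f" ] || continue    # directory without exports: glob stays literal
        if post_export "$f" "$out_dir"; then
            # Accepted upload only; the results page still has to be reviewed.
            echo "OK     $f"
        else
            echo "FAILED $f (HTTP $http_code)"
            failed=$((failed + 1))
        fi
    done

    FAILED_COUNT=$failed
    [ "$failed" -eq 0 ]
}

# Usage: sh migrate.sh <export-dir> <results-dir>
# Runs only when both arguments are given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    check_prereqs && migrate_exports "$1" "$2"
fi
```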


     Step 6: Review services created
     Review the service placeholders created in the Layer 7 Gateway. Review the comments
     produced by the utility, and tweak service properties and policies as appropriate. You can
     also adjust policies so that repetitive logic is moved to policy fragments to optimize
     maintainability. Behaviour that is always applied can be moved to global policies. If
     the number of services makes this step too tedious, consider adjusting the style
     sheet used by the migration utility so that this is done automatically.


     Step 7: Test
     At this point, you are ready to perform end-to-end testing in your development
     environment. Use the Layer 7 monitoring and auditing capabilities to verify that the
     defined behavior is met. If you need to make adjustments to the migration style
     sheet here, you can go back to step 5. You may proceed to the next step once all your
     tests come back positive.


     Step 8: Migrate to production
     Using the Enterprise Service Manager, migrate the new services and policies to the
     production environment.


     Step 9: Monitor and report
     Monitor traffic, produce reports and verify that key performance indicators stay within
     defined thresholds.






                                                                  Chapter Six:
                                                        Additional Information

Contacting Layer 7 Technologies
                              At Layer 7 Technologies, our commitment to exceptional service culminates in the
                              advanced level of technical support that we provide for our Layer 7 products.
                              Table 1: Contacting Layer 7 Technologies

                                              Sales     sales@layer7tech.com

                                            Support     support@layer7tech.com

                                               Web      www.layer7tech.com



Other Layer 7 Resources
                              Layer 7 Technologies provides a wealth of resources to help you:

                              •   User Documentation

                              •   Support Portal

                              •   Solution Architects

                              •   Professional Services

                              •   Samples


                              User Documentation
                              The Layer 7 products are supported by the following documentation:
                              Table 2: Layer 7 Documentation
   Documentation                    Target Product(s)     Format(s)          Description

   Layer 7 Installation and         Gateway, XML          PDF and print      Installation and upgrade information for
   Maintenance Manual               VPN Client, and                          the Layer 7 products, including Gateway
                                    Policy Manager                           maintenance, operations, monitoring, and
                                                                             troubleshooting information and
                                                                             instructions.
                                                                             There are separate editions of this manual
                                                                             for the appliance (including virtual) and
                                                                             software Gateways.





     Policy Manager User           Policy Manager        PDF and print      Comprehensive user instructions for the
     Manual                                                                 Policy Manager.

     Policy Manager Help           Policy Manager        Program-based.     Comprehensive user instructions for the
     System                                              Accessed from      Policy Manager.
                                                         the Policy
                                                         Manager [Help]
                                                         menu.

     SecureSpan XML VPN            SecureSpan XML        PDF and print      Comprehensive user instructions for the
     Client User Manual            VPN Client                               SecureSpan XML VPN Client.

     SecureSpan XML VPN            SecureSpan XML        Program-based.     Comprehensive user instructions for the
     Client Help System            VPN Client            Accessed from      SecureSpan XML VPN Client.
                                                         the XML VPN
                                                         Client [Help]
                                                         menu.

     Custom Assertion              Gateway               PDF                Instructions for installing and configuring
     Installation Manual                                                    the optional custom assertion packages on
                                                                            the Gateway. User instructions for the
                                                                            custom assertions are provided in the
                                                                            Policy Manager documentation.

     Read Me file                  Gateway, XML          Text file on the   Release-based information. Also includes a
                                   VPN Client, and       Installation CD.   copy of the End User license agreement.
                                   Policy Manager

     Secure Implementation         All                   PDF                Describes how to use the Layer 7 product
     Guide                                                                  suite to comply with version 2.0 of the
                                                                            Payment Card Industry Security Standards
                                                                            Council’s Data Security Standards (PCI
                                                                            DSS).



                             Support Portal
                             The Layer 7 support portal can be used to download virtual appliance images,
                             software installers, documentation, and other resources. You can access the Layer 7
                             support portal via http://layer7tech.com/portal/.


                             Solutions Architects
                             Contact your local Solutions Architect for advice on how to proceed with your AXG
                             replacement, to answer any technical questions about the capabilities of the Layer 7
                             Gateway solution, and for assistance with a pilot or POC project. You can reach your
                             local solutions architect by emailing sales@layer7tech.com.








                           Professional Services
                           The Layer 7 Professional Services engineers will assist you during the implementation
                           phase of your Layer 7 Gateway solution and with specialized training engagements.
                           Layer 7 Professional Services can be contacted via support@layer7tech.com.


                           Sample Policies
                           Layer 7 support engineers and Professional Services can provide a number of
                           sample policies and scripts to speed up any Layer 7 Gateway implementation
                           project. For more information, please contact
                           support@layer7tech.com.











