Transcript of: Intro to DataPower: IBM WebSphere SOA Appliances (© 2013 IBM Corporation)

Page 1: Intro to DataPower: IBM WebSphere SOA Appliances

Page 2: Agenda

What is a DataPower Appliance?

Models and Features

Additional Use Cases

Success stories

How to learn more

simpler solutions for a smarter planet

Page 3: Why IBM DataPower?

DATAPOWER IS A PURPOSE BUILT PLATFORM THAT PROVIDES HIGH SECURITY AND EXCEPTIONAL PERFORMANCE
– There is no third-party software (OS, Java, DB, etc.) present on the system, nor can such programs be executed, so general vulnerabilities found in other platforms built on such stacks are not present on DataPower.
– Entirely configuration based, ensuring that security holes are not introduced inadvertently.
– XML acceleration and cryptographic acceleration help in providing near wire-speed throughput. Security is not compromised for performance.

UNPARALLELED INVESTMENTS IN INNOVATION
– IBM Software Group invests over $6 Billion annually on Research and Development
– WebSphere Business Unit within IBM invests over $1 Billion annually on R&D alone, far surpassing any perceived competitors in the marketplace
– IBM develops, defines, and participates in defining and developing open standards and conforms to the same to protect investments.

GLOBAL REACH AND SCALE OF BUSINESS OPERATIONS
– IBM has a global presence, doing business in more than 170 countries, making us an ideal partner to scale geographically-dispersed solution implementations, operations, and teams. We are uniquely positioned to support international operations.

Page 4: The IBM WebSphere DataPower organization makes appliances

Simple architecture:
– microcode firmware + purpose-built hardware

Delivered from the factory with everything you need to connect to the network and start working
– No need to provision anything but the Ethernet network and CAT cables to get started

All computationally-significant components sealed within a tamper-proof casing
– Chips
– Memory
– Boards and cards
– Flash-based file system (signed and encrypted)
– Parsing and transform accelerators (patented)
– Cryptographic accelerators (patented)

Page 5: Guiding philosophy is to take rote, repeatable integration tasks and lock them down in the appliance form factor, including:

– Services gateway functions
– Web application gateway functions
– Service Bus (ESB) functions
– B2B gateway functions
– Edge optimization functions

Appliance “lock down” means:
– Removing need for commodity code
– Removing reliance on general purpose operating systems and run times
– Porting to purpose-built firmware
– Simplicity = BIG TCO SAVINGS

But simple does NOT mean lacking in functionality

Page 6: Over 1,800 worldwide installations and growing fast

Used by 95% of top global insurance firms

Industries:
– Insurance
– Government (agencies and ministries; defense and security organizations; Crown corporations)
– Banking (all of the big 5 Canadian banks; numerous regional banks and credit unions)
– Telecommunications
– Utilities, Power, Oil and Gas
– Airlines
– Retailers
– SaaS providers, ASPs, regulators, etc.
– Many, many more

Page 7: DataPower appliances offer a classic SOA business case

Returns are based on implementation and maintenance cost reductions. Returns are typically found by:
– Accelerating project timelines (and beginning to realize new revenues earlier)
  • Drop-in deployment, even to sensitive networks
  • Configuration of tasks that would otherwise be coded
– Reduction of project resource requirements
  • Configuration of tasks that would otherwise be coded
  • No tuning required for performance
– Reduction of existing server footprint or deferment of the need to scale up
  • Offloading of resource-intensive functions to a platform purpose-built to do them at low resource penalties
– Lowering ongoing operations costs
  • Simple architecture and low-touch maintenance model
  • Centralization of rote, repeatable integration tasks

(Chart: cost over time, “Do Nothing” vs. “Adopt WDP”)

Page 8: Why use an appliance?

“IBM ESBs [including DataPower] have the broadest set of supported runtime protocols, connectivity options, mediation capabilities, security, commercial data standards, and service monitoring and management — hands down." - Forrester

Hardened, high-performance hardware
• Tightly integrated hardware and firmware
• High performance
• Security without performance bottlenecks
• Simplicity

Many functions integrated into a single device
• Connectivity requires service level management; routing, policy, transformation

Enables run-time SOA governance and policy enforcement
• Dynamically control service availability, security, performance, endpoint selection

Addresses divergent needs of different groups
• Enterprise architects, network operations, security operations, identity management, web services developers

Simplified deployment and ongoing management
• Reduces need for in-house SOA skills & accelerates time to SOA benefits

Proven Green / IT Efficiency Value
• Example: Appliance performs XML and Web services security processing as much as 72x faster than server-based systems
• Impact: Same tasks accomplished with reduced system footprint and power consumption

Page 9: Agenda (section divider; same five items as page 2)

Page 10:

Integration Appliance XI52
– High density 2U form
– Consumable hardware ESB
– “Any-to-Any” conversion at wire-speed
– Bridges multiple transport protocols
– Mainframe integration & enablement

Service Gateway XG45
– Entry-level device, slim footprint (1U)
– Security gateway (AAA, XML threat, etc.)
– Service level management and monitoring
– Intelligent load distribution & dynamic routing
– Lightweight ESB functions (optional module)

B2B Appliance XB62
– High density 2U form
– B2B Messaging (AS1/AS2/AS3/ebMS)
– Trading Partner Profile Management
– B2B Transaction Viewer

Integration Blade XI50B/XI50z
– Functionally equivalent to XI52
– Form factor flexibility
  • XI50B: BladeCenter form factor
  • XI50z: zEnterprise BladeCenter Extension (zBX) form factor

Page 11: Deploy WebSphere DataPower Appliances in a variety of use cases

1 Secure Gateway (Web Services, Web Applications)
2 B2B Gateway
3 Edge Optimization
4 Internal Security
5 Enterprise Service Bus
6 Runtime SOA Governance
7 Web Service Management
8 Legacy Integration

(Diagram: Consumer on the Internet -> DMZ -> Trusted Domain containing applications and System z; the numbers mark where each use case sits in the topology)

Page 12: AAA

Employ flexible AAA (Authenticate, Authorize, Audit) Policies

Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom

Authenticate: LDAP, System z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom

Map Identity

Extract Resource: URL, SOAP Operation, HTTP Operation, Custom

Map Resource

Authorize: LDAP, Active Directory, System z NSS, Tivoli Access Manager, SAML, XACML, Custom

Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity

The Authenticate and Authorize steps call out to an External Access Control Server or an Onboard Identity Management Store; the policy takes the inbound message as input and produces the post-processed message as output.
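The stage chain on this slide, as an added example that is not DataPower's own code: a small Python AAA policy with hypothetical users (alice, bob), an HTTP Basic identity extractor, a PBKDF2-hashed onboard store, a resource map keyed on HTTP method and path, a group-based ACL, and an audit line per decision. The user names, groups, resource names and sample requests are all constructed for illustration; on the appliance each stage would be a configured action pointing at LDAP, SAML, XACML and so on rather than these in-memory tables.

```python
"""Added example: an AAA policy chain in the shape of the slide above
(Extract Identity -> Authenticate -> Map Identity -> Extract Resource ->
Map Resource -> Authorize -> Audit & Post-Process). Stand-in for an onboard
identity store; not DataPower's implementation."""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed onboard identity store (hypothetical users). Passwords are kept
# as PBKDF2-SHA256 hashes. The salt is fixed only so the example is
# deterministic; a real store uses a random per-user salt.
_SALT = b"datapower-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash_password("s3cret"), "bob": _hash_password("hunter2")}
GROUPS = {"alice": "po-approvers", "bob": "po-readers"}  # Map Identity
RESOURCE_MAP = {                                          # Map Resource
    ("POST", "/services/PurchaseOrder"): "po:write",
    ("GET", "/services/PurchaseOrder"): "po:read",
}
ACL = {"po-approvers": {"po:read", "po:write"}, "po-readers": {"po:read"}}  # Authorize


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    client_ip: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    identity: Optional[str] = None
    group: Optional[str] = None
    resource: Optional[str] = None


def extract_identity(req: Request):
    """Extract Identity: HTTP Basic credentials from the Authorization header."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return (user, password) if user else None


def authenticate(user: str, password: str) -> bool:
    """Authenticate against the onboard store with a constant-time comparison."""
    stored = USERS.get(user)
    if stored is None:
        _hash_password(password)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(stored, _hash_password(password))


def extract_resource(req: Request):
    """Extract Resource: HTTP operation plus URL path, query string stripped."""
    return (req.method.upper(), req.path.split("?", 1)[0])


def run_aaa(req: Request, audit_log: list) -> Decision:
    """Run the full chain; every outcome, allow or deny, is written to audit_log."""
    creds = extract_identity(req)
    if creds is None:
        return _audit(audit_log, req, Decision(False, "no identity presented"))
    user, password = creds
    if not authenticate(user, password):
        return _audit(audit_log, req, Decision(False, "authentication failed", identity=user))
    group = GROUPS.get(user)
    resource = RESOURCE_MAP.get(extract_resource(req))
    if resource is None:
        return _audit(audit_log, req, Decision(False, "unmapped resource", user, group))
    if resource not in ACL.get(group, set()):
        return _audit(audit_log, req, Decision(False, "not authorized", user, group, resource))
    return _audit(audit_log, req, Decision(True, "ok", user, group, resource))


def _audit(audit_log: list, req: Request, d: Decision) -> Decision:
    """Audit & Post-Process: one audit line per decision. Token generation for
    the backend would hang off the allowed branch."""
    verdict = "ALLOW" if d.allowed else "DENY"
    audit_log.append(f"{verdict} user={d.identity} group={d.group} resource={d.resource} "
                     f"{req.method} {req.path} from {req.client_ip}: {d.reason}")
    return d


def _basic(user: str, password: str) -> dict:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


# Constructed sample requests
ALICE_POST = Request("POST", "/services/PurchaseOrder", _basic("alice", "s3cret"), "203.0.113.7")
BOB_POST = Request("POST", "/services/PurchaseOrder", _basic("bob", "hunter2"), "203.0.113.8")
BOB_GET = Request("GET", "/services/PurchaseOrder?id=42", _basic("bob", "hunter2"), "203.0.113.8")
BAD_PW = Request("GET", "/services/PurchaseOrder", _basic("alice", "wrong"), "203.0.113.9")
ANON = Request("GET", "/services/PurchaseOrder", {}, "203.0.113.9")

if __name__ == "__main__":
    log = []
    for r in (ALICE_POST, BOB_POST, BOB_GET, BAD_PW, ANON):
        run_aaa(r, log)
    print("\n".join(log))
```

The point to take from the ordering is that authorization is decided on the mapped, canonical resource name rather than on the raw URL, so a query string or an alternate spelling of the path cannot bypass the ACL, and that denials are audited with the same detail as allows.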

Page 13: The SOA appliances simplify and centralize key functions

Before SOA Appliances
– Higher cost: application servers must be updated individually for every change (routing, transformation, security processing, a new XML standard, an access control update, a change to the purchase order schema)

After SOA Appliances
– Secure, route, transform all applications instantly
– No changes to applications
– High speed routing, transformation, and securing of messages to multiple applications without coding changes
– Reduced complexity resulting in lower hardware, software, maintenance and administration costs, improved productivity
– Increased flexibility so that new functionality can be delivered to the business more quickly

Page 14: Proxying and Enforcement

• Terminate incoming connection
• Terminate transport-level security
• Enforce Service Level Agreement policies
• Inspect message content, filter, pattern-match
• Enforce security policies on message content
• Call out to Access Control List(s)
• Detach binaries and call out to virus checker
• Transform content (XSLT, XML-to-XML)
• Establish a new connection to pass results

(Diagram: connection from client (partner app) -> appliance, with call-outs to ACL and virus scanner -> new connection to target (internal app))

1U form factor
• 4x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports

Page 15: ESB HUB Scenario

Message Format & Transport Protocol Mediation Example
– Consumer -> SOAP / HTTP(s) -> DataPower -> COBOL / MQ -> MQ Queue Manager -> Provider (format & transport bridging)

2U form factor
– Simplified “drop in” deployment
– Configure your integrations
– Integrates smoothly into any “shop”: .Net, Java, Legacy

– Content based routing
– Message enrichment
– Message transformation
– Transport protocol translation
– Security: AAA, threat protection; message validation & filtering
– Centralized management and monitoring point: traffic control / rate limiting
– Intelligent load distribution

(Diagram: Outside World (Internet: SaaS, partner apps, browsers) | Protocol Firewall | DMZ (DataPower, enhanced security) | Domain Firewall | Internal Network (packaged apps, proprietary apps, data; ACL, DB, LDAP; IMS Connect). Protocols shown: HTTP(s), FTP(s), SFTP (SSH), WMQ(s), WS, JMS, TIBCO EMS, ODBC, NFS.)

Page 16:

All of the capabilities of the XG45 to proxy and enforce policies

Partner Management functions:
– Define partners with the web management console
– Associate partners with network endpoints
– Attach metadata about the partners to their definitions

Enhanced Qualities of Service:
– Onboard persistent transaction store
– Search messages by partner, time, etc.
– Replay messages if necessary
– ebXML/ebMS, AS1, AS2, and AS3 protocol bindings for greater reliability across traditionally unreliable protocols

Additional protocols supported:
– SFTP (SSH)
– TIBCO EMS is available as an option
– ODBC

Additional formats supported:
– PKCS7 is included in base

Additional transformation engines supported:
– DataGlue
– WTX/FFD is included in base

2U form factor
• 8x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports
• More memory
• More storage

Page 17: IBM WebSphere DataPower Virtual Edition

Deployment flexibility & reduced cost for development and test environments

What’s New?
– WebSphere DataPower XG45 and XI52 physical appliance functionality in a “virtual appliance” form-factor running on VMware hypervisor

Features/Business Value
– Industry-leading workload security, optimization, and integration functionality similar to the corresponding physical DataPower appliance models, with three exceptions:
  • No Hardware Security Module (HSM) support for FIPS compliance (private keys are held in software on the virtual appliance rather than in an HSM)
  • No cryptographic hardware acceleration support
  • Not part of the Common Criteria certification effort in progress for physical appliances
– Powered by a purpose-built platform including an embedded, optimized DataPower Operating System
– Ability to upgrade and downgrade firmware similar to physical appliances
– Seamless configuration migration between physical and virtual appliances

Client Benefits
– A flexible, cost effective choice for non-production environments
– A production solution for environments not suitable for physical appliance deployment
– Offers the ability to use virtual appliances for development/test environments and physical appliances for staging, production and disaster recovery

Page 18: Agenda (section divider; same five items as page 2)

Page 19: Mobile Browser Applications

Many people who have used DataPower to secure & optimize customer access from laptops are now allowing mobile browser access.

A global furniture retail business with web applications wants to enable customer mobile access to their hosted web content (e.g., shopping cart data). They are looking to extend access to these web applications from mobile browsers but want to ensure the access is protected.

(Diagram: mobile browser application -> DataPower -> browser application)

Page 20: REST Service Gateway for Mobile Apps

Mobile Consumer -> JSON or XML / HTTP(s) -> DataPower (REST Proxy) -> JSON / XML / SOAP, REST -> Provider
– SSL offload
– Enforcement point for centralized security policies: Authentication, Authorization, Audit; threat protection for XML and JSON; message validation and filtering
– Centralized management and monitoring point: traffic control / rate limiting
– Routing / intelligent load distribution to Provider
– RESTful façade to non-REST Provider

Application Acceleration for Mobile Apps

Mobile Consumer -> HTTP(s) GET -> DataPower -> HTTP(s) GET -> Provider (XML); the response is returned to the consumer as JSON or HTML/XHTML
– Offload heavy lifting of message transformation from the Provider
– Transform to a format best suited for the requesting Mobile App: JSON for native/hybrid app; HTML/XHTML for browser based

Page 21: WebSphere DataPower provides mobile operations with:

Ease of Use: Solves complex security and integration challenges in a secure, easy to consume and extremely low TCO network device. DataPower appliances are configuration driven not programming driven which simplifies deployment

Performance: DataPower is a network device that operates at wire speed. Greater processing power is realized with every new firmware release.

Flexibility: Secure, integrate, bridge and version applications without application modification

Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”

Lower TCO: Customers’ own data has shown that DataPower can be 7X-8X less expensive to operate in the data center than traditional alternatives.

Page 22: Protect your data with cryptography and XML threat protection

See: “The (XML) threat is out there…” by Bill Hines, ibm.com/developerWorks

Easily sign, verify, encrypt, decrypt any content
– Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
– Use DataPower to help resolve compliance issues

XML Threat Protection
– Entity Expansion/Recursion Attacks
– Public Key DoS
– XML Flood
– Resource Hijack
– Dictionary Attack
– Replay Attack
– Message/Data Tampering
– Message Snooping
– XPath or SQL Injection
– XML Encapsulation
– XML Virus
– …many others
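Several entries in the list above (entity expansion/recursion, the per-message side of an XML flood, oversized or deeply nested documents) come down to enforcing limits before the payload reaches a full parse downstream. The following is an added example and not DataPower's implementation: a Python filter built on the standard-library expat parser that refuses any DOCTYPE or entity declaration, caps message size, nesting depth, element and attribute counts, and abandons parsing at the first violation. The thresholds and the sample payloads are constructed for illustration; rate limiting across messages, replay detection and signature verification are separate controls not shown here.

```python
"""Added example: gateway-style XML threat filter on top of xml.parsers.expat.
Not DataPower's code; limits are illustrative defaults."""
import xml.parsers.expat as expat


class XmlThreatRejected(Exception):
    """Raised with a human-readable reason when a message fails a check."""


class XmlThreatFilter:
    def __init__(self, max_bytes=1_000_000, max_depth=32, max_elements=10_000, max_attrs=64):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_attrs = max_attrs

    def check(self, data: bytes) -> dict:
        """Parse once, enforcing limits as expat events arrive, so a hostile
        document is abandoned at the first violation rather than fully expanded."""
        if len(data) > self.max_bytes:
            raise XmlThreatRejected(f"message of {len(data)} bytes exceeds {self.max_bytes}")
        depth = elements = max_depth_seen = 0

        def on_doctype(name, sysid, pubid, has_internal_subset):
            # No DOCTYPE means no internal entities (billion laughs), no external
            # entities and no parameter-entity tricks.
            raise XmlThreatRejected("DOCTYPE declaration not allowed")

        def on_entity(*args):
            raise XmlThreatRejected("entity declaration not allowed")

        def on_start(name, attrs):
            nonlocal depth, elements, max_depth_seen
            depth += 1
            elements += 1
            max_depth_seen = max(max_depth_seen, depth)
            if depth > self.max_depth:
                raise XmlThreatRejected(f"nesting depth exceeds {self.max_depth}")
            if elements > self.max_elements:
                raise XmlThreatRejected(f"element count exceeds {self.max_elements}")
            if len(attrs) > self.max_attrs:
                raise XmlThreatRejected(f"<{name}> carries more than {self.max_attrs} attributes")

        def on_end(name):
            nonlocal depth
            depth -= 1

        parser = expat.ParserCreate()
        parser.StartDoctypeDeclHandler = on_doctype
        parser.EntityDeclHandler = on_entity
        parser.StartElementHandler = on_start
        parser.EndElementHandler = on_end
        try:
            parser.Parse(data, True)
        except expat.ExpatError as exc:
            raise XmlThreatRejected(f"malformed XML: {exc}") from exc
        return {"elements": elements, "max_depth": max_depth_seen}


def inspect_message(data: bytes, flt: XmlThreatFilter = None) -> tuple:
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    flt = flt or XmlThreatFilter()
    try:
        return True, flt.check(data)
    except XmlThreatRejected as exc:
        return False, str(exc)


# Constructed sample payloads
SAMPLE_OK = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body></soap:Envelope>')
SAMPLE_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
               b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
               b'<lolz>&lol2;</lolz>')
SAMPLE_DEEP = b"<a>" * 200 + b"</a>" * 200
SAMPLE_BROKEN = b"<soap:Envelope><soap:Body>"

if __name__ == "__main__":
    for label, payload in [("ok", SAMPLE_OK), ("bomb", SAMPLE_BOMB),
                           ("deep", SAMPLE_DEEP), ("broken", SAMPLE_BROKEN)]:
        print(label, inspect_message(payload))
```

The size check runs before any parsing so that a flood of large messages costs nothing beyond reading the length, and the DOCTYPE rejection is deliberate rather than relying on a parser's own expansion limits, because the limit values differ between parser versions.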

Page 23: Payment Card Industry – History

• Initial specifications adopted December 2004
• 1.1 specifications adopted September 2006
• 1.2 specifications adopted October 2008
• 1.2.1 specifications adopted August 2009
• 2.0 specifications adopted October 2010
• As of January 2011, every institution must abide by 2.0 specifications

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Page 24: To Whom Does PCI DSS Apply?

All merchants & service providers that store, process, use, or transmit cardholder data

Retail (e-commerce & brick & mortar)

Hospitality (restaurants, hotels, casinos)

Convenience Stores (gas stations, fast food)

Transportation (airlines, car rental, travel agencies)

Financial Services (credit card processors, banks, insurance companies)

Healthcare/Education (hospitals, universities)

Government (where payment cards are accepted)

Page 25: PCI DSS Requirements “The Digital Dozen”

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security – Connected Entities and Contracts

PCI DSS Ver. 1.1

Page 26: Agenda (section divider; same five items as page 2)

Page 27: Online Service Provider: Scalable & Secure Online Transactions

Challenge
– To deploy a more scalable infrastructure for supporting secure online transactions and enhancing the scalability, manageability & reliability of the IT environment

Solution
– Implemented WebSphere DataPower Integration Appliance XI50 & WebSphere DataPower XML Security Gateway XS40
– The XI50 provides protocol mediation functions & accepts front-end requests via TIBCO EMS. The solution secures, transforms & routes Web services calls to the appropriate endpoint
– The XS40, deployed in the DMZ as a security-enforcement point, offers a full range of Web service security functions

Benefits
– Increased scalability and security for high volume credit card authorization services, without performance degradation
– Faster to implement than a software-only solution, with significantly lower maintenance costs

Page 28: Large Outdoor Retailer: Web Service Enabled Credit Card Repository

Challenge
– To quickly deploy a more secure infrastructure for storing and accessing credit card data in order to meet PCI DSS compliance deadlines

Solution
– Implemented WebSphere DataPower Integration Appliance XI50 with licensed ODBC option
– The XI50 provides a web service interface to the back end DB2 v9 database that holds customer credit card information
– Tivoli Systems Automation for Multiplatform (TSA) provides DB redundancy; on-box load balancing provides redundancy for DataPower
– Solution will accommodate significant growth

Benefits
– Met PCI DSS compliance deadlines
– Improved application integration flexibility through use of SOA standards and componentry

(Diagram: SOAP messages -> WebSphere DataPower Integration Appliance XI50 -> SQL statements -> DB2 v9, with Tivoli Systems Automation for Multiplatform)

Page 29: Agenda (section divider; same five items as page 2)

Page 30: How to learn more

YouTube http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel

IBM.com http://www-01.ibm.com/software/integration/datapower/

Redbooks:

– Appliance architectural patterns http://www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf

– B2B Gateway appliance http://www.redbooks.ibm.com/redbooks/pdfs/sg247745.pdf

– The programmatic management interface http://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf