2844 – Introducing Application Optimization in

WebSphere DataPower SOA Appliances

Adolfo Rodriguez, PhD, STSM, DataPower ArchitectAdolfo Rodriguez, PhD, STSM, DataPower Architect

Agenda

• DataPower: A Brief History

• Application, DMZ, and ESB Trends

• What is Application Optimization (AO)?

Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance

1

– Dynamic Configuration

– Intelligent Load Distribution

– Session Affinity

– Application Versioning

– Self-Balancing and HA in Local Multi-Appliance Scenarios

• Summary

conformance, and performance

DataPower SOA Appliances Product Family

Integration Appliance XI50 XML Security Gateway XS40

B2B Appliance XB60� B2B Messaging (AS2/AS3)

� Trading Partner Profile Management

� B2B Transaction Viewer

� Unparalleled performance

� Simplified management and config

Low Latency Appliance XM70� High volume, low latency messaging

� Enhanced QoS and performance

� Simplified, configuration-driven approach to LLM

� Publish/subscribe messaging

� High Availability

2

Integration Appliance XI50 � Hardware ESB

� “Any-to-Any” Conversion at wire-speed with WS-TX

� Bridges multiple protocols

� Integrated message-level security

XML Security Gateway XS40� Enhanced Security Capabilities

� Centralized Policy Enforcement

� Fine-grained authorization

� Rich authentication

Typical DataPower Use Cases

• Monitoring and control

– Example: centralized ingress management for all Web Services using ITCAM SOA

• Deep-content routing and data aggregation

– Example: XPath (content) routing on Web Service parameters

• Functional acceleration

– Example: XSLT, WS Security

• Application-layer security and threat protection

– Example: XML Denial-of-Service protection, WS Security

• Protocol and message bridging

In-the-clear SOAP/HTTP

3

• Protocol and message bridging

– Example: Convert to WS to legacy Cobol/MQ

Service Providers

Clients

In-the-clear SOAP/HTTP

MaliciousSOAP/HTTP

Service Provider

SOAP

SOAP

SOAP

Cobol/MQ Appl

Cobol/MQ

Encrypted and Signed SOAP/HTTP

Why an Appliance for SOA?

• Integrated

– Many functions integrated into a single device

– Addresses the divergent needs of different groups (architects, operators,

developers)

– Integrates well with other IBM SWG and standards-based products

• Hardware reliability

– Dual power supplies, no spinning media, self-healing capability, failover support

• Security

4

• Security

– Higher levels of security assurance certifications require hardware (HSM,

government criteria)

– Inline application-aware security filtering and intrusion protection

• Higher performance with hardware acceleration

– Wire-speed application-aware parsing and processing

– Ability to perform costly XML security operations without slow downs

• Consumability

– Simplified deployment and management: up in minutes, not hours

– Reduces need for in-house SOA skills & accelerates time to SOA benefits

The DataPower Secret Sauce

Specialized compiler technology creates

optimized executable object code from

transformations (eg. XSLT) that execute

natively on hardware

Everything is viewed as a transformation that is

extensible via DataPower custom extension functions

5

XSLT) that execute natively on hardware

High-performing throughput-optimized

engine yields wire-speed capabilities

Purpose-built hardware to execute SOA workloads and

transformations

Packet Filter

Packet Filter

intranet [Software + appliances]Internet

DMZ [Appliances ONLY]

datacenter

users

internaluser

identityfederation

application-awaretransformations

Security policy

enforcement

monitoringDataPowerXS40

IHS plugin, Proxy Server,Edge Server

XDoSprotection

QoS policyenforcement

WebSphere VE (XD)

WebSeal

SSL offload

extensible rules

Today’s DMZ

666

Packet Filter

Packet Filter

ESB

center

intrusiondetection

loadbalancing

WAN and connectionoptimization load

balancing

caching

intrusionprevention

trafficshaping

trafficshaping

ISS

NEPs

caching

NEPs

datacenter

offload

Fine grainAccess control

XI50, WESB, WMB

Increased processing

requirements in the DMZ

clouds

threats

WSJ2EEWebREST

Appliance Hygiene

Packet Filter

Packet Filter

intranet [Software + appliances]Internet

DMZ [Appliances ONLY]

datacenter

users

internaluser

SOA/XML

SOA/XML

Today’s DMZ

777

Packet Filter

Packet Filter

ESB

center

datacenter

clouds

threats

Web Application

IP/TCP(packets/conns)

WSJ2EEWebREST

Web Application

IP/TCP(packets/conns)

Packet Filter

Packet Filter

intranet [Software + appliances]Internet

DMZ [Appliances ONLY]

datacenter

internaluser

• SOA Support• XML Intelligence• XML Security

SOAOptimization

• SOA Integration• SOA Support• XML Intelligence

users

Deployment Trends

888

Packet Filter

Packet Filter

center

datacenter

• Web 2.0 Support• Application Intelligence• Application Security

DMZ Convergence ESB Convergence

• Application Integration• Web 2.0 Support• Application Intelligence

ApplicationOptimization

clouds

threats

Packet Filter

Packet Filter

intranet [Software + appliances]Internet

DMZ [Appliances ONLY]

datacenter

internaluser

Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance

users

Application Optimization Clearly Defined

999

Packet Filter

Packet Filter

center

SOA and Application

Optimization in the ESB

datacenter

SOA and Application

Optimization in the DMZ

clouds

threats

Dynamic Middleware Information

Dynamic Configuration (3.8.0, AO Option)

10

Clients

DataPower learns of deployed back-end

applications

WebSphere (or other) Service

Providers

Static vs Dynamic Configuration

• Static / Persisted Configuration

– LBGroup configuration saved in non-volatile storage

– Entered by an administrator or through SOMA

– Initial Runtime Configuration

– Static configuration is immediately available after a change is applied and before any dynamic population takes place.

• Dynamic Configuration

11

– Runtime only. (Does not show up on configuration panels)

– Overrides the static configuration when new information is retrieved

• Members added / disabled

• Member weights changed

• Session Affinity tables changed

– Shows up via the Load Balancer Group Status provider

Usability Model

• Create a static LBGroup configuration to verify connectivity, service configuration, and data flow.

• Install the ODCInfo Application on the DM of the WebSphere Cell.

• Verify the ODCInfo Installation

– ODCInfo verification script

– Browser: http://dm_host_name:9060/ODCInfo/ODCInfo?c=cluster_name

• Create WebSphere Cell object (points to ODCInfo app)

– Retrieves the WebSphere Cell information

12

– Retrieves the WebSphere Cell information

– One WebSphere Cell object can support multiple clusters

Configure the WebSphere Cell Object

13

Weight Information

Intelligent Load Distribution (3.8.0, AO Option)

14

Clients

DataPower performs dynamic back-side

routing and load distribution (leveraging

dynamic information from back-ends)

WebSphere (or other) Service

Providers

Load Balancer Group

15

New Config

Questions

Load Balancer Group Status Provider

16

Weighted Least Connections Algorithm

• Imposes weight infrastructure on top of Least Connections.

– The larger the weight, the larger the percentage of connections that will go to a given server.

– The smaller the number of connections, the more likely that a server will receive the next connection.

– member_wlc = constant * (member_connections / member_weight); The member with the lowest member_wlc

17

member_weight); The member with the lowest member_wlc receives the next connection attempt.

• Reference Count used to track number of connections on

each member

Session Affinity - Overview

• Cookies – the basis for persistent client state• Session Affinity - uses cookies to more efficiently provide the

persistent (session) information to an Application by forwarding every request within a session to the same server. – Required for efficient Session Management in application servers.

• A Session ID contains a name and a value– Session information (Ignored by DataPower)

– Routing information (Clone ID, Partition ID, or a hash value)

18

– Routing information (Clone ID, Partition ID, or a hash value)

• With Session Affinity enabled– If DataPower recognizes the session ID format and can resolve the

routing information, it uses the routing information to forward the request.

– If no session ID, or the routing information cannot be resolved, the request is load balanced.

Session Affinity

• Passive– Only available though WLM (ODCInfo) feedback

– Least aggressive

– Only applies to WebSphere servers (must understand cookie format)

– DataPower monitors and forwards the requests based on Partition ID or Clone ID contained in the Session ID.

• Active-Conditional– Applies to any back-end server

– Set-Cookie monitored on Reply. If present, DataPower inserts its own Set-Cookie (e.g. DPJSESSIONID)

19

Cookie (e.g. DPJSESSIONID)

– DataPower routes any subsequent request based on the DPJSESSIONID.

• Active– Applies to any back-end server

– Most Aggressive

– Private Cookie (DPJSESSIONID) monitored on Request.

• If present, Request is routed to the corresponding server

• If not present, a Set-Cookie with the private cookie value (DPJSESSIONID) is inserted into the Reply

• The first request is load balanced. All subsequent requests are forwarded to the same server as the first request.

Passive Session Affinity Flow

drouter_xi50

aocServer1

aocClustercid3

cid8

aocServer1:8080

aocServer2:8080

CID/Host:Port Table

P_A.1

P_A.2

cid3

cid8

PID/CID Table

Version23

20

drouter_xi50aocServer2

Client

PID/CID Table

Version25

Req (JSESSIONID=PAKZZ:P_A.1)

Req (JSESSIONID=PAKZZ:P_A.1, WS_HAPRT_WLMVERSION=Version23)

Reply (WS_HAPRT_WLMVERSION=Version25, $WSPT=PID:CID;)

Reply()

Active-Conditional Session Affinity Flow

drouter_xi50

ServerLeft

Client

xyzCluster

21

drouter_xi50

ServerRight

Req ()

Req ()

Reply(SetCookie: JSESSIONID=…)

Reply (SetCookie: JSESSIONID= … ; SetCookie: DPJSESSIONID=PBC5YS:-2342213232;)

Active Session Affinity Flow

drouter_xi50

ServerLeft

Client

xyzCluster

22

ServerRight

Req ()

Req ()

Reply()

Reply (SetCookie: DPJSESSIONID=PBC5YS:-2342213232;)

Session Affinity Configuration

Enable

Switch

23

Switch

Use for non-WebShere

backends

Insertion Cookie

Information

Application version

information

Ve

rsio

n 1

Application Version Routing (3.8.1)

24

Clients

DataPower performs back-side application version routing *and*

load ramping

WebSphereService

Providers

Ve

rsio

n 2

Enabling Application Version Routing

25

Active/Passive failover of

distributor using standby control

����

Front-end IP load balancers not needed for AO workloads

Self Balancing and HA of Co-located Appliances

26

Service Provider

Self balancing (IP spraying)

����Clients

Failure of target appliances are masked

by appropriate weighted distribution

Enabling Self Balancing

8000

10000

12000

14000

Self Balancing DataPower Appliances

LVS with strict round robin

Tra

nsactions p

er

Second

Round Robin

Scaling Self-Balancing

Cluster TPS TPS per Host0

2000

4000

6000

8000

Direct to 1 DP 2 DP Appliances 3 DP Appliances

Tra

nsactions p

er

Second

DataPowerSelf Balancing

Fronting IP Sprayer

Sysplex Distributor

IP Sprayer

DataPower

z/OS

z/LinuxUnder

development

Distribution and High Availability Options

29

Clients

Tier 1 distribution

options

Tier 2 distribution

options

Self Balancing

DataPowerILD (ODC)

DataPower Tier

Any service provider

on p, x, or z

DataPowerload distribution

WebSphereon p, x, or z

Red = Connection distribution; White = Request distribution

Quiesce Support (3.8.1)

• Operational maintenance of DataPower appliances due to– Upgrade firmware– Promote configuration packages

Service ProviderClients

30

– Promote configuration packages– Apply dynamic configuration changes

• Design goals– Ensure all existing transactions complete without error – Indicate administrator quiesced state– Various levels of granularity

• FSPH (configuration changes)• Service object (configuration changes)• Application domain (configuration promotion)• Entire appliance (firmware upgrades and proactive recycles)

• Usage model– Prevent new connections from arriving at an appliance through external load balancer

configuration– Special hooks automatically remove quiesced targets from self-balanced sets

We Value Your Feedback !

• Please complete the session survey for this session by:

• Accessing the SmartSite on your smart phone or computer at: http://imp2010.confnav.com

– Surveys / My Session Evaluations

• Visiting any onsite event kiosk

31

– Surveys / My Session Evaluations

• Each completed survey increases your chance to win an Apple iPod Touch with daily drawing sponsored by Alliance Tech

Copyright and Trademarks

© IBM Corporation 2009. All rights reserved. IBM, the IBM logo, ibm.com and the globe design are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at "Copyright and trademark information"

32

on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.