Overview of IBM WebSphere DataPower SOA Appliances


Transcript of Overview of IBM WebSphere DataPower SOA Appliances

Page 1: Overview of IBM WebSphere DataPower SOA Appliances

Overview of IBM WebSphere DataPower SOA Appliances

What this session is about

This session introduces the concept of SOA appliances. You will explore the DataPower product line and examine various use cases.

Session objectives

After completing this session, you should be able to:

•Explain the role of XML in a service-oriented architecture (SOA)

•Define and describe common use cases for the IBM WebSphere DataPower SOA Appliances

•Compare and contrast features in the IBM WebSphere DataPower SOA Appliance product line

XML-aware networking

•Identify the uses of XML within an SOA

•Explain the disadvantages and threats with deploying XML-based applications in the enterprise

•Describe the features in an XML-aware network layer that mitigate the risks of deploying XML-based applications

Role of XML in SOA

•Extensible Markup Language (XML) provides a text-based, human-readable scheme for describing information in a structured format.

•Its simplicity and self-describing nature makes XML popular as an interoperable data format.

•XML is becoming the way to:
–Exchange data between disparate systems within and outside of an enterprise system.
–Enable application functions as interoperable services.

•XML is also the foundation for a number of SOA specifications.

Notes:


Extensible Markup Language (XML) is a way of encapsulating and describing data in a text-based, human-readable manner.

Since XML is text-based, practically any computer system in existence can process the data format. Compare and contrast this scheme with proprietary binary formats. Being human-readable ensures that future developers have a chance of deciphering the data format, years after the original developers have retired.

In short, XML provides a self-describing container for data that is widely compatible today and tomorrow.

For these reasons, XML is a natural choice within an SOA implementation, and for a number of specifications that define SOA.

Uses of XML in SOA

Notes:

1. The Web Services Description Language (WSDL) provides an interoperable, platform-independent format for describing the interface and binding details of a network service. Since WSDL documents are also XML documents, they can be consumed by virtually any computer system regardless of operating system, programming language, or hardware differences.

2. One of the more popular messaging formats for encapsulating an operation call is SOAP. The SOAP specification defines an XML-based envelope format for holding the message payload and processing instructions through the body and header elements, respectively. As XML messages, a wide range of systems can invoke and provide service functionality by consuming and producing SOAP messages, regardless of the implementation differences between the client and the server.

3. Additional information about messages can also be encapsulated in an XML format. For example, the Web services security specifications provide a standard for encoding security metadata in a SOAP message header. A wide range of security packages support these security tokens, allowing the exchange of security information.

4. Security servers might choose to attach authentication, authorization, or additional security characteristics on an incoming message as it passes through servers in the enterprise. Security assertions reduce the number of security checks from internal applications and abstract security decisions from application developers.

5. Applications can retrieve and store information to data stores using an XML stream or XML messages. The use of XML abstracts the actual implementation of the data store itself. It provides information as a service.

Some SOA specifications based on XML


Notes:

WSDL: Web Services Description Language

XSLT: XSL Transformations

XPath: XML Path Language

SAML: Security Assertion Markup Language

Disadvantages and threats with XML

•As a text-based, human-readable protocol, XML tends to be more verbose.
–Parsing, processing, and transforming XML data incurs significant overhead for application servers.

•XML introduces new threats and security exposures.
–Most companies disable XML validation due to performance costs.
–Traditional network security devices do not protect against a new class of XML-based attacks, such as:
•Entity expansion and recursion
•Malicious include
•XML encapsulation

•Dealing with XML-based applications becomes a compromise between performance and security.

Notes:

Entity expansion and recursion attacks use entity declarations in an XML document header that reference themselves. As an XML parser resolves the recursive reference, the size of the entity expands exponentially, consuming all available memory and processing power on a server.

Malicious includes add a URL reference into an XML document. The reference itself guesses at the name and location of privileged information, such as a UNIX password file.

XML encapsulation exploits the CDATA reference, which attaches arbitrary non-XML data into an XML document. Within the CDATA reference, malicious users can embed arbitrary code or system commands. A poorly designed service might inadvertently execute the code or the command.
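The screening an XML-aware gateway performs against the first two attack classes, shown as an added example (this is not DataPower code): the policy refuses any DOCTYPE, entity declaration or external entity reference before the parser expands anything, and also caps message size and element nesting. MAX_BYTES and MAX_DEPTH are assumed limits, not product defaults, and the sample messages are constructed.

```python
"""Gateway-style pre-parse screening of inbound XML (added example, not DataPower
code). It refuses the attack classes above before any entity is expanded;
MAX_BYTES and MAX_DEPTH are assumed limits, not product defaults."""
import xml.parsers.expat as expat

MAX_BYTES = 1_000_000   # assumed message size ceiling
MAX_DEPTH = 64          # assumed element nesting ceiling


class XmlPolicyViolation(Exception):
    """Raised inside an expat callback; expat stops parsing and re-raises it."""


def screen_xml(data):
    """Return (accepted, reason) for one inbound message."""
    if len(data) > MAX_BYTES:
        return False, "message exceeds %d bytes" % MAX_BYTES
    depth = 0
    parser = expat.ParserCreate()
    # Never load an external DTD subset, so parameter entities stay inert.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity expansion and malicious includes both need a DTD, so a SOAP
        # gateway can refuse any DOCTYPE outright.
        raise XmlPolicyViolation("DOCTYPE declaration is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XmlPolicyViolation("entity declaration '%s'" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise XmlPolicyViolation("external entity reference to %r" % sysid)

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise XmlPolicyViolation("nesting deeper than %d" % MAX_DEPTH)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except XmlPolicyViolation as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, "not well-formed: %s" % exc
    return True, "ok"


# Constructed samples (not captured traffic).
CLEAN_SOAP = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
              b'<soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body></soap:Envelope>')
ENTITY_EXPANSION = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "xxxxxxxxxx">'
                    b'<!ENTITY b "&a;&a;&a;&a;&a;">]><r>&b;</r>')   # small-scale expansion
MALICIOUS_INCLUDE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY inc SYSTEM "file:///some/local/file">]>'
                     b'<r>&inc;</r>')
DEEP_NESTING = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)
```

Because the rejection happens in the DOCTYPE callback, the hostile documents are dropped without the parser ever building the expanded entity text.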

Web services as a security risk

•One of the disadvantages of Web services is their ability to easily expose back-end systems to business partners and customers.
–Web services often leverage HTTP, a widely supported and unblocked protocol in most company networks.

•Traditional Web servers and proxy servers do not inspect XML and SOAP traffic for attacks.

Notes:

Many corporations allow inbound communications through port 80 in order to serve static Web pages or results from dynamic Web sites (Web applications). Calls to Web applications are considered lower in risk because they do not represent arbitrary calls to applications on the system itself. That is, an attacker might succeed in disrupting service on an application server, but the server system itself is not compromised.

Web services provide application functionality from a wide range of clients through the exchange of XML messages. Improper designs can expose sensitive applications that are otherwise not meant to be accessed by external users.

The holes in both IP firewalls represent unfiltered traffic that passes freely through an HTTP transport. Gateway servers within the demilitarized zone (DMZ) also do not inspect or validate incoming XML traffic, due to the performance penalties from performing such checks.


Solution: Integrate an XML-aware network layer

•Address performance and security concerns with XML-aware network devices that accelerate and secure XML processing.
–These network devices complement your existing network infrastructure.
–XML-aware network devices also offload processor-intensive XML processing and security tasks from your application infrastructure.

•SOA appliances provide a quick way to deploy an XML-aware network layer.

Notes:

The core issue is that traditional network architectures were not designed to handle XML-based traffic. Software-based solutions perform adequately with XML data, but they are not as fast as a dedicated hardware solution. Most hardware network devices simply do not understand XML data. SOA appliances provide a solution to both issues: a high-performance, hardware-based XML processing device.

SOA appliances in detail

•SOA appliances are purpose-built, easy-to-deploy network devices that accelerate and secure your XML and Web services deployments.

•Compared to software solutions, SOA appliances are:
–Simpler to manage
–Easier to scale
–Easier to secure
–Quicker to deploy
–More robust against attacks
–Provide lower total cost of ownership (TCO)

•IBM WebSphere DataPower SOA appliances are one of the leaders in the SOA appliance space.

DataPower SOA appliances: Built for security

•Sealed network-resident devices in a tamper-proof case

•No USB ports; auxiliary storage holds non-critical data only

•Optimized hardware, firmware, and embedded operating system

•Single signed and encrypted firmware image prevents attackers from installing arbitrary software

•By default, appliances ship with a locked-down configuration

•Secure hardware storage of encryption keys and locked audit log

•Minimized security vulnerabilities: few third-party software components, and not built on top of another operating system

DataPower SOA appliances: Purpose-built solution


DataPower SOA appliances provide both performance and security

•As a hardware solution, DataPower processes XML data near wire speed.

•DataPower appliances protect networks against traditional and new XML-based attacks.

•With DataPower, there is no compromise: you get both performance and security in one package.

Use cases for SOA appliances


1. Securing Web services
–Provide secure access of back-end systems to business partners and customers

2. Legacy integration and hub mediation
–Enable mainframe or legacy applications as Web services

3. Web services management–Monitor and shape Web service traffic through service level management

4. Portal acceleration–Speed up XML-to-HTML rendering for dynamic content generation

Use case 1: Securing Web services

•Traditional network security devices do not secure XML or SOAP-based traffic.
–By design, IP firewalls do not distinguish between Web browser traffic and application calls over HTTP.
–Externally facing Web services are not protected against XML-based attacks.

•Augment your existing network security infrastructure with XML-aware network devices as an XML firewall.

–First level:
•Deploy an XML security gateway to efficiently screen potential XML-based attacks at wire speed.
–Second level:
•Leverage existing application server security for additional processing.

Notes:

Standard IP firewalls protect the edge of your corporate network.


Complementing your existing network security infrastructure is a cluster of IBM WebSphere DataPower SOA appliances. These devices become a centralized gateway for all XML-based applications, including Web services. The DataPower appliances screen incoming and outgoing traffic for XML-based attacks, SOAP message validity, and compliance with the service's WSDL. IBM WebSphere DataPower SOA appliances can act as a security policy enforcement point (PEP), authenticating and authorizing incoming application requests.

DataPower services can forward information about the principal, in the form of security tokens or assertions. Application servers consume these security artifacts and enforce role-based security in the application.

Use case 2: Legacy integration and hub mediation

•DataPower SOA Integration Appliance XI50 features any-to-any transformation.
–The DataGlue engine within the DataPower SOA appliance uses XSL transforms to manipulate non-XML data.

–Quickly provide a Web service endpoint to COBOL applications without the use of complex connectors.

•As a gateway to legacy systems, Integration Appliance XI50 provides:
–Protocol bridging
–Data transformation

•DataPower SOA appliances can efficiently transform, route, and log messages among XML applications and Web services.

Notes:

With the Integration Appliance XI50, you do not need to modify your existing legacy applications. The DataPower SOA appliance acts as an IBM WebSphere MQ client to your existing GET and PUT queues on Message Broker. With a multi-protocol gateway DataPower service, Web service clients can now access your legacy applications.

Content-based routing

Notes:

1. A DataPower SOA appliance service endpoint receives an XML message representing a purchase order.

2. The document processing policy in the service routes the message to the latest version of the order fulfillment application, on the first application server.

3. This application server receives the bulk of the purchase orders.

4. A second message arrives at the same service endpoint. The message is sent from a client that uses the older version of the order fulfillment application. The routing action redirects the order to the previous version of the order fulfillment application, on the second application server.

Use case 3: Web service management

•In addition to monitoring against XML-based threats, XML-aware networks need to enforce service level agreements (SLA).
–Record the amount and duration of Web services requests
–Notify system administrators if service levels are not met
–Automatically reduce traffic frequency in order to avoid overloading back-end systems
–Limit or block traffic from a particular host

•DataPower SOA appliances can enforce an SLA in addition to a security policy.
–Service levels and monitoring can be applied at the endpoint, service, or operation level.

Enforce service level agreements with DataPower SOA appliances


Notes:

In the first case, one particular client sends more than 500 requests within a minute. According to the service level management policy, requests from the client are blocked for a fixed time period.

In the second case, another client makes more than 100 requests within a minute. Instead of blocking all subsequent requests, the policy reduces the rate of requests to a fixed frequency threshold for a certain time period.
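The two cases above worked through as a per-client policy, added here as an example (this is not DataPower's own service level management engine). The 500 and 100 requests-per-minute thresholds come from the notes; the block duration, shaping duration and shaped request interval are assumed values, and the request bursts are constructed.

```python
"""Two-tier per-client service level policy, as in the two cases above.
Added example, not DataPower code: the 500 and 100 requests-per-minute
thresholds come from the notes; block duration, shaping duration and the
shaped request interval are assumed values."""
from collections import deque


class SlaPolicy:
    def __init__(self, block_threshold=500, shape_threshold=100, window=60.0,
                 block_seconds=300.0, shape_seconds=300.0, shaped_interval=1.0):
        self.block_threshold = block_threshold
        self.shape_threshold = shape_threshold
        self.window = window
        self.block_seconds = block_seconds
        self.shape_seconds = shape_seconds
        self.shaped_interval = shaped_interval
        self.history = {}        # client -> deque of request timestamps
        self.blocked_until = {}  # client -> time at which a block expires
        self.shaped_until = {}   # client -> time at which shaping expires
        self.last_allowed = {}   # client -> timestamp of last forwarded request

    def decide(self, client, now):
        """Return 'allow', 'blocked' or 'throttled' for a request at time now."""
        if self.blocked_until.get(client, 0.0) > now:
            return "blocked"
        hist = self.history.setdefault(client, deque())
        hist.append(now)
        while hist and hist[0] <= now - self.window:  # sliding one-minute window
            hist.popleft()
        count = len(hist)
        if count > self.block_threshold:
            # First case: block every request from the client for a fixed period.
            self.blocked_until[client] = now + self.block_seconds
            return "blocked"
        if count > self.shape_threshold and self.shaped_until.get(client, 0.0) <= now:
            # Second case: shape the client down to a fixed frequency for a period.
            self.shaped_until[client] = now + self.shape_seconds
        if self.shaped_until.get(client, 0.0) > now:
            last = self.last_allowed.get(client, float("-inf"))
            if now - last < self.shaped_interval:
                return "throttled"   # above the shaped rate: hold back this request
        self.last_allowed[client] = now
        return "allow"


def simulate(policy, client, times):
    """Feed a constructed burst of request timestamps; return the decisions."""
    return [policy.decide(client, t) for t in times]
```

Note that a client heading for the block threshold passes through the shaping tier first, so with both tiers active its 101st request in the minute is already throttled before the 501st is blocked.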

Use case 4: Accelerate dynamic Web sites

•Dynamic Web sites use XML to pass information flexibly between application layers.
–Sites use XML to encapsulate data between different application layers.
–In the final step, the presentation layer transforms the XML data into an HTML Web page.

•However, XSL transformation creates performance problems on the Portal server.

•Offload processor-intensive XML transformation to the DataPower SOA appliance, significantly freeing up resources on the application server.

–Include XML-PI (processing instructions) in the raw XML response from the Portal server.

–The XML parser within the DataPower SOA appliance automatically applies the XSL transformation without additional configuration.

Notes:

Within an SOA, XML is widely becoming the choice for encapsulating data between different systems. As a text-based protocol, XML suffers from performance issues compared to fine-tuned binary data formats. On the other hand, portal systems need to support a wide variety of clients, including Web browsers and mobile phones. Such systems use XSL transforms to convert the raw XML output into an HTML Web page, WML mobile phone Web page, or CHTML mobile phone page.

IBM WebSphere DataPower SOA Appliances provide an easy drop-in solution for offloading XML processing from portal servers. First, disable XSL transformation on the portal server. On most software packages, this task can be accomplished without affecting individual portlets or Web applications. Then configure the portal server to name a transformation style sheet in the processing instruction section of the XML document (XML-PI). As the PI header is part of the XML specification, any standards-based parser can apply the style sheet to the XML data. A DataPower XSL accelerator service automatically transforms the document as it parses the XML data.

Accelerate dynamic Web sites

Notes:

The final presentation layer rendering is offloaded from the portal server to the DataPower SOA appliance. Specified in the XML-PI (processing instruction) header, the XML parser within the DataPower SOA appliance automatically retrieves an XSL transform from a local directory or from a remote file server. The service applies the transform to the raw XML response. No additional configuration is necessary for the DataPower SOA appliance service.

The DataPower SOA appliance returns a properly formatted HTML Web page to the original client.
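How the stylesheet processing instruction in a portal response is read, and how the href can be vetted before the transform is fetched from the local directory or file server, as an added example (not DataPower code). The pseudo-attribute syntax (type, href, ...) is from the W3C recommendation on associating style sheets with XML documents; the allowed local location and trusted host are assumptions, and the portal response is constructed.

```python
"""Read the xml-stylesheet PI from a portal response and check its href against
an allow-list before the accelerator fetches the transform. Added example, not
DataPower code; ALLOWED_LOCAL_PREFIX and ALLOWED_REMOTE_HOSTS are assumed."""
import re
import xml.parsers.expat as expat
from urllib.parse import urlparse

ALLOWED_LOCAL_PREFIX = "local:///xsl/"              # assumed appliance-local directory
ALLOWED_REMOTE_HOSTS = {"xsl.portal.example.com"}   # assumed trusted file server

# Pseudo-attributes inside the PI look like name="value" or name='value'.
_PSEUDO_ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


def find_stylesheet_pi(xml_bytes):
    """Return the pseudo-attributes of the first xml-stylesheet PI, or None."""
    found = []

    def on_pi(target, data):
        if target == "xml-stylesheet" and not found:
            found.append({m.group(1): m.group(2) if m.group(2) is not None
                          else m.group(3) for m in _PSEUDO_ATTR.finditer(data)})

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.Parse(xml_bytes, True)
    return found[0] if found else None


def stylesheet_allowed(href):
    """Accept only transforms from the local directory or a trusted https host."""
    if href.startswith(ALLOWED_LOCAL_PREFIX):
        return ".." not in href          # stay inside the stylesheet directory
    url = urlparse(href)
    return url.scheme == "https" and url.hostname in ALLOWED_REMOTE_HOSTS


def select_stylesheet(xml_bytes):
    """Return the href the accelerator may apply, or None when the response
    carries no usable or no permitted XSL processing instruction."""
    pi = find_stylesheet_pi(xml_bytes)
    if not pi or pi.get("type") != "text/xsl" or "href" not in pi:
        return None
    return pi["href"] if stylesheet_allowed(pi["href"]) else None


# Constructed portal response (not captured output).
PORTAL_RESPONSE = (b'<?xml version="1.0"?>'
                   b'<?xml-stylesheet type="text/xsl" href="local:///xsl/portal-html.xsl"?>'
                   b'<page><title>Account summary</title></page>')
```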

Introduction to DataPower SOA appliances

IBM WebSphere DataPower product line


Notes:

•IBM WebSphere DataPower Integration Appliance XI50: http://www.ibm.com/software/integration/datapower/xi50/

•IBM WebSphere DataPower XML Security Gateway XS40: http://www.ibm.com/software/integration/datapower/xs40/

•IBM WebSphere DataPower XML Accelerator XA35: http://www.ibm.com/software/integration/datapower/xa35/

•IBM WebSphere DataPower Low Latency Appliance XM70: http://www.ibm.com/software/integration/datapower/llm_xm70/

•IBM WebSphere DataPower B2B Appliance XB60: http://www.ibm.com/software/integration/datapower/b2b_xb60/

XML Accelerator XA35 features

•Accelerate dynamic content generation
–Transform XML data into any presentation layer format at wire speed

•Offload XML manipulation through industry standard API
–Perform XML processing and transformation on XA35 through the Java API for XML Parsing (JAXP)

XML Security Gateway XS40 features

•XML and Web services security provides:
–XML denial-of-service protection
–Field-level message encryption and digital signature
–Web services access control at the operation, interface, or endpoint level
–Service virtualization to abstract service endpoints within your network
–Authentication, authorization, and auditing (AAA) framework supporting a variety of user password, security token, and other identity information from requests
–Centralized policy management enforced by a cluster of SOA appliances
–Service level management, policy management, and Web services management support

•Includes all XML acceleration features from XA35 appliance

Integration Appliance XI50 features

•Acceleration of existing integration hubs
–Processor-intensive tasks such as XSLT processing, routing, and legacy-to-XML conversion can be offloaded to the XI50.

•Mainframe modernization with Web services
–XML-to-any conversion allows mainframe applications to be virtualized as Web services.

•Manage non-XML traffic as easily as XML data
–Parse and transform arbitrary binary, flat text, and XML messages.
–No custom programming needed to manipulate messages.

•Support for popular messaging systems
–XI50 appliances act as an IBM WebSphere MQ client.

•Includes all security and acceleration features from the XS40 and XA35 appliances, respectively.


WebSphere DataPower Low Latency XM70

•Low Latency Messaging (LLM) appliance for high throughput messaging

•Enhanced QoS and performance with purpose-built hardware
–High speed message routing and filtering
–Optimized to bridge between leading standard messaging protocols such as WebSphere MQ, Tibco, WebSphere JMS, HTTP, and HTTPS

•Simplified deployment, configuration, and management providing rapid configuration of LLM-based applications

•Govern low latency multicast and unicast messaging through consolidated processing point

Notes:

The XM70 appliance is deployed in environments such as financial markets that require rapid high-volume message exchange. It can exchange native LLM messages, XML, or FIX messages using IP multicast or unicast (point-to-point). It also contains functionality from the multi-protocol gateway to integrate with LLM and non-LLM protocols, such as JMS, MQ, and TIBCO EMS. The functionality is packaged into an appliance, providing simplified deployment, configuration, and management.

WebSphere DataPower B2B Appliance XB60

•Purpose-built B2B gateway for simplified deployment and hardened security

•Extend integration beyond the enterprise with a securely deployed B2B gateway in the DMZ

•Easily manage and connect to trading partners using industry standards

•Improve the performance and scalability of B2B interfaces

•Govern B2B integration points through consolidated trading partner management

Notes:


The XB60 enables exchange of B2B messages, specifically AS2 and AS3 messages with trading partners. It offloads B2B functionality from a trading manager such as WebSphere Partner Gateway. It can be deployed in the DMZ, providing B2B security and integration at the edge of the network. It includes the WS-proxy and multi-protocol gateway to provide enhanced messaging capabilities, such as trading binary documents.

Since it is deployed as a network device, it provides governance and management of B2B transactions within the enterprise.
