- Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload
- Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution
- Physical appliance that is purpose-built and tamper-evident, with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO
- Provides high levels of certified security assurance, e.g. transport protocol security (SSL/TLS), message-level security, and authentication, authorization, audit
- Simplified maintenance model: drop-in appliance form factor, secures traffic in minutes, and push-button flash upgrade process
- Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold
- Virtual appliance provides deployment flexibility & reduced cost for development and test environments
© 2013 IBM Corporation
DataPower appliances used across a variety of scenarios
[Figure: DataPower deployed between a Consumer and an Application or Service, alongside System z and IBM Integration Bus; labelled scenarios include 1 Security Gateway (Web Services/Apps/APIs) and 4 Internal Security Enforcement]
- Secure, control, integrate & optimize multiple applications without code changes
- Lower cost and complexity
- Enable new business with unmatched performance
[Figure: the four capability areas Secure, Control, Integrate, Route & Optimize; Clients (including a Malicious Appl) send an in-the-clear request, DataPower forwards an encrypted and signed request to Service Providers, including Cobol/MQ back ends]
DataPower Family
Banking
- Majority of the big US and European banks
- All of the big 5 Canadian banks
- Numerous regional banks and credit unions
Insurance
- Used by 95% of top global insurance firms
- SaaS providers, ASPs, regulators, etc.
[Figure: DataPower as a rock-solid platform in the DMZ, between a firewall facing the Internet and a firewall facing the Intranet; secure access to web and legacy applications and mission-critical data through Authentication, Authorization and User Federation; converged security enforcement with z/OS RACF for user I&A and authorization; certs/keys; leverages enterprise security and policy managers]
Protect data and other resources on the appliance and protected servers:
- System availability: protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network; only allow valid messages through
- Identification and Authentication: verify identity of network users
- Authorization: protect data and other system resources from unauthorized access
Protect data in the network using cryptographic security protocols:
- Data End Point Authentication: verify who the secure end point claims to be
- Data Origin Authentication: verify that data was originated by claimed sender
- Message Integrity: verify contents were unchanged in transit
- Data Confidentiality: conceal clear-text using encryption
Protection of data plus XML & JSON threat protection
- Use DataPower to help resolve PCI compliance issues
- Easily sign, verify, encrypt, decrypt any content
- Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
- Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, M
JSON Threat Protection limits:
- Label - Value Pairs
- Label String Length (characters)
- Value String Length (characters)
- Number Length (characters)
- Maximum nesting depth (levels)
- Maximum document size (bytes)
XML Threat Protection covers:
- Entity Expansion/Recursion Attacks
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Replay Attack
- Message/Data Tampering
- Message Snooping
- XPath or SQL Injection
- XML Encapsulation
- XML Virus
- Many others
[Figure: AAA policy processing stages (Extract Identity, Authenticate, Map Identity, Extract Resource, Map Resource) and the methods available at each. Identity extraction and authentication methods include HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, System/z NSS (RACF, SAF), HTML Form, IBM Security Access Manager, OAuth, Netegrity SiteMinder, LDAP/Active Directory, RADIUS, SAML, XACML, Tivoli Federated Identity and Custom. Identity mapping options include Add WS-Security, Generate z/OS ICRX Token, Verify Signature, Generate Kerberos, Generate SPNEGO, Generate SAML, Generate LTPA and Custom. Resource extraction options: URL, XPath, SOAP Operation, HTTP Operation, Custom]
[Figure: Security Gateway deployment. Partner Apps and SaaS reach the gateway over the Internet through a Protocol Firewall (HTTP(s)) and a Domain Firewall; the gateway proxies to the ESB, Proprietary Apps and Data. Supported formats: HTML, JSON, XML, SOAP, MIME, DIME, MTOM. Security standards: XMLDSIG, XMLENC, WS-Security, WS-SecurityPolicy, WS-Trust, SAML, OAuth 2.0. Incoming access control: ACL and threat protection. Identity and policy stores: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other)]
Solution
- Implemented WebSphere DataPower to form the Web services backbone
- Through content-based routing, security policy
Benefits
- Secure SOA on standards-based platform
- Easily reuse Web services throughout enterprise
- Boosts productivity of IT staff
- Substantially shorten time to market for new services
[Figure: solution architecture; labels include Identity Mgmt]
Centralized Service Governance & Policy Enforcement
- Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services
- DataPower can subscribe to or poll web services information from WSRR
  - Automatically expose services and policies in DataPower via WSRR subscription
  - Include WS-Policy, WS-SecurityPolicy statements via WS-PolicyAttachment
  - Retrieve WSDLs by specific version number
  - Dynamically retrieve run-time routing information from WSRR
- Complete SOA Governance solution
  - WSRR for web service life-cycle policy management
  - DataPower for web service run-time policy enforcement
[Figure: WSRR (Policy Administration Point) and ITCAM for SOA (Policy Monitoring Point) alongside DataPower]
Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
- Frequency based on concurrency OR based on messages per time period
- Take action when exceeding a custom threshold: Notify (or log), Shape (or delay), Throttle (or reject)
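The two counting modes and three threshold actions from the SLM slide, as an added example written for this page (illustrative code, not DataPower's implementation; the `Threshold`/`SlmPolicy` shape is an assumption). Rejected messages stay counted in the window so that a burst cannot reset its own quota, while only messages actually forwarded count as in flight.

```python
"""SLM-style quota enforcement: count by concurrency or by messages per
period, and answer with notify (log), shape (delay) or throttle (reject).
Added example, not DataPower code; config shape is assumed."""
from collections import deque
from dataclasses import dataclass, field

# Severity order used when several thresholds are exceeded at once.
RANK = {"notify": 1, "shape": 2, "throttle": 3}


@dataclass
class Threshold:
    limit: int      # action fires once the observed count exceeds this
    action: str     # "notify", "shape" or "throttle"


@dataclass
class SlmPolicy:
    """Assumed configuration shape (not DataPower's object model)."""
    period_seconds: float
    per_period: list = field(default_factory=list)   # Threshold list
    concurrency: list = field(default_factory=list)  # Threshold list
    _stamps: deque = field(default_factory=deque)    # arrivals in window
    _inflight: int = 0

    def on_request(self, now):
        """Register one arriving message at time `now` (seconds) and return
        the action to apply: "allow", "notify", "shape" or "throttle"."""
        # Sliding window: forget arrivals older than one period.
        while self._stamps and now - self._stamps[0] >= self.period_seconds:
            self._stamps.popleft()
        self._stamps.append(now)
        self._inflight += 1
        hits = [t for t in self.per_period if len(self._stamps) > t.limit]
        hits += [t for t in self.concurrency if self._inflight > t.limit]
        if not hits:
            return "allow"
        action = max(hits, key=lambda t: RANK[t.action]).action
        if action == "throttle":
            self._inflight -= 1   # a rejected message never reaches the back end
        return action

    def on_response(self):
        """Back end answered: one forwarded message is no longer in flight."""
        self._inflight -= 1
```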
Application Optimization Example
[Figure: a public User sends requests to a WAS Application in the enterprise; under High Load the response is Slow (>10s). With DataPower in front, the application sees Improved Load]
Manage Traffic with Application Fluency
2. DataPower enables application aware traffic management
Example request from the slide:
PUT /joe/todos HTTP/1.1
Host: joe.org
Content-Type: application/json
Content-Length: 69

{ "Task" : "AddEntry", "Detail": "Waste time." }
[Figure: User, DataPower and WAS Application, with Improved Load and Improved Response Time]
Cache at the edge(s)
4. Application results are cached at the edge using XC10 caching grid OR locally on-box
[Figure: User, DataPower, WAS Application (REST) and DataPower XC10, with Low Load on the application and a Fast Response to the User]
Using XC10 As a Side Cache For DataPower
1. Client submits application request.
2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards request to target Provider.
4. XI adds application response to XC10.
5. Client receives response from XI.
Easily integrates into the existing business process:
- No code changes to the client or back-end application
- Simply add the side cache mediation
- Significantly reduces the load on the back-end system by eliminating redundant requests
- Improve client observed response time
[Figure: DataPower XI Appliances between the User and the Provider, with DataPower XC10 as the side cache over REST; the numbered steps above are shown on the flow, with Improved Load on the Provider and Improved Client Response Time]
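The five-step side-cache flow above, as an added example written for this page (not DataPower or XC10 code): a dict stands in for the XC10 grid, a callable stands in for the target Provider, and the `cacheable` rule is an assumption that keeps one client's private response from being replayed to another.

```python
"""Side-cache mediation following the five-step XC10 flow: look up, forward
on a miss, store, answer. Added example; grid and provider are stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class SideCache:
    provider: Callable[[str, str], Response]          # (method, path) -> Response
    grid: Dict[Tuple[str, str], Response] = field(default_factory=dict)  # "XC10"
    provider_calls: int = 0                           # load seen by the back end

    @staticmethod
    def cacheable(method: str, resp: Response) -> bool:
        # Store only idempotent GETs that succeeded and that the provider did
        # not mark private/no-store; otherwise one client's personalised
        # answer would be served to every later client using the same key.
        cc = resp.headers.get("Cache-Control", "").lower()
        return (method == "GET" and resp.status == 200
                and "no-store" not in cc and "private" not in cc)

    def handle(self, method: str, path: str) -> Tuple[Response, bool]:
        """Steps 1-5 of the slide; returns (response, served_from_cache)."""
        key = (method, path)                   # step 2: parse and query XC10
        hit = self.grid.get(key)
        if hit is not None:
            return hit, True                   # step 5, skipping the provider
        self.provider_calls += 1               # step 3: forward on a miss
        resp = self.provider(method, path)
        if self.cacheable(method, resp):
            self.grid[key] = resp              # step 4: add response to XC10
        return resp, False                     # step 5


def demo_provider(method: str, path: str) -> Response:
    """Constructed back end: a public catalogue and a per-user account page."""
    if path.startswith("/account"):
        return Response(200, {"Cache-Control": "private"}, b"balance for this user")
    return Response(200, {}, b"catalogue page")
```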
DataPower XI52 + XC10: Travel and Transportation
[Figure: DataPower in front of Message Oriented and Legacy Apps, Worklight and WAS ND; consumers use e.g. REST (JSON/XML) over HTTPS, providers e.g. SOAP Web Apps and Services over HTTPS]
Capabilities:
- SSL Offload
- Threat Protection
- Rate Limiting
- Validation, Filtering (now with Native JSON Support**)
- Authentication
- Authorization
- Security Token Translation
- Transformation
- Content-Based Routing
- Intelligent Load Distribution (now with On Demand Router for WAS ND**)
- Response Caching Locally or to XC10**
IBM Worklight (multi-device development):
- Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices**
- Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**
** Available in IBM API Management 2.0
Integration Scenario
[Figure: Partner Apps and SaaS connect over the Internet through the Protocol Firewall and Domain Firewall to a DataPower Security Gateway in the DMZ, which integrates with Packaged Apps, Proprietary Apps, Data, LDAP, IMS Connect and DB (with ACLs) over HTTP, WMQ(s), WS JMS, TIBCO EMS, FTP, ODBC, JMS and NFS; Cobol/MQ back ends behind an MQ Queue Provider are exposed over SOAP/HTTP(s)]
- Content based routing / Intelligent content based routing
- AAA, Threat protection
- Message enrichment
- Message validation & filtering
- Message transformation
- Intelligent load distribution
- Traffic control / Rate limiting
- Local and distributed caching
- Transport protocol translation
UK Government Agency enables integration capabilities using DataPower
Challenge
- Data held in the back-end systems vital to delivering citizen services, fraud detection across various layers of the Governments across the EU
- Vulnerable back-end services
- Security
- Capacity/SLA
- Consistent usability experience for internal or external service consumers
Solution
- DataPower in key network zones within and outside of the department
- Thorough content-based validation, routing, and security policy enforcement
- Integrated seamlessly into heterogeneous environment, increasing interoperability & promoting reuse
Benefits
- Ease of integration
- Security assurance of the architecture
- Secure SOA on standards-based platform
- Consistent experience and policy for all users
[Figure: Other UK Departments, Other EU Countries and Internal Users reach the Government network through DataPower gateways to an Integration Layer fronting Core Services and Core Data]
Security & Integration Scenario: Financial Firm
Benefits
- Create customer interaction and value through innovative business strategy.
- Integrate various suppliers using standards based interfaces securely.
- Graphical configuration driven appliance; short learning curve
[Figure: Client reaches DataPower over SOAP/HTTP; DataPower connects to customer & product related applications and systems on Z: an IMS Application via CCB/MQ, MQ Server, MQ Bridge and OTMA, and DB2 via DRDA]
Enhanced value for System z & IMS
- New integration capabilities between DataPower and IMS
- IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
[Figure: IMS Callout: IMS applications (App1, App2) call out through OTMA and IMS Connect over TCP/IP to DataPower, which acts as Service Consumer toward an external Service Provider over SOAP/REST; a second path shows a Client reaching IMS through DataPower]
Challenge
- AS2, File and Web Services based interfaces to 100s of B2B customers. Messages are exchanged at least once a day
- Secure proxy solution in the DMZ
- Complex incumbent supplier chain
Benefits
- Create customer interaction and value through innovative business strategy.
- Integrate various suppliers using standards based interfaces securely.
- Graphical configuration driven appliance; short learning curve
UK Logistics and Distribution
[Figure: External Systems connect through DataPower to Internal Systems]
DataPower Appliances Benefits
IBM Redbooks: http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
YouTube: http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
DataPower Podcasts: http://www.ibm.com/podcasts/software/websphere/datapower/index.rss
www.ibm.com/software/integration/datapower
We love your feedback!
Don't forget to submit your Impact session and speaker feedback!
Your feedback is very important to us; we use it to improve next year's conference.
Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
- Use the session ID number to locate the session
- Click the Take Survey link
- Submit your feedback
Industry Pains:
- HIPAA Security requirements for transporting data over the Internet
- HL7 v3.0 XML threat protection
- Complexity of B2B for healthcare
Smarter Business Outcomes:
- Reliable and secure routing of customer sensitive data
- Easy to use and maintain; no additional skill needed
- XML Messages with attachments are authenticated, authorized, and virus scanned
[Figure: B2B exchange between Partner A and Partner B, with a Transaction Viewer accessed from a Browser]
Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
Application Optimization
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance.
Application Optimization
- Application Intelligence
- Application Security
- SSL Acceleration
SOA Optimization
- XML Intelligence
- XML Security
- Routing, Transformation, Mediation
[Figure: Consumer to Application paths through DataPower, including applications on System z]
Application Optimization
- Self Balancing: self balance across a cluster of appliances
  - Replace front-end IP load balancer
  - New support (introduced in firmware version 4.0.2) enables connections to be preserved, without loss, during failover scenario
- Dynamic and Intelligent Load Distribution to backend systems
  - Replace backend load balancer
[Figure: appliance cluster in front of back-end systems; front-end IP load balancers not needed]
Application Optimization
Provides application-aware Intelligent Load Distribution
- Auto-discovers application targets and distributes load using dynamic feedback mechanism
- Topology learning for WAS ND and VE
- Uses intelligent weighted distribution algorithms based on current server load
- Weighted Least Connection load balancing algorithm
- Provides several options for enabling Session Affinity
[Figure: unclassified requests distributed across Service Providers]
Any-To-Any Message Transformation
- Transform the message format with ultimate flexibility
- Leverage WebSphere Transformation Extender for data mapping
[Figure: Input Message (XML, TEXT or binary) transformed to Output Message (XML, TEXT or binary), with maps built in WebSphere TX Design Studio]
Integration
Transport Protocol Translation
- Integrate disparate transport protocols with extreme ease
- No dependencies between inbound front-side and outbound back-side
- Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
- Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only-once message patterns
[Figure: DataPower bridging HTTP(s), WebSphere JMS, WebSphere MQ and MQ FTE, TIBCO EMS, FTP(s), SFTP, NFS, IMS and Database (DB2, SQL Server, Oracle, Sybase)]
IMS Integration
Web Services Enablement for IMS-based Services
[Figure: Client reaches DataPower over SOAP/HTTP; DataPower reaches the IMS Application through CCB/MQ, MQ Server, the MQ Bridge and OTMA]
IMS Integration
Web Services Enablement for IMS-based Services (contd)
[Figure: Client reaches DataPower over SOAP/HTTP; DataPower reaches IMS applications (Appl1 to Appl6) through CCB/TCP, IMS Connect with a user exit (e.g. HWSSMPL0) and OTMA]
IMS Integration
IMS Connect Reverse Proxy
[Figure: DataPower acts as a reverse proxy for IMS Connect over TCP, fronting IMS applications Appl1 to Appl3 through OTMA]
DB2 Integration
Information as a Service
[Figure: Client reaches DataPower over SOAP/HTTP; DataPower reaches DB2 over DRDA]
CICS Integration
Web Services Security and Management for CICS Web Services
[Figure: Client reaches CICS Web Services through DataPower]
CICS Integration
Web Services Enablement for CICS Applications
[Figure: Client reaches DataPower over SOAP/HTTP; DataPower reaches the CICS Application through CCB/MQ, MQ Server and the CICS Bridge]
[Figure: B2B flow between Partner A and Partner B: a WS Client sends SOAP to a Web Service Proxy, which relays AS2 over the Internet to Partner B; messages are kept in the Data Store, handled by the Web Service Process, and are visible in the Transaction Viewer from a Browser (numbered steps 2 to 7)]
Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and sending data over any of the 16 supported protocol handlers. When Services are tied together in front of or behind a B2B Gateway Service they are handled like pre and post processes.
MQ FTE Integration Pattern: Inbound File to Message
[Figure: a Trading Partner sends a file over the Internet to the B2B Gateway Service on an XB62/XB60 in the Enterprise network, which hands it to an MQFTE Agent for transfer between queue managers to the target Applications (steps 1 to 6, with 2a to the Data Store); labels include Browser (Admin), Queue Server, Source Queue Manager, Agent Queue Manager, Target Queue Manager, Profile Mgmt, Data Mgmt Store, Transaction Viewer, Logger DB (DB2 or Oracle), MQ Explorer, Browser (Partner view) and Browser (LOB User)]
ebXML with CPPA Pattern
[Figure: ebMS (ebXML) messages cross the Internet from External Partners through the DMZ (Public Network) to a WebSphere DataPower B2B Appliance on the Secured Network, which returns an ebMS Ack and routes to internal Applications; Collaboration Protocol Agreement entries (keyed by CPAId) link External Partner Profiles to Internal Partner Profiles, with a Transaction Viewer in a Browser (steps 1 to 4)]
Health Level 7 3.x to 2.x Transform Pattern
[Figure: Partner A, a Hospital, sends HL7 V3 over AS2 across the Internet to the B2B Appliance (B2B Hub) of Partner B, a Regional Healthcare Center; the B2B Gateway Service returns an AS2/MDN, validates the XML and transforms HL7 V3.x to any V.2.x format, and delivers to the Healthcare Applications over any transport; External and Internal Profiles govern each side, with a Transaction Viewer (steps 1 to 6)]
Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack
[Figure: a Trading Partner sends AS2 (HL7) over the Internet to the B2B Gateway Service on an XB62 at the Healthcare Provider and receives an AS2 MDN (steps 1, 2, 2a); the gateway passes HL7 over WebSphere MQ to the WebSphere Healthcare Connectivity Pack (step 3), which forwards XML/HTTP and HL7/MLLP to the Clinical Trials System, Billing System, Patient Administration System and Pharmacy (steps 4, 5); AS2 Profile, Data Mgmt Store, Transaction Viewer and Browsers (Admin, Partner view) are shown]