
DataPower – The Perfect Combination of Hardware and Software

2007 IBM developerWorks Developer Conference

Matt Lee, IBM China Software Development Lab

© 2007 IBM Corporation


IBM developerWorks| Oct 2007

Agenda

What is “Appliance”
Why do we need Appliance
DataPower
– What’s DataPower SOA Appliance?
– Use cases
DataPower and Web2.0
Summary


What is “Appliance”

Wikipedia:

– Appliance may refer to a device with a narrow function:

– Home appliance, routine household tasks, using electricity or some other energy input.

– Small appliances

– Major appliances

– In medicine and dentistry, custom-fitted appliances to an individual for the purpose of correction of a physical or dental problem such as prosthetic, orthotic appliances, and dental braces.

– Computer appliance, a computing device with a specific function and limited configuration ability

– Fire apparatus, a fire engine or fire truck in British English


What is “Appliance” Cont.

Software Appliance

– Software application combined with just enough operating system (JeOS) for it to run optimally on industry standard hardware (typically a server) or in a virtual machine.

Virtual Appliance

– Software appliance packaged in a virtual machine format

Hardware Appliance

– Software appliance installed on a piece of hardware prior to delivery to the customer


Why do we need Appliance?

Customers want an easier way to

– Install

– Configure

– Deploy solutions

Customers also want a solution

– All tested together

– Easier to maintain

With hardware, we

– Improve performance, taking DataPower as an example


DataPower


IBM’s acquisition of DataPower

Software
Skills & Support
An SOA Appliance…

WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.

Simplifies SOA with specialized devices
Accelerates SOA with faster XML throughput
Helps secure SOA XML implementations

Creating customer value through extreme SOA performance and security


IBM SOA Appliance Product Line
Specialized network devices simplify, help secure & accelerate SOA

XML Accelerator XA35
– Accelerates XML processing and transformation
– Increases throughput and reduces latency
– Lowers development costs

XML Security Gateway XS40
– Helps secure SOA with XML threat protection and access control
– Combines Web services security, routing and management functions
– Drop-in, centralized policy enforcement
– Easily integrates with existing infrastructure and processes

Integration Appliance XI50
– The ESB appliance
– Transforms messages (Binary to XML, Binary to Binary, XML to Binary)
– Bridges multiple protocols (e.g. MQ, HTTP)
– Routes messages based on content and policy
– Integrates message-level security and policy functions


IBM SOA Appliance Deployment Summary

[Figure: deployment diagram. Tiers: Internet; IP Firewall; Web Tier; Security; Integration & Management Tiers. Labels: XA35 (XML/XSL in, XML/HTML/WML out; client or server); XS40 (HTTP XML request and response; Web Services client; Tivoli Access Manager / Federated Identity Manager); XI50 (legacy request and response; reply queue); Application Server; Web Server; DataPower XS40; WebSphere App Server; MQ Server; Web service client; Nortel L7 Module; Tivoli NetView; ITCAM for SOA; Client]


Why an Appliance for SOA?

Integrated
– Many functions integrated into a single device
– Addresses the divergent needs of different groups (architects, operators, developers)
– Integrates well with other IBM SWG and standards-based products

Hardware reliability
– Dual power supplies, no spinning media, self-healing capability, failover support

Security
– Higher levels of security assurance certifications require hardware (HSM, government criteria)
– Inline application-aware security filtering and intrusion protection

Higher performance with hardware acceleration
– Wire-speed application-aware parsing and processing
– Ability to perform costly XML security operations without slowdowns

Consumability
– Simplified deployment and management: up in minutes, not hours
– Reduces need for in-house SOA skills & accelerates time to SOA benefits


Typical DataPower Use Cases

Monitoring and control
– Example: centralized ingress management for all Web Services using ITCAM SOA

Deep-content routing and data aggregation
– Example: XPath (content) routing on Web Service parameters

Functional acceleration
– Example: security processing; WSS encryption, decryption, authentication, signatures

Application-layer security and threat protection
– Example: XML Denial-of-Service protection

Protocol and message bridging
– Example: Convert WS to legacy Cobol/MQ

[Figure labels: Clients; Service Providers; In-the-clear SOAP/HTTP; Malicious SOAP/HTTP; Encrypted and Signed SOAP/HTTP; SOAP; Cobol/MQ; Cobol/MQ Appl]


Use Case: Monitoring and Control

Enforcement point for centralized policies
– WS Registry and Repository integration
– Support for WS-Policy forthcoming

Centralized monitoring and management point for all WS traffic
– Out-of-the-box service-level monitoring and throttling
– ITCAM SOA provides dashboard
– Centralized logging

[Figure labels: Service Requester; Service Provider; Centralized monitoring; ITCAM SOA]


Web Services Management (WSM)
Service Level Management

Configure and install in minutes
Hierarchical Service Level at WSDL, service, port, operational level
Flexible actions when reaching a threshold: notify/alert, shape, throttle
Threshold for both overall requests and failures
Graphical display


Use Case: Deep-Content Routing/Aggregation

Route based on
– IP information
– SSL parameters
– HTTP headers
– XPath on XML/SOAP

Load balancing

Enrich and aggregate messages with data from
– A remote Web Service
– A database

[Figure labels: Unclassified Requests; DataPower; XPath Routing; Service Providers; Message enrichment; SQL; DB]


Use Case: Application-layer Security and Threat Protection

Filter based on:
– IP criteria
– SSL information
– HTTP header
– XPath on SOAP/XML

XDoS protection
Well-formedness checking
Schema validation

Message security
– WS-Secure Conversation
– WS-Trust
– WS-Policy (coming)

Access control
– TAM, TFIM, RSA, Netegrity, Oblix, ...
– SAML 2.0 (partial)
– LDAP, RADIUS, XKMS

[Figure labels: Service Originator; Malicious SOAP/XML; XDoS protection; Access is blocked; Service Provider]


XML Threats
Security Risks Growing

– XML well-formedness checking
– XML schema validation
– XML Entity Expansion and Recursion Attacks
– XML Document Size Attacks
– XML Document Width Attacks
– XML Document Depth Attacks
– XML Wellformedness-based Parser Attacks
– Jumbo Payloads
– Recursive Elements
– MegaTags – aka Jumbo Tag Names
– Public Key DoS
– XML Flood
– Dictionary Attack
– Message Tampering
– Data Tampering
– Message Snooping
– XPath Injection
– SQL injection
– Routing Detour
– Schema Poisoning
– Memory Space Breach
– XML Encapsulation
– XML Virus
– Falsified Message
– Replay Attack
– …others
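
Several of the threats listed above (document size, width and depth, jumbo tag names, entity expansion, well-formedness-based parser attacks) can be refused while the message is still being streamed, before any application code sees it. The following is an added example, not code from the slides or from DataPower; the limit values, function names and sample messages are assumptions made for illustration.

```python
import xml.parsers.expat

# Hypothetical limits for this example; real values come from the service's schema.
LIMITS = {"bytes": 65536, "depth": 16, "width": 256, "name": 64}

# Constructed sample messages (not from the slides).
SAMPLES = {
    "soap": b"<Envelope><Body><AddTask><Task>Dry cleaning</Task></AddTask></Body></Envelope>",
    "deep": b"<a>" * 40 + b"</a>" * 40,
    "dtd": b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>',
}

class XmlRejected(ValueError):
    """The document broke a structural limit."""

def check_xml(data, limits=LIMITS):
    """Stream-parse data; return ('accept', metrics) or ('reject', reason)."""
    if len(data) > limits["bytes"]:
        return "reject", "document size"
    children = [0]  # children[i] = child elements seen so far at nesting level i
    seen = {"depth": 0, "width": 0, "elements": 0}

    def start(name, attrs):
        if len(name) > limits["name"]:
            raise XmlRejected("tag name length")
        children[-1] += 1
        if children[-1] > limits["width"]:
            raise XmlRejected("document width")
        if len(children) > limits["depth"]:
            raise XmlRejected("document depth")
        seen["width"] = max(seen["width"], children[-1])
        children.append(0)
        seen["depth"] = max(seen["depth"], len(children) - 1)
        seen["elements"] += 1

    def end(name):
        children.pop()

    def doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations, so nothing to expand or recurse.
        raise XmlRejected("DTD not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except XmlRejected as exc:
        return "reject", str(exc)
    except xml.parsers.expat.ExpatError:
        return "reject", "not well-formed"
    return "accept", seen
```

Because the handlers raise as soon as a limit is crossed, an oversized or deeply nested message is dropped after reading only the part that proves the violation.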


Access Control AAA Framework Diagram - Authenticate, Authorize, Audit

[Figure: DataPower AAA Framework. A SOAP/XML message enters, passes through the stages below, and leaves as a SOAP/XML message. An external access control server or on-board policy backs the decisions.]

Stages
– Extract Identity: SAML, WS-Security, SSL client cert, HTTP Basic-Auth
– Authenticate
– Map Credentials
– Extract Resource: Web Service URI, SOAP op name, transfer amount
– Map Resource
– Authorize
– Audit & Accounting: SAML assertion, non-repudiation, monitoring
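
The AAA stages named on this slide, written out as a small default-deny pipeline using HTTP Basic-Auth as the identity and the SOAP operation name as the resource. This is an added example, not DataPower's implementation or code from the slides; the user store, group names, action names and rule table are hypothetical, and the operation names are borrowed from the Todo List case study later in the deck.

```python
import base64
import hashlib
import hmac

SALT = b"example-salt"  # constructed; a real store uses a per-user random salt

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed on-board policy: every user, group and rule here is hypothetical.
USERS = {"jerry": kdf("correct horse")}
GROUP_OF = {"jerry": "todo-users"}                      # Map Credentials
ACTION_OF = {"GetHandle": "todo:use", "AddTask": "todo:use",
             "ShutDown": "todo:admin"}                  # Map Resource
ALLOWED = {("todo-users", "todo:use")}                  # Authorize
AUDIT = []                                              # Audit & Accounting

def extract_identity(headers):
    """Extract Identity from an HTTP Basic-Auth header; None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(identity):
    """Authenticate against the on-board store; return the user name or None."""
    if identity is None:
        return None
    user, password = identity
    stored = USERS.get(user, kdf(""))  # unknown users cost the same work
    match = hmac.compare_digest(stored, kdf(password))
    return user if match and user in USERS else None

def aaa(headers, soap_op):
    """Run one request through the stages and return 'permit' or 'deny'."""
    user = authenticate(extract_identity(headers))
    group = GROUP_OF.get(user)
    action = ACTION_OF.get(soap_op)      # Extract Resource = SOAP op name
    decision = "permit" if (group, action) in ALLOWED else "deny"
    AUDIT.append({"user": user, "op": soap_op, "decision": decision})
    return decision
```

Every request, permitted or denied, leaves an audit record, and anything not matched by an explicit rule (unknown user, unknown operation, missing header) falls through to deny.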


Use Case: Bridging

Application formats
– EDI
– Cobol CopyBook
– CORBA
– CICS
– ISO 8583
– CSV
– ASN.1
– ebXML
– Web 2.0

Transport protocols
– HTTP
– MQ
– SSL
– Compression

XSLT
– XPath 1.0 (with some 2.0)
– XSLT 1.0 (with some 2.0)
– Internal schema support
– External schema support

[Figure labels: Clients; SOAP/HTTP Request; DataPower (format and transport bridging); Cobol/MQ Request; MQ Queue Manager; Cobol/MQ Application (e.g. IMS, CICS)]


DataGlue’s “any-to-any” Transformation

[Figure: input message formats (XML, Text, Binary, Other) and output message formats (XML, Text, Binary, Other)]

Transform Disparate Data Formats (XML, Binary, Text, etc.)
Broker data between previously siloed systems
Simplifies Reuse of and Connectivity to existing systems
Promotes loose coupling
Transformation of data on the wire enables integration without coding


DataPower and Web2.0


Bridging Web (WOA) and Enterprise SOA?

Web: REST, JSON, XML, RSS, ATOM

Enterprise: DB2; Legacy (CICS, IMS); J2EE; App Server (WAS, CE, Tomcat); WPS, ESB, Portal; SOAP, WS-*; JMS; MOM

This is what Web 2.0 means to us (for now)


Web 2.0 Case Study: A Simple (yet Complex) “Todo List” Web Service

[Figure labels: SOAP Clients; Web Service (SOAP) Provider; operations GetHandle, AddTask, ShutDown]


Web 2.0 Case Study - DataPower SOA Value

Can add DataPower to enable management, acceleration, app-level threat protection, routing, and more

[Figure labels: SOAP Clients; Web Service (SOAP) Provider; operations GetHandle, AddTask, ShutDown]


Web 2.0 Case Study – JSON-RPC Bridging

Perform format translation from JSON to SOAP (and vice versa)

…{"Task": "Dry cleaning: shirt, pants, and 20% discount coupon"}…

[Figure labels: AJAX Clients; JSON; SOAP; Web Service (SOAP) Provider; operations GetHandle, AddTask, ShutDown]


Web 2.0 Case Study – Simplified REST Bridging

Hide underlying “conversational” exchange from the REST interface

POST /jerry/todos HTTP/1.1
Host: cuomo.org
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Type: text/xml
Content-Length: 62

<Item> Have fun: try the scenic drive up the Outer Banks</Item>

[Figure labels: REST Clients; SOAP; Web Service (SOAP) Provider; operations GetHandle, AddTask, ShutDown]


Another type of REST request to add another task


A REST request to get the task list in text


A REST request to get the task list in XML


Web 2.0 Case Study – ATOM Interface

Provide ATOM feed interface to back-end Web Service

[Figure labels: ATOM Feed Reader; HTTP GET /jerry/todos; SOAP getList; Web Service (SOAP) Provider]


Web 2.0 Case Study Summary

Enabled SOAP, JSON-RPC, REST, and ATOM interfaces with zero changes to backing Web Service using today’s DataPower XI50

[Figure labels: SOAP Clients; AJAX Clients; REST Clients; ATOM Reader; DataPower; Web Service (SOAP) Provider]


Summary – What we have discussed today:

What is “Appliance”
Why do we need Appliance
DataPower
– What’s DataPower SOA Appliance?
– Use cases
DataPower and Web2.0