Introduction to DataPower

Transcript

Page 1: Introduction to DataPower

DataPower Introduction

Page 2: Introduction to DataPower

DataPower SOA Appliance

DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, and dedicated SOA appliances that combine superior performance, hardened security, and integration for SOA implementations.

An SOA Appliance…

Simplifies SOA and accelerates time to value

Helps secure SOA XML implementations

Governs and enforces SOA/Web Services policies

Creates customer value through extreme SOA performance, connectivity, and security.

Page 3: Introduction to DataPower

Why an Appliance for SOA?

• Addresses the divergent needs of different groups

– Enterprise architects, network operations, security operations, web services developers

• Simplified deployment and ongoing management

– Drop-in appliance, secures traffic in minutes, integrates with existing operations

Hardened, specialized hardware for helping to integrate, secure & accelerate SOA

Many functions in a single device

– Service level management, dynamic routing, policy enforcement, transformation

Higher levels of security assurance certification

– FIPS 140-2 Level 3, Common Criteria EAL4

Higher performance with hardware acceleration facilitates security enforcement

Page 4: Introduction to DataPower

What is DataPower?

• Provides the flexibility of software in a hardware footprint

• Is quick to deploy – configuration, NOT coding or programming

• Typically takes days to integrate, NOT weeks or months

• Is a 1U 19” rack-mounted appliance – looks like a router

• Has minimal components and no stack of software; consequently DataPower is highly secure

• As attack points are minimised, DataPower is undergoing accreditation to Common Criteria EAL4

– This is a globally recognised check by an impartial third party that warrants the security claims made by IBM

Page 5: Introduction to DataPower

What Does DataPower Address ?

• XML is the language of Web Services and SOA

• XML is pervasive – in a matter of years, it will fuel every application, device, and document found in enterprise networks

• XML challenges

– XML is very ‘Verbose’

• XML is bandwidth intensive

• Has a direct impact on Application Server performance

• XML processing requires significant processor cycles and memory resources

– XML is effectively ‘Human readable’ Text

• It has no native security mechanisms

• It is readily understood and vulnerable to interception

• Security can be implemented on the application server but this is additional XML processing and adds to the performance problem

– SOA is not just Web Services and XML

• Customers need to integrate existing legacy systems, messaging formats and protocols into the SOA architecture.

• The ability to ‘transform’ legacy systems into the XML format is needed.


Page 6: Introduction to DataPower

What Does DataPower Address?

• XML Performance

– How? By offloading XML processing from the Application Server to DataPower in optimised hardware

– Thereby greatly reducing the required number of Application Servers

• XML Security

– How? By offloading XML security to DataPower

– Provides standards-based security – WS-Security

• Integrating XML and legacy systems

– How? By using DataPower to transform XML to legacy message formats and protocols, e.g.

• XML <> COBOL Copybook (brings a Mainframe into the SOA Architecture)

• XML > HTML (renders HTML content to Portal very rapidly)

• XML <> MQ Messaging

All of this is done at WIRESPEED

Page 7: Introduction to DataPower

WebSphere DataPower SOA Appliance Product Line

(Slide diagram: the five appliance models with their headline capabilities.)

XA35 – XML Accelerator

– Offload XML processing

– No more hand-optimizing XML

– Lowers development costs

XS40 – Enhanced Security Capabilities

– Centralized Policy Enforcement

– Fine-grained authorization

– Rich authentication

XI50 – Hardware ESB

– “Any-to-Any” conversion at wire-speed

– Bridges multiple protocols

– Integrated message-level security

XB60 – B2B Messaging (AS2/AS3)

– Trading Partner Profile Management

– B2B Transaction Viewer

XM70 – High volume, low latency messaging

– Enhanced QoS and performance

– Simplified, configuration-driven approach to LLM

– Publish/subscribe messaging

– High Availability

Across the product line: unparalleled performance; simplified management and configuration

Page 8: Introduction to DataPower

WebSphere DataPower Basic Use Cases

(Slide diagram: consumers on the Internet reach applications and System z in the trusted domain through appliances deployed in the DMZ. The numbered use cases are:)

1 B2B Gateway

2 Secure Gateway (Web Services, Web Applications)

3 Low Latency Gateway

4 Internal Security

5 Enterprise Service Bus

6 Web Service Management

7 Legacy Integration

8 XML Acceleration

Page 9: Introduction to DataPower

XML Accelerator XA35

Purpose-built hardware for presentation-tier transformation

• XML Pipeline processing accelerates XML/XSLT/XPath evaluation, increasing throughput and decreasing latency by offloading XML operations to the network

• Innovative drag-and-drop policy editor accelerates time to value and simplifies configuration and deployment

• Logical application domains allow individual “sandboxes” and facilitate configuration management through import/export features

• Multiple management interfaces serve varying needs of an organization, including browser-based WebGUI, command line CLI, and scriptable Web Services

• “The Original” DataPower XML Appliance

• Defines high performance architecture for all DataPower SOA Appliances

• Processes XML operations at “wire-speed”

• Ideal in an XSL-intensive HTTP presentation tier

Page 10: Introduction to DataPower

XML Security Gateway XS40

Purpose-built hardware for assuring confidentiality, authenticity, and non-repudiation

• Native support for WS-Security policy enforcement

• Extremely secure hardware design

• Integrate with a variety of authentication and authorization systems for real-time protection

• Ideal in front-line DMZ or internal security gateway

• XML/SOAP Firewall capabilities enable Layer 7 filtering on any content, metadata or network variable in a message

• Web Application Firewall service offers additional security, threat mediation, and content processing for other URL encoded HTTP-based applications

• Easily configurable field-level security options allow flexible enforcement of confidentiality, authenticity, and non-repudiation requirements

• Low latency architecture leverages hardware-acceleration for cryptographic operations

Page 11: Introduction to DataPower

Hardware Device for Improved Security

• Sealed network-resident appliance

– Optimized hardware, firmware, embedded OS

– Single signed/encrypted firmware upgrade only

– No arbitrary software

– High assurance, “default off” locked-down configuration

– Security vulnerabilities minimized (few third-party components)

– Hardware storage of encryption keys, locked audit log

– No USB ports, tamper-proof case

• Third party certification

– FIPS 140-2 level 3 HSM (option)

– Common Criteria EAL4

“The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed…”

- InfoWorld

Page 12: Introduction to DataPower

XML security threats are growing

DataPower provides hardened real-time protection against:

• XML Entity Expansion and Recursion Attacks

• XML Document Size Attacks

• XML Document Width Attacks

• XML Document Depth Attacks

• XML Wellformedness-based Parser Attacks

• Jumbo Payloads

• Recursive Elements

• MegaTags – aka Jumbo Tag Names

• Public Key DoS

• XML Flood

• Resource Hijack

• Dictionary Attack

• Message Tampering

• Data Tampering

• Message Snooping

• XPath Injection

• SQL injection

• WSDL Enumeration

• Routing Detour

• Schema Poisoning

• Malicious Morphing

• Malicious Include – also called XML External Entity (XXE) Attack

• Memory Space Breach

• XML Encapsulation

• XML Virus

• Falsified Message

• Replay Attack

• …others
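Most of the categories above are parser-resource and entity attacks, and a gateway defends against them by refusing documents that exceed fixed limits before any backend parses them. The following Python is an added example of such checks, not DataPower code or configuration, built on the standard library's expat parser; the limits and the sample messages are constructed for the example.

```python
import xml.parsers.expat

class XmlThreat(ValueError):
    """Raised with the threat category whose limit the document exceeded."""

def check_xml(data: bytes, *, max_bytes=65536, max_depth=32, max_width=256,
              max_name=64, max_nodes=10000) -> dict:
    """Stream `data` through expat, enforcing limits before any backend parses it;
    returns {"depth", "width", "nodes"} or raises XmlThreat. Limits are assumed values."""
    if len(data) > max_bytes:                       # XML document size attack
        raise XmlThreat("document size")
    stats = {"depth": 0, "width": 0, "nodes": 0}
    open_children = []                              # child count of each open element

    def start(name, attrs):
        stats["nodes"] += 1
        if stats["nodes"] > max_nodes:              # jumbo payload
            raise XmlThreat("jumbo payload")
        if len(name) > max_name:                    # MegaTags / jumbo tag names
            raise XmlThreat("jumbo tag name")
        depth = len(open_children) + 1
        if depth > max_depth:                       # document depth / recursive elements
            raise XmlThreat("document depth")
        stats["depth"] = max(stats["depth"], depth)
        if open_children:
            open_children[-1] += 1
            if open_children[-1] > max_width:       # document width attack
                raise XmlThreat("document width")
            stats["width"] = max(stats["width"], open_children[-1])
        open_children.append(0)

    def doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: internal entities drive entity expansion and
        # recursion, external ones drive XXE (Malicious Include).
        raise XmlThreat("entity expansion / XXE (DTD present)")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: open_children.pop()
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:     # well-formedness-based parser attack
        raise XmlThreat(f"well-formedness ({exc})") from None
    return stats

def verdict(data: bytes) -> str:
    """Gateway decision for one message: 'accept' or 'reject: <category>'."""
    try:
        check_xml(data)
        return "accept"
    except XmlThreat as exc:
        return f"reject: {exc}"

# Constructed sample messages
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><GetQuote><symbol>IBM</symbol></GetQuote></soap:Body></soap:Envelope>')
DTD_DOC = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
DEEP = b"<a>" * 40 + b"</a>" * 40
WIDE = b"<r>" + b"<i/>" * 300 + b"</r>"
MEGATAG = b"<" + b"x" * 100 + b"/>"
```

Rejecting the document at the first violated limit means a deep or wide payload is never fully parsed, which is the point of doing this at the gateway rather than in the application server.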


Page 13: Introduction to DataPower

Gartner: Web Services Security Best Practices

“Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware.”

-- John Pescatore, Gartner

• Build Expertise/Design From Strength

• Educate Business Leaders

• Build Centralized Infrastructure

– SSL is key

– Use management/security platforms

– Manage your identities

– You may need PKI

• Trust (Really) Your Partners

• Use OTS Web Services with Caution

• Monitor and Control

Provide System Security

– Inspect ALL traffic

– Transform all messages

– Mask internal resources

– Implement XML filtering

– Secure logging

– Protect against XML DoS

– Require good authentication mechanisms

Provide Message Security

– Sign all messages

– Validate messages (Inbound+Outbound)

– Time-stamp all messages

Ask for Compatibility

– SSL MA, SAML, X.509

– WS-Security

– WS-* extensions

Page 14: Introduction to DataPower

Access Control Integration Framework (AAA): Authenticate, Authorize, Audit

(Slide diagram: the AAA policy pipeline from input message to output message, backed by an external access control server or the onboard identity management store.)

Pipeline stages: Extract Identity and Extract Resource → Authenticate → Map Credentials and Map Resource → Authorize → Audit & Accounting

Identity and resource extraction sources: Transport Headers, URL, SOAP Method, XPath, WS-Security, SAML, X.509, Kerberos, Proprietary Tokens

Authentication and authorization back ends: LDAP, ActiveDirectory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, RACF, Proprietary

Also shown: SAML Assertion, Credential Mediation, IDS Integration, Monitoring
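As an added example that is not DataPower code, the pipeline in the diagram carried through in Python for one request: identity from an HTTP Basic header, resource from the SOAP method, authentication against an onboard store, credential and resource mapping, an authorization decision and an audit record. The user, roles, permissions and sample request are constructed for the example.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed onboard identity store and policy tables (assumed example data)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("s3cret", _SALT))}                      # user -> (salt, hash)
CREDENTIAL_MAP = {"alice": {"quote-reader"}}                                # map credentials -> roles
RESOURCE_MAP = {"GetQuote": "quotes:read", "PlaceOrder": "orders:write"}  # map resource -> permission
POLICY = {"quote-reader": {"quotes:read"}}                                  # role -> permissions

def extract_identity(headers: dict):
    """Identity from the transport: an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password

def extract_resource(url: str, body: bytes) -> str:
    """Resource from the message: the SOAP method (first child of soap:Body), else the URL."""
    # The body is assumed to have passed XML threat protection before reaching AAA.
    method = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body/*")
    return method.tag.split("}")[-1] if method is not None else url

def authenticate(user: str, password: str) -> bool:
    """Check the credential against the onboard store with a constant-time compare."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_pbkdf2(password, salt), digest)

def aaa(headers: dict, url: str, body: bytes):
    """Run the pipeline for one request; returns (allowed, audit_record)."""
    identity = extract_identity(headers)
    resource = extract_resource(url, body)
    if identity is None or not authenticate(*identity):
        user = identity[0] if identity else "-"
        return False, f"DENY authn user={user} resource={resource}"
    user = identity[0]
    roles = CREDENTIAL_MAP.get(user, set())
    permission = RESOURCE_MAP.get(resource)
    allowed = permission is not None and any(permission in POLICY.get(r, ()) for r in roles)
    outcome = "ALLOW" if allowed else "DENY authz"
    return allowed, f"{outcome} user={user} resource={resource} permission={permission}"

def basic_header(user: str, password: str) -> dict:
    """Constructed client header for the samples."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def soap_request(method: str) -> bytes:
    """Constructed SOAP request invoking `method`."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{method}><symbol>IBM</symbol></{method}></soap:Body></soap:Envelope>').encode()
```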

Page 15: Introduction to DataPower

Web Application Firewall

• URL-encoded HTTP application protection in addition to XML Web Services firewall security

• Protection for static or dynamic HTML-based applications

• Supports browser-based clients and HTTP/HTTPS backend servers

• Wizard-driven configuration

• Cross-site scripting and SQL Injection protection

• AAA framework support for web applications

• General name-value criteria boundary profiles for:

– Query string and form parameters

– HTTP headers

– Cookies

HTML Input Conversion Maps for form processing and handling

Cookie watermarking (sign and/or encrypt)

Rate limiting and traffic throttling/shaping

HTTP header stripping, injection and rewriting

HTTP protocol and method filtering

Content-type filtering

Dynamic routing and load balancing

Session handling policies

SSL Acceleration & Termination (Link)

XML and non-XML processing policies

Customizable error handling
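Two of the controls listed above, cookie watermarking (the sign variant) and name-value boundary profiles for query-string parameters and headers, as an added Python example that is not DataPower code; the key, the profiles and the sample inputs are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

KEY = b"constructed-demo-key"   # a real deployment uses a per-device secret


def watermark(name: str, value: str, key: bytes = KEY) -> str:
    """Cookie value with an HMAC-SHA256 watermark over cookie name and value appended."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_watermark(name: str, cookie: str, key: bytes = KEY):
    """Return the original value if the watermark is intact, None if missing or tampered."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


# Boundary profile (constructed): allowed names with max length and permitted characters
PROFILE = {
    "query": {"symbol": (8, re.compile(r"[A-Z.]+")), "qty": (6, re.compile(r"[0-9]+"))},
    "header": {"X-Client-Id": (32, re.compile(r"[A-Za-z0-9-]+"))},
}


def check_boundary(kind: str, pairs) -> list:
    """Violations ('kind:name:reason') for name-value pairs of kind 'query' or 'header'."""
    allowed = PROFILE[kind]
    bad = []
    for name, value in pairs:
        rule = allowed.get(name)
        if rule is None:                          # names outside the profile are rejected
            bad.append(f"{kind}:{name}:unknown")
        elif len(value) > rule[0]:
            bad.append(f"{kind}:{name}:length")
        elif not rule[1].fullmatch(value):        # fullmatch: no trailing newline slips past
            bad.append(f"{kind}:{name}:charset")
    return bad


def check_query_string(query: str) -> list:
    """Apply the query profile to a raw URL-encoded query string."""
    return check_boundary("query", parse_qsl(query, keep_blank_values=True))
```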

Page 16: Introduction to DataPower

Integration Appliance XI50

• Web Service virtualization for legacy applications

• Enforce high levels of security independent of protocol or payload format

• Integrate with enterprise monitoring systems

• Service level management options to shape traffic

Advanced protocol-bridging seamlessly supports a wide array of transports, including HTTP, WebSphere MQ, WebSphere JMS, Tibco EMS, FTP, NFS

Any-to-any “DataGlue” engine supports XML and Non-XML (Binary) payloads, promoting asset reuse and enabling integration without coding

Direct database access enables message-enrichment and data-as-a-service messaging patterns (DB2, Oracle, MS-SQL, Sybase)

High performance architecture creates a low-cost, easily scalable ESB solution for Smart SOA needs!

Purpose-built hardware for Enterprise Service Bus functionality

Page 17: Introduction to DataPower

The ESB Cost Explosion – Background

(Slide diagram: the ESB sits between the DMZ (Internet portal, wireless portal, business partners, wireless access, Internet access), the intranet portal and the internal trusted networks, which hold directory/IDM, logging, monitoring/management, midrange and System z hosts (DB2, IMS), SCM, CRM, w2k and Unix systems.)

In medium to large organizations running significant transaction volumes, the footprint of their ESB becomes very large and expensive, very quickly.

A significant and growing problem with bus installations around the world.

Page 18: Introduction to DataPower

The ESB Cost Explosion – Root causes

1. The resource requirements of today’s services (mostly XML-based)

– Software mediation solutions written on general-purpose platforms require shocking amounts of CPU and memory to process messages and perform the basic bus functions:

• Message Parsing and Interpretation

• Message Transformation

• Message Routing

2. The minimal headroom purchased because of HA requirements.

– Companies quickly use up extra capacity purchased initially in order to maintain high availability for this critical part of their network.

– Nevertheless the problem is often still hidden by the HA deployment initially

– Companies are often taken by surprise by how quickly they “hit the wall”

It doesn’t take much!

• At somewhere between 20-60 TPS the infrastructure needs to be at least doubled.

• You don’t have to be a F500 company to get hit

Page 19: Introduction to DataPower

The ESB Cost Explosion – Solution

The DataPower module, deployed in an Architected ESB Federation pattern, is designed to bring the “commodity” work of an ESB to the network layer.

SOA Network Infrastructure

History tells us that selecting universal, repetitive functions and moving them to purpose-built appliances reduces solution costs, both in terms of increased performance / reduced processing costs, and reduced complexity of deployment (network devices are configured, not coded).

Page 20: Introduction to DataPower

Processing rule actions for ESB

Programmer-friendly functions within the purely configuration-driven message flow.

(Slide diagram of processing rule actions; only the label WAIT is recoverable.)

Page 21: Introduction to DataPower

Processing rule actions for ESB

(Slide diagram: message flow patterns with the protocols they bridge.)

Fan-out (Fan-in)

Notification / Fire and Forget

Composition

Protocols shown: MQ, JMS, HTTP, FTP

Page 22: Introduction to DataPower

Content-based Routing

Select destination based on transaction metadata

• Dynamically determine route from transaction context and/or message content

– Analyze originating URL, protocol headers, transaction attributes, etc.

– Analyze legacy or XML content

• Leverage a routing table for real-time decisions

– Quickly deploy routing changes, including protocol conversions

• Retrieve routing information from other systems

– E.g., databases, web servers, file servers, etc.

(Slide diagram: unclassified requests are routed to service providers.)

Page 23: Introduction to DataPower

Protocol Mediation

Independently bridge inbound and outbound protocols

First-class support for message and transport protocol bridging

Protocol mediation with simple configuration:

– HTTP, MQ, WebSphere JMS, FTP, Tibco EMS

Request-response and sync-async matching

Configurable for fully guaranteed, once-and-only-once delivery

(Slide diagram: the appliance bridging http(s), FTP(s), sFTP, WebSphere MQ, WebSphere JMS, databases (DB2, SQL Server, Oracle, Sybase), 3rd party messaging, IMS and NFS.)

Page 24: Introduction to DataPower

Web Services Management

Service Level Management protects application resources

• Defined as action in the policy pipeline

• Configure policies based on:

– Any parameter: WSDL; Service Endpoint; Operation; Credential

– Request; Response; Fault; XPath

• Enforce same thresholds across a pool of devices

• Configure service level to trigger action:

– Notify (Alert)

– Shape (Slow Down)

– Throttle (Reject)

• Supports WSDM and other Web services management standards

• Allows subscription to SLM for alerts, logging, etc.

• Notify other applications such as billing, audit, etc.
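An added Python example, not DataPower code, of the SLM decision described above: requests are counted per configured key over a sliding interval, the thresholds select notify, shape (a computed delay) or throttle (reject), and each change of level produces an alert for subscribers. Thresholds, interval and timestamps are constructed values.

```python
from collections import defaultdict, deque


class SlmPolicy:
    """Counts requests per key over a sliding interval and picks the SLM action.

    The key is whatever the policy is configured on (credential, operation,
    endpoint). Thresholds and interval are assumed values for the example.
    """

    def __init__(self, interval_s=1.0, notify_at=50, shape_at=80, throttle_at=100):
        self.interval = interval_s
        # Highest level first so the strictest matching threshold wins
        self.levels = ((throttle_at, "throttle"), (shape_at, "shape"), (notify_at, "notify"))
        self.windows = defaultdict(deque)   # key -> timestamps of requests that consumed quota
        self.last = {}                      # key -> last action, for transition alerts
        self.alerts = []                    # what a subscriber (logging, billing) would receive

    def decide(self, key: str, now: float):
        """Return (action, delay_s): allow/notify pass, shape passes after delay, throttle rejects."""
        window = self.windows[key]
        while window and now - window[0] >= self.interval:
            window.popleft()                # drop requests outside the interval
        count = len(window) + 1             # include the request being decided
        action = next((name for limit, name in self.levels if count >= limit), "allow")
        delay = 0.0
        if action == "shape" and window:
            # Slow down: hold the request until the oldest counted one leaves the window
            delay = round(window[0] + self.interval - now, 3)
        if action != "throttle":
            window.append(now)              # rejected requests do not consume quota
        previous = self.last.get(key, "allow")
        if action != previous:
            self.alerts.append(f"{key}: {previous} -> {action} at t={now}")
            self.last[key] = action
        return action, delay


def simulate(times, key="alice", **limits):
    """Feed constructed request timestamps through one policy; returns (decisions, alerts)."""
    policy = SlmPolicy(**limits)
    return [policy.decide(key, t) for t in times], policy.alerts
```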


Page 25: Introduction to DataPower

System z Integration

• Broad integration with System z

• Connect to existing applications over WebSphere MQ

• Transform XML to/from COBOL Copybook for legacy needs

• Natively communicate with IMS Connect

• Integrate with RACF security from DataPower AAA

• Service enable CICS using WebSphere MQ

• Virtualize CICS Web Services


Page 26: Introduction to DataPower

Business to Business (B2B) Appliance XB60

Purpose-built B2B hardware for simplified deployment, exceptional performance and hardened security

• Extend integration beyond the enterprise with B2B

• Hardened Security for DMZ deployments

• Easily manage and connect to trading partners using industry standards

• Simplified deployment and ongoing management

• Trading Partner Management for B2B Governance; B2B protocol policy enforcement, access control, message filtering, and data security

• Application Integration with standalone B2B Gateway capabilities supporting B2B patterns for AS2, AS3 and Web Services

• Full featured User Interface for B2B configuration and transaction viewing; correlate documents and acknowledgments displaying all associated events

• Simplified deployment, configuration and management providing a quicker time to value by establishing rapid connectivity to trading partners

Page 27: Introduction to DataPower

DataPower B2B Appliance XB60 – B2B Components

• B2B Gateway Service

– AS2 and AS3 packaging/unpackaging

– EDI, XML and Binary Payload routing

– Front Side Protocol Handlers

– Trading Partner Profile Management

• Multiple Destinations (Back Side Protocol Handlers)

• Certificate Management (Security)

– Hard Drive Archive/Purge policy

• B2B Viewer

– B2B transaction viewing

– Transaction resend capabilities

– Acknowledgement correlation

– Transaction event correlation

– Role based access

• Persistent Storage

– Encrypted with a box specific key

– B2B document storage

• Transaction Store

– B2B metadata storage

– B2B state management

The DataPower B2B Appliance extends your ESB beyond the enterprise by supporting the following B2B functionality:

(Slide diagram of the DataPower B2B XB60: Front Side Handlers for Partner Connections and Front Side Handlers for Integration feed the B2B Gateway Service, which is backed by the B2B Viewer, the Transaction Store and Persistent Storage and delivers to External Partner Destinations and Internal Partner Destinations.)

Page 28: Introduction to DataPower

Low-Latency Appliance XM70

Purpose-built hardware for low-latency, network-based messaging and data feed processing

• Drop-in messaging solution which plugs into existing network infrastructure

• Enhanced QoS and performance with purpose-built hardware

• Simplified, configuration-driven approach to low-latency, publish/subscribe messaging and content-based routing

• High availability out of the box (two or more appliances)

• Optimized to bridge between leading standard messaging protocols such as MQ, Tibco, WebSphere JMS and HTTP(S)

• Low-latency unicast and multicast messaging, scaling to 1M messages / sec with microsecond latency

• Destination, property and content-based routing, including native XML and FIX parsers

• Simplified deployment, configuration and management providing a quicker time to value by rapidly configuring messaging destinations, connectivity and routing

Page 29: Introduction to DataPower

Configuration & Administration

Fits into existing environments

Multiple administration consoles

– WebGUI – 100% availability of functions in all consoles

– CLI – Familiar to network operators

– SOAP interface – Programmatic access to all config for easy scripting

IDE integration

– Eclipse/Rational Application Developer

– Altova XML Spy

– WAS 7 Admin Console for multi-box management

Easy export/import for configuration promotion

Standard operational interfaces

– SNMP, syslog, etc.

Industry-leading integration support across IBM and 3rd party application, security, identity management, and networking infrastructure

Page 30: Introduction to DataPower

IBM SOA Appliance Deployment Summary

(Slide diagram: from the Internet through the IP firewall, a web tier where XA35 appliances transform XML/XSL into XML, HTML and WML for clients or servers; a security tier where XS40 appliances, with Tivoli Access Manager and Federated Identity Manager, handle HTTP XML requests and responses from web services clients; and integration and management tiers where XI50 appliances bridge legacy requests and responses to WebSphere App Server, web servers and MQ Server, alongside a Nortel L7 module, Tivoli NetView and ITCAM for SOA.)

Page 31: Introduction to DataPower

IBM SOA Appliance Deployment continued

(Slide diagram, three scenarios. Business to Business (B2B): trading partners on the Internet exchange AS2 messages and AS2 MDNs with an XB60 in the DMZ behind firewalls, which passes XML/EDI/Binary documents over AS2, AS3, HTTP, FTP, Web Services or MQ to an application server and a Trading Manager for EDI processing. Low Latency Messaging (LLM): an XM70 bridging MQ/TIBCO transmitters and receivers over RUM (unicast) and RMM (multicast). The XS40/XI50 security and integration stack from the previous slide, now also with WSRR.)

Page 32: Introduction to DataPower

Summary – IBM Specialized Hardware for Smart SOA Connectivity

• Hardened, specialized product for helping integrate, secure & accelerate SOA

• Many functions integrated into a single device

• Broad integration with both non-IBM and IBM software

• Higher levels of security assurance certifications require hardware

• Higher performance with hardware acceleration

• Simplified deployment and ongoing management

Simplifies SOA and accelerates time to value

Helps secure SOA XML implementations

Governs and enforces SOA/Web Services policies

SOA Appliances: Creating customer value through extreme SOA performance, connectivity, and security

www.ibm.com/software/integration/datapower