Ims DataPower and Security

DataPower and Security for IMS

© 2015 IBM Corporation 1

Suzie Wendler ([email protected])

Topics

• DataPower support for IMS

• Inbound access to IMS

• Access to IMS databases

• Outbound support for IMS callout

• Security considerations

© 2015 IBM Corporation 2© 2015 IBM Corporation 2

DataPowerDataPowerDataPowerDataPower

The WebSphere DataPower Integration Appliance is a purpose built hardware platform that

delivers rapid data transformations for cloud and mobile applications, supports secured and

scalable business integration, and provides an edge of network security gateway in a single

drop-in appliance.

Integration appliance

Includes all features of


http://tinyurl.com/cffhmzc

ftp://ftp.software.ibm.com/software/systemz/pdf/aiseminars/Using_WebSphere_DataPower_SOA_appliances_to_extend_the_value_of_System_z.pdf

Includes all features of

the Security and

Acceleration appliances

DataPower...

• Why an Appliance for SOA?

• Hardened, specialized hardware for helping to integrate, secure & accelerate SOA

– Many functions integrated into a single device

• Higher levels of security assurance certifications require hardware

• Enables run-time SOA governance and policy enforcement

• Higher performance with hardware acceleration

• Addresses the divergent needs of different groups:

– enterprise architects, network operations, security operations, identity

management, web services developers


management, web services developers

• Simplified deployment and ongoing management

• Proven Green / IT Efficiency Value

– Appliance performs XML and Web services security processing as much as 72x

faster than server-based systems

– Impact: Same tasks accomplished with reduced system footprint and power

consumption

• http://tinyurl.com/cffhmzc

• ftp://ftp.software.ibm.com/software/systemz/pdf/aiseminars/Using_WebSphere_DataPower_SOA_appliances_to_extend_the_value_of_System_z.pdf

EvolutionEvolutionEvolutionEvolution

Many integration standards are XML-based which may result in additional data processing and security requirements

IBM DataPower is positioned to meet the additional security requirement and to move data processing cycles from the mainframe to the mid-tier layer.


http://tinyurl.com/b4gdlkz

Enterprise Integration and Enablement

• Enterprise Integration

• Provides a Multi-Protocol Gateway (MPG)

– Connects client requests that are transported over one or more protocols to a

remote destination that uses the same or a different protocol� Supports the FTP, HTTP, HTTPS, IMS™, MQ, NFS, SFTP, TIBCO EMS, and

WebSphere® JMS protocols

JSON


DataPower Security

• Supports authentication, authorization, and auditing

• Example

– Create a policy to extract the user identity (who are you?)� Can come from:

� SOAP message, XML content, HTTP header, custom template (XSL stylesheet), …

� Using extraction methods such as:

� HTTP authentication header, password-carrying UsernameToken from the WS-Security header, derived-key UsernameToken element from the WS-Security header, binarySecurityToken element from the WS-Security header, …


– Authenticate� Options include;

� Using a Lightweight Directory Access Protocol (LDAP)-enabled directory server, such as IBM Tivoli Directory Server, using IBM Tivoli Access Manager for e-business, using a DataPower AAA Info file (an XML file that contains authenticated identities and values related to them), using a custom template

– Map the credentials (optional)� Interoperability between systems (DataPower device and system in charge

of authorization) might require mapping between credentials� Possibilities include: IBM Tivoli Federated Identity Manager, DataPower AAA Info file, XPath query,

Custom template, WS-SecureConversation, …

DataPower Security …

• Example …

– Extract the resource (what do you want to do?)� Methods to identify the resource include: recovering the resource from local name of the requested

in the message, HTTP operation, XPath expression

– Map the resource (optional)� Might be needed for interoperability between DataPower and the system in charge of authorization.

Methods include: Datapower AAA Info file, XPath query, custom template, etc.

– Authorize� Credentials and resources, which both might have been remapped, are

submitted to the authority in charge of dealing with authorization


submitted to the authority in charge of dealing with authorization� Authority could be: the DataPower device itself, an external access manager, LDAP server,

DataPower AAA Info file, custom template, …

– Perform post processing (optional)� Tasks might be set as a final step of the AAA policy. For instance, it is possible to add a WS-Security

UserName token in the message

– Perform auditing (optional)� Consists of logging information that might assert that both authentication and authorization have

succeeded or failed

http://www.redbooks.ibm.com/redpapers/pdfs/redp4364.pdf

DataPower to/from IMS Security

• Connection level security between DataPower and IMS Connect

• Secure sockets with: SSL/ AT-TLS support

• Per request

– Access to transactions� IMS Connect provides RACF =(Y|N) option

� If Y, userid and password are authenticated/authorized

� OTMA security based on OTMASE parameter or /SEC OTMA command)� USERID access to the IMS transaction (TIMS, GIMS, etc.)


– Access to databases� IMS Connect (same as above)� ODBM

� Passes security information from IMS Connect or uses userid from jobcard

� IMS security based on ODBASE and either APSB/RAS security

– Access from Transactions (callout)� IMS Callout Front-side Handler in DataPower

� Configured with SAF userid/password for Resume Tpipe request

� Outbound� Datapower V7 (and IMS 13) can pass the PST userid (associated with the calling IMS Transaction)

DataPower to/from IMS SecurityDataPower to/from IMS SecurityDataPower to/from IMS SecurityDataPower to/from IMS Security

Access to TXN

Client-Bid

SAF/RACF secure environment

IMS security:User validationto access IMS

Access to IMS/OTMA

AT/TLS

GU,IOP -Userid/PW Authentication

- PassTicket- Trusted user- Default User

Exit routines

RACF=Y|NOTMASE=

(OTMA)Msg-levelSSL Proxy Service

SSL

Non-SSL

connection

IMS

DataPower


IMSODBM

IMS Connect

Access to PSB

ICAL

to access IMSresources

Can pass useridoutbound

Resume TPIPEsecurity

ISRT,ALT

Access to DB

ODBASE=

ISIS=

Userid/PW

IMS universaldrivers

IMS ConnectObject

IMS

Front Side Handler

Resume TPIPE SAF identity

Outbound request/response

Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...

� IMS Integration (XI50, XI50B,

XI50z, XI52, XB60, XB62...)

• Three interfaces to get to IMS:

• IMS Connect Client

• Access to IMS applications using a DataPower embedded


a DataPower embedded IMSClientConnect handler to

IMS Connect

• Soap

• Access to IMS web services via the IMS SOAP Gateway

• MQ Client

• Access to IMS applications using an MQ server on system z and the MQ Bridge for IMS

http://www.redbooks.ibm.com/redbooks/pdfs/sg247988.pdf

IMS Integration

• DataPower provides WS-enablement to IMS applications

• User codes schema-dependent WTX data map to perform request/response

mapping

• “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol


Data

Po

wer

CCB / TCP

Client

SOAP/HTTP

IMS

O

T

M

A

Appl1IMS

Connect

Appl2

Appl3

IMS

O

T

M

A

Appl4

Appl5

Appl6

User exit

(e.g..

HWSSM

PL0)

IMS Integration – IMS Connect client

• Accessing IMS as a service provider

– DataPower Release 3.6.1� First implementation of an IMS Connect client

� Support for CM1 (synchronous), Sync_level = None

– DataPower Release 3.8.0� Automatic chunking and de-chunking

� Support for client sending and receiving IMS messages larger than 32KB using the Web Service Proxy service or the IMS Connect object


Web Service Proxy service or the IMS Connect object

� Support for automatically processing the LL/ZZ headers for each of the message segments.

� When using the IMS Connect configuration, support for an extra 4-byte LLLL header field in the response message and supports for receiving this LLLL header, processing it properly, and sending it back to the client in the response message.

– DataPower Release 3.81� Support for CM1 (synchronous), Sync_Level=Confirm

IMS Integration – IMS Connect client...

• Components:



• An IMS Connect Handler object defines a handler service that receives IMS Connect

requests and forwards them to the appropriate DataPower service

Command Purpose

aclAssigns an Access Control List (ACL). The access control list allows or denies access to this

service based on the IP address of the client

admin-state Sets the administrative state of an object. Enabled (active) or disabled (inactive)

ebcdic-input Sets the encoding for input headers as EBCDIC or ASCII.

local-addressSpecifies the local address for the service. This is the local IP address or host alias on which the

service listens. The default value is 0.0.0.0.


persistent-connectionsControls the negotiation of persistent connections. When enabled, the IMS Connect Handler

negotiates with the remote IMS Connect target to establish a persistent connection.

port Specifies the local listening port for the service. The default is 3000.

ssl Assigns an SSL Proxy Profile.

summary Specifies a brief, object-specific comment.

IMS Integration IMS Integration IMS Integration IMS Integration –––– IMS Connect client...IMS Connect client...IMS Connect client...IMS Connect client...

• The IMS Connect configuration handles the IMS protocol communications from a DataPower service to IMS applications

• The configuration contains settings that affect the behavior of the connection

admin-state Sets the administrative state of an object.

client-id-prefix Sets the two-letter prefix for the generated client ID. (default is DP)

clientid Specifies the name of the IMS client identifier.

datastore Sets the name of the data store.

ebcdic-conversion Controls EBCDIC header conversion.

encoding-scheme Sets the Unicode encoding scheme.

exit-program Sets the exit program.

Indicates whether the response message includes an extra 4-byte (LLLL) response message header specifying the total response


port Sets the port on the target IMS Connect.

segment-size Sets the maximum segment size when a message is split when sending to an IMS Connect server.

summary Specifies a brief, object-specific comment.

sync-level Controls the acknowledgement (ACK) to the IMS Connect server after receiving the response. 0x00 =none, 0x01= confirm

tran-code Sets the transaction code to invoke.

username Sets the RACF identifier.

expect-llllIndicates whether the response message includes an extra 4-byte (LLLL) response message header specifying the total response

message size back from IMS Connect.

group Sets the RACF® security group.

hostname Specifies the host of the target IMS Connect.

irm-timer Sets the wait time to return data.

lterm-name Sets the logical terminal name.

password Sets the connection password.


• The IMS Connect URL

• dpims://IMSConnect /?parameters

• dpimsssl:// IMSConnect/?parameters

Where: IMSConnect specifies the name of an enabled IMS Connect configuration on

the appliance

?parameters specifies any overrides


• An example of an IMS Connect URL is:

– dpims://xxx.xxx.xxx.xxx:nnnn/?TranCode=IVTNO;DataStoreID=IMS1;PersistentS

ocket=0�

• Or it can define host, port, DataStoreID, and PersistetnSocket in an IMS-object:

– dpims://IMSConnectObject/?TranCode=IVTNO


• The IMS Connect URL …

• Parameters - Use a question mark to denote the first query parameter and separate

subsequent query parameters with a semicolon.

– TranCode=code

– DataStoreID=ID

– ExitID=ID

– ClientIDPrefix=prefixIf not blank. The default is a two-character blank string.

– ClientID=ID


– ClientID=ID

– RACFUserID=ID

– RACFGroupName=groupname

– Password=password or PassTicket

– LtermName=Lterm

– Timer=duration (appropriate wait time for IMS to return data to the IMS Connect server)

– EncodingScheme=scheme

– PersistentSocket=value

– EBCDIC=value

– synclevel=value

– ExpectLLLL=value

DataPower – IMS DB feature

• IMS DB feature easily exposes IMS data as a service to remote applications

• Requires one of the following DataPower models and Firmware 6.0:

• XG45 or XG45 Virtual Edition (with Database


• XG45 or XG45 Virtual Edition (with Database Integration Module feature)

• XI52, XI52 Virtual Edition or XI50B (with Database Connectivity feature)

• WebSphere DataPower B2B Appliance XB62

DataPower to IMS DB – “Information as a Service”

• DataPower provides a standard WS façade to IMS

• SOAP or REST call is mapped to a JDBC (DRDA) invocation

• Exposes database content (information) as a service

• Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise


Data

Po

wer

Client

SOAP or REST DRDA

DataPower to IMS DB

• Access to IMS DB leverages existing and proven technology

• IMS Universal JDBC driver

• IMS DRDA server: IMS Connect/ODBM

• IMS Catalog

DataPowerXG45, XI52,


XG45, XI52,

XI50B, XB62

IMS

Universal

JDBC

Driver

Routing/

data

transformation

SQL

sends /

receives

DRDA

sends /

receives

ODBMIMS

Connect

IMS DB

IMSCatalog

DRDA/DDM DLIclient

IMS 12

DataPower Operational Considerations...

• IMS DB

• Create a Multi-Protocol Gateway (MPG) Configuration

– Define a Front Side Protocol Handler, e.g., HTTP/HTTPS front side handler

• Configure an “SQL Data Source” object (DB connection)

– IMS database is an SQL data source

– Connection user name/ password are specified

• Configure the back-end URL

• Define an MPG “Policy”


• Define an MPG “Policy”

– Create one or more “Rule”(s) for the policy

• Apply the changes, and save the configuration

IMS Open DB Security

• The IMS Universal JDBC driver provides access to IMS data

• Access to IMS DBs use IMS Connect and ODBM

– IMS Connect provides authentication of the userid/password sent in by the IMS Universal drivers

• IMS Connect to ODBM

• RACF=Y

– IMS Connect authenticates the Userid/Password/Group� Passes a RACF Object (RACO) to ODBM


� Passes a RACF Object (RACO) to ODBM– ODBM uses this information for security

• RACF=N

– IMS Connect bypasses authentication and does not pass a RACO– ODBM used the ODBM Job Userid/Group

IMS Open DB Security…

• ODBM to IMS

• Security information is sent from IMS Connect or, if no userid, then userid/group

from the ODBM jobcard is used

– ODBM and RRS=Y � ODBM uses the ODBA interface to

IMS

� Creates and passes ACEE in the Thread TCB

– In IMS, ODBASE parameter is in effect

• ODBM and RRS=N

– ODBM uses the CCTL interface to IMS (like CICS)

� Pass Userid/Group in PAPL

In IMS, the ISIS parameter to


– In IMS, ODBASE parameter is in effect� ODBASE=Y invokes APSB security

� IMS uses RACF to verify the Userid using the AIMS or Axxxxxxx resource class

� The ISIS parameter is not used

� ODBASE=N invokes RAS

� IMS uses the ISIS parameter to determine the RACF call using the IIMS or Ixxxxxxxresource class

� ISIS=N – No RACF checking

� ISIS=R – RACF call

� ISIS=C – DFSRAS00 exit

� ISIS=A – RACF call and DFSRAS00 exit

– In IMS, the ISIS parameter to determine the RACF call using the IIMS or Ixxxxxxx resource class

� ISIS=N – No RACF checking� ISIS=R – RACF call� ISIS=C – DFSRAS00 exit� ISIS=A – RACF call and DFSRAS00 exit

IMS Open DB Security

• Example

PSB Schedule Time

PSB 1 UseridA

UseridB

ODBM

UseridB

IMS

Connect

ODBM

Client

IMS Universal JDBC Driver

AuthenticatedUseridB

UseridA

DataPower


25

ODBM

UseridA

PSB1

And PSB2 UseridA

End user

UseridB

PSB2

UseridB

PSB 2 UseridA

Authenticated

UseridB

Can only access PSB2Can only access PSB2

Use of resource classes AIMS or IIMS|JIMS is based on use of SAF/APSB versus RAS

Or optionally the DFSRAS00 exitdecision when using RAS

Use of resource classes AIMS or IIMS|JIMS is based on use of SAF/APSB versus RAS

Or optionally the DFSRAS00 exitdecision when using RAS

DataPower – IMS Callout support

• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower , with minimal application updates required

• IMS Callout functionality requires one of the following DataPower models and Firmware 6.0:


• WebSphere DataPower Integration Appliance

XI52, XI52 Virtual Edition

• WebSphere DataPower Integration Blade XI50B

• WebSphere DataPower B2B Appliance XB62

DataPower – IMS Callout support …

• DataPower adds value to standard IMS connect usage patterns

• Initial service provider support

– An “IMS Connect” back-end handler that natively connects to IMS Connect as

service provider

• Enhanced capability with V6.0

– An “IMS Callout” front-side handler that natively connects to IMS Connect as

service consumer


service consumerD

ata

Po

wer

TCP/IPClient

TCP/IP

Provider scenario

Callout scenario

IMS

OTMA

Appl1IMS

ConnectAppl2

Appl3

IMS

OTMA

Appl4

Appl5

Appl6

User exit (e.g..

HWSSMPL1)

User exit (HWSDPWR1)

IMS Callout Support

• Supports the IMS synchronous callout capability – DL/I ICAL – Allows IMS applications to synchronously invoke external web services

• The IMS callout connection is a DataPower “Front Side Handler” – Retrieves IMS callout messages, interfaces with DataPower services and send

response data back to IMS

• The handler internally creates one or more IMS Connect dedicated persistent

socket connections to the host system


socket connections to the host system

• The handler communicates with IMS Connect via a new DataPower dedicated

user message exit HWSDPWR1

IMS Callout Support ...IMS Callout Support ...IMS Callout Support ...IMS Callout Support ...

Response

DataPower XI52, XI50B, XB62

WS

Proxy

MPG

Transformation

IMS

Callo

ut F

ron

t Sid

e

Han

dle

r

Transformation

Request

Outbound Rule

Inbound Rule

IMS 12

IMS

Application

..

ICAL

(synchronous)

IMS

Connect

HWSDPR1

TPIPE

Serv

ices


29

MPG

IMS

Callo

ut F

ron

t Sid

e

IMS Callout Front Side Handler

SendsICAL responses

Async

sends /

receives

IMS application 1

:

ICAL

(synchronous)

IMS

Connect

HWSDPWR1

exit

TPIPE

IMS

Connect

API

Retrieve ICAL requests

Routing/

data

transformation

Resume

TPIPE

ACK

request

Response

ACKResponses

queue

Requests

queue

IMS Callout DataPower Dependencies

• IMS Connect – IMS 12 PTF UK91544 (APAR PM76086) and

IMS 13 PTF UK97704

– DataPower User Exit Installation - Object Code Only user exit HWSDPWR1 (new)

• Specified in the EXIT= parameter of the TCP/IP statement in the IMS Connect configuration file (HWSCFGxx)

• IMS 12

01 AIB. 02 AIBRID PIC x(8) VALUE 'DFSAIB '. 02 AIBRLEN PIC 9(9) USAGE BINARY. 02 AIBSFUNC PIC x(8). 02 AIBRSNM1 PIC x(8). 02 AIBRSNM2 PIC x(8). 02 AIBRESV1 PIC x(8). 02 AIBOALEN PIC 9(9) USAGE BINARY. 02 AIBOAUSE PIC 9(9) USAGE BINARY. 02 AIBRSFLD PIC 9(9) USAGE BINARY. 02 AIBRESV2 PIC x(8). 02 AIBRETRN PIC 9(9) USAGE BINARY. 02 AIBREASN PIC 9(9) USAGE BINARY.


• IMS 12– PTF UK82636 (APAR PM73135) AIB User

Token field AIBUTKN(new)• DL/I ICAL user can specify a 1-to-8 byte name in

the AIB so that this ID can be included in the OTMA state data in the callout message.

• The ID can be used as a unique service identifier for data transformation mapping and service routing

• DataPower V6

02 AIBRETRN PIC 9(9) USAGE BINARY. 02 AIBREASN PIC 9(9) USAGE BINARY. 02 AIBERRXT PIC 9(9) USAGE BINARY. 02 AIBRESA1 USAGE POINTER. 02 AIBRESA2 USAGE POINTER. 02 AIBRESA3 USAGE POINTER. 02 AIBUTKN PIC x(8).02 AIBRESV4 PIC x(32). 02 AIBRSAVE OCCURS 18 TIMES USAGE

POINTER. 02 AIBRTOKN OCCURS 6 TIMES USAGE

POINTER. 02 AIBRTOKC PIC x(16). 02 AIBRTOKV PIC x(16). 02 AIBRTOKA OCCURS 2 TIMES PIC 9(9)

USAGE BINARY.

IMS Callout Support ...

• DataPower IMS Callout Front Side Handler retrieves and sends IMS ICAL

request to other DataPower services

– In addition to the message payload, it sets the two headers:

- ims-callout-service-id: IMS ICAL AIBUTKN field- ims-callout-correlation-token: Hex representation of ICAL correlation token

> Allows IMS to correlate a response to the associated request

– The DataPower administrator can access the header fields in the MPG policy

• Examples of use:

– service ID as the request identifier to select input/output transformation map



– correlation token as the message ID in the outbound HTTP/SOAP request

• Operational considerations

1. Create a Multi-Protocol Gateway (MPG) Configuration

2. Configure IMS Callout Front Side Handler

3. Configure the back-end URL

4. Define an MPG “Policy”

�Create one or more “Rule”(s) for the policy5. Apply the changes, and save the configuration

DataPower Operational Considerations ...

• Operational Characteristics – Configuration of an IMS Callout front side handler includes the following

properties: • IMSHost, IMSPort, DataStoreName, TPipe(s), UserID, Password, Group,

RetryErrorLimit, RetryInterval

– DataPower administrator can enable/disable an IMS Callout front side

handler


• Operational States– An IMS Callout front side handler has the following “opstates”:

• Up: resume tpipe processing is in operation

• Down: no active processing

• Pending: in recovery mode (detected IMS Connect and/or IMS outage)

• Operational Recommendations

– When not in use, the administrator should disable the IMS Callout front side handler

IMS Application Considerations

• ICAL is a DL/I call verb

• Leverages the AIB interface

• Uses the SENDRECV subfunction

– REQ_area is the Request data area for sending data

– RESP_area is the Response data area for returned data� REQ and RESP messages are not recoverable

req-area and resp-area do not specify LLZZ, data can be > 32K


� req-area and resp-area do not specify LLZZ, data can be > 32K� IMS Connect and OTMA handle buffer and segmentation internally

• Timeout support

– Optional user specified timeout value in the DLI call to control the time an IMS

application waits for a response

– Can terminate the request and free the dependent region

– Late responses are logged and discarded

Call AIBTDLI USING ICAL,aib,REQ_area,RESP_area

IMS Application Considerations ...IMS Application Considerations ...IMS Application Considerations ...IMS Application Considerations ...

• AIB • AIBID = DFSAIBbb• AIBLEN = AIB length

• AIBSFUNC = SENDRECV• AIBRSNM1 = 8 byte OTMA Descriptor name

• AIBRSFLD = Timeout value• 4 byte field for time value 100th seconds. System default is 10 sec.

• AIBOALEN = REQ_area length• As an input parameter: 4 byte field contains the length of the request area• As an output parameter: Actual length of the response message

• AIBOAUSE = RESP_area length• As an input parameter: 4 byte field contains the length of the response area• As an output parameter: Length of the response message.

DFSYDTx member of IMS.PROCLIB

•TYPE: Destination type

•TMEMBER: OTMA Target Client

•TPIPE: Destination Name

•SYNTIMER=timeout

Note ICAL overrides this value

•...

� OTMA Descriptor


• As an output parameter: Length of the response message.

• AIBRETRN = AIB Return code• AIBREASN = AIB Reason code.

• AIBERRXT = 2 byte sense code from external application

01 AIB.

02 AIBRID PIC x(8) VALUE 'DFSAIB '.

02 AIBRLEN PIC 9(9) USAGE BINARY.

02 AIBRSFUNC PIC x(8) VALUE 'SENDRCV'.

02 AIBRSNM1 PIC x(8) VALUE ‘TESTDPWR'.

02 AIBOALEN PIC 9(9) USAGE BINARY VALUE +12.

02 AIBOAUSE PIC 9(9) USAGE BINARY.

01 CALLOUT-MSG.

02 CA-DATA PICTURE X(12) VALUE ‘HELLO WORLD ’

01 SCA-RESPONSE.

02 SCA-DATA PICTURE X(12).

CALL 'AIBTDLI' USING ICAL, AIB, CALLOUT-MSG , SCA-RESPONSE.

COBOL example

D TESTDPWR TYPE=IMSCON TMEMBER=HWS1

D TESTDPWR TPIPE=DPTEST1 ...

Error Conditions - IMS

• The IMS ICAL is informed of error conditions using AIB return and reason codes

• IMS Version 12 Application Programming APIs manual

– http://tinyurl.com/cgj8tah

Web Service

0

IMS Connect IMS

IMS Application

1

Resume TPIPE

ICAL SENDRECV TESTDPWRRequest

X1

DataPower


Response 4

1 ICAL SENDRECV TESTDPWR

HELLO FROM IMSHELLO FROM IMS

HELLO FROM WEB SERVICE

HELLO

FROM WEB

SERVICE

HELLO

FROM IMS

HELLO FROM WEB SERVICE

3

Data

Transformation

2ACK

X3

X1

X2

X4

X5 X6

X5: external server already committed before time outX6: external server already committed, but IMS fails to process the response

X1: ICAL cannot be sent outX2: ICAL time outX3: late ACK received after time out

X4: XML converter in error

Data

Transformation

Examples of where some errors might occur:

Security Enhancements with DataPower V7

• DataPower IMS Callout Front Side Handler retrieves and sends IMS ICAL request to other DataPower services

– In addition to the message payload, it sets the headers:

- ims-callout-service-id: IMS ICAL AIBUTOKN field

- ims-callout-user-id: IMS PSTUSID associated with the calling transaction- ims-callout-correlation-token: Hex representation of ICAL correlation token

> Allows IMS to correlate a response to the associated request

The DataPower administrator can access the header fields in the MPG policy


– The DataPower administrator can access the header fields in the MPG policy

• Examples of use:


– Userid as the requester for the target distributed service service

– correlation token as the message ID in the outbound HTTP/SOAP request.

IMS 13, IMS Connect 13, DataPower V7

Extracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform Action


Double click on the Transform action icon to specifya stylesheet that will be used to direct the message for transformation and routing

Extracting Extracting Extracting Extracting UserIDUserIDUserIDUserID using a using a using a using a stylesheetstylesheetstylesheetstylesheet (Transform): example (Transform): example (Transform): example (Transform): example

<?xml version="1.0" encoding="UTF-8" ?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">

<xsl:template match="/">

<xsl:message dp:priority="info">

Correlation token :

<xsl:value-of select="dp:request-header('ims-callout-correlation-token')" />

</xsl:message>

- <xsl:message dp:priority="info">



User ID :

<xsl:value-of select="dp:request-header('ims-callout-user-id')" />

</xsl:message>


Service ID :

<xsl:value-of select="dp:request-header('ims-callout-service-id')" />

</xsl:message>

</xsl:template>

</xsl:stylesheet>

Securing IMS Callout Request Flow with SSL Proxy

• The IMS Callout FSH support 3 types of connections to IMS Connect

• Non-SSL, SSL with AT-TLS (recommended), IMS Connect SSL

IMSDataPower

Routing/

dataIMS Callout FSH

Non-SSL

connection

8888


IMS application 1

:

ICAL

(synchronous)

IMS

Connect

TPIPE

data

transformation

SSL ProxyService

IMS Connect SSL

8899S

9999Serv

ices / A

pplic

ation

SSL with AT-TLS

8888

2-waySSL Proxy

Operational Considerations for SSL Proxy

• Operational Characteristics

• Configure IMS Callout FSH to communicate with DataPower SSL Proxy

• Configure SSL Proxy to communicate with IMS Connect with

– IMS Connect SSL enabled: specify SSL port or– AT-TLS enabled to listen on IMS Connect port


Summary

• DataPower enhances IMS connectivity capabilities

• Enables connectivity with any IMS environment

– IMS transactions can be both service consumers and providers of web or HTTP

services

– IMS database content can be exposed as a service

• Allows IMS to leverage DataPower's flexibility


• Allows IMS to leverage DataPower's flexibility

– Support for rapid data transformations for cloud and mobile applications, secured

and scalable business integration, and edge of network security gateway in a

single drop-in appliance.

• Resource: DataPower and IMS

– http://www-01.ibm.com/support/docview.wss?uid=swg27038927&aid=1

Technology

Ims DataPower and Security