Upload
ibm-ims
View
136
Download
4
Embed Size (px)
Citation preview
Topics
• DataPower support for IMS
• Inbound access to IMS
• Access to IMS databases
• Outbound support for IMS callout
• Security considerations
© 2015 IBM Corporation 2© 2015 IBM Corporation 2
DataPowerDataPowerDataPowerDataPower
The WebSphere DataPower Integration Appliance is a purpose built hardware platform that
delivers rapid data transformations for cloud and mobile applications, supports secured and
scalable business integration, and provides an edge of network security gateway in a single
drop-in appliance.
Integration appliance
Includes all features of
© 2015 IBM Corporation 3
http://tinyurl.com/cffhmzc
ftp://ftp.software.ibm.com/software/systemz/pdf/aiseminars/Using_WebSphere_DataPower_SOA_appliances_to_extend_the_value_of_System_z.pdf
Includes all features of
the Security and
Acceleration appliances
DataPower...
• Why an Appliance for SOA?
• Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
– Many functions integrated into a single device
• Higher levels of security assurance certifications require hardware
• Enables run-time SOA governance and policy enforcement
• Higher performance with hardware acceleration
• Addresses the divergent needs of different groups:
– enterprise architects, network operations, security operations, identity
management, web services developers
© 2015 IBM Corporation 4© 2015 IBM Corporation 4
management, web services developers
• Simplified deployment and ongoing management
• Proven Green / IT Efficiency Value
– Appliance performs XML and Web services security processing as much as 72x
faster than server-based systems
– Impact: Same tasks accomplished with reduced system footprint and power
consumption
• http://tinyurl.com/cffhmzc
• ftp://ftp.software.ibm.com/software/systemz/pdf/aiseminars/Using_WebSphere_DataPower_SOA_appliances_to_extend_the_value_of_System_z.pdf
EvolutionEvolutionEvolutionEvolution
Many integration standards are XML-based which may result in additional data processing and security requirements
IBM DataPower is positioned to meet the additional security requirement and to move data processing cycles from the mainframe to the mid-tier layer.
© 2015 IBM Corporation 5
http://tinyurl.com/b4gdlkz
Enterprise Integration and Enablement
• Enterprise Integration
• Provides a Multi-Protocol Gateway (MPG)
– Connects client requests that are transported over one or more protocols to a
remote destination that uses the same or a different protocol� Supports the FTP, HTTP, HTTPS, IMS™, MQ, NFS, SFTP, TIBCO EMS, and
WebSphere® JMS protocols
JSON
© 2015 IBM Corporation 6© 2015 IBM Corporation 6
DataPower Security
• Supports authentication, authorization, and auditing
• Example
– Create a policy to extract the user identity (who are you?)� Can come from:
� SOAP message, XML content, HTTP header, custom template (XSL stylesheet), …
� Using extraction methods such as:
� HTTP authentication header, password-carrying UsernameToken from the WS-Security header, derived-key UsernameToken element from the WS-Security header, binarySecurityToken element from the WS-Security header, …
© 2015 IBM Corporation 7© 2015 IBM Corporation 7
– Authenticate� Options include;
� Using a Lightweight Directory Access Protocol (LDAP)-enabled directory server, such as IBM Tivoli Directory Server, using IBM Tivoli Access Manager for e-business, using a DataPower AAA Info file (an XML file that contains authenticated identities and values related to them), using a custom template
– Map the credentials (optional)� Interoperability between systems (DataPower device and system in charge
of authorization) might require mapping between credentials� Possibilities include: IBM Tivoli Federated Identity Manager, DataPower AAA Info file, XPath query,
Custom template, WS-SecureConversation, …
DataPower Security …
• Example …
– Extract the resource (what do you want to do?)� Methods to identify the resource include: recovering the resource from local name of the requested
in the message, HTTP operation, XPath expression
– Map the resource (optional)� Might be needed for interoperability between DataPower and the system in charge of authorization.
Methods include: Datapower AAA Info file, XPath query, custom template, etc.
– Authorize� Credentials and resources, which both might have been remapped, are
submitted to the authority in charge of dealing with authorization
© 2015 IBM Corporation 8© 2015 IBM Corporation 8
submitted to the authority in charge of dealing with authorization� Authority could be: the DataPower device itself, an external access manager, LDAP server,
DataPower AAA Info file, custom template, …
– Perform post processing (optional)� Tasks might be set as a final step of the AAA policy. For instance, it is possible to add a WS-Security
UserName token in the message
– Perform auditing (optional)� Consists of logging information that might assert that both authentication and authorization have
succeeded or failed
http://www.redbooks.ibm.com/redpapers/pdfs/redp4364.pdf
DataPower to/from IMS Security
• Connection level security between DataPower and IMS Connect
• Secure sockets with: SSL/ AT-TLS support
• Per request
– Access to transactions� IMS Connect provides RACF =(Y|N) option
� If Y, userid and password are authenticated/authorized
� OTMA security based on OTMASE parameter or /SEC OTMA command)� USERID access to the IMS transaction (TIMS, GIMS, etc.)
© 2015 IBM Corporation 9© 2015 IBM Corporation 9
– Access to databases� IMS Connect (same as above)� ODBM
� Passes security information from IMS Connect or uses userid from jobcard
� IMS security based on ODBASE and either APSB/RAS security
– Access from Transactions (callout)� IMS Callout Front-side Handler in DataPower
� Configured with SAF userid/password for Resume Tpipe request
� Outbound� Datapower V7 (and IMS 13) can pass the PST userid (associated with the calling IMS Transaction)
DataPower to/from IMS SecurityDataPower to/from IMS SecurityDataPower to/from IMS SecurityDataPower to/from IMS Security
Access to TXN
Client-Bid
SAF/RACF secure environment
IMS security:User validationto access IMS
Access to IMS/OTMA
AT/TLS
GU,IOP -Userid/PW Authentication
- PassTicket- Trusted user- Default User
Exit routines
RACF=Y|NOTMASE=
(OTMA)Msg-levelSSL Proxy Service
SSL
Non-SSL
connection
IMS
DataPower
© 2015 IBM Corporation 10
IMSODBM
IMS Connect
Access to PSB
ICAL
to access IMSresources
Can pass useridoutbound
Resume TPIPEsecurity
ISRT,ALT
Access to DB
ODBASE=
ISIS=
Userid/PW
IMS universaldrivers
IMS ConnectObject
IMS
Front Side Handler
Resume TPIPE SAF identity
Outbound request/response
Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...Enterprise Integration and Enablement ...
� IMS Integration (XI50, XI50B,
XI50z, XI52, XB60, XB62...)
• Three interfaces to get to IMS:
• IMS Connect Client
• Access to IMS applications using a DataPower embedded
© 2015 IBM Corporation 11
a DataPower embedded IMSClientConnect handler to
IMS Connect
• Soap
• Access to IMS web services via the IMS SOAP Gateway
• MQ Client
• Access to IMS applications using an MQ server on system z and the MQ Bridge for IMS
http://www.redbooks.ibm.com/redbooks/pdfs/sg247988.pdf
IMS Integration
• DataPower provides WS-enablement to IMS applications
• User codes schema-dependent WTX data map to perform request/response
mapping
• “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol
© 2015 IBM Corporation 12© 2015 IBM Corporation 12
Data
Po
wer
CCB / TCP
Client
SOAP/HTTP
IMS
O
T
M
A
Appl1IMS
Connect
Appl2
Appl3
IMS
O
T
M
A
Appl4
Appl5
Appl6
User exit
(e.g..
HWSSM
PL0)
IMS Integration – IMS Connect client
• Accessing IMS as a service provider
– DataPower Release 3.6.1� First implementation of an IMS Connect client
� Support for CM1 (synchronous), Sync_level = None
– DataPower Release 3.8.0� Automatic chunking and de-chunking
� Support for client sending and receiving IMS messages larger than 32KB using the Web Service Proxy service or the IMS Connect object
© 2015 IBM Corporation 13© 2015 IBM Corporation 13
Web Service Proxy service or the IMS Connect object
� Support for automatically processing the LL/ZZ headers for each of the message segments.
� When using the IMS Connect configuration, support for an extra 4-byte LLLL header field in the response message and supports for receiving this LLLL header, processing it properly, and sending it back to the client in the response message.
– DataPower Release 3.81� Support for CM1 (synchronous), Sync_Level=Confirm
IMS Integration – IMS Connect client...
• Components:
© 2015 IBM Corporation 14© 2015 IBM Corporation 14
IMS Integration – IMS Connect client...
• An IMS Connect Handler object defines a handler service that receives IMS Connect
requests and forwards them to the appropriate DataPower service
Command Purpose
aclAssigns an Access Control List (ACL). The access control list allows or denies access to this
service based on the IP address of the client
admin-state Sets the administrative state of an object. Enabled (active) or disabled (inactive)
ebcdic-input Sets the encoding for input headers as EBCDIC or ASCII.
local-addressSpecifies the local address for the service. This is the local IP address or host alias on which the
service listens. The default value is 0.0.0.0.
© 2015 IBM Corporation 15© 2015 IBM Corporation 15
persistent-connectionsControls the negotiation of persistent connections. When enabled, the IMS Connect Handler
negotiates with the remote IMS Connect target to establish a persistent connection.
port Specifies the local listening port for the service. The default is 3000.
ssl Assigns an SSL Proxy Profile.
summary Specifies a brief, object-specific comment.
IMS Integration IMS Integration IMS Integration IMS Integration –––– IMS Connect client...IMS Connect client...IMS Connect client...IMS Connect client...
• The IMS Connect configuration handles the IMS protocol communications from a DataPower service to IMS applications
• The configuration contains settings that affect the behavior of the connection
admin-state Sets the administrative state of an object.
client-id-prefix Sets the two-letter prefix for the generated client ID. (default is DP)
clientid Specifies the name of the IMS client identifier.
datastore Sets the name of the data store.
ebcdic-conversion Controls EBCDIC header conversion.
encoding-scheme Sets the Unicode encoding scheme.
exit-program Sets the exit program.
Indicates whether the response message includes an extra 4-byte (LLLL) response message header specifying the total response
© 2015 IBM Corporation 16
port Sets the port on the target IMS Connect.
segment-size Sets the maximum segment size when a message is split when sending to an IMS Connect server.
summary Specifies a brief, object-specific comment.
sync-level Controls the acknowledgement (ACK) to the IMS Connect server after receiving the response. 0x00 =none, 0x01= confirm
tran-code Sets the transaction code to invoke.
username Sets the RACF identifier.
expect-llllIndicates whether the response message includes an extra 4-byte (LLLL) response message header specifying the total response
message size back from IMS Connect.
group Sets the RACF® security group.
hostname Specifies the host of the target IMS Connect.
irm-timer Sets the wait time to return data.
lterm-name Sets the logical terminal name.
password Sets the connection password.
IMS Integration – IMS Connect client...
• The IMS Connect URL
• dpims://IMSConnect /?parameters
• dpimsssl:// IMSConnect/?parameters
Where: IMSConnect specifies the name of an enabled IMS Connect configuration on
the appliance
?parameters specifies any overrides
© 2015 IBM Corporation 17© 2015 IBM Corporation 17
• An example of an IMS Connect URL is:
– dpims://xxx.xxx.xxx.xxx:nnnn/?TranCode=IVTNO;DataStoreID=IMS1;PersistentS
ocket=0�
• Or it can define host, port, DataStoreID, and PersistetnSocket in an IMS-object:
– dpims://IMSConnectObject/?TranCode=IVTNO
IMS Integration – IMS Connect client...
• The IMS Connect URL …
• Parameters - Use a question mark to denote the first query parameter and separate
subsequent query parameters with a semicolon.
– TranCode=code
– DataStoreID=ID
– ExitID=ID
– ClientIDPrefix=prefixIf not blank. The default is a two-character blank string.
– ClientID=ID
© 2015 IBM Corporation 18© 2015 IBM Corporation 18
– ClientID=ID
– RACFUserID=ID
– RACFGroupName=groupname
– Password=password or PassTicket
– LtermName=Lterm
– Timer=duration (appropriate wait time for IMS to return data to the IMS Connect server)
– EncodingScheme=scheme
– PersistentSocket=value
– EBCDIC=value
– synclevel=value
– ExpectLLLL=value
DataPower – IMS DB feature
• IMS DB feature easily exposes IMS data as a service to remote applications
• Requires one of the following DataPower models and Firmware 6.0:
• XG45 or XG45 Virtual Edition (with Database
© 2015 IBM Corporation 19© 2015 IBM Corporation 19
• XG45 or XG45 Virtual Edition (with Database Integration Module feature)
• XI52, XI52 Virtual Edition or XI50B (with Database Connectivity feature)
• WebSphere DataPower B2B Appliance XB62
DataPower to IMS DB – “Information as a Service”
• DataPower provides a standard WS façade to IMS
• SOAP or REST call is mapped to a JDBC (DRDA) invocation
• Exposes database content (information) as a service
• Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise
© 2015 IBM Corporation 20© 2015 IBM Corporation 20
Data
Po
wer
Client
SOAP or REST DRDA
DataPower to IMS DB
• Access to IMS DB leverages existing and proven technology
• IMS Universal JDBC driver
• IMS DRDA server: IMS Connect/ODBM
• IMS Catalog
DataPowerXG45, XI52,
© 2015 IBM Corporation 21© 2015 IBM Corporation 21
XG45, XI52,
XI50B, XB62
IMS
Universal
JDBC
Driver
Routing/
data
transformation
SQL
sends /
receives
DRDA
sends /
receives
ODBMIMS
Connect
IMS DB
IMSCatalog
DRDA/DDM DLIclient
IMS 12
DataPower Operational Considerations...
• IMS DB
• Create a Multi-Protocol Gateway (MPG) Configuration
– Define a Front Side Protocol Handler, e.g., HTTP/HTTPS front side handler
• Configure an “SQL Data Source” object (DB connection)
– IMS database is an SQL data source
– Connection user name/ password are specified
• Configure the back-end URL
• Define an MPG “Policy”
© 2015 IBM Corporation 22© 2015 IBM Corporation 22
• Define an MPG “Policy”
– Create one or more “Rule”(s) for the policy
• Apply the changes, and save the configuration
IMS Open DB Security
• The IMS Universal JDBC driver provides access to IMS data
• Access to IMS DBs use IMS Connect and ODBM
– IMS Connect provides authentication of the userid/password sent in by the IMS Universal drivers
• IMS Connect to ODBM
• RACF=Y
– IMS Connect authenticates the Userid/Password/Group� Passes a RACF Object (RACO) to ODBM
© 2015 IBM Corporation 23© 2015 IBM Corporation 23
� Passes a RACF Object (RACO) to ODBM– ODBM uses this information for security
• RACF=N
– IMS Connect bypasses authentication and does not pass a RACO– ODBM used the ODBM Job Userid/Group
IMS Open DB Security…
• ODBM to IMS
• Security information is sent from IMS Connect or, if no userid, then userid/group
from the ODBM jobcard is used
– ODBM and RRS=Y � ODBM uses the ODBA interface to
IMS
� Creates and passes ACEE in the Thread TCB
– In IMS, ODBASE parameter is in effect
• ODBM and RRS=N
– ODBM uses the CCTL interface to IMS (like CICS)
� Pass Userid/Group in PAPL
In IMS, the ISIS parameter to
© 2015 IBM Corporation 24© 2015 IBM Corporation 24
– In IMS, ODBASE parameter is in effect� ODBASE=Y invokes APSB security
� IMS uses RACF to verify the Userid using the AIMS or Axxxxxxx resource class
� The ISIS parameter is not used
� ODBASE=N invokes RAS
� IMS uses the ISIS parameter to determine the RACF call using the IIMS or Ixxxxxxxresource class
� ISIS=N – No RACF checking
� ISIS=R – RACF call
� ISIS=C – DFSRAS00 exit
� ISIS=A – RACF call and DFSRAS00 exit
– In IMS, the ISIS parameter to determine the RACF call using the IIMS or Ixxxxxxx resource class
� ISIS=N – No RACF checking� ISIS=R – RACF call� ISIS=C – DFSRAS00 exit� ISIS=A – RACF call and DFSRAS00 exit
IMS Open DB Security
• Example
PSB Schedule Time
PSB 1 UseridA
UseridB
ODBM
UseridB
IMS
Connect
ODBM
Client
IMS Universal JDBC Driver
AuthenticatedUseridB
UseridA
DataPower
© 2015 IBM Corporation 25© 2015 IBM Corporation 25
25
ODBM
UseridA
PSB1
And PSB2 UseridA
End user
UseridB
PSB2
UseridB
PSB 2 UseridA
Authenticated
UseridB
Can only access PSB2Can only access PSB2
Use of resource classes AIMS or IIMS|JIMS is based on use of SAF/APSB versus RAS
Or optionally the DFSRAS00 exitdecision when using RAS
Use of resource classes AIMS or IIMS|JIMS is based on use of SAF/APSB versus RAS
Or optionally the DFSRAS00 exitdecision when using RAS
DataPower – IMS Callout support
• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower , with minimal application updates required
• IMS Callout functionality requires one of the following DataPower models and Firmware 6.0:
© 2015 IBM Corporation 26© 2015 IBM Corporation 26
• WebSphere DataPower Integration Appliance
XI52, XI52 Virtual Edition
• WebSphere DataPower Integration Blade XI50B
• WebSphere DataPower B2B Appliance XB62
DataPower – IMS Callout support …
• DataPower adds value to standard IMS connect usage patterns
• Initial service provider support
– An “IMS Connect” back-end handler that natively connects to IMS Connect as
service provider
• Enhanced capability with V6.0
– An “IMS Callout” front-side handler that natively connects to IMS Connect as
service consumer
© 2015 IBM Corporation 27© 2015 IBM Corporation 27
service consumerD
ata
Po
wer
TCP/IPClient
TCP/IP
Provider scenario
Callout scenario
IMS
OTMA
Appl1IMS
ConnectAppl2
Appl3
IMS
OTMA
Appl4
Appl5
Appl6
User exit (e.g..
HWSSMPL1)
User exit (HWSDPWR1)
IMS Callout Support
• Supports the IMS synchronous callout capability – DL/I ICAL – Allows IMS applications to synchronously invoke external web services
• The IMS callout connection is a DataPower “Front Side Handler” – Retrieves IMS callout messages, interfaces with DataPower services and send
response data back to IMS
• The handler internally creates one or more IMS Connect dedicated persistent
socket connections to the host system
© 2015 IBM Corporation 28© 2015 IBM Corporation 28
socket connections to the host system
• The handler communicates with IMS Connect via a new DataPower dedicated
user message exit HWSDPWR1
IMS Callout Support ...IMS Callout Support ...IMS Callout Support ...IMS Callout Support ...
Response
DataPower XI52, XI50B, XB62
WS
Proxy
MPG
Transformation
IMS
Callo
ut F
ron
t Sid
e
Han
dle
r
Transformation
Request
Outbound Rule
Inbound Rule
IMS 12
IMS
Application
..
ICAL
(synchronous)
IMS
Connect
HWSDPR1
TPIPE
Serv
ices
© 2015 IBM Corporation 29
29
MPG
IMS
Callo
ut F
ron
t Sid
e
IMS Callout Front Side Handler
SendsICAL responses
Async
sends /
receives
IMS application 1
:
ICAL
(synchronous)
IMS
Connect
HWSDPWR1
exit
TPIPE
IMS
Connect
API
Retrieve ICAL requests
Routing/
data
transformation
Resume
TPIPE
ACK
request
Response
ACKResponses
queue
Requests
queue
IMS Callout DataPower Dependencies
• IMS Connect – IMS 12 PTF UK91544 (APAR PM76086) and
IMS 13 PTF UK97704
– DataPower User Exit Installation - Object Code Only user exit HWSDPWR1 (new)
• Specified in the EXIT= parameter of the TCP/IP statement in the IMS Connect configuration file (HWSCFGxx)
• IMS 12
01 AIB. 02 AIBRID PIC x(8) VALUE 'DFSAIB '. 02 AIBRLEN PIC 9(9) USAGE BINARY. 02 AIBSFUNC PIC x(8). 02 AIBRSNM1 PIC x(8). 02 AIBRSNM2 PIC x(8). 02 AIBRESV1 PIC x(8). 02 AIBOALEN PIC 9(9) USAGE BINARY. 02 AIBOAUSE PIC 9(9) USAGE BINARY. 02 AIBRSFLD PIC 9(9) USAGE BINARY. 02 AIBRESV2 PIC x(8). 02 AIBRETRN PIC 9(9) USAGE BINARY. 02 AIBREASN PIC 9(9) USAGE BINARY.
© 2015 IBM Corporation 30© 2015 IBM Corporation 30
• IMS 12– PTF UK82636 (APAR PM73135) AIB User
Token field AIBUTKN(new)• DL/I ICAL user can specify a 1-to-8 byte name in
the AIB so that this ID can be included in the OTMA state data in the callout message.
• The ID can be used as a unique service identifier for data transformation mapping and service routing
• DataPower V6
02 AIBRETRN PIC 9(9) USAGE BINARY. 02 AIBREASN PIC 9(9) USAGE BINARY. 02 AIBERRXT PIC 9(9) USAGE BINARY. 02 AIBRESA1 USAGE POINTER. 02 AIBRESA2 USAGE POINTER. 02 AIBRESA3 USAGE POINTER. 02 AIBUTKN PIC x(8).02 AIBRESV4 PIC x(32). 02 AIBRSAVE OCCURS 18 TIMES USAGE
POINTER. 02 AIBRTOKN OCCURS 6 TIMES USAGE
POINTER. 02 AIBRTOKC PIC x(16). 02 AIBRTOKV PIC x(16). 02 AIBRTOKA OCCURS 2 TIMES PIC 9(9)
USAGE BINARY.
IMS Callout Support ...
• DataPower IMS Callout Front Side Handler retrieves and sends IMS ICAL
request to other DataPower services
– In addition to the message payload, it sets the two headers:
- ims-callout-service-id: IMS ICAL AIBUTKN field- ims-callout-correlation-token: Hex representation of ICAL correlation token
> Allows IMS to correlate a response to the associated request
– The DataPower administrator can access the header fields in the MPG policy
• Examples of use:
– service ID as the request identifier to select input/output transformation map
© 2015 IBM Corporation 31© 2015 IBM Corporation 31
– service ID as the request identifier to select input/output transformation map
– correlation token as the message ID in the outbound HTTP/SOAP request
• Operational considerations
1. Create a Multi-Protocol Gateway (MPG) Configuration
2. Configure IMS Callout Front Side Handler
3. Configure the back-end URL
4. Define an MPG “Policy”
�Create one or more “Rule”(s) for the policy5. Apply the changes, and save the configuration
DataPower Operational Considerations ...
• Operational Characteristics – Configuration of an IMS Callout front side handler includes the following
properties: • IMSHost, IMSPort, DataStoreName, TPipe(s), UserID, Password, Group,
RetryErrorLimit, RetryInterval
– DataPower administrator can enable/disable an IMS Callout front side
handler
© 2015 IBM Corporation 32© 2015 IBM Corporation 32
• Operational States– An IMS Callout front side handler has the following “opstates”:
• Up: resume tpipe processing is in operation
• Down: no active processing
• Pending: in recovery mode (detected IMS Connect and/or IMS outage)
• Operational Recommendations
– When not in use, the administrator should disable the IMS Callout front side handler
IMS Application Considerations
• ICAL is a DL/I call verb
• Leverages the AIB interface
• Uses the SENDRECV subfunction
– REQ_area is the Request data area for sending data
– RESP_area is the Response data area for returned data� REQ and RESP messages are not recoverable
req-area and resp-area do not specify LLZZ, data can be > 32K
© 2015 IBM Corporation 33© 2015 IBM Corporation 33
� req-area and resp-area do not specify LLZZ, data can be > 32K� IMS Connect and OTMA handle buffer and segmentation internally
• Timeout support
– Optional user specified timeout value in the DLI call to control the time an IMS
application waits for a response
– Can terminate the request and free the dependent region
– Late responses are logged and discarded
Call AIBTDLI USING ICAL,aib,REQ_area,RESP_area
IMS Application Considerations ...IMS Application Considerations ...IMS Application Considerations ...IMS Application Considerations ...
• AIB • AIBID = DFSAIBbb• AIBLEN = AIB length
• AIBSFUNC = SENDRECV• AIBRSNM1 = 8 byte OTMA Descriptor name
• AIBRSFLD = Timeout value• 4 byte field for time value 100th seconds. System default is 10 sec.
• AIBOALEN = REQ_area length• As an input parameter: 4 byte field contains the length of the request area• As an output parameter: Actual length of the response message
• AIBOAUSE = RESP_area length• As an input parameter: 4 byte field contains the length of the response area• As an output parameter: Length of the response message.
DFSYDTx member of IMS.PROCLIB
•TYPE: Destination type
•TMEMBER: OTMA Target Client
•TPIPE: Destination Name
•SYNTIMER=timeout
Note ICAL overrides this value
•...
� OTMA Descriptor
© 2015 IBM Corporation 34
• As an output parameter: Length of the response message.
• AIBRETRN = AIB Return code• AIBREASN = AIB Reason code.
• AIBERRXT = 2 byte sense code from external application
01 AIB.
02 AIBRID PIC x(8) VALUE 'DFSAIB '.
02 AIBRLEN PIC 9(9) USAGE BINARY.
02 AIBRSFUNC PIC x(8) VALUE 'SENDRCV'.
02 AIBRSNM1 PIC x(8) VALUE ‘TESTDPWR'.
02 AIBOALEN PIC 9(9) USAGE BINARY VALUE +12.
02 AIBOAUSE PIC 9(9) USAGE BINARY.
01 CALLOUT-MSG.
02 CA-DATA PICTURE X(12) VALUE ‘HELLO WORLD ’
01 SCA-RESPONSE.
02 SCA-DATA PICTURE X(12).
CALL 'AIBTDLI' USING ICAL, AIB, CALLOUT-MSG , SCA-RESPONSE.
COBOL example
D TESTDPWR TYPE=IMSCON TMEMBER=HWS1
D TESTDPWR TPIPE=DPTEST1 ...
Error Conditions - IMS
• The IMS ICAL is informed of error conditions using AIB return and reason codes
• IMS Version 12 Application Programming APIs manual
– http://tinyurl.com/cgj8tah
Web Service
0
IMS Connect IMS
IMS Application
1
Resume TPIPE
ICAL SENDRECV TESTDPWRRequest
X1
DataPower
© 2015 IBM Corporation 35© 2015 IBM Corporation 35
Response 4
1 ICAL SENDRECV TESTDPWR
HELLO FROM IMSHELLO FROM IMS
HELLO FROM WEB SERVICE
HELLO
FROM WEB
SERVICE
HELLO
FROM IMS
HELLO FROM WEB SERVICE
3
Data
Transformation
2ACK
X3
X1
X2
X4
X5 X6
X5: external server already committed before time outX6: external server already committed, but IMS fails to process the response
X1: ICAL cannot be sent outX2: ICAL time outX3: late ACK received after time out
X4: XML converter in error
Data
Transformation
Examples of where some errors might occur:
Security Enhancements with DataPower V7
• DataPower IMS Callout Front Side Handler retrieves and sends IMS ICAL request to other DataPower services
– In addition to the message payload, it sets the headers:
- ims-callout-service-id: IMS ICAL AIBUTOKN field
- ims-callout-user-id: IMS PSTUSID associated with the calling transaction- ims-callout-correlation-token: Hex representation of ICAL correlation token
> Allows IMS to correlate a response to the associated request
The DataPower administrator can access the header fields in the MPG policy
© 2015 IBM Corporation 36© 2015 IBM Corporation 36
– The DataPower administrator can access the header fields in the MPG policy
• Examples of use:
– service ID as the request identifier to select input/output transformation map
– Userid as the requester for the target distributed service service
– correlation token as the message ID in the outbound HTTP/SOAP request.
IMS 13, IMS Connect 13, DataPower V7
Extracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform ActionExtracting UserID: Policy and Transform Action
© 2015 IBM Corporation 37
Double click on the Transform action icon to specifya stylesheet that will be used to direct the message for transformation and routing
Extracting Extracting Extracting Extracting UserIDUserIDUserIDUserID using a using a using a using a stylesheetstylesheetstylesheetstylesheet (Transform): example (Transform): example (Transform): example (Transform): example
<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
<xsl:template match="/">
<xsl:message dp:priority="info">
Correlation token :
<xsl:value-of select="dp:request-header('ims-callout-correlation-token')" />
</xsl:message>
- <xsl:message dp:priority="info">
© 2015 IBM Corporation 3838
- <xsl:message dp:priority="info">
User ID :
<xsl:value-of select="dp:request-header('ims-callout-user-id')" />
</xsl:message>
- <xsl:message dp:priority="info">
Service ID :
<xsl:value-of select="dp:request-header('ims-callout-service-id')" />
</xsl:message>
</xsl:template>
</xsl:stylesheet>
Securing IMS Callout Request Flow with SSL Proxy
• The IMS Callout FSH support 3 types of connections to IMS Connect
• Non-SSL, SSL with AT-TLS (recommended), IMS Connect SSL
IMSDataPower
Routing/
dataIMS Callout FSH
Non-SSL
connection
8888
© 2015 IBM Corporation 39© 2015 IBM Corporation 39
IMS application 1
:
ICAL
(synchronous)
IMS
Connect
TPIPE
data
transformation
SSL ProxyService
IMS Connect SSL
8899S
9999Serv
ices / A
pplic
ation
SSL with AT-TLS
8888
2-waySSL Proxy
Operational Considerations for SSL Proxy
• Operational Characteristics
• Configure IMS Callout FSH to communicate with DataPower SSL Proxy
• Configure SSL Proxy to communicate with IMS Connect with
– IMS Connect SSL enabled: specify SSL port or– AT-TLS enabled to listen on IMS Connect port
© 2015 IBM Corporation 40© 2015 IBM Corporation 40
Summary
• DataPower enhances IMS connectivity capabilities
• Enables connectivity with any IMS environment
– IMS transactions can be both service consumers and providers of web or HTTP
services
– IMS database content can be exposed as a service
• Allows IMS to leverage DataPower's flexibility
© 2015 IBM Corporation 41© 2015 IBM Corporation 41
• Allows IMS to leverage DataPower's flexibility
– Support for rapid data transformations for cloud and mobile applications, secured
and scalable business integration, and edge of network security gateway in a
single drop-in appliance.
• Resource: DataPower and IMS
– http://www-01.ibm.com/support/docview.wss?uid=swg27038927&aid=1