2. DataPower SOA Appliance
An SOA Appliance…
creates customer value through extreme
SOA performance, connectivity, and
security.
Simplifies SOA and accelerates time to value
Helps secure SOA XML implementations
Governs and enforces SOA/Web Services policies
DataPower SOA Appliances redefine the boundaries of middleware extending the
SOA Foundation with specialized, consumable, and dedicated SOA
Appliances that simplify and combine superior performance, hardened
security, and integration for SOA implementations.
2
3. Why an Appliance for SOA?
Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
Many functions in a single device
Service level management, dynamic routing, policy enforcement, transformation
Higher levels of security assurance certification
FIPS 140-2 Level 3, Common Criteria EAL4
Higher performance with hardware acceleration facilitates security enforcement
•
Addresses the divergent needs of
different groups
– Enterprise architects, network operations,
security operations, web services developers
•
Simplified deployment and ongoing
management
– Drop-in appliance, secures traffic in minutes,
integrates with existing operations
3
4. What is DataPower ?
•
•
•
•
Provides the flexibility of software in a hardware footprint
Is quick to deploy – configuration NOT coding or programming
Typically takes days to integrate NOT weeks or months
Is a 1U 19” Rack Mounted appliance
–
•
•
Looks like a router
Has minimal components and has no stack of software. Consequently
DataPower is highly secure
As attack points are minimised
–
–
DataPower is undergoing accreditation to Common Criteria EAL4
This is globally recognised check by an impartial third party that warrants the security claims
made by IBM
4
5. What Does DataPower Address ?
•
•
XML is the language of Web Services and SOA
XML is pervasive – in a matter of years, it will fuel every application, device, and
document found in enterprise networks
•
XML challenges
– XML is very ‘Verbose’
• XML is bandwidth intensive
• Has a direct impact on Application Server performance
• XML processing requires significant processor cycles and memory
resources
– XML is effectively ‘Human readable’ Text
• It has no native security mechanisms
• It is readily understood and vulnerable to interception
• Security can be implemented on the application server but this is additional
XML processing and adds to the performance problem
– SOA is not just Web Services and XML
• Customers need to integrate existing legacy systems, messaging formats
and protocols into the SOA architecture.
• The ability to ‘transform’ legacy systems into the XML format is needed.
5
6. What Does DataPower Address ?
•
XML Performance
– How ? – by offloading XML processing from the Application Server to
DataPower in optimised hardware
– Thereby greatly reducing the required number of Application Servers
•
XML Security
– How ? – by offloading XML security to DataPower
– Provide standards based security – WS Security
•
Integrating XML and legacy systems
– How ? – by using DataPower to transform XML to legacy message
formats and protocols e.g
• XML < > Cobol Copybook (brings a Mainframe into SOA
Architecture)
• XML > HMTL (renders HTML content to Portal very rapidly)
• XML < > MQ Messaging
All of this is done at WIRESPEED
6
7. WebSphere DataPower SOA
Appliance Product Line
XM70
XB60
High volume, low latency messaging
Enhanced QoS and performance
Simplified, configuration-driven approach to LLM
Publish/subscribe messaging
High Availability
B2B Messaging (AS2/AS3)
Trading Partner Profile Management
B2B Transaction Viewer
Unparalleled performance
Simplified management and configuration
XA35
–
–
–
Offload XML processing
No more hand-optimizing XML
Lowers development costs
XS40
Enhanced Security Capabilities
Centralized Policy Enforcement
Fine-grained authorization
Rich authentication
XI50
Hardware ESB
“Any-to-Any” conversion at wire-speed
Bridges multiple protocols
Integrated message-level security
7
8. WebSphere DataPower Basic Use Cases
Internet
DMZ
Trusted Domain
Application
Consumer
1 B2B Gateway
3 Low Latency Gateway
Application
2 Secure Gateway
(Web Services,
Web Applications)
Consumer
4 Internal Security
5 Enterprise Service Bus
6 Web Service Management
7 Legacy Integration
8 XML Acceleration
System z
8
9. XML Accelerator XA35
Purpose-built hardware for presentation-tier transformation
• “The Original” DataPower XML Appliance
• Defines high performance architecture for all
DataPower SOA Appliances
• Processes XML operations at “wire-speed”
• Ideal in an XSL-intensive HTTP presentation tier
• XML Pipeline processing accelerates XML/XSLT/XPath evaluation,
increasing throughput and decreasing latency by offloading XML
operations to the network
• Innovative drag-and-drop policy editor accelerates time to value and
simplifies configuration and deployment
• Logical application domains allow individual “sandboxes” and facilitate
configuration management through import/export features
• Multiple management interfaces serve varying needs of an organization,
including browser-based WebGUI, command line CLI, and scriptable
Web Services
9
10. XML Security Gateway XS40
Purpose-built hardware for assuring confidentiality, authenticity, and nonrepudiation
• Native support for WS-Security policy enforcement
• Extremely secure hardware design
• Integrate with a variety of authentication and
authorization systems for real-time protection
• Ideal in front-line DMZ or internal security gateway
• XML/SOAP Firewall capabilities enable Layer 7 filtering on any content,
metadata or network variable in a message
• Web Application Firewall service offers additional security, threat
mediation, and content processing for other URL encoded HTTP-based
applications
• Easily configurable field-level security options allow flexible enforcement
of confidentiality, authenticity, and non-repudiation requirements
• Low latency architecture leverages hardware-acceleration for
cryptographic operations
10
11. Hardware Device for Improved Security
•
Sealed network-resident appliance
– Optimized hardware, firmware, embedded OS
– Single signed/encrypted firmware upgrade only
– No arbitrary software
– High assurance, “default off” locked-down configuration
– Security vulnerabilities minimized (few 3 party components)
– Hardware storage of encryption keys, locked audit log
– No USB ports, tamper-proof case
•
Third party certification
– FIPS 140-2 level 3 HSM (option)
– Common Criteria EAL4
“The DataPower [XS40]... is the most hardened ... it looks
and feels like a datacenter appliance, with no extra ports
or buttons exposed… "
- InfoWorld
11
12. XML security threats are growing
DataPower provides hardened real-time protection
•
•
•
•
•
•
•
•
•
•
•
•
•
•
XML Entity Expansion and Recursion
Attacks
XML Document Size Attacks
XML Document Width Attacks
XML Document Depth Attacks
XML Wellformedness-based Parser
Attacks
Jumbo Payloads
Recursive Elements
MegaTags – aka Jumbo Tag Names
Public Key DoS
XML Flood
Resource Hijack
Dictionary Attack
Message Tampering
Data Tampering
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Message Snooping
XPath Injection
SQL injection
WSDL Enumeration
Routing Detour
Schema Poisoning
Malicious Morphing
Malicious Include – also called
XML External Entity (XXE)
Attack
Memory Space Breach
XML Encapsulation
XML Virus
Falsified Message
Replay Attack
…others
12
13. Gartner: Web Services Security Best Practices
Provide System Security
Inspect ALL traffic
Transform all messages
Mask internal resources
Implement XML filtering
Secure logging
Protect against XML DoS
Require good authentication
mechanisms
Provide Message Security
Sign all messages
Validate messages
(Inbound+Outbound)
Time-stamp all messages
Ask for Compatibility
SSL MA, SAML, x.509.
WS-Security
WS-* extensions
•
•
•
Build Expertise/Design From Strength
Educate Business Leaders
Build Centralized Infrastructure
–
–
–
–
•
•
•
SSL is key
Use management/security platforms
Manage your identities
You may need PKI
Trust (Really) Your Partners
Use OTS Web Services with Caution
Monitor and Control
“Therefore, enterprises should
investigate tools such as security
gateways, SSL concentrators and
accelerators, and wire-speed SOAP/XML
inspection hardware.”
-- John Pescatore, Gartner
13
14. Access Control Integration Framework
(AAA)
Transport Headers
URL
SOAP Method
XPath
Input Message
Extract
Resource
WS-Security
SAML
X.509
Kerberos
Proprietary Tokens
Extract
Identity
LDAP
ActiveDirectory
SAML
Tivoli
CA eTrust/Netegrity
RSA
Entrust
Novell
RACF
Authenticate
Map
Resource
LDAP
ActiveDirectory
SAML
Tivoli
CA eTrust/Netegrity
RSA
Entrust
Novell
Proprietary
Authorize
SAML Assertion
Credential Mediation
IDS Integration
Monitoring
Audit &
Accounting
Output Message
Authenticate, Authorize, Audit
Map
Credentials
External Access Control Server or
Onboard Identity Management Store
14
15. Web Application Firewall
•
•
•
•
•
•
•
URL-encoded HTTP application protection
in addition to XML Web Services firewall
security
Protection for static or dynamic HTMLbased applications
Supports browser-based clients and
HTTP/HTTPS backend servers
Wizard-driven configuration
Cross-site scripting and SQL Injection
protection
AAA framework support for web
applications
General name-value criteria boundary
profiles for:
– Query string and form parameters
HTML Input Conversion Maps for form
processing and handling
Cookie watermarking (sign and/or encrypt)
Rate limiting and traffic throttling/shaping
HTTP header stripping, injection and rewriting
HTTP protocol and method filtering
Content-type filtering
Dynamic routing and load balancing
Session handling policies
SSL Acceleration & Termination (Link)
XML and non-XML processing policies
Customizable error handling
– HTTP headers
– Cookies
15
16. Integration Appliance XI50
Purpose-built hardware for Enterprise Service Bus functionality
• Web Service virtualization for legacy applications
• Enforce high levels of security independent of
protocol or payload format
• Integrate with enterprise monitoring systems
• Service level management options to shape traffic
!
Advanced protocol-bridging seamlessly supports a wide array of
transports, including HTTP, WebSphere MQ, WebSphere JMS, Tibco
EMS, FTP, NFS
Any-to-any “DataGlue” engine supports XML and Non-XML (Binary)
payloads, promoting asset reuse and enabling integration without coding
Direct database access enables message-enrichment and data-as-aservice messaging patterns (DB2, Oracle, MS-SQL, Sybase)
High performance architecture creates low-cost, easily-scalable ESB
solution for Smart SOA needs
16
17. The ESB Cost Explosion - background
A significant and growing problem with bus installations around the world.
In medium to large organizations
running significant transaction volumes,
the footprint of their ESB becomes very
large and expensive, very quickly.
Business
Partners
Internet
Access
Wireless
Access
Intranet
Portal
ESB
Internet
Portal
Wireless
Portal
DMZ
Midrange
System Z
Internal Trusted
Networks
DB2
Unix
IMS
w2k
Logging
Monitoring /
Management
SCM
Directory /
IDM
CRM
17
18. The ESB Cost Explosion – Root
causes
1. The resource requirements of today’s services (mostly XML-based)
–
Software mediation solutions written on general-purpose platforms require shocking
amounts of CPU and memory to process messages and perform the basic bus
functions:
• Message Parsing and Interpretation
• Message Transformation
• Message Routing
2. The minimal headroom purchased because of HA requirements.
–
Companies quickly use up extra capacity purchased initially in order to maintain high
availability for this critical part of their network.
Nevertheless the problem is often still hidden by the HA deployment initially
Companies are often taken by surprise by how quickly they “hit the wall”
–
–
It doesn’t take much!
•
•
At somewhere between 20-60 TPS the infrastructure needs to be at least doubled.
you don’t have to be a F500 company to get hit
18
19. The ESB Cost Explosion - Solution
The DataPower module, deployed in an Architected ESB Federation pattern, is designed to
bring the “commodity” work of an ESB to the network layer.
SOA Network Infrastructure
History tells us that selecting universal, repetitive
functions and moving them to purpose-built
appliances reduces solution costs, both in terms of
increased performance / reduced processing costs,
and reduced complexity of deployment (network
devices are configured, not coded).
19
20. Processing rule actions for ESB
Programmer-friendly functions within the purely-configuration message flow.
WAIT
20
21. Processing rule actions for ESB
Fan-out (Fan-in)
FTP
Notification
Fire and Forget
HTTP
JMS
HTTP
Composition
JMS
MQ
21
22. Content-based Routing
Select destination based on transaction metadata
•
Dynamically determine route from transaction context and/or message
content
– Analyze originating URL, protocol headers, transaction attributes, etc.
– Analyze legacy or XML content
•
Leverage a routing table for real-time decisions
– Quickly deploy routing changes, including protocol conversions
•
Retrieve routing information from other systems
– E.g., databases, web servers, file servers, etc.
Unclassified
Requests
Service
Providers
22
23. Protocol Mediation
Independently bridge inbound and outbound protocols
First-class support for message and transport protocol bridging
Protocol mediation with simple configuration:
–
HTTP MQ WebSphere JMS FTP Tibco EMS
Request-response and sync-async matching
Configurable for fully guaranteed, once-and-only-once delivery
WebSphere
JMS
http(s)
3rd Party
Messaging
WebSphere
MQ
Database
FTP(s)
sFTP
DB2, SQL Server,
Oracle, Sybase,
IMS
NFS
24
24. Web Services Management
Service Level Management protects application resources
•
•
Defined as action in the policy pipeline
Configure policies based on:
– Any parameter: WSDL; Service Endpoint; Operation; Credential
– Request; Response; Fault; XPath
•
•
Enforce same thresholds across a pool of devices
Configure service level to trigger action:
– Notify (Alert)
– Shape (Slow Down)
– Throttle (Reject)
•
•
•
Supports WSDM and other Web services management standards
Allows subscription to SLM for alerts, logging, etc.
Notify other applications such as billing, audit, etc.
25
25. System z Integration
• Broad integration with System z
• Connect to existing applications over
WebSphere MQ
• Transform XML to/from COBOL Copybook
for legacy needs
• Natively communicate with IMS Connect
• Integrate with RACF security from
DataPower AAA
• Service enable CICS using WebSphere MQ
• Virtualize CICS Web Services
27
26. Business to Business (B2B)
Appliance XB60
Purpose-built B2B hardware for simplified deployment, exceptional
performance and hardened security
• Extend integration beyond the enterprise with B2B
• Hardened Security for DMZ deployments
• Easily manage and connect to trading partners
using industry standards
• Simplified deployment and ongoing management
• Trading Partner Management for B2B Governance; B2B protocol policy
enforcement, access control, message filtering, and data security
• Application Integration with standalone B2B Gateway capabilities supporting B2B
patterns for AS2, AS3 and Web Services
• Full featured User Interface for B2B configuration and transaction viewing;
correlate documents and acknowledgments displaying all associated events
• Simplified deployment, configuration and management providing a quicker time to
value by establishing rapid connectivity to trading partners
28
27. DataPower B2B Appliance XB60
- B2B Components
The DataPower B2B Appliance extends your
ESB beyond the enterprise by supporting the
following B2B functionality:
•
•
B2B Gateway Service
– AS2 and AS3 packaging/unpackaging
– EDI, XML and Binary Payload routing
– Front Side Protocol Handlers
– Trading Partner Profile Management
• Multiple Destinations (Back Side
Protocol Handlers)
• Certificate Management (Security)
– Hard Drive Archive/Purge policy
B2B Viewer
– B2B transaction viewing
– Transaction resend capabilities
– Acknowledgement correlation
– Transaction event correlation
– Role based access
•
Transaction Store
– B2B metadata storage
– B2B state management
B2B Gateway Service
Internal Partner
Destinations
Front Side
Handlers for
Integration
Transaction
Store
Front Side
Handlers
for Partner
Connections
External Partner
Destinations
Persistent
Storage
Persistent Storage
– Encrypted with a box specific key
– B2B document storage
•
DataPower B2B XB60
B2B Viewer
29
28. Low-Latency Appliance XM70
Purpose-built hardware for low-latency, network-based messaging and data feed
processing
• Drop-in messaging solution which plugs into existing
network infrastructure
• Enhanced QoS and performance with purpose-built
hardware
• Simplified, configuration-driven approach to low-latency,
publish/subscribe messaging and content-based routing
• High availability out of the box (two or more appliances)
• Low-latency unicast and multicast messaging, scaling to 1M messages / sec with
microsecond latency
• Destination, property and content-based routing, including native XML and FIX
parsers
• Optimized to bridge between leading standard messaging protocols such as MQ,
Tibco, WebSphere JMS and HTTP(S)
• Simplified deployment, configuration and management providing a quicker time to
value by rapidly configuring messaging destinations, connectivity and routing
30
29. Configuration & Administration
Fits into existing environments
Multiple administration consoles
IDE integration
Eclipse/Rational Application Developer
Altova XML Spy
WAS 7 Admin Console for Multi-box Management
Easy export/import for configuration promotion
Standard operational interfaces
WebGUI – 100% availability of functions in all consoles
CLI – Familiar to network operators
SOAP interface – Programmatic access to all config for easy scripting
SNMP
XI50
SNMP, syslog, etc.
Industry leading integration support across IBM and 3rd party application, security, identity
management, and networking infrastructure
31
30. IBM SOA Appliance Deployment
Summary
Web Tier
XML
HTML
WML
Client
or
Server
XML
XSL
XA35
Application Server Web Server
Internet
Security
Tivoli NetView
Tivoli NetView
Tivoli Access Manager
Tivoli Access Manager
Tivoli
Access
Manager
-----------Federated
Identity
Manager
XS40
Internet
WebSphere App Server
WebSphere App Server
IP Firewall
Application Server
DataPower XS40
DataPower XS40
Integration & Management Tiers
LEGACY REQ
Nortel L7 Module
Nortel L7 Module
DataPower XS40
DataPower XS40
HTTP XML REQ
MQ Server
MQ Server
LEGACY RESP
XI50
HTTP XML RESPONSE
ITCAM for
SOA
Web service
Web service
client
client
Tivoli NetView
Web Services
Client
Tivoli Access Manager
32
WebSphere App Server
DataPower XS40
31. IBM SOA Appliance Deployment
continued
Business to Business (B2B)
DMZ
AS2 Message
FW
XML/EDI/Binary
Internet
XB60
FW
FW
AS2 MDN
Trading
Partners
AS2, AS3, HTTP,
FTP, Web
Services, MQ
Receiver
WSRR
ITCAM for
SOA
Tivoli NetView
Trading Manger for
EDI Processing
Application
Server
Tivoli Access Manager
WebSphere App Server
Low Latency Messaging (LLM)
Receiver
DataPower XS40
RUM
(unicast)
Nortel L7 Module
DataPower XS40
Transmitter
MQ Server
RMM
XM70
RUM
Receiver
(multicast)
Web service
client
Transmitter
MQ/TIBCO
33
32. Summary – IBM Specialized Hardware for Smart SOA Connectivity
•
•
•
•
•
•
Hardened, specialized product for helping integrate, secure & accelerate SOA
Many functions integrated into a single device
Broad integration with both non-IBM and IBM software
Higher levels of security assurance certifications require hardware
Higher performance with hardware acceleration
Simplified deployment and ongoing management
www.ibm.com/software/integration/datapower
SOA Appliances: Creating customer value
through extreme SOA performance,
connectivity, and security
Simplifies SOA and accelerates time to value
Helps secure SOA XML implementations
Governs and enforces SOA/Web Services policies
34