2. IBM Corporation 2
Why use an Appliance for connectivity?
• Purpose-built, fine-tuned, secure, and consumable hardware platform
• Fast performance with multiple layers of specialized hardware & software acceleration
• Many functions incorporated in a single device
– Service level management
– Dynamic routing and load distribution
– Transport and message level security
– Policy enforcement
– Transport and message transformation
– Business-to-business partner profile management
• Simplified maintenance model
– Drop-in appliance form factor
– Secures traffic in minutes
– Push-button flash upgrade process
– Integrates with existing operations
• Provides high levels of certified security assurance
– Transport protocol security (SSL/TLS)
– Message level security
– Authentication, Authorization, Audit (AAA)
– FIPS 140-2 Level 3 (with the optional HSM)
3. IBM Corporation 3
Potential benefits: reduction in development labor (IBM estimates, in development hours)

Use case | Description | Current environment, estimated development hours | DataPower, estimated development hours
B2B Protocol Handling | Integrate internal and external business partners based on industry-standard B2B protocols and message formats | 200 | 20
B2B Partner Profile Manager | Onboard and manage new partners for B2B integration through the gateway | 10 | 5
B2B Transaction Manager | B2B transaction audit and management capability for review, resend and problem resolution | 10 | 5
Security AAA | Consumer identification, authentication, authorization, and auditing security capabilities | 360 | 18
Security Threat Protection | Non-repudiation, integrity, confidentiality and general threat protection security capabilities | 1080 | 51
Routing | Service virtualization of identity via dynamic content- and context-based routing | 140 | 20
Protocol Bridging | Service virtualization of protocol via bridging (e.g. HTTP to/from MQ) | 140 | 20
Message Transformation | Service virtualization of interface via message transformation to/from any format including XML | 120 | 40
Service Level Management | Monitor against thresholds based on SLAs between parties and support taking action when thresholds are crossed | 280 | 40
4. IBM Corporation 4
DataPower's Core Strategic Vision
Become the leading Multi-Channel Gateway Platform for Developers, Customers, Partners and IBM Products to secure, integrate, control and optimize the delivery of Applications, APIs and Data across a variety of digital business channels in a growing landscape of public, private and hybrid cloud environments in addition to on-premise setups.
DataPower Team
5. IBM Corporation 5
What is IBM DataPower?
• The IBM® DataPower® Gateway appliance has been established as the leading security & integration gateway device in the industry
• DataPower gateway appliances help secure, control, integrate and optimize the delivery of the full range of Mobile, Web, API, SOA, Cloud, and B2B applications and services
6. IBM Corporation 6
IBM DataPower - Converged Multi-Channel Gateway
Figure: users (consumers, employees, partners, consultants, developers) reach the business channels (web, mobile, B2B, SOA, APIs) through the enforcement layer, the DataPower appliance with ISAM for DataPower, which sits in front of the applications and systems.
7. IBM Corporation 7
IBM DataPower Gateway
• Extend the capabilities by providing a multitude of functions:
– IBM DataPower Gateway (IDG) provides gateway functionality and is a security enforcement point. It also supports intelligent load distribution and dynamic routing via the Application Optimization module. IDG is used for service level management and monitoring, and is available in two form factors: a 2U rack-mounted physical appliance, and a virtual appliance running on VMware, Citrix, and elastic cloud environments (SoftLayer and Amazon AWS).
– IBM DataPower Gateway with Integration Module extends the IDG platform with a wide range of integration, message mediation and transformation protocols, including mainframe integration and enablement. The Integration Option is available for both physical and virtual form factors.
– IBM DataPower Gateway with the ISAM Module: IBM Security Access Manager for DataPower is a new access management software module for IBM DataPower Gateways that provides web access management and strong authentication enforcement for mobile workloads, integrated into the DataPower platform.
– IBM DataPower Gateway with Business to Business (B2B) Module provides a high-throughput, secure entry point at the edge for B2B traffic into enterprises. The B2B options build on the capabilities of IDG, offering partner profile management and inter-enterprise messaging and document support. The B2B option is available in both physical appliance and virtual form factors.
NOTE: Other modules are: Application Optimization (routing and load balancing); Tibco (connectivity to Tibco EMS)
8. IBM Corporation 8
Security Gateway
Proxying and Enforcement: the gateway terminates the connection from the client and opens a new connection to the target, so every step below runs on the message in between
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (schema validation)
• Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (establish a new connection to pass results)
• Cache data on-box or in a centralized, shared XC10 grid
Figure: deployment topology. Clients on the Internet (browsers, partner apps, SaaS) send a web service request over HTTP(S), authenticated with Basic Auth, OAuth 2.0, WS-Security UsernameToken, etc., through the protocol firewall into the DMZ. There a Security Gateway behind an ACL applies incoming access control and threat protection, calls out to a virus scanner, and consults identity and policy sources (ISAM, MS Active Directory, any LDAP such as Oracle, CA SiteMinder, or a PDP speaking XACML, SAML or other). The request then crosses the domain firewall into the internal network, where a second Security Gateway with its own ACL applies outgoing access control and SAML injection before the request reaches the ESB, packaged apps, proprietary apps and data; internal consumers present SAML, LTPA or Kerberos tokens. Payload formats shown: HTML, JSON, XML, SOAP, MIME, DIME, MTOM, XMLDSIG, XMLENC, WS-Security, WS-SecurityPolicy, WS-Trust, SAML, OAuth 2.0.
10. IBM Corporation 10
Supported standards & protocols
• Data format & language
– JavaScript
– JSON
– JSON Schema
– JSONiq
– REST
– SOAP 1.1, 1.2
– WSDL 1.1
– XML 1.0
– XML Schema 1.0
– XPath 1.0
– XPath 2.0 (XQuery only)
– XSLT 1.0
– XQuery 1.0
• Security policy enforcement
– OAuth 2.0
– SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
– XACML 2.0
– Kerberos, SPNEGO
– RADIUS
– LDAP versions 2 and 3
– Lightweight Third-Party Authentication (LTPA)
– Microsoft Active Directory
– FIPS 140-2 Level 3 (with optional HSM)
– SAF & IBM RACF® integration with z/OS
– Internet Content Adaptation Protocol (ICAP)
– W3C XML Encryption
– W3C XML Signature
– S/MIME encryption and digital signature
– WS-Security 1.0, 1.1
– WS-I Basic Security Profile 1.0, 1.1
– WS-SecurityPolicy
– WS-SecureConversation 1.3
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy
– FTP, FTPS, SFTP
– WebSphere MQ
– WebSphere MQ File Transfer Edition
(MQFTE)
– TIBCO EMS
– WebSphere Java Message Service (JMS)
– IBM IMS Connect, & IMS Callout
– NFS
– AS1, AS2, AS3, ebMS 2.0, CPPA 2.0,
POP, SMTP (XB62)
– DB2, Microsoft SQL Server, Oracle,
Sybase, IMS
• Transport Layer Security
– SSL versions 2 and 3 (legacy only: SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 deprecated by RFC 7568; leave both disabled on any listener)
– TLS versions 1.0, 1.1, and 1.2
• Public key infrastructure (PKI)
– RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP (DES and 3DES are legacy ciphers; prefer AES)
– PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
– XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management
‒ Simple Network Management Protocol
(SNMP)
‒ SYSLOG
‒ IPv4, IPv6
• Open File Formats
‒ Distributed Management Task Force
(DMTF) Open Virtualization Format (OVF)
‒ VMware Virtual Machine Disk Format
(VMDK)
• Web services
– WS-I Basic Profile 1.0, 1.1
– WS-I Simple SOAP Basic Profile
– WS-Policy Framework
– WS-Policy 1.2, 1.5
– WS-Trust 1.3
– WS-Addressing
– WS-Enumeration
– WS-Eventing
– WS-Notification
– Web Services Distributed
Management (WSDM)
– WS-Management
– WS-I Attachments Profile
– SOAP Attachment Feature 1.2
– SOAP with Attachments (SwA)
– Direct Internet Message
Encapsulation (DIME)
– Multipurpose Internet Mail
Extensions (MIME)
– XML-binary Optimized Packaging
(XOP)
– Message Transmission Optimization
Mechanism (MTOM)
– WS-MediationPolicy (IBM standard)
– Universal Description, Discovery,
and Integration (UDDI versions 2
and 3), UDDI version 3 subscription
– WebSphere Service Registry and
Repository (WSRR)
11. IBM Corporation 11
Protection of data plus XML & JSON threat protection
DataPower security is policy driven
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
– Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
• Use WS-SecurityPolicy to define security requirements for your web services
– DataPower natively consumes and enforces WS-SecurityPolicy statements: integrity & confidentiality, SupportingTokens, message/transport protection
• Use XACML to define access and authorization policies for your web services
– DataPower natively consumes and enforces XACML policies: resource-based authorization, in the PEP and PDP roles
XML Threat Protection
• Entity expansion/recursion attacks
• Public key DoS
• XML flood
• Resource hijack
• Dictionary attack
• Replay attack
• Message/data tampering
• Message snooping
• XPath or SQL injection
• XML encapsulation
• XML virus
• …many others
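The first item in that list, entity expansion, is the one a gateway has to stop before any XML parser expands the document. As an added example written for this page (it is not DataPower code or configuration; DataPower's own XML threat protection is configured on the service, not scripted), the Python check below uses only the standard library's expat bindings. It refuses any DOCTYPE, so no entity can be declared at all, and caps element nesting depth and document size, which also covers the recursion and flood items. The limits, the benign order document, the billion-laughs payload and the 1000-deep document are all constructed for the example.

```python
"""Intake check for XML: reject DTDs (entity expansion), cap nesting depth and size."""
import xml.parsers.expat


class XMLThreatError(ValueError):
    """Raised when a document violates one of the intake limits."""


def check_xml(data: bytes, max_bytes: int = 64 * 1024, max_depth: int = 32) -> dict:
    """Enforce size, no-DTD and nesting-depth limits on raw XML before real parsing.

    Rejecting every DOCTYPE is what defeats entity-expansion (billion laughs)
    payloads: with no DTD there is nowhere to declare entities, so a downstream
    parser has nothing to expand. Returns a small summary dict on success.
    """
    if len(data) > max_bytes:
        raise XMLThreatError(f"document size {len(data)} exceeds {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Internal or external DTD alike: refuse before the body is even looked at.
        raise XMLThreatError("DOCTYPE/DTD not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise XMLThreatError(f"nesting depth exceeds {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def on_end(name):
        state["depth"] -= 1

    # An exception raised inside an expat callback stops the parse and propagates out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XMLThreatError(f"malformed XML: {exc}") from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def classify(data: bytes) -> str:
    """'ok' or the rejection reason, for quick demonstration."""
    try:
        check_xml(data)
        return "ok"
    except XMLThreatError as exc:
        return str(exc)


# Constructed samples (not taken from the slides).
BENIGN = b"<order><id>42</id><item sku='A1'>widget</item></order>"

# Classic 'billion laughs': each entity level multiplies the previous one tenfold.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Recursion attack: 1000 nested elements.
DEEP = b"<a>" * 1000 + b"</a>" * 1000

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("billion_laughs", BILLION_LAUGHS), ("deep", DEEP)]:
        print(f"{label:15s} -> {classify(doc)}")
```

Recent Expat releases add their own amplification limit for entity expansion, but refusing the DOCTYPE outright is the policy a gateway should apply anyway: a message interface that needs a DTD is the exception, and an attacker needs one to mount the attack.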
JSON Threat Protection (configurable limits)
• Label-value pairs
– Label string length (characters)
– Value string length (characters)
– Number length (characters)
• Threat protection
– Maximum nesting depth (levels)
– Maximum document size (bytes)
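The five JSON limits above are exactly the kind of check that must run before a general JSON parser allocates anything. As an added example (Python written for this page, not DataPower's implementation), the scanner below makes a single pass over the raw text, enforcing document size, nesting depth, label length, value length and number length, and only then hands the text to json.loads. A string followed by a colon is treated as a label, everything else as a value. The limit values and the five sample documents are constructed.

```python
"""JSON threat-protection limits enforced before json.loads()."""
import json
from dataclasses import dataclass


class JSONThreatError(ValueError):
    """Raised when a document exceeds a configured limit."""


@dataclass(frozen=True)
class JSONLimits:
    max_bytes: int = 4 * 1024 * 1024  # maximum document size (bytes)
    max_depth: int = 64               # maximum nesting depth (objects and arrays)
    max_label_len: int = 256          # label (object key) string length (characters)
    max_value_len: int = 8192         # value string length (characters)
    max_number_len: int = 128         # number length (characters)


_NUMBER_CHARS = set("+-.eE0123456789")


def _scan_string(text: str, i: int) -> int:
    """Return the index just past the JSON string whose opening quote is at text[i]."""
    i += 1
    n = len(text)
    while i < n:
        c = text[i]
        if c == "\\":
            i += 2          # skip the escaped character (or the \uXXXX introducer)
            continue
        if c == '"':
            return i + 1
        i += 1
    raise JSONThreatError("unterminated string")


def check_json(text: str, limits: JSONLimits = JSONLimits()) -> dict:
    """Single pass over the raw text enforcing the limits; no object tree is built."""
    if len(text.encode("utf-8")) > limits.max_bytes:
        raise JSONThreatError(f"document size exceeds {limits.max_bytes} bytes")
    depth = max_depth = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c in "{[":
            depth += 1
            if depth > limits.max_depth:
                raise JSONThreatError(f"nesting depth exceeds {limits.max_depth}")
            max_depth = max(max_depth, depth)
            i += 1
        elif c in "}]":
            depth -= 1
            i += 1
        elif c == '"':
            end = _scan_string(text, i)
            length = end - i - 2            # characters between the quotes
            j = end
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] == ":":    # a string followed by ':' is an object label
                if length > limits.max_label_len:
                    raise JSONThreatError(f"label length {length} exceeds {limits.max_label_len}")
            elif length > limits.max_value_len:
                raise JSONThreatError(f"value length {length} exceeds {limits.max_value_len}")
            i = end
        elif c == "-" or c.isdigit():
            j = i + 1                       # first char already consumed, so we always advance
            while j < n and text[j] in _NUMBER_CHARS:
                j += 1
            if j - i > limits.max_number_len:
                raise JSONThreatError(f"number length {j - i} exceeds {limits.max_number_len}")
            i = j
        else:
            i += 1                          # whitespace, ':', ',', true/false/null
    if depth != 0:
        raise JSONThreatError("unbalanced brackets")
    return {"max_depth": max_depth}


def parse_json(text: str, limits: JSONLimits = JSONLimits()):
    """Admit the document only after it passes the limits; then parse it normally."""
    check_json(text, limits)
    return json.loads(text)


def outcome(text: str, limits: JSONLimits = JSONLimits()) -> str:
    """'ok' or the rejection reason, for quick demonstration."""
    try:
        check_json(text, limits)
        return "ok"
    except JSONThreatError as exc:
        return str(exc)


# Constructed sample documents (not taken from the slides).
BENIGN = '{"user": "alice", "amount": 12.50, "tags": ["vip", "eu"]}'
DEEP = "[" * 100 + "]" * 100                 # nesting attack
LONG_LABEL = '{"' + "k" * 300 + '": 1}'      # oversized key
BIG_NUMBER = '{"n": ' + "9" * 200 + "}"      # oversized numeric literal
LONG_VALUE = '{"v": "' + "x" * 9000 + '"}'   # oversized string value

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("deep", DEEP), ("long_label", LONG_LABEL),
                       ("big_number", BIG_NUMBER), ("long_value", LONG_VALUE)]:
        print(f"{label:11s} -> {outcome(doc)}")
```

The scanner does not validate JSON grammar; that is left to json.loads afterwards. Its job is to make sure nothing oversized reaches the parser, which is why it counts raw characters (escape sequences included) rather than decoded ones.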
12. IBM Corporation 12
VISA International
Provide Greater Agility, Flexibility & Adaptability
Challenge
• Consistent & secure delivery of online services to members that could be shared, integrated & flexible to meet specific needs
• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information
Solution
• Implemented DataPower Security Gateway XG45 to form the backbone of the Web services infrastructure
• Through content-based message routing, security policy enforcement & data encryption, the XG45 helps to ensure safe & efficient flow of confidential customer data between the Web site & backend systems
• Integrated seamlessly into the existing heterogeneous environment, increasing interoperability & promoting reuse
Benefits
• Secure SOA on a standards-based platform
• Easily reuse Web services throughout the enterprise
• Boosts productivity of IT staff
• Substantially shortens time to market for new services
Products: WebSphere DataPower Security Gateway XG45; WebSphere Application Server
13. IBM Corporation 13
Multi-channel gateway for Mobile workloads
• The ISAM for DataPower module provides the reverse proxy component that enables
– Centralized user authentication & coarse-grained authorization
– Advanced session management & web SSO
– Enforcement of context-based access & mobile SSO policies
– Strong authentication including one-time password and multi-factor authentication
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
Figure: mobile application, IBM MobileFirst, DataPower with the ISAM module, and ISAM for Mobile.
14. IBM Corporation 14
Sprint (customer case study)
Challenge
– Missing out on new opportunities in mobile advertising
– Aggressive growth in mobile creating new opportunities
– Differentiation with Sprint profile information
– How to increase topline revenue
– Increase in competition from non-traditional companies; no longer just the other carriers
Solution
– WebSphere DataPower Integration Appliance XI52 and XC10 Caching Appliance for mobile access control and security, wirespeed performance & a consistent operational environment
– Deployed as a mobile gateway, providing schema validation & trust formations
– Augmented existing infrastructure
Benefits
– Fast speed to market
– Low development cost
– Well established operational support (within Sprint)
– Deployed within the secured Sprint network
– Secure connectivity to dependent systems
– Sprint-controlled data security
– Scalable as volumes grow
– Ability to maintain a consistent interface to clients regardless of backend changes
Figure: SOAP service consumers reach the XI52 web services gateway platform, backed by the XC10 cache, which fronts an enterprise application integration layer (XI52, message broker, adapters, custom code) in front of the back-office systems.
Customer Testimonial: http://www.youtube.com/watch?v=0hpZcnrG26Q
15. IBM Corporation 15
Multi-channel gateway for API workloads
API management components: Developer Portal, API Manager, Management Console, API Gateway (DataPower)
• Assemble business APIs easily
• Provide secure or open APIs
• Control APIs at a fine-grained level
• Explore API documentation
• Interactively exercise APIs
• Provision application keys
• Define and manage APIs
• Explore API usage with analytics
• Manage API user communities
• Provision system resources
• Monitor runtime health
• Scale the environment
• Analyze API usage
• Manage private, partner and public app developers
• Provide self-service app developer onboarding
API configurations are deployed to the gateway, which provides the enforcement point for runtime policies to control API traffic.
16. IBM Corporation 16
Improved User Experience: Pattern-based Configuration
Reduce time-to-value, increase productivity & quality of DataPower solutions
• A pattern captures a tested solution to a common recurring problem
• Built-in, intuitive, new interface for creating & deploying common DataPower configuration patterns
– Reduce time to value through accelerated user configuration & deployment for both new & experienced users
– Increase developer productivity by leveraging working examples of common use cases
– Improve quality through reuse of configuration created by skilled roles
• Pre-built and user-defined patterns
– Ten new pre-built web application & web services patterns
Figure: pattern UI actions: browse patterns, deploy a new service from a pattern, create a service pattern for reuse.
17. IBM Corporation 17
Supports on-premise & cloud deployment
Physical: purpose-built, DMZ-ready appliances provide physical security
• High density 2U rack-mount design
• 8 x 1 GbE and 2 x 10 GbE ports
• Cryptographic acceleration card
• Trusted platform module
• Customized intrusion detection
• Optional HSM (FIPS 140-2 Level 3 certified)
Virtual: virtual appliances provide deployment flexibility
• Support multiple hypervisors and cloud environments
− VMware
− Citrix XenServer
− IBM PureApplication System (x86 nodes)
− IBM PureApplication Service on SoftLayer (x86 nodes)
− IBM SoftLayer bare metal instances using supported hypervisors
18. IBM Corporation 18
IBM DataPower Gateway 7.2 features (announced May 26th, 2015; available June 19th, 2015)
Secure. Integrate. Control. Optimize.
• New cloud offerings: deploy DataPower Gateways on Amazon EC2 and SoftLayer CCI to provide enhanced cloud elasticity for cloud workloads.
• Secure Gateway for Bluemix applications: enhanced hybrid cloud integration to securely connect between IBM Bluemix applications and on-premise services protected using DataPower Gateways.
• Robust platform security: protect mission-critical applications from security vulnerabilities with enhanced TLS protocol support using Elliptic Curve Cryptography, Server Name Indication, and Perfect Forward Secrecy.
• Easier DevOps with a new REST API: a REST-based management API to build deployment and automation scripts, enabling easier DevOps for continuous software delivery and quicker problem resolution.
• GatewayScript enhancements: easily transform between XML and JSON messages to quickly integrate Systems of Record data sources with Systems of Engagement interfaces.
• Enhanced mobile and API security: protect mission-critical transactions with JSON Encryption, JSON Signature, JSON Key, and JSON Token.
19. IBM Corporation 19
Summary
IBM DataPower Gateway provides these
benefits for security and integration needs
within an enterprise:
• Ease of Use: Solves complex security and integration
challenges in a secure, easy to consume and extremely low
TCO network device. DataPower appliances are configuration
driven not program driven which simplifies deployment
• Performance: DataPower is a network device that operates at
wire speed. Greater processing power is realized with every
new firmware release. This is even more critical with the
advent of mobile.
• Flexibility: Secure, integrate, bridge and version applications
without application modification
• Reduce Time to Market: Dramatically decrease the “time to
deploy” in your environment. Being a configuration-driven
platform, most deployments are “uncrate, rack, configure and
deploy”
• Lower TCO: Customers’ own data has shown that DataPower
can be 7X-8X less expensive to operate in the data center
than traditional alternatives.
21. IBM Corporation 21
Where can I get more information?
• IBM DataPower Gateway product
page on ibm.com
• IBM DataPower Gateway product
documentation
• IBM DataPower Gateway user
forums:
– External forum
• YouTube Channel: IBM
DataPower Gateways
• Slideshare: IBM DataPower
Gateway
• Twitter: @IBMGateways
• LinkedIn groups: IBM DataPower
Gateway
• DeveloperWorks blog: IBM
DataPower Gateway
• IBM Security Access Manager
product page on ibm.com
22. IBM Corporation 22
Available Now: DataPower Handbook, Second Edition, Volume 1
Known as the "bible" of DataPower planning, implementation, and usage.
New content to cover the previous six years of new products/features, including 9006/7.1!
Volume 1 consists of Chap 1 DataPower Intro, Chap 2 Setup Guide, a new Preface and two invaluable new appendices for physical and virtual appliances.
Available in softcover and e-book formats
24. IBM Corporation 24
Mobile enhancements (1 of 2)
• Provide enhanced message-level security for mobile, API, and web workloads
– JSON Web Encryption (JWE) for message confidentiality
– JSON Web Signature (JWS) for message integrity and origin authentication
– JSON Web Token (JWT) to carry signed security claims for Single Sign On (SSO)
– JSON Web Key (JWK) to represent cryptographic keys
• Provides end-to-end security between the mobile application and System of Record applications
• Secures sensitive data (e.g. credit card data) between multiple untrusted or unmanaged systems without compromising the data, and supports PCI compliance
Figure: mobile application in the public/private cloud, DataPower in the demilitarized zone (DMZ), systems of record in the trusted zone.
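To make the JWS, JWT and JWK pieces concrete, here is an added example written for this page in Python; it is not part of the original slides and not DataPower's GatewayScript implementation. It keeps a symmetric key as a JWK of type oct, issues an HS256-signed JWT carrying iss/aud/sub/iat/exp claims, and verifies a presented token the way a gateway should: the algorithm is pinned rather than read from the header (so an alg "none" token is refused), the key is selected by kid, the HMAC is compared in constant time, and issuer, audience and expiry (with clock leeway) are checked before any claim is trusted. JWE is left out because the standard library has no AES-GCM. The key bytes, kid, issuer, audience, reference time and claims are all constructed values.

```python
"""Compact JWS (RFC 7515) over a JWT claims set (RFC 7519) with an oct JWK (RFC 7517)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# JWK for a symmetric key: kty "oct", k = base64url(raw key bytes). Constructed key material.
GATEWAY_JWK = {
    "kty": "oct",
    "kid": "gw-hs256-2015-06",
    "alg": "HS256",
    "k": b64url_encode(b"constructed-32-byte-example-key!"),
}
KEYS = {GATEWAY_JWK["kid"]: GATEWAY_JWK}   # the verifier's key set, looked up by kid


class TokenError(ValueError):
    """Any reason a presented token must be refused."""


def jwk_to_key(jwk: dict) -> bytes:
    if jwk.get("kty") != "oct":
        raise TokenError("only oct (symmetric) JWKs are handled here")
    return b64url_decode(jwk["k"])


def jws_sign(claims: dict, jwk: dict) -> str:
    """Issue header.payload.signature with HS256 over the ASCII signing input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(jwk_to_key(jwk), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify(token: str, keys: dict, issuer: str, audience: str, now=None, leeway: int = 30) -> dict:
    """Verify the signature, then iss/aud/exp/nbf, and return the claims. Raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm instead of trusting header['alg']: this refuses 'none' and stops
    # key-confusion tricks where a public key is reused as an HMAC secret.
    if header.get("alg") != "HS256":
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise TokenError("unknown kid")
    expected = hmac.new(jwk_to_key(jwk), f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):   # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if now + leeway < claims.get("nbf", now):
        raise TokenError("not yet valid")
    return claims


T0 = 1434672000   # constructed fixed clock so the example is deterministic
CLAIMS = {"iss": "https://gateway.example", "aud": "orders-api", "sub": "alice",
          "iat": T0, "exp": T0 + 300}


def forged_none_token(claims: dict) -> str:
    """What an attacker presents hoping the verifier honours alg 'none' (empty signature)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    return header + "." + b64url_encode(json.dumps(claims).encode("utf-8")) + "."


def outcome(token: str, now: float) -> str:
    """'ok' or the refusal reason, for quick demonstration."""
    try:
        jwt_verify(token, KEYS, issuer="https://gateway.example", audience="orders-api", now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    token = jws_sign(CLAIMS, GATEWAY_JWK)
    print(token)
    print("fresh   :", outcome(token, T0 + 10))
    print("expired :", outcome(token, T0 + 400))
    print("alg none:", outcome(forged_none_token(CLAIMS), T0 + 10))
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never influences issuer, audience or expiry handling, and a token with an unknown kid is dropped without touching key material.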
25. IBM Corporation 25
Mobile enhancements (2 of 2)
• GatewayScript enhancements to transform between XML and JSON messages
– Easily integrate Systems of Record data sources with Systems of Engagement interfaces
• GatewayScript can be used to build a microservices architecture that can quickly adapt to changes required to support your digital marketing strategy
Figure: the mobile application and Systems of Engagement speak JSON; DataPower converts JSON <-> XML; the Systems of Record speak XML.
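As an illustration of the XML-to-JSON half of that transformation (an added example in Python, not DataPower's GatewayScript mapping), the function below applies one common convention: attributes become "@"-prefixed keys, a repeated child element becomes an array, a text-only element collapses to its text, and an empty element becomes null. Whatever convention you adopt, run XML threat protection on the message before this step, because ElementTree expands internal entities. The order document is constructed for the example.

```python
"""XML-to-JSON transformation with a simple, explicit mapping convention."""
import json
import xml.etree.ElementTree as ET


def element_to_json(elem: ET.Element):
    """Map one element to a JSON value.

    Convention used here (one of several common ones):
      - attributes become keys prefixed with '@'
      - child elements become keys; a repeated child tag becomes a list
      - an element with only text collapses to that text (stripped)
      - text alongside attributes or children is kept under '#text'
      - an empty element becomes null
    """
    node = {"@" + name: value for name, value in elem.attrib.items()}
    for child in elem:
        value = element_to_json(child)
        if child.tag in node:
            existing = node[child.tag]
            # Children never map to a list themselves, so a list here means 'repeated tag'.
            node[child.tag] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            node[child.tag] = value
    text = (elem.text or "").strip()
    if text and not node:
        return text
    if text:
        node["#text"] = text
    return node or None


def xml_to_dict(xml_text: str) -> dict:
    """Parse already threat-checked XML and return {root_tag: mapped content}."""
    root = ET.fromstring(xml_text)
    return {root.tag: element_to_json(root)}


def xml_to_json(xml_text: str) -> str:
    """Same as xml_to_dict, rendered as compact JSON for the wire."""
    return json.dumps(xml_to_dict(xml_text), separators=(",", ":"))


# Constructed sample: a System of Record order record as XML.
SAMPLE_XML = """<order id="42" currency="EUR">
  <customer>alice</customer>
  <item sku="A1" qty="2">widget</item>
  <item sku="B7" qty="1">gadget</item>
  <note/>
</order>"""

if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```

Two consequences of this convention are worth knowing before a Systems of Engagement client depends on the output: a child that appears once is a dict and only becomes a list when it repeats, so consumers should not assume a fixed shape, and attribute values stay strings ("42", not 42) because XML carries no type information.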
26. IBM Corporation 26
Platform Security Enhancements
• Protect mission-critical applications from security exposures with enhanced TLS protocol support: Elliptic Curve Cryptography (ECC), Perfect Forward Secrecy (PFS), and Server Name Indication (SNI)
– ECC (ECDHE key exchange, ECDSA certificates) gives security equivalent to much larger RSA and DH keys at lower handshake cost, so moving to stronger key sizes no longer costs performance
– PFS: with ephemeral (EC)DHE key exchange every session has its own key, so a later compromise of the server's long-term private key does not expose previously recorded traffic
– SNI: the client names the host it wants in the TLS ClientHello, so one listener (IP address and port) can select the right certificate for each of multiple hosts on the same machine
Figure: mobile application, TLS, DataPower, TLS, service provider.
27. IBM Corporation 27
New management API using REST architecture
• Quickly build DataPower automation and deployment migration scripts for easier DevOps by using the new REST-based management API
– Accelerate adoption of DevOps to quickly make configuration changes to support continuous delivery
– Easily integrate with build tools such as UrbanCode Deploy
Figure: a build server drives the Development, Test and Production gateways through the REST API.
28. IBM Corporation 28
Enhanced product integration
• Enhanced reliability of IMS transactions with support for IMS Commit mode 0
• Supports distributed caching with IBM WebSphere eXtreme Scale 8.6+ to reduce response time and improve application performance
• IBM Security Access Manager (ISAM) migration tools for easier promotion between ISAM products
Figure: mobile application, DataPower with the ISAM module, connected to IMS, ISAM for Mobile and WebSphere eXtreme Scale.
29. IBM Corporation 29
DataPower Gateway for Cloud
• Current: DataPower Virtual Edition supports SoftLayer bare metal instances
– Similar deployment and licensing model to on-premise virtual environments
• New support: DataPower Virtual Edition includes support for SoftLayer CloudLayer Computing Instance (CCI) and Amazon Elastic Compute Cloud (EC2)
– Enhanced cloud elasticity for DataPower Gateways in cloud environments
– Scale workloads at lower cost when computing requirements change
– BYOL model using Passport Advantage (PPA); perpetual or monthly licensing options available
Figure: bare metal server (current); cloud computing instance and Amazon EC2 (new).
30. IBM Corporation 30
Hybrid cloud integration using Secure Gateway Service
• Enhanced hybrid cloud integration using the Secure Gateway service to securely connect between IBM Bluemix applications and on-premise services protected using DataPower Gateways
– Quickly set up connectivity without making enterprise firewall changes, while still allowing controlled access from cloud services
– Supports multiple gateway instances, load balancing and fault tolerance
– Manage and monitor gateway instances and usage
Figure: Bluemix (runtimes, services) connected to the on-premise datacenter (new).