3. 3
DataPower Gateways …
3
IBM DataPower Gateways provide a low startup cost,
helping clients increase ROI and reduce TCO with
specialized, consumable, dedicated gateway appliances that
combine superior performance and hardened security in
physical and virtual form factors
INTEGRATE Systems of Engagement with Systems of
Record
CONTROL & MANAGE Traffic and Service Level Agreements
SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
OPTIMIZE Data Delivery and User Experiences
CONSOLIDATE & Simplify Infrastructure Footprint
4. Single security and integration gateway platform to
provide security, integration, control & optimized
access to a full range of Mobile, API, Web, SOA,
B2B, & Cloud workloads
B2B
Simplify mobile security with single,
purpose-built gateway; control
mobile traffic and accelerate delivery
Web
Simplify web security with single,
purpose-built gateway; control traffic and
accelerate delivery for intranet and
internet web applications
Cloud
DataPower gateway functionality in a
virtual appliance form factor, supports
multiple hypervisor & cloud environments
IBM DataPower
GatewayAPI
Easily secure, control, publish,
monitor & manage your APIs
SOA
Secure, integrate, control &
manage SOA workloads in the
DMZ and Trusted zones
Extend Connectivity & Integration beyond the
enterprise with DMZ-ready B2B edge capabilities
Mobile
Gateway for the Multi-channel Enterprise
5. IBM DataPower Gateway Appliances are the industry-leading
Security & Integration gateways that help provide security, integration, control and
optimized access to a full range of
Mobile, Web, API, SOA, B2B, & Cloud workloads
Internet Trusted Domain
Consumer
Application or Service
DMZ
Trading partners
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 ESB / Integration Gateway
7 Internal Security Enforcement
8 Web Services Governance & Management
9 Legacy Integration
Consumer
Middleware
z System
DataPower Gateway DataPower Gateway
Common Use Cases
6. Before DataPower Gateway After DataPower Gateway
Control
Integrate
Optimize
Secure
Consumer
Consumer
Consumer
Consumer
Simplify, offload & centralize critical functions
Integrate
Any-to-any message
transformation
Transport protocol
bridging
Message enrichment
Database connectivity
Mainframe connectivity
B2B trading partner
connectivity
Control OptimizeSecure
SSL / TLS offload
Hardware accelerated
crypto operations
JSON, XML offload
JavaScript, JSONiq, XSLT,
XQuery acceleration
Response caching
Intelligent load
distribution
Service level management
Quota enforcement, rate
limiting
Message accounting
Content-based routing
Failure re-routing
Integration with
management & visibility
platforms
Authentication,
authorization, auditing
Security token translation
Threat protection
Schema validation
Message filtering &
semantics validation
Message digital signature
Message encryption
Features
8. Deployment options
Purpose-built, DMZ-ready appliances
provide physical security
High density 2U rack-mount design
8 x 1 and 2 x 10 GbE ports
Cryptographic acceleration card
Trusted platform module
Customized intrusion detection
Optional HSM (FIPS 140-2 Level 3 certified)
Virtual appliances provide deployment
flexibility
Support multiple hypervisors and
cloud environments
− VMware
− Citrix XenServer
− IBM PureApplication System (x86 nodes)
− IBM PureApplication Service on
SoftLayer (x86 nodes)
− IBM SoftLayer bare metal instances
using supported hypervisors
VirtualPhysical
9. Purpose-built hardware provides physical security
• Sealed, tamper-evident case
• No usable USB, VGA, other ports
• Intrusion detection switch
• Trusted Platform Module
• Encrypted flash drive
• FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys
Hardened firmware provides platform security for physical & virtual gateways
• Single signed and encrypted firmware by IBM
• No arbitrary software
• Optimized, embedded operating system
• High assurance, “locked-down” configuration
• Key materials are not exportable from the appliance *
Enterprise grade security requires a secure platform
10. DataPower gateway functionality in virtual appliance form
factor to rapidly secure, integrate, control & optimize
access to Mobile, API, Web, SOA & B2B workloads in
hypervisor & clouds platforms
Use for development, test or production
Supports multiple hypervisor & cloud platforms
VMware
Citrix XenServer
IBM PureApplication System W1500/W2500
IBM PureApplication Service on SoftLayer (x86)
IBM SoftLayer bare metal instances on x86 nodes
Seamless configuration migration between physical
and virtual appliances
Utilizes the same industry-proven & purpose-built
platform including an embedded, optimized DataPower
Operating System, that powers the physical appliances
x86
Server
Delivers purpose-built, highly
consumable Security &
Integration Gateway functionality
in virtual appliance form factor
for cloud deployments
Virtual Edition
11. Deployment flexibility and elasticity – “Right size” the
deployment, quickly deploy where needed, & rapidly scale
Workload isolation - Projects can use their own instances
Unbounded memory scalability - Memory can be added to
instances without additional licensing
Low cost for Dev & Test environments - Developers &
Non-Production versions include add-on software modules at
no additional charge
Free disaster recovery - Warm or cold backup without
additional licenses when licensed for Production
Flexible licensing and entitlement
Sub-capacity licensing
Monthly licensing option
Entitlement to future product versions at no
additional charge with active maintenance (S&S)
x86
Server
Delivers purpose-built, highly
consumable Security &
Integration Gateway functionality
in virtual appliance form factor
for cloud deployments
Virtual Edition Benefits
12. • Used by 95% of top global insurances
firms
• SaaS providers, ASPs, regulators, etc.
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Insurance
Government
Banking
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
•
Many, many, more
• Majority of the big US and European
banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit
unions
Over 14 years of innovation & over 2,000 global installations
DataPower Gateways
13. DataPower’ing IBM Bluemix!!!
• Security
• Control
• Filtering
• Content-Based Routing
• Load balancing
• Monitoring and Logging
Mobile
client
DataPowerDataPower
Bluemix
Tooling
VM
Application
Manager
Application
Manager
AppApp
AppApp
AppApp
AppApp
ServiceService
ServiceService
ServiceService
ServiceService
Open StackOpen Stack
External
Service
External
ServiceExternal
Services
External
Services
Internet
Did you know?
DataPower has been trusted to be the exclusive gateway
for Bluemix, IBM’s global Platform as a Service
16. DataPower security roles and objectives
• Protect data and other resources on the
appliance and protected servers
• System availability
– Protect against unwanted access, denial of
service attacks, and other unwanted
intrusion attempts from the network
– Only allow “valid” messages through
• Identification and Authentication
– Verify identity of network users
• Authorization
– Protect data and other system resources
from unauthorized access
Protect data in the network using
cryptographic security protocols
– Data End Point Authentication
• Verify who the secure end point claims to be
– Data Origin Authentication
• Verify that data was originated by claimed
sender
– Message Integrity
• Verify contents were unchanged in transit
– Data Confidentiality
• Conceal clear-text using encryption
IntranetIntranet
DMZDMZInternetInternet
Mission-critical data
F
I
R
E
W
A
L
L
F
I
R
E
W
A
L
L
Authentication
Authorization
User Federation
z/OS RACF for
User I&A
Authorization
Cert/keys
Secure access to
Web and legacy
applications
Converged
security
enforcement
Rocksolid
DataPower
platform
Leverages
enterprise
security and
policy managers
17. Applications
and Systems
Silos of security & control are impeding business agility
DEVELOPERSPARTNERS CONSUMERS
EMPLOYEES
WEBMOBILEB2B SOA APIS
PARTNERS
DEVELOPERS
API
GATEWAY
B2B
GATEWAY
SOA
GATEWAY
WEB
ACCESS
PROXY
MOBILE
GATEWAY
Business
Channels
Users
Security &
Control
Solutions
z System
Middleware
ESBApplication
CLOUD
ALL
CLOUD
GATEWAY
CONSUMERS
EMPLOYEES
Service
18. Applications
and Systems
DEVELOPERSPARTNERS CONSUMERS
EMPLOYEES
WEBMOBILEB2B SOA APIS
PARTNERS
DEVELOPERS
Business
Channels
Users
Security &
Control
Solutions
z System
Middleware
ESBApplication
CLOUD
ALL
CONSUMERS
EMPLOYEES
Service
IBM
DataPower
Gateway
Reduce cost + improve security & control with a
single gateway
19. IBM Multi-channel gateway
ISAM for DataPower module provides the reverse proxy component that provides enforcement for
Centralized user authentication & coarse-grained authorization
Session management, & web SSO
Context based access & mobile SSO
Strong authentication including one-time password and multi-factor authentication
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security
Access Manager in a single, converged security and integration gateway
New in V7.1
IBM DataPower Gateway
Web Browsers
and Portals
Mobile
Web
Web 2.0
(AJAX)
Native
Mobile
B2B Hybrid
Mobile
APISOA
(Web Services)
App, Service & API
security
IBM DataPower Gateway
ISAM Module
User access
security
Traffic control &
optimization
Connectivity &
transformation
20. Security Gateway
New connection to target
Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (Schema validate)
• Enforce security policies on message content
(Encrypt/decrypt, Verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance
(Establish a new connection to pass results)
• Cache data on-box or in centralized, shared XC10 grid
Connection from client
ACL
Virus
Scanner
Consumer
Provider
Web Service Request
Basic Auth, OAuth 2.0,
WS-Security UNT, etc
Outside World Internal NetworkDMZ
HTTP(s)
HTML, JSON, XML, SOAP
MME, DIME, MTOM
XMLDSIG, XMLENC
WS-Security
Policy
WS-Trust
SAML
OAuth 2.0
Internet
SaaS
Partner
Apps
Browsers
ProtocolFirewall
Security
Gateway
Packaged Apps
Proprietary Apps
Data
HTTP(s)
ESB
Tivoli (TAM)
MS Active Directory
Any LDAP, e.g. Oracle
CA SiteMinder
PDP (XACML, SAML, other)
DomainFirewall
ACL
Security
Gateway
Internal
Consumer
Incoming access control;
Threat protection
Outgoing access control;
SAML injection etc
Internal
Security
Web Service Request
SAML, LTPA,
Kerberos
21. Protection of data plus XML & JSON threat
protection
Use DataPower to help resolve PCI compliance issues
Easily sign, verify, encrypt, decrypt any content
Configurable XML Encryption and Digital Signatures
– Message-level, Field-level, Headers
Security standards: OAuth, WS-Security, WS-Policy, WS-
SecurityPolicy, SAML, XACML, WS-Trust, …
Use WS-SecurityPolicy to define security requirements for your web services
– DataPower natively consumes and enforces WS-SecurityPolicy statements
• Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
Use XACML to define access and authorization policies for your web services
– DataPower natively consumes and enforces XACML policies
• Resource-based Authorization
• PEP, PDP
DataPower security is policy driven
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
Message/Data Tampering
Message Snooping
XPath or SQL Injection
XML Encapsulation
XML Virus
…many others
JSON Threat Protection
• Label - Value Pairs
‒ Label String Length (characters)
‒ Value String Length (characters)
‒ Number Length (characters)
• Threat Protection
‒ Maximum nesting depth (levels)
‒ Maximum document size (bytes)
23. Service Level Monitoring (SLM) to protect your services and
applications from over-utilization and enforce quota
• Frequency based on concurrency OR based on messages per time period
• Take action when exceeding a custom threshold:
– Notify (or log), Shape (or delay), Throttle (or reject)
Traffic Control / Rate Limiting
24. Retail Service Provider
Securely expose services to consumers
Solution
Implemented WebSphere DataPower to form the Web
services backbone
Through content-based routing, security policy
enforcement & data encryption, DataPower ensures safe
& efficient flow of confidential customer data
Integrated seamlessly into heterogeneous environment
increasing interoperability & promoting reuse
Benefits
Secure SOA on standards-based platform
Easily reuse Web services throughout enterprise
Boosts productivity of IT staff
Substantially shorten time to market for new services
Challenge
Consistent & secure delivery of online services to
partners that could be shared, integrated & flexible to
meet specific needs
Web services infrastructure needed to support highly
secure data routing with daily high volume & sensitive
nature of information
Identity Mgmt
25. Self Balancing: Self balance across a cluster of appliances
Replace front-end IP load balancer
Enables connections to be preserved, without loss, during failover scenario
Dynamic and Intelligent Load Distribution to backend systems
Replace backend load balancer
Auto-discovers application targets and distributes load using dynamic feedback mechanism
Topology learning for WAS ND and VE
Embedded On Demand Router for WAS ND environments
Provides several options for enabling Session Affinity
Cache application response data locally or in a caching grid (IBM DataPower XC10)**
Front-end IP
load balancers
not needed
Self
balancing
(IP spraying) Built-in
cache
Dynamic back-side routing
and load distribution
(leveraging dynamic
information from back-ends)
Failure of target application
endpoints are masked by
appropriate weighted
distributionDataPower
Application Optimization
26. User
WAS Application
{ "Task" : "AddEntry",
"Detail": "Create
presentation materials." }
HighLoad
Scenario
– JSON REST app to-do list
Issues
– High server load
– Slow response time
Slow
Response
(>10s)
Public
Enterprise
User
WAS Application
1
1
ImprovedL
Public
DMZ Data
Center
DataPower
Improve Server Load with SSL Offload
1. Client requests are secured via DP SSL concentrator
Application Optimization Example
27. User
WAS Application
1
21
PUT /joe/todos HTTP/1.1
Host: joe.org
Content-Type:
application/json
Content-Length: 69
{ "Task" : "AddEntry",
"Detail": “Waste time." }
ImprovedLoad
DataPower
Manage Traffic with Application Fluency
2. DataPower enables application aware traffic management
User
WAS Application
3
1
1
ImprovedLo
Improved
Response
Time
DataPower
Distribute Load Intelligently
3. Application Optimization effects load distribution intelligence
Leverage dynamic runtime conditions to distribute based on topology & workload
2
Application Optimization Example
28. REST
Cache at the edge(s)
4. Application results are cached at the edge using XC10 caching grid OR locally on-box
User
WAS Application
3
4
1
2
1
DataPower
DataPower XC10
LowLoad
Fast
Response
• Faster application response time
• Lower server load
• Improved system throughput
Application Optimization Example
29. REST
Using XC10 As a Side Cache For DataPower
User
1
5
3
2 4
Client
Provider
1. Client submits application request.
2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards request to target Provider.
4. XI adds application response to XC10.
5. Client receives response from XI.
Easily integrates into the existing business process
– No code changes to the client or back-end application
– Simply add the side cache mediation
Significantly reduces the load on the back-end system by
eliminating redundant requests
Improve client observed response time
Improved
Response
Time
ImprovedLoad
DataPower XC10
DataPower XI Appliances
Large Response Time
30. DataPower Gateway + XC10: Travel and
Transportation
Online Reservations Reservations System
– Before: 3-5 sec response time
– After: .01 -.05 sec response time
– Caching service requests
– Improved the average response time of the Global
Distribution System requests for Fare Availability and
Category Availability
– 52% caching rate
– 10 minute cache resulted in 40% reduction in load on the
back-end systems
– Maintained high data integrity. Faster responses were
also accurate
– POC in 3.5 hrs
100x
performance
improvement
Improved reliability and scalability of reservation channels
Reduced traffic to backend systems
Deliver high performance & consistent response times
Scale with simplicity and lower TCO
33. • How to protect your back-end
systems from harmful workloads and
unauthorized mobile users & apps?
• How to limit & shape mobile traffic
based on service level agreements,
and route based on message
content?
• How to convert mobile payloads,
bridge transports and connect to
existing services at wire-speed?
• How to improve response time,
reduce load on backend systems and
intelligently distribute load?
Key Mobile-specific Application & API issues?
Secure
Control
Integrate
Optimize
Key Mobile-specific Application & API issues?
34. SSL Offload
Threat Protection
Rate Limiting / SLA Enforcement
Validation, Filtering
Authentication
Authorization
Context-based Access
Mobile SS0
Security Token Translation
Message Transformation
Content-Based Routing
Intelligent Load Distribution
Response Caching
Middleware / ESB,
Legacy Apps
Apps, Services
IBM DataPower Gateway
ISAM Module
/apimanagement
Native, Hybrid,
Mobile Web
Rapidly Connect Mobile Apps with Enterprise Services
Securely expose enterprise data & APIs to Mobile Apps while optimizing delivery
35. • DataPower appliance with ISAM module for security enforcement, traffic control &
management, application acceleration, transport bridging & message transformation
• ISAM for Mobile as decision point for context based access (CBA), mobile SSO, strong
authentication including one-time password (OTP) & multi-factor authentication
(MFA)
Mobile Gateway solution for on-premise and cloud
ISAM for
Mobile
ISAM for
Mobile
Rapidly deliver secure integration & optimized access for enterprise mobile applications
DataPower Gateway
(Security Enforcement Point)
ISAM Module
Apps, Services,
Middleware,
(Security Decision Point)
z System
36. Closer look at some Mobile Connectivity scenarios
REST Proxy
Provider
JSON / XML / SOAPREST
JSON or XML / HTTP(s)
Mobile Consumer
SSL offload
Enforcement point for centralized security policies
– Authentication, Authorization, OAuth 2.0, Audit
– Threat protection for XML and JSON
– Message validation and filtering
Centralized management and monitoring point
– Traffic control / Rate limiting
Routing / Intelligent load distribution to Provider
RESTful façade to non-REST Provider
REST Service Gateway for Mobile Apps
Provider
HTTP(s) GETHTTP(s) GET
JSON or HTML/XHTML
Mobile Consumer
XML
Application Acceleration for Mobile Apps
Offload heavy lifting of message transformation from the Provider
Transform to a format best suited for the requesting Mobile App
– JSON for native/hybrid app
– HTML/XHTML for browser based
IBM DataPower Gateway
IBM DataPower Gateway
Cache response data from Provider
– Locally on the appliance
– Externally to elastic caching XC10
37. Sportsbet leverages IBM DataPower appliances to
drive mobile business growth
Challenges
Business
-Increase demand for mobile services while
bolstering security & cost optimization
IT
- Securely integrate mobile apps with e-commerce
platform & APIs to address performance, capacity
management & decoupling front-end apps from
back-end business logic
Solution
IBM DataPower appliance XG45 as a
mobile security & integration gateway
Benefits
Time to value
- Rapid implementation enabled the business to quickly
integrate the middle layer in just 2 weeks vs. 2 months
with a competitor’s product
Performance
- Processed ~4000 transactions per minute increasing
performance 4X
Security & Agility
- Separation of concern between consumer applications
& core e-commerce system, through security, translation
- Enterprise Architecture Manager, Sportsbet
“DataPower forms our
mobile middle layer & our
API infrastructure for all
future consumer apps”
38. Challenges
Business
- Grow mobile revenue while protecting
customer privacy and optimizing costs
IT
- Integrate mobile devices, addressing security,
speed, scalability and optimization of demand
on existing application infrastructure
Benefits
Time to value
- Drop-in rack-ready solution for rapid deployment
enables the business to quickly launch a new mobile
device within a month
Scale on demand
- 50 billion transactions/month for external ad gateway
- 1 billion transactions/month for internal users
Solution
- IBM DataPower Integration Appliance XI52 as a
security & integration gateway for external and
internal use
- IBM DataPower Caching Appliance XC10 as a
side cache to increase customer responsiveness
Sprint leverages IBM DataPower appliances to
rapidly & securely grow mobile revenue
41. Explore API documentation
Provision application keys
Self-service experience
Developer Portal API Manager Management Console
Define and manage APIs
Explore API usage with analytics
Manage API user communities
Provision system resources
Monitor runtime health
Scale the environment
API Gateway
(IBM DataPower)
Enforce runtime policies to control API traffic
IBM API Management: One Integrated Platform
design, secure, control, publish, monitor & manage APIs
42. Consumer
(Systems of
Engagement)
Provider
(Systems of
Record)
API Management Solution
Partner App
Developer
API
API
API
API Gateway
(DataPower)
Developer Portal
Syndication
Creation & Assembly
Policy Management
Monitoring & Analytics
Security & Control
Lifecycle Mgmt & Governance
External App
Developer
Mobile & Web Apps
Internal App
Developer
App / API Provider,
Middleware, Datastore,
z System
On-premise
OR
Cloud
Business Partner
Apps
Enterprise Internal Apps
API Management
43. Business Challenge
Business Challenge
Accelerate end-to-end mobile application development
Reduce time to configure and manage software, prepare test
environments
Enhanced analytics on the usage of their services
Increased performance to handle peak seasonal volumes
Business Challenge
Accelerate end-to-end mobile application development
Reduce time to configure and manage software, prepare test
environments
Enhanced analytics on the usage of their services
Increased performance to handle peak seasonal volumes
Solution
IBM API Management, DataPower, Worklight, PureSystems
Solution
IBM API Management, DataPower, Worklight, PureSystems
Business Value
Enhanced user experience enabling quick access to customer
information using OAuth authentication replacing custom
security solution
Ability to access backend data through DataPower/API
Management using RESTful services
Easily handle traffic spikes, enabling easier capacity planning
Business Value
Enhanced user experience enabling quick access to customer
information using OAuth authentication replacing custom
security solution
Ability to access backend data through DataPower/API
Management using RESTful services
Easily handle traffic spikes, enabling easier capacity planning
$
Large Financial institution provides secure mobile
access to customer information
44. Business Challenge
Difficult for internal partners and developers to
discover & access key financial services
Lacked a standard ecosystem to manage internal
partners including global credit card companies and
merchants
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Business Challenge
Difficult for internal partners and developers to
discover & access key financial services
Lacked a standard ecosystem to manage internal
partners including global credit card companies and
merchants
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Example Apps
Solution
IBM API Management & DataPower
Solution
IBM API Management & DataPower
Business Value
Offers 3rd
party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
Business Value
Offers 3rd
party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
$
Leading Global Commercial Bank provides easy &
secure access to key financial services
45. Business Challenge
Business Challenge
External business partners retrieve flight information by
scraping the company’s website
Unauthorized access to full flight information , with no usage
analytics
Delays in updating website – difficult for authorized partner to
test changes
REST-based API had just been built but security was not in
place
Business Challenge
External business partners retrieve flight information by
scraping the company’s website
Unauthorized access to full flight information , with no usage
analytics
Delays in updating website – difficult for authorized partner to
test changes
REST-based API had just been built but security was not in
place
Solution
IBM API Management & DataPower
Solution
IBM API Management & DataPower
Business Value
Easily and securely connect company Website to new APIs,
saving cost of building OAuth based secure access
Enable secure exposure of APIs to External Business
Partners, saving the implementation cost of building a
developer support infrastructure with access management
Ability to leverage existing investment in IBM DataPower
gateway and internal team skillset
Enable secure Mobile app integration with Enterprise APIs
Business Value
Easily and securely connect company Website to new APIs,
saving cost of building OAuth based secure access
Enable secure exposure of APIs to External Business
Partners, saving the implementation cost of building a
developer support infrastructure with access management
Ability to leverage existing investment in IBM DataPower
gateway and internal team skillset
Enable secure Mobile app integration with Enterprise APIs
Large Airline in North America provides authorized
access to flight services
46. Business Challenge
Offer innovative connectivity services to customers,
improve the driver experience, improve safety, and
create new revenue sources
Improve driving conditions with driver profiling,
eco-driving, fleet management, reduce accident
risk
Collect data to monetize them for partners
Business Challenge
Offer innovative connectivity services to customers,
improve the driver experience, improve safety, and
create new revenue sources
Improve driving conditions with driver profiling,
eco-driving, fleet management, reduce accident
risk
Collect data to monetize them for partners
Solution
IBM API Management, DataPower & MessageSight
Solution
IBM API Management, DataPower & MessageSight
Business Value
“Always connected” low-latency reliable
communications with the car systems/apps and
customer mobile apps
Vehicle data APIs published on secure developer
portal
Internal & external developers use vehicle data to
develop mobile applications
Drives innovation for Mobile application development
Business Value
“Always connected” low-latency reliable
communications with the car systems/apps and
customer mobile apps
Vehicle data APIs published on secure developer
portal
Internal & external developers use vehicle data to
develop mobile applications
Drives innovation for Mobile application development
Leading European Auto Manufacturer provides innovative
vehicle connectivity with IBM API Management
47. Business ChallengeBusiness Challenge
Difficult for internal partners and developers to
discover & access key retail services
Leverage mobility as a revenue stream and manage
internal and external business partners
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Business Challenge
Difficult for internal partners and developers to
discover & access key retail services
Leverage mobility as a revenue stream and manage
internal and external business partners
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Solution
IBM API Management & DataPower
Solution
IBM API Management & DataPower
Business Value
Offers 3rd
party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
Business Value
Offers 3rd
party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
Leading Retailer in North America provides easy &
secure access to retail services
50. Integration
• Dynamically route based on any message content
• Attributes such as the originating IP, requested URL, protocol headers, etc.
• Data within the message such as SOAP Headers, XML, Non-XML content, etc.
• Query a repository for routing information
• WebSphere Service Registry & Repository, XML files, Databases, Web Servers
Content-Based Routing
Service
Providers
Unclassified
Requests
Transform the message format with ultimate flexibility
– Leverage WebSphere Transformation Extender for data mapping
Any-To-Any Message Transformation
<XML/> TEXT binary
Input
Message
Output
Message
<XML/> TEXT binary
? ?
WebSphere TX Design Studio
51. Integration
Transport Protocol Translation
Integrate disparate transport protocols with extreme ease
– No dependencies between inbound “front-side” and outbound “back-side”
– Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco
EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only once
message patterns
HTTP(s)
FTP(s)
SFTP
WebSphere
MQ, MQ FTE
WebSphere
JMS
Database
DB2, SQL Server,
Oracle, Sybase,
TIBCO
EMS
IMS NFS
52. Integration
Consumer
Provider
SOAP / HTTP(s)
MQ Queue Manager
Cobol / MQ
Format & transport
bridging
Message Format & Transport Protocol Mediation Example
Outside World Internal NetworkDMZ
ProtocolFirewall
HTTP(s)
FTP(s)
SFTP(SSH)
WMQ(s)
WS JMS
TIBCO EMS
ODBC
DomainFirewall
ACL
DB
LDAP
Packaged Apps
Proprietary Apps
Data
Packaged Apps
Proprietary Apps
Data
Internet
JMS
EMS
FTP
NFS
Packaged Apps
Proprietary Apps
Data
Packaged Apps
Proprietary Apps
Data
Packaged Apps
Proprietary Apps
Data
DataPower
Gateway
HTTP
WMQ
IMS Connect
Enhanced
Security
DMZ
SaaS
Partner
Apps
Browsers
• Content based routing
• Message enrichment
• Message transformation
• Transport protocol translation
• AAA, Threat protection
• Message validation & filtering
• Traffic control / Rate limiting
Integration Scenario
• Intelligent content based routing
• Intelligent load distribution
• Local and distributed caching
53. Core Services
Core Data
UK Government Agency
Enables integration capabilities using DataPower
Solution
DataPower in key network zones within and outside of
the department
Thorough content-based validation, routing, and security
policy enforcement
Integrated seamlessly into heterogeneous environment
increasing interoperability & promoting reuse
Benefits
Ease of integration
Security assurance of the architecture
Secure SOA on standards-based platform
Consistent experience and policy for all users
Challenge
Data held in the back-end systems vital to delivering
citizen services, fraud detection across various layers of
the Governments across the EU
Vulnerable back-end services
Security
Capacity/ SLA
Consistent usability experience for internal or external
service consumers
Integration Layer
Government
network
Other EU
Countries
Other UK
Departments
Internal Users
55. Centralized Service Governance & Policy Enforcement
Complete SOA Governance solution
• WSRR for web service life-cycle policy management
• DataPower for web service run-time policy enforcement
Use WebSphere Service Registry & Repository (WSRR) to store, publish, and
govern your web services
– DataPower can subscribe or poll web services information from WSRR
Automatically expose services and policies in DataPower via WSRR subscription
– Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment
– Retrieve WSDLs by specific version number
Dynamically retrieve run-time routing information from WSRR
WSRR (Policy Administration
Point)
Consumer Service
Message
Message
Message
Message
ITCAM for
SOA
(Policy
Monitoring
Point)
Discover
Services & Policy
Monitor
Services
DataPower (Policy
Enforcement Point)
Centralized transaction monitoring
– ITCAM for SOA
Support for UDDI v2 and v3 for UDDI
registries
58. Broad integration with System z
Client
SOAP/HTTP
SOAP/HTTP
CCB / MQ
IMS SOAP Gateway
WAS+IMS connector
DataPower
IMS
O
T
M
A
IMSApplication
MQServer
MQ
Brdg
• Connect to existing applications over WebSphere MQ, HTTP
• Transform XML to/from COBOL Copybook for legacy needs
• Integrate with RACF security from DataPower AAA
• Dynamic crypto material retrieval & caching, or offload crypto ops to z
• Connect to IMS
• Via IMS Connect client
• Via Web Services
• Via WebSphere MQ
• Via IMS DB
• Connect from IMS via “Callout”
• Connect to CICS
• Via WebSphere MQ
• Via Web Service
• Connect to DB2
• Via Web Service
• Via direct ODBC call with ODBC Client option
DRDA
DB2
59. • IMS Callout feature allows IMS transactions to easily consume external web
services via DataPower, with minimal application updates required
Enhanced value for System z & IMS
IMS DB feature supports DataPower integration
with IMS database through SQL interface
‒ Enrich messages with database content
‒ Expose data as a service to remote applications
Client
SOAP / REST
DataPower
DRDA
IMS
O
T
M
A
App1
IMS
Connect
App2
Service Provider
SOAP / REST
DataPower
TCP/IP
Service Consumer
IMS Callout
60. Core banking platform on Z
An Irish Bank
Enabling retail banking
Solution
DataPower in trusted network exposed services for XML/
HTTP(S) and protocol bridging to WebSphere MQ
Message validation and transformation using
WebSphere Transformation Extender (WTX)
Benefits
Retail application acceleration through transformations
and caching
Optimized platform for handling, parsing and processing
payloads
Challenge
Retail application contained 7000 screens; slow
response times over dedicated proprietary network.
Cost of processing XML on the mainframe.
Message transformation needed before the core banking
platform could process requests.
DataPower
Q
Branch Network
Q Q Q Q
Branch Application (web based)
61. Customer & Product related
application and systems on Z
High Street Clothing and Fashion Accessories Retailer
Increase customer interaction and loyalty
Solution
DataPower acted as a reverse proxy for:
Outbound messages via a service provider
Inbound customer updates/ delivery notifications
Transform SOAP/ XML payload to COBOL copybook
messages for CICS application
Benefits
Create customer interaction and value through innovative
business strategy.
Integrate various suppliers using standards based
interfaces securely.
Graphical configuration driven appliance; short learning
curve
Challenge
Highly competitive industry; first mover advantage
Weak customer loyalty
Multi channel customer experience
Complex supply chain and service providers
DataPower
Q
Open Internet
Q
62. IMS Integration
Web Services Security and Management for IMS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
Client
SOAP / REST
SOAP/HTTP
IMS SOAP Gateway
WAS+IMS connector
DataPower
63. DataPower
IMS Integration
Web Services Enablement for IMS-based Services
IMS
O
T
M
A
IMSApplication
MQServer
MQ
Brdg
DataPower provides WS-enablement to IMS applications
User codes schema-dependent WTX data map to perform
request/response mapping
Requires WebSphere MQ for z/OS
– MQ bridge to access IMS
– MQ connectivity is embedded in DataPower
CCB / MQ
Client
SOAP / REST
64. DataPower
IMS Integration
Web Services Enablement for IMS-based Services (cont’d)
CCB / TCP
Client
SOAP / REST
IMS
O
T
M
A
Appl1
IMS
Connect
Appl2
Appl3
IMS
O
T
M
A
Appl4
Appl5
Appl6
User exit
(e.g..
HWSSM
PL0)
DataPower provides WS-enablement to IMS applications
User codes schema-dependent WTX data map to perform
request/response mapping
“IMS Connect Client” (back-side handler) natively connects to IMS Connect
using its custom request/response protocol
65. DataPower
IMS Integration
IMS Connect Reverse Proxy
CCB / TCPClient
IMS Connect TCP
IMS
O
T
M
A
Appl1
IMS
Connect
Appl2
Appl3
IMS
O
T
M
A
Appl4
Appl5
Appl6
User exit
(e.g..
HWSSM
PL0)
Bring DataPower value add to standard IMS connect usage patterns
Provide an “IMS Connect Client” on DataPower that natively connects to
IMS Connect
Provide an “IMS Connect Server” on DataPower that accepts IMS Connect
client connections and provides an intermediation framework that
leverages DataPower
– Enables authentication checks, authorization, logging, SLM,
transformation, route, DB look-up, SSL offload, etc.
66. DataPower
DB2 Integration
“Information as a Service”
DRDA
Client
SOAP / REST
DataPower provides a standard WS façade to DB/2
– Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data Web
Services runtime and DataPower
– SOAP call is mapped to an ODBC (DRDA) invocation
Exposes database content (information) as a service
Leverages extensive Web Services security and management capabilities of
DataPower to more securely expose critical data to the enterprise
DB2
67. CICS Integration
Web Services Security and Management for CICS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
• Support CICS ID propagation
Client
SOAP / REST
SOAP/HTTP
CICS Web Services
WAS+CICS connector
DataPower
68. DataPower
CICS Integration
Web Services Enablement for CICS Applications
DataPower provides WS-enablement to CICS applications
User codes schema-dependent WTX data map to perform
request/response mapping
Requires WebSphere MQ for z/OS
– MQ bridge to access CICS
– MQ connectivity is embedded in DataPower
CCB / MQ
Client
SOAP / REST
CICS
CICSApplication
MQServer
CICS
Brdg
71. DataPower B2B Functionality
Extend beyond the enterprise to integrate with partners
• B2B Gateway Service
• AS1, AS2, AS3 and ebMS v2.0
• Plaintext email support
• EDI, XML and Binary Payload routing
• Front Side Protocol Handlers
• Hard Drive Archive/Purge policy
• CPA and Partner Profile Associations
• MQ File Transfer Edition integration
• Trading Partner Profiles
• Two Types – Internal and External
• ebXML CPPA v2.0
• Multiple Business IDs
• Multiple Destinations (URL Openers)
• Certificate Management (S/MIME Security)
• Multi-step processing policy
• B2B Viewer
• B2B transaction viewing
• MQ FTE transaction viewing
• Transaction resend capabilities
• Transaction and Acknowledgement correlation
• Role based access
• Persistent Storage
• AES Encrypted B2B document storage
• Option for Off-Box Storage (NFS)
• Transaction Store
• B2B metadata storage
• B2B state management
DataPower
B2B Gateway Service
Partner Connection
Front Side Handlers
Internal Partner
Destinations
Integration
Front Side Handlers
External Partner
Destinations
B2B Viewer
Metadata
Store
(DB)
Document
Store
(HDD)
Partner
Profiles
72. UK Logistics and Distribution
Benefits
Create customer interaction and value through innovative business strategy.
Integrate various suppliers using standards based interfaces securely.
Graphical configuration driven appliance; short learning curve
Challenge
AS2, File and Web Services based interfaces to 100s of B2B customers.
Messages are exchanged at least once a day
Secure proxy solution in the DMZ
Complex incumbent supplier chain
73. Health Insurance Provider
Smarter Business Outcomes:
Reliable and secure routing of customer sensitive data
Easy to use and maintain; no additional skill needed
XML Messages with attachments are authenticated, authorized,
and virus scanned
Industry Pains:
HIPAA Security requirements
for transporting data over the
Internet
HL7 v3.0 XML threat protection
Complexity of B2B for
healthcare
Secure appliance form factor providing secure connections to trading
partners, advanced threat protection and reliable file delivery of
confidential medical information
Value of DataPower B2B Appliances for Extending Connectivity?
74. Internet
EDIINT Flow: Simple AS2 transaction flow
with Transform
Application
Browser
Application
EDI XML
AS2
(EDI)
AS2
(MDN)
B2B Hub
Partner BPartner A
XB62
AS2 Process
B2B
Gateway
Service
Transaction
Viewer
Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
Data
Store
4
3a
3b2
1
5
75. Internet
Web Services bridged to AS2 File Transfer Pattern
WS Client
Browser
Flat
B2B Hub
Partner BPartner A
XB62
Web Service
Process
Web Service
Proxy
Transaction
Viewer
B2B
Gateway
Service
AS2
Pre-ProcessFlat
SOAP
Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving
and sending data over any of the 16 supported protocol handlers. When Services are tied together
in front of or behind a B2B Gateway Service they are handled like pre and post processes.
Data
Store
7
4
5
6
3
2
1
76. Internet
MQ FTE Integration Pattern
Inbound File to Message
Browser
(LOB User)
XB60
TradingPartner
XB62
B2B
Gateway
Service
Transaction
Viewer
Profile
Mgmt
Data
Store
Browser
(Admin)
Browser
(Partner view)
Server
Source
Agent
Data
Store
Applications
Enterprise
Target
Agent
MQFTE
Network
Queue
Manager
Queue
Manager
Queue
ManagerQueue
Manager
MQ
Explorer
DB
Logger
(DB2 or Oracle)
1
4
2a
3
6
5
2
78. B2B Hub
AS2 Process
Healthcare
Applications
Partner B
Hospital
Internet
AS2 (HL7 V3)
AS2/MDN
B2B Appliance
B2B Gateway
Service
Profiles
Internal Profile
Regional
Center
Validate XML and
Transform to any
V.2.x format
External Profile
Hospital
Transaction
Viewer
Healthcare
Applications
HL7V3
Partner A
Regional Healthcare Center
Any Transport
HL7 V2.x
Any Transport
HL7 V3.x
5
4
3
2
1
6
Health Level 7 3.x to 2.x Transform Pattern
79. Securing HL7 over the Internet with Integration to
the WebSphere Healthcare Connectivity Pack
TradingPartner
XB62
B2B
Gateway
Service
Transaction
Viewer
Profile
Mgmt
Data
Store
Browser
(Admin)
Browser
(Partner view)
Clinical Trials
System
WebSphere Healthcare
Connectivity Pack
Healthcare Provider
Internet
1
2a
3
5
2
WebSphere
MQ
Patient
Administration
System
Billing
System
4
AS2
(HL7))
AS2
(MDN))
HL7/MQ
HL7/MLLP
HL7/MLLP
XML/HTTP
Pharmacy
HL7/MLLP
81. Repository of DataPower related tools & collateral
Open source
Community driven: Use, collaborate, contribute
http://ibm-datapower.github.io/
DataPower Configuration Manager
Tool for DataPower configuration management & migration
Standalone command line or IBM UrbanCode Deploy plugin
https://github.com/ibm-datapower/datapower-configuration-manager
https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp
DPXMLSH
Bash script / shell library for working with DataPower’s XML Management interface
Interactive & scripted use
https://github.com/ibm-datapower/datapower-xml-shell
DataPower On GitHub
82. LinkedIn
IBM DataPower Gateway Group
LinkedIn
IBM DataPower Gateway Group
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation
Getting Social with IBM DataPower Gateways
83. Available Now: DataPower Handbook,
Second Edition, Volume 1
Known as the ‘bible’ of
DataPower planning,
implementation, and
usage.
New content to cover
previous six years of new
products/features,
including 9006/7.1!
Volume 1 consists of
Chap 1 DataPower Intro,
Chap 2 Setup Guide, new
Preface and two
invaluable new
appendices for physical
and virtual appliances.
Available in softcover and e-book formats
85. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG,
Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®,
pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®,
QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®,
Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation,
registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:
www.ibm.com/legal/copytrade.shtml.
86. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.
88. Simple Architecture: Purpose-built firmware + hardware
Complete gateway platform delivered as firmware
Guiding philosophy is to centralize common security,
integration, control, traffic management, acceleration
functions and optimize them in a security-hardened
gateway appliance
Simple and Secure Architecture
Display
Ports
database
config
App
Server
config
Apache
HTTPD
config
JVM
config
Proprietary
Software
config
Linux Daemons
config
JSP
Engine
glibclibxml
Full Linux OS
(including shells and user accounts)
config
Bootable
CDROM
Drive
Bootable
USB
Ports
Hardware
Commodity Gateways
config
Hardware
DataPower Gateway Platform
Digitally Signed and Encrypted
Firmware
Flash
Memory
Crypto
Acceleration
IBM Optimized Embedded Operating Environment
Purpose-built Gateways
89. 89
Configuration-driven approach speeds time to market
• Enforce security standards with zero coding
• Uses intuitive pipeline message processing
• Import/export configurations between
environments
• Transaction probe shows message content
between actions for debugging
89
90. Capabilities
Rapidly deliver secure integration & optimized access for a full range of workloads
• Secure & protect your back-end systems from
harmful workloads and unauthorized users & apps
• Convert payloads, bridge transports and connect
to existing services at wire-speed
• Limit & shape traffic based on service level
agreements, and route based on message content
• Improve response times, reduce load on
backend systems and intelligently distribute load
Secure
Control
Integrate
Optimize
Before DataPower Gateway After DataPower Gateway
Control
Integrate
Optimize
SecureConsumer
Consumer
Consumer
Consumer
91. SSL Offload
Threat Protection
Rate Limiting / SLA Enforcement
Validation, Filtering
Authentication, Authorization
Context-based Access, Mobile SS0
Security Token Translation
Message Transformation
Content-Based Routing
Intelligent Load Distribution
Response Caching
Connect Mobile Apps with Enterprise Services
Securely expose enterprise systems & APIs to Mobile Apps while optimizing delivery
92. • Data format & language
– JavaScript
‒ JSON
‒ JSON Schema
‒ JSONiq
‒ REST
‒ SOAP 1.1, 1.2
‒ WSDL 1.1
‒ XML 1.0
‒ XML Schema 1.0
‒ XPath 1.0
‒ XPath 2.0 (XQuery only)
‒ XSLT 1.0
‒ XQuery 1.0
• Security policy enforcement
‒ OAuth 2.0
‒ SAML 1.0, 1.1 and 2.0, SAML Token
Profile, SAML queries
‒ XACML 2.0
‒ Kerberos (including S4U2Self, S4U2Proxy)
‒ SPNEGO
‒ RADIUS
‒ RSA SecurID OTP using RADIUS
‒ LDAP versions 2 and 3
‒ Lightweight Third-Party Authentication
‒ Microsoft Active Directory
‒ FIPS 140-2 Level 3 (w/ optional HSM)
‒ FIPS 140-2 Level 1 (w/ certified crypto module)
‒ SAF & IBM RACF® integration with z/OS
‒ Internet Content Adaptation Protocol
‒ W3C XML Encryption
‒ W3C XML Signature
‒ S/MIME encryption and digital signature
‒ WS-Security 1.0, 1.1
‒ WS-I Basic Security Profile 1.0, 1.1
‒ WS-SecurityPolicy
‒ WS-SecureConversation 1.3
DataPower Gateway: Supported standards & protocols
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy
– FTP, FTPS, SFTP
– WebSphere MQ
– WebSphere MQ File Transfer Edition
– TIBCO EMS
– WebSphere Java Message Service
– IBM IMS Connect, & IMS Callout
– NFS
– AS1, AS2, AS3, ebMS 2.0, CPPA 2.0,
POP, SMTP (XB62)
– DB2, Microsoft SQL Server, Oracle,
Sybase, IMS
• Transport Layer Security
‒ TLS versions 1.0, 1.1, and 1.2
‒ SSL versions 2 and 3
• Public key infrastructure (PKI)
‒ RSA, 3DES, DES, AES, SHA, X.509,
CRLs, OCSP
‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8,
PKCS#10, PKCS#12
‒ XKMS for integration with Tivoli Security
Policy Manager (TSPM)
• Management
‒ Simple Network Management Protocol
‒ SYSLOG
‒ IPv4, IPv6
• Open File Formats
‒ Distributed Management Task Force
(DMTF) Open Virtualization Format
(OVF)
‒ Virtual Machine Disk Format (VMDK)
‒ Virtual Hard Disk (VHD)
Link to Product Documentation
• Web services
– WS-I Basic Profile 1.0, 1.1
– WS-I Simple SOAP Basic Profile
– WS-Policy Framework
– WS-Policy 1.2, 1.5
– WS-Trust 1.3
– WS-Addressing
– WS-Enumeration
– WS-Eventing
– WS-Notification
– Web Services Distributed Management
– WS-Management
– WS-I Attachments Profile
– SOAP Attachment Feature 1.2
– SOAP with Attachments (SwA)
– Direct Internet Message Encapsulation
– Multipurpose Internet Mail Extensions
– XML-binary Optimized Packaging (XOP)
– Message Transmission Optimization
Mechanism (MTOM)
– WS-MediationPolicy (IBM standard)
– Universal Description, Discovery, and
Integration (UDDI versions 2 and 3),
UDDI version 3 subscription
– WebSphere Service Registry and
Repository (WSRR)
93. 93
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
Gigabit/Sec
HW Solution
Acquisition
ITCAM for SOA
(Transaction Monitoring)
Model 9235
(aka 9004)
Model 7993
(aka 9003)
WebSphere
Transformation Extender
XA35
XS40
XI50
XB60
2012
XG45,
XI52 & XB62
XI50B Blade
WebSphere Appliance
Management Center
Optimized
Interpreter and
Compiler
Optimized
Hardware
Acceleration
2013
2014
Application Optimization
(Self-Balancing & Intelligent
Load Distribution)
XI50z Blade
Virtual Edition
(VMware)
Virtual Edition
(PureApplication System)
Virtual Edition
(for Developers + XenServer)
Optimized & secure JavaScript
Over 14 years of innovation & 2000+ global installations
Notas do Editor
Physical Appliance
2U rack mount appliance using latest generation hardware platform
Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
Each software module is licensed separately
Virtual Edition
Three editions: Developer, Non-Production, Production
Developer includes all software modules at no additional cost, except TIBCO EMS
Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
Production: Each software module is licensed separately
All software modules are field upgradeable
* Hardware crypto accelerated operations are provided on the physical appliance through built-in cryptography accelerator card
Sealed network-resident devices in a tamper-proof case.
No drives; no USB ports.
Optimized hardware, firmware, and embedded operating system.
Single signed/encrypted firmware image prevents attackers from installing arbitrary software.
By default, appliances ship with a locked-down configuration.
Secure hardware storage of encryption keys and locked audit log.
Minimized security vulnerabilities by using few third-party components.
Historically, organizations have been forced to choose specific enforcement solutions based on the backend applications or IT resources that they are trying to secure, control & integrate, or the channel through which they are trying to expose those resources:
SOA gateways
API management gateways
Web access management proxies
B2B gateways
Mobile gateways
Adding a new business channel, for example moving towards an enterprise wide mobile strategy, has often seen IT leaders introduce additional security & integration solutions into an already heterogeneous landscape. This has led to a fragmented set of technologies, often from multiple vendors, that have different management interfaces, different policy languages, and require a diverse set of skills to work with.
In the best case it makes it extremely difficult to implement consistent security & control enforcement policies regardless of the business channel that is being used to access applications and services…in the worst case, it makes it impossible.
Many enterprises will deploy multiple gateway or proxy technologies in the DMZ and Trusted Zone, in order to secure, control & integrate access to the data center. However, these are often point solutions that are focused on very specific business channels (web, mobile, B2B,web services, REST APIs). The result is a complex deployment architecture that involves several components from several vendors that might include load balancers, web reverse proxies, service-oriented architecture (SOA) and API gateways, web application firewalls, and caching proxies, among others. A need exists to be able to simplify this architecture in the DMZ and Trusted Zone.
Organizations need a single solution, a security and integration gateway, that is capable of handling all types of application workloads with a policy-driven interface. This will promote consistent security, control & integration policy enforcement and provide end-to-end security for transactional workloads, regardless of the business channel that they are coming in through; reduce infrastructure complexity, lower operating costs, allow consistent enforcement of security & control policies while improving user experience and helping scale the backend IT infrastructure.
An ideal security integration gateway for the multi-channel enterprise should be able to help secure, control, integrate and optimize workloads across all of these different business channels, and utilize a common policy-based interface. The gateway acts as the policy enforcement point (PEP) for all authentication and authorization decisions related to these combined workloads.
But the gateway should do more than access management, it should provide a full range of other capabilities as well, such as helping protect against application-level threats, application acceleration, integration, and traffic management. By deploying a security and integration gateway, enterprises can decouple the enforcement of security and other policies from the underlying application and also provide functional offload of repeatable tasks to allow the backend applications and resources to more efficiently scale to meet the high-volume demands that inevitably occur with mobile and cloud traffic.
Transport-level security (SSL/TLS)
Threat protection
Enforce Service Level Agreement policies
Schema validate and filter
Verify / sign
Encrypt / decrypt
Authentication, Authorization, Auditing (AAA)
Anti virus scanning through ICAP protocol
Transform content (XSLT, XML-to-XML)
Message enrichment
Security token translation (SAML, LTPA, etc)
Routing & intelligent load distribution
Proxying and Enforcement
Terminate incoming connection
Terminate transport-level security
Threat protection
Enforce Service Level Agreement policies
Inspect message content and filter
Enforce security policies on message content
Authentication, Authorization, Auditing (AAA)
Call out to virus checker
Transform content (XSLT, XML-to-XML)
Translate security token
Route and load balance
Establish a new connection to pass results
Looking at the details of the Mobile integration use case, the first one is you have a service that doesn’t have a REST interface, but the consuming app outside the enterprise speaks REST. So what you need is a RESTful façade to a non-REST provider. And since this is coming from the outside, you want to authenticate and authorize at runtime, you want OAuth support, which is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. You also want threat protection, message validation, and more like intelligent routing. For that you use DataPower because it does it all in a single physical secure appliance.
The other scenario is on App Acceleration. You have a service but want to offload the heavy lifting of message transformation to meet your mobile needs. Again DataPower is used for this scenario
Public case study on ibm.com: http://public.dhe.ibm.com/common/ssi/ecm/en/wsc14480usen/WSC14480USEN.PDF
Customer: Sportsbet Pty. Ltd.
Industry: Media & Entertainment
Solution: Mobile
Geo: AP
Deployment country: Australia
Public case study on ibm.com: http://public.dhe.ibm.com/common/ssi/ecm/en/wsc14480usen/WSC14480USEN.PDF
Public video – customer endorsement 1: http://www.youtube.com/watch?v=0hpZcnrG26Q
Public video – customer endorsement 2: http://www.youtube.com/watch?v=dRNcI_OTrJM
Public video – customer endorsement 3: http://www.youtube.com/watch?v=3SLBEnztjx4
Customer: Sprint Nextel Corp
Industry: Telecommunication
Solution: Mobile
Deployment country: United States
Geo: NA
IBM API Mgmt provides the management platform, while IBM DataPower provides the API Gateway to enforce API security and control . IBM APIM sits on a server as a virtual appliance, while DataPower can be a virtual appliance or a physical appliance
Tangerine Bank spoke at Impact 2014 conference on Day 1 keynote. Video on YouTube
Citi
This is a use case that covers banks, payment processors, wireless telecommunications, merchants and their supply chain partners. Electronic wallets are getting significant airplay that falls in line with the growth of smart phones. Particularly with customers under 35, they rarely leave any location without taking their phone. Using it for financial transactions using Near Field Communication (NFC) is growing and the pace will quicken in 2014. API Management provides a secure environment for transactions to take place and includes near real time analytics to understand what is going on with the transactions. To help generate new applications from internal, partner or independent developers, a branded, easy to use developer portal is included.
Neiman Marcus
Electronic wallets are getting significant airplay that falls in line with the growth of smart phones. Particularly with customers under 35, they rarely leave any location without taking their phone. Using it for financial transactions using Near Field Communication (NFC) is growing and the pace will quicken in 2014. API Management provides a secure environment for transactions to take place and includes near real time analytics to understand what is going on with the transactions. To help generate new applications from internal, partner or independent developers, a branded, easy to use developer portal is included.
In this example Partner A sends an EDI file into their B2B Hub (1) which wraps the file in an AS2 envelope and sends it to Partner B (2), Partner B’s B2B Gateway Services in the XB60 transforms the EDI file to XML (3a) and sends it to the backend application over any XB60 supported protocol (3b), after the transaction has been successfully received by the back-end, Partner B’s B2B Gateway Service generates and sends an MDN back to partner A. Optionally, the Admin user can view the state of the transaction in the B2B viewer (5).
The EDIINT B2B pattern is a common pattern used to exchange B2B data that has been wrapped in a B2B messaging envelope. The Applicability Statements (AS1, AS2, AS3) provide a mechanism to securely transport data over a public network. They provide encryption, signatures and identity of the sender and receiver as well as providing for non-repudiation of origin and receipt. Although EDIINT stands for EDI over the Internet, over the years it has evolved to be payload agnostic and is commonly used to envelope any payload data format. This pattern as depicted in the next slide demonstrates the B2B appliance’s ability to consume an AS2 message from a trading partner that contains an EDI payload and transforming the payload to XML.
Using EDIINT to exchange data over the Internet provides the following business value:
Verification of partner information using partner profile management and security policy enforcement
Protects sensitive data as it traverses the Internet or any public network using S/MIME security
Improved Interoperability between disparate vendor B2B solutions
Confirmation of delivery of the B2B message utilizing message disposition notifications
A flat file is passed from Partner A’s back-end application into a process that wraps the file in a SOAP envelope as defined in the WSDL.
Partner A sends the SOAP message to Partner B over HTTP or HTTPS.
Partner B unwraps the SOAP envelop based on information defined in the WSDL using a Web Service Proxy service
Partner B wraps the flat file payload in a minimal AS2 header using a processing policy within the Web Service Proxy service and routes the AS2 message into a B2B Gateway Service over HTTP or HTTPS
Partner B’s B2B Gateway service unwraps the AS2 message and sends the flat file to Partner B’s back-end application using any protocol supported by the B2B appliance.
Optionally, if a Web Services response indicating the message was required by the sender this can be generated in the processing policy and sent after the file has been routed to the application. If the response is generated from the back-end Web Service application this could be passed back into the policy and sent to the partner.
The user can view the state of the transactions using the B2B Transaction Viewer.
The Web Services bridging pattern is a common pattern for company’s that need to consume a B2B payload over Web Services but wish to pass all inbound B2B data as a canonical B2B messaging format into their B2B gateway service; typically this is due to a trading partner’s requirement to only exchange data with external partners using the Web Services protocol. In this scenario we have chosen to use the AS2 protocol as the canonical protocol of choice.
The benefit of tying other DataPower services to the B2B Gateway Service is it provides you with the flexibility to utilize all of the integration functionality included in the device to connect to a wide variety of trading partners whom typically demand that you communicate in a manner that is convenient for them. Essentially, the other services on the B2B appliances can act as a pre or post process to the B2B Gateway Service giving you the extensibility needed to support the most demanding B2B transaction flows.
1: Trading Partner sends a file into the B2B Gateway service over any support protocol. The B2B GW uses profile management to identify the partner and process any messaging envelopes that may exist (Security, compression, acknowledgements, etc. - depends on standard used).
2: The B2B Gateway routes the file to a MQ Queue that is shared with an MQ FTE Agent.
2a: Optionally, a processing policy may be used in the B2B Gateway to set RFH2 headers and or trigger the MQ FTE file transfer.
3: The B2B Gateway recognizes the responses from MQ and if a B2B Messaging protocol (AS1, AS2, AS3, etc.) was used it will generate a message disposition notification and send it to the trading partner.
4: The Source Agent moves the file to the Target Agent based on either XML command file instructions or if the Agent was set to poll the shared MQ Queue.
5: The Target Agent moves the file off of the MQ Queue to the file system destination.
6: The back-end application uses the file to complete the flow. NOTE: you may be using adapters on IBM SOA products to integrate to apps like SAP, this is not depicted in this picture.
The business-to-business (B2B) enabled multi-enterprise file transfer pattern is a common pattern for company’s that wish to integrate their MQ File Transfer Edition backbone, located inside the protected network, with their external trading partners. The B2B appliance’s ability to protocol bridge between MQ FTE and any supported protocol provides a secure connection to external trading partners.
There is significant business value in combining the WebSphere DataPower B2B Appliance and WebSphere MQ File Transfer Edition to enable reliable and auditable internal file transfers and securing external file transfers between organizations by providing B2B governance and security at the edge of the network.
The following list describes the combined benefits that you can expect from this type of deployment scenario:
Integration between the B2B appliance and MQ FTE is over WebSphere MQ instead of a shared file system.
Files transferred between the B2B appliance and MQ FTE can be correlated using the integration ID from MQ; this ID can also be seen in the B2B Viewer.
The combined B2B messaging flow through the B2B appliance and file transfer flow through MQ FTE can be viewed through the B2B Viewer on the appliance. This provides the user with an end-to-end view of the file transfer.
File transfers can be set up to occur at specified times or dates, or repeated at specified intervals. File transfers can also be triggered by a range of system events, such as new files or updated files.
Think of the analogy of WSDL-SOAP over HTTP-WebServices for CPPA-ebMS-ebXML relations -- but wider in CPPA.
WSDL describes Web Services and how to access the services; SOAP over HTTP is used to invoke the Web Services.
CPA (and ebBP) describes the agreed of business collaborations and the technical capabilities how two trading partners do e-business; ebMS, which is protocol-independent, is used to invoke the business services.
An external partner sends an ebMS message into the B2B Gateway service over http or https.
The B2B GW uses profile management in combination with CPA entries associated with the B2B Gateway service to identify the ebXML collaboration and process the ebMS message.
The B2B Gateway routes the ebxml payload to the back-end applications.
After the ebXML payload is successfully transferred to the back-end the B2B Gateway Service generates an ebms ack (signal) message and sends it to the external trading partner.
The user can view the state of the transactions using the B2B Transaction Viewer.
Standards based ebXML is an open, XML-based infrastructure that enables the global use of electronic business information in an interoperable, secure, and consistent manner by all trading partners. Collaborative Protocol Profile and Agreements are XML based documents specifying a trading agreement between trading partners. Each trading partner will have their own Collaboration Protocol Profile (CPP) document that describes their abilities in an XML format. The Message Service Specification (ebMS) describes a communication-neutral mechanism with Message Service Handlers (MSH) that must be implemented in order to exchange business documents. ebMS2.0 is the current version of the specification and is built as an extension on top of the SOAP with Attachments specification.
The B2B appliance provides a CPA Import utility that maps the public side definitions of internal party in the CPA file to B2B Gateway structures, save the certificates defined in the CPA file in the file system, and automatically configures the Gateway with CPA entries, two Partner Profiles, front-side protocol handler(s), and crypto objects. The import process attempts to capture as much semantics contained in the CPA file to DataPower configuration, post import the users will need to perform essential configurations to make the Gateway service operational (for example, attach private key for the newly created Crypto Key object since there can not be private key materials inside the CPA file) and define the internal side interfaces like front-side protocol handler for accepting documents coming from internal application in an outbound gateway or the internal partner&apos;s Destination for an inbound gateway.
HL7 v2.x data does not adhere to the EDI X12 spec when it comes to segments and thus it has no ISA segment, but rather a MSH segment. Since we don&apos;t natively parse the MSH segment in a B2B Gateway and since the elements used to identify sender and receiver are optional, HL7 data must be handled as binary data when passing it into a B2B Gateway for outbound processing.
Partner A sends an HL7 v3.0 XML file wrapped in an AS2 envelope into Partner B’s B2B Gateway service over http or https.
The B2B Gateway service uses profile management to identify the sender and receiver partner profiles and routes the HL7 XML file into a processing policy in the internal partner profile.
The B2B Gateway service validates the HL7 XML payload against its schema and transforms the file into an HL7 EDI file using the processing policy.
The B2B Gateway service transfer the HL7 EDI file to the back-end healthcare applications using any B2B appliance supported protocol.
After the HL7 payload is successfully transferred to the back-end the B2B Gateway Service generates an AS2 message disposition notification (MDN) and sends it to Partner A.
The user can view the state of the transactions using the B2B Transaction Viewer.
HL7 is an ANSI accredited standards body; its mandate is to produce interoperable data standards for exchanging information across the entire healthcare industry. There are currently two versions of HL7; version 2 and version 3. HL7 v2 is based on EDI and is currently the most predominately used of the HL7 versions. HL7 v3 is based on XML and is very well suited for communication between applications. As HL7 v3 adoption grows, having a B2B solution that can support both versions when communicating with trading partners is essential. The B2B Appliance XB60 supports this pattern very well in that it uses DataPower&apos;s implementation of WebSphere Transformation Extender to execute maps (DataPower Mode Maps) that are created in the WTX Design Studio and compiled to run on DataPower. The maps transform the HL7 EDI format (v2) into a canonical HL7 XML format (v3) before routing the data to trading partners or the back-side healthcare applications.
1: The Trading Partner sends a HL7 file using AS2 to secure it over the Internet, to the healthcare provider, the B2B GW uses profile management to identify the partner and processes the AS2 messaging envelope (Security, compression, acknowledgements, etc.)
2: The B2B Gateway routes the HL7 payload to a MQ queue that is that is being monitored by WebSphere Message Broker
2a: Optionally, a processing policy may be used in the B2B Gateway manipulate the payload (validate, transform, parse, dynamic route, etc.)
3: The B2B Gateway recognizes the responses from MQ, generates a message disposition notification (MDN) and sends it to the Trading Partner
4: WebSphere Message Broker pulls the file from the MQ queue and processes it with the WebSphere Healthcare connectivity pack
5: The HL7 payload is further manipulated in the Broker flow and routed to the appropriate downstream healthcare system
*** The advantage of using the XB62 and the WMB Healthcare Connectivity Pack together is the XB62 can handle the security and governance of the partner connection over a public network at the network edge and easily integrate to WMB which is connected to the many internal systems that use HL7 2.x over MLLP. The connectivity pack can natively connect over MLLP, handle sequencing, duplicate checking, and provides detailed viewing and analytics of the HL7 data flow. It can also transform the HL7 files from one format to the other, however, if WTX is preferred for transformation, this can be done in the XB62
Available today on Amazon CreateSpace
https://www.createspace.com/4745597
Amazon.com worldwide & Amazon Kindle
KindleMatch – buy hardcopy & get ebook for US$2.99
Kinde Unlimited, Kindle lending
How DataPower is different than our competitors
Lets take a brief look at the history of DP to get a better perspective on how the product portfolio has evolved based on customer demand & feedback over the years and the innovation that has enabled it to become the market leader