zEnterprise Hybrid computing with DataPower Optimization Blades


  • Hardware Management has been extended to handle discovery of vital product data for blades and optimizers, determining which resources are entitled to be powered on and managed. The layout of the blade frame can be displayed and managed (e.g., for MES handling), including frames, switches, and BladeCenters.
  • Chart legend: mix of passthru, routing, transformation, and validation message processing operations. xASB (projected from Nehalem EP measurements); pASB (projected from 750 measurements); zLinux (projected from z10 measurements); z/OS (projected from z10 measurements); XI50B measured.
  • Content-based Message Routing; Protocol Bridging (HTTP, MQ, JMS, FTP, etc.): request-response and sync-async matching; XML/SOAP Firewall: filter on any content, metadata or network variables; Data Validation: approve incoming/outgoing XML and SOAP at wire speed; Field Level Security: WS-Security, encrypt & sign individual fields, non-repudiation; XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.; Web Services Management: centralized service level management, service virtualization, policy management; Easy Configuration & Management: WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (architects, developers, network operations, security).

    1. zEnterprise Hybrid computing with DataPower Optimization Blades
       Peter Brabec, CEE zWebSphere Brand Leader, DataPower Ambassador
       IBM SOA&BPM Top Trendy 2011, 22-23.09.2011, Radziejowice
    2. WebSphere DataPower Appliances…
       WebSphere DataPower Appliances provide a low startup cost, helping companies increase their ROI and reduce their TCO with specialized, consumable, dedicated appliances that combine superior performance and hardened security.
       • SIMPLIFY your connectivity infrastructure
       • ACCELERATE your time to value
       • SECURE your SOA, Web 2.0, B2B, and Cloud environments
       • GOVERN your evolving IT architecture
    3. DataPower boasts a decade of connectivity innovation
       [Timeline 1999 to 2011: XSLJIT Optimized Software Compiler; XG4 Gigabit/Sec OEM HW Solution; Acquisition; ITCAM for SOA; Model 9235 (aka 9004); DGXT Optimal Software Interpreter; XG3 Optimized Hardware Acceleration; Model 7993 (aka 9003); WebSphere Transformation Extender; Secure Cloud Connector; appliance models XA35, XS40, XI50, XB60, XM70; 2011: Application Optimization, XI50B, XI50Z]
    4. Why use an appliance for connectivity?
       • Purpose-built, fine-tuned consumable hardware platform
       • Provides high levels of certified security assurance
         ◦ FIPS 140-2 Level 3
         ◦ Common Criteria EAL4
       • Achieves fast performance with multiple layers of specialized hardware acceleration
       • Many functions incorporated in a single device
         ◦ Service level management and policy enforcement
         ◦ Dynamic routing and load distribution
         ◦ Edge security
         ◦ Transport and message transformation
       • Simplified maintenance model
         ◦ Drop-in appliance form-factor
         ◦ Push-button flash upgrade process
         ◦ Integrates with existing operations
    5. Configuration-driven approach speeds time to market
       • Enforce security standards with zero coding
       • Uses intuitive pipeline message processing
       • Import/export configurations between environments
       • Transaction probe shows message content between actions for debugging
    6. Deploy WebSphere DataPower Appliances in a variety of use cases
       [Diagram, zones Internet / DMZ / Trusted Domain / System z: 1 Secure Gateway (Web Services, Web Applications); 2 Intelligent Load Distribution; 3 B2B Partner Gateway; 4 Internal Security; 5 Enterprise Service Bus; 6 Runtime SOA Governance; 7 Web Service Management; 8 Legacy Integration; 9 Low Latency Gateway]
    7. Different VLAN IDs over a Shared IEDN in the Ensemble: Security
       [Diagram: Virtual Server 10A (VLAN10, VMAC-A), 10B (VLAN10, VMAC-B), 11C (VLAN11, VMAC-C), 11D (VLAN11, VMAC-D); TCPIP1 (z/OS1) VLAN10 VMAC1 and TCPIP3 (z/OS3) VLAN11 VMAC3 behind OSX MAC-X; Top of Rack switch in trunk mode]
       • Build separate security zones with VLANs. Only nodes that reside in the same VLAN can communicate with each other over the flat network.
       • Extra security: VLAN ID enforcement takes place at the TOR and in the hypervisors: PR/SM™, z/VM VSwitch, blade hypervisor, OSX.
    8. zEnterprise Security Architecture
    9. Legacy Enablement: XML Parsing and Encryption in Application on z/OS
       [Diagram, before: the client sends encrypted XML over SOAP/HTTPS straight to the z/OS application, with significant CPU consumption for XML processing. After: the client sends encrypted XML over SOAP/HTTPS to zEnterprise (DataPower), which forwards SOAP/HTTP with a binary (COBOL) MTOM attachment, with reduced CPU consumption for XML processing.]
    10. Introducing the WebSphere DataPower XI50z for zEnterprise
       • Purpose-built integration appliance
         ◦ Sysplex, CICS, IMS, DB2, SAF, RACF integration
       • Supports all ESB, security and integration capabilities of DataPower XI50
       • XI50 features optimized in a dense, high-compute IBM zEnterprise BladeCenter Extension (zBX) form-factor
       • Tightly integrated with zEnterprise
         ◦ Unified hardware and firmware management through the Hardware Management Console (HMC)
         ◦ Inherits serviceability, monitoring and reporting capabilities of zEnterprise
       • Highest-capacity DataPower appliance for SOA workloads optimized for zEnterprise environments
    11. Manage IBM WebSphere DataPower Integration Appliance with zManager
       • View DataPower firmware entitlement and level
       • Set up virtual networks (VLANs)
         ◦ VLANs provide enforced isolation of network traffic with secure private networks
       • View DataPower in the context of an ensemble
         ◦ Topology view
       • View BladeCenter and blade details
       • Hardware problem detection, reporting and call home
       • Monitor resource usage through Monitors Dashboard (CPU, memory, power consumption)
         ◦ Power capping
    12. Why is DataPower in zEnterprise?
    13. Translated to a physical Server & Network Architecture
       • Complexity and limitations of today's environment
       • Many tiers/nodes of independent resources connected over corporate network
       • System management information typically not an end-to-end view
       • Automation policies are limited to tier/node boundaries
       • Redundancy is pervasive for operational staff, HW, software and policies across architectures
       • Managing this complexity now consumes the majority of IT budgets
       Information Technology today is limited by the technology and architecture configurations available.
       [Diagram: DS servers, LAN servers, SSL/XML appliances, caching appliances, routers, switches, firewall servers, security/directory servers, application servers, file/print servers, business intelligence servers, web servers, System z]
    14. Background/Context
       • IBM zEnterprise 196 (short name z196), introduced last year,
         ◦ Offers an optional infrastructure called the IBM zEnterprise BladeCenter Extension (zBX)
         ◦ Consists of 1 to 4 42U racks that can each contain 1 or 2 BladeCenter chassis, each chassis having 14 slots
         ◦ Therefore up to 112 BladeCenter slots are available in a zBX configured with the maximum of 4 racks with 2 chassis in each rack
       • zEnterprise Unified Resource Manager (short name zManager)
         ◦ Firmware component that manages the entire zEnterprise (the z196 and the zBX) from a single point
         ◦ Simplified management is one of the key value propositions of the zEnterprise
       • DataPower XI50z was introduced in March 2011
    15. Smarter Banking Showcase
       [Diagram: System z Hardware Management Console (HMC) with Unified Resource Manager and Support Element; System z host with z/OS, z/TPF, z/VSE, Linux on System z, z/VM and PR/SM™; zBX with select IBM blades (Linux and Windows on System x, AIX on POWER7), blade virtualization, and optimizers (IBM Smart Analytics Optimizer, DataPower XI50 blade, future offerings), connected over the private data network (IEDN). Showcase components: FIS operational database on DB2 for z/OS; integration hub (WAS, WPS, WESB) on z/OS; SOA accelerator (WebSphere DataPower and WebSphere Transformation Extender); core banking services in CICS Transaction Server on z/OS]
    16. Emerging Distribution and HA Strategies
       [Diagram: clients reach WebSphere on p or x, any service provider on p or x, or WebSphere on z/OS or z/Linux through a DataPower tier. Tier 1 distribution options: DataPower Self Balancing, Sysplex Distributor. Tier 2 distribution options: DataPower ILD, Sysplex Distributor, DataPower load distribution. Labels: ASB, SASP, ODC, zBX. Red = connection distribution; black = request distribution. New in 3.8.0]
    17. Smarter Banking Showcase: Web services requester (JAX-WS) to partner system on z/OS or zLinux via WebSphere DataPower XI50z
       • Inbound to the XI50z (SOAP/HTTP): long XML message, >250K in length, >18K elements, e.g.
         <tns1:transfer_pd_bd><tns1:pstg_orgnl_amt>50</tns1:pstg_orgnl_amt><tns1:pstg_orgnl_iso4217>GBP</tns1:pstg_orgnl_iso4217><tns1:fee_on_debit_ind>0</tns1:fee_on_debit_ind><tns1:fsre_rfrnc_id></tns1:fsre_rfrnc_id></tns1:transfer_pd_bd>
       • On the XI50z: 1. data transformation from XML to COMMAREA using WTX; 2. convert message to MTOM/XOP format
       • Outbound to the backend application (SOAP/HTTP): short XML message, 1K in length, 1 element, e.g.
         <tns:w_comm_i><href="cid:f7269b79-2d87-4687-941d-225829c20246"/></tns:w_comm_i>
         with the CICS COMMAREA as a binary attachment
       • Saves MIPS
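The two steps on this slide, as an added worked example (not the showcase's WTX map or any DataPower configuration): the transfer fields are packed into a hypothetical 29-byte EBCDIC COMMAREA and the result is wrapped as an MTOM/XOP multipart whose short root part carries only the cid: reference. The tns1 namespace URI, the copybook layout, the MIME boundary and the Content-ID are assumptions.

```python
"""XML -> COBOL COMMAREA -> MTOM/XOP packaging, as on the Smarter Banking slide.

Added example; the copybook layout, the tns1 namespace URI, the MIME boundary
and the Content-ID are constructed assumptions, not the showcase's WTX map.
"""
import uuid
import xml.etree.ElementTree as ET

TNS1 = "urn:example:transfer"                       # assumed URI for the slide's tns1 prefix
XOP = "http://www.w3.org/2004/08/xop/include"       # standard XOP namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Hypothetical copybook behind W-COMM-I (29 bytes, EBCDIC code page 037):
#   05 PSTG-ORGNL-AMT      PIC 9(9).   unsigned zoned decimal, minor units
#   05 PSTG-ORGNL-ISO4217  PIC X(3).
#   05 FEE-ON-DEBIT-IND    PIC X.
#   05 FSRE-RFRNC-ID       PIC X(16).
LAYOUT = [("pstg_orgnl_amt", 9, "9"), ("pstg_orgnl_iso4217", 3, "X"),
          ("fee_on_debit_ind", 1, "X"), ("fsre_rfrnc_id", 16, "X")]
COMMAREA_LEN = sum(width for _, width, _ in LAYOUT)

# Constructed sample: the fragment shown on the slide, given the assumed namespace.
LONG_XML = (
    f'<tns1:transfer_pd_bd xmlns:tns1="{TNS1}">'
    "<tns1:pstg_orgnl_amt>50</tns1:pstg_orgnl_amt>"
    "<tns1:pstg_orgnl_iso4217>GBP</tns1:pstg_orgnl_iso4217>"
    "<tns1:fee_on_debit_ind>0</tns1:fee_on_debit_ind>"
    "<tns1:fsre_rfrnc_id></tns1:fsre_rfrnc_id>"
    "</tns1:transfer_pd_bd>"
)


def xml_to_commarea(xml_text: str) -> bytes:
    """Step 1: map the XML fields onto the fixed-layout COMMAREA (EBCDIC)."""
    root = ET.fromstring(xml_text)
    out = bytearray()
    for field, width, pic in LAYOUT:
        node = root.find(f"{{{TNS1}}}{field}")
        text = (node.text or "").strip() if node is not None else ""
        if pic == "9":
            # PIC 9(n): digits only, right-justified, zero-filled; reject overflow
            if not text.isdigit() or len(text) > width:
                raise ValueError(f"{field}: not a PIC 9({width}) value: {text!r}")
            text = text.rjust(width, "0")
        else:
            # PIC X(n): left-justified, space-padded; silent truncation would corrupt data
            if len(text) > width:
                raise ValueError(f"{field}: exceeds PIC X({width})")
            text = text.ljust(width)
        out += text.encode("cp037")
    return bytes(out)


def commarea_to_dict(blob: bytes) -> dict:
    """Inverse mapping (response side), also used to verify the round trip."""
    if len(blob) != COMMAREA_LEN:
        raise ValueError(f"COMMAREA must be {COMMAREA_LEN} bytes, got {len(blob)}")
    text, pos, fields = blob.decode("cp037"), 0, {}
    for field, width, pic in LAYOUT:
        raw = text[pos:pos + width]
        pos += width
        fields[field] = str(int(raw)) if pic == "9" else raw.rstrip()
    return fields


def build_mtom(commarea: bytes, boundary: str = "MIMEBoundary_c0ffee", cid: str = ""):
    """Step 2: wrap the COMMAREA as an MTOM/XOP attachment.

    Returns (Content-Type header value, multipart body). The short root part
    carries only the xop:Include that points at the binary part.
    """
    cid = cid or str(uuid.uuid4())
    short_xml = (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
        f'<tns:w_comm_i xmlns:tns="{TNS1}">'
        f'<xop:Include xmlns:xop="{XOP}" href="cid:{cid}"/>'
        "</tns:w_comm_i></soap:Body></soap:Envelope>"
    )
    content_type = ('multipart/related; type="application/xop+xml"; '
                    f'boundary="{boundary}"; start="<root.xop>"; start-info="text/xml"')
    body = b"\r\n".join([
        f"--{boundary}".encode(),
        b'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"',
        b"Content-Transfer-Encoding: 8bit",
        b"Content-ID: <root.xop>",
        b"",
        short_xml.encode("utf-8"),
        f"--{boundary}".encode(),
        b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: binary",
        f"Content-ID: <{cid}>".encode(),
        b"",
        commarea,                       # raw EBCDIC bytes, no base64 inflation
        f"--{boundary}--".encode(),
        b"",
    ])
    return content_type, body
```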
    18. DataPower XI50z Delivers Stunning Price/Performance
       Enterprise Service Bus benchmark comparison: DataPower XI50z in zBX vs. Microsoft BizTalk Server on Windows on an Intel server (4 sockets, 32 cores, 128 GB). The test consists of measuring the maximum throughput of the ESB while performing a variety of message mediation workloads: pass-through, routing, transformation, and schema validation.
       • One BizTalk server: 492 messages per sec, TCA: $375,711
       • One DataPower XI50z: 5,117 messages per sec, TCA: $166,703
       • Up to 10.4x the throughput at less than ½ the cost, resulting in up to 23x price/performance benefit
       *Results may vary based on customer workload profiles/characteristics. Prices will vary by country. This doesn't include the extra costs of cabling, network switches, firewalls, etc. required for an external ESB server.
    19. System z use cases
    20. IMS Integration (1)
       [Diagram: Client → SOAP/HTTP → DataPower → SOAP/HTTP → IMS SOAP Gateway or WAS + IMS connector]
       • Web services security and management for IMS web services
       • Content-based message routing
       • Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
       • XML/SOAP firewall
       • Data validation
       • Field level security
       • XML web services access control/AAA
       • Web services management
    21. IMS Integration (2)
       [Diagram: Service originator → SOAP/HTTP → DataPower XI50z (MQ client) → Cobol/MQ → MQ server with MQ bridge → IMS OTMA → IMS application (z service provider)]
       • DataPower provides WS-enablement to IMS applications
       • User codes schema-dependent FFD or WTX data map to perform request/response mapping
       • This is the preferred way to WS-enable IMS applications
       • Requires MQ
         ◦ MQ bridge to access IMS
         ◦ MQ client is embedded in DataPower
         ◦ Customers push back against MQ requirement due to cost and complexity issues
    22. IMS Integration (3): WS-Enablement
       [Diagram: Service originator → SOAP/HTTP → DataPower (IMS Connect Client) → Cobol/TCP → IMS Connect (user exit, e.g. HWSSMPL0) → OTMA → IMS Appl1 to Appl6 (z service provider)]
       • Remove MQ *requirement* of WS-enablement of IMS
         ◦ MQ still best alternative for scenarios requiring transactional support
         ◦ IMS has few alternatives (IMS SOAP Gateway is an entry-level solution)
       • "IMS Connect Client" (back-side handler) natively connects to IMS Connect using its custom request/response protocol
       • New in 3.8.0: Automatic chunking and de-chunking
       • New in 3.8.1: Commit mode 1, Sync level commit support
    23. IMS Integration (4): IMS Proxy
       [Diagram: Service originator → Cobol/TCP → DataPower (IMS Connect "Server", SQL look-up, IMS Connect Client) → Cobol/TCP → IMS Connect (user exit, e.g. HWSSMPL0) → OTMA → IMS Appl1 to Appl6 (z service provider)]
       • Bring DataPower value add to standard IMS Connect usage patterns
       • Provide an "IMS Connect Client" on DataPower that natively connects to IMS Connect
       • Provide an "IMS Connect Server" on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
         ◦ Enables authentication checks, authorization, logging, SLM, transformation, routing, DB look-up, SSL offload, etc.
    24. DB2 Integration (1)
       [Diagram: Service originator → SOAP/HTTP service request → DataPower → DRDA → DB2; DataPower → SOAP/HTTP augmented service request → service provider]
       • Web service requests are augmented with information from the database (message enrichment)
       • Supports writing to DB also
         ◦ Logging and auditing
       • Supports DB2, Oracle, Sybase, MSFT
       • 3.7.1 added
         ◦ Parameter marking
         ◦ Array-based operations
         ◦ Perf enhancements
         ◦ Stored procedures
         ◦ Native XML processing
    25. DB/2 Integration (2)
       [Diagram: Service originator → SOAP/HTTP DB service request → DataPower (generated service provider façade; generated content transformation XML to SQL) → DRDA → DB2]
       • DataPower 3.7.1 provides a standard WS façade to DB/2
         ◦ Common tool (IBM Data Studio 1.2, GA in Aug) to generate WSDL and data mapping in both Data Web Services runtime and DataPower
         ◦ SOAP call is mapped to an ODBC (DRDA) invocation
       • Exposes database content (information) as a service
    26. CICS Integration (1)
       [Diagram: Client → SOAP/HTTP → DataPower → SOAP/HTTP → CICS Web Services or WAS + CICS connector]
       • Web services security and management for CICS web services
       • Content-based message routing
       • Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
       • XML/SOAP firewall
       • Data validation
       • Field level security
       • XML web services access control/AAA
       • Web services management
       • New in 3.8.0: ID propagation
    27. CICS Integration (2)
       [Diagram: Service originator → SOAP/HTTP → DataPower (MQ client) → Cobol/MQ → MQ server with CICS bridge → CICS application (z service provider)]
       • DataPower provides WS-enablement to CICS
       • Customer codes schema-dependent XSL/FFD/TypeTree (Contivo or WTX) to perform request/response mapping
       • Requires MQ
         ◦ MQ bridge to access CICS
         ◦ MQ client capability is embedded in DataPower
    28. CICS Integration (3)
       [Diagram: SOAP/HTTP service request → DataPower → SOAP/HTTP with binary (Cobol) MTOM attachment → CICS Web Services]
       • DataPower provides WS-Security, XDOS to CICS WS back-end
       • User creates schema-dependent transform to perform request/response mapping
       • Payload transformation is pushed to DataPower
       • SOAP header information required at CICS WS back-end for correct operations, e.g. WS-Atomic Transactions
    29. Remote SAF Security Integration
       [Diagram: DataPower (NSS client) on the client platform exchanges I&A and access control requests/responses with NSS on z/OS, which consults RACF users and resources; audit records go to TSOM; the RACF administrator maintains RACF; the target application or middleware sits behind DataPower]
       • Request NSS on z/OS to identify and authenticate (I&A) administrative users and to perform access control operations when access to DataPower resources is requested. GA 3.7.2.
       • NSS provides a remote interface to RACF for I&A and access control requests. Can request RACF certificate name filtering. z/OS R10.
    30. Crypto Integration
       [Diagram: DataPower XS40 (NSS client, TLS endpoints) on the client platform exchanges key requests/responses with Network Security Services (NSS) on z/OS, which uses the RACF keyring; the RACF administrator maintains RACF; the target application or middleware sits behind DataPower]
       • Request NSS on z/OS to perform operations that require access to the RACF keyring. This includes signing, validating signatures during security initialization, key unwrapping, and key downloading.
       • NSS performs the requested key operation using certificates and keys stored in RACF.
    31. Why use DataPower with Message Broker?
       • Message Broker can use the DataPower appliance to handle its WS-Security processing
         ◦ Security at the edge of a network (DMZ)
         ◦ It's a tamperproof device, so offers a degree of physical security
         ◦ Offloads WS-Security processing away from the message flow processing
           - On platforms such as z/OS, with offload you can reduce TCO by moving WS-Security processor MIPS and latency.
    32. DataPower Offload
       • Offload web services security to DataPower
         ◦ Single tool and security policy description
         ◦ Security best practices
           - WS-Security at appropriate point in topology
           - Built-in XML threat protection; hardened device
         ◦ Scale as volumes increase
           - Enhanced performance with SOA appliance
           - Add capacity when necessary
       • Administration user experience
         ◦ Operational reconfiguration only
         ◦ Applications and message flows unchanged
         ◦ Right click on flow and select "Use DataPower"
           - DataPower performs WS-Security processing
           - Forwards processed request to MB
       • Initial focus is on WS-Security processing
         ◦ Integral part of MB Explorer V7
         ◦ Other functions may follow
    33. Message Broker & DataPower Integration
       • Use DataPower to perform WS-Security processing for Message Broker WS flows
         ◦ Decryption for HTTP and HTTPS Input Nodes
         ◦ Encryption for HTTP and HTTPS Reply Nodes
       • Configures your DataPower appliance from Broker Explorer as a…
         ◦ XML firewall within a DMZ
         ◦ inbound decryption engine
         ◦ outbound encryption engine
         ◦ SSL gateway to the broker
       • Security processing only
         ◦ More functionalities will follow
    34. Pre-requisites on your DataPower appliance
       • The Message Broker user…
         ◦ Requires a username, password and domain on their DataPower appliance
         ◦ Requires certificates and Crypto Profiles available on the DataPower appliance in their domain (for SSL, decryption and encryption)
         ◦ Does not need to use the DataPower appliance directly at all
           - All configuration via the DataPower Security Wizard
    35. DataPower Security Wizard
       • Interacts with your DataPower appliance
         ◦ Retrieves Crypto Profiles for SSL communications
         ◦ Retrieves encryption & decryption certificates
       • Interacts with your Message Broker server
         ◦ Retrieves all HTTP & HTTPS message flow Input Nodes
    36. DataPower Security Wizard: Policy Sets
       • A Policy Set is used to configure the WS-Security aspects of your encryption and decryption rules
         ◦ Define the WS-Security for your decryption and encryption actions using the Key Information table in your Policy Set Bindings
         ◦ Cut-down version of the Policy Set Editor available in V6.1
    37. DataPower Firewall created by the Security Wizard
       • Up to two DataPower Firewalls created
         ◦ One Firewall for HTTP Input Nodes
         ◦ One Firewall for HTTPS Input Nodes
       • Front and back HTTP ports set
       • IP address of the message broker listener is configured
       • SSL Server Crypto Profile set as specified by the policy
       • HTTPS Firewall has back (Message Broker) SSL Client Crypto Profile set
    38. DataPower Policy created by the Security Wizard
       • Each DataPower Firewall has an associated DataPower Policy
       • Two rules created per HTTP(S) Input Node, each with the appropriate Match Rule
         ◦ Request Rule (inbound)
         ◦ Response Rule (outbound)
       • Ability to merge rules with existing DataPower Policy and DataPower Firewall
         ◦ Rules are added to the DataPower Policy.
         ◦ No changes are made to the DataPower Firewall
    39. Summary
    40. DataPower/zBX Integration Details
       • Blade hardware management
         ◦ Monitoring of HW for health, degraded operation
         ◦ Call-home for current/expected problems, automatic dispatch of CSR
         ◦ Consolidation/integration of DP HW problem reporting with other problems reported in zBX
         ◦ Energy monitoring and management of DP blades
       • DP firmware load and update
         ◦ Consistent change mgmt with other zGryphon firmware mgmt
         ◦ Enforced restriction of firmware updates to SE userid
         ◦ Enhanced new firmware level testing in zBX by System z Devt/Product Engineering and built-in restrictions on number of variations supported (test and production variants)
       • HMC console integration
         ◦ Person monitoring the z environment from an overall hardware operational perspective will see DP blades included in the picture, with associated status from a single (w/ redundancy) console
         ◦ Group GUI operations for functions supported on HMC (e.g. power up/quiesce/upgrade firmware for these 5 DP blades)
         ◦ Time synchronization with System z time via HMC/SE time server
       • Dynamic load balancing
         ◦ Allows LB decision based on consolidated understanding of load on DP blades as well as associated back-end sub-systems
         ◦ via Sysplex Distributor
       • DP failure recovery and restart
         ◦ HMC/SE will detect and report on appliance failures and can be used to re-cycle appliance if DP built-in restart fails
         ◦ Periodic backup/restore of full blade configuration (automatic on changes to config); backup to HMC media
       • Networking
         ◦ Virtual network provisioning
         ◦ Provides enforced isolation of network traffic via VLAN support
         ◦ 10Gb end-to-end network infrastructure
         ◦ Built-in network redundancy
         ◦ IEDN provides protected network, possibly obviating customer-perceived need for encryption of last-mile flows between DP and target back-end server
       • Monitoring and reporting
         ◦ Monitoring of DP health via HMC
         ◦ Consolidated platform error logging across whole environment
         ◦ Products like ITCAM may also monitor the DP blade at a higher level, but some customers may not have or want ITCAM or equivalent, at least initially, yet still need some monitoring.
    41. System z Integration: Smart SOA connectivity throughout the enterprise
       • Broad integration with System z
       • Connect to existing applications over WebSphere MQ
       • Transform XML to/from COBOL copybook for legacy needs
       • Natively communicate with IMS Connect
       • Integrate with RACF security from DataPower AAA
       • Dynamic crypto material retrieval & caching, or offload crypto ops to z
       • Service-enable CICS using WebSphere MQ
       • Virtualize CICS Web Services
    42. Summary: Purpose-built hardware for simplified deployment and hardened security
       • Security: VLAN support provides enforced isolation of network traffic with secure private networks.
       • Improved support: Monitoring of hardware with "call home" for current/expected problems and support by System z Service Support Representative.
       • System z packaging: Increased quality with pre-testing of blade and zBX. Upgrade history available to ease growth.
       • Operational controls: Monitoring rolled into System z environment from single console. Consistent change management with Unified Resource Manager.
    44. Backup: DataPower Overview
    45. Protect your data with cryptography and XML threat protection
       XML Threat Protection:
       • Entity expansion/recursion attacks
       • Public key DoS
       • XML flood
       • Resource hijack
       • Dictionary attack
       • Replay attack
       • Message/data tampering
       • Message snooping
       • XPath or SQL injection
       • XML encapsulation
       • XML virus
       • … many others
       See: "The (XML) threat is out there…" by Bill Hines, ibm.com/developerWorks
       Cryptography:
       • Use DataPower to help resolve PCI compliance issues
       • Easily sign, verify, encrypt, decrypt any content
       • Configurable XML Encryption and Digital Signatures
         ◦ Message-level
         ◦ Field-level
         ◦ Headers
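As an added illustration of the first items on this list (entity expansion/recursion and XML flood), and not DataPower's own XML Manager settings, the following guard pre-parses a payload with hard limits on size, nesting depth, element count and attributes per element, and refuses any DOCTYPE, which is what the expansion attacks depend on. The limit values and sample payloads are constructed assumptions.

```python
"""Parser-level guard for the XML threat classes named on the slide.

Added example using only the standard library; the limits are illustrative
assumptions, not DataPower XML Manager defaults.
"""
import xml.parsers.expat


class XmlThreat(ValueError):
    """Raised when a document trips one of the configured limits."""


class XmlGuard:
    """Pre-parse a payload with hard limits before the application sees it."""

    def __init__(self, max_bytes=1_000_000, max_depth=32,
                 max_elements=10_000, max_attributes=64):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_attributes = max_attributes

    def check(self, data: bytes) -> dict:
        """Return {'max_depth', 'elements'} for an accepted document, else raise."""
        if len(data) > self.max_bytes:
            raise XmlThreat(f"payload of {len(data)} bytes exceeds {self.max_bytes}")
        stats = {"depth": 0, "max_depth": 0, "elements": 0}
        parser = xml.parsers.expat.ParserCreate()

        def start_doctype(name, sysid, pubid, has_internal_subset):
            # Entity expansion / recursion and external-entity tricks all need
            # a DTD, so a service payload simply gets none.
            raise XmlThreat("DOCTYPE declarations are not permitted")

        def start_element(name, attrs):
            stats["elements"] += 1
            stats["depth"] += 1
            stats["max_depth"] = max(stats["max_depth"], stats["depth"])
            if stats["depth"] > self.max_depth:                 # recursion
                raise XmlThreat(f"nesting depth exceeds {self.max_depth}")
            if stats["elements"] > self.max_elements:           # XML flood
                raise XmlThreat(f"element count exceeds {self.max_elements}")
            if len(attrs) > self.max_attributes:
                raise XmlThreat(f"<{name}> carries more than {self.max_attributes} attributes")

        def end_element(name):
            stats["depth"] -= 1

        parser.StartDoctypeDeclHandler = start_doctype
        parser.StartElementHandler = start_element
        parser.EndElementHandler = end_element
        try:
            parser.Parse(data, True)      # exceptions raised in handlers propagate here
        except xml.parsers.expat.ExpatError as exc:
            raise XmlThreat(f"malformed XML: {exc}") from exc
        return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


def classify(data: bytes, guard: XmlGuard = None) -> str:
    """'accept' or 'reject: <reason>' for one payload."""
    guard = guard or XmlGuard(max_depth=16, max_elements=1_000)
    try:
        guard.check(data)
        return "accept"
    except XmlThreat as exc:
        return f"reject: {exc}"


# Constructed sample payloads. The DTD one declares a single harmless entity;
# the guard rejects it before the internal subset is even read.
OK_DOC = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b"<soap:Body><transfer><amt>50</amt><ccy>GBP</ccy></transfer>"
          b"</soap:Body></soap:Envelope>")
DTD_DOC = b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY a 'aaaa'>]><x>&a;</x>"


def deep_doc(levels: int) -> bytes:
    """Recursion-style payload: <a> nested `levels` deep."""
    return b"<a>" * levels + b"</a>" * levels


def flood_doc(count: int) -> bytes:
    """Flood-style payload: `count` sibling elements under one root."""
    return b"<r>" + b"<e/>" * count + b"</r>"
```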
    46. Employ flexible AAA (Authenticate, Authorize, Audit) Policies
       [Diagram of the AAA pipeline from input to output, backed by an external access control server or the onboard identity management store]
       • Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
       • Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
       • Map Identity
       • Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
       • Map Resource
       • Authorize: LDAP, ActiveDirectory, System/z NSS, Tivoli Access Manager, SAML, XACML, Custom
       • Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
    47. Access heterogeneous systems with transport and payload transformations
       • Integrate disparate transport protocols with extreme ease
         ◦ No dependencies between inbound "front-side" and outbound "back-side"
         ◦ Examples: HTTP(s), WebSphere MQ, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
       • Transform the message format with ultimate flexibility
         ◦ Process XML and non-XML formats in a single configuration
         ◦ Leverage WebSphere Transformation Extender for data mapping
       • Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns
       [Diagram: SOAP, XML, COBOL, CSV, CICS binary, IMS, DB2, MQ, WebSphere…]
    48. Efficiently leverage your assets with content-based routing
       • Dynamically route based on any message content
         ◦ Attributes such as the originating IP, requested URL, protocol headers, etc.
         ◦ Data within the message such as SOAP headers, XML, non-XML content, etc.
       • Query WebSphere Service Registry & Repository for routing information
         ◦ Or use simple XML files
         ◦ Databases
         ◦ Web servers
       • Deploy changes to your routing policy with no downtime
       • Convert transport protocol using a simple routing change
    49. Shape your traffic with Service Level Management and Load Balancing
       • Use Service Level Management (SLM) to protect your applications from over-utilization
         ◦ Frequency based on concurrency OR based on messages per time period
         ◦ Take action when exceeding a custom threshold:
           - Notify (or log)
           - Shape (or delay)
           - Throttle (or reject)
       • Combine SLM with routing to make intelligent failover decisions
         ◦ Use alternate servers when a threshold is exceeded
       • Advanced load balancing algorithms simplify your architecture
         ◦ First Available
         ◦ (Weighted) Round Robin
         ◦ (Weighted) Least Connections
         ◦ Hash
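The SLM actions and the failover rule on this slide, as an added worked example rather than DataPower's SLM policy object: a messages-per-interval statement that notifies, shapes or throttles, feeding a router that picks a target by weighted least connections or by hash and moves excess traffic to the alternate servers. The sliding-window implementation, thresholds and target names are assumptions; time is passed in explicitly so the logic can be exercised offline.

```python
"""Service Level Management statement with the three actions from the slide,
combined with routing so that excess traffic fails over to alternate servers.

Added example, not DataPower's SLM policy object; thresholds and target names
are constructed. Time is passed in explicitly so the logic is testable.
"""
import hashlib
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SlmStatement:
    """Threshold on messages per interval (the slide's second frequency option)."""
    threshold: int
    interval: float                  # seconds
    action: str                      # "notify" | "shape" | "throttle"
    alerts: list = field(default_factory=list)
    _window: deque = field(default_factory=deque, repr=False)

    def evaluate(self, now: float) -> dict:
        # Sliding window: forget arrivals (or scheduled releases) older than one interval.
        while self._window and now - self._window[0] >= self.interval:
            self._window.popleft()
        if len(self._window) < self.threshold:
            self._window.append(now)
            return {"decision": "forward", "delay": 0.0, "exceeded": False}
        if self.action == "notify":          # log it, but let the message through
            self.alerts.append(f"t={now:.3f}: {self.threshold}/{self.interval}s exceeded")
            self._window.append(now)
            return {"decision": "forward", "delay": 0.0, "exceeded": True}
        if self.action == "shape":           # hold it until the oldest slot frees
            release = self._window.popleft() + self.interval
            self._window.append(release)
            return {"decision": "forward", "delay": release - now, "exceeded": True}
        return {"decision": "reject", "delay": 0.0, "exceeded": True}   # throttle


@dataclass
class Target:
    name: str
    weight: int = 1
    active: int = 0                  # in-flight connections


def weighted_least_connections(pool: list) -> Target:
    """Lowest active/weight ratio wins; the name breaks ties deterministically."""
    return min(pool, key=lambda t: (t.active / t.weight, t.name))


def hash_pick(pool: list, key: str) -> Target:
    """The same key always lands on the same target (affinity without state)."""
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


class Router:
    """SLM in front of two pools: primaries normally, alternates once exceeded."""

    def __init__(self, slm: SlmStatement, primaries: list, alternates: list):
        self.slm, self.primaries, self.alternates = slm, primaries, alternates

    def route(self, now: float, affinity_key: str = None) -> dict:
        verdict = self.slm.evaluate(now)
        if verdict["decision"] == "reject":
            return {**verdict, "target": None}
        pool = self.alternates if verdict["exceeded"] else self.primaries
        target = (hash_pick(pool, affinity_key) if affinity_key
                  else weighted_least_connections(pool))
        target.active += 1
        return {**verdict, "target": target.name}

    def release(self, name: str) -> None:
        """Call when the back-end reply has been returned to the client."""
        for t in self.primaries + self.alternates:
            if t.name == name:
                t.active -= 1


def demo() -> list:
    """Constructed burst: 4 messages in 0.3 s against a 2-per-second threshold."""
    router = Router(SlmStatement(threshold=2, interval=1.0, action="notify"),
                    primaries=[Target("cics-a", weight=2), Target("cics-b", weight=1)],
                    alternates=[Target("cics-dr", weight=1)])
    return [router.route(t)["target"] for t in (0.0, 0.1, 0.2, 0.3)]
```

The third and fourth messages exceed the threshold, so under the notify action they are still forwarded but land on the alternate pool; switching the action to "throttle" would reject them instead.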
    50. Consolidate your infrastructure with Application Optimization
       • Use Self-Balancing technology to spread inbound traffic load across multiple DataPower appliances using a single target
         ◦ Eliminates the need for additional physical load balancers
         ◦ Efficiently distributes traffic with minimal overhead
       • Use Intelligent Load Distribution to optimize outbound traffic across multiple destinations
         ◦ Supports dynamic WebSphere cell interrogation
         ◦ Automatically updates targets and weights
       • Use Session Affinity to preserve target session state across multiple requests
         ◦ Supports WebSphere and non-WebSphere targets
    51. Use Self Balancing for high availability and capacity scaling
       • Configure the appliances to share a single IP address
       • Leverages proven, world-class IBM technology (e.g., Sysplex Distributor)
       • Eliminates dependency on separate load balancers
       • Built for automatic failover
    52. Provide application-aware Intelligent Load Distribution
       • Auto-discovers application targets using a dynamic feedback mechanism
       • Uses intelligent weighted distribution algorithms based on current server load
       • Provides several options for enabling session affinity
       • Combine with traditional DataPower load balancing options for flexibility