zEnterprise Hybrid computing with DataPower Optimization Blades
Presentation 2. Mistrzowski Mainframe

Speaker notes:
  • Hardware Management has been extended to handle discovery of vital product data for blades and optimizer, determining what resources are entitled to be powered on and managed. The layout of the blade frame can be displayed and managed (e.g., for MES handling), including frames, switches, and BladeCenters.
  • Mix of passthru, routing, transformation, and validation message processing operations. Platforms: xASB (projected from Nehalem EP measurements); pASB (projected from 750 measurements); zLinux (projected from z10 measurements); z/OS (projected from z10 measurements); X150b (measured).
  • Content-based Message Routing; Protocol Bridging (HTTP, MQ, JMS, FTP, etc.): request-response and sync-async matching; XML/SOAP Firewall: filter on any content, metadata or network variables; Data Validation: approve incoming/outgoing XML and SOAP at wirespeed; Field Level Security: WS-Security, encrypt & sign individual fields, non-repudiation; XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.; Web Services Management: centralized Service Level Management, Service Virtualization, Policy Management; Easy Configuration & Management: WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security).

    1. zEnterprise Hybrid computing with DataPower Optimization Blades
       Peter Brabec, WebSphere on System Z Brand Leader, DataPower Ambassador
    2. WebSphere DataPower Appliances…
       • SECURE your SOA, Web 2.0, B2B, and Cloud environments
       • SIMPLIFY your connectivity infrastructure
       • ACCELERATE your time to value
       • GOVERN your evolving IT architecture
       WebSphere DataPower Appliances provide a low startup cost, helping companies increase their ROI and reduce their TCO with specialized, consumable, dedicated appliances that combine superior performance and hardened security.
    3. DataPower boasts a decade of connectivity innovation
       [Timeline 1999–2011. Appliance models: DGXT, XA35, XS40, XI50, XG3, XG4, XB60, XM70, XI50B, XI50z; Model 7993 (aka 9003), Model 9235 (aka 9004). Technology stages: Optimal Software Interpreter, XSLJIT, Optimized Software Compiler, Optimized Hardware Acceleration (Gigabit/sec). Milestones: OEM HW Solution, Acquisition, WebSphere Transformation Extender, ITCAM for SOA, Secure Cloud Connector, Application Optimization.]
    4. Why use an appliance for connectivity?
       • Purpose-built, fine-tuned consumable hardware platform
       • Provides high levels of certified security assurance
         – FIPS 140-2 Level 3
         – Common Criteria EAL4
       • Achieves fast performance with multiple layers of specialized hardware acceleration
       • Many functions incorporated in a single device
         – Service level management and Policy enforcement
         – Dynamic routing and load distribution
         – Edge security
         – Transport and message transformation
       • Simplified maintenance model
         – Drop-in appliance form-factor
         – Push-button flash upgrade process
         – Integrates with existing operations
    5. Configuration-driven approach speeds time to market
       • Enforce security standards with zero coding
       • Uses intuitive pipeline message processing
       • Import/export configurations between environments
       • Transaction probe shows message content between actions for debugging
    6. Deploy WebSphere DataPower Appliances in a variety of use cases
       [Diagram spanning the Internet, DMZ and Trusted Domain zones, with Web Services / Web Applications consumers, a partner application consumer, System z and an internal application. Numbered use cases:]
       1 Secure Gateway; 2 Intelligent Load Distribution; 3 B2B Partner Gateway; 4 Internal Security; 5 Enterprise Service Bus; 6 Runtime SOA Governance; 7 Web Service Management; 8 Legacy Integration; 9 Low Latency Gateway
    7. Different VLAN IDs over a Shared IEDN in the Ensemble: Security
       • Extra Security: VLAN ID enforcement takes place at the Top of Rack (TOR) switch and at the hypervisor: PR/SM, z/VM VSwitch, Blade Hypervisor, OSX. Trunk Mode.
       • Build separate security zones with VLANs. Only nodes that reside in the same VLAN can communicate with each other over the Flat Network.
       [Diagram: virtual servers 10A and 10B (VMAC-A, VMAC-B) on VLAN10; virtual servers 11C and 11D (VMAC-C, VMAC-D) on VLAN11; z/OS stacks TCPIP1 (z/OS1, VMAC1) and TCPIP3 (z/OS3, VMAC3) attached through OSX (MAC-X).]
    8. zEnterprise Security Architecture
       [Diagram: an application request from the Internet, intranet or internal network passes the Network Layer Firewall (IP-, packet- and port-filtering, SSL termination) and Intrusion Detection / Intrusion Prevention systems, then the Integration Appliance (IBM WebSphere DataPower XI50z in the zBX) providing XML Firewall, Web Service SSO and AAA, then the Application Entry Point Systems (IBM: WAS ND, CTG, WMQ etc.) and the Back End Systems and Databases (IBM: CICS, DB2, IMS etc.) running in z/OS and Linux on System z LPARs on the CEC. Connectivity: Private Data Network (IEDN), HiperSockets / Cross Memory.]
    9. Legacy Enablement – XML Parsing and Encryption in Application on z/OS
       • Client → SOAP/HTTPS (encrypted XML) → application on z/OS: significant CPU consumption for XML processing.
       • zEnterprise: Client → SOAP/HTTPS (encrypted XML) → DataPower → SOAP/HTTP with binary (Cobol) MTOM attachment → application: reduced CPU consumption for XML processing.
    10. Introducing the WebSphere DataPower XI50z for zEnterprise
       • XI50 features optimized in a dense, high compute IBM zEnterprise BladeCenter Extension (zBX) form-factor
       • Tightly integrated with zEnterprise HMC
         – Unified hardware and firmware management through the Hardware Management Console (HMC)
         – Inherits serviceability, monitoring and reporting capabilities of zEnterprise
         – Sysplex, CICS, IMS, DB2, SAF, RACF integration
       • Supports all ESB, Security and Integration capabilities of DataPower XI50
       Purpose-built Integration Appliance: highest capacity DataPower appliance for SOA workloads, optimized for zEnterprise environments.
    11. Manage IBM WebSphere DataPower Integration Appliance with zManager
       • View DataPower firmware entitlement and level
       • Set up virtual networks (VLANs)
         – VLANs provide enforced isolation of network traffic with secure private networks
       • View DataPower in the context of an ensemble
         – Topology view
       • View BladeCenter and Blade details
       • Hardware Problem Detection, Reporting and Call Home
       • Monitor resource usage through Monitors Dashboard (CPU, Memory, Power consumption)
         – Power Capping
    12. Why is DataPower in zEnterprise?
    13. Translated to a physical Server & Network Architecture
       Information Technology today is limited by the technology and architecture configurations available.
       [Diagram of today's environment: Web Servers, Security/Directory Servers, System z, SSL/XML Appliances, Application Servers, Routers, Switches, File/Print Servers, Business Intelligence Servers, DS Servers, Caching Appliances, Firewall Servers, LAN Servers.]
       Complexity and Limitations of Today's Environment
       • Many tiers/nodes of independent resources connected over corporate network
       • System management information typically not end-to-end view
       • Automation Policies are limited to tier/node boundaries
       • Redundancy is pervasive for Operational staff, HW, Software and policies across architectures
       • Managing this complexity now consumes the majority of IT budgets
    14. Background/Context
       • IBM zEnterprise 196 (short name z196), introduced last year
         – Offers an optional infrastructure called the IBM zEnterprise BladeCenter Extension (zBX)
         – Consists of 1 to 4 42U racks that can each contain 1 or 2 BladeCenter chassis, each chassis having 14 slots
         – Therefore up to 112 BladeCenter slots are available in a zBX configured with the maximum of 4 racks with 2 chassis in each rack
       • zEnterprise Unified Resource Manager (short name zManager)
         – Firmware component that manages the entire zEnterprise (the z196 and the zBX) from a single point
         – Simplified management is one of the key value propositions of the zEnterprise
       • DataPower XI50z was introduced in March 2011
    15. Smarter Banking Showcase
       [Diagram: z/OS Integration Hub (WAS, WPS, WESB; WebSphere Transformation Extender; CICS Transaction Server), z/OS Core Banking Services (FIS) and Operational Database (DB2 for z/OS) on the System z host, with the DataPower XI50 blade in the zBX as SOA Accelerator. The ensemble view shows the System z Host (z/OS, z/TPF, z/VSE, Linux on System z under z/VM; PR/SM), Select IBM Blades (Linux and AIX on POWER7, Linux and Windows on System x, DataPower; future offerings; Blade Virtualization), Optimizers (IBM Smart Analytics Optimizer), the Hardware Management Console (HMC) with Unified Resource Manager, the Support Element, and the zBX Private data network (IEDN).]
    16. Emerging Distribution and HA Strategies (New in 3.8.0)
       [Diagram: clients reach a Tier 1 connection-distribution layer (z/OS Sysplex Distributor, SASP Distributor, DataPower Self Balancing) and a Tier 2 request-distribution layer (DataPower ILD, On Demand Router) in front of WebSphere on z/OS or z/Linux, WebSphere on p or x, or any service provider; DataPower blades sit in the zBX. Red = Connection distribution; Black = Request distribution.]
    17. DataPower XI50z Delivers Stunning Price/Performance
       Enterprise Service Bus benchmark comparison:
       • One Microsoft BizTalk Server (Windows on an Intel server: 4 sockets, 32 cores, 128 GB): 492 messages per sec, TCA $375,711. This doesn't include the extra costs of cabling, network switches, firewalls, etc. required for an external ESB server.
       • One DataPower XI50z in zBX: 5,117 messages per sec, TCA $166,703.
       Test consists of measuring maximum throughput of the ESB while performing a variety of message mediation workloads: pass-through, routing, transformation, and schema validation. Up to 10.4x the throughput at less than ½ the cost, resulting in up to 23x price/performance benefit.
       *Results may vary based on customer workload profiles/characteristics. Prices will vary by country.
    18. System z use cases
    19. IMS Integration (1)
       Web Services Security and Management for IMS
       [Diagram: Web services client → SOAP/HTTP → DataPower → SOAP/HTTP → IMS SOAP Gateway or WAS + IMS connector.]
       • Content-based Message Routing
       • Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
       • XML/SOAP Firewall
    20. IMS Integration (2)
       • DataPower provides WS-enablement to IMS applications
       • User codes schema-dependent FFD or WTX data map to perform request/response mapping
       • This is the preferred way to WS-enable IMS applications
       • Requires MQ
         – MQ bridge to access IMS
         – MQ client is embedded in DataPower
         – Customers push back against MQ requirement due to cost and complexity issues
       [Diagram: Service Originator → SOAP/HTTP → DataPower XI50z (MQ Client) → Cobol/MQ → MQ Server → MQ Bridge → OTMA → IMS Application on z (Service Provider).]
    21. IMS Integration (3): WS-Enablement
       • Remove MQ *requirement* of WS-enablement of IMS
         – MQ still best alternative for scenarios requiring transactional support
         – IMS has few alternatives (IMS SOAP Gateway is an entry-level solution)
       • "IMS Connect Client" (back-side handler) natively connects to IMS Connect using its custom request/response protocol
       • New in 3.8.0: Automatic chunking and de-chunking
       • New in 3.8.1: Commit mode 1, Sync level commit support
       [Diagram: Service Originator → SOAP/HTTP → DataPower (IMS Connect Client) → Cobol/TCP → IMS Connect (user exit, e.g. HWSSMPL0) → OTMA → IMS applications Appl1–Appl6 on z (Service Provider).]
    22. IMS Integration (4): IMS Proxy
       • Bring DataPower value add to standard IMS Connect usage patterns
       • Provide an "IMS Connect Client" on DataPower that natively connects to IMS Connect
       • Provide an "IMS Connect Server" on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
         – Enables authentication checks, authorization, logging, SLM, transformation, route, DB look-up, SSL offload, etc.
       [Diagram: IMS Connect client (Service Originator) → Cobol/TCP → DataPower (IMS Connect "Server", with SQL look-up) → Cobol/TCP → IMS Connect (user exit, e.g. HWSSMPL0) → OTMA → IMS applications Appl1–Appl6 on z (Service Provider).]
    23. DB2 Integration (1)
       • Supports DB2, Oracle, Sybase, MSFT
       • 3.7.1 added
         – Parameter marking
         – Array-based operations
         – Perf enhancements
         – Stored procedures
         – Native XML processing
       • Web service requests are augmented with information from the database (message enrichment)
       • Supports writing to DB also
         – Logging and auditing
       [Diagram: Service Originator → SOAP/HTTP service request → DataPower → DRDA → DB2; DataPower → SOAP/HTTP augmented service request → Service Provider.]
    24. DB/2 Integration (2)
       • DataPower 3.7.1 provides a standard WS façade to DB/2
         – Common tool (IBM Data Studio 1.2 – GA in Aug) to generate WSDL and data mapping in both Data Web Services runtime and DataPower
         – SOAP call is mapped to an ODBC (DRDA) invocation
       • Exposes database content (information) as a service
       [Diagram: Service Originator → SOAP/HTTP → DataPower (generated service provider façade; generated content transformation, XML to SQL) → DRDA → DB2.]
    25. CICS Integration (1)
       • Web Services Security and Management for CICS
       [Diagram: Web services client → SOAP/HTTP → DataPower → SOAP/HTTP → CICS Web Services or WAS + CICS connector.]
       • Content-based Message Routing
       • Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
       • XML/SOAP Firewall
       • Data Validation
    26. CICS Integration (2)
       • DataPower provides WS-enablement to CICS
       • Customer codes schema-dependent XSL/FFD/TypeTree (Contivo or WTX) to perform request/response mapping
       • Requires MQ
         – MQ bridge to access CICS
         – MQ client capability is embedded in DataPower
       [Diagram: Service Originator → SOAP/HTTP → DataPower (MQ Client) → Cobol/MQ → MQ Server → CICS MQ Bridge → CICS Application on z (Service Provider).]
    27. CICS Integration (3)
       • DataPower provides WS Security, XDOS to CICS WS back-end
       • User creates schema-dependent transform to perform request/response mapping
       • Payload transformation is pushed to DataPower
       • SOAP Header information required at CICS WS back-end for correct operations, e.g. WS-Atomic Transactions
       [Diagram: SOAP/HTTP service request → DataPower → SOAP/HTTP with binary (Cobol) MTOM attachment → CICS Web Services.]
    28. Smarter Banking Showcase
       [Diagram: a Partner System (z/OS or zLinux, JAX-WS web services requester) sends a short XML message (1K in length, 1 element: <tns:w_comm_i href="cid:f7269b79-2d87-4687-941d-225829c20246"/>) with a binary attachment (the CICS COMMAREA) over SOAP/HTTP(S) through WebSphere DataPower XI50z to the backend web services application, instead of the long XML message (>250K in length, >18K elements, e.g. <tns1:transfer_pd_bd><tns1:pstg_orgnl_amt>50</tns1:pstg_orgnl_amt><tns1:pstg_orgnl_iso4217>GBP</tns1:pstg_orgnl_iso4217><tns1:fee_on_debit_ind>0</tns1:fee_on_debit_ind><tns1:fsre_rfrnc_id></tns1:fsre_rfrnc_id></tns1:transfer_pd_bd>). Saves MIPs. DataPower steps: 1. Data transformation from XML to COMMAREA using WTX; 2. Convert message to MTOM/XOP format. Chart: CICS TOR CPU (APPL%), CICS TOR zAAP % and CICS TOR GCP % at 5 Batch Transfer services per second, TranExtB vs TranExtB-MTOM.]
    29. Remote SAF Security Integration
       • NSS provides remote interface to RACF for I&A and access control requests. Can request RACF certificate name filtering. z/OS R10.
       • Request NSS on z/OS to identify and access administrative users and to perform access control operations when access to DataPower resources is requested. GA 3.7.2.
       [Diagram: RACF Administrator and TSOM; RACF users and resources with audit records on z/OS; NSS on z/OS; NSS client on the target application platform or middleware; I&A and access control requests/responses.]
    30. Crypto Integration
       • NSS performs requested key operation using certificates and keys stored in RACF
       • Request NSS on z/OS to perform operations that require access to RACF keyring. This includes signing, validating signatures during security initialization, key unwrapping, and key downloading.
       [Diagram: RACF Administrator; RACF Keyring and Network Security Services (NSS) on z/OS; NSS client on DataPower XS40 (target application or middleware platform); key requests/responses; TLS endpoints.]
    31. Why use DataPower with Message Broker?
       • Message Broker can use the DataPower appliance to handle its processing
         – Security at the edge of a network (DMZ)
         – It's a tamperproof device, so offers a degree of physical security
         – Offloads WS-Security processing away from the Message Flow process
           • On platforms such as z/OS, offloading WS-Security processing can reduce TCO and latency.
    32. DataPower Offload
       • Offload Web Services security to DataPower
         – Single tool and security policy description
         – Security best practices
           • WS-Security at appropriate point in topology
           • Built-in XML threat protection; Hardened device
         – Scale as volumes increase
           • Enhanced performance with SOA appliance
           • Add capacity when necessary
       • Administration User Experience
         – Operational reconfiguration only
    33. Message Broker & DataPower Integration
       • Use DataPower to perform WS Security processing for Message Broker WS Flows
         – Decryption for HTTP and HTTPS Input Nodes
         – Encryption for HTTP and HTTPS Reply Nodes
       • Configures your DataPower appliance from Broker Explorer as
         – XML firewall within a DMZ
         – inbound decryption engine
         – outbound encryption engine
         – SSL gateway to the broker
       • Security processing only
         – More functionalities will follow
    34. Pre-requisites on your DataPower appliance
       • The Message Broker user…
         – Requires a username, password and domain on th…
         – Requires Certificates and Crypto Profiles available … SSL, decryption and encryption)
         – Does not need to use the DataPower appliance di…
           • All configuration via the DataPower Security Wizard
    35. DataPower Security Wizard
       • Interacts with your DataPower appliance
         – Retrieves Crypto Profiles for SSL communications
         – Retrieves encryption & decryption certificates
       • Interacts with your Message Broker server
         – Retrieves all HTTP & HTTPS Message Flow Input Nodes
    36. DataPower Security Wizard: Policy Sets
       • A Policy Set is used to configure the WS-Security aspects of your encryption and decryption rules
         – Define the WS-Security for your decryption and encryption actions using the Key Information table in your Policy Set Bindings
         – Cut-down version of the Policy Set Editor available in V6.1
    37. DataPower Firewall created by the Security Wizard
       • Up to two DataPower Firewalls created
         – One Firewall for HTTP Input Nodes
         – One Firewall for HTTPS Input Nodes
       • Front and back HTTP ports set
       • IP address of the message broker listener is configured
       • SSL Server Crypto Profile set as specified by the policy
       • HTTPS Firewall has back (Message Broker) SSL Client Crypto Profile set
    38. DataPower Policy created by the Security Wizard
       • Each DataPower Firewall has an associated DataPower Policy
       • Two rules created per HTTP(S) Input Node, each with the appropriate Match Rule
         – Request Rule (inbound)
         – Response Rule (outbound)
       • Ability to merge rules with existing DataPower Policy and DataPower Firewall
         – Rules are added to the DataPower Policy.
         – No changes are made to the DataPower Firewall
    39. Summary
    40. DataPower/zBX Integration Details
       • Blade Hardware Management
         – Monitoring of HW for health, degraded operation
         – Call-home for current/expected problems, automatic dispatch of CSR
         – Consolidation/Integration of DP HW problem reporting with other problems reported in zBX
         – Energy Monitoring and Management of DP Blades
       • DP Failure Recovery and Restart
         – HMC/SE will detect and report on appliance failures and can be used to re-cycle appliance if DP built-in restart fails
         – Periodic Backup/restore of full blade configuration (automatic on changes to config); Backup to HMC media
       • DP Firmware Load and Update
         – Consistent change mgmt with other zGryphon firmware
         – Enforced restriction of firmware updates to SE userid
         – Enhanced new firmware level testing in zBX by System z Devt/Product Engineering and built-in restrictions on number of variations supported (test and production variants)
       • Networking mgmt
         – Virtual Network Provisioning
         – Provides enforced isolation of network traffic via System z VLAN support
         – 10Gb end-to-end network infrastructure
         – Built-in network redundancy
         – IEDN provides protected network, possibly obviating customer-perceived need for encryption of last-mile flows between DP and target back-end server
       • HMC Console Integration
         – Person monitoring the z environment from an overall hardware operational perspective will see DP blades included in the picture, with associated status from a single (w/ redundancy) console
         – Group GUI operations for functions supported on HMC (e.g. power up/quiesce/upgrade firmware for these 5 DP blades)
         – Time synchronization with System z time via HMC/SE time server
       • Monitoring and Reporting
         – Monitoring of DP health via HMC
         – Consolidated platform error logging across whole environment
         – Products like ITCAM may also monitor the DP blade at a higher level... But some customers may not have or want ITCAM or equivalent, at least initially, but need some monitoring.
       • Dynamic Load Balancing
         – Allows LB decision based on consolidated understanding of load on DP blades as well as associated back-end sub-systems – via Sysplex Distributor
    41. System z Integration
       Smart SOA connectivity throughout the enterprise
       • Broad integration with System z
       • Connect to existing applications over WebSphere MQ
       • Transform XML to/from COBOL Copybook for legacy needs
       • Natively communicate with IMS Connect
       • Integrate with RACF security from DataPower AAA
       • Dynamic crypto material retrieval & caching, or offload crypto ops to z
       • Service enable CICS using WebSphere MQ
       • Virtualize CICS Web Services
    42. Summary
       Purpose-built hardware for simplified deployment and hardened security
       • Security: VLAN support provides enforced isolation of network traffic with secure private networks.
       • Improved support: Monitoring of hardware with "call home" for current/expected problems and support by System z Service Support Representative.
       • System z packaging: Increased quality with pre-testing of blade and zBX. Upgrade history available to ease growth.
       • Operational controls: Monitoring rolled into System z environment from single console. Consistent change management with Unified Resource Manager.
    43. (blank slide)
    44. Backup: DataPower Overview
    45. Protect your data with cryptography and XML threat protection
       • Use DataPower to help resolve PCI compliance issues
       • Easily sign, verify, encrypt, decrypt any content
       • Configurable XML Encryption and Digital Signatures
         – Message-level
         – Field-level
         – Headers
       XML Threat Protection: Entity Expansion/Recursion; Message/Data Tampering Attacks; Message Snooping; Public Key DoS; XPath or SQL Injection; XML Flood; Resource Hijack; XML Encapsulation; Dictionary Attack; XML Virus; Replay Attack; …many others.
       See: "The (XML) threat is out there…" by Bill Hines, ibm.com/developerWorks
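Slide 45 names the threat classes a gateway filters before a message ever reaches the backend parser. The following Python is an added example written for this page, not DataPower code or IBM's implementation: it shows the shape of three of those protections (XML Flood via a size cap, Entity Expansion via an outright ban on DTDs and entity declarations, Recursion via a nesting-depth cap) using only the standard-library expat parser. The thresholds (`max_bytes`, `max_depth`, `max_elements`), the reason codes and the sample messages are all assumptions constructed for the example; only the `tns:w_comm_i` element name comes from the showcase slide.

```python
"""Gateway-style XML threat checks (added example, not DataPower code).

Mirrors three of the protections named on the slide as a pre-parse /
parse-time filter built on the standard library expat parser:
  - XML Flood: reject oversized messages before parsing them at all
  - Entity Expansion/Recursion: reject any DTD or entity declaration
  - Deep nesting: reject documents deeper than a policy limit
Thresholds and reason codes are assumptions chosen for the example.
"""
import xml.parsers.expat as expat


class _Reject(Exception):
    """Raised inside an expat handler to abort parsing with a reason code."""


def _public(stats):
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}


def check_xml(data: bytes, max_bytes: int = 1_000_000,
              max_depth: int = 64, max_elements: int = 50_000) -> dict:
    """Return {"verdict": "ACCEPT"|"REJECT", "reason": code|None, "elements", "max_depth"}.

    A rejected message never reaches the backend schema/XSLT stage; the
    reason code is what a gateway would write to its log for operations.
    """
    stats = {"elements": 0, "depth": 0, "max_depth": 0}

    if len(data) > max_bytes:                       # flood control before parsing
        return {"verdict": "REJECT", "reason": "size", **_public(stats)}

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise _Reject("depth")
        if stats["elements"] > max_elements:
            raise _Reject("elements")

    def end_element(name):
        stats["depth"] -= 1

    def forbid_dtd(*_args):
        # Any DOCTYPE, entity declaration or external entity reference is
        # refused outright: SOAP messages never legitimately carry a DTD.
        raise _Reject("dtd-or-entity")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = forbid_dtd
    parser.EntityDeclHandler = forbid_dtd
    parser.ExternalEntityRefHandler = forbid_dtd

    try:
        parser.Parse(data, True)
    except _Reject as r:
        return {"verdict": "REJECT", "reason": str(r), **_public(stats)}
    except expat.ExpatError:
        return {"verdict": "REJECT", "reason": "malformed", **_public(stats)}
    return {"verdict": "ACCEPT", "reason": None, **_public(stats)}


# Constructed sample messages (not taken from the original page).
BENIGN_SOAP = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><tns:w_comm_i xmlns:tns="urn:example:showcase">1</tns:w_comm_i>'
    b'</soap:Body></soap:Envelope>'
)
# Internal DTD with an entity declaration: refused regardless of its size.
DTD_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'
# Nested 100 levels deep: exceeds the assumed max_depth of 64.
DEEP_SAMPLE = b"<a>" * 100 + b"</a>" * 100


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_SOAP), ("dtd", DTD_SAMPLE), ("deep", DEEP_SAMPLE)]:
        print(label, check_xml(msg))
```

The checks run in the order a gateway would apply them: the size cap needs no parsing, the DTD ban fires on the first declaration before any expansion can happen, and the depth and element counters stop the parse the moment a limit is crossed rather than after the whole document has been consumed.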
    46. Employ flexible AAA (Authenticate, Authorize, Audit) Policies
       [Diagram of the AAA policy pipeline: input → Extract Identity → Authenticate → Map Identity → Extract Resource → Map Resource → Authorize → Audit & Post-Process → output, backed by an External Access Control Server or Onboard Identity Management Store.]
       • Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
       • Authenticate / Authorize: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, XACML, Verify Signature, ActiveDirectory, Custom
       • Map Identity: Custom, Tivoli Federated Identity
       • Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
       • Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA
    47. Access heterogeneous systems with transport and payload transformations
       • Integrate disparate transport protocols with extreme ease
         – No dependencies between inbound "front-side" and outbound "back-side"
         – Examples: HTTP(s), WebSphere MQ, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
       • Transform the message format with ultimate flexibility
         – Process XML and Non-XML formats in a single configuration
         – Leverage WebSphere Transformation Extender for data mapping
       • Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns
       [Diagram: formats and systems shown include XML, SOAP, COBOL, IMS binary, CSV, CICS, MQ, DB2, WebSphere….]
    48. Efficiently leverage your assets with content-based routing
       • Dynamically route based on any message content
         – Attributes such as the originating IP, requested URL, protocol headers, etc.
         – Data within the message such as SOAP Headers, XML, Non-XML content, etc.
       • Query WebSphere Service Registry & Repository for routing information
         – Or, use simple XML files
         – Databases
         – Web servers
       • Deploy changes to your routing policy with no downtime
       • Convert transport protocol using a simple routing change
    49. Shape your traffic with Service Level Management and Load Balancing
       • Use Service Level Management (SLM) to protect your applications from over-utilization
         – Frequency based on concurrency OR based on messages per time period
         – Take action when exceeding a custom threshold:
           • Notify (or log)
           • Shape (or delay)
           • Throttle (or reject)
       • Combine SLM with Routing to make intelligent failover decisions
         – Use alternate servers when a threshold is exceeded
       • Advanced Load Balancing algorithms simplify your architecture
         – First Available
         – (Weighted) Round Robin
         – (Weighted) Least Connections
         – Hash
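Slide 49 describes SLM in terms of two threshold styles (concurrency, messages per time period) and three actions (notify, shape, throttle). The Python below is an added example for this page, not DataPower's SLM implementation: it models both threshold styles per credential and shows what each action does to a constructed burst of six messages against a five-per-second policy, using an injected clock so the behaviour is deterministic. The class names, the credential labels and the thresholds are assumptions; the shaping rule (hold a message until the oldest of the last N admissions leaves the window) is one reasonable reading of "shape (or delay)".

```python
"""Service Level Management decisions (added example, not DataPower code).

Models the two SLM threshold styles named on the slide (concurrency, and
messages per time period) and the three actions (notify, shape, throttle)
against an injected clock, so a policy can be unit-tested without traffic.
Thresholds, credential names and the shaping rule are assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SlmDecision:
    allowed: bool         # False only for "throttle"
    action: str           # "allow" | "notify" | "shape" | "throttle"
    delay_s: float = 0.0  # > 0 only for "shape": how long to hold the message


class RateLimitSlm:
    """'Messages per time period' statement: sliding window per credential."""

    def __init__(self, threshold: int, period_s: float, action: str):
        if action not in ("notify", "shape", "throttle"):
            raise ValueError("action must be notify, shape or throttle")
        self.threshold, self.period_s, self.action = threshold, period_s, action
        self._admitted = {}  # credential -> deque of admission timestamps

    def evaluate(self, credential: str, now: float) -> SlmDecision:
        q = self._admitted.setdefault(credential, deque())
        while q and now - q[0] >= self.period_s:   # forget admissions outside the window
            q.popleft()
        if len(q) < self.threshold:
            q.append(now)
            return SlmDecision(True, "allow")
        if self.action == "notify":                 # log the breach, let it through
            q.append(now)
            return SlmDecision(True, "notify")
        if self.action == "shape":
            # Hold the message until the threshold-th most recent admission
            # leaves the window, so the delivered rate never exceeds the policy.
            release_at = q[-self.threshold] + self.period_s
            q.append(release_at)
            return SlmDecision(True, "shape", release_at - now)
        return SlmDecision(False, "throttle")       # reject; nothing is admitted


class ConcurrencySlm:
    """'Concurrency' statement: in-flight messages per credential (notify or throttle)."""

    def __init__(self, threshold: int, action: str):
        if action not in ("notify", "throttle"):
            raise ValueError("this concurrency model supports notify or throttle")
        self.threshold, self.action = threshold, action
        self._inflight = {}

    def begin(self, credential: str) -> SlmDecision:
        n = self._inflight.get(credential, 0)
        if n < self.threshold:
            self._inflight[credential] = n + 1
            return SlmDecision(True, "allow")
        if self.action == "notify":
            self._inflight[credential] = n + 1
            return SlmDecision(True, "notify")
        return SlmDecision(False, "throttle")

    def end(self, credential: str) -> None:
        self._inflight[credential] = max(0, self._inflight.get(credential, 0) - 1)


def burst(policy: RateLimitSlm, credential: str, times) -> list:
    """Replay constructed arrival times through a policy; return the action per message."""
    return [policy.evaluate(credential, t).action for t in times]


if __name__ == "__main__":
    # Constructed burst: 6 messages within 0.5 s against a 5-per-second policy.
    arrivals = [i / 10 for i in range(6)]
    for action in ("notify", "shape", "throttle"):
        print(action, burst(RateLimitSlm(5, 1.0, action), "partner-a", arrivals))
```

Throttled messages are not recorded as admissions, so a rejected client does not push its own window further out; shaped messages are recorded at their release time, which is what keeps a sustained burst from exceeding the configured rate once the delays are applied.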
    50. Consolidate your infrastructure with Application Optimization
       • Use Self-Balancing technology to spread inbound traffic load across multiple DataPower appliances using a single target
         – Eliminates the need for additional physical Load Balancers
         – Efficiently distributes traffic with minimal overhead
       • Use Intelligent Load Distribution to optimize outbound traffic across multiple destinations
         – Supports dynamic WebSphere cell interrogation
         – Automatically updates targets and weights
       • Use Session Affinity to preserve target session state across multiple requests
         – Supports WebSphere and Non-WebSphere targets
    51. Use Self Balancing for high availability and capacity scaling
       • Configure the appliances to share a single IP address
       • Leverages proven, world-class IBM technology (e.g., Sysplex Distributor)
       • Eliminates dependency on separate load balancers
       • Built for automatic failover
    52. Provide application-aware Intelligent Load Distribution
       • Auto-discovers application targets using dynamic feedback mechanism
       • Uses intelligent weighted distribution algorithms based on current server load
       • Provides several options for enabling session affinity
       • Combine with traditional DataPower load balancing options for flexibility