IBM DataPower Gateway - Common Use Cases

IBM DataPower Gateway appliances are used in a variety of user scenarios to enable security, control, integration and optimized access for a range of workloads including Mobile, Web, API, B2B, Web Services and SOA. This presentation from the IBM DataPower team provides an in-depth look at each use case.

Published in: Technology

Transcript of "IBM DataPower Gateway - Common Use Cases"

  1. © 2015 IBM Corporation. IBM DataPower Gateway: Common Use Cases. Ozair Sheikh, Senior Product Manager, IBM DataPower Gateways; Arif Siddiqui, Principal Product Manager – Strategic Initiatives, IBM DataPower Gateways & API Economy
  2. Agenda
     • DataPower Gateway Overview
     • Security & Optimization Gateway
     • Mobile Connectivity
     • API Management
     • Integration
     • Mainframe Integration & Enablement
     • B2B
  3. DataPower Gateways … IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors
     • INTEGRATE Systems of Engagement with Systems of Record
     • CONTROL & MANAGE Traffic and Service Level Agreements
     • SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
     • OPTIMIZE Data Delivery and User Experiences
     • CONSOLIDATE & Simplify Infrastructure Footprint
  4. Gateway for the Multi-channel Enterprise: Single security and integration gateway platform to provide security, integration, control & optimized access to a full range of Mobile, API, Web, SOA, B2B, & Cloud workloads
     • Mobile: Simplify mobile security with single, purpose-built gateway; control mobile traffic and accelerate delivery
     • Web: Simplify web security with single, purpose-built gateway; control traffic and accelerate delivery for intranet and internet web applications
     • Cloud: DataPower gateway functionality in a virtual appliance form factor, supports multiple hypervisor & cloud environments
     • API: Easily secure, control, publish, monitor & manage your APIs
     • SOA: Secure, integrate, control & manage SOA workloads in the DMZ and Trusted zones
     • B2B: Extend Connectivity & Integration beyond the enterprise with DMZ-ready B2B edge capabilities
     [Diagram label: IBM DataPower Gateway]
  5. IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, integration, control and optimized access to a full range of Mobile, Web, API, SOA, B2B, & Cloud workloads
     Common Use Cases:
     1 Mobile Gateway
     2 API Gateway
     3 Web Gateway
     4 B2B Partner Gateway
     5 SOA & API Gateway
     6 ESB / Integration Gateway
     7 Internal Security Enforcement
     8 Web Services Governance & Management
     9 Legacy Integration
     [Diagram zones and labels: Internet, DMZ, Trusted Domain; Consumer, Trading partners, Application or Service, Middleware, z System, DataPower Gateway]
  6. Features: Simplify, offload & centralize critical functions
     • Integrate: Any-to-any message transformation; Transport protocol bridging; Message enrichment; Database connectivity; Mainframe connectivity; B2B trading partner connectivity
     • Optimize: SSL / TLS offload; Hardware accelerated crypto operations; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; Response caching; Intelligent load distribution
     • Control: Service level management; Quota enforcement, rate limiting; Message accounting; Content-based routing; Failure re-routing; Integration with management & visibility platforms
     • Secure: Authentication, authorization, auditing; Security token translation; Threat protection; Schema validation; Message filtering & semantics validation; Message digital signature; Message encryption
     [Diagram: "Before DataPower Gateway" and "After DataPower Gateway" panels; labels: Consumer, Control, Integrate, Optimize, Secure]
  7. Modules. DataPower Gateway: Single, modular & extensible platform (2U Physical or Virtual Edition)
     • ISAM Proxy Module: User access control, session management, web SSO enforcement; Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn; Integration with ISAM for Mobile
     • Application Optimization Module: Frontend self-balancing; Backend intelligent load distribution; Session affinity; z Sysplex Distributor integration
     • Integration Module: Any-to-Any message transformation; Database connectivity; Mainframe IMS connectivity
     • B2B Module: B2B DMZ gateway; EDIINT AS1, AS2, AS3, ebXML; Partner profile management; B2B transaction viewer; Any-to-Any message transformation; Database connectivity
     • TIBCO EMS Module: Integrate with TIBCO EMS messaging middleware; Support for queues & topics; Load balancing & fault-tolerance
     • IBM DataPower Gateway (Base):
       – Secure: Authentication, authorization; Security token translation; Service / API virtualization; Threat protection; Message validation; Message filtering; Message digital signature; Message encryption; AV scanning integration
       – Integrate: Transport protocol bridging; Message enrichment; Message transformation & processing using JavaScript, JSONiq, XQuery, XSLT; Mainframe integration & enablement; Flexible pipeline message processing engine
       – Control & Manage: Service level management; Quota & rate enforcement; Content-based routing; Message accounting; Integration w/ management & visibility platforms including IBM API Management & WSRR for policy enforcement
       – Optimize & Offload: SSL / TLS offload; Hardware accelerated crypto*; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; Local response caching; Distributed caching with WXS or XC10; Backend load balancing
  8. Deployment options
     • Physical: Purpose-built, DMZ-ready appliances provide physical security
       – High density 2U rack-mount design
       – 8 x 1 and 2 x 10 GbE ports
       – Cryptographic acceleration card
       – Trusted platform module
       – Customized intrusion detection
       – Optional HSM (FIPS 140-2 Level 3 certified)
     • Virtual: Virtual appliances provide deployment flexibility
       – Support multiple hypervisors and cloud environments: VMware; Citrix XenServer; IBM PureApplication System (x86 nodes); IBM PureApplication Service on SoftLayer (x86 nodes); IBM SoftLayer bare metal instances using supported hypervisors
  9. Purpose-built hardware provides physical security
     • Sealed, tamper-evident case
     • No usable USB, VGA, other ports
     • Intrusion detection switch
     • Trusted Platform Module
     • Encrypted flash drive
     • FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys
     Hardened firmware provides platform security for physical & virtual gateways
     • Single signed and encrypted firmware by IBM
     • No arbitrary software
     • Optimized, embedded operating system
     • High assurance, “locked-down” configuration
     • Key materials are not exportable from the appliance
     * Enterprise grade security requires a secure platform
  10. Virtual Edition: Delivers purpose-built, highly consumable Security & Integration Gateway functionality in virtual appliance form factor for cloud deployments
     • DataPower gateway functionality in virtual appliance form factor to rapidly secure, integrate, control & optimize access to Mobile, API, Web, SOA & B2B workloads in hypervisor & cloud platforms
     • Use for development, test or production
     • Supports multiple hypervisor & cloud platforms: VMware; Citrix XenServer; IBM PureApplication System W1500/W2500; IBM PureApplication Service on SoftLayer (x86); IBM SoftLayer bare metal instances on x86 nodes
     • Seamless configuration migration between physical and virtual appliances
     • Utilizes the same industry-proven & purpose-built platform, including an embedded, optimized DataPower Operating System, that powers the physical appliances
     [Diagram label: x86 Server]
  11. Virtual Edition Benefits: Delivers purpose-built, highly consumable Security & Integration Gateway functionality in virtual appliance form factor for cloud deployments
     • Deployment flexibility and elasticity – “Right size” the deployment, quickly deploy where needed, & rapidly scale
     • Workload isolation - Projects can use their own instances
     • Unbounded memory scalability - Memory can be added to instances without additional licensing
     • Low cost for Dev & Test environments - Developers & Non-Production versions include add-on software modules at no additional charge
     • Free disaster recovery - Warm or cold backup without additional licenses when licensed for Production
     • Flexible licensing and entitlement
       – Sub-capacity licensing
       – Monthly licensing option
       – Entitlement to future product versions at no additional charge with active maintenance (S&S)
     [Diagram label: x86 Server]
  12. DataPower Gateways: Over 14 years of innovation & over 2,000 global installations
     • Insurance: Used by 95% of top global insurance firms; SaaS providers, ASPs, regulators, etc.
     • Government: Agencies and ministries; Defense and security organizations; Crown corporations
     • Banking: Majority of the big US and European banks; All of the big 5 Canadian banks; Numerous regional banks and credit unions
     • Many, many more: Healthcare; Retailers; Utilities, Power, Oil and Gas; Telecom; Airlines; Others
  13. DataPower’ing IBM Bluemix!!!
     • Security
     • Control
     • Filtering
     • Content-Based Routing
     • Load balancing
     • Monitoring and Logging
     Did you know? DataPower has been trusted to be the exclusive gateway for Bluemix, IBM’s global Platform as a Service
     [Diagram labels: Mobile client, Internet, Bluemix Tooling, VM, Application Manager, App, Service, Open Stack, External Services]
  14. Agenda
     • DataPower Gateway Overview
     • Security & Optimization Gateway
     • Mobile Connectivity
     • API Management
     • Integration
     • Mainframe Integration & Enablement
     • B2B
  15. Use Case: Security & Optimization Gateway. Securing the Enterprise & providing optimized access
  16. DataPower security roles and objectives
     • Protect data and other resources on the appliance and protected servers
       – System availability: Protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network; only allow “valid” messages through
       – Identification and Authentication: Verify identity of network users
       – Authorization: Protect data and other system resources from unauthorized access
     • Protect data in the network using cryptographic security protocols
       – Data End Point Authentication: Verify who the secure end point claims to be
       – Data Origin Authentication: Verify that data was originated by claimed sender
       – Message Integrity: Verify contents were unchanged in transit
       – Data Confidentiality: Conceal clear-text using encryption
     • Secure access to Web and legacy applications
     • Converged security enforcement
     • Rock-solid DataPower platform
     • Leverages enterprise security and policy managers
     [Diagram zones and labels: Intranet, DMZ, Internet; Authentication, Authorization, User Federation, z/OS RACF for User I&A, Authorization, Cert/keys]
  17. Silos of security & control are impeding business agility
     [Diagram layers: Users (Developers, Partners, Consumers, Employees); Business Channels (Web, Mobile, B2B, SOA, APIs, Cloud); Security & Control Solutions (API Gateway, B2B Gateway, SOA Gateway, Web Access Proxy, Mobile Gateway, Cloud Gateway); Applications and Systems (z System, Middleware, ESB, Application, Service)]
  18. Reduce cost + improve security & control with a single gateway
     [Diagram layers: Users (Developers, Partners, Consumers, Employees); Business Channels (Web, Mobile, B2B, SOA, APIs, Cloud); Security & Control Solutions (DataPower Gateway as Virtual appliance or Physical appliance); Applications and Systems (z System, Middleware, ESB, Application, Service)]
  19. IBM Multi-channel gateway (New in V7.1): Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
     • ISAM for DataPower module provides the reverse proxy component that provides enforcement for:
       – Centralized user authentication & coarse-grained authorization
       – Session management, & web SSO
       – Context based access & mobile SSO
       – Strong authentication including one-time password and multi-factor authentication
     [Diagram: channels (Web Browsers and Portals, Mobile Web, Web 2.0 (AJAX), Native Mobile, Hybrid Mobile, B2B, API, SOA (Web Services)); IBM DataPower Gateway with ISAM Module; functions: App, Service & API security, User access security, Traffic control & optimization, Connectivity & transformation]
  20. Security Gateway: Proxying and Enforcement
     • Terminate incoming connection
     • Terminate transport-level security (SSL/TLS offload)
     • Threat protection
     • Enforce Service Level Agreement policies
     • Inspect message content and filter (Schema validate)
     • Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)
     • Authentication, Authorization, Auditing (AAA)
     • Call out to virus checker
     • Transform content & enrich message
     • Translate security token
     • Dynamically route based on content and load balance (Establish a new connection to pass results)
     • Cache data on-box or in centralized, shared grid
     [Diagram zones: Outside World (Internet), DMZ, Internal Network, separated by a Protocol Firewall and a Domain Firewall; a Security Gateway in the DMZ and a second Security Gateway for Internal Security. Connection labels: Connection from client, New connection to target. Consumers: SaaS, Partner Apps, Browsers, Internal Consumer. Providers: Packaged Apps, Proprietary Apps, Data, ESB, reached over HTTP(s). Supporting systems: ACL, Virus Scanner, Tivoli (TAM), MS Active Directory, Any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other). Annotations: Incoming access control; Threat protection. Outgoing access control; SAML injection etc. Web Service Request with Basic Auth, OAuth 2.0, WS-Security UNT, etc. Web Service Request with SAML, LTPA, Kerberos. Protocols and standards: HTTP(s); HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-Security Policy; WS-Trust; SAML; OAuth 2.0]
  21. Protection of data plus XML & JSON threat protection. DataPower security is policy driven
     • Use DataPower to help resolve PCI compliance issues
     • Easily sign, verify, encrypt, decrypt any content
     • Configurable XML Encryption and Digital Signatures
       – Message-level, Field-level, Headers
     • Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
     • Use WS-SecurityPolicy to define security requirements for your web services
       – DataPower natively consumes and enforces WS-SecurityPolicy statements: Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
     • Use XACML to define access and authorization policies for your web services
       – DataPower natively consumes and enforces XACML policies: Resource-based Authorization; PEP, PDP
     XML Threat Protection
     • Entity Expansion/Recursion Attacks
     • Public Key DoS
     • XML Flood
     • Resource Hijack
     • Dictionary Attack
     • Replay Attack
     • Message/Data Tampering
     • Message Snooping
     • XPath or SQL Injection
     • XML Encapsulation
     • XML Virus
     • …many others
     JSON Threat Protection
     • Label - Value Pairs
       – Label String Length (characters)
       – Value String Length (characters)
       – Number Length (characters)
     • Threat Protection
       – Maximum nesting depth (levels)
       – Maximum document size (bytes)
  22. AAA: Authentication, Authorization, Auditing
     • Extract Identity: HTTP Headers; WS-Security Tokens; WS-SecureConversation; WS-Trust; Kerberos; X.509/SSL; SAML Assertion; IP Address; LTPA Token; HTML Form; OAuth; Custom
     • Authenticate: LDAP/Active Directory; System/z NSS (RACF, SAF); IBM Security Access Manager; Kerberos; WS-Trust; Netegrity SiteMinder; RADIUS; SAML; LTPA; Verify Signature; Custom
     • Map Identity
     • Extract Resource: URL; XPath; SOAP Operation; HTTP Operation; Custom
     • Map Resource
     • Authorize: LDAP/ActiveDirectory; System/z NSS; IBM Security Access Manager; Netegrity SiteMinder; SAML; XACML; OAuth; Custom
     • Audit & Post-Process: Add WS-Security; Generate z/OS ICRX Token; Generate Kerberos; Generate Spnego; Generate SAML; Generate LTPA; Map Tivoli Federated Identity
     [Diagram labels: input, output, External Access Control Server or Onboard Identity Management Store]
  23. Integration with QRadar Security Intelligence Platform
     • Enhance security intelligence and compliance through integration with QRadar security information and event management (SIEM) platform
     • Coming soon: Device Support Module (DSM) for DataPower Gateways to parse event information
     [Diagram labels: User, Client, DataPower, Provider, QRadar SIEM]
  24. Traffic Control / Rate Limiting: Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
     – Frequency based on concurrency OR based on messages per time period
     – Take action when exceeding a custom threshold: Notify (or log), Shape (or delay), Throttle (or reject)
  25. Retail Service Provider: Securely expose services to consumers
     Challenge
     • Consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs
     • Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information
     Solution
     • Implemented WebSphere DataPower to form the Web services backbone
     • Through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data
     • Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse
     Benefits
     • Secure SOA on standards-based platform
     • Easily reuse Web services throughout enterprise
     • Boosts productivity of IT staff
     • Substantially shorten time to market for new services
     [Diagram label: Identity Mgmt]
  26. Application Optimization
     • Self Balancing: Self balance across a cluster of appliances
       – Replace front-end IP load balancer
       – Enables connections to be preserved, without loss, during failover scenario
     • Dynamic and Intelligent Load Distribution to backend systems
       – Replace backend load balancer
       – Auto-discovers application targets and distributes load using dynamic feedback mechanism
       – Topology learning for WAS ND and VE
       – Embedded On Demand Router for WAS ND environments
     • Provides several options for enabling Session Affinity
     • Cache application response data locally or in a caching grid (IBM WXS or XC10)
     [Diagram annotations: Front-end IP load balancers not needed; Self balancing (IP spraying); Built-in cache; Dynamic back-side routing and load distribution (leveraging dynamic information from back-ends); Failure of target application endpoints are masked by appropriate weighted distribution; DataPower]
  27. Application Optimization Example
     • Scenario – JSON REST app to-do list
     • Issues
       – High server load
       – Slow response time
     Sample request body: { "Task" : "AddEntry", "Detail": "Create presentation materials." }
     [Diagram, before: User (Public) to WAS Application (Enterprise); High Load; Slow Response (>10s)]
     Improve Server Load with SSL Offload
     1. Client requests are secured via DP SSL concentrator
     [Diagram, after: User (Public), DataPower (DMZ), WAS Application (Data Center); Improved Load]
  28. Application Optimization Example
     Manage Traffic with Application Fluency
     2. DataPower enables application aware traffic management
     Sample request:
         PUT /joe/todos HTTP/1.1
         Host: joe.org
         Content-Type: application/json
         Content-Length: 69

         { "Task" : "AddEntry", "Detail": "Waste time." }
     [Diagram: User, DataPower, WAS Application; Improved Load]
     Distribute Load Intelligently
     3. Application Optimization effects load distribution intelligence. Leverage dynamic runtime conditions to distribute based on topology & workload
     [Diagram: User, DataPower, WAS Application; Improved Load; Improved Response Time]
  29. Application Optimization Example
     Cache at the edge(s)
     4. Results are cached at the edge using IBM WXS or XC10 caching grid OR locally on-box
     • Faster application response time
     • Lower server load
     • Improved system throughput
     [Diagram: User, REST, DataPower, WXS or XC10, WAS Application; Low Load; Fast Response]
  30. Using IBM WXS or XC10 As a Side Cache For DataPower
     1. Client submits application request.
     2. DataPower XI parses request and queries WXS / XC10. On a hit, skip to step 5.
     3. On a miss, XI forwards request to target Provider.
     4. XI adds application response to WXS / XC10.
     5. Client receives response from XI.
     • Easily integrates into the existing business process
       – No code changes to the client or back-end application
       – Simply add the side cache mediation
     • Significantly reduces the load on the back-end system by eliminating redundant requests
     • Improve client observed response time
     [Diagram: User, Client, REST, DataPower XI Appliances, WXS or XC10, Provider; Large Response Time; Improved Response Time; Improved Load]
  31. DataPower Gateway + XC10: Travel and Transportation Online Reservations
      Reservations System
      – Before: 3-5 sec response time
      – After: .01-.05 sec response time
      – Caching service requests
      – Improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability
      – 52% caching rate
      – 10 minute cache resulted in 40% reduction in load on the back-end systems
      – Maintained high data integrity. Faster responses were also accurate
      – POC in 3.5 hrs
      100x performance improvement
      • Improved reliability and scalability of reservation channels
      • Reduced traffic to backend systems
      • Deliver high performance & consistent response times
      • Scale with simplicity and lower TCO
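The five-step side-cache flow from slide 30, with the 10 minute expiry from slide 31, modelled as an added Python example; it is not IBM or DataPower code. The `SideCache`, `Gateway` and `TodoProvider` classes, the owner-only rule in the provider, keying the cache on the caller's identity and evicting on writes are assumptions of this example, and the requests are constructed.

```python
import hashlib
import json

CACHE_TTL_SECONDS = 600  # slide 31 reports a 10 minute cache


class FakeClock:
    """Manually advanced clock so TTL expiry can be shown without sleeping."""
    now = 0.0


class SideCache:
    """In-memory stand-in for the WXS / XC10 grid (hypothetical interface)."""

    def __init__(self, ttl, clock):
        self.ttl, self.clock = ttl, clock
        self.entries = {}  # key -> (expires_at, path, response)

    def get(self, key):
        entry = self.entries.get(key)
        if entry is None:
            return None
        if self.clock.now >= entry[0]:
            del self.entries[key]  # expired entries count as a miss
            return None
        return entry[2]

    def put(self, key, path, response):
        self.entries[key] = (self.clock.now + self.ttl, path, response)

    def invalidate_path(self, path):
        for key in [k for k, e in self.entries.items() if e[1] == path]:
            del self.entries[key]


class TodoProvider:
    """Constructed back end: /<owner>/todos lists, usable by the owner only."""

    def __init__(self):
        self.todos, self.calls = {}, 0

    def handle(self, identity, method, path, body=None):
        self.calls += 1
        if path.split("/")[1] != identity:
            return json.dumps({"error": "forbidden"})
        if method == "PUT":
            self.todos.setdefault(path, []).append(json.loads(body))
            return json.dumps({"status": "ok"})
        return json.dumps(self.todos.get(path, []))


def cache_key(identity, method, path):
    # Assumption: the authenticated identity is part of the key, so a response
    # cached for one user is never replayed to another.
    material = json.dumps([identity, method, path]).encode()
    return hashlib.sha256(material).hexdigest()


class Gateway:
    """Side cache mediation: neither client nor provider code changes."""

    def __init__(self, provider, cache):
        self.provider, self.cache = provider, cache

    def handle(self, identity, method, path, body=None):
        """Return (response, outcome); outcome is HIT, MISS or BYPASS."""
        if method != "GET":
            # Writes always reach the provider and evict stale copies.
            response = self.provider.handle(identity, method, path, body)
            self.cache.invalidate_path(path)
            return response, "BYPASS"
        key = cache_key(identity, method, path)
        cached = self.cache.get(key)  # step 2: query the cache
        if cached is not None:
            return cached, "HIT"  # hit: skip to step 5
        response = self.provider.handle(identity, method, path)  # step 3
        self.cache.put(key, path, response)  # step 4
        return response, "MISS"  # step 5


def demo():
    clock = FakeClock()
    provider = TodoProvider()
    gw = Gateway(provider, SideCache(CACHE_TTL_SECONDS, clock))
    body = json.dumps({"Task": "AddEntry", "Detail": "Create presentation materials."})
    outcomes = [gw.handle("joe", "PUT", "/joe/todos", body)[1]]
    outcomes.append(gw.handle("joe", "GET", "/joe/todos")[1])
    outcomes.append(gw.handle("joe", "GET", "/joe/todos")[1])
    outcomes.append(gw.handle("ann", "GET", "/joe/todos")[1])  # own key, own answer
    clock.now += CACHE_TTL_SECONDS
    outcomes.append(gw.handle("joe", "GET", "/joe/todos")[1])  # TTL elapsed
    outcomes.append(gw.handle("joe", "PUT", "/joe/todos", body)[1])
    outcomes.append(gw.handle("joe", "GET", "/joe/todos")[1])  # evicted by the write
    return outcomes, provider.calls
```

`demo()` returns the outcome of each of the seven requests and the number that reached the provider; if the caller's identity were left out of `cache_key`, the second user's read would be answered from the first user's cached list without the provider's access check ever running.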
  33. Use Case: Mobile Connectivity
      Securely & Rapidly connect Mobile Apps with Enterprise Services
  34. Key Mobile-specific Application & API issues?
      • Secure: How to protect your back-end systems from harmful workloads and unauthorized mobile users & apps?
      • Control: How to limit & shape mobile traffic based on service level agreements, and route based on message content?
      • Integrate: How to convert mobile payloads, bridge transports and connect to existing services at wire-speed?
      • Optimize: How to improve response time, reduce load on backend systems and intelligently distribute load?
  35. Rapidly Connect Mobile Apps with Enterprise Services
      Securely expose enterprise data & APIs to Mobile Apps while optimizing delivery
      IBM DataPower Gateway with ISAM Module:
      • SSL Offload
      • Threat Protection
      • Rate Limiting / SLA Enforcement
      • Validation, Filtering
      • Authentication
      • Authorization
      • Context-based Access
      • Mobile SSO
      • Security Token Translation
      • Message Transformation
      • Content-Based Routing
      • Intelligent Load Distribution
      • Response Caching
      [Diagram: Native, Hybrid and Mobile Web apps connect through the IBM DataPower Gateway to Apps, Services, Middleware / ESB and Legacy Apps]
  36. Mobile Gateway solution for on-premise and cloud
      Rapidly deliver secure integration & optimized access for enterprise mobile applications
      • DataPower appliance with ISAM module for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
      • ISAM for Mobile as decision point for context-based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)
      [Diagram: DataPower Gateway with ISAM Module (Security Enforcement Point); ISAM for Mobile (Security Decision Point); Apps, Services, Middleware, z System]
  37. Closer look at some Mobile Connectivity scenarios
      REST Service Gateway for Mobile Apps
      • SSL offload
      • Enforcement point for centralized security policies
        – Authentication, Authorization, OAuth 2.0, Audit
        – Threat protection for XML and JSON
        – Message validation and filtering
      • Centralized management and monitoring point
        – Traffic control / Rate limiting
      • Routing / Intelligent load distribution to Provider
      • RESTful façade to non-REST Provider
      [Diagram: Mobile Consumer (REST, JSON or XML / HTTP(s)) to IBM DataPower Gateway (REST Proxy) to Provider (JSON / XML / SOAP)]
      Application Acceleration for Mobile Apps
      • Offload heavy lifting of message transformation from the Provider
      • Transform to a format best suited for the requesting Mobile App
        – JSON for native/hybrid app
        – HTML/XHTML for browser based
      • Cache response data from Provider
        – Locally on the appliance
        – Externally to elastic caching XC10
      [Diagram: Mobile Consumer (HTTP(s) GET, JSON or HTML/XHTML) to IBM DataPower Gateway to Provider (HTTP(s) GET, XML)]
  38. Sportsbet leverages IBM DataPower appliances to drive mobile business growth
      Challenges
      • Business: Increase demand for mobile services while bolstering security & cost optimization
      • IT: Securely integrate mobile apps with e-commerce platform & APIs to address performance, capacity management & decoupling front-end apps from back-end business logic
      Solution
      • IBM DataPower appliance XG45 as a mobile security & integration gateway
      Benefits
      • Time to value: Rapid implementation enabled the business to quickly integrate the middle layer in just 2 weeks vs. 2 months with a competitor’s product
      • Performance: Processed ~4000 transactions per minute increasing performance 4X
      • Security & Agility: Separation of concern between consumer applications & core e-commerce system, through security, translation & transformation logic in the gateway
      “DataPower forms our mobile middle layer & our API infrastructure for all future consumer apps” - Enterprise Architecture Manager, Sportsbet
  39. Sprint leverages IBM DataPower appliances to rapidly & securely grow mobile revenue
      Challenges
      • Business: Grow mobile revenue while protecting customer privacy and optimizing costs
      • IT: Integrate mobile devices, addressing security, speed, scalability and optimization of demand on existing application infrastructure
      Solution
      • IBM DataPower Integration Appliance XI52 as a security & integration gateway for external and internal use
      • IBM DataPower Caching Appliance XC10 as a side cache to increase customer responsiveness
      Benefits
      • Time to value: Drop-in rack-ready solution for rapid deployment enables the business to quickly launch a new mobile device within a month
      • Scale on demand
        – 50 billion transactions/month for external ad gateway
        – 1 billion transactions/month for internal users
  41. Use Case: API Management
      Securely & Rapidly Create, Socialize & Manage Business APIs to engage with a Developer ecosystem
  42. IBM API Management: One Integrated Platform
      Design, secure, control, publish, monitor & manage APIs
      • Developer Portal
        – Explore API documentation
        – Provision application keys
        – Self-service experience
      • API Manager
        – Define and manage APIs
        – Explore API usage with analytics
        – Manage API user communities
      • Management Console
        – Provision system resources
        – Monitor runtime health
        – Scale the environment
      • API Gateway (IBM DataPower)
        – Enforce runtime policies to control API traffic
  43. API Management Solution
      [Diagram: Consumers (Systems of Engagement): partner, external and internal app developers, mobile & web apps, business partner apps, enterprise internal apps. API Management, on-premise or cloud: Developer Portal, API Gateway (DataPower), Syndication, Creation & Assembly, Policy Management, Monitoring & Analytics, Security & Control, Lifecycle Mgmt & Governance. Providers (Systems of Record): App / API Provider, Middleware, Datastore, z System]
  44. Large Financial institution provides secure mobile access to customer information
      Business Challenge
      • Accelerate end-to-end mobile application development
      • Reduce time to configure and manage software, prepare test environments
      • Enhanced analytics on the usage of their services
      • Increased performance to handle peak seasonal volumes
      Solution
      • IBM API Management, DataPower, Worklight, PureSystems
      Business Value
      • Enhanced user experience enabling quick access to customer information using OAuth authentication replacing custom security solution
      • Ability to access backend data through DataPower/API Management using RESTful services
      • Easily handle traffic spikes, enabling easier capacity planning
  45. Leading Global Commercial Bank provides easy & secure access to key financial services
      Business Challenge
      • Difficult for internal partners and developers to discover & access key financial services
      • Lacked a standard ecosystem to manage internal partners including global credit card companies and merchants
      • No visibility on Service consumption or ability to chargeback for LoB use of Services
      Solution
      • IBM API Management & DataPower
      Business Value
      • Offers 3rd party merchants secure standards-based access to key business services as APIs, with a self-service experience
      • Provides an internal ecosystem for partners and a central repository with usage analytics
      • Drives innovation for Mobile application development
  46. Large Airline in North America provides authorized access to flight services
      Business Challenge
      • External business partners retrieve flight information by scraping the company’s website
      • Unauthorized access to full flight information, with no usage analytics
      • Delays in updating website; difficult for authorized partner to test changes
      • REST-based API had just been built but security was not in place
      Solution
      • IBM API Management & DataPower
      Business Value
      • Easily and securely connect company Website to new APIs, saving cost of building OAuth based secure access
      • Enable secure exposure of APIs to External Business Partners, saving the implementation cost of building a developer support infrastructure with access management
      • Ability to leverage existing investment in IBM DataPower gateway and internal team skillset
      • Enable secure Mobile app integration with Enterprise APIs
  47. Leading European Auto Manufacturer provides innovative vehicle connectivity with IBM API Management
      Business Challenge
      • Offer innovative connectivity services to customers, improve the driver experience, improve safety, and create new revenue sources
      • Improve driving conditions with driver profiling, eco-driving, fleet management, reduce accident risk
      • Collect data to monetize them for partners
      Solution
      • IBM API Management, DataPower & MessageSight
      Business Value
      • “Always connected” low-latency reliable communications with the car systems/apps and customer mobile apps
      • Vehicle data APIs published on secure developer portal
      • Internal & external developers use vehicle data to develop mobile applications
      • Drives innovation for Mobile application development
  48. Leading Retailer in North America provides easy & secure access to retail services
      Business Challenge
      • Difficult for internal partners and developers to discover & access key retail services
      • Leverage mobility as a revenue stream and manage internal and external business partners
      • No visibility on Service consumption or ability to chargeback for LoB use of Services
      Solution
      • IBM API Management & DataPower
      Business Value
      • Offers 3rd party merchants secure standards-based access to key business services as APIs, with a self-service experience
      • Provides an internal ecosystem for partners and a central repository with usage analytics
      • Drives innovation for Mobile application development
  50. Use Case: Enterprise Integration
      Consumable integration solution for securely connecting applications & services while optimizing delivery of workload
  51. Integration
      Content-Based Routing
      • Dynamically route based on any message content
        – Attributes such as the originating IP, requested URL, protocol headers, etc.
        – Data within the message such as SOAP Headers, XML, Non-XML content, etc.
      • Query a repository for routing information
        – WebSphere Service Registry & Repository, XML files, Databases, Web Servers
      Any-To-Any Message Transformation
      • Transform the message format with ultimate flexibility
        – Leverage WebSphere Transformation Extender for data mapping
      [Diagrams: unclassified requests routed to service providers; input message (XML, text or binary) transformed to output message (XML, text or binary) with WebSphere TX Design Studio]
  52. Integration
      Transport Protocol Translation
      • Integrate disparate transport protocols with extreme ease
        – No dependencies between inbound “front-side” and outbound “back-side”
        – Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
      • Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only-once message patterns
      [Diagram: HTTP(s), FTP(s), SFTP, WebSphere MQ, MQ FTE, WebSphere JMS, Database (DB2, SQL Server, Oracle, Sybase), TIBCO EMS, IMS, NFS]
  53. Integration
      Message Format & Transport Protocol Mediation Example
      [Diagram: format & transport bridging; Consumer (SOAP / HTTP(s)) to DataPower to MQ Queue Manager to Provider (Cobol / MQ)]
      Integration Scenario
      [Diagram: DataPower Gateway in an enhanced-security DMZ between the outside world (Internet: browsers, partner apps, SaaS; behind a protocol firewall) and the internal network (behind a domain firewall: packaged apps, proprietary apps, data, ACL DB, LDAP). Protocols shown: HTTP(s), FTP(s), SFTP (SSH), WMQ(s), WS JMS, TIBCO EMS, ODBC, JMS, EMS, FTP, NFS, HTTP, WMQ, IMS Connect]
      • Content based routing
      • Message enrichment
      • Message transformation
      • Transport protocol translation
      • AAA, Threat protection
      • Message validation & filtering
      • Traffic control / Rate limiting
      • Intelligent content based routing
      • Intelligent load distribution
      • Local and distributed caching
  54. UK Government Agency: Enables integration capabilities using DataPower
      Challenge
      • Data held in the back-end systems vital to delivering citizen services, fraud detection across various layers of the Governments across the EU
      • Vulnerable back-end services
      • Security
      • Capacity / SLA
      • Consistent usability experience for internal or external service consumers
      Solution
      • DataPower in key network zones within and outside of the department
      • Thorough content-based validation, routing, and security policy enforcement
      • Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse
      Benefits
      • Ease of integration
      • Security assurance of the architecture
      • Secure SOA on standards-based platform
      • Consistent experience and policy for all users
      [Diagram: Integration Layer between Core Services / Core Data and the Government network, other EU countries, other UK departments and internal users]
  55. Security & Integration Scenario – Financial Firm
  56. Centralized Service Governance & Policy Enforcement
      • Complete SOA Governance solution
        – WSRR for web service life-cycle policy management
        – DataPower for web service run-time policy enforcement
      • Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services
        – DataPower can subscribe or poll web services information from WSRR
      • Automatically expose services and policies in DataPower via WSRR subscription
        – Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment
        – Retrieve WSDLs by specific version number
      • Dynamically retrieve run-time routing information from WSRR
      • Centralized transaction monitoring
        – ITCAM for SOA
      • Support for UDDI v2 and v3 for UDDI registries
      [Diagram: messages flow from Consumer through DataPower (Policy Enforcement Point) to Service; DataPower discovers services & policy from WSRR (Policy Administration Point); ITCAM for SOA (Policy Monitoring Point) monitors services]
  58. Use Case: Mainframe integration & enablement
      • Offload processing for reduced MIPS
      • Web Services Enablement for IMS, CICS, DB2
  59. Broad integration with System z
      • Connect to existing applications over WebSphere MQ, HTTP
      • Transform XML to/from COBOL Copybook for legacy needs
      • Integrate with RACF security from DataPower AAA
      • Dynamic crypto material retrieval & caching, or offload crypto ops to z
      • Connect to IMS
        – Via IMS Connect client
        – Via Web Services
        – Via WebSphere MQ
        – Via IMS DB
        – Connect from IMS via “Callout”
      • Connect to CICS
        – Via WebSphere MQ
        – Via Web Service
      • Connect to DB2
        – Via Web Service
        – Via direct ODBC call with ODBC Client option
      [Diagram: Client (SOAP/HTTP) to DataPower; to IMS via IMS SOAP Gateway or WAS + IMS connector (SOAP/HTTP), or via CCB / MQ through MQ Server and MQ Bridge to OTMA and the IMS application; to DB2 via DRDA]
  60. Enhanced value for System z & IMS
      • IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
      • IMS DB feature supports DataPower integration with IMS database through SQL interface
        – Enrich messages with database content
        – Expose data as a service to remote applications
      [Diagrams: IMS DB: Client (SOAP / REST) to DataPower to IMS via DRDA. IMS Callout: IMS applications (service consumer) via OTMA and IMS Connect over TCP/IP to DataPower to service provider (SOAP / REST)]
  61. An Irish Bank: Enabling retail banking
      Challenge
      • Retail application contained 7000 screens; slow response times over dedicated proprietary network.
      • Cost of processing XML on the mainframe.
      • Message transformation needed before the core banking platform could process requests.
      Solution
      • DataPower in trusted network exposed services for XML / HTTP(S) and protocol bridging to WebSphere MQ
      • Message validation and transformation using WebSphere Transformation Extender (WTX)
      Benefits
      • Retail application acceleration through transformations and caching
      • Optimized platform for handling, parsing and processing payloads
      [Diagram: web-based branch application on the branch network to DataPower, then via MQ queues to the core banking platform on Z]
  62. High Street Clothing and Fashion Accessories Retailer: Increase customer interaction and loyalty
      Challenge
      • Highly competitive industry; first mover advantage
      • Weak customer loyalty
      • Multi-channel customer experience
      • Complex supply chain and service providers
      Solution
      • DataPower acted as a reverse proxy for:
        – Outbound messages via a service provider
        – Inbound customer updates / delivery notifications
      • Transform SOAP / XML payload to COBOL copybook messages for CICS application
      Benefits
      • Create customer interaction and value through innovative business strategy.
      • Integrate various suppliers using standards based interfaces securely.
      • Graphical configuration driven appliance; short learning curve
      [Diagram: open Internet to DataPower, then via MQ queues to customer & product related applications and systems on Z]
  63. IMS Integration
      Web Services Security and Management for IMS Web Services
      • Content-based Message Routing
      • Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
      • XML/SOAP Firewall
      • Data Validation
      • Field Level Security
      • XML Web Services Access Control/AAA
      • Web Services Management
      [Diagram: Client (SOAP / REST) to DataPower to IMS SOAP Gateway or WAS + IMS connector (SOAP/HTTP)]
  64. DataPower IMS Integration
      Web Services Enablement for IMS-based Services
      • DataPower provides WS-enablement to IMS applications
      • User codes schema-dependent WTX data map to perform request/response mapping
      • Requires WebSphere MQ for z/OS
        – MQ bridge to access IMS
        – MQ connectivity is embedded in DataPower
      [Diagram: Client (SOAP / REST) to DataPower, then CCB / MQ to MQ Server and MQ Bridge, then OTMA to the IMS application]
  65. DataPower IMS Integration
      Web Services Enablement for IMS-based Services (cont’d)
      • DataPower provides WS-enablement to IMS applications
      • User codes schema-dependent WTX data map to perform request/response mapping
      • “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol
      [Diagram: Client (SOAP / REST) to DataPower, then CCB / TCP to IMS Connect with user exit (e.g. HWSSMPL0), then OTMA to two IMS systems running Appl1 to Appl3 and Appl4 to Appl6]
  66. DataPower IMS Integration
      IMS Connect Reverse Proxy
      • Bring DataPower value add to standard IMS Connect usage patterns
      • Provide an “IMS Connect Client” on DataPower that natively connects to IMS Connect
      • Provide an “IMS Connect Server” on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
        – Enables authentication checks, authorization, logging, SLM, transformation, route, DB look-up, SSL offload, etc.
      [Diagram: IMS Connect client (TCP) to DataPower, then CCB / TCP to IMS Connect with user exit (e.g. HWSSMPL0), then OTMA to two IMS systems running Appl1 to Appl3 and Appl4 to Appl6]
  67. DataPower DB2 Integration
      “Information as a Service”
      • DataPower provides a standard WS façade to DB2
        – Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data Web Services runtime and DataPower
        – SOAP call is mapped to an ODBC (DRDA) invocation
      • Exposes database content (information) as a service
      • Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise
      [Diagram: Client (SOAP / REST) to DataPower to DB2 via DRDA]
  68. CICS Integration
      Web Services Security and Management for CICS Web Services
      • Content-based Message Routing
      • Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
      • XML/SOAP Firewall
      • Data Validation
      • Field Level Security
      • XML Web Services Access Control/AAA
      • Web Services Management
      • Support CICS ID propagation
      [Diagram: Client (SOAP / REST) to DataPower to CICS Web Services or WAS + CICS connector (SOAP/HTTP)]
  69. DataPower CICS Integration
      Web Services Enablement for CICS Applications
      • DataPower provides WS-enablement to CICS applications
      • User codes schema-dependent WTX data map to perform request/response mapping
      • Requires WebSphere MQ for z/OS
        – MQ bridge to access CICS
        – MQ connectivity is embedded in DataPower
      [Diagram: Client (SOAP / REST) to DataPower, then CCB / MQ to MQ Server and CICS Bridge, then the CICS application]
  71. Use Case: B2B integration
      Extend integration beyond the enterprise to partner community
  72. DataPower B2B Functionality
      Extend beyond the enterprise to integrate with partners
      • B2B Gateway Service
        – AS1, AS2, AS3 and ebMS v2.0
        – Plaintext email support
        – EDI, XML and Binary Payload routing
        – Front Side Protocol Handlers
        – Hard Drive Archive/Purge policy
        – CPA and Partner Profile Associations
        – MQ File Transfer Edition integration
      • Trading Partner Profiles
        – Two Types: Internal and External
        – ebXML CPPA v2.0
        – Multiple Business IDs
        – Multiple Destinations (URL Openers)
        – Certificate Management (S/MIME Security)
        – Multi-step processing policy
      • B2B Viewer
        – B2B transaction viewing
        – MQ FTE transaction viewing
        – Transaction resend capabilities
        – Transaction and Acknowledgement correlation
        – Role based access
      • Persistent Storage
        – AES Encrypted B2B document storage
        – Option for Off-Box Storage (NFS)
      • Transaction Store
        – B2B metadata storage
        – B2B state management
      [Diagram: DataPower B2B Gateway Service with Partner Connection Front Side Handlers, Integration Front Side Handlers, Internal Partner Destinations, External Partner Destinations, Partner Profiles, B2B Viewer, Metadata Store (DB) and Document Store (HDD)]
  73. UK Logistics and Distribution
      Challenge
      • AS2, File and Web Services based interfaces to 100s of B2B customers.
      • Messages are exchanged at least once a day
      • Secure proxy solution in the DMZ
      • Complex incumbent supplier chain
      Benefits
      • Create customer interaction and value through innovative business strategy.
      • Integrate various suppliers using standards based interfaces securely.
      • Graphical configuration driven appliance; short learning curve
  74. Value of DataPower B2B Appliances for Extending Connectivity?
      Health Insurance Provider
      Secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information
      Industry Pains:
      • HIPAA Security requirements for transporting data over the Internet
      • HL7 v3.0 XML threat protection
      • Complexity of B2B for healthcare
      Smarter Business Outcomes:
      • Reliable and secure routing of customer sensitive data
      • Easy to use and maintain; no additional skill needed
      • XML Messages with attachments are authenticated, authorized, and virus scanned
  75. EDIINT Flow: Simple AS2 transaction flow with Transform
      [Diagram: numbered flow (1, 2, 3a, 3b, 4, 5) between Partner A (application, EDI) and Partner B (B2B Hub: XB62 with AS2 Process, B2B Gateway Service, Transaction Viewer, Data Store, application, XML) over the Internet, exchanging AS2 (EDI) and AS2 (MDN); a browser accesses the Transaction Viewer]
      Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
  76. Web Services bridged to AS2: File Transfer Pattern
      [Diagram: numbered flow (1 to 7) between Partner A (WS Client, SOAP) and Partner B (B2B Hub: XB62 with Web Service Proxy, Web Service Process, AS2 Pre-Process, B2B Gateway Service, Transaction Viewer, Data Store, flat file) over the Internet; a browser accesses the Transaction Viewer]
      Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and sending data over any of the 16 supported protocol handlers. When Services are tied together in front of or behind a B2B Gateway Service they are handled like pre and post processes.
  77. MQ FTE Integration Pattern – Inbound File to Message
      [Diagram: numbered flow (1, 2, 2a, 3, 4, 5, 6) from the trading partner (XB60) over the Internet to the XB62 (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store), then through the MQ FTE network (source agent, target agent, queue managers, MQ Explorer, DB Logger on DB2 or Oracle) to enterprise applications and data store; browsers for the LOB user, admin and partner view]
  78. ebXML with CPPA Pattern
      [Diagram: numbered flow (1 to 5) between external partners on the public network (Internet) and the WebSphere DataPower B2B Appliance in the DMZ, exchanging ebMS (ebXML) and ebMS (Ack); the B2B Gateway Service holds Collaboration Partner Agreement Entries, each with an Internal Collaboration Partner Profile, an External Collaboration Partner Profile and a CPAId / Collaboration; applications (ebXML) sit in the secured network; a browser accesses the Transaction Viewer]
  79. Health Level 7 3.x to 2.x Transform Pattern
      [Diagram: numbered flow (1 to 6) from Partner B (Hospital: healthcare applications, HL7 V3.x over any transport, B2B Hub with AS2 Process) over the Internet via AS2 (HL7 V3) and AS2/MDN to Partner A (Regional Healthcare Center: B2B Appliance with B2B Gateway Service, Transaction Viewer, internal profile Regional Center, external profile Hospital), which validates the XML and transforms to any V2.x format for healthcare applications (HL7 V2.x over any transport)]
  80. Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack
      [Diagram: numbered flow (1, 2, 2a, 3, 4, 5) from the trading partner over the Internet via AS2 (HL7) and AS2 (MDN) to the healthcare provider's XB62 (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store), then HL7/MQ through WebSphere MQ to the WebSphere Healthcare Connectivity Pack, which connects to the Clinical Trials System, Patient Administration System, Billing System and Pharmacy over HL7/MLLP and XML/HTTP; browsers for admin and partner view]
  81. Resources
  82. DataPower on GitHub
      • Repository of DataPower related tools & collateral
        – Open source
        – Community driven: Use, collaborate, contribute
        – http://ibm-datapower.github.io/
      • DataPower Configuration Manager
        – Tool for DataPower configuration management & migration
        – Standalone command line or IBM UrbanCode Deploy plugin
        – https://github.com/ibm-datapower/datapower-configuration-manager
        – https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp
      • DPXMLSH
        – Bash script / shell library for working with DataPower’s XML Management interface
        – Interactive & scripted use
        – https://github.com/ibm-datapower/datapower-xml-shell
  83. Getting Social with IBM DataPower Gateways
      • YouTube Channel: IBM DataPower Gateways
      • Slideshare: IBM DataPower Gateway
      • Twitter: @IBMGateways
      • LinkedIn Group: IBM DataPower Gateway
      • developerWorks blog: IBM DataPower Gateway
      • GitHub: IBM DataPower Gateway
      • Online User Forum
      • Product page on ibm.com
      • Product documentation
  84. Available Now: DataPower Handbook, Second Edition, Volume 1
      • Known as the ‘bible’ of DataPower planning, implementation, and usage.
      • New content to cover previous six years of new products/features, including 9006/7.1!
      • Volume 1 consists of Chap 1 DataPower Intro, Chap 2 Setup Guide, new Preface and two invaluable new appendices for physical and virtual appliances.
      Available in softcover and e-book formats
  85. BACKUP
  86. Simple and Secure Architecture
      • Simple Architecture: Purpose-built firmware + hardware
      • Complete gateway platform delivered as firmware
      • Guiding philosophy is to centralize common security, integration, control, traffic management, acceleration functions and optimize them in a security-hardened gateway appliance
      [Diagram: Commodity Gateways: hardware with display ports, bootable CDROM drive and bootable USB ports; full Linux OS (including shells and user accounts), glibc, libxml, Linux daemons, JVM, JSP engine, Apache HTTPD, app server, database and proprietary software, each with its own config. Purpose-built Gateways: DataPower Gateway Platform on hardware with crypto acceleration, flash memory, digitally signed and encrypted firmware, IBM optimized embedded operating environment and a single config]
  87. Configuration-driven approach speeds time to market
      • Enforce security standards with zero coding
      • Uses intuitive pipeline message processing
      • Import/export configurations between environments
      • Transaction probe shows message content between actions for debugging
  88. Capabilities
      Rapidly deliver secure integration & optimized access for a full range of workloads
      • Secure: Secure & protect your back-end systems from harmful workloads and unauthorized users & apps
      • Integrate: Convert payloads, bridge transports and connect to existing services at wire-speed
      • Control: Limit & shape traffic based on service level agreements, and route based on message content
      • Optimize: Improve response times, reduce load on backend systems and intelligently distribute load
      [Diagram: consumers before DataPower Gateway and after DataPower Gateway (Secure, Control, Integrate, Optimize)]
  89. Connect Mobile Apps with Enterprise Services
      Securely expose enterprise systems & APIs to Mobile Apps while optimizing delivery
      • SSL Offload
      • Threat Protection
      • Rate Limiting / SLA Enforcement
      • Validation, Filtering
      • Authentication, Authorization
      • Context-based Access, Mobile SSO
      • Security Token Translation
      • Message Transformation
      • Content-Based Routing
      • Intelligent Load Distribution
      • Response Caching
  90. DataPower Gateway: Supported standards & protocols
      • Data format & language: JavaScript; JSON; JSON Schema; JSONiq; REST; SOAP 1.1, 1.2; WSDL 1.1; XML 1.0; XML Schema 1.0; XPath 1.0; XPath 2.0 (XQuery only); XSLT 1.0; XQuery 1.0
      • Security policy enforcement: OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos (including S4U2Self, S4U2Proxy); SPNEGO; RADIUS; RSA SecurID OTP using RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication; Microsoft Active Directory; FIPS 140-2 Level 3 (w/ optional HSM); FIPS 140-2 Level 1 (w/ certified crypto module); SAF & IBM RACF® integration with z/OS; Internet Content Adaptation Protocol; W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
      • Transport & connectivity: HTTP, HTTPS, WebSocket Proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition; TIBCO EMS; WebSphere Java Message Service; IBM IMS Connect & IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
      • Transport Layer Security: TLS versions 1.0, 1.1, and 1.2; SSL versions 2 and 3
      • Public key infrastructure (PKI): RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
      • Management: Simple Network Management Protocol; SYSLOG; IPv4, IPv6
      • Open File Formats: Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); Virtual Machine Disk Format (VMDK); Virtual Hard Disk (VHD)
      • Web services: WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management; WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation; Multipurpose Internet Mail Extensions; XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
  91. IBM DataPower Gateway: Over 14 years of innovation & 2000+ global installations
      [Timeline, 2000 to 2014. Milestones shown: Gigabit/Sec HW Solution; Acquisition; XA35, XS40, XI50; Model 7993 (aka 9003); Model 9235 (aka 9004); ITCAM for SOA (Transaction Monitoring); WebSphere Transformation Extender; XB60; XI50B Blade; XI50z Blade; WebSphere Appliance Management Center; Optimized Interpreter and Compiler; Optimized Hardware Acceleration; Application Optimization (Self-Balancing & Intelligent Load Distribution); XG45, XI52 & XB62; Virtual Edition (VMware); Virtual Edition (PureApplication System); Virtual Edition (for Developers + XenServer); Optimized & secure JavaScript; Multi-channel Gateway; Consolidated Gateway Platform; ISAM Proxy Module]