• Like
IBM DataPower Appliances - Common Use Cases
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

IBM DataPower Appliances - Common Use Cases


IBM DataPower appliances are used in a variety of user scenarios to enable security, control, integration and optimized access for a range of workloads including Mobile, Web, API, B2B, Web Services …

IBM DataPower appliances are used in a variety of user scenarios to enable security, control, integration and optimized access for a range of workloads including Mobile, Web, API, B2B, Web Services and SOA. This presentation from the IBM DataPower team provides an in-depth look at each use case.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. © 2013 IBM CorporationDataPower Common Use CasesBharat Bhushan, Principal Connectivity Architect, IBM UKChristopher Khoury, Worldwide Client Technical Leader, IBM USArif Siddiqui, DataPower Product Manager, IBM US
  • 2. 22 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 3. 33 © 2013 IBM CorporationIntroduction to DataPower GatewayAppliancesIBM DataPower Gateway Appliances are the industry-leadingSecurity & Integration gateways that help provide security, control, integrationand optimized access to a full range ofMobile, Web, API, SOA, B2B and Cloud workloads
  • 4. 44 © 2013 IBM CorporationSecurity & Integration Gateway Appliances• Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload• Securely connect apps/services within the enterprise, while optimizing delivery of the workload andproviding integration including XML offload, message validation/filtering, message/transport protocoltransformation, traffic control/quota enforcement, SOA governance & management, dynamic routing &intelligent load distribution• Physical appliance that is purpose-built, tamper-evident with simplified deployment combining superiorperformance, hardened security, increased ROI and reduced TCO• Provides high levels of certified Security assurance‒ e.g. Transport Protocol Security (SSL/TLS), Message Level Security, and Authentication, Authorization,Audit• Simplified maintenance model‒ Drop-in appliance form-factor, Secures traffic in minutes, and Push-button flash upgrade process• Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold• Virtual appliance provides deployment flexibility & reduced cost for development and test environmentsIBM DataPower Gateway AppliancesInternet Trusted DomainConsumerApplication or ServiceDMZDataPower DataPowerConsumer
  • 5. 55 © 2013 IBM CorporationInternet Trusted DomainConsumerApplication or ServiceSystem zDMZDataPower DataPowerIBM IntegrationBusApplication Service FileTrading partnersDataPower appliances used across a variety of scenarios1 Security Gateway(Web Services/Apps/APIs)2 Intelligent ContentRouting & Load Distribution3 B2B Partner Gateway4 Internal Security Enforcement5 Integration6 Runtime SOA Governance7 Web Service Management8 Legacy IntegrationConsumer
  • 6. 66 © 2013 IBM CorporationUpdate applicationservers individuallyBefore DataPower AppliancesSecure, control, integrate, &optimize all applications instantlyNo changes to applicationsAfter DataPower AppliancesSecure, control, integrate & optimize multiple applications without code changesLower cost and complexityEnable new business with unmatched performanceUse appliances to simplify & centralize critical functionsControlIntegrateRoute & OptimizeSecure
  • 7. 77 © 2013 IBM Corporation• Control‒ Service-level agreements‒ Traffic control‒ Message accounting‒ Content-based routing‒ Governance & management• Optimization‒ SSL & TLS offload‒ Hardware accelerated crypto ops‒ XSLT & XQuery acceleration‒ JSONiq acceleration‒ Connection pooling, offload‒ Intelligent load distribution‒ Caching: Local & external (XC10)• Security‒ OAuth, SAML, XACML, WS- Security,LTPA, Kerberos, etc‒ Authentication & authorization‒ Security token translation‒ Message & transport protection• Integration‒ Convert payloads (JSON, XML, CSV,Cobol, binary, etc)‒ Bridge transports (HTTP, MQ, FTP,WAS JMS, TIBCO EMS, etc)‒ Database connectivity (DB2, IMS,Oracle, MS SQL, Sybase)‒ Mainframe integration (IMS Connect,IMS Callout, CICS, etc)‒ B2B integration (AS1,AS2,AS3,etc)• Resilience‒ Operation admission control‒ Failure re-routing‒ XML threat protection‒ JSON threat protection‒ Schema validation‒ Messages filteringClientsIn-the-ClearRequestMaliciousRequestCobol/MQApplCobol/MQEncrypted andSigned RequestServiceProvidersIBM DataPower Gateway Appliance capabilities
  • 8. 88 © 2013 IBM CorporationDataPower FamilyIntegration Appliance XI52High density 2U form, XG45 functionality plus“Any-to-Any” conversion at wire-speedBridges multiple transport protocolsMainframe integration & enablementAvailable in Virtual EditionService Gateway XG45Entry-level device, slim footprint (1U)Security gateway (AAA, XML threat, etc)Service level management and monitoringIntelligent load distribution & dynamic routingLightweight integration functions (optional)Available in Virtual EditionB2B Appliance XB62High density 2U form, XI52 functionality plusB2B Messaging (AS1/AS2/AS3/ebMS)Trading Partner Profile ManagementB2B Transaction ViewerIntegration Blade XI50B/XI50zFunctionally equivalent to XI52Form factor flexibilityXI50B: BladeCenter form factorXI50z: zEnterprise BladeCenter Extension (zBX)form factor
  • 9. 99 © 2013 IBM Corporation• Used by 95% of top global insurancesfirms• SaaS providers, ASPs, regulators, etc.• Agencies and ministries• Defense and security organizations• Crown corporationsInsuranceGovernmentBanking• Healthcare• Retailers• Utilities, Power, Oil and Gas• Telecom• Airlines• etc.Many, many, more• Majority of the big US and Europeanbanks• All of the big 5 Canadian banks• Numerous regional banks and creditunionsDataPower AppliancesOver a decade of innovation & over 2000 worldwide installations
  • 10. 1010 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 11. 1111 © 2013 IBM CorporationUse Case: Security & Optimization GatewaySecuring the Enterprise & providing optimized access
  • 12. IBM Software Group – Enterprise Networking Software© 2010 IBM CorporationPage 1212DataPower security roles and objectivesProtect data and other resources onthe appliance and protected servers– System availability• Protect against unwanted access,denial of service attacks, and otherunwanted intrusion attempts from thenetwork• Only allow “valid” messages through– Identification and Authentication• Verify identity of network users– Authorization• Protect data and other systemresources from unauthorized accessProtect data in the network usingcryptographic security protocols– Data End Point Authentication• Verify who the secure end point claims to be– Data Origin Authentication• Verify that data was originated by claimedsender– Message Integrity• Verify contents were unchanged in transit– Data Confidentiality• Conceal clear-text using encryptionIntranetIntranetDMZDMZInternetInternetMission-critical dataFIREWALLFIREWALLAuthenticationAuthorizationUser Federationz/OS RACF forUser I&AAuthorizationCert/keysSecure access toWeb and legacyapplicationsConvergedsecurityenforcementRocksolidDataPowerplatformLeveragesenterprisesecurity andpolicy managers
  • 13. 1313 © 2013 IBM CorporationProtection of data plus XML & JSON threat protectionUse DataPower to help resolve PCI compliance issuesEasily sign, verify, encrypt, decrypt any contentConfigurable XML Encryption and Digital Signatures– Message-level, Field-level, HeadersSecurity standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …Use WS-SecurityPolicy to define security requirements for your web services– DataPower natively consumes and enforces WS-SecurityPolicy statements• Integrity & Confidentiality, SupportingTokens, Message/Transport ProtectionUse XACML to define access and authorization policies for your web services– DataPower natively consumes and enforces XACML policies• Resource-based Authorization• PEP, PDPDataPower security is policy drivenXML Threat Protection• Entity Expansion/Recursion Attacks• Public Key DoS• XML Flood• Resource Hijack• Dictionary Attack• Replay AttackMessage/Data TamperingMessage SnoopingXPath or SQL InjectionXML EncapsulationXML Virus…many othersJSON Threat Protection• Label - Value Pairs‒ Label String Length (characters)‒ Value String Length (characters)‒ Number Length (characters)• Threat Protection‒ Maximum nesting depth (levels)‒ Maximum document size (bytes)
  • 14. 1414 © 2013 IBM CorporationAAA : Authentication Authorization AuditingExtractIdentityHTTP HeadersWS-Security TokensWS-SecureConversationWS-TrustKerberosX.509/SSLSAML AssertionIP AddressLTPA TokenHTML FormOAuthCustomAuthenticateExtractResourceURLXPathSOAP OperationHTTP OperationCustomLDAP/Active DirectorySystem/z NSS (RACF, SAF)IBM Security Access ManagerKerberosWS-TrustNetegrity SiteMinderRADIUSSAMLLTPAVerify SignatureCustomAuthorizeAudit &Post-ProcessMapIdentityMapResourceLDAP/ActiveDirectorySystem/z NSSIBM Security Access ManagerNetegrity SiteMinderSAMLXACMLOAuthCustomAdd WS-SecurityGenerate z/OS ICRX TokenGenerate KerberosGenerate SpnegoGenerate SAMLGenerate LTPAMap Tivoli Federated IdentityExternal Access Control Server or Onboard Identity Management Storeinput output
  • 15. 1515 © 2013 IBM CorporationSecurity GatewayNew connection to targetProxying and Enforcement• Terminate incoming connection• Terminate transport-level security (SSL/TLS offload)• Threat protection• Enforce Service Level Agreement policies• Inspect message content and filter (Schema validate)• Enforce security policies on message content(Encrypt/decrypt, Verify/sign digital signatures)• Authentication, Authorization, Auditing (AAA)• Call out to virus checker• Transform content & enrich message• Translate security token• Dynamically route based on content and load balance(Establish a new connection to pass results)• Cache data on-box or in centralized, shared XC10 gridConnection from clientACLVirusScannerConsumerProviderWeb Service RequestBasic Auth, OAuth 2.0,WS-Security UNT, etcWeb Service RequestSAML, LTPA,KerberosOutside World Internal NetworkDMZHTTP(s)HTML, JSON, XML, SOAPMME, DIME, MTOMXMLDSIG, XMLENCWS-SecurityWS-Security PolicyWS-TrustSAMLOAuth 2.0InternetSaaSPartnerAppsBrowsersProtocolFirewallSecurityGatewayPackaged AppsProprietary AppsDataHTTP(s)ESBTivoli (TAM)MS Active DirectoryAny LDAP, e.g. OracleCA SiteMinderPDP (XACML, SAML, other)DomainFirewallACLSecurityGatewayInternalConsumerIncoming access control;Threat protectionOutgoing access control;SAML injection etcInternalSecurity
  • 16. 16Retail Service ProviderSecurely expose services to consumersSolutionImplemented WebSphere DataPower to form the Webservices backboneThrough content-based routing, security policyenforcement & data encryption, DataPower ensures safe& efficient flow of confidential customer dataIntegrated seamlessly into heterogeneous environmentincreasing interoperability & promoting reuseBenefitsSecure SOA on standards-based platformEasily reuse Web services throughout enterpriseBoosts productivity of IT staffSubstantially shorten time to market for new servicesChallengeConsistent & secure delivery of online services topartners that could be shared, integrated & flexible tomeet specific needsWeb services infrastructure needed to support highlysecure data routing with daily high volume & sensitivenature of informationIdentity Mgmt
  • 17. 17DataPower & Tivoli OfferingsTivoli Federated Identity Manager (TFIM)Tivoli Access Manager (TAM)Allows authoring of XACML policy to beenforced by DataPower. [PAP]TSPM can also act as PDP to makeAuthorization decisions [PDP]Tivoli Security Policy manager (TSPM)Provides a single point of decisionmaking for Authentication andAuthorization. [PDP]DataPower will enforcethe decision. [PEP]– PAP: Policy Authoring Point– PDP: Policy Decision Point– PEP: Policy Enforcement PointLocally cached TAM policydatabase reduces networklatency and traffic congestionProvides federated identitymanagement and a single IdPenterprise solution [Federation]DataPower integrates with Tivoli offerings to provide authentication and authorizationpolicy enforcement point solution
  • 18. 18Centralized Service Governance & Policy EnforcementComplete SOA Governance solution– WSRR for web service life-cycle policy management– DataPower for web service run-time policy enforcementUse WebSphere Service Registry & Repository (WSRR) to store, publish, andgovern your web services– DataPower can subscribe or poll web services information from WSRRAutomatically expose services and policies in DataPower via WSRR subscription– Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment– Retrieve WSDLs by specific version numberDynamically retrieve run-time routing information from WSRRWSRR (Policy AdministrationPoint)Consumer ServiceMessageMessageMessageMessageITCAM forSOA(PolicyMonitoringPoint)DiscoverServices & PolicyMonitorServicesDataPower (PolicyEnforcement Point)Centralized transaction monitoring– ITCAM for SOASupport for UDDI v2 and v3 for UDDIregistries
  • 19. 19Service Level Monitoring (SLM) to protect your services and applications fromover-utilization and enforce quota– Frequency based on concurrency OR based on messages per time period– Take action when exceeding a custom threshold:• Notify (or log), Shape (or delay), Throttle (or reject)Service Level Monitor (SLM): Traffic Control / Rate Limiting
  • 20. 20UserWAS Application{ "Task" : "AddEntry","Detail": "Createpresentation materials." }HighLoadScenario– JSON REST app to-do listIssues– High server load– Slow response timeSlowResponse(>10s)Application Optimization ExamplePublicEnterpriseUserWAS Application11ImprovedLoadPublicDMZ DataCenterDataPowerImprove Server Load with SSL Offload1. Client requests are secured via DP SSL concentrator
  • 21. 21UserWAS Application121PUT /joe/todos HTTP/1.1Host: joe.orgContent-Type:application/jsonContent-Length: 69{ "Task" : "AddEntry","Detail": “Waste time." }ImprovedLoadDataPowerManage Traffic with Application Fluency2. DataPower enables application aware traffic managementUserWAS Application311ImprovedLoadImprovedResponseTimeDataPowerDistribute Load Intelligently3. Application Optimization effects load distribution intelligenceLeverage dynamic runtime conditions to distribute based on topology & workload2Application Optimization Example
  • 22. 22RESTCache at the edge(s)4. Application results are cached at the edge using XC10 caching grid OR locally on-boxApplication Optimization ExampleUserWAS Application34121DataPowerDataPower XC10LowLoadFastResponse• Faster application response time• Lower server load• Improved system throughput
  • 23. 23RESTUsing XC10 As a Side Cache For DataPowerUser1532 4ClientProvider1. Client submits application request.2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.3. On a miss, XI forwards request to target Provider.4. XI adds application response to XC10.5. Client receives response from XI. Easily integrates into the existing business process– No code changes to the client or back-end application– Simply add the side cache mediationSignificantly reduces the load on the back-end system byeliminating redundant requestsImprove client observed response timeImprovedResponseTimeImprovedLoadDataPower XC10DataPower XI AppliancesLarge Response Time
  • 24. 24DataPower XI52 + XC10: Travel and TransportationOnline Reservations Reservations System– Before: 3-5 sec response time– After: .01 -.05 sec response time– Caching service requests– Improved the average response time of the GlobalDistribution System requests for Fare Availability andCategory Availability– 52% caching rate– 10 minute cache resulted in 40% reduction in load on theback-end systems– Maintained high data integrity. Faster responses werealso accurate– POC in 3.5 hrs100xperformanceimprovementImproved reliability and scalability of reservation channelsReduced traffic to backend systemsDeliver high performance & consistent response timesScale with simplicity and lower TCO
  • 25. 2525 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 26. 2626 © 2013 IBM CorporationUse Case: Mobile ConnectivitySecurely & Rapidly connect Mobile Apps withEnterprise Services
  • 27. 2727 © 2013 IBM Corporatione.g. REST (JSON/XML)over HTTPSSSL OffloadThreat ProtectionRate LimitingValidation, Filteringnow with Native JSON Support**AuthenticationAuthorizationSecurity Token TranslationTransformationContent-Based RoutingIntelligent Load Distributionnow with On Demand Router for WAS ND**Response Caching Locally or to XC10 **Securely expose enterprisedata to Mobile Apps whileoptimizing delivery of theworkloadSecurely expose enterprisedata to Mobile Apps whileoptimizing delivery of theworkloadWorklight, WAS NDe.g. SOAPover HTTPSMessage Oriented,Legacy AppsWeb Apps, ServicesConnect Mobile Apps with Enterprise Apps & ServicesIBM DataPower Gateway ApplianceSecurity, Control, Integration & Optimization of mobile workloadEnhanced form-based authentication support for quick integration with Worklight applications running on mobile devices **Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**** Available in DataPower firmware version 6.0
  • 28. 2828 © 2013 IBM CorporationA closer look at some Mobile Connectivity scenariosREST ProxyProviderJSON / XML / SOAPRESTJSON or XML / HTTP(s)Mobile ConsumerSSL offloadEnforcement point for centralized security policies– Authentication, Authorization, OAuth 2.0, Audit– Threat protection for XML and JSON– Message validation and filteringCentralized management and monitoring point– Traffic control / Rate limitingRouting / Intelligent load distribution to ProviderRESTful façade to non-REST ProviderREST Service Gateway for Mobile AppsProviderHTTP(s) GETHTTP(s) GETJSON or HTML/XHTMLMobile ConsumerXMLApplication Acceleration for Mobile AppsOffload heavy lifting of message transformation from the ProviderTransform to a format best suited for the requesting Mobile App– JSON for native/hybrid app– HTML/XHTML for browser basedIBM DataPower GatewayIBM DataPower GatewayCache response data from Provider– Locally on the appliance– Externally to elastic caching XC10
  • 29. 2929 © 2013 IBM Corporation
  • 30. 3030 © 2013 IBM CorporationClient examples using DataPower for Mobile use casesSeveral examples of businesses using DataPower as a Mobile Gateway fortheir Security & Integration needs‒ Large international bank has mobile banking goes through DataPower‒ Large Mobile company in the UK has traffic from handsets, RESTservice calls, being secured via DataPower‒ Large global phone company has their RESTful service calls usingJSON and XML from Mobile devices and consumer browsers aresecured and load balanced using DataPower‒ Large retailer went live recently with DataPower proxying Mobile traffic‒ Retailer secures their provisioning iPad traffic through DataPower‒ A wireless carrier secures mobile traffic to account data throughDataPower
  • 31. 3131 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 32. 3232 © 2013 IBM CorporationUse Case: API ManagementSecurely & Rapidly Create, Socialize & ManageBusiness APIs to engage with a Developer ecosystem
  • 33. 3333 © 2013 IBM CorporationOn PremiseApp Developer PortalBusinessOps DashboardEnterpriseServicesDataPowerDev OpsDashboardWeb AppsMobileCreate, Manage, Socialize APIs•Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Opsperspective, API lifecycle mgmt•Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas,manage communities and monitor service levels•Application Developer Portal with Self-Service registration and with hooks into social communitiesOn-Premise DMZ-ready API Gateway•Rapid on-ramping of APIs•API security; SSL termination, Threat protection, Authentication, Authorization with OAuth•Quota enforcement / Traffic control; Enforce API consumption policies•Monitors API use•Caching support for both on-box local and remote caching using XC10•Intelligent routing and load distributionIBM API Management V2.0 (On-Premise)Secure, control and optimize access to APIs through DataPower
  • 34. 3434 © 2013 IBM CorporationApplications & Serviceson App Servers(WAS, WAS ND,Worklight orother Provider)Caching ApplianceIBM DataPower XC10Security & Integration GatewayIBM DataPower ApplianceAPI consumers& App DevelopersAPI ownersCreate, Publish, Manage & Socialize APIsIBM API Management**Multi-device developmentIBM WorklightMobile Apps& Web consumersSecure Mobile App Integration + API Management** Available in IBM API Management 2.0
  • 35. 3535 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 36. 3636 © 2013 IBM CorporationUse Case: Enterprise IntegrationConsumable integration solution for securely connectingapplications & services while optimizing delivery of workload
  • 37. 37IntegrationDynamically route based on any message content– Attributes such as the originating IP, requested URL, protocol headers, etc.– Data within the message such as SOAP Headers, XML, Non-XML content, etc.Query a repository for routing information– WebSphere Service Registry & Repository, XML files, Databases, Web ServersContent-Based RoutingServiceProvidersUnclassifiedRequestsTransform the message format with ultimate flexibility– Leverage WebSphere Transformation Extender for data mappingAny-To-Any Message Transformation<XML/> TEXT binaryInputMessageOutputMessage<XML/> TEXT binary? ?WebSphere TX Design Studio
  • 38. 38IntegrationTransport Protocol TranslationIntegrate disparate transport protocols with extreme ease– No dependencies between inbound “front-side” and outbound “back-side”– Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, TibcoEMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only oncemessage patternsHTTP(s)FTP(s)SFTPWebSphereMQ, MQ FTEWebSphereJMSDatabaseDB2, SQL Server,Oracle, Sybase,TIBCOEMSIMS NFS
  • 39. 3939 © 2013 IBM CorporationIntegrationConsumerProviderSOAP / HTTP(s)MQ QueueManagerCobol / MQFormat & transportbridgingMessage Format & Transport Protocol Mediation ExampleOutside World Internal NetworkDMZProtocolFirewallHTTP(s)FTP(s)SFTP(SSH)WMQ(s)WS JMSTIBCO EMSODBCDomainFirewallACLDBLDAPPackaged AppsProprietary AppsDataPackaged AppsProprietary AppsDataInternetJMSEMSFTPNFSPackaged AppsProprietary AppsDataPackaged AppsProprietary AppsDataPackaged AppsProprietary AppsDataDataPowerGatewayHTTPWMQIMS ConnectEnhancedSecurityDMZSaaSPartnerAppsBrowsers• Content based routing• Message enrichment• Message transformation• Transport protocol translation• AAA, Threat protection• Message validation & filtering• Traffic control / Rate limitingIntegration Scenario• Intelligent content based routing• Intelligent load distribution• Local and distributed caching
  • 40. 4040 © 2013 IBM CorporationCore ServicesCore DataUK Government AgencyEnables integration capabilities using DataPowerSolutionDataPower in key network zones within and outside ofthe departmentThorough content-based validation, routing, and securitypolicy enforcementIntegrated seamlessly into heterogeneous environmentincreasing interoperability & promoting reuseBenefitsEase of integrationSecurity assurance of the architectureSecure SOA on standards-based platformConsistent experience and policy for all usersChallengeData held in the back-end systems vital to deliveringcitizen services, fraud detection across various layers ofthe Governments across the EUVulnerable back-end servicesSecurityCapacity/ SLAConsistent usability experience for internal or externalservice consumersIntegration LayerGovernmentnetworkOther EUCountriesOther UKDepartmentsInternal Users
  • 41. 4141Security & Integration Scenario – Financial Firm
  • 42. 4242 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 43. 4343 © 2013 IBM CorporationUse Case: Mainframe integration & enablementOffload processing for reduced MIPSWeb Services Enablement for IMS, CICS, DB2
  • 44. 4444 © 2013 IBM CorporationBroad integration with System zClientSOAP/HTTPSOAP/HTTPCCB / MQIMS SOAP GatewayWAS+IMS connectorDataPowerIMSOTMAIMSApplicationMQServerMQBrdgDataPowerXI50z• Connect to existing applications over WebSphere MQ• Transform XML to/from COBOL Copybook for legacyneeds• Integrate with RACF security from DataPower AAA• Dynamic crypto material retrieval & caching, or offloadcrypto ops to z• Connect to IMS‒ Via IMS Connect client‒ Via Web Services‒ Via WebSphere MQ• Connect to CICS‒ Via WebSphere MQ‒ Via Web Service• Connect to DB2‒ Via Web Service‒ As direct ODBC call with ODBC Client optionAdditional benefits with integrated DataPower XI50zblade form factorFast secure network between DataPower blade andtarget serversVirtual Network ProvisioningDynamic Load Balancing (via Sysplex Distributor)HMC Console IntegrationBlade Hardware ManagementEnergy Monitoring and Management of DP BladesDP Firmware Load and UpdateMonitoring and ReportingDRDADB2
  • 45. 4545 © 2013 IBM Corporation• IMS Callout feature allows IMS transactions to easily consume external webservices via DataPower, with minimal application updates requiredEnhanced value for System z & IMSNew integration capabilities between DataPower and IMS in v6.0IMS DB feature supports DataPower integrationwith IMS database through SQL interface‒ Enrich messages with database content‒ Expose data as a service to remote applicationsClientSOAP / RESTDataPowerDRDAIMSOTMAApp1IMSConnectApp2Service ProviderSOAP / RESTDataPowerTCP/IPService ConsumerIMS Callout
  • 46. 4646 © 2013 IBM CorporationCore banking platform on ZAn Irish BankEnabling retail bankingSolutionDataPower in trusted network exposed services forXML/ HTTP(S) and protocol bridging to WebSphere MQMessage validation and transformation usingWebSphere Transformation Extender (WTX)BenefitsRetail application acceleration through transformationsand cachingOptimized platform for handling, parsing and processingpayloadsChallengeRetail application contained 7000 screens; slowresponse times over dedicated proprietary network.Cost of processing XML on the mainframe.Message transformation needed before the core bankingplatform could process requests.DataPowerQBranch NetworkQ Q Q QBranch Application (web based)
  • 47. 4747 © 2013 IBM CorporationCustomer & Product relatedapplication and systems on ZHigh Street Clothing and Fashion Accessories RetailerIncrease customer interaction and loyaltySolutionDataPower acted as a reverse proxy for:Outbound messages via a service providerInbound customer updates/ delivery notificationsTransform SOAP/ XML payload to COBOL copybookmessages for CICS applicationBenefitsCreate customer interaction and value through innovativebusiness strategy.Integrate various suppliers using standards basedinterfaces securely.Graphical configuration driven appliance; short learningcurveChallengeHighly competitive industry; first mover advantageWeak customer loyaltyMulti channel customer experienceComplex supply chain and service providersDataPowerQOpen InternetQ
  • 48. 48IMS IntegrationWeb Services Security and Management for IMS Web ServicesContent-based Message RoutingProtocol Bridging (HTTP, MQ, JMS, FTP, etc.)XML/SOAP FirewallData ValidationField Level SecurityXML Web Services Access Control/AAAWeb Services ManagementClientSOAP / RESTSOAP/HTTPIMS SOAP GatewayWAS+IMS connectorDataPower
  • 49. 49DataPowerIMS IntegrationWeb Services Enablement for IMS-based ServicesIMSOTMAIMSApplicationMQServerMQBrdgDataPower provides WS-enablement to IMS applicationsUser codes schema-dependent WTX data map to performrequest/response mappingRequires WebSphere MQ for z/OS– MQ bridge to access IMS– MQ connectivity is embedded in DataPowerCCB / MQClientSOAP / REST
  • 50. 50DataPowerIMS IntegrationWeb Services Enablement for IMS-based Services (cont’d)CCB / TCPClientSOAP / RESTIMSOTMAAppl1IMSConnectAppl2Appl3IMSOTMAAppl4Appl5Appl6User exit(e.g..HWSSMPL0)DataPower provides WS-enablement to IMS applicationsUser codes schema-dependent WTX data map to performrequest/response mapping“IMS Connect Client” (back-side handler) natively connects to IMSConnect using its custom request/response protocol
  • 51. 51DataPowerIMS IntegrationIMS Connect Reverse ProxyCCB / TCPClientIMS Connect TCPIMSOTMAAppl1IMSConnectAppl2Appl3IMSOTMAAppl4Appl5Appl6User exit(e.g..HWSSMPL0)Bring DataPower value add to standard IMS connect usage patternsProvide an “IMS Connect Client” on DataPower that natively connects toIMS ConnectProvide an “IMS Connect Server” on DataPower that accepts IMS Connectclient connections and provides an intermediation framework thatleverages DataPower– Enables authentication checks, authorization, logging, SLM,transformation, route, DB look-up, SSL offload, etc.
  • 52. 52DataPowerDB2 Integration“Information as a Service”DRDAClientSOAP / RESTDataPower provides a standard WS façade to DB/2– Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data WebServices runtime and DataPower– SOAP call is mapped to an ODBC (DRDA) invocationExposes database content (information) as a serviceLeverages extensive Web Services security and management capabilities ofDataPower to more securely expose critical data to the enterpriseDB2
  • 53. 53CICS IntegrationWeb Services Security and Management for CICS Web ServicesContent-based Message RoutingProtocol Bridging (HTTP, MQ, JMS, FTP, etc.)XML/SOAP FirewallData ValidationField Level SecurityXML Web Services Access Control/AAAWeb Services ManagementSupport CICS ID propagationClientSOAP / RESTSOAP/HTTPCICS Web ServicesWAS+CICS connectorDataPower
  • 54. 54DataPowerCICS IntegrationWeb Services Enablement for CICS ApplicationsDataPower provides WS-enablement to CICS applicationsUser codes schema-dependent WTX data map to performrequest/response mappingRequires WebSphere MQ for z/OS– MQ bridge to access CICS– MQ connectivity is embedded in DataPowerCCB / MQClientSOAP / RESTCICSCICSApplicationMQServerCICSBrdg
  • 55. 5555 © 2013 IBM CorporationAgenda• DataPower Quick Overview• Security & Optimization Gateway• Mobile Connectivity• API Management• Integration• Mainframe Integration & Enablement• B2B
  • 56. 5656 © 2013 IBM CorporationUse Case: B2B integrationExtend integration beyond the enterpriseto partner community
  • 57. 5757 © 2013 IBM CorporationDataPower B2B FunctionalityExtend beyond the enterprise to integrate with partners• B2B Gateway Service‒ AS1, AS2, AS3 and ebMS v2.0‒ Plaintext email support‒ EDI, XML and Binary Payload routing‒ Front Side Protocol Handlers‒ Hard Drive Archive/Purge policy‒ CPA and Partner Profile Associations‒ MQ File Transfer Edition integration• Trading Partner Profiles‒ Two Types – Internal and External‒ ebXML CPPA v2.0‒ Multiple Business IDs‒ Multiple Destinations (URL Openers)‒ Certificate Management (S/MIME Security)‒ Multi-step processing policy• B2B Viewer‒ B2B transaction viewing‒ MQ FTE transaction viewing‒ Transaction resend capabilities‒ Transaction and Acknowledgement correlation‒ Role based access• Persistent Storage‒ AES Encrypted B2B document storage‒ Option for Off-Box Storage (NFS)• Transaction Store‒ B2B metadata storage‒ B2B state managementDataPowerB2B Gateway ServicePartner ConnectionFront Side HandlersInternal PartnerDestinationsIntegrationFront Side HandlersExternal PartnerDestinationsB2B ViewerMetadataStore(DB)DocumentStore(HDD)PartnerProfiles
  • 58. 58UK Logistics and DistributionBenefitsCreate customer interaction and value through innovative business strategy.Integrate various suppliers using standards based interfaces securely.Graphical configuration driven appliance; short learning curveChallengeAS2, File and Web Services based interfaces to 100s of B2B customers.Messages are exchanged at least once a daySecure proxy solution in the DMZComplex incumbent supplier chain
  • 59. 5959 © 2013 IBM CorporationHealth Insurance ProviderSmarter Business Outcomes:Reliable and secure routing of customer sensitive dataEasy to use and maintain; no additional skill neededXML Messages with attachments are authenticated, authorized,and virus scannedIndustry Pains:HIPAA Security requirementsfor transporting data over theInternetHL7 v3.0 XML threat protectionComplexity of B2B forhealthcareSecure appliance form factor providing secure connections to tradingpartners, advanced threat protection and reliable file delivery ofconfidential medical informationValue of DataPower B2B Appliances for Extending Connectivity?
  • 60. 60InternetEDIINT Flow: Simple AS2 transaction flow with TransformApplicationBrowserApplicationEDI XMLAS2(EDI)AS2(MDN)B2B HubPartner BPartner AXB62AS2 ProcessB2BGatewayServiceTransactionViewerNote: This flow works the same for any AS protocol as well as for ebMS B2B messages.DataStore43a3b215
  • 61. 61InternetWeb Services bridged to AS2 File Transfer PatternWS ClientBrowserFlatB2B HubPartner BPartner AXB62Web ServiceProcessWeb ServiceProxyTransactionViewerB2BGatewayServiceAS2Pre-ProcessFlatSOAPNote: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving andsending data over any of the 16 supported protocol handlers. When Services are tied together infront of or behind a B2B Gateway Service they are handled like pre and post processes.DataStore7456321
  • 62. 62InternetMQ FTE Integration Pattern – Inbound File to MessageBrowser(LOB User)XB60TradingPartnerXB62B2BGatewayServiceTransactionViewerProfileMgmtDataStoreBrowser(Admin)Browser(Partner view)ServerSourceAgentDataStoreApplicationsEnterpriseTargetAgentMQFTENetworkQueueManagerQueueManagerQueueManagerQueueManagerMQExplorerDBLogger(DB2 or Oracle)142a3652
  • 63. 63BrowserB2B Gateway ServiceWebSphere DataPowerB2B ApplianceApplicationsTransactionViewerCollaboration PartnerAgreement EntriesInternal CollaborationPartner ProfileExternal CollaborationPartner ProfileCPAId / CollaborationCollaboration ProtocolAgreement EntryInternal CollaborationPartner ProfileExternal CollaborationPartner ProfileCPAId / CollaborationExternal PartnersInternet ebMS(Ack)ebMS(ebXML))ebXMLebXML with CPPA Pattern54321DMZSecuredNetworkPublic NetworkCollaboration PartnerAgreement EntriesInternal CollaborationPartner ProfileExternal CollaborationPartner ProfileCPAId / Collaboration
  • 64. 64B2B HubAS2 ProcessHealthcareApplicationsPartner BHospitalInternetAS2 (HL7 V3)AS2/MDNB2B ApplianceB2B GatewayServiceProfilesInternal ProfileRegionalCenterValidate XML andTransform to anyV.2.x formatExternal ProfileHospitalTransactionViewerHealthcareApplicationsHL7V3Partner ARegional Healthcare CenterAny TransportHL7 V2.xAny TransportHL7 V3.x543216Health Level 7 3.x to 2.x Transform Pattern
  • 65. 65Securing HL7 over the Internet with Integration to the WebSphereHealthcare Connectivity PackTradingPartnerXB62B2BGatewayServiceTransactionViewerProfileMgmtDataStoreBrowser(Admin)Browser(Partner view)Clinical TrialsSystemWebSphere HealthcareConnectivity PackHealthcare ProviderInternet12a352WebSphereMQPatientAdministrationSystemBillingSystem4AS2(HL7))AS2(MDN))HL7/MQHL7/MLLPHL7/MLLPXML/HTTPPharmacyHL7/MLLP
  • 66. 66DataPower Appliances BenefitsReduce Complexity: Replace software servers functionality withDataPower Appliances, reduce infrastructure footprint, and off-loadsystems intensive processes.Lower TCO: DataPower Appliances have demonstrated reducingoperational costs by as much as 50%Reduce Time to Market: DataPower Appliances dramatically decreasethe testing time and amount of development required to upgrade yourenvironment, most policy are configuration driven as opposed todevelopment drivenReduce Risk: DataPower Appliances provide the communication layerwithout requiring application modification, and deliver improved securityand auditFlexibility & Security: DataPower Appliances shield businessapplications from security requirements, protocol changes and serviceversioning - no application modifications needed
  • 67. 6767 © 2013 IBM CorporationDataPower resourceswww.ibm.com/software/integration/datapowerIBM DataPower Web Page (support, technotes, doc)http://www-01.ibm.com/software/integration/datapower/developerWorks DataPower Discussion Areahttp://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198Vast library of published articles:http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html(Also search for “DataPower” within “WebSphere”, “SOA/Web Services” and “XML”)http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search “DataPower”)IBM Redbooks:http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapowerIBM WebSphere DataPower SOA Appliance Handbookhttp://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194YouTube:http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channelDataPower Podcasts:http://www.ibm.com/podcasts/software/websphere/datapower/index.rss