Intorduction to Datapower


Published on

Published in: Technology

Intorduction to Datapower

  1. 1. DataPower Introduction
  2. 2. DataPower SOA Appliance An SOA Appliance… creates customer value through extreme SOA performance, connectivity, and security.  Simplifies SOA and accelerates time to value  Helps secure SOA XML implementations  Governs and enforces SOA/Web Services policies DataPower SOA Appliances redefine the boundaries of middleware extending the SOA Foundation with specialized, consumable, and dedicated SOA Appliances that simplify and combine superior performance, hardened security, and integration for SOA implementations. 2
  3. 3. Why an Appliance for SOA?  Hardened, specialized hardware for helping to integrate, secure & accelerate SOA  Many functions in a single device  Service level management, dynamic routing, policy enforcement, transformation  Higher levels of security assurance certification  FIPS 140-2 Level 3, Common Criteria EAL4  Higher performance with hardware acceleration facilitates security enforcement • Addresses the divergent needs of different groups – Enterprise architects, network operations, security operations, web services developers • Simplified deployment and ongoing management – Drop-in appliance, secures traffic in minutes, integrates with existing operations 3
  4. 4. What is DataPower ? • • • • Provides the flexibility of software in a hardware footprint Is quick to deploy – configuration NOT coding or programming Typically takes days to integrate NOT weeks or months Is a 1U 19” Rack Mounted appliance – • • Looks like a router Has minimal components and has no stack of software. Consequently DataPower is highly secure As attack points are minimised – – DataPower is undergoing accreditation to Common Criteria EAL4 This is globally recognised check by an impartial third party that warrants the security claims made by IBM 4
  5. 5. What Does DataPower Address ? • • XML is the language of Web Services and SOA XML is pervasive – in a matter of years, it will fuel every application, device, and document found in enterprise networks • XML challenges – XML is very ‘Verbose’ • XML is bandwidth intensive • Has a direct impact on Application Server performance • XML processing requires significant processor cycles and memory resources – XML is effectively ‘Human readable’ Text • It has no native security mechanisms • It is readily understood and vulnerable to interception • Security can be implemented on the application server but this is additional XML processing and adds to the performance problem – SOA is not just Web Services and XML • Customers need to integrate existing legacy systems, messaging formats and protocols into the SOA architecture. • The ability to ‘transform’ legacy systems into the XML format is needed. 5
  6. 6. What Does DataPower Address ? • XML Performance – How ? – by offloading XML processing from the Application Server to DataPower in optimised hardware – Thereby greatly reducing the required number of Application Servers • XML Security – How ? – by offloading XML security to DataPower – Provide standards based security – WS Security • Integrating XML and legacy systems – How ? – by using DataPower to transform XML to legacy message formats and protocols e.g • XML < > Cobol Copybook (brings a Mainframe into SOA Architecture) • XML > HMTL (renders HTML content to Portal very rapidly) • XML < > MQ Messaging All of this is done at WIRESPEED 6
  7. 7. WebSphere DataPower SOA Appliance Product Line XM70  XB60 High volume, low latency messaging Enhanced QoS and performance Simplified, configuration-driven approach to LLM Publish/subscribe messaging High Availability          B2B Messaging (AS2/AS3) Trading Partner Profile Management B2B Transaction Viewer Unparalleled performance Simplified management and configuration XA35 – – – Offload XML processing No more hand-optimizing XML Lowers development costs XS40     Enhanced Security Capabilities Centralized Policy Enforcement Fine-grained authorization Rich authentication XI50     Hardware ESB “Any-to-Any” conversion at wire-speed Bridges multiple protocols Integrated message-level security 7
  8. 8. WebSphere DataPower Basic Use Cases Internet DMZ Trusted Domain Application Consumer 1 B2B Gateway 3 Low Latency Gateway Application 2 Secure Gateway (Web Services, Web Applications) Consumer 4 Internal Security 5 Enterprise Service Bus 6 Web Service Management 7 Legacy Integration 8 XML Acceleration System z 8
  9. 9. XML Accelerator XA35 Purpose-built hardware for presentation-tier transformation • “The Original” DataPower XML Appliance • Defines high performance architecture for all DataPower SOA Appliances • Processes XML operations at “wire-speed” • Ideal in an XSL-intensive HTTP presentation tier • XML Pipeline processing accelerates XML/XSLT/XPath evaluation, increasing throughput and decreasing latency by offloading XML operations to the network • Innovative drag-and-drop policy editor accelerates time to value and simplifies configuration and deployment • Logical application domains allow individual “sandboxes” and facilitate configuration management through import/export features • Multiple management interfaces serve varying needs of an organization, including browser-based WebGUI, command line CLI, and scriptable Web Services 9
  10. 10. XML Security Gateway XS40 Purpose-built hardware for assuring confidentiality, authenticity, and nonrepudiation • Native support for WS-Security policy enforcement • Extremely secure hardware design • Integrate with a variety of authentication and authorization systems for real-time protection • Ideal in front-line DMZ or internal security gateway • XML/SOAP Firewall capabilities enable Layer 7 filtering on any content, metadata or network variable in a message • Web Application Firewall service offers additional security, threat mediation, and content processing for other URL encoded HTTP-based applications • Easily configurable field-level security options allow flexible enforcement of confidentiality, authenticity, and non-repudiation requirements • Low latency architecture leverages hardware-acceleration for cryptographic operations 10
  11. 11. Hardware Device for Improved Security • Sealed network-resident appliance – Optimized hardware, firmware, embedded OS – Single signed/encrypted firmware upgrade only – No arbitrary software – High assurance, “default off” locked-down configuration – Security vulnerabilities minimized (few 3 party components) – Hardware storage of encryption keys, locked audit log – No USB ports, tamper-proof case • Third party certification – FIPS 140-2 level 3 HSM (option) – Common Criteria EAL4 “The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed… " - InfoWorld 11
  12. 12. XML security threats are growing DataPower provides hardened real-time protection • • • • • • • • • • • • • • XML Entity Expansion and Recursion Attacks XML Document Size Attacks XML Document Width Attacks XML Document Depth Attacks XML Wellformedness-based Parser Attacks Jumbo Payloads Recursive Elements MegaTags – aka Jumbo Tag Names Public Key DoS XML Flood Resource Hijack Dictionary Attack Message Tampering Data Tampering • • • • • • • • • • • • • • Message Snooping XPath Injection SQL injection WSDL Enumeration Routing Detour Schema Poisoning Malicious Morphing Malicious Include – also called XML External Entity (XXE) Attack Memory Space Breach XML Encapsulation XML Virus Falsified Message Replay Attack …others 12
  13. 13. Gartner: Web Services Security Best Practices  Provide System Security  Inspect ALL traffic  Transform all messages  Mask internal resources  Implement XML filtering  Secure logging  Protect against XML DoS  Require good authentication mechanisms  Provide Message Security  Sign all messages  Validate messages (Inbound+Outbound)  Time-stamp all messages  Ask for Compatibility  SSL MA, SAML, x.509.  WS-Security  WS-* extensions • • • Build Expertise/Design From Strength Educate Business Leaders Build Centralized Infrastructure – – – – • • • SSL is key Use management/security platforms Manage your identities You may need PKI Trust (Really) Your Partners Use OTS Web Services with Caution Monitor and Control “Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware.” -- John Pescatore, Gartner 13
  14. 14. Access Control Integration Framework (AAA) Transport Headers URL SOAP Method XPath Input Message Extract Resource WS-Security SAML X.509 Kerberos Proprietary Tokens Extract Identity LDAP ActiveDirectory SAML Tivoli CA eTrust/Netegrity RSA Entrust Novell RACF Authenticate Map Resource LDAP ActiveDirectory SAML Tivoli CA eTrust/Netegrity RSA Entrust Novell Proprietary Authorize SAML Assertion Credential Mediation IDS Integration Monitoring Audit & Accounting Output Message Authenticate, Authorize, Audit Map Credentials External Access Control Server or Onboard Identity Management Store 14
  15. 15. Web Application Firewall • • • • • • • URL-encoded HTTP application protection in addition to XML Web Services firewall security Protection for static or dynamic HTMLbased applications Supports browser-based clients and HTTP/HTTPS backend servers Wizard-driven configuration Cross-site scripting and SQL Injection protection AAA framework support for web applications General name-value criteria boundary profiles for: – Query string and form parameters  HTML Input Conversion Maps for form processing and handling  Cookie watermarking (sign and/or encrypt)  Rate limiting and traffic throttling/shaping  HTTP header stripping, injection and rewriting  HTTP protocol and method filtering  Content-type filtering  Dynamic routing and load balancing  Session handling policies  SSL Acceleration & Termination (Link)  XML and non-XML processing policies  Customizable error handling – HTTP headers – Cookies 15
  16. 16. Integration Appliance XI50 Purpose-built hardware for Enterprise Service Bus functionality • Web Service virtualization for legacy applications • Enforce high levels of security independent of protocol or payload format • Integrate with enterprise monitoring systems • Service level management options to shape traffic ! Advanced protocol-bridging seamlessly supports a wide array of transports, including HTTP, WebSphere MQ, WebSphere JMS, Tibco EMS, FTP, NFS Any-to-any “DataGlue” engine supports XML and Non-XML (Binary) payloads, promoting asset reuse and enabling integration without coding Direct database access enables message-enrichment and data-as-aservice messaging patterns (DB2, Oracle, MS-SQL, Sybase) High performance architecture creates low-cost, easily-scalable ESB solution for Smart SOA needs 16
  17. 17. The ESB Cost Explosion - background A significant and growing problem with bus installations around the world. In medium to large organizations running significant transaction volumes, the footprint of their ESB becomes very large and expensive, very quickly. Business Partners Internet Access Wireless Access Intranet Portal ESB Internet Portal Wireless Portal DMZ Midrange System Z Internal Trusted Networks DB2 Unix IMS w2k Logging Monitoring / Management SCM Directory / IDM CRM 17
  18. 18. The ESB Cost Explosion – Root causes 1. The resource requirements of today’s services (mostly XML-based) – Software mediation solutions written on general-purpose platforms require shocking amounts of CPU and memory to process messages and perform the basic bus functions: • Message Parsing and Interpretation • Message Transformation • Message Routing 2. The minimal headroom purchased because of HA requirements. – Companies quickly use up extra capacity purchased initially in order to maintain high availability for this critical part of their network. Nevertheless the problem is often still hidden by the HA deployment initially Companies are often taken by surprise by how quickly they “hit the wall” – – It doesn’t take much! • • At somewhere between 20-60 TPS the infrastructure needs to be at least doubled. you don’t have to be a F500 company to get hit 18
  19. 19. The ESB Cost Explosion - Solution The DataPower module, deployed in an Architected ESB Federation pattern, is designed to bring the “commodity” work of an ESB to the network layer. SOA Network Infrastructure History tells us that selecting universal, repetitive functions and moving them to purpose-built appliances reduces solution costs, both in terms of increased performance / reduced processing costs, and reduced complexity of deployment (network devices are configured, not coded). 19
  20. 20. Processing rule actions for ESB Programmer-friendly functions within the purely-configuration message flow. WAIT 20
  21. 21. Processing rule actions for ESB Fan-out (Fan-in) FTP Notification Fire and Forget HTTP JMS HTTP Composition JMS MQ 21
  22. 22. Content-based Routing Select destination based on transaction metadata • Dynamically determine route from transaction context and/or message content – Analyze originating URL, protocol headers, transaction attributes, etc. – Analyze legacy or XML content • Leverage a routing table for real-time decisions – Quickly deploy routing changes, including protocol conversions • Retrieve routing information from other systems – E.g., databases, web servers, file servers, etc. Unclassified Requests Service Providers 22
  23. 23. Protocol Mediation Independently bridge inbound and outbound protocols  First-class support for message and transport protocol bridging  Protocol mediation with simple configuration: – HTTP  MQ  WebSphere JMS  FTP  Tibco EMS  Request-response and sync-async matching  Configurable for fully guaranteed, once-and-only-once delivery WebSphere JMS http(s) 3rd Party Messaging WebSphere MQ Database FTP(s) sFTP DB2, SQL Server, Oracle, Sybase, IMS NFS 24
  24. 24. Web Services Management Service Level Management protects application resources • • Defined as action in the policy pipeline Configure policies based on: – Any parameter: WSDL; Service Endpoint; Operation; Credential – Request; Response; Fault; XPath • • Enforce same thresholds across a pool of devices Configure service level to trigger action: – Notify (Alert) – Shape (Slow Down) – Throttle (Reject) • • • Supports WSDM and other Web services management standards Allows subscription to SLM for alerts, logging, etc. Notify other applications such as billing, audit, etc. 25
  25. 25. System z Integration • Broad integration with System z • Connect to existing applications over WebSphere MQ • Transform XML to/from COBOL Copybook for legacy needs • Natively communicate with IMS Connect • Integrate with RACF security from DataPower AAA • Service enable CICS using WebSphere MQ • Virtualize CICS Web Services 27
  26. 26. Business to Business (B2B) Appliance XB60 Purpose-built B2B hardware for simplified deployment, exceptional performance and hardened security • Extend integration beyond the enterprise with B2B • Hardened Security for DMZ deployments • Easily manage and connect to trading partners using industry standards • Simplified deployment and ongoing management • Trading Partner Management for B2B Governance; B2B protocol policy enforcement, access control, message filtering, and data security • Application Integration with standalone B2B Gateway capabilities supporting B2B patterns for AS2, AS3 and Web Services • Full featured User Interface for B2B configuration and transaction viewing; correlate documents and acknowledgments displaying all associated events • Simplified deployment, configuration and management providing a quicker time to value by establishing rapid connectivity to trading partners 28
  27. 27. DataPower B2B Appliance XB60 - B2B Components The DataPower B2B Appliance extends your ESB beyond the enterprise by supporting the following B2B functionality: • • B2B Gateway Service – AS2 and AS3 packaging/unpackaging – EDI, XML and Binary Payload routing – Front Side Protocol Handlers – Trading Partner Profile Management • Multiple Destinations (Back Side Protocol Handlers) • Certificate Management (Security) – Hard Drive Archive/Purge policy B2B Viewer – B2B transaction viewing – Transaction resend capabilities – Acknowledgement correlation – Transaction event correlation – Role based access • Transaction Store – B2B metadata storage – B2B state management B2B Gateway Service Internal Partner Destinations Front Side Handlers for Integration Transaction Store Front Side Handlers for Partner Connections External Partner Destinations Persistent Storage Persistent Storage – Encrypted with a box specific key – B2B document storage • DataPower B2B XB60 B2B Viewer 29
  28. 28. Low-Latency Appliance XM70 Purpose-built hardware for low-latency, network-based messaging and data feed processing • Drop-in messaging solution which plugs into existing network infrastructure • Enhanced QoS and performance with purpose-built hardware • Simplified, configuration-driven approach to low-latency, publish/subscribe messaging and content-based routing • High availability out of the box (two or more appliances) • Low-latency unicast and multicast messaging, scaling to 1M messages / sec with microsecond latency • Destination, property and content-based routing, including native XML and FIX parsers • Optimized to bridge between leading standard messaging protocols such as MQ, Tibco, WebSphere JMS and HTTP(S) • Simplified deployment, configuration and management providing a quicker time to value by rapidly configuring messaging destinations, connectivity and routing 30
  29. 29. Configuration & Administration Fits into existing environments  Multiple administration consoles     IDE integration      Eclipse/Rational Application Developer Altova XML Spy WAS 7 Admin Console for Multi-box Management Easy export/import for configuration promotion Standard operational interfaces   WebGUI – 100% availability of functions in all consoles CLI – Familiar to network operators SOAP interface – Programmatic access to all config for easy scripting SNMP XI50 SNMP, syslog, etc. Industry leading integration support across IBM and 3rd party application, security, identity management, and networking infrastructure 31
  30. 30. IBM SOA Appliance Deployment Summary Web Tier XML HTML WML Client or Server XML XSL XA35 Application Server Web Server Internet Security Tivoli NetView Tivoli NetView Tivoli Access Manager Tivoli Access Manager Tivoli Access Manager -----------Federated Identity Manager XS40 Internet WebSphere App Server WebSphere App Server IP Firewall Application Server DataPower XS40 DataPower XS40 Integration & Management Tiers  LEGACY REQ Nortel L7 Module Nortel L7 Module DataPower XS40 DataPower XS40  HTTP XML REQ MQ Server MQ Server LEGACY RESP  XI50 HTTP XML RESPONSE  ITCAM for SOA Web service Web service client client Tivoli NetView Web Services Client Tivoli Access Manager 32 WebSphere App Server DataPower XS40
  31. 31. IBM SOA Appliance Deployment continued Business to Business (B2B) DMZ AS2 Message FW XML/EDI/Binary Internet XB60 FW FW AS2 MDN Trading Partners AS2, AS3, HTTP, FTP, Web Services, MQ Receiver WSRR ITCAM for SOA Tivoli NetView Trading Manger for EDI Processing Application Server Tivoli Access Manager WebSphere App Server Low Latency Messaging (LLM) Receiver DataPower XS40 RUM (unicast) Nortel L7 Module DataPower XS40 Transmitter MQ Server RMM XM70 RUM Receiver (multicast) Web service client Transmitter MQ/TIBCO 33
  32. 32. Summary – IBM Specialized Hardware for Smart SOA Connectivity • • • • • • Hardened, specialized product for helping integrate, secure & accelerate SOA Many functions integrated into a single device Broad integration with both non-IBM and IBM software Higher levels of security assurance certifications require hardware Higher performance with hardware acceleration Simplified deployment and ongoing management SOA Appliances: Creating customer value through extreme SOA performance, connectivity, and security  Simplifies SOA and accelerates time to value  Helps secure SOA XML implementations  Governs and enforces SOA/Web Services policies 34