© 2013 IBM Corporation
Intro to DataPower: IBM WebSphere SOA Appliances
Introduction to IBM WebSphere DataPower SOA Appliances
Agenda
What is a DataPower Appliance?
Models and Features
Additional Use Cases
Success stories
How to learn more
simpler solutions for a smarter planet
Why IBM DataPower?
• DATAPOWER IS A PURPOSE BUILT PLATFORM THAT PROVIDES HIGH SECURITY AND EXCEPTIONAL PERFORMANCE
– There is no third-party software (OS, Java, DB, etc.) present on the system, nor can such programs be executed, so the general vulnerabilities found in other platforms built on such stacks are not present on DataPower.
– Entirely configuration based, ensuring that security holes are not introduced inadvertently.
– XML acceleration and cryptographic acceleration help provide near wire-speed throughput. Security is not compromised for performance.
• UNPARALLELED INVESTMENTS IN INNOVATION
– IBM Software Group invests over $6 Billion annually on Research and Development
– WebSphere Business Unit within IBM invests over $1 Billion annually on R&D alone, far surpassing any perceived competitors in the marketplace
– IBM develops, defines, and participates in defining and developing open standards and conforms to the same to protect investments.
• GLOBAL REACH AND SCALE OF BUSINESS OPERATIONS
– IBM has a global presence, doing business in more than 170 countries, making us an ideal partner to scale geographically-dispersed solution implementations, operations, and teams. We are uniquely positioned to support international operations.
The IBM WebSphere DataPower organization makes appliances
• Simple architecture
– microcode firmware + purpose-built hardware
• Delivered from the factory with everything you need to connect to the network and start working
– No need to provision anything but the Ethernet network and CAT cables to get started
• All computationally-significant components sealed within a tamper-proof casing
– Chips
– Memory
– Boards and cards
– Flash-based file system (signed and encrypted)
– Parsing and xform accelerators (patented)
– Cryptographic accelerators (patented)
Guiding philosophy is to take rote, repeatable integration tasks and lock them down in the appliance form factor, including:
– Services gateway functions
– Web application gateway functions
– Service Bus (ESB) functions
– B2B gateway functions
– Edge optimization functions
Appliance “lock down” means:
– Removing need for commodity code
– Removing reliance on general purpose operating systems and run times
– Porting to purpose-built firmware
– Simplicity = BIG TCO SAVINGS
But simple does NOT mean lacking in functionality
Over 1,800 worldwide installations and growing fast
Used by 95% of top global insurance firms
Industries served: Insurance, Government, Banking, Telecommunications, Utilities, Power, Oil and Gas, Airlines, Retailers, and many, many more
Customers include: SaaS providers, ASPs, regulators, etc.; agencies and ministries; defense and security organizations; Crown corporations; all of the big 5 Canadian banks; numerous regional banks and credit unions
DataPower appliances offer a classic SOA business case
Returns are based on implementation and maintenance cost reductions
Returns are typically found by:
– Accelerating project timelines (and beginning to realize new revenues earlier)
• Drop-in deployment, even to sensitive networks
• Configuration of tasks that would otherwise be coded
– Reduction of project resource requirements
• Configuration of tasks that would otherwise be coded
• No tuning required for performance
– Reduction of existing server footprint or deferment of the need to scale up
• Offloading of resource-intensive functions to a platform purpose-built to do them at low resource penalties
– Lowering ongoing operations costs
• Simple architecture and low-touch maintenance model
• Centralization of rote, repeatable integration tasks
Chart: cost comparison of “Do Nothing” versus “Adopt WDP”
Why use an appliance?
“IBM ESBs [including DataPower] have the broadest set of supported runtime protocols, connectivity options, mediation capabilities, security, commercial data standards, and service monitoring and management — hands down.” - Forrester
• Hardened, high-performance hardware
– Tightly integrated hardware and firmware
– High performance
– Security without performance bottlenecks
– Simplicity
• Many functions integrated into a single device: connectivity requires
– service level management
– routing, policy, transformation
• Enables run-time SOA governance and policy enforcement: dynamically control
– service availability
– security
– performance
– endpoint selection
• Addresses divergent needs of different groups
– enterprise architects
– network operations
– security operations
– identity management
– web services developers
• Simplified deployment and ongoing management
– reduces need for in-house SOA skills & accelerates time to SOA benefits
• Proven Green / IT Efficiency Value
– Example: Appliance performs XML and Web services security processing as much as 72x faster than server-based systems
– Impact: Same tasks accomplished with reduced system footprint and power consumption
Models and Features
Integration Appliance XI52
– High density 2U form
– Consumable hardware ESB
– “Any-to-Any” conversion at wire-speed
– Bridges multiple transport protocols
– Mainframe integration & enablement
Service Gateway XG45
– Entry-level device, slim footprint (1U)
– Security gateway (AAA, XML threat, etc.)
– Service level management and monitoring
– Intelligent load distribution & dynamic routing
– Lightweight ESB functions (optional module)
B2B Appliance XB62
– High density 2U form
– B2B Messaging (AS1/AS2/AS3/ebMS)
– Trading Partner Profile Management
– B2B Transaction Viewer
Integration Blade XI50B/XI50z
– Functionally equivalent to XI52
– Form factor flexibility
– XI50B: BladeCenter form factor
– XI50z: zEnterprise BladeCenter Extension (zBX) form factor
Deploy WebSphere DataPower Appliances in a variety of use cases
Diagram: Consumer on the Internet, appliances in the DMZ and in the Trusted Domain, applications and System z behind them
1 Secure Gateway (Web Services, Web Applications)
2 B2B Gateway
3 Edge Optimization
4 Internal Security
5 Enterprise Service Bus
6 Runtime SOA Governance
7 Web Service Management
8 Legacy Integration
AAA
Employ flexible AAA (Authenticate, Authorize, Audit) Policies
Diagram: input -> Extract Identity / Extract Resource -> Authenticate -> Map Identity / Map Resource -> Authorize -> Audit & Post-Process -> output, backed by an External Access Control Server or Onboard Identity Management Store
• Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
• Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
• Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
• Map Identity
• Map Resource
• Authorize: LDAP, Active Directory, System/z NSS, Tivoli Access Manager, SAML, XACML, Custom
• Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
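To make the stage order concrete, here is an added toy model of the same pipeline in Python; it is not DataPower configuration or code. It assumes identity is extracted from an HTTP Basic header and the resource from URL plus SOAP operation, and the user store, role mapping (Map Identity), ACL and header name are all constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed onboard identity store, user -> (password, role); the appliance would
# consult LDAP, RACF, TAM, etc. The user -> role mapping plays the Map Identity stage.
USERS = {"alice": ("s3cret", "finance"), "bob": ("hunter2", "warehouse")}
# Constructed ACL keyed by the extracted resource "URL:SOAP operation".
ACL = {"/orders:getOrder": {"finance", "warehouse"}, "/orders:cancelOrder": {"finance"}}

@dataclass
class Decision:
    allowed: bool = False
    reason: str = ""
    identity: Optional[str] = None
    resource: Optional[str] = None
    post_headers: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # one line per outcome, the Audit stage

def extract_identity(headers: dict) -> Optional[tuple]:
    # Extract Identity stage: here from an HTTP Basic Authorization header.
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(value[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if user and sep else None

def extract_resource(url: str, soap_action: str) -> str:
    # Extract Resource stage: URL plus SOAP operation, as the slide lists.
    return f"{url}:{soap_action}"

def authenticate(user: str, password: str) -> bool:
    # Authenticate stage against the onboard store, constant-time compare.
    record = USERS.get(user)
    return record is not None and hmac.compare_digest(record[0].encode(), password.encode())

def deny(d: Decision, reason: str) -> Decision:
    d.reason = reason
    d.audit.append(f"DENY {d.resource} user={d.identity}: {reason}")
    return d

def run_aaa(url: str, soap_action: str, headers: dict) -> Decision:
    # Stages in slide order; the first failing stage denies the request.
    d = Decision(resource=extract_resource(url, soap_action))
    cred = extract_identity(headers)
    if cred is None:
        return deny(d, "no identity extracted")
    user, password = cred
    d.identity = user
    if not authenticate(user, password):
        return deny(d, "authentication failed")
    role = USERS[user][1]                       # Map Identity: user -> role
    if role not in ACL.get(d.resource, set()):  # Authorize against the ACL
        return deny(d, f"role {role} not permitted")
    # Post-process: assert the mapped identity to the back end (stand-in for a generated token)
    d.allowed, d.reason = True, "ok"
    d.post_headers["X-Asserted-Role"] = role
    d.audit.append(f"ALLOW {d.resource} user={user} role={role}")
    return d

def basic(user: str, password: str) -> dict:
    # Builds a constructed Authorization header for samples and tests.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```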
The SOA appliances simplify and centralize key functions
Before SOA Appliances
– Higher cost: Application servers must be updated individually
After SOA Appliances
– Secure, route, transform all applications instantly
– No changes to applications
• High speed routing, transformation, and securing of messages to multiple applications without coding changes
• Reduced complexity resulting in lower hardware, software, maintenance and administration costs, improved productivity
• Increased flexibility, so that new functionality can be delivered to the business more quickly
Diagram: functions on the appliance (Routing, Transformation, Security Processing) and example changes (New XML standard, Access control update, Change purchase order schema)
Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security
• Enforce Service Level Agreement policies
• Inspect message content, filter, pattern-match
• Enforce security policies on message content
• Call out to Access Control List(s)
• Detach binaries and call out to virus checker
• Transform content (XSLT, XML-to-XML)
• Establish a new connection to pass results
Diagram: connection from client (Partner App) terminated at the appliance, call-outs to ACL and Virus Scanner, new connection to target (Internal App)
1U form factor
• 4x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports
Message Format & Transport Protocol Mediation Example
Diagram: Consumer (SOAP / HTTP(s)) -> DataPower (format & transport bridging) -> Provider (COBOL / MQ via MQ Queue Manager)
2U form factor
– Simplified “drop in” deployment
– Configure your integrations
– Integrates smoothly into any “shop”: .Net, Java, Legacy
• Content based routing
• Message enrichment
• Message transformation
• Transport protocol translation
• Security
– AAA, Threat protection
– Message validation & filtering
• Centralized management and monitoring point
– Traffic control / Rate limiting
• Intelligent load distribution
ESB HUB Scenario
Diagram: Outside World (Internet: SaaS, Partner Apps, Browsers) -> Protocol Firewall -> DMZ (DataPower, Enhanced Security) -> Domain Firewall -> Internal Network (Packaged Apps, Proprietary Apps, Data; ACL, DB, LDAP; IMS Connect). Protocols shown: HTTP(s), FTP(s), SFTP (SSH), WMQ(s), WS, JMS, TIBCO EMS, ODBC, JMS/EMS, FTP, NFS, HTTP, WMQ
All of the capabilities of the XG45 to proxy and enforce policies
Partner Management functions:
– Define partners with the web management console
– Associate partners with network endpoints
– Attach metadata about the partners to their definitions
Enhanced Qualities of Service
– Onboard persistent transaction store
– Search messages by partner, time, etc.
– Replay messages if necessary
– ebXML/ebMS, AS1, AS2, and AS3 protocol bindings for greater reliability across traditionally unreliable protocols
Additional protocols supported
– SFTP (SSH)
– TIBCO EMS is available as an option
– ODBC
Additional formats supported
– PKCS7 is included in base
Additional transformation engines supported
– DataGlue – WTX/FFD is included in base
2U form factor
• 8x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports
• More memory
• More storage
IBM WebSphere DataPower Virtual Edition
Deployment flexibility & reduced cost for development and test environments
What’s New?
– WebSphere DataPower XG45 and XI52 physical appliance functionality in a “virtual appliance” form-factor running on VMware hypervisor
Features/Business Value
– Industry-leading workload security, optimization, and integration functionality similar to the corresponding physical DataPower appliance models, with three exceptions:
• No Hardware Security Module (HSM) support for FIPS compliance
• No cryptographic hardware acceleration support
• Not part of Common Criteria certification effort in progress for physical appliances
– Powered by a purpose-built platform including an embedded, optimized DataPower Operating System
– Ability to upgrade and downgrade firmware similar to physical appliances
– Seamless configuration migration between physical and virtual appliances
Client Benefits
– A flexible, cost effective choice for non-production environments
– A production solution for environments not suitable for physical appliance deployment
– Offers ability to use virtual appliances for development/test environments and physical appliances for staging, production and disaster recovery
Additional Use Cases
Many people who have used DataPower to secure & optimize customer access from laptops are now allowing mobile browser access.
A global furniture retail business with web applications wants to enable customer mobile access to their hosted web content (i.e. shopping cart data). They are looking to extend access to these web applications from mobile browsers but want to ensure the access is protected.
Diagram: Mobile Browser Applications alongside the existing Browser Application
REST Service Gateway for Mobile Apps
Diagram: Mobile Consumer -> (JSON / XML / SOAP, REST) -> REST Proxy -> (JSON or XML / HTTP(s)) -> Provider
• SSL offload
• Enforcement point for centralized security policies
– Authentication, Authorization, Audit
– Threat protection for XML and JSON
– Message validation and filtering
• Centralized management and monitoring point
– Traffic control / Rate limiting
• Routing / Intelligent load distribution to Provider
• RESTful façade to non-REST Provider
Application Acceleration for Mobile Apps
Diagram: Mobile Consumer -> HTTP(s) GET -> DataPower -> HTTP(s) GET -> Provider; the Provider returns XML and the appliance returns JSON or HTML/XHTML to the Mobile Consumer
• Offload heavy lifting of message transformation from the Provider
• Transform to a format best suited for the requesting Mobile App
– JSON for native/hybrid app
– HTML/XHTML for browser based
WebSphere DataPower provides mobile operations with:
• Ease of Use: Solves complex security and integration challenges in a secure, easy to consume and extremely low TCO network device. DataPower appliances are configuration driven, not programming driven, which simplifies deployment.
• Performance: DataPower is a network device that operates at wire speed. Greater processing power is realized with every new firmware release.
• Flexibility: Secure, integrate, bridge and version applications without application modification.
• Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”.
• Lower TCO: Customers’ own data has shown that DataPower can be 7X-8X less expensive to operate in the data center than traditional alternatives.
Protect your data with cryptography and XML threat protection
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures
– Message-level
– Field-level
– Headers
• Use DataPower to help resolve compliance issues
XML Threat Protection
See: “The (XML) threat is out there…” by Bill Hines, ibm.com/developerWorks
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
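The entity expansion/recursion and XML flood items in the list above are the kind of limits an enforcement point applies before any application parser sees a message. The following is an added illustration in Python and not DataPower's implementation: the limits, the rejection messages and the sample documents are constructed for the example, and the check uses the standard library expat parser with declaration and element callbacks.

```python
import xml.parsers.expat

class XmlThreatRejected(Exception):
    """Raised with a short reason when the document trips a policy limit."""

def inspect_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
                max_elements: int = 10_000) -> dict:
    # Returns counts for the audit log; raises XmlThreatRejected on a policy hit.
    if len(data) > max_bytes:
        raise XmlThreatRejected(f"size {len(data)} exceeds {max_bytes} bytes (XML flood)")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise XmlThreatRejected(f"nesting deeper than {max_depth} (recursion/flood)")
        if stats["elements"] > max_elements:
            raise XmlThreatRejected(f"more than {max_elements} elements (XML flood)")

    def end(name):
        stats["depth"] -= 1

    def entity_decl(*_):
        # Any entity declaration is refused outright, so expansion attacks of the
        # "billion laughs" kind fail at the DTD before a single entity is expanded.
        raise XmlThreatRejected("entity declaration in DTD (entity expansion)")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlThreatRejected(f"malformed XML: {exc}") from exc
    del stats["depth"]
    return stats

def gate(data: bytes, **limits) -> str:
    # Policy-style wrapper returning "ok" or "rejected: <reason>", the way an
    # enforcement point would log the outcome before forwarding or dropping a message.
    try:
        inspect_xml(data, **limits)
        return "ok"
    except XmlThreatRejected as exc:
        return f"rejected: {exc}"

# Constructed samples: a benign SOAP request, a small two-level entity expansion,
# and a document nested 41 elements deep.
SAFE = (b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
        b"<soap:Body><getOrder id='7'/></soap:Body></soap:Envelope>")
EXPANDING = b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY a 'xx'><!ENTITY b '&a;&a;&a;'>]><r>&b;</r>"
DEEP = b"<r>" + b"<x>" * 40 + b"</x>" * 40 + b"</r>"
```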
Payment Card Industry – History
• Initial specifications adopted December 2004
• 1.1 Specifications adopted September 2006
• 1.2 Specifications adopted October 2008
• 1.2.1 specifications adopted August 2009
• 2.0 specifications adopted October 2010
• As of January 2011, every institution must abide by 2.0 specifications
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
To Whom Does PCI DSS Apply?
All merchants & service providers that store, process, use, or transmit cardholder data
• Retail (e-commerce & brick & mortar)
• Hospitality (restaurants, hotels, casinos)
• Convenience Stores (gas stations, fast food)
• Transportation (airlines, car rental, travel agencies)
• Financial Services (credit card processors, banks, insurance companies)
• Healthcare/Education (hospitals, universities)
• Government (where payment cards are accepted)
PCI DSS Requirements “The Digital Dozen”
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security – Connected Entities and Contracts
PCI DSS Ver. 1.1
Success stories
Online Service Provider: Scalable & Secure Online Transactions
Challenge
– To deploy a more scalable infrastructure for supporting secure online transactions and enhancing the scalability, manageability & reliability of the IT environment
Solution
– Implemented WebSphere DataPower Integration Appliance & WebSphere DataPower XML Security Gateway
– The XI50 provides protocol mediation functions & accepts front-end requests via TIBCO EMS. The solution secures, transforms & routes Web services calls to the appropriate endpoint
– The XS40, deployed in the DMZ as a security-enforcement point, offers a full range of Web service security functions.
Benefits
– Increased scalability and security for high volume credit card authorization services, without performance degradation.
– Faster to implement than a software-only solution, with significantly lower maintenance costs.
Products: WebSphere DataPower Integration Appliance XI50; WebSphere DataPower XML Security Gateway XS40
Large Outdoor Retailer: Web Service Enabled Credit Card Repository
Challenge
– To quickly deploy a more secure infrastructure for storing and accessing credit card data in order to meet PCI DSS compliance deadlines
Solution
– Implemented WebSphere DataPower Integration Appliance with licensed ODBC option
– The XI50 provides a web service interface to the back end DB2 v9 database that holds customer credit card information
– Tivoli Systems Automation for Multiplatform (TSA) provides DB redundancy; on-box load balancing provides redundancy for DataPower
– Solution will accommodate significant growth
Benefits
– Met PCI DSS compliance deadlines
– Improved application integration flexibility through use of SOA standards and componentry
Products: WebSphere DataPower Integration Appliance XI50; Tivoli Systems Automation for Multiplatform; DB2 v9
Diagram: SOAP Messages -> XI50 -> SQL Statements -> DB2 v9
How to learn more
YouTube http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
IBM.com http://www-01.ibm.com/software/integration/datapower/
Redbooks:
– Appliance architectural patterns http://www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf
– B2B Gateway appliance http://www.redbooks.ibm.com/redbooks/pdfs/sg247745.pdf
– The programmatic management interface http://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf