Data power use cases
Transcript of Data power use cases
© 2015 IBM Corporation
IBM DataPower Gateway: Common Use Cases
Christopher Khoury, Andrew White
Agenda
• DataPower Gateway Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
DataPower Gateways …
IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors.
• INTEGRATE Systems of Engagement with Systems of Record
• CONTROL & MANAGE Traffic and Service Level Agreements
• SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
• OPTIMIZE Data Delivery and User Experiences
• CONSOLIDATE & Simplify Infrastructure Footprint
Single security and integration gateway platform to provide security, integration, control & optimized access to a full range of Mobile, API, Web, SOA, B2B, & Cloud workloads
Gateway for the Multi-channel Enterprise (diagram: IBM DataPower Gateway at the center, one spoke per workload)
• Mobile: Simplify mobile security with a single, purpose-built gateway; control mobile traffic and accelerate delivery
• Web: Simplify web security with a single, purpose-built gateway; control traffic and accelerate delivery for intranet and internet web applications
• Cloud: DataPower gateway functionality in a virtual appliance form factor; supports multiple hypervisor & cloud environments
• API: Easily secure, control, publish, monitor & manage your APIs
• SOA: Secure, integrate, control & manage SOA workloads in the DMZ and Trusted zones
• B2B: Extend Connectivity & Integration beyond the enterprise with DMZ-ready B2B edge capabilities
IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, integration, control and optimized access to a full range of Mobile, Web, API, SOA, B2B, & Cloud workloads
(Diagram: Internet, DMZ and Trusted Domain zones; consumers and trading partners on the Internet, DataPower Gateways in the DMZ and in the trusted zone, middleware and z System behind them.) Numbered placements:
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 ESB / Integration Gateway
7 Internal Security Enforcement
8 Web Services Governance & Management
9 Legacy Integration
Common Use Cases
(Diagram: before DataPower Gateway, each consumer connects directly to each application; after DataPower Gateway, the gateway sits between consumers and applications to Secure, Control, Integrate and Optimize.)
Simplify, offload & centralize critical functions
Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity
Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution
Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms
Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption
DataPower Gateway: Single, modular & extensible platform (2U Physical or Virtual Edition)
Features of IBM DataPower Gateway (Base):
• Secure: Authentication, authorization; Security token translation; Service / API virtualization; Threat protection; Message validation; Message filtering; Message digital signature; Message encryption; AV scanning integration
• Integrate: Transport protocol bridging; Message enrichment; Message transformation & processing using JavaScript, JSONiq, XQuery, XSLT; Mainframe integration & enablement; Flexible pipeline message processing engine
• Control & Manage: Service level management; Quota & rate enforcement; Content-based routing; Message accounting; Integration with management & visibility platforms including IBM API Management & WSRR for policy enforcement
• Optimize & Offload: SSL / TLS offload; Hardware accelerated crypto*; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; Local response caching; Distributed caching with XC10; Backend load balancing
Add-on modules:
• ISAM Proxy Module: User access control, session management, web SSO enforcement; Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authentication; Integration with ISAM for Mobile
• Application Optimization Module: Front-end self-balancing; Back-end intelligent load distribution; Session affinity; z Sysplex Distributor integration
• Integration Module: Any-to-any message transformation; Database connectivity; Mainframe IMS connectivity
• B2B Module: B2B DMZ gateway; EDIINT AS1, AS2, AS3, ebXML; Partner profile management; B2B transaction viewer; Any-to-any message transformation; Database connectivity
• TIBCO EMS Module: Integrate with TIBCO EMS messaging middleware; Support for queues & topics; Load balancing & fault tolerance
Deployment options
Physical: purpose-built, DMZ-ready appliances provide physical security
• High density 2U rack-mount design
• 8 x 1 GbE and 2 x 10 GbE ports
• Cryptographic acceleration card
• Trusted platform module
• Customized intrusion detection
• Optional HSM (FIPS 140-2 Level 3 certified)
Virtual: virtual appliances provide deployment flexibility
• Support multiple hypervisors and cloud environments: VMware; Citrix XenServer; IBM PureApplication System (x86 nodes); IBM PureApplication Service on SoftLayer (x86 nodes); IBM SoftLayer bare metal instances using supported hypervisors
Purpose-built hardware provides physical security
• Sealed, tamper-evident case
• No usable USB, VGA, other ports
• Intrusion detection switch
• Trusted Platform Module
• Encrypted flash drive
• FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys
Hardened firmware provides platform security for physical & virtual gateways
• Single signed and encrypted firmware by IBM
• No arbitrary software
• Optimized, embedded operating system
• High assurance, “locked-down” configuration
• Key materials are not exportable from the appliance *
Enterprise grade security requires a secure platform
Virtual Edition
DataPower gateway functionality in virtual appliance form factor to rapidly secure, integrate, control & optimize access to Mobile, API, Web, SOA & B2B workloads on hypervisor & cloud platforms
• Use for development, test or production
• Supports multiple hypervisor & cloud platforms: VMware; Citrix XenServer; IBM PureApplication System W1500/W2500; IBM PureApplication Service on SoftLayer (x86); IBM SoftLayer bare metal instances on x86 nodes
• Seamless configuration migration between physical and virtual appliances
• Utilizes the same industry-proven & purpose-built platform, including an embedded, optimized DataPower Operating System, that powers the physical appliances
• Delivers purpose-built, highly consumable Security & Integration Gateway functionality in virtual appliance form factor for cloud deployments (runs on an x86 server)
Virtual Edition Benefits
• Deployment flexibility and elasticity: "right size" the deployment, quickly deploy where needed, & rapidly scale
• Workload isolation: projects can use their own instances
• Unbounded memory scalability: memory can be added to instances without additional licensing
• Low cost for Dev & Test environments: Developer & Non-Production versions include add-on software modules at no additional charge
• Free disaster recovery: warm or cold backup without additional licenses when licensed for Production
• Flexible licensing and entitlement: sub-capacity licensing; monthly licensing option; entitlement to future product versions at no additional charge with active maintenance (S&S)
DataPower Gateways: over 14 years of innovation & over 2,000 global installations
• Insurance: used by 95% of top global insurance firms; SaaS providers, ASPs, regulators, etc.
• Government: agencies and ministries; defense and security organizations; Crown corporations
• Banking: majority of the big US and European banks; all of the big 5 Canadian banks; numerous regional banks and credit unions
• Many, many more: healthcare, retailers, utilities, power, oil and gas, telecom, airlines, others
DataPower'ing IBM Bluemix: Security, Control, Filtering, Content-Based Routing, Load balancing, Monitoring and Logging
(Diagram: mobile clients and Bluemix tooling on the Internet reach DataPower gateways, which front the Application Managers, apps and services running on OpenStack VMs, as well as external services.)
Did you know? DataPower has been trusted to be the exclusive gateway for Bluemix, IBM's global Platform as a Service
Security & Optimization Gateway
DataPower security roles and objectives
• Protect data and other resources on the appliance and protected servers
• System availability: protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network; only allow "valid" messages through
• Identification and Authentication: verify the identity of network users
• Authorization: protect data and other system resources from unauthorized access
• Protect data in the network using cryptographic security protocols:
– Data End Point Authentication: verify who the secure end point claims to be
– Data Origin Authentication: verify that data was originated by the claimed sender
– Message Integrity: verify contents were unchanged in transit
– Data Confidentiality: conceal clear text using encryption
Secure access to Web and legacy applications
(Diagram: Internet, DMZ and Intranet separated by firewalls; DataPower in the DMZ performs authentication and authorization, user federation, and z/OS RACF for user identification & authentication, with certificates/keys protecting mission-critical data on the applications and systems behind it.)
• Converged security enforcement
• Rock-solid DataPower platform
• Leverages enterprise security and policy managers
Silos of security & control are impeding business agility
(Diagram: for each business channel, Web, Mobile, B2B, SOA, APIs and Cloud, a separate solution, Web Access Proxy, Mobile Gateway, B2B Gateway, SOA Gateway, API Gateway and Cloud Gateway, sits between the users, developers, partners, consumers and employees, and the applications and systems: z System, middleware, ESB, applications and services.)
IBM DataPower Gateway: reduce cost + improve security & control with a single gateway
(Diagram: the same channels and users, with one IBM DataPower Gateway providing security & control for all of them in front of the same applications and systems.)
IBM Multi-channel gateway (New in V7.1)
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
The ISAM for DataPower module provides the reverse proxy component that enforces:
• Centralized user authentication & coarse-grained authorization
• Session management & web SSO
• Context-based access & mobile SSO
• Strong authentication including one-time password and multi-factor authentication
(Diagram: web browsers and portals, mobile web, Web 2.0 (AJAX), native mobile, hybrid mobile, B2B, API and SOA (Web Services) clients reach the IBM DataPower Gateway; its ISAM Module provides user access security, while the gateway itself provides app, service & API security, traffic control & optimization, and connectivity & transformation.)
Security Gateway: Proxying and Enforcement
(Diagram: the connection from the client in the outside world terminates at the gateway in the DMZ, which opens a new connection to the target in the internal network; an ACL and an external virus scanner sit beside the gateway.)
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (schema validate)
• Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (establish a new connection to pass results)
• Cache data on-box or in a centralized, shared XC10 grid
Web Service Request from Consumer to Provider carrying Basic Auth, OAuth 2.0, WS-Security UNT, etc.
Security Gateway deployment
(Diagram: Internet consumers, SaaS, partner apps and browsers, cross the protocol firewall into the DMZ, where the Security Gateway enforces incoming access control and threat protection; traffic then crosses the domain firewall (ACL) into the internal network, where an internal Security Gateway enforces outgoing access control, SAML injection, etc. in front of the ESB, packaged and proprietary apps, and data.)
• Protocols and formats at the gateway: HTTP(s); HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC
• Security standards: WS-SecurityPolicy, WS-Trust, SAML, OAuth 2.0
• Identity and policy stores the gateway calls out to: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, a PDP (XACML, SAML, other)
• Internal security: Web Service Request from an internal consumer carrying SAML, LTPA or Kerberos
Protection of data plus XML & JSON threat protection: DataPower security is policy driven
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
• Use WS-SecurityPolicy to define security requirements for your web services: DataPower natively consumes and enforces WS-SecurityPolicy statements (Integrity & Confidentiality, SupportingTokens, Message/Transport Protection)
• Use XACML to define access and authorization policies for your web services: DataPower natively consumes and enforces XACML policies (resource-based authorization; PEP and PDP roles)
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• … many others
JSON Threat Protection
• Label-value pairs: label string length (characters); value string length (characters); number length (characters)
• Threat protection: maximum nesting depth (levels); maximum document size (bytes)
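The two threat-protection lists above describe limits a gateway enforces before a payload reaches a parser or a back end. The following is an added example, written for this transcript and not code from IBM or from the DataPower product: it implements the JSON limits named on the slide (document size, nesting depth, label, value and number length) and the XML entity-expansion and depth checks, using only the Python standard library. The limit values, the function names and the sample payloads are this example's own assumptions, not product defaults.

```python
# Added example, not code from the IBM deck: gateway-style threat protection for
# XML and JSON payloads, modelled on the limits the slides list. The limit values
# and the sample payloads are this example's own assumptions.
import json
import xml.parsers.expat


class ThreatDetected(Exception):
    """Raised when a payload violates a configured limit."""


# The five JSON knobs from the slide (values assumed, not product defaults).
JSON_LIMITS = {"max_document_size": 4096, "max_nesting_depth": 8,
               "max_label_length": 64, "max_value_length": 256,
               "max_number_length": 32}
XML_LIMITS = {"max_document_size": 65536, "max_element_depth": 32, "max_attributes": 64}


def json_nesting_depth(raw: bytes) -> int:
    """Bracket depth from a linear scan that skips string literals, so a deeply
    nested document is rejected before any parser recurses into it."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def check_json(raw: bytes, limits=JSON_LIMITS):
    """Size and depth are enforced before parsing, number length during parsing
    (the parse_int/parse_float hooks see the raw literal), label and value
    length after parsing. Returns the document or raises ThreatDetected."""
    if len(raw) > limits["max_document_size"]:
        raise ThreatDetected("document larger than %d bytes" % limits["max_document_size"])
    if json_nesting_depth(raw) > limits["max_nesting_depth"]:
        raise ThreatDetected("nesting deeper than %d levels" % limits["max_nesting_depth"])

    def number_hook(text):
        if len(text) > limits["max_number_length"]:
            raise ThreatDetected("numeric literal longer than %d characters" % limits["max_number_length"])
        return float(text) if any(c in text for c in ".eE") else int(text)

    try:
        doc = json.loads(raw.decode("utf-8"), parse_int=number_hook, parse_float=number_hook)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ThreatDetected("malformed JSON: %s" % exc)
    stack = [doc]  # iterative walk: depth is already bounded, recursion avoided anyway
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for label, value in node.items():
                if len(label) > limits["max_label_length"]:
                    raise ThreatDetected("label longer than %d characters" % limits["max_label_length"])
                stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and len(node) > limits["max_value_length"]:
            raise ThreatDetected("value longer than %d characters" % limits["max_value_length"])
    return doc


def check_xml(raw: bytes, limits=XML_LIMITS) -> int:
    """Stream-parse with expat and stop at the first DOCTYPE or entity declaration
    (entity expansion/recursion, external entities) or at excessive element
    depth. Returns the element count of an accepted document."""
    if len(raw) > limits["max_document_size"]:
        raise ThreatDetected("document larger than %d bytes" % limits["max_document_size"])
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "elements": 0}

    def reject_dtd(*_args):  # fires on "<!DOCTYPE" / "<!ENTITY", before any expansion
        raise ThreatDetected("DOCTYPE and entity declarations are not allowed")

    def start_element(name, attributes):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > limits["max_element_depth"]:
            raise ThreatDetected("elements nested deeper than %d levels" % limits["max_element_depth"])
        if len(attributes) > limits["max_attributes"]:
            raise ThreatDetected("more than %d attributes on <%s>" % (limits["max_attributes"], name))

    def end_element(_name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(raw, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ThreatDetected("malformed XML: %s" % exc)
    return state["elements"]


def is_rejected(checker, raw: bytes) -> bool:
    """True if the checker raises ThreatDetected for this payload."""
    try:
        checker(raw)
    except ThreatDetected:
        return True
    return False


# Constructed sample payloads.
GOOD_JSON = b'{ "Task" : "AddEntry", "Detail": "Create presentation materials." }'
DEEP_JSON = b"[" * 20 + b"]" * 20                       # 20 levels, limit is 8
LONG_NUMBER_JSON = b'{"amount": 1' + b"0" * 40 + b"}"   # 41-digit literal, limit is 32
GOOD_XML = b"<order><item sku='A1'/><item sku='B2'/></order>"
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
```

The order of the checks is the point: size and nesting depth are decided from the raw bytes, the DTD is rejected by expat's declaration callbacks before any entity is expanded, and only then does a full parse happen. A gateway that parses first and checks afterwards has already paid the cost the attacker wanted it to pay.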
AAA: Authentication, Authorization, Auditing
The AAA policy runs as a pipeline from input to output, calling an external access control server or the onboard identity management store at each stage:
• Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML assertion, IP address, LTPA token, HTML form, OAuth, custom
• Authenticate: LDAP/Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
• Extract Resource: URL, XPath, SOAP operation, HTTP operation, custom
• Map Identity and Map Resource
• Authorize: LDAP/Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, custom
• Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SPNEGO, generate SAML, generate LTPA, map Tivoli Federated Identity
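The AAA stages above are easier to reason about as code. What follows is an added example for this transcript, not IBM's implementation and not the DataPower AAA policy itself: a minimal pipeline in the same stage order (extract identity, authenticate, extract resource, map identity, map resource, authorize, audit) applied to one HTTP request with Basic credentials. The user store, the resource policy, the group names and the requests are constructed for the example; a real deployment would replace the authenticate and authorize stages with calls to LDAP, ISAM, RACF or an XACML PDP.

```python
# Added example, not code from the IBM deck: a minimal AAA policy in the stage
# order shown on the slide. The on-board user store, the resource policy and the
# requests are constructed for this example.
import base64
import hashlib
import hmac

_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed on-board identity store: user -> (salt, PBKDF2 hash, groups).
# Fixed salts keep the example short; a real store uses a random salt per user.
_USERS = {
    "alice": (b"salt-alice", _hash_password("correct horse", b"salt-alice"), {"trader"}),
    "bob": (b"salt-bob", _hash_password("hunter2", b"salt-bob"), {"auditor"}),
}
# Constructed resource policy: mapped resource -> groups allowed to reach it.
_POLICY = {
    ("GET", "/accounts"): {"trader", "auditor"},
    ("POST", "/accounts"): {"trader"},
}
_DUMMY = (b"no-such-user", bytes(32), set())  # unknown users cost the same as known ones
AUDIT_LOG = []


def extract_identity(headers):
    """Stage 1: pull credentials from the HTTP Authorization header (Basic)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(value[6:], validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def authenticate(identity):
    """Stage 2: verify the credential against the store with a constant-time compare."""
    if identity is None:
        return None
    user, password = identity
    salt, expected, _groups = _USERS.get(user, _DUMMY)
    if hmac.compare_digest(_hash_password(password, salt), expected) and user in _USERS:
        return user
    return None


def extract_resource(method, path):
    """Stage 3 plus map-resource: HTTP operation and the first URL segment."""
    return (method.upper(), "/" + path.strip("/").split("/")[0])


def map_identity(user):
    """Map identity: the authenticated user's groups become the authorization subject."""
    return _USERS[user][2]


def authorize(groups, resource):
    """Stage 4: any group of the caller listed for the resource is sufficient."""
    return bool(groups & _POLICY.get(resource, set()))


def aaa(method, path, headers):
    """Run the pipeline and return (status, principal); every outcome is audited."""
    resource = extract_resource(method, path)
    user = authenticate(extract_identity(headers))
    if user is None:
        AUDIT_LOG.append(("deny", None, resource, "authentication failed"))
        return 401, None
    if not authorize(map_identity(user), resource):
        AUDIT_LOG.append(("deny", user, resource, "not authorized"))
        return 403, user
    AUDIT_LOG.append(("allow", user, resource, ""))
    return 200, user


def basic_auth_header(user, password):
    """Build the Authorization header a client would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}
```

Two details carry over to any real policy: the unknown-user path hashes a dummy entry so timing does not reveal which usernames exist, and the audit record is written on every branch, including authentication failure, because the deny events are the ones an incident responder needs.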
Traffic Control / Rate Limiting
Service Level Monitoring (SLM) protects your services and applications from over-utilization and enforces quota
• Frequency based on concurrency OR on messages per time period
• Take action when exceeding a custom threshold: Notify (or log), Shape (or delay), Throttle (or reject)
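The SLM behaviour above (a threshold measured either as concurrency or as messages per period, with notify, shape or throttle on breach) is shown below as an added example written for this transcript; it is not IBM's SLM implementation and its class, method and parameter names are assumptions. The shaping rule is the part worth studying: a shaped message is given the exact delay after which the window has room for it, and that future slot is reserved so later arrivals queue behind it instead of all being released at once.

```python
# Added example, not code from the IBM deck: a service level monitor shaped like
# the SLM policy described above. The threshold is expressed either as concurrent
# in-flight messages or as messages per interval, and the action on breach is
# notify (forward and log), shape (forward after a delay) or throttle (reject).
# Class, parameter and method names are this example's own.
import collections
import threading
import time


class ManualClock:
    """Deterministic clock for the demo: advance() instead of sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SLMPolicy:
    ACTIONS = ("notify", "shape", "throttle")

    def __init__(self, threshold, interval=None, action="throttle",
                 shape_delay=0.5, clock=time.monotonic):
        """interval=None: threshold is a concurrency limit (pair admit() with
        release()); otherwise threshold is messages per `interval` seconds.
        shape_delay is the retry hint used when shaping in concurrency mode."""
        if action not in self.ACTIONS:
            raise ValueError("action must be one of %s" % (self.ACTIONS,))
        self.threshold, self.interval, self.action = threshold, interval, action
        self.shape_delay = shape_delay
        self._clock = clock
        self._lock = threading.Lock()
        self._in_flight = 0
        self._admitted = collections.deque()  # sorted admission times in the window
        self.notifications = []                # (time, message_id) logged by "notify"

    def admit(self, message_id):
        """Return (decision, delay_seconds): "allow", "notify" (forward and log),
        "shape" (forward after delay) or "throttle" (reject, e.g. HTTP 429)."""
        now = self._clock()
        with self._lock:
            if self.interval is None:
                over = self._in_flight >= self.threshold
            else:  # slide the window: drop admissions older than the interval
                while self._admitted and now - self._admitted[0] >= self.interval:
                    self._admitted.popleft()
                over = len(self._admitted) >= self.threshold
            if not over:
                self._record(now)
                return "allow", 0.0
            if self.action == "throttle":
                return "throttle", 0.0
            if self.action == "notify":
                self.notifications.append((now, message_id))
                self._record(now)
                return "notify", 0.0
            if self.interval is None:  # shaping in concurrency mode: ask the caller to retry
                return "shape", self.shape_delay
            # Shaping in rate mode: the slot opens when the admission that currently
            # blocks us ages out; reserve it so later arrivals queue behind this one.
            release_at = self._admitted[len(self._admitted) - self.threshold] + self.interval
            self._record(release_at)
            return "shape", release_at - now

    def release(self):
        """Concurrency mode: a forwarded message has completed."""
        with self._lock:
            self._in_flight = max(0, self._in_flight - 1)

    def _record(self, at):
        if self.interval is None:
            self._in_flight += 1
        else:
            self._admitted.append(at)
```

With a threshold of 3 messages per 10 seconds and three admissions at t=0, the fourth, fifth and sixth arrivals at t=2 are each delayed 8 seconds (they fill the window that opens at t=10), and the seventh is delayed 18 seconds, because the first reserved slot is now the one it has to wait for.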
Retail Service Provider: securely expose services to consumers
Challenge: consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs; a Web services infrastructure was needed to support highly secure data routing given the daily high volume & sensitive nature of the information
Solution: implemented WebSphere DataPower to form the Web services backbone; through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data; integrated seamlessly into the heterogeneous environment (including identity management), increasing interoperability & promoting reuse
Benefits: secure SOA on a standards-based platform; easily reuse Web services throughout the enterprise; boosts productivity of IT staff; substantially shortens time to market for new services
Application Optimization
• Self Balancing: self-balance across a cluster of appliances (IP spraying); replace the front-end IP load balancer; enables connections to be preserved, without loss, during a failover scenario
• Dynamic and Intelligent Load Distribution to backend systems: replace the backend load balancer; auto-discovers application targets and distributes load using a dynamic feedback mechanism; topology learning for WAS ND and VE; embedded On Demand Router for WAS ND environments; provides several options for enabling session affinity; failure of target application endpoints is masked by appropriate weighted distribution
• Built-in cache: cache application response data locally or in a caching grid (IBM DataPower XC10)**
(Diagram: users reach a self-balancing DataPower cluster, with no front-end IP load balancer needed, which performs dynamic back-side routing and load distribution to the WAS applications using dynamic information from the back-ends.)
Application Optimization Example: JSON REST to-do-list app
Scenario: a public user sends JSON REST requests such as { "Task" : "AddEntry", "Detail": "Create presentation materials." } to a WAS application in the enterprise
Issues: high server load; slow response time (>10 s)
1. Improve server load with SSL offload: client requests are secured via the DataPower SSL concentrator in the DMZ (improved load)
2. Manage traffic with application fluency: DataPower enables application-aware traffic management, for example on a request like
PUT /joe/todos HTTP/1.1
Host: joe.org
Content-Type: application/json
Content-Length: 69

{ "Task" : "AddEntry", "Detail": "Waste time." }
(improved load)
3. Distribute load intelligently: Application Optimization adds load distribution intelligence, leveraging dynamic runtime conditions to distribute based on topology & workload (improved load, improved response time)
4. Cache at the edge(s): application results are cached at the edge using the XC10 caching grid OR locally on-box (low load, fast response)
Result: faster application response time; lower server load; improved system throughput
Using XC10 as a side cache for DataPower
1. Client submits an application request.
2. DataPower XI parses the request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards the request to the target Provider.
4. XI adds the application response to XC10.
5. Client receives the response from XI.
• Easily integrates into the existing business process: no code changes to the client or back-end application; simply add the side-cache mediation
• Significantly reduces the load on the back-end system by eliminating redundant requests (improved load)
• Improves client-observed response time: the Provider's large response time is paid only on a miss
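The five steps above are a cache-aside pattern, and the one decision that makes or breaks it as a security control is what goes into the cache key. The following added example, written for this transcript and not IBM's or the XC10 grid's code, implements the mediation with an in-memory TTL cache standing in for XC10. The provider, the requests, the TTL and the header names are constructed assumptions. The key covers method, URL, body and the identity-bearing headers named in vary_headers, so one caller's cached response is never served to another, and only GET requests are cached.

```python
# Added example, not code from the IBM deck: the side-cache mediation steps 1-5,
# with an in-memory TTL cache standing in for the XC10 grid. The provider, the
# requests and the TTL are constructed for this example.
import hashlib
import time


class TTLCache:
    """Minimal time-to-live cache (the XC10 grid stand-in)."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # key -> (expires_at, value)

    def get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self._clock() >= expires_at:
            del self._entries[key]  # expired: behaves like a miss
            return None
        return value

    def put(self, key, value):
        self._entries[key] = (self._clock() + self.ttl, value)


class SideCacheMediation:
    """Steps 1-5: look up, forward on a miss, store, answer; count hits and misses."""

    def __init__(self, provider, cache, vary_headers=("Authorization",)):
        self.provider = provider  # callable(method, url, headers, body) -> bytes
        self.cache = cache
        self.vary_headers = vary_headers
        self.hits = self.misses = self.bypassed = 0

    def cache_key(self, method, url, headers, body):
        h = hashlib.sha256()
        for part in (method.upper(), url, body):
            h.update(part.encode("utf-8") if isinstance(part, str) else part)
            h.update(b"\0")
        for name in self.vary_headers:  # identity-bearing headers are part of the key
            h.update(name.lower().encode("ascii") + b"=" + headers.get(name, "").encode("utf-8") + b"\0")
        return h.hexdigest()

    def handle(self, method, url, headers=None, body=b""):
        """Return (response_bytes, "hit" | "miss" | "bypass")."""
        headers = headers or {}
        if method.upper() != "GET":  # only safe, idempotent reads are cached
            self.bypassed += 1
            return self.provider(method, url, headers, body), "bypass"
        key = self.cache_key(method, url, headers, body)
        cached = self.cache.get(key)  # step 2: query the grid
        if cached is not None:
            self.hits += 1
            return cached, "hit"  # straight to step 5
        self.misses += 1
        response = self.provider(method, url, headers, body)  # step 3: forward
        self.cache.put(key, response)  # step 4: store
        return response, "miss"  # step 5

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


class FareProvider:
    """Constructed back end that counts calls, so the load reduction is visible."""

    def __init__(self):
        self.calls = 0

    def __call__(self, method, url, headers, body):
        self.calls += 1
        return ("fare for %s #%d" % (url, self.calls)).encode("utf-8")


class ManualClock:
    """Deterministic clock for the demo."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```

A 10-minute TTL, as in the travel case study that follows, means a fare can be up to 10 minutes stale; the trade-off is acceptable for availability lookups and not for a booking, which is why writes bypass the cache entirely.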
DataPower Gateway + XC10: Travel and Transportation
Online Reservations / Reservations System
• Before: 3-5 sec response time; after: 0.01-0.05 sec response time
• Caching service requests improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability
• 52% caching rate
• 10-minute cache resulted in 40% reduction in load on the back-end systems
• Maintained high data integrity: faster responses were also accurate
• POC in 3.5 hrs
Results: 100x performance improvement; improved reliability and scalability of reservation channels; reduced traffic to backend systems; delivers high performance & consistent response times; scales with simplicity and lower TCO
Mobile Connectivity
Key Mobile-specific Application & API issues
• Secure: How to protect your back-end systems from harmful workloads and unauthorized mobile users & apps? SSL offload, threat protection, authentication, authorization, context-based access, mobile SSO, security token translation
• Control: How to limit & shape mobile traffic based on service level agreements, and route based on message content? Rate limiting / SLA enforcement, validation, filtering, content-based routing
• Integrate: How to convert mobile payloads, bridge transports and connect to existing services at wire speed? Message transformation
• Optimize: How to improve response time, reduce load on backend systems and intelligently distribute load? Intelligent load distribution, response caching
(Diagram: native, hybrid and mobile web apps reach the IBM DataPower Gateway with its ISAM Module, which fronts /apimanagement, apps and services, and middleware / ESB and legacy apps.)
Rapidly Connect Mobile Apps with Enterprise Services: securely expose enterprise data & APIs to Mobile Apps while optimizing delivery
Mobile Gateway solution for on-premise and cloud
• DataPower appliance with ISAM module (Security Enforcement Point) for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
• ISAM for Mobile (Security Decision Point) for context-based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)
Rapidly deliver secure integration & optimized access for enterprise mobile applications, in front of apps, services, middleware and z System
Closer look at some Mobile Connectivity scenarios
REST Service Gateway for Mobile Apps (REST Proxy): the Mobile Consumer sends JSON or XML over HTTP(s) to the IBM DataPower Gateway, which reaches the Provider over REST with JSON / XML / SOAP
• SSL offload
• Enforcement point for centralized security policies: authentication, authorization, OAuth 2.0, audit; threat protection for XML and JSON; message validation and filtering
• Centralized management and monitoring point: traffic control / rate limiting
• Routing / intelligent load distribution to the Provider
• RESTful façade to a non-REST Provider
Application Acceleration for Mobile Apps: the Mobile Consumer issues HTTP(s) GET and receives JSON or HTML/XHTML; the IBM DataPower Gateway issues HTTP(s) GET to the Provider and receives XML
• Offload the heavy lifting of message transformation from the Provider
• Transform to the format best suited for the requesting Mobile App: JSON for a native/hybrid app; HTML/XHTML for a browser-based app
• Cache response data from the Provider: locally on the appliance; externally in the elastic caching XC10
Sportsbet leverages IBM DataPower appliances to drive mobile business growth
Challenges: Business: increase demand for mobile services while bolstering security & cost optimization. IT: securely integrate mobile apps with the e-commerce platform & APIs to address performance, capacity management & decoupling of front-end apps from back-end business logic
Solution: IBM DataPower appliance XG45 as a mobile security & integration gateway
Benefits: Time to value: rapid implementation enabled the business to integrate the middle layer in just 2 weeks vs. 2 months with a competitor's product. Performance: processed ~4000 transactions per minute, increasing performance 4X. Security & agility: separation of concern between consumer applications & the core e-commerce system, through security, translation & transformation logic in the gateway
"DataPower forms our mobile middle layer & our API infrastructure for all future consumer apps" - Enterprise Architecture Manager, Sportsbet
Sprint leverages IBM DataPower appliances to rapidly & securely grow mobile revenue
Challenges: Business: grow mobile revenue while protecting customer privacy and optimizing costs. IT: integrate mobile devices, addressing security, speed, scalability and optimization of demand on the existing application infrastructure
Solution: IBM DataPower Integration Appliance XI52 as a security & integration gateway for external and internal use; IBM DataPower Caching Appliance XC10 as a side cache to increase customer responsiveness
Benefits: Time to value: drop-in, rack-ready solution for rapid deployment enables the business to quickly launch a new mobile device within a month. Scale on demand: 50 billion transactions/month for the external ad gateway; 1 billion transactions/month for internal users
API Management
IBM API Management: one integrated platform to design, secure, control, publish, monitor & manage APIs
• Developer Portal: self-service experience; explore API documentation; provision application keys
• API Manager: define and manage APIs; explore API usage with analytics; manage API user communities
• Management Console: provision system resources; monitor runtime health; scale the environment
• API Gateway (IBM DataPower): enforce runtime policies to control API traffic
API Management Solution
(Diagram: partner, external and internal app developers build mobile & web apps, business partner apps and enterprise internal apps (the Consumer side, Systems of Engagement) that call APIs through the API Gateway (DataPower); the solution, on-premise OR cloud, provides Developer Portal, Syndication, Creation & Assembly, Policy Management, Monitoring & Analytics, Security & Control, and Lifecycle Mgmt & Governance; behind it sit the App / API Provider, Middleware, Datastore and z System (the Provider side, Systems of Record).)
Large Financial institution provides secure mobile access to customer information
Business Challenge: accelerate end-to-end mobile application development; reduce time to configure and manage software and prepare test environments; enhanced analytics on the usage of their services; increased performance to handle peak seasonal volumes
Solution: IBM API Management, DataPower, Worklight, PureSystems
Business Value: enhanced user experience enabling quick access to customer information using OAuth authentication, replacing a custom security solution; ability to access backend data through DataPower/API Management using RESTful services; easily handle traffic spikes, enabling easier capacity planning
Leading Global Commercial Bank provides easy & secure access to key financial services
Business Challenge: difficult for internal partners and developers to discover & access key financial services; lacked a standard ecosystem to manage internal partners including global credit card companies and merchants; no visibility on service consumption or ability to charge back LoB use of services
Solution: IBM API Management & DataPower (example apps shown)
Business Value: offers 3rd-party merchants secure, standards-based access to key business services as APIs, with a self-service experience; provides an internal ecosystem for partners and a central repository with usage analytics; drives innovation for mobile application development
Large Airline in North America provides authorized access to flight services
Business Challenge: external business partners retrieved flight information by scraping the company's website; unauthorized access to full flight information, with no usage analytics; delays in updating the website made it difficult for an authorized partner to test changes; a REST-based API had just been built but security was not in place
Solution: IBM API Management & DataPower
Business Value: easily and securely connect the company website to new APIs, saving the cost of building OAuth-based secure access; enable secure exposure of APIs to external business partners, saving the implementation cost of building a developer support infrastructure with access management; ability to leverage the existing investment in the IBM DataPower gateway and the internal team's skillset; enable secure mobile app integration with enterprise APIs
Leading European Auto Manufacturer provides innovative vehicle connectivity with IBM API Management
Business Challenge: offer innovative connectivity services to customers, improve the driver experience, improve safety, and create new revenue sources; improve driving conditions with driver profiling, eco-driving, fleet management and reduced accident risk; collect data and monetize it for partners
Solution: IBM API Management, DataPower & MessageSight
Business Value: "always connected" low-latency, reliable communications with the car systems/apps and customer mobile apps; vehicle data APIs published on a secure developer portal; internal & external developers use vehicle data to develop mobile applications; drives innovation for mobile application development
Leading Retailer in North America provides easy & secure access to retail services
Business Challenge: difficult for internal partners and developers to discover & access key retail services; leverage mobility as a revenue stream and manage internal and external business partners; no visibility on service consumption or ability to charge back LoB use of services
Solution: IBM API Management & DataPower
Business Value: offers 3rd-party merchants secure, standards-based access to key business services as APIs, with a self-service experience; provides an internal ecosystem for partners and a central repository with usage analytics; drives innovation for mobile application development
Enterprise Integration
Integration: Content-Based Routing
• Dynamically route based on any message content
– Attributes such as the originating IP, requested URL, protocol headers, etc.
– Data within the message such as SOAP headers, XML, non-XML content, etc.
• Query a repository for routing information
– WebSphere Service Registry & Repository, XML files, databases, web servers
Integration: Any-To-Any Message Transformation
• Transform the message format with ultimate flexibility (input and output messages may be XML, text or binary)
– Leverage WebSphere Transformation Extender for data mapping, with maps built in WebSphere TX Design Studio
Integration: Transport Protocol Translation
• Integrate disparate transport protocols with extreme ease
– No dependencies between the inbound "front-side" and outbound "back-side" protocols
– Examples: HTTP(S), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, TIBCO EMS, SFTP, FTP(S), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
• Support synchronous, asynchronous, pub-sub, assured-delivery and once-and-only-once message patterns
Integration: Message Format & Transport Protocol Mediation Example
Diagram: a consumer sending SOAP over HTTP(S) is bridged by DataPower, in both format and transport, to a COBOL application reached through a WebSphere MQ queue manager (COBOL / MQ).
Integration Scenario
Diagram: the DataPower Gateway sits in the DMZ between the protocol firewall (Internet side: browsers, partner apps, SaaS) and the domain firewall (internal network: packaged and proprietary apps with their data, core services and core data, along with ACL, DB and LDAP resources). Front-side protocols include HTTP(S), FTP(S), SFTP (SSH), WMQ(S), WS JMS, TIBCO EMS and ODBC; back-side connections include HTTP, WMQ, JMS/EMS, FTP, NFS and IMS Connect.
Enhanced security in the DMZ:
• AAA, threat protection
• Message validation & filtering
• Traffic control / rate limiting
Integration and optimization:
• Content-based routing
• Message enrichment
• Message transformation
• Transport protocol translation
• Intelligent content-based routing
• Intelligent load distribution
• Local and distributed caching
UK Government Agency: Enables integration capabilities using DataPower
Solution: DataPower in key network zones within and outside of the department. Thorough content-based validation, routing, and security policy enforcement. Integrated seamlessly into a heterogeneous environment, increasing interoperability and promoting reuse.
Benefits: Ease of integration. Security assurance of the architecture. Secure SOA on a standards-based platform. Consistent experience and policy for all users.
Challenge: Data held in the back-end systems is vital to delivering citizen services and fraud detection across various layers of government across the EU. Vulnerable back-end services; security; capacity/SLA. Consistent usability experience for internal or external service consumers.
Diagram: an integration layer on the government network serving other EU countries, other UK departments and internal users.
Security & Integration Scenario – Financial Firm
Centralized Service Governance & Policy Enforcement
• Complete SOA governance solution
– WSRR for web service life-cycle policy management
– DataPower for web service run-time policy enforcement
• Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services
– DataPower can subscribe to or poll web services information from WSRR
– Automatically expose services and policies in DataPower via WSRR subscription
– Include WS-Policy and WS-SecurityPolicy statements via WS-PolicyAttachment
– Retrieve WSDLs by specific version number
• Dynamically retrieve run-time routing information from WSRR
• Centralized transaction monitoring
– ITCAM for SOA
• Support for UDDI v2 and v3 registries
Diagram: WSRR acts as the Policy Administration Point (DataPower discovers services and policy from it), DataPower as the Policy Enforcement Point between consumer and service, and ITCAM for SOA as the Policy Monitoring Point that monitors the services.
Mainframe Integration & Enablement
Broad integration with System z
• Connect to existing applications over WebSphere MQ, HTTP
• Transform XML to/from COBOL copybook for legacy needs
• Integrate with RACF security from DataPower AAA
• Dynamic crypto material retrieval & caching, or offload crypto ops to z
• Connect to IMS
– Via IMS Connect client
– Via Web Services
– Via WebSphere MQ
– Via IMS DB
– Connect from IMS via "Callout"
• Connect to CICS
– Via WebSphere MQ
– Via Web Services
• Connect to DB2
– Via Web Services
– Via direct ODBC call with the ODBC Client option
Diagram: a client reaches IMS applications through DataPower over SOAP/HTTP (via the IMS SOAP Gateway or WAS with the IMS connector), over CCB/MQ through an MQ server and MQ bridge to IMS OTMA, or reaches DB2 over DRDA.
Enhanced value for System z & IMS
• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
• IMS DB feature supports DataPower integration with the IMS database through a SQL interface
– Enrich messages with database content
– Expose data as a service to remote applications
Diagram: for IMS DB, a SOAP/REST client calls DataPower, which reaches IMS over DRDA; for IMS Callout, IMS applications (via IMS Connect/OTMA) call out over TCP/IP to DataPower, which invokes an external SOAP/REST service provider.
An Irish Bank: Enabling retail banking
Solution: DataPower in the trusted network exposed services for XML/HTTP(S) and protocol bridging to WebSphere MQ. Message validation and transformation using WebSphere Transformation Extender (WTX).
Benefits: Retail application acceleration through transformations and caching. Optimized platform for handling, parsing and processing payloads.
Challenge: The retail application contained 7000 screens, with slow response times over a dedicated proprietary network. Cost of processing XML on the mainframe. Message transformation was needed before the core banking platform could process requests.
Diagram: web-based branch applications in the branch network reach the core banking platform and the customer & product applications and systems on z through DataPower and MQ queues.
High Street Clothing and Fashion Accessories Retailer: Increase customer interaction and loyalty
Solution: DataPower acted as a reverse proxy for outbound messages via a service provider and for inbound customer updates/delivery notifications. Transform SOAP/XML payloads to COBOL copybook messages for the CICS application.
Benefits: Create customer interaction and value through an innovative business strategy. Integrate various suppliers securely using standards-based interfaces. Graphical, configuration-driven appliance; short learning curve.
Challenge: Highly competitive industry; first-mover advantage. Weak customer loyalty. Multi-channel customer experience. Complex supply chain and service providers.
Diagram: DataPower between the open Internet and the MQ queues in front of the CICS application.
IMS Integration: Web Services Security and Management for IMS Web Services
• Content-based message routing
• Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP firewall
• Data validation
• Field-level security
• XML web services access control/AAA
• Web services management
Diagram: a SOAP/REST client goes through DataPower, which fronts the IMS SOAP Gateway or WAS with the IMS connector over SOAP/HTTP.
IMS Integration: Web Services Enablement for IMS-based Services
• DataPower provides WS-enablement to IMS applications
• User codes a schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
– MQ bridge to access IMS
– MQ connectivity is embedded in DataPower
Diagram: a SOAP/REST client calls DataPower, which uses CCB/MQ to the MQ server and MQ bridge, reaching IMS applications through OTMA.
IMS Integration: Web Services Enablement for IMS-based Services (cont'd)
• DataPower provides WS-enablement to IMS applications
• User codes a schema-dependent WTX data map to perform request/response mapping
• "IMS Connect Client" (back-side handler) natively connects to IMS Connect using its custom request/response protocol
Diagram: a SOAP/REST client calls DataPower, which connects over CCB/TCP to IMS Connect (with a user exit such as HWSSMPL0), reaching applications in one or more IMS/OTMA systems.
IMS Integration: IMS Connect Reverse Proxy
• Bring DataPower value-add to standard IMS Connect usage patterns
• Provide an "IMS Connect Client" on DataPower that natively connects to IMS Connect
• Provide an "IMS Connect Server" on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
– Enables authentication checks, authorization, logging, SLM, transformation, routing, DB look-up, SSL offload, etc.
Diagram: an IMS Connect client talks CCB/TCP to DataPower, which forwards over IMS Connect TCP to IMS Connect (user exit, e.g. HWSSMPL0) in front of applications in one or more IMS/OTMA systems.
DB2 Integration: "Information as a Service"
• DataPower provides a standard WS façade to DB2
– Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both the Data Web Services runtime and DataPower
– SOAP call is mapped to an ODBC (DRDA) invocation
• Exposes database content (information) as a service
• Leverages the extensive web services security and management capabilities of DataPower to more securely expose critical data to the enterprise
Diagram: a SOAP/REST client calls DataPower, which reaches DB2 over DRDA.
CICS Integration: Web Services Security and Management for CICS Web Services
• Content-based message routing
• Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP firewall
• Data validation
• Field-level security
• XML web services access control/AAA
• Web services management
• Support for CICS ID propagation
Diagram: a SOAP/REST client goes through DataPower, which fronts CICS Web Services or WAS with the CICS connector over SOAP/HTTP.
CICS Integration: Web Services Enablement for CICS Applications
• DataPower provides WS-enablement to CICS applications
• User codes a schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
– MQ bridge to access CICS
– MQ connectivity is embedded in DataPower
Diagram: a SOAP/REST client calls DataPower, which uses CCB/MQ to the MQ server and CICS bridge, reaching the CICS application.
B2B Integration
DataPower B2B Functionality: Extend beyond the enterprise to integrate with partners
• B2B Gateway Service
– AS1, AS2, AS3 and ebMS v2.0
– Plaintext email support
– EDI, XML and binary payload routing
– Front side protocol handlers
– Hard drive archive/purge policy
– CPA and partner profile associations
– MQ File Transfer Edition integration
• Trading Partner Profiles
– Two types: internal and external
– ebXML CPPA v2.0
– Multiple business IDs
– Multiple destinations (URL openers)
– Certificate management (S/MIME security)
– Multi-step processing policy
• B2B Viewer
– B2B transaction viewing
– MQ FTE transaction viewing
– Transaction resend capabilities
– Transaction and acknowledgement correlation
– Role-based access
• Persistent Storage
– AES-encrypted B2B document storage
– Option for off-box storage (NFS)
• Transaction Store
– B2B metadata storage
– B2B state management
Diagram: the B2B Gateway Service on DataPower has partner-connection front side handlers and external partner destinations on one side, integration front side handlers and internal partner destinations on the other, with the B2B Viewer, a metadata store (DB), a document store (HDD) and partner profiles.
UK Logistics and Distribution
Benefits: Create customer interaction and value through an innovative business strategy. Integrate various suppliers securely using standards-based interfaces. Graphical, configuration-driven appliance; short learning curve.
Challenge: AS2, file and web services based interfaces to hundreds of B2B customers. Messages are exchanged at least once a day. Secure proxy solution in the DMZ. Complex incumbent supplier chain.
Health Insurance Provider
Industry Pains: HIPAA security requirements for transporting data over the Internet. HL7 v3.0 XML threat protection. Complexity of B2B for healthcare.
Smarter Business Outcomes: Reliable and secure routing of customer-sensitive data. Easy to use and maintain; no additional skill needed. XML messages with attachments are authenticated, authorized, and virus scanned.
Value of DataPower B2B Appliances for Extending Connectivity: Secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information.
EDIINT Flow: Simple AS2 transaction flow with Transform
Diagram: Partner A's application sends an AS2 (EDI) message over the Internet to the B2B Hub (XB62); the AS2 process of the B2B Gateway Service receives it, records the transaction in the data store (visible in the Transaction Viewer from a browser), transforms the EDI to XML for Partner B's application, and returns an AS2 MDN to Partner A.
Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
Web Services bridged to AS2 File Transfer Pattern
Diagram: a WS client sends SOAP to a Web Service Proxy on the B2B Hub (XB62); the web service process pre-processes the payload to a flat file and hands it to the B2B Gateway Service, which sends it as AS2 over the Internet to the trading partner. The transaction is recorded in the data store and visible in the Transaction Viewer from a browser.
Note: A Multi-Protocol Gateway Service can also be used to support this flow, as well as receiving and sending data over any of the 16 supported protocol handlers. When services are tied together in front of or behind a B2B Gateway Service they are handled like pre- and post-processes.
MQ FTE Integration Pattern: Inbound File to Message
Diagram: a trading partner sends a file over the Internet to the B2B Gateway Service on the B2B appliance (XB60/XB62), which has a Transaction Viewer, profile management and a data store used from admin, partner-view and LOB-user browsers. The gateway hands the file to an MQ FTE source agent, which transfers it across the MQ FTE network of queue managers to the target agent and on to the enterprise applications; MQ Explorer and a DB logger (DB2 or Oracle) are attached to the FTE network.
ebXML with CPPA Pattern
Diagram: external partners on the public network send ebXML (ebMS) messages over the Internet to the B2B Gateway Service on the WebSphere DataPower B2B Appliance in the DMZ and receive an ebMS acknowledgement. Collaboration Protocol Agreement entries, each keyed by CPAId/Collaboration and linking an internal Collaboration Partner Profile with an external one, govern the exchange; transactions are visible in the Transaction Viewer from a browser, and messages are delivered to applications on the secured network.
Health Level 7 3.x to 2.x Transform Pattern
Diagram: Partner B (a hospital) sends HL7 V3 over AS2 across the Internet to the B2B Hub appliance at Partner A (a regional healthcare center). The AS2 process of the B2B Gateway Service, using the external profile (hospital) and the internal profile (regional center), validates the XML and transforms it to any HL7 V2.x format, delivers it over any transport to the healthcare applications (HL7 V3.x is also deliverable over any transport), returns an AS2 MDN, and records the transaction in the Transaction Viewer.
Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack
Diagram: a trading partner (healthcare provider) sends AS2 (HL7) over the Internet to the B2B Gateway Service on the XB62 and receives an AS2 MDN. The gateway passes the HL7 over WebSphere MQ to the WebSphere Healthcare Connectivity Pack, which routes it to a clinical trials system, a patient administration system, a billing system and a pharmacy over HL7/MLLP and XML/HTTP. Admin and partner-view browsers use the Transaction Viewer and profile management backed by the data store.
Resources
DataPower on GitHub
• Repository of DataPower-related tools & collateral; open source and community driven: use, collaborate, contribute. http://ibm-datapower.github.io/
• DataPower Configuration Manager: tool for DataPower configuration management & migration; standalone command line or IBM UrbanCode Deploy plugin. https://github.com/ibm-datapower/datapower-configuration-manager and https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp
• DPXMLSH: Bash script / shell library for working with DataPower's XML Management interface; interactive & scripted use. https://github.com/ibm-datapower/datapower-xml-shell
Getting Social with IBM DataPower Gateways
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation
Available Now: DataPower Handbook, Second Edition, Volume 1
• Known as the 'bible' of DataPower planning, implementation, and usage.
• New content covers the previous six years of new products/features, including 9006/7.1.
• Volume 1 consists of Chapter 1 DataPower Intro, Chapter 2 Setup Guide, a new Preface and two invaluable new appendices for physical and virtual appliances.
• Available in softcover and e-book formats.
Notices and DisclaimersCopyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You. Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.
BACKUP
Simple and Secure Architecture: Purpose-built firmware + hardware
• Complete gateway platform delivered as firmware
• Guiding philosophy is to centralize common security, integration, control, traffic management and acceleration functions and optimize them in a security-hardened gateway appliance
Diagram (commodity gateways vs. purpose-built gateways): a commodity gateway stacks a database, application server, Apache HTTPD, JVM, JSP engine, proprietary software and Linux daemons, each with its own config, on a full Linux OS (glibc, libxml, including shells and user accounts) and on hardware with display ports, a bootable CD-ROM drive and bootable USB ports. The DataPower Gateway Platform is a single configuration on digitally signed and encrypted firmware held in flash memory, running on an IBM-optimized embedded operating environment with crypto acceleration.
Configuration-driven approach speeds time to market
• Enforce security standards with zero coding
• Uses intuitive pipeline message processing
• Import/export configurations between environments
• Transaction probe shows message content between actions for debugging
Capabilities: Rapidly deliver secure integration & optimized access for a full range of workloads
• Secure: Secure & protect your back-end systems from harmful workloads and unauthorized users & apps
• Integrate: Convert payloads, bridge transports and connect to existing services at wire-speed
• Control: Limit & shape traffic based on service level agreements, and route based on message content
• Optimize: Improve response times, reduce load on backend systems and intelligently distribute load
Diagram (before vs. after DataPower Gateway): with the gateway placed between consumers and back-end systems, SSL offload, threat protection, rate limiting / SLA enforcement, validation and filtering, authentication and authorization, context-based access, mobile SSO, security token translation, message transformation, content-based routing, intelligent load distribution and response caching are consolidated in the gateway.
Connect Mobile Apps with Enterprise Services: Securely expose enterprise systems & APIs to mobile apps while optimizing delivery
DataPower Gateway: Supported standards & protocols
• Data format & language
– JavaScript, JSON, JSON Schema, JSONiq, REST, SOAP 1.1 and 1.2, WSDL 1.1, XML 1.0, XML Schema 1.0, XPath 1.0, XPath 2.0 (XQuery only), XSLT 1.0, XQuery 1.0
• Security policy enforcement
– OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos (including S4U2Self, S4U2Proxy); SPNEGO; RADIUS; RSA SecurID OTP using RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication; Microsoft Active Directory; FIPS 140-2 Level 3 (with optional HSM); FIPS 140-2 Level 1 (with certified crypto module); SAF & IBM RACF integration with z/OS; Internet Content Adaptation Protocol; W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition; TIBCO EMS; WebSphere Java Message Service; IBM IMS Connect & IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
• Transport Layer Security
– TLS versions 1.0, 1.1, and 1.2; SSL versions 2 and 3
• Public key infrastructure (PKI)
– RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management
– Simple Network Management Protocol; SYSLOG; IPv4, IPv6
• Open file formats
– Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); Virtual Machine Disk Format (VMDK); Virtual Hard Disk (VHD)
• Web services
– WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management; WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation; Multipurpose Internet Mail Extensions; XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
Over 14 years of innovation & 2000+ global installations
Timeline (2000 to 2014), milestones as shown on the slide: Gigabit/sec hardware solution; XA35, XS40 and XI50 appliances; Model 7993 (aka 9003) and Model 9235 (aka 9004); acquisition; ITCAM for SOA (transaction monitoring); WebSphere Transformation Extender; XB60; XI50B blade; XI50z blade; optimized interpreter and compiler; optimized hardware acceleration; WebSphere Appliance Management Center; Application Optimization (self-balancing & intelligent load distribution); XG45, XI52 & XB62; Virtual Edition (VMware, PureApplication System, and for Developers + XenServer); optimized & secure JavaScript.