(1)

© 2013 IBM Corporation

DataPower Common Use Cases

Bharat Bhushan, Principal Connectivity Architect, IBM UK

Christopher Khoury, Worldwide Client Technical Leader, IBM US

Arif Siddiqui, Product Manager, IBM US

(2)

Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

(3)

Agenda

DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

• B2B

(4)

Introduction to DataPower Gateway Appliances

IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, control, integration and optimized access to a full range of

(5)

Security & Integration Gateway Appliances

• Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload

• Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution

• Physical appliance that is purpose-built, tamper-evident with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO

• Provides high levels of certified Security assurance

‒ e.g. Transport Protocol Security (SSL/TLS), Message Level Security, and Authentication, Authorization, Audit

• Simplified maintenance model

‒ Drop-in appliance form-factor, Secures traffic in minutes, and Push-button flash upgrade process

• Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold

• Virtual appliance provides deployment flexibility & reduced cost for development and test environments

(Figure: IBM DataPower Gateway Appliances in the DMZ and in the Trusted Domain, between Internet Consumers and the Application or Service)

(6)

(Figure: Internet, DMZ and Trusted Domain, with DataPower appliances between Consumers and the Application or Service, System z, IBM Integration Bus, Application, Service, File and Trading partners)

DataPower appliances used across a variety of scenarios

1. Security Gateway (Web Services/Apps/APIs)

2. Intelligent Content Routing & Load Distribution

3. B2B Partner Gateway

4. Internal Security Enforcement

5. Integration

6. Runtime SOA Governance

7. Web Service Management

8. Legacy Integration

(7)

Before DataPower Appliances: update application servers individually

After DataPower Appliances: secure, control, integrate & optimize all applications instantly, with no changes to applications

• Secure, control, integrate & optimize multiple applications without code changes

• Lower cost and complexity

• Enable new business with unmatched performance

Use appliances to simplify & centralize critical functions: Control, Integrate, Route & Optimize, Secure

(8)

• Control

‒ Service-level agreements

‒ Traffic control

‒ Message accounting

‒ Content-based routing

‒ Governance & management

• Optimization

‒ SSL & TLS offload

‒ Hardware accelerated crypto ops

‒ XSLT & XQuery acceleration

‒ JSONiq acceleration

‒ Connection pooling, offload

‒ Intelligent load distribution

‒ Caching: Local & external (XC10)

• Security

‒ OAuth, SAML, XACML, WS-Security, LTPA, Kerberos, etc.

‒ Authentication & authorization

‒ Security token translation

‒ Message & transport protection

• Integration

‒ Convert payloads (JSON, XML, CSV, Cobol, binary, etc.)

‒ Bridge transports (HTTP, MQ, FTP, WAS JMS, TIBCO EMS, etc.)

‒ Database connectivity (DB2, IMS, Oracle, MS SQL, Sybase)

‒ Mainframe integration (IMS Connect, IMS Callout, CICS, etc.)

‒ B2B integration (AS1, AS2, AS3, etc.)

• Resilience

‒ Operation admission control

‒ Failure re-routing

‒ XML threat protection

‒ JSON threat protection

‒ Schema validation

‒ Message filtering

(Figure: Clients sending an in-the-clear request, a malicious request and an encrypted and signed request through DataPower to Cobol/MQ applications and Service Providers)

(9)

DataPower Family

Integration Appliance XI52

• High density 2U form, XG45 functionality plus

• “Any-to-Any” conversion at wire-speed

• Bridges multiple transport protocols

• Mainframe integration & enablement

• Available in Virtual Edition

Service Gateway XG45

• Entry-level device, slim footprint (1U)

• Security gateway (AAA, XML threat, etc.)

• Service level management and monitoring

• Intelligent load distribution & dynamic routing

• Lightweight integration functions (optional)

• Available in Virtual Edition

B2B Appliance XB62

• High density 2U form, XI52 functionality plus

• B2B Messaging (AS1/AS2/AS3/ebMS)

• Trading Partner Profile Management

• B2B Transaction Viewer

Integration Blade XI50B/XI50z

• Functionally equivalent to XI52

• Form factor flexibility

‒ XI50B: BladeCenter form factor

‒ XI50z: zEnterprise BladeCenter Extension (zBX) form factor

(10)

DataPower Appliances

Insurance

• Used by 95% of top global insurance firms

• SaaS providers, ASPs, regulators, etc.

Government

• Agencies and ministries

• Defense and security organizations

• Crown corporations

Banking

• Majority of the big US and European banks

• All of the big 5 Canadian banks

• Numerous regional banks and credit unions

Many, many, more

• Healthcare

• Retailers

• Utilities, Power, Oil and Gas

• Telecom

• Airlines

• etc.

(11)

Agenda

• DataPower Quick Overview

Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

• B2B

(12)

Use Case: Security & Optimization Gateway

Securing the Enterprise & providing optimized access

(13)

IBM Software Group – Enterprise Networking Software, © 2010 IBM Corporation

DataPower security roles and objectives

• Protect data and other resources on the appliance and protected servers

System availability

‒ Protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network

‒ Only allow “valid” messages through

Identification and Authentication

‒ Verify identity of network users

Authorization

‒ Protect data and other system resources from unauthorized access

• Protect data in the network using cryptographic security protocols

Data End Point Authentication

‒ Verify who the secure end point claims to be

Data Origin Authentication

‒ Verify that data was originated by claimed sender

Message Integrity

‒ Verify contents were unchanged in transit

Data Confidentiality

‒ Conceal clear-text using encryption

(Figure: Intranet, DMZ and Internet separated by firewalls; Authentication, Authorization and User Federation enforced at the gateway, z/OS RACF for user I&A and authorization, certificates/keys, mission-critical data)

• Secure access to Web and legacy applications

• Converged security enforcement

• Rock-solid DataPower platform

• Leverages enterprise security and policy managers

(14)

Protection of data plus XML & JSON threat protection

• Use DataPower to help resolve PCI compliance issues

• Easily sign, verify, encrypt, decrypt any content

• Configurable XML Encryption and Digital Signatures – Message-level, Field-level, Headers

• Security standards: OAuth, Security, Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, M

• Use WS-SecurityPolicy to define security requirements for your web services – DataPower natively consumes and enforces WS-SecurityPolicy statements

‒ Integrity & Confidentiality, Supporting Tokens, Message/Transport Protection

• Use XACML to define access and authorization policies for your web services – DataPower natively consumes and enforces XACML policies

‒ Resource-based Authorization

‒ PEP, PDP

DataPower security is policy driven

XML Threat Protection

• Entity Expansion/Recursion Attacks

• Public Key DoS

• XML Flood

• Resource Hijack

• Dictionary Attack

• Replay Attack

• Message/Data Tampering

• Message Snooping

• XPath or SQL Injection

• XML Encapsulation

• XML Virus

• Many others

JSON Threat Protection

• Label - Value Pairs

‒ Label String Length (characters)

‒ Value String Length (characters)

‒ Number Length (characters)

• Threat Protection

‒ Maximum nesting depth (levels)

‒ Maximum document size (bytes)
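As an added example (not from the deck), here is a JSON threat-protection check in the spirit of the limits just listed: document size, nesting depth, label string length, value string length and number length are all enforced in a single pass over the raw bytes before any parser builds a tree, which is what keeps an oversized or deeply nested body from consuming memory on the gateway. The class and limit names and the default values are assumptions for this example, not DataPower configuration parameters.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """Limits mirroring the slide's JSON threat protection settings.
    Names and defaults are assumptions for this example, not DataPower's."""
    max_document_bytes: int = 4096
    max_nesting_depth: int = 8
    max_label_chars: int = 64
    max_value_chars: int = 512
    max_number_chars: int = 32


class JsonThreatViolation(ValueError):
    """Raised when a document breaks one of the limits."""


def _string_end(text: str, start: int) -> int:
    """Index of the closing quote of the string that opens at text[start]."""
    i = start + 1
    while i < len(text):
        if text[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if text[i] == '"':
            return i
        i += 1
    raise JsonThreatViolation("unterminated string")


def scan_json(raw: bytes, limits: JsonLimits = JsonLimits()) -> dict:
    """Enforce the limits in one pass over the text, before any tree is built,
    so an oversized or deeply nested body is rejected without the gateway
    first allocating memory for it. Returns simple statistics on success."""
    if len(raw) > limits.max_document_bytes:
        raise JsonThreatViolation(
            f"document size {len(raw)} B exceeds {limits.max_document_bytes} B")
    text = raw.decode("utf-8")
    stack: list = []   # one [kind, expecting_label] entry per open container
    stats = {"max_depth": 0, "labels": 0, "values": 0, "numbers": 0}
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c in "{[":
            stack.append([c, c == "{"])   # in an object the first string is a label
            if len(stack) > limits.max_nesting_depth:
                raise JsonThreatViolation(
                    f"nesting depth exceeds {limits.max_nesting_depth}")
            stats["max_depth"] = max(stats["max_depth"], len(stack))
            i += 1
        elif c in "}]":
            if not stack:
                raise JsonThreatViolation("unbalanced closing bracket")
            stack.pop()
            i += 1
        elif c == ":" and stack and stack[-1][0] == "{":
            stack[-1][1] = False    # what follows is a value
            i += 1
        elif c == "," and stack:
            stack[-1][1] = stack[-1][0] == "{"   # next string in an object is a label
            i += 1
        elif c == '"':
            end = _string_end(text, i)
            length = end - i - 1
            if stack and stack[-1][0] == "{" and stack[-1][1]:
                stats["labels"] += 1
                if length > limits.max_label_chars:
                    raise JsonThreatViolation(
                        f"label of {length} chars exceeds {limits.max_label_chars}")
            else:
                stats["values"] += 1
                if length > limits.max_value_chars:
                    raise JsonThreatViolation(
                        f"value of {length} chars exceeds {limits.max_value_chars}")
            i = end + 1
        elif c in "-0123456789":
            j = i
            while j < n and text[j] in "+-.eE0123456789":
                j += 1
            stats["numbers"] += 1
            if j - i > limits.max_number_chars:
                raise JsonThreatViolation(
                    f"number of {j - i} chars exceeds {limits.max_number_chars}")
            i = j
        else:
            i += 1   # whitespace and the literals true / false / null
    if stack:
        raise JsonThreatViolation("unterminated container")
    json.loads(text)   # only now hand the bounded document to a real parser
    return stats


def is_allowed(raw: bytes, limits: JsonLimits = JsonLimits()) -> bool:
    """Gateway-style decision: True to forward the message, False to reject it."""
    try:
        scan_json(raw, limits)
        return True
    except (JsonThreatViolation, UnicodeDecodeError, json.JSONDecodeError):
        return False
```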

(15)

AAA: Authentication, Authorization, Auditing

Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom

Authenticate: LDAP/Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom

Map Identity

Extract Resource: URL, XPath, SOAP Operation, HTTP Operation, Custom

Map Resource

Authorize: LDAP/Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom

Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SPNEGO, Generate SAML, Generate LTPA, Map Tivoli Federated Identity

Audit

Backed by an External Access Control Server or the Onboard Identity Management Store

(16)

Security Gateway

Proxying and Enforcement

• Terminate incoming connection

• Terminate transport-level security (SSL/TLS offload)

• Threat protection

• Enforce Service Level Agreement policies

• Inspect message content and filter (Schema validate)

• Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)

• Authentication, Authorization, Auditing (AAA)

• Call out to virus checker

• Transform content & enrich message

• Translate security token

• Dynamically route based on content and load balance (Establish a new connection to pass results)

• Cache data on-box or in centralized, shared XC10 grid

(Figure: the gateway terminates the connection from the client, applies the ACL, calls out to the Virus Scanner and opens a new connection to the target. The Consumer's Web Service Request arrives with Basic Auth, OAuth 2.0, WS-Security UNT, etc. and reaches the Provider with SAML, LTPA or Kerberos. Outside World / DMZ / Internal Network: HTTP(s) carrying HTML, JSON, XML, SOAP, MIME, DIME, MTOM, XMLDSIG, XMLENC, WS-Security, WS-SecurityPolicy, WS-Trust, SAML and OAuth 2.0 from the Internet, SaaS, Partner Apps and Browsers passes the Protocol Firewall to the Security Gateway, then the Domain Firewall and ACL to Packaged Apps, Proprietary Apps, Data and the ESB; policy decisions from Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder or a PDP (XACML, SAML, other); incoming access control and threat protection, outgoing access control, SAML injection etc.; a second Security Gateway provides Internal Security for the Internal Consumer)

(17)

Retail Service Provider: Securely expose services to consumers

Challenge

• Consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs

• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information

Solution

• Implemented WebSphere DataPower to form the Web services backbone

• Through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data

• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse

Benefits

• Secure SOA on standards-based platform

• Easily reuse Web services throughout enterprise

• Boosts productivity of IT staff

• Substantially shorten time to market for new services

(18)

Centralized Service Governance & Policy Enforcement

• Complete SOA Governance solution

‒ WSRR for web service life-cycle policy management

‒ DataPower for web service run-time policy enforcement

• Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services

‒ DataPower can subscribe to or poll web services information from WSRR

• Automatically expose services and policies in DataPower via WSRR subscription

‒ Include WS-Policy, WS-SecurityPolicy statements via WS-PolicyAttachment

‒ Retrieve WSDLs by specific version number

• Dynamically retrieve run-time routing information from WSRR

• Centralized transaction monitoring – ITCAM for SOA

• Support for UDDI v2 and v3 for UDDI registries

(Figure: WSRR as Policy Administration Point, DataPower as Policy Enforcement Point between Consumer and Service, ITCAM for SOA as Policy Monitoring Point; DataPower discovers services & policy from WSRR, ITCAM monitors services)

(19)

• Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota

‒ Frequency based on concurrency OR based on messages per time period

‒ Take action when exceeding a custom threshold: Notify (or log), Shape (or delay), Throttle (or reject)
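As an added example (not from the deck), here is a small service-level monitor implementing the two frequency styles and three actions listed above: a statement is either concurrency-based or messages-per-interval, and when its threshold is exceeded it notifies (logs and allows), shapes (delays until the window has room) or throttles (rejects). The class names, the injected clock and the FakeClock helper are assumptions for this example, not DataPower's SLM objects.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class SlmStatement:
    """One SLM statement. interval_s=None makes it concurrency-based;
    otherwise threshold is the number of messages allowed per interval."""
    threshold: int
    interval_s: Optional[float]
    action: str   # "notify", "shape" or "throttle"


class ServiceLevelMonitor:
    """Counts traffic per credential (e.g. the authenticated client) and applies
    the statement's action when the threshold is exceeded."""

    def __init__(self, statement: SlmStatement,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        if statement.action not in ("notify", "shape", "throttle"):
            raise ValueError(f"unknown action {statement.action!r}")
        if statement.action == "shape" and statement.interval_s is None:
            raise ValueError("shape needs an interval-based statement")
        if statement.threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.statement = statement
        self.clock = clock
        self.sleeper = sleeper
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)  # message timestamps
        self.in_flight: Dict[str, int] = defaultdict(int)            # concurrent requests
        self.log: List[str] = []                                      # notifications

    def _over_threshold(self, credential: str, now: float) -> bool:
        s = self.statement
        if s.interval_s is None:
            return self.in_flight[credential] >= s.threshold
        window = self.windows[credential]
        while window and now - window[0] >= s.interval_s:   # drop expired messages
            window.popleft()
        return len(window) >= s.threshold

    def _record(self, credential: str, now: float) -> None:
        if self.statement.interval_s is None:
            self.in_flight[credential] += 1
        else:
            self.windows[credential].append(now)

    def admit(self, credential: str) -> str:
        """Decide for one message: 'allow', 'notify' (allowed but logged),
        'shaped' (allowed after a delay) or 'reject'."""
        now = self.clock()
        if not self._over_threshold(credential, now):
            self._record(credential, now)
            return "allow"
        action = self.statement.action
        if action == "throttle":
            self.log.append(f"{credential}: threshold exceeded, rejected")
            return "reject"
        if action == "notify":
            self.log.append(f"{credential}: threshold exceeded, allowed")
            self._record(credential, now)
            return "notify"
        # shape: wait until the oldest message leaves the window, then admit
        wait = self.statement.interval_s - (now - self.windows[credential][0])
        self.sleeper(max(wait, 0.0))
        now = self.clock()
        self._over_threshold(credential, now)   # evict what expired while waiting
        self._record(credential, now)
        return "shaped"

    def release(self, credential: str) -> None:
        """Call when a request finishes (concurrency-based statements only)."""
        if self.in_flight[credential] > 0:
            self.in_flight[credential] -= 1


class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds
```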

(20)

Application Optimization Example

• Scenario

‒ JSON REST app to-do list

• Issues

‒ High server load

‒ Slow response time (>10s)

(Figure: User → WAS Application under high load; sample message { "Task" : "AddEntry", "Detail": "Create presentation materials." }; slow response >10s)

1. Improve Server Load with SSL Offload

(Figure: Public user → DataPower in the DMZ → WAS Application in the Data Center; improved load)

(21)

Manage Traffic with Application Fluency

2. DataPower enables application aware traffic management

(Figure: User → DataPower → WAS Application, improved load; sample request inspected by the gateway:)

    PUT /joe/todos HTTP/1.1
    Host: joe.org
    Content-Type: application/json
    Content-Length: 69

    { "Task" : "AddEntry", "Detail": "Waste time." }

Distribute Load Intelligently

3. Application Optimization effects load distribution intelligence: leverage dynamic runtime conditions to distribute based on topology & workload

(Figure: User → DataPower → WAS Application instances, improved load and improved response time)

(22)

Application Optimization Example

Cache at the edge(s)

4. Application results are cached at the edge using XC10 caching grid OR locally on-box

(Figure: REST user → DataPower → DataPower XC10 → WAS Application; low load, fast response)

• Faster application response time

• Lower server load

(23)

Using XC10 As a Side Cache For DataPower

(Figure: REST Client → DataPower XI appliance → Provider, with DataPower XC10 as the side cache; improved response time and improved load)

1. Client submits application request.

2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.

3. On a miss, XI forwards request to target Provider.

4. XI adds application response to XC10.

5. Client receives response from XI.

• Easily integrates into the existing business process

‒ No code changes to the client or back-end application

‒ Simply add the side cache mediation

• Significantly reduces the load on the back-end system by eliminating redundant requests

• Improve client observed response time
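The five-step side-cache flow above, as an added example that is not from the deck: a mediation that keys the cache on the request, serves hits from the cache, forwards misses to the provider and stores the response with a TTL (the 10-minute cache from the travel case on the following slide is the default here). Only GET responses that are not marked private or no-store are stored, and the authenticated principal is part of the key so one user's data is never served to another; the class names, the in-memory stand-in for XC10 and the clock parameter are assumptions for this example.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    principal: Optional[str] = None   # identity established by AAA, if any
    body: bytes = b""


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)


class SideCache:
    """In-memory stand-in for the XC10 grid: key -> (expires_at, response)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.store: Dict[str, Tuple[float, Response]] = {}

    def get(self, key: str) -> Optional[Response]:
        entry = self.store.get(key)
        if entry is None:
            return None
        expires_at, resp = entry
        if self.clock() >= expires_at:      # stale: treat as a miss
            del self.store[key]
            return None
        return resp

    def put(self, key: str, resp: Response, ttl_s: float) -> None:
        self.store[key] = (self.clock() + ttl_s, resp)


class SideCacheMediation:
    """Steps 1-5 from the slide: query the cache, forward on a miss, store the
    response, return it to the client. Keeps hit/miss counters for the
    caching-rate figure operations teams watch."""

    def __init__(self, provider: Callable[[Request], Response], cache: SideCache,
                 ttl_s: float = 600.0) -> None:   # 10-minute cache as in the travel case
        self.provider = provider
        self.cache = cache
        self.ttl_s = ttl_s
        self.hits = 0
        self.misses = 0

    @staticmethod
    def cache_key(req: Request) -> str:
        # Method, URL and principal all take part: a response produced for one
        # authenticated user must never be served to another.
        ident = req.principal or "anonymous"
        material = f"{req.method}\n{req.url}\n{ident}\n".encode() + req.body
        return hashlib.sha256(material).hexdigest()

    @staticmethod
    def cacheable(req: Request, resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "").lower()
        return (req.method == "GET" and resp.status == 200
                and "no-store" not in cc and "private" not in cc)

    def handle(self, req: Request) -> Tuple[Response, str]:
        """Returns the response and whether it came from a 'hit' or a 'miss'."""
        key = self.cache_key(req)
        if req.method == "GET":                      # step 2: query the side cache
            cached = self.cache.get(key)
            if cached is not None:
                self.hits += 1
                return cached, "hit"                 # straight to step 5
            self.misses += 1
        resp = self.provider(req)                    # step 3: forward to the provider
        if self.cacheable(req, resp):
            self.cache.put(key, resp, self.ttl_s)    # step 4: store for next time
        return resp, "miss"                          # step 5

    def caching_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0
```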

(24)

DataPower XI52 + XC10: Travel and Transportation

Online Reservations: Reservations System

‒ Before: 3-5 sec response time

‒ After: 0.01-0.05 sec response time

‒ Caching service requests

‒ Improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability

‒ 52% caching rate

‒ 10 minute cache resulted in 40% reduction in load on the back-end systems

‒ Maintained high data integrity. Faster responses were also accurate

‒ POC in 3.5 hrs

100x performance improvement

• Improved reliability and scalability of reservation channels

• Reduced traffic to backend systems

• Deliver high performance & consistent response times

• Scale with simplicity and lower TCO

(25)

Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

• B2B

(26)

Use Case: Mobile Connectivity

Securely & Rapidly connect Mobile Apps with

(27)

Connect Mobile Apps with Enterprise Apps & Services

Securely expose enterprise data to Mobile Apps while optimizing delivery of the workload

(Figure: Mobile apps, e.g. REST (JSON/XML) over HTTPS, through the IBM DataPower Gateway Appliance to Web Apps and Services on Worklight and WAS ND, e.g. SOAP over HTTPS, and to Message Oriented and Legacy Apps)

IBM DataPower Gateway Appliance: Security, Control, Integration & Optimization of mobile workload

• SSL Offload

• Threat Protection

• Rate Limiting

• Validation, Filtering, now with Native JSON Support**

• Authentication, Authorization, Security Token Translation

• Transformation

• Content-Based Routing

• Intelligent Load Distribution, now with On Demand Router for WAS ND**

• Response Caching Locally or to XC10**

• Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices**

• Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**

(28)

A closer look at some Mobile Connectivity scenarios

REST Service Gateway for Mobile Apps

(Figure: Mobile Consumer → REST, JSON or XML over HTTP(s) → IBM DataPower Gateway as REST Proxy → Provider over JSON / XML / SOAP)

• SSL offload

• Enforcement point for centralized security policies

‒ Authentication, Authorization, OAuth 2.0, Audit

‒ Threat protection for XML and JSON

‒ Message validation and filtering

• Centralized management and monitoring point

‒ Traffic control / Rate limiting

• Routing / Intelligent load distribution to Provider

• RESTful façade to non-REST Provider

Application Acceleration for Mobile Apps

(Figure: Mobile Consumer → HTTP(s) GET → IBM DataPower Gateway → HTTP(s) GET → Provider returning XML; the gateway returns JSON or HTML/XHTML)

• Offload heavy lifting of message transformation from the Provider

• Transform to a format best suited for the requesting Mobile App

‒ JSON for native/hybrid app

‒ HTML/XHTML for browser based

• Cache response data from Provider

‒ Locally on the appliance

(29)

(30)

Client examples using DataPower for Mobile use cases

Several examples of businesses using DataPower as a Mobile Gateway for their Security & Integration needs:

• Large international bank: mobile banking traffic goes through DataPower

• Large Mobile company in the UK: traffic from handsets (REST service calls) is secured via DataPower

• Large global phone company: RESTful service calls using JSON and XML from Mobile devices and consumer browsers are secured and load balanced using DataPower

• Large retailer went live recently with DataPower proxying Mobile traffic

• Retailer secures their provisioning iPad traffic through DataPower

• A wireless carrier secures mobile traffic to account data through DataPower

(31)

Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

API Management

• Integration

• Mainframe Integration & Enablement

• B2B

(32)

Use Case: API Management

Securely & Rapidly Create, Socialize & Manage Business APIs to engage with a Developer ecosystem

(33)

IBM API Management V2.0 (On-Premise)

(Figure: on-premise App Developer Portal, Business Ops Dashboard and Dev Ops Dashboard; DataPower in front of Enterprise Services, serving Web Apps and Mobile)

Create, Manage, Socialize APIs

• Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Ops perspective, API lifecycle mgmt

• Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas, manage communities and monitor service levels

• Application Developer Portal with Self-Service registration and with hooks into social communities

On-Premise DMZ-ready API Gateway

• Rapid on-ramping of APIs

• API security: SSL termination, Threat protection, Authentication, Authorization with OAuth

• Quota enforcement / Traffic control: Enforce API consumption policies

• Monitors API use

• Caching support for both on-box local and remote caching using XC10

• Intelligent routing and load distribution

(34)

Secure Mobile App Integration + API Management

(Figure: Mobile Apps & Web consumers built with IBM Worklight (multi-device development) and API consumers & App Developers reach the IBM DataPower Appliance (Security & Integration Gateway), backed by the IBM DataPower XC10 Caching Appliance, in front of Applications & Services on App Servers (WAS, WAS ND, Worklight or other Provider); API owners Create, Publish, Manage & Socialize APIs with IBM API Management**)

(35)

Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

Integration

• Mainframe Integration & Enablement

• B2B

(36)

Use Case: Enterprise Integration

Consumable integration solution for securely connecting applications & services while optimizing delivery of workload

(37)

Integration

Message Format & Transport Protocol Mediation Example

(Figure: Consumer → SOAP / HTTP(s) → DataPower → Cobol / MQ → MQ Queue Manager → Provider; format & transport bridging)

Integration Scenario

(Figure: Outside World / DMZ / Internal Network. Internet, SaaS, Partner Apps and Browsers reach the DataPower Gateway in the DMZ through the Protocol Firewall over HTTP(s), FTP(s), SFTP(SSH), WMQ(s), WS JMS, TIBCO EMS and ODBC; through the Domain Firewall and ACL it connects to DB, LDAP, Packaged Apps, Proprietary Apps and Data over JMS, EMS, FTP, NFS, HTTP, WMQ and IMS Connect, with an Enhanced Security DMZ)

• Content based routing

• Message enrichment

• Message transformation

• Transport protocol translation

• AAA, Threat protection

• Message validation & filtering

• Traffic control / Rate limiting

• Intelligent content based routing

• Intelligent load distribution

(38)

UK Government Agency enables integration capabilities using DataPower

Challenge

• Data held in the back-end systems vital to delivering citizen services, fraud detection across various layers of the Governments across the EU

• Vulnerable back-end services

• Security

• Capacity/SLA

• Consistent usability experience for internal or external service consumers

Solution

• DataPower in key network zones within and outside of the department

• Thorough content-based validation, routing, and security policy enforcement

• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse

Benefits

• Ease of integration

• Security assurance of the architecture

• Secure SOA on standards-based platform

• Consistent experience and policy for all users

(Figure: Integration Layer between Core Services / Core Data and the Government network, Other EU Countries, Other UK Departments and Internal Users)

(39)

(40)

Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

Mainframe Integration & Enablement

(41)

Use Case: Mainframe integration & enablement

Offload processing for reduced MIPS

(42)

An Irish Bank: Enabling retail banking (core banking platform on Z)

Challenge

• Retail application contained 7000 screens; slow response times over dedicated proprietary network.

• Cost of processing XML on the mainframe.

• Message transformation needed before the core banking platform could process requests.

Solution

• DataPower in trusted network exposed services for XML/HTTP(S) and protocol bridging to WebSphere MQ

• Message validation and transformation using WebSphere Transformation Extender (WTX)

Benefits

• Retail application acceleration through transformations and caching

• Optimized platform for handling, parsing and processing payloads

(Figure: Branch Network → DataPower → MQ queues → core banking platform on Z)

(43)

High Street Clothing and Fashion Accessories Retailer: Increase customer interaction and loyalty (customer & product related applications and systems on Z)

Challenge

• Highly competitive industry; first mover advantage

• Weak customer loyalty

• Multi channel customer experience

• Complex supply chain and service providers

Solution

• DataPower acted as a reverse proxy for:

‒ Outbound messages via a service provider

‒ Inbound customer updates/delivery notifications

• Transform SOAP/XML payload to COBOL copybook messages for CICS application

Benefits

• Create customer interaction and value through innovative business strategy.

• Integrate various suppliers using standards based interfaces securely.

• Graphical configuration driven appliance; short learning curve

(Figure: Open Internet → DataPower → MQ queue → applications on Z)

(44)

Broad integration with System z

(Figure: Client → SOAP/HTTP → DataPower or DataPower XI50z → IMS SOAP Gateway, WAS+IMS connector, IMS OTMA / IMS Application, and MQ Server / MQ Bridge via CCB / MQ; DRDA to DB2)

• Connect to existing applications over WebSphere MQ

• Transform XML to/from COBOL Copybook for legacy needs

• Integrate with RACF security from DataPower AAA

• Dynamic crypto material retrieval & caching, or offload crypto ops to z

• Connect to IMS

‒ Via IMS Connect client

‒ Via Web Services

‒ Via WebSphere MQ

• Connect to CICS

‒ Via WebSphere MQ

‒ Via Web Service

• Connect to DB2

‒ Via Web Service

‒ As direct ODBC call with ODBC Client option

Additional benefits with integrated DataPower XI50z blade form factor

• Fast secure network between DataPower blade and target servers

• Virtual Network Provisioning

• Dynamic Load Balancing (via Sysplex Distributor)

• HMC Console Integration

• Blade Hardware Management

• Energy Monitoring and Management of DP Blades

• DP Firmware Load and Update

• Monitoring and Reporting

(45)

Enhanced value for System z & IMS

New integration capabilities between DataPower and IMS

• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required

• IMS DB feature supports DataPower integration with IMS database through SQL interface

‒ Enrich messages with database content

‒ Expose data as a service to remote applications

(Figure: Client → SOAP / REST → DataPower → DRDA → IMS DB; IMS OTMA with App1 and App2 via IMS Connect; IMS Callout: IMS → TCP/IP → DataPower → SOAP / REST → Service Provider, with IMS as Service Consumer)

(46)

Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

(47)

Use Case: B2B integration

Extend integration beyond the enterprise to partner community

(48)

DataPower B2B Functionality

Extend beyond the enterprise to integrate with partners

• B2B Gateway Service

‒ AS1, AS2, AS3 and ebMS v2.0

‒ Plaintext email support

‒ EDI, XML and Binary Payload routing

‒ Front Side Protocol Handlers

‒ Hard Drive Archive/Purge policy

‒ CPA and Partner Profile Associations

‒ MQ File Transfer Edition integration

• Trading Partner Profiles

‒ Two Types – Internal and External

‒ ebXML CPPA v2.0

‒ Multiple Business IDs

‒ Multiple Destinations (URL Openers)

‒ Certificate Management (S/MIME Security)

‒ Multi-step processing policy

• B2B Viewer

‒ B2B transaction viewing

‒ MQ FTE transaction viewing

‒ Transaction resend capabilities

‒ Transaction and Acknowledgement correlation

‒ Role based access

• Persistent Storage

‒ AES Encrypted B2B document storage

‒ Option for Off-Box Storage (NFS or iSCSI)

• Transaction Store

‒ B2B metadata storage

‒ B2B state management

(Figure: DataPower B2B Gateway Service with Partner Connection Front Side Handlers, Internal Partner Destinations, Integration Front Side Handlers, External Partner Destinations, B2B Viewer, Metadata Store (DB), Document Store (HDD) and Partner Profiles)

(49)

UK Logistics and Distribution

Challenge

• AS2, File and Web Services based interfaces to 100s of B2B customers.

• Messages are exchanged at least once a day

• Secure proxy solution in the DMZ

Benefits

• Create customer interaction and value through innovative business strategy.

• Integrate various suppliers using standards based interfaces securely.

• Graphical configuration driven appliance; short learning curve

(50)

UK Logistics and Distribution

(Figure: Internal Systems and External Systems exchanging messages)

(51)

DataPower Appliances Benefits

• Reduce Complexity: Replace software server functionality with DataPower Appliances, reduce infrastructure footprint, and off-load system-intensive processes.

• Lower TCO: DataPower Appliances have demonstrated reducing operational costs by as much as 50%

• Reduce Time to Market: DataPower Appliances dramatically decrease the testing time and amount of development required to upgrade your environment; most policies are configuration driven as opposed to development driven

• Reduce Risk: DataPower Appliances provide the communication layer without requiring application modification, and deliver improved security and audit

• Flexibility & Security: DataPower Appliances shield business applications from security requirements, protocol changes and service versioning - no application modifications needed

(52)

DataPower resources

www.ibm.com/software/integration/datapower

• IBM DataPower Web Page (support, technotes, doc)

‒ http://www-01.ibm.com/software/integration/datapower/

• developerWorks DataPower Discussion Area

‒ http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198

• Vast library of published articles:

‒ http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html (Also search for “DataPower” within “WebSphere”, “SOA/Web Services” and “XML”)

‒ http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search “DataPower”)

• IBM Redbooks:

‒ http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower

• IBM WebSphere DataPower SOA Appliance Handbook

‒ http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194

• YouTube:

‒ http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel

• DataPower Podcasts:

(53)

We love your Feedback!

Don’t forget to submit your Impact session and speaker feedback!

• Your feedback is very important to us – we use it to improve next year’s conference

• Go to the Impact 2013 SmartSite (http://impactsmartsite/com):

‒ Use the session ID number to locate the session

‒ Click the “Take Survey” link

‒ Submit your feedback

(54)

(55)

Legal Disclaimer

• © IBM Corporation 2013. All Rights Reserved.

• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.

• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete:

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete:

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:

Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries.

• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete:

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.


Health Insurance Provider

Smarter Business Outcomes:

 Reliable and secure routing of customer sensitive data

 Easy to use and maintain; no additional skill needed

 XML Messages with attachments are authenticated, authorized, and virus scanned

Industry Pains:

 HIPAA Security requirements for transporting data over the Internet

 HL7 v3.0 XML threat protection

 Complexity of B2B for healthcare

Secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information


EDIINT Flow: Simple AS2 transaction flow with Transform

Figure: Partner A and Partner B (Application, Browser Application) exchange EDI over AS2 across the Internet through the B2B Hub (XB62: B2B Gateway Service, AS2 Process, Transaction Viewer, Data Store), which transforms EDI to XML for the receiving Application and returns the AS2 MDN. Steps 1 to 5 are numbered on the original diagram.

Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.


Agenda

DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

• B2B


Why use an Appliance for connectivity?

• Purpose-built, fine-tuned consumable platform

• Achieves fast performance with multiple layers of specialized acceleration

• Many functions incorporated in a single device

– Service level management

– Dynamic routing and load distribution

– Transport and message level security

– Policy enforcement

– Transport and message transformation

• Simplified maintenance model

– Drop-in appliance form-factor

– Secures traffic in minutes

– Push-button flash upgrade process

– Integrates with existing operations

• Provides high levels of certified security assurance

– Transport Protocol Security (SSL/TLS)

– Message Level Security

– Authentication, Authorization, Audit (AAA)

– FIPS 140-2 Level 3


Agenda

• DataPower Quick Overview

Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement

• B2B


DataPower & Tivoli Offerings

DataPower integrates with Tivoli offerings to provide an authentication and authorization policy enforcement point solution.

Tivoli Access Manager (TAM)

– Provides a single point of decision making for Authentication and Authorization. [PDP]

– DataPower will enforce the decision. [PEP]

– Locally cached TAM policy database reduces network latency and traffic congestion

Tivoli Security Policy Manager (TSPM)

– Allows authoring of XACML policy to be enforced by DataPower. [PAP]

– TSPM can also act as PDP to make Authorization decisions. [PDP]

Tivoli Federated Identity Manager (TFIM)

– Provides federated identity management and a single IdP enterprise solution. [Federation]

PAP: Policy Authoring Point

PDP: Policy Decision Point

PEP: Policy Enforcement Point
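The PAP/PDP/PEP split on this slide can be shown with a short added example (illustrative code, not DataPower or Tivoli code): a policy decision point evaluates a small rule set in the style of an authored XACML policy, and an enforcement point asks it, caches each answer locally for a bounded time (the same reason the TAM integration caches its policy database), and lets a request through only on an explicit Permit. The rule format, the class names, and the sample roles and resources are assumptions made for this illustration.

```python
"""Policy enforcement point (PEP) backed by a cached policy decision point (PDP).

Added example; not DataPower or Tivoli code. The rule format, class names and
the sample policy below are assumptions made for this illustration.
"""
import time
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    """One authored rule (the PAP's output): who may do what to which resources."""
    role: str
    resource_prefix: str
    actions: frozenset
    effect: str  # PERMIT or DENY


class PolicyDecisionPoint:
    """Evaluates rules first-applicable, like a minimal XACML policy."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.evaluations = 0  # counts real evaluations so cache hits are observable

    def decide(self, role, resource, action):
        self.evaluations += 1
        for r in self.rules:
            if r.role == role and resource.startswith(r.resource_prefix) and action in r.actions:
                return r.effect
        return NOT_APPLICABLE


class PolicyEnforcementPoint:
    """Asks the PDP, caches each answer for `ttl` seconds, and fails closed."""

    def __init__(self, pdp, ttl=30.0, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, ttl, clock
        self._cache = {}  # (role, resource, action) -> (decision, expires_at)

    def authorize(self, role, resource, action):
        """Return True only for an explicit Permit; Deny, NotApplicable and errors are refused."""
        key = (role, resource, action)
        now = self.clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            decision = cached[0]
        else:
            try:
                decision = self.pdp.decide(role, resource, action)
            except Exception:
                return False  # PDP unreachable: deny, and do not cache the failure
            self._cache[key] = (decision, now + self.ttl)
        return decision == PERMIT


if __name__ == "__main__":
    # Constructed sample policy: clerks may read claims but never delete them.
    pdp = PolicyDecisionPoint([
        Rule("clerk", "/claims/", frozenset({"GET"}), PERMIT),
        Rule("clerk", "/claims/", frozenset({"DELETE"}), DENY),
    ])
    pep = PolicyEnforcementPoint(pdp, ttl=30)
    print(pep.authorize("clerk", "/claims/42", "GET"), pep.authorize("guest", "/claims/42", "GET"))
```

The enforcement point treats NotApplicable exactly like Deny, which is what keeps a new resource that nobody has written a rule for from being exposed by default, and a decision obtained while the PDP is down is never cached.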


Application Optimization

Figure: consumers on the Internet, a DMZ, and Applications and System z in the Trusted Domain. SOA Optimization covers Application Intelligence, Application Security, SSL Acceleration, XML Intelligence, XML Security, and Routing, Transformation, Mediation.

Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance.


Self balancing (IP spraying)

 Self Balancing: self balance across a cluster of appliances

– Replace front-end IP load balancer

– New support (introduced in firmware version 4.0.2) enables connections to be preserved, without loss, during failover scenarios

 Dynamic and Intelligent Load Distribution to backend systems

– Replace backend load balancer

Front-end IP load balancers not needed


Application Optimization

DataPower performs dynamic back-side routing and load distribution (leveraging dynamic information from back-ends)

Provides application-aware Intelligent Load Distribution

 Auto-discovers application targets and distributes load using a dynamic feedback mechanism

 Topology learning for WAS ND and VE

 Uses intelligent weighted distribution algorithms based on current server load

 Weighted Least Connection load balancing algorithm

 Provides several options for enabling Session Affinity

Failure of target appliances is masked by appropriate weighted
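As an added illustration of the Weighted Least Connection algorithm named above and of how a failed target is masked (example code, not DataPower's implementation): every healthy target is scored by its open connections divided by its weight, the lowest score receives the next connection, and a target that fails its health check leaves the candidate set until the feedback says it has recovered, so the caller sees an explicit "no target" rather than a connection to a dead back end. Target names and weights are constructed sample data.

```python
"""Weighted Least Connection selection with failed targets masked.

Added example; not DataPower's implementation. Targets and weights are constructed.
"""
from dataclasses import dataclass


@dataclass
class Target:
    name: str
    weight: int           # relative capacity; 0 removes the target from rotation
    active: int = 0       # connections currently open to this target
    healthy: bool = True  # latest health-check result (dynamic feedback)


class WeightedLeastConnection:
    def __init__(self, targets):
        self.targets = list(targets)

    def select(self):
        """Healthy target with the lowest active/weight ratio, or None if none is usable."""
        candidates = [t for t in self.targets if t.healthy and t.weight > 0]
        if not candidates:
            return None
        best = candidates[0]
        for t in candidates[1:]:
            # a/wa < b/wb  <=>  a*wb < b*wa, so no floating point is needed
            if t.active * best.weight < best.active * t.weight:
                best = t
        return best

    def open_connection(self):
        """Pick a target and account for the new connection on it."""
        target = self.select()
        if target is not None:
            target.active += 1
        return target

    def close_connection(self, target):
        target.active = max(0, target.active - 1)

    def set_health(self, name, healthy):
        """Health-check feedback: a failed target stops receiving new connections."""
        for t in self.targets:
            if t.name == name:
                t.healthy = healthy


def simulate(balancer, n):
    """Open n connections and return the chosen target names (None where nothing is usable)."""
    return [(t.name if t else None) for t in (balancer.open_connection() for _ in range(n))]


if __name__ == "__main__":
    lb = WeightedLeastConnection([Target("A", weight=3), Target("B", weight=1)])
    print(simulate(lb, 6))
    lb.set_health("A", False)
    print(simulate(lb, 2))
```

With weights 3 and 1 the first six connections land on A, B, A, A, A, B: target A takes roughly three connections for every one that B takes, and once A is marked unhealthy every new connection goes to B until A is marked healthy again.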


Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

Integration

• Mainframe Integration & Enablement

• B2B


Integration

Content-Based Routing

 Dynamically route based on any message content

– Attributes such as the originating IP, requested URL, protocol headers, etc.

– Data within the message such as SOAP Headers, XML, Non-XML content, etc.

 Query a repository for routing information

– WebSphere Service Registry & Repository, XML files, Databases, Web Servers

Figure: unclassified requests are routed to the appropriate Service Providers.
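An added example, not a DataPower processing policy, of content-based routing that uses the three kinds of input listed on this slide: the originating IP decides the caller's network zone, the requested URL gives the service, and a SOAP header gives the API version; the resulting tuple is looked up in a route table, so message content can influence which listed back end is chosen but can never name a destination of its own. The SOAP header (ApiVersion in the namespace urn:example:routing), the route table, the host names and the network ranges are all constructed for this illustration.

```python
"""Content-based routing of SOAP requests through an allow-listed route table.

Added example; not a DataPower processing policy. The header name, route
table, host names and network ranges are constructed for this illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:routing"  # assumed namespace of the routing header

# Constructed route table: every reachable back end is listed here, keyed by
# (network zone of the caller, service from the URL, API version from the SOAP header).
ROUTE_TABLE = {
    ("internal", "orders", "v2"): "https://orders-v2.internal.example/soap",
    ("internal", "orders", "v1"): "https://orders-v1.internal.example/soap",
    ("external", "orders", "v1"): "https://orders-v1.partner.example/soap",
    ("internal", "claims", "v1"): "https://claims.internal.example/soap",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MAX_INSPECT_BYTES = 64 * 1024  # do not parse oversized envelopes just to route them


def zone_of(client_ip):
    """Transport attribute: classify the originating IP into a zone."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def api_version(envelope):
    """Message attribute: read the ApiVersion SOAP header, defaulting to v1."""
    if len(envelope) > MAX_INSPECT_BYTES or "<!DOCTYPE" in envelope:
        raise ValueError("envelope rejected before routing")
    root = ET.fromstring(envelope)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    ver = root.findtext(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}ApiVersion")
    return (ver or "v1").strip()


def route(client_ip, url, envelope):
    """Return the back-end URL for this request, or None when no route exists."""
    segments = [s for s in url.split("?")[0].split("/") if s]
    service = segments[0].lower() if segments else ""
    key = (zone_of(client_ip), service, api_version(envelope))
    # Lookup only: the destination is never assembled from message content.
    return ROUTE_TABLE.get(key)


if __name__ == "__main__":
    # Constructed sample request carrying the routing header.
    sample = (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:r="{APP_NS}">'
        "<soap:Header><r:ApiVersion>v2</r:ApiVersion></soap:Header>"
        "<soap:Body/></soap:Envelope>"
    )
    print(route("10.1.2.3", "/orders/submit", sample))
    print(route("203.0.113.5", "/orders/submit", sample))
```

A request from outside the internal ranges asking for v2 of the orders service gets no route at all, because no external v2 back end is listed; an external caller without the header falls back to the v1 partner-facing back end. Rejecting a DOCTYPE and capping the inspected size before parsing keeps the routing step from becoming the place where an oversized or entity-laden envelope is first processed.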

Any-To-Any Message Transformation

 Transform the message format with ultimate flexibility

– Leverage WebSphere Transformation Extender for data mapping

Figure: an input message (XML, text or binary) is transformed into an output message (XML, text or binary).


Integration

Transport Protocol Translation

 Integrate disparate transport protocols with extreme ease

– No dependencies between inbound “front-side” and outbound “back-side”

– Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)

 Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only-once message patterns

Figure: front-side and back-side protocol handlers: HTTP(s), FTP(s), SFTP, WebSphere MQ, MQ FTE, WebSphere JMS, Database (DB2, SQL Server, Oracle, Sybase), TIBCO EMS, IMS, NFS.


Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

Mainframe Integration & Enablement


IMS Integration

Web Services Security and Management for IMS Web Services

 Content-based Message Routing

 Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)

 XML/SOAP Firewall

 Data Validation

 Field Level Security

 XML Web Services Access Control/AAA

 Web Services Management

Figure: the Client sends SOAP/HTTP to DataPower, which forwards SOAP/HTTP to the IMS SOAP Gateway or to WAS with the IMS connector.


IMS Integration

Web Services Enablement for IMS-based Services

Figure: the Client connects to DataPower (CCB / MQ), which connects to the MQ Server on z/OS; the MQ Bridge drives the IMS Application through OTMA.

 DataPower provides WS-enablement to IMS applications

 User codes schema-dependent WTX data map to perform request/response mapping

 Requires WebSphere MQ for z/OS

– MQ bridge to access IMS

– MQ connectivity is embedded in DataPower


IMS Integration

Web Services Enablement for IMS-based Services (cont’d)

Figure: the Client sends SOAP/HTTP to DataPower (CCB / TCP), which connects to IMS Connect; IMS Connect reaches the IMS applications (Appl1 to Appl6) through OTMA, with a user exit (e.g. HWSSMPL0).

 DataPower provides WS-enablement to IMS applications

 User codes schema-dependent WTX data map to perform request/response mapping

 “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol


IMS Integration

IMS Connect Reverse Proxy

Figure: an IMS Connect client sends TCP to DataPower (CCB / TCP), which connects to IMS Connect; IMS Connect reaches the IMS applications (Appl1 to Appl6) through OTMA, with a user exit (e.g. HWSSMPL0).

 Bring DataPower value add to standard IMS Connect usage patterns

 Provide an “IMS Connect Client” on DataPower that natively connects to IMS Connect

 Provide an “IMS Connect Server” on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower

– Enables authentication checks, authorization, logging, SLM, transformation, route, DB look-up, SSL offload, etc.


DB2 Integration

“Information as a Service”

Figure: the Client sends SOAP/HTTP to DataPower, which invokes DB2 over DRDA.

 DataPower provides a standard WS façade to DB/2

– Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data Web Services runtime and DataPower

– SOAP call is mapped to an ODBC (DRDA) invocation

 Exposes database content (information) as a service

 Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise


CICS Integration

Web Services Security and Management for CICS Web Services

 Content-based Message Routing

 Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)

 XML/SOAP Firewall

 Data Validation

 Field Level Security

 XML Web Services Access Control/AAA

 Web Services Management

 Support CICS ID propagation

Figure: the Client sends SOAP/HTTP to DataPower, which forwards SOAP/HTTP to CICS Web Services or to WAS with the CICS connector.


CICS Integration

Web Services Enablement for CICS Applications

 DataPower provides WS-enablement to CICS applications

 User codes schema-dependent WTX data map to perform request/response mapping

 Requires WebSphere MQ for z/OS

– MQ bridge to access CICS

– MQ connectivity is embedded in DataPower

Figure: the Client sends SOAP/HTTP to DataPower (CCB / MQ), which connects to the MQ Server on CICS; the CICS Bridge drives the CICS Application.


Agenda

• DataPower Quick Overview

• Security & Optimization Gateway

• Mobile Connectivity

• API Management

• Integration

• Mainframe Integration & Enablement


Web Services bridged to AS2 File Transfer Pattern

Figure: a WS Client and a Browser on the Internet reach the B2B Hub (XB62: Web Service Proxy, Web Service Process, AS2 Pre-Process, B2B Gateway Service, Transaction Viewer, Data Store); SOAP is bridged to flat-file data exchanged over AS2 between Partner A and Partner B. Steps 1 to 7 are numbered on the original diagram.

Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and sending data over any of the 16 supported protocol handlers. When Services are tied together in front of or behind a B2B Gateway Service they are handled like pre and post processes.


MQ FTE Integration Pattern – Inbound File to Message

Figure: a Trading Partner on the Internet sends a file to the XB62 B2B appliance (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store; browsers for the LOB User, Admin and Partner view; an XB60 is also shown). Inside the Enterprise, an MQ FTE Source Agent (on a Server) and Target Agent move the file across the MQFTE Network of Queue Managers to the Applications, with MQ Explorer and a DB Logger (DB2 or Oracle). Steps 1 to 6 are numbered on the original diagram.

ebXML with CPPA Pattern

Figure: External Partners on the Internet (Public Network) exchange ebXML messages and ebMS acknowledgements with the WebSphere DataPower B2B Appliance in the DMZ (B2B Gateway Service, Transaction Viewer; Collaboration Partner Agreement Entries holding an Internal Collaboration Partner Profile, an External Collaboration Partner Profile and a CPAId / Collaboration Protocol Agreement Entry), which delivers to Applications on the Secured Network. Steps 1 to 5 are numbered on the original diagram.

Figure: healthcare B2B pattern between a Hospital and a Regional Healthcare Center (Partner A and Partner B). HL7 V3 is sent over AS2 across the Internet to the B2B Appliance at the Regional Healthcare Center (B2B Hub: B2B Gateway Service, AS2 Process, Transaction Viewer; Internal Profile Regional Center, External Profile Hospital), which validates the XML, transforms it to any HL7 V2.x format for the Healthcare Applications over any transport, and returns the AS2 MDN. Steps 1 to 6 are numbered on the original diagram.

Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack

Figure: a Trading Partner (Clinical Trials System) on the Internet exchanges HL7 over AS2, with AS2 MDN, with the XB62 B2B appliance at the Healthcare Provider (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store; Admin and Partner-view browsers). The appliance hands HL7 to WebSphere MQ and the WebSphere Healthcare Connectivity Pack, which reaches the Patient Administration System, Billing System and Pharmacy over HL7/MLLP and XML/HTTP. Steps 1 to 5 are numbered on the original diagram.
