DataPower and Cast Iron update
Matt Roberts, Senior Software Engineer, IBM Hursley Labs
© 2012 IBM Corporation
Agenda
WebSphere DataPower Family
– Overview
– WebSphere DataPower v5.0 update
– DataPower virtual editions
– WebSphere Appliance Management Center
WebSphere Cast Iron
– Cast Iron Integration Services
– Cast Iron Express
– Cast Iron Live WebAPI Services
WebSphere DataPower Appliances…
WebSphere DataPower Appliances provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated appliances that combine superior performance and hardened security
SIMPLIFY your connectivity infrastructure
ACCELERATE your time to value
SECURE your SOA, Web 2.0, Mobile, B2B, and Cloud environments
GOVERN your evolving IT architecture
IBM WebSphere DataPower organization makes appliances
Simple architecture:
– microcode firmware + purpose-built hardware
Delivered from the factory with everything you need to connect to the network and start working
– No need to provision anything but the Ethernet network and CAT cables to get started
All computationally-significant components sealed within a tamper-evident casing
– Chips
– Memory
– Boards and cards
– Flash-based file system (signed and encrypted)
– Parsing and xform accelerator
– Cryptographic accelerator
Appliance “lock down” means:
– Removing need for commodity code
– Removing reliance on general purpose operating systems and run times
– Porting to purpose-built firmware
– Simplicity = BIG TCO SAVINGS
Guiding philosophy is to take rote, repeatable security / integration tasks and lock them down in the appliance form factor, including:
– Security gateway functions
– Service Bus (ESB) functions
– B2B gateway functions
– Application optimization functions
Why use an appliance for connectivity?
Purpose-built, fine-tuned consumable hardware platform
Achieves fast performance with multiple layers of hardware acceleration
Many functions incorporated in a single device
– Service level management
– Dynamic routing and load distribution
– Transport and message level security
– Policy enforcement
– Transport and message transformation
Simplified maintenance model
– Drop-in appliance form-factor
– Secures traffic in minutes
– Push-button flash upgrade process
– Integrates with existing operations
Provides high levels of certified security assurance
– Transport Protocol Security (SSL/TLS)
– Message Level Security
– Authentication, Authorization, Audit (AAA)
– FIPS 140-2 Level 3, Common Criteria EAL4*
WebSphere DataPower Family
Integration Appliance XI52
– High density 2U form
– Consumable hardware ESB
– “Any-to-Any” conversion at wire-speed
– Bridges multiple transport protocols
– Mainframe integration & enablement
Service Gateway XG45
– Entry-level device, slim footprint (1U)
– Security gateway (AAA, XML threat, etc)
– Service level management and monitoring
– Intelligent load distribution & dynamic routing
– Lightweight ESB functions (optional module)
B2B Appliance XB62
– High density 2U form
– B2B Messaging (AS1/AS2/AS3/ebMS)
– Trading Partner Profile Management
– B2B Transaction Viewer
Integration Blade XI50B/XI50z
– Functionally equivalent to XI52
– Form factor flexibility
– XI50B: BladeCenter form factor
– XI50z: zEnterprise BladeCenter Extension (zBX) form factor
Deploy WebSphere DataPower Appliances in a variety of use cases
1 Secure Gateway (Web Services, Web Applications)
2 B2B Gateway
3 Intelligent Load Distribution
4 Internal Security
5 Enterprise Service Bus
6 Runtime SOA Governance
7 Web Service Management
8 Legacy Integration
[Figure labels: Internet, DMZ, Trusted Domain, Consumer, Application, System z]
Agenda
WebSphere DataPower Overview
WebSphere DataPower v5.0
WebSphere DataPower virtual editions
WebSphere Appliance Management Center
WebSphere DataPower V5.0: Key Features
OAuth 2.0 support
– Securely expose enterprise services to Web 2.0 & mobile applications using industry standard
– Integrated into the AAA framework, allows DataPower to act as both the PEP for Resource Server and Authorization Server
Enhanced Service & SLA Management
– Provides more consumable and centralized service Governance & SLA management with support for automatic policy synchronization and enforcement b/w WSRR and DataPower
Application Optimization option on XG45
– Decreases cost by enabling self-balancing across a cluster of DataPower appliances and eliminating the need for frontend load balancers
– Improves efficiency by providing dynamic and intelligent load distribution to backend servers and eliminates the need for backend load balancers
Improved processing capability
– Improves processing power with extended memory support for 9005 and XI50B appliances
B2B volumetrics support
– B2B volumetrics support allows detailed analytics of B2B transactions by providing flexible service based access to B2B metadata stored in the appliance persistence store
[Figure labels: Resource Owner, Authorization Server, OAuth Client, Resource Server]
The resource owner never shares her username or password with the OAuth client
Example OAuth “3-Legged” Scenario
1. Resource Owner initiates a request with OAuth Client
2. Resource Owner authenticates and provides the authorization decision on whether to allow OAuth Client access to their resource
3. OAuth Client sends in its credentials and the approval it obtained in step 2, and asks for an access token to access the resource
4. Here is my access token, let me access the resource
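The four steps above, as an added example that is not part of the original slides and not DataPower code. The class names, the sample owner and client, and the modelling of the step 2 approval as a single-use code bound to one client are assumptions made for illustration.

```python
import secrets

class AuthorizationServer:
    """In-memory stand-in for the Authorization Server role."""
    def __init__(self, owners, clients):
        self.owners, self.clients = owners, clients   # name -> password / secret
        self.codes, self.tokens = {}, {}

    def authorize(self, owner, password, client_id, approve):
        """Step 2: the owner authenticates here, not at the OAuth client."""
        if self.owners.get(owner) != password or client_id not in self.clients:
            raise PermissionError("authentication failed")
        if not approve:
            raise PermissionError("owner denied access")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner)         # approval bound to one client
        return code

    def issue_token(self, client_id, client_secret, code):
        """Step 3: client credentials plus the approval yield an access token."""
        expected = self.clients.get(client_id, "")
        if not expected or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("bad client credentials")
        bound_client, owner = self.codes.pop(code, (None, None))  # single use
        if bound_client != client_id:
            raise PermissionError("approval not issued to this client")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = owner
        return token

class ResourceServer:
    """Enforcement point in front of the owner's resources."""
    def __init__(self, auth_server, resources):
        self.auth_server, self.resources = auth_server, resources

    def get(self, token):
        """Step 4: serve the resource only for a token the server issued."""
        owner = self.auth_server.tokens.get(token)
        if owner is None:
            raise PermissionError("invalid access token")
        return self.resources[owner]

def run_flow():
    """Walk steps 1-4; return the resource and everything the client handled."""
    auth = AuthorizationServer({"alice": "owner-pw"}, {"photo-app": "app-secret"})
    api = ResourceServer(auth, {"alice": "alice's photos"})
    # Steps 1-2: the client redirects the owner; she logs in at the server.
    code = auth.authorize("alice", "owner-pw", "photo-app", approve=True)
    token = auth.issue_token("photo-app", "app-secret", code)      # step 3
    return api.get(token), {"code": code, "access_token": token}   # step 4
```

The client only ever holds the approval code and the access token; the owner's password appears solely in the call made to the authorization server.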
JSON Protection
JSON Examples
• Jumbo Payload
• Name-Value Pair
• Label - Value Pairs
– Label String Length (characters)
– Value String Length (characters)
– Number Length (characters)
• Threat Protection
– Maximum nesting depth (levels)
– Maximum document size (bytes)
[Figure labels: Label String, Value String, Number, Nesting Depth of 3, Document Size]
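A validator that applies the five limits listed above, as an added example that is not from the original slides and does not reproduce DataPower's implementation. The limit names and values are assumptions chosen for illustration, not appliance defaults.

```python
import json

# Limit values are assumptions chosen for this example, not DataPower defaults.
LIMITS = {"document_bytes": 4096, "nesting_depth": 3,
          "label_chars": 16, "value_chars": 64, "number_chars": 12}

class JsonThreat(ValueError):
    """A document exceeded one of the configured limits."""

def scan_depth(text):
    """Deepest {}/[] nesting, found without building the document."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
    return deepest

def check_json(raw, limits=LIMITS):
    """Return the parsed document, or raise JsonThreat naming the limit hit."""
    if len(raw) > limits["document_bytes"]:          # cheapest check first
        raise JsonThreat("document size")
    text = raw.decode("utf-8")
    if scan_depth(text) > limits["nesting_depth"]:   # before the recursive parse
        raise JsonThreat("nesting depth")

    def number(convert):
        def hook(token):                             # token is the literal text
            if len(token) > limits["number_chars"]:
                raise JsonThreat("number length")
            return convert(token)
        return hook

    def walk(node):
        if isinstance(node, dict):
            for label, value in node.items():
                if len(label) > limits["label_chars"]:
                    raise JsonThreat("label length")
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str) and len(node) > limits["value_chars"]:
            raise JsonThreat("value length")

    doc = json.loads(text, parse_int=number(int), parse_float=number(float))
    walk(doc)
    return doc
```

Size and depth are checked on the raw text before parsing, so an oversized or deeply nested payload is rejected without the parser ever recursing into it.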
Enhanced Governance & SLA Management Support
Implement Service Level Agreements (SLA) enforcement on DataPower via declarative policy documents without manually creating DataPower configuration artifacts
– WS-Proxy consumes the specified policy and modeled SLA semantics through WS-Policy and WS-PolicyAttachment artifacts that are fetched from WSRR subscription or appliance configuration
• Author SLA policy and associate it with a web service (configuration task)
• DataPower fetches SLA policy and renders the required DataPower configuration Processing Policy artifacts (rules and actions) to enforce policy
• DataPower enforces SLA policy based on Processing Policy artifacts (rules and actions) created from consumed policy documents
• DataPower synchronizes SLA policy based on manual user action and/or WSRR subscription settings
• Policy domains define syntax & vocabularies used to describe the desired behavior that needs to be enforced. Common policy domains supported in DataPower v5.0 include:
– WS-SecurityPolicy (W3C specification)
– WS-MediationPolicy (IBM specification)
Traffic Management Policy
<wsp:Policy Name="Max100MsgSec_Reject">
  <wsmp:Rule>
    <wsmp:Condition>
      <wsmp:Expression>
        <wsmp:Attribute>MessageCount</wsmp:Attribute>
        <wsmp:Operation>GreaterThan</wsmp:Operation>
        <wsmp:Value>100</wsmp:Value>
        <wsmp:Interval>PT01S</wsmp:Interval>
      </wsmp:Expression>
    </wsmp:Condition>
    <wsmp:Action>
      <wsmp:RejectMessage/>
    </wsmp:Action>
  </wsmp:Rule>
</wsp:Policy>
[Figure labels: Service Level Definition; Service Level Agreement; Global Weather Service Version 1.1; Weather Application Version 1.0; Service Endpoint Internal; Service Endpoint Exposed; Max 100 Msg/Sec QoS Policy; Max 500 Msg/Sec QoS Policy]
“If message traffic exceeds 100 messages per second, then reject any new messages until message traffic is below 100 messages per second again”
Policy generated by WSRR, automatically enforced by DataPower
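How a gateway could turn the policy above into a reject decision, as an added example that is not from the original slides and not DataPower's own rendering of the policy. The namespace URIs are placeholders added so the fragment parses, and the sliding window that counts only accepted messages is an assumed reading of the quoted rule.

```python
import re
import xml.etree.ElementTree as ET
from collections import deque

# Constructed copy of the slide's policy; the namespace URIs are placeholders
# added so the fragment parses, not the real specification URIs.
NS = {"wsp": "urn:example:ws-policy", "wsmp": "urn:example:ws-mediation"}
POLICY = """<wsp:Policy xmlns:wsp="urn:example:ws-policy"
    xmlns:wsmp="urn:example:ws-mediation" Name="Max100MsgSec_Reject">
  <wsmp:Rule><wsmp:Condition><wsmp:Expression>
    <wsmp:Attribute>MessageCount</wsmp:Attribute>
    <wsmp:Operation>GreaterThan</wsmp:Operation>
    <wsmp:Value>100</wsmp:Value>
    <wsmp:Interval>PT01S</wsmp:Interval>
  </wsmp:Expression></wsmp:Condition>
  <wsmp:Action><wsmp:RejectMessage/></wsmp:Action></wsmp:Rule>
</wsp:Policy>"""

def load_rule(xml_text):
    """Extract (limit, interval_seconds) from a MessageCount/GreaterThan rule."""
    expr = ET.fromstring(xml_text).find(".//wsmp:Expression", NS)
    attribute = expr.findtext("wsmp:Attribute", namespaces=NS)
    operation = expr.findtext("wsmp:Operation", namespaces=NS)
    if (attribute, operation) != ("MessageCount", "GreaterThan"):
        raise ValueError("only MessageCount GreaterThan is handled here")
    # Only whole-second durations such as PT01S are handled in this example.
    interval = expr.findtext("wsmp:Interval", default="", namespaces=NS)
    match = re.fullmatch(r"PT(\d+)S", interval)
    if not match:
        raise ValueError("unsupported interval")
    return int(expr.findtext("wsmp:Value", namespaces=NS)), int(match.group(1))

class RejectAboveRate:
    """Sliding window: reject while the window already holds `limit` messages."""
    def __init__(self, limit, interval):
        self.limit, self.interval = limit, interval
        self.accepted = deque()          # arrival times of accepted messages

    def allow(self, now):
        while self.accepted and now - self.accepted[0] >= self.interval:
            self.accepted.popleft()      # forget messages older than the window
        if len(self.accepted) + 1 > self.limit:
            return False                 # this message would exceed the limit
        self.accepted.append(now)
        return True

def replay(arrival_times, policy=POLICY):
    """Return the accept/reject decision for each arrival time (seconds)."""
    gate = RejectAboveRate(*load_rule(policy))
    return [gate.allow(t) for t in arrival_times]
```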
WSRR Policy creation
WSRR Model
Application Optimization Option provides
Self Balancing: Self balance across a cluster of appliances
Replace front-end IP load balancer
New support (introduced in firmware version 4.0.2) enables connections to be preserved, without loss, during failover scenario
Dynamic and Intelligent Load Distribution to backend systems
Replace backend load balancer
Front-end IP load balancers not needed
Self balancing (IP spraying)
Application Optimization Option on XG45
Provides application-aware Intelligent Load Distribution
Auto-discovers application targets and distributes load using dynamic feedback mechanism
Topology learning for WAS ND and VE
Uses intelligent weighted distribution algorithms based on current server load
Weighted Least Connection load balancing algorithm
Provides several options for enabling session affinity
DataPower performs dynamic back-side routing and load distribution (leveraging dynamic information from back-ends)
Application Optimization Option on XG45
Failures of target appliances are masked by appropriate weighted distribution
[Figure labels: User Comment, REQUEST, RESPONSE]
B2B Volumetrics Support
Provides service based access to on-box B2B transaction metadata
– XML Management Interface “b2b-query-metadata” operation
– Schema definitions in store:///xml-mgmt-ops.xsd and store:///xml-mgmt-b2b.xsd
– Query Condition – used to construct the selection criteria, e.g. “all failed transactions with partner A”
– Result Constraints – used to specify how to represent the resulting data, including max rows per response, which properties to be included and properties to be used for sorting
DataPower virtual editions
Announcement: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS212-468&appname=USN
Planned availability: 30 November 2012
Virtual appliance form factor
• VMware ESX or VMware ESXi server
• XG45 Service Gateway appliance
• XI52 Integration Gateway appliance
Supports various scenarios
• Development and testing – no longer require a physical appliance
• Includes various optional features free of charge for non-production use (eg application optimization)
• Production environments where physical appliances are not suitable or not necessary
Full transportability of configuration between physical and virtual appliances
• Develop using a virtual appliance, then move to physical for production
Brand New!
Agenda
WebSphere DataPower Quick Overview
WebSphere DataPower v5.0
WebSphere DataPower virtual editions
WebSphere Appliance Management Center
WebSphere Appliance Management Center (WAMC)
Simple Multi-Box Management for WebSphere Appliances
Web application which provides multi-box operational management for WebSphere DataPower SOA appliances
– Centralized firmware management
– Disaster recovery
– Configuration life cycle deployment
Separate standalone monitoring component is included
– IBM Tivoli Composite Application Manager (ITCAM) Agent for WebSphere DataPower Appliances
Provides firmware management & monitoring support for WebSphere DataPower XC10 appliances
Available for download, free of charge, to licensed users entitled to service for a supported appliance
New in WebSphere Appliance Management Center
Lighter, snappier, more streamlined interactions
– Much lower resource consumption, fast install and start up, improved responsiveness
– Simplified user interface for improved work flow
Flexible appliance and domain grouping
– Appliances & domains can be grouped in any way the user chooses, may be members of multiple groups
– Filters allow the user to quickly view and select members of a group
Improved firmware management support
– Simplified firmware upload and deployment
– Supports firmware management on XC10
Finer grained configuration management
– Deploy configuration at the domain and service level
Quick Page Navigation
Easy access to actions
14.11.12
Focused on monitoring appliance level metrics
– DataPower Appliances
• Resource utilization
• Network and connection statistics
• Object status, system log, event notifications, etc.
Supports monitoring multiple DataPower Appliances with one agent
[Figure labels: WebSphere DataPower SOA Appliance; Tivoli Composite Application Manager Agent for WebSphere DataPower Appliance]
ITCAM Agent for WebSphere DataPower Appliance
WebSphere Cast Iron Cloud Integration
Cast Iron Integration Services
Cast Iron Express
Cast Iron Live Web API Services
Integration Maximises Value of Cloud Investments
Packaged Applications
Home-grown Applications
Organisations are increasingly adopting SaaS applications
Complete Flexibility
Multi-tenant cloud service
Virtual Appliances
Physical Appliances
Total Connectivity
Complete Re-usability
TIP Exchange
TIP Development Kit
TIP Community
For All Types of Projects
UI Mash-ups
Process Integration
Data Migration
Complete Flexibility
No Coding Beyond Configuration
Preconfigured Templates (TIPs)
No “integration experts” or Specialized Resources to Hire
Simple: Configuration, Not Coding approach
Rapid Success: Integrate in Days!
Cloud Offering | Customer Scenario | Duration
Sales Cloud – SAP | 360 Degree Customer View | 10 Days
Custom Cloud - PeopleSoft | Billing and Invoice Integration | 8 Days
Sales Cloud & Chatter – SAP | Customer and Sales Order Integration | 14 Days
Netsuite, CRM | Opportunity to order sync | 20 Days
Oracle CRM On Demand, EBS | Real-time order and invoice visibility | 10 Days
Sales Cloud, Service Cloud, Force.com - Jeeves | Order to Shipment | 21 Days
Private Cloud
■ Entry-Level Self-Service offering – Integrate in hours
■ Basic Salesforce.com integration use-cases:
- SalesForce and Databases (DB2, MySQL, MS SQL, Oracle)
- SalesForce and Flat-files+FTP, local file upload
Sign up online for a free 90 day trial https://express.castiron.com
■ Connectivity, Data Mapping - (but not workflow logic)
Cast Iron Express
Cast Iron Express web-based user interface
Cast Iron Live Web API Services
IBM Confidential
$7bn worth of items sold annually on eBay through APIs
5.9 Billion Mobile Subscribers Globally in 2011
Over 1 Billion API Calls Per Day Each from NetFlix, eBay, Klout, AccuWeather
10.5 Billion Minutes per Day Spent On
25 Billion Apps Downloaded from the Apple AppStore
400 Million Tweets Per Day Today
10x more traffic via API than the Twitter website
The API Economy
Apps
Customer
Business User
IT Guy
Enterprise
App Developer
• Business Users want to engage Customers in new markets
• They need to Externalize the Enterprise
• They need to get Apps in front of these Customers
• Apps need APIs that Externalize the Enterprise
• App Developers use APIs
• App Developers are now External to the Enterprise
• IT Guys need to secure, scale and support the externalized Enterprise
• Business Users and IT Guys need Insights so they can respond to business needs
The Platform
Enterprises want to tap into innovation from a large community of developers, not just developers they employ
The Engaging Enterprise
Security
– Managing access
– Quota usage, tracking and monitoring
Capability
– Proxy of existing services
– “Assembly” of existing data sources to create a new API
Caching
– Deal with increased load on backend services
– Flood control / DoS prevention
Analytics
– Technical metrics about calls made, devices used, workload per app developer
– Business level queries defined on the fly
Community
– Publicize and promote adoption of your APIs
– Manage sign up of app developers
– Provide branding for your enterprise, plus self service documentation and samples for your users
2. Builds
The Enterprise
Key concepts for Web APIs
Sign up online for a free 90 day trial https://webapi.castiron.com
Try it free today!
Summary
WebSphere DataPower Family
– Overview
– WebSphere DataPower v5.0 update
– DataPower virtual editions
– WebSphere Appliance Management Center
WebSphere Cast Iron
– Cast Iron Integration Services
– Cast Iron Express
– Cast Iron Live WebAPI Services
WebSphere DataPower: IBM Appliances for Smarter Connectivity
www.ibm.com/software/integration/datapower
Established Resources:
IBM DataPower Web Page (support, technotes, doc) http://www-01.ibm.com/software/integration/datapower/
developerWorks DataPower Discussion Area http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
Vast library of published articles: http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html
(Also search for “DataPower” within “WebSphere”, “SOA/Web Services” and “XML”)
http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search “DataPower”)
IBM Redbooks: http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
IBM WebSphere DataPower SOA Appliance Handbook: http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
YouTube: http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
DataPower Podcasts: http://www.ibm.com/podcasts/software/websphere/datapower/index.rss
WebSphere Cast Iron cloud integration
www.castiron.com
Resources
– Homepage
• http://www-01.ibm.com/software/integration/cast-iron-cloud-integration/
• Various whitepapers to download on cloud integration
– Intro and Technical overview:
• http://www.redbooks.ibm.com/abstracts/redp4840.html?Open
– Getting Started:
• http://www.redbooks.ibm.com/abstracts/sg248004.html
Cast Iron Express
– https://express.castiron.com
Web API Services
– https://webapi.castiron.com
– http://www.youtube.com/watch?v=dJRij1PDtu8
– http://www.youtube.com/watch?v=qQ_4VsmXiuI
Traditional DataPower Services Security use cases
– Policy enforcement (WS-Policy, Service Level Management, etc.)
– Cryptography (Encryption, Digital Signatures, etc.)
– Access control (Authentication, Authorization, etc.)
New DataPower Connectivity and Integration use cases
– Built-in support for HTTP, MQ, WebSphere JMS, and FTP
– Optional support for Non-XML transformation and database integration
1U form factor
WebSphere DataPower Security Gateway XG45
Slim form 1U rackmount design
Two network modules for application traffic
– 4 x 1 GbE ports
– 2 x 10 GbE ports
Increase capability
– Higher performance CPU, memory, flash size, hard drive space…
– New RAID controller
• Large write cache
• Battery backup
Multiple Replaceable Units
– Customer Replaceable Units (CRU)
• Fan, Power Supply, Hard Drive, Network Module
– Field Replaceable Units (FRU)
• Appliance
• Battery (RAID & Coin)
• PCIe Card
Enhanced Features
– Runtime Hardware Diagnostic
– Customized intrusion detection
Support for Hardware Security Module
WebSphere DataPower XG45 Technical Specs
4 1-Gigabit Ethernet NICs
RAID mirroring across two drives
2 10-Gigabit Ethernet NICs