© 2013 IBM Corporation
DataPower Common Use Cases
Bharat Bhushan, Principal Connectivity Architect, IBM UK
Christopher Khoury, Worldwide Client Technical Leader, IBM US
Arif Siddiqui, Product Manager, IBM US
TIS – 3089
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Introduction to DataPower Gateway Appliances
IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, control, integration and optimized access to a full range of Mobile, Web, API, SOA, B2B and Cloud workloads.
Security & Integration Gateway Appliances
• Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload
• Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution
• Physical appliance that is purpose-built, tamper-evident with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO
• Provides high levels of certified Security assurance, e.g. Transport Protocol Security (SSL/TLS), Message Level Security, and Authentication, Authorization, Audit
• Simplified maintenance model: drop-in appliance form-factor, secures traffic in minutes, and push-button flash upgrade process
• Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold
• Virtual appliance provides deployment flexibility & reduced cost for development and test environments
[Diagram: IBM DataPower Gateway Appliances. A Consumer on the Internet reaches an Application or Service in the Trusted Domain through a DataPower appliance in the DMZ and a second DataPower appliance in the Trusted Domain.]
[Diagram: Internet, DMZ and Trusted Domain, with DataPower in the DMZ and in the Trusted Domain in front of Application or Service, System z, IBM Integration Bus, Application, Service, File and Trading partners; consumers sit on the Internet and inside the Trusted Domain.]
DataPower appliances used across a variety of scenarios
1. Security Gateway (Web Services/Apps/APIs)
2. Intelligent Content Routing & Load Distribution
3. B2B Partner Gateway
4. Internal Security Enforcement
5. Integration
6. Runtime SOA Governance
7. Web Service Management
8. Legacy Integration
Before DataPower Appliances: update application servers individually
After DataPower Appliances: secure, control, integrate, & optimize all applications instantly, with no changes to applications
• Secure, control, integrate & optimize multiple applications without code changes
• Lower cost and complexity
• Enable new business with unmatched performance
Use appliances to simplify & centralize critical functions: Secure, Control, Integrate, Route & Optimize
IBM DataPower Gateway Appliance capabilities
• Control
  ‒ Service-level agreements
  ‒ Traffic control
  ‒ Message accounting
  ‒ Content-based routing
  ‒ Governance & management
• Optimization
  ‒ SSL & TLS offload
  ‒ Hardware accelerated crypto ops
  ‒ XSLT & XQuery acceleration
  ‒ JSONiq acceleration
  ‒ Connection pooling, offload
  ‒ Intelligent load distribution
  ‒ Caching: Local & external (XC10)
• Security
  ‒ OAuth, SAML, XACML, WS-Security, LTPA, Kerberos, etc
  ‒ Authentication & authorization
  ‒ Security token translation
  ‒ Message & transport protection
• Integration
  ‒ Convert payloads (JSON, XML, CSV, Cobol, binary, etc)
  ‒ Bridge transports (HTTP, MQ, FTP, WAS JMS, TIBCO EMS, etc)
  ‒ Database connectivity (DB2, IMS, Oracle, MS SQL, Sybase)
  ‒ Mainframe integration (IMS Connect, IMS Callout, CICS, etc)
  ‒ B2B integration (AS1, AS2, AS3, etc)
• Resilience
  ‒ Operation admission control
  ‒ Failure re-routing
  ‒ XML threat protection
  ‒ JSON threat protection
  ‒ Schema validation
  ‒ Messages filtering
[Diagram: Clients send in-the-clear, malicious, and encrypted and signed requests through the appliance to Service Providers, including a Cobol/MQ application.]
DataPower Family
Integration Appliance XI52
• High density 2U form, XG45 functionality plus
• “Any-to-Any” conversion at wire-speed
• Bridges multiple transport protocols
• Mainframe integration & enablement
• Available in Virtual Edition
Service Gateway XG45
• Entry-level device, slim footprint (1U)
• Security gateway (AAA, XML threat, etc)
• Service level management and monitoring
• Intelligent load distribution & dynamic routing
• Lightweight integration functions (optional)
• Available in Virtual Edition
B2B Appliance XB62
• High density 2U form, XI52 functionality plus
• B2B Messaging (AS1/AS2/AS3/ebMS)
• Trading Partner Profile Management
• B2B Transaction Viewer
Integration Blade XI50B/XI50z
• Functionally equivalent to XI52
• Form factor flexibility
  ‒ XI50B: BladeCenter form factor
  ‒ XI50z: zEnterprise BladeCenter Extension (zBX) form factor
DataPower Appliances: over a decade of innovation & over 2000 worldwide installations
Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Banking
• Majority of the big US and European banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions
Many, many, more
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• etc.
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: Security & Optimization Gateway
Securing the Enterprise & providing optimized access
DataPower security roles and objectives
• Protect data and other resources on the appliance and protected servers
  – System availability
    • Protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network
    • Only allow “valid” messages through
  – Identification and Authentication
    • Verify identity of network users
  – Authorization
    • Protect data and other system resources from unauthorized access
• Protect data in the network using cryptographic security protocols
  – Data End Point Authentication
    • Verify who the secure end point claims to be
  – Data Origin Authentication
    • Verify that data was originated by claimed sender
  – Message Integrity
    • Verify contents were unchanged in transit
  – Data Confidentiality
    • Conceal clear-text using encryption
[Diagram: Internet, DMZ and Intranet separated by firewalls, with mission-critical data on the Intranet; Authentication, Authorization, User Federation, z/OS RACF for User I&A, Authorization and Cert/keys are shown around DataPower.]
• Secure access to Web and legacy applications
• Converged security enforcement
• Rock-solid DataPower platform
• Leverages enterprise security and policy managers
Protection of data plus XML & JSON threat protection
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures
  – Message-level, Field-level, Headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, M
• Use WS-SecurityPolicy to define security requirements for your web services
  – DataPower natively consumes and enforces WS-SecurityPolicy statements
    • Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
• Use XACML to define access and authorization policies for your web services
  – DataPower natively consumes and enforces XACML policies
    • Resource-based Authorization
    • PEP, PDP
DataPower security is policy driven
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• Many others
JSON Threat Protection
• Label - Value Pairs
  ‒ Label String Length (characters)
  ‒ Value String Length (characters)
  ‒ Number Length (characters)
• Threat Protection
  ‒ Maximum nesting depth (levels)
  ‒ Maximum document size (bytes)
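The JSON limits listed above map directly onto checks a gateway runs before a document reaches the application. The following Python is an added example, not DataPower code; the default limit values, the class and function names are assumptions. It enforces document size, nesting depth, label and value string length and number length, and rejects a deeply nested document before the JSON library recurses into it.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """Limits modelled on the JSON threat-protection settings listed above.
    The default values are assumptions for this example, not product defaults."""
    max_document_size: int = 4 * 1024 * 1024  # bytes
    max_nesting_depth: int = 64               # levels
    max_label_length: int = 256               # characters
    max_value_length: int = 8192              # characters
    max_number_length: int = 128              # characters


class JsonThreatError(ValueError):
    """Raised when a document violates one of the configured limits."""


def _check_depth(text: str, limit: int) -> None:
    # Track bracket depth in a single pass that skips string contents, so a
    # deeply nested document is rejected before the JSON parser recurses into it.
    depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise JsonThreatError(f"nesting depth exceeds {limit} levels")
        elif ch in "]}":
            depth -= 1


def _check_strings(node, limits: JsonLimits) -> None:
    # Walk the parsed tree and enforce the label and value string length limits.
    if isinstance(node, dict):
        for label, value in node.items():
            if len(label) > limits.max_label_length:
                raise JsonThreatError(f"label longer than {limits.max_label_length} characters")
            _check_strings(value, limits)
    elif isinstance(node, list):
        for item in node:
            _check_strings(item, limits)
    elif isinstance(node, str) and len(node) > limits.max_value_length:
        raise JsonThreatError(f"value string longer than {limits.max_value_length} characters")


def check_json(raw: bytes, limits: JsonLimits = JsonLimits()):
    """Validate a JSON document against the limits and return the parsed object."""
    if len(raw) > limits.max_document_size:
        raise JsonThreatError(f"document larger than {limits.max_document_size} bytes")
    text = raw.decode("utf-8")
    _check_depth(text, limits.max_nesting_depth)

    def parse_number(literal: str):
        # json hands over the raw digits, so the length check runs before conversion
        if len(literal) > limits.max_number_length:
            raise JsonThreatError(f"number longer than {limits.max_number_length} characters")
        return int(literal) if literal.lstrip("-").isdigit() else float(literal)

    document = json.loads(text, parse_int=parse_number, parse_float=parse_number)
    _check_strings(document, limits)
    return document


def violation(raw: bytes, limits: JsonLimits = JsonLimits()):
    """Return the violation message for a document, or None when it passes."""
    try:
        check_json(raw, limits)
    except JsonThreatError as exc:
        return str(exc)
    return None
```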
AAA: Authentication, Authorization, Auditing
Extract Identity (input)
• HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom
Authenticate
• LDAP/Active Directory, System/z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
Extract Resource
• URL, XPath, SOAP Operation, HTTP Operation, Custom
Map Identity
Map Resource
Authorize
• LDAP/Active Directory, System/z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom
(External Access Control Server or Onboard Identity Management Store)
Audit & Post-Process (output)
• Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate Spnego, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
Security Gateway
Proxying and Enforcement (connection from client, new connection to target)
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (Schema validate)
• Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (Establish a new connection to pass results)
• Cache data on-box or in centralized, shared XC10 grid
[Diagram: Consumer sends a Web Service Request (Basic Auth, OAuth 2.0, WS-Security UNT, etc) to the Security Gateway, which consults an ACL and a Virus Scanner and forwards a Web Service Request (SAML, LTPA, Kerberos) to the Provider.]
[Diagram: Outside World (Internet, SaaS, Partner Apps, Browsers), then the Protocol Firewall, then the Security Gateway in the DMZ (incoming access control; threat protection), then the Domain Firewall with ACL, then the Internal Network (ESB, Packaged Apps, Proprietary Apps, Data), plus an Internal Security Gateway for internal consumers (outgoing access control; SAML injection etc). Protocols and standards shown: HTTP(s), HTML, JSON, XML, SOAP, MIME, DIME, MTOM, XMLDSIG, XMLENC, WS-Security, WS-Security Policy, WS-Trust, SAML, OAuth 2.0. Identity sources: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other).]
Retail Service Provider: securely expose services to consumers
Challenge
• Consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs
• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information
Solution
• Implemented WebSphere DataPower to form the Web services backbone
• Through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data
• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse
Benefits
• Secure SOA on standards-based platform
• Easily reuse Web services throughout enterprise
• Boosts productivity of IT staff
• Substantially shorten time to market for new services
[Diagram: Identity Mgmt]
Centralized Service Governance & Policy Enforcement
• Complete SOA Governance solution
  – WSRR for web service life-cycle policy management
  – DataPower for web service run-time policy enforcement
• Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services
  – DataPower can subscribe or poll web services information from WSRR
• Automatically expose services and policies in DataPower via WSRR subscription
  – Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment
  – Retrieve WSDLs by specific version number
• Dynamically retrieve run-time routing information from WSRR
• Centralized transaction monitoring
  – ITCAM for SOA
• Support for UDDI v2 and v3 for UDDI registries
[Diagram: WSRR (Policy Administration Point) publishes services & policy that DataPower (Policy Enforcement Point) discovers; ITCAM for SOA (Policy Monitoring Point) monitors services; messages flow between Consumer and Service through DataPower.]
Service Level Monitor (SLM): Traffic Control / Rate Limiting
• Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
  – Frequency based on concurrency OR based on messages per time period
  – Take action when exceeding a custom threshold:
    • Notify (or log), Shape (or delay), Throttle (or reject)
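As an added illustration of the SLM behaviour just described (not DataPower configuration or code; the statement fields, class and function names are assumptions), the following Python models one SLM statement: a threshold counted either per time period or by concurrency, and the notify, shape and throttle actions applied once the threshold is exceeded.

```python
import time
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SlmStatement:
    """One SLM statement; the field names are assumptions for this example."""
    threshold: int             # messages per interval, or maximum concurrent requests
    interval: float = 1.0      # seconds; unused for concurrency statements
    kind: str = "rate"         # "rate" (messages per time period) or "concurrency"
    action: str = "throttle"   # "notify" (log), "shape" (delay) or "throttle" (reject)


class ServiceLevelMonitor:
    def __init__(self, statement: SlmStatement, clock=time.monotonic):
        self.st = statement
        self.clock = clock
        self.window = deque()  # admission times inside the current interval, oldest first
        self.in_flight = 0     # open requests, for concurrency statements
        self.log = []          # notifications produced by the notify action

    def _exceeded(self, now: float) -> bool:
        if self.st.kind == "concurrency":
            return self.in_flight >= self.st.threshold
        while self.window and now - self.window[0] >= self.st.interval:
            self.window.popleft()  # drop admissions that have aged out of the window
        return len(self.window) >= self.st.threshold

    def _record(self, at: float) -> None:
        if self.st.kind == "concurrency":
            self.in_flight += 1
        else:
            self.window.append(at)

    def admit(self, now=None):
        """Decide what to do with one arriving message.
        Returns (decision, delay_seconds); decision is admit, notify, shape or throttle."""
        now = self.clock() if now is None else now
        if not self._exceeded(now):
            self._record(now)
            return ("admit", 0.0)
        if self.st.action == "notify":
            # log the breach but let the message through
            self.log.append(f"t={now:.3f}: threshold {self.st.threshold} exceeded, message admitted")
            self._record(now)
            return ("notify", 0.0)
        if self.st.action == "shape" and self.st.kind == "rate":
            # hold the message until enough earlier admissions have aged out of the window
            excess = len(self.window) - self.st.threshold + 1
            release_at = self.window[excess - 1] + self.st.interval
            self._record(release_at)
            return ("shape", round(release_at - now, 6))
        return ("throttle", 0.0)   # reject the message

    def release(self) -> None:
        """Call when a request completes (concurrency statements only)."""
        if self.in_flight > 0:
            self.in_flight -= 1


def simulate(statement: SlmStatement, events):
    """Replay constructed arrival times (floats) and "release" markers through one monitor."""
    slm = ServiceLevelMonitor(statement)
    decisions = []
    for event in events:
        if event == "release":
            slm.release()
        else:
            decisions.append(slm.admit(now=event))
    return decisions
```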
Application Optimization Example
• Scenario
  – JSON REST app to-do list, e.g. { "Task" : "AddEntry", "Detail": "Create presentation materials." }
• Issues
  – High server load
  – Slow response time (>10s)
[Diagram: a public User sends requests straight to the WAS Application in the Enterprise; high load.]
1. Improve Server Load with SSL Offload: client requests are secured via DP SSL concentrator
[Diagram: User on the public network, DataPower in the DMZ, WAS Application in the Data Center; improved load.]
2. Manage Traffic with Application Fluency: DataPower enables application aware traffic management, e.g. on a request such as
PUT /joe/todos HTTP/1.1
Host: joe.org
Content-Type: application/json
Content-Length: 69

{ "Task" : "AddEntry", "Detail": "Waste time." }
3. Distribute Load Intelligently: Application Optimization effects load distribution intelligence; leverage dynamic runtime conditions to distribute based on topology & workload (improved load, improved response time)
4. Cache at the edge(s): application results are cached at the edge using XC10 caching grid OR locally on-box (low load, fast response)
• Faster application response time
• Lower server load
• Improved system throughput
Using XC10 As a Side Cache For DataPower
[Diagram: Client, DataPower XI Appliances, DataPower XC10 and Provider, with steps 1 to 5 numbered on the flow; large response time before, improved response time and improved load after.]
1. Client submits application request.
2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards request to target Provider.
4. XI adds application response to XC10.
5. Client receives response from XI.
• Easily integrates into the existing business process
  – No code changes to the client or back-end application
  – Simply add the side cache mediation
• Significantly reduces the load on the back-end system by eliminating redundant requests
• Improve client observed response time
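The five-step flow above, as an added example rather than the product's own code: a cache-aside proxy in Python where a dictionary stands in for the XC10 grid and the Provider is any callable. The ten-minute time-to-live, the choice to store only successful GET responses, and the Cache-Control no-store opt-out are assumptions for the example.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class SideCacheProxy:
    """Steps 1 to 5 above: the client talks to the proxy, the proxy consults the
    cache, calls the Provider only on a miss, stores the result and replies."""

    def __init__(self, provider, ttl_seconds=600, clock=time.monotonic):
        self.provider = provider      # callable(method, url) -> Response, the target Provider
        self.ttl = ttl_seconds        # assumed 10 minute TTL, as in the travel case below
        self.clock = clock
        self.grid = {}                # stands in for the XC10 grid: key -> (expires_at, Response)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _cacheable(method: str, resp: Response) -> bool:
        # Only successful idempotent reads are stored; a Provider can opt out with no-store.
        cache_control = resp.headers.get("Cache-Control", "")
        return method == "GET" and resp.status == 200 and "no-store" not in cache_control

    def handle(self, method: str, url: str) -> Response:
        now = self.clock()
        key = f"{method} {url}"                       # step 1: request arrives at the proxy
        entry = self.grid.get(key)
        if entry is not None:
            expires_at, cached = entry
            if now < expires_at:                      # step 2: hit, go straight to step 5
                self.hits += 1
                return cached
            del self.grid[key]                        # an expired entry counts as a miss
        self.misses += 1
        resp = self.provider(method, url)             # step 3: forward to the Provider
        if self._cacheable(method, resp):
            self.grid[key] = (now + self.ttl, resp)   # step 4: add the response to the grid
        return resp                                   # step 5: client receives the response

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def simulate() -> dict:
    """Replay a constructed request sequence against a counting fake Provider."""
    calls = []
    clock = [0.0]                                     # controllable time for the example

    def provider(method, url):
        calls.append((method, url))
        return Response(200, f"fares for {url}")

    proxy = SideCacheProxy(provider, ttl_seconds=600, clock=lambda: clock[0])
    proxy.handle("GET", "/fares/LHR-JFK")             # miss: Provider called
    proxy.handle("GET", "/fares/LHR-JFK")             # hit: served from the grid
    clock[0] = 601.0                                  # past the 10 minute TTL
    proxy.handle("GET", "/fares/LHR-JFK")             # miss again: entry expired
    proxy.handle("PUT", "/joe/todos")                 # never cached: not a read
    proxy.handle("PUT", "/joe/todos")
    return {"provider_calls": len(calls), "hits": proxy.hits,
            "misses": proxy.misses, "hit_rate": proxy.hit_rate()}
```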
DataPower XI52 + XC10: Travel and Transportation
Online Reservations / Reservations System
– Before: 3-5 sec response time
– After: .01 -.05 sec response time
– Caching service requests
– Improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability
– 52% caching rate
– 10 minute cache resulted in 40% reduction in load on the back-end systems
– Maintained high data integrity. Faster responses were also accurate
– POC in 3.5 hrs
100x performance improvement
• Improved reliability and scalability of reservation channels
• Reduced traffic to backend systems
• Deliver high performance & consistent response times
• Scale with simplicity and lower TCO
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: Mobile Connectivity
Securely & Rapidly connect Mobile Apps with Enterprise Services
Connect Mobile Apps with Enterprise Apps & Services
IBM DataPower Gateway Appliance: Security, Control, Integration & Optimization of mobile workload
Securely expose enterprise data to Mobile Apps while optimizing delivery of the workload
[Diagram: Mobile apps reach the gateway over e.g. REST (JSON/XML) over HTTPS; behind it sit Worklight, WAS ND, Web Apps and Services (e.g. SOAP over HTTPS) and Message Oriented, Legacy Apps.]
• SSL Offload
• Threat Protection
• Rate Limiting
• Validation, Filtering, now with Native JSON Support**
• Authentication
• Authorization
• Security Token Translation
• Transformation
• Content-Based Routing
• Intelligent Load Distribution, now with On Demand Router for WAS ND**
• Response Caching Locally or to XC10**
Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices**
Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**
** Available in DataPower firmware version 6.0
A closer look at some Mobile Connectivity scenarios
REST Service Gateway for Mobile Apps
[Diagram: Mobile Consumer sends JSON or XML over HTTP(s) to the IBM DataPower Gateway (REST Proxy), which forwards JSON / XML / SOAP, REST to the Provider.]
• SSL offload
• Enforcement point for centralized security policies
  – Authentication, Authorization, OAuth 2.0, Audit
  – Threat protection for XML and JSON
  – Message validation and filtering
• Centralized management and monitoring point
  – Traffic control / Rate limiting
• Routing / Intelligent load distribution to Provider
• RESTful façade to non-REST Provider
Application Acceleration for Mobile Apps
[Diagram: Mobile Consumer sends HTTP(s) GET to the IBM DataPower Gateway and receives JSON or HTML/XHTML; the gateway sends HTTP(s) GET to the Provider and receives XML.]
• Offload heavy lifting of message transformation from the Provider
• Transform to a format best suited for the requesting Mobile App
  – JSON for native/hybrid app
  – HTML/XHTML for browser based
• Cache response data from Provider
  – Locally on the appliance
  – Externally to elastic caching XC10
Client examples using DataPower for Mobile use cases
Several examples of businesses using DataPower as a Mobile Gateway for their Security & Integration needs:
‒ Large international bank has its mobile banking traffic going through DataPower
‒ Large Mobile company in the UK has traffic from handsets, REST service calls, being secured via DataPower
‒ Large global phone company has their RESTful service calls using JSON and XML from Mobile devices and consumer browsers secured and load balanced using DataPower
‒ Large retailer went live recently with DataPower proxying Mobile traffic
‒ Retailer secures their provisioning iPad traffic through DataPower
‒ A wireless carrier secures mobile traffic to account data through DataPower
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: API Management
Securely & Rapidly Create, Socialize & Manage Business APIs to engage with a Developer ecosystem
IBM API Management V2.0 (On-Premise): secure, control and optimize access to APIs through DataPower
[Diagram: On Premise: App Developer Portal, Business Ops Dashboard and Dev Ops Dashboard, with DataPower in front of Enterprise Services, consumed by Web Apps and Mobile.]
Create, Manage, Socialize APIs
• Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Ops perspective, API lifecycle mgmt
• Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas, manage communities and monitor service levels
• Application Developer Portal with Self-Service registration and with hooks into social communities
On-Premise DMZ-ready API Gateway
• Rapid on-ramping of APIs
• API security; SSL termination, Threat protection, Authentication, Authorization with OAuth
• Quota enforcement / Traffic control; Enforce API consumption policies
• Monitors API use
• Caching support for both on-box local and remote caching using XC10
• Intelligent routing and load distribution
Secure Mobile App Integration + API Management
[Diagram: Mobile Apps & Web consumers and API consumers & App Developers reach the Security & Integration Gateway (IBM DataPower Appliance), backed by a Caching Appliance (IBM DataPower XC10), in front of Applications & Services on App Servers (WAS, WAS ND, Worklight or other Provider); API owners Create, Publish, Manage & Socialize APIs with IBM API Management**; multi-device development with IBM Worklight.]
** Available in IBM API Management 2.0
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: Enterprise Integration
Consumable integration solution for securely connecting applications & services while optimizing delivery of workload
Integration
Message Format & Transport Protocol Mediation Example
[Diagram: Consumer sends SOAP / HTTP(s) to DataPower, which performs format & transport bridging and delivers Cobol / MQ to the Provider through an MQ Queue Manager.]
Integration Scenario
[Diagram: Outside World (Internet, SaaS, Partner Apps, Browsers), then the Protocol Firewall, then the DataPower Gateway in the DMZ (Enhanced Security), then the Domain Firewall with ACL, then the Internal Network (Packaged Apps, Proprietary Apps, Data, DB, LDAP, IMS Connect). Transports shown: HTTP(s), FTP(s), SFTP(SSH), WMQ(s), WS JMS, TIBCO EMS, ODBC, JMS, EMS, FTP, NFS, HTTP, WMQ.]
• Content based routing
• Message enrichment
• Message transformation
• Transport protocol translation
• AAA, Threat protection
• Message validation & filtering
• Traffic control / Rate limiting
• Intelligent content based routing
• Intelligent load distribution
• Local and distributed caching
UK Government Agency enables integration capabilities using DataPower
Challenge
• Data held in the back-end systems vital to delivering citizen services, fraud detection across various layers of the Governments across the EU
• Vulnerable back-end services
• Security
• Capacity/ SLA
• Consistent usability experience for internal or external service consumers
Solution
• DataPower in key network zones within and outside of the department
• Thorough content-based validation, routing, and security policy enforcement
• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse
Benefits
• Ease of integration
• Security assurance of the architecture
• Secure SOA on standards-based platform
• Consistent experience and policy for all users
[Diagram: an Integration Layer between Core Services and Core Data on one side and the Government network, Other EU Countries, Other UK Departments and Internal Users on the other.]
Security & Integration Scenario – Financial Firm
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: Mainframe integration & enablement
Offload processing for reduced MIPS
Web Services Enablement for IMS, CICS, DB2
An Irish Bank: enabling retail banking
Core banking platform on Z
Challenge
• Retail application contained 7000 screens; slow response times over dedicated proprietary network.
• Cost of processing XML on the mainframe.
• Message transformation needed before the core banking platform could process requests.
Solution
• DataPower in trusted network exposed services for XML/ HTTP(S) and protocol bridging to WebSphere MQ
• Message validation and transformation using WebSphere Transformation Extender (WTX)
Benefits
• Retail application acceleration through transformations and caching
• Optimized platform for handling, parsing and processing payloads
[Diagram: Branch Network running the web based Branch Application reaches DataPower, which feeds queues on the core banking platform on Z.]
High Street Clothing and Fashion Accessories Retailer: increase customer interaction and loyalty
Customer & Product related application and systems on Z
Challenge
• Highly competitive industry; first mover advantage
• Weak customer loyalty
• Multi channel customer experience
• Complex supply chain and service providers
Solution
• DataPower acted as a reverse proxy for:
  – Outbound messages via a service provider
  – Inbound customer updates/ delivery notifications
• Transform SOAP/ XML payload to COBOL copybook messages for CICS application
Benefits
• Create customer interaction and value through innovative business strategy.
• Integrate various suppliers using standards based interfaces securely.
• Graphical configuration driven appliance; short learning curve
[Diagram: Open Internet reaches DataPower, which feeds queues on the Customer & Product related application and systems on Z.]
Broad integration with System z
[Diagram: Client sends SOAP/HTTP to DataPower XI50z, which reaches the IMS Application through the IMS SOAP Gateway, WAS+IMS connector and IMS OTMA, the MQ Server and MQ Bridge (CCB / MQ), and DB2 over DRDA.]
DataPower XI50z
• Connect to existing applications over WebSphere MQ
• Transform XML to/from COBOL Copybook for legacy needs
• Integrate with RACF security from DataPower AAA
• Dynamic crypto material retrieval & caching, or offload crypto ops to z
• Connect to IMS
  ‒ Via IMS Connect client
  ‒ Via Web Services
  ‒ Via WebSphere MQ
• Connect to CICS
  ‒ Via WebSphere MQ
  ‒ Via Web Service
• Connect to DB2
  ‒ Via Web Service
  ‒ As direct ODBC call with ODBC Client option
Additional benefits with integrated DataPower XI50z blade form factor
• Fast secure network between DataPower blade and target servers
• Virtual Network Provisioning
• Dynamic Load Balancing (via Sysplex Distributor)
• HMC Console Integration
• Blade Hardware Management
• Energy Monitoring and Management of DP Blades
• DP Firmware Load and Update
• Monitoring and Reporting
Enhanced value for System z & IMS: new integration capabilities between DataPower and IMS
• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
• IMS DB feature supports DataPower integration with IMS database through SQL interface
  ‒ Enrich messages with database content
  ‒ Expose data as a service to remote applications
[Diagram: Client sends SOAP / REST to DataPower, which reaches IMS (App1, App2) over DRDA, OTMA and IMS Connect; for IMS Callout, IMS as Service Consumer reaches DataPower over TCP/IP, and DataPower calls the Service Provider with SOAP / REST.]
Agenda
• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B
Use Case: B2B integration
Extend integration beyond the enterprise to partner community
DataPower B2B Functionality: extend beyond the enterprise to integrate with partners
• B2B Gateway Service
‒ AS1, AS2, AS3 and ebMS v2.0
‒ Plaintext email support
‒ EDI, XML and Binary Payload routing
‒ Front Side Protocol Handlers
‒ Hard Drive Archive/Purge policy
‒ CPA and Partner Profile Associations
‒ MQ File Transfer Edition integration
• Trading Partner Profiles
‒ Two Types – Internal and External
‒ ebXML CPPA v2.0
‒ Multiple Business IDs
‒ Multiple Destinations (URL Openers)
‒ Certificate Management (S/MIME Security)
‒ Multi-step processing policy
• B2B Viewer
‒ B2B transaction viewing
‒ MQ FTE transaction viewing
‒ Transaction resend capabilities
‒ Transaction and Acknowledgement correlation
‒ Role based access
• Persistent Storage
‒ AES Encrypted B2B document storage
‒ Option for Off-Box Storage (NFS or iSCSI)
• Transaction Store
‒ B2B metadata storage
‒ B2B state management
[Diagram: DataPower B2B Gateway Service with Partner Connection Front Side Handlers and Internal Partner Destinations, Integration Front Side Handlers and External Partner Destinations, the B2B Viewer, a Metadata Store (DB), a Document Store (HDD) and Partner Profiles.]
UK Logistics and Distribution
Challenge
• AS2, File and Web Services based interfaces to 100s of B2B customers.
• Messages are exchanged at least once a day
• Secure proxy solution in the DMZ
• Complex incumbent supplier chain
Benefits
• Create customer interaction and value through innovative business strategy.
• Integrate various suppliers using standards based interfaces securely.
• Graphical configuration driven appliance; short learning curve
[Diagram: UK Logistics and Distribution deployment connecting Internal Systems and External Systems.]
DataPower Appliances Benefits
• Reduce Complexity: Replace software server functionality with DataPower Appliances, reduce infrastructure footprint, and off-load systems intensive processes.
• Lower TCO: DataPower Appliances have demonstrated reducing operational costs by as much as 50%
• Reduce Time to Market: DataPower Appliances dramatically decrease the testing time and amount of development required to upgrade your environment; most policies are configuration driven as opposed to development driven
• Reduce Risk: DataPower Appliances provide the communication layer without requiring application modification, and deliver improved security and audit
• Flexibility & Security: DataPower Appliances shield business applications from security requirements, protocol changes and service versioning - no application modifications needed
DataPower resources
www.ibm.com/software/integration/datapower
• IBM DataPower Web Page (support, technotes, doc)
  ‒ http://www-01.ibm.com/software/integration/datapower/
• developerWorks DataPower Discussion Area
  ‒ http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
• Vast library of published articles:
  ‒ http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html (Also search for “DataPower” within “WebSphere”, “SOA/Web Services” and “XML”)
  ‒ http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search “DataPower”)
• IBM Redbooks:
  ‒ http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
• IBM WebSphere DataPower SOA Appliance Handbook
  ‒ http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
• YouTube:
  ‒ http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
• DataPower Podcasts:
  ‒ http://www.ibm.com/podcasts/software/websphere/datapower/index.rss
We love your Feedback!
Don’t forget to submit your Impact session and speaker feedback!
• Your feedback is very important to us – we use it to improve next year’s
conference
• Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
‒ Use the session ID number to locate the session
‒ Click the “Take Survey” link
‒ Submit your feedback
Legal Disclaimer
• © IBM Corporation 2013. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
BACKUP Material
Health Insurance Provider
Value of DataPower B2B Appliances for Extending Connectivity?
Secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information
Industry Pains:
• HIPAA Security requirements for transporting data over the Internet
• HL7 v3.0 XML threat protection
• Complexity of B2B for healthcare
Smarter Business Outcomes:
• Reliable and secure routing of customer sensitive data
• Easy to use and maintain; no additional skill needed
• XML Messages with attachments are authenticated, authorized, and virus scanned
EDIINT Flow: Simple AS2 transaction flow with Transform
[Diagram: Partner A (Application, Browser) and Partner B (Application) connected over the Internet through the XB62 B2B Hub, which hosts the B2B Gateway Service with its AS2 Process, the Transaction Viewer and the Data Store; message labels EDI, XML, AS2 (EDI) and AS2 (MDN); numbered steps 1, 2, 3a, 3b, 4, 5]
Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
Why use an Appliance for connectivity?
• Purpose-built, fine-tuned consumable platform
• Achieves fast performance with multiple layers of specialized acceleration
• Many functions incorporated in a single device
  – Service level management
  – Dynamic routing and load distribution
  – Transport and message level security
  – Policy enforcement
  – Transport and message transformation
• Simplified maintenance model
  – Drop-in appliance form-factor
  – Secures traffic in minutes
  – Push-button flash upgrade process
  – Integrates with existing operations
• Provides high levels of certified security assurance
  – Transport Protocol Security (SSL/TLS)
  – Message Level Security
  – Authentication, Authorization, Audit (AAA)
  – FIPS 140-2 Level 3
DataPower & Tivoli Offerings
DataPower integrates with Tivoli offerings to provide an authentication and authorization policy enforcement point solution
• Tivoli Access Manager (TAM)
  – Provides a single point of decision making for Authentication and Authorization. [PDP]
  – DataPower will enforce the decision. [PEP]
  – Locally cached TAM policy database reduces network latency and traffic congestion
• Tivoli Federated Identity Manager (TFIM)
  – Provides federated identity management and a single IdP enterprise solution [Federation]
• Tivoli Security Policy Manager (TSPM)
  – Allows authoring of XACML policy to be enforced by DataPower. [PAP]
  – TSPM can also act as PDP to make Authorization decisions [PDP]
– PAP: Policy Authoring Point
– PDP: Policy Decision Point
– PEP: Policy Enforcement Point
Application Optimization
[Diagram: Consumer and Consumer Application on the Internet, a DMZ tier, and a Trusted Domain with Application and System z; boxes labelled Application Optimization (Application Intelligence, Application Security, SSL Acceleration) and SOA Optimization (XML Intelligence, XML Security, Routing, Transformation, Mediation)]
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance
Application Optimization: Self balancing (IP spraying)
Front-end IP load balancers not needed
• Self Balancing: Self balance across a cluster of appliances
  – Replace front-end IP load balancer
  – New support (introduced in firmware version 4.0.2) enables connections to be preserved, without loss, during failover scenario
• Dynamic and Intelligent Load Distribution to backend systems
  – Replace backend load balancer
Application Optimization: Intelligent Load Distribution
DataPower performs dynamic back-side routing and load distribution (leveraging dynamic information from back-ends)
Provides application-aware Intelligent Load Distribution
• Auto-discovers application targets and distributes load using dynamic feedback mechanism
• Topology learning for WAS ND and VE
• Uses intelligent weighted distribution algorithms based on current server load
• Weighted Least Connection load balancing algorithm
• Provides several options for enabling Session Affinity
Failure of target appliances is masked by appropriate weighted distribution
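The weighted least-connection selection named above, with a failed target masked out of the pool, as an added illustration (not DataPower code; target names and weights are constructed for the example):

```python
from dataclasses import dataclass


@dataclass
class Target:
    """A back-end target; the names used below are constructed for the example."""
    name: str
    weight: int           # higher weight = larger share of the load
    active: int = 0       # connections currently in flight
    healthy: bool = True  # a failed target is masked out of selection


class WeightedLeastConnection:
    """Pick the healthy target with the lowest active/weight ratio."""

    def __init__(self, targets):
        self.targets = list(targets)
        if any(t.weight <= 0 for t in self.targets):
            raise ValueError("weights must be positive")

    def select(self):
        candidates = [t for t in self.targets if t.healthy]
        if not candidates:
            raise RuntimeError("no healthy targets")  # fail closed, not open
        # min() is stable: ties go to the earliest-listed target
        return min(candidates, key=lambda t: t.active / t.weight)

    def acquire(self):
        target = self.select()
        target.active += 1
        return target

    def release(self, target):
        target.active -= 1

    def mark_failed(self, name):
        """Health check failed: mask the target until it is marked healthy again."""
        for t in self.targets:
            if t.name == name:
                t.healthy = False


def simulate(pool, n_requests, fail_at=None):
    """Open n_requests long-lived connections (none released) and return how
    many each target received; fail_at=(i, name) fails a target before request i."""
    counts = {t.name: 0 for t in pool.targets}
    for i in range(n_requests):
        if fail_at is not None and i == fail_at[0]:
            pool.mark_failed(fail_at[1])
        counts[pool.acquire().name] += 1
    return counts


if __name__ == "__main__":
    pool = WeightedLeastConnection([Target("app-a", 3), Target("app-b", 1)])
    print(simulate(pool, 8))  # app-a receives three times the connections of app-b
```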
Integration: Content-Based Routing
• Dynamically route based on any message content
  – Attributes such as the originating IP, requested URL, protocol headers, etc.
  – Data within the message such as SOAP Headers, XML, Non-XML content, etc.
• Query a repository for routing information
  – WebSphere Service Registry & Repository, XML files, Databases, Web Servers
[Diagram: Unclassified Requests routed to Service Providers]
Integration: Any-To-Any Message Transformation
• Transform the message format with ultimate flexibility
  – Leverage WebSphere Transformation Extender for data mapping
[Diagram: Input Message (<XML/>, TEXT, binary) mapped to Output Message (<XML/>, TEXT, binary) using WebSphere TX Design Studio]
Integration: Transport Protocol Translation
• Integrate disparate transport protocols with extreme ease
  – No dependencies between inbound “front-side” and outbound “back-side”
  – Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
• Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only once message patterns
[Diagram: DataPower bridging HTTP(s), FTP(s), SFTP, WebSphere MQ / MQ FTE, WebSphere JMS, Database (DB2, SQL Server, Oracle, Sybase), TIBCO EMS, IMS and NFS]
IMS Integration: Web Services Security and Management for IMS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
[Diagram: Client, SOAP/HTTP, DataPower, SOAP/HTTP, IMS SOAP Gateway or WAS+IMS connector]
IMS Integration: Web Services Enablement for IMS-based Services
[Diagram: Client, SOAP/HTTP, DataPower, CCB / MQ, MQ Server with MQ Bridge, IMS OTMA, IMS Application]
• DataPower provides WS-enablement to IMS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
  – MQ bridge to access IMS
  – MQ connectivity is embedded in DataPower
IMS Integration: Web Services Enablement for IMS-based Services (cont’d)
[Diagram: Client, SOAP/HTTP, DataPower, CCB / TCP, IMS Connect with User exit (e.g. HWSSMPL0), IMS OTMA, Appl1–Appl6]
• DataPower provides WS-enablement to IMS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol
IMS Integration: IMS Connect Reverse Proxy
[Diagram: IMS Connect TCP Client, CCB / TCP, DataPower, IMS Connect with User exit (e.g. HWSSMPL0), IMS OTMA, Appl1–Appl6]
• Bring DataPower value add to standard IMS Connect usage patterns
• Provide an “IMS Connect Client” on DataPower that natively connects to IMS Connect
• Provide an “IMS Connect Server” on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
  – Enables authentication checks, authorization, logging, SLM, transformation, route, DB look-up, SSL offload, etc.
DB2 Integration: “Information as a Service”
[Diagram: Client, SOAP/HTTP, DataPower, DRDA, DB2]
• DataPower provides a standard WS façade to DB/2
  – Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data Web Services runtime and DataPower
  – SOAP call is mapped to an ODBC (DRDA) invocation
• Exposes database content (information) as a service
• Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise
CICS Integration: Web Services Security and Management for CICS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
• Support CICS ID propagation
[Diagram: Client, SOAP/HTTP, DataPower, SOAP/HTTP, CICS Web Services or WAS+CICS connector]
CICS Integration: Web Services Enablement for CICS Applications
[Diagram: Client, SOAP/HTTP, DataPower, CCB / MQ, MQ Server with CICS Bridge, CICS, CICS Application]
• DataPower provides WS-enablement to CICS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
  – MQ bridge to access CICS
  – MQ connectivity is embedded in DataPower
Web Services bridged to AS2 File Transfer Pattern
[Diagram: Partner A (WS Client, Browser) and Partner B connected over the Internet through the XB62 B2B Hub, which hosts a Web Service Proxy (Web Service Process, Flat Pre-Process), the B2B Gateway Service, the Transaction Viewer and the Data Store; message labels SOAP, Flat and AS2; numbered steps 1–7]
Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and sending data over any of the 16 supported protocol handlers. When Services are tied together in front of or behind a B2B Gateway Service they are handled like pre and post processes.
MQ FTE Integration Pattern – Inbound File to Message
[Diagram: Trading Partner (XB60) over the Internet to the XB62 (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store; Browser (Admin), Browser (Partner view), Browser (LOB User)), then into the MQFTE Network (Source Agent with Data Store, Target Agent, Queue Managers, MQ Explorer, DB Logger (DB2 or Oracle)) and on to the Enterprise Applications server; numbered steps 1, 2, 2a, 3, 4, 5, 6]
ebXML with CPPA Pattern
[Diagram: External Partners on the Public Network / Internet exchange ebMS (ebXML) and ebMS (Ack) with the WebSphere DataPower B2B Appliance in the DMZ, whose B2B Gateway Service holds Collaboration Partner Agreement Entries (Collaboration Protocol Agreement Entry: Internal Collaboration Partner Profile, External Collaboration Partner Profile, CPAId / Collaboration) and a Transaction Viewer (Browser), in front of Applications in the Secured Network; numbered steps 1–5]
Health Level 7 3.x to 2.x Transform Pattern
[Diagram: Partner B, Hospital (Healthcare Applications, HL7 V3 over Any Transport) exchanges AS2 (HL7 V3) and AS2/MDN over the Internet with Partner A, Regional Healthcare Center: a B2B Appliance acting as B2B Hub with AS2 Process, B2B Gateway Service, Profiles (Internal Profile: Regional Center; External Profile: Hospital) and Transaction Viewer, which validates XML and transforms to any V.2.x format for the Healthcare Applications (HL7 V2.x over Any Transport); numbered steps 1–6]
Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack
[Diagram: Trading Partner over the Internet exchanges AS2 (HL7) and AS2 (MDN) with the XB62 (B2B Gateway Service, Transaction Viewer, Profile Mgmt, Data Store; Browser (Admin), Browser (Partner view)) at the Healthcare Provider, which passes HL7/MQ over WebSphere MQ to the WebSphere Healthcare Connectivity Pack, connected by HL7/MLLP and XML/HTTP to the Clinical Trials System, Patient Administration System, Billing System and Pharmacy; numbered steps 1, 2, 2a, 3, 4, 5]