© 2015 IBM Corporation
IBM DataPower Gateway & V7.1 Overview
Ozair Sheikh, Senior Product Manager IBM DataPower Gateways
Arif Siddiqui, Principal Product Manager – Strategic Initiatives, IBM DataPower Gateways & API Economy
Agenda
DataPower Gateway Overview
Recent Releases
What’s New in DataPower Gateway & V7.1
Q&A
DataPower Gateways …
IBM DataPower Gateways provide a low startup cost,
helping clients increase ROI and reduce TCO with
specialized, consumable, dedicated gateway appliances that
combine superior performance and hardened security in
physical and virtual form factors
INTEGRATE Systems of Engagement with Systems of Record
CONTROL & MANAGE Traffic and Service Level Agreements
SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
OPTIMIZE Data Delivery and User Experiences
CONSOLIDATE & Simplify Infrastructure Footprint
Gateway for the Multi-channel Enterprise
Single security and integration gateway platform to
provide security, integration, control & optimized
access to a full range of Mobile, API, Web, SOA,
B2B, & Cloud workloads
IBM DataPower Gateway
Mobile: Simplify mobile security with single, purpose-built gateway; control mobile traffic and accelerate delivery
Web: Simplify web security with single, purpose-built gateway; control traffic and accelerate delivery for intranet and internet web applications
Cloud: DataPower gateway functionality in a virtual appliance form factor, supports multiple hypervisor & cloud environments
API: Easily secure, control, publish, monitor & manage your APIs
SOA: Secure, integrate, control & manage SOA workloads in the DMZ and Trusted zones
B2B: Extend Connectivity & Integration beyond the enterprise with DMZ-ready B2B edge capabilities
IBM DataPower Gateway Appliances are the industry-leading
Security & Integration gateways that help provide security, integration, control
and optimized access to a full range of
Mobile, Web, API, SOA, B2B, & Cloud workloads
Common Use Cases
[Figure: deployment diagram spanning Internet, DMZ and Trusted Domain; labels: Consumer, Trading partners, DataPower Gateway, Application or Service, Middleware, z System]
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 ESB / Integration Gateway
7 Internal Security Enforcement
8 Web Services Governance & Management
9 Legacy Integration
IBM API Management: One Integrated Platform
design, secure, control, publish, monitor & manage APIs
Developer Portal
• Explore API documentation
• Provision application keys
• Self-service experience
API Manager
• Define and manage APIs
• Explore API usage with analytics
• Manage API user communities
Management Console
• Provision system resources
• Monitor runtime health
• Scale the environment
API Gateway (IBM DataPower)
• Enforce runtime policies to control API traffic
Features
Simplify, offload & centralize critical functions
[Figure: Before DataPower Gateway / After DataPower Gateway; labels: Consumer, Secure, Control, Integrate, Optimize]
Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption
Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms
Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity
Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution
Deployment options
Purpose-built, DMZ-ready appliances provide physical security
High density 2U rack-mount design
8 x 1 and 2 x 10 GbE ports
Cryptographic acceleration card
Trusted platform module
Customized intrusion detection
Optional HSM (FIPS 140-2 Level 3 certified)
Virtual appliances provide deployment flexibility
Support multiple hypervisors and cloud environments
− VMware
− Citrix XenServer
− IBM PureApplication System (x86 nodes)
− IBM PureApplication Service on SoftLayer (x86 nodes)
− IBM SoftLayer bare metal instances using supported hypervisors
Purpose-built hardware provides physical security
• Sealed, tamper-evident case
• No usable USB, VGA, other ports
• Intrusion detection switch
• Trusted Platform Module
• Encrypted flash drive
• FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys
Hardened firmware provides platform security for physical & virtual gateways
• Single signed and encrypted firmware by IBM
• No arbitrary software
• Optimized, embedded operating system
• High assurance, “locked-down” configuration
• Key materials are not exportable from the appliance *
Enterprise grade security requires a secure platform
Virtual Edition
DataPower gateway functionality in virtual appliance form
factor to rapidly secure, integrate, control & optimize
access to Mobile, API, Web, SOA & B2B workloads in
hypervisor & cloud platforms
Use for development, test or production
Supports multiple hypervisor & cloud platforms
VMware
Citrix XenServer
IBM PureApplication System W1500/W2500
IBM PureApplication Service on SoftLayer (x86)
IBM SoftLayer bare metal instances on x86 nodes
Seamless configuration migration between physical
and virtual appliances
Utilizes the same industry-proven & purpose-built
platform including an embedded, optimized DataPower
Operating System, that powers the physical appliances
x86 Server
Delivers purpose-built, highly
consumable Security &
Integration Gateway functionality
in virtual appliance form factor for
cloud deployments
Virtual Edition Benefits
Deployment flexibility and elasticity – “Right size” the
deployment, quickly deploy where needed, & rapidly scale
Workload isolation - Projects can use their own instances
Unbounded memory scalability - Memory can be added
to instances without additional licensing
Low cost for Dev & Test environments - Developers &
Non-Production versions include add-on software modules at
no additional charge
Free disaster recovery - Warm or cold backup without
additional licenses when licensed for Production
Flexible licensing and entitlement
Sub-capacity licensing
Monthly licensing option
Entitlement to future product versions at no
additional charge with active maintenance (S&S)
DataPower Gateways: Over 14 years of innovation & over 2,000 global installations
Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Banking
• Majority of the big US and European banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions
Many, many, more
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• Others
DataPower’ing IBM Bluemix!!!
• Security
• Control
• Filtering
• Content-Based Routing
• Load balancing
• Monitoring and Logging
[Figure: Bluemix architecture; labels: Mobile client, Internet, Bluemix Tooling, VM, Application Manager, App, Service, Open Stack, External Services]
Did you know?
DataPower has been trusted to be the exclusive gateway for Bluemix, IBM’s global Platform as a Service
Recent Releases
Highlights of DataPower v6.0 (Released June 2013)
• Provides the API gateway functionality for IBM API Management
• Quick integration with IBM Worklight to secure mobile web traffic
• Improved REST services handling with native JSON support including schema validation & query, extract, filter & transform through JSONiq
• New XML data query, extraction & manipulation support with XQuery 1.0
• Enhanced security with new OAuth 2.0 capabilities, new support for Kerberos constrained delegation (S4U2Proxy), and TLS 1.1/1.2
• Improved WS-MediationPolicy consumption from WSRR & SLAs for non-SOAP traffic
• Embedded On-Demand Router functionality for WAS ND environments
• Optimized application delivery with response caching on-the-box & seamless integration with elastic caching XC10 appliances
• New System z integration capabilities allowing IMS transactions to easily consume external web services & easy consumption of IMS data as a service
• Simple ability to create & deploy common DataPower configuration patterns
Highlights of DataPower v6.0.1 (Released Dec 2013)
• Adds Application Optimization (optional add-on module) on XB62
• Support for self-balancing and intelligent load distribution
• Eliminate load balancing hops - reducing cost & complexity + improving scalability & performance
• Empowers XB62 to provide API gateway functionality for IBM API Management solution
• Enables a converged solution for B2B and API management gateways
• NIST SP800-131a security standard compliance + FIPS 140-2 Level 1 certified cryptography module
• Enables U.S. Federal & Public sector customers to meet government mandated security standard
• Supported on both physical & virtual appliances
• Enhanced support for Web, Mobile & REST workloads
• Enhanced Configuration Pattern Console
• Improved error handling and description
• Adds version support for configuration patterns
Important Note: This firmware is not supported on 9004 appliances, i.e. XS40, XI50 or XB60
Links:
Release Notes: http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m1/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2FrelnotesXI.html
Highlights of DataPower v7.0 (Released June 2014)
• GatewayScript: A JavaScript runtime that is secured, optimized and tuned for the gateway environment to simplify configuration for developers and provide an easier development paradigm for Mobile, Web, & API
• New Virtual Edition for Developers provides a low cost, per user pricing, and easy to use gateway for developers
• Support for Citrix XenServer hypervisor provides additional deployment flexibility on-premise & cloud deployments
• WebSocket Proxy support enables full-duplex, bi-directional, & low-latency communication for Mobile & Web applications, Internet of Things
• Improved security & traffic control functionality in support of IBM API Management offering
What’s New in DataPower Gateway & V7.1
IBM DataPower Gateway 7.1 (Released Nov 2014)
Secure. Integrate. Control. Optimize.
Consolidated product: Single, modular & extensible gateway platform to secure, integrate, control, & optimize full range of workloads
New hardware platform: Increase capacity & throughput while reducing latency with latest generation hardware
Deployment flexibility: Use physical or virtual appliance with seamless configuration migration with on-premise & cloud deployments
B2B module: Centralize B2B trading partner connectivity & transaction management with high performance secure entry point in the DMZ
Multi-channel gateway: Utilize single gateway with integrated access enforcement from ISAM to secure & optimize delivery of mobile, API, web, SOA, B2B, cloud apps, and integrate with IBM MobileFirst & WebSphere platforms
Enhanced security: Enable additional flexible authentication from internet consumers & Non-Microsoft consumers to Microsoft systems
Highlights of IBM DataPower Gateway & V7.1
Single multi-channel gateway platform to secure & optimize
delivery of mobile, API, web, SOA, B2B, cloud apps, and
integrate with IBM MobileFirst & WebSphere platforms
Integrates industry-proven access enforcement capabilities of
IBM Security Access Manager into the DataPower platform,
available as add-on ISAM Proxy Module
IBM DataPower Gateway is the new name of a consolidated,
extensible & modular platform
Converges three existing products, XG45 / XI52 / XB62, into a
single modular offering
Physical appliance uses purpose-built latest generation
hardware platform to provide increased performance & capacity
Virtual appliance runs on VMware & Citrix XenServer
hypervisors and cloud platforms that support them
Easy-to-use & secure B2B integration capabilities, formerly on
XB62 appliances only, available as add-on B2B Module
Enable authentication from internet consumers & Non-Microsoft
consumers to Microsoft systems with Kerberos S4U2Self
support
Single, modular & extensible platform (1 of 2)
IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
• Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
• Available in physical and virtual form factor
• Supports V7.1 and above
Physical Appliance
• 2U rack mount appliance using latest generation hardware platform
• Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
• Each software module is licensed separately
Virtual Edition
• Three editions: Developer, Non-Production, Production
• Developer includes all software modules at no additional cost, except TIBCO EMS
• Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
• Production: Each software module is licensed separately
Add-on software modules provide additional functionality that can be activated quickly when needed
IBM API Management solution requires base IBM DataPower Gateway as runtime for executing API workloads
Single, modular & extensible platform (2 of 2)
Modules
ISAM Proxy Module
• User access control, session management, web SSO enforcement
• Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn
• Integration with ISAM for Mobile
Application Optimization Module
• Frontend self-balancing
• Backend intelligent load distribution
• Session affinity
• z Sysplex Distributor integration
Integration Module
• Any-to-Any message transformation
• Database connectivity
• Mainframe IMS connectivity
B2B Module
• B2B DMZ gateway
• EDIINT AS1,AS2,AS3,ebXML
• Partner profile management
• B2B transaction viewer
• Any-to-Any message transformation
• Database connectivity
TIBCO EMS Module
• Integrate with TIBCO EMS messaging middleware
• Support for queues & topics
• Load balancing & fault-tolerance
IBM DataPower Gateway (Base), 2U Physical or Virtual Edition
Secure
• Authentication, authorization
• Security token translation
• Service / API virtualization
• Threat protection
• Message validation
• Message filtering
• Message digital signature
• Message encryption
• AV scanning integration
Integrate
• Transport protocol bridging
• Message enrichment
• Message transformation & processing using JavaScript, JSONiq, XQuery, XSLT
• Mainframe integration & enablement
• Flexible pipeline message processing engine
Control & Manage
• Service level management
• Quota & rate enforcement
• Content-based routing
• Message accounting
• Integration w/ management & visibility platforms including IBM API Management & WSRR for policy enforcement
Optimize & Offload
• SSL / TLS offload
• Hardware accelerated crypto*
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Local response caching
• Distributed caching with WXS or XC10
• Backend load balancing
Latest Generation Hardware Platform
Trusted Platform Module
Customized intrusion detection
Cryptographic Acceleration Card
Hardware Security Module (Optional, FIPS 140-2 Level 3 certified)
Runtime Hardware Diagnostic
Intelligent Platform Management Interface
Supercapacitor Powered Flash-backed RAID Cache
Multiple Replaceable Units
– Customer Replaceable Units (CRU)
• Fan, Power Supply, HDD, Network Module
– Field Replaceable Units (FRU)
• Appliance, CPU, Memory, Flash Drive, Coin
Battery, Supercapacitor for RAID
• Cryptographic Acceleration Card, HSM
Card, RAID Card
Purpose-built, high density 2U rack mount design
Increased capacity
‒ Higher performance CPU & memory
‒ Faster cryptographic acceleration card
‒ New RAID controller w/ large write cache
192 GB memory
Two 1.2 TB high speed hard drives
Three management traffic ports
1 RJ45 serial port
2 x 1 GbE ports
Ten application traffic ports
‒ 8 x 1 GbE ports
‒ 2 x 10 GbE ports
2 10-Gigabit Ethernet NICs
8 1-Gigabit Ethernet NICs
RAID mirroring across two drives
Comparison with older products
Previously: 3 Products (XG45/XI52/XB62)
• 2 Physical appliances (1U & 2U)
• 2 Virtual appliances (XG45/XI52)
• IBM WebSphere DataPower Service Gateway XG45 (1U Physical, Virtual Edition)
• IBM WebSphere DataPower Integration Appliance XI52 (2U Physical, Virtual Edition)
• IBM WebSphere DataPower B2B Appliance XB62 (2U Physical)
Now: 1 Product
• 1 Physical appliance (2U only)
• 1 Virtual appliance
• IBM DataPower Gateway (2U Physical, Virtual Edition)
• IBM DataPower Gateway + Integration Module (2U Physical, Virtual Edition)
• IBM DataPower Gateway + B2B Module (2U Physical, Virtual Edition)
IBM DataPower Gateway Virtual Edition provides the same functionality & modules as physical appliances with the exception of HSM (that provides FIPS 140-2 Level 3 certification)
Integration & B2B Module are independent & can be purchased separately
IBM DataPower Gateway 2U rack mount physical appliance is available with optional HSM (FIPS 140-2 Level 3 certified)
Firmware V7.1, Modules & Supported Platforms
Firmware V7.1 delivers
• ISAM Proxy Module to enable advanced access enforcement of mobile & web use cases
• B2B Module to enable secure B2B integration capabilities, formerly available on XB62 only
• Integration Module to enable integration functionality including any-to-any message transformation, database connectivity & mainframe connectivity
• Kerberos S4U2Self functionality to provide flexible authentication for Microsoft environments
• Increase in XML Names maximum to allow for large configurations, RAS & other enhancements
V7.1 supports the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical and Virtual Edition)
• XI52 (Physical and Virtual Edition), XI50B (2426 & 4195 models)
• XB62 (Physical)
ISAM Proxy module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical and Virtual Edition)
• XI52 (Physical and Virtual Edition)
• XB62 (Physical)
B2B module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical and Virtual Edition)
• XI52 (Physical and Virtual Edition)
Integration module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual Edition)
Silos of security & control are impeding business agility
[Figure: layered diagram. Users: Developers, Partners, Consumers, Employees. Business Channels: Web, Mobile, B2B, SOA, APIs, Cloud. Security & Control Solutions: API gateway, B2B gateway, SOA gateway, web access proxy, mobile gateway, cloud gateway. Applications and Systems: z System, Middleware, ESB, Application, Service.]
Reduce cost + improve security & control with a single gateway
[Figure: layered diagram. Users: Developers, Partners, Consumers, Employees. Business Channels: Web, Mobile, B2B, SOA, APIs, Cloud. Security & Control Solutions: DataPower Gateway (virtual appliance, physical appliance). Applications and Systems: z System, Middleware, ESB, Application, Service.]
IBM Multi-channel gateway
ISAM for DataPower module provides the reverse proxy component that provides enforcement for
Centralized user authentication & coarse-grained authorization
Session management, & web SSO
Context based access & mobile SSO
Strong authentication including one-time password and multi-factor authentication
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security
Access Manager in a single, converged security and integration gateway
New in V7.1
[Figure: channels (Web Browsers and Portals, Mobile Web, Web 2.0 (AJAX), Native Mobile, Hybrid Mobile, B2B, API, SOA (Web Services)) connect to IBM DataPower Gateway with ISAM Module; functions shown: User access security; App, Service & API security; Traffic control & optimization; Connectivity & transformation]
What is ISAM for DataPower Module?
• ISAM for DataPower module provides the reverse proxy component that is
available on ISAM for Web and ISAM for Mobile appliances
ISAM Module (on DataPower Base Appliance)
• Reverse Proxy
IBM Security Access Manager for Mobile
• Context based Access (CBA)
• One-time Password (OTP) / Multi-factor Authentication (MFA)
• Advanced Security
IBM Security Access Manager for Web
• Load Balancer
• Protocol Analysis Module (PAM)
ISAM for Web was formerly known as Tivoli Access Manager for E-Business (TAMeb)
Rapidly Connect Mobile Apps with Enterprise Services
Securely expose enterprise data & APIs to Mobile Apps while optimizing delivery
• SSL Offload
• Threat Protection
• Rate Limiting / SLA Enforcement
• Validation, Filtering
• Authentication
• Authorization
• Context-based Access
• Mobile SSO
• Security Token Translation
• Message Transformation
• Content-Based Routing
• Intelligent Load Distribution
• Response Caching
[Figure: Native, Hybrid and Mobile Web clients reach Apps, Services, Middleware / ESB and Legacy Apps through IBM DataPower Gateway with ISAM Module]
Mobile Gateway solution for on-premise and cloud
Rapidly deliver secure integration & optimized access for enterprise mobile applications
• DataPower appliance with ISAM module for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
• ISAM for Mobile as decision point for context based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)
[Figure: DataPower Gateway with ISAM Module (Security Enforcement Point); ISAM for Mobile (Security Decision Point); Apps, Services, Middleware, z System]
Response Caching Integration with WXS
In addition to support for XC10
[Figure: REST request flow, steps 1 to 5, between Client, DataPower, WebSphere Extreme Scale (WXS) and Provider; callouts: Improve Response Time, Improved Load, Large Response Time]
http://www-01.ibm.com/support/docview.wss?uid=swg21697033
1. Client submits application request.
2. DataPower parses request and queries WXS. On a hit, skip to step 5.
3. On a miss, DataPower forwards request to target Provider.
4. DataPower adds application response to WXS.
5. Client receives response from DataPower.
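The five-step caching flow listed for this slide, as a runnable sketch added here for illustration; it is not code from the deck or from IBM. It is plain JavaScript with an in-memory stand-in for WXS (no GatewayScript or WXS API calls); GridStub, cacheKey, isCacheable, handleRequest and makeProvider are hypothetical names, and scoping the key by caller credential and skipping no-store/private responses are assumed policy choices, not documented DataPower behaviour.

```javascript
// Added illustration: in-memory simulation of the gateway/WXS caching steps.
// Stand-in for the WXS data grid: key -> { response, expiresAt }.
class GridStub {
  constructor() { this.entries = new Map(); }
  get(key, now) {
    const entry = this.entries.get(key);
    if (!entry) return null;
    if (entry.expiresAt <= now) {        // expired entries count as a miss
      this.entries.delete(key);
      return null;
    }
    return entry.response;
  }
  put(key, response, ttlMs, now) {
    this.entries.set(key, { response, expiresAt: now + ttlMs });
  }
}

// The key covers method, path and the caller's credential, so a response
// produced for one authenticated caller is never replayed to another.
// (Assumption: a real deployment would hash the credential before using it.)
function cacheKey(req) {
  const scope = req.headers.authorization || 'anonymous';
  return JSON.stringify([req.method, req.path, scope]);
}

// Only successful GET responses that the provider allows to be stored.
function isCacheable(req, res) {
  const cc = (res.headers['cache-control'] || '').toLowerCase();
  return req.method === 'GET' && res.status === 200 &&
    !cc.includes('no-store') && !cc.includes('private');
}

// Steps 1-5 from the slide. `provider` is a function standing in for the
// back-end service; `opts.now` lets a caller or test control the clock.
function handleRequest(req, grid, provider, opts = {}) {
  const now = opts.now ?? Date.now();
  const ttlMs = opts.ttlMs ?? 30000;
  // Step 1: the client request has arrived at the gateway.
  if (req.method === 'GET') {
    const hit = grid.get(cacheKey(req), now);             // step 2: query grid
    if (hit) return { source: 'cache', response: hit };   // hit: go to step 5
  }
  const res = provider(req);                              // step 3: miss, forward
  if (isCacheable(req, res)) {
    grid.put(cacheKey(req), res, ttlMs, now);             // step 4: add to grid
  }
  return { source: 'provider', response: res };           // step 5: respond
}

// Constructed sample provider: counts calls and marks /accounts/ responses
// as no-store so they must never be cached.
function makeProvider() {
  let calls = 0;
  const fn = (req) => {
    calls += 1;
    const sensitive = req.path.startsWith('/accounts/');
    return {
      status: 200,
      headers: sensitive ? { 'cache-control': 'no-store' } : {},
      body: `${req.path} #${calls}`,
    };
  };
  fn.calls = () => calls;
  return fn;
}
```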
Integration with QRadar Security Intelligence Platform
Enhance security intelligence and compliance through integration with QRadar security information and event management (SIEM) platform
Coming soon: Device Support Module (DSM) for DataPower Gateways to parse event information
[Figure: User, Client, DataPower, Provider and QRadar SIEM]
DataPower on GitHub
• Repository of DataPower related tools & collateral
• Open source
• Community driven: Use, collaborate, contribute
• http://ibm-datapower.github.io/
DataPower Configuration Manager
• Tool for DataPower configuration management & migration
• Standalone command line or IBM UrbanCode Deploy plugin
• https://github.com/ibm-datapower/datapower-configuration-manager
• https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp
DPXMLSH
• Bash script / shell library for working with DataPower’s XML Management interface
• Interactive & scripted use
• https://github.com/ibm-datapower/datapower-xml-shell
Q&A
Getting Social with IBM DataPower Gateways
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation
Available Now: DataPower Handbook, Second Edition, Volume 1
Known as the ‘bible’ of
DataPower planning,
implementation, and
usage.
New content to cover
previous six years of new
products/features,
including 9006/7.1!
Volume 1 consists of
Chap 1 DataPower Intro,
Chap 2 Setup Guide, new
Preface and two
invaluable new
appendices for physical
and virtual appliances.
Available in softcover and e-book formats
Simple Architecture: Purpose-built firmware + hardware
Complete gateway platform delivered as firmware
Guiding philosophy is to centralize common security,
integration, control, traffic management, acceleration
functions and optimize them in a security-hardened
gateway appliance
Simple and Secure Architecture
[Figure: Commodity Gateways compared with Purpose-built Gateways]
Commodity Gateways
• Hardware with display ports, bootable CDROM drive and bootable USB ports
• Full Linux OS (including shells and user accounts)
• Linux daemons, glibc, libxml, JSP engine, JVM, Apache HTTPD, app server, database and proprietary software, with config labels on the individual components
Purpose-built Gateways (DataPower Gateway Platform)
• Hardware with flash memory and crypto acceleration
• IBM Optimized Embedded Operating Environment
• Digitally Signed and Encrypted Firmware
Configuration-driven approach speeds time to market
• Enforce security standards with zero coding
• Uses intuitive pipeline message processing
• Import/export configurations between
environments
• Transaction probe shows message content
between actions for debugging
Single, modular & extensible platform
[Figure: IBM DataPower Gateway (2U Physical, Virtual Edition) with add-on modules: ISAM Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module; callouts: Supports V7.1 & above; All software modules are field upgradeable]
IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
• Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
• Available in physical and virtual form factor
Physical Appliance
• 2U rack mount appliance using latest generation hardware platform
• Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
• Each software module is licensed separately
Virtual Edition
• Three editions: Developer, Non-Production, Production
• Developer includes all software modules at no additional cost, except TIBCO EMS
• Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
• Production: Each software module is licensed separately
Capabilities
Rapidly deliver secure integration & optimized access for a full range of workloads
Secure: Secure & protect your back-end systems from harmful workloads and unauthorized users & apps
Integrate: Convert payloads, bridge transports and connect to existing services at wire-speed
Control: Limit & shape traffic based on service level agreements, and route based on message content
Optimize: Improve response times, reduce load on backend systems and intelligently distribute load
[Figure: Before DataPower Gateway / After DataPower Gateway; labels: Consumer, Secure, Control, Integrate, Optimize]
Connect Mobile Apps with Enterprise Services
Securely expose enterprise systems & APIs to Mobile Apps while optimizing delivery
• SSL Offload
• Threat Protection
• Rate Limiting / SLA Enforcement
• Validation, Filtering
• Authentication, Authorization
• Context-based Access, Mobile SSO
• Security Token Translation
• Message Transformation
• Content-Based Routing
• Intelligent Load Distribution
• Response Caching
DataPower Gateway: Supported standards & protocols
• Data format & language
JavaScript; JSON; JSON Schema; JSONiq; REST; SOAP 1.1, 1.2; WSDL 1.1; XML 1.0; XML Schema 1.0; XPath 1.0; XPath 2.0 (XQuery only); XSLT 1.0; XQuery 1.0
• Security policy enforcement
OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos (including S4U2Self, S4U2Proxy); SPNEGO; RADIUS; RSA SecurID OTP using RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication; Microsoft Active Directory; FIPS 140-2 Level 3 (w/ optional HSM); FIPS 140-2 Level 1 (w/ certified crypto module); SAF & IBM RACF® integration with z/OS; Internet Content Adaptation Protocol; W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
• Transport & connectivity
HTTP, HTTPS, WebSocket Proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition; TIBCO EMS; WebSphere Java Message Service; IBM IMS Connect, & IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
• Transport Layer Security
TLS versions 1.0, 1.1, and 1.2; SSL versions 2 and 3
• Public key infrastructure (PKI)
RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management
Simple Network Management Protocol; SYSLOG; IPv4, IPv6
• Open File Formats
Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); Virtual Machine Disk Format (VMDK); Virtual Hard Disk (VHD)
• Web services
WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management; WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation; Multipurpose Internet Mail Extensions; XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
Over 14 years of innovation & 2000+ global installations
[Figure: IBM DataPower Gateway product timeline, 2000 to 2014; milestones shown: Gigabit/Sec HW Solution; Acquisition; ITCAM for SOA (Transaction Monitoring); Model 7993 (aka 9003); Model 9235 (aka 9004); WebSphere Transformation Extender; XA35; XS40; XI50; XB60; XI50B Blade; XI50z Blade; XG45, XI52 & XB62; WebSphere Appliance Management Center; Optimized Interpreter and Compiler; Optimized Hardware Acceleration; Application Optimization (Self-Balancing & Intelligent Load Distribution); Virtual Edition (VMware); Virtual Edition (PureApplication System); Virtual Edition (for Developers + XenServer); Optimized & secure JavaScript; Multi-channel Gateway; Consolidated Gateway Platform; ISAM Proxy Module]
The adoption of cloud, analytics, mobile, and social computing
is forcing organizations to open IT assets to new business
channels
…and challenging them to rethink the way they have traditionally approached security & control
Between 2005 and 2020, the amount of data in the world will grow 300X, from 130 to 40,000 exabytes.
81% of adults use personally owned mobile devices for conducting business
70% of employees are engaged in social activities both internally and externally
73% of organizations discovered cloud usage outside of IT or security policies