zenterprise hybrid computing with datapower optimization blades
zEnterprise Hybrid computing with DataPower Optimization Blades
Peter Brabec, WebSphere on System z Brand Leader, DataPower Ambassador
Why use an appliance for connectivity?
Purpose-built, fine-tuned consumable hardware platform
Provides high levels of certified security assurance
– FIPS 140-2 Level 3
– Common Criteria EAL4
Achieves fast performance with multiple layers of specialized hardware acceleration
Many functions incorporated in a single device
– Service level management and Policy enforcement
– Dynamic routing and load distribution
– Edge security
– Transport and message transformation
Simplified maintenance model
– Drop-in appliance form-factor
– Push-button flash upgrade process
– Integrates with existing operations
Configuration-driven approach speeds time to market
Enforce security standards with zero coding
Uses intuitive pipeline message processing
Import/export configurations between environments
Transaction probe shows message content between actions for debugging
Different VLAN IDs over a Shared IEDN in the Ensemble: Security
Diagram: Virtual Servers 10A and 10B (VLAN10, VMAC-A/VMAC-B) and Virtual Servers 11C and 11D (VLAN11, VMAC-C/VMAC-D) attach through the Top of Rack switch (trunk mode) to the OSX ports of TCPIP1 (z/OS1, VLAN10, VMAC1) and TCPIP3 (z/OS3, VLAN11, VMAC3).
Build separate security zones with VLANs.
Only nodes that reside in the same VLAN can communicate with each other over the Flat Network.
Extra Security: VLAN ID Enforcement takes place at the TOR and Hypervisor: PR/SM™, z/VM, VSwitch, Blade Hypervisor, OSX.
Legacy Enablement: XML Parsing and Encryption in Application on z/OS
Diagram: Without the blade, the client sends encrypted XML over SOAP/HTTPS straight to the z/OS application, with significant CPU consumption for XML processing. With zEnterprise, the client's encrypted XML over SOAP/HTTPS terminates at DataPower, which forwards SOAP/HTTP with a binary (Cobol) MTOM attachment to z/OS, with reduced CPU consumption for XML processing.
Manage IBM WebSphere DataPower Integration Appliance with zManager
View DataPower firmware entitlement and level
Set up virtual networks (VLANs)
– VLANs provide enforced isolation of network traffic with secure private networks
View DataPower in the context of an ensemble
– Topology view
View BladeCenter and Blade details
Hardware Problem Detection, Reporting and Call Home
Monitor resource usage through Monitors Dashboard (CPU, Memory, Power consumption)
– Power Capping
Emerging Distribution and HA Strategies
Diagram: Clients reach a DataPower tier through Tier 1 distribution options (DataPower Self Balancing, or Sysplex Distributor); the DataPower tier reaches the back ends through Tier 2 distribution options (DataPower ILD, DataPower load distribution, Sysplex Distributor, ODC). Back ends shown: WebSphere on p or x, any service provider on p or x, WebSphere on z/OS or z/Linux, zBX (ASB, SA, SP). Red = Connection distribution; Black = Request distribution. New in 3.8.0.
DB2 Integration (1)
Diagram: The Service Originator sends a SOAP/HTTP service request to DataPower; DataPower queries DB2 over DRDA and forwards the augmented service request over SOAP/HTTP to the Service Provider.
Web service requests are augmented with information from the database (message enrichment)
Supports writing to DB also
– Logging and auditing
Supports DB2, Oracle, Sybase, MSFT
3.7.1 added
– Parameter marking
– Array-based operations
– Perf enhancements
– Stored procedures
– Native XML processing
DB2 Integration (2)
DataPower 3.7.1 provides a standard WS façade to DB2
– Common tool (IBM Data Studio 1.2 – GA in Aug) to generate WSDL and data mapping in both Data Web Services runtime and DataPower
– SOAP call is mapped to an ODBC (DRDA) invocation
Exposes database content (information) as a service
Diagram: The Service Originator sends a DB service request over SOAP/HTTP to the generated service provider façade on DataPower; the generated content transformation (XML to SQL) is applied and the request reaches DB2 over DRDA.
CICS Integration (1)
Web Services Security and Management for CICS Web services
Content-based Message Routing
Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
XML/SOAP Firewall
Data Validation
Field Level Security
XML Web Services Access Control/AAA
Web Services Management
New in 3.8.0: ID propagation
Diagram: The Client sends SOAP/HTTP requests; back ends shown are a WAS+CICS connector and CICS Web Services (SOAP/HTTP).
CICS Integration (2)
Diagram: The Service Originator sends SOAP/HTTP to DataPower; DataPower's embedded MQ client puts Cobol/MQ messages to the MQ Server, and the CICS Bridge (CICSBrdg) delivers them to the CICS application (z Service Provider).
DataPower provides WS-enablement to CICS
Customer codes schema-dependent XSL/FFD/TypeTree (Contivo or WTX) to perform request/response mapping
Requires MQ
– MQ bridge to access CICS
– MQ client capability is embedded in DataPower
CICS Integration (3)
Diagram: The service request arrives at DataPower over SOAP/HTTP; DataPower sends SOAP with a binary (Cobol) MTOM attachment over SOAP/HTTP to CICS Web Services.
DataPower provides WS Security, XDOS to CICS WS back-end
User creates schema-dependent transform to perform request/response mapping
Payload transformation is pushed to DataPower
SOAP Header information required at CICS WS back-end for correct operations, e.g. WS-Atomic Transactions
Smarter Banking Showcase
Diagram: A Web services requester (JAX-WS Web Services, Partner System) sends a long XML message over SOAP/HTTP to WebSphere DataPower XI50 / XI50z, which forwards a short XML message with a binary attachment over SOAP/HTTP to the backend application on z/OS or zLINUX.
1. Data transformation from XML to COMMAREA using WTX
2. Convert message to MTOM/XOP format
Long XML message: >250K in length, >18K elements, e.g.
<tns1:transfer_pd_bd><tns1:pstg_orgnl_amt>50</tns1:pstg_orgnl_amt><tns1:pstg_orgnl_iso4217>GBP</tns1:pstg_orgnl_iso4217><tns1:fee_on_debit_ind>0</tns1:fee_on_debit_ind><tns1:fsre_rfrnc_id></tns1:fsre_rfrnc_id></tns1:transfer_pd_bd>
Short XML message: 1K in length, 1 element, e.g.
<tns:w_comm_i><href="cid:f7269b79-2d87-4687-941d-225829c20246"/></tns:w_comm_i>
Binary attachment: CICS COMMAREA
Chart: CICS TOR CPU (APPL %) at 5 Batch Transfer services per second, TranExtB vs TranExtB-MTOM, split into CICS TOR zAAP % and CICS TOR GCP % (y-axis 0 to 10). Saves MIPs.
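The wire format that step 2 produces, as an added example (not DataPower or WTX code): the SOAP body, the COMMAREA bytes, the MIME boundary and the root Content-ID are constructed here; the attachment Content-ID is the one shown on the slide.

```python
"""MTOM/XOP packaging of a SOAP message carrying a binary CICS COMMAREA.

Added example, not DataPower or WTX code. The SOAP body, COMMAREA bytes,
boundary and root Content-ID are constructed; the attachment cid is the slide's.
"""
XOP_NS = "http://www.w3.org/2004/08/xop/include"
ROOT_CID = "root.message@constructed.example"   # constructed
BOUNDARY = "MIMEBoundary_constructed"           # constructed; must not occur in any payload
CRLF = b"\r\n"

def to_xop(soap_xml: str, binary: bytes, cid: str) -> tuple:
    """Replace the {ATTACHMENT} marker with an xop:Include referencing cid and
    wrap root part + binary part in multipart/related. Returns (Content-Type, body)."""
    include = f'<xop:Include xmlns:xop="{XOP_NS}" href="cid:{cid}"/>'
    root = soap_xml.replace("{ATTACHMENT}", include).encode("utf-8")
    delim = b"--" + BOUNDARY.encode()
    body = (delim + CRLF
            + b'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"' + CRLF
            + b"Content-ID: <" + ROOT_CID.encode() + b">" + CRLF + CRLF + root + CRLF
            + delim + CRLF
            + b"Content-Type: application/octet-stream" + CRLF
            + b"Content-Transfer-Encoding: binary" + CRLF
            + b"Content-ID: <" + cid.encode() + b">" + CRLF + CRLF + binary + CRLF
            + delim + b"--" + CRLF)
    content_type = (f'multipart/related; type="application/xop+xml"; boundary="{BOUNDARY}"; '
                    f'start="<{ROOT_CID}>"; start-info="text/xml"')
    return content_type, body

def from_xop(body: bytes) -> dict:
    """Unpack the package into {content_id: payload}; a receiver resolves each
    cid: href in the root part against this map instead of base64-decoding inline."""
    parts = {}
    for chunk in body.split(b"--" + BOUNDARY.encode())[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter
        headers, _, payload = chunk.lstrip(CRLF).partition(CRLF + CRLF)
        for line in headers.split(CRLF):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-id":
                parts[value.strip().strip(b"<>").decode()] = payload[:-len(CRLF)]
    return parts

# Constructed sample: the slide's short message, a one-element body holding the attachment.
SOAP_SHORT = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
              '<soap:Body><tns:w_comm_i xmlns:tns="urn:constructed:batch">{ATTACHMENT}'
              '</tns:w_comm_i></soap:Body></soap:Envelope>')
COMMAREA = b"\x00\x2aBATCH-TRANSFER\xf0\xf0\xf5\xf0GBP".ljust(64, b"\x40")  # constructed bytes
SLIDE_CID = "f7269b79-2d87-4687-941d-225829c20246"  # Content-ID shown on the slide
```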
Remote SAF Security Integration
Diagram: A client platform running the target application or middleware with an NSS client sends I&A and access-control requests to, and receives responses from, NSS on z/OS, which consults RACF users and resources; the RACF administrator manages RACF, and audit records flow to TSOM.
Request NSS on z/OS to identify and access administrative users and to perform access control operations when access to DataPower resources is requested. GA 3.7.2.
NSS provides remote interface to RACF for I&A, and access control requests. Can request RACF certificate name filtering. z/OS R10.
Why use DataPower with Message Broker?
Message Broker can use the DataPower appliance to handle its WS-Security processing
– Security at the edge of a network (DMZ)
– It's a tamperproof device, so offers a degree of physical security
– Offloads WS-Security processing away from the Message Flow processing
• On platforms such as z/OS, offload reduces TCO by moving WS-Security processing MIPS off the platform, and reduces latency.
DataPower Offload
Offload Web Services security to DataPower
– Single tool and security policy description
– Security best practices
• WS-Security at appropriate point in topology
• Built-in XML threat protection; Hardened device
– Scale as volumes increase
• Enhanced performance with SOA appliance
• Add capacity when necessary
Administration User Experience
– Operational reconfiguration only
– Applications and Message Flows unchanged
– Right click on flow and select “Use DataPower”
• DataPower performs WS-Security processing
• Forwards processed request to MB
Initial focus is on WS-Security processing
– Integral part of MB Explorer V7
– Other functions may follow
Message Broker & DataPower Integration
Use DataPower to perform WS Security processing for Message Broker WS Flows
– Decryption for HTTP and HTTPS Input Nodes
– Encryption for HTTP and HTTPS Reply Nodes
Configures your DataPower appliance from Broker Explorer as a…
– XML firewall within a DMZ
– inbound decryption engine
– outbound encryption engine
– SSL gateway to the broker
Security processing only
– More functionalities will follow
Pre-requisites on your DataPower appliance
The Message Broker user…
– Requires a username, password and domain on their DataPower appliance
– Requires Certificates and Crypto Profiles available on the DataPower appliance in their domain (for SSL, decryption and encryption)
– Does not need to use the DataPower appliance directly at all
• All configuration via the DataPower Security Wizard
DataPower Security Wizard
Interacts with your DataPower appliance
– Retrieves Crypto Profiles for SSL communications
– Retrieves encryption & decryption certificates
Interacts with your Message Broker server
– Retrieves all HTTP & HTTPS Message Flow Input Nodes
DataPower Security Wizard: Policy Sets
A Policy Set is used to configure the WS-Security aspects of your encryption and decryption rules
– Define the WS-Security for your decryption and encryption actions using the Key Information table in your Policy Set Bindings
– Cut down version of the Policy Set Editor available in V6.1
DataPower Firewall created by the Security Wizard
Up to two DataPower Firewalls created
– One Firewall for HTTP Input Nodes
– One Firewall for HTTPS Input Nodes
Front and back HTTP ports set
IP address of the message broker listener is configured
SSL Server Crypto Profile set as specified by the policy
HTTPS Firewall has back (Message Broker) SSL Client Crypto Profile set
DataPower Policy created by the Security Wizard
Each DataPower Firewall has an associated DataPower Policy
Two rules created per HTTP(S) Input Node each with the appropriate Match Rule
– Request Rule (inbound)
– Response Rule (outbound)
Ability to merge rules with existing DataPower Policy and DataPower Firewall
– Rules are added to the DataPower Policy.
– No changes are made to the DataPower Firewall
DataPower/zBX Integration Details
Blade Hardware Management
– Monitoring of HW for health, degraded operation
– Call-home for current/expected problems, automatic dispatch of CSR
– Consolidation/Integration of DP HW problem reporting with other problems reported in zBX
– Energy Monitoring and Management of DP Blades
DP Firmware Load and Update
– Consistent change mgmt with other zGryphon firmware mgmt
– Enforced restriction of firmware updates to SE userid
– Enhanced new firmware level testing in zBX by System z Devt/Product Engineering and built-in restrictions on number of variations supported (test and production variants)
HMC Console Integration
– Person monitoring the z environment from an overall hardware operational perspective will see DP blades included in the picture, with associated status from a single (w/ redundancy) console
– Group GUI operations for functions supported on HMC (e.g. power up/quiesce/upgrade firmware for these 5 DP blades)
– Time synchronization with System z time via HMC/SE time server
Dynamic Load Balancing
– Allows LB decision based on consolidated understanding of load on DP blades as well as associated back-end sub-systems
– via Sysplex Distributor
DP Failure Recovery and Restart
– HMC/SE will detect and report on appliance failures and can be used to re-cycle appliance if DP built-in restart fails
– Periodic Backup/restore of full blade configuration (automatic on changes to config); Backup to HMC media
Networking
– Virtual Network Provisioning – Provides enforced isolation of network traffic via VLAN support
– 10Gb end-to-end network infrastructure
– Built-in network redundancy
– IEDN provides protected network, possibly obviating customer-perceived need for encryption of last-mile flows between DP and target back-end server
Monitoring and Reporting
– Monitoring of DP health via HMC
– Consolidated platform error logging across whole environment
– Products like ITCAM may also monitor the DP blade at a higher level ... but some customers may not have or want ITCAM or equivalent, at least initially, yet still need some monitoring.
System z Integration: Smart SOA connectivity throughout the enterprise
Broad integration with System z
– Connect to existing applications over WebSphere MQ
– Transform XML to/from COBOL Copybook for legacy needs
– Natively communicate with IMS Connect
– Integrate with RACF security from DataPower AAA
– Dynamic crypto material retrieval & caching, or offload crypto ops to z
– Service enable CICS using WebSphere MQ
– Virtualize CICS Web Services
Summary
Purpose-built hardware for simplified deployment and hardened security
Security: VLAN support provides enforced isolation of network traffic with secure private networks.
Improved support: Monitoring of hardware with “call home” for current/expected problems and support by System z Service Support Representative.
System z packaging: Increased quality with pre-testing of blade and zBX. Upgrade history available to ease growth.
Operational controls: Monitoring rolled into System z environment from single console. Consistent change management with Unified Resource Manager.
Protect your data with cryptography and XML threat protection
See: The (XML) threat is out there… by Bill Hines, ibm.com/developerWorks
XML Threat Protection
Use DataPower to help resolve PCI compliance issues
Easily sign, verify, encrypt, decrypt any content
Configurable XML Encryption and Digital Signatures
– Message-level
– Field-level
– Headers
Entity Expansion/Recursion Attacks
Public Key DoS
XML Flood
Resource Hijack
Dictionary Attack
Replay Attack
Message/Data Tampering
Message Snooping
XPath or SQL Injection
XML Encapsulation
XML Virus
…many others
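What structural XML threat protection looks like in code, as an added example (not DataPower's implementation): the checks below stream the document and refuse DTDs, excessive nesting, element floods and oversize messages before any back end parses them. The limit values are constructed, taken from the message sizes quoted on the Smarter Banking slide.

```python
"""Pre-parse XML threat checks: oversize, entity expansion/recursion, XML flood.

Added example, not DataPower code. Limit values are constructed from the
message sizes quoted on the Smarter Banking slide.
"""
import xml.parsers.expat as expat

MAX_BYTES = 250 * 1024   # constructed: the slide's "long XML message" is >250K
MAX_ELEMENTS = 18_000    # constructed: ">18K elements"
MAX_DEPTH = 64           # constructed: nesting bound against recursion attacks

class XmlThreat(Exception):
    """Raised the moment a limit is hit; expat stops parsing at that point."""

def check_xml(data: bytes, max_bytes=MAX_BYTES, max_elements=MAX_ELEMENTS,
              max_depth=MAX_DEPTH) -> dict:
    """Stream the document and enforce the limits incrementally, so a hostile
    document is rejected before it is ever built in memory."""
    if len(data) > max_bytes:
        raise XmlThreat(f"oversize document: {len(data)} bytes")
    stats = {"elements": 0, "max_depth": 0}
    depth = 0
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: internal entities drive expansion attacks,
        # external ones drive resource hijack.
        raise XmlThreat("DOCTYPE declaration refused")
    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise XmlThreat(f"nesting depth {depth} exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise XmlThreat(f"element count exceeds {max_elements} (XML flood)")
    def on_end(name):
        nonlocal depth
        depth -= 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XmlThreat(f"malformed XML: {exc}") from None
    return stats

def verdict(data: bytes, **limits) -> str:
    """Accept/reject line for the firewall log: the reason names the policy
    violation, never the message content."""
    try:
        stats = check_xml(data, **limits)
    except XmlThreat as exc:
        return f"rejected: {exc}"
    return f"accepted: {stats['elements']} elements, depth {stats['max_depth']}"

# The transfer fragment shown on the Smarter Banking slide, used as a clean sample.
SAMPLE_OK = (b"<tns1:transfer_pd_bd><tns1:pstg_orgnl_amt>50</tns1:pstg_orgnl_amt>"
             b"<tns1:pstg_orgnl_iso4217>GBP</tns1:pstg_orgnl_iso4217>"
             b"<tns1:fee_on_debit_ind>0</tns1:fee_on_debit_ind>"
             b"<tns1:fsre_rfrnc_id></tns1:fsre_rfrnc_id></tns1:transfer_pd_bd>")
```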
AAA
Employ flexible AAA (Authenticate, Authorize, Audit) Policies
Diagram: AAA policy pipeline from input to output, backed by an External Access Control Server or Onboard Identity Management Store.
Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
Authenticate: LDAP, System z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
Map Identity, Map Resource
Authorize: LDAP, Active Directory, System z NSS, Tivoli Access Manager, SAML, XACML, Custom
Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
Access heterogeneous systems with transport and payload transformations
Integrate disparate transport protocols with extreme ease
– No dependencies between inbound “front-side” and outbound “back-side”
– Examples: HTTP(s), WebSphere MQ, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
Transform the message format with ultimate flexibility
– Process XML and Non-XML formats in a single configuration
– Leverage WebSphere Transformation Extender for data mapping
Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns
Diagram: formats and systems bridged include SOAP/XML, COBOL, CSV, CICS, binary, IMS, DB2, MQ, WebSphere….
Efficiently leverage your assets with content-based routing
Dynamically route based on any message content
– Attributes such as the originating IP, requested URL, protocol headers, etc.
– Data within the message such as SOAP Headers, XML, Non-XML content, etc.
Query WebSphere Service Registry & Repository for routing information
– Or, use simple XML files
– Databases
– Web servers
Deploy changes to your routing policy with no downtime
Convert transport protocol using a simple routing change
Shape your traffic with Service Level Management and Load Balancing
Use Service Level Management (SLM) to protect your applications from over-utilization
– Frequency based on concurrency OR based on messages per time period
– Take action when exceeding a custom threshold:
• Notify (or log)
• Shape (or delay)
• Throttle (or reject)
Combine SLM with Routing to make intelligent failover decisions
– Use alternate servers when a threshold is exceeded
Advanced Load Balancing algorithms simplify your architecture
– First Available
– (Weighted) Round Robin
– (Weighted) Least Connections
– Hash
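The SLM decision described above (threshold by concurrency or by messages per time period, then notify, shape or throttle), worked through as an added example that is not DataPower's implementation; the class name, the interval and threshold values are constructed.

```python
"""Service Level Management: a threshold on messages per time period or on
concurrency, with the slide's three actions when it is exceeded.

Added example, not DataPower code; interval/threshold values are constructed.
"""
from collections import deque
from typing import Optional

class SlmPolicy:
    def __init__(self, threshold: int, interval_s: Optional[float] = None,
                 action: str = "throttle"):
        # interval_s=None selects concurrency mode: threshold = max in-flight requests.
        if action not in ("notify", "shape", "throttle"):
            raise ValueError(f"unknown action {action!r}")
        if action == "shape" and interval_s is None:
            raise ValueError("shape needs a time window to compute the delay")
        self.threshold, self.interval_s, self.action = threshold, interval_s, action
        self._window = deque()   # admission times inside the current interval
        self._inflight = 0
        self.violations = 0      # what a notify/log action reports on

    def admit(self, now: float) -> tuple:
        """Return (decision, delay_s): 'accept' forwards the message; 'notify'
        forwards it and logs the violation; 'shape' forwards it after delay_s;
        'throttle' rejects it."""
        if self.interval_s is None:
            over = self._inflight >= self.threshold
        else:
            while self._window and now - self._window[0] >= self.interval_s:
                self._window.popleft()               # slots that aged out of the window
            over = len(self._window) >= self.threshold
        if not over:
            self._count(now)
            return "accept", 0.0
        self.violations += 1
        if self.action == "throttle":
            return "throttle", 0.0
        if self.action == "shape":
            delay = self.interval_s - (now - self._window[0])  # when the oldest slot frees
            self._count(now + delay)
            return "shape", delay
        self._count(now)
        return "notify", 0.0

    def release(self) -> None:
        """Completion of an in-flight request (concurrency mode)."""
        self._inflight = max(0, self._inflight - 1)

    def _count(self, at: float) -> None:
        if self.interval_s is None:
            self._inflight += 1
        else:
            self._window.append(at)

def run(policy: SlmPolicy, arrivals) -> list:
    """Apply the policy to a sequence of arrival times and return the decisions."""
    return [policy.admit(t)[0] for t in arrivals]
```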
Consolidate your infrastructure with Application Optimization
Use Self-Balancing technology to spread inbound traffic load across multiple DataPower appliances using a single target
– Eliminates the need for additional physical Load Balancers
– Efficiently distributes traffic with minimal overhead
Use Intelligent Load Distribution to optimize outbound traffic across multiple destinations
– Supports dynamic WebSphere cell interrogation
– Automatically updates targets and weights
Use Session Affinity to preserve target session state across multiple requests
– Supports WebSphere and Non-WebSphere targets
Use Self Balancing for high availability and capacity scaling
Configure the appliances to share a single IP address
Leverages proven, world-class IBM technology (e.g., Sysplex Distributor)
Eliminates dependency on separate load balancers
Built for automatic failover
Provide application-aware Intelligent Load Distribution
Auto-discovers application targets using dynamic feedback mechanism
Uses intelligent weighted distribution algorithms based on current server load
Provides several options for enabling session affinity
Combine with traditional DataPower load balancing options for flexibility