IBM Software Group DataPower Introduction

watermelonroachdale | Internet and Web Applications

30 Jul 2012

Patricia Pettersson
WebSphere Technical Sales, IBM Software Group

DataPower SOA Appliance

DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, and dedicated SOA Appliances that simplify and combine superior performance, hardened security, and integration for SOA implementations.

An SOA Appliance…
- Simplifies SOA and accelerates time to value
- Helps secure SOA XML implementations
- Governs and enforces SOA/Web Services policies
- Creates customer value through extreme SOA performance, connectivity, and security

Why an Appliance for SOA?

- Addresses the divergent needs of different groups
  - Enterprise architects, network operations, security operations, web services developers
- Simplified deployment and ongoing management
  - Drop-in appliance, secures traffic in minutes, integrates with existing operations
- Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
- Many functions in a single device
  - Service level management, dynamic routing, policy enforcement, transformation
- Higher levels of security assurance certification
  - FIPS 140-2 Level 3 (with the optional HSM), Common Criteria EAL4
- Higher performance with hardware acceleration facilitates security enforcement

What is DataPower?

- Provides the flexibility of software in a hardware footprint
- Is quick to deploy
  - Configuration, NOT coding or programming
  - Typically takes days to integrate, NOT weeks or months
- Is a 1U 19" rack-mounted appliance
  - Looks like a router
- Has minimal components and no general-purpose software stack, so the attack surface is small
  - Fewer attack points to defend and patch
- DataPower is undergoing accreditation to Common Criteria EAL4
  - A globally recognised evaluation by an impartial third party that verifies the security claims made by IBM

What Does DataPower Address?

- XML is the language of Web Services and SOA
  - XML is pervasive: in a matter of years it will fuel every application, device, and document found in enterprise networks
- XML challenges
  - XML is very verbose and bandwidth intensive, with a direct impact on application server performance
  - XML processing requires significant processor cycles and memory resources
  - XML is effectively human-readable text: it has no native security mechanisms, so an unprotected message is readily understood and vulnerable to interception
  - Security can be implemented on the application server, but that is additional XML processing and adds to the performance problem
- SOA is not just Web Services and XML
  - Customers need to integrate existing legacy systems, messaging formats and protocols into the SOA architecture
  - The ability to transform legacy formats to and from XML is needed

What Does DataPower Address?

- XML performance. How? By offloading XML processing from the application server to DataPower's optimised hardware, greatly reducing the required number of application servers
- XML security. How? By offloading XML security to DataPower, which provides standards-based security (WS-Security)
- Integrating XML and legacy systems. How? By using DataPower to transform XML to legacy message formats and protocols, e.g.
  - XML <-> COBOL Copybook (brings a mainframe into the SOA architecture)
  - XML -> HTML (renders HTML content to a portal very rapidly)
  - XML <-> MQ messaging
- All of this is done at wire speed

WebSphere DataPower SOA Appliance Product Line

- XA35 (XML Accelerator)
  - Offload XML processing
  - No more hand-optimizing XML
  - Lowers development costs
- XI50 (Integration Appliance)
  - Hardware ESB
  - "Any-to-Any" conversion at wire-speed
  - Bridges multiple protocols
  - Integrated message-level security
- XS40 (XML Security Gateway)
  - Enhanced security capabilities
  - Centralized policy enforcement
  - Fine-grained authorization
  - Rich authentication
- XB60 (B2B Appliance)
  - B2B messaging (AS2/AS3)
  - Trading partner profile management
  - B2B transaction viewer
  - Unparalleled performance
  - Simplified management and configuration
- XM70 (Low-Latency Appliance)
  - High volume, low latency messaging
  - Enhanced QoS and performance
  - Simplified, configuration-driven approach to LLM
  - Publish/subscribe messaging
  - High availability

WebSphere DataPower Basic Use Cases

(Diagram: consumers on the Internet and in the trusted domain reach applications and System z through a DataPower appliance in the DMZ. Numbered use cases:)
1. B2B Gateway
2. Secure Gateway (Web Services, Web Applications)
3. Low Latency Gateway
4. Internal Security
5. Enterprise Service Bus
6. Web Service Management
7. Legacy Integration
8. XML Acceleration

XML Accelerator XA35

Purpose-built hardware for presentation-tier transformation

- XML pipeline processing accelerates XML/XSLT/XPath evaluation, increasing throughput and decreasing latency by offloading XML operations to the network
- Innovative drag-and-drop policy editor accelerates time to value and simplifies configuration and deployment
- Logical application domains allow individual "sandboxes" and facilitate configuration management through import/export features
- Multiple management interfaces serve the varying needs of an organization, including browser-based WebGUI, command-line CLI, and scriptable Web Services
- "The Original" DataPower XML appliance
  - Defines the high-performance architecture for all DataPower SOA appliances
  - Processes XML operations at "wire-speed"
  - Ideal in an XSL-intensive HTTP presentation tier

XML Security Gateway XS40

Purpose-built hardware for assuring confidentiality, authenticity, and non-repudiation

- Native support for WS-Security policy enforcement
- Hardened hardware design
- Integrates with a variety of authentication and authorization systems for real-time protection
- Ideal as a front-line DMZ or internal security gateway
- XML/SOAP firewall capabilities enable Layer 7 filtering on any content, metadata or network variable in a message
- Web Application Firewall service offers additional security, threat mediation, and content processing for other URL-encoded HTTP-based applications
- Easily configurable field-level security options allow flexible enforcement of confidentiality, authenticity, and non-repudiation requirements
- Low-latency architecture leverages hardware acceleration for cryptographic operations

Hardware Device for Improved Security

- Sealed network-resident appliance
  - Optimized hardware, firmware, embedded OS
  - Single signed/encrypted firmware upgrade only
  - No arbitrary software
- High assurance, "default off" locked-down configuration
  - Security vulnerabilities minimized (few 3rd-party components)
  - Hardware storage of encryption keys, locked audit log
  - No USB ports, tamper-proof case
- Third-party certification
  - FIPS 140-2 Level 3 HSM (option)
  - Common Criteria EAL4

"The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed… " - InfoWorld

XML security threats are growing; DataPower provides hardened real-time protection

- XML Entity Expansion and Recursion Attacks
- XML Document Size Attacks
- XML Document Width Attacks
- XML Document Depth Attacks
- XML Well-formedness-based Parser Attacks
- Jumbo Payloads
- Recursive Elements
- MegaTags (aka Jumbo Tag Names)
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Message Tampering
- Data Tampering
- Message Snooping
- XPath Injection
- SQL Injection
- WSDL Enumeration
- Routing Detour
- Schema Poisoning
- Malicious Morphing
- Malicious Include (also called XML External Entity (XXE) Attack)
- Memory Space Breach
- XML Encapsulation
- XML Virus
- Falsified Message
- Replay Attack
- …others
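As an added example (not part of the original deck, and not DataPower's own code), the following Python guard enforces the parser-side limits behind the first part of that list: document size, depth, width, jumbo tag names, element count, entity expansion and external entities (XXE), and well-formedness. It uses only the standard-library expat parser. The numeric limits and the sample payloads are assumptions constructed for illustration, not DataPower defaults.

```python
import xml.parsers.expat


class XmlThreatRejected(Exception):
    """Raised when a message violates one of the guard limits."""


# Illustrative limits (assumptions for this example, not DataPower defaults).
MAX_BYTES = 64 * 1024   # jumbo payload / document size attack
MAX_DEPTH = 32          # document depth attack
MAX_WIDTH = 1000        # document width attack: children per element
MAX_NAME = 256          # megatag / jumbo tag name
MAX_ELEMENTS = 10_000   # recursive elements / XML flood within one message


def guard_xml(data: bytes) -> dict:
    """Parse once with limits enforced; return stats or raise XmlThreatRejected."""
    if len(data) > MAX_BYTES:
        raise XmlThreatRejected(f"document size {len(data)} exceeds {MAX_BYTES} bytes")
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    stack = []  # one child counter per currently open element

    def reject(reason):
        raise XmlThreatRejected(reason)

    def start_element(name, attrs):
        if len(name) > MAX_NAME:
            reject(f"tag name longer than {MAX_NAME} characters")
        stats["elements"] += 1
        if stats["elements"] > MAX_ELEMENTS:
            reject(f"more than {MAX_ELEMENTS} elements")
        if stack:
            stack[-1] += 1
            if stack[-1] > MAX_WIDTH:
                reject(f"element width exceeds {MAX_WIDTH}")
        stack.append(0)
        stats["max_depth"] = max(stats["max_depth"], len(stack))
        if len(stack) > MAX_DEPTH:
            reject(f"nesting depth exceeds {MAX_DEPTH}")

    def end_element(name):
        stack.pop()

    def entity_decl(*args):
        # Any entity declaration (internal or external) is refused outright:
        # this stops billion-laughs expansion and XXE before anything expands.
        reject("entity declarations are not allowed")

    def external_entity(context, base, system_id, public_id):
        reject("external entity reference blocked")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        raise XmlThreatRejected(f"malformed XML: {err}") from err
    return stats


def check(data: bytes):
    """Convenience wrapper returning (accepted, stats-or-reason)."""
    try:
        return True, guard_xml(data)
    except XmlThreatRejected as err:
        return False, str(err)


# Constructed sample payloads, one per threat class.
SAMPLES = {
    "benign": (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body></soap:Envelope>'),
    "billion_laughs": (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                       b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>'),
    "xxe": b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
    "deep": b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1),
    "wide": b"<r>" + b"<c/>" * (MAX_WIDTH + 1) + b"</r>",
    "megatag": b"<" + b"a" * (MAX_NAME + 1) + b"/>",
    "jumbo": b"<r>" + b"x" * MAX_BYTES + b"</r>",
    "malformed": b"<a><b></a>",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} -> {check(payload)}")
```

The guard should run on the raw bytes before any XSLT, AAA or routing step touches the message: a DOM built later in the flow would otherwise expand internal entities itself, and the size check has to happen before the bytes are buffered into a tree.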

Gartner: Web Services Security Best Practices

"Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware." -- John Pescatore, Gartner

- Build Expertise / Design From Strength
  - Educate business leaders
  - Build centralized infrastructure
  - SSL is key
  - Use management/security platforms
  - Manage your identities
  - You may need PKI
- Trust (Really) Your Partners
  - Use OTS Web Services with caution
  - Monitor and control
- Provide System Security
  - Inspect ALL traffic
  - Transform all messages
  - Mask internal resources
  - Implement XML filtering
  - Secure logging
  - Protect against XML DoS
  - Require good authentication mechanisms
- Provide Message Security
  - Sign all messages
  - Validate messages (inbound + outbound)
  - Time-stamp all messages
- Ask for Compatibility
  - SSL MA (mutual authentication), SAML, X.509
  - WS-Security
  - WS-* extensions


Access Control Integration Framework (AAA)

Authenticate, Authorize, Audit

(Diagram: each input message flows through Extract Identity and Extract Resource, then Map Credentials and Map Resource, then Authenticate and Authorize against an external access control server or the onboard identity management store, then Audit & Accounting, producing the output message.)

- Identity and resource extraction from: transport headers, URL, SOAP method, XPath, WS-Security, SAML, X.509, Kerberos, proprietary tokens
- Authentication backends: LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, proprietary
- Authorization backends: LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, RACF
- Post-processing on the output side: SAML assertion, credential mediation, IDS integration, monitoring
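The pipeline above, as an added Python example (not from the deck and not DataPower's AAA implementation): identity is extracted from a WS-Security UsernameToken or, failing that, from an HTTP Basic transport header; the resource is the service name from the URL plus the SOAP method; credentials are mapped to groups by an onboard store; an ACL authorizes the mapped credential against the mapped resource; and every decision, including refusals, is written to an audit list. The user store, ACL, namespaces and SOAP messages are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Onboard identity store (assumed): salted password hashes plus group membership.
USERS = {
    "alice": {"salt": b"salt-a", "hash": _pw_hash("correct horse", b"salt-a"), "groups": {"traders"}},
    "bob": {"salt": b"salt-b", "hash": _pw_hash("battery staple", b"salt-b"), "groups": {"analysts"}},
}
# Mapped resource (service from URL, SOAP operation) -> groups allowed (assumed ACL).
ACL = {("quote", "getQuote"): {"traders", "analysts"},
       ("quote", "placeOrder"): {"traders"}}


class AaaPolicy:
    def __init__(self):
        self.audit = []  # Audit & Accounting: one record per decision

    @staticmethod
    def extract_identity(headers, root):
        """WS-Security UsernameToken first, then HTTP Basic from the transport headers."""
        tok = root.find(f".//{{{WSSE_NS}}}UsernameToken")
        if tok is not None:
            return tok.findtext(f"{{{WSSE_NS}}}Username"), tok.findtext(f"{{{WSSE_NS}}}Password")
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            return user, pw
        return None, None

    @staticmethod
    def extract_resource(url, root):
        """Resource = last URL path segment + SOAP method (first child of soap:Body)."""
        body = root.find(f"{{{SOAP_NS}}}Body")
        op = next(iter(body), None) if body is not None else None
        if op is None:
            return None
        return url.strip("/").split("/")[-1], op.tag.split("}")[-1]

    @staticmethod
    def authenticate(user, password):
        """Return the mapped credential (group set) on success, else None."""
        rec = USERS.get(user)
        if rec is None or password is None:
            return None
        if hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"]):
            return rec["groups"]
        return None

    def process(self, headers, url, message):
        try:
            root = ET.fromstring(message)
        except ET.ParseError:
            return self._decide(None, None, False, "malformed message")
        user, password = self.extract_identity(headers, root)
        resource = self.extract_resource(url, root)
        if user is None:
            return self._decide(user, resource, False, "no identity")
        groups = self.authenticate(user, password)
        if groups is None:
            return self._decide(user, resource, False, "authentication failed")
        if resource is None or not (groups & ACL.get(resource, set())):
            return self._decide(user, resource, False, "not authorized")
        return self._decide(user, resource, True, "ok")

    def _decide(self, user, resource, allowed, reason):
        self.audit.append({"user": user, "resource": resource, "allowed": allowed, "reason": reason})
        return allowed, reason


def soap_request(operation, username=None, password=None):
    """Constructed sample SOAP message, optionally carrying a WS-Security UsernameToken."""
    sec = ""
    if username:
        sec = (f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
               f'<wsse:Username>{username}</wsse:Username><wsse:Password>{password}</wsse:Password>'
               f'</wsse:UsernameToken></wsse:Security>')
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>{sec}</soap:Header>'
            f'<soap:Body><{operation} xmlns="urn:example:quote"><symbol>IBM</symbol>'
            f'</{operation}></soap:Body></soap:Envelope>')


BASIC_OK = {"Authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode()}

if __name__ == "__main__":
    policy = AaaPolicy()
    print(policy.process({}, "/services/quote", soap_request("getQuote", "alice", "correct horse")))
    print(policy.process({}, "/services/quote", soap_request("placeOrder", "bob", "battery staple")))
    print(policy.process(BASIC_OK, "/services/quote", soap_request("getQuote")))
    print(policy.audit)
```

Two points worth noticing: the resource is derived from both the URL and the SOAP method, so a client cannot reach `placeOrder` by posting it to a URL whose ACL is looser, and refused requests are audited with the same record shape as allowed ones, which is what an IDS or billing subscriber on the output side would consume.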

Web Application Firewall

- URL-encoded HTTP application protection in addition to XML Web Services firewall security
- Protection for static or dynamic HTML-based applications
- Supports browser-based clients and HTTP/HTTPS backend servers
- Wizard-driven configuration
- Cross-site scripting and SQL injection protection
- AAA framework support for web applications
- General name-value criteria boundary profiles for:
  - Query string and form parameters
  - HTTP headers
  - Cookies
- HTML input conversion maps for form processing and handling
- Cookie watermarking (sign and/or encrypt)
- Rate limiting and traffic throttling/shaping
- HTTP header stripping, injection and rewriting
- HTTP protocol and method filtering
- Content-type filtering
- Dynamic routing and load balancing
- Session handling policies
- SSL acceleration & termination (link)
- XML and non-XML processing policies
- Customizable error handling
Integration Appliance XI50

Purpose-built hardware for Enterprise Service Bus functionality

- Web Service virtualization for legacy applications
- Enforce high levels of security independent of protocol or payload format
- Integrate with enterprise monitoring systems
- Service level management options to shape traffic
- Advanced protocol bridging seamlessly supports a wide array of transports, including HTTP, WebSphere MQ, WebSphere JMS, Tibco EMS, FTP, NFS
- Any-to-any "DataGlue" engine supports XML and non-XML (binary) payloads, promoting asset reuse and enabling integration without coding
- Direct database access enables message enrichment and data-as-a-service messaging patterns (DB2, Oracle, MS-SQL, Sybase)
- High-performance architecture creates a low-cost, easily scalable ESB solution for Smart SOA needs

The ESB Cost Explosion - background

(Diagram: internal trusted networks behind the DMZ, with intranet, Internet and wireless portals, Internet and wireless access, business partners, directory/IDM, logging, monitoring/management, midrange DB2 and IMS, System z, SCM, CRM, W2K and Unix systems all attached to the ESB.)

In medium to large organizations running significant transaction volumes, the footprint of their ESB becomes very large and expensive, very quickly.

A significant and growing problem with bus installations around the world.

The ESB Cost Explosion

Root causes

1. The resource requirements of today's services (mostly XML-based)
   - Software mediation solutions written on general-purpose platforms require shocking amounts of CPU and memory to process messages and perform the basic bus functions: message parsing and interpretation, message transformation, message routing
2. The minimal headroom purchased because of HA requirements
   - Companies quickly use up the extra capacity purchased initially in order to maintain high availability for this critical part of their network
   - Nevertheless the problem is often still hidden by the HA deployment initially
   - Companies are often taken by surprise by how quickly they "hit the wall"

It doesn't take much! At somewhere between 20-60 TPS the infrastructure needs to be at least doubled; you don't have to be an F500 company to get hit.

The ESB Cost Explosion - Solution

The DataPower module, deployed in an Architected ESB Federation pattern, is designed to bring the "commodity" work of an ESB to the network layer.

SOA Network Infrastructure: history tells us that selecting universal, repetitive functions and moving them to purpose-built appliances reduces solution costs, both in terms of increased performance / reduced processing costs, and reduced complexity of deployment (network devices are configured, not coded).

Processing rule actions for ESB

Programmer-friendly functions within the purely configuration-driven message flow:
- Wait
- Fan-out (fan-in)
- Notification (fire and forget)
- Composition

(Diagram: the actions bridging MQ, JMS, HTTP and FTP endpoints on the front and back sides.)

Content-based Routing

Select destination based on transaction metadata

- Dynamically determine the route from transaction context and/or message content
  - Analyze originating URL, protocol headers, transaction attributes, etc.
  - Analyze legacy or XML content
- Leverage a routing table for real-time decisions
  - Quickly deploy routing changes, including protocol conversions
- Retrieve routing information from other systems
  - E.g., databases, web servers, file servers, etc.

(Diagram: unclassified requests dispatched to the appropriate service providers.)
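A routing table of the kind described above, as an added Python example (not from the deck and not DataPower's routing configuration): entries are evaluated in order and may match on the originating URL, on protocol header values, and on an XPath over the SOAP body, with a default route when nothing matches. The service namespace, destinations and sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_NS, "q": "urn:example:quote"}  # assumed service namespace

# Routing table (assumed): first matching entry wins. Each entry may require a URL
# prefix, exact header values, and an XPath that must select something.
ROUTES = [
    {"name": "premium", "url": "/services/quote", "headers": {"X-Client-Tier": "gold"},
     "xpath": None, "dest": "https://quote-premium.internal:8443/"},
    {"name": "orders", "url": "/services/quote", "headers": {},
     "xpath": "soap:Body/q:placeOrder", "dest": "mq://ORDERS.REQUEST"},
    {"name": "ibm-desk", "url": "/services/quote", "headers": {},
     "xpath": "soap:Body/q:getQuote[q:symbol='IBM']", "dest": "https://quote-a.internal/"},
]
DEFAULT_ROUTE = ("default", "https://quote-b.internal/")


def route(url, headers, message):
    """Return (route name, destination) for a request, or the default route."""
    root = ET.fromstring(message)
    for entry in ROUTES:
        if not url.startswith(entry["url"]):
            continue
        if any(headers.get(h) != v for h, v in entry["headers"].items()):
            continue
        if entry["xpath"] and root.find(entry["xpath"], NS) is None:
            continue
        return entry["name"], entry["dest"]
    return DEFAULT_ROUTE


def soap_request(operation, symbol):
    """Constructed sample SOAP message for the assumed quote service."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<q:{operation} xmlns:q="urn:example:quote"><q:symbol>{symbol}</q:symbol>'
            f'</q:{operation}></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    print(route("/services/quote", {"X-Client-Tier": "gold"}, soap_request("getQuote", "XYZ")))
    print(route("/services/quote", {}, soap_request("placeOrder", "IBM")))
    print(route("/services/quote", {}, soap_request("getQuote", "IBM")))
    print(route("/services/quote", {}, soap_request("getQuote", "XYZ")))
```

Because the XPath is evaluated against the parsed body rather than a string match on the payload, a request cannot be steered to the order queue by merely mentioning `placeOrder` in a text field; a routing detour still needs the header or content the entry demands, so header-based entries should only trust headers the gateway itself sets after authentication.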

Protocol Mediation

Independently bridge inbound and outbound protocols

- First-class support for message and transport protocol bridging
- Protocol mediation with simple configuration: HTTP, MQ, WebSphere JMS, FTP, Tibco EMS
- Request-response and sync-async matching
- Configurable for fully guaranteed, once-and-only-once delivery

Transports: HTTP(S), FTP(S), SFTP, WebSphere MQ, WebSphere JMS, database (DB2, SQL Server, Oracle, Sybase), 3rd-party messaging, IMS, NFS

Web Services Management

Service Level Management protects application resources

- Defined as an action in the policy pipeline
- Configure policies based on:
  - Any parameter: WSDL; service endpoint; operation; credential
  - Request; response; fault; XPath
- Enforce the same thresholds across a pool of devices
- Configure service level to trigger an action:
  - Notify (alert)
  - Shape (slow down)
  - Throttle (reject)
- Supports WSDM and other Web services management standards
- Allows subscription to SLM for alerts, logging, etc.
- Notify other applications such as billing, audit, etc.
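The three-tier response described above (notify, then shape, then throttle) as an added Python example, not from the deck and not DataPower's SLM action: a sliding-window counter per policy key, where the key is the credential and operation the request was mapped to, escalates through the thresholds and records notify events for an alerting subscriber. Window size, thresholds and the shaping delay are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class ServiceLevelMonitor:
    """Sliding-window request counter per key with notify / shape / throttle thresholds.

    Thresholds are requests per window. "shape" returns a delay the gateway should
    apply before forwarding; "throttle" means reject the request outright.
    """

    def __init__(self, window_s, notify, shape, throttle, shape_step_s=0.05):
        assert notify <= shape <= throttle
        self.window_s = window_s
        self.notify, self.shape, self.throttle = notify, shape, throttle
        self.shape_step_s = shape_step_s
        self.history = defaultdict(deque)  # key -> request timestamps inside the window
        self.alerts = []                   # notify events for an alerting/billing subscriber

    def decide(self, key, now):
        """Record one request at time `now` and return (action, delay_seconds)."""
        q = self.history[key]
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        q.append(now)
        count = len(q)
        if count > self.throttle:
            return "throttle", 0.0
        if count > self.shape:
            # Delay grows with the overshoot so a burst is spread across the window.
            return "shape", (count - self.shape) * self.shape_step_s
        if count > self.notify:
            self.alerts.append((key, now, count))
            return "notify", 0.0
        return "allow", 0.0


def slm_key(credential, operation):
    """Policy key: the authenticated credential and the WSDL operation it invokes."""
    return f"{credential}:{operation}"


if __name__ == "__main__":
    slm = ServiceLevelMonitor(window_s=1.0, notify=3, shape=5, throttle=8)
    key = slm_key("alice", "getQuote")
    for i in range(10):  # constructed burst: ten requests within one second
        print(i + 1, slm.decide(key, 0.1 * i))
    print("after the window:", slm.decide(key, 5.0))
```

Keying on the mapped credential rather than the source address is what lets one tenant's burst be shaped without affecting others behind the same NAT; the same structure keyed on (operation) alone protects a backend regardless of who is calling.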

System z Integration

Broad integration with System z
- Connect to existing applications over WebSphere MQ
- Transform XML to/from COBOL Copybook for legacy needs
- Natively communicate with IMS Connect
- Integrate with RACF security from DataPower AAA
- Service-enable CICS using WebSphere MQ
- Virtualize CICS Web Services

Business to Business (B2B) Appliance XB60

Purpose-built B2B hardware for simplified deployment, exceptional performance and hardened security

- Extend integration beyond the enterprise with B2B
  - Hardened security for DMZ deployments
  - Easily manage and connect to trading partners using industry standards
  - Simplified deployment and ongoing management
- Trading Partner Management for B2B governance; B2B protocol policy enforcement, access control, message filtering, and data security
- Application integration with standalone B2B Gateway capabilities supporting B2B patterns for AS2, AS3 and Web Services
- Full-featured user interface for B2B configuration and transaction viewing; correlates documents and acknowledgments, displaying all associated events
- Simplified deployment, configuration and management providing a quicker time to value by establishing rapid connectivity to trading partners

DataPower B2B Appliance XB60 - B2B Components

The DataPower B2B Appliance extends your ESB beyond the enterprise by supporting the following B2B functionality:

- B2B Gateway Service
  - AS2 and AS3 packaging/unpackaging
  - EDI, XML and binary payload routing
  - Front side protocol handlers
  - Trading partner profile management
  - Multiple destinations (back side protocol handlers)
  - Certificate management (security)
  - Hard drive archive/purge policy
- B2B Viewer
  - B2B transaction viewing
  - Transaction resend capabilities
  - Acknowledgement correlation
  - Transaction event correlation
  - Role-based access
- Persistent Storage
  - Encrypted with a box-specific key
  - B2B document storage
- Transaction Store
  - B2B metadata storage
  - B2B state management

(Diagram: front side handlers for partner connections and for integration feed the B2B Gateway Service on the XB60, which routes to external and internal partner destinations and writes to the Transaction Store and Persistent Storage; the B2B Viewer reads both.)
Low-Latency Appliance XM70

Purpose-built hardware for low-latency, network-based messaging and data feed processing

- Drop-in messaging solution which plugs into existing network infrastructure
- Enhanced QoS and performance with purpose-built hardware
- Simplified, configuration-driven approach to low-latency, publish/subscribe messaging and content-based routing
- High availability out of the box (two or more appliances)
- Optimized to bridge between leading standard messaging protocols such as MQ, Tibco, WebSphere JMS and HTTP(S)
- Low-latency unicast and multicast messaging, scaling to 1M messages / sec with microsecond latency
- Destination, property and content-based routing, including native XML and FIX parsers
- Simplified deployment, configuration and management providing a quicker time to value by rapidly configuring messaging destinations, connectivity and routing

Configuration & Administration

Fits into existing environments

- Multiple administration consoles, with 100% of functions available in every console
  - WebGUI
  - CLI: familiar to network operators
  - SOAP interface: programmatic access to all configuration for easy scripting
- IDE integration
  - Eclipse/Rational Application Developer
  - Altova XML Spy
- WAS 7 Admin Console for multi-box management
- Easy export/import for configuration promotion
- Standard operational interfaces
  - SNMP, syslog, etc.
- Industry-leading integration support across IBM and 3rd-party application, security, identity management, and networking infrastructure

(Diagram: an XI50 managed over SNMP.)

IBM SOA Appliance Deployment Summary

(Diagram: Internet -> IP firewall -> web tier -> security tier -> integration & management tiers. The XA35 in the web tier applies XSL to XML and emits XML, HTML or WML for a client or server. The XS40 in the security tier handles HTTP XML requests and responses from a Web Services client, integrated with Tivoli Access Manager and Federated Identity Manager. The XI50 in the integration tier bridges legacy requests and responses between the application server and the MQ server. Other elements shown: WebSphere App Server, web server, MQ Server, Nortel L7 module, Tivoli NetView, ITCAM for SOA.)

IBM SOA Appliance Deployment continued

(Diagram, Business to Business (B2B): trading partners on the Internet exchange AS2 messages and AS2 MDNs with an XB60 in the DMZ between two firewalls; behind the inner firewall the XB60 passes XML/EDI/binary payloads over AS2, AS3, HTTP, FTP, Web Services or MQ to an application server and a Trading Manager for EDI processing, alongside ITCAM for SOA and WSRR.)

(Diagram, Low Latency Messaging (LLM): MQ/TIBCO transmitters feed an XM70, which distributes to receivers over RUM (unicast) and RMM (multicast).)
Summary

IBM Specialized Hardware for Smart SOA Connectivity
- Hardened, specialized product for helping integrate, secure & accelerate SOA
- Many functions integrated into a single device
- Broad integration with both non-IBM and IBM software
- Higher levels of security assurance certifications require hardware
- Higher performance with hardware acceleration
- Simplified deployment and ongoing management

An SOA Appliance…
- Simplifies SOA and accelerates time to value
- Helps secure SOA XML implementations
- Governs and enforces SOA/Web Services policies

SOA Appliances: Creating customer value through extreme SOA performance, connectivity, and security

www.ibm.com/software/integration/datapower