Intro to DataPower IBM WebSphere SOA Appliances
Agenda
• What is a DataPower Appliance?
• Models and Features
• Additional Use Cases
• Success stories
• How to learn more
simpler solutions for a smarter planet
Why IBM DataPower?
• DATAPOWER IS A PURPOSE-BUILT PLATFORM THAT PROVIDES HIGH SECURITY AND EXCEPTIONAL PERFORMANCE
• There is no third-party software (OS, Java, DB, etc.) present on the system, nor can such programs be executed, so the general vulnerabilities found in platforms built on such stacks do not apply to DataPower.
• Entirely configuration based, ensuring that security holes are not introduced inadvertently through custom code.
• XML acceleration and cryptographic acceleration provide near wire-speed throughput. Security is not compromised for performance.
• UNPARALLELED INVESTMENTS IN INNOVATION
• IBM Software Group invests over $6 Billion annually in Research and Development
• The WebSphere Business Unit within IBM invests over $1 Billion annually on R&D alone, far surpassing any perceived competitor in the marketplace
• IBM develops, defines, and participates in defining and developing open standards, and conforms to them to protect investments.
• GLOBAL REACH AND SCALE OF BUSINESS OPERATIONS: IBM has a global presence, doing business in more than 170 countries, making us an ideal partner to scale geographically dispersed solution implementations, operations, and teams. We are uniquely positioned to support international operations.
The IBM WebSphere DataPower organization makes appliances
• Simple architecture: microcode firmware + purpose-built hardware
• Delivered from the factory with everything you need to connect to the network and start working
• No need to provision anything but the Ethernet network and CAT cables to get started
• All computationally significant components sealed within a tamper-proof casing:
  • Chips
  • Memory
  • Boards and cards
• Flash-based file system (signed and encrypted)
• Parsing and transform accelerators (patented)
• Cryptographic accelerators (patented)
But simple does NOT mean lacking in functionality
• Guiding philosophy is to take rote, repeatable integration tasks and lock them down in the appliance form factor, including:
  • Services gateway functions
  • Web application gateway functions
  • Service Bus (ESB) functions
  • B2B gateway functions
  • Edge optimization functions
Appliance “lock down” means:
• Removing need for commodity code
• Removing reliance on general purpose operating systems and run times
• Porting to purpose-built firmware
• Simplicity = BIG TCO SAVINGS
Over 1,800 worldwide installations and growing fast
Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Banking
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions
• SaaS providers, ASPs, regulators, etc.
Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
Many, many, more
• Telecommunications
• Utilities, Power, Oil and Gas
• Airlines
• Retailers
DataPower appliances offer a classic SOA business case: returns are based on implementation and maintenance cost reductions (chart: Do Nothing vs. Adopt WDP).
Returns are typically found by:
• Accelerating project timelines (and beginning to realize new revenues earlier)
  • Drop-in deployment, even to sensitive networks
  • Configuration of tasks that would otherwise be coded
• Reduction of project resource requirements
  • Configuration of tasks that would otherwise be coded
  • No tuning required for performance
• Reduction of existing server footprint, or deferment of the need to scale up
  • Offloading of resource-intensive functions to a platform purpose-built to do them at low resource penalties
• Lowering ongoing operations costs
  • Simple architecture and low-touch maintenance model
  • Centralization of rote, repeatable integration tasks
Why use an appliance?
• Hardened, high-performance hardware
  • Tightly integrated hardware and firmware
  • High performance
  • Security without performance bottlenecks
  • Simplicity
• Many functions integrated into a single device; connectivity requires:
  • service level management
  • routing, policy, transformation
• Enables run-time SOA governance and policy enforcement; dynamically control:
  • service availability
  • security
  • performance
  • endpoint selection
• Addresses divergent needs of different groups:
  • enterprise architects
  • network operations
  • security operations
  • identity management
  • web services developers
• Simplified deployment and ongoing management
  • reduces need for in-house SOA skills & accelerates time to SOA benefits
• Proven Green / IT Efficiency Value
  • Example: Appliance performs XML and Web services security processing as much as 72x faster than server-based systems
  • Impact: Same tasks accomplished with reduced system footprint and power consumption
“IBM ESBs [including DataPower] have the broadest set of supported runtime protocols, connectivity options, mediation capabilities, security, commercial data standards, and service monitoring and management — hands down." - Forrester
Agenda: Models and Features
Service Gateway XG45
• Entry-level device, slim footprint (1U)
• Security gateway (AAA, XML threat, etc.)
• Service level management and monitoring
• Intelligent load distribution & dynamic routing
• Lightweight ESB functions (optional module)
Integration Appliance XI52
• High density 2U form
• Consumable hardware ESB
• “Any-to-Any” conversion at wire-speed
• Bridges multiple transport protocols
• Mainframe integration & enablement
Integration Blade XI50B/XI50z
• Functionally equivalent to XI52
• Form factor flexibility
  • XI50B: BladeCenter form factor
  • XI50z: zEnterprise BladeCenter Extension (zBX) form factor
B2B Appliance XB62
• High density 2U form
• B2B Messaging (AS1/AS2/AS3/ebMS)
• Trading Partner Profile Management
• B2B Transaction Viewer
Deploy WebSphere DataPower Appliances in a variety of use cases
(Diagram: zones Internet / DMZ / Trusted Domain, with Consumer, Application, Enterprise Service Bus and System z placed across them.)
1. Secure Gateway (Web Services, Web Applications)
2. B2B Gateway
3. Edge Optimization
4. Internal Security
5. Enterprise Service Bus
6. Runtime SOA Governance
7. Web Service Management
8. Legacy Integration
Employ flexible AAA (Authenticate, Authorize, Audit) Policies
(Diagram: an AAA policy is a pipeline from input to output; each stage can use an external access control server or the onboard identity management store.)
• Extract Identity: Custom HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
• Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature
• Map Identity: Tivoli Federated Identity, Custom
• Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
• Map Resource
• Authorize: LDAP, ActiveDirectory, System/z NSS, Tivoli Access Manager, SAML, XACML, Custom
• Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA
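The AAA pipeline on the slide (extract identity, authenticate, map identity, extract resource, authorize, audit) is easier to reason about when each stage is a separate function with a single decision. The following is an added illustration written for this page, not DataPower code: it implements the same stage order for one concrete combination, HTTP Basic credentials as the identity source, a constructed onboard store as the authentication and group-mapping backend, URL path plus HTTP operation as the resource, and an in-memory audit log. The users, passwords, groups and policy table are constructed sample data.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed onboard identity store (hypothetical users; not a real deployment).
# Passwords are kept as PBKDF2 hashes so a leaked store does not yield credentials.
_SALT = b"constructed-demo-salt"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


IDENTITY_STORE = {
    "alice": {"hash": _pbkdf2("correct-horse"), "groups": {"orders-readers"}},
    "bob": {"hash": _pbkdf2("battery-staple"), "groups": {"orders-writers"}},
}

# Resource policy: (HTTP operation, normalized path) -> groups permitted to call it.
RESOURCE_POLICY = {
    ("GET", "/orders"): {"orders-readers", "orders-writers"},
    ("POST", "/orders"): {"orders-writers"},
}

AUDIT_LOG = []  # every decision, allowed or denied, is appended here


def extract_identity(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Extract Identity: username/password from an HTTP Basic Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token is treated as "no identity", never as a crash
    return (user, password) if user else None


def authenticate(user: str, password: str) -> bool:
    """Authenticate against the onboard store with a constant-time hash comparison."""
    entry = IDENTITY_STORE.get(user)
    if entry is None:
        _pbkdf2(password)  # spend the same work for unknown users (no user-enumeration timing gap)
        return False
    return hmac.compare_digest(entry["hash"], _pbkdf2(password))


def map_identity(user: str) -> Set[str]:
    """Map Identity: translate the authenticated principal into the groups policy is written against."""
    return set(IDENTITY_STORE[user]["groups"])


def extract_resource(method: str, url: str) -> Tuple[str, str]:
    """Extract Resource: HTTP operation plus the path, query string dropped and trailing slash removed."""
    path = urlsplit(url).path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return (method.upper(), path)


def authorize(groups: Set[str], resource: Tuple[str, str]) -> bool:
    """Authorize: deny by default; allow only if the caller holds a group listed for the resource."""
    allowed = RESOURCE_POLICY.get(resource)
    return allowed is not None and bool(groups & allowed)


def aaa(method: str, url: str, headers: Dict[str, str]) -> dict:
    """Run the full policy and audit the outcome. Returns the decision record."""
    result = {"allowed": False, "stage": None, "user": None, "resource": extract_resource(method, url)}
    ident = extract_identity(headers)
    if ident is None:
        result["stage"] = "extract-identity"
    else:
        user, password = ident
        result["user"] = user
        if not authenticate(user, password):
            result["stage"] = "authenticate"
        else:
            result["stage"] = "authorize"
            result["allowed"] = authorize(map_identity(user), result["resource"])
    AUDIT_LOG.append({"time": time.time(), **result})  # Audit: record every decision
    return result


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Helper to build a Basic Authorization header for the sample calls below."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


if __name__ == "__main__":
    print(aaa("GET", "/orders?id=7", basic_header("alice", "correct-horse")))
    print(aaa("POST", "/orders", basic_header("alice", "correct-horse")))
    print(aaa("GET", "/orders", {}))
```

Note that the decision record names the stage at which a request was stopped; on an appliance this is what makes an audit trail useful, since an "extract-identity" denial (no credentials presented) and an "authorize" denial (valid user, wrong group) call for different operational responses.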
Before SOA Appliances: security processing, routing and transformation are implemented in each application. A new XML standard, an access control update, or a change to the purchase order schema means every application server must be updated individually (higher cost).
The SOA appliances simplify and centralize key functions
• High speed routing, transformation, and securing of messages to multiple applications without coding changes
• Reduced complexity resulting in lower hardware, software, maintenance and administration costs, and improved productivity
• Increased flexibility that enables new functionality to be delivered to the business more quickly
After SOA Appliances: secure, route, transform all applications instantly, with no changes to applications.
1U form factor
• 4x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports
Proxying and Enforcement (flow: connection from client or partner app; call-outs to ACL and virus scanner; new connection to target internal app)
• Terminate incoming connection
• Terminate transport-level security
• Enforce Service Level Agreement policies
• Inspect message content, filter, pattern-match
• Enforce security policies on message content
• Call out to Access Control List(s)
• Detach binaries and call out to virus checker
• Transform content (XSLT, XML-to-XML)
• Establish a new connection to pass results
2U form factor
• Simplified “drop in” deployment
• Configure your integrations
• Integrates smoothly into any “shop”: .Net, Java, Legacy
(Diagram: Outside World | Protocol Firewall | DMZ (Enhanced Security DMZ with DataPower) | Domain Firewall | Internal Network. Inbound from browsers, partner apps and SaaS over HTTP(s), FTP(s), SFTP (SSH), WMQ(s), WS, JMS, TIBCO EMS; outbound to packaged apps, proprietary apps and data over HTTP, WMQ, IMS Connect, LDAP, FTP, NFS, ODBC, JMS/EMS.)
ESB HUB Scenario
• Security
  • AAA, Threat protection
  • Message validation & filtering
• Centralized management and monitoring point
• Traffic control / Rate limiting
• Intelligent load distribution
• Content based routing
• Message enrichment
• Message transformation
• Transport protocol translation
Message Format & Transport Protocol Mediation Example: format & transport bridging between a Consumer speaking SOAP / HTTP(s) and a Provider speaking Cobol / MQ via an MQ Queue Manager.
All of the capabilities of the XG45 to proxy and enforce policies
Partner Management functions:
• Define partners with the web management console
• Associate partners with network endpoints
• Attach metadata about the partners to their definitions
Enhanced Qualities of Service
• Onboard persistent transaction store
  • Search messages by partner, time, etc.
  • Replay messages if necessary
• ebXML/ebMS, AS1, AS2, and AS3 protocol bindings for greater reliability across traditionally unreliable protocols
Additional protocols supported
• SFTP (SSH)
• TIBCO EMS is available as an option
• ODBC
Additional formats supported
• PKCS7 is included in base
Additional transformation engines supported
• DataGlue – WTX/FFD is included in base
2U form factor
• 8x 1Gbps Ethernet ports
• 2x 10Gbps Ethernet ports
• More memory
• More storage
IBM WebSphere DataPower Virtual Edition
Deployment flexibility & reduced cost for development and test environments
What’s New?
• WebSphere DataPower XG45 and XI52 physical appliance functionality in a “virtual appliance” form-factor running on the VMware hypervisor
Features/Business Value
• Industry-leading workload security, optimization, and integration functionality similar to the corresponding physical DataPower appliance models, with three exceptions:
  • No Hardware Security Module (HSM) support for FIPS compliance
  • No cryptographic hardware acceleration support
  • Not part of the Common Criteria certification effort in progress for physical appliances
• Powered by a purpose-built platform including an embedded, optimized DataPower Operating System
• Ability to upgrade and downgrade firmware similar to physical appliances
• Seamless configuration migration between physical and virtual appliances
Client Benefits
• A flexible, cost effective choice for non-production environments
• A production solution for environments not suitable for physical appliance deployment
• Offers ability to use virtual appliances for development/test environments and physical appliances for staging, production and disaster recovery
Agenda: Additional Use Cases
Many people who have used DataPower to secure & optimize customer access from laptops are now allowing mobile browser access. A global furniture retail business with web applications wants to enable customer mobile access to their hosted web content (i.e. shopping cart data). They are looking to extend access to these web applications from mobile browsers but want to ensure the access is protected. (Diagram: Mobile Browser and Browser clients in front of the Applications.)
REST Service Gateway for Mobile Apps (REST Proxy between a Mobile Consumer sending JSON or XML over HTTP(s) and a Provider speaking REST, JSON, XML or SOAP)
• SSL offload
• Enforcement point for centralized security policies
  • Authentication, Authorization, Audit
  • Threat protection for XML and JSON
  • Message validation and filtering
• Centralized management and monitoring point
• Traffic control / Rate limiting
• Routing / Intelligent load distribution to Provider
• RESTful façade to non-REST Provider
Application Acceleration for Mobile Apps (Mobile Consumer sends HTTP(s) GET; the appliance fetches XML from the Provider and returns JSON or HTML/XHTML)
• Offload heavy lifting of message transformation from the Provider
• Transform to a format best suited for the requesting Mobile App
  • JSON for native/hybrid app
  • HTML/XHTML for browser based
WebSphere DataPower provides mobile operations with:
• Ease of Use: Solves complex security and integration challenges in a secure, easy to consume and extremely low TCO network device. DataPower appliances are configuration driven, not programming driven, which simplifies deployment
• Performance: DataPower is a network device that operates at wire speed. Greater processing power is realized with every new firmware release.
• Flexibility: Secure, integrate, bridge and version applications without application modification
• Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”
• Lower TCO: Customers’ own data has shown that DataPower can be 7X-8X less expensive to operate in the data center than traditional alternatives.
Protect your data with cryptography and XML threat protection
• Use DataPower to help resolve compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures
  • Message-level
  • Field-level
  • Headers
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
See: The (XML) threat is out there… by Bill Hines, ibm.com/developerWorks
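Several of the threats listed above (entity expansion and recursion, XML flood, resource hijack) share one mitigation pattern: refuse the message before the parser has done the expensive work, rather than detecting exhaustion afterwards. The following is an added example written for this page, not DataPower code and not the technique of the referenced article; it uses Python's stdlib expat parser, whose callbacks fire in document order, so a DOCTYPE or entity declaration aborts parsing before any expansion, and element depth and count are bounded as the tree is walked. The limits, the `inspect_xml` function and the sample messages are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed limits; a real gateway would tune these per service.
MAX_BYTES = 64 * 1024    # message size ceiling (XML flood, oversize payloads)
MAX_DEPTH = 32           # element nesting ceiling (recursion attacks)
MAX_ELEMENTS = 10_000    # total element ceiling (resource hijack)


class ThreatDetected(Exception):
    """Raised from inside a parser callback; expat propagates it out of Parse()."""


def inspect_xml(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Return (accepted, reason). Rejection happens at the first offending construct."""
    if len(data) > max_bytes:
        return False, "oversize: %d bytes" % len(data)

    parser = expat.ParserCreate()
    counters = {"depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no internal entity definitions and no external subset to fetch.
        raise ThreatDetected("DOCTYPE declaration not permitted")

    def on_entity_decl(*args):
        raise ThreatDetected("entity declaration not permitted")

    def on_external_entity(context, base, sysid, pubid):
        raise ThreatDetected("external entity reference not permitted")

    def on_start(name, attrs):
        counters["depth"] += 1
        counters["elements"] += 1
        if counters["depth"] > max_depth:
            raise ThreatDetected("nesting depth exceeds %d" % max_depth)
        if counters["elements"] > max_elements:
            raise ThreatDetected("element count exceeds %d" % max_elements)

    def on_end(name):
        counters["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)
    except ThreatDetected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample messages.
    print(inspect_xml(b"<order><id>42</id></order>"))
    print(inspect_xml(b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'))
    print(inspect_xml(b"<a>" * 40 + b"</a>" * 40))
```

The size check runs on the raw bytes before a parser is even created, and the depth check fires on the 33rd nested start tag rather than after the whole document has been consumed; that ordering is what keeps the cost of rejecting a hostile message proportional to the limit, not to the message.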
Payment Card Industry – History
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud resulting from exposure of that data. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
• Initial specifications adopted December 2004
• 1.1 specifications adopted September 2006
• 1.2 specifications adopted October 2008
• 1.2.1 specifications adopted August 2009
• 2.0 specifications adopted October 2010
• As of January 2011, every institution must abide by the 2.0 specifications
To Whom Does PCI DSS Apply?
• All merchants & service providers that store, process, use, or transmit cardholder data
  • Retail (e-commerce & brick & mortar)
  • Hospitality (restaurants, hotels, casinos)
  • Convenience Stores (gas stations, fast food)
  • Transportation (airlines, car rental, travel agencies)
  • Financial Services (credit card processors, banks, insurance companies)
  • Healthcare/Education (hospitals, universities)
  • Government (where payment cards are accepted)
PCI DSS Requirements: “The Digital Dozen” (PCI DSS Ver. 1.1)
Agenda: Success stories
Online Service Provider: Scalable & Secure Online Transactions
Challenge
• To deploy a more scalable infrastructure for supporting secure online transactions and enhancing the scalability, manageability & reliability of the IT environment
Solution
• Implemented WebSphere DataPower Integration Appliance & WebSphere DataPower XML Security Gateway
• The XI50 provides protocol mediation functions & accepts front-end requests via TIBCO EMS. The solution secures, transforms & routes Web services calls to the appropriate endpoint
• The XS40, deployed in the DMZ as a security-enforcement point, offers a full range of Web service security functions
Benefits
• Increased scalability and security for high volume credit card authorization services, without performance degradation
• Faster to implement than a software-only solution, with significantly lower maintenance costs
Products
• WebSphere DataPower Integration Appliance XI50
• WebSphere DataPower XML Security Gateway XS40
Large Outdoor Retailer: Web Service Enabled Credit Card Repository
Challenge
• To quickly deploy a more secure infrastructure for storing and accessing credit card data in order to meet PCI DSS compliance deadlines
Solution
• Implemented WebSphere DataPower Integration Appliance with the licensed ODBC option
• The XI50 provides a web service interface (SOAP messages in, SQL statements out) to the back end DB2 v9 database that holds customer credit card information
• Tivoli Systems Automation for Multiplatform (TSA) provides DB redundancy; on-box load balancing provides redundancy for DataPower
• Solution will accommodate significant growth
Benefits
• Met PCI DSS compliance deadlines
• Improved application integration flexibility through use of SOA standards and componentry
Products
• WebSphere DataPower Integration Appliance XI50
• Tivoli Systems Automation for Multiplatform
• DB2 v9
Agenda: How to learn more
How to learn more
• YouTube: http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
• IBM.com: http://www-01.ibm.com/software/integration/datapower/
• Redbooks:
  • Appliance architectural patterns: http://www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf
  • B2B Gateway appliance: http://www.redbooks.ibm.com/redbooks/pdfs/sg247745.pdf
  • The programmatic management interface: http://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf