
DataPower Common Use Cases

Bharat Bhushan, Principal Connectivity Architect, IBM UK


Christopher Khoury, Worldwide Client Technical Leader, IBM US
Arif Siddiqui, Product Manager, IBM US

TIS 3089

2013 IBM Corporation

Please Note
IBM's statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM's sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user's job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.


Agenda
DataPower Quick Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B


Introduction to DataPower Gateway Appliances

IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, control, integration and optimized access to a full range of Mobile, Web, API, SOA, B2B and Cloud workloads.

IBM DataPower Gateway Appliances: Security & Integration Gateway Appliances

[Diagram: consumers on the Internet reach a DataPower appliance in the DMZ; a second DataPower appliance in the Trusted Domain fronts the Application or Service and internal consumers.]

- Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload
- Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution
- Physical appliance that is purpose-built, tamper-evident, with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO
- Provides high levels of certified security assurance, e.g. transport protocol security (SSL/TLS), message-level security, and authentication, authorization, audit
- Simplified maintenance model: drop-in appliance form factor, secures traffic in minutes, push-button flash upgrade process
- Over a decade of innovation, 2000 worldwide installations, 10,000+ physical units sold
- Virtual appliance provides deployment flexibility & reduced cost for development and test environments

DataPower appliances used across a variety of scenarios

[Diagram: Internet / DMZ / Trusted Domain zones, with DataPower in the DMZ and in the trusted domain in front of System z, IBM Integration Bus, applications, services and files; trading partners connect through the DMZ appliance.]

1. Security Gateway (Web Services/Apps/APIs)
2. Intelligent Content Routing & Load Distribution
3. B2B Partner Gateway (trading partners)
4. Internal Security Enforcement
5. Integration
6. Runtime SOA Governance
7. Web Service Management
8. Legacy Integration

Use appliances to simplify & centralize critical functions

- Secure, control, integrate & optimize multiple applications without code changes
- Lower cost and complexity
- Enable new business with unmatched performance

Before DataPower Appliances: to secure, control, integrate, route & optimize, update application servers individually.
After DataPower Appliances: secure, control, integrate & optimize all applications instantly, with no changes to applications.

IBM DataPower Gateway Appliance capabilities

[Diagram: clients send in-the-clear requests, encrypted and signed requests, and malicious requests; the appliance passes valid traffic on to service providers, including a COBOL/MQ application.]

Security
- Authentication & authorization
- Security token translation
- Message & transport protection
- OAuth, SAML, XACML, WS-Security, LTPA, Kerberos, etc.

Resilience
- Operation admission control
- Failure re-routing
- XML threat protection
- JSON threat protection
- Schema validation
- Message filtering

Integration
- Convert payloads (JSON, XML, CSV, COBOL, binary, etc.)
- Bridge transports (HTTP, MQ, FTP, WAS JMS, TIBCO EMS, etc.)
- Database connectivity (DB2, IMS, Oracle, MS SQL, Sybase)
- Mainframe integration (IMS Connect, IMS Callout, CICS, etc.)
- B2B integration (AS1, AS2, AS3, etc.)

Control
- Service-level agreements
- Traffic control
- Message accounting
- Content-based routing
- Governance & management

Optimization
- SSL & TLS offload
- Hardware-accelerated crypto operations
- XSLT & XQuery acceleration
- JSONiq acceleration
- Connection pooling, offload
- Intelligent load distribution
- Caching: local & external (XC10)

DataPower Family

Service Gateway XG45
- Entry-level device, slim footprint (1U)
- Security gateway (AAA, XML threat protection, etc.)
- Service level management and monitoring
- Intelligent load distribution & dynamic routing
- Lightweight integration functions (optional)
- Available in Virtual Edition

Integration Blade XI50B/XI50z
- Functionally equivalent to XI52
- Form factor flexibility
- XI50B: BladeCenter form factor
- XI50z: zEnterprise BladeCenter Extension (zBX) form factor

Integration Appliance XI52
- High density 2U form, XG45 functionality plus:
- Any-to-any conversion at wire speed
- Bridges multiple transport protocols
- Mainframe integration & enablement
- Available in Virtual Edition

B2B Appliance XB62
- High density 2U form, XI52 functionality plus:
- B2B messaging (AS1/AS2/AS3/ebMS)
- Trading partner profile management
- B2B transaction viewer

DataPower Appliances: over a decade of innovation & over 2000 worldwide installations

Government
- Agencies and ministries
- Defense and security organizations
- Crown corporations

Banking
- Majority of the big US and European banks
- All of the big 5 Canadian banks
- Numerous regional banks and credit unions

Insurance
- Used by 95% of top global insurance firms
- SaaS providers, ASPs, regulators, etc.

Many, many more
- Healthcare
- Retailers
- Utilities, power, oil and gas
- Telecom
- Airlines
- etc.


Use Case: Security & Optimization Gateway

Securing the enterprise & providing optimized access

DataPower security roles and objectives

[Diagram: Internet, firewall, DMZ, firewall, intranet holding mission-critical data. DataPower in the DMZ provides converged security enforcement on a rock-solid platform, leverages enterprise security and policy managers, and can use z/OS RACF for user identification & authentication, authorization and certificates/keys.]

Secure access to Web and legacy applications
- Authentication
- Authorization
- User federation

Protect data and other resources on the appliance and protected servers
- System availability: protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network
- Only allow valid messages through
- Identification and authentication: verify identity of network users
- Authorization: protect data and other system resources from unauthorized access

Protect data in the network using cryptographic security protocols
- Data end point authentication: verify who the secure end point claims to be
- Data origin authentication: verify that data was originated by the claimed sender
- Message integrity: verify contents were unchanged in transit
- Data confidentiality: conceal clear text using encryption

Protection of data plus XML & JSON threat protection

- Use DataPower to help resolve PCI compliance issues
- Easily sign, verify, encrypt, decrypt any content
- Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
- Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, M

XML Threat Protection
- Entity expansion/recursion attacks
- Public key DoS
- XML flood
- Resource hijack
- Dictionary attack
- Replay attack
- Message/data tampering
- Message snooping
- XPath or SQL injection
- XML encapsulation
- XML virus
- Many others

JSON Threat Protection
- Label-value pairs: label string length (characters), value string length (characters), number length (characters)
- Threat protection: maximum nesting depth (levels), maximum document size (bytes)
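The JSON limits above are the kind of check a gateway applies before any parser touches the body, because a deeply nested or oversized document can exhaust the parser itself. As an added example (not DataPower code or configuration), the Python below enforces the five limits from the slide by scanning the raw text without building the document in memory; the limit values, function names and sample documents are illustrative assumptions, not product defaults.

```python
"""Added example, not DataPower code: enforce the five JSON threat-protection
limits the slide lists (label length, value string length, number length,
nesting depth, document size) by scanning the raw text before parsing, so a
hostile document is rejected without ever being built in memory."""

import json

# Assumed policy values (illustrative, not product defaults).
LIMITS = {
    "max_document_bytes": 4096,
    "max_nesting_depth": 8,
    "max_label_chars": 64,
    "max_value_chars": 256,
    "max_number_chars": 20,
}


def check_json_threats(raw, limits=LIMITS):
    """Return the list of violations (empty means the document passed).

    This is deliberately not a JSON parser: it only tracks nesting, string
    boundaries and number runs, which is what the limits are defined over.
    The real parser runs only after these checks pass."""
    violations = []
    if len(raw) > limits["max_document_bytes"]:
        violations.append(f"document size {len(raw)} > {limits['max_document_bytes']} bytes")
        return violations                      # do not scan an oversized body at all

    text = raw.decode("utf-8", errors="replace")
    depth, i, n = 0, 0, len(text)
    while i < n:
        ch = text[i]
        if ch in "{[":
            depth += 1
            if depth > limits["max_nesting_depth"]:
                violations.append(f"nesting depth {depth} > {limits['max_nesting_depth']}")
                return violations              # stop early: this is the expensive case
            i += 1
        elif ch in "}]":
            depth = max(depth - 1, 0)
            i += 1
        elif ch == '"':
            # Walk to the closing quote, honouring backslash escapes.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            length = j - (i + 1)
            # A string followed by ':' is a label; any other string is a value.
            k = j + 1
            while k < n and text[k] in " \t\r\n":
                k += 1
            if k < n and text[k] == ":":
                kind, limit = "label", limits["max_label_chars"]
            else:
                kind, limit = "value", limits["max_value_chars"]
            if length > limit:
                violations.append(f"{kind} string length {length} > {limit}")
            i = j + 1
        elif ch in "-0123456789":
            # Outside strings, a run of number characters is one JSON number.
            j = i
            while j < n and text[j] in "+-.eE0123456789":
                j += 1
            if j - i > limits["max_number_chars"]:
                violations.append(f"number length {j - i} > {limits['max_number_chars']}")
            i = j
        else:
            i += 1
    return violations


def admit(raw, limits=LIMITS):
    """Gateway-style admission: (parsed document, []) on success, or
    (None, violations) when the body is rejected before parsing."""
    violations = check_json_threats(raw, limits)
    if violations:
        return None, violations
    return json.loads(raw), []
```

The depth check returns on the first excess bracket rather than finishing the scan, which is the point of doing the check ahead of the parser: a flood of opening brackets costs one pass over the bytes, not a recursive parse.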

DataPower security is policy driven

- Use WS-SecurityPolicy to define security requirements for your web services. DataPower natively consumes and enforces WS-SecurityPolicy statements: integrity & confidentiality, SupportingTokens, message/transport protection.
- Use XACML to define access and authorization policies for your web services. DataPower natively consumes and enforces XACML policies: resource-based authorization, PEP and PDP roles.

AAA: Authentication, Authorization, Auditing

[Diagram: the AAA policy flow from input to output: Extract Identity -> Authenticate -> Map Identity; Extract Resource -> Map Resource; then Authorize -> Audit & Post-Process, backed by an external access control server or the onboard identity management store.]

Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML assertion, IP address, LTPA token, HTML form, OAuth, custom

Authenticate: LDAP/Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom

Map Identity

Extract Resource: URL, XPath, SOAP operation, HTTP operation, custom

Map Resource

Authorize: LDAP/Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, custom

Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SPNEGO, generate SAML, generate LTPA, map Tivoli Federated Identity
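The seven stages above form one pipeline, and the order matters: the resource is authorized for the mapped identity, not the raw credential, and the credential the client presented never reaches the provider. As an added example, not DataPower code or configuration, the Python below runs the stages in that order over an HTTP Basic credential. The user store, group mapping, ACL, signing key and the X-Asserted-Identity header are in-memory stand-ins and assumptions for the LDAP/RACF/XACML back ends and token formats the slide lists.

```python
"""Added example, not DataPower code or configuration: the seven AAA stages on
the slide (extract identity, authenticate, map identity, extract resource, map
resource, authorize, audit & post-process) as one policy over a parsed HTTP
request. The user store, group mapping, ACL and signing key are in-memory
stand-ins (assumptions) for the LDAP/RACF/XACML back ends the slide lists."""

import base64
import hashlib
import hmac
from dataclasses import dataclass, field


def _pw_record(password, salt):
    # Store a salted hash, never the password itself.
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


# Assumed back-end data (illustrative stand-ins).
USER_STORE = {"alice": _pw_record("s3cret", b"salt-a"),
              "bob": _pw_record("hunter2", b"salt-b")}
GROUPS = {"alice": "traders", "bob": "readonly"}          # user -> group
ACL = {("traders", "orders", "POST"), ("traders", "orders", "GET"),
       ("readonly", "orders", "GET")}                     # (group, resource, method)
GATEWAY_KEY = b"assumed-gateway-signing-key"             # signs the asserted identity
AUDIT_LOG = []                                           # stands in for the log target


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


class AAAError(Exception):
    pass


def extract_identity(req):
    """Stage 1: pull the credential off the transport (HTTP Basic here)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise AAAError("no credentials")
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 are both ValueError subclasses
        raise AAAError("malformed credentials")
    return user, pw


def authenticate(user, pw):
    """Stage 2: check the credential against the store in constant time."""
    rec = USER_STORE.get(user)
    if rec is None:
        raise AAAError("unknown user")
    salt, expected = rec
    if not hmac.compare_digest(hashlib.sha256(salt + pw.encode()).hexdigest(), expected):
        raise AAAError("bad password")
    return user


def map_identity(user):
    """Stage 3: translate the authenticated user into what authorization understands."""
    return GROUPS.get(user, "anonymous")


def extract_resource(req):
    """Stage 4: what is being accessed, as URL plus HTTP operation."""
    return req.path, req.method.upper()


def map_resource(path, method):
    """Stage 5: normalize the URL so /api/v1/orders and /api/v1/orders/123 both
    authorize as the policy resource 'orders'."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) >= 3 and parts[0] == "api":
        return parts[2], method
    return (parts[0] if parts else ""), method


def authorize(group, resource, method):
    """Stage 6: resource-based decision against the ACL (the PDP role)."""
    if (group, resource, method) not in ACL:
        raise AAAError(f"{group} may not {method} {resource}")


def post_process(req, user, group):
    """Stage 7: strip the client's credential and assert the identity to the
    provider with an HMAC it can verify (a stand-in for generating SAML/LTPA)."""
    headers = {k: v for k, v in req.headers.items() if k != "Authorization"}
    assertion = f"{user};{group}"
    tag = hmac.new(GATEWAY_KEY, assertion.encode(), hashlib.sha256).hexdigest()
    headers["X-Asserted-Identity"] = f"{assertion};{tag}"
    return Request(req.method, req.path, headers)


def run_aaa(req):
    """Run all seven stages; return the outbound request or raise AAAError.
    Every outcome, allowed or denied, is written to the audit log."""
    try:
        user = authenticate(*extract_identity(req))
        group = map_identity(user)
        resource, method = map_resource(*extract_resource(req))
        authorize(group, resource, method)
    except AAAError as exc:
        AUDIT_LOG.append(f"DENY {req.method} {req.path}: {exc}")
        raise
    AUDIT_LOG.append(f"ALLOW {req.method} {req.path} user={user} group={group}")
    return post_process(req, user, group)
```

Two details are worth keeping when this is built for real: the denial is logged with the reason before the exception propagates, so a failed authentication and a failed authorization are distinguishable in the audit trail, and the outbound request carries a gateway-signed assertion rather than the user's password, which is the "security token translation" the slides keep returning to.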

Security Gateway

[Diagram: browsers, partner apps and SaaS on the Internet pass the protocol firewall into the DMZ, where a Security Gateway enforces incoming access control and threat protection over HTML, JSON, XML, SOAP, MIME, DIME, MTOM, XMLDSIG, XMLENC, WS-Security, WS-SecurityPolicy, WS-Trust, SAML and OAuth 2.0 on HTTP(S). Behind the domain firewall a second Security Gateway enforces outgoing access control (SAML injection etc.) for internal consumers reaching packaged apps, proprietary apps, data and the ESB, which keep their own internal security. Access decisions consult an ACL and external stores: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, or a PDP (XACML, SAML, other).]

Proxying and Enforcement

[Diagram: the consumer's web service request (Basic Auth, OAuth 2.0, WS-Security UNT, etc.) terminates at the appliance, which consults an ACL and a virus scanner, then opens a new connection to the provider carrying the translated token (SAML, LTPA, Kerberos).]

Terminate the incoming connection from the client, then:
- Terminate transport-level security (SSL/TLS offload)
- Threat protection
- Enforce service level agreement policies
- Inspect message content and filter (schema validate)
- Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
- Authentication, Authorization, Auditing (AAA)
- Call out to virus checker
- Transform content & enrich message
- Translate security token
- Dynamically route based on content and load balance
- Cache data on-box or in a centralized, shared XC10 grid

Establish a new connection to the target to pass the results.

Retail Service Provider: securely expose services to consumers

Challenge
- Consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs
- Web services infrastructure needed to support highly secure data routing, given the daily high volume & sensitive nature of the information

Solution
- Implemented WebSphere DataPower to form the Web services backbone
- Through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data
- Integrated seamlessly into a heterogeneous environment, increasing interoperability & promoting reuse

Benefits
- Secure SOA on a standards-based platform
- Easily reuse Web services throughout the enterprise
- Boosts productivity of IT staff
- Substantially shortens time to market for new services

Centralized Service Governance & Policy Enforcement

[Diagram: WSRR as Policy Administration Point, from which DataPower discovers services & policy; DataPower as Policy Enforcement Point between message consumer and service; ITCAM for SOA as Policy Monitoring Point monitoring services; identity management alongside.]

- Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services. DataPower can subscribe to or poll web services information from WSRR.
- Automatically expose services and policies in DataPower via WSRR subscription: include WS-Policy and WS-SecurityPolicy statements via WS-PolicyAttachment; retrieve WSDLs by specific version number.
- Dynamically retrieve run-time routing information from WSRR.
- Complete SOA governance solution: WSRR for web service life-cycle policy management, DataPower for web service run-time policy enforcement.
- Centralized transaction monitoring with ITCAM for SOA.
- Support for UDDI v2 and v3 registries.

Service Level Monitor (SLM): Traffic Control / Rate Limiting

- Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
- Frequency based on concurrency, or based on messages per time period
- Take action when exceeding a custom threshold: notify (or log), shape (or delay), throttle (or reject)
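The three actions above differ in what happens to the message that crosses the threshold: notify lets it through and records the event, throttle rejects it, and shape admits it but holds it until the rate is back within the limit. As an added example, not DataPower configuration, the Python below implements a monitor with both threshold kinds and all three actions. The class name, the injectable clock and the policy values are illustrative assumptions; shaping a concurrency limit is treated as a reject here, which is also an assumption, since a fixed delay cannot free a slot that is still in use.

```python
"""Added example, not DataPower configuration: a Service Level Monitor with the
two threshold kinds and three actions the slide names. The threshold is either
messages per interval or concurrent in-flight messages; on exceeding it the
policy notifies (logs and admits), shapes (admits with a delay that keeps the
rate within the limit) or throttles (rejects). The clock is injectable so the
behaviour is testable without sleeping; all policy values are illustrative."""

import bisect
import time


class SLMPolicy:
    def __init__(self, action, messages_per_interval=None, interval_s=1.0,
                 max_concurrent=None, clock=time.monotonic):
        if action not in ("notify", "shape", "throttle"):
            raise ValueError("action must be notify, shape or throttle")
        if (messages_per_interval is None) == (max_concurrent is None):
            raise ValueError("choose exactly one of a rate or a concurrency threshold")
        self.action = action
        self.limit = messages_per_interval
        self.interval = interval_s
        self.max_concurrent = max_concurrent
        self.clock = clock
        self.window = []      # sorted send times (real or scheduled) within the interval
        self.in_flight = 0
        self.events = []      # stands in for the log target / SNMP trap

    def admit(self, msg_id):
        """Decide for one inbound message: returns ('allow' | 'reject', delay_s).
        A non-zero delay means the caller holds the message that long before
        forwarding it (shaping)."""
        if self.limit is None:
            return self._admit_concurrency(msg_id)
        now = self.clock()
        # Drop send times that have left the trailing interval (now - interval, now].
        cutoff = now - self.interval
        while self.window and self.window[0] <= cutoff:
            self.window.pop(0)
        if len(self.window) < self.limit:
            bisect.insort(self.window, now)
            return "allow", 0.0
        self.events.append(f"{msg_id}: rate threshold exceeded, action={self.action}")
        if self.action == "throttle":
            return "reject", 0.0
        if self.action == "notify":
            bisect.insort(self.window, now)
            return "allow", 0.0
        # shape: the earliest instant at which fewer than `limit` sends remain in
        # the trailing interval is when the (len - limit + 1)-th oldest send ages out.
        send_at = self.window[len(self.window) - self.limit] + self.interval
        bisect.insort(self.window, send_at)
        return "allow", send_at - now

    def _admit_concurrency(self, msg_id):
        if self.in_flight < self.max_concurrent:
            self.in_flight += 1
            return "allow", 0.0
        self.events.append(f"{msg_id}: concurrency threshold exceeded, action={self.action}")
        if self.action == "notify":
            self.in_flight += 1
            return "allow", 0.0
        # Assumption: a concurrency limit cannot be met by a fixed delay without a
        # queue, so shape is treated like throttle for this threshold kind.
        return "reject", 0.0

    def complete(self):
        """Call when a forwarded message's response has been returned
        (only meaningful for the concurrency threshold)."""
        if self.max_concurrent is not None and self.in_flight > 0:
            self.in_flight -= 1
```

Shaped messages are recorded at their scheduled send time, not their arrival time, so a burst of arrivals is spread out at exactly the configured rate rather than all being released when the first slot frees.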

Application Optimization Example

Scenario: a JSON REST to-do list application on WAS, reached by public users. Issues: high server load and slow response time (>10 s).

Sample request:

    PUT /joe/todos HTTP/1.1
    Host: joe.org
    Content-Type: application/json
    Content-Length: 69

    { "Task" : "AddEntry",
      "Detail": "Create presentation materials." }

1. Improve server load with SSL offload: client requests are secured via the DataPower SSL concentrator in the DMZ; load on the WAS application in the data center improves.
2. Manage traffic with application fluency: DataPower enables application-aware traffic management, e.g. treating the request above differently from one whose body is
   { "Task" : "AddEntry", "Detail": "Waste time." }
3. Distribute load intelligently: Application Optimization adds load distribution intelligence, leveraging dynamic runtime conditions to distribute based on topology & workload; response time improves.
4. Cache at the edge(s): application results are cached at the edge using the XC10 caching grid or locally on-box, giving fast responses and low server load.

Result: faster application response time, lower server load, improved system throughput.

Using XC10 as a side cache for DataPower

1. Client submits application request.
2. DataPower XI parses the request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards the request to the target provider.
4. XI adds the application response to XC10.
5. Client receives the response from XI.

- Easily integrates into the existing business process: no code changes to the client or back-end application; simply add the side cache mediation
- Significantly reduces the load on the back-end system by eliminating redundant requests
- Improves client-observed response time

[Diagram: client -> DataPower XI appliances -> provider, with DataPower XC10 as side cache; the provider's large response time versus the improved response time and load seen by the client.]
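The five steps above leave one decision to the person configuring the mediation, and it is the one that decides whether the cache is a security problem: what goes into the cache key. As an added example, not DataPower or XC10 code, the Python below implements the five steps with an in-process cache standing in for the grid, keys every entry on the method, the full URL and the authenticated identity so one client's response is never served to another, caches only GET responses, and expires entries on a TTL. The class and function names, the TTL and the sample provider are illustrative assumptions.

```python
"""Added example, not DataPower or XC10 code: the five-step side-cache
mediation from the slide, with an in-process cache standing in for the XC10
grid. The cache key includes the authenticated identity (and method and URL)
so per-user responses never cross users; only idempotent GETs are cached, and
entries expire after a TTL. Values and names are illustrative assumptions."""

import hashlib
import time


class SideCache:
    def __init__(self, ttl_s, clock=time.monotonic):
        self.ttl = ttl_s
        self.clock = clock
        self.store = {}          # key -> (stored_at, response)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(method, url, identity):
        # Identity is part of the key so that /account for alice and /account for
        # bob are different entries; hashing keeps the key fixed-length and free
        # of whatever characters the URL or identity contain.
        return hashlib.sha256(f"{method}\n{url}\n{identity}".encode()).hexdigest()

    def get(self, k):
        hit = self.store.get(k)
        if hit and self.clock() - hit[0] < self.ttl:
            self.hits += 1
            return hit[1]
        if hit:
            del self.store[k]    # expired: evict rather than serve stale data
        self.misses += 1
        return None

    def put(self, k, response):
        self.store[k] = (self.clock(), response)


def mediate(cache, method, url, identity, call_provider):
    """Steps 1 to 5 from the slide. `call_provider(method, url, identity)` stands
    in for the back-end connection made on a miss (step 3)."""
    if method != "GET":                               # only idempotent requests are cacheable
        return call_provider(method, url, identity)
    k = SideCache.key(method, url, identity)          # step 1: parse the request
    cached = cache.get(k)                             # step 2: query the cache
    if cached is not None:
        return cached                                 # step 5 on a hit
    response = call_provider(method, url, identity)   # step 3: forward on a miss
    cache.put(k, response)                            # step 4: store the response
    return response                                   # step 5
```

The TTL is the knob that trades load against staleness; the travel case on the following slide ran with a 10 minute cache and reported that the faster responses were still accurate, which is a statement about how often its fare data changes, not a general default.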

DataPower XI52 + XC10: Travel and Transportation (online reservations)

100x performance improvement
- Before: 3-5 sec response time
- After: .01-.05 sec response time

Caching service requests
- Improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability
- 52% caching rate
- 10 minute cache resulted in 40% reduction in load on the back-end systems
- Maintained high data integrity: faster responses were also accurate
- POC in 3.5 hrs

Improved reliability and scalability of reservation channels
- Reduced traffic to backend systems
- Deliver high performance & consistent response times
- Scale with simplicity and lower TCO


Use Case: Mobile Connectivity

Securely & rapidly connect mobile apps with enterprise services

Connect Mobile Apps with Enterprise Apps & Services: security, control, integration & optimization of mobile workload

Securely expose enterprise data to mobile apps while optimizing delivery of the workload.

[Diagram: mobile apps call the IBM DataPower Gateway Appliance, e.g. REST (JSON/XML) over HTTPS or SOAP over HTTPS; the appliance fronts Worklight and WAS ND web apps and services, and message-oriented legacy apps.]

Appliance functions:
- SSL offload
- Threat protection
- Rate limiting
- Validation, filtering, now with native JSON support**
- Authentication
- Authorization
- Security token translation
- Transformation
- Content-based routing
- Intelligent load distribution, now with On Demand Router for WAS ND**
- Response caching locally or to XC10**
- Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices**
- Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**

** Available in DataPower firmware version 6.0

A closer look at some Mobile Connectivity scenarios

REST Service Gateway for Mobile Apps
- SSL offload
- Enforcement point for centralized security policies: authentication, authorization, OAuth 2.0, audit; threat protection for XML and JSON; message validation and filtering
- Centralized management and monitoring point: traffic control / rate limiting
- Routing / intelligent load distribution to the provider
- RESTful façade to a non-REST provider (REST proxy)

[Diagram: mobile consumer -> REST (JSON or XML over HTTP(S)) -> IBM DataPower Gateway -> JSON / XML / SOAP -> provider]

Application Acceleration for Mobile Apps
- Offload the heavy lifting of message transformation from the provider
- Transform to the format best suited to the requesting mobile app: JSON for native/hybrid apps, HTML/XHTML for browser-based
- Cache response data from the provider: locally on the appliance, or externally to the elastic caching XC10

[Diagram: mobile consumer HTTP(S) GET -> IBM DataPower Gateway -> HTTP(S) GET -> provider returns XML; the gateway returns JSON or HTML/XHTML to the consumer]

Client examples using DataPower for mobile use cases

Several examples of businesses using DataPower as a mobile gateway for their security & integration needs:
- A large international bank routes its mobile banking traffic through DataPower
- A large mobile company in the UK secures traffic from handsets (REST service calls) via DataPower
- A large global phone company has its RESTful service calls, using JSON and XML from mobile devices and consumer browsers, secured and load balanced using DataPower
- A large retailer went live recently with DataPower proxying mobile traffic
- A retailer secures its provisioning iPad traffic through DataPower
- A wireless carrier secures mobile traffic to account data through DataPower


Use Case: API Management

Securely & rapidly create, socialize & manage business APIs to engage with a developer ecosystem

IBM API Management V2.0 (On-Premise): secure, control and optimize access to APIs through DataPower

Create, manage, socialize APIs
- Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Ops perspective; API lifecycle management
- Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas, manage communities and monitor service levels
- Application Developer Portal with self-service registration and hooks into social communities

On-premise DMZ-ready API Gateway
- Rapid on-ramping of APIs
- API security: SSL termination, threat protection, authentication, authorization with OAuth
- Quota enforcement / traffic control; enforce API consumption policies
- Monitors API use
- Caching support for both on-box local and remote caching using XC10
- Intelligent routing and load distribution

[Diagram: web apps and mobile clients reach enterprise services through DataPower on premise; the App Developer Portal, Dev Ops Dashboard and Business Ops Dashboard manage it.]

Secure Mobile App Integration + API Management

[Diagram: mobile apps & web consumers -> Security & Integration Gateway (IBM DataPower Appliance) with Caching Appliance (IBM DataPower XC10) -> applications & services on app servers (WAS, WAS ND, Worklight or other provider). API consumers & app developers and API owners use IBM API Management** to create, publish, manage & socialize APIs; multi-device development with IBM Worklight.]

** Available in IBM API Management 2.0


Use Case: Enterprise Integration

Consumable integration solution for securely connecting applications & services while optimizing delivery of the workload

Integration

[Diagram: partner apps, SaaS and browsers on the Internet cross the protocol firewall into the DMZ (enhanced security) and the domain firewall into the internal network. The DataPower Gateway mediates between HTTP(S), FTP(S), SFTP (SSH), WMQ(S), WS JMS and TIBCO EMS on the outside and HTTP, WMQ, LDAP, IMS Connect, ODBC databases, JMS/EMS, FTP and NFS reaching packaged apps, proprietary apps and data on the inside, with ACL checks.]

Integration scenario
- Content-based routing
- AAA, threat protection
- Message enrichment
- Message validation & filtering
- Message transformation
- Traffic control / rate limiting
- Transport protocol translation
- Intelligent content-based routing
- Intelligent load distribution
- Local and distributed caching

Message format & transport protocol mediation example: format & transport bridging between a COBOL / MQ consumer (via an MQ queue manager) and a SOAP / HTTP(S) provider.

UK Government Agency enables integration capabilities using DataPower

Challenge
- Data held in the back-end systems is vital to delivering citizen services and fraud detection across various layers of government across the EU
- Vulnerable back-end services
- Security
- Capacity / SLA
- Consistent usability experience for internal or external service consumers

Solution
- DataPower in key network zones within and outside of the department
- Thorough content-based validation, routing, and security policy enforcement
- Integrated seamlessly into a heterogeneous environment, increasing interoperability & promoting reuse

Benefits
- Ease of integration
- Security assurance of the architecture
- Secure SOA on a standards-based platform
- Consistent experience and policy for all users

[Diagram: other UK departments, internal users and other EU countries reach core services and core data over the government network through an integration layer of DataPower appliances.]

Security & Integration Scenario: Financial Firm

[Diagram only; this slide carries no text.]


Use Case: Mainframe Integration & Enablement

Offload processing for reduced MIPS; Web Services enablement for IMS, CICS, DB2

An Irish Bank: enabling retail banking

Challenge
- Retail application contained 7000 screens; slow response times over a dedicated proprietary network
- Cost of processing XML on the mainframe
- Message transformation needed before the core banking platform could process requests

Solution
- DataPower in the trusted network exposed services for XML / HTTP(S) and protocol bridging to WebSphere MQ
- Message validation and transformation using WebSphere Transformation Extender (WTX)

Benefits
- Retail application acceleration through transformations and caching
- Optimized platform for handling, parsing and processing payloads

[Diagram: web-based branch application over the branch network -> DataPower -> core banking platform on Z]

High Street Clothing and Fashion Accessories Retailer: increase customer interaction and loyalty

Challenge
- Highly competitive industry; first mover advantage
- Weak customer loyalty
- Multi-channel customer experience
- Complex supply chain and service providers

Solution
- DataPower acted as a reverse proxy for outbound messages via a service provider and for inbound customer updates / delivery notifications
- Transform SOAP / XML payload to COBOL copybook messages for the CICS application

Benefits
- Create customer interaction and value through innovative business strategy
- Integrate various suppliers using standards-based interfaces securely
- Graphical configuration-driven appliance; short learning curve

[Diagram: open Internet -> DataPower -> customer & product related applications and systems on Z]

Broad integration with System z

Connect to existing applications over WebSphere MQ
- Transform XML to/from COBOL copybook for legacy needs
- Integrate with RACF security from DataPower AAA
- Dynamic crypto material retrieval & caching, or offload crypto operations to z

Connect to IMS: via IMS Connect client, via Web Services, via WebSphere MQ
Connect to CICS: via WebSphere MQ, via Web Service
Connect to DB2: via Web Service, or as a direct ODBC call with the ODBC Client option

Additional benefits with the integrated DataPower XI50z blade form factor
- Fast secure network between the DataPower blade and target servers
- Virtual network provisioning
- Dynamic load balancing (via Sysplex Distributor)
- HMC console integration: blade hardware management, energy monitoring and management of DP blades, DP firmware load and update, monitoring and reporting

[Diagram: client -> SOAP/HTTP -> DataPower / DataPower XI50z -> MQ server -> IMS MQ bridge / OTMA -> IMS application; alternative paths via IMS SOAP Gateway and WAS+IMS connector; CCB / MQ; DRDA to DB2.]

Enhanced value for System z & IMS: new integration capabilities between DataPower and IMS

- IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
  [Diagram: IMS applications (App1, App2) via OTMA -> IMS Connect -> TCP/IP -> DataPower -> SOAP / REST -> service provider; DataPower also serves inbound service consumers]
- IMS DB feature supports DataPower integration with the IMS database through a SQL interface: enrich messages with database content; expose data as a service to remote applications
  [Diagram: client -> SOAP / REST -> DataPower -> DRDA -> IMS DB]


Use Case: B2B Integration

Extend integration beyond the enterprise to the partner community

DataPower B2B Functionality: extend beyond the enterprise to integrate with partners

B2B Gateway Service
- AS1, AS2, AS3 and ebMS v2.0
- Plaintext email support
- EDI, XML and binary payload routing
- Front side protocol handlers
- Hard drive archive/purge policy
- CPA and partner profile associations
- MQ File Transfer Edition integration

Trading Partner Profiles
- Two types: internal and external
- ebXML CPPA v2.0
- Multiple business IDs
- Multiple destinations (URL openers)
- Certificate management (S/MIME security)
- Multi-step processing policy

B2B Viewer
- B2B transaction viewing
- MQ FTE transaction viewing
- Transaction resend capabilities
- Transaction and acknowledgement correlation
- Role-based access

Persistent Storage
- AES-encrypted B2B document storage
- Option for off-box storage (NFS or iSCSI)
- Transaction store: B2B metadata storage, B2B state management

[Diagram: DataPower B2B Gateway Service with partner-connection front side handlers and destinations for internal and external partners, partner profiles, metadata store (DB), document store (HDD) and B2B Viewer.]

UK Logistics and Distribution

Challenge
- AS2, file and Web Services based interfaces to 100s of B2B customers
- Messages are exchanged at least once a day
- Secure proxy solution in the DMZ
- Complex incumbent supplier chain

Benefits
- Create customer interaction and value through innovative business strategy
- Integrate various suppliers using standards-based interfaces securely
- Graphical configuration-driven appliance; short learning curve

[Diagram: internal systems <-> DataPower <-> external systems]

DataPower Appliances Benefits

- Reduce complexity: replace software server functionality with DataPower Appliances, reduce infrastructure footprint, and off-load system-intensive processes.
- Lower TCO: DataPower Appliances have demonstrated reducing operational costs by as much as 50%.
- Reduce time to market: DataPower Appliances dramatically decrease the testing time and amount of development required to upgrade your environment; most policies are configuration driven as opposed to development driven.
- Reduce risk: DataPower Appliances provide the communication layer without requiring application modification, and deliver improved security and audit.
- Flexibility & security: DataPower Appliances shield business applications from security requirements, protocol changes and service versioning; no application modifications needed.

DataPower resources

- IBM DataPower Web Page (support, technotes, doc): http://www-01.ibm.com/software/integration/datapower/
- developerWorks DataPower Discussion Area: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
- Vast library of published articles: http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html (also search for DataPower within WebSphere, SOA/Web Services and XML); http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (search DataPower)
- IBM Redbooks: http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
- IBM WebSphere DataPower SOA Appliance Handbook: http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
- YouTube: http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
- DataPower Podcasts: http://www.ibm.com/podcasts/software/websphere/datapower/index.rss

www.ibm.com/software/integration/datapower

We love your feedback!

Don't forget to submit your Impact session and speaker feedback! Your feedback is very important to us; we use it to improve next year's conference.

Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
- Use the session ID number to locate the session
- Click the "Take Survey" link
- Submit your feedback

Legal Disclaimer

IBM Corporation 2013. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
Lotus Sametime Unyte). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server).
Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your
presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in
your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International
Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
If you reference Adobe in the text, please mark the first use and include the following; otherwise delete:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
If you reference Java in the text, please mark the first use and include the following; otherwise delete:
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete:
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:
Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and
other countries.
If you reference UNIX in the text, please mark the first use and include the following; otherwise delete:
UNIX is a registered trademark of The Open Group in the United States and other countries.
If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete:
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of
others.
If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta
Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration
purposes only.


BACKUP Material


Health Insurance Provider

Industry pains:
- HIPAA security requirements for transporting data over the Internet
- HL7 v3.0 XML threat protection
- Complexity of B2B for healthcare

Smarter business outcomes:
- Reliable and secure routing of customer-sensitive data
- Easy to use and maintain; no additional skill needed
- XML messages with attachments are authenticated, authorized and virus scanned

Value of DataPower B2B Appliances for extending connectivity: a secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information.

EDIINT Flow: Simple AS2 transaction flow with Transform

[Diagram, not reproduced. Components: Partner A's EDI application sending AS2 (EDI) over the Internet; Partner B's B2B Hub (XB62) with the B2B Gateway Service and AS2 Process, which returns AS2 (MDN) to Partner A and delivers the transformed XML to the Partner B application; Data Store, Transaction Viewer and Browser.]

Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.


Why use an Appliance for connectivity?

Many functions incorporated in a single device
- Service level management
- Dynamic routing and load distribution
- Transport and message level security
- Policy enforcement
- Transport and message transformation

Simplified maintenance model
- Drop-in appliance form factor
- Secures traffic in minutes
- Push-button flash upgrade process
- Integrates with existing operations

Provides high levels of certified security assurance
- Transport protocol security (SSL/TLS)
- Message level security
- Authentication, Authorization, Audit (AAA)
- FIPS 140-2 Level 3 (the Level 3 validation covers key storage in the optional hardware security module)

Purpose-built, fine-tuned consumable platform
- Achieves fast performance with multiple layers of specialized acceleration

DataPower & Tivoli Offerings

DataPower integrates with Tivoli offerings to provide an authentication and authorization policy enforcement point solution. Roles used below: PAP = Policy Authoring Point, PDP = Policy Decision Point, PEP = Policy Enforcement Point.

- Tivoli Security Policy Manager (TSPM): allows authoring of XACML policy to be enforced by DataPower [PAP]. TSPM can also act as the PDP to make authorization decisions [PDP]; DataPower enforces the decision [PEP].
- Tivoli Access Manager (TAM): provides a single point of decision making for authentication and authorization [PDP]. A locally cached TAM policy database on DataPower reduces network latency and traffic congestion.
- Tivoli Federated Identity Manager (TFIM): provides federated identity management and a single enterprise IdP solution [Federation].
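The PAP / PDP / PEP split above, and the effect of a local decision cache, as an added example in plain Python. This is not DataPower or Tivoli code: the rule table stands in for the XACML policy a PAP would author, the `PDP` class for the remote decision service, and the `PEP` class for the gateway. The roles, resources, TTL and rule table are constructed for illustration.

```python
"""Policy Enforcement Point with a local decision cache (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy: (role, resource prefix, action, permit).  A real
# deployment would author this as XACML on the PAP; this shape is only
# enough to show permit/deny evaluation.
POLICY: List[Tuple[str, str, str, bool]] = [
    ("claims-adjuster", "/claims/", "read", True),
    ("claims-adjuster", "/claims/", "write", True),
    ("auditor", "/claims/", "read", True),
    ("auditor", "/claims/", "write", False),
]


@dataclass
class PDP:
    """Policy Decision Point: evaluates a request against the rule table."""
    rules: List[Tuple[str, str, str, bool]]
    calls: int = 0  # decisions actually computed, to make the cache visible

    def decide(self, role: str, resource: str, action: str) -> bool:
        self.calls += 1
        for r_role, prefix, r_action, permit in self.rules:
            if r_role == role and r_action == action and resource.startswith(prefix):
                return permit
        return False  # default deny: an unmatched request is never permitted


class PEP:
    """Policy Enforcement Point: asks the PDP and caches each decision.

    The cache key is the full (role, resource, action) tuple, so a permit for
    one resource is never reused for another, and every entry carries an
    absolute expiry so a revoked permission stops being honoured within one
    TTL even if nothing pushes an invalidation.
    """

    def __init__(self, pdp: PDP, ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.pdp = pdp
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.cache: Dict[Tuple[str, str, str], Tuple[bool, float]] = {}

    def enforce(self, role: str, resource: str, action: str) -> bool:
        key = (role, resource, action)
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]  # fresh local decision, no round trip to the PDP
        decision = self.pdp.decide(role, resource, action)
        self.cache[key] = (decision, now + self.ttl)
        return decision

    def invalidate(self, role: Optional[str] = None) -> None:
        """Drop cached decisions, optionally only those for one role."""
        if role is None:
            self.cache.clear()
        else:
            for key in [k for k in self.cache if k[0] == role]:
                del self.cache[key]
```

Denies are cached as well as permits, so a flood of requests that will be refused does not turn into a flood of PDP calls. The TTL is the upper bound on how long a revoked entitlement keeps working at the gateway; `invalidate` is the hook a policy push (the role the locally replicated policy database plays on the slide) would call to shorten that window.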

Application Optimization
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance and performance.

[Diagram, not reproduced: consumers on the Internet reach applications, including System z, through a DMZ and a trusted domain. Application Optimization covers application intelligence, application security and SSL acceleration; SOA Optimization covers XML intelligence, XML security, and routing, transformation and mediation.]

Application Optimization
- Self Balancing: self-balance across a cluster of appliances
  - Replaces the front-end IP load balancer
  - Support introduced in firmware version 4.0.2 preserves connections, without loss, during a failover
- Dynamic and intelligent load distribution to back-end systems
  - Replaces the back-end load balancer

[Diagram, not reproduced: self balancing (IP spraying) across the appliance cluster; front-end IP load balancers not needed.]

Application Optimization
Provides application-aware intelligent load distribution
- Auto-discovers application targets and distributes load using a dynamic feedback mechanism
- Topology learning for WAS ND and VE
- Uses intelligent weighted distribution algorithms based on current server load
- Weighted Least Connection load balancing algorithm
- Provides several options for enabling session affinity

DataPower performs dynamic back-side routing and load distribution, leveraging dynamic information from the back ends. Failure of a target is masked by appropriate weighted distribution.
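The weighted least-connection selection, failure masking and session affinity described above, as an added example in plain Python. This is not DataPower code: target names, weights and the "active connections" feedback are constructed here, where a real gateway would take the feedback from the back ends and its health checks.

```python
"""Weighted least-connection distribution with failure masking and session affinity
(added example, not DataPower code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Target:
    name: str
    weight: int           # relative capacity set by the operator (constructed)
    active: int = 0       # in-flight connections, updated as traffic flows
    healthy: bool = True  # a failed target is masked by never being selected


class WeightedLeastConnection:
    """Pick the healthy target with the fewest active connections per unit of weight."""

    def __init__(self, targets: List[Target]) -> None:
        self.targets: Dict[str, Target] = {t.name: t for t in targets}
        self.affinity: Dict[str, str] = {}  # session id -> target name

    @staticmethod
    def _load(t: Target) -> float:
        # Lower is better.  A weight-3 target may carry three times the
        # connections of a weight-1 target before it looks equally loaded.
        return t.active / t.weight

    def pick(self, session_id: Optional[str] = None) -> Target:
        # Session affinity: keep a session on its target while that target is up.
        if session_id is not None and session_id in self.affinity:
            bound = self.targets[self.affinity[session_id]]
            if bound.healthy:
                bound.active += 1
                return bound
            del self.affinity[session_id]  # target failed: drop the stale binding
        candidates = [t for t in self.targets.values() if t.healthy and t.weight > 0]
        if not candidates:
            raise RuntimeError("no healthy targets available")
        # Ties are broken by name so selection is deterministic.
        best = min(candidates, key=lambda t: (self._load(t), t.name))
        best.active += 1
        if session_id is not None:
            self.affinity[session_id] = best.name
        return best

    def release(self, t: Target) -> None:
        """Called when a connection closes; feeds the dynamic load back in."""
        t.active = max(0, t.active - 1)

    def mark_down(self, name: str) -> None:
        self.targets[name].healthy = False

    def mark_up(self, name: str) -> None:
        self.targets[name].healthy = True


def distribution(n: int) -> Dict[str, int]:
    """Open n connections against a 3:1 weighted pair and count where they land."""
    lb = WeightedLeastConnection([Target("a", 3), Target("b", 1)])
    counts = {"a": 0, "b": 0}
    for _ in range(n):
        counts[lb.pick().name] += 1
    return counts


def failover() -> Tuple[str, str]:
    """A session bound to 'a' is moved to 'b' once 'a' is marked down."""
    lb = WeightedLeastConnection([Target("a", 3), Target("b", 1)])
    first = lb.pick("sess-1").name
    lb.mark_down("a")
    second = lb.pick("sess-1").name
    return first, second
```

With weights 3 and 1 and no releases, eight picks land six on `a` and two on `b`, the ratio the weights express; once `a` is marked down, a session pinned to it is silently rebound to `b`, which is the "failure masked by weighted distribution" behaviour from the slide. Affinity is keyed on a session identifier the gateway already trusts, not on a client-chosen header, so a client cannot steer itself onto a chosen back end.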


Integration
Content-Based Routing
- Dynamically route based on any message content
  - Attributes such as the originating IP, requested URL, protocol headers, etc.
  - Data within the message such as SOAP headers, XML, non-XML content, etc.
- Query a repository for routing information
  - WebSphere Service Registry & Repository, XML files, databases, web servers
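Content-based routing over the attributes listed above (originating IP, URL, a protocol header and the first SOAP Body element), as an added example in plain Python. This is not DataPower code: the backend names, the internal address range, the routing rules and the sample SOAP message are all constructed for illustration.

```python
"""Content-based router over transport attributes and SOAP body content
(added example, not DataPower code)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY = 64 * 1024  # size limit applied before any parsing happens


@dataclass
class Request:
    client_ip: str  # transport peer address, never taken from a header
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_soap(body: bytes) -> Optional[ET.Element]:
    """Return the SOAP Envelope element, or None if the body is not SOAP."""
    if len(body) > MAX_BODY:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if root.tag == f"{{{SOAP_NS}}}Envelope" else None


def soap_operation(env: Optional[ET.Element]) -> Optional[str]:
    """Local name of the first child of SOAP Body, e.g. 'GetClaim'."""
    if env is None:
        return None
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return None
    return body[0].tag.split("}")[-1]


@dataclass
class Route:
    name: str
    match: Callable[[Request, Optional[ET.Element]], bool]
    backend: str


ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range

# Rules in priority order.  Each rule selects a fixed backend string; no part
# of the backend address is built from message content, so a client cannot
# steer a request to an arbitrary host by editing the payload.
ROUTES: List[Route] = [
    Route("admin-from-internal",
          lambda r, e: ipaddress.ip_address(r.client_ip) in ADMIN_NET
          and r.url.startswith("/admin/"),
          "https://admin.internal.example/"),
    Route("claims-soap",
          lambda r, e: soap_operation(e) in {"GetClaim", "SubmitClaim"},
          "https://claims.internal.example/soap"),
    Route("legacy-text",
          lambda r, e: r.headers.get("content-type", "").startswith("text/plain"),
          "https://legacy.internal.example/"),
]


def route(req: Request, routes: List[Route] = ROUTES) -> Optional[str]:
    """First matching rule wins; None means no route, which the caller rejects."""
    env = parse_soap(req.body)
    for rule in routes:
        if rule.match(req, env):
            return rule.backend
    return None


# Constructed sample SOAP request for the demonstration.
SAMPLE_SOAP = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><GetClaim xmlns="urn:example:claims"><id>42</id></GetClaim></soapenv:Body>
</soapenv:Envelope>"""
```

Two points the rules illustrate: the admin route keys on the transport peer address, not on a forwarded-for header a client can set, and an unmatched request yields no backend rather than a fallback, so a message that does not fit any rule is rejected instead of being passed on. Parsing is gated by a size limit; in front of a real back end the XML threat protection the deck describes elsewhere would run before this step.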

[Diagram, not reproduced: unclassified requests routed to service providers.]

Any-To-Any Message Transformation
- Transform the message format with ultimate flexibility
  - Leverage WebSphere Transformation Extender for data mapping (maps are built in WebSphere TX Design Studio)

[Diagram, not reproduced: an input message (XML, text or binary) transformed to an output message (XML, text or binary).]

Integration
Transport Protocol Translation
- Integrate disparate transport protocols with extreme ease
  - No dependencies between the inbound front side and the outbound back side
  - Examples: HTTP(S), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, TIBCO EMS, SFTP, FTP(S), NFS, IMS, database (DB2, Oracle, Sybase, SQL Server)
- Supports synchronous, asynchronous, pub-sub, assured-delivery and once-and-only-once message patterns

[Diagram, not reproduced: DataPower bridging WebSphere JMS, HTTP(S), WebSphere MQ and MQ FTE, TIBCO EMS, FTP(S) and SFTP, database (DB2, SQL Server, Oracle, Sybase), IMS and NFS.]


IMS Integration
Web Services Security and Management for IMS Web Services
- Content-based message routing
- Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
- XML/SOAP firewall
- Data validation
- Field-level security
- XML Web services access control/AAA
- Web services management

[Diagram, not reproduced: SOAP/HTTP client to DataPower, then SOAP/HTTP to either the IMS SOAP Gateway or WAS with the IMS connector.]

IMS Integration
Web Services Enablement for IMS-based Services
- DataPower provides WS-enablement to IMS applications
- User codes a schema-dependent WTX data map to perform request/response mapping
- Requires WebSphere MQ for z/OS
  - MQ bridge to access IMS
  - MQ connectivity is embedded in DataPower

[Diagram, not reproduced: SOAP/HTTP client to DataPower, CCB/MQ to the MQ server, MQ-IMS bridge through OTMA to the IMS application.]

IMS Integration
Web Services Enablement for IMS-based Services (cont'd)
- DataPower provides WS-enablement to IMS applications
- User codes a schema-dependent WTX data map to perform request/response mapping
- IMS Connect Client (back-side handler) natively connects to IMS Connect using its custom request/response protocol

[Diagram, not reproduced: SOAP/HTTP client to DataPower, CCB/TCP to IMS Connect (user exit, e.g. HWSSMPL0), OTMA to IMS applications Appl1 to Appl6.]

IMS Integration
IMS Connect Reverse Proxy
- Bring DataPower value-add to standard IMS Connect usage patterns
- Provide an IMS Connect Client on DataPower that natively connects to IMS Connect
- Provide an IMS Connect Server on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
  - Enables authentication checks, authorization, logging, SLM, transformation, routing, DB look-up, SSL offload, etc.

[Diagram, not reproduced: IMS Connect TCP client to DataPower, CCB/TCP to IMS Connect (user exit, e.g. HWSSMPL0), OTMA to IMS applications Appl1 to Appl6.]

DB2 Integration
Information as a Service
- DataPower provides a standard WS façade to DB2
  - A common tool (IBM Data Studio 1.2+) generates the WSDL and data mapping for both the Data Web Services runtime and DataPower
  - The SOAP call is mapped to an ODBC (DRDA) invocation
- Exposes database content (information) as a service
- Leverages the extensive Web services security and management capabilities of DataPower to more securely expose critical data to the enterprise

[Diagram, not reproduced: SOAP/HTTP client to DataPower, DRDA to DB2.]

CICS Integration
Web Services Security and Management for CICS Web Services
- Content-based message routing
- Protocol bridging (HTTP, MQ, JMS, FTP, etc.)
- XML/SOAP firewall
- Data validation
- Field-level security
- XML Web services access control/AAA
- Web services management
- Support for CICS ID propagation

[Diagram, not reproduced: SOAP/HTTP client to DataPower, then SOAP/HTTP to either CICS Web Services or WAS with the CICS connector.]

CICS Integration
Web Services Enablement for CICS Applications
- DataPower provides WS-enablement to CICS applications
- User codes a schema-dependent WTX data map to perform request/response mapping
- Requires WebSphere MQ for z/OS
  - MQ bridge to access CICS
  - MQ connectivity is embedded in DataPower

[Diagram, not reproduced: SOAP/HTTP client to DataPower, CCB/MQ to the MQ server, MQ-CICS bridge to the CICS application.]


Web Services bridged to AS2 File Transfer Pattern

[Diagram, not reproduced. Components: Partner A WS client (SOAP); Internet; Partner B B2B Hub (XB62) with Web Service Proxy, Web Service Process (pre-process), B2B Gateway Service exchanging AS2 and flat files, Data Store, Transaction Viewer and Browser.]

Note: A Multi-Protocol Gateway Service can also be used to support this flow, as well as receiving and sending data over any of the 16 supported protocol handlers. When services are tied together in front of or behind a B2B Gateway Service they are handled like pre- and post-processes.

MQ FTE Integration Pattern: Inbound File to Message

[Diagram, not reproduced. Components: trading partner on the Internet; enterprise XB62 with B2B Gateway Service, profile management, data store, queue manager and Transaction Viewer; MQ FTE network with source agent, target agent, queue managers and a DB2 or Oracle logger database; MQ Explorer; enterprise applications; browsers for the admin, partner view and LOB user.]

ebXML with CPPA Pattern

[Diagram, not reproduced. Components: external partners on the public network exchanging ebMS (ebXML) messages and ebMS acknowledgements over the Internet with the B2B Gateway Service of the WebSphere DataPower B2B Appliance in the DMZ; in the secured network, internal and external partner profiles with their collaboration entries, each keyed by CPAId / Collaboration from the ebXML Collaboration Protocol Profile and Agreement (CPPA); applications; Transaction Viewer and browser.]

Health Level 7 3.x to 2.x Transform Pattern

[Diagram, not reproduced: Partner B (Hospital) sends HL7 V3 as AS2 over the Internet to the B2B Hub of Partner A (Regional Healthcare Center); the AS2 process returns an AS2 MDN, and the B2B Gateway Service, using the external (Hospital) and internal (Regional Center) profiles, validates the XML and transforms HL7 V3.x to any V2.x format for delivery over any transport to the healthcare applications; transactions appear in the Transaction Viewer.]

Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack

[Diagram, not reproduced: a trading partner exchanges AS2 (HL7) and AS2 (MDN) over the Internet with the healthcare provider's XB62 B2B Gateway Service (profile management, data store, Transaction Viewer, admin and partner-view browsers); the gateway hands HL7 over WebSphere MQ and XML/HTTP to the WebSphere Healthcare Connectivity Pack, which reaches the clinical trials, billing, pharmacy and patient administration systems over HL7/MLLP.]
