1. © 2015 IBM Corporation
IBM DataPower Gateway
Common Use Cases
Ozair Sheikh, Senior Product Manager
IBM DataPower Gateways
Arif Siddiqui, Principal Product Manager – Strategic Initiatives
IBM DataPower Gateways & API Economy
2.
Agenda
DataPower Gateway Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B
3.
DataPower Gateways …
IBM DataPower Gateways provide a low startup cost,
helping clients increase ROI and reduce TCO with
specialized, consumable, dedicated gateway appliances that
combine superior performance and hardened security in
physical and virtual form factors
INTEGRATE Systems of Engagement with Systems of Record
CONTROL & MANAGE Traffic and Service Level Agreements
SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
OPTIMIZE Data Delivery and User Experiences
CONSOLIDATE & Simplify Infrastructure Footprint
4.
Gateway for the Multi-channel Enterprise
Single security and integration gateway platform to provide security, integration, control & optimized access to a full range of Mobile, API, Web, SOA, B2B, & Cloud workloads
IBM DataPower Gateway
• Mobile: Simplify mobile security with single, purpose-built gateway; control mobile traffic and accelerate delivery
• Web: Simplify web security with single, purpose-built gateway; control traffic and accelerate delivery for intranet and internet web applications
• Cloud: DataPower gateway functionality in a virtual appliance form factor, supports multiple hypervisor & cloud environments
• API: Easily secure, control, publish, monitor & manage your APIs
• SOA: Secure, integrate, control & manage SOA workloads in the DMZ and Trusted zones
• B2B: Extend Connectivity & Integration beyond the enterprise with DMZ-ready B2B edge capabilities
5.
IBM DataPower Gateway Appliances are the industry-leading
Security & Integration gateways that help provide security, integration, control
and optimized access to a full range of
Mobile, Web, API, SOA, B2B, & Cloud workloads
Common Use Cases
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 ESB / Integration Gateway
7 Internal Security Enforcement
8 Web Services Governance & Management
9 Legacy Integration
[Diagram labels: Internet, DMZ, Trusted Domain; Consumer, Trading partners; DataPower Gateway (two instances); Application or Service, Middleware, z System]
6.
Features
Simplify, offload & centralize critical functions
[Diagram labels: Before DataPower Gateway, After DataPower Gateway; Consumer; Secure, Control, Integrate, Optimize]
Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity
Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution
Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms
Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption
7.
DataPower Gateway: Single, modular & extensible platform
Modules
ISAM Proxy Module
• User access control, session management, web SSO enforcement
• Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn
• Integration with ISAM for Mobile
Application Optimization Module
• Frontend self-balancing
• Backend intelligent load distribution
• Session affinity
• z Sysplex Distributor integration
Integration Module
• Any-to-Any message transformation
• Database connectivity
• Mainframe IMS connectivity
B2B Module
• B2B DMZ gateway
• EDIINT AS1, AS2, AS3, ebXML
• Partner profile management
• B2B transaction viewer
• Any-to-Any message transformation
• Database connectivity
TIBCO EMS Module
• Integrate with TIBCO EMS messaging middleware
• Support for queues & topics
• Load balancing & fault-tolerance
IBM DataPower Gateway (Base), 2U Physical or Virtual Edition
Secure
• Authentication, authorization
• Security token translation
• Service / API virtualization
• Threat protection
• Message validation
• Message filtering
• Message digital signature
• Message encryption
• AV scanning integration
Integrate
• Transport protocol bridging
• Message enrichment
• Message transformation & processing using JavaScript, JSONiq, XQuery, XSLT
• Mainframe integration & enablement
• Flexible pipeline message processing engine
Control & Manage
• Service level management
• Quota & rate enforcement
• Content-based routing
• Message accounting
• Integration w/ management & visibility platforms including IBM API Management & WSRR for policy enforcement
Optimize & Offload
• SSL / TLS offload
• Hardware accelerated crypto*
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Local response caching
• Distributed caching with WXS or XC10
• Backend load balancing
8.
Deployment options
Physical
Purpose-built, DMZ-ready appliances provide physical security
• High density 2U rack-mount design
• 8 x 1 and 2 x 10 GbE ports
• Cryptographic acceleration card
• Trusted platform module
• Customized intrusion detection
• Optional HSM (FIPS 140-2 Level 3 certified)
Virtual
Virtual appliances provide deployment flexibility
• Support multiple hypervisors and cloud environments
− VMware
− Citrix XenServer
− IBM PureApplication System (x86 nodes)
− IBM PureApplication Service on SoftLayer (x86 nodes)
− IBM SoftLayer bare metal instances using supported hypervisors
9.
Purpose-built hardware provides physical security
• Sealed, tamper-evident case
• No usable USB, VGA, other ports
• Intrusion detection switch
• Trusted Platform Module
• Encrypted flash drive
• FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys
Hardened firmware provides platform security for physical & virtual gateways
• Single signed and encrypted firmware by IBM
• No arbitrary software
• Optimized, embedded operating system
• High assurance, “locked-down” configuration
• Key materials are not exportable from the appliance *
Enterprise grade security requires a secure platform
10.
Virtual Edition
DataPower gateway functionality in virtual appliance form
factor to rapidly secure, integrate, control & optimize
access to Mobile, API, Web, SOA & B2B workloads in
hypervisor & cloud platforms
Use for development, test or production
Supports multiple hypervisor & cloud platforms
VMware
Citrix XenServer
IBM PureApplication System W1500/W2500
IBM PureApplication Service on SoftLayer (x86)
IBM SoftLayer bare metal instances on x86 nodes
Seamless configuration migration between physical
and virtual appliances
Utilizes the same industry-proven & purpose-built
platform including an embedded, optimized DataPower
Operating System, that powers the physical appliances
x86
Server
Delivers purpose-built, highly
consumable Security &
Integration Gateway functionality
in virtual appliance form factor for
cloud deployments
11.
Virtual Edition Benefits
Deployment flexibility and elasticity – “Right size” the
deployment, quickly deploy where needed, & rapidly scale
Workload isolation - Projects can use their own instances
Unbounded memory scalability - Memory can be added
to instances without additional licensing
Low cost for Dev & Test environments - Developers &
Non-Production versions include add-on software modules at
no additional charge
Free disaster recovery - Warm or cold backup without
additional licenses when licensed for Production
Flexible licensing and entitlement
Sub-capacity licensing
Monthly licensing option
Entitlement to future product versions at no
additional charge with active maintenance (S&S)
12.
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Insurance
Government
Banking
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• Others
Many, many, more
• Majority of the big US and European
banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit
unions
DataPower Gateways
Over 14 years of innovation & over 2,000 global installations
13.
DataPower’ing IBM Bluemix!!!
• Security
• Control
• Filtering
• Content-Based Routing
• Load balancing
• Monitoring and Logging
[Diagram labels: Mobile client, Internet, Bluemix, Tooling, VM, Application Manager, App, Service, Open Stack, External Services]
Did you know?
DataPower has been trusted to be the exclusive gateway
for Bluemix, IBM’s global Platform as a Service
14.
Agenda
DataPower Gateway Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B
15.
Use Case: Security & Optimization Gateway
Securing the Enterprise & providing optimized access
16.
DataPower security roles and objectives
• Protect data and other resources on the appliance and protected servers
– System availability
• Protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network
• Only allow “valid” messages through
– Identification and Authentication
• Verify identity of network users
– Authorization
• Protect data and other system resources from unauthorized access
• Protect data in the network using cryptographic security protocols
– Data End Point Authentication
• Verify who the secure end point claims to be
– Data Origin Authentication
• Verify that data was originated by claimed sender
– Message Integrity
• Verify contents were unchanged in transit
– Data Confidentiality
• Conceal clear-text using encryption
[Diagram labels: Internet, DMZ, Intranet; Authentication, Authorization, User Federation; z/OS RACF for User I&A, Authorization, Cert/keys; Secure access to Web and legacy applications; Converged security enforcement; Rock-solid DataPower platform; Leverages enterprise security and policy managers]
17.
Silos of security & control are impeding business agility
[Diagram labels: Users (Partners, Developers, Consumers, Employees); Business Channels (Mobile, Web, B2B, SOA, APIs, Cloud); Security & Control Solutions (Mobile Gateway, Web Access Proxy, B2B Gateway, SOA Gateway, API Gateway, Cloud Gateway); Applications and Systems (Application, Service, ESB, Middleware, z System)]
18.
Reduce cost + improve security & control with a single gateway
[Diagram labels: Users (Partners, Developers, Consumers, Employees); Business Channels (Mobile, Web, B2B, SOA, APIs, Cloud); Security & Control Solutions (DataPower Gateway: Virtual appliance, Physical appliance); Applications and Systems (Application, Service, ESB, Middleware, z System)]
19.
IBM Multi-channel gateway
ISAM for DataPower module provides the reverse proxy component that provides enforcement for
• Centralized user authentication & coarse-grained authorization
• Session management, & web SSO
• Context based access & mobile SSO
• Strong authentication including one-time password and multi-factor authentication
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
New in V7.1
[Diagram labels: Web Browsers and Portals, Mobile Web, Web 2.0 (AJAX), Native Mobile, Hybrid Mobile, B2B, API, SOA (Web Services); IBM DataPower Gateway: App, Service & API security, Traffic control & optimization, Connectivity & transformation; ISAM Module: User access security]
20.
Security Gateway
Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (Schema validate)
• Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (Establish a new connection to pass results)
• Cache data on-box or in centralized, shared grid
[Diagram labels: Connection from client, New connection to target; Consumer, Provider, ACL, Virus Scanner; Web Service Request (Basic Auth, OAuth 2.0, WS-Security UNT, etc)]
[Diagram labels: Outside World, DMZ, Internal Network; Protocol Firewall, Domain Firewall; Internet (SaaS, Partner, Apps, Browsers); Security Gateway (Incoming access control; Threat protection); Internal Security Gateway and Internal Consumer (Outgoing access control; SAML injection etc; Web Service Request with SAML, LTPA, Kerberos); ESB, Packaged Apps, Proprietary Apps, Data; traffic: HTTP(s); HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-Security Policy, WS-Trust, SAML, OAuth 2.0; ACL: Tivoli (TAM), MS Active Directory, Any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other)]
21.
Protection of data plus XML & JSON threat protection
Use DataPower to help resolve PCI compliance issues
Easily sign, verify, encrypt, decrypt any content
Configurable XML Encryption and Digital Signatures
– Message-level, Field-level, Headers
Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
Use WS-SecurityPolicy to define security requirements for your web services
– DataPower natively consumes and enforces WS-SecurityPolicy statements
• Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
Use XACML to define access and authorization policies for your web services
– DataPower natively consumes and enforces XACML policies
• Resource-based Authorization
• PEP, PDP
DataPower security is policy driven
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
JSON Threat Protection
• Label - Value Pairs
‒ Label String Length (characters)
‒ Value String Length (characters)
‒ Number Length (characters)
• Threat Protection
‒ Maximum nesting depth (levels)
‒ Maximum document size (bytes)
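The JSON limits listed above, enforced in one pass over the raw text before the document is handed to a parser. This is an added example in plain JavaScript, not DataPower code or configuration; the function names, limit names and limit values are assumptions chosen for illustration.

```javascript
// Added example: enforce JSON threat-protection limits on the raw request body.
// Limit names and values are illustrative assumptions, not DataPower defaults.
const SAMPLE_LIMITS = {
  maxDocumentBytes: 4096, // maximum document size (bytes)
  maxNestingDepth: 8,     // maximum nesting depth (levels)
  maxLabelLength: 32,     // label string length (characters)
  maxValueLength: 256,    // value string length (characters)
  maxNumberLength: 16,    // number length (characters)
};

function violation(rule, observed, limit) {
  return { ok: false, rule, observed, limit };
}

function checkJsonThreats(raw, limits = SAMPLE_LIMITS) {
  // Size is checked first, on the UTF-8 byte count, before any scanning.
  const bytes = new TextEncoder().encode(raw).length;
  if (bytes > limits.maxDocumentBytes) {
    return violation('document-size', bytes, limits.maxDocumentBytes);
  }

  let depth = 0;
  let i = 0;
  while (i < raw.length) {
    const ch = raw[i];
    if (ch === '{' || ch === '[') {
      depth += 1;
      if (depth > limits.maxNestingDepth) {
        return violation('nesting-depth', depth, limits.maxNestingDepth);
      }
      i += 1;
    } else if (ch === '}' || ch === ']') {
      depth -= 1;
      i += 1;
    } else if (ch === '"') {
      // Walk to the closing quote; an escape sequence counts as one character.
      let j = i + 1;
      let length = 0;
      while (j < raw.length && raw[j] !== '"') {
        j += raw[j] === '\\' ? (raw[j + 1] === 'u' ? 6 : 2) : 1;
        length += 1;
      }
      if (j >= raw.length) return violation('malformed', 'unterminated string', null);
      // A string followed by ':' is a label (member name); otherwise a value.
      let k = j + 1;
      while (k < raw.length && ' \t\r\n'.includes(raw[k])) k += 1;
      const isLabel = raw[k] === ':';
      const limit = isLabel ? limits.maxLabelLength : limits.maxValueLength;
      if (length > limit) {
        return violation(isLabel ? 'label-length' : 'value-length', length, limit);
      }
      i = j + 1;
    } else if (ch === '-' || (ch >= '0' && ch <= '9')) {
      // Number length is measured on the lexeme as sent, which JSON.parse would lose.
      let j = i + 1;
      while (j < raw.length && '0123456789+-.eE'.includes(raw[j])) j += 1;
      if (j - i > limits.maxNumberLength) {
        return violation('number-length', j - i, limits.maxNumberLength);
      }
      i = j;
    } else {
      i += 1; // whitespace, punctuation, true/false/null
    }
  }

  // Only a document that passed every limit reaches the real parser.
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (err) {
    return violation('malformed', err.message, null);
  }
}
```

Because the limits are checked on the raw text, an oversized or deeply nested document is rejected before any object tree is allocated for it.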
22.
AAA: Authentication, Authorization, Auditing
[Diagram: AAA processing steps from input to output]
Extract Identity
• HTTP Headers
• WS-Security Tokens
• WS-SecureConversation
• WS-Trust
• Kerberos
• X.509/SSL
• SAML Assertion
• IP Address
• LTPA Token
• HTML Form
• OAuth
• Custom
Authenticate
• LDAP/Active Directory
• System/z NSS (RACF, SAF)
• IBM Security Access Manager
• Kerberos
• WS-Trust
• Netegrity SiteMinder
• RADIUS
• SAML
• LTPA
• Verify Signature
• Custom
Map Identity
Extract Resource
• URL
• XPath
• SOAP Operation
• HTTP Operation
• Custom
Map Resource
Authorize
• LDAP/ActiveDirectory
• System/z NSS
• IBM Security Access Manager
• Netegrity SiteMinder
• SAML
• XACML
• OAuth
• Custom
Audit & Post-Process
• Add WS-Security
• Generate z/OS ICRX Token
• Generate Kerberos
• Generate SPNEGO
• Generate SAML
• Generate LTPA
• Map Tivoli Federated Identity
External Access Control Server or Onboard Identity Management Store
23.
Integration with QRadar Security Intelligence Platform
Enhance security intelligence and compliance through integration with QRadar security information and event management (SIEM) platform
Coming soon: Device Support Module (DSM) for DataPower Gateways to parse event information
[Diagram labels: User, Client, DataPower, Provider, QRadar SIEM]
24.
Traffic Control / Rate Limiting
Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
– Frequency based on concurrency OR based on messages per time period
– Take action when exceeding a custom threshold:
• Notify (or log), Shape (or delay), Throttle (or reject)
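The three threshold actions named on this slide, applied to a messages-per-interval counter kept per consumer. This is an added example in plain JavaScript, not DataPower's SLM implementation; createSlmMonitor, its option names and the sample thresholds are assumptions, and the concurrency-based variant is not shown.

```javascript
// Added example: messages-per-interval monitor with the three threshold actions.
// createSlmMonitor and its option names are hypothetical, not a DataPower API.
const ACTIONS = ['notify', 'shape', 'throttle'];

function createSlmMonitor({ threshold, intervalMs, action }) {
  if (!ACTIONS.includes(action)) throw new Error('unknown action: ' + action);
  const state = new Map(); // consumer key -> { start, count }
  const notices = [];      // what a "notify" policy would send to the log

  function check(key, nowMs) {
    let s = state.get(key);
    if (!s) {
      s = { start: nowMs, count: 0 };
      state.set(key, s);
    }
    // Roll the window forward. Shaped (delayed) messages stay counted against
    // the later intervals they were pushed into; other actions start from zero.
    const elapsed = Math.floor((nowMs - s.start) / intervalMs);
    if (elapsed > 0) {
      s.count = action === 'shape' ? Math.max(0, s.count - elapsed * threshold) : 0;
      s.start += elapsed * intervalMs;
    }

    if (s.count < threshold) {
      s.count += 1;
      return { decision: 'allow', delayMs: 0 };
    }
    if (action === 'throttle') {
      // Rejected messages never reach the back end, so they are not counted.
      return { decision: 'reject', delayMs: 0 };
    }
    s.count += 1;
    if (action === 'notify') {
      notices.push({ key, atMs: nowMs, count: s.count, threshold });
      return { decision: 'allow', delayMs: 0 };
    }
    // shape: release in the first later interval that still has capacity.
    const slot = Math.floor((s.count - 1) / threshold);
    return { decision: 'delay', delayMs: s.start + slot * intervalMs - nowMs };
  }

  return { check, notices };
}

// Constructed traffic: three messages from one consumer inside one second,
// against a threshold of two messages per 1000 ms.
function replay(action) {
  const slm = createSlmMonitor({ threshold: 2, intervalMs: 1000, action });
  const decisions = [0, 100, 200].map((t) => slm.check('consumer-a', t));
  return { decisions, notices: slm.notices };
}
```

Timestamps are passed in rather than read from a clock, so the same policy can be replayed over recorded traffic when tuning a threshold.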
25.
Retail Service Provider
Securely expose services to consumers
Solution
Implemented WebSphere DataPower to form the Web
services backbone
Through content-based routing, security policy
enforcement & data encryption, DataPower ensures safe
& efficient flow of confidential customer data
Integrated seamlessly into heterogeneous environment
increasing interoperability & promoting reuse
Benefits
Secure SOA on standards-based platform
Easily reuse Web services throughout enterprise
Boosts productivity of IT staff
Substantially shorten time to market for new services
Challenge
Consistent & secure delivery of online services to
partners that could be shared, integrated & flexible to
meet specific needs
Web services infrastructure needed to support highly
secure data routing with daily high volume & sensitive
nature of information
26.
Self Balancing: Self balance across a cluster of appliances
Replace front-end IP load balancer
Enables connections to be preserved, without loss, during failover scenario
Dynamic and Intelligent Load Distribution to backend systems
Replace backend load balancer
Auto-discovers application targets and distributes load using dynamic feedback mechanism
Topology learning for WAS ND and VE
Embedded On Demand Router for WAS ND environments
Provides several options for enabling Session Affinity
Cache application response data locally or in a caching grid (IBM WXS or XC10)
Application Optimization
[Diagram callouts: DataPower; Front-end IP load balancers not needed; Self balancing (IP spraying); Built-in cache; Dynamic back-side routing and load distribution (leveraging dynamic information from back-ends); Failure of target application endpoints are masked by appropriate weighted distribution]
27.
Application Optimization Example
Scenario
– JSON REST app to-do list
Issues
– High server load
– Slow response time
{ "Task" : "AddEntry",
"Detail": "Create presentation materials." }
[Diagram labels: User (Public), WAS Application (Enterprise); High Load, Slow Response (>10s)]
Improve Server Load with SSL Offload
1. Client requests are secured via DP SSL concentrator
[Diagram labels: User (Public), DataPower (DMZ), WAS Application (Data Center); Improved Load]
28.
Application Optimization Example
Manage Traffic with Application Fluency
2. DataPower enables application aware traffic management
PUT /joe/todos HTTP/1.1
Host: joe.org
Content-Type: application/json
Content-Length: 69

{ "Task" : "AddEntry",
"Detail": "Waste time." }
[Diagram labels: User, DataPower, WAS Application; Improved Load]
Distribute Load Intelligently
3. Application Optimization effects load distribution intelligence
Leverage dynamic runtime conditions to distribute based on topology & workload
[Diagram labels: User, DataPower, WAS Application; Improved Load, Improved Response Time]
29.
Application Optimization Example
Cache at the edge(s)
4. Results are cached at the edge using IBM WXS or XC10 caching grid OR locally on-box
• Faster application response time
• Lower server load
• Improved system throughput
[Diagram labels: User, REST, DataPower, WXS or XC10, WAS Application; Low Load, Fast Response]
30.
Using IBM WXS or XC10 As a Side Cache For DataPower
1. Client submits application request.
2. DataPower XI parses request and queries WXS / XC10. On a hit, skip to step 5.
3. On a miss, XI forwards request to target Provider.
4. XI adds application response to WXS / XC10.
5. Client receives response from XI.
Easily integrates into the existing business process
– No code changes to the client or back-end application
– Simply add the side cache mediation
Significantly reduces the load on the back-end system by eliminating redundant requests
Improve client observed response time
[Diagram labels: User, Client, REST, DataPower XI Appliances, WXS or XC10, Provider; Large Response Time; Improved Load, Improved Response Time]
31.
DataPower Gateway + XC10: Travel and Transportation
Online Reservations Reservations System
– Before: 3-5 sec response time
– After: .01 -.05 sec response time
– Caching service requests
– Improved the average response time of the Global
Distribution System requests for Fare Availability and
Category Availability
– 52% caching rate
– 10 minute cache resulted in 40% reduction in load on the
back-end systems
– Maintained high data integrity. Faster responses were
also accurate
– POC in 3.5 hrs
100x
performance
improvement
Improved reliability and scalability of reservation channels
Reduced traffic to backend systems
Deliver high performance & consistent response times
Scale with simplicity and lower TCO
32.
Agenda
DataPower Gateway Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B
33.
Use Case: Mobile Connectivity
Securely & Rapidly connect Mobile Apps with
Enterprise Services
34.
Key Mobile-specific Application & API issues?
• Secure: How to protect your back-end systems from harmful workloads and unauthorized mobile users & apps?
• Control: How to limit & shape mobile traffic based on service level agreements, and route based on message content?
• Integrate: How to convert mobile payloads, bridge transports and connect to existing services at wire-speed?
• Optimize: How to improve response time, reduce load on backend systems and intelligently distribute load?
35.
SSL Offload
Threat Protection
Rate Limiting / SLA Enforcement
Validation, Filtering
Authentication
Authorization
Context-based Access
Mobile SSO
Security Token Translation
Message Transformation
Content-Based Routing
Intelligent Load Distribution
Response Caching
Middleware / ESB,
Legacy Apps
Apps, Services
Rapidly Connect Mobile Apps with Enterprise Services
Securely expose enterprise data & APIs to Mobile Apps while optimizing delivery
IBM DataPower Gateway
ISAM Module
Native, Hybrid,
Mobile Web
36.
• DataPower appliance with ISAM module for security enforcement, traffic control &
management, application acceleration, transport bridging & message transformation
• ISAM for Mobile as decision point for context based access (CBA), mobile SSO, strong
authentication including one-time password (OTP) & multi-factor authentication (MFA)
Mobile Gateway solution for on-premise and cloud
ISAM for
Mobile
Rapidly deliver secure integration & optimized access for enterprise mobile applications
DataPower Gateway
(Security Enforcement Point)
ISAM Module
Apps, Services,
Middleware,
(Security Decision Point)
z System
37.
Closer look at some Mobile Connectivity scenarios
REST Service Gateway for Mobile Apps
[Diagram labels: Mobile Consumer; REST, JSON or XML / HTTP(s); IBM DataPower Gateway (REST Proxy); JSON / XML / SOAP; Provider]
SSL offload
Enforcement point for centralized security policies
– Authentication, Authorization, OAuth 2.0, Audit
– Threat protection for XML and JSON
– Message validation and filtering
Centralized management and monitoring point
– Traffic control / Rate limiting
Routing / Intelligent load distribution to Provider
RESTful façade to non-REST Provider
Application Acceleration for Mobile Apps
[Diagram labels: Mobile Consumer; HTTP(s) GET, JSON or HTML/XHTML; IBM DataPower Gateway; HTTP(s) GET, XML; Provider]
Offload heavy lifting of message transformation from the Provider
Transform to a format best suited for the requesting Mobile App
– JSON for native/hybrid app
– HTML/XHTML for browser based
Cache response data from Provider
– Locally on the appliance
– Externally to elastic caching XC10
38. Sportsbet leverages IBM DataPower appliances to drive
mobile business growth
Challenges
Business
-Increase demand for mobile services while bolstering
security & cost optimization
IT
- Securely integrate mobile apps with e-commerce
platform & APIs to address performance, capacity
management & decoupling front-end apps from back-end
business logic
Solution
IBM DataPower appliance XG45 as a
mobile security & integration gateway
Benefits
Time to value
- Rapid implementation enabled the business to quickly
integrate the middle layer in just 2 weeks vs. 2 months with a
competitor’s product
Performance
- Processed ~4000 transactions per minute increasing
performance 4X
Security & Agility
- Separation of concern between consumer applications &
core e-commerce system, through security, translation &
transformation logic in the gateway
“DataPower forms our mobile middle layer & our API infrastructure for all future consumer apps”
- Enterprise Architecture Manager, Sportsbet
39. Sprint leverages IBM DataPower appliances to rapidly &
securely grow mobile revenue
Challenges
Business
- Grow mobile revenue while protecting
customer privacy and optimizing costs
IT
- Integrate mobile devices, addressing security,
speed, scalability and optimization of demand
on existing application infrastructure
Benefits
Time to value
- Drop-in rack-ready solution for rapid deployment
enables the business to quickly launch a new mobile
device within a month
Scale on demand
- 50 billion transactions/month for external ad gateway
- 1 billion transactions/month for internal users
Solution
- IBM DataPower Integration Appliance XI52 as a
security & integration gateway for external and
internal use
- IBM DataPower Caching Appliance XC10 as a
side cache to increase customer responsiveness
40.
Agenda
DataPower Gateway Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B
41.
Use Case: API Management
Securely & Rapidly Create, Socialize & Manage
Business APIs to engage with a Developer ecosystem
42.
IBM API Management: One Integrated Platform
design, secure, control, publish, monitor & manage APIs
Explore API documentation
Provision application keys
Self-service experience
Developer Portal API Manager Management Console
Define and manage APIs
Explore API usage with analytics
Manage API user communities
Provision system resources
Monitor runtime health
Scale the environment
API Gateway
(IBM DataPower)
Enforce runtime policies to control API traffic
43.
Consumer
(Systems of
Engagement)
Provider
(Systems of
Record)
API Management Solution
Partner App
Developer
API
API
API
API Gateway
(DataPower)
Developer Portal
Syndication
Creation & Assembly
Policy Management
Monitoring & Analytics
Security & Control
Lifecycle Mgmt & Governance
External App
Developer
Mobile & Web Apps
Internal App
Developer
API Management
App / API Provider,
Middleware, Datastore,
z System
On-premise
OR
Cloud
Business Partner Apps
Enterprise Internal Apps
44.
Business Challenge
Accelerate end-to-end mobile application development
Reduce time to configure and manage software, prepare test
environments
Enhanced analytics on the usage of their services
Increased performance to handle peak seasonal volumes
Solution
IBM API Management, DataPower, Worklight, PureSystems
Business Value
Enhanced user experience enabling quick access to customer
information using OAuth authentication replacing custom
security solution
Ability to access backend data through DataPower/API
Management using RESTful services
Easily handle traffic spikes, enabling easier capacity planning
Large Financial institution provides secure mobile
access to customer information
45.
Business Challenge
Difficult for internal partners and developers to
discover & access key financial services
Lacked a standard ecosystem to manage internal
partners including global credit card companies and
merchants
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Example Apps
Solution
IBM API Management & DataPower
Leading Global Commercial Bank provides easy & secure
access to key financial services
Business Value
Offers 3rd party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
46.
Business Challenge
External business partners retrieve flight information by
scraping the company’s website
Unauthorized access to full flight information, with no usage
analytics
Delays in updating website – difficult for authorized partner to
test changes
REST-based API had just been built but security was not in
place
Solution
IBM API Management & DataPower
Business Value
Easily and securely connect company Website to new APIs,
saving cost of building OAuth based secure access
Enable secure exposure of APIs to External Business
Partners, saving the implementation cost of building a
developer support infrastructure with access management
Ability to leverage existing investment in IBM DataPower
gateway and internal team skillset
Enable secure Mobile app integration with Enterprise APIs
Large Airline in North America provides authorized access to
flight services
47.
Leading European Auto Manufacturer provides innovative
vehicle connectivity with IBM API Management
Business Challenge
Offer innovative connectivity services to customers,
improve the driver experience, improve safety, and
create new revenue sources
Improve driving conditions with driver profiling,
eco-driving, fleet management, reduce accident
risk
Collect data to monetize them for partners
Solution
IBM API Management, DataPower & MessageSight
Business Value
“Always connected” low-latency reliable
communications with the car systems/apps and
customer mobile apps
Vehicle data APIs published on secure developer
portal
Internal & external developers use vehicle data to
develop mobile applications
Drives innovation for Mobile application development
48.
Business Challenge
Difficult for internal partners and developers to
discover & access key retail services
Leverage mobility as a revenue stream and manage
internal and external business partners
No visibility on Service consumption or ability to
chargeback for LoB use of Services
Solution
IBM API Management & DataPower
Business Value
Offers 3rd party merchants secure standards-based
access to key business services as APIs, with a
self-service experience
Provides an internal ecosystem for partners and a
central repository with usage analytics
Drives innovation for Mobile application
development
Leading Retailer in North America provides easy & secure
access to retail services
49.
Agenda
DataPower Gateway Overview
Security & Optimization Gateway
Mobile Connectivity
API Management
Integration
Mainframe Integration & Enablement
B2B
50.
Use Case: Enterprise Integration
Consumable integration solution for securely connecting
applications & services while optimizing delivery of workload
51.
Integration
Content-Based Routing
• Dynamically route based on any message content
– Attributes such as the originating IP, requested URL, protocol headers, etc.
– Data within the message such as SOAP Headers, XML, Non-XML content, etc.
• Query a repository for routing information
– WebSphere Service Registry & Repository, XML files, Databases, Web Servers
[Diagram labels: Unclassified Requests, Service Providers]
Any-To-Any Message Transformation
Transform the message format with ultimate flexibility
– Leverage WebSphere Transformation Extender for data mapping
[Diagram labels: Input Message (XML, text, binary), Output Message (XML, text, binary), WebSphere TX Design Studio]
52. © 2015 IBM Corporation52
Integration
Transport Protocol Translation
Integrate disparate transport protocols with extreme ease
– No dependencies between inbound “front-side” and outbound “back-side”
– Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco
EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only once
message patterns
[Diagram: transport protocols shown around the gateway: HTTP(s), FTP(s), SFTP, WebSphere MQ, MQ FTE, WebSphere JMS, Database (DB2, SQL Server, Oracle, Sybase), TIBCO EMS, IMS, NFS]
53. © 2015 IBM Corporation53
Integration
Message Format & Transport Protocol Mediation Example
[Diagram: Consumer, SOAP / HTTP(s), format & transport bridging, Cobol / MQ, MQ Queue Manager, Provider]
[Diagram: Outside World (Internet: SaaS, partner apps, browsers), DMZ and Internal Network zones with a protocol firewall and a domain firewall; DataPower Gateway in the DMZ and in an "Enhanced Security" zone; protocols shown: HTTP(s), FTP(s), SFTP (SSH), WMQ(s), WS JMS, TIBCO EMS, ODBC, HTTP, WMQ, IMS Connect, JMS, EMS, FTP, NFS; ACL, DB and LDAP; packaged apps, proprietary apps and data]
• Content based routing
• Message enrichment
• Message transformation
• Transport protocol translation
• AAA, Threat protection
• Message validation & filtering
• Traffic control / Rate limiting
Integration Scenario
• Intelligent content based routing
• Intelligent load distribution
• Local and distributed caching
54. © 2015 IBM Corporation54
Core Services
Core Data
UK Government Agency
Enables integration capabilities using DataPower
Solution
DataPower in key network zones within and outside of
the department
Thorough content-based validation, routing, and security
policy enforcement
Integrated seamlessly into heterogeneous environment
increasing interoperability & promoting reuse
Benefits
Ease of integration
Security assurance of the architecture
Secure SOA on standards-based platform
Consistent experience and policy for all users
Challenge
Data held in the back-end systems vital to delivering
citizen services, fraud detection across various layers of
the Governments across the EU
Vulnerable back-end services
Security
Capacity/ SLA
Consistent usability experience for internal or external
service consumers
[Diagram: Integration Layer; Government network; Other EU Countries; Other UK Departments; Internal Users]
55. © 2015 IBM Corporation5555
Security & Integration Scenario – Financial Firm
56. © 2015 IBM Corporation56
Centralized Service Governance & Policy Enforcement
Complete SOA Governance solution
– WSRR for web service life-cycle policy management
– DataPower for web service run-time policy enforcement
Use WebSphere Service Registry & Repository (WSRR) to store, publish, and
govern your web services
– DataPower can subscribe or poll web services information from WSRR
Automatically expose services and policies in DataPower via WSRR subscription
– Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment
– Retrieve WSDLs by specific version number
Dynamically retrieve run-time routing information from WSRR
[Diagram: messages between Consumer and Service pass through DataPower (Policy Enforcement Point); WSRR (Policy Administration Point), labelled "Discover Services & Policy"; ITCAM for SOA (Policy Monitoring Point), labelled "Monitor Services"]
Centralized transaction monitoring
– ITCAM for SOA
Support for UDDI v2 and v3 for UDDI
registries
58. © 2015 IBM Corporation58
Use Case: Mainframe integration & enablement
Offload processing for reduced MIPS
Web Services Enablement for IMS, CICS, DB2
59. © 2015 IBM Corporation59
Broad integration with System z
• Connect to existing applications over WebSphere MQ, HTTP
• Transform XML to/from COBOL Copybook for legacy needs
• Integrate with RACF security from DataPower AAA
• Dynamic crypto material retrieval & caching, or offload crypto ops to z
• Connect to IMS
– Via IMS Connect client
– Via Web Services
– Via WebSphere MQ
– Via IMS DB
– Connect from IMS via “Callout”
• Connect to CICS
– Via WebSphere MQ
– Via Web Service
• Connect to DB2
– Via Web Service
– Via direct ODBC call with ODBC Client option
[Diagram: Client, SOAP/HTTP, DataPower, IMS SOAP Gateway, WAS + IMS connector, CCB / MQ, MQ server, MQ bridge, OTMA, IMS application, DRDA, DB2]
60. © 2015 IBM Corporation60
Enhanced value for System z & IMS
• IMS Callout feature allows IMS transactions to easily consume external web
services via DataPower, with minimal application updates required
• IMS DB feature supports DataPower integration
with IMS database through SQL interface
‒ Enrich messages with database content
‒ Expose data as a service to remote applications
[Diagram, IMS DB: Client, SOAP / REST, DataPower, DRDA, IMS]
[Diagram, IMS Callout: Service Consumer (App1, App2 in IMS), OTMA, IMS Connect, TCP/IP, DataPower, SOAP / REST, Service Provider]
61. © 2015 IBM Corporation61
Core banking platform on Z
An Irish Bank
Enabling retail banking
Solution
DataPower in trusted network exposed services for
XML/ HTTP(S) and protocol bridging to WebSphere MQ
Message validation and transformation using
WebSphere Transformation Extender (WTX)
Benefits
Retail application acceleration through transformations
and caching
Optimized platform for handling, parsing and processing
payloads
Challenge
Retail application contained 7000 screens; slow
response times over dedicated proprietary network.
Cost of processing XML on the mainframe.
Message transformation needed before the core
banking platform could process requests.
[Diagram: Branch Application (web based), Branch Network, DataPower, message queues (Q)]
62. © 2015 IBM Corporation62
Customer & Product related
application and systems on Z
High Street Clothing and Fashion Accessories Retailer
Increase customer interaction and loyalty
Solution
DataPower acted as a reverse proxy for:
Outbound messages via a service provider
Inbound customer updates/ delivery notifications
Transform SOAP/ XML payload to COBOL copybook
messages for CICS application
Benefits
Create customer interaction and value through innovative
business strategy.
Integrate various suppliers using standards based
interfaces securely.
Graphical configuration driven appliance; short learning
curve
Challenge
Highly competitive industry; first mover advantage
Weak customer loyalty
Multi channel customer experience
Complex supply chain and service providers
[Diagram: Open Internet, DataPower, message queues (Q)]
63. © 2015 IBM Corporation63
IMS Integration
Web Services Security and Management for IMS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
[Diagram: Client, SOAP / REST, DataPower, SOAP/HTTP, IMS SOAP Gateway, WAS + IMS connector]
64. © 2015 IBM Corporation64
IMS Integration
Web Services Enablement for IMS-based Services
DataPower provides WS-enablement to IMS applications
User codes schema-dependent WTX data map to perform
request/response mapping
Requires WebSphere MQ for z/OS
– MQ bridge to access IMS
– MQ connectivity is embedded in DataPower
[Diagram: Client, SOAP / REST, DataPower, CCB / MQ, MQ server, MQ bridge, OTMA, IMS application]
65. © 2015 IBM Corporation65
IMS Integration
Web Services Enablement for IMS-based Services (cont’d)
DataPower provides WS-enablement to IMS applications
User codes schema-dependent WTX data map to perform
request/response mapping
“IMS Connect Client” (back-side handler) natively connects to IMS
Connect using its custom request/response protocol
[Diagram: Client, SOAP / REST, DataPower, CCB / TCP, IMS Connect with user exit (e.g. HWSSMPL0), two IMS systems with OTMA running Appl1 to Appl3 and Appl4 to Appl6]
66. © 2015 IBM Corporation66
IMS Integration
IMS Connect Reverse Proxy
Bring DataPower value add to standard IMS Connect usage patterns
Provide an “IMS Connect Client” on DataPower that natively connects to
IMS Connect
Provide an “IMS Connect Server” on DataPower that accepts IMS Connect
client connections and provides an intermediation framework that
leverages DataPower
– Enables authentication checks, authorization, logging, SLM,
transformation, route, DB look-up, SSL offload, etc.
[Diagram: Client, IMS Connect TCP, DataPower, CCB / TCP, IMS Connect with user exit (e.g. HWSSMPL0), two IMS systems with OTMA running Appl1 to Appl3 and Appl4 to Appl6]
67. © 2015 IBM Corporation67
DB2 Integration
“Information as a Service”
DataPower provides a standard WS façade to DB2
– Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both Data Web
Services runtime and DataPower
– SOAP call is mapped to an ODBC (DRDA) invocation
Exposes database content (information) as a service
Leverages extensive Web Services security and management capabilities of
DataPower to more securely expose critical data to the enterprise
[Diagram: Client, SOAP / REST, DataPower, DRDA, DB2]
68. © 2015 IBM Corporation68
CICS Integration
Web Services Security and Management for CICS Web Services
• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
• Support CICS ID propagation
[Diagram: Client, SOAP / REST, DataPower, SOAP/HTTP, CICS Web Services, WAS + CICS connector]
69. © 2015 IBM Corporation69
CICS Integration
Web Services Enablement for CICS Applications
DataPower provides WS-enablement to CICS applications
User codes schema-dependent WTX data map to perform
request/response mapping
Requires WebSphere MQ for z/OS
– MQ bridge to access CICS
– MQ connectivity is embedded in DataPower
[Diagram: Client, SOAP / REST, DataPower, CCB / MQ, MQ server, CICS bridge, CICS application]
71. © 2015 IBM Corporation71
Use Case: B2B integration
Extend integration beyond the enterprise
to partner community
72. © 2015 IBM Corporation72
DataPower B2B Functionality
Extend beyond the enterprise to integrate with partners
• B2B Gateway Service
– AS1, AS2, AS3 and ebMS v2.0
– Plaintext email support
– EDI, XML and Binary Payload routing
– Front Side Protocol Handlers
– Hard Drive Archive/Purge policy
– CPA and Partner Profile Associations
– MQ File Transfer Edition integration
• Trading Partner Profiles
– Two Types – Internal and External
– ebXML CPPA v2.0
– Multiple Business IDs
– Multiple Destinations (URL Openers)
– Certificate Management (S/MIME Security)
– Multi-step processing policy
• B2B Viewer
– B2B transaction viewing
– MQ FTE transaction viewing
– Transaction resend capabilities
– Transaction and Acknowledgement correlation
– Role based access
• Persistent Storage
– AES Encrypted B2B document storage
– Option for Off-Box Storage (NFS)
• Transaction Store
– B2B metadata storage
– B2B state management
[Diagram: DataPower B2B Gateway Service with partner connection front side handlers, integration front side handlers, internal partner destinations, external partner destinations, partner profiles, B2B Viewer, metadata store (DB) and document store (HDD)]
73. © 2015 IBM Corporation73
UK Logistics and Distribution
Benefits
Create customer interaction and value through innovative business strategy.
Integrate various suppliers using standards based interfaces securely.
Graphical configuration driven appliance; short learning curve
Challenge
AS2, File and Web Services based interfaces to 100s of B2B customers.
Messages are exchanged at least once a day
Secure proxy solution in the DMZ
Complex incumbent supplier chain
74. © 2015 IBM Corporation74
Health Insurance Provider
Smarter Business Outcomes:
Reliable and secure routing of customer sensitive data
Easy to use and maintain; no additional skill needed
XML Messages with attachments are authenticated, authorized,
and virus scanned
Industry Pains:
HIPAA Security requirements
for transporting data over the
Internet
HL7 v3.0 XML threat protection
Complexity of B2B for
healthcare
Secure appliance form factor providing secure connections to trading
partners, advanced threat protection and reliable file delivery of
confidential medical information
Value of DataPower B2B Appliances for Extending Connectivity?
75. © 2015 IBM Corporation75
EDIINT Flow: Simple AS2 transaction flow with Transform
[Diagram: Partner A and Partner B connected over the Internet; labels: application, browser, EDI, XML, AS2 (EDI), AS2 (MDN), B2B Hub, AS2 process, XB62, B2B Gateway Service, Transaction Viewer, data store; flow steps 1, 2, 3a, 3b, 4, 5]
Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.
76. © 2015 IBM Corporation76
Web Services bridged to AS2 File Transfer Pattern
[Diagram: Partner A and Partner B connected over the Internet; labels: WS client, browser, flat, SOAP, B2B Hub, web service process, XB62, Web Service Proxy, B2B Gateway Service, AS2, pre-process, Transaction Viewer, data store; flow steps 1 to 7]
Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and
sending data over any of the 16 supported protocol handlers. When Services are tied together in
front of or behind a B2B Gateway Service they are handled like pre and post processes.
77. © 2015 IBM Corporation77
MQ FTE Integration Pattern – Inbound File to Message
[Diagram: trading partner (XB60) and XB62 connected over the Internet; labels: B2B Gateway Service, Transaction Viewer, profile management, data store, browser (LOB user), browser (admin), browser (partner view), server, source agent, target agent, MQ FTE network, queue managers, MQ Explorer, DB logger (DB2 or Oracle), enterprise applications, data store; flow steps 1, 2, 2a, 3, 4, 5, 6]
78. © 2015 IBM Corporation78
ebXML with CPPA Pattern
[Diagram: external partners on the public network exchange ebMS (ebXML) and ebMS (Ack) messages over the Internet with a WebSphere DataPower B2B Appliance in the DMZ, which passes ebXML to applications in the secured network; labels: B2B Gateway Service, Transaction Viewer, browser, Collaboration Partner Agreement entries, each with an internal collaboration partner profile, an external collaboration partner profile and a CPAId / Collaboration; flow steps 1 to 5]
79. © 2015 IBM Corporation79
Health Level 7 3.x to 2.x Transform Pattern
[Diagram: Partner A (Regional Healthcare Center) and Partner B (Hospital) connected over the Internet; labels: healthcare applications, B2B Hub, AS2 process, AS2 (HL7 V3), AS2/MDN, B2B Appliance, B2B Gateway Service, profiles (internal profile: Regional Center; external profile: Hospital), "Validate XML and Transform to any V.2.x format", Transaction Viewer, HL7 V3, "Any Transport HL7 V2.x", "Any Transport HL7 V3.x"; flow steps 1 to 6]
80. © 2015 IBM Corporation80
Securing HL7 over the Internet with Integration to the
WebSphere Healthcare Connectivity Pack
[Diagram: trading partner and healthcare provider connected over the Internet; labels: XB62, B2B Gateway Service, Transaction Viewer, profile management, data store, browser (admin), browser (partner view), AS2 (HL7), AS2 (MDN), WebSphere MQ, WebSphere Healthcare Connectivity Pack, HL7/MQ, HL7/MLLP, XML/HTTP, Clinical Trials System, Patient Administration System, Billing System, Pharmacy; flow steps 1, 2, 2a, 3, 4, 5]
82. © 2015 IBM Corporation82
DataPower on GitHub
Repository of DataPower related tools & collateral
Open source
Community driven: Use, collaborate, contribute
http://ibm-datapower.github.io/
DataPower Configuration Manager
Tool for DataPower configuration management & migration
Standalone command line or IBM UrbanCode Deploy plugin
https://github.com/ibm-datapower/datapower-configuration-manager
https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp
DPXMLSH
Bash script / shell library for working with DataPower’s XML Management interface
Interactive & scripted use
https://github.com/ibm-datapower/datapower-xml-shell
83. © 2015 IBM Corporation83
Getting Social with IBM DataPower Gateways
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation
84. © 2015 IBM Corporation84
Available Now: DataPower Handbook, Second Edition, Volume 1
Known as the ‘bible’ of
DataPower planning,
implementation, and
usage.
New content to cover
previous six years of new
products/features,
including 9006/7.1!
Volume 1 consists of
Chap 1 DataPower Intro,
Chap 2 Setup Guide, new
Preface and two
invaluable new
appendices for physical
and virtual appliances.
Available in softcover and e-book formats
86. © 2015 IBM Corporation86
Simple Architecture: Purpose-built firmware + hardware
Complete gateway platform delivered as firmware
Guiding philosophy is to centralize common security,
integration, control, traffic management, acceleration
functions and optimize them in a security-hardened
gateway appliance
Simple and Secure Architecture
[Diagram, Commodity Gateways: hardware with display ports, bootable CD-ROM drive and bootable USB ports; full Linux OS (including shells and user accounts); glibc, libxml, Linux daemons, JVM, JSP engine, Apache HTTPD, app server, database and proprietary software, each with its own config]
[Diagram, Purpose-built Gateways (DataPower Gateway Platform): hardware with flash memory and crypto acceleration; IBM Optimized Embedded Operating Environment; digitally signed and encrypted firmware; config]
87. © 2015 IBM Corporation8787
Configuration-driven approach speeds time to market
• Enforce security standards with zero coding
• Uses intuitive pipeline message processing
• Import/export configurations between
environments
• Transaction probe shows message content
between actions for debugging
88. © 2015 IBM Corporation88
Capabilities
Rapidly deliver secure integration & optimized access for a full range of workloads
• Secure & protect your back-end systems from
harmful workloads and unauthorized users & apps
• Convert payloads, bridge transports and connect
to existing services at wire-speed
• Limit & shape traffic based on service level
agreements, and route based on message content
• Improve response times, reduce load on
backend systems and intelligently distribute load
[Diagram: consumer connections before DataPower Gateway and after DataPower Gateway; labels: Secure, Control, Integrate, Optimize]
89. © 2015 IBM Corporation89
Connect Mobile Apps with Enterprise Services
Securely expose enterprise systems & APIs to Mobile Apps while optimizing delivery
SSL Offload
Threat Protection
Rate Limiting / SLA Enforcement
Validation, Filtering
Authentication, Authorization
Context-based Access, Mobile SSO
Security Token Translation
Message Transformation
Content-Based Routing
Intelligent Load Distribution
Response Caching
90. © 2015 IBM Corporation90
• Data format & language
– JavaScript
‒ JSON
‒ JSON Schema
‒ JSONiq
‒ REST
‒ SOAP 1.1, 1.2
‒ WSDL 1.1
‒ XML 1.0
‒ XML Schema 1.0
‒ XPath 1.0
‒ XPath 2.0 (XQuery only)
‒ XSLT 1.0
‒ XQuery 1.0
• Security policy enforcement
‒ OAuth 2.0
‒ SAML 1.0, 1.1 and 2.0, SAML Token
Profile, SAML queries
‒ XACML 2.0
‒ Kerberos (including S4U2Self, S4U2Proxy)
‒ SPNEGO
‒ RADIUS
‒ RSA SecurID OTP using RADIUS
‒ LDAP versions 2 and 3
‒ Lightweight Third-Party Authentication
‒ Microsoft Active Directory
‒ FIPS 140-2 Level 3 (w/ optional HSM)
‒ FIPS 140-2 Level 1 (w/ certified crypto module)
‒ SAF & IBM RACF® integration with z/OS
‒ Internet Content Adaptation Protocol
‒ W3C XML Encryption
‒ W3C XML Signature
‒ S/MIME encryption and digital signature
‒ WS-Security 1.0, 1.1
‒ WS-I Basic Security Profile 1.0, 1.1
‒ WS-SecurityPolicy
‒ WS-SecureConversation 1.3
DataPower Gateway: Supported standards & protocols
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy
– FTP, FTPS, SFTP
– WebSphere MQ
– WebSphere MQ File Transfer Edition
– TIBCO EMS
– WebSphere Java Message Service
– IBM IMS Connect, & IMS Callout
– NFS
– AS1, AS2, AS3, ebMS 2.0, CPPA 2.0,
POP, SMTP (XB62)
– DB2, Microsoft SQL Server, Oracle,
Sybase, IMS
• Transport Layer Security
‒ TLS versions 1.0, 1.1, and 1.2
‒ SSL versions 2 and 3
• Public key infrastructure (PKI)
‒ RSA, 3DES, DES, AES, SHA, X.509,
CRLs, OCSP
‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8,
PKCS#10, PKCS#12
‒ XKMS for integration with Tivoli Security
Policy Manager (TSPM)
• Management
‒ Simple Network Management Protocol
‒ SYSLOG
‒ IPv4, IPv6
• Open File Formats
‒ Distributed Management Task Force
(DMTF) Open Virtualization Format
(OVF)
‒ Virtual Machine Disk Format (VMDK)
‒ Virtual Hard Disk (VHD)
• Web services
– WS-I Basic Profile 1.0, 1.1
– WS-I Simple SOAP Basic Profile
– WS-Policy Framework
– WS-Policy 1.2, 1.5
– WS-Trust 1.3
– WS-Addressing
– WS-Enumeration
– WS-Eventing
– WS-Notification
– Web Services Distributed Management
– WS-Management
– WS-I Attachments Profile
– SOAP Attachment Feature 1.2
– SOAP with Attachments (SwA)
– Direct Internet Message Encapsulation
– Multipurpose Internet Mail Extensions
– XML-binary Optimized Packaging (XOP)
– Message Transmission Optimization
Mechanism (MTOM)
– WS-MediationPolicy (IBM standard)
– Universal Description, Discovery, and
Integration (UDDI versions 2 and 3),
UDDI version 3 subscription
– WebSphere Service Registry and
Repository (WSRR)
91. © 2015 IBM Corporation9191
Over 14 years of innovation & 2000+ global installations
[Timeline, 2000 to 2014: Gigabit/Sec HW Solution; Acquisition; XA35, XS40, XI50, XB60; Model 7993 (aka 9003); Model 9235 (aka 9004); ITCAM for SOA (Transaction Monitoring); WebSphere Transformation Extender; WebSphere Appliance Management Center; Optimized Interpreter and Compiler; Optimized Hardware Acceleration; XI50B Blade; XI50z Blade; XG45, XI52 & XB62; Application Optimization (Self-Balancing & Intelligent Load Distribution); Virtual Edition (VMware); Virtual Edition (PureApplication System); Virtual Edition (for Developers + XenServer); Optimized & secure JavaScript; Multi-channel Gateway; Consolidated Gateway Platform; ISAM Proxy Module; IBM DataPower Gateway]