901-100-400
Nov 07, 2015
IBM Training
Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances
(Course code W8555 / V8555) Volume I
Student Notebook
ERC 2.0
WebSphere Education
The blue color of the printing guarantees the authenticity of this document. © Copyright
Trademarks
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United States, or other countries, or both:
Approach®, DataPower®, DataPower device®, DB2®, developerWorks®, Domino®, IMS™, Lotus®, MQSeries®, Notes®, Rational®, RDN™, Tivoli®, WebSphere®, z/OS®, zSeries®
VMware® and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.
Edge of Network® and ThinkPad® are trademarks or registered trademarks of Lenovo in the United States, other countries, or both.
Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries.
Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
May 2009 edition
The information contained in this document has not been submitted to any formal IBM test and is distributed on an "as is" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.
© Copyright International Business Machines Corporation 2009. All rights reserved.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
Note to U.S. Government Users - Documentation related to restricted rights - Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Contents

Trademarks
Course description
Agenda

Unit 1. Introduction to DataPower SOA Appliances
  Unit objectives
  XML-aware networking
  Role of XML in SOA
  Uses of XML in SOA
  Some SOA specifications based on XML
  Disadvantages and threats with XML
  Web services as a security risk
  Solution: Integrate an XML-aware network layer
  SOA appliances in detail
  DataPower SOA appliances: Built for security
  DataPower SOA appliances: Purpose-built solution
  DataPower SOA appliances provide both performance and security
  Topic summary
  DataPower SOA appliance use cases
  Use cases for SOA appliances
  Use case 1: Securing Web services
  Layers of security for XML-based applications
  Use case 2: Legacy integration and hub mediation
  Enable Web services for legacy applications
  Content based routing
  Use case 3: Web service management
  Enforce service level agreements with DataPower SOA appliances
  Use case 4: Accelerate dynamic Web sites
  Accelerate dynamic Web sites
  Topic summary
  Introduction to DataPower SOA appliances
  IBM WebSphere DataPower product line
  XML Accelerator XA35 features
  XML Security Gateway XS40 features
  Integration Appliance XI50 features
  DataPower SOA appliances in the network stack
  Features comparison (1 of 3)
  Features comparison (2 of 3)
  Features comparison (3 of 3)
  Topic summary
  Checkpoint
  Unit summary
© Copyright IBM Corp. 2009. Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Unit 2. DataPower administration overview
  Unit objectives
  Administration through the WebGUI
  DataPower SOA appliance administration
  WebGUI Web administration application
  Administration using the Web browser
  Navigation bar categories
  System control features (1 of 2)
  System control features (2 of 2)
  File management
  File directories for configuration
  File directories for security
  File directories for logging
  Administrative access control
  Create an application domain
  Application domain - Configuration tab
  Configuration Checkpoints
  View application domain status
  Create a user account and a user group
  Manage user group details
  Manage user account details
  Export the system configuration
  Import a system configuration
  Saving configuration changes
  Topic summary
  Alternate administration
  Administration by using the command line interface
  Initial CLI login screen
  Quick initial configuration procedure
  User and privileged modes
  Retrieve system information using the CLI
  Administration using Web service
  XML Management: Create a new application domain
  XML Management: Domain creation response
  WSDM interface
  Management interface summary
  Topic summary
  Checkpoint
  Unit summary

Unit 3. Introduction to XSL transformations
  Unit objectives
  Introduction to Extensible Stylesheet Language
  Three parts of Extensible Stylesheet Language (XSL)
  XSL Transformations (XSLT) overview
  The XSLT process
  What is XPath?
  Example XPath expressions
  XPath current context
  XPath step syntax
  XPath address notation
  Example: XPath absolute addressing
  Example: XPath relative addressing
  Anatomy of an XSL style sheet
  The element
  The element
  The element
  XSLT style sheet elements to generate output
  XML input as a tree
  Desired HTML output
  XML to HTML (1 of 4)
  XML to HTML (2 of 4)
  XML to HTML (3 of 4)
  XML to HTML (4 of 4)
  XSL style sheet control elements
  The element
  The element
  The element (1 of 2)
  The element (2 of 2)
  Elements to generate output (XML to XML)
  The element
  The element
  Topic summary
  Custom style sheet programming
  Using custom style sheets
  How to develop style sheets with DataPower extensions
  XSLT variables
  DataPower variables
  DataPower variable scopes
  Example - DataPower variables
  Stylesheet using DataPower extension functions
  Topic summary
  Checkpoint
  Unit summary

Unit 4. DataPower services overview
  Unit objectives
  Primary services
  Services available on the DataPower appliance
  XSL proxy service
  XSL Coprocessor Service
  XML firewall service
  Web service proxy service
  Multi-protocol gateway service
  Web application firewall service
  DataPower services feature hierarchy
  Choosing the service
  Secondary services
  Topic summary
  Service configuration
  Object oriented configuration
  Message processing phases
  Basic architectural model
  Processing policy
  Processing rules
  Match action
  Processing actions
  Multistep processing rules
  Multistep scope variables
  Service types
  URL rewriting
  XML Manager
  Default XML Manager configuration
  XML parser limits
  Topic summary
  Checkpoint
  Unit summary

Unit 5. XML firewall service
  Unit objectives
  What is an XML firewall service? (1 of 2)
  What is an XML firewall service? (2 of 2)
  Configuring an XML firewall service
  XML firewall service - Object model
  Step 1: Create an XML firewall
  Step 2: XML firewall configuration (1 of 2)
  Step 2: XML firewall configuration (2 of 2)
  Planning for configuration migration
  Request/response message processing
  Request/response attachment processing
  Advanced XML firewall configuration
  Header injection and suppression parameters
  Associate monitors to XML firewall
  XML threat protection
  Step 3: Implement a service policy
  Create a Match action
  Processing actions
  More processing actions
  Validate action
  Transform action
  Filter action
  Filter action - Replay attack
  Content based routing
  Route action configuration
  Style sheet programming with dynamic routing
  Results action
  Results asynchronous and multi-way results mode
  Exporting XML firewall configuration
  Cloning an XML firewall configuration
  Troubleshooting an XML firewall configuration
  Checkpoint
  Unit summary

Unit 6. Problem determination tools
  Unit objectives
  Problem determination tools
  Common problem determination tools
  Appliance status information
  Troubleshooting panel
  Troubleshooting: Network connectivity
  Troubleshooting: Packet capture
  Troubleshooting: Generate error report
  Troubleshooting: Send a test message
  Troubleshooting: System log
  Filtering system log
  Troubleshooting: Generate Log Event
  Troubleshooting: XML File Capture
  Troubleshooting: Multistep probe
  Troubleshooting: Enabling the multistep probe
  Multistep probe window
  Multistep probe content
  Problem determination with cURL
  Communicating with DataPower support
  Topic summary
  Log targets
  Logging basics
  Available log levels
  Log targets
  Log target configuration
  Nine log target types
  Event filters
  Object filters
  Event subscriptions
  Log action
  Topic summary
  Checkpoint
  Unit summary

Unit 7. Handling errors in a service policy
  Unit objectives
  Error handling constructs
  Configure an On Error action
  Creating an error rule
  Configure Transform action in error rule
  Style sheet programming using error variables
  Example custom error style sheet
  Error rule versus On Error action
  Checkpoint
  Unit summary

Unit 8. DataPower cryptographic tools
  Unit objectives
  Security problems
  Security problem 1 - Message confidentiality
  Symmetric key encryption
  Asymmetric key encryption
  Security problem 2 - Message integrity
  Security problem 3 - Nonrepudiation
  Digital signature
  Security problems / solutions
  Digital certificates
  Distribution problem
  DataPower crypto tools
  Generating crypto (asymmetric) keys on board (1 of 2)
  Generating crypto (asymmetric) keys on board (2 of 2)
  Download keys from temporary storage
  Keys and certificates are objects
  Crypto shared secret (symmetric) key
  Crypto certificate
  Certificates exist in a trust chain
  Crypto identification credential
  Crypto validation credential
  Crypto profile
  Import and export crypto objects
  Uploading keys
  Java keytool command
  Certificates can expire or get revoked
  Certificate revocation list (CRL) retrieval
  Crypto certification monitor
  Hardware security module (HSM)
  Checkpoint
  Unit summary

Unit 9. Securing connections using SSL
  Unit objectives
  Solving security problems
  SSL features
  SSL terminology
  SSL handshake
  SSL handshake: client hello
  SSL handshake: server hello
  SSL handshake: verify server certificate
  SSL handshake: client key exchange
  SSL handshake: reply with secret key
  SSL handshake secured
  DataPower support for SSL
  SSL Proxy profile: crypto objects relationship
  Securing connections from client to appliance
  Step 1: Appliance supplies cryptographic certificate
  Step 2: Configuring SSL server crypto profile
  If you do not have an SSL server crypto profile
  Step 3: Verify SSL server proxy profile settings
  Securing the connection from appliance to external application server
  Step 1: Appliance validates presented certificate
  Step 2: Configuring an SSL client crypto profile
  Step 3: Verify SSL client proxy profile settings
  SSL Proxy Profile list
  User agent
  Configuring a user agent
  Create a user agent configuration
  Checkpoint
  Unit summary

Unit 10. XML threat protection
  Unit objectives
  What are the security concerns?
  Traditional systems and exposure
  Addressing the security concerns
  Three high-level deployment patterns
  Four types of XML attacks
  XML denial of service (XDoS): Single-message attacks
  XML denial of service (XDoS): Multiple-message attacks
  Unauthorized access attacks
  Data integrity and confidentiality attacks
  System compromise attacks
  XML parser limits
  XML threat protection
  XML threat protection: Single message XDoS
  XML threat protection: Multiple message XDoS
  XML threat protection: Protocol threats
  XML threat protection: XML virus
  XML threat protection: Dictionary attack
  Message tampering
  SQL injection attack
  SQL injection attack protection
  Checkpoint
  Unit summary

Unit 11. Web service proxy service
  Unit objectives
  Web service proxy overview
  Web service proxy architecture
  Web service proxy benefits
  Web service proxy features
  Web service proxy basic configuration steps
  Step 1: Obtain WSDL document
  WSDL structure
  Step 2: Creating a Web service proxy
  Web service proxy object editor
  Web service proxy GUI
  Step 3: Add WSDL document to Web service proxy
  Step 4: Configure WSDL endpoint
  Configure local endpoint handler
  View WSDL services
  Retrieve the "client" WSDL from the service
  Modifying the location in the "client" WSDL
  Step 5: Configuring Web service proxy policy (optional)
  Configure Web service proxy policy rule
  Default validation (user policies)
  Create reusable rule
  Advanced Web service proxy configuration
  WS-Policy
  Conformance policy
  Conformance policy object
  Service priority
  Proxy settings (1 of 4)
  Proxy settings (2 of 4)
  Proxy settings (3 of 4)
  Proxy settings (4 of 4)
  Web service proxy SLM
  WSDL cache policy
  Troubleshooting Web service proxy
  Checkpoint
  Unit summary

Unit 12. XML and Web services security overview
  Unit objectives
  Review of basic security terminology
  Web services security
  Components of WS-Security
  Specifying security in SOAP messages
  Scenario 1: Ensure confidentiality with XML encryption
  DataPower support for XML encryption
  Encrypt action
  Decrypt action
  Field-level encryption and decryption
  XPath tool
  Sample encrypted SOAP message
  Scenario 2: Ensure integrity with XML signatures
  DataPower support for XML signature
  Sign action
  Verify action
  Verify action - Advanced tab
  Field-level message signature and verification
  Sample signed SOAP message
  Checkpoint
  Unit summary

Unit 13. Authentication, authorization, and auditing (AAA)
  Unit objectives
  Authentication, authorization, and auditing
  Authentication and authorization framework
  AAA action and access control policy
  How to define an access control policy (1 of 2)
  How to define an access control policy (2 of 2)
  Access control policy processing
  Scenario 1: Authorize authenticated clients
  Scenario 1: Sample SOAP request message
  Scenario 1: Identify the client
  Scenario 1: Authorize access to resources
  Scenario 2: Security token conversion
  Scenario 2: Sample HTTP request message
  Scenario 2: Identify the client
  Scenario 2: Authorize access to resources
  Scenario 3: Multiple identity extraction methods
  Scenario 3: Identify the client
  Scenario 3: Authorize access to resources
  Internal access control resources
  AAA XML file
  Example AAA XML file
  Lightweight Third Party Authentication
  External access control resource
  Lightweight Directory Access Protocol
  Security Assertion Markup Language
  Types of SAML assertions
  Scenario 4: Authorize valid SAML assertions
  Scenario 4: SAML authentication statement
  Scenario 4: SAML attribute statement
  Scenario 4: Identify the client
  Scenario 4: Authorize access to resources
  Scenario 4: Match SAML attributes
  Access control policy using SAML information
  Checkpoint
  Unit summary

Unit 14. Configuring LDAP using AAA
  Unit objectives
  External access control resource
  Lightweight Directory Access Protocol
  Directory services
  Directories
  Common LDAP attributes
  Directory services structure
  LDAP operations
  LDAP Data Interchange Format (LDIF)
  LDAP URL
  Directory services implementations
  Example scenario
  Authenticate the client using LDAP
  Authorize the client using LDAP
  Configure a load balancer group
  Configure the load balancer group health settings
  Checkpoint
  Unit summary

Unit 15. Multi-protocol gateway service
  Unit objectives
  What is a multi-protocol gateway?
  Protocol handlers at a glance (1 of 2)
  Protocol handlers at a glance (2 of 2)
  Front-side protocol handlers
  Static back-end gateway
  Dynamic back-end gateway
  Multi-protocol gateway and XML firewall compared
  Multi-protocol gateway editor
  Scenario 1: Provide HTTP and HTTPS access
  Step 1: Configure the back-end transport
  Step 2: Create a document processing rule
  Step 3: Create the front side handlers
  Step 4: Configure the front side handler
  Step 5: Configure the SSL Proxy profile
  Scenario 2: Dynamic back-end service
  Step 1: Configure the back-end transport
  Sample service targeting style sheet
  Scenario 3: Provide WebSphere MQ access
  Scenario 4: Provide WebSphere JMS access
  Scenario 5: Provide IMS Connect access
  Comparing services
  Checkpoint
  Unit summary

Unit 16. Monitoring objects
  Unit objectives
  Message monitors
  Monitor objects
  Defining monitor objects
  Step 1: Specifying particular traffic to monitor
  Step 1: Matching on HTTP headers
  Step 2: Message type configuration
  Step 3: Message Filter Action configuration
  Step 4C: Message count monitor configuration
  Step 4C: Thresholds/Filters for count monitor
  Step 4D: Message duration monitor configuration
  Step 4D: The transaction life cycle
  Step 4D: Thresholds/Filters for duration monitor
  Step 5: Service-monitor association example
  Other types of monitors
  Which monitor types are supported by a service?
  Checkpoint
  Unit summary

Unit 17. Service level monitoring
  Unit objectives
  What is service level monitoring (SLM)?
  SLM in DataPower - Basic principles
  Two ways to configure SLM
  Service level monitor types in the Web service proxy
  Service level monitor - Graphs
  The WS-Proxy's SLM tab
  SLM Rule action
  SLM action granularity
  Configuring the SLM policy
  Constructing an SLM policy
  The SLM credential class
  The SLM resource class
  SLM resource class example
  The SLM action
  The SLM Schedule
  SLM statement (1 of 2)
  SLM statement (2 of 2)
  SLM policy
  Checkpoint questions
  Unit summary

Unit 18. Integration with WebSphere MQ
  Unit objectives
  WebSphere MQ fundamentals
  WebSphere MQ message
  Transactions
  DataPower support for WebSphere MQ
  Provide WebSphere MQ Access
  Step 1: Create an MQ queue manager (1 of 2)
  Step 1: Create an MQ queue manager (2 of 2)
  Step 1: Use SSL in mutual authentication mode
  Step 2: Add an MQ front side handler
  Step 3: Configure an MQ back-end transport
  Ordered processing of MQ messages
  Controlling backout of MQ messages
  Decision tree for the backout settings
  MQ Header action in service policy
  Typical uses of an MQ Header action
  Transactions and WebSphere MQ
  MQ front-side transactions
  MQ back-side transactions
  WebSphere MQ DataPower URL
  MQ queue manager Group object
  Checkpoint
  Unit summary

Unit 19. DataPower and Java Message Service (JMS)
  Unit objectives
  Messaging middleware
  Java Message Service (JMS)
  Why use JMS instead of HTTP?
  JMS models
  WebSphere - Service integration bus (SIBus)
  JMS Queue resources on SIBus
  JMS topic resources on SIBus
  WebSphere JMS support
  WebSphere JMS interaction
  WebSphere JMS: Main - Messaging bus
  WebSphere JMS: Main - Optional settings
  WebSphere JMS - WebSphere JMS Endpoint
  Communicating to WebSphere JMS
  WebSphere JMS Front Side Handler
  WebSphere JMS Backend URL
  TIBCO EMS JMS support
  TIBCO EMS interaction
  TIBCO EMS: Main - EMS host
  TIBCO EMS: Main - Optional settings
  TIBCO EMS: Load balancing and fail-over
  Communicating to TIBCO EMS
  TIBCO EMS Front Side Handler
  TIBCO EMS Backend URL
  Ordered processing of JMS messages
  Checkpoint
  Unit summary

Unit 20. DataPower architectural scenarios
  Unit objectives
  Agenda
  Agenda
  Enterprise Service Bus (ESB)
  DataPower XI50 usage as an Enterprise Service Bus
  Example 1: DataPower XI50 as an ESB
  Example 2: DataPower XI50 as an ESB gateway
  DataPower XI50 functionality within an ESB
  Agenda
  DataPower deployment scenarios for security
  Example 1: Secure XML Web services
  Example 1: Secure Web services in DMZ
  Example 2: Federated identity within an organization
  Example 2: Intranet identity federation diagram
  Example 3: Federated identity among partners
  Example 3: Extranet identity federation deployment diagram
  Example 4: DataPower as a Web application firewall
  Example 4: DataPower as a Web application firewall diagram
  Agenda
  Example 1: Web service virtualization
  Example 1: Web service virtualization diagram
  Example 2: Service level monitoring
  Example 2: Service level monitoring deployment diagram
  Example 3: SOA governance
  Example 3: SOA governance diagram
  Checkpoint
  Unit summary

Unit 21. Course summary
  Unit objectives
  Course learning objectives
  Course review (1 of 3)
  Course review (2 of 3)
  Course review (3 of 3)
  DataPower services feature hierarchy
  Class evaluation
  Lab exercise solutions
  To learn more on this subject
  References
  Unit summary
  Unit summary

Appendix A. Web application firewall service
Appendix B. Checkpoint solutions
Glossary of abbreviations and acronyms

Trademarks
The reader should recognize that the following terms, which appear in the content of this training document, are official trademarks of IBM or other companies:
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United States, or other countries, or both:
Approach®, DataPower®, DataPower device®, DB2®, developerWorks®, Domino®, IMS™, Lotus®, MQSeries®, Notes®, Rational®, RDN™, Tivoli®, WebSphere®, z/OS®, zSeries®
VMware® and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.
Edge of Network® and ThinkPad® are trademarks or registered trademarks of Lenovo in the United States, other countries, or both.
Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries.
Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.

Course description
Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances

Duration: 5 days

Purpose
In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances.
The IBM WebSphere DataPower SOA Appliances allow an enterprise to simplify, accelerate, and enhance the security capabilities of its Extensible Markup Language (XML) and Web services deployments, and extend the capabilities of its service-oriented architecture (SOA) infrastructure.
Through a combination of instructor-led lectures and hands-on lab exercises, students learn how to implement the key use cases for the DataPower appliances, including XML acceleration and threat protection, authentication, authorization, and auditing (AAA), Web service virtualization, Web services security, and integrating with IBM WebSphere MQ and Java Message Service (JMS).
Students also learn how to use various problem determination tools such as logs, monitors, and probes, as well as techniques for testing DataPower services and handling errors.
The hands-on exercises give students experience working directly with an IBM WebSphere DataPower SOA Appliance by focusing on skills such as creating XML firewalls, working with encryption and cryptographic objects, configuring service level monitoring, troubleshooting services, and handling errors.

Audience
This course is designed for integration developers who configure service policies on IBM WebSphere DataPower SOA Appliances.

Prerequisites
Before taking this course, students should be familiar with
- Security-based concepts and protocols
• XML-related technologies, such as XML schema, XPath, and XSLT
• Web service fundamentals and the Web Services Security specification

Objectives
After completing this course, students should be able to:
• Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances
• Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)
• Configure an XML firewall to protect against a new class of XML-based threats
• Create a Web services proxy to virtualize Web service applications
• Implement Web services security
• Create and configure cryptographic objects
• Configure Secure Sockets Layer (SSL) to and from WebSphere DataPower SOA Appliances
• Configure a multi-protocol gateway (MPG) to handle multiple protocols for a single service
• Configure a service level monitoring (SLM) policy to handle service processing violations
• Enforce service level policies to manage traffic to and from WebSphere DataPower SOA Appliances
• Configure support for IBM WebSphere MQ and Java Message Service (JMS)
• Troubleshoot services using logs and probes
• Handle errors in service policies

Contents
• Course introduction
• Introduction to DataPower SOA Appliances
• DataPower administration overview
• Introduction to XSL transformations
• DataPower services overview
• XML firewall service
• Problem determination tools
• Handling errors in a service policy
• DataPower cryptographic tools
• Securing connections using SSL
• XML threat protection
• Web service proxy service
• XML and Web services security overview
• Authentication, authorization, and auditing (AAA)
• Configuring LDAP using AAA
• Multi-protocol gateway service
• Monitoring objects
• Service level monitoring
• Integration with WebSphere MQ
• DataPower and Java Message Service (JMS)
• DataPower architectural scenarios
• Course summary

Agenda
Day 1
Day 2
Day 3
Day 4

Course introduction
Unit 1. Introduction to DataPower SOA Appliances
Unit 2. DataPower administration overview
Exercise 1. Exercises setup
Unit 3. Introduction to XSL transformations
Exercise 2. Creating XML transformations
Unit 4. DataPower services overview
Exercise 3. Creating a simple XML firewall

Unit 5. XML firewall service
Unit 6. Problem determination tools
Exercise 4. Creating an advanced XML firewall
Unit 7. Handling errors in a service policy
Exercise 5. Adding error handling to a service policy

Unit 8. DataPower cryptographic tools
Exercise 6. Creating cryptographic objects
Unit 9. Securing connections using SSL

Exercise 7. Securing connections using SSL
Unit 10. XML threat protection
Exercise 8. Protecting against XML threats
Unit 11. Web service proxy service
Exercise 9. Configuring a Web service proxy
Unit 12. XML and Web services security overview
Exercise 10. Web service encryption and digital signatures

Unit 13. Authentication, authorization, and auditing (AAA)
Exercise 11. Web service authentication and authorization
Unit 14. Configuring LDAP using AAA
Exercise 12. Creating a AAA policy using LDAP

Unit 15. Multi-protocol gateway service
Exercise 13. Configuring a multi-protocol gateway service
Unit 16. Monitoring objects
Unit 17. Service level monitoring

Day 5
Unit 18. Integration with WebSphere MQ
Exercise 14. Configuring a multi-protocol gateway service with WebSphere MQ
Unit 19. DataPower and Java Message Service (JMS)
Unit 20. DataPower architectural scenarios
Unit 21. Course summary

Appendixes
Appendix A. Web application firewall service
Exercise A. Creating a firewall and HTTP proxy for a Web application
Exercise B. Configuring WebSphere JMS

Unit 1. Introduction to DataPower SOA Appliances

What this unit is about
This unit introduces the concept of SOA appliances: an XML-aware network device that accelerates, secures, and integrates XML-based applications and Web services.

What you should be able to do
After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

How you will check your progress
• Checkpoint

References
http://www.ibm.com/software/integration/datapower/  WebSphere DataPower SOA Appliances

Unit objectives
After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

Figure 1-1. Unit objectives

XML-aware networking
After completing this topic, you should be able to:
• Explain the role of XML in a service-oriented architecture (SOA)
• Identify the uses of XML within an SOA
• Explain the disadvantages and threats with deploying XML-based applications in the enterprise
• Describe the features in an XML-aware network layer that mitigate the risks of deploying XML-based applications

Figure 1-2. XML-aware networking

Role of XML in SOA
• Extensible Markup Language (XML) provides a text-based, human-readable scheme for describing information in a structured format
• Its simplicity and self-describing nature make XML popular as an interoperable data format
• XML is becoming the way to:
  - Exchange data between disparate systems within and outside of an enterprise system
  - Enable application functions as interoperable services
• XML is also the foundation for a number of SOA specifications.

Figure 1-3. Role of XML in SOA

Notes:
Extensible Markup Language (XML) is a way of encapsulating and describing data in a text-based, human-readable manner.

Because XML is text-based, practically any computer system in existence can process the data format. Compare this scheme with proprietary binary formats. Because XML is human-readable, future developers can decipher the data format years after the original developers have retired.

In short, XML provides a self-describing container for data that is widely compatible today and tomorrow.

For these reasons, XML is a natural choice within an SOA implementation, and for a number of specifications that define SOA.

Uses of XML in SOA

[Figure: Security server (IBM Tivoli Access Manager); WSDL; Security assertion; Order management Web application on IBM WebSphere Application Server; Customer billing application on IBM WebSphere Process Server; Customer database on IBM DB2 Universal Database]

Figure 1-4. Uses of XML in SOA

Notes:
1. Web Services Description Language (WSDL) provides an interoperable, platform-independent format for describing the interface and binding details of a network service. Since WSDL documents are also XML documents, they can be consumed by virtually any computer system regardless of operating system, programming language, or hardware differences.
2. One of the more popular messaging formats for encapsulating an operation call is SOAP. The SOAP specification defines an XML-based envelope format for holding the message payload and processing instructions through the body and header elements, respectively. As XML messages, a wide range of systems can invoke and provide service functionality by consuming and producing SOAP messages, regardless of the implementation differences between the client and the server.
3. Additional information about messages can also be encapsulated in an XML format. For example, the Web services security specifications provide a standard for encoding security metadata in a SOAP message header. A wide range of security packages support these security tokens, allowing the exchange of security information.
4. Security servers might choose to attach authentication, authorization, or additional security characteristics on an incoming message as it passes through servers in the enterprise. Security assertions reduce the number of security checks from internal applications and abstract security decisions from application developers.
5. Applications can retrieve and store information to data stores using an XML stream or XML messages. The use of XML abstracts the actual implementation of the data store itself. It provides information as a service.

Some SOA specifications based on XML

Specification: Description
XML schema
SOAP: Provides a standard structure for Web services requests and response messages, in XML format.
WSDL: Provides a language for defining the interface and binding details of a Web service. WSDL documents are XML documents.
XSLT: The language for transforming XML documents to another format. Transform templates are described using XML.
XPath: A platform-independent syntax for addressing parts of an XML document tree.
XML digital signatures: Provides a standard for storing digital signatures of XML documents, in XML format.
XML encryption: Provides a standard for storing encrypted parts of an XML document, in XML format.
SAML: Provides a standard for stating security assertions. Assertions can be written in an XML format.

Figure 1-5. Some SOA specifications based on XML

Notes:
WSDL: Web Services Description Language
XSLT: XSL (XML Stylesheet Language) Transformations
XPath: XML Path Language
SAML: Security Assertion Markup Language

Disadvantages and threats with XML
• As a text-based, human-readable protocol, XML tends to be more verbose
  - Parsing, processing, and transforming XML data incur significant overhead for application servers
• XML introduces new threats and security exposures
  - Most companies disable XML validation due to performance costs
  - Traditional network security devices do not protect against a new class of XML-based attacks, such as:
    • Entity expansion and recursion
    • Malicious includes
    • XML encapsulation
• Dealing with XML-based applications becomes a compromise between performance and security

Figure 1-6. Disadvantages and threats with XML

Notes:
Entity expansion and recursion attacks use entity declarations in an XML document header that reference themselves. When an XML parser resolves the recursive reference, the size of the entity expands exponentially, consuming all available memory and processing power on a server.

Malicious includes add a URL reference into an XML document. The reference itself guesses at the name and location of privileged information, such as a UNIX password file.

XML encapsulation exploits the CDATA reference, which attaches arbitrary non-XML data into an XML document. Within the CDATA reference, malicious users can embed arbitrary code or system commands. A poorly designed service might inadvertently execute the code or the command.

More information on XML threats will be discussed in a later lecture.
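
The three threat classes in these notes can be screened for before a message reaches an application parser. The following Python sketch is an added example, not part of the course material and not DataPower's implementation; the function name `screen_xml`, the finding labels, and the sample messages are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat


class _StopParsing(Exception):
    """Raised from a handler to abandon the document before any entity is expanded."""


def screen_xml(data: bytes) -> list:
    """Return policy findings for one inbound message; an empty list means it passes."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # SOAP 1.1 forbids a DOCTYPE in a message, so a gateway can flag any DTD.
        findings.append("doctype")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # value is None for an external entity; system_id then names what would be fetched.
        kind = "external-entity" if value is None else "internal-entity"
        findings.append("%s:%s" % (kind, name))
        # Stop at the first declaration: nothing has been expanded or fetched yet.
        raise _StopParsing

    def on_cdata_start():
        # CDATA hides markup-looking text from the parser; flag it so that later
        # stages treat the content as untrusted text and never execute it.
        findings.append("cdata-section")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartCdataSectionHandler = on_cdata_start
    try:
        parser.Parse(data, True)
    except _StopParsing:
        pass
    except expat.ExpatError as exc:
        findings.append("not-well-formed:line %d" % exc.lineno)
    return findings


# Constructed sample messages (not taken from the course material).
BENIGN = b'<order id="42"><item qty="2">widget</item></order>'
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY a "widget">\n'
    b'  <!ENTITY b "&a;&a;&a;">\n'
    b']>\n'
    b'<order><item>&b;</item></order>'
)
EXTERNAL_INCLUDE = (
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY ref SYSTEM "file:///constructed/placeholder">\n'
    b']>\n'
    b'<order><item>&ref;</item></order>'
)
CDATA_WRAPPED = b'<order><note><![CDATA[text that <looks> like markup]]></note></order>'

if __name__ == "__main__":
    for label, message in [("benign", BENIGN), ("nested entities", NESTED_ENTITIES),
                           ("external include", EXTERNAL_INCLUDE),
                           ("cdata", CDATA_WRAPPED)]:
        print(label, "->", screen_xml(message) or "pass")
```

Because the screen aborts at the first entity declaration, the cost of rejecting a hostile document does not depend on how large its expansion would have been.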

Web services as a security risk
• One of the advantages of Web services is their ability to easily expose back-end systems to business partners and customers
  - Web services often leverage HTTP, a widely supported and unblocked protocol in most company networks
• Traditional Web servers and proxy servers do not inspect XML and SOAP traffic for attacks

[Figure: Binary traffic; XML traffic over HTTP; External client; Internet; Demilitarized zone (DMZ); Intranet]

Figure 1-7. Web services as a security risk

Notes:
Many corporations allow inbound communications through port 80 in order to serve static Web pages or results from dynamic Web sites (Web applications). Calls to Web applications are considered lower in risk because they do not represent arbitrary calls to applications on the system itself. That is, an attacker might succeed in disrupting service on an application server, but the server system itself is not compromised.

Web services provide application functionality to a wide range of clients through the exchange of XML messages. Improper designs can expose sensitive applications that are otherwise not meant to be accessed by external users.

The holes in both IP firewalls represent unfiltered traffic that passes freely through an HTTP transport. Gateway servers within the demilitarized zone (DMZ) also do not inspect

Solution: Integrate an XML-aware network layer
• Address performance and security concerns with XML-aware network devices that accelerate and secure XML processing
  - These network devices complement your existing network infrastructure
  - XML-aware network devices also offload processor-intensive XML processing and security tasks from your application infrastructure
• SOA appliances provide a quick way to deploy an XML-aware network layer

[Figure: XML-aware network]

Figure 1-8. Solution: Integrate an XML-aware network layer

Notes:
The core issue is that traditional network architectures were not designed to handle XML-based traffic. Software-based solutions perform adequately with XML data, but they are not as fast as a dedicated hardware solution. Most hardware network devices simply do not understand XML data. SOA appliances provide a solution to both issues: a high-performance, hardware-based XML processing device.

SOA appliances in detail
• SOA appliances are purpose-built, easy-to-deploy network devices that accelerate and secure your XML and Web services deployments
• Compared to software solutions, SOA appliances are:
  - Simpler to manage
  - Easier to scale
  - Easier to secure
  - Quicker to deploy
  - More robust against attacks
  - More cost-effective
    - they provide lower total cost of ownership (TCO)
• IBM WebSphere DataPower SOA appliances are one of the leaders in the SOA appliance space

Figure 1-9. SOA appliances in detail

DataPower SOA appliances: Built for security
• Consist of sealed network-resident devices in a tamper-proof case
• Have no drives, no USB ports, and no spinning media
• Single signed or encrypted firmware image prevents attackers from installing arbitrary software
• By default, appliances ship with a locked-down configuration
• Offer secure hardware storage of encryption keys and locked audit log
• Security vulnerabilities were minimized by using few third-party components

Figure 1-10. DataPower SOA appliances: Built for security

Notes:
There is no floppy drive or USB port, which eliminates the possibility of loading a device with malicious software.

There is less of a chance that security holes will be exploited since no third party software or complex operating systems are installed.

DataPower SOA appliances: Purpose-built solution

[Figure labels: Proprietary software; Web server; Application server; Database; Firmware; XML library; C library; Development platform; Floppy; CD-ROM drive; USB port; Hard disk; Hardware; IBM WebSphere DataPower; Purpose-built hardware and firmware; XML Security Server appliance; General-purpose hardware and software; Server daemon; Operating system]

Figure 1-11. DataPower SOA appliances: Purpose-built solution

DataPower SOA appliances provide both performance and security
• As a hardware solution, DataPower processes XML data near wirespeed
• DataPower appliances protect networks against traditional and new XML-based attacks
• With DataPower, there is no compromise: you get both performance and security in one package

[Figure: XML traffic over HTTP; External client; Internet; Demilitarized zone (DMZ); Intranet]

Figure 1-12. DataPower SOA appliances provide both performance and security

Topic summary
Having completed this topic, you should be able to:
• Explain the role of XML in promoting interoperability in an SOA
• Identify the uses of XML within an SOA:
  - Provides a platform-neutral interface format
  - Defines a platform-neutral messaging format
  - Encapsulates security metadata, such as tokens and assertions
  - Enables information as a service, as opposed to implementation-specific database protocols
• List the disadvantages and risks associated with XML adoption
  - Lower performance compared to a compressed, binary format
  - New class of attacks not anticipated with traditional devices
• Explain how SOA appliances accelerate and secure XML-based applications

Figure 1-13. Topic summary

DataPower SOA appliance use cases
After completing this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere DataPower SOA appliances

Figure 1-14. DataPower SOA appliance use cases

Use cases for SOA appliances
1. Securing Web services
   - Provide secure access of back-end systems to business partners and customers
2. Legacy integration and hub mediation
   - Enable mainframe or legacy applications as Web services
3. Web services management
4. Portal acceleration

Figure 1-15. Use cases for SOA appliances

Use case 1: Securing Web services
• Traditional network security devices do not secure XML or SOAP-based traffic
  - By design, IP firewalls do not distinguish between Web browser traffic and application calls over HTTP
  - Externally facing Web services are not protected against XML-based attacks
• Augment your existing network security infrastructure with XML-aware network devices acting as an XML firewall
  - First level:
    • Deploy an XML Security Gateway to efficiently screen potential XML-based attacks at wirespeed
  - Second level:
    • Leverage the security of existing application servers for additional processing

Figure 1-16. Use case 1: Securing Web services

Layers of security for XML-based applications

[Figure: External client; Demilitarized zone (DMZ); Intranet]

Figure 1-17. Layers of security for XML-based applications

Notes:
1. Standard IP firewalls protect the edge of your corporate network.
2. A cluster of IBM WebSphere DataPower SOA appliances complements your existing network security infrastructure. These devices become a centralized gateway for all XML-based applications, including Web services. The DataPower appliances screen incoming and outgoing traffic for XML-based attacks, SOAP message validity, and compliance to WSDL messages. IBM WebSphere DataPower SOA appliances can act as a security policy enforcement point (PEP), authenticating and authorizing incoming application requests.
3. DataPower services can forward information about the principal, in the form of security tokens or assertions. Application servers consume these security artifacts and enforce role-based security in their applications.

Use case 2: Legacy integration and hub mediation
• DataPower SOA Integration Appliance XI50 features any-to-any transformation
  - The DataGlue engine within the DataPower SOA appliance uses XSL transforms to manipulate non-XML data
  - Quickly provide a Web service endpoint to COBOL applications without the use of complex connectors
• As a gateway to legacy systems, the Integration Appliance XI50 provides:
  - Protocol bridging
  - Data transformation
• DataPower SOA appliances can efficiently transform, route, and log messages among XML applications and Web services

Figure 1-18. Use case 2: Legacy integration and hub mediation

Enable Web services for legacy applications

[Figure: WebSphere MQ messages; "Put" request queue; "Get" reply queue]

Figure 1-19. Enable Web services for legacy applications

Notes:
With the Integration Appliance XI50, you do not need to modify your existing legacy applications. The DataPower SOA appliance acts as an IBM WebSphere MQ client to your existing GET and PUT queues on Message Broker. With a multi-protocol gateway DataPower service, Web service clients can now access your legacy applications.

Content based routing

[Figure: Purchase order; Service V1; DataPower SOA appliance; External client; Application servers]

Figure 1-20. Content based routing

Notes:
1. A DataPower SOA appliance service endpoint receives an XML message representing a purchase order.
2. The document processing policy in the service routes the message to the latest version of the order fulfillment application, on the first application server.
3. This application server receives the bulk of the purchase orders.
4. A second message arrives at the same service endpoint. The message is sent from a client, which uses the older version of the order fulfillment application. The routing action redirects the order to the previous version of the order fulfillment application, on the second application server.

Use case 3: Web service management
• In addition to monitoring against XML-based threats, XML-aware networks need to enforce service level agreements (SLA)
  - Record the amount and duration of Web services requests
  - Notify system administrators if service levels are not met
  - Automatically reduce traffic frequency in order to avoid overloading back-end systems
  - Limit or block traffic from a particular host
• DataPower SOA appliances can enforce an SLA in addition to a security policy
  - Service levels and monitoring can be applied at the endpoint, service, or operation level

Figure 1-21. Use case 3: Web service management

Enforce service level agreements with DataPower SOA appliances

Policy 1: Block clients that make more than 500 requests per minute. Clients are identified by their IP address.
Policy 2: Throttle (reduce the rate of) traffic from clients that make more than 100 requests per minute.

Figure 1-22. Enforce service level agreements with DataPower SOA appliances

Notes:
1. In the first case, one particular client sends more than 500 requests within a minute. According to the service level management policy, requests from the client are blocked for a fixed time period.
2. In the second case, another client makes more than 100 requests within a minute. Instead of blocking all subsequent requests, the policy reduces the rate of requests to a fixed frequency threshold for a certain time period.
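
The two policies in figure 1-22 can be modelled as a per-client sliding window with a throttle threshold and a block threshold. The following Python sketch is an added example, not course material and not DataPower configuration; the class and function names, the 120-second penalty period, the one-request-per-second throttled rate, and the client addresses (documentation ranges) are assumptions, since the notes only say "fixed time period" and "fixed frequency threshold".

```python
from collections import defaultdict, deque


class SlmEnforcer:
    """Per-client request-rate enforcement modelled on the two policies in figure 1-22."""

    def __init__(self, throttle_over=100, block_over=500, window_ms=60_000,
                 penalty_ms=120_000, throttled_gap_ms=1_000):
        self.throttle_over = throttle_over        # policy 2 threshold (requests per minute)
        self.block_over = block_over              # policy 1 threshold (requests per minute)
        self.window_ms = window_ms
        self.penalty_ms = penalty_ms              # assumed length of the fixed time period
        self.throttled_gap_ms = throttled_gap_ms  # assumed spacing while throttled
        self.arrivals = defaultdict(deque)        # client IP -> arrival times in the window
        self.blocked_until = defaultdict(int)
        self.throttled_until = defaultdict(int)
        self.last_accept = {}

    def decide(self, ip, now_ms):
        """Return 'accept', 'throttle' or 'reject' for one request arriving at now_ms."""
        if now_ms < self.blocked_until[ip]:
            return "reject"                       # policy 1 penalty still running
        seen = self.arrivals[ip]
        seen.append(now_ms)
        while seen[0] <= now_ms - self.window_ms:  # slide the one-minute window
            seen.popleft()
        rate = len(seen)
        if rate > self.block_over:                # policy 1: block the client
            self.blocked_until[ip] = now_ms + self.penalty_ms
            seen.clear()
            return "reject"
        if rate > self.throttle_over:             # policy 2: start or extend throttling
            self.throttled_until[ip] = now_ms + self.penalty_ms
        if now_ms < self.throttled_until[ip]:
            last = self.last_accept.get(ip)
            if last is not None and now_ms - last < self.throttled_gap_ms:
                return "throttle"                 # arrived too soon after the last accept
        self.last_accept[ip] = now_ms
        return "accept"


def replay(enforcer, ip, count, gap_ms, start_ms=0):
    """Feed `count` evenly spaced requests from one client; return a tally of decisions."""
    tally = {"accept": 0, "throttle": 0, "reject": 0}
    for i in range(count):
        tally[enforcer.decide(ip, start_ms + i * gap_ms)] += 1
    return tally


if __name__ == "__main__":
    slm = SlmEnforcer()
    # Constructed traffic: 600, 150 and 60 requests in one minute from three clients.
    print("192.0.2.10  ", replay(slm, "192.0.2.10", 600, 100))
    print("198.51.100.7", replay(slm, "198.51.100.7", 150, 400))
    print("203.0.113.5 ", replay(slm, "203.0.113.5", 60, 1000))
```

State is kept per client IP address, so the heavy client's block does not affect the other two.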
Use case 4: Accelerate dynamic Web sites
- Dynamic Web sites use XML to pass information flexibly between application layers
  - Sites use XML to encapsulate data between different application layers
  - In the final step, the presentation layer transforms XML data into an HTML Web page
- However, XSL transformation creates performance problems on the portal server
- Offloading processor-intensive XML transformations to the DataPower SOA appliance significantly frees up resources on the application server
  - Include XML-PI (processing instructions) in a raw XML response from the portal server
  - The XML parser within the DataPower SOA appliance automatically applies the XSL transformation without additional configuration
Figure 1-23. Use case 4: Accelerate dynamic Web sites
Notes:
Within an SOA, XML is widely becoming the choice for encapsulating data between different systems. As a text-based protocol, XML suffers from performance issues compared to fine-tuned binary data formats. On the other hand, portal systems need to support a wide variety of clients, including Web browsers and mobile phones. Such systems use XSL transforms to convert the raw XML output into an HTML Web page, WML mobile phone Web page, or CHTML mobile phone page.
IBM WebSphere DataPower SOA appliances provide an easy drop-in solution for offloading XML processing from portal servers. First, disable XSL transformation on the portal server. On most software packages, this task can be accomplished without affecting individual portlets or Web applications. Configure the portal server to specify a transformation style sheet in the processing instructions section of an XML document, XML-PI. As the PI header is part of the XML specification, any standards-based parser can apply the style sheet to the XML data. A DataPower XSL accelerator service would automatically transform the document as it parses the XML data.
Accelerate dynamic Web sites
[Diagram labels: External client; HTML Web page; DataPower SOA appliance; Raw XML response; Application server or portal server]
Figure 1-24. Accelerate dynamic Web sites
Notes:
1. The final presentation layer rendering is offloaded from the portal server to the DataPower SOA appliance.
2. As specified in the XML-PI (processing instruction) header, the XML parser within the DataPower SOA appliance automatically retrieves an XSL transform from a local directory or from a remote file server. The service applies the transform to the raw XML response. No additional configuration is necessary for the DataPower SOA appliance service.
3. The DataPower SOA appliance returns a properly formatted HTML Web page to the original client.
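What the XML-PI mechanism in use case 4 looks like on the wire, as an added Python example (not DataPower code and not from the course): it reads the `xml-stylesheet` processing instruction from a constructed portal response and decides whether the referenced style sheet is a local file or a remote fetch. The sample document, the host allow-list and the function names are assumptions; restricting style sheet locations is a check added here, not a setting the course describes.

```python
import re
from urllib.parse import urlsplit
from xml.dom import Node, minidom

XSL_TYPES = {"text/xsl", "application/xslt+xml"}
PSEUDO_ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# Constructed sample: raw XML a portal server might return, with the PI in the prolog.
RAW_RESPONSE = (
    b'<?xml version="1.0"?>\n'
    b'<?xml-stylesheet type="text/xsl" href="render/page-html.xsl"?>\n'
    b'<portal><title>Account summary</title></portal>'
)


def stylesheet_href(raw_xml):
    """Return the href of the first XSL xml-stylesheet PI in the prolog, or None."""
    # Standard-library parser for brevity; the Python documentation warns that
    # it is not hardened against maliciously constructed XML.
    doc = minidom.parseString(raw_xml)
    for node in doc.childNodes:
        if node.nodeType == Node.ELEMENT_NODE:
            break                      # only PIs before the root element count
        if (node.nodeType == Node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            attrs = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                     for m in PSEUDO_ATTR.finditer(node.data)}
            if attrs.get("type") in XSL_TYPES and attrs.get("href"):
                return attrs["href"]
    return None


def resolve_source(href, allowed_hosts):
    """Classify href as ("local", path) or ("remote", url); raise ValueError if refused."""
    parts = urlsplit(href)
    if parts.scheme in ("http", "https"):
        if parts.hostname not in allowed_hosts:
            raise ValueError(f"stylesheet host not allowed: {parts.hostname}")
        return ("remote", href)
    if parts.scheme or parts.netloc:
        raise ValueError(f"unsupported stylesheet location: {href}")
    if parts.path.startswith("/") or ".." in parts.path.split("/"):
        raise ValueError(f"stylesheet path escapes the local directory: {href}")
    return ("local", parts.path)
```

The transform itself is left out because the Python standard library has no XSLT engine; the example stops at the point where the style sheet location has been identified and accepted or refused.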
Topic summary
Having completed this topic, you should be able to:
- Describe use cases for deploying IBM WebSphere DataPower SOA appliances:
  - Secure Web service and XML applications
  - Integrate legacy systems
  - Provide centralized Web service management
  - Accelerate content rendering of dynamic Web sites
Figure 1-25. Topic summary
Notes:
Introduction to DataPower SOA appliances
After completing this topic, you should be able to:
- Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
- Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances
Figure 1-26. Introduction to DataPower SOA appliances
Notes:
IBM WebSphere DataPower product line
- IBM WebSphere DataPower XML Accelerator XA35
  - Offloads processor-intensive XML processing and transformation tasks from application servers
  - Protects against attacks on Web applications
- IBM WebSphere DataPower XML Security Gateway XS40
  - Acts as a security policy enforcement point for XML applications and Web services
  - Virtualizes Web services easily with dynamic WSDL-based configuration
- IBM WebSphere DataPower Integration Appliance XI50
  - Provides a Web service interface for mainframe applications
  - Performs any-to-any data transformation at
Figure 1-27. IBM WebSphere DataPower product line
Notes:
- IBM WebSphere DataPower Integration Appliance XI50: http://www.ibm.com/software/integration/datapower/xi50/
- IBM WebSphere DataPower XML Security Gateway XS40: http://www.ibm.com/software/integration/datapower/xs40/
- IBM WebSphere DataPower XML Accelerator XA35: http://www.ibm.com/software/integration/datapower/xa35/
XML Accelerator XA35 features
- Accelerates dynamic content generation
  - Transforms XML data into any presentation layer format at wire speed
- Offloads XML manipulation through industry standard API
  - Performs XML processing and transformation through the Java API for XML-based Parsing (JAXP)
Figure 1-28. XML Accelerator XA35 features
Notes:
XML Security Gateway XS40 features
- XML and Web services security provides:
  - XML denial-of-service protection
  - Field-level message encryption and digital signature
  - Web services access control at the operation, interface, or endpoint level
  - Service virtualization to abstract service endpoints within your network
  - Authentication, authorization, and auditing (AAA) framework that supports a variety of user password, security token, and other identity information from requests
  - Centralized policy management is enforced by a cluster of SOA appliances
  - Service level management, policy management, and Web services management support
- Includes all XML acceleration features from the XA35 appliance
Figure 1-29. XML Security Gateway XS40 features
Notes:
Integration Appliance XI50 features
- Acceleration of existing integration hubs
  - Processor-intensive tasks such as XSLT processing, routing, and legacy-to-XML conversion can be offloaded to the XI50
- Mainframe modernization with Web services
  - XML-to-any conversion allows mainframe applications to be virtualized as Web services
- Manages non-XML traffic as easily as XML data
  - Can parse and transform arbitrary binary, flat text, and XML messages
  - No custom programming needed to manipulate messages
- Offers support for popular messaging systems
  - XI50 appliances act as an IBM WebSphere MQ client
- Includes all security and acceleration features from the XS40 and XA35 appliances, respectively
Figure 1-30. Integration Appliance XI50 features
Notes:
DataPower SOA appliances in the network stack
[Diagram: the TCP/IP protocol stack (application, transport, network, data link, and physical layers) shown alongside the DataPower services.
Protocols and standards shown: Web services security, Web services standards, SOAP, XML, HTTP, SNMP, TLS/SSL, TCP, UDP, IP, ICMP, IPSec.
DataPower services shown: multi-protocol gateway, Web services proxy, XSL proxy, Web application firewall, XML firewall.]
Figure 1-31. DataPower SOA appliances in the network stack
Notes:
Listed below are some of the protocols associated with the TCP/IP stack:
- IP: Internet Protocol, communication across a packet-switched network
- ICMP: Internet Control Message Protocol, for sending system-level error messages
- IPSec: IP Security, authentication and encryption at the IP packet level
- TCP: Transmission Control Protocol, virtual circuit protocol that guarantees reliable and in-order data delivery
- UDP: User Datagram Protocol, lightweight packet communication without ordering or reliability guarantee
- HTTP: Hypertext Transfer Protocol, transmitting information across the World Wide Web (WWW)
- TLS/SSL: Transport Layer Security/Secure Sockets Layer, authentication and confidentiality over the Internet
- SNMP: Simple Network Management Protocol, monitors network-attached devices
Features comparison (1 of 3)
Feature    XI50    XS40    XA35
XSL transformation
XML and SOAP validation
HTML-XML transformation
Basic XML threat protection
SOAP V1.1 and V1.2 bindings
XSLT V1.0 and V2.0
Logging (on-board and off-device)
SSL termination and initiation
XML coprocessor mode
Figure 1-32. Features comparison (1 of 3)
Notes:
Features comparison (2 of 3)
Feature    XI50    XS40    XA35
SNMP management integration
Remote device management integration
WSDL V1.1
Content encryption and decryption
Sign XML content and verify digital signatures
Authentication, authorization, and auditing
Content-based routing and filtering
Fetch content from off-device locations
MIME, DIME, MTOM attachment processing
Figure 1-33. Features comparison (2 of 3)
Notes:
Message Transmission Optimization Mechanism (MTOM) is now available using the MTOM policy for optimizing wire format transmissions of SOAP messages.
Features comparison (3 of 3)
Feature    XI50    XS40    XA35
Full XML threat protection
Web application firewall
WSDL-based configuration
Direct database access
Multi-protocol gateway (HTTP, HTTPS)
TIBCO EMS support
IBM WebSphere MQ client
Binary-XML transformations (DataGlue)
IBM Tivoli Access Manager support
Figure 1-34. Features comparison (3 of 3)
Notes:
Topic summary
Having completed this topic, you should be able to:
- Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
  - Application Integration XI50
  - XML Security Gateway XS40
  - XML Accelerator XA35
- Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances
  - Application layer device that operates on Web applications, XML-based applications, and Web services
Figure 1-35. Topic summary
Notes:
Checkpoint
1. What is an XML-aware network? Why is it important to implement an XML-aware network in an SOA?
2. What features of the DataPower SOA appliance make it secure from attacks?
3. Name all IBM WebSphere DataPower SOA appliances product offerings and their main features, respectively.
Figure 1-36. Checkpoint
Notes:
Write your answers here:
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
- Describe and define the role of an SOA appliance
- Identify the products in the WebSphere DataPower SOA Appliance product line
- Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture
Figure 1-37. Unit summary
Notes: