© 2013 IBM Corporation
What’s New in DataPower Appliances
Hugh Everett
IT Specialist
IBM Manchester, UK
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.
Agenda
• DataPower Quick Overview
• What’s new in DataPower Virtual Edition
• What’s new in DataPower v6.0
Introduction to DataPower Gateway Appliances
IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, control, integration and optimized access to a full range of Mobile, Web, API, SOA, B2B and Cloud workloads
IBM Integration Bus and Integration Gateway
• IBM Integration Bus: IBM’s Strategic Integration Technology
  ‒ Single engineered product for .NET, Java and fully heterogeneous integration scenarios
  ‒ DataPower continues to evolve as IBM’s integration gateway
• IBM DataPower: IBM’s Strategic Integration Gateway
  ‒ Highly secure configurable appliance
  ‒ To integrate and optimise access to web, mobile, and API workloads beyond the enterprise
  ‒ Complements IBM Integration Bus
[Diagram labels: Edge, Integration Gateway, Integration Bus]
Security & Integration Gateway Appliances
IBM DataPower Gateway Appliances
• Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload
• Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution
• Physical appliance that is purpose-built, tamper-evident with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO
• Provides high levels of certified Security assurance
  ‒ e.g. Transport Protocol Security (SSL/TLS), Message Level Security, and Authentication, Authorization, Audit
• Simplified maintenance model
  ‒ Drop-in appliance form-factor, Secures traffic in minutes, and Push-button flash upgrade process
• Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold
• Virtual appliance provides deployment flexibility & reduced cost for development and test environments
[Diagram labels: Internet, DMZ, Trusted Domain; Consumer, DataPower, Application or Service]
DataPower appliances used across a variety of scenarios
1 Security Gateway (Web Services/Apps/APIs)
2 Intelligent Content Routing & Load Distribution
3 B2B Partner Gateway
4 Internal Security Enforcement
5 Integration
6 Runtime SOA Governance
7 Web Service Management
8 Legacy Integration
[Diagram labels: Internet, DMZ, Trusted Domain; Consumer, DataPower, IBM Integration Bus, System z, Application or Service, Application, Service, File, Trading partners]
Use appliances to simplify & centralize critical functions
• Secure, control, integrate & optimize multiple applications without code changes
• Lower cost and complexity
• Enable new business with unmatched performance
Before DataPower Appliances: Update application servers individually
After DataPower Appliances: Secure, control, integrate, & optimize all applications instantly. No changes to applications
[Diagram labels: Secure, Control, Integrate, Route & Optimize]
IBM DataPower Gateway Appliance capabilities
• Control
  ‒ Service-level agreements
  ‒ Traffic control
  ‒ Message accounting
  ‒ Content-based routing
  ‒ Governance & management
• Optimization
  ‒ SSL & TLS offload
  ‒ Hardware accelerated crypto ops
  ‒ XSLT & XQuery acceleration
  ‒ JSONiq acceleration
  ‒ Connection pooling, offload
  ‒ Intelligent load distribution
  ‒ Caching: Local & external (XC10)
• Security
  ‒ OAuth, SAML, XACML, WS-Security, LTPA, Kerberos, etc
  ‒ Authentication & authorization
  ‒ Security token translation
  ‒ Message & transport protection
• Integration
  ‒ Convert payloads (JSON, XML, CSV, Cobol, binary, etc)
  ‒ Bridge transports (HTTP, MQ, FTP, WAS JMS, TIBCO EMS, etc)
  ‒ Database connectivity (DB2, IMS, Oracle, MS SQL, Sybase)
  ‒ Mainframe integration (IMS Connect, IMS Callout, CICS, etc)
  ‒ B2B integration (AS1, AS2, AS3, etc)
• Resilience
  ‒ Operation admission control
  ‒ Failure re-routing
  ‒ XML threat protection
  ‒ JSON threat protection
  ‒ Schema validation
  ‒ Messages filtering
[Diagram labels: Clients, In-the-Clear Request, Malicious Request, Cobol/MQ Appl, Cobol/MQ, Encrypted and Signed Request, Service Providers]
DataPower Family
Integration Appliance XI52
• High density 2U form, XG45 functionality plus
• “Any-to-Any” conversion at wire-speed
• Bridges multiple transport protocols
• Mainframe integration & enablement
• Available in Virtual Edition
Service Gateway XG45
• Entry-level device, slim footprint (1U)
• Security gateway (AAA, XML threat, etc)
• Service level management and monitoring
• Intelligent load distribution & dynamic routing
• Lightweight integration functions (optional)
• Available in Virtual Edition
B2B Appliance XB62
• High density 2U form, XI52 functionality plus
• B2B Messaging (AS1/AS2/AS3/ebMS)
• Trading Partner Profile Management
• B2B Transaction Viewer
Integration Blade XI50B/XI50z
• Functionally equivalent to XI52
• Form factor flexibility
• XI50B: BladeCenter form factor
• XI50z: zEnterprise BladeCenter Extension (zBX) form factor
DataPower Gateway Appliances
Over a decade of innovation & over 2000 worldwide installations
Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations
Banking
• Majority of the big US and European banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions
Many, many, more
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• etc.
IBM DataPower Virtual Edition
Deployment flexibility & reduced cost for development and test environments
DataPower Appliances extend their market leading Security & Integration Gateway functionality into Virtual Appliances providing deployment flexibility
Business Integration. Available Now
Business Value:
• Industry-leading workload security, optimization, and integration functionality similar to the corresponding physical DataPower appliance models
• A flexible, cost effective Security & Integration Gateway for non-production environments
• A production solution for environments not suitable for physical appliance deployment
What’s new:
• WebSphere DataPower XG45 & XI52 physical appliance functionality in a “virtual appliance” form-factor running on VMware hypervisor on x86 servers, IBM PureApplication System W1500, & IBM Workload Deployer platforms
• Ability to upgrade & downgrade firmware similar to physical appliances
• Seamless configuration migration between physical and virtual appliances
• Powered by a purpose-built platform including an embedded, optimized DataPower Operating System
[Diagram label: x86 Server]
IBM DataPower Virtual Edition: Overview
Product Name
• WebSphere DataPower Service Gateway XG45 Virtual Edition (Passport Advantage Product ID: 5725-J90)
• WebSphere DataPower Integration Appliance XI52 Virtual Edition (Passport Advantage Product ID: 5725-J91)
Functionality
• Same workload security, optimization, & integration functionality as the corresponding physical appliance model.
• Exceptions, besides lack of physical security features (e.g. tamper-resistant hardware), include capability implemented or enhanced via hardware in physical appliances:
  ‒ No Hardware Security Module (HSM) support for FIPS 140-2 Level 3 compliance
  ‒ No hardware acceleration support for cryptographic operations
• Seamless configuration migration, through export/import feature, between physical and virtual appliances
  ‒ Full-appliance secure backup/restore only works within the same form factor, i.e. virtual to virtual & physical to physical
• Each “virtual appliance” is powered by a purpose-built platform and includes an embedded, optimized DataPower Operating System
  ‒ Uses signed/encrypted firmware images like physical appliances, doesn’t allow installation of other software
  ‒ Uses “scrypt4” format firmware image (scrypt2/3 used for physical appliances), does not run or support firmware prior to v5.0.0
Version
• Two functionally equivalent versions, Production & Non-Production, for each product. Each licensed and priced separately:
  ‒ XG45 Virtual Edition for Non-Production Environments: For non-production use. Includes following optional features at no additional cost: Application Optimization, Data Integration Module
  ‒ XG45 Virtual Edition: For production use. All optional features must be ordered separately, all are field upgradeable.
    ** Both XG45 Virtual Edition versions include Tivoli Access Manager feature in the base product like physical appliance models
  ‒ XI52 Virtual Edition for Non-Production Environments: For non-production use. Includes following optional features at no additional cost: Application Optimization, Database Connectivity, Tivoli Access Manager
    ** TIBCO EMS option must be ordered separately
  ‒ XI52 Virtual Edition: For production use. All optional features must be ordered separately, all are field upgradeable.
Pricing
• Priced based on Processor Value Unit (PVU). Available through Passport Advantage.
Hypervisor
• VMware ESX v4.0 Update 2, v4.1 OR ESXi v4.0 Update 2, v4.1, v5.0, v5.1
Platform
• x86 Servers, IBM PureApplication System W1500, IBM Workload Deployer utilizing x86 hardware
Requirements
• Minimum virtual resources for each virtual edition appliance: 4 vCPU (i.e. virtual core) and 4GB RAM
Package
• Delivered as an Open Virtualization Archive (OVA) package
What’s New Summary
IBM DataPower Gateway Appliances extend industry-leading service-oriented architecture (SOA) and business-to-business (B2B) security, control, optimization, and integration capabilities to web, mobile, and API workloads
Secure. Integrate. Optimize.
• Secure integration: Securely integrate API, Web & Mobile workloads, in addition to SOA & B2B
• Mobile-ready security gateway: Secure & optimize delivery of Mobile applications & integrate with IBM Worklight
• Faster consistent response time: Reduce load on back-end systems and optimize delivery through local & external caching and intelligent load distribution
• Pattern-based configuration: Create & deploy common configuration patterns for reduced time to value, improved productivity & quality
• Deployment flexibility: Use physical or virtual appliance with seamless configuration migration
• System z integration: Easily consume external web services from IMS & expose IMS data as a service
IBM DataPower Gateway Appliance v6.0
Secure, integrate & optimize access to Web, Mobile & API workloads
DataPower Appliances extend their market leading Security & Integration Gateway for Web, Mobile & API workloads, in addition to SOA & B2B, reducing infrastructure complexity & lowering TCO
Business Integration
Business Value:
• Secure integration of Web, Mobile, API, SOA & B2B workloads in a single, highly secure, highly consumable, DMZ-ready appliance
• Operational agility for WAS Network Deployment environments
• Fast & consistent response time for enterprise applications including mobile & web apps with local & external caching reducing load on back-end systems
• Enhanced System z integration with IMS systems for reduced TCO
• Faster time to value & improved developer productivity with configuration pattern-authoring & deployment support
What’s new:
• Provides the API gateway functionality for IBM API Management V2.0
• Quick integration with IBM Worklight to secure mobile web traffic
• Improved REST services handling with native JSON support including schema validation & query, extract, filter & transform through JSONiq
• New XML data query, extraction & manipulation support with XQuery 1.0
• Enhanced security with improved OAuth 2.0 and new support for Kerberos constrained delegation & TLS 1.1/1.2
• Improved WS-MediationPolicy consumption from WSRR & SLAs for non-SOAP traffic
• Embedded On-Demand Router functionality for WAS ND environments
• Optimized application delivery with response caching on-the-box & seamless integration with elastic caching XC10 appliances
• New System z integration capabilities allowing IMS transactions to easily consume external web services & easy consumption of IMS data as a service
• Simple ability to create & deploy common DataPower configuration patterns
IBM API Management V2.0 (On-Premise)
Secure, control and optimize access to APIs through DataPower
Create, Manage, Socialize APIs
• Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Ops perspective, API lifecycle mgmt
• Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas, manage communities and monitor service levels
• Application Developer Portal with Self-Service registration and with hooks into social communities
On-Premise DMZ-ready API Gateway
• Rapid on-ramping of APIs
• API security; SSL termination, Threat protection, Authentication, Authorization with OAuth
• Quota enforcement / Traffic control; Enforce API consumption policies
• Monitors API use
• Caching support for both on-box local and remote caching using XC10
• Intelligent routing and load distribution
[Diagram labels: On Premise; App Developer Portal, Business Ops Dashboard, Dev Ops Dashboard, DataPower, Enterprise Services, Web Apps, Mobile]
IBM API Management (On-Premise)
IBM API Management V2.0: 1 Solution, 1 Pane of Glass
API Gateway: Secure, Control, Optimize
• DataPower XG45 w/ DIM & AO option, XI50, XI50B, XI52 w/ AO option
• REQUIRED component
• Physical or Virtual
• Purchase new or re-use existing appliances
Create (Assemble)
• Cast Iron Standard Edition
• OPTIONAL component
• Physical or HVE
• Purchase new or re-use existing appliances
Create, Publish, Manage, Socialize
• IBM API Management
• 2 Hypervisor Installs
Available in IBM API Management V2.0 & DataPower V6.0
IBM DataPower Gateway Appliance
Security, Control, Integration & Optimization of mobile workload
Connect Mobile Apps with Enterprise Apps & Services
Securely expose enterprise data to Mobile Apps while optimizing delivery of the workload
• SSL Offload
• Threat Protection
• Rate Limiting
• Validation, Filtering, now with Native JSON Support **
• Authentication
• Authorization
• Security Token Translation
• Transformation
• Content-Based Routing
• Intelligent Load Distribution, now with On Demand Router for WAS ND **
• Response Caching Locally or to XC10 **
• Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices **
• Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server **
[Diagram labels: e.g. REST (JSON/XML) over HTTPS; e.g. SOAP over HTTPS; Worklight, WAS ND; Web Apps, Services; Message Oriented, Legacy Apps]
** Available in DataPower firmware version 6.0
XQuery 1.0
Flexible XML data manipulation
• Query, extract, filter, transform XML messages using XQuery 1.0
  ‒ Efficient data query & manipulation of XML
  ‒ Simple scripting language syntax provides ease of use
  ‒ Built-in functions & FLWOR statements improve productivity & reduce LoC
• FLWOR: For, Let, Where, Order by, Return
• XQuery is not XML!

Query orders with purchase of at least $100

    <gold-customers>
    {
      for $x in orders/order
      where $x/price >= 100.00
      order by $x/last
      return <customer first="{$x/first}" last="{$x/last}" />
    }
    </gold-customers>

INPUT

    <orders>
      <order><first>John</first><last>Smith</last><sku>20223</sku><price>23.95</price></order>
      <order><first>Alice</first><last>Brown</last><sku>54321</sku><price>199.95</price></order>
      <order><first>John</first><last>Smith</last><sku>23420</sku><price>104.95</price></order>
      <order><first>Bob</first><last>Green</last><sku>90231</sku><price>300.00</price></order>
      <order><first>Scott</first><last>Jones</last><sku>54321</sku><price>199.95</price></order>
      <order><first>Jim</first><last>Lee</last><sku>89820</sku><price>46.50</price></order>
    </orders>

OUTPUT

    <?xml version="1.0" encoding="UTF-8"?>
    <gold-customers>
      <customer first="Alice" last="Brown"/>
      <customer first="Bob" last="Green"/>
      <customer first="Scott" last="Jones"/>
      <customer first="John" last="Smith"/>
    </gold-customers>
Native JSON Support
Enhanced security & control for REST services
• JSON is now a first class, native format on DataPower similar to XML
  ‒ High-speed parsing and tuned compilation with native execution
• JSON schema validation: Security & input validation
  ‒ Built-in validate action
  ‒ Support for draft 3 of IETF specification (http://tools.ietf.org/html/draft-zyp-json-schema-03)

JSON Message

    { "name"   : "John Smith",
      "sku"    : "20223",
      "price"  : "23.95",
      "shipTo" : { "name"    : "Jane Smith",
                   "address" : "123 Maple Street",
                   "city"    : "Pretendville",
                   "state"   : "NY",
                   "zip"     : "12345" },
      "billTo" : { "name"    : "John Smith",
                   "address" : "123 Maple Street",
                   "city"    : "Pretendville",
                   "state"   : "NY",
                   "zip"     : "12345" }
    }

JSON Schema

    {
      "type": "object",
      "properties": {
        "name":  { "type": "string" },
        "sku":   { "type": "string" },
        "price": { "type": "number", "minimum": 0 },
        "shipTo": {
          "type": "object",
          "properties": {
            "name":    { "type": "string" },
            "address": { "type": "string" },
            "city":    { "type": "string" },
            "state":   { "type": "string" },
            "zip":     { "type": "string" }
          }
        },
        "billTo": {
          "type": "object",
          "properties": {
            "name":    { "type": "string" },
            "address": { "type": "string" },
            "city":    { "type": "string" },
            "state":   { "type": "string" },
            "zip":     { "type": "string" }
          }
        }
      }
    }
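
An added example (not from the presentation and not DataPower code): a small Python checker for the subset of JSON Schema draft 3 that this slide uses, run over the slide's own message and schema. It shows that the message as printed is rejected because "price" is a string, and that the schema as printed still accepts an empty object or unknown properties, since draft 3 properties are optional unless marked "required": true. The function names and the `harden` helper are assumptions made for illustration.

```python
"""Subset of JSON Schema draft-03: type, properties, required, minimum,
additionalProperties. Constructed for illustration; not DataPower code."""

ADDRESS = {"type": "object", "properties": {
    k: {"type": "string"} for k in ("name", "address", "city", "state", "zip")}}

# Schema as shown on the slide.
SLIDE_SCHEMA = {"type": "object", "properties": {
    "name": {"type": "string"},
    "sku": {"type": "string"},
    "price": {"type": "number", "minimum": 0},
    "shipTo": ADDRESS,
    "billTo": ADDRESS}}

PARTY = {"address": "123 Maple Street", "city": "Pretendville",
         "state": "NY", "zip": "12345"}

# Message as shown on the slide; note that "price" is a JSON string.
SLIDE_MESSAGE = {"name": "John Smith", "sku": "20223", "price": "23.95",
                 "shipTo": dict(PARTY, name="Jane Smith"),
                 "billTo": dict(PARTY, name="John Smith")}


def is_type(value, name):
    """draft-03 primitive type test; bool is kept apart from number."""
    if isinstance(value, bool):
        return name in ("boolean", "any")
    checks = {"any": object, "object": dict, "array": list, "string": str,
              "integer": int, "number": (int, float), "null": type(None)}
    # Unknown or non-string type entries fail closed.
    return isinstance(name, str) and name in checks and isinstance(value, checks[name])


def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means the instance passes."""
    wanted = schema.get("type", "any")
    names = wanted if isinstance(wanted, list) else [wanted]
    if not any(is_type(instance, n) for n in names):
        return [f"{path}: expected {wanted}, got {type(instance).__name__}"]
    errors = []
    if "minimum" in schema and is_type(instance, "number"):
        if instance < schema["minimum"]:
            errors.append(f"{path}: {instance} is below minimum {schema['minimum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key, sub in props.items():
            if key in instance:
                errors += validate(instance[key], sub, f"{path}.{key}")
            elif sub.get("required", False):  # draft-03: per-property boolean
                errors.append(f"{path}.{key}: required property is missing")
        extra = schema.get("additionalProperties", {})  # default allows anything
        for key in sorted(set(instance) - set(props)):
            if extra is False:
                errors.append(f"{path}.{key}: property not allowed")
            elif isinstance(extra, dict):
                errors += validate(instance[key], extra, f"{path}.{key}")
    return errors


def harden(schema):
    """Copy with every listed property required and unknown properties rejected."""
    out = dict(schema)
    if "properties" in schema:
        out["properties"] = {k: dict(harden(v), required=True)
                             for k, v in schema["properties"].items()}
        out["additionalProperties"] = False
    return out


if __name__ == "__main__":
    strict = harden(SLIDE_SCHEMA)
    fixed = dict(SLIDE_MESSAGE, price=23.95)  # price sent as a JSON number
    cases = [("slide message / slide schema", SLIDE_MESSAGE, SLIDE_SCHEMA),
             ("numeric price / slide schema", fixed, SLIDE_SCHEMA),
             ("empty object / slide schema", {}, SLIDE_SCHEMA),
             ("empty object / hardened schema", {}, strict),
             ("extra field / hardened schema", dict(fixed, isAdmin=True), strict)]
    for label, doc, sch in cases:
        print(f"{label}: {validate(doc, sch) or 'valid'}")
```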
Native JSON Support
Enhanced security & control for REST services
• JSON is now a first class, native format on DataPower similar to XML
  ‒ High-speed parsing and tuned compilation with native execution
• Query, extract, filter, transform JSON messages using JSONiq
  ‒ Extension to XQuery: Like SQL for JSON and XML
  ‒ Efficient data query and manipulation of JSON
  ‒ Support for JSONiq spec 0.4.42 (http://jsoniq.org/docs/spec/en-US/html-single/index.html)

INPUT (JSON message)

    { "name"   : "John Smith",
      "sku"    : "20223",
      "price"  : "23.95",
      "shipTo" : { "name"    : "Jane Smith",
                   "address" : "123 Maple Street",
                   "city"    : "Pretendville",
                   "state"   : "NY",
                   "zip"     : "12345" },
      "billTo" : { "name"    : "John Smith",
                   "address" : "123 Maple Street",
                   "city"    : "Pretendville",
                   "state"   : "NY",
                   "zip"     : "12345" }
    }

Extract shipping address

    declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
    declare option jsoniq-version "0.4.42";
    declare option output:method "json";
    .("shipTo")

OUTPUT

    { "name"    : "Jane Smith",
      "address" : "123 Maple Street",
      "city"    : "Pretendville",
      "state"   : "NY",
      "zip"     : "12345"
    }

Filter shipment to Hawaii

    declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
    declare option jsoniq-version "0.4.42";
    declare option output:method "json";
    if (.("shipTo")("state") = "HI")
    then fn:error(fn:QName('http://example.org/mine', 'myerr:noshipHI'),
                  'Sorry, we do not ship to Hawaii.')
    (: XQuery requires an else branch; other messages pass through unchanged :)
    else .

OUTPUT (for a message whose shipTo state is "HI")

    *** ABORTED: Error noshipHI: Sorry, we do not ship to Hawaii.

Transform to XML

    declare option jsoniq-version "0.4.42";
    <order>
      <name>{.("name")}</name>
      <price>{.("price")}</price>
      <state>{.("shipTo")("state")}</state>
    </order>

OUTPUT

    <?xml version="1.0" encoding="UTF-8"?>
    <order><name>John Smith</name><price>23.95</price><state>NY</state></order>

Query members with purchase of at least $100

INPUT

    [{ "given" : "John",  "surname" : "Smith", "sku" : "20223", "price" : 23.95},
     { "given" : "Alice", "surname" : "Brown", "sku" : "54321", "price" : 199.95},
     { "given" : "John",  "surname" : "Smith", "sku" : "23420", "price" : 104.95},
     { "given" : "Bob",   "surname" : "Green", "sku" : "90231", "price" : 300.00},
     { "given" : "Scott", "surname" : "Jones", "sku" : "54321", "price" : 199.95},
     { "given" : "Jim",   "surname" : "Lee",   "sku" : "89820", "price" : 46.50}]

Query

    declare option jsoniq-version "0.4.42";
    for $x in jn:members(.)
    where $x("price") >= 100.00
    order by $x("surname")
    (: &#10; is a newline character reference, one name per output line :)
    return concat($x("given"), ' ', $x("surname"), '&#10;')

OUTPUT

    Alice Brown
    Bob Green
    Scott Jones
    John Smith
Security Enhancements
Enhanced OAuth 2.0 support & additional features enable new security use cases
• OAuth is an open standard for authorization. It provides a method for resource owners to grant limited access to their resources to third party client applications without sharing credentials.
• New OAuth 2.0 specification support
  ‒ Public Client & Implicit Grant Type
    Enables Clients that cannot keep their credentials confidential or can only support simple authorization flows
    Browser-based & native applications including mobile ones
  ‒ Refresh Token
    Allows Clients to obtain new access tokens upon expiration without going through initial login sequence
• Additional new features
  ‒ SSL Client Certificate Authentication Method
    Client can provide its certificate for authentication rather than a secret (i.e. 2-way SSL aka SSL mutual authentication)
  ‒ Revoke Token
    Provides better flexibility & control to Client & Resource Owner, either can revoke
    Client can revoke to logout
    Resource Owner can revoke in case of compromised password or lost mobile device
Security Enhancements
Enhanced transport and message security
• Kerberos constrained delegation (S4U2Proxy)
  ‒ Preserve the client identity from the incoming Kerberos ticket for the backend service when DataPower is acting as a proxy
• Transport Layer Security (TLS) 1.1 & 1.2
  ‒ Helps meet security guideline (e.g. NIST SP 800-131A)
• LDAP
  ‒ Connection Pooling: Configured per XML Mgr
    ldap-search(), ldap-simple-query(), AAA
    Improve performance & reduce load on LDAP server
  ‒ Read Timeout
    Extension functions, AAA, CRL, RBM
    Handle slow or unresponsive LDAP server
Security Enhancements
Enhanced transport and message security
• SSL Proxy Service enhancements
  ‒ Forward proprietary protocol traffic with SSL across DMZ and within the enterprise
    SSL offload & termination
  ‒ New features
    Transaction timeout (address long lived connections)
    Max client connection limit (configurable)
    Client-side idle timeout (address misbehaving client)
    Server-side idle timeout (address misbehaving/overloaded server)
    Additional logging & improved reliability
• ISAM (formerly TAM) integration enhancements
  ‒ Support for 6.1.1 and 7.0
  ‒ Support co-existence of multiple registry types
  ‒ Ships four ISAM client library versions in the firmware and allows user to select the version
    6.0, 6.1, 6.1.1, 7.0 (XG45, XI52, XB62, XI50B, VE)
    If ISAM server undergoes an upgrade, then appropriate DataPower ISAM client can be selected to match
    TLS 1.2 or NIST compliance option for ISAM 7.0
[Diagram labels: Application Servers, WAS ND Cluster]
MPGW SLA & WS-MediationPolicy Support
Flexible traffic control policy consumption & enforcement for non-SOAP traffic
• Capability added to Multi-Protocol Gateway Service (MPGW) to enforce business requirements by consuming WS-MediationPolicy from WSRR Subscriptions and as locally attached policy for non-SOAP traffic
• Implement Service Level Agreements (SLA) enforcement on DataPower via declarative policy documents without manually creating DataPower configuration artifacts
Visibility and Control
• Reduce costs and increase operational efficiency of enterprise boundaries
• Increase enterprise agility through rapid realization of policies and SLAs in response to business change
• Centrally manage and govern service and associated policies exposed at service gateway
• Enable automatic deployment of operational policies and SLA to service gateways
[Diagram: WSRR and DataPower. DataPower subscribed to a collection of services defined by WSRR saved search ‘WebBankingServicesQuery’. Can also subscribe directly to a Service Version]
Traffic Control Policy Management & Enforcement
[Diagram labels: Policy Admin / Operations: Manage Policies & Services; WSRR: Model Policy & SLAs; DataPower: Consume & enforce, Enforce Policy & SLAs; App1, App2, Service; SLA, Policy]
Optimization: Intelligent Routing & Load Distribution
Operational agility for WAS ND environments
• Embedded On Demand Router (ODR) to intelligently route HTTP traffic to WAS ND
• Intelligent routing & load distribution to backend WAS ND environments, including those running Worklight Server, based on dynamic, real-time topology, application and workload information
• ODR is central to providing the Intelligent Management features of WAS
  – Automatic routing: discovers & recognizes all changes which affect routing
  – Application edition routing: upgrade applications without incurring outages
  – Multi-Cell routing: Automatically route to different application in multiple cells
  – Weighted Least Outstanding Request (WLOR) load balancing: Quickly redirect traffic away from slow and hung backends
  – Automatically populate custom headers needed by WAS to process traffic
  – Highly available control connection to WAS: REST-based service automatically available on dmgr and nodeagent
• When to use ODR compared to current AO ILD support? Whenever you have a WAS backend
  – More OOTB functionality: Multi-Cell routing, header population, does not require installation of application on WAS, etc
  – Smaller configuration footprint: Requires much less configuration on DataPower, connect once and go
  – Built-in high availability of control connection to retrieve dynamic information from WAS
  – Consistent technology across DP and IBM HTTP Server (IHS)
• Requires Application Optimization software option
[Diagram: Clients, DataPower w/ ODR, WAS ND Environment (Cell 1, Cell 2; Cluster 1, Cluster 2, Cluster 3). DataPower performs dynamic routing and load distribution leveraging dynamic information from back-ends]
Reduced time to value with integrated Gateway & Caching appliances
‘Off-box’ Caching integration with XC10 appliances already available
• Out-of-the-box “one-click” configuration options provide efficient and secure cache operations
  ‒ Encrypt/decrypt data stored in the XC10
  ‒ Obfuscate the cache key used to identify a data item
  ‒ Sub-second timeout on cache requests
  ‒ Load balance requests across a collective of XC10 instances
• Remotely manage and monitor XC10 data grid directly from DataPower management interface
  ‒ Create data grid on XC10
  ‒ Clear data grid on XC10
  ‒ View high-level cache statistics to verify effectiveness of caching policies
• Greatly reduce the number of lines of XSLT required to interact with XC10 from a DataPower processing policy
  ‒ Define XC10 data grid to DataPower once and reuse in multiple policies
  ‒ Easy to use XC10-specific URL format for use with standard url-open extension function
  ‒ Automatically manage HTTP session cookies required by XC10 REST gateway interface
** Available in DataPower firmware version 5.0.0.4
Optimization: Backend Response Caching
Accelerate workload delivery & reduce load on backend systems
Policy-driven local ‘on-box’ HTTP(s) backend response caching & seamless integration with XC10 appliances for ‘off-box’, shared, elastic caching
– Built into base product
• Improve client observed response time
• Reduce backend server load
• Improve system throughput
Local ‘on-box’ caching
– Utilizes appliance memory
– Unique to individual appliance
External ‘off-box’ caching
– Utilizes XC10 appliances
– Distributed, shared & elastic cache accessed across multiple appliances
Features
– Cache HTTP(s) GET, PUT, POST requests
– Smart RESTful cache invalidation
– Return stale documents
– Supports cache validation requests
– Cache based on HTTP 1.1 cache control headers
– Supports user-defined cache key
– Little to no XSLT required
[Diagrams: numbered request flows for local caching (Client, DataPower, Provider) and for external caching (Client, DataPower, REST, XC10, Provider); labels: Fast Response Time, Slow Response Time, Low Load]
Enhanced value for System z & IMS
New integration capabilities between DataPower and IMS
• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required
  – Requires one of the following models: XI52, XI52 VE, XI50B, XB62
• IMS DB feature supports DataPower integration with IMS database through SQL interface
  ‒ Enrich messages with database content
  ‒ Expose data as a service to remote applications
  ‒ Requires one of the following models:
    XG45 or XG45 VE (with Database Integration Module option)
    XI52, XI52 VE or XI50B (with Database Connectivity option)
    XB62
[Diagram labels: Client, SOAP / REST, DataPower, DRDA, IMS; IMS Callout: Service Consumer (App1, App2, OTMA, IMS Connect), TCP/IP, DataPower, SOAP / REST, Service Provider]
Improved User Experience: Pattern-based Configuration
Reduce time-to-value, increase productivity & quality of DataPower solutions
Patterns capture a tested solution to a common recurring use case
Built-in, easy-to-use, new interface for creating & deploying common DataPower configuration patterns
Ships with 10 Pre-built patterns for common web application & web services scenarios
Supports user-defined patterns
• Reduce time to value through accelerated user configuration & deployment for both new & experienced users
• Increase developer productivity by leveraging working examples of common use cases
• Improve quality & scale expertise through reuse of configuration created by skilled roles
[Screenshot labels: Browse patterns, Deploy new service from pattern, Create service pattern for reuse]
35 35 © 2013 IBM Corporation
IBM DataPower Gateway Appliance v6.0
Secure, integrate & optimize access to Web, Mobile & API workloads
DataPower Appliances extend their market-leading Security & Integration Gateway for Web, Mobile & API workloads, in addition to SOA & B2B, reducing infrastructure complexity & lowering TCO
Business Integration
Business Value:
• Secure integration of Web, Mobile, API, SOA & B2B workloads in a single, highly secure, highly consumable, DMZ-ready appliance
• Operational agility for WAS Network Deployment environments
• Fast & consistent response time for enterprise applications including mobile & web apps, with local & external caching reducing load on back-end systems
• Enhanced System z integration with IMS systems for reduced TCO
• Faster time to value & improved developer productivity with configuration pattern-authoring & deployment support
What’s new:
• Provides the API gateway functionality for IBM API Management V2.0
• Quick integration with IBM Worklight to secure mobile web traffic
• Improved REST services handling with native JSON support including schema validation & query, extract, filter & transform through JSONiq
• New XML data query, extraction & manipulation support with XQuery 1.0
• Enhanced security with improved OAuth 2.0 and new support for Kerberos constrained delegation & TLS 1.1/1.2
• Improved WS-MediationPolicy consumption from WSRR & SLAs for non-SOAP traffic
• Embedded On-Demand Router functionality for WAS ND environments
• Optimized application delivery with response caching on-the-box & seamless integration with elastic caching XC10 appliances
• New System z integration capabilities allowing IMS transactions to easily consume external web services & easy consumption of IMS data as a service
• Simple ability to create & deploy common DataPower configuration patterns
DataPower resources
www.ibm.com/software/integration/datapower
IBM DataPower Web Page (support, technotes, doc)
http://www-01.ibm.com/software/integration/datapower/
developerWorks DataPower Discussion Area
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
Vast library of published articles:
http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html
(Also search for “DataPower” within “WebSphere”, “SOA/Web Services” and “XML”)
http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search “DataPower”)
IBM Redbooks:
http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
IBM WebSphere DataPower SOA Appliance Handbook
http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
YouTube:
http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
DataPower Podcasts:
http://www.ibm.com/podcasts/software/websphere/datapower/index.rss
Legal Disclaimer
• © IBM Corporation 2013. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained
in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are
subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing
contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or
capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth or other results.