
IBM WebSphere DataPower

Deployment Patterns

IT is no picnic!

Picknick Enterprise IT

29.10.2009

Reto Hirt / schlag&rahm gmbh 2009

IBM WebSphere DataPower

USE CASES


IBM WebSphere DataPower Use Cases

[Figure: DataPower use cases placed across three zones (Public Domain / Internet, DMZ, Trusted Domain), between consumers and applications, including System z]
1 B2B Gateway
2 Security Gateway (Web Services, Web Applications)
3 Low Latency Gateway
4 Internal Security
5 Enterprise Service Bus
6 Web Service Management
7 Legacy Integration
8 XML Acceleration

Source: IBM 2009


Scenario 1 - B2B Gateway


Electronic Data Interchange (EDI) over the Internet
Handling Transactions for Partners
Message Transmission:
  AS2 (MIME/HTTP)
  AS3 (MIME/FTP)
Message Formats:
  ANSI X12
  EDIFACT
  Various Industries: UNTDI, ODETTE, HIPAA, HL7, VICS, VDA, UCS, ACORD
  XML
B2B Entry Point for WPS and WESB
Offloading for WebSphere Partner Gateway

Scenario 2 - Security Gateway

SSL Endpoint / SSL Termination
Authentication, Authorization and Audit (AAA)
Provide efficient Crypto Functions
  Encryption & Decryption
  Sign & Verify
Security Token Transformation
  SAML, LTPA
XML Threat Protection
  XDoS, MMXDoS
XML Schema Validation
Resource Masking

Scenario 3 - Low Latency Gateway

FIX Content Routing and Filtering
Transform FIX to FIXML
Bridge to MQ
Supported Messaging Patterns:
  Point-to-Point (+ Fan Out)
  Publish-Subscribe (+ Fan Out)
  Publish-Subscribe Relay

Scenario 4 - Internal Security

70% of attacks are from the inside
Do the same for the internal users as for the internet, partner etc.
>> Zone-Concept

Scenario 5 - Enterprise Service Bus

Protocol Bridging
Data Transformation
Service Orchestration
  Multiple services, aggregate, combine
Content Based Routing
  Based on Header and Payload
Dynamic Content Rendering
  HTML, Mobile Devices, WML

Scenario 6 - Web Service Management

Service Virtualization
Policy Management for WSDLs
WSDL Cache Policy
Integration with Service Registry (WSRR)
Service Level Monitoring
Service Priority
Notify, Shape, Throttle

Scenario 7 - Legacy Integration

Enable Legacy Systems to talk Web Services
  WebSphere MQ
  CICS
  IMS
  Tibco EMS
Special cases: Raw XML over TCP/IP
  Use with caution!

Scenario 8 - XML Acceleration

XSLT Transformation
XML Schema validation
XPath queries
XML Security Token Validation
SSL Acceleration

Use Case 1

WEB SERVICE VIRTUALIZATION SECURITY GATEWAY




Context
Existing WebServices for internal clients
Two different WSDLs, N operations each
Activities like Authentication, transformation, encryption, validation performed in the WAS Runtime running the WebServices

--> Now, a subset of the available operations needs to be exposed to partners / internet users

Full Exposure


Selective Exposure No DataPower


Selective Exposure With DataPower


Benefits
Higher security level
  Expose only as needed
  Single Point of entry
  Manage Services with common Policies
  Inspect payload
Less complexity in development
  Minimum set of WSDLs
  No need for standard DataPower Actions to be developed in the WAS Runtime (e.g. Transform, Verify)
Less complexity in the Operational Model
  No need for running additional services
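
Selective exposure as described in this use case, sketched in Python as an added example (not from the original slides and not DataPower configuration): an allowlist reduces an internal WSDL to the partner-facing subset, and a gateway-side check rejects requests for anything else. The service and operation names are hypothetical, and the check assumes the SOAP Body's single child element is named after the operation (RPC or wrapped document/literal style).

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("wsdl", WSDL_NS)

# Constructed internal WSDL skeleton; service and operation names are hypothetical.
INTERNAL_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="OrderService">
  <wsdl:portType name="OrderPort">
    <wsdl:operation name="getOrderStatus"/>
    <wsdl:operation name="createOrder"/>
    <wsdl:operation name="deleteCustomer"/>
  </wsdl:portType>
  <wsdl:binding name="OrderBinding" type="OrderPort">
    <wsdl:operation name="getOrderStatus"/>
    <wsdl:operation name="createOrder"/>
    <wsdl:operation name="deleteCustomer"/>
  </wsdl:binding>
</wsdl:definitions>"""

def restrict_wsdl(wsdl_text, allowed):
    """Return (partner_wsdl, removed_names): only allowlisted operations survive."""
    root = ET.fromstring(wsdl_text)
    removed = set()
    for section in ("portType", "binding"):
        for parent in root.iter(f"{{{WSDL_NS}}}{section}"):
            for op in parent.findall(f"{{{WSDL_NS}}}operation"):
                if op.get("name") not in allowed:
                    parent.remove(op)
                    removed.add(op.get("name"))
    return ET.tostring(root, encoding="unicode"), sorted(removed)

def exposed_operations(wsdl_text):
    ops = ET.fromstring(wsdl_text).iter(f"{{{WSDL_NS}}}operation")
    return sorted({op.get("name") for op in ops})

def request_allowed(soap_text, partner_wsdl):
    """Gateway check: the single SOAP Body child must name an exposed operation."""
    if "<!DOCTYPE" in soap_text:  # SOAP messages must not carry a DTD
        return False
    try:
        body = ET.fromstring(soap_text).find(f"{{{SOAP_NS}}}Body")
    except ET.ParseError:
        return False
    if body is None or len(body) != 1:
        return False
    operation = body[0].tag.rsplit("}", 1)[-1]  # strip the namespace part
    return operation in exposed_operations(partner_wsdl)
```

Messages and types that only the removed operations reference would also need pruning before the partner WSDL is published; the sketch leaves them out.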


Use Case 2

MQ CONNECTIVITY



Context
Connectivity between WAS at Partner A and WMQ at Partner B
Protocol to be used is MQ, payload is XML
XML payload is a proprietary format widely used within the organisation B
Connection is intercepted in the DMZ of Partner A with a single MQ-IPT

--> Due to various additional needs (Operability, Stability), the connection has to be made redundant

Using MQ IPT Simple


Using MQ IPT Failover


Using DataPower XI50


Benefits
Higher security level
  Inspect Payload upon termination
  AAA in DMZ
Less complexity in the Operational Model
  No need for MQ IPT
  No need for SIBus on WAS, incl. MQ Link
  No need for excessive Firewall configurations
Less complexity in development
  Stylesheet Transformation (XSLT) instead of full-fledged SIBus Mediations based on Java

Resources
IBM WebSphere DataPower SOA Appliance Handbook, Hines, Rasmussen, Ryan, ISBN 978-0-13-714819-6
IBM DataPower Product Page, http://www.ibm.com/software/integration/datapower/
IBM Support, http://www.ibm.com/support/
  WebSphere DataPower and WebSphere MQ interoperability documentation, http://www.ibm.com/support/docview.wss?uid=swg21255199
IBM Developerworks, http://www.ibm.com/developerworks/
  Integrating WebSphere DataPower SOA Appliances with WebSphere MQ, http://www.ibm.com/developerworks/websphere/library/techarticles/0703_crocker/0703_crocker.html
IBM Redbooks, http://www.redbooks.ibm.com/
  DataPower XM70 Use Cases and Patterns, REDP-4515-00, http://www.redbooks.ibm.com/abstracts/redp4515.html?Open
  IBM WebSphere DataPower B2B Appliance XB60 Revealed, SG24-7745-00, http://www.redbooks.ibm.com/abstracts/sg247745.html?Open

Questions & (hopefully) Answers

THANK YOU!


Disclaimer
The contents of this PowerPoint presentation and the related views expressed by the speaker are solely the views of the author and speaker and their respective entities, and do not necessarily reflect the opinions, views, or beliefs of any other person or entity, implied or otherwise. Accordingly, all correspondence concerning this presentation should be sent directly to the named speaker.

IBM, WebSphere, DataPower, WSRR, IT CAM for SOA, Tivoli Access Manager, Federated Identity Manager, XM70, XB60, XI50, XS40, XA35 are registered trademarks or trademarks of International Business Machines Corporation in the United States, other countries, or both.


BACKUP SLIDES


Zone Concept


One box in multiple Zones?
