Appliances And SOA Security; DataPower And Z . - SHARE

Transcription

Aug 4, 2010 17:53

Appliances and SOA Security; DataPower and Z Integration
Rich Salz, IBM
August 5, 2010, Session 7661

Agenda
- DataPower SOA Appliances
  – Products
  – Uses
- DataPower and Z
  – Subsystems
  – Load Distribution and High Availability
  – Security
  – Management
  – Tooling
- Summary

DataPower SOA Appliances

Why an Appliance for SOA?
- Integrated
  – Many functions integrated into a single device
  – Addresses the divergent needs of different groups (architects, operators, developers)
  – Integrates well with other IBM SWG and standards-based products
- Hardware reliability
  – Dual power supplies, no spinning media, self-healing capability, failover support
- Security
  – Higher levels of security assurance certifications require hardware (HSM, government criteria)
  – Inline application-aware security filtering and intrusion protection
- Higher performance with hardware acceleration
  – Wire-speed application-aware parsing and processing
  – Ability to perform costly XML security operations without slowdowns
- Consumability
  – Simplified deployment and management: up in minutes, not hours
  – Reduces need for in-house SOA skills and accelerates time to SOA benefits

DataPower Architecture
- Specialized compiler technology creates optimized executable object code from transformations (e.g. XSLT) that execute natively on hardware
- High-performing, throughput-optimized engine yields wire-speed capabilities
- Everything is viewed as a transformation that is extensible via DataPower custom extension functions
- Purpose-built hardware to execute SOA workloads and transformations

DataPower SOA Appliances Product Family
- Low Latency Appliance XM70
  – High volume, low latency messaging
  – Enhanced QoS and performance
  – Simplified, configuration-driven approach to LLM
  – Publish/subscribe messaging
  – High Availability
- Integration Appliance XI50
  – Hardware ESB
  – “Any-to-Any” conversion at wire-speed with WTX
  – Bridges multiple protocols
  – Integrated message-level security
- B2B Appliance XB60
  – B2B Messaging (AS2/AS3)
  – Trading Partner Profile Management
  – B2B Transaction Viewer
  – Unparalleled performance
  – Simplified management and configuration
- XML Security Gateway XS40
  – Enhanced Security Capabilities
  – Centralized Policy Enforcement
  – Fine-grained authorization
  – Rich authentication

Advantages of a DataPower Blade
- First-class support of new features: IPv6, 10GigE, XG4NG
- Increased load distribution and high availability options for optimized application support
- Configuration transparency: 1U and blade
- Opportunities for additional future integration
[Figure: DataPower XI50B Blade Appliance beside a DataPower XI50]

Use Cases
- Monitoring and control
  – Example: centralized ingress management for all Web Services using ITCAM SOA
- Deep-content routing and data aggregation
  – Example: XPath (content) routing on Web Service parameters
- Functional acceleration
  – Example: XSLT, WS-Security
- Application-layer security and threat protection
  – Example: XML Denial-of-Service protection, WS-Security
- Protocol and message bridging
  – Example: Convert between WS and legacy Cobol/MQ
[Figure: in-the-clear SOAP/HTTP from clients enters the appliance; encrypted and signed HTTP and Cobol/MQ leave it toward the service providers]
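As an added illustration of the application-layer threat protection use case above (example code written for this page, not DataPower's own XML firewall), the following Python check applies the kind of hard limits an XML/SOAP firewall enforces before a message reaches a back-end such as IMS or CICS: document size, nesting depth, element count, attribute count, and a flat refusal of DTDs. The limit values and the sample messages are constructed for the example.

```python
import xml.parsers.expat


class XmlThreatError(Exception):
    """Raised when a message breaks a limit; the gateway would reject the request."""

# Constructed limits for this example; a real gateway makes them policy settings.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 32, "max_elements": 10_000, "max_attributes": 64}


def check_xml(document: bytes, limits=LIMITS) -> dict:
    """Parse `document` under hard limits; return stats or raise XmlThreatError."""
    if len(document) > limits["max_bytes"]:
        raise XmlThreatError(f"{len(document)} bytes exceeds max_bytes")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse any DTD: entity expansion ("billion laughs") and external
        # entity references both need one, and SOAP messages never carry one.
        raise XmlThreatError(f"DOCTYPE '{name}' not allowed")

    def start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > limits["max_depth"]:
            raise XmlThreatError(f"nesting deeper than {limits['max_depth']}")
        if stats["elements"] > limits["max_elements"]:
            raise XmlThreatError(f"more than {limits['max_elements']} elements")
        if len(attrs) > limits["max_attributes"]:
            raise XmlThreatError(f"<{name}> has too many attributes")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stats.update(depth=stats["depth"] - 1)
    try:
        parser.Parse(document, True)          # exceptions from handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise XmlThreatError(f"malformed XML: {exc}") from exc
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}


def is_rejected(document: bytes) -> bool:
    """True if the check would drop the message."""
    try:
        check_xml(document)
        return False
    except XmlThreatError:
        return True

# Constructed sample messages (not captured traffic).
BENIGN_SOAP = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><getAccount><id>42</id></getAccount></s:Body></s:Envelope>'
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40   # depth 40 exceeds max_depth 32
ENTITY_DOC = b'<!DOCTYPE x [<!ENTITY e "ee">]><x>&e;</x>'
```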

Deployment Scenarios
[Figure: Internet users and internal users pass through packet filters into a SOA demilitarized zone, the intranet and a federated extranet; XS40 and XI50 appliances sit at the zone boundaries, numbered as follows]
1. Helps protect against incoming attacks; incoming access control
2. Outgoing access control, SAML injection, role mappings
3. Internal security
4. Web services management
5. Legacy transformation

DataPower and Z: Subsystem Integration

Integration Goals
- Enable Web Services interfaces to z Subsystems
- Enhance communication mechanisms and intelligence
  – Load distribution and high availability choices and optimizations
- Allow integrated and centralized security
  – Promote System z as the enterprise-wide security focal point
- Integrated system administration and monitoring
- Holistic approach focusing on all aspects of the SOA Lifecycle
- Unified map tooling
  – Used to build binary transformations, e.g. Cobol Copybook

IMS Integration (1): Web Services Security and Management for IMS Web services
- Content-based Message Routing
- Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
- XML/SOAP Firewall
- Data Validation
- Field Level Security
- XML Web Services Access Control/AAA
- Web Services Management
[Figure: SOAP/HTTP from the client passes through DataPower to the IMS SOAP Gateway or the WAS IMS connector]

IMS Integration (2)
- DataPower provides WS-enablement to IMS applications
- Customer codes a schema-dependent FFD or WTX data map to perform request/response mapping
- This is the preferred way to WS-enable IMS applications
- Requires MQ
  – MQ bridge to access IMS
  – MQ client is embedded in DataPower
  – Some push back against the MQ requirement due to cost and complexity issues
[Figure: Service Originator -> SOAP/HTTP -> DataPower XI50 (MQ Client) -> Cobol/MQ -> MQ Server -> MQ Bridge -> OTMA -> IMS Application on the z Service Provider]

IMS Integration (3): WS-Enablement
- Remove MQ requirement
  – MQ still best alternative for scenarios requiring transactional support
  – IMS has few alternatives (IMS SOAP Gateway is an entry-level solution)
- “IMS Connect Client” (back-side handler) natively connects to IMS Connect using its custom request/response protocol
- 3.8.0 adds: Automatic chunking and de-chunking
- 3.8.1 adds: Commit mode 1, Sync level commit
[Figure: SOAP/HTTP -> DataPower -> Cobol/TCP -> IMS Connect user exit (e.g. HWSSMPL0) -> OTMA -> IMS applications on the z Service Provider]

IMS Integration (4): IMS Proxy
- Bring DataPower value add to standard IMS Connect usage patterns
- Provide an “IMS Connect Client” on DataPower that natively connects to IMS Connect
- Provide an “IMS Connect Server” on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
  – Enables authentication checks, authorization, logging, SLM, transformation, routing, DB look-up, SSL offload, etc.
[Figure: Service Originator -> Cobol/TCP -> DataPower (“Server” then “Client”) -> Cobol/TCP -> IMS Connect user exit (e.g. HWSSMPL0) -> OTMA -> IMS applications on the z Service Provider]

DB2 Integration (1)
- Supports DB2, Oracle, Sybase, Microsoft
  – Parameter marking
  – Array-based operations
  – Perf enhancements
  – Stored procedures
  – Native XML processing
- Web service requests are augmented with information from the database (message enrichment)
- Supports writing to DB also
  – Logging and …
[Figure: the Service Originator's service request reaches DataPower, which consults DB2 and forwards an augmented service request to the Service Provider]

DB2 Integration (2)
- A standard WS façade to DB/2
  – Common tool (IBM Data Studio 1.2) generates WSDL and data mapping in both the Data Web Services runtime and DataPower
  – SOAP call is mapped to an ODBC (DRDA) invocation
- Exposes database content (information) as a service
[Figure: service provider façade: DB service request -> content transformation, XML to SQL (generated) -> DB2]

CICS Integration (1): Web Services Security and Management for CICS Web services
- Content-based Message Routing
- Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
- XML/SOAP Firewall
- Data Validation
- Field Level Security
- XML Web Services Access Control/AAA
- Web Services Management
- 3.8.0 adds: ID propagation
[Figure: SOAP/HTTP from the client passes through DataPower to CICS Web Services or the WAS CICS connector]

CICS Integration (2)
- DataPower provides WS-enablement to CICS
- Customer codes schema-dependent XSL/FFD/WTX to perform request/response mapping
- Requires MQ
  – MQ bridge to access CICS
  – MQ client capability is embedded in DataPower
[Figure: Service Originator -> SOAP/HTTP -> DataPower (MQ Client) -> Cobol/MQ -> MQ Server -> CICS Bridge -> CICS Application on the z Service Provider]

CICS Integration (3)
- DataPower provides WS-Security and XDoS protection to the CICS WS back-end
- User creates a schema-dependent transform to perform request/response mapping
- Payload transformation is pushed to DataPower
- SOAP Header information is required at the CICS WS back-end for correct operation, e.g. WS-AtomicTransactions
[Figure: service request as SOAP/HTTP -> DataPower -> SOAP with binary (Cobol) MTOM attachment -> CICS Web Services]

DataPower and Z: Load Distribution and HA

Application Optimization (AO): Self-Balancing and High Availability
- HA of Appliances: front-end IP load balancers are not needed for AO workloads
- Active/Passive failover of the distributor using standby control
- Failure of target appliances is masked by appropriate weighted distribution
[Figure: Clients -> self balancing (IP spraying) across the appliances -> Service Provider]

AO Intelligent Load Distribution (ILD)
- Request distribution, not connection distribution
- This provides better distribution under persistent connections
- Today: WAS ND and VE are supported
[Figure: Clients -> DataPower tier -> Tier 2 distribution using intelligent dynamic back-side load distribution; dynamic back-side information flows back from the target environment (here, WAS)]
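To make the self-balancing and ILD points above concrete, here is a toy simulation (constructed for this page, not DataPower's algorithm) in which one client holds a persistent connection and sends far more requests than the others. Connection distribution pins that whole stream to one target, request distribution spreads it evenly, and a zero weight masks a failed target as the self-balancing slide describes. Client names, target names and the workload are made up.

```python
from collections import Counter
from itertools import cycle

# Constructed workload: client -> requests sent over ONE persistent connection.
WORKLOAD = {"c1": 1000, "c2": 10, "c3": 10, "c4": 10}
TARGETS = ["dp1", "dp2"]


def connection_distribution(workload, targets):
    """Round-robin by connection: every request on a connection follows its target."""
    load = Counter({t: 0 for t in targets})
    choice = cycle(targets)
    for _client, n in workload.items():
        target = next(choice)        # decided once, when the connection is opened
        load[target] += n
    return dict(load)


def request_distribution(workload, targets, weights=None):
    """Weighted round-robin by request; weight 0 takes a failed target out of rotation."""
    weights = weights or {t: 1 for t in targets}
    healthy = [t for t in targets if weights[t] > 0]
    if not healthy:
        raise RuntimeError("no healthy targets")
    # One schedule in which each healthy target appears `weight` times.
    schedule = cycle([t for t in healthy for _ in range(weights[t])])
    load = Counter({t: 0 for t in targets})
    for _client, n in workload.items():
        for _ in range(n):
            load[next(schedule)] += 1   # decided per request, independent of connection
    return dict(load)


def imbalance(load):
    """Spread between the busiest and the idlest target; 0 means perfectly even."""
    return max(load.values()) - min(load.values())
```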

Distribution and HA Options Today
[Figure: Clients reach the DataPower tier through Tier 1 distribution options (z/OS Sysplex Distributor, a fronting IP sprayer, a z/Linux IP sprayer, or DataPower self balancing); the DataPower tier then uses Tier 2 distribution options (DataPower load distribution, or DataPower ILD with ODC) to reach any service provider on p, x, or z and WebSphere on p, x, or z. Red: connection distribution; black: request distribution]

Emerging Distribution and HA Strategies
[Figure: new Tier 1 distribution options (ASB, COD, DataPower self balancing on z/Linux) in front of the DataPower tier, with Tier 2 options (DataPower load distribution, DataPower ILD with ODC) to any service provider on p or x, WebSphere on z/OS or z/Linux, and WebSphere on p or x within a zBX. Red: connection distribution; black: request distribution]

DataPower and Z: Security Integration
San Francisco, CA, November 2 – November 6, 2009

Remote SAF Security Integration
- NSS provides a remote interface to RACF for I&A and access control requests. Can request RACF certificate name filtering. z/OS R10.
- Request NSS on z/OS to identify and authenticate administrative users and to perform access control operations when access to DataPower resources is requested. GA 3.7.2.
[Figure: the RACF administrator (TSO) manages RACF users and resources on z/OS; on the client platform, the NSS client acting for the target application or middleware sends I&A and access-control requests to NSS and receives responses; RACF writes audit records]

Crypto Integration
- NSS performs the requested key operation using certificates and keys stored in RACF
- Request NSS on z/OS to perform operations that require access to the RACF keyring. This includes signing, validating signatures during security initialization, key unwrapping, and key downloading.
[Figure: TLS endpoints on the client (target application or middleware) send NSS key requests and receive responses; NSS key services on z/OS use the RACF keyring]

DataPower and Z: Management Integration

Management Integration
- Monitoring: many different “levels” of monitoring, all are important
  – System-level monitoring (CPU, memory, SNMP)
  – Service-level monitoring (WS, SOAP, WSDM)
  – Business-level monitoring (key performance indicators, BPEL)
- Operational management
  – Configuration lifecycle management: need to manage disparate configuration assets in the deployment lifecycle (development through production)
  – Control firmware upgrades
- Runtime management
  – How can we dynamically configure and affect DataPower in collaboration with other runtimes in our enterprise?
  – Peer-to-peer approach vs. policy-driven approach: both are important

Monitoring Overview
- Allow for seamless views across different layers of abstraction
- Integrated Reporting: generate enterprise-wide service level reporting
[Figure: service consumers (SCA, WSRP, B2B, other) -> business processes, process choreography (WebSphere Business Monitor) -> services, atomic and composite (ITCAM for SOA) -> service components (ITCAM for WebSphere, ITCAM for Service Components) -> operational systems and supporting middleware (ITCAM for Apps, OMEGAMON XE family, ITM family; Unix, OS/390, MQ, DB2), all surfaced through an integrated console]

Thoughts on Operational Management
- Configuration management is an integral part of the Appliance Development Lifecycle
- Appliance Management Protocol (AMP) provides an appliance-generic SOAP interface for configuration deployment and firmware governance
  – Built on the notion of a configuration (domain) package (export)
  – Example: full-device backup and restore primitive
- DataPower Management Interface (DeMI) is a Java-based component that provides consistent higher level functions for broader multi-appliance management support
  – DeMI is embedded in WAS and ITCAMSE

DataPower and WMB
- Exploit DataPower for WS Security
  – Single tool and security policy description
  – Security best practices: WS-Security at the appropriate point in the topology
  – Built-in XML threat protection; hardened device
- Built-in service level management
  – Manage traffic using policy; WSDM and WS-Man
- Scale as volumes increase
  – Enhanced performance with SOA appliance
  – Add capacity when necessary
- Administration User Experience
  – Operational reconfiguration only
  – Applications and Message Flows unchanged
  – Right click on flow and select “Use DataPower”
- DataPower performs WS-Security processing and forwards the processed request to MB

AO Dynamic WebSphere Configuration
[Figure only]

Web Services Registry and Repository
- Use of a central repository can facilitate discovery and reuse of Web services:
  – WSRR and UDDI supported today
- Policy artifacts can be stored and updated via the repository
- Direction: increased types of policy (e.g. QoS/SLA)
- Push/retrieve configuration of new services to DataPower for enforcement
- Policy and security enforcement for SOA Governance on DataPower
[Figure: Tivoli Composite Application Manager records and alerts; the Registry/Repository holds policies; the SOA appliance discovers services and policy, monitors services, and enforces security between Web Services clients and the Web Services application server, alongside Tivoli Access Manager]

DataPower and Z: Tooling

WTX Design Studio Integration
WTX Design Studio in DP mode (Windows); the user chooses to compile/test on DP.
1. Client develops transformations in DP mode
2. Client chooses compile/execute from WTX Design Studio
3. Map Designer transmits transformations to the XI50
4. DataGlue engine runs, returning any errors back to WTX Design Studio
5. DataGlue loads the transformations
6. Transformation executes
7. Logs and output are transferred back to WTX Design Studio for examination
[Figure: WTX Design Studio uses SOAP with attachments to communicate with the XI50; the XI50 Transform Action runs the DataGlue engine, whose translator turns Application Message A into Application Message B]

Summary – IBM SOA Appliances and System z
- DataPower improves System z resources
- Integration increases collaborative synergy across DataPower and z platforms
- Broad integration with System z
  – Subsystem: higher performance with hardware acceleration
  – Networking: comprehensive load distribution and HA options
  – Security: higher levels of security assurance certifications require hardware
  – Management: simplified deployment and ongoing management
  – Tooling: consistent tooling across IBM products
- DataPower/SOA Appliances: creating customer value through extreme SOA performance and security
  – Simplifies SOA with specialized devices
  – Accelerates SOA with faster XML throughput
  – Helps secure SOA XML implementations
