Datapower Xa/Xs/Xi Appliance: New in Version 3.8.0
380DataPower.ppt Page 1 of 43
New 3.8.0 features
This list is a snapshot of the new features and of the improvements made to existing
functionality. "DataPower option for Application Optimization", "MQ Enhancement",
"zKeys support", "Online Certificate Status Protocol", "Microsoft WCF integration" and
"Tivoli Security Policy Manager Integration" are covered separately. This set of slides
covers all the remaining new features and enhancements for firmware release 3.8.0.
Support for remote DPA
type xformbin
input INPUT
tx-mode dpa
tx-map http://192.168.3.59:2065/MyMap.dpa
output trx-bin
To do a binary transformation, such as XML to binary or binary to XML, use the xformbin
action and specify a DPA file as the WTX map.
Before release 3.8.0, the xformbin action could only use a DPA file in a local directory.
Now you can specify a DPA file on a remote server instead. It is fetched from the remote
server to do the binary transformation.
Support for remote DPA (continued)
admin-state enabled
......
Only two protocols are supported: http and https. Others, such as ftp and mq, are not
supported.
The DPA file is fetched for every transaction. However, the map does not change often,
so to improve performance you should enable the document cache for DPA files. The file
is then fetched and cached.
DataPower Oracle RAC support
Oracle database high availability
RAC example - Topology
RAC example – DataPower perspective
Database ID
(Oracle SID) ServiceName
RAC example – Behind the scenes
RAC connection
ServiceName
RAC configuration
RAC configuration - Caveat
Ability to customize deployment policy
Before 3.8, users had to manually enter the configuration property that they wanted the
Deployment Policy to affect. They can now use a dropdown list to choose the appropriate
property.
SOMA modify-config improvement
• SOMA modify-config can now update properties that are a vector of complex properties with
an index
  – BaseWSDL is an example of a property that is a vector of complex properties with an
  index (WSDLSourceLocation)
    • The modify-config operation uses the index to determine what to add and what to
    replace.
  – There are two other types of vector properties, both of which will have all their members
  replaced by a modify-config. This is the same behavior as before 3.8.0
    • Vectors of complex properties without indexes
    • Simple vectors: The property contains a list of values.
Before 3.8, you could not use the SOMA modify-config request to modify configuration object properties that are a vector
of complex properties.
The most common configuration object property that you might have been frustrated in trying to modify was the BaseWSDL
property of WSGateway objects.
The BaseWSDL property of a WSGateway is a vector of complex properties. Before 3.8.0, a vector of complex properties
was always replaced by a SOMA modify-config request. Now modify-config merges the elements of an indexed
vector of complex properties with the existing indexed vector property elements.
Resulting configuration from applying previous SOMA request before 3.8.0
<WSGateway name="myWSGW">
  <BaseWSDL>
    <WSDLName>b.wsdl</WSDLName>
  </BaseWSDL>
</WSGateway>
Resulting configuration from applying the same SOMA request in 3.8.0
<WSGateway name="myWSGW">
  <BaseWSDL>
    <WSDLName>a.wsdl</WSDLName>
  </BaseWSDL>
  <BaseWSDL>
    <WSDLName>b.wsdl</WSDLName>
  </BaseWSDL>
</WSGateway>
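The merge-versus-replace rule described above, as an added Python model (not code from the slides, the appliance or the SOMA API). The function name, the `merge_indexed` switch and the `local:///` source locations are constructed for illustration; only the BaseWSDL, WSDLSourceLocation and WSDLName names come from the slides.

```python
from copy import deepcopy

def modify_config(existing, request, index_key=None, merge_indexed=True):
    """Model how modify-config updates one vector property.

    existing, request: lists of members (dicts for complex properties,
    plain strings for simple vectors).
    index_key: name of the index property, or None when the vector has no index.
    merge_indexed: True models 3.8.0, False models earlier firmware.
    """
    # Unindexed complex vectors and simple vectors: all members are replaced.
    # Before 3.8.0 the same happened to indexed vectors as well.
    if index_key is None or not merge_indexed:
        return deepcopy(request)

    merged = deepcopy(existing)
    position = {member[index_key]: i for i, member in enumerate(merged)}
    for member in request:
        key = member[index_key]
        if key in position:
            merged[position[key]] = deepcopy(member)   # same index: replace
        else:
            position[key] = len(merged)
            merged.append(deepcopy(member))            # new index: add
    return merged

# Constructed sample data: the gateway already has a.wsdl, the request carries b.wsdl.
EXISTING = [{"WSDLSourceLocation": "local:///a.wsdl", "WSDLName": "a.wsdl"}]
REQUEST = [{"WSDLSourceLocation": "local:///b.wsdl", "WSDLName": "b.wsdl"}]

def wsdl_names(members):
    """Return the WSDLName of each BaseWSDL member, in order."""
    return [m["WSDLName"] for m in members]

if __name__ == "__main__":
    old = modify_config(EXISTING, REQUEST, "WSDLSourceLocation", merge_indexed=False)
    new = modify_config(EXISTING, REQUEST, "WSDLSourceLocation")
    print("before 3.8.0:", wsdl_names(old))
    print("3.8.0:       ", wsdl_names(new))
```

Automation written against pre-3.8.0 firmware that relied on modify-config to drop an old BaseWSDL entry will leave that entry in place under the merge behaviour.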
New all-domains CLI command
The new all-domains CLI command allows an administrator to enable or disable the admin
state of all the domains on an appliance. This new command is useful in problem
determination, where one or more domains are interfering with the operation of the
appliance.
Better support of IMS messages > 32K using segmentation (1 of 3)
Better support of IMS messages > 32K using segmentation (2 of 3)
This is an example of the page in the WebGUI where message segmentation can be
configured. It can also be configured using the CLI.
Better support of IMS messages > 32K using segmentation (3 of 3)
Support for IMS-LLLL response header (1 of 2)
• Some responses from IMS contain an initial 4-byte LLLL header, the total response
message length
• Pre-3.8.0: these responses resulted in errors, as DataPower did not accept them
• 3.8.0: a toggle is included in the IMS Connect object configuration to specify whether to
expect this header
Support for IMS-LLLL response header (2 of 2)
This is an example of the page in the WebGUI where the LLLL Response Header can be
configured. It can also be configured from the CLI.
Up to 175 custom log categories are now supported
• A custom log category has to be unique across the entire appliance.
• The same category cannot be used in multiple domains.
WS-Proxy support of non-HTTP backend (1 of 3)
• The goal was to make WMQ, WebSphere® JMS and Tibco EMS more usable as a back end of
WS-Proxy.
• Before 3.8.0
  – WMQ, JMS and EMS could be used as a WS-Proxy backend only by using dynamic routing
  (action or service variable)
  – DP-specific protocols (dpmq://, dptibems://, dpwasjms://, mq:// and tibems://) were not
  supported for endpoint binding in the actual WSDL file.
The goal is to provide the support without using dynamic routing, and to provide a way to
express the support in the WSDL.
WS-Proxy support of non-HTTP backend (2 of 3)
• WMQ, Tibco EMS and WebSphere JMS become first-class citizens both in the WS-Proxy
wizard and on the WS-Endpoint Rewrite Policy object screens.
• The WS-Proxy wizard has been changed to show only the properties relevant for the selected
protocol, that is, Queue Manager if dpmq:// is selected, WebSphere JMS Server if
dpwasjms:// is selected, and so on.
• WMQ, EMS and JMS protocols are supported for service binding in WSDL:
<service name="ActivityServices">
  <port name="ActivityServicesSoap" binding="s0:ActivityServicesSoap">
    <soap:address location="dpmq://QM/?RequestQueue=Q1&amp;ReplyQueue=Q2"/>
  </port>
</service>
In 3.8.0, WMQ, Tibco EMS and WebSphere JMS become first-class citizens in the WS-Policy
wizard, and they can be selected from the WebGUI.
In addition, the given protocol can be expressed in the WSDL directly.
WS-Proxy support of non-HTTP backend (3 of 3)
Support Tibco EMS map messages (1 of 3)
This feature allows DataPower to convert the map message to XML format, for future
processing.
Support Tibco EMS map messages (2 of 3)
<Message>
<Array>
<Element>100000</Element>
<Element>25</Element>
</Array>
</Field>
<Field name="stringy" type="string">This is a quick brown fox.</Field>
</Message>
</Field>
</Message>
</Field>
Support Tibco EMS map messages (3 of 3)
The green box is the Tibco EMS server and the blue one is the DataPower appliance.
The message is converted to XML on the DataPower appliance for processing, and the output
is converted from XML to a format that Tibco EMS understands.
Tibco EMS and WebSphere JMS transactions
• The goal was to provide the same level of transaction support that exists for WMQ
• Visible changes
  – URL Opener parameter "Transactional": makes the EMS or JMS call part of a transaction.
  – URL Opener parameter "Sync": performs a COMMIT after the Send operation.
• Other changes
  – The transacted JMS session is shared between the FSH, the back side and processing actions to
  provide guaranteed "once-and-only-once" message delivery.
  – Error handling is coupled with transaction semantics; var://service/error-ignore commits
  transactions in case of error.
New version of XMS library
JMS session allocation for transaction
This provides transaction semantics that cover both the front end and the back end, which
guarantees that the message will be delivered. It should be similar to what MQ provides in
its transaction support.
TCP window scaling
This provides a way to turn TCP window scaling on or off. The default value is on.
Some network environments may require this setting to be off, and this provides a way to
turn off TCP window scaling.
HTTP headers retention policy (1 of 3)
You can modify the policy from either the WebGUI or the CLI.
HTTP headers retention policy (2 of 3)
HTTP headers retention Policy (3 of 3)
Support for ICRX token (1 of 3)
The ICRX token is used to support Distributed ID Propagation among different IBM
products.
The scenario is similar to the one that uses LTPA: DataPower is placed between other
applications to do the security or token conversion.
The ICRX is binary data that contains the IDID; both are defined by the z/OS RACF development team.
The ICRX, as a WS-Sec token, is then base-64 encoded and wrapped as a WS-Security
Binary Security Token.
Support for ICRX token (2 of 3)
• How to use it?
  – Configure an AAA Policy as usual for access control
  – Use the new PP method to convert the token to ICRX
The AAA identity, authentication, resource and authorization processing work as usual for access control
and consume the input message/token.
The authenticated user information, called the mapped-credential in the AAAPolicy, is then converted by the
</soapenv:Header>
<soapenv:Body>
Support for ICRX token (3 of 3)
• Customization
  – The ICRX is generated with the User DN and Realm, which are un-escaped UTF-8 strings.
  – User DN is taken from the AAA mapped-credentials, attempted in the following order:
      The <username/> element value. Programmable.
      Or the certificate's subject DN if the authentication was "validate-signer".
      Or the SSL client certificate's subject DN if the authentication was "client-ssl".
      Or the X509 BST token subject DN value if the authentication was based on the BST token extracted from the EI
      step.
      Otherwise, the string value of the whole mapped-credential is used, as with "zosnss" or "ldap"
      authentication.
  – User Realm is taken from the AAA config or mapped-credentials, attempted in the following order:
      The "ICRX Realm" setting, if it is not empty. One static value per AAAPolicy.
      Or the value of the <realm/> element in the mapped-credential, if it exists. Programmable.
      Or the value of the <configured-realm/> element in the mapped-credential, if it exists.
      Otherwise, the ICRX realm is an empty string.
The IDID contains the DN and Realm. In both, each UTF-8 hexpair escape has been un-escaped
into a byte, as required by the RACFMAP command. For example, the sequence {'\\', 'A', 'B', '\\', 'C', 'D'}
is actually {0xAB, 0xCD} in the IDID.
The User DN info from DataPower is in LDAP DN format, not X.500 format.
The ICRX is generated with the out-of-box AAA methods as defined above.
You can also use the Map Credential method to customize its output; DataPower then
uses the programmable result for the User DN or User Realm.
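The realm precedence and the hexpair un-escaping described above, as an added Python sketch (not DataPower code and not taken from the slides). The function names and the sample mapped-credential wrapper are constructed; only the `<realm/>` and `<configured-realm/>` element names and the `\AB\CD` example come from the slides, and leaving non-hexpair escapes unchanged is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# A backslash followed by a hexpair (group 1) or by any other byte (group 2).
# Consuming "\\" as one unit stops an escaped backslash from being misread
# as the start of a hexpair.
ESCAPE = re.compile(rb"\\(?:([0-9A-Fa-f]{2})|(.))", re.DOTALL)

def unescape_hexpairs(value: str) -> bytes:
    """Replace each backslash + two hex digits with the single byte it names.

    Everything else is emitted as UTF-8. Escapes that are not hexpairs are
    left unchanged (assumption: the slides only describe hexpairs).
    """
    def repl(match):
        if match.group(1) is not None:
            return bytes([int(match.group(1), 16)])
        return match.group(0)
    return ESCAPE.sub(repl, value.encode("utf-8"))

def select_realm(icrx_realm_setting: str, mapped_credential_xml: str) -> str:
    """Apply the User Realm precedence listed on the slide."""
    if icrx_realm_setting:                       # static "ICRX Realm" setting wins
        return icrx_realm_setting
    root = ET.fromstring(mapped_credential_xml)
    for tag in ("realm", "configured-realm"):    # then <realm/>, then <configured-realm/>
        node = next(root.iter(tag), None)
        if node is not None:
            return node.text or ""
    return ""                                    # otherwise an empty realm

def idid_fields(user_dn: str, icrx_realm_setting: str, mapped_credential_xml: str):
    """Return the (DN bytes, realm bytes) pair that would be placed in the IDID."""
    realm = select_realm(icrx_realm_setting, mapped_credential_xml)
    return unescape_hexpairs(user_dn), unescape_hexpairs(realm)

# Constructed sample: the wrapper and entry elements are illustrative only.
SAMPLE_MAPPED_CREDENTIAL = """<mapped-credentials>
  <entry>
    <realm>realmA</realm>
    <configured-realm>realmB</configured-realm>
  </entry>
</mapped-credentials>"""

if __name__ == "__main__":
    dn, realm = idid_fields(r"CN=J\C3\BCrgen,O=Example", "", SAMPLE_MAPPED_CREDENTIAL)
    print(dn, realm)
    print(unescape_hexpairs("\\AB\\CD").hex())
```

Because the un-escaped bytes are what the RACFMAP mapping is matched against, a filter written against the escaped LDAP form of a DN will not match the identity that arrives in the IDID.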
Flow control
Flow control helps stream large documents through the DataPower appliance without incurring
memory growth on the appliance.
Configuring an MPGW with flow control
This screen capture shows the bottom of a Multi-protocol Gateway configuration page with
required attributes highlighted.
How to troubleshoot flow control
• During a large file transfer, monitor the memory usage with the CLI command "show mem".
Once the transaction is started you should not see any growth in Memory Usage.
Unauthorized access prohibited.
login: admin
Password: *****
Memory Usage: 45 %
xi50#
Support of DELE command in transparent mode
You can now delete files over FTP: RFC 959 DELE support was added to the FTP front
side protocol handler in transparent mode. The DELE command must be enabled in the
FSH configuration.
Support of DELE command in Transparent Mode (continued)
The ability to delete files with SFTP front side handler was added by enabling the
SSH_FXP_REMOVE command. This must be enabled in the FSH configuration.
Feedback
You can help improve the quality of IBM Education Assistant content by providing
feedback.
Trademarks, copyrights, and disclaimers
IBM, the IBM logo, ibm.com, and the following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law
trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM
trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml
Microsoft, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries, or both.
Java, and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This document could include technical inaccuracies or
typographical errors. IBM may make improvements or changes in the products or programs described herein at any time without notice. Any statements regarding IBM's future direction
and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services does not imply
that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this
document is not intended to state or imply that only that program product may be used. Any functionally equivalent program, that does not infringe IBM's intellectual property rights, may be
used instead.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products
are warranted, if at all, according to the terms and conditions of the agreements (for example, IBM Customer Agreement, Statement of Limited Warranty, International Program License
Agreement, etc.) under which they are provided. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related
to non-IBM products.
IBM makes no representations or warranties, express or implied, regarding non-IBM products and services.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright
licenses should be made, in writing, to:
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. All customer examples described are presented as illustrations of
how those customers have used IBM products and the results they may have achieved. The actual throughput or performance that any user will experience will vary depending upon
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance
can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Note to U.S. Government Users - Documentation related to restricted rights-Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract and IBM Corp.