Introduction to DataPower SOA Appliances

© Copyright IBM Corporation 2009


Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 5.3
4.0
Unit objectives
After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA
Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances
in an enterprise architecture



XML-aware networking
After completing this topic, you should be able to:
• Explain the role of XML in a service-oriented architecture
(SOA)
• Identify the uses of XML within an SOA
• Explain the disadvantages and threats with deploying XML-
based applications in the enterprise
• Describe the features in an XML-aware network layer that
mitigate the risks of deploying XML-based applications



Role of XML in SOA
• Extensible Markup Language (XML) provides a text-based,
human-readable scheme for describing information in a
structured format
• Its simplicity and self-describing nature make XML popular as
an interoperable data format
• XML is becoming the way to:
– Exchange data between disparate systems within and outside of an
enterprise system
– Enable application functions as interoperable services
• XML is also the foundation for a number of SOA specifications.



Uses of XML in SOA

Figure: an order management Web application on IBM WebSphere Application Server, a customer billing application on IBM WebSphere Process Server, and a customer database on IBM DB2 Universal Database, with a security server (IBM Tivoli Access Manager). Numbered flows: (1) WSDL interface descriptions, (2) SOAP messages, (3) security tokens, (4) security assertion, (5) XML data.

Some SOA specifications based on XML

Specification           Description
XML schema              Describes the structure of an XML document using an XML syntax.
SOAP                    Provides a standard structure for Web services request and response messages, in XML format.
WSDL                    Provides a language for defining the interface and binding details of a Web service. WSDL documents are XML documents.
XSLT                    The language for transforming XML documents to another format. Transform templates are described using XML.
XPath                   A platform-independent syntax for addressing parts of an XML document tree.
XML digital signatures  Provides a standard for storing digital signatures of XML documents, in XML format.
XML encryption          Provides a standard for storing encrypted parts of an XML document, in XML format.
SAML                    Provides a standard for stating security assertions. Assertions can be written in an XML format.


Disadvantages and threats with XML
• As a text-based, human-readable protocol, XML tends to be more verbose
  – Parsing, processing, and transforming XML data incur significant overhead for application servers
• XML introduces new threats and security exposures
  – Most companies disable XML validation due to performance costs
  – Traditional network security devices do not protect against a new class of XML-based attacks, such as:
    • Entity expansion and recursion
    • Malicious includes
    • XML encapsulation
• Dealing with XML-based applications becomes a compromise between performance and security

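The "basic XML threat protection" that an XML-aware device applies before a message reaches the application server amounts to a set of structural checks performed while streaming the document, before any entity is expanded. The following Python example, written for this page and not taken from DataPower or any IBM product, shows such a screen against the three attack classes listed above: it refuses any DOCTYPE (so entity expansion and recursion never start), refuses XInclude elements (malicious includes), and caps nesting depth, element count and message size. The limits and the sample messages are constructed for illustration.

```python
"""Pre-parse screening of XML messages, modelled on what an XML firewall does.
Added example; not DataPower code.  MAX_* limits are assumed values."""
import xml.parsers.expat

MAX_DEPTH = 32          # assumed limit on element nesting (recursion attacks)
MAX_ELEMENTS = 10_000   # assumed limit on the number of elements in one message
MAX_BYTES = 1_000_000   # assumed limit on raw message size
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class XmlThreatRejected(Exception):
    """Raised when a message violates one of the screening rules."""


def screen_xml(data: bytes) -> dict:
    """Stream-parse `data` with expat, stopping at the first rule violation.

    Returns {"max_depth", "elements"} for a message that passes, otherwise
    raises XmlThreatRejected.  Because the checks run inside parser callbacks,
    a DOCTYPE is refused before its entity declarations are ever read.
    """
    if len(data) > MAX_BYTES:
        raise XmlThreatRejected(f"message larger than {MAX_BYTES} bytes")

    # namespace_separator=" " makes element names "<uri> <local>", so an
    # include element is recognised by namespace rather than by prefix.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity expansion bombs and external-entity includes both need a DTD.
        raise XmlThreatRejected("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            raise XmlThreatRejected("XInclude elements are not accepted")
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > MAX_DEPTH:
            raise XmlThreatRejected(f"nesting deeper than {MAX_DEPTH}")
        if state["elements"] > MAX_ELEMENTS:
            raise XmlThreatRejected(f"more than {MAX_ELEMENTS} elements")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlThreatRejected(f"malformed XML: {exc}") from exc
    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def classify(data: bytes) -> str:
    """Return 'pass' or the rejection reason; handy for logging and tests."""
    try:
        screen_xml(data)
        return "pass"
    except XmlThreatRejected as exc:
        return str(exc)


# Constructed sample messages (not captured traffic).
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getOrder><id>42</id></getOrder></soap:Body>
</soap:Envelope>"""
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY e "text"> ]>
<x>&e;</x>"""
DEEP = b"<a>" * 40 + b"</a>" * 40
WITH_INCLUDE = (b'<doc xmlns:xi="http://www.w3.org/2001/XInclude">'
                b'<xi:include href="other.xml"/></doc>')

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("dtd", WITH_DTD),
                       ("deep", DEEP), ("xinclude", WITH_INCLUDE)]:
        print(f"{label:9s} -> {classify(msg)}")
```

The screen runs before the message is handed to a full parser or to schema validation, which is the point of doing it on a gateway: the expensive steps are only spent on messages that have already passed the cheap structural rules.
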
Web services as a security risk
• One of the advantages of Web services is the ability to easily expose back-end systems to business partners and customers
  – Web services often leverage HTTP, a widely supported protocol that is not blocked in most company networks
• Traditional Web servers and proxy servers do not inspect XML and SOAP traffic for attacks

Figure: binary traffic and XML traffic over HTTP flowing from an external client across the Internet, through the demilitarized zone (DMZ), into the intranet.

Solution: Integrate an XML-aware network layer
• Address performance and security concerns with XML-aware network devices that accelerate and secure XML processing
  – These network devices complement your existing network infrastructure
  – XML-aware network devices also offload processor-intensive XML processing and security tasks from your application infrastructure
• SOA appliances provide a quick way to deploy an XML-aware network layer

Figure: an XML-aware network layer.

SOA appliances in detail
• SOA appliances are purpose-built, easy-to-deploy network devices that accelerate and secure your XML and Web services deployments
• Compared to software solutions, SOA appliances are:
  – Simpler to manage
  – Easier to scale
  – Easier to secure
  – Quicker to deploy
  – More robust against attacks
  – More cost-effective: they provide lower total cost of ownership (TCO)
• IBM WebSphere DataPower SOA appliances are one of the leaders in the SOA appliance space

DataPower SOA appliances: Built for security
• Consist of sealed network-resident devices in a tamper-proof
case
• Have no drives, no USB ports, and no spinning media
• Offer optimized hardware, firmware, and an embedded
operating system
• Single signed or encrypted firmware image prevents attackers
from installing arbitrary software
• By default, appliances ship with a locked-down configuration
• Offer secure hardware storage of encryption keys and locked
audit log
• Security vulnerabilities were minimized by using few third-party
components



DataPower SOA appliances: Purpose-built solution

Figure: side-by-side comparison. Left, purpose-built hardware and firmware (IBM WebSphere DataPower XML Security Server appliance): a single configuration, firmware containing a C library and an XML library, and hardware with XML acceleration and crypto acceleration. Right, general-purpose hardware and software: proprietary software, Web server, application server, database server, development platform and server daemon on an operating system, each with its own configuration, on hardware with a CD-ROM drive, floppy drive, USB port and hard disk.


DataPower SOA appliances provide both performance and security
• As a hardware solution, DataPower processes XML data near wirespeed
• DataPower appliances protect networks against traditional and new XML-based attacks
• With DataPower, there is no compromise: you get both performance and security in one package

Figure: XML traffic over HTTP from an external client across the Internet, through the demilitarized zone (DMZ) where the appliance sits, into the intranet.

Topic summary
Having completed this topic, you should be able to:
• Explain the role of XML in promoting interoperability in an SOA
• Identify the uses of XML within an SOA:
  – Provides a platform-neutral interface format
  – Defines a platform-neutral messaging format
  – Encapsulates security metadata, such as tokens and assertions
  – Enables information as a service, as opposed to implementation-specific database protocols
• List the disadvantages and risks associated with XML adoption
  – Lower performance compared to a compressed, binary format
  – New class of attacks not anticipated by traditional devices
• Explain how SOA appliances accelerate and secure XML-based applications


DataPower SOA appliance use cases
After completing this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere
DataPower SOA appliances



Use cases for SOA appliances
1. Securing Web services
  – Provide secure access to back-end systems for business partners and customers
2. Legacy integration and hub mediation
  – Enable mainframe or legacy applications as Web services
3. Web services management
  – Monitor and shape Web service traffic through service level management
4. Portal acceleration
  – Speed up XML-to-HTML rendering for dynamic content generation


Use case 1: Securing Web services
• Traditional network security devices do not secure XML or SOAP-based traffic
  – By design, IP firewalls do not distinguish between Web browser traffic and application calls over HTTP
  – Externally facing Web services are not protected against XML-based attacks
• Augment your existing network security infrastructure with XML-aware network devices acting as an XML firewall
  – First level:
    • Deploy an XML Security Gateway to efficiently screen potential XML-based attacks at wirespeed
  – Second level:
    • Leverage the security of existing application servers for additional processing


Layers of security for XML-based applications

Figure: three numbered security layers (1, 2, 3) between the external client, the demilitarized zone (DMZ) and the intranet.


Use case 2: Legacy integration and hub mediation
• DataPower SOA Integration Appliance XI50 features any-to-any transformation
  – The DataGlue engine within the DataPower SOA appliance uses XSL transforms to manipulate non-XML data
  – Quickly provide a Web service endpoint to COBOL applications without the use of complex connectors
• As a gateway to legacy systems, the Integration Appliance XI50 provides:
  – Protocol bridging
  – Data transformation
• DataPower SOA appliances can efficiently transform, route, and log messages among XML applications and Web services


Enable Web services for legacy applications

Figure: XML Web services requests arrive at the appliance, which converts them to WebSphere MQ messages: a "Put" on the request queue, and a "Get" from the reply queue.


Content-based routing

Figure: an external client (1) sends a purchase order to the DataPower SOA appliance (2), which routes it to either Purchase order Service V2 (3) or Purchase order Service V1 (4) on the application servers.
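The routing figure and the "transform, route, and log" bullet on the previous slide describe one decision: inspect the message payload and pick the back-end service for it, recording what was done. The Python example below, added here and not code from DataPower or IBM, implements that decision for SOAP purchase orders with the standard library only. It keys the route on the namespace of the body payload (an assumed convention, as are the two namespaces and the two back-end URLs) and writes an audit record for every message, routed or rejected.

```python
"""Content-based routing of SOAP messages with an audit trail.
Added example; not DataPower code.  Namespaces, URLs and samples are assumed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed routing table: payload namespace -> back-end endpoint.
ROUTES = {
    "urn:example:purchaseorder:v1": "http://po-v1.internal.example/PurchaseOrder",
    "urn:example:purchaseorder:v2": "http://po-v2.internal.example/PurchaseOrder",
}

AUDIT_LOG: list[dict] = []   # in-memory stand-in for on-board / off-device logging


class RoutingError(Exception):
    """The message carries no payload this gateway knows how to route."""


def route(message: bytes) -> tuple[str, str]:
    """Return (operation, backend_url) for a SOAP message.

    The routing key is the namespace of the first child of soap:Body; the
    operation name is that child's local name.  Messages are expected to have
    passed threat screening already: ElementTree is not a hardened parser.
    """
    root = ET.fromstring(message)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise RoutingError("no SOAP body payload")
    payload = body[0]
    if not payload.tag.startswith("{"):
        raise RoutingError("payload element is not namespace-qualified")
    namespace, operation = payload.tag[1:].split("}", 1)
    try:
        return operation, ROUTES[namespace]
    except KeyError:
        raise RoutingError(f"no route for namespace {namespace}") from None


def dispatch(message: bytes, client_ip: str) -> dict:
    """Route one message, append an audit record, and return that record."""
    try:
        operation, backend = route(message)
        record = {"client": client_ip, "operation": operation,
                  "backend": backend, "status": "routed"}
    except (RoutingError, ET.ParseError) as exc:
        record = {"client": client_ip, "operation": None,
                  "backend": None, "status": f"rejected: {exc}"}
    AUDIT_LOG.append(record)
    return record


def _envelope(payload: str) -> bytes:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{payload}'
            f'</soap:Body></soap:Envelope>').encode()


# Constructed sample messages (not captured traffic).
PO_V1 = _envelope('<po:PurchaseOrder xmlns:po="urn:example:purchaseorder:v1">'
                  '<po:id>1001</po:id></po:PurchaseOrder>')
PO_V2 = _envelope('<po:PurchaseOrder xmlns:po="urn:example:purchaseorder:v2">'
                  '<po:id>1002</po:id><po:currency>EUR</po:currency></po:PurchaseOrder>')
PO_UNKNOWN = _envelope('<po:PurchaseOrder xmlns:po="urn:example:purchaseorder:v9"/>')
EMPTY_BODY = _envelope("")

if __name__ == "__main__":
    for msg in (PO_V1, PO_V2, PO_UNKNOWN, EMPTY_BODY):
        print(dispatch(msg, "203.0.113.10"))
```

Keying on the namespace rather than on a version string inside the document means a client cannot be routed to V2 by merely claiming a version number in a field the V1 schema does not define; the namespace is what the back-end schema actually validates.
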


Use case 3: Web service management
• In addition to monitoring against XML-based threats, XML-aware networks need to enforce service level agreements (SLA)
  – Record the amount and duration of Web services requests
  – Notify system administrators if service levels are not met
  – Automatically reduce traffic frequency in order to avoid overloading back-end systems
  – Limit or block traffic from a particular host
• DataPower SOA appliances can enforce an SLA in addition to a security policy
  – Service levels and monitoring can be applied at the endpoint, service, or operation level


Enforce service level agreements with DataPower SOA appliances

Policy 1: Block clients that make more than 500 requests per minute. Clients are identified by their IP address.

Policy 2: Throttle (reduce the rate of) traffic from clients that make more than 100 requests per minute.



Use case 4: Accelerate dynamic Web sites
• Dynamic Web sites use XML to pass information flexibly between application layers
  – Sites use XML to encapsulate data between different application layers
  – In the final step, the presentation layer transforms XML data into an HTML Web page
• However, XSL transformation creates performance problems on the portal server
• Offloading processor-intensive XML transformations to the DataPower SOA appliance significantly frees up resources on the application server
  – Include XML-PI (processing instructions) in a raw XML response from the portal server
  – The XML parser within the DataPower SOA appliance automatically applies the XSL transformation without additional configuration

Accelerate dynamic Web sites

Figure: the application server or portal server returns a raw XML response (1); the DataPower SOA appliance applies the XSL transform (2) and delivers the resulting HTML Web page (3) to the external client.


Topic summary
Having completed this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere
DataPower SOA appliances:
– Secure Web service and XML applications
– Integrate legacy systems
– Provide centralized Web service management
– Accelerate content rendering of dynamic Web sites



Introduction to DataPower SOA appliances
After completing this topic, you should be able to:
• Describe the different features in the IBM WebSphere
DataPower SOA Appliance product line
• Identify the sections of the TCP/IP network protocol stack that
are secured by DataPower SOA appliances



IBM WebSphere DataPower product line
• WebSphere DataPower XML Accelerator XA35
  – Offloads processor-intensive XML processing and transformation tasks from application servers
• WebSphere DataPower XML Security Gateway XS40
  – Acts as a security policy enforcement point for XML applications and Web services
• WebSphere DataPower Integration Appliance XI50
  – Provides ESB functionality, bridging protocols and performing any-to-any transformations
• WebSphere DataPower Low Latency XM70
  – Delivers low latency messaging and routing for data distribution
• WebSphere DataPower B2B Appliance XB60
  – Purpose-built B2B hardware providing AS2 and AS3 messaging


XML Accelerator XA35 features
• Accelerate dynamic content generation
  – Transform XML data into any presentation layer format at wire speed
• Offload XML manipulation through an industry standard API
  – Perform XML processing and transformation on the XA35 through the Java API for XML Parsing (JAXP)


XML Security Gateway XS40 features
• XML and Web services security provides:
  – XML denial-of-service protection
  – Field-level message encryption and digital signature
  – Web services access control at the operation, interface, or endpoint level
  – Service virtualization to abstract service endpoints within your network
  – Authentication, authorization, and auditing (AAA) framework supporting a variety of user password, security token, and other identity information from requests
  – Centralized policy management enforced by a cluster of SOA appliances
  – Service level management, policy management, and Web services management support
• Includes all XML acceleration features from the XA35 appliance

Integration Appliance XI50 features
• Acceleration of existing integration hubs
  – Processor-intensive tasks such as XSLT processing, routing, and legacy-to-XML conversion can be offloaded to the XI50.
• Mainframe modernization with Web services
  – XML-to-any conversion allows mainframe applications to be virtualized as Web services.
• Manage non-XML traffic as easily as XML data
  – Parse and transform arbitrary binary, flat text, and XML messages.
  – No custom programming needed to manipulate messages.
• Support for popular messaging systems
  – The XI50 appliance acts as an IBM WebSphere MQ client.
• Includes all security and acceleration features from the XS40 and XA35 appliances, respectively.


WebSphere DataPower Low Latency XM70
• Low Latency Messaging (LLM) appliance for high throughput messaging
• Enhanced QoS and performance with purpose-built hardware
  – High speed message routing and filtering
  – Optimized to bridge between leading standard messaging protocols such as WebSphere MQ, Tibco, WebSphere JMS, HTTP, and HTTPS
• Simplified deployment, configuration, and management providing rapid configuration of LLM-based applications
• Govern low latency multicast and unicast messaging through a consolidated processing point


WebSphere DataPower B2B Appliance XB60
• Purpose-built B2B gateway for simplified deployment and hardened security
• Extend integration beyond the enterprise with a securely deployed B2B gateway in the DMZ
• Easily manage and connect to trading partners using industry standards
• Improve the performance and scalability of B2B interfaces
• Govern B2B integration points through consolidated trading partner management


DataPower SOA appliances in the network stack

Figure: DataPower services mapped onto the TCP/IP protocol stack, with the Web services standards alongside.
  – Application layer: HTTP, TLS/SSL, SNMP; Web services standards: Web services security, SOAP, XML; DataPower services: multi-protocol gateway, Web services proxy, XML firewall, XSL proxy, Web application firewall
  – Transport layer: TCP, UDP
  – Network layer: IP, ICMP, IPSec
  – Data link layer
  – Physical layer


Features comparison (1 of 4)
Columns: XM70, XB60, XI50, XS40, XA35 (✓ = supported)

XSL transformation                        ✓ ✓ ✓ ✓ ✓
XML and SOAP validation                   ✓ ✓ ✓ ✓ ✓
HTML-XML transformation                   ✓ ✓ ✓ ✓ ✓
Basic XML threat protection               ✓ ✓ ✓ ✓ ✓
Logging (on-board and off-device)         ✓ ✓ ✓ ✓ ✓
SSL termination and initiation            ✓ ✓ ✓ ✓ ✓
XML coprocessor mode                      ✓ ✓ ✓
SNMP management integration               ✓ ✓ ✓ ✓ ✓
Remote device management integration      ✓ ✓ ✓ ✓ ✓

Features comparison (2 of 4)
Columns: XM70, XB60, XI50, XS40, XA35 (✓ = supported)

Content encryption and decryption         ✓ ✓ ✓ ✓
Sign XML content, verify digital signatures ✓ ✓ ✓ ✓
Authentication, authorization, auditing   ✓ ✓ ✓ ✓
Content-based routing and filtering       ✓ ✓ ✓ ✓
Fetch content from off-device locations   ✓ ✓ ✓ ✓
MIME and DIME attachment processing       ✓ ✓ ✓ ✓
Full XML threat protection                ✓ ✓ ✓ ✓
Web application firewall                  ✓ ✓ ✓
WSDL-based configuration                  ✓ ✓ ✓ ✓

Features comparison (3 of 4)
Columns: XM70, XB60, XI50, XS40, XA35 (✓ = supported)

Direct database access                    ✓ ✓ ✓ ✓
Multi-protocol gateway                    ✓ ✓ ✓ ✓
TIBCO EMS support                         ✓ ✓ ✓ ✓
IBM WebSphere MQ client                   ✓ ✓ ✓
Binary-XML transformations, DataGlue      ✓ ✓ ✓
IBM Tivoli Access Manager support         ✓ ✓ ✓ ✓
ODBC database support                     ✓ ✓ ✓
B2B message protocol support              ✓
Transaction viewer                        ✓
Low latency messaging                     ✓

Features comparison (4 of 4)
Columns: XM70, XB60, XI50, XS40, XA35 (✓ = supported)

Web 2.0/REST and JSON/JSONX support       1 1 ✓ ✓
Intelligent load distribution             ✓ ✓
TIBCO Rendezvous support                  ✓


Topic summary
Having completed this topic, you should be able to:
• Describe the different features in the IBM WebSphere
DataPower SOA Appliance product line
– Application Integration XI50
– XML Security Gateway XS40
– XML Accelerator XA35
– IBM WebSphere DataPower Low Latency Appliance XM70
– IBM WebSphere DataPower B2B Appliance XB60
• Identify the sections of the TCP/IP network protocol stack that
are secured by DataPower SOA appliances
– Application layer device that operates on Web applications, XML-
based applications, and Web services



Checkpoint
1. What is an XML-aware network? Why is it important to implement an XML-aware network in an SOA?
2. What features of the DataPower SOA appliance make it secure from attacks?
3. Name all IBM WebSphere DataPower SOA appliance product offerings and their main features, respectively.


Unit summary
Having completed this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA
Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances
in an enterprise architecture



Checkpoint solutions
1. An XML-aware network layer is comprised of hardware and
software components that are specifically designed to deal with
XML-based network traffic. This layer protects your enterprise
against a new class of XML-based attacks. It is also purpose-
built as a high-performance XML parsing and transformation
solution.
2. The DataPower SOA appliance is hardened against physical
intrusion. Its specialized firmware makes it robust against attacks
from the network.
3. There are three main IBM WebSphere DataPower SOA
appliances
a) Application Integration XI50: Provides any-to-any transformations and IBM
WebSphere MQ support
b) XML Security Gateway XS40: Provides XML and Web services security
support
c) XML Acceleration XA35: Provides wirespeed XML transformation