DataPower Common Use Cases

Bharat Bhushan, Principal Connectivity Architect, IBM UK
Christopher Khoury, Worldwide Client Technical Leader, IBM US
Arif Siddiqui, Product Manager, IBM US

TIS 3089 © 2013 IBM Corporation


Please Note

IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.


Agenda

• DataPower Quick Overview
• Security & Optimization Gateway
• Mobile Connectivity
• API Management
• Integration
• Mainframe Integration & Enablement
• B2B


Introduction to DataPower Gateway Appliances

IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, control, integration and optimized access to a full range of Mobile, Web, API, SOA, B2B and Cloud workloads.


IBM DataPower Gateway Appliances
Security & Integration Gateway Appliances

[Diagram: Consumer on the Internet -> DataPower in the DMZ -> DataPower in the Trusted Domain -> Application or Service; a second Consumer inside the Trusted Domain]

• Securely expose enterprise data to external consumers/partners, while optimizing delivery of the workload
• Securely connect apps/services within the enterprise, while optimizing delivery of the workload and providing integration including XML offload, message validation/filtering, message/transport protocol transformation, traffic control/quota enforcement, SOA governance & management, dynamic routing & intelligent load distribution
• Physical appliance that is purpose-built, tamper-evident with simplified deployment combining superior performance, hardened security, increased ROI and reduced TCO
• Provides high levels of certified Security assurance
  - e.g. Transport Protocol Security (SSL/TLS), Message Level Security, and Authentication, Authorization, Audit
• Simplified maintenance model
  - Drop-in appliance form-factor, Secures traffic in minutes, and Push-button flash upgrade process
• Over a decade of innovation. 2000 worldwide installations. 10,000+ physical units sold
• Virtual appliance provides deployment flexibility & reduced cost for development and test environments
DataPower appliances used across a variety of scenarios

[Diagram: Consumers and Trading partners on the Internet, DataPower in the DMZ and in the Trusted Domain, Application, Service and File targets, IBM Integration Bus and System z; the numbered scenarios are:]

1. Security Gateway (Web Services/Apps/APIs)
2. Intelligent Content Routing & Load Distribution
3. B2B Partner Gateway
4. Internal Security Enforcement
5. Integration (IBM Integration Bus)
6. Runtime SOA Governance
7. Web Service Management
8. Legacy Integration (System z)


Use appliances to simplify & centralize critical functions

• Secure, control, integrate & optimize multiple applications without code changes
• Lower cost and complexity
• Enable new business with unmatched performance

Before DataPower Appliances: Secure, Control, Integrate, Route & Optimize are handled by updating application servers individually.
After DataPower Appliances: Secure, control, integrate, & optimize all applications instantly; no changes to applications.


IBM DataPower Gateway Appliance capabilities

Security
• OAuth, SAML, XACML, WS-Security, LTPA, Kerberos, etc
• Authentication & authorization
• Security token translation
• Message & transport protection

Resilience
• Operation admission control
• Failure re-routing
• XML threat protection
• JSON threat protection
• Schema validation
• Messages filtering

Control
• Service-level agreements
• Traffic control
• Message accounting
• Content-based routing
• Governance & management

Integration
• Convert payloads (JSON, XML, CSV, Cobol, binary, etc)
• Bridge transports (HTTP, MQ, FTP, WAS JMS, TIBCO EMS, etc)
• Database connectivity (DB2, IMS, Oracle, MS SQL, Sybase)
• Mainframe integration (IMS Connect, IMS Callout, CICS, etc)
• B2B integration (AS1, AS2, AS3, etc)

Optimization
• SSL & TLS offload
• Hardware accelerated crypto ops
• XSLT & XQuery acceleration
• JSONiq acceleration
• Connection pooling, offload
• Intelligent load distribution
• Caching: Local & external (XC10)

[Diagram: Clients send in-the-clear requests, malicious requests and Cobol/MQ to DataPower; DataPower forwards encrypted and signed requests and Cobol/MQ to the Service Providers]
DataPower Family

Service Gateway XG45
• Entry-level device, slim footprint (1U)
• Security gateway (AAA, XML threat, etc)
• Service level management and monitoring
• Intelligent load distribution & dynamic routing
• Lightweight integration functions (optional)
• Available in Virtual Edition

Integration Appliance XI52
• High density 2U form, XG45 functionality plus
• Any-to-Any conversion at wire-speed
• Bridges multiple transport protocols
• Mainframe integration & enablement
• Available in Virtual Edition

Integration Blade XI50B/XI50z
• Functionally equivalent to XI52
• Form factor flexibility
  - XI50B: BladeCenter form factor
  - XI50z: zEnterprise BladeCenter Extension (zBX) form factor

B2B Appliance XB62
• High density 2U form, XI52 functionality plus
• B2B Messaging (AS1/AS2/AS3/ebMS)
• Trading Partner Profile Management
• B2B Transaction Viewer


DataPower Appliances
Over a decade of innovation & over 2000 worldwide installations

Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations

Banking
• Majority of the big US and European banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions

Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.

Many, many, more
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• etc.


Use Case: Security & Optimization Gateway
Securing the Enterprise & providing optimized access


IBM Software Group Enterprise Networking Software
DataPower security roles and objectives

• Secure access to Web and legacy applications
• Converged security enforcement platform
• Rock-solid
• Leverages enterprise security and policy managers

[Diagram: Internet -> Firewall -> DMZ (DataPower) -> Firewall -> Intranet holding mission-critical data; DataPower handles Authentication, Authorization and User Federation, and uses z/OS RACF for User I&A, Authorization and Cert/keys]

Protect data and other resources on the appliance and protected servers
• System availability
  - Protect against unwanted access, denial of service attacks, and other unwanted intrusion attempts from the network
  - Only allow valid messages through
• Identification and Authentication
  - Verify identity of network users
• Authorization
  - Protect data and other system resources from unauthorized access

Protect data in the network using cryptographic security protocols
• Data End Point Authentication
  - Verify who the secure end point claims to be
• Data Origin Authentication
  - Verify that data was originated by claimed sender
• Message Integrity
  - Verify contents were unchanged in transit
• Data Confidentiality
  - Conceal clear-text using encryption
Protection of data plus XML & JSON threat protection

• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
  - Configurable XML Encryption and Digital Signatures
  - Message-level, Field-level, Headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, M

Threat Protection

XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• Many others

JSON Threat Protection
• Label - Value Pairs
• Label String Length (characters)
• Value String Length (characters)
• Number Length (characters)
• Maximum nesting depth (levels)
• Maximum document size (bytes)
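The JSON Threat Protection list above names the limits a gateway checks before a JSON payload is allowed to reach a provider. The following is an added reference checker written for this page, not DataPower's own code, showing how those limits are enforced in order: document size on the raw bytes first, number length as each numeric lexeme is parsed, then label length, value length and nesting depth on a walk of the parsed tree. The limit values and sample documents are constructed for the demonstration (the first sample is the to-do entry used later in the deck).

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """Limits mirroring the slide's JSON Threat Protection parameters.
    Default values are illustrative, not DataPower defaults."""
    max_document_bytes: int = 4 * 1024 * 1024
    max_label_chars: int = 256
    max_value_chars: int = 8192
    max_number_chars: int = 128
    max_nesting_depth: int = 64


class JsonThreatViolation(ValueError):
    """Raised when a document breaks one of the configured limits."""


def _number_guard(limits: JsonLimits, convert):
    # json.loads hands parse_int/parse_float the raw lexeme, so the length
    # check runs before any conversion work is done on a huge number.
    def guard(lexeme: str):
        if len(lexeme) > limits.max_number_chars:
            raise JsonThreatViolation(
                f"number length {len(lexeme)} exceeds {limits.max_number_chars} characters")
        return convert(lexeme)
    return guard


def _walk(node, depth: int, limits: JsonLimits) -> None:
    """Depth-first pass enforcing label, value and nesting limits."""
    if isinstance(node, (dict, list)):
        depth += 1
        if depth > limits.max_nesting_depth:
            raise JsonThreatViolation(
                f"nesting depth {depth} exceeds {limits.max_nesting_depth} levels")
        if isinstance(node, dict):
            for label in node:
                if len(label) > limits.max_label_chars:
                    raise JsonThreatViolation(
                        f"label length {len(label)} exceeds {limits.max_label_chars} characters")
            children = node.values()
        else:
            children = node
        for child in children:
            _walk(child, depth, limits)
    elif isinstance(node, str):
        if len(node) > limits.max_value_chars:
            raise JsonThreatViolation(
                f"value length {len(node)} exceeds {limits.max_value_chars} characters")


def check_json(document: bytes, limits: JsonLimits):
    """Return the parsed document, or raise JsonThreatViolation."""
    # Size is checked on the raw bytes before any parsing is attempted.
    if len(document) > limits.max_document_bytes:
        raise JsonThreatViolation(
            f"document size {len(document)} exceeds {limits.max_document_bytes} bytes")
    try:
        parsed = json.loads(
            document.decode("utf-8"),
            parse_int=_number_guard(limits, int),
            parse_float=_number_guard(limits, float),
        )
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise JsonThreatViolation(f"malformed JSON: {exc}") from exc
    except RecursionError as exc:
        # The stdlib parser recurses per nesting level, so a document far
        # deeper than the limit can exhaust the stack before _walk runs.
        raise JsonThreatViolation("nesting depth exceeds parser capacity") from exc
    _walk(parsed, 0, limits)
    return parsed


def screen(document: bytes, limits: JsonLimits) -> str:
    """Gateway-style verdict: 'accepted' or 'rejected: <reason>'."""
    try:
        check_json(document, limits)
    except JsonThreatViolation as exc:
        return f"rejected: {exc}"
    return "accepted"


# Deliberately small limits so the constructed samples below trip them.
DEMO_LIMITS = JsonLimits(max_document_bytes=128, max_label_chars=16,
                         max_value_chars=64, max_number_chars=8, max_nesting_depth=4)

# Constructed sample documents.
SAMPLES = {
    "todo": b'{ "Task" : "AddEntry", "Detail": "Create presentation materials." }',
    "deep": b"[" * 10 + b"]" * 10,
    "long_number": b'{"n": 12345678901234567890}',
    "long_label": b'{"' + b"a" * 50 + b'": 1}',
    "oversized": b'{"pad": "' + b"x" * 300 + b'"}',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:12s} {screen(doc, DEMO_LIMITS)}")
```

The order matters: the size check costs nothing and runs before the parser touches the bytes, and the number check rides inside the parser so a multi-megabyte digit string is rejected as a lexeme rather than converted first. Nesting is the one limit the standard-library parser can hit on its own, which is why RecursionError is mapped to the same rejection.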

DataPower security is policy driven

• Use WS-SecurityPolicy to define security requirements for your web services
  - DataPower natively consumes and enforces WS-SecurityPolicy statements
  - Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
• Use XACML to define access and authorization policies for your web services
  - DataPower natively consumes and enforces XACML policies
  - Resource-based Authorization

[Diagram: DataPower as Policy Enforcement Point (PEP) consulting a Policy Decision Point (PDP)]
AAA : Authentication Authorization Auditing

[Diagram: the AAA policy as a pipeline. Input -> Extract Identity -> Authenticate -> Map Credentials -> Authorize -> Post-Process -> Output; Extract Resource -> Map Resource feeds the Authorize step; Audit applies throughout. Backed by an External Access Control Server or Onboard Identity Management Store.]

Extract Identity
• HTTP Headers
• WS-Security Tokens
• WS-SecureConversation
• WS-Trust
• Kerberos
• X.509/SSL
• SAML Assertion
• IP Address
• LTPA Token
• System/z NSS
• HTML Form
• IBM Security Access Manager
• OAuth
• Netegrity SiteMinder
• Custom

Authenticate
• LDAP/Active Directory
• System/z NSS (RACF, SAF)
• IBM Security Access Manager
• Kerberos
• WS-Trust
• Netegrity SiteMinder
• RADIUS
• SAML
• Custom

Extract Resource
• URL
• XPath
• SOAP Operation
• HTTP Operation
• Custom

Map Credentials & Authorize
• LDAP/ActiveDirectory
• LTPA
• SAML
• XACML
• OAuth
• Custom

Post-Process
• Add WS-Security
• Generate z/OS ICRX Token
• Verify Signature
• Generate Kerberos
• Generate Spnego
• Generate SAML
• Generate LTPA
• Map (Tivoli Federated Identity)
• Custom
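The slide presents AAA as a fixed sequence of stages, each with pluggable methods. The following is an added illustration written for this page, not DataPower's own AAA implementation: one pass through the pipeline for an HTTP request, with Extract Identity from an HTTP Basic header (falling back to the client IP), Authenticate against a constructed onboard store of salted PBKDF2 hashes, Map Credentials to roles, Extract and Map Resource from the URL, Authorize against a constructed ACL, and a Post-Process step that adds a header where DataPower would generate a downstream token. Every stage appends to an audit trail. The user names, passwords, roles, resource names and the X-Authenticated-User header are all constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    """Constructed onboard identity-store entry: random salt plus PBKDF2 hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}


# Constructed identity store, credential-to-role map and ACL (resource -> method -> roles).
USER_STORE = {"joe": make_user("correct horse"), "auditor": make_user("read only")}
CREDENTIAL_MAP = {"joe": {"todo-owner"}, "auditor": {"todo-reader"}}
ACL = {"todos": {"GET": {"todo-owner", "todo-reader"},
                 "PUT": {"todo-owner"}, "DELETE": {"todo-owner"}}}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    client_ip: str


@dataclass
class Decision:
    allowed: bool
    stage: str                       # pipeline stage that produced the verdict
    identity: Optional[str] = None
    headers_out: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def extract_identity(req: Request):
    """Extract Identity: HTTP Basic header, else the client IP address."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
            return user, password
        except (binascii.Error, UnicodeDecodeError):
            return None, None
    return f"anonymous@{req.client_ip}", None


def authenticate(user: Optional[str], password: Optional[str]) -> bool:
    """Authenticate against the onboard store with a constant-time comparison."""
    entry = USER_STORE.get(user) if user else None
    if entry is None or password is None:
        return False
    return hmac.compare_digest(_pbkdf2(password, entry["salt"]), entry["hash"])


def map_resource(req: Request) -> str:
    """Extract Resource (URL) and Map Resource: /<owner>/<collection> -> collection."""
    parts = [p for p in req.path.split("/") if p]
    return parts[1] if len(parts) >= 2 else "unknown"


def evaluate(req: Request) -> Decision:
    decision = Decision(allowed=False, stage="extract-identity")
    user, password = extract_identity(req)
    decision.identity = user
    decision.audit.append(f"extract-identity user={user}")

    decision.stage = "authenticate"
    if not authenticate(user, password):
        decision.audit.append("authenticate failed")
        return decision

    roles = CREDENTIAL_MAP.get(user, set())       # Map Credentials
    resource = map_resource(req)                   # Extract + Map Resource
    decision.audit.append(f"map-credentials roles={sorted(roles)} resource={resource}")

    decision.stage = "authorize"
    if not roles & ACL.get(resource, {}).get(req.method, set()):
        decision.audit.append(f"authorize denied {req.method} {resource}")
        return decision

    decision.stage = "post-process"
    decision.allowed = True
    # Stand-in for token generation toward the provider (constructed header name).
    decision.headers_out["X-Authenticated-User"] = user
    decision.audit.append("authorize granted; post-process complete")
    return decision


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    req = Request("GET", "/joe/todos", {"Authorization": basic_header("joe", "correct horse")}, "203.0.113.7")
    print(evaluate(req))
```

The point of recording the stage in the decision is the Audit part of AAA: a denial at authenticate and a denial at authorize look identical to the client but mean different things to whoever reads the log.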


Security Gateway

[Diagram: Outside World -> Protocol Firewall -> DMZ Security Gateway -> Domain Firewall -> Internal Network]

Outside World consumers: Browsers, Partner Apps, SaaS
• HTTP(s)
• HTML, JSON, XML, SOAP
• MIME, DIME, MTOM
• XMLDSIG, XMLENC
• WS-Security, WS-Security Policy, WS-Trust
• SAML, OAuth 2.0

DMZ Security Gateway
• Incoming access control; ACL; Threat protection
• Outgoing access control; SAML injection etc
• Policy decision points: Tivoli (TAM), MS Active Directory, Any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other)

Internal Network: Internal Security Gateway, ESB, Packaged Apps, Proprietary Apps, Data
Proxying and Enforcement

[Diagram: Consumer sends a Web Service Request (Basic Auth, OAuth 2.0, WS-Security UNT, etc) to DataPower; DataPower opens a new connection and forwards the Web Service Request to the Provider (SAML, LTPA, Kerberos); an ACL and a Virus Scanner are consulted along the way]

Connection from client
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (Schema validate)
• Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token

New connection to target
• Dynamically route based on content and load balance
• Establish a new connection to pass results
• Cache data on-box or in centralized, shared XC10 grid
Retail Service Provider
Securely expose services to consumers

Challenge
• Consistent & secure delivery of online services to partners that could be shared, integrated & flexible to meet specific needs
• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information

Solution
• Implemented WebSphere DataPower to form the Web services backbone
• Through content-based routing, security policy enforcement & data encryption, DataPower ensures safe & efficient flow of confidential customer data
• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse

Benefits
• Secure SOA on standards-based platform
• Easily reuse Web services throughout enterprise
• Boosts productivity of IT staff
• Substantially shorten time to market for new services

[Diagram: DataPower integrated with Identity Mgmt]
Centralized Service Governance & Policy Enforcement

• Use WebSphere Service Registry & Repository (WSRR) to store, publish, and govern your web services
  - DataPower can subscribe or poll web services information from WSRR
• Automatically expose services and policies in DataPower via WSRR subscription
  - Include WS-Policy, WS-Security Policy statements via WS-PolicyAttachment
  - Retrieve WSDLs by specific version number
• Dynamically retrieve run-time routing information from WSRR
• Complete SOA Governance solution
  - WSRR for web service life-cycle policy management
  - DataPower for web service run-time policy enforcement
• Centralized transaction monitoring
  - ITCAM for SOA
• Support for UDDI v2 and v3 for UDDI registries

[Diagram: WSRR (Policy Administration Point) publishes Services & Policy to DataPower (Policy Enforcement Point), which discovers services and passes Messages between Consumer and Service; ITCAM for SOA (Policy Monitoring Point) monitors DataPower]
Service Level Monitor (SLM): Traffic Control / Rate Limiting

• Service Level Monitoring (SLM) to protect your services and applications from over-utilization and enforce quota
  - Frequency based on concurrency OR based on messages per time period
  - Take action when exceeding a custom threshold: Notify (or log), Shape (or delay), Throttle (or reject)
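The SLM slide gives the two ways of measuring load (concurrency, or messages per time period) and the three escalating actions. The following is an added model of such a monitor written for this page, not DataPower's SLM implementation: a per-client sliding window of message timestamps with notify, shape and throttle thresholds, plus an in-flight counter for the concurrency limit. The policy numbers, client names and arrival times are constructed; time is passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SlmPolicy:
    interval_seconds: float   # sliding window for the message count
    notify_at: int            # above this count per interval: log and pass
    shape_at: int             # above this count: delay delivery
    throttle_at: int          # above this count: reject
    max_concurrency: int      # in-flight messages allowed per client


@dataclass(frozen=True)
class Decision:
    action: str               # "allow" | "notify" | "shape" | "throttle"
    delay_seconds: float = 0.0
    reason: str = ""


class ServiceLevelMonitor:
    def __init__(self, policy: SlmPolicy):
        self.policy = policy
        self._window = defaultdict(deque)    # client -> timestamps inside the window
        self._inflight = defaultdict(int)    # client -> messages currently being processed
        self.notifications = []              # what a log target would receive

    def _prune(self, client: str, now: float) -> deque:
        window = self._window[client]
        while window and window[0] <= now - self.policy.interval_seconds:
            window.popleft()
        return window

    def decide(self, client: str, now: float) -> Decision:
        """Admission decision for one message from `client` arriving at `now`."""
        p = self.policy
        if self._inflight[client] >= p.max_concurrency:
            return Decision("throttle", reason=f"concurrency {self._inflight[client]} at limit {p.max_concurrency}")
        window = self._prune(client, now)
        count = len(window) + 1                      # including this message
        if count > p.throttle_at:
            # Rejected messages are not recorded, so the client recovers as the
            # window drains instead of being locked out while it keeps retrying.
            return Decision("throttle", reason=f"{count} messages in {p.interval_seconds}s exceeds {p.throttle_at}")
        window.append(now)
        if count > p.shape_at:
            # Delay until the oldest recorded message leaves the window.
            delay = window[0] + p.interval_seconds - now
            return Decision("shape", delay_seconds=delay, reason=f"{count} messages exceeds shape threshold {p.shape_at}")
        if count > p.notify_at:
            self.notifications.append(f"t={now} client={client} count={count} over notify threshold {p.notify_at}")
            return Decision("notify", reason="logged")
        return Decision("allow")

    def begin(self, client: str) -> None:
        """Mark a message as in flight (call after an allow/notify/shape decision)."""
        self._inflight[client] += 1

    def end(self, client: str) -> None:
        self._inflight[client] = max(0, self._inflight[client] - 1)


def run_burst(slm: ServiceLevelMonitor, client: str, arrivals) -> list:
    """Feed a constructed arrival sequence through the monitor; return the actions."""
    return [slm.decide(client, t).action for t in arrivals]


if __name__ == "__main__":
    slm = ServiceLevelMonitor(SlmPolicy(60, notify_at=3, shape_at=5, throttle_at=7, max_concurrency=2))
    print(run_burst(slm, "mobile-app-a", range(8)))
```

With the constructed policy, eight messages in eight seconds step through all three actions: the first three pass silently, the next two pass but are logged, the next two are delayed until the window has room, and the eighth is rejected. Keying the window on the client identity is what makes this a quota rather than a global limit: one noisy consumer is slowed down without affecting the others.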
Application Optimization Example

Scenario
• JSON REST app to-do list running on a WAS Application in the Enterprise, accessed by Users from the Public network
• Sample request body: { "Task" : "AddEntry", "Detail": "Create presentation materials." }

Issues
• High server load
• Slow response time (>10s)

Improve Server Load with SSL Offload
1. Client requests are secured via DP SSL concentrator (DataPower in the Public DMZ in front of the Data Center)

Manage Traffic with Application Fluency
2. DataPower enables application aware traffic management, e.g. for a request such as:

    PUT /joe/todos HTTP/1.1
    Host: joe.org
    Content-Type: application/json
    Content-Length: 69

    { "Task" : "AddEntry", "Detail": "Waste time." }

Distribute Load Intelligently
3. Application Optimization effects load distribution intelligence
  - Leverage dynamic runtime conditions to distribute based on topology & workload

Cache at the edge(s)
4. Application results are cached at the edge using XC10 caching grid OR locally on-box (REST responses, DataPower XC10)

[Diagram sequence: server load goes from High Load to Improved Load to Low Load; user response goes from Slow Response to Improved Response Time to Fast Response]

• Faster application response time
• Lower server load
• Improved system throughput
Using XC10 As a Side Cache For DataPower

1. Client submits application request.
2. DataPower XI parses request and queries XC10. On a hit, skip to step 5.
3. On a miss, XI forwards request to target Provider.
4. XI adds application response to XC10.
5. Client receives response from XI.

• Easily integrates into the existing business process
  - No code changes to the client or back-end application
  - Simply add the side cache mediation
• Significantly reduces the load on the back-end system by eliminating redundant requests
• Improve client observed response time

[Diagram: User -> DataPower XI Appliances -> Provider (REST), with DataPower XC10 as the side cache; steps 1 to 5 as above; Provider shows Large Response Time and Improved Load, the client sees Improved Client Response Time]
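Step 4 of the Application Optimization Example and the five-step XC10 side-cache flow above describe the same mediation: look up the response before forwarding, store it after, serve repeats from the cache. The following is an added model of that mediation written for this page, not DataPower's or XC10's code. It caches only safe, idempotent REST reads, expires entries after a time-to-live, and lets a write to a path evict the cached read of that path so a client is never served its own update stale (the "faster responses were also accurate" property the travel case later claims). The provider, the requests and the 10-minute TTL are constructed for the demonstration; time is passed in explicitly.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

CACHEABLE_METHODS = {"GET", "HEAD"}                 # safe, idempotent REST operations
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}  # always forwarded, never cached


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class SideCache:
    """Stand-in for the XC10 grid (or the on-box cache): key -> (expires_at, response)."""
    ttl_seconds: float
    _entries: dict = field(default_factory=dict)

    def lookup(self, key: str, now: float) -> Optional[bytes]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, response = entry
        if now >= expires_at:                      # stale: treat as a miss and drop it
            del self._entries[key]
            return None
        return response

    def store(self, key: str, response: bytes, now: float) -> None:
        self._entries[key] = (now + self.ttl_seconds, response)

    def invalidate_path(self, path: str) -> None:
        for key in [k for k in self._entries if k.split(" ", 2)[1] == path]:
            del self._entries[key]


class CachingProxy:
    """The XI-style mediation: steps 1-5 of the slide for each request."""

    def __init__(self, provider: Callable[[Request], bytes], cache: SideCache):
        self.provider = provider
        self.cache = cache

    @staticmethod
    def cache_key(req: Request) -> str:
        # Vary on the representation asked for, never on credentials.
        return f"{req.method} {req.path} accept={req.headers.get('Accept', '*/*')}"

    def handle(self, req: Request, now: float) -> Tuple[bytes, str]:
        """Return (response, source) where source is 'cache' or 'provider'."""
        if req.method in WRITE_METHODS:
            self.cache.invalidate_path(req.path)               # keep reads consistent
            return self.provider(req), "provider"
        if req.method not in CACHEABLE_METHODS:
            return self.provider(req), "provider"
        key = self.cache_key(req)
        hit = self.cache.lookup(key, now)                      # step 2
        if hit is not None:
            return hit, "cache"                                # step 5 (hit)
        response = self.provider(req)                          # step 3
        self.cache.store(key, response, now)                   # step 4
        return response, "provider"                            # step 5 (miss)


class CountingProvider:
    """Constructed back end: serves a small to-do store and counts calls."""

    def __init__(self):
        self.calls = 0
        self.todos = {"/joe/todos": b'[{"Task": "AddEntry", "Detail": "Create presentation materials."}]'}

    def __call__(self, req: Request) -> bytes:
        self.calls += 1
        if req.method == "PUT":
            self.todos[req.path] = req.body
            return b'{"status": "stored"}'
        return self.todos.get(req.path, b"[]")


def demo() -> dict:
    """Miss, hit, TTL expiry, then a write followed by a read of fresh data."""
    provider = CountingProvider()
    proxy = CachingProxy(provider, SideCache(ttl_seconds=600))   # constructed 10 minute TTL
    get = Request("GET", "/joe/todos", {"Accept": "application/json"})
    first = proxy.handle(get, now=0)[1]
    second = proxy.handle(get, now=30)[1]
    expired = proxy.handle(get, now=601)[1]
    proxy.handle(Request("PUT", "/joe/todos", body=b'[{"Task": "AddEntry", "Detail": "Waste time."}]'), now=620)
    body, after_write = proxy.handle(get, now=621)
    return {"first": first, "second": second, "expired": expired,
            "after_write": after_write, "body": body, "provider_calls": provider.calls}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the key must not include anything that identifies the caller (or the cache leaks one user's data to another), and the TTL is a trade between load reduction and staleness, which is why the write-through eviction exists for the paths the gateway itself sees being modified.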
DataPower XI52 + XC10: Travel and Transportation

[Diagram: Online Reservations -> DataPower XI52 + XC10 -> Reservations System]

Caching service requests
• Before: 3-5 sec response time
• After: .01 -.05 sec response time (100x performance improvement)
• Improved the average response time of the Global Distribution System requests for Fare Availability and Category Availability
• 52% caching rate
• 10 minute cache resulted in 40% reduction in load on the back-end systems
• Maintained high data integrity. Faster responses were also accurate
• POC in 3.5 hrs

• Improved reliability and scalability of reservation channels
• Reduced traffic to backend systems
• Deliver high performance & consistent response times
• Scale with simplicity and lower TCO


Use Case: Mobile Connectivity
Securely & Rapidly connect Mobile Apps with Enterprise Services


Connect Mobile Apps with Enterprise Apps & Services
Security, Control, Integration & Optimization of mobile workload

Securely expose enterprise data to Mobile Apps while optimizing delivery of the workload

[Diagram: Mobile Apps -> e.g. REST (JSON/XML) over HTTPS -> IBM DataPower Gateway Appliance -> e.g. SOAP over HTTPS -> Web Apps, Services (Worklight, WAS ND) and Message Oriented, Legacy Apps]

IBM DataPower Gateway Appliance functions
• SSL Offload
• Threat Protection
• Rate Limiting
• Validation, Filtering
  - now with Native JSON Support**
• Authentication
• Authorization
• Security Token Translation
• Transformation
• Content-Based Routing
• Intelligent Load Distribution
  - now with On Demand Router for WAS ND**
• Response Caching Locally or to XC10 **

• Enhanced form-based authentication support for quick integration with Worklight applications running on mobile devices **
• Ready-to-use configuration pattern as reverse proxy & security policy enforcement point in front of Worklight Server**

** Available in DataPower firmware version 6.0
A closer look at some Mobile Connectivity scenarios

REST Service Gateway for Mobile Apps
• SSL offload
• Traffic control / Rate limiting
• Enforcement point for centralized security policies
  - Authentication, Authorization, OAuth 2.0, Audit
  - Threat protection for XML and JSON
  - Message validation and filtering
• Centralized management and monitoring point
• Routing / Intelligent load distribution to Provider
• RESTful façade to non-REST Provider

[Diagram: Mobile Consumer -> REST, JSON or XML / HTTP(s) -> IBM DataPower Gateway (REST Proxy) -> JSON / XML / SOAP -> Provider]

Application Acceleration for Mobile Apps
• Offload heavy lifting of message transformation from the Provider
• Transform to a format best suited for the requesting Mobile App
  - JSON for native/hybrid app
  - HTML/XHTML for browser based
• Cache response data from Provider
  - Locally on the appliance
  - Externally to elastic caching XC10

[Diagram: Mobile Consumer -> HTTP(s) GET -> IBM DataPower Gateway -> HTTP(s) GET -> Provider; the Provider returns XML, the Gateway returns JSON or HTML/XHTML]
Client examples using DataPower for Mobile use cases

Several examples of businesses using DataPower as a Mobile Gateway for their Security & Integration needs:
• A large international bank's mobile banking goes through DataPower
• A large Mobile company in the UK has traffic from handsets, REST service calls, being secured via DataPower
• A large global phone company has its RESTful service calls, using JSON and XML from Mobile devices and consumer browsers, secured and load balanced using DataPower
• A large retailer went live recently with DataPower proxying Mobile traffic
• A retailer secures its provisioning iPad traffic through DataPower
• A wireless carrier secures mobile traffic to account data through DataPower




Use Case: API Management
Securely & Rapidly Create, Socialize & Manage Business APIs to engage with a Developer ecosystem


IBM API Management V2.0 (On-Premise)
Secure, control and optimize access to APIs through DataPower

Create, Manage, Socialize APIs
• Dev Ops Dashboard for easy assembly of new APIs and to secure and manage APIs from an IT Ops perspective, API lifecycle mgmt
• Business Ops Dashboard with analytics and controls to publish APIs, document APIs, set quotas, manage communities and monitor service levels
• Application Developer Portal with Self-Service registration and with hooks into social communities

On-Premise DMZ-ready API Gateway
• Rapid on-ramping of APIs
• API security; SSL termination, Threat protection, Authentication, Authorization with OAuth
• Quota enforcement / Traffic control; Enforce API consumption policies
• Monitors API use
• Caching support for both on-box local and remote caching using XC10
• Intelligent routing and load distribution

[Diagram: On Premise deployment where the App Developer Portal, Dev Ops Dashboard and Business Ops Dashboard manage the DataPower API Gateway, which fronts Enterprise Services for Web Apps and Mobile consumers]
Secure Mobile App Integration + API Management

[Diagram]
• Mobile Apps & Web consumers -> Security & Integration Gateway (IBM DataPower Appliance) -> Applications & Services on App Servers (WAS, WAS ND, Worklight or other Provider)
• Caching Appliance: IBM DataPower XC10
• API consumers & App Developers, and API owners -> IBM API Management** (Create, Publish, Manage & Socialize APIs)
• Multi-device development: IBM Worklight

** Available in IBM API Management 2.0


Use Case: Enterprise Integration
Consumable integration solution for securely connecting applications & services while optimizing delivery of workload


Integration

[Diagram: Outside World (Browsers, Partner Apps, SaaS, Packaged Apps, Proprietary Apps, Data) -> HTTP(s), FTP(s), SFTP(SSH) -> Protocol Firewall -> DMZ Enhanced Security Gateway (ACL, LDAP) -> Domain Firewall -> Internal Network DataPower -> HTTP, WMQ(s)/WMQ, WS JMS, TIBCO EMS, IMS Connect, FTP, ODBC, JMS, NFS, DB, EMS -> Packaged Apps, Proprietary Apps, Data]

Integration Scenario
• AAA, Threat protection
• Message validation & filtering
• Traffic control / Rate limiting
• Content based routing
• Intelligent content based routing
• Intelligent load distribution
• Local and distributed caching
• Message enrichment
• Message transformation
• Transport protocol translation

Message Format & Transport Protocol Mediation Example

[Diagram: Consumer -> SOAP / HTTP(s) -> DataPower (Format & transport bridging) -> Cobol / MQ -> MQ Queue Manager -> Provider]
UK Government Agency
enables integration capabilities using DataPower

Challenge
• Data held in the back-end systems vital to delivering citizen services, fraud detection across various layers of the Governments across the EU
• Vulnerable back-end services
  - Security
  - Capacity/ SLA
• Consistent usability experience for internal or external service consumers

Solution
• DataPower in key network zones within and outside of the department
• Thorough content-based validation, routing, and security policy enforcement
• Integrated seamlessly into heterogeneous environment increasing interoperability & promoting reuse

Benefits
• Ease of integration
• Security assurance of the architecture
• Secure SOA on standards-based platform
• Consistent experience and policy for all users

[Diagram: Other UK Departments, Other EU Countries and Internal Users reach the Government network through an Integration Layer to Core Services and Core Data]
Security & Integration Scenario: Financial Firm

[Diagram only]


Use Case: Mainframe integration & enablement
Offload processing for reduced MIPS
Web Services Enablement for IMS, CICS, DB2


An Irish Bank
Enabling retail banking

Challenge
• Retail application contained 7000 screens; slow response times over dedicated proprietary network.
• Cost of processing XML on the mainframe.
• Message transformation needed before the core banking platform could process requests.

Solution
• DataPower in trusted network exposed services for XML/ HTTP(S) and protocol bridging to WebSphere MQ
• Message validation and transformation using WebSphere Transformation Extender (WTX)

Benefits
• Retail application acceleration through transformations and caching
• Optimized platform for handling, parsing and processing payloads

[Diagram: Branch Application (web based) -> Branch Network -> DataPower -> MQ queues -> Core banking platform on Z]


High Street Clothing and Fashion Accessories Retailer
Increase customer interaction and loyalty

Challenge
• Highly competitive industry; first mover advantage
• Weak customer loyalty
• Multi channel customer experience
• Complex supply chain and service providers

Solution
• DataPower acted as a reverse proxy for:
  - Outbound messages via a service provider
  - Inbound customer updates/ delivery notifications
• Transform SOAP/ XML payload to COBOL copybook messages for CICS application

Benefits
• Create customer interaction and value through innovative business strategy.
• Integrate various suppliers using standards based interfaces securely.
• Graphical configuration driven appliance; short learning curve

[Diagram: Open Internet -> DataPower -> MQ queues -> Customer & Product related application and systems on Z]


Broad integration with System z

DataPower
• Connect to existing applications over WebSphere MQ
• Transform XML to/from COBOL Copybook for legacy needs
• Integrate with RACF security from DataPower AAA
• Dynamic crypto material retrieval & caching, or offload crypto ops to z
• Connect to IMS
  - Via IMS Connect client
  - Via Web Services
  - Via WebSphere MQ
• Connect to CICS
  - Via WebSphere MQ
  - Via Web Service
• Connect to DB2
  - Via Web Service
  - As direct ODBC call with ODBC Client option

Additional benefits with integrated DataPower XI50z blade form factor
• Fast secure network between DataPower blade and target servers
• Virtual Network Provisioning
• Dynamic Load Balancing (via Sysplex Distributor)
• HMC Console Integration
• Blade Hardware Management
• Energy Monitoring and Management of DP Blades
• DP Firmware Load and Update
• Monitoring and Reporting

[Diagram: Client -> SOAP/HTTP -> DataPower -> IMS SOAP Gateway, WAS+IMS connector, or IMS Connect/OTMA -> IMS Application; DataPower -> MQ Bridge -> MQ Server; CCB / MQ -> IMS; DataPower -> DRDA -> DB2]
Enhanced value for System z & IMS
New integration capabilities between DataPower and IMS

• IMS Callout feature allows IMS transactions to easily consume external web services via DataPower, with minimal application updates required

[Diagram: IMS App1/App2 -> IMS Connect (OTMA) -> TCP/IP -> DataPower -> SOAP / REST -> Service Provider; IMS acts as the Service Consumer]

• IMS DB feature supports DataPower integration with IMS database through SQL interface
  - Enrich messages with database content
  - Expose data as a service to remote applications

[Diagram: Client -> SOAP / REST -> DataPower -> DRDA -> IMS DB]




Use Case: B2B integration
Extend integration beyond the enterprise to partner community


DataPower B2B Functionality
Extend beyond the enterprise to integrate with partners

B2B Gateway Service
• AS1, AS2, AS3 and ebMS v2.0
• Plaintext email support
• EDI, XML and Binary Payload routing
• Front Side Protocol Handlers
• Hard Drive Archive/Purge policy
• CPA and Partner Profile Associations
• MQ File Transfer Edition integration

Trading Partner Profiles
• Two Types Internal and External
• ebXML CPPA v2.0
• Multiple Business IDs
• Multiple Destinations (URL Openers)
• Certificate Management (S/MIME Security)
• Multi-step processing policy

B2B Viewer
• B2B transaction viewing
• MQ FTE transaction viewing
• Transaction resend capabilities
• Transaction and Acknowledgement correlation
• Role based access

Persistent Storage
• AES Encrypted B2B document storage
• Option for Off-Box Storage (NFS or iSCSI)
• B2B metadata storage
• B2B state management

[Diagram: External Partner -> Front Side Handlers -> DataPower B2B Gateway Service (Partner Profiles, Partner Connection, Metadata Store (DB), Document Store (HDD), Transaction Store, B2B Viewer) -> Destinations -> Internal Partner; internal Front Side Handlers and Destinations mirror the external side]
UK Logistics and Distribution

Challenge
• AS2, File and Web Services based interfaces to 100s of B2B customers.
• Messages are exchanged at least once a day
• Secure proxy solution in the DMZ
• Complex incumbent supplier chain

Benefits
• Create customer interaction and value through innovative business strategy.
• Integrate various suppliers using standards based interfaces securely.
• Graphical configuration driven appliance; short learning curve

[Diagram: External Systems <-> Internal Systems / Internal System]
DataPower Appliances Benefits

• Reduce Complexity: Replace software servers' functionality with DataPower Appliances, reduce infrastructure footprint, and off-load systems intensive processes.
• Lower TCO: DataPower Appliances have demonstrated reducing operational costs by as much as 50%
• Reduce Time to Market: DataPower Appliances dramatically decrease the testing time and amount of development required to upgrade your environment; most policies are configuration driven as opposed to development driven
• Reduce Risk: DataPower Appliances provide the communication layer without requiring application modification, and deliver improved security and audit
• Flexibility & Security: DataPower Appliances shield business applications from security requirements, protocol changes and service versioning - no application modifications needed
DataPower resources

• IBM DataPower Web Page (support, technotes, doc)
  - http://www-01.ibm.com/software/integration/datapower/
• developerWorks DataPower Discussion Area
  - http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
• Vast library of published articles:
  - http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html (Also search for DataPower within WebSphere, SOA/Web Services and XML)
  - http://www.ibm.com/developerworks/views/websphere/libraryview.jsp (Search DataP­ower)
• IBM Redbooks:
  - http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
• IBM WebSphere DataPower SOA Appliance Handbook
  - http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
• YouTube:
  - http://www.youtube.com/watch?v=uWYBDviv5Ts&feature=channel
• DataPower Podcasts:
  - http://www.ibm.com/podcasts/software/websphere/datapower/index.rss

www.ibm.com/software/integration/datapower
We love your Feedback!

Don't forget to submit your Impact session and speaker feedback!
Your feedback is very important to us; we use it to improve next year's conference.

Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
• Use the session ID number to locate the session
• Click the Take Survey link
• Submit your feedback
Legal Disclaimer

IBM Corporation 2013. All Rights Reserved.


The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained
in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBMs current product plans and strategy, which are
subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing
contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or
capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth or other results.
If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs
and performance characteristics may vary by customer.
Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM
Lotus Sametime Unyte). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server).
Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your
presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in
your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International
Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
If you reference Adobe in the text, please mark the first use and include the following; otherwise delete:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
If you reference Java in the text, please mark the first use and include the following; otherwise delete:
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete:
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:
Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and
other countries.
If you reference UNIX in the text, please mark the first use and include the following; otherwise delete:
UNIX is a registered trademark of The Open Group in the United States and other countries.
If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete:
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of
others.
If the text/graphics include screenshots, no actual IBM employee names may be used (even your own). If your screenshots include fictitious company names (e.g., Renovations, Zeta
Bank, Acme), please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration
purposes only.



BACKUP Material



Health Insurance Provider

Industry Pains:
• HIPAA Security requirements for transporting data over the Internet
• HL7 v3.0 XML threat protection
• Complexity of B2B for healthcare

Smarter Business Outcomes:
• Reliable and secure routing of customer sensitive data
• Easy to use and maintain; no additional skill needed
• XML Messages with attachments are authenticated, authorized, and virus scanned

Value of DataPower B2B Appliances for Extending Connectivity?
Secure appliance form factor providing secure connections to trading partners, advanced threat protection and reliable file delivery of confidential medical information
EDIINT Flow: Simple AS2 transaction flow with Transform

[Diagram: Partner A sends AS2 (EDI) over the Internet and receives AS2 (MDN); Partner B B2B Hub XB62 with B2B Gateway Service, AS2 Process, EDI transformed to XML, Application, Data Store, Transaction Viewer and Browser; numbered steps 1, 2, 3a, 3b, 4, 5.]

Note: This flow works the same for any AS protocol as well as for ebMS B2B messages.

Why use an Appliance for connectivity?

Many functions incorporated in a single device
  - Service level management
  - Dynamic routing and load distribution
  - Transport and message level security
  - Policy enforcement
  - Transport and message transformation

Simplified maintenance model
  - Drop-in appliance form-factor
  - Secures traffic in minutes
  - Push-button flash upgrade process
  - Integrates with existing operations

Provides high levels of certified security assurance
  - Transport Protocol Security (SSL/TLS)
  - Message Level Security
  - Authentication, Authorization, Audit (AAA)
  - FIPS 140-2 Level 3

Purpose-built, fine-tuned consumable platform
  - Achieves fast performance with multiple layers of specialized acceleration

DataPower & Tivoli Offerings
DataPower integrates with Tivoli offerings to provide an authentication and authorization policy enforcement point solution.

• Tivoli Security Policy Manager (TSPM): Allows authoring of XACML policy to be enforced by DataPower [PAP]. TSPM can also act as PDP to make authorization decisions [PDP]; DataPower will enforce the decision [PEP].
• Tivoli Access Manager (TAM): Provides a single point of decision making for Authentication and Authorization [PDP]. A locally cached TAM policy database reduces network latency and traffic congestion.
• Tivoli Federated Identity Manager (TFIM): Provides federated identity management and a single IdP enterprise solution [Federation].

PAP: Policy Authoring Point
PDP: Policy Decision Point
PEP: Policy Enforcement Point
Application Optimization
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance.

[Diagram: Consumer on the Internet, DataPower in the DMZ, Application (including System z) in the Trusted Domain.
Application Optimization: Application Intelligence, Application Security, SSL Acceleration.
SOA Optimization: XML Intelligence, XML Security, Routing, Transformation, Mediation.]
Application Optimization
• Self Balancing: Self balance across a cluster of appliances
  - Replace front-end IP load balancer
  - New support (introduced in firmware version 4.0.2) enables connections to be preserved, without loss, during a failover scenario
• Dynamic and Intelligent Load Distribution to backend systems
  - Replace backend load balancer

[Diagram: Self balancing (IP spraying) across the appliance cluster; front-end IP load balancers not needed.]
Application Optimization
Provides application-aware Intelligent Load Distribution
• Auto-discovers application targets and distributes load using a dynamic feedback mechanism
• Topology learning for WAS ND and VE
• Uses intelligent weighted distribution algorithms based on current server load
  - Weighted Least Connection load balancing algorithm
• Provides several options for enabling Session Affinity

[Diagram: DataPower performs dynamic back-side routing and load distribution (leveraging dynamic information from back-ends); failure of target appliances is masked by appropriate weighted distribution.]
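The weighted least connection selection with failed targets masked, as described on this slide, modelled in Python. This is an added example, not DataPower firmware code; the target names and weights are constructed, and the dynamic feedback mechanism is reduced to a weight and health flag the caller updates.

```python
"""Weighted least-connection target selection with failed targets masked.

Added example, not DataPower's own code. It models the back-side load
distribution the slide describes: each target carries a weight (its
relative capacity, here constructed rather than learned from feedback)
and a count of open connections; a failed target is masked out, so its
share moves to the surviving targets in proportion to their weights.
"""
from dataclasses import dataclass


@dataclass
class Target:
    name: str              # constructed name, e.g. "app1"
    weight: int            # relative capacity (constructed for illustration)
    active: int = 0        # currently open connections on this target
    healthy: bool = True   # set False when the target fails


def choose_target(targets):
    """Return the healthy target with the lowest active/weight ratio.

    Targets with weight 0 or marked unhealthy are never chosen; ties go to
    the target with the larger weight so spare capacity is used first.
    Raises RuntimeError when no healthy target remains.
    """
    candidates = [t for t in targets if t.healthy and t.weight > 0]
    if not candidates:
        raise RuntimeError("no healthy back-end targets available")
    return min(candidates, key=lambda t: (t.active / t.weight, -t.weight))


def distribute(targets, n):
    """Simulate n connection arrivals that stay open; return arrivals per target."""
    counts = {t.name: 0 for t in targets}
    for _ in range(n):
        chosen = choose_target(targets)
        chosen.active += 1
        counts[chosen.name] += 1
    return counts


if __name__ == "__main__":
    # Constructed cluster: two equal members and one with double capacity.
    pool = [Target("app1", 1), Target("app2", 1), Target("app3", 2)]
    print(distribute(pool, 8))   # {'app1': 2, 'app2': 2, 'app3': 4}
    pool[2].healthy = False      # app3 fails: its share is masked out
    print(distribute(pool, 4))   # {'app1': 2, 'app2': 2, 'app3': 0}
```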

Integration
Content-Based Routing
• Dynamically route based on any message content
  - Attributes such as the originating IP, requested URL, protocol headers, etc.
  - Data within the message such as SOAP Headers, XML, Non-XML content, etc.
• Query a repository for routing information
  - WebSphere Service Registry & Repository, XML files, Databases, Web Servers

[Diagram: Unclassified Requests routed to Service Providers.]

Any-To-Any Message Transformation
• Transform the message format with ultimate flexibility
  - Leverage WebSphere Transformation Extender for data mapping

[Diagram: Input Message (<XML/>, TEXT, binary) transformed to Output Message (<XML/>, TEXT, binary), with the map built in WebSphere TX Design Studio.]
Integration
Transport Protocol Translation
• Integrate disparate transport protocols with extreme ease
  - No dependencies between inbound front-side and outbound back-side
  - Examples: HTTP(s), WebSphere MQ, WebSphere MQ FTE, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server)
• Support synchronous, asynchronous, pub-sub, assured-delivery, once-and-only-once message patterns

[Diagram: protocol handlers around DataPower: HTTP(s), WebSphere JMS, WebSphere MQ / MQ FTE, TIBCO EMS, FTP(s), Database (DB2, SQL Server, Oracle, Sybase), SFTP, IMS, NFS.]

IMS Integration
Web Services Security and Management for IMS Web Services

• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management

[Diagram: Client sends SOAP/HTTP to DataPower, which forwards SOAP/HTTP to the IMS SOAP Gateway or to WAS with the IMS connector.]
IMS Integration
Web Services Enablement for IMS-based Services

• DataPower provides WS-enablement to IMS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
  - MQ bridge to access IMS
  - MQ connectivity is embedded in DataPower

[Diagram: Client sends SOAP/HTTP to DataPower; DataPower (CCB / MQ) puts the message to the MQ Server, which reaches the IMS Application through the MQ Bridge and OTMA.]
IMS Integration
Web Services Enablement for IMS-based Services (cont'd)

• DataPower provides WS-enablement to IMS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• IMS Connect Client (back-side handler) natively connects to IMS Connect using its custom request/response protocol

[Diagram: Client sends SOAP/HTTP to DataPower; DataPower (CCB / TCP) connects to IMS Connect (user exit, e.g. HWSSMPL0), which reaches IMS applications Appl1 to Appl6 through OTMA.]
IMS Integration
IMS Connect Reverse Proxy

• Bring DataPower value add to standard IMS Connect usage patterns
• Provide an IMS Connect Client on DataPower that natively connects to IMS Connect
• Provide an IMS Connect Server on DataPower that accepts IMS Connect client connections and provides an intermediation framework that leverages DataPower
  - Enables authentication checks, authorization, logging, SLM, transformation, routing, DB look-up, SSL offload, etc.

[Diagram: an IMS Connect client connects over IMS Connect TCP to DataPower; DataPower (CCB / TCP) connects to IMS Connect (user exit, e.g. HWSSMPL0), which reaches IMS applications Appl1 to Appl6 through OTMA.]
DB2 Integration
Information as a Service

• DataPower provides a standard WS façade to DB/2
  - Common tool (IBM Data Studio 1.2+) to generate WSDL and data mapping in both the Data Web Services runtime and DataPower
  - SOAP call is mapped to an ODBC (DRDA) invocation
• Exposes database content (information) as a service
• Leverages extensive Web Services security and management capabilities of DataPower to more securely expose critical data to the enterprise

[Diagram: Client sends SOAP/HTTP to DataPower, which accesses DB2 over DRDA.]
CICS Integration
Web Services Security and Management for CICS Web Services

• Content-based Message Routing
• Protocol Bridging (HTTP, MQ, JMS, FTP, etc.)
• XML/SOAP Firewall
• Data Validation
• Field Level Security
• XML Web Services Access Control/AAA
• Web Services Management
• Support CICS ID propagation

[Diagram: Client sends SOAP/HTTP to DataPower, which forwards SOAP/HTTP to CICS Web Services or to WAS with the CICS connector.]
CICS Integration
Web Services Enablement for CICS Applications

• DataPower provides WS-enablement to CICS applications
• User codes schema-dependent WTX data map to perform request/response mapping
• Requires WebSphere MQ for z/OS
  - MQ bridge to access CICS
  - MQ connectivity is embedded in DataPower

[Diagram: Client sends SOAP/HTTP to DataPower; DataPower (CCB / MQ) puts the message to the MQ Server, which reaches the CICS Application through the CICS Bridge.]

Web Services bridged to AS2 File Transfer Pattern

[Diagram: Partner A WS Client sends SOAP over the Internet; Partner B B2B Hub XB62 with Web Service Proxy, Web Service Process, B2B Gateway Service with Flat Pre-Process, flat file sent over AS2, Data Store, Transaction Viewer and Browser; numbered steps 1 to 7.]

Note: A Multi-Protocol Gateway Service can also be used to support this flow as well as receiving and sending data over any of the 16 supported protocol handlers. When Services are tied together in front of or behind a B2B Gateway Service they are handled like pre and post processes.
MQ FTE Integration Pattern: Inbound File to Message

[Diagram: Trading Partner sends a file over the Internet to the B2B Gateway Service on the XB62 (or XB60) in the Enterprise; Source Queue Manager, MQFTE Agent, Network, Target Queue Manager and Agent, Applications; Data Store, Profile Mgmt, Transaction Viewer, Logger DB (DB2 or Oracle), MQ Explorer; Browser views for Admin, Partner and LOB User; numbered steps 1, 2, 2a, 3, 4, 5, 6.]
ebXML with CPPA Pattern

[Diagram: Public Network, DMZ, Secured Network. External Partners send ebMS (ebXML) over the Internet to the B2B Gateway Service on the WebSphere DataPower B2B Appliance and receive an ebMS Ack; Collaboration Protocol Agreement Entries (CPAId / Collaboration), External Partner Profiles and Internal Partner Profiles, Internal Partner Applications; Transaction Viewer via Browser; numbered steps 1 to 4.]
Health Level 7 3.x to 2.x Transform Pattern

[Diagram: Partner A (Hospital, Hospital Healthcare Applications) sends AS2 (HL7 V3) over the Internet and receives AS2/MDN; Partner B (Regional Healthcare Center) B2B Appliance / B2B Hub with B2B Gateway Service, AS2 Process, External and Internal Profiles, "Validate XML and Transform to any V.2.x format", HL7 V3.x in and HL7 V2.x out over Any Transport to the Regional Center Healthcare Applications; Transaction Viewer; numbered steps 1 to 6.]
Securing HL7 over the Internet with Integration to the WebSphere Healthcare Connectivity Pack

[Diagram: Trading Partner sends AS2 (HL7) over the Internet to the B2B Gateway Service on the XB62 at the Healthcare Provider and receives AS2 (MDN); AS2 Profile, Profile Mgmt, Data Store, Transaction Viewer; HL7/MQ over WebSphere MQ to the WebSphere Healthcare Connectivity Pack, then HL7/MLLP to the Clinical Trials System, Patient Administration System and Pharmacy and XML/HTTP to the Billing System; Browser views for Admin and Partner; numbered steps 1, 2, 2a, 3, 4, 5.]
