TRANSCRIPT
© IBM Corporation 1
IBM DataPower Gateway: An update on IBM's multi-channel security gateway
Steven Cawn
Worldwide DataPower Sales Leader
Why use an Appliance for connectivity?
• Purpose-built, fine-tuned, secure, and consumable hardware platform
• Fast performance with multiple layers of specialized hardware & software acceleration
• Many functions incorporated in a single device
– Service level management
– Dynamic routing and load distribution
– Transport and message level security
– Policy enforcement
– Transport and message transformation
– Business to Business Partner Profile Management
• Simplified maintenance model
– Drop-in appliance form-factor
– Secures traffic in minutes
– Push-button flash upgrade process
– Integrates with existing operations
• Provides high levels of certified security assurance
– Transport Protocol Security (SSL/TLS)
– Message Level Security
– Authentication, Authorization, Audit (AAA)
– FIPS 140-2 Level 3
Potential Benefits for reduction in development labor

Use case | Description | Current environment estimated development hours | DataPower estimated development hours
B2B Protocol Handling | Integrate internal and external business partners based on industry standard B2B protocols and message formats | 200 | 20
B2B Partner Profile Manager | Onboard and manage new partners for B2B integration through gateway | 10 | 5
B2B Transaction Manager | B2B transaction audit and management capability for review, resend and problem resolution | 10 | 5
Security AAA | Consumer identification, authentication, authorization, and auditing security capabilities | 360 | 18
Security Threat Protection | Non-repudiation, integrity, confidentiality and general threat protection security capabilities | 1080 | 51
Routing | Service virtualization of identity via dynamic content and context based routing | 140 | 20
Protocol Bridging | Service virtualization of protocol via bridging (e.g. HTTP to/from MQ) | 140 | 20
Message Transformation | Service virtualization of interface via message transformation to/from any format including XML | 120 | 40
Service Level Management | Monitor against thresholds based on SLAs between parties and support taking action when thresholds are crossed | 280 | 40
DataPower's Core Strategic Vision
Become the leading Multi-Channel Gateway Platform for Developers, Customers, Partners and IBM Products to secure, integrate, control and optimize the delivery of Applications, APIs and Data across a variety of digital business channels in a growing landscape of public, private and hybrid cloud environments in addition to on premise setups.
DataPower Team
What is IBM DataPower?
• IBM® DataPower® Gateway appliance has been established as the leading security & integration gateway device for the industry
• DataPower gateway appliances help Secure, Control, Integrate and Optimize the delivery of the full range of Mobile, Web, API, SOA, Cloud, and B2B applications and services
IBM DataPower - Converged Multi-Channel Gateway
Diagram: business channels (Web, Mobile, B2B, SOA, APIs) and users (consumers, employees, partners, consultants, developers) pass through the enforcement solutions (DataPower Appliance, ISAM for DataPower) to reach applications and systems.
IBM DataPower Gateway
• Extend the capabilities by providing a multitude of functions:
– IBM DataPower Gateway (IDG) provides gateway functionality and is a security enforcement point. It also supports intelligent load distribution and dynamic routing via the Application Optimization module. IDG is used for service level management and monitoring, and is available in two form factors: a 2U rack-mounted physical appliance and a virtual appliance running on VMware and Citrix, and in elastic cloud environments (SoftLayer and Amazon AWS).
– IBM DataPower Gateway with Integration Module extends the IDG platform, supporting a wide range of integration and message mediation and transformation protocols, including mainframe integration and enablement. The Integration Option is available for both physical and virtual form factors.
– IBM DataPower Gateway with the ISAM Module: IBM Security Access Manager for DataPower is a new access management software module for IBM DataPower Gateways that provides web access management and strong authentication enforcement for mobile workloads, integrated into the DataPower platform.
– IBM DataPower Gateway with Business to Business (B2B) Module provides a high-throughput, secure entry point at the edge for B2B traffic into enterprises. The B2B option builds on the capabilities of IDG, offering partner profile management and inter-enterprise messaging and document support. The B2B option is available in both physical appliance and virtual form factors.
NOTE: Other modules are: Application Optimization (routing and load balancing); Tibco (connectivity to Tibco EMS).
Security Gateway
Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (Schema validate)
• Enforce security policies on message content (Encrypt/decrypt, Verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (Establish a new connection to pass results)
• Cache data on-box or in centralized, shared XC10 grid
Diagram: a consumer's web service request (Basic Auth, OAuth 2.0, WS-Security UNT, etc.) travels from the outside world (Internet, SaaS, partner apps, browsers) over HTTP(s) through the protocol firewall into the DMZ, where the security gateway applies ACLs, calls out to a virus scanner and performs incoming access control and threat protection; the connection from the client is terminated there and a new connection is established to the target. Traffic then crosses the domain firewall into the internal network, where a second security gateway (ACL, internal security) performs outgoing access control and SAML injection before reaching the provider (packaged apps, proprietary apps, data, ESB) over HTTP(s) carrying SAML, LTPA or Kerberos. Inbound formats and standards shown: HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-Security, WS-Security Policy, WS-Trust, SAML, OAuth 2.0. Identity and policy stores shown: ISAM, MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other).
AAA : Authentication Authorization Auditing
AAA processing stages (input to output), backed by an external access control server or the onboard identity management store:
• Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom
• Authenticate: LDAP/Active Directory, System/z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
• Extract Resource: URL, XPath, SOAP Operation, HTTP Operation, Custom
• Map Identity
• Map Resource
• Authorize: LDAP/Active Directory, System/z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom
• Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SPNEGO, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
Supported standards & protocols
• Transport & connectivity
– HTTP, HTTPS, WebSocket Proxy
– FTP, FTPS, SFTP
– WebSphere MQ
– WebSphere MQ File Transfer Edition (MQFTE)
– TIBCO EMS
– WebSphere Java Message Service (JMS)
– IBM IMS Connect, & IMS Callout
– NFS
– AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62)
– DB2, Microsoft SQL Server, Oracle, Sybase, IMS
• Data format & language
– JavaScript
– JSON
– JSON Schema
– JSONiq
– REST
– SOAP 1.1, 1.2
– WSDL 1.1
– XML 1.0
– XML Schema 1.0
– XPath 1.0
– XPath 2.0 (XQuery only)
– XSLT 1.0
– XQuery 1.0
• Security policy enforcement
– OAuth 2.0
– SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
– XACML 2.0
– Kerberos, SPNEGO
– RADIUS
– LDAP versions 2 and 3
– Lightweight Third-Party Authentication (LTPA)
– Microsoft Active Directory
– FIPS 140-2 Level 3 (w/ optional HSM)
– SAF & IBM RACF® integration with z/OS
– Internet Content Adaptation Protocol
– W3C XML Encryption
– W3C XML Signature
– S/MIME encryption and digital signature
– WS-Security 1.0, 1.1
– WS-I Basic Security Profile 1.0, 1.1
– WS-SecurityPolicy
– WS-SecureConversation 1.3
• Transport Layer Security
– SSL versions 2 and 3
– TLS versions 1.0, 1.1, and 1.2
• Public key infrastructure (PKI)
– RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP
– PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
– XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management
– Simple Network Management Protocol (SNMP)
– SYSLOG
– IPv4, IPv6
• Open File Formats
– Distributed Management Task Force (DMTF) Open Virtualization Format (OVF)
– VMware Virtual Machine Disk Format (VMDK)
• Web services
– WS-I Basic Profile 1.0, 1.1
– WS-I Simple SOAP Basic Profile
– WS-Policy Framework
– WS-Policy 1.2, 1.5
– WS-Trust 1.3
– WS-Addressing
– WS-Enumeration
– WS-Eventing
– WS-Notification
– Web Services Distributed Management (WSDM)
– WS-Management
– WS-I Attachments Profile
– SOAP Attachment Feature 1.2
– SOAP with Attachments (SwA)
– Direct Internet Message Encapsulation (DIME)
– Multipurpose Internet Mail Extensions (MIME)
– XML-binary Optimized Packaging (XOP)
– Message Transmission Optimization Mechanism (MTOM)
– WS-MediationPolicy (IBM standard)
– Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription
– WebSphere Service Registry and Repository (WSRR)
Link to DataPower Information Center
Protection of data plus XML & JSON threat protection
DataPower security is policy driven
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures
– Message-level, Field-level, Headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
• Use WS-SecurityPolicy to define security requirements for your web services
– DataPower natively consumes and enforces WS-SecurityPolicy statements
– Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
• Use XACML to define access and authorization policies for your web services
– DataPower natively consumes and enforces XACML policies
– Resource-based Authorization
– PEP, PDP
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
JSON Threat Protection
• Label-Value Pairs
– Label String Length (characters)
– Value String Length (characters)
– Number Length (characters)
• Threat Protection
– Maximum nesting depth (levels)
– Maximum document size (bytes)
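The JSON limits listed above are checks a gateway applies before a document reaches an application parser. The following is an added example, not DataPower's own code or GatewayScript shipped with the product, that enforces all five limits in a single pass over the raw text; the limit values and the sample inputs are constructed for illustration.

```javascript
// Added example (not DataPower product code or GatewayScript shipped with it):
// a single-pass pre-parser that enforces the JSON threat-protection limits
// named on the slide. Limit values and sample inputs below are constructed.

const DEFAULT_LIMITS = {
  maxDocumentBytes: 4096, // Maximum document size (bytes)
  maxNestingDepth: 8,     // Maximum nesting depth (levels)
  maxLabelLength: 32,     // Label string length (characters)
  maxValueLength: 256,    // Value string length (characters)
  maxNumberLength: 20,    // Number length (characters)
};

// Scans the raw text without building a tree, so an oversized or deeply
// nested document is rejected before JSON.parse allocates anything.
// Returns null when every limit holds, otherwise a reason string.
function checkJsonThreats(text, limits = DEFAULT_LIMITS) {
  const bytes = Buffer.byteLength(text, 'utf8');
  if (bytes > limits.maxDocumentBytes) {
    return `document size ${bytes} exceeds ${limits.maxDocumentBytes} bytes`;
  }
  let depth = 0;
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '{' || c === '[') {
      depth += 1;
      if (depth > limits.maxNestingDepth) {
        return `nesting depth ${depth} exceeds ${limits.maxNestingDepth}`;
      }
      i += 1;
    } else if (c === '}' || c === ']') {
      depth -= 1;
      i += 1;
    } else if (c === '"') {
      // Find the closing quote, skipping backslash escapes inside the string.
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') j += 1;
        j += 1;
      }
      const len = j - i - 1;
      // A string followed by ':' is a label (object key); any other string is a value.
      let k = j + 1;
      while (k < text.length && /\s/.test(text[k])) k += 1;
      const isLabel = text[k] === ':';
      if (isLabel && len > limits.maxLabelLength) {
        return `label length ${len} exceeds ${limits.maxLabelLength}`;
      }
      if (!isLabel && len > limits.maxValueLength) {
        return `value length ${len} exceeds ${limits.maxValueLength}`;
      }
      i = j + 1;
    } else if (c === '-' || (c >= '0' && c <= '9')) {
      // Measure the whole numeric literal (sign, digits, fraction, exponent).
      let j = i;
      while (j < text.length && /[-+.eE0-9]/.test(text[j])) j += 1;
      if (j - i > limits.maxNumberLength) {
        return `number length ${j - i} exceeds ${limits.maxNumberLength}`;
      }
      i = j;
    } else {
      i += 1; // whitespace, ':', ',', true/false/null
    }
  }
  return null;
}

// Gateway-style guard: only a document that passes every limit is parsed.
function parseIfSafe(text, limits = DEFAULT_LIMITS) {
  const reason = checkJsonThreats(text, limits);
  if (reason !== null) throw new Error('JSON threat protection: ' + reason);
  return JSON.parse(text);
}
```

Because the depth and size checks run before JSON.parse, a nesting bomb or oversized body is dropped with a bounded amount of work instead of exhausting the parser's stack or memory.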
VISA International: Provide Greater Agility, Flexibility & Adaptability
Challenge
• Consistent & secure delivery of online services to members that could be shared, integrated & flexible to meet specific needs
• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information
Solution
• Implemented DataPower Security Gateway XG45 to form the backbone of Web services infrastructure
• Through content-based message routing, security policy enforcement & data encryption, the XG45 helps to ensure safe & efficient flow of confidential customer data between Web site & backend systems
• Integrated seamlessly into existing heterogeneous environment, increasing interoperability & promoting reuse
Benefits
• Secure SOA on standards-based platform
• Easily reuse Web services throughout enterprise
• Boosts productivity of IT staff
• Substantially shorten time to market for new services
Products used
• WebSphere DataPower Security Gateway XG45
• WebSphere Application Server
Multi-channel gateway for Mobile workloads
• ISAM for DataPower module provides the reverse proxy component that enables
– Centralized user authentication & coarse-grained authorization
– Advanced session management & web SSO
– Enforcement of context based access & mobile SSO policies
– Strong authentication including one-time password and multi-factor authentication
Diagram: Mobile Application, DataPower (ISAM Module), ISAM for Mobile and IBM MobileFirst.
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
Challenge
– Missing out on new opportunities in mobile advertising
– Aggressive growth in mobile creating new opportunities
– Differentiation with Sprint profile information
– How to increase topline revenue
– Increase in competition from non-traditional companies, no longer just the other carriers
Solution
– WebSphere DataPower Integration Appliance XI52 and XC10 Caching Appliance for mobile access control and security, wirespeed performance & consistent operational environment
– Deployed as a Mobile gateway, providing schema validation & trust formations
– Augmented existing infrastructure
Benefits
– Fast speed to market
– Low development cost
– Well established operational support (within Sprint)
– Deployed within secured Sprint network
– Secure connectivity to dependent systems
– Sprint controlled data security
– Scalable as volumes grow
– Ability to maintain a consistent interface to clients regardless of backend changes
Diagram: Enterprise Application Integration. Service consumers send SOAP web service requests to the XI52 Web Services Gateway Platform, which, together with Message Broker, custom code, adapters and an XC10 caching appliance, connects to the back-office systems.
Customer Testimonial: http://www.youtube.com/watch?v=0hpZcnrG26Q
Multi-channel gateway for API workloads
• Assemble business APIs easily
• Provide Secure or Open APIs
• Control APIs at a fine-grained level
• Analyze API usage
• Manage private, partner, public app developers
• Provide self-service app developer onboarding
Components shown:
• Developer Portal: Explore API documentation; Interactively exercise APIs; Provision application keys
• API Manager: Define and manage APIs; Explore API usage with analytics; Manage API user communities
• Management Console: Provision system resources; Monitor runtime health; Scale the environment
• API Gateway (DataPower): API configurations are deployed to the gateway, which provides the enforcement point for runtime policies to control API traffic.
Improved User Experience: Pattern-based Configuration
Reduce time-to-value, increase productivity & quality of DataPower solutions
• Pattern captures a tested solution to a common recurring problem
• Built-in, intuitive, new interface for creating & deploying common DataPower configuration patterns
– Reduce time to value through accelerated user configuration & deployment for both new & experienced users
– Increase developer productivity by leveraging working examples of common use cases
– Improve quality through reuse of configuration created by skilled roles
• Pre-built and user-defined patterns
– Ten new pre-built web application & web services patterns
Diagram: browse patterns, deploy a new service from a pattern, create a service pattern for reuse.
Supports on-premise & cloud deployment
• Purpose-built, DMZ-ready appliances provide physical security
– High density 2U rack-mount design
– 8 x 1 and 2 x 10 GbE ports
– Cryptographic acceleration card
– Trusted platform module
– Customized intrusion detection
– Optional HSM (FIPS 140-2 Level 3 certified)
• Virtual appliances provide deployment flexibility
– Support multiple hypervisors and cloud environments
− VMware
− Citrix XenServer
− IBM PureApplication System (x86 nodes)
− IBM PureApplication Service on SoftLayer (x86 nodes)
− IBM SoftLayer bare metal instances using supported hypervisors
7.2 Features
Secure. Integrate. Control. Optimize.
Announce: May 26th, 2015
Available: June 19th, 2015
• New Cloud Offerings: Deploy DataPower Gateways on Amazon EC2 and SoftLayer CCI to provide enhanced cloud elasticity for cloud workloads.
• Secure Gateway for Bluemix Applications: Enhanced hybrid cloud integration to securely connect between IBM Bluemix applications and on-premise services protected using DataPower Gateways
• Robust Platform Security: Protect mission-critical applications from security vulnerabilities with enhanced TLS protocol support using Elliptic Curve Cryptography, Server Name Indication, and Perfect Forward Secrecy
• Easier DevOps with new REST API: New REST-based management API to build deployment and automation scripts, enabling easier devops for continuous software delivery and quicker problem resolution.
• GatewayScript Enhancements: Easily transform between XML and JSON messages to quickly integrate System of Records data sources with Systems of Engagement interfaces
• Enhanced Mobile and API security: Increased mobile and API security for protecting mission-critical transactions with JSON Encryption, JSON Signature, JSON Key, and JSON Token
Summary
IBM DataPower Gateway provides these benefits for security and integration needs within an enterprise:
• Ease of Use: Solves complex security and integration challenges in a secure, easy to consume and extremely low TCO network device. DataPower appliances are configuration driven, not program driven, which simplifies deployment
• Performance: DataPower is a network device that operates at wire speed. Greater processing power is realized with every new firmware release. This is even more critical with the advent of mobile.
• Flexibility: Secure, integrate, bridge and version applications without application modification
• Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”
• Lower TCO: Customers’ own data has shown that DataPower can be 7X-8X less expensive to operate in the data center than traditional alternatives.
Questions & Answers
Where can I get more information?
• IBM DataPower Gateway product page on ibm.com
• IBM DataPower Gateway product documentation
• IBM DataPower Gateway user forums: External forum
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn groups: IBM DataPower Gateway
• DeveloperWorks blog: IBM DataPower Gateway
• IBM Security Access Manager product page on ibm.com
Available Now: DataPower Handbook, Second Edition, Volume 1
• Known as the ‘bible’ of DataPower planning, implementation, and usage.
• New content to cover previous six years of new products/features, including 9006/7.1!
• Volume 1 consists of Chap 1 DataPower Intro, Chap 2 Setup Guide, new Preface and two invaluable new appendices for physical and virtual appliances.
Available in softcover and e-book formats
Backup
Mobile enhancements (1 of 2)
• Provide enhanced message-level security for mobile, API, and web workloads
– JSON Web Encryption for message confidentiality
– JSON Signature for message integrity
– JSON Web Token to assert security assertions for Single Sign On (SSO)
– JSON Web Key (JWK) to represent cryptographic key
• Provides end-to-end security between Mobile application and System of Record applications
• Secure sensitive data (credit card data) between multiple untrusted or unmanaged systems without compromising the data and support PCI compliance
Diagram: Mobile Application (public/private cloud) connects through DataPower in the Demilitarized Zone (DMZ) to Systems of Record in the Trusted Zone.
Mobile enhancements (2 of 2)
• GatewayScript enhancements to transform between XML and JSON messages
– Easily integrate System of Records data sources with Systems of Engagement interfaces
• GatewayScript can be used to build a microservices architecture that can quickly adapt to changes required to support your digital marketing strategy
Diagram: Mobile Application (Systems of Engagement, JSON) to Systems of Record (XML), with JSON <-> XML transformation on DataPower in between.
Platform Security Enhancements
• Protect mission-critical applications from security exposures with enhanced TLS protocol support by using Elliptic Curve Cryptography (ECC), Perfect Forward Secrecy (PFS), and Server Name Indication (SNI)
– ECC provides robust security without compromising performance to help prevent security vulnerabilities
– PFS helps prevent security exposures of prior traffic when crypto keys are compromised
– SNI extends the TLS protocol to provide connectivity to multiple hosts on the same machine
Diagram: Mobile Application, TLS, DataPower, TLS, Service Provider.
New management API using REST architecture
• Quickly build DataPower automation and deployment migration scripts for easier devops by using the new REST-based management API.
– Accelerate adoption of DevOps to quickly make configuration changes to support continuous delivery
– Easily integrate with build tools such as UrbanCode Deploy
Diagram: a Build Server drives the Development, Test and Production gateways through the REST API.
Enhanced product integration
• Enhanced reliability of IMS transactions with support for IMS Commit mode 0.
• Supports distributed caching with IBM WebSphere eXtreme Scale 8.6+ to provide increased response time and better application performance.
• IBM Security Access Manager (ISAM) migration tools for easier promotion between ISAM products
Diagram: Mobile Application, DataPower (ISAM Module), IMS, ISAM for Mobile, WebSphere eXtreme Scale.
DataPower Gateway for Cloud
• Current: DataPower Virtual Edition supports SoftLayer bare metal instances
– Similar deployment and licensing model to on-premise virtual environments
• New Support: DataPower Virtual Edition includes support for SoftLayer CloudLayer Computing Instance (CCI) and Amazon Elastic Compute Cloud (EC2)
– Enhanced cloud elasticity for DataPower Gateways in cloud environments.
– Scale workloads at lower costs when computing requirements change
– BYOL model using Passport Advantage (PPA): perpetual or monthly licensing options available
Diagram: Bare Metal Server (current), Cloud Computing Instance (new), Amazon EC2 (new).
Hybrid cloud integration using Secure Gateway Service
• Enhanced hybrid cloud integration using Secure Gateway service to securely connect between IBM Bluemix applications and on-premise services protected using DataPower Gateways
– Quickly set up connectivity without making enterprise firewall changes while still allowing controlled access from cloud services
– Supports multiple gateway instances, load balancing and fault tolerance
– Manage and monitor gateway instances and usage
Diagram: Bluemix services and runtimes connect through the new Secure Gateway to the On Premise Datacenter.