Post on 15-Apr-2020
2844 – Introducing Application Optimization in
WebSphere DataPower SOA Appliances
Adolfo Rodriguez, PhD, STSM, DataPower Architect
Agenda
• DataPower: A Brief History
• Application, DMZ, and ESB Trends
• What is Application Optimization (AO)?
– Dynamic Configuration
– Intelligent Load Distribution
– Session Affinity
– Application Versioning
– Self-Balancing and HA in Local Multi-Appliance Scenarios
• Summary
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance
DataPower SOA Appliances Product Family
• B2B Appliance XB60
– B2B Messaging (AS2/AS3)
– Trading Partner Profile Management
– B2B Transaction Viewer
– Unparalleled performance
– Simplified management and config
• Low Latency Appliance XM70
– High volume, low latency messaging
– Enhanced QoS and performance
– Simplified, configuration-driven approach to LLM
– Publish/subscribe messaging
– High Availability
• Integration Appliance XI50
– Hardware ESB
– “Any-to-Any” Conversion at wire-speed with WS-TX
– Bridges multiple protocols
– Integrated message-level security
• XML Security Gateway XS40
– Enhanced Security Capabilities
– Centralized Policy Enforcement
– Fine-grained authorization
– Rich authentication
Typical DataPower Use Cases
• Monitoring and control
– Example: centralized ingress management for all Web Services using ITCAM SOA
• Deep-content routing and data aggregation
– Example: XPath (content) routing on Web Service parameters
• Functional acceleration
– Example: XSLT, WS Security
• Application-layer security and threat protection
– Example: XML Denial-of-Service protection, WS Security
• Protocol and message bridging
– Example: Convert WS to legacy Cobol/MQ
[Figure: Clients, DataPower, and Service Providers. Traffic labels: In-the-clear SOAP/HTTP, Malicious SOAP/HTTP, Encrypted and Signed SOAP/HTTP, SOAP, Cobol/MQ. Back ends: Service Provider, Cobol/MQ Appl]
Why an Appliance for SOA?
• Integrated
– Many functions integrated into a single device
– Addresses the divergent needs of different groups (architects, operators,
developers)
– Integrates well with other IBM SWG and standards-based products
• Hardware reliability
– Dual power supplies, no spinning media, self-healing capability, failover support
• Security
– Higher levels of security assurance certifications require hardware (HSM,
government criteria)
– Inline application-aware security filtering and intrusion protection
• Higher performance with hardware acceleration
– Wire-speed application-aware parsing and processing
– Ability to perform costly XML security operations without slowdowns
• Consumability
– Simplified deployment and management: up in minutes, not hours
– Reduces need for in-house SOA skills & accelerates time to SOA benefits
The DataPower Secret Sauce
• Specialized compiler technology creates optimized executable object code from transformations (e.g. XSLT) that execute natively on hardware
• Everything is viewed as a transformation that is extensible via DataPower custom extension functions
• High-performing throughput-optimized engine yields wire-speed capabilities
• Purpose-built hardware to execute SOA workloads and transformations
Today’s DMZ
[Figure: Internet, Packet Filters, DMZ [Appliances ONLY], intranet [Software + appliances], ESB, datacenter; users, internal user, clouds, threats.
Functions shown: identity federation, application-aware transformations, security policy enforcement, monitoring, XDoS protection, QoS policy enforcement, SSL offload, extensible rules, intrusion detection, intrusion prevention, load balancing, WAN and connection optimization, caching, traffic shaping, offload, fine-grain access control.
Products shown: DataPower XS40; IHS plugin, Proxy Server, Edge Server; WebSphere VE (XD); WebSeal; ISS; NEPs; XI50, WESB, WMB.
Callout: Increased processing requirements in the DMZ. Traffic types: WS, J2EE, Web, REST.]
Today’s DMZ
[Figure: Internet, Packet Filters, DMZ [Appliances ONLY], intranet [Software + appliances], ESB, datacenter; users, internal user, clouds, threats.
Labels: Appliance Hygiene; SOA/XML; Web Application; IP/TCP (packets/conns). Traffic types: WS, J2EE, Web, REST.]
Deployment Trends
• DMZ Convergence
– SOA Optimization: SOA Support, XML Intelligence, XML Security
– Application Optimization: Web 2.0 Support, Application Intelligence, Application Security
• ESB Convergence
– SOA Optimization: SOA Integration, SOA Support, XML Intelligence
– Application Optimization: Application Integration, Web 2.0 Support, Application Intelligence
[Figure: Internet, Packet Filters, DMZ [Appliances ONLY], intranet [Software + appliances], datacenter; users, internal user, clouds, threats]
Application Optimization Clearly Defined
Application Optimization (AO) is about leveraging application knowledge in the network to better optimize application behavior, conformance, and performance
[Figure: Internet, Packet Filters, DMZ [Appliances ONLY], intranet [Software + appliances], datacenter; users, internal user, clouds, threats. Callouts: SOA and Application Optimization in the DMZ; SOA and Application Optimization in the ESB]
Dynamic Configuration (3.8.0, AO Option)
DataPower learns of deployed back-end applications
[Figure: Clients, DataPower, and WebSphere (or other) Service Providers. Label: Dynamic Middleware Information]
Static vs Dynamic Configuration
• Static / Persisted Configuration
– LBGroup configuration saved in non-volatile storage
– Entered by an administrator or through SOMA
– Initial Runtime Configuration
– Static configuration is immediately available after a change is applied and before any dynamic population takes place.
• Dynamic Configuration
– Runtime only. (Does not show up on configuration panels)
– Overrides the static configuration when new information is retrieved
• Members added / disabled
• Member weights changed
• Session Affinity tables changed
– Shows up via the Load Balancer Group Status provider
Usability Model
• Create a static LBGroup configuration to verify connectivity, service configuration, and data flow.
• Install the ODCInfo Application on the DM of the WebSphere Cell.
• Verify the ODCInfo Installation
– ODCInfo verification script
– Browser: http://dm_host_name:9060/ODCInfo/ODCInfo?c=cluster_name
• Create WebSphere Cell object (points to ODCInfo app)
– Retrieves the WebSphere Cell information
– One WebSphere Cell object can support multiple clusters
Configure the WebSphere Cell Object
Intelligent Load Distribution (3.8.0, AO Option)
DataPower performs dynamic back-side routing and load distribution (leveraging dynamic information from back-ends)
[Figure: Clients, DataPower, and WebSphere (or other) Service Providers. Label: Weight Information]
Load Balancer Group
[Figure label: New Config Questions]
Load Balancer Group Status Provider
Weighted Least Connections Algorithm
• Imposes weight infrastructure on top of Least Connections.
– The larger the weight, the larger the percentage of connections that will go to a given server.
– The smaller the number of connections, the more likely that a server will receive the next connection.
– member_wlc = constant * (member_connections / member_weight); the member with the lowest member_wlc receives the next connection attempt.
• Reference Count used to track number of connections on each member
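The selection rule above, as an added Python example (not DataPower code). The names Member, pick_member and SCALE, the handling of disabled or zero-weight members, and the tie-break toward the heavier member are assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = 1000  # the slide's "constant"; any positive value gives the same ordering


@dataclass
class Member:
    name: str
    weight: int            # static or dynamically learned weight
    enabled: bool = True   # dynamic configuration can disable a member
    connections: int = 0   # reference count of open connections

    def wlc(self) -> float:
        # member_wlc = constant * (member_connections / member_weight)
        return SCALE * (self.connections / self.weight)


def pick_member(members):
    """Return the eligible member with the lowest member_wlc, or None."""
    # Filtering weight <= 0 first also avoids a division by zero in wlc().
    eligible = [m for m in members if m.enabled and m.weight > 0]
    if not eligible:
        return None
    # Assumption: ties go to the heavier member, so an idle group favours weight.
    return min(eligible, key=lambda m: (m.wlc(), -m.weight))


def open_connection(members):
    chosen = pick_member(members)
    if chosen is not None:
        chosen.connections += 1   # take a reference
    return chosen


def close_connection(member):
    member.connections = max(0, member.connections - 1)  # drop a reference


def simulate(weights, n):
    """Open n long-lived connections and return the per-member counts."""
    members = [Member(name, w) for name, w in weights.items()]
    for _ in range(n):
        open_connection(members)
    return {m.name: m.connections for m in members}
```

With weights 3 and 1, eight long-lived connections settle at six and two, which is the weight ratio the slide describes.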
Session Affinity - Overview
• Cookies – the basis for persistent client state
• Session Affinity - uses cookies to more efficiently provide the persistent (session) information to an Application by forwarding every request within a session to the same server.
– Required for efficient Session Management in application servers.
• A Session ID contains a name and a value
– Session information (Ignored by DataPower)
– Routing information (Clone ID, Partition ID, or a hash value)
• With Session Affinity enabled
– If DataPower recognizes the session ID format and can resolve the routing information, it uses the routing information to forward the request.
– If no session ID, or the routing information cannot be resolved, the request is load balanced.
Session Affinity
• Passive
– Only available through WLM (ODCInfo) feedback
– Least aggressive
– Only applies to WebSphere servers (must understand cookie format)
– DataPower monitors and forwards the requests based on Partition ID or Clone ID contained in the Session ID.
• Active-Conditional
– Applies to any back-end server
– Set-Cookie monitored on Reply. If present, DataPower inserts its own Set-Cookie (e.g. DPJSESSIONID)
– DataPower routes any subsequent request based on the DPJSESSIONID.
• Active
– Applies to any back-end server
– Most Aggressive
– Private Cookie (DPJSESSIONID) monitored on Request.
• If present, Request is routed to the corresponding server
• If not present, a Set-Cookie with the private cookie value (DPJSESSIONID) is inserted into the Reply
• The first request is load balanced. All subsequent requests are forwarded to the same server as the first request.
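The Active and Active-Conditional decisions above, as an added Python example (not DataPower code). AffinityRouter, run_session, the in-memory lookup table and the random opaque cookie value are assumptions; the slides do not describe how the DPJSESSIONID value is built. A cookie value that does not resolve to a current member is treated like a missing cookie, so the request is load balanced.

```python
import secrets

PRIVATE_COOKIE = "DPJSESSIONID"   # insertion cookie name used on the slides


class AffinityRouter:
    def __init__(self, members, mode, balance):
        self.members = set(members)
        self.mode = mode              # "active" or "active-conditional"
        self.balance = balance        # fallback load-distribution callable
        self.table = {}               # private cookie value -> member

    def route_request(self, cookies):
        """Return (member, resolved) for the cookies on an incoming request."""
        member = self.table.get(cookies.get(PRIVATE_COOKIE, ""))
        if member in self.members:
            return member, True
        # No cookie, unknown value, or member removed: load balance instead.
        return self.balance(), False

    def reply_cookies(self, member, resolved, backend_set_cookie):
        """Return the Set-Cookie pairs the router adds to the reply."""
        if resolved:
            return {}
        if self.mode == "active-conditional" and not backend_set_cookie:
            return {}                 # the back end started no session
        # Assumption: an opaque random key, so the value names no back end.
        token = secrets.token_urlsafe(16)
        self.table[token] = member
        return {PRIVATE_COOKIE: token}


def run_session(router, backend_sets_cookie, requests=3):
    """Replay one client's requests, carrying cookies forward like a browser."""
    jar, path = {}, []
    for _ in range(requests):
        member, resolved = router.route_request(jar)
        jar.update(router.reply_cookies(member, resolved, backend_sets_cookie))
        path.append(member)
    return path
```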
Passive Session Affinity Flow
[Figure: Client, drouter_xi50, and aocCluster (aocServer1, aocServer2)]
CID/Host:Port Table: cid3 -> aocServer1:8080; cid8 -> aocServer2:8080
PID/CID Table (Version23): P_A.1 -> cid3; P_A.2 -> cid8
PID/CID Table (Version25)
Messages shown:
– Req (JSESSIONID=PAKZZ:P_A.1)
– Req (JSESSIONID=PAKZZ:P_A.1, WS_HAPRT_WLMVERSION=Version23)
– Reply (WS_HAPRT_WLMVERSION=Version25, $WSPT=PID:CID;)
– Reply()
Active-Conditional Session Affinity Flow
[Figure: Client, drouter_xi50, and xyzCluster (ServerLeft, ServerRight)]
Messages shown:
– Req ()
– Req ()
– Reply(SetCookie: JSESSIONID=…)
– Reply (SetCookie: JSESSIONID= … ; SetCookie: DPJSESSIONID=PBC5YS:-2342213232;)
Active Session Affinity Flow
[Figure: Client, drouter_xi50, and xyzCluster (ServerLeft, ServerRight)]
Messages shown:
– Req ()
– Req ()
– Reply()
– Reply (SetCookie: DPJSESSIONID=PBC5YS:-2342213232;)
Session Affinity Configuration
[Figure callouts: Enable Switch; Use for non-WebSphere backends; Insertion Cookie Information]
Application Version Routing (3.8.1)
DataPower performs back-side application version routing *and* load ramping
[Figure: Clients, DataPower, and WebSphere Service Providers. Labels: Application version information; Version 1; Version 2]
Enabling Application Version Routing
Self Balancing and HA of Co-located Appliances
• Active/Passive failover of distributor using standby control
• Front-end IP load balancers not needed for AO workloads
• Self balancing (IP spraying)
• Failures of target appliances are masked by appropriate weighted distribution
[Figure: Clients, DataPower appliances, Service Provider]
Enabling Self Balancing
Scaling Self-Balancing
[Charts: Transactions per Second. Series: Self Balancing DataPower Appliances; LVS with strict round robin (Round Robin). Second chart: Cluster TPS and TPS per Host for Direct to 1 DP, 2 DP Appliances, 3 DP Appliances]
Distribution and High Availability Options
[Figure: Clients, Tier 1 distribution options, DataPower Tier, Tier 2 distribution options, service providers.
Tier 1 distribution options: DataPower Self Balancing; Fronting IP Sprayer; Sysplex Distributor. Other labels: IP Sprayer; DataPower; z/OS; z/Linux (Under development); Self Balancing.
Tier 2 distribution options: DataPower ILD (ODC) to WebSphere on p, x, or z; DataPower load distribution to any service provider on p, x, or z.
Legend: Red = Connection distribution; White = Request distribution]
Quiesce Support (3.8.1)
• Operational maintenance of DataPower appliances due to
– Upgrade firmware
– Promote configuration packages
– Apply dynamic configuration changes
• Design goals
– Ensure all existing transactions complete without error
– Indicate administrator quiesced state
– Various levels of granularity
• FSPH (configuration changes)
• Service object (configuration changes)
• Application domain (configuration promotion)
• Entire appliance (firmware upgrades and proactive recycles)
• Usage model
– Prevent new connections from arriving at an appliance through external load balancer configuration
– Special hooks automatically remove quiesced targets from self-balanced sets
We Value Your Feedback !
• Please complete the session survey for this session by:
• Accessing the SmartSite on your smart phone or computer at: http://imp2010.confnav.com
– Surveys / My Session Evaluations
• Visiting any onsite event kiosk
• Each completed survey increases your chance to win an Apple iPod Touch with daily drawing sponsored by Alliance Tech
Copyright and Trademarks
© IBM Corporation 2009. All rights reserved. IBM, the IBM logo, ibm.com and the globe design are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.