Async Multistep Policy Datapower


Transcript of Async Multistep Policy Datapower

Page 1: Async Multistep Policy Datapower

®

IBM Software Group

© IBM Corporation

DataPower Release 3.6.1 New Features

Ren JIngAn

Cheng Long

IBM Software Group | WebSphere software / DataPower

IBM WebSphere DataPower SOA Appliances

Software

Skills & Support

An SOA Appliance…

WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.

• Simplifies SOA with specialized devices
• Accelerates SOA with faster XML throughput
• Helps secure SOA XML implementations

Creating customer value through extreme SOA performance and security

Why an Appliance for SOA

• Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
• Many functions integrated into a single device:
  - Impact: connectivity will require service level management, routing, policy, transformation
• Higher levels of security assurance certifications require hardware:
  - Example: government FIPS Level 3 HSM, Common Criteria
• Higher performance with hardware acceleration:
  - Impact: ability to perform more security checks without slowdowns
• Addresses the divergent needs of different groups:
  - Example: enterprise architects, network operations, security operations, identity management, web services developers
• Simplified deployment and ongoing management:
  - Impact: reduces need for in-house SOA skills & accelerates time to SOA benefits


IBM Internal Use Only

IBM SOA Appliance Product Line: Specialized network devices simplify, help secure & accelerate SOA

• Accelerates XML processing and transformation
• Increases throughput and reduces latency
• Lowers development costs
• Transforms messages (Binary to XML, Binary to Binary, XML to Binary)
• Bridges multiple protocols (e.g. MQ, HTTP, JMS)
• Routes messages based on content and policy
• Integrates message-level security and policy functions
• Helps secure SOA with XML threat protection and access control
• Combines Web services security, routing and management functions
• Drop-in, centralized policy enforcement
• Easily integrates with existing infrastructure and processes

Products: XML Accelerator XA35, XML Security Gateway XS40, Integration Appliance XI50

IBM SOA Appliance Deployment Summary

[Deployment diagram, labels only: Internet, IP Firewall, Web Tier, Security, Integration & Management Tiers; XA35 (XML, XSL, HTML, WML, Client or Server); XS40 (HTTP XML request/response, Web Services Client, Tivoli Access Manager / Federated Identity Manager); XI50 (Legacy request/response, Reply Q); Application Server, Web Server, ITCAM for SOA]

DataPower 3.6.1 Feature Summary

• Multistep v3 processing features

• Configurable QoS

• SOAP 1.2 enhancements

• Reliable Messaging

• WS-Policy

• WS-I Profile enhancements

• DB2 v9 and IMS Connect

• Many more

[SOA reference architecture diagram, labels only: Interaction Services, Information Services, Partner Services, Business App Services, Access Services, Development Services, Management Services, Infrastructure Services, Process Services, Business Services, Apps & Info Assets, Enterprise Service Bus]

MultiStep v3

New Processing Flow Features:

• Conditional action execution (if/then/else): if the XPath evaluates to true, then execute the named Processing Action
• For-Each Loop:
  - For each node in a nodeset, execute the named Processing Action
  - For each increment of a counter, execute the named Processing Action

Parallel Processing Features:

• Mark any Processing Action Asynchronous
• Synchronize parallel asynchronous action execution to rule processing
• Target multiple Results destinations in parallel

MultiStep v3: Asynchronous Action

Causes the action to execute asynchronously to the rest of MultiStep. MultiStep moves immediately to the next action in the rule without waiting for an async action to complete. Particularly good for fire-and-forget. Can reduce network I/O latency by executing multiple Actions in parallel. Must use the Event-sink action to resync to the rule. Beware the race condition! Nearly any action can be marked Asynchronous!

MultiStep v3: Event-sink Action

Causes MultiStep to wait for the designated async actions to complete. Output contexts of the included async actions become reliably available to other MultiStep actions. Limit the "wait time" with the Timeout value.
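The race the two slides above warn about is easiest to see in a small model. The following is an added example, not DataPower code: it models a rule as a list of actions, lets any action be marked asynchronous, and implements an Event-sink that blocks on the named async actions under a timeout. The `Action` and `run_rule` names, the context names `LOOKUP` and `RESULT`, and the 0.2 s stand-in for a network call are all constructed here. `without_sink()` shows the race (the consumer reads the context before the async action has written it), `with_sink()` shows the sink making the context reliably available, and `with_short_timeout()` shows the Timeout bound firing.

```python
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Contexts = Dict[str, str]


@dataclass
class Action:
    """One processing action in a rule (field names are this model's own)."""
    name: str
    run: Callable[[Contexts], Optional[str]]   # sees a snapshot of the contexts
    output: Optional[str] = None               # context this action writes, if any
    asynchronous: bool = False                 # "mark the action Asynchronous"
    wait_for: List[str] = field(default_factory=list)  # non-empty => this is an Event-sink
    timeout: float = 1.0                       # Event-sink wait bound in seconds


class EventSinkTimeout(Exception):
    """Raised when the designated async actions do not finish within the timeout."""


def run_rule(actions: List[Action]) -> Contexts:
    """Execute the actions in order and return the final context table."""
    contexts: Contexts = {}
    lock = threading.Lock()
    pending: Dict[str, Future] = {}
    pool = ThreadPoolExecutor(max_workers=8)

    def execute(action: Action) -> None:
        with lock:
            snapshot = dict(contexts)          # what the action can see right now
        result = action.run(snapshot)
        if action.output is not None:
            with lock:
                contexts[action.output] = "" if result is None else result

    try:
        for action in actions:
            if action.wait_for:                # Event-sink: block until the named async actions finish
                deadline = time.monotonic() + action.timeout
                for name in action.wait_for:
                    if name not in pending:
                        raise ValueError(f"Event-sink names unknown async action {name!r}")
                    try:
                        pending[name].result(timeout=max(0.0, deadline - time.monotonic()))
                    except FutureTimeout:
                        raise EventSinkTimeout(f"{name!r} did not finish within {action.timeout}s") from None
            elif action.asynchronous:          # start it and move on immediately
                pending[action.name] = pool.submit(execute, action)
            else:
                execute(action)
    finally:
        pool.shutdown(wait=True)               # fire-and-forget stragglers still finish
    return contexts


def slow_lookup(_: Contexts) -> str:
    """Constructed stand-in for a network call (for example a backend lookup)."""
    time.sleep(0.2)
    return "lookup-result"


def build_rule(with_sink: bool, timeout: float = 1.0) -> List[Action]:
    rule = [Action("lookup", slow_lookup, output="LOOKUP", asynchronous=True)]
    if with_sink:
        rule.append(Action("sink", lambda _: None, wait_for=["lookup"], timeout=timeout))
    # The consumer reads LOOKUP; without the sink it races the async action.
    rule.append(Action("consume", lambda c: c.get("LOOKUP", "<missing>"), output="RESULT"))
    return rule


def without_sink() -> str:
    return run_rule(build_rule(with_sink=False))["RESULT"]   # the race: "<missing>"


def with_sink() -> str:
    return run_rule(build_rule(with_sink=True))["RESULT"]    # "lookup-result"


def with_short_timeout() -> str:
    try:
        run_rule(build_rule(with_sink=True, timeout=0.01))
        return "completed"
    except EventSinkTimeout:
        return "timeout"
```

The design point is the one the slides make: marking an action asynchronous buys parallelism, but any later action that reads its output context is only correct if an Event-sink naming that action sits between them, and the sink's Timeout is what keeps a stalled backend from stalling the whole rule.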

MultiStep v3: MultiWay Results

New properties added to the Results action allow for parallel execution of the Results action with multiple destinations. The user can control multiple-destination behavior with the Multi-Way Results input. May use the Multiple Outputs feature to capture the response from each destination in a separate Output context; this creates the contexts Outputname1, Outputname2, Outputname3, etc. The entire action can be marked Asynchronous.

var://context/mine/dests:

  <url>http://host.domain.com/spp1</url>
  <url>http://host.domain.com/spp2</url>
  <url>http://host.domain.com/spp3</url>

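To make the Multi-Way Results behaviour concrete, here is an added example (not DataPower code) that reads a destination list in the same `<url>` shape shown under var://context/mine/dests, calls every destination in parallel, and stores each reply in its own Outputname1, Outputname2, ... context. The transport is a constructed stand-in (`send`, backed by a dictionary) so the example runs offline, and the rule that a failed destination gets an `OutputnameN.error` context instead of losing the other replies is this example's own choice, not documented DataPower behaviour.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List
import xml.etree.ElementTree as ET

# Constructed: the dests context content from the slide, wrapped in a root element
DESTS_XML = """<dests>
  <url>http://host.domain.com/spp1</url>
  <url>http://host.domain.com/spp2</url>
  <url>http://host.domain.com/spp3</url>
</dests>"""

# Constructed stand-in for the network: what each destination would answer.
# spp3 deliberately has no entry, so the call to it fails.
FAKE_BACKENDS: Dict[str, str] = {
    "http://host.domain.com/spp1": "<resp>one</resp>",
    "http://host.domain.com/spp2": "<resp>two</resp>",
}


def parse_dests(xml_text: str) -> List[str]:
    """Extract the ordered destination URLs from the dests context."""
    root = ET.fromstring(xml_text)
    urls = [el.text.strip() for el in root.iter("url") if el.text and el.text.strip()]
    if not urls:
        raise ValueError("no <url> elements in destination list")
    return urls


def send(url: str, payload: str) -> str:
    """Constructed transport: look the reply up instead of doing HTTP."""
    try:
        return FAKE_BACKENDS[url]
    except KeyError:
        raise ConnectionError(f"cannot reach {url}") from None


def multiway_results(dests_xml: str, payload: str, output_name: str = "Outputname",
                     transport: Callable[[str, str], str] = send) -> Dict[str, str]:
    """Fan the same payload out to every destination in parallel.

    Returns a context table: OutputnameN holds destination N's reply (1-based,
    in list order). A destination that fails gets an OutputnameN.error context
    so that one unreachable backend does not discard the others' replies.
    """
    urls = parse_dests(dests_xml)
    contexts: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=len(urls)) as pool:
        futures = [pool.submit(transport, url, payload) for url in urls]
    # Leaving the with-block waits for every call; now collect per destination.
    for n, (url, fut) in enumerate(zip(urls, futures), start=1):
        name = f"{output_name}{n}"
        try:
            contexts[name] = fut.result()
        except Exception as exc:
            contexts[f"{name}.error"] = f"{url}: {exc}"
    return contexts
```

Numbering the contexts from the order of the `<url>` list, rather than from completion order, is what makes the result usable by later actions: the Nth destination is always OutputnameN whichever reply arrives first.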
Quality of Service

Service Priority

Control the service scheduling priority. When system resources are in high demand, "high" priority services will be favored over lower priority services. Look on the Advanced Settings page of the Service to set this. Use the Priority twizzle on a Web Service Proxy Policy page to set this.

SOAP 1.2

Configure a WS-Proxy from WSDL with SOAP 1.2 (both document and rpc). Must support:

• SOAP Request-Response Message Exchange Pattern
• SOAP Response Message Exchange Pattern (support for HTTP GET binding)
• SOAP Web Method Feature
• SOAP Action Feature

Configure a WS-Proxy from a WSDL with both SOAP 1.1 and 1.2 bindings: SOAP 1.1 messages would be routed to the 1.1 endpoint and SOAP 1.2 messages to the 1.2 endpoint.

Support includes, but is not limited to:

• Importing WSDLs with SOAP 1.2 bindings
• SOAP 1.2 envelope validation
• SOAP 1.2 message validation
• Co-existence of SOAP 1.1/1.2 service definitions
• Ability to convert between SOAP 1.1 and 1.2 requests

SOAP 1.2

Mediation between SOAP 1.1 and 1.2 requests/responses (WS-Proxy)

Scenario: Expose a SOAP 1.1 or 1.2 service and allow both SOAP 1.1 and 1.2 clients.

An "Additional bindings" GUI option allows the administrator to direct the WS-Proxy to allow additional bindings beyond what is specified in the WSDL. The option is additive, and specifying a binding already in the WSDL is harmless. Incoming requests will be processed using any of the allowed bindings, converted as necessary to what the WSDL specifies the server uses, and outgoing responses are similarly "back-converted" as necessary.

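The conversion the "Additional bindings" option performs has to touch more than the Envelope namespace. The following is an added example written stand-alone in Python, not DataPower's implementation: it detects the version from the Envelope namespace, rewrites every envelope-namespaced element and attribute (including the SOAP 1.1 `actor` / SOAP 1.2 `role` rename), converts the Fault layout (1.1 `faultcode`/`faultstring` versus 1.2 `Code`/`Value` and `Reason`/`Text`, with Client/Server mapped to Sender/Receiver), and reports the transport headers each version needs. The namespace URIs and fault layouts are the ones the SOAP 1.1 and 1.2 specifications define; the sample messages and the function names are constructed here.

```python
import xml.etree.ElementTree as ET
from typing import Dict

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("soap", SOAP11)   # prefixes used when serialising each version
ET.register_namespace("env", SOAP12)
_CODE_TO_12 = {"Client": "Sender", "Server": "Receiver"}   # fault code names that changed
_CODE_TO_11 = {v: k for k, v in _CODE_TO_12.items()}


def version_of(envelope_xml: str) -> str:
    """'1.1' or '1.2' from the Envelope element's namespace; anything else is rejected."""
    tag = ET.fromstring(envelope_xml).tag
    if tag == f"{{{SOAP11}}}Envelope":
        return "1.1"
    if tag == f"{{{SOAP12}}}Envelope":
        return "1.2"
    raise ValueError(f"not a SOAP envelope: {tag}")


def _convert_fault(fault: ET.Element, src: str, dst: str) -> None:
    """Rewrite one Fault in place between the 1.1 and 1.2 layouts."""
    if src == SOAP11:
        code = (fault.findtext("faultcode") or "Server").split(":")[-1]
        reason = fault.findtext("faultstring") or ""
    else:
        code = (fault.findtext(f"{{{src}}}Code/{{{src}}}Value") or "Receiver").split(":")[-1]
        reason = fault.findtext(f"{{{src}}}Reason/{{{src}}}Text") or ""
    for child in list(fault):
        fault.remove(child)
    if dst == SOAP12:
        value = ET.SubElement(ET.SubElement(fault, f"{{{dst}}}Code"), f"{{{dst}}}Value")
        value.text = "env:" + _CODE_TO_12.get(code, code)
        text = ET.SubElement(ET.SubElement(fault, f"{{{dst}}}Reason"), f"{{{dst}}}Text")
        text.set(XML_LANG, "en")
        text.text = reason
    else:
        ET.SubElement(fault, "faultcode").text = "soap:" + _CODE_TO_11.get(code, code)
        ET.SubElement(fault, "faultstring").text = reason


def convert(envelope_xml: str, target: str) -> str:
    """Return the envelope re-expressed as SOAP `target` ('1.1' or '1.2')."""
    if target not in ("1.1", "1.2"):
        raise ValueError("target must be '1.1' or '1.2'")
    if version_of(envelope_xml) == target:
        return envelope_xml                      # already what the endpoint expects
    src, dst = (SOAP11, SOAP12) if target == "1.2" else (SOAP12, SOAP11)
    attr_map = {"actor": "role"} if src == SOAP11 else {"role": "actor"}
    root = ET.fromstring(envelope_xml)
    for fault in list(root.iter(f"{{{src}}}Fault")):   # fault layout differs between versions
        _convert_fault(fault, src, dst)
    for node in root.iter():                              # move every envelope-namespace name
        if node.tag.startswith(f"{{{src}}}"):
            node.tag = f"{{{dst}}}" + node.tag.split("}", 1)[1]
        for key in list(node.attrib):
            if key.startswith(f"{{{src}}}"):
                local = key.split("}", 1)[1]
                node.attrib[f"{{{dst}}}{attr_map.get(local, local)}"] = node.attrib.pop(key)
    return ET.tostring(root, encoding="unicode")


def http_headers(version: str, action: str) -> Dict[str, str]:
    """Transport headers per version: SOAPAction header (1.1) vs action media-type parameter (1.2)."""
    if version == "1.1":
        return {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{action}"'}
    return {"Content-Type": f'application/soap+xml; charset=utf-8; action="{action}"'}


# Constructed sample messages: a SOAP 1.1 request with a mustUnderstand/actor header, and a SOAP 1.2 fault
REQ_11 = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          '<soap:Header><h:Auth xmlns:h="urn:example:hdr" soap:mustUnderstand="1" '
          'soap:actor="urn:example:gateway">tok</h:Auth></soap:Header>'
          '<soap:Body><m:Get xmlns:m="urn:example:svc"><m:id>7</m:id></m:Get></soap:Body>'
          '</soap:Envelope>')
FAULT_12 = ('<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body>'
            '<env:Fault><env:Code><env:Value>env:Sender</env:Value></env:Code>'
            '<env:Reason><env:Text xml:lang="en">bad id</env:Text></env:Reason>'
            '</env:Fault></env:Body></env:Envelope>')
```

Two details are worth noticing for a gateway doing this mediation: a `mustUnderstand` header must survive the conversion with its attribute still in the envelope namespace (otherwise the backend silently stops enforcing it), and faults need structural conversion rather than a namespace swap, or the client receives an envelope that validates as neither version.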
Reliable Messaging

The WS-ReliableMessaging specification describes a protocol that allows messages to be transferred reliably between nodes implementing this protocol in the presence of software component, system, or network failures. The protocol is described in a transport-independent manner, allowing it to be implemented using different network technologies. To support interoperable Web services, a SOAP binding is defined within its specification. The protocol depends upon other Web services specifications for the identification of service endpoint addresses and policies (notably WS-Addressing).

Reliable Messaging

Supported Requirements

• RM Destination (MPGW front side): message acknowledgement, duplicate and "out-of-sequence" message detection. It also should be able to act as RM Source to deliver response messages as a WS-RM Sequence.
• RM Source (MPGW backend, "Results" action, "dp:soap-call" extension function): Sequence management (create, close, terminate), injecting RM headers in the outgoing SOAP message, ability to retransmit lost messages, endpoint to receive Acknowledgement messages.

Non-Requirements

• No multibox WS-RM
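The three RM Destination duties listed above (acknowledgement, duplicate detection, out-of-sequence detection) come down to one piece of per-Sequence state. The following is an added example, not DataPower code, that models that state: each message carries a Sequence Identifier and a 1-based MessageNumber, a retransmission is recognised and acknowledged again without being redelivered, a gap below the new number marks it out of sequence, and the acknowledgement is rendered as the WS-RM 1.1 `SequenceAcknowledgement` with `AcknowledgementRange` Lower/Upper pairs. The class and function names and the sample delivery order are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from xml.sax.saxutils import escape

WSRM_NS = "http://docs.oasis-open.org/ws-rx/wsrm/200702"   # WS-ReliableMessaging 1.1 namespace


@dataclass
class SequenceState:
    received: Set[int] = field(default_factory=set)
    closed: bool = False


@dataclass
class Verdict:
    deliver: bool   # hand the message to the application?
    reason: str     # "new", "out-of-sequence", "duplicate", "closed" or "invalid"


class RMDestination:
    """RM Destination bookkeeping for any number of Sequences (model; names are this example's)."""

    def __init__(self) -> None:
        self.sequences: Dict[str, SequenceState] = {}

    def receive(self, seq_id: str, msg_no: int) -> Verdict:
        if msg_no < 1:                                    # MessageNumber is 1-based
            return Verdict(False, "invalid")
        state = self.sequences.setdefault(seq_id, SequenceState())
        if state.closed:
            return Verdict(False, "closed")
        if msg_no in state.received:                      # retransmission: ack again, never redeliver
            return Verdict(False, "duplicate")
        state.received.add(msg_no)
        missing_below = sum(1 for n in range(1, msg_no) if n not in state.received)
        return Verdict(True, "out-of-sequence" if missing_below else "new")

    def ack_ranges(self, seq_id: str) -> List[Tuple[int, int]]:
        """Collapse received numbers into AcknowledgementRange (Lower, Upper) pairs."""
        ranges: List[Tuple[int, int]] = []
        for n in sorted(self.sequences.get(seq_id, SequenceState()).received):
            if ranges and ranges[-1][1] == n - 1:
                ranges[-1] = (ranges[-1][0], n)
            else:
                ranges.append((n, n))
        return ranges

    def missing(self, seq_id: str) -> List[int]:
        """Numbers below the highest received that never arrived (what the Source must resend)."""
        received = self.sequences.get(seq_id, SequenceState()).received
        return [n for n in range(1, max(received, default=0) + 1) if n not in received]

    def acknowledgement(self, seq_id: str) -> str:
        """Render the SequenceAcknowledgement header returned to the RM Source."""
        ranges = "".join(f'<wsrm:AcknowledgementRange Lower="{lo}" Upper="{hi}"/>'
                         for lo, hi in self.ack_ranges(seq_id))
        return (f'<wsrm:SequenceAcknowledgement xmlns:wsrm="{WSRM_NS}">'
                f'<wsrm:Identifier>{escape(seq_id)}</wsrm:Identifier>{ranges}'
                '</wsrm:SequenceAcknowledgement>')

    def close(self, seq_id: str) -> None:
        self.sequences.setdefault(seq_id, SequenceState()).closed = True


# Constructed delivery order for one Sequence: 1, 2, 4 (3 lost), 2 again (retransmit), then 3
DELIVERY = [("urn:seq:1", 1), ("urn:seq:1", 2), ("urn:seq:1", 4), ("urn:seq:1", 2), ("urn:seq:1", 3)]


def run_delivery(delivery):
    """Feed a delivery order through a fresh destination; return (reasons, ack ranges, missing)."""
    dest = RMDestination()
    reasons = [dest.receive(seq, n).reason for seq, n in delivery]
    seq_id = delivery[0][0]
    return reasons, dest.ack_ranges(seq_id), dest.missing(seq_id)
```

Keeping the received set rather than only a high-water mark is what lets the destination both acknowledge non-contiguous ranges (so the Source resends exactly the gap) and reject a replayed message number, which is the duplicate-detection property the slide lists.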

Reliable Messaging

Users can enable Reliable Messaging through:

• A WS-RM Policy Assertion embedded in the WSDL underlying a WS-Proxy.
• Enabling WS-RM through the GUI (shown at right).

Options on the ReliableMessaging tab control Global, Destination and Source behaviors.

Reliable Messaging is dependent on WS-Addressing mode for some configurations and for interoperability with some implementations (notably WebSphere).

Extensive Online Help on this page!

WS-Policy/WS-Security Policy

WS-Policy is a specification that defines metadata to enable interoperability between web service consumers and web service providers. The WS-Policy specifications enable organizations to automate their service governance models, creating a concrete instance of web service governance.

New Features:

• Parse WSDL with policy elements already included in the WSDL and recognize standardized policy "domains" (i.e. WS-SecurityPolicy, WS-ReliableMessaging Policy)
• Retrieve WSDLs from registries: WSRR or UDDI
• Includes customizable policy templates (e.g. UsernameSignEncrypt)
• Ability to attach policies to subjects not embedded in the WSDL

WS-Policy/WS-Security Policy

Configuration of WS-Policy begins with the WSDL. Once loaded into a Web Service Proxy, additional configuration actions become available through the Policy tab (shown below).

WS-Policy/WS-Security Policy

The interface affords the user methods for creating policy attachments, as well as enabling Policy Subjects.

Enhanced OASIS and WS-I Profile Support

• SOAP with Attachments Profile 1.0/1.1

• WS-I Attachments Profile 1.0

• WS-I Basic Profile 1.1

• WS-I Basic Security Profile 1.0

SOAP with Attachments Profile 1.0/1.1

The "encrypt" verb will provide options to:

- WS-Sec encrypt the SOAP Body only
- WS-Sec encrypt the attachments of the SwA message only
- WS-Sec encrypt both the SOAP Body and the attachments of the SwA message

When the attachments are encrypted, the SwA Profile version is configurable. The result of the "encrypt" action for SwA Profile 1.1 [2] will conform to BSP10 [12].

The "decrypt" verb, for both entire message/document decryption and field-level decryption, automatically decrypts the data in conformance with both WS-Sec and the SwA Profiles (1.0 [1], 1.1 [2]).

SOAP with Attachments Profile 1.0/1.1

The "sign" and "verify" actions will be enhanced to support all of the transformations identified in SwA Profile 1.0 [1] and 1.1 [2].

The "sign" verb will provide options to:

- WS-Sec sign the SOAP Body only
- WS-Sec sign the attachments of the SwA message only
- WS-Sec sign both the SOAP Body and the attachments of the SwA message

When the attachments are signed, the SwA Profile version is configurable. The result of the "sign" action for SwA Profile 1.1 [2] will conform to BSP10 [12].

WS-I Attachment Profile

Supporting the Attachment Profile in DataPower means all of the following:

1. Verifying that the incoming SOAP Message with Attachments (SwA) is properly formed.
2. The fault message DataPower generates conforms to AP.
3. Any SwA messages DataPower generates conform to AP.

WS-I Basic/Basic Security Profile

These profiles can be applied to messages passing through a Web Service Proxy. The device can take a number of actions depending upon the results of the analysis.

Shown here is the complete Conformance Policy object. This object is the result of using the Conformance interface offered by the Web Service Proxy Policy page (shown on the next page).

WS-I Basic/Basic Security Profile

The WS-I Conformance buttons on the Web Service Proxy Policy page offer the user the ability to configure these policy conformance checkers. Note also the Validate Conformance link to check the configuration of the service itself.

VLAN

The DataPower device can participate in a virtual LAN using the VLAN Sub-Interface.

Note that implementing a VLAN on a physical Ethernet interface enables that interface, even if no real IP address has been assigned to it.

VLAN can be configured in the default domain only.

PKIX Enhancements

Full PKIX certificate chain checking now applies to all uses of a validation credential, not just in SSL. Note that this will not apply to messages with multiple signature certificates.

DB2 v9 support

The device can now connect natively to a DB2 v9 database running on a range of platforms, including z/OS.

The DataPower device can use the XML capabilities built into v9 to:

• Insert XML directly into the DB
• Modify XML stored in the DB
• Query XML using XQuery & SQL
• Retrieve XML

NFS v4

Authentication protocol to use for this NFS mount:

• AUTH_SYS: Use the original system-level authentication, based solely on IP address and host name.
• krb5: Use Kerberos Version 5 for authentication of mounts, with no protection of the integrity or confidentiality of NFS data.
• krb5i: Use Kerberos Version 5 for authentication of mounts, with a secure hash to provide data integrity protection.
• krb5p: Use Kerberos Version 5 for authentication of mounts, with data confidentiality protection. Uses encryption to protect the data from being read by the network, in addition to using a secure hash to protect against undetected corruption by the network.

ICAP Enhancements

New Anti-Virus Processing Action eases configuration and use of this capability. Additional Host Types added.

Policy can be set directly on the Action configuration page.

WSDM II

Request:

<s12:Envelope xmlns:s12="http://www.w3.org/2003/05/soap-envelope">
  <!-- xmlns declarations for the wsa, dpt, wsrp and dpm prefixes are not shown on the slide -->
  <s12:Header>
    <wsa:Action>
      http://docs.oasis-open.org/wsrf/2004/06/WS-ResourceProperties/GetResourceProperty
    </wsa:Action>
    <wsa:To s12:mustUnderstand="1">
      https://127.0.0.1:5550/service/wsdm10
    </wsa:To>
    <dpt:DomainDisambiguator>default</dpt:DomainDisambiguator>
  </s12:Header>
  <s12:Body>
    <wsrp:GetResourceProperty>
      dpm:status.system
    </wsrp:GetResourceProperty>
  </s12:Body>
</s12:Envelope>

Response:

<s12:Body>
  <wsrp:GetResourcePropertyResponse xmlns:mows-1-1="http://docs.oasis-open.org/wsdm/mows-2.xsd">
    <status.system xmlns="http://www.datapower.com/schemas/management">
      <SystemUsage>
        <Interval>1000</Interval>
        <Load>37</Load>
        <WorkList>0</WorkList>
      </SystemUsage>
    </status.system>
  </wsrp:GetResourcePropertyResponse>
</s12:Body>

Enhanced query and status support through the WSDM interface.
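A monitoring client for this interface needs to build the request above and pull the SystemUsage figures out of the response. The following is an added example, not DataPower's or IBM's code. It uses the values the slide shows (the wsa:Action URI, the `dpm:status.system` property, the `http://www.datapower.com/schemas/management` namespace and its Interval/Load/WorkList children) plus the SOAP 1.2 envelope namespace. The slide does not show the namespace URIs bound to the wsa, wsrp and dpt prefixes: the WS-Addressing 2005/08 URI used here is real, while the wsrp and dpt values are placeholders so the request is well-formed XML, and the parser matches the response by the namespaces the slide does show. The sample response is the slide's Body wrapped in a constructed Envelope.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional
from xml.sax.saxutils import escape

S12 = "http://www.w3.org/2003/05/soap-envelope"                 # SOAP 1.2 envelope
DPM = "http://www.datapower.com/schemas/management"             # from the slide
GET_PROPERTY = "http://docs.oasis-open.org/wsrf/2004/06/WS-ResourceProperties/GetResourceProperty"
# Assumed prefix bindings (not on the slide): WS-Addressing 2005/08 is a real URI;
# the wsrp and dpt values are placeholders used only so the request is well-formed.
WSA = "http://www.w3.org/2005/08/addressing"
WSRP = "urn:placeholder:wsrp"
DPT = "urn:placeholder:dpt"


def build_request(endpoint: str, domain: str, prop: str = "dpm:status.system") -> str:
    """Build the GetResourceProperty request; caller-supplied values are XML-escaped."""
    return (
        f'<s12:Envelope xmlns:s12="{S12}" xmlns:wsa="{WSA}" xmlns:dpt="{DPT}" '
        f'xmlns:wsrp="{WSRP}" xmlns:dpm="{DPM}">'
        f"<s12:Header><wsa:Action>{GET_PROPERTY}</wsa:Action>"
        f'<wsa:To s12:mustUnderstand="1">{escape(endpoint)}</wsa:To>'
        f"<dpt:DomainDisambiguator>{escape(domain)}</dpt:DomainDisambiguator></s12:Header>"
        f"<s12:Body><wsrp:GetResourceProperty>{escape(prop)}</wsrp:GetResourceProperty>"
        "</s12:Body></s12:Envelope>"
    )


def request_action(request_xml: str) -> str:
    """Read back the wsa:Action of a request (namespace-agnostic lookup)."""
    node = ET.fromstring(request_xml).find(".//{*}Action")
    if node is None or node.text is None:
        raise ValueError("no wsa:Action in request")
    return node.text.strip()


# Constructed response: the Body from the slide wrapped in a SOAP 1.2 Envelope
SAMPLE_RESPONSE = f"""<s12:Envelope xmlns:s12="{S12}"><s12:Body>
<wsrp:GetResourcePropertyResponse xmlns:wsrp="{WSRP}">
<status.system xmlns="{DPM}">
<SystemUsage><Interval>1000</Interval><Load>37</Load><WorkList>0</WorkList></SystemUsage>
</status.system>
</wsrp:GetResourcePropertyResponse>
</s12:Body></s12:Envelope>"""


def parse_system_usage(response_xml: str) -> Dict[str, int]:
    """Extract Interval/Load/WorkList as integers; reject responses that lack them."""
    root = ET.fromstring(response_xml)
    body = root.find(f"{{{S12}}}Body")
    if body is None:
        raise ValueError("no SOAP 1.2 Body in response")
    usage = body.find(f".//{{{DPM}}}status.system/{{{DPM}}}SystemUsage")
    if usage is None:
        raise ValueError("status.system/SystemUsage not in response")
    values: Dict[str, int] = {}
    for name in ("Interval", "Load", "WorkList"):
        text = usage.findtext(f"{{{DPM}}}{name}")
        if text is None or not text.strip().isdigit():
            raise ValueError(f"missing or non-numeric {name}")
        values[name] = int(text)
    return values


def safe_parse(response_xml: str) -> Optional[Dict[str, int]]:
    """Same as parse_system_usage but returns None on malformed input."""
    try:
        return parse_system_usage(response_xml)
    except (ET.ParseError, ValueError):
        return None


def load_exceeds(response_xml: str, threshold: int) -> bool:
    """Monitoring check: is the reported Load above the threshold?"""
    return parse_system_usage(response_xml)["Load"] > threshold
```

Escaping the endpoint and domain values before they go into the request, and checking that the response actually carries the namespaced `status.system/SystemUsage` element rather than trusting the first `Load` element found anywhere, are the two checks a client of a management interface should not skip.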

WebSphere MQ Enhancements

• Ability to use either an SSL Proxy Profile or the backward-compatible SSL Key/Cipher config
• Channel Heartbeat added
• Under-the-covers code refresh with full backward compatibility

RBM for CLI

RBM can now apply to CLI access.

Note: Turning ON RBM for CLI and then clicking Apply causes RBM to extend to the CLI immediately.

When RBM uses any Auth Method other than Local Usergroup, it is possible to configure Fallback Users to ensure ongoing access in the event of Auth Method failure.

The Admin user can be restricted to the Serial Port only for added security.

Configuration Comparison II

Enhanced Configuration Comparison includes the ability to do the following:

• Determine Checkpoint Limit
• Set Checkpoints per Application Domain
• Roll Back Application Domain to Checkpoint
• Compare Checkpoint Config to Other Targets

IMS

IMS Connect Front Side Protocol Handler for accepting IMS-based client requests passing through a MultiProtocol Gateway.

IMS Connect object for basic connection configuration values. Note the Default Header tab for critical connection values.

MPGW IMS Destination URL with URL Builder help. Uses the IMS Connect object.

Questions