IBM DataPower Gateway & V7.1 Overview

Arif Siddiqui, Principal Product Manager – Strategic Initiatives, IBM DataPower Gateways & API Economy
Ozair Sheikh, Senior Product Manager, IBM DataPower Gateways

© 2015 IBM Corporation

Agenda
• DataPower Gateway Overview
• Recent Releases
• What’s New in DataPower Gateway & V7.1
• Q&A

DataPower Gateways …
• SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
• INTEGRATE Systems of Engagement with Systems of Record
• CONTROL & MANAGE Traffic and Service Level Agreements
• OPTIMIZE Data Delivery and User Experiences
• CONSOLIDATE & Simplify Infrastructure Footprint

IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors

Gateway for the Multi-channel Enterprise

Single security and integration gateway platform to provide security, integration, control & optimized access to a full range of Mobile, API, Web, SOA, B2B, & Cloud workloads
• Mobile: Simplify mobile security with single, purpose-built gateway; control mobile traffic and accelerate delivery
• SOA: Secure, integrate, control & manage SOA workloads in the DMZ and Trusted zones
• Cloud: DataPower gateway functionality in a virtual appliance form factor, supports multiple hypervisor & cloud environments
• API: Easily secure, control, publish, monitor & manage your APIs
• Web: Simplify web security with single, purpose-built gateway; control traffic and accelerate delivery for intranet and internet web applications
• B2B: Extend Connectivity & Integration beyond the enterprise with DMZ-ready B2B edge capabilities

Common Use Cases

IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, integration, control and optimized access to a full range of Mobile, Web, API,
SOA, B2B, & Cloud workloads

[Diagram: Internet, DMZ and Trusted Domain zones; Consumer, Trading partners, DataPower Gateway, Application or Service, Middleware, z System]

1. Mobile Gateway
2. API Gateway
3. Web Gateway
4. B2B Partner Gateway
5. SOA & API Gateway
6. ESB / Integration Gateway
7. Internal Security Enforcement
8. Web Services Governance & Management
9. Legacy Integration

IBM API Management: One Integrated Platform

design, secure, control, publish, monitor & manage APIs
• Developer Portal: Explore API documentation; Provision application keys; Self-service experience
• API Manager: Define and manage APIs; Explore API usage with analytics; Manage API user communities
• Management Console: Provision system resources; Monitor runtime health; Scale the environment
• API Gateway (IBM DataPower): Enforce runtime policies to control API traffic

Features

Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption

Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity

Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms

Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution

Simplify, offload & centralize critical functions
[Diagram: Before DataPower Gateway / After DataPower Gateway, with the Secure, Integrate, Control and Optimize functions placed between consumers and services]

Deployment options

Physical: Purpose-built, DMZ-ready appliances provide physical security
• High density 2U rack-mount design
• 8 x 1 and 2 x 10 GbE ports
• Cryptographic acceleration card
• Trusted platform module
• Customized intrusion detection
• Optional HSM (FIPS 140-2 Level 3 certified)

Virtual: Virtual appliances provide deployment flexibility
• Support multiple hypervisors and cloud environments
  − VMware
  − Citrix XenServer
  − IBM PureApplication System (x86 nodes)
  − IBM PureApplication Service on SoftLayer (x86 nodes)
  − IBM SoftLayer bare metal instances using supported hypervisors

Enterprise grade security requires a secure platform

Purpose-built hardware provides physical security
• Sealed, tamper-evident case
• No usable USB, VGA, other ports
• Intrusion detection switch
• Trusted Platform Module
• Encrypted flash drive
• FIPS 140-2 level 3 Hardware Security Module (option) for secure storage of private keys

Hardened firmware provides platform security for physical & virtual gateways
• Single signed and encrypted firmware by IBM
• No arbitrary software
• Optimized, embedded operating system
• High assurance, “locked-down” configuration
• Key materials are not exportable from the appliance *

Virtual Edition

DataPower gateway functionality in virtual appliance form factor to rapidly secure, integrate, control & optimize access to Mobile, API, Web, SOA & B2B workloads in hypervisor & cloud platforms
• Use for development, test or production
• Supports multiple hypervisor & cloud platforms
  − VMware
  − Citrix XenServer
  − IBM PureApplication System W1500/W2500
  − IBM PureApplication Service on SoftLayer (x86)
  − IBM SoftLayer bare metal instances on x86 nodes
• Seamless configuration migration between physical and virtual appliances

[Diagram label: x86 Server]
• Delivers purpose-built, highly consumable Security & Integration Gateway functionality in virtual appliance form factor for cloud deployments
• Utilizes the same industry-proven & purpose-built platform including an embedded, optimized DataPower Operating System, that powers the physical appliances

Virtual Edition Benefits
• Deployment flexibility and elasticity – “Right
size” the deployment, quickly deploy where needed, & rapidly scale
• Workload isolation - Projects can use their own instances
• Unbounded memory scalability - Memory can be added to instances without additional licensing
• Low cost for Dev & Test environments - Developers & Non-Production versions include add-on software modules at no additional charge
• Free disaster recovery - Warm or cold backup without additional licenses when licensed for Production
• Flexible licensing and entitlement
  − Sub-capacity licensing
  − Monthly licensing option
  − Entitlement to future product versions at no additional charge with active maintenance (S&S)

DataPower Gateways

Over 14 years of innovation & over 2,000 global installations

Government
• Agencies and ministries
• Defense and security organizations
• Crown corporations

Banking
• Majority of the big US and European banks
• All of the big 5 Canadian banks
• Numerous regional banks and credit unions

Insurance
• Used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.

Many, many, more
• Healthcare
• Retailers
• Utilities, Power, Oil and Gas
• Telecom
• Airlines
• Others

Did you know?

DataPower has been trusted to be the exclusive gateway for Bluemix, IBM’s global Platform as a Service

DataPower’ing IBM Bluemix!!!
[Diagram labels: Mobile client, Internet]
[Diagram labels: External Services, Apps, Application Manager, Bluemix Tooling, Services, VM, Open Stack]
• Security
• Control
• Filtering
• Content-Based Routing
• Load balancing
• Monitoring and Logging

Highlights of DataPower v6.0

Released June 2013
• Provides the API gateway functionality for IBM API Management
• Quick integration with IBM Worklight to secure mobile web traffic
• Improved REST services handling with native JSON support including schema validation & query, extract, filter & transform through JSONiq
• New XML data query, extraction & manipulation support with XQuery 1.0
• Enhanced security with new OAuth 2.0 capabilities, new support for Kerberos constrained delegation (S4U2Proxy), and TLS 1.1/1.2
• Improved WS-MediationPolicy consumption from WSRR & SLAs for non-SOAP traffic
• Embedded On-Demand Router functionality for WAS ND environments
• Optimized application delivery with response caching on-the-box & seamless integration with elastic caching XC10 appliances
• New System z integration capabilities allowing IMS transactions to easily consume external web services & easy consumption of IMS data as a service
• Simple ability to create & deploy common DataPower configuration patterns

Highlights of DataPower v6.0.1

Released Dec 2013
• Adds Application Optimization (optional add-on module) on XB62
  − Support for self-balancing and intelligent load distribution
  − Eliminate load balancing hops - reducing cost & complexity + improving scalability & performance
• Empowers XB62 to provide API gateway functionality for IBM API Management solution
  − Enables a converged solution for B2B and API management gateways
• NIST SP800-131a security standard compliance + FIPS 140-2 Level 1 certified cryptography module
  − Enables U.S.
Federal & Public sector customers to meet government mandated security standard
  − Supported on both physical & virtual appliances
• Enhanced support for Web, Mobile & REST workloads
• Enhanced Configuration Pattern Console
  − Improved error handling and description
  − Adds version support for configuration patterns

Important Note: This firmware is not supported on 9004 appliances, i.e. XS40, XI50 or XB60

Links:
Release Notes: http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m1/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2FrelnotesXI.html

Highlights of DataPower v7.0

Released June 2014
• GatewayScript: A JavaScript runtime that is secured, optimized and tuned for the gateway environment to simplify configuration for developers and provide an easier development paradigm for Mobile, Web, & API
• New Virtual Edition for Developers provides a low cost, per user pricing, and easy to use gateway for developers
• Support for Citrix XenServer hypervisor provides additional deployment flexibility on-premise & cloud deployments
• WebSocket Proxy support enables full-duplex, bidirectional, & low-latency communication for Mobile & Web applications, Internet of Things
• Improved security & traffic control functionality in support of IBM API Management offering

IBM DataPower Gateway 7.1

Released Nov 2014
Secure. Integrate. Control. Optimize.
• Multi-channel gateway: Utilize single gateway with integrated access enforcement from ISAM to secure & optimize delivery of mobile, API, web, SOA, B2B, cloud apps, and integrate with IBM MobileFirst & WebSphere platforms
• Consolidated product: Single, modular & extensible gateway platform to secure, integrate, control, & optimize full range of workloads
• Enhanced security: Enable additional flexible authentication from internet consumers & Non-Microsoft consumers to Microsoft systems
• New hardware platform: Increase capacity & throughput while reducing latency with latest generation hardware
• B2B module: Centralize B2B trading partner connectivity & transaction management with high performance secure entry point in the DMZ
• Deployment flexibility: Use physical or virtual appliance with seamless configuration migration with on-premise & cloud deployments

Highlights of IBM DataPower Gateway & V7.1
• Single multi-channel gateway platform to secure & optimize delivery of mobile, API, web, SOA, B2B, cloud apps, and integrate with IBM MobileFirst & WebSphere platforms
  − Integrates industry-proven access enforcement capabilities of IBM Security Access Manager into the DataPower platform, available as add-on ISAM Proxy Module
• IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
  − Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
  − Physical appliance uses purpose-built latest generation hardware platform to provide increased performance & capacity
  − Virtual appliance runs on VMware & Citrix XenServer hypervisors and cloud platforms that support them
• Easy-to-use & secure B2B integration capabilities, formerly on XB62 appliances only, available as add-on B2B Module
• Enable authentication from internet consumers & Non-Microsoft consumers to Microsoft systems with Kerberos S4U2Self support

Single, modular & extensible platform (1 of 2)

IBM DataPower Gateway is the new name of a
consolidated, extensible & modular platform
• Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
• Available in physical and virtual form factor
• Supports V7.1 and above

Physical Appliance
• 2U rack mount appliance using latest generation hardware platform
• Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
• Each software module is licensed separately

Virtual Edition
• Three editions: Developer, Non-Production, Production
• Developer includes all software modules at no additional cost, except TIBCO EMS
• Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
• Production: Each software module is licensed separately

Add-on software modules provide additional functionality that can be activated quickly when needed

IBM API Management solution requires base IBM DataPower Gateway as runtime for executing API workloads

Single, modular & extensible platform (2 of 2)

Modules

B2B Module
• B2B DMZ gateway
• EDIINT AS1, AS2, AS3, ebXML
• Partner profile management
• B2B transaction viewer
• Any-to-Any message transformation
• Database connectivity

ISAM Proxy Module
• User access control, session management, web SSO enforcement
• Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn
• Integration with ISAM for Mobile

TIBCO EMS Module
• Integrate with TIBCO EMS messaging middleware
• Support for queues & topics
• Load balancing & fault-tolerance

Application Optimization Module
• Frontend self-balancing
• Backend intelligent load distribution
• Session affinity
• z Sysplex Distributor integration

Integration Module
• Any-to-Any message transformation
• Database connectivity
• Mainframe IMS connectivity

IBM DataPower Gateway (Base)

Secure
• Authentication, authorization
• Security token translation
• Service / API virtualization
• Threat protection
• Message validation
• Message filtering
• Message digital signature
• Message encryption
• AV scanning integration

Integrate
• Transport protocol
bridging
• Message enrichment
• Message transformation & processing using JavaScript, JSONiq, XQuery, XSLT
• Mainframe integration & enablement
• Flexible pipeline message processing engine

Control & Manage
• Service level management
• Quota & rate enforcement
• Content-based routing
• Message accounting
• Integration w/ management & visibility platforms including IBM API Management & WSRR for policy enforcement

Optimize & Offload
• SSL / TLS offload
• Hardware accelerated crypto*
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Local response caching
• Distributed caching with WXS or XC10
• Backend load balancing

2U Physical or Virtual Edition

Latest Generation Hardware Platform
• Purpose-built, high density 2U rack mount design
• Trusted Platform Module
• Increased capacity
  ‒ Higher performance CPU & memory
  ‒ Faster cryptographic acceleration card
  ‒ New RAID controller w/ large write cache
• Customized intrusion detection
• 192 GB memory
• Runtime Hardware Diagnostic
• Two 1.2 TB high speed hard drives
• Intelligent Platform Management Interface
• Three management traffic ports
• 1 RJ45 serial port
• 2 x 1 GbE ports
• Supercapacitor Powered Flash-backed RAID Cache
• Cryptographic Acceleration Card
• Hardware Security Module (Optional, FIPS 140-2 Level 3 certified)
• Multiple Replaceable Units
  – Customer Replaceable Units (CRU): Fan, Power Supply, HDD, Network Module
  – Field Replaceable Units (FRU): Appliance, CPU, Memory, Flash Drive, Coin Battery, Supercapacitor for RAID, Cryptographic Acceleration Card, HSM Card, RAID Card
• Ten application traffic ports
  ‒ 8 x 1 GbE ports
  ‒ 2 x 10 GbE ports
• RAID mirroring across two drives
• 8 1-Gigabit Ethernet NICs
• 2 10-Gigabit Ethernet NICs

Comparison with older products

Previously
• 3 Products (XG45/XI52/XB62)
• 2 Physical appliances (1U & 2U)
• 2 Virtual appliances (XG45/XI52)

Now
• 1 Product
• 1 Physical appliance (2U only)
• 1 Virtual appliance

Previously → Now
• IBM WebSphere DataPower Service Gateway XG45 (1U Physical, Virtual Edition) → IBM DataPower Gateway (2U Physical, Virtual Edition)
• IBM WebSphere DataPower Integration Appliance XI52 (2U Physical, Virtual Edition) → IBM DataPower Gateway + Integration Module (2U Physical, Virtual Edition)
• IBM WebSphere DataPower B2B Appliance XB62 (2U Physical) → IBM DataPower Gateway + B2B Module (2U Physical, Virtual Edition)

Notes
• Integration & B2B Module are independent & can be purchased separately
• IBM DataPower Gateway Virtual Edition provides the same functionality & modules as physical appliances with the exception of HSM (that provides FIPS 140-2 Level 3 certification)
• IBM DataPower Gateway 2U rack mount physical appliance is available with optional HSM (FIPS 140-2 Level 3 certified)

Firmware V7.1, Modules & Supported Platforms

Firmware V7.1 delivers
• ISAM Proxy Module to enable advanced access enforcement of mobile & web use cases
• B2B Module to enable secure B2B integration capabilities, formerly available on XB62 only
• Integration Module to enable integration functionality including any-to-any message transformation, database connectivity & mainframe connectivity
• Kerberos S4U2Self functionality to provide flexible authentication for Microsoft environments
• Increase in XML Names maximum to allow for large configurations, RAS & other enhancements

V7.1 supports the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical and Virtual Edition)
• XI52 (Physical and Virtual Edition), XI50B (2426 & 4195 models)
• XB62 (Physical)

ISAM Proxy module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical, and Virtual Edition)
• XI52 (Physical, and Virtual Edition)
• XB62 (Physical)

B2B module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual Edition)
• XG45 (Physical, and Virtual Edition)
• XI52 (Physical, and Virtual Edition)

Integration module requires V7.1 and is available on the following
• IBM DataPower Gateway (Physical and Virtual
Edition)

Silos of security & control are impeding business agility

[Diagram: Business Channels (B2B, SOA, APIs, Mobile, Web, Cloud); Users (Partners, Developers, Consumers, Employees, All); Security & Control Solutions (B2B Gateway, SOA Gateway, API Gateway, Mobile Gateway, Web Access Proxy, Cloud Gateway); Applications and Systems (Application, Middleware, ESB, Service, z System)]

Reduce cost + improve security & control with a single gateway

[Diagram: Business Channels (B2B, SOA, APIs, Mobile, Web, Cloud); Users (Partners, Developers, Consumers, Employees, All); Security & Control Solutions (DataPower Gateway: Physical appliance, Virtual appliance); Applications and Systems (Application, Middleware, ESB, Service, z System)]

IBM Multi-channel gateway

Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway

[Diagram: channels B2B, SOA (Web Services), API, Native Mobile, Hybrid Mobile, Web 2.0 (AJAX), Mobile Web, Web Browsers and Portals; IBM DataPower Gateway and IBM DataPower Gateway ISAM Module (New in V7.1); App, Service & API security; User access security; Traffic control & optimization; Connectivity & transformation]

ISAM for DataPower module provides the reverse proxy component that provides enforcement for
• Centralized user authentication & coarse-grained authorization
• Session management, & web SSO
• Context based access & mobile SSO
• Strong authentication including one-time password and multi-factor authentication

What is ISAM for DataPower Module?
• ISAM for DataPower module provides the reverse proxy component that is available on ISAM for Web and ISAM for Mobile appliances

Base Appliance
• Reverse Proxy
[Diagram labels: ISAM Module, DataPower]

IBM Security Access Manager for Mobile
• Context based Access (CBA)
• One-time Password (OTP) / Multi-factor Authentication (MFA)
• Advanced Security

IBM Security Access Manager for Web
• Load Balancer
• Protocol Analysis Module (PAM)

ISAM for Web was formerly known as Tivoli Access Manager for E-Business (TAMeb)

Rapidly Connect Mobile Apps with Enterprise Services

Securely expose enterprise data & APIs to Mobile Apps while optimizing delivery

[Diagram: Native, Hybrid, Mobile Web; /apimanagement; IBM DataPower Gateway with ISAM Module; Apps, Services; Middleware / ESB, Legacy Apps]
• SSL Offload
• Threat Protection
• Rate Limiting / SLA Enforcement
• Validation, Filtering
• Authentication
• Authorization
• Context-based Access
• Mobile SSO
• Security Token Translation
• Message Transformation
• Content-Based Routing
• Intelligent Load Distribution
• Response Caching

Mobile Gateway solution for on-premise and cloud

Rapidly deliver secure integration & optimized access for enterprise mobile applications
• DataPower appliance with ISAM module for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
• ISAM for Mobile as decision point for context based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)

[Diagram: ISAM for Mobile (Security Decision Point); DataPower Gateway with ISAM Module (Security Enforcement Point); Apps, Services, Middleware, z System]

Multi-Channel Gateway for MobileFirst & WebSphere Products

Response Caching Integration with WXS

In addition to support for XC10

[Diagram: Client, DataPower, Provider (REST); callouts: Improved Load, Large Response Time, Improve Response Time; steps 1 to 5]

1. Client submits application request.
2. DataPower parses request and queries WXS. On a hit, skip to step 5.
3. On a miss, DataPower forwards request to target Provider.
4. DataPower adds application response to WXS.
5. Client receives response from DataPower.

WebSphere Extreme Scale (WXS): http://www-01.ibm.com/support/docview.wss?uid=swg21697033

Integration with QRadar Security Intelligence Platform
• Enhance security intelligence and compliance through integration with QRadar security information and event management (SIEM) platform
• Coming soon: Device Support Module (DSM) for DataPower Gateways to parse event information

[Diagram: User, Client, DataPower, Provider, QRadar SIEM]

DataPower on GitHub
• Repository of DataPower related tools & collateral
• Open source
• Community driven: Use, collaborate, contribute
• http://ibm-datapower.github.io/

DataPower Configuration Manager
• Tool for DataPower configuration management & migration
• Standalone command line or IBM UrbanCode Deploy plugin
• https://github.com/ibm-datapower/datapower-configuration-manager
• https://github.com/ibm-datapower/datapower-configuration-manager/wiki/Easy-On-Ramp

DPXMLSH
• Bash script / shell library for working with DataPower’s XML Management interface
• Interactive & scripted use
• https://github.com/ibm-datapower/datapower-xml-shell

Getting Social with IBM DataPower Gateways
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation

Available Now: DataPower Handbook, Second Edition, Volume 1
• Known as the ‘bible’ of DataPower planning, implementation, and usage.
• New content to cover previous six years of new products/features, including 9006/7.1!
• Volume 1 consists of Chap 1 DataPower Intro, Chap 2 Setup Guide, new Preface and two invaluable new appendices for physical and virtual appliances.
• Available in softcover and e-book formats

BACKUP

Simple and Secure Architecture
• Simple Architecture: Purpose-built firmware + hardware
• Complete gateway platform delivered as firmware
• Guiding philosophy is to centralize common security, integration, control, traffic management, acceleration functions and optimize them in a security-hardened gateway appliance

[Diagram: Purpose-built Gateways vs. Commodity Gateways]
• Purpose-built Gateways: config; DataPower Gateway Platform; Digitally Signed and Encrypted Firmware; IBM Optimized Embedded Operating Environment; Hardware with Crypto Acceleration and Flash Memory
• Commodity Gateways: Proprietary Software, libxml, JVM, glibc, Apache HTTPD, JSP Engine, App Server, database and Linux Daemons, each with its own config; Full Linux OS (including shells and user accounts); Hardware with Display Ports, Bootable CDROM, Bootable USB Drive, Ports

Configuration-driven approach speeds time to market
• Enforce security standards with zero coding
• Uses intuitive pipeline message processing
• Import/export configurations between environments
• Transaction probe shows message content between actions for debugging

Single, modular & extensible platform

IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
• Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
• Available in physical and virtual form factor

Physical Appliance
• 2U rack mount appliance using latest generation hardware platform
• Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
• Each software module is licensed separately

Virtual Edition
• Three editions: Developer, Non-Production, Production
• Developer includes all software modules at no additional cost, except TIBCO EMS
• Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
• Production: Each software module is licensed separately

All software modules are field upgradeable

ISAM
Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module
Supports V7.1 & above (2U Physical, Virtual Edition)

Capabilities

Rapidly deliver secure integration & optimized access for a full range of workloads

Secure
• Secure & protect your back-end systems from harmful workloads and unauthorized users & apps

Integrate
• Convert payloads, bridge transports and connect to existing services at wire-speed

Control
• Limit & shape traffic based on service level agreements, and route based on message content

Optimize
• Improve response times, reduce load on backend systems and intelligently distribute load

[Diagram: Before DataPower Gateway / After DataPower Gateway, with the Secure, Integrate, Control and Optimize functions placed between consumers and services]

Connect Mobile Apps with Enterprise Services

Securely expose enterprise systems & APIs to Mobile Apps while optimizing delivery
• SSL Offload
• Threat Protection
• Rate Limiting / SLA Enforcement
• Validation, Filtering
• Authentication, Authorization
• Context-based Access, Mobile SSO
• Security Token Translation
• Message Transformation
• Content-Based Routing
• Intelligent Load Distribution
• Response Caching

DataPower Gateway: Supported standards & protocols

• Data format & language
  ‒ JavaScript
  ‒ JSON
  ‒ JSON Schema
  ‒ JSONiq
  ‒ REST
  ‒ SOAP 1.1, 1.2
  ‒ WSDL 1.1
  ‒ XML 1.0
  ‒ XML Schema 1.0
  ‒ XPath 1.0
  ‒ XPath 2.0 (XQuery only)
  ‒ XSLT 1.0
  ‒ XQuery 1.0

• Transport & connectivity
  ‒ HTTP, HTTPS, WebSocket Proxy
  ‒ FTP, FTPS, SFTP
  ‒ WebSphere MQ
  ‒ WebSphere MQ File Transfer Edition
  ‒ TIBCO EMS
  ‒ WebSphere Java Message Service
  ‒ IBM IMS Connect, & IMS Callout
  ‒ NFS
  ‒ AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62)
  ‒ DB2, Microsoft SQL Server, Oracle, Sybase, IMS

• Security policy enforcement
  ‒ OAuth 2.0
  ‒ SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
  ‒ XACML 2.0
  ‒ Kerberos (including S4U2Self, S4U2Proxy)
  ‒ SPNEGO
  ‒ RADIUS
  ‒ RSA SecurID OTP using RADIUS
  ‒ LDAP versions 2 and 3
  ‒ Lightweight Third-Party Authentication
  ‒ Microsoft Active Directory
  ‒ FIPS 140-2 Level 3 (w/ optional HSM)
  ‒ FIPS 140-2 Level 1 (w/ certified crypto module)
  ‒ SAF & IBM RACF® integration with z/OS
  ‒ Internet Content Adaptation Protocol
  ‒ W3C XML Encryption
  ‒ W3C XML Signature
  ‒ S/MIME encryption and digital signature
  ‒ WS-Security 1.0, 1.1
  ‒ WS-I Basic Security Profile 1.0, 1.1
  ‒ WS-SecurityPolicy
  ‒ WS-SecureConversation 1.3

• Transport Layer Security
  ‒ TLS versions 1.0, 1.1, and 1.2
  ‒ SSL versions 2 and 3

• Public key infrastructure (PKI)
  ‒ RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP
  ‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  ‒ XKMS for integration with Tivoli Security Policy Manager (TSPM)

• Web services
  ‒ WS-I Basic Profile 1.0, 1.1
  ‒ WS-I Simple SOAP Basic Profile
  ‒ WS-Policy Framework
  ‒ WS-Policy 1.2, 1.5
  ‒ WS-Trust 1.3
  ‒ WS-Addressing
  ‒ WS-Enumeration
  ‒ WS-Eventing
  ‒ WS-Notification
  ‒ Web Services Distributed Management
  ‒ WS-Management
  ‒ WS-I Attachments Profile
  ‒ SOAP Attachment Feature 1.2
  ‒ SOAP with Attachments (SwA)
  ‒ Direct Internet Message Encapsulation
  ‒ Multipurpose Internet Mail Extensions
  ‒ XML-binary Optimized Packaging (XOP)
  ‒ Message Transmission Optimization Mechanism (MTOM)
  ‒ WS-MediationPolicy (IBM standard)
  ‒ Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription
  ‒ WebSphere Service Registry and Repository (WSRR)

• Management
  ‒ Simple Network Management Protocol
  ‒ SYSLOG
  ‒ IPv4, IPv6

• Open File Formats
  ‒ Distributed Management Task Force (DMTF) Open Virtualization Format (OVF)
  ‒ Virtual Machine Disk Format (VMDK)
  ‒ Virtual Hard Disk (VHD)

Link to Product Documentation

Over 14 years of innovation & 2000+ global installations

[Timeline, 2000 to 2014; milestones in the order they appear on the slide: Optimized Interpreter and Compiler; XA35; XS40; Optimized Hardware Acceleration; XI50; Gigabit/Sec HW Solution; Model 7993 (aka 9003); XB60; XI50B Blade; Acquisition; WebSphere Transformation Extender; Model 9235 (aka 9004); ITCAM for SOA (Transaction Monitoring); XI50z Blade; XG45, XI52 & XB62; Application Optimization (Self-Balancing & Intelligent Load Distribution); Virtual Edition; WebSphere Appliance Management Center; Virtual Edition (PureApplication System); Virtual Edition (VMware); Virtual Edition (for Developers + XenServer); Optimized & secure JavaScript; Multi-channel Gateway; Consolidated Gateway Platform; ISAM Proxy Module]

IBM DataPower Gateway

The adoption of cloud, analytics, mobile, and social computing is forcing organizations to open IT assets to new business channels
• 73% of organizations discovered cloud usage outside of IT or security policies
• Between 2005 and 2020, the amount of data in the world will grow 300X, from 130 to 40,000 exabytes.
• 81% of adults use personally owned mobile devices for conducting business
• 70% of employees are engaged in social activities both internally and externally

…and challenging them to rethink the way they have traditionally approached security & control