IBM WebSphere DataPower SOA Appliances
Simplify, Help Secure & Govern Your SOA
Sidney Antflick
AP WebSphere Sales Leader
antflick@au1.ibm.com

Agenda
• WebSphere DataPower Overview
• SOA Appliances’ Deployment & Scenario Summary
• Why an Appliance is Smart for SOA
• WebSphere DataPower SOA Appliance Portfolio:
  - Integration Appliance XI50
  - XML Security Gateway XS40
  - XML Accelerator XA35
• Major Categories of SOA Appliance Functionality
• Summary

WebSphere DataPower SOA Appliances
An SOA Appliance…
Creating customer value through extreme SOA connectivity, performance and security
• Simplifies SOA and accelerates time to value
• Helps secure SOA XML implementations
• Governs and enforces SOA/Web services policies
WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.

WebSphere DataPower SOA Appliances
Exceptional growth and acceptance
• DataPower:
  - Market leader in integration and SOA appliances
  - Accepted and supported world-wide
  - Leads with standards in SOA, Security, Policy, etc.
• Used by
  - banks, insurance cos., mutual funds
  - telcos
  - federal and local governments
  - healthcare
  - general business

WebSphere DataPower SOA Appliances Address Critical Connectivity Issues
• Simplicity
• Governance
• Robustness
• Speed

Why an Appliance for SOA?
• Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
• Many functions integrated into a single device:
  - Impact: connectivity will require service level management, routing, policy, transformation
• Higher levels of security assurance certifications require hardware:
  - Example: government FIPS Level 3 HSM, Common Criteria
• Enables run-time SOA governance and policy enforcement
  - Impact: dynamically control service availability, security, performance, and endpoint selection
• Higher performance with hardware acceleration:
  - Impact: ability to perform more security checks without slowdowns
• Addresses the divergent needs of different groups:
  - Example: enterprise architects, network operations, security operations, identity management, web services developers
• Simplified deployment and ongoing management:
  - Impact: reduces need for in-house SOA skills & accelerates time to SOA benefits
• Proven Green / IT Efficiency Value
  - Example: Appliance performs XML and Web services security processing as much as 72x faster than server-based systems
  - Impact: Same tasks accomplished with reduced system footprint and power consumption

Why an Appliance for SOA?
TCO: DataPower Appliance vs. Software Based Solution
Top 10 Financial Services Company in North America
• Study compared expanding an existing software based solution vs. starting fresh with DataPower appliances
• Three primary drivers:
  1) Reduce maintenance burden associated with software based solution.
  2) Reduce overall yearly costs.
  3) Increase throughput and scale solution to meet growth in business.

Cumulative Cost of Ownership over 3 years
Columns: Software, Appliance
Rows: Infrastructure Operating Costs | Application Development/Maintenance | Capital Costs | Product Maintenance charges | Installation & Deployment | Total
$38,400 | $30,096 | $231,000 | $78,000 | $2,000 | $379,496
$1,728,000 | $118,800 | $1,268,640 | $435,456 | $28,800 | $3,579,696

Note: above figures obtained from cost accounting dept, not IT

Why an Appliance for SOA?
Configuration vs. Programming
• Configuration driven
• Web GUI
• Drag & Drop
• Workflow Style
• Implement Complex Policies
• No Programming, Less Errors
• All Functions Available via CLI & SOAP Interface

IBM SOA Appliance Deployment: Basic Examples
[Diagram with three panels: "Integration & Governance" (XI50; Web services client, HTTP XML request/response, legacy request/reply; ITCAM for SOA, WSRR), "Security" (XS40; Internet, IP firewall, application server; Tivoli Access Manager, Federated Identity Manager), "Acceleration" (XA35; XML, HTML and WML client or server, XML, XSL; Internet, application server, web server).]

WebSphere DataPower SOA Appliance Product Line

Integration Appliance XI50
• Hardware ESB
• “Any-to-Any” Conversion at Wirespeed
• Bridges multiple protocols
• Integrated message-level security

XML Accelerator XA35
• Offload XML processing
• No more hand-optimizing XML
• Lowers development costs

XML Security Gateway XS40
• Enhanced Security Capabilities
• Centralized Policy Enforcement
• Fine-grained authorization
• Rich authentication

Provide Service Enrichment: The ESB
An Enterprise Service Bus (ESB) is a flexible connectivity infrastructure for integrating applications and services. An ESB performs the following between requestor and service:
• MATCHES & ROUTES communications between services
• CONVERTS between different transport protocols
• TRANSFORMS between different data formats
• IDENTIFIES & DISTRIBUTES business events
[Diagram legend: Shape = Transport protocol; Color = Data format]

Integration Appliance XI50
Purpose-built hardware ESB for simplified deployment and hardened security
• Redefines the boundaries of middleware with specialized hardware
• Many functions integrated into a single device
• Simplified deployment and ongoing management
• Routes messages based on content and policy
• Secures services on the network with sophisticated web services access control, policy enforcement, message filtering, and field-level encryption
• Optimized to bridge between leading standard protocols at wirespeed, including web services, messaging, files, and database access
• Enables transformation between a wide range of data formats, including XML, legacy, and industry standards, and custom formats
• Captures and emits events to facilitate web services management and enable business visibility in Business Activity Monitoring solutions

Extend your ESB to partners and customers
WebSphere DataPower XML Security Gateway XS40
• XML firewall and filtering helps stop SOA threats
• Message-level encryption and access control enforcement
• Web services Authentication, Authorization & Auditing
• Helps promote Compliance (e.g. PCI, Sarbanes, etc.)
[Diagram labels: ESB, Message, WebSphere DataPower XML Security Gateway XS40, Service]

XML Security Gateway XS40
Web service threat protection and message security
• Centralizes XML security and policy enforcement
• Hardened security appliance for DMZ deployments
• Configuration-driven interface reduces need for specialized SOA skill sets
• Heterogeneous interoperability enables secure integrations with partners, customers, and/or vendors
• Secures next-generation applications with an XML and SOAP firewall that filters any content, metadata, or network variables at wirespeed.
• Validates XML schemas and messages, protecting against XML attacks, buffer overflows, or vulnerabilities in malformed XML documents.
• Provides field-level XML security through encryption/decryption and signing/verification of entire messages or individual XML fields.
• Supports a variety of access control mechanisms, and can control access by rejecting unsigned messages and verifying signatures within SAML assertions.

XML Accelerator XA35
Centralized XSLT Management, Offload XML Processing
• Wirespeed XML/XSLT/XPath Processing
• Schema validation, XML compression, XML caching
• SSL termination and acceleration
• Easy configuration and administration
• Accelerates XML processing and SSL termination/acceleration, increasing throughput, decreasing latency, and reducing server workload.
• Innovative XML pipeline processing and XML caching reduce impact of increased XML traffic, improving scalability of resource intensive applications.
• Performs XML schema validation to ensure incoming/outgoing XML documents are legitimate and properly structured.
• Full integration with industry standard IDEs such as Altova XML Spy and Eclipse allows developers to design, debug and deploy against a single XML and XSLT processor, saving valuable cycles from pilot to production.

WebSphere DataPower Appliances Benefits
• Flexible Connectivity: an XML appliance shields the applications from security requirements, protocol changes and service versioning - no application modifications needed
• Reduce Complexity: Replace software servers functionality with an XML appliance, reduce infrastructure footprint, and off-load heavy processes to dedicated XML appliances
• Lower TCO: Dedicated XML appliances have been shown to reduce operational costs by as much as 50%
• Improved Agility by Reduced Time to Market: dramatically decrease the testing time and amount of development required to upgrade your environment; most policies are configuration driven as opposed to development driven
• Reduce Risk: the XML appliance provides the connectivity layer without requiring application modification, and delivers improved security and audit support
• Configuration Driven: The XML appliance is configuration driven to do policy definitions; it does not involve development to support your infrastructure

WebSphere DataPower Base Qualities & Features
[Diagram: "Maslow’s Hierarchy of Enterprise Needs", with specific features placed under the major qualities Governance, Connectivity / Integration, Hardened Security, Interoperability, Consumability and Performance. Diagram key: Major Quality, Strategic Theme, Specific Feature.]

WebSphere DataPower 3.7.1 Feature Additions
[Diagram: "Maslow’s Hierarchy of Enterprise Needs", with the 3.7.1 feature additions placed under the major qualities Governance, Connectivity / Integration, Security, Performance, Interoperability and Consumability. Diagram key: Major Quality, Strategic Theme, Specific Feature.]

WebSphere DataPower 3.7.1 Feature Additions
[Diagram: the same "Maslow’s Hierarchy of Enterprise Needs" chart of 3.7.1 feature additions, annotated with callouts:]
• Governance integration: further improvements in central policy control
• Broader applications for MQ: more business problems can be solved in existing MQ environments
• Centralized security policy enhancements
• Interop for fast time to value: testing and validation
• Easily enable and disable users from one central location
• Usability improvements: even easier to operate and manage, for handling larger deployments and new users alike

WebSphere DataPower SOA Appliances v3.7.1 – Latest Innovations in Firmware
• Centralized policy and governance between WSRR and DataPower
  - WSRR administrator submits WS-Policy and WSDL
  - DataPower subscribes to and enforces Policy on WSDL endpoints
• Policy-driven security and flexibility improvements
  - Policy-driven SSL client cert validation
  - AAA cache invalidation improvements for performance and policy enforcement
  - LDAP bind-search-rebind semantics useful for large LDAP repositories (for example)
• WebSphere family enhancements to satisfy a greater class of applications (financial services, etc.)
  - MQ Ordered messaging improvements
  - MQ browse, better sync point support, more automated ReplyQ behavior, better backout queue support
  - WTX interop
• Configuration file handling for better production elevations
  - Profiler to identify non-standard practices
  - Environment-specific configuration mediation components (IP addresses, variables)
• Interoperability with other products for even better heterogeneous environment support
  - Database stored procedure return value support
  - WS-Security Policy interop testing and validation with Microsoft .NET and BEA WL 10
  - ActiveDirectory search improvements for role-based management
• Tibco support improvements
  - Active/passive server config
  - Improved LB/failover behavior
• Connectivity enhancements
  - Better url-open timeout control, per-transaction timeout, non-XML input size reporting
• Other Usability, Serviceability improvements for better operations
  - MOTD and banner support, CLI Wizard, SNMP ease-of-use etc.
  - Expanded support for native code sets. Data traffic can be sent in DBCS and other code sets. (http://www306.ibm.com/software/globalization/icu/index.jsp)
  - Domain deletion safety
  - Ethernet interface disable control
  - Better workflow with in-situ file viewer / edit

Deployment Scenarios for Advanced Connectivity
[Diagram: XS40 and XI50 appliances placed between packet filters in demilitarized zones, connecting Internet users, internal users, a federated extranet and the intranet to an SOA platform, a SOAP enabled enterprise application and a legacy enterprise application. Numbered scenarios:]
1. Helps protect against incoming attacks; incoming access control
2. Outgoing access control, SAML injection, role mappings
3. Internal security
4. Web services management
5. Legacy transformation

Hardware superiority
• High reliability (swappable redundant components, whole-box VRRP-style failover, careful design, RAID 1 for HDD options, non-HDD options available)
• High security assurance
  - physical intrusion detection
  - crypto acceleration
  - signed firmware
  - only Ethernet and serial ports
  - XS40 and XI50
    · locked-down structure (undergoing CC EAL4)
    · HSM option (FIPS-140-2 Level 3)
• High performance (dedicated tightly optimized HW and FW engineering, XG4 available, crypto, low latency and high throughput, patented technology)
• Monitoring and management (self-monitoring and self-healing, rich remote monitoring and administrative capabilities)

“The DataPower [XS40]... is the most hardened... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed…” - InfoWorld

Simplicity without sacrifice
• WSDL-based policy creation
• Hierarchical policies applied at WSDL, service, port, operation level
• Drag & drop policy creation screen allows flexible chaining of operations
• Configure and install in minutes

Ease of Use Example – Graphical User Interface providing drag and drop services, in order desired, for XML filtering, signing, verification, schema validation, encryption, decryption, transformation, routing, access control, service level monitoring, and advanced operations

DataPower’s Unique Appliance Agility
Hardware Performance + Highly Customizable Configuration
• More future-proof solution required for today's emerging SOAs:
  - Evolving specifications, varied corporate policies, changing security requirements
  - Efficient Processing needed for XML Web services integration
  - High Customization required for broad-based SOA
• DataPower Agility (“DA”) Architecture Enables Flexibility & Performance:
  - Advanced Patented XML Processing Engine for wirespeed performance
  - Customizable XML configuration files for highly flexible configuration
  - Easily adapts to changes in standards, service requirements and customer needs
• Benefits:
  - No need to wait for software or hardware code change, QA, and patch upgrade
  - Quicker time to market and reduced maintenance cost

Integration across the IBM Software Portfolio
• Mature integration within WebSphere software portfolio
  - WebSphere MQ with WebSphere DataPower: 4+ years, numerous customers
  - Industry-leading SOA Runtime Governance with WSRR + DataPower
  - Many more examples: WTX for data maps, WS-Security for WMB
  - Auto-configure XML firewall by importing WebSphere service descriptors
• Complete SOA Security and Management solution with Tivoli products
• Robust enterprise integration through native DB2 and IMSConnect
  - Deliver data as Web services into new or existing SOA solutions with DataPower/Data Studio integration
• IBM Autonomic Integration – CBE/CEI Certified
[Diagram labels: RAD, Eclipse; WebSphere MQ, HTTP, JMS, Web Services; WSRR, WTX, WS-Security, WS-Policy; IMSConnect; TAM, TFIM, ITCAM 4 SOA, WS-Trust, SAML, SQL, XQuery, XACML; Data Studio; LDAP, SNMP, Syslog, AMP, NetView]

Integration with the Competition
• Standards-based integration with third party vendors
• Tighter integration with some key competitors
• No platform dependencies – hardware or software
• Exceptional interoperability through industry profiles and testing
[Diagram: third-party products, each labelled with the protocols used to integrate with it: HTTP/SOAP, LDAP, SAML, XACML, OCSP, XKMS, SNMP, HTTP, SQL, MQ, XML, UDDI, EMS]

Customer Success Stories
Major Credit Card Provider
Standard Security Across All Platforms

Challenge
• Consistently & securely deliver online services to members that could be shared, integrated & flexible to meet specific needs
• Web services infrastructure needed to support highly secure data routing with daily high volume & sensitive nature of information

Solution
• Implemented WebSphere DataPower XML Security Gateway XS40 to form the backbone of Web services infrastructure
  - Content-based message routing
  - Security policy enforcement & data encryption
  - Helps to ensure safe & efficient flow of confidential customer data
• Integrated seamlessly into existing heterogeneous environment increasing interoperability & promoting reuse

Benefits
• Secure SOA on standards-based platform
• Easily reuse Web services throughout enterprise
• Boosts productivity of IT staff
• Substantially shorten time to market for new services

• WebSphere DataPower XML Security Gateway XS40
• WebSphere Application Server

Top 5 Bank
Content Based Load Balancing

Challenge
• Existing shared integration infrastructure for Retail Bank unstable and unscalable (120 servers, 480 JVM’s!!!)
• Require content-based load balancing solution to be extended to offload functionality from existing solution

Solution
• Implemented WebSphere DataPower Integration Appliance XI50:
  - Primary function of XI50 is content-based load balancer for HTTP(s) and MQ traffic
• Additional tier of XI50’s planned for proxying to backend services (MQ, HTTP and IMSConnect)

Benefits
• Able to handle traffic bursts from third party partners
• Enhanced security on existing message flows
• Sophisticated mechanism for proactive identification and “route away” from degrading JVM’s
• Broken through their “scaling barrier”, able to do more with less cost

[Diagram labels: Clients, Providers]

• WebSphere DataPower Integration Appliance XI50
• WebSphere MQ

Online Service Provider
Scalable & Secure Online Transactions

Challenge
• To deploy a more scalable infrastructure for supporting secure online transactions and enhancing the scalability, manageability & reliability of IT environment.

Solution
• Implemented WebSphere DataPower Integration Appliance XI50 & WebSphere DataPower XML Security Gateway XS40.
  - The XI50 provides message and protocol mediation functions and interfaces with the TIBCO messaging bus.
  - The XI50 secures, transforms & routes web services calls to the appropriate service providers.
  - The XS40 is deployed in the DMZ for web services security-enforcement by performing a full range of security functions.

Benefits
• Increased scalability and security for high volume online income tax preparation as well as credit card authorization services.
• Faster to implement than software-only solution with significantly lower maintenance costs.

• WebSphere DataPower Integration Appliance XI50
• WebSphere DataPower XML Security Gateway XS40

Wachovia
Secure SOA Integration of Web Services and Legacy Systems

Challenge
• High profile Check 21 initiative to leverage SOA
• Enhance ATM message integration
• Replace legacy system reducing cost, enhancing security

Solution
• Deployed WebSphere DataPower Integration Appliance XI50
• Message-level security & XML threat protection

Benefits
• Improved efficiency with on-demand routing of remote deposits from branch office ATMs
• SOA message-level security, content validation, & threat protection
• Reduced VAN charges by using HTTP without sacrificing security compliance
• Reallocated resources to focus on core business tasks

• WebSphere DataPower Integration Appliance XI50

Charles Schwab
ESB Infrastructure

Challenge
• 1) New web services security for internal and external applications and 2) replace existing ESB/RR Bus
• Previous home-grown ESB (called RR Bus) was unmanageable with 48 servers at end of 2007, with dramatically increased loads expected in 2008

Solution
• Implemented WebSphere DataPower XML Security Gateway XS40 and WebSphere DataPower Integration Appliance XI50
• 2 DataPower XS40 XML Security Gateway Appliances provide standards-based web services security for Internet and intranet applications
• RR Bus – 4 DataPower XI50 Integration Appliance XI50s replaced 48 servers

[Diagram labels: System z, SOP/HTTP, SOAP/HTTP, XI50, Client, XS40]

Benefits
• Offered new service to business partners: Secure Web Services
• Forecasted ROI with break even mid way through year one
• Simplification of the home grown routing solution – easier to support and maintain 4 appliances vs. 48 servers
• High-performing routing of transactions to mainframe

• WebSphere DataPower Integration Appliance XI50
• WebSphere DataPower XML Security Gateway XS40
• WebSphere MQ

RouteOne LLC
Leveraged SOA to Integrate & Connect People, Process and Finance Information

Challenge
• Deploy a single highly secure, scalable & flexible credit system

Solution
• Deployed WebSphere DataPower XML Security Gateway XS40 to simplify, help secure & accelerate
• Service based integration of backend systems with online & Web services
• Connected 22,000 franchised Automotive Dealers, including DaimlerChrysler, Ford Motor Co, General Motors & Toyota, to a single highly secure, scalable and flexible credit application management system

Benefits
• Reduced function in numerous existing heterogeneous systems
• SOA Appliance architecture offers central point of control, manageability & scale
• Dynamic credit applications shorten processing times

• WebSphere DataPower XML Security Gateway XS40

Commonwealth of Massachusetts Executive Office of Health & Human Services
SOA Governance & Interaction Among Heterogeneous Applications

Challenge
• Introducing “synchronous” messages of existing services for both internal and external users
  - Threat protection risk for Web services
  - SLA imposed high performance requirements
  - Ease of integration with existing platform

Solution
• Implemented WebSphere DataPower Integration Appliance XI50 for easy Web services management, wirespeed performance & flexibility
• Deployed as a reverse proxy, providing schema validation & trust formations
• Augmented existing in-house service bus & WebSphere MQ

Benefits
• WebSphere DataPower reduces EOHHS’s monthly total cost of ownership expenses
• Satisfied EOHHS’ security & reliability concerns
• Centralized Web services management
• No measurable impact on existing infrastructure
• Accelerated SOA adoption across the enterprise
• Effectively integrates emerging standards with legacy systems and data

• WebSphere DataPower Integration Appliance XI50
• WebSphere MQ

Sprint
ESB for Policy Enforcement of SOA

Challenge
• To deploy an ESB that provides message security & mediation functions in a highly reliable & scalable fashion, while keeping capital expenditures, development & minimal ongoing management costs

Solution
• Implemented WebSphere DataPower Integration Appliance XI50 in the DMZ & the Enterprise Network
• The XI50s accept HTTP/SOAP traffic and provide policy enforcement for external users
  - Filtering & validating incoming XML traffic
  - Authentication & authorizing users
  - Routing messages to appropriate end points based on defined rules
  - Converting XML to binary
  - Mediating between HTTP, SOAP, MQ

Benefits
• ESB that is scalable, easy-to-deploy, quick to configure & simple to manage
• Faster time to market enables Sprint to meet project deadlines

• WebSphere DataPower Integration Appliance XI50
• WebSphere MQ

MIB Group, Inc.
SOA Security & Integration

Challenge
• Difficult to modify home-grown custom software application
• Adopt SOA to increase revenues, while reducing costs & increasing the security of the service

Solution
• Deployed WebSphere DataPower Integration Appliance XI50 for SOA security and to transform & route messages
• Acts as a gateway by forwarding messages to System z mainframe to be checked against database
• Integrates ACORD XML services with existing WebSphere MQ
• Integrates SchemaTron validate to generate XSLT to load the generated XSLT onto the XI50 for runtime execution & filtering

Benefits
• More than 10 times faster than internally developed custom software
• Fraud-protection processes are faster, more secure & less error prone
• Web service allows MIB to offer more services to customers while reducing overhead cost

• WebSphere DataPower Integration Appliance XI50
• WebSphere MQ
• System z

Customer Testimonials

“What DataPower brought to the table for us was an extremely high performance level for the exact same function at, honestly, a better price point…They’re a full order of magnitude faster than our software-based solution was…It’s really reduced the amount of additional time that’s incurred in processing our security functions.” - Lincoln Fellingham

“IBM’s sophisticated WebSphere integration software, DB2 database and REST Web services are enabling us to maintain our leadership position by building a secure and powerful SOA on our zSeries enterprise server, thereby protecting our existing investments in technology while building a foundation for the future.” - Alexander Klevitsky

Summary – IBM Specialized Hardware for Smart SOA Connectivity
• Hardened, specialized product for helping integrate, secure & accelerate SOA
• Many functions integrated into a single device
• Broad integration with both non-IBM and IBM software
• Higher levels of security assurance certifications require hardware
• Higher performance with hardware acceleration
• Simplified deployment and ongoing management

http://www.ibm.com/software/integration/datapower/

SOA Appliances: Creating customer value through extreme SOA performance and security
• Integrates SOA with specialized devices
• Accelerates SOA with faster XML throughput
• Helps secure SOA XML implementations

Thank you