IAG-1959 DataPower Web and Mobile Gateway – How to Lower Costs and Improve Efficiencies

Timothy Smith, DataPower Lead Engineer, Sr Sw Eng, IBM
Anil Ambati, WAS Component Lead Software Engineer, IBM
© 2014 IBM Corporation

Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Session Overview
• WebSphere™ DataPower Overview
• A Case for Consolidation
• Link Aggregation
• WebSockets
• JSON and GatewayScript
• Patterns
• Caching
• HTTP Enhancements
• Application Optimization Feature
• Self Balancing
• Intelligent Load Distribution
• On Demand Router

DataPower Gateway Appliances
Over a decade of innovation & over 2000 worldwide installations
• Government: agencies and ministries, defense and security organizations, crown corporations
• Banking: the majority of the big US and European banks, all of the big 5 Canadian banks, numerous regional banks and credit unions
• Insurance: used by 95% of top global insurance firms
• SaaS providers, ASPs, regulators, etc.
• Many, many more: healthcare, retailers, utilities, power, oil and gas, telecom, airlines, …

DataPower Family
• Service Gateway XG45 – entry-level device, slim footprint (1U); security gateway (AAA, XML threat, etc); service level management and monitoring; intelligent load distribution & dynamic routing; lightweight integration functions (optional); available in Virtual Edition
• Integration Appliance XI52 – high density 2U form, XG45 functionality plus “Any-to-Any” conversion at wire-speed; bridges multiple transport protocols; mainframe integration & enablement; available in Virtual Edition
• B2B Appliance XB62 – high density 2U form, XI52 functionality plus B2B messaging (AS1/AS2/AS3/ebMS); trading partner profile management; B2B transaction viewer

DataPower Web Gateway for Security and Connectivity
(Diagram: the engaging enterprise. DataPower secure appliances sit in the DMZ between the enterprise side – private cloud, master data management, big data, System z, application, service and DB tiers – and the Internet side – public cloud, social and Internet data sources, mobile, PoS and ATM clients, APIs, Internet of Things sensors, developer and customer communities, trading partner communities.)
• Secure appliances enable controlled & optimized access to enterprise resources
• Secure appliances integrate apps/data/services and partners while controlling and optimizing transactions

DataPower Web Gateway Strategy
Enable additional use-cases with a single, policy-driven converged gateway
Focus so far
• Web Service Gateway – DMZ-ready; security gateway (AAA, XML threat); service level management and monitoring; intelligent load distribution & dynamic routing
Expanded focus
• Integration Gateway – “Any-to-Any” conversion at wire-speed; bridges multiple transport protocols; mainframe integration & enablement
• B2B Gateway – DMZ-ready; B2B messaging (AS1/AS2/AS3/ebMS); trading partner profile management; B2B transaction viewer
• Web Application Gateway – DMZ-ready; first-class integration with WAS; cache response content; web application security; traffic mgmt
• On-premise API Management – DMZ-ready; web API security; monitor API use; enforce API consumption policies
• Mobile Application Gateway – DMZ-ready; mobile application security; support for the Worklight mobile platform; monitor and control mobile app access
Form factors
• Physical appliance for hardware performance & security
• Virtual appliance for deployment flexibility

WebSphere™ DataPower Elastic Web Gateway
Build a simple, robust, performant, secure, fast TTV, low TCO, policy-driven gateway with consistent enforcement of business methodologies across a broad set of application traffic patterns, focused on these business priorities:
• SECURE your mobile application from advanced threats
• INTEGRATE with backend systems to deliver the data
• OPTIMIZE the data, transport and delivery of your application
• SCALE with intelligent load distribution and self-balancing
• RESILIENCE of the application delivery infrastructure
• CONSOLIDATE and simplify your infrastructure footprint
• GOVERN and enforce policy, such as quality of service
• MONITOR and analyze to empower decision making

Infrastructure -- Complex, Fragmented, and Brittle
(Diagram: between the Internet, the DMZ, the trusted domain and System z, a separate box or package handles each function: IP-based load balancing, link aggregation, SSL offloading, WebSockets, consumer authentication, access control, transformation, caching, identity federation, protocol mediation, monitoring, validation, traffic shaping, JSON.)

Use DataPower to Consolidate your Infrastructure
(Diagram: a single DataPower tier in the DMZ between consumers and trading partners on the Internet and the applications in the trusted domain and on System z, replacing the separate boxes above.)

Benefits of Consolidation
TCO dramatically reduced
• Fewer boxes to purchase
• Fewer boxes to keep current, manage, and configure
• Reduction in separate learning curves for each hardware and software package
Network infrastructure simplified
• One tier of appliances versus a collection of networking equipment, appliances, and specialized software packages
Performance enhanced
• Fewer network hops means fewer trips up and down protocol stacks
  – Lower latency
  – Higher throughput
Better security, with policy enforced on a single purpose-built secure device

Link Aggregation (New in 7.0)
Make multiple physical interfaces act as one logical interface
• Simplify your configuration
• Increase your bandwidth
• Add high availability automatically
Characteristics
• Any number of physical interfaces
• Treated as a single logical interface
• Failover occurs without disruption
• ** Must be consistent with network design (the switch ports the interfaces connect to must be configured for the same aggregation)

Link Aggregated DMZ Pattern
Redundancy with multiple NICs – non-aggregated NICs
(Diagram: four NICs with four addresses, IP 1 to IP 4, each needing its own front side protocol handler in front of the MPGW service, a load balancer group spread across all four, and a complex routing table.)
Redundancy with multiple NICs – using link aggregation
(Diagram: the NICs are grouped into Aggregation 1 and Aggregation 2, each with one address, IP 1 and IP 2, one front side protocol handler feeding the MPGW service, and a simplified routing table.)
1. Single IP per aggregation
2. Single front side handler
3. Simplified routing table

WebSockets in DataPower (New in R7.0)
WebSockets (RFC 6455) – client to server direct connectivity
• Full duplex connection
  – Server can send to client without waiting for a request
  – Good for mixing video with text
  – Good for gaming interactions
• Supported by all major browsers
• 2-stage setup
  – Initial stage is an HTTP exchange (the upgrade request)
  – Once negotiated, the existing connection is used as a bi-directional pipe

WebSockets – DataPower Implementation
During negotiation
• Full multistep capabilities (e.g. AAA, SLM concurrent request, etc.) are available on the initial upgrade request
Once the WebSocket handshake is completed
• Request and response rule processing is bypassed, so any policy you want enforced on a WebSocket connection (authentication, authorization, origin checks) must be enforced on the upgrade request; the frames that follow are not inspected by processing rules
• SSL characteristics remain unchanged – the SSL Proxy Profile for front and back side continues to apply
• Optional inactivity timeout will break the TCP connection to client and server
Can override configuration via stylesheets or GatewayScript
• var://service/http/websocket-upgrade (read/write)
• Only valid in a request rule
• DataPower sets it to ‘1’ when an upgrade request is received
• Write ‘0’ to disable the upgrade (for example, when a policy check on the upgrade request fails)

WebSockets Config
Configured via an HTTP or HTTPS front side protocol handler
• ‘HTTP version to client’ must be set to HTTP 1.1
• ‘HTTP 1.1’ allowed version must be enabled
• ‘GET’ method must be enabled
• ‘Allow WebSocket Upgrade’ must be enabled
• ‘WebSocket Idle Timeout’ (optional): 0 – 86400 seconds; 0 is no timeout (default)

Extended HTTP Support (New in V7.0)
Proxy support for extended methods and status codes
• Custom method support:
  – Includes methods not defined or reserved in the HTTP 1.1 specification
  – Only in MPGW
  – var://service/protocol-method (read and write) is populated upon request reception
  – The custom method may be set or proxied from front end to back
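The two-stage setup described on the WebSockets slides above (an ordinary HTTP upgrade exchange, after which the connection is an opaque bidirectional pipe that request and response rules no longer see) makes the upgrade request the only place policy can be applied. The stand-alone Python below is an added example, not DataPower code or GatewayScript: it applies the preconditions the WebSockets Config slide lists (GET, HTTP/1.1, upgrade allowed), checks the RFC 6455 handshake headers, enforces an Origin allow-list as a stand-in for the AAA step, and computes the Sec-WebSocket-Accept value the server must answer with. The request bytes (which reuse the Sec-WebSocket-Key from RFC 6455 section 1.3) and the allowed-origin set are constructed for the example.

```python
import base64
import hashlib

# RFC 6455, section 1.3: the server proves it understood the handshake by
# returning base64(SHA-1(Sec-WebSocket-Key + GUID)).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased; repeated headers are joined with commas, the
    way RFC 7230 combines list-valued fields.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return method, target, version, headers


def accept_value(client_key: str) -> str:
    """Sec-WebSocket-Accept for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def token_in(header_value: str, token: str) -> bool:
    """Case-insensitive membership test for a comma-separated header value."""
    return token.lower() in [t.strip().lower() for t in header_value.split(",")]


def evaluate_upgrade(raw: bytes, allowed_origins, allow_upgrade=True):
    """Decide whether an upgrade request may proceed.

    Returns (ok, reason, accept). The checks mirror the handler preconditions on
    the slide (GET, HTTP/1.1, upgrade enabled) plus the RFC 6455 header rules.
    The Origin allow-list stands in for whatever AAA policy a real deployment
    runs on the upgrade request; browsers always send Origin, so it is the
    cheapest defence against cross-site WebSocket hijacking.
    """
    method, _, version, h = parse_request(raw)
    if not allow_upgrade:
        return False, "websocket upgrade disabled on handler", None
    if method != "GET":
        return False, "upgrade requires GET", None
    if version != "HTTP/1.1":
        return False, "upgrade requires HTTP/1.1", None
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket", None
    if not token_in(h.get("connection", ""), "Upgrade"):
        return False, "missing Connection: Upgrade", None
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version", None
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError
    except Exception:
        return False, "Sec-WebSocket-Key is not a 16-byte base64 nonce", None
    if h.get("origin") not in allowed_origins:
        return False, "origin not allowed: %r" % h.get("origin"), None
    return True, "ok", accept_value(key)


# Constructed sample request; the key is the one used in RFC 6455 section 1.3.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: http://example.com\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(evaluate_upgrade(SAMPLE_REQUEST, {"http://example.com"}))
    print(evaluate_upgrade(SAMPLE_REQUEST, {"http://other.example"}))
```

Writing ‘0’ to var://service/http/websocket-upgrade when a check like evaluate_upgrade() fails is the DataPower-side way of refusing the handshake; what matters is that the decision is made at this point, because nothing downstream will look at the frames.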
  – Once enabled, ALL custom method values must be addressed by your policy; there is no implicit handling of a method the policy does not match
  – No support for the following:
    – side calls (dp:urlopen())
    – Header Rewrite action
    – SLM, Count, Duration or other monitoring based on the ‘custom’ method name
• Custom status code support:
  – Includes status codes not defined or reserved in the HTTP specification
  – 0XX through 9XX (updated in 7.0); does not include 1XX series responses
  – Write via the x-dp-responsecode header or the service variable

Extended HTTP Support – Enable Custom Methods
(Screenshot: enable custom method handling on the front side protocol handler by selecting the option to allow custom methods to be processed.)

Extended HTTP Support – Matching Action
Matching against a custom method
• Select ‘custom’, and provide the custom method name
• Matching action accepts no wild cards
(Screenshot: method type ‘custom’ with the specific method name to match; the match is case insensitive.)

JSON Processing in DataPower
JSON is a critical technology for Web 2.0 and mobile apps
Use DataPower to secure and manipulate any JSON payload
• Schema validation
• JSONiq
• GatewayScript
(Timeline, DP 3.8.0 → 5.0.0 → 6.0 → 7.0: ensure JSON is well-formed; generic JSON to XML (JSONx); JSON threat protection; high speed JSON parsing; native JSON, no XML required; JSON schema validation and JSONiq – extract, filter, query, transform (6.0); REST policy framework; web and mobile patterns; web proxy enhancements; GatewayScript R1, JavaScript based (7.0).)

Focus on Input and Output: JSON Schema Validation (6.0)
Verify the integrity of your JSON payload
Payload:
    {
      "name": "John Smith",
      "sku": "20223",
      "price": "23.95",
      "shipTo": { "name": "Jane Smith", "address": "123 Maple Street", "city": "Pretendville", "state": "NY", "zip": "12345" },
      "billTo": { "name": "John Smith", "address": "123 Maple Street", "city": "Pretendville", "state": "NY", "zip": "12345" }
    }
JSON Schema:
    {
      "type": "object",
      "properties": {
        "name":  { "type": "string" },
        "sku":   { "type": "string" },
        "price": { "type": "number" },
        "shipTo": { "type": "object", "properties": {
          "name": { "type": "string" }, "address": { "type": "string" }, "city": { "type": "string" },
          "state": { "type": "string" }, "zip": { "type": "string" } } },
        "billTo": { "type": "object", "properties": {
          "name": { "type": "string" }, "address": { "type": "string" }, "city": { "type": "string" },
          "state": { "type": "string" }, "zip": { "type": "string" } } }
      }
    }
Note that the payload as shown quotes "price" as a string while the schema declares it a number; a validator that enforces the declared types rejects this message, which is exactly the kind of type mismatch schema validation exists to catch before the payload reaches the backend.

JSONiq Query Example (6.0)
• An SQL-like language for transforming JSON
• Example: query all people who made purchases of at least $100
Input:
    [ { "given": "John",  "surname": "Smith", "sku": "20223", "price": 23.95 },
      { "given": "Alice", "surname": "Brown", "sku": "54321", "price": 199.95 },
      { "given": "John",  "surname": "Smith", "sku": "23420", "price": 104.95 },
      { "given": "Bob",   "surname": "Green", "sku": "90231", "price": 300.00 },
      { "given": "Scott", "surname": "Jones", "sku": "54321", "price": 199.95 },
      { "given": "Jim",   "surname": "Lee",   "sku": "89820", "price": 46.50 } ]
JSONiq transform:
    declare option jsoniq-version "0.4.42";
    for $x in jn:members(.)
    where $x("price") >= 100.00
    order by $x("surname")
    return concat($x("given"), ' ', $x("surname"), ' ')
Output:
    Alice Brown Bob Green Scott Jones John Smith

GatewayScript (New in 7.0) – the Right Tool for the Right Job
• JavaScript based
• Familiar and friendly APIs
• Secure execution
• Native JSON manipulation
• Comprehensive access to DataPower libraries and internal variables
• Modular, extendable foundation
• Very high performance
• Debugger
• For more details, please join session IAG1760
(Diagram: a GatewayScript action reads the ‘INPUT’ context (readAs…()) with its body and metadata, has access to context variables V1 … Vn, modules/libraries, utilities, logging (console.log) and error(), and writes (write()) to the ‘output’ context or to ‘named’ contexts, all on the JavaScript engine.)

Testing DataPower Templates and Patterns
Too much choice may not be a good thing
• Limit the configuration options to only the important things
• Make a pattern to enforce consistency
• Make an overlay of default configuration options

DataPower Side Caching
Documents that are retrieved off box – schemas, transforms, other documents – are held in the Document Cache
(Diagram: user client → DataPower XI/XG/XB appliances → provider; transform.xslt, schema.dtd, … are fetched once and then served from the document cache, improving response time.)

Back-end Caching (6.0)
Investments in caching on-box
• Take advantage of the larger memory space
(Diagram: static and dynamic content such as picture.jpg, index.html, … is held on the DataPower XI/XG/XB appliances.)
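The JSON Schema Validation slide above shows the payload and the schema but not what a validator does with them. The following stand-alone Python is an added example, not DataPower's validator: it implements the subset of JSON Schema the slide uses (type and properties) plus required and additionalProperties, runs the slide's own payload against the slide's own schema, and then against a hardened variant (an assumption of this example, not on the slide) that rejects fields the schema does not name. The error strings it returns carry a JSON-pointer style path so a log line can say which field failed.

```python
import json

# Constructed copy of the slide's payload (price quoted, exactly as on the slide).
SLIDE_PAYLOAD = json.loads("""
{ "name": "John Smith", "sku": "20223", "price": "23.95",
  "shipTo": { "name": "Jane Smith", "address": "123 Maple Street",
              "city": "Pretendville", "state": "NY", "zip": "12345" },
  "billTo": { "name": "John Smith", "address": "123 Maple Street",
              "city": "Pretendville", "state": "NY", "zip": "12345" } }
""")

ADDRESS = {"type": "object", "properties": {
    "name": {"type": "string"}, "address": {"type": "string"},
    "city": {"type": "string"}, "state": {"type": "string"}, "zip": {"type": "string"}}}

# Constructed copy of the slide's schema.
SLIDE_SCHEMA = {"type": "object", "properties": {
    "name": {"type": "string"}, "sku": {"type": "string"}, "price": {"type": "number"},
    "shipTo": ADDRESS, "billTo": ADDRESS}}

# Hardened variant (an assumption of this example, not on the slide): require the
# fields the backend relies on and reject anything the schema does not name.
HARDENED_SCHEMA = {
    "type": "object",
    "required": ["name", "sku", "price"],
    "additionalProperties": False,
    "properties": dict(SLIDE_SCHEMA["properties"]),
}


def _type_ok(value, typ):
    # bool is a subclass of int in Python, so it must be excluded from number/integer.
    checks = {
        "object": lambda v: isinstance(v, dict),
        "array": lambda v: isinstance(v, list),
        "string": lambda v: isinstance(v, str),
        "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
        "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
        "boolean": lambda v: isinstance(v, bool),
        "null": lambda v: v is None,
    }
    return checks[typ](value)


def validate(instance, schema, path=""):
    """Return a list of '<path>: <problem>' strings; an empty list means valid.

    Supports type, properties, required, additionalProperties and items, which is
    enough for the slide's schema and for the hardened variant above.
    """
    errors = []
    typ = schema.get("type")
    if typ is not None and not _type_ok(instance, typ):
        errors.append("%s: expected %s, got %s" % (path or "/", typ, type(instance).__name__))
        return errors  # no point descending into a value of the wrong type
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append("%s/%s: required property missing" % (path, name))
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], "%s/%s" % (path, name)))
            elif schema.get("additionalProperties", True) is False:
                errors.append("%s/%s: property not allowed by schema" % (path, name))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], "%s/%d" % (path, i)))
    return errors


if __name__ == "__main__":
    print(validate(SLIDE_PAYLOAD, SLIDE_SCHEMA))        # the quoted price fails
    fixed = dict(SLIDE_PAYLOAD, price=23.95)
    print(validate(fixed, SLIDE_SCHEMA))                # []
    print(validate(dict(fixed, isAdmin=True), HARDENED_SCHEMA))
```

The slide's payload fails on /price because the value is the string "23.95"; with a numeric price it passes. The hardened schema turns an injected "isAdmin": true into a rejection instead of a field that the slide's schema would let through unexamined.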
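The Document Cache and Back-end Caching slides above, and the Response Caching slide that follows, list behaviours (Cache-Control observance, If-Modified-Since conditional requests, RESTful invalidation on PUT and POST, a cache key set by x-dp-cache-key, optional stale serving) without showing how they interact. The following stand-alone Python model is an added example, not DataPower's cache implementation: it implements each of those behaviours, adds one rule the slides do not mention (a response to a request that carried Authorization is not shared unless the origin marks it public), and walks a constructed origin through the sequence. FakeOrigin, its URLs, the header values and the timestamps are all constructed for the example.

```python
import time
from collections import namedtuple
from email.utils import parsedate_to_datetime

CacheResult = namedtuple("CacheResult", "status headers body source")


def parse_cache_control(headers):
    """Parse Cache-Control into {directive: value or None} with lower-cased names."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        if part.strip():
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def http_date(value):
    """HTTP-date string -> POSIX timestamp, or None when absent or unparseable."""
    try:
        return parsedate_to_datetime(value).timestamp() if value else None
    except (TypeError, ValueError):
        return None


class ResponseCache:
    """Model of a gateway response cache: keying, freshness, 304s, invalidation, stale."""

    def __init__(self, clock=time.time, serve_stale=False):
        self.clock, self.serve_stale, self.store = clock, serve_stale, {}

    @staticmethod
    def cache_key(url, req_headers):
        # x-dp-cache-key overrides the URL as the key, as on the slide. Everything the
        # response varies on (user, tenant, Accept) must then be part of that key.
        return req_headers.get("x-dp-cache-key") or url

    @staticmethod
    def max_age_if_cacheable(req_headers, status, resp_headers):
        cc = parse_cache_control(resp_headers)
        if status != 200 or "no-store" in cc or "private" in cc or "max-age" not in cc:
            return None
        # Added hardening (RFC 7234 section 3): a response to a request that carried
        # credentials may be shared only if the origin explicitly marked it public.
        if "authorization" in req_headers and "public" not in cc:
            return None
        return int(cc["max-age"]) if str(cc["max-age"]).isdigit() else None

    def handle_request(self, method, url, req_headers, origin):
        req_headers = {k.lower(): v for k, v in req_headers.items()}
        key, now = self.cache_key(url, req_headers), self.clock()
        if method != "GET":
            status, headers, body = origin(method, url, req_headers)
            if method in ("PUT", "POST", "DELETE") and 200 <= status < 300:
                self.store.pop(key, None)  # RESTful invalidation of the cached copy
            return CacheResult(status, headers, body, "origin")
        entry = self.store.get(key)
        if entry and now - entry["stored"] <= entry["max_age"]:
            ims = http_date(req_headers.get("if-modified-since"))
            if ims is not None and entry["last_modified"] is not None and entry["last_modified"] <= ims:
                return CacheResult(304, {}, b"", "304")  # conditional request answered on-box
            return CacheResult(entry["status"], entry["headers"], entry["body"], "cache")
        try:
            status, headers, body = origin(method, url, req_headers)
        except ConnectionError:
            if entry and self.serve_stale:  # optional stale serving when the origin is down
                return CacheResult(entry["status"], entry["headers"], entry["body"], "stale")
            return CacheResult(504, {}, b"", "error")
        resp_headers = {k.lower(): v for k, v in headers.items()}
        max_age = self.max_age_if_cacheable(req_headers, status, resp_headers)
        if max_age is not None:
            self.store[key] = dict(status=status, headers=headers, body=body, stored=now,
                                   max_age=max_age, last_modified=http_date(resp_headers.get("last-modified")))
        return CacheResult(status, headers, body, "origin")


class FakeOrigin:
    """Constructed back end: one cacheable catalog item and one per-user resource."""

    def __init__(self):
        self.hits, self.down = 0, False

    def __call__(self, method, url, req_headers):
        if self.down:
            raise ConnectionError("origin unavailable")
        self.hits += 1
        if method == "GET" and url == "/catalog/item/20223":
            return 200, {"Cache-Control": "max-age=60",
                         "Last-Modified": "Sat, 01 Mar 2014 10:00:00 GMT"}, b'{"sku":"20223","price":23.95}'
        if method == "GET" and url == "/account/me":
            return 200, {"Cache-Control": "max-age=60"}, b'{"token":"%s"}' % req_headers["authorization"].encode()
        return (204, {}, b"") if method in ("PUT", "POST") else (404, {}, b"")


def demo():
    """Walk the cache through the behaviours on the slides; returns what each step observed."""
    now, origin = [1000.0], FakeOrigin()
    cache = ResponseCache(clock=lambda: now[0], serve_stale=True)
    get = lambda url, hdrs=None: cache.handle_request("GET", url, hdrs or {}, origin)
    seen = {}
    seen["first"] = get("/catalog/item/20223").source                                   # origin
    seen["second"] = get("/catalog/item/20223").source                                  # cache
    seen["keyed"] = get("/catalog/item/20223?utm=x", {"x-dp-cache-key": "/catalog/item/20223"}).source
    seen["conditional"] = get("/catalog/item/20223",
                              {"If-Modified-Since": "Sat, 01 Mar 2014 10:00:00 GMT"}).status  # 304
    cache.handle_request("PUT", "/catalog/item/20223", {}, origin)                      # invalidates
    seen["after_put"] = get("/catalog/item/20223").source                               # origin
    now[0] += 120                                                                        # past max-age
    origin.down = True
    seen["stale"] = get("/catalog/item/20223").source                                   # stale
    origin.down = False
    get("/account/me", {"Authorization": "Bearer alice"})
    seen["auth_second"] = get("/account/me", {"Authorization": "Bearer bob"}).source    # origin, not alice's copy
    seen["origin_hits"] = origin.hits
    return seen
```

The Authorization rule and the comment on x-dp-cache-key make the same point from two sides: whatever a response depends on must either be part of the key or keep the response out of the shared cache, otherwise one requester is served another's data.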
(Diagram continued: the user client sends GET /picture.jpg HTTP/1.1; on the first request DataPower fetches it from the web server, which has a large response time; subsequent requests are served from the on-box cache with an improved response time.)

Response Caching (V6)
‘Document Cache’ (pre-6.0)
• Existing ‘on-box’ cache for caching responses to HTTP(S) GET side-call requests
Expanded functionality of ‘Document Cache’ (6.0)
• Cache more data ‘on-box’ with the 7198/7199 hardware platforms
• Improved observation of HTTP 1.1 Cache-Control headers
  – Operate on conditional requests (If-Modified-Since)
  – RESTful cache invalidation (PUT and POST requests)
• Specify a cache key different than the URL (x-dp-cache-key). Choose the key carefully: a key that omits an attribute the response depends on (for example the user, the tenant or the Accept header) serves one requester's cached response to another.
• Optionally, return stale documents

Application Optimization and Intelligent Management

What is the Application Optimization Feature?
The Application Optimization (AO) feature for DataPower is a collection of functions intended to consolidate the required components for an ESB or DMZ device into a single product. AO contains the following major components:
• Self Balancing
• Intelligent Load Distribution (load balancer group per cluster)
• On Demand Router – super load balancer (cell basis)

DataPower AO – Self Balancing
• Eliminates the need for front side load balancing (3.8.0)
• High availability: gratuitous ARP takeover (4.0.2)
• Active/Active failover using standby control (4.0.2)
• Additional distribution algorithm (6.0)
• Front-end IP load balancers are not needed for AO workloads
• Failure of target appliances is masked by appropriate weighted distribution
(Diagram: clients → self balancing (IP spraying) across the DataPower appliances → service provider, in place of a separate IP-based load balancer.)

DataPower AO – Intelligent Load Distribution (3.8.0)
Used for non-WebSphere back ends
• Dynamic configuration – XML topology document
• Session affinity – active and active-conditional
• Weighted least connections
• Configured on a per load balancer group basis
(Diagram: clients → DataPower → non-WebSphere service providers; DataPower performs dynamic back-side routing and load distribution, leveraging dynamic topology information from the back-ends.)

Unified On Demand Router (ODR) Strategy
ODRLIB is a common C library which is used by both:
1) DataPower physical and virtual appliances; and
2) the WebSphere web server plugin for Apache/IHS
ODRLIB is the single strategic web-based connector to the WebSphere Application Server.
(Diagram: DataPower w/ ODRLIB and IHS/Apache w/ ODRLIB both connect to the WAS ND cluster in the AppServer tier.)
Advantages:
• Use of the single premier WebSphere connector
• Increased resilience/quality/ease-of-use
• Ease of migration between offerings

DataPower plus Intelligent Management (IM) Overview
(Diagram: DataPower w/ AO, virtual or physical, sends HTTP request traffic to the application clusters in WebSphere cells 1 … N and REST control traffic to the IM REST service in each cell.)
The IM REST service is automatically available in the Deployment Manager and in each nodeagent on the XD_AGENT port of WebSphere 8.5.5+. DP/AO fails over the REST control traffic to another IM service for highly available connectivity to WebSphere.

Connecting DataPower to WebSphere 8.5.5+
1) No changes to WebSphere (i.e. no applications to install)
2) For each WebSphere cell with security enabled, the following is required:
   – WebSphere's SSL certificate in an SSL Proxy Profile in DataPower (the control connection decides where application traffic is routed, so validate the cell's certificate rather than trusting whatever server answers on that port)
   – Connector end point (hostname, XDAGENT_PORT) of the node agent / DMGR
(Screenshot: add a new connector group for each WebSphere cell.)

Intelligent Management REST Service Ports
(Screenshot of the WebSphere port configuration for the IM REST service; the slide carries no further text.)

Intelligent Management Features Overview
1) Automatic routing
 ‒ Automatically discovers and recognizes all changes which affect routing: server/cluster create/start/stop/delete, application install/start/stop/uninstall, virtual host updates, session affinity configuration changes, dynamic server weight changes, etc.
 ‒ Lower administrative overhead. Simply connect a cell and go. When new clusters are created in target cells, no configuration change is required in DataPower, i.e. no need to create a new load balancer group.
 ‒ Efficient & responsive delta processing in DataPower when changes occur in a WebSphere cell
(Diagram: the ODR connector and ODR library in DataPower talk to the Deployment Manager; an ODR-LBG (load balancer group) fronts clusters 1, 2 and 3 for the XML FW, MPGW and WAF services.)

2) Application edition routing
 ‒ Continuous availability during atomic/group hard/soft rollout (previously supported)
 ‒ Validation mode, application edition routing rules, multiple concurrently active editions (newly supported)
(Diagram: DataPower w/ AO routes to Edition 1.0 on Cluster 1 and Edition 2.0 on Cluster 2.)

3) ODR-enforced health policy support
 ‒ Excessive response time
 ‒ Excessive request timeout

4) Node and server maintenance mode
 ‒ When a node or server is placed into maintenance mode, application optimization automatically routes appropriately
 ‒ Also observe server maintenance mode
(Diagram: Node 1 in normal mode, Node 2 in maintenance mode; only requests with affinity to Node 2 are routed to it while it is in maintenance mode.)

5) Multi-cell routing
 ‒ Application Optimization automatically routes to different applications in multiple cells
 ‒ Routing to the same application in multiple cells is not yet supported
(Diagram: DataPower w/ AO in front of cells 1, 2 and 3, each with its own Deployment Manager and clusters.)

6) WLOR (Weighted Least Outstanding) load balancing
 ‒ Evens out response times due to dynamically changing weights
 ‒ Quick to send less traffic to slow or hung servers
Example: server1 is healthy and responding 10 times more quickly than server2, which is sick and responding slowly or not at all. The DWLM controller dynamically adjusts the weights to 20 and 2, and DataPower sends 100 times as many requests to server1 as to server2; the skew exceeds the 10:1 weight ratio because WLOR also counts the requests still outstanding on the slow server against it.

7) Highly-available REST-based control connection to WebSphere
 ‒ DMZ-friendly
 ‒ No application to install or additional configuration required
 ‒ REST-based service automatically available in WAS 8.5.5 dmgr and nodeagent
 ‒ Plugin fails over when needed
(Diagram: the RESTful control connection fails over from the Deployment Manager to Node Agent 1 or Node Agent 2.)

ODR Features Not Yet Supported by DataPower
1. Load balancing or failover between cells for the same application (same application means the same <virtualHost, virtualPort, contextRoot>; different applications in different cells IS supported)
2. CPU or memory overload protection
3. Request prioritization – no queuing and re-ordering of requests based on service policies
4. Highly available deployment manager
5. Application edition-aware caching
6. Per-request conditional tracing

Questions?

We Value Your Feedback
Don’t forget to submit your Impact session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference. Use the Conference Mobile App or the online Agenda Builder to quickly submit your survey.
• Navigate to “Surveys” to see a view of surveys for sessions you’ve attended

Thank You

Legal Disclaimer
• © IBM Corporation 2014. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
• IBM, the IBM logo, and WebSphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.