IBM Training

Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances

(Course code WB555)

Student Notebook
ERC 2.0

Authorized Training
WebSphere Education

The blue color of the print guarantees the authenticity of this document.
Trademarks

IBM® is a registered trademark of International Business Machines Corporation.

The following are trademarks of International Business Machines Corporation in the United States, or other countries, or both:

Approach®
DataPower®
DataPower device®
DB2®
developerWorks®
Domino®
IMS™
Lotus®
MQSeries®
Notes®
Rational®
RDN™
Tivoli®
WebSphere®
z/OS®
zSeries®

VMware® and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.

Edge of Network® and ThinkPad® are trademarks or registered trademarks of Lenovo in the United States, other countries, or both.

Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX® is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

May 2009 edition

The information contained in this document has not been submitted to any formal IBM test and is distributed on an "as is" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.

© Copyright International Business Machines Corporation 2009. All rights reserved.
This document may not be reproduced in whole or in part without the prior written permission of IBM.

Note to U.S. Government Users: Documentation related to restricted rights. Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Contents

Trademarks . . . . . . . . . . xvii
Course description . . . . . . . . . . xix
Agenda . . . . . . . . . . xxiii

Unit 1. Introduction to DataPower SOA Appliances . . . . . . . . . . 1-1
  Unit objectives
  XML-aware networking
  Role of XML in SOA
  Uses of XML in SOA
  Some SOA specifications based on XML
  Disadvantages and threats with XML
  Web services as a security risk
  Solution: Integrate an XML-aware network layer
  SOA appliances in detail
  DataPower SOA appliances: Built for security
  DataPower SOA appliances: Purpose-built solution
  DataPower SOA appliances provide both performance and security
  Topic summary
  DataPower SOA appliance use cases
  Use cases for SOA appliances
  Use case 1: Securing Web services
  Layers of security for XML-based applications
  Use case 2: Legacy integration and hub mediation
  Enable Web services for legacy applications
  Content based routing
  Use case 3: Web service management
  Enforce service level agreements with DataPower SOA appliances
  Use case 4: Accelerate dynamic Web sites
  Accelerate dynamic Web sites
  Topic summary
  Introduction to DataPower SOA appliances
  IBM WebSphere DataPower product line
  XML Accelerator XA35 features
  XML Security Gateway XS40 features
  Integration Appliance XI50 features
  DataPower SOA appliances in the network stack
  Features comparison (1 of 3)
  Features comparison (2 of 3)
  Features comparison (3 of 3)
  Topic summary
  Checkpoint
  Unit summary

Unit 2. DataPower administration overview . . . . . . . . . . 2-1
  Unit objectives
  Administration through the WebGUI
  DataPower SOA appliance administration
  WebGUI Web administration application
  Administration using the Web browser
  Navigation bar categories
  System control features (1 of 2)
  System control features (2 of 2)
  File management
  File directories for configuration
  File directories for security
  File directories for logging
  Administrative access control
  Create an application domain
  Application domain
  Configuration tab
  Configuration Checkpoints
  View application domain status
  Create a user account and a user group
  Manage user group details
  Manage user account details
  Export the system configuration
  Import a system configuration
  Saving configuration changes
  Topic summary
  Alternate administration
  Administration by using the command line interface
  Initial CLI login screen
  Quick initial configuration procedure
  User and privileged modes
  Retrieve system information using the CLI
  Administration using Web service
  XML Management: Create a new application domain
  XML Management: Domain creation response
  WSDM interface
  Management interface summary
  Topic summary
  Checkpoint
  Unit summary

Unit 3. Introduction to XSL transformations . . . . . . . . . . 3-1
  Unit objectives
  Introduction to Extensible Stylesheet Language
  Three parts of Extensible Stylesheet Language (XSL)
  XSL Transformations (XSLT) overview
  The XSLT process
  What is XPath?
  Example XPath
  XPath current context
  XPath step syntax
  XPath address notation
  Example: XPath absolute addressing
  Example: XPath relative addressing
  Anatomy of an XSL style sheet
  The <xsl:template> element
  The <xsl:apply-templates> element
  The <xsl:value-of> element
  XSLT style sheet elements to generate output
  XML input as a tree
  Desired HTML output
  XML to HTML (1 of 4)
  XML to HTML (2 of 4)
  XML to HTML (3 of 4)
  XML to HTML (4 of 4)
  XSL style sheet control elements
  The <xsl:for-each> element
  The <xsl:if> element
  The <xsl:choose> element (1 of 2)
  The <xsl:choose> element (2 of 2)
  Elements to generate output (XML to XML)
  The <xsl:element> element
  The <xsl:attribute> element
  Topic summary
  Custom style sheet programming
  Using custom style sheets
  How to develop style sheets with DataPower extensions
  XSLT variables
  DataPower variables
  DataPower variable scopes
  Example DataPower variables
  Stylesheet using DataPower extension functions
  Topic summary
  Checkpoint
  Unit summary

Unit 4. DataPower services overview . . . . . . . . . . 4-1
  Unit objectives
  Primary services
  Services available on the DataPower appliance
  XSL proxy service
  XSL Coprocessor Service
  XML firewall service
  Web service proxy service
  Multi-protocol gateway service
  Web application firewall service
  DataPower services feature hierarchy
  Choosing the service
  Secondary services
  Topic summary
  Service configuration
  Object oriented configuration
  Message processing phases
  Basic architectural model
  Processing policy
  Processing rules
  Match action
  Processing actions
  Multistep processing rules
  Multistep scope variables
  Service types
  URL rewriting
  XML Manager
  Default XML Manager configuration
  XML parser limits
  Topic summary
  Checkpoint
  Unit summary

Unit 5. XML firewall service . . . . . . . . . . 5-1
  Unit objectives
  What is an XML firewall service? (1 of 2)
  What is an XML firewall service? (2 of 2)
  Configuring an XML firewall service
  XML firewall service
  Object model
  Step 1: Create an XML firewall
  Step 2: XML firewall configuration (1 of 2)
  Step 2: XML firewall configuration (2 of 2)
  Planning for configuration migration
  Request/response message processing
  Request/response attachment processing
  Advanced XML firewall configuration
  Header injection and suppression parameters
  Associate monitors to XML firewall
  XML threat protection
  Step 3: Implement a service policy
  Create a Match action
  Processing actions
  More processing actions
  Validate action
  Transform action
  Filter action
  Replay attack
  Filter action
  Content based routing
  Route action configuration
  Style sheet programming with dynamic routing
  Results action
  Results asynchronous and multi-way results mode
  Exporting XML firewall configuration
  Cloning an XML firewall configuration
  Troubleshooting an XML firewall configuration
  Checkpoint
  Unit summary

Unit 6. Problem determination tools . . . . . . . . . . 6-1
  Unit objectives
  Problem determination tools
  Common problem determination tools
  Appliance status information
  Troubleshooting panel
  Troubleshooting: Network connectivity
  Troubleshooting: Packet capture
  Troubleshooting: Generate error report
  Troubleshooting: Send a test message
  Troubleshooting: System log
  Filtering system log
  Troubleshooting: Generate Log Event
  Troubleshooting: XML File Capture
  Troubleshooting: Multistep probe
  Troubleshooting: Enabling the multistep probe
  Multistep probe window
  Multistep probe content
  Problem determination with cURL
  Communicating with DataPower support
  Topic summary
  Log targets
  Logging basics
  Available log levels
  Log target configuration
  Nine log target types
  Event filters
  Object filters
  Event subscriptions
  Log action
  Topic summary
  Checkpoint
  Unit summary

Unit 7. Handling errors in a service policy . . . . . . . . . . 7-1
  Unit objectives
  Error handling constructs
  Configure an On Error action
  Creating an error rule
  Configure Transform action in error rule
  Style sheet programming using error variables
  Example custom error style sheet
  Error rule versus On Error action
  Checkpoint
  Unit summary

Unit 8. DataPower cryptographic tools . . . . . . . . . . 8-1
  Unit objectives
  Security problems
  Message confidentiality
  Security problem 1
  Symmetric key encryption
  Asymmetric key encryption
  Message integrity
  Security problem 2
  Nonrepudiation
  Security problem 3
  Digital signature
  Security problems
  Digital certificates
  Distribution problem
  DataPower crypto tools
  Generating crypto (asymmetric) keys on board (1 of 2)
  Generating crypto (asymmetric) keys on board (2 of 2)
  Download keys from temporary storage
  Keys and certificates are objects
  Crypto shared secret (symmetric) key
  Crypto certificate
  Certificates exist in a trust chain
  Crypto identification credential
  Crypto validation credential
  Crypto profile
  Import and export crypto objects
  Uploading keys
  Java keytool command
  Certificates can expire or get revoked
  Certificate revocation list (CRL) retrieval
  Crypto certification monitor
  Hardware security module (HSM)
  Checkpoint
  Unit summary

Unit 9. Securing connections using SSL . . . . . . . . . . 9-1
  Unit objectives
  Solving security problems
  SSL features
  SSL terminology
  SSL handshake
  SSL handshake: client hello
  SSL handshake: server hello
  SSL handshake: verify server certificate
  SSL handshake: client key exchange
  SSL handshake: reply with secret key
  SSL handshake secured
  DataPower support for SSL
  SSL Proxy profile: crypto objects relationship
  Securing connections from client to appliance
  Step 1: Appliance supplies cryptographic certificate
  Step 2: Configuring SSL server crypto profile
  If you do not have an SSL server crypto profile
  Step 3: Verify SSL server proxy profile settings
  Securing the connection from appliance to external application server
  Step 1: Appliance validates presented certificate
  Step 2: Configuring an SSL client crypto profile
  Step 3: Verify SSL client proxy profile settings
  SSL Proxy Profile list
  User agent
  Configuring a user agent
  Create a user agent configuration
  Checkpoint
  Unit summary

Unit 10. XML threat protection . . . . . . . . . . 10-1
  Unit objectives
  What are the security concerns?
  Traditional systems and exposure
  Addressing the security concerns
  Three high-level deployment patterns
  Four types of XML attacks
  XML denial of service (XDoS): Single-message attacks
  XML denial of service (XDoS): Multiple-message attacks
  Unauthorized access attacks
  Data integrity and confidentiality attacks
  System compromise attacks
  XML parser limits
  XML threat protection
  XML threat protection: Single message XDoS
  XML threat protection: Multiple message XDoS
  XML threat protection: Protocol threats
  XML threat protection: XML virus
  XML threat protection: Dictionary attack
  Message tampering
  SQL injection attack
  SQL injection attack protection
  Checkpoint
  Unit summary

Unit 11. Web service proxy service . . . . . . . . . . 11-1
  Unit objectives
  Web service proxy overview
  Web service proxy architecture
  Web service proxy benefits
  Web service proxy features
  Web service proxy basic configuration steps
  Step 1: Obtain WSDL document
  WSDL structure
  Step 2: Creating a Web service proxy
  Web service proxy object editor
  Web service proxy GUI
  Step 3: Add WSDL document to Web service proxy
  Step 4: Configure WSDL endpoint
  Configure local endpoint handler
  View WSDL services
  Retrieve the "client" WSDL from the service
  Modifying the location in the "client" WSDL
  Step 5: Configuring Web service proxy policy (optional)
  Configure Web service proxy policy rule
  Default validation (user policies)
  Create reusable rule
  Advanced Web service proxy configuration
  WS-Policy
  Conformance policy
  Conformance policy object
  Service priority
  Proxy settings (1 of 4)
  Proxy settings (2 of 4)
  Proxy settings (3 of 4)
  Proxy settings (4 of 4)
  Web service proxy SLM
  WSDL cache policy
  Troubleshooting Web service proxy
  Checkpoint
  Unit summary

Unit 12. XML and Web services security overview . . . . . . . . . . 12-1
  Unit objectives
  Review of basic security terminology
  Web services security
  Components of WS-Security
  Specifying security in SOAP messages
  Scenario 1: Ensure confidentiality with XML encryption
  DataPower support for XML encryption
  Encrypt action
  Decrypt action
  Field-level encryption and decryption
  XPath tool
  Sample encrypted SOAP message
  Scenario 2: Ensure integrity with XML signatures
  DataPower support for XML signature
  Sign action
  Verify action
  Verify action: Advanced tab
  Field-level message signature and verification
  Sample signed SOAP message
  Checkpoint
  Unit summary

Unit 13. Authentication, authorization, and auditing (AAA) . . . . . . . . . . 13-1
  Unit objectives
  Authentication, authorization, and auditing
  Authentication and authorization framework
  AAA action and access control policy
  How to define an access control policy (1 of 2)
  How to define an access control policy (2 of 2)
  Access control policy processing
  Scenario 1: Authorize authenticated clients
  Scenario 1: Sample SOAP request message
  Scenario 1: Identify the client
  Scenario 1: Authorize access to resources
  Scenario 2: Security token conversion
  Scenario 2: Sample HTTP request message
  Scenario 2: Identify the client
  Scenario 2: Authorize access to resources
  Scenario 3: Multiple identity extraction methods
  Scenario 3: Identify the client
  Scenario 3: Authorize access to resources
  Internal access control resources
  AAA XML file
  Example AAA XML file
  Lightweight Third Party Authentication
  External access control resource
  Lightweight Directory Access Protocol
  Security Assertion Markup Language
  Types of SAML assertions
  Scenario 4: Authorize valid SAML assertions
  Scenario 4: SAML authentication statement
  Scenario 4: SAML attribute statement
  Scenario 4: Identify the client
  Scenario 4: Authorize access to resources
  Scenario 4: Match SAML attributes
  Access control policy using SAML information
  Checkpoint
  Unit summary

Unit 14. Configuring LDAP using AAA . . . . . . . . . . 14-1
  Unit objectives
  External access control resource
  Lightweight Directory Access Protocol
  Directory services
  Directories
  Common LDAP attributes
  Directory services structure
  LDAP operations
  LDAP Data Interchange Format (LDIF)
  LDAP URL
  Directory services implementations
  Example scenario
  Authenticate the client using LDAP
  Authorize the client using LDAP
  Configure a load balancer group
  Configure the load balancer group health settings
  Checkpoint
  Unit summary

Unit 15. Multi-protocol gateway service . . . . . . . . . . 15-1
  Unit objectives
  What is a multi-protocol gateway?
  Protocol handlers at a glance (1 of 2)
  Protocol handlers at a glance (2 of 2)
  Front-side protocol handlers
  Static back-end gateway
  Dynamic back-end gateway
  Multi-protocol gateway and XML firewall compared
  Multi-protocol gateway editor
  Scenario 1: Provide HTTP and HTTPS access
  Step 1: Configure the back-end transport
  Step 2: Create a document processing rule
  Step 3: Create the front side handlers
  Step 4: Configure the front side handler
  Step 5: Configure the SSL Proxy profile
  Scenario 2: Dynamic back-end service
  Step 1: Configure the back-end transport
  Sample service targeting style sheet
  Scenario 3: Provide WebSphere MQ access
  Scenario 4: Provide WebSphere JMS access
  Scenario 5: Provide IMS Connect access
  Comparing services
  Checkpoint
  Unit summary

Unit 16. Monitoring objects . . . . . . . . . . 16-1
  Unit objectives
  Message monitors
  Monitor objects
  Defining monitor objects
  Step 1: Specifying particular traffic to monitor
  Step 1: Matching on HTTP headers
  Step 2: Message type configuration
  Step 3: Message Filter Action configuration
  Step 4C: Message count monitor configuration
  Step 4C: Thresholds/Filters for count monitor
  Step 4D: Message duration monitor configuration
  Step 4D: The transaction life cycle
  Step 4D: Thresholds/Filters for duration monitor
  Step 5: Service-monitor association example
  Other types of monitors
  Which monitor types are supported by a service?
  Checkpoint
  Unit summary

Unit 17. Service level monitoring . . . . . . . . . . 17-1
  Unit objectives
  What is service level monitoring (SLM)?
  SLM in DataPower
  Basic principles
  Two ways to configure SLM
  Service level monitor types in the Web service proxy
  Service level monitor
  Graphs
  The WS-Proxy's SLM tab
  SLM Rule action
  SLM action granularity
  Configuring the SLM policy
  Constructing an SLM policy
  The SLM credential class
  The SLM resource class
  SLM resource class example
  The SLM action
  The SLM Schedule
  SLM statement (1 of 2)
  SLM statement (2 of 2)
  SLM policy
  Checkpoint questions
  Unit summary

Unit 18. Integration with WebSphere MQ . . . . . . . . . . 18-1
  Unit objectives
  WebSphere MQ fundamentals
  WebSphere MQ message
  Transactions
  DataPower support for WebSphere MQ
  Provide WebSphere MQ Access
  Step 1: Create an MQ queue manager (1 of 2)
  Step 1: Create an MQ queue manager (2 of 2)
  Step 1: Use SSL in mutual authentication mode
  Step 2: Add an MQ front side handler
  Step 3: Configure an MQ back-end transport
  Ordered processing of MQ messages
  Controlling backout of MQ messages
  Decision tree for the backout settings
  MQ Header action in service policy
  Typical uses of an MQ Header action
  Transactions and WebSphere MQ
  MQ front-side transactions
  MQ back-side transactions
  WebSphere MQ DataPower URL
  MQ queue manager Group object
  Checkpoint
  Unit summary

Unit 19. DataPower and Java Message Service (JMS) . . . . . . . . . . 19-1
  Unit objectives
  Messaging middleware
  Java Message Service (JMS)
  Why use JMS instead of HTTP?
  JMS models
  WebSphere Service integration bus (SIBus)
  JMS Queue resources on SIBus
  JMS topic resources on SIBus
  WebSphere JMS support
  WebSphere JMS interaction
  WebSphere JMS: Main
  Messaging bus
  WebSphere JMS: Main
  WebSphere JMS: Optional settings
  WebSphere JMS - WebSphere JMS Endpoint
  Communicating to WebSphere JMS
  WebSphere JMS Front Side Handler
  WebSphere JMS Backend URL
  TIBCO EMS JMS support
  TIBCO EMS interaction
  EMS host
  TIBCO EMS: Main
  TIBCO EMS: Main
  Optional settings
  TIBCO EMS: Load balancing and fail-over
  Communicating to TIBCO EMS
  TIBCO EMS Front Side Handler
  TIBCO EMS Backend URL
  Ordered processing of JMS messages
  Checkpoint
  Unit summary

Unit 20. DataPower architectural scenarios . . . . . . . . . . 20-1
  Unit objectives
  Agenda
  Agenda
  Enterprise Service Bus (ESB)
  DataPower XI50 usage as an Enterprise Service Bus
  Example 1: DataPower XI50 as an ESB
  Example 2: DataPower XI50 as an ESB gateway
  DataPower XI50 functionality within an ESB
  Agenda
  DataPower deployment scenarios for security
  Example 1: Secure XML Web services
  Example 1: Secure Web services in DMZ
  Example 2: Federated identity within an organization
  Example 2: Intranet identity federation diagram
  Example 3: Federated identity among partners
  Example 3: Extranet identity federation deployment diagram
  Example 4: DataPower as a Web application firewall
  Example 4: DataPower as a Web application firewall diagram
  Agenda
  Example 1: Web service virtualization
  Example 1: Web service virtualization diagram
  Example 2: Service level monitoring
  Example 2: Service level monitoring deployment diagram
  Example 3: SOA governance
  Example 3: SOA governance diagram
  Checkpoint
  Unit summary

Unit 21. Course summary . . . . . . . . . . 21-1
  Unit objectives
  Course learning objectives
  Course review (1 of 3)
  Course review (2 of 3)
  Course review (3 of 3)
  DataPower services feature hierarchy
  Class evaluation
  Lab exercise solutions
  To learn more on this subject
  References
  Unit summary

Appendix A. Web application firewall service . . . . . . . . . . A-1

Appendix B. Checkpoint solutions . . . . . . . . . . B-1

Glossary of abbreviations and acronyms . . . . . . . . . . X-1

Copyright IBM Corp. 2009
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Trademarks

The reader should recognize that the following terms, which appear in the content of this training document, are official trademarks of IBM or other companies:

IBM® is a registered trademark of International Business Machines Corporation.

The following are trademarks of International Business Machines Corporation in the United States, or other countries, or both:

Approach®
DataPower®
DataPower device®
DB2®
developerWorks®
Domino®
IMS™
Lotus®
MQSeries®
Notes®
Rational®
RDN™
Tivoli®
WebSphere®
z/OS®
zSeries®

VMware® and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.

Edge of Network® and ThinkPad® are trademarks or registered trademarks of Lenovo in the United States, other countries, or both.

Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX® is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.
Course description
Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances

Duration: 5 days

Purpose
In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances.

The IBM WebSphere DataPower SOA Appliances allow an enterprise to simplify, accelerate, and enhance the security capabilities of its Extensible Markup Language (XML) and Web services deployments, and extend the capabilities of its service-oriented architecture (SOA) infrastructure.

Through a combination of instructor-led lectures and hands-on lab exercises, students learn how to implement the key use cases for the DataPower appliances, including XML acceleration and threat protection, authentication, authorization, and auditing (AAA), Web service virtualization, Web services security, and integrating with IBM WebSphere MQ and Java Message Service (JMS).

Students also learn how to use various problem determination tools such as logs, monitors, and probes, as well as techniques for testing DataPower services and handling errors.

The hands-on exercises give students experience working directly with an IBM WebSphere DataPower SOA Appliance by focusing on skills such as creating XML firewalls, working with encryption and cryptographic objects, configuring service level monitoring, troubleshooting services, and handling errors.

Audience
This course is designed for integration developers who configure
service policies on IBM WebSphere DataPower SOA Appliances.

Prerequisites
Before taking this course, students should be familiar with:
• Security-based concepts and protocols
• XML-related technologies, such as XML schema, XPath, and XSLT
• Web service fundamentals and the Web Services Security specification

Objectives
After completing this course, students should be able to:
• Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances
• Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)
• Configure an XML firewall to protect against a new class of XML-based threats
• Create a Web services proxy to virtualize Web service applications
• Implement Web services security
• Create and configure cryptographic objects
• Configure Secure Sockets Layer (SSL) to and from WebSphere DataPower SOA Appliances
• Configure a multi-protocol gateway (MPG) to handle multiple protocols for a single service
• Configure a service level monitoring (SLM) policy to handle service processing violations
• Enforce service level policies to manage traffic to and from WebSphere DataPower SOA Appliances
• Configure support for IBM WebSphere MQ and Java Message Service (JMS)
• Troubleshoot services using logs and probes
• Handle errors in service policies
Contents
• Course introduction
• Introduction to DataPower SOA Appliances
• DataPower administration overview
• Introduction to XSL transformations
• DataPower services overview
• XML firewall service
• Problem determination tools
• Handling errors in a service policy
• DataPower cryptographic tools
• Securing connections using SSL
• XML threat protection
• Web service proxy service
• XML and Web services security overview
• Authentication, authorization, and auditing (AAA)
• Configuring LDAP using AAA
• Multi-protocol gateway service
• Monitoring objects
• Service level monitoring
• Integration with WebSphere MQ
• DataPower and Java Message Service (JMS)
• DataPower architectural scenarios
• Course summary

Agenda
Day 1

Course introduction
Unit 1. lntroduction to DataPower SOA Appliances
Unit 2. DataPower administration overview
Exercise 1. Exercises setup
Unit 3. lntroduction to XSL transformations
Exercise 2. Creating XML transformations
Unit 4. DataPower services overview
Exercise 3. Creating a simple XML firewall

Day 2
Unit 5. XML firewall service
Unit 6. Problem determination tools
Exercise 4. Creating an advanced XML firewall
Unit 7. Handling errors in a service policy
Exercise 5. Adding error handling to a service policy
Unit 8. DataPower cryptographic tools
Exercise 6. Creating cryptographic objects
Unit 9. Securing connections using SSL
Day 3
Exercise 7. Securing connections using SSL
Unit 10. XML threat protection
Exercise 8. Protecting against XML threats
Unit 11 . Web service proxy service
Exercise 9. Configuring a Web service proxy
Unit 12. XML and Web services security overview
Exercise 10. Web service encryption and digital signatures

Day 4
Unit 13. Authentication, authorization, and auditing (AAA)
Exercise 11. Web service authentication and authorization
Unit 14. Configuring LDAP using AAA
Exercise 12. Creating a AAA policy using LDAP
Unit 15. Multi-protocol gateway service
Exercise 13. Configuring a multi-protocol gateway service
Unit 16. Monitoring objects
Unit 17. Service level monitoring

Day 5
Unit 18. lntegration with WebSphere MQ
Exercise 14. Configuring a multi-protocol gateway service with
WebSphere MQ
Unit 19. DataPower and Java Message Service (JMS)
Unit 20. DataPower architectural scenarios
Unit 21. Course summary

Appendixes
Appendix A. Web application firewall service
Exercise A. Creating a firewall and HTTP proxy for a Web application
Exercise B. Configuring WebSphere JMS


Unit 1. Introduction to DataPower SOA Appliances

What this unit is about

This unit introduces the concept of SOA appliances: XML-aware network devices that accelerate, secure, and integrate XML-based applications and Web services.

What you should be able to do

After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

How you will check your progress

Checkpoint

References

• WebSphere DataPower SOA Appliances: http://www.ibm.com/software/integration/datapower/

Unit objectives
After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

Figure 1-1. Unit objectives
XML-aware networking
After completing this topic, you should be able to:
• Explain the role of XML in a service-oriented architecture (SOA)
• Identify the uses of XML within an SOA
• Explain the disadvantages and threats with deploying XML-based applications in the enterprise
• Describe the features in an XML-aware network layer that mitigate the risks of deploying XML-based applications

Figure 1-2. XML-aware networking

Role of XML in SOA
• Extensible Markup Language (XML) provides a text-based, human-readable scheme for describing information in a structured format
• Its simplicity and self-describing nature makes XML popular as an interoperable data format
• XML is becoming the way to:
  - Exchange data between disparate systems within and outside of an enterprise system
  - Enable application functions as interoperable services
• XML is also the foundation for a number of SOA specifications.

Figure 1-3. Role of XML in SOA

Notes:

Extensible Markup Language (XML) is a way of encapsulating and describing data in a text-based, human-readable manner.

Being text-based, practically any computer system in existence can process the data format. Compare this scheme with proprietary binary formats. Being human-readable enables future developers to decipher the data format, years after the original developers have retired.

In short, XML provides a self-describing container for data that is widely compatible today and tomorrow.

For these reasons, XML is a natural choice within an SOA implementation, and for a number of specifications that define SOA.

Uses of XML in SOA

[Figure: a security server (IBM Tivoli Access Manager) issuing security assertions; WSDL; an order management Web application on IBM WebSphere Application Server; a customer billing application on IBM WebSphere Process Server; a customer database on IBM DB2 Universal Database]

Figure 1-4. Uses of XML in SOA

Notes:

1. Web Services Description Language (WSDL) provides an interoperable, platform-independent format for describing the interface and binding details of a network service. Since WSDL documents are also XML documents, they can be consumed by virtually any computer system regardless of operating system, programming language, or hardware differences.

2. One of the more popular messaging formats for encapsulating an operation call is SOAP. The SOAP specification defines an XML-based envelope format for holding the message payload and processing instructions through the body and header elements, respectively. As XML messages, a wide range of systems can invoke and provide service functionality by consuming and producing SOAP messages, regardless of the implementation differences between the client and the server.

3. Additional information about messages can also be encapsulated in an XML format. For example, the Web services security specifications provide a standard for encoding security metadata in a SOAP message header. A wide range of security packages support these security tokens, allowing the exchange of security information.

4. Security servers might choose to attach authentication, authorization, or additional security characteristics on an incoming message as it passes through servers in the enterprise. Security assertions reduce the number of security checks from internal applications and abstract security decisions from application developers.

5. Applications can retrieve and store information to data stores using an XML stream or XML messages. The use of XML abstracts the actual implementation of the data store itself. It provides information as a service.

Some SOA specifications based on XML

Specification            Description
XML schema
SOAP                     Provides a standard structure for Web services request and response messages, in XML format.
WSDL                     Provides a language for defining the interface and binding details of a Web service. WSDL documents are XML documents.
XSLT                     The language for transforming XML documents to another format. Transform templates are described using XML.
XPath                    A platform-independent syntax for addressing parts of an XML document tree.
XML digital signatures   Provides a standard for storing digital signatures of XML documents, in XML format.
XML encryption           Provides a standard for storing encrypted parts of an XML document, in XML format.
SAML                     Provides a standard for stating security assertions. Assertions can be written in an XML format.

Figure 1-5. Some SOA specifications based on XML

Notes:
WSDL: Web Services Description Language
XSLT: XSL (XML Stylesheet Language) Transformations
XPath: XML Path Language
SAML: Security Assertion Markup Language

Disadvantages and threats with XML
• As a text-based, human-readable protocol, XML tends to be more verbose
  - Parsing, processing, and transforming XML data incur significant overhead for application servers
• XML introduces new threats and security exposures
  - Most companies disable XML validation due to performance costs
  - Traditional network security devices do not protect against a new class of XML-based attacks, such as:
    • Entity expansion and recursion
    • Malicious includes
    • XML encapsulation
• Dealing with XML-based applications becomes a compromise between performance and security

Figure 1-6. Disadvantages and threats with XML

Notes:

Entity expansion and recursion attacks use entity declarations in an XML document header that reference themselves. When an XML parser resolves the recursive reference, the size of the entity expands exponentially, consuming all available memory and processing power on a server.

Malicious includes add a URL reference into an XML document. The reference itself guesses at the name and location of privileged information, such as a UNIX password file.

XML encapsulation exploits the CDATA reference, which attaches arbitrary non-XML data into an XML document. Within the CDATA reference, malicious users can embed arbitrary code or system commands. A poorly designed service might inadvertently execute the code or the command.

More information on XML threats will be discussed in a later lecture.
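The three XML threat classes described in these notes, as an added example that is not part of the course materials or of DataPower's own implementation: a stdlib-only Python check that screens a document's DTD and CDATA sections and reports the threat class before the document body is parsed. The sample documents, detection patterns, and labels are constructed for this illustration.

```python
"""Added example (not DataPower code): screen an XML document for the three
threat classes described above by inspecting its DTD and CDATA sections
before the body is processed. Samples, patterns and labels are constructed."""
import re
import xml.parsers.expat as expat

# An entity reference such as &a; appearing inside another entity's value.
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
# Rough indicator that a CDATA section carries markup or a command, not data.
SUSPICIOUS_CDATA = re.compile(r"<script\b|/bin/sh\b|\bexec\b", re.IGNORECASE)


class DtdRejected(Exception):
    """Raised inside the DTD handlers so parsing stops before the body."""


def screen_xml(document: str) -> list:
    """Return the threat labels found in `document` (empty list if clean).
    If the DTD declares anything dangerous, parsing is aborted at the end of
    the DOCTYPE, so entity references in the body are never expanded. expat
    does not fetch external entities unless a handler is installed, so the
    SYSTEM identifiers are only reported, never opened."""
    findings = []
    cdata_buf = []
    in_cdata = False

    def flag(label):
        if label not in findings:
            findings.append(label)

    def on_start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            flag("malicious include: external DTD %s" % system_id)

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            # External entity: its content would be read from a URL or file.
            flag("malicious include: entity %r -> %s" % (name, system_id))
            return
        for ref in ENTITY_REF.findall(value or ""):
            if ref == name:
                flag("entity recursion: %r references itself" % name)
            else:
                # Nested entity definitions multiply in size when expanded.
                flag("entity expansion: %r references %r" % (name, ref))

    def on_end_doctype():
        if findings:
            raise DtdRejected()

    def on_start_cdata():
        nonlocal in_cdata
        in_cdata = True

    def on_end_cdata():
        nonlocal in_cdata
        in_cdata = False
        text = "".join(cdata_buf)
        cdata_buf.clear()
        if SUSPICIOUS_CDATA.search(text):
            flag("xml encapsulation: executable content in CDATA")

    def on_chars(data):
        if in_cdata:
            cdata_buf.append(data)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_start_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    parser.StartCdataSectionHandler = on_start_cdata
    parser.EndCdataSectionHandler = on_end_cdata
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(document, True)
    except DtdRejected:
        pass  # findings already recorded; the body is deliberately skipped
    return findings


# Constructed sample documents (not captured traffic).
CLEAN_DOC = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
EXPANSION_DOC = (
    '<!DOCTYPE order [\n'
    '  <!ENTITY a "aaaaaaaaaa">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;">\n'  # each level is five times the last
    '  <!ENTITY c "&b;&b;&b;&b;&b;">\n'
    ']>\n<order>&c;</order>'
)
RECURSION_DOC = '<!DOCTYPE order [ <!ENTITY r "&r;"> ]><order>&r;</order>'
INCLUDE_DOC = (
    '<!DOCTYPE order [ <!ENTITY leak SYSTEM "file:///PLACEHOLDER/privileged-file"> ]>'
    '<order>&leak;</order>'
)
CDATA_DOC = '<order><note><![CDATA[ <script>document.cookie</script> ]]></note></order>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("expansion", EXPANSION_DOC),
                       ("recursion", RECURSION_DOC), ("include", INCLUDE_DOC),
                       ("cdata", CDATA_DOC)]:
        print(label, "->", screen_xml(doc) or "no findings")
```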

Web services as a security risk
• One of the advantages of Web services is its ability to easily expose back-end systems to business partners and customers
• Web services often leverage HTTP, a widely supported and unblocked protocol in most company networks
• Traditional Web servers and proxy servers do not inspect XML and SOAP traffic for attacks

[Figure: XML traffic over HTTP from an external client passes through the Internet and the demilitarized zone (DMZ) into the intranet]

Figure 1-7. Web services as a security risk

Notes:
Many corporations allow inbound communications through port 80 in order to serve static Web pages or results from dynamic Web sites (Web applications). Calls to Web applications are considered lower in risk because they do not represent arbitrary calls to applications on the system itself. That is, an attacker might succeed in disrupting service on an application server, but the server system itself is not compromised.

Web services provide application functionality from a wide range of clients through the exchange of XML messages. Improper designs can expose sensitive applications that are otherwise not meant to be accessed by external users.

The holes in both IP firewalls represent unfiltered traffic that passes freely through an HTTP transport. Gateway servers within the demilitarized zone (DMZ) also do not inspect

Solution: Integrate an XML-aware network layer
• Address performance and security concerns with XML-aware network devices that accelerate and secure XML processing
  - These network devices complement your existing network infrastructure
  - XML-aware network devices also offload processor-intensive XML processing and security tasks from your application infrastructure
• SOA appliances provide a quick way to deploy an XML-aware network layer

Figure 1-8. Solution: Integrate an XML-aware network layer

Notes:
The core issue is that traditional network architectures were not designed to handle XML-based traffic. Software-based solutions perform adequately with XML data, but they are not as fast as a dedicated hardware solution. Most hardware network devices simply do not understand XML data. SOA appliances provide a solution to both issues: a high-performance, hardware-based XML processing device.

SOA appliances in detail
• SOA appliances are purpose-built, easy-to-deploy network devices that accelerate and secure your XML and Web services deployments
• Compared to software solutions, SOA appliances are:
  - Simpler to manage
  - Easier to scale
  - Easier to secure
  - Quicker to deploy
  - More robust against attacks
  - More cost-effective: they provide lower total cost of ownership (TCO)
• IBM WebSphere DataPower SOA appliances are one of the leaders in the SOA appliance space

Figure 1-9. SOA appliances in detail

DataPower SOA appliances: Built for security
• Consist of sealed network-resident devices in a tamper-proof case
• Have no drives, no USB ports, and no spinning media
• Single signed or encrypted firmware image prevents attackers from installing arbitrary software
• By default, appliances ship with a locked-down configuration
• Offer secure hardware storage of encryption keys and locked audit log
• Security vulnerabilities were minimized by using few third-party components

Figure 1-10. DataPower SOA appliances: Built for security

Notes:

There is no floppy drive or USB port, which eliminates the possibility of loading a device with malicious software.

There is less of a chance that security holes will be exploited since no third-party software or complex operating systems are installed.

DataPower SOA appliances: Purpose-built solution

[Figure: the IBM WebSphere DataPower XML Security Server appliance, purpose-built hardware and firmware running proprietary software, compared with a general-purpose hardware and software stack: XML library, Web server, C library, application server, development platform, database, and server daemon on an operating system, with floppy, CD-ROM drive, USB port, and hard disk]

Figure 1-11. DataPower SOA appliances: Purpose-built solution

DataPower SOA appliances provide both performance and security
• As a hardware solution, DataPower processes XML data near wirespeed
• DataPower appliances protect networks against traditional and new XML-based attacks
• With DataPower, there is no compromise: you get both performance and security in one package

[Figure: XML traffic over HTTP from an external client passes through the Internet and the demilitarized zone (DMZ) into the intranet]

Figure 1-12. DataPower SOA appliances provide both performance and security

Topic summary
Having completed this topic, you should be able to:
• Explain the role of XML in promoting interoperability in an SOA
• Identify the uses of XML within an SOA:
  - Provides a platform-neutral interface format
  - Defines a platform-neutral messaging format
  - Encapsulates security metadata, such as tokens and assertions
  - Enables information as a service, as opposed to implementation-specific database protocols
• List the disadvantages and risks associated with XML adoption
  - Lower performance compared to a compressed, binary format
  - New class of attacks not anticipated with traditional devices
• Explain how SOA appliances accelerate and secure XML-based applications

Figure 1-13. Topic summary

DataPower SOA appliance use cases
After completing this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere DataPower SOA appliances

Figure 1-14. DataPower SOA appliance use cases

Use cases for SOA appliances
1. Securing Web services: Provide secure access of back-end systems to business partners and customers
2. Legacy integration and hub mediation: Enable mainframe or legacy applications as Web services
3. Web services management
4. Portal acceleration

Figure 1-15. Use cases for SOA appliances
Use case 1: Securing Web services
• Traditional network security devices do not secure XML or SOAP-based traffic
  - By design, IP firewalls do not distinguish between Web browser traffic and application calls over HTTP
  - Externally facing Web services are not protected against XML-based attacks
• Augment your existing network security infrastructure with XML-aware network devices acting as an XML firewall
  - First level: Deploy an XML Security Gateway to efficiently screen potential XML-based attacks at wirespeed
  - Second level: Leverage the security of existing application servers for additional processing

Figure 1-16. Use case 1: Securing Web services

Layers of security for XML-based applications

[Figure: an external client, the demilitarized zone (DMZ), and the intranet, with the numbered security layers described in the notes]

Figure 1-17. Layers of security for XML-based applications

Notes:

1. Standard IP firewalls protect the edge of your corporate network.

2. A cluster of IBM WebSphere DataPower SOA appliances complements your existing network security infrastructure. These devices become a centralized gateway for all XML-based applications, including Web services. The DataPower appliances screen incoming and outgoing traffic for XML-based attacks, SOAP message validity, and compliance to WSDL messages. IBM WebSphere DataPower SOA appliances can act as a security policy enforcement point (PEP), authenticating and authorizing incoming application requests.

3. DataPower services can forward information about the principal, in the form of security tokens or assertions. Application servers consume these security artifacts and enforce role-based security in their applications.

Use case 2: Legacy integration and hub mediation
• DataPower SOA Integration Appliance XI50 features any-to-any transformation
  - The DataGlue engine within the DataPower SOA appliance uses XSL transforms to manipulate non-XML data
  - Quickly provide a Web service endpoint to COBOL applications without the use of complex connectors
• As a gateway to legacy systems, the Integration Appliance XI50 provides:
  - Protocol bridging
  - Data transformation
• DataPower SOA appliances can efficiently transform, route, and log messages among XML applications and Web services

Figure 1-18. Use case 2: Legacy integration and hub mediation

Enable Web services for legacy applications

[Figure: the DataPower SOA appliance exchanges WebSphere MQ messages with a legacy application through a "Put" request queue and a "Get" reply queue]

Figure 1-19. Enable Web services for legacy applications

Notes:
With the Integration Appliance XI50, you do not need to modify your existing legacy applications. The DataPower SOA appliance acts as an IBM WebSphere MQ client to your existing GET and PUT queues on Message Broker. With a multi-protocol gateway DataPower service, Web service clients can now access your legacy applications.


Content-based routing

[Figure: an external client sends purchase orders to the DataPower SOA appliance, which routes them to the purchase order service versions (Service V1 and the earlier version) on separate application servers]

Figure 1-20. Content-based routing

Notes:

1. A DataPower SOA appliance service endpoint receives an XML message representing a purchase order.

2. The document processing policy in the service routes the message to the latest version of the order fulfillment application, on the first application server.

3. This application server receives the bulk of the purchase orders.

4. A second message arrives at the same service endpoint. The message is sent from a client which uses the older version of the order fulfillment application. The routing action redirects the order to the previous version of the order fulfillment application, on the second application server.

)
)

.)
.,)

)
.',}

)
1-22 Accelerate, Secure and lntegrate with

DataPower

J
J
I

Copyright IBM Corp. 2009

Course materials may not be reproduced in whole or in part


wthout the pror written permission of lBM.

E color azu de la mpres r garatliza la autentlcidad de este doculnento


O Copyright

o
o
o

IBM Training

Student Notebook
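The routing decision in steps 2 and 4, as an added example that is not part of the course material: the back end is chosen from the XML namespace of the purchase order, and anything that is not a recognizable purchase order is rejected instead of being forwarded to a default. The namespace URIs, the application server host names and the purchaseOrder element name are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed (not from the course material): each version of the order fulfillment
# application expects purchase orders in its own XML namespace, and each version
# runs on its own application server.
ROUTES = {
    "urn:example:purchaseorder:v2": "http://appserver1.example.internal:9080/orders",  # latest version
    "urn:example:purchaseorder:v1": "http://appserver2.example.internal:9080/orders",  # previous version
}
EXPECTED_ROOT = "purchaseOrder"


def split_qname(tag: str):
    """ElementTree renders a namespaced tag as '{uri}local'; return (uri, local)."""
    if tag.startswith("{") and "}" in tag:
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def route_purchase_order(xml_bytes: bytes) -> str:
    """Return the back-end URL for a purchase order, chosen by its namespace.

    A document that is not a well-formed, namespaced purchaseOrder raises
    ValueError rather than going to a fallback back end: a routing policy that
    silently falls through is a common source of misrouted data.
    xml.etree does not limit entity expansion, so the appliance's XML threat
    protection (or defusedxml on a general-purpose host) belongs in front of it.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed purchase order: {exc}") from None
    uri, local = split_qname(root.tag)
    if local != EXPECTED_ROOT:
        raise ValueError(f"unexpected root element {local!r}")
    if uri not in ROUTES:
        raise ValueError(f"no route for purchase order namespace {uri!r}")
    return ROUTES[uri]


# Constructed sample messages: an order for the current version of the
# application and an order from a client that still uses the previous version.
ORDER_V2 = b"""<?xml version="1.0"?>
<po:purchaseOrder xmlns:po="urn:example:purchaseorder:v2" orderId="10042">
  <po:item sku="A-100" quantity="2"/>
</po:purchaseOrder>"""

ORDER_V1 = b"""<?xml version="1.0"?>
<purchaseOrder xmlns="urn:example:purchaseorder:v1">
  <item sku="A-100" qty="2"/>
</purchaseOrder>"""

if __name__ == "__main__":
    for name, msg in (("ORDER_V2", ORDER_V2), ("ORDER_V1", ORDER_V1)):
        print(name, "->", route_purchase_order(msg))
```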

Use case 3: Web service management

• In addition to monitoring against XML-based threats, XML-aware networks need to enforce service level agreements (SLA)
- Record the amount and duration of Web services requests
- Notify system administrators if service levels are not met
- Automatically reduce traffic frequency in order to avoid overloading back-end systems
- Limit or block traffic from a particular host

• DataPower SOA appliances can enforce an SLA in addition to a security policy
- Service levels and monitoring can be applied at the endpoint, service, or operation level

Figure 1-21. Use case 3: Web service management

Notes:
Enforce service level agreements with DataPower SOA appliances

Policy 1: Block clients that make more than 500 requests per minute. Clients are identified by their IP address.

Policy 2: Throttle (reduce rate of) traffic from clients that make more than 100 requests per minute.

Figure 1-22. Enforce service level agreements with DataPower SOA appliances

Notes:
1. In the first case, one particular client sends more than 500 requests within a minute. According to the service level management policy, requests from the client are blocked for a fixed time period.
2. In the second case, another client makes more than 100 requests within a minute. Instead of blocking all subsequent requests, the policy reduces the rate of requests to a fixed frequency threshold for a certain time period.
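The two policies above, as an added example that is not from the course: a per-client sliding window over the last minute, keyed by IP address, with the 500 and 100 requests-per-minute thresholds from the slide. The block period, the throttle period and the fixed frequency allowed while throttled are assumptions, since the slide does not state them.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60.0
BLOCK_THRESHOLD = 500      # policy 1: more than 500 requests per minute -> block
THROTTLE_THRESHOLD = 100   # policy 2: more than 100 requests per minute -> throttle
# Assumed values (the slide does not state them):
BLOCK_PERIOD = 300.0       # seconds a blocked client stays blocked
THROTTLE_PERIOD = 120.0    # seconds a throttled client stays throttled
THROTTLED_RATE = 60        # fixed frequency allowed while throttled (requests per minute)

MIN_INTERVAL = WINDOW_SECONDS / THROTTLED_RATE  # 1.0 s between forwarded requests


@dataclass
class ClientState:
    timestamps: deque = field(default_factory=deque)  # arrival times inside the window
    blocked_until: float = 0.0
    throttled_until: float = 0.0
    last_forwarded: float = float("-inf")


class SlaMonitor:
    """Per-client (by IP address) service level monitor; one decision per request."""

    def __init__(self):
        self.clients = {}

    def decide(self, client_ip: str, now: float) -> str:
        """Return 'forward', 'throttle' (hold this request back) or 'block'.

        `now` is a monotonic timestamp in seconds supplied by the caller, which
        keeps the behaviour deterministic and testable.
        """
        st = self.clients.setdefault(client_ip, ClientState())

        # Policy 1 in force: reject without further bookkeeping.
        if now < st.blocked_until:
            return "block"

        # Sliding window: count every arrival in the last minute, including
        # throttled ones, because they still consumed capacity on the device.
        st.timestamps.append(now)
        while st.timestamps and st.timestamps[0] <= now - WINDOW_SECONDS:
            st.timestamps.popleft()
        count = len(st.timestamps)

        if count > BLOCK_THRESHOLD:
            st.blocked_until = now + BLOCK_PERIOD
            st.timestamps.clear()
            return "block"

        if count > THROTTLE_THRESHOLD and now >= st.throttled_until:
            st.throttled_until = now + THROTTLE_PERIOD

        # Policy 2 in force: let through at most one request per MIN_INTERVAL.
        if now < st.throttled_until and now - st.last_forwarded < MIN_INTERVAL:
            return "throttle"

        st.last_forwarded = now
        return "forward"


def simulate(monitor: SlaMonitor, client_ip: str, times):
    """Feed a constructed arrival sequence through the monitor; return the decisions."""
    return [monitor.decide(client_ip, t) for t in times]


if __name__ == "__main__":
    m = SlaMonitor()
    # Constructed traffic: one client sends 501 requests in 50 seconds.
    decisions = simulate(m, "192.0.2.10", [i * 0.1 for i in range(501)])
    for verdict in ("forward", "throttle", "block"):
        print(verdict, decisions.count(verdict))
```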

Use case 4: Accelerate dynamic Web sites

• Dynamic Web sites use XML to pass information flexibly between application layers
- Sites use XML to encapsulate data between different application layers
- In the final step, the presentation layer transforms XML data into an HTML Web page

• However, XSL transformation creates performance problems on the portal server

• Offloading processor-intensive XML transformations to the DataPower SOA appliance significantly frees up resources on the application server
- Include XML-PI (processing instructions) in a raw XML response from the portal server
- The XML parser within the DataPower SOA appliance automatically applies the XSL transformation without additional configuration

Figure 1-23. Use case 4: Accelerate dynamic Web sites

Notes:
Within an SOA, XML is widely becoming the choice for encapsulating data between different systems. As a text-based protocol, XML suffers from performance issues compared to fine-tuned binary data formats. On the other hand, portal systems need to support a wide variety of clients, including Web browsers and mobile phones. Such systems use XSL transforms to convert the raw XML output into an HTML Web page, WML mobile phone Web page, or CHTML mobile phone page.

IBM WebSphere DataPower SOA appliances provide an easy drop-in solution for offloading XML processing from portal servers. First, disable XSL transformation on the portal server. On most software packages, this task can be accomplished without affecting individual portlets or Web applications. Configure the portal server to specify a transformation style sheet in the processing instructions section of an XML document, XML-PI. As the PI header is part of the XML specification, any standards-based parser can apply the style sheet to the XML data. A DataPower XSL accelerator service would automatically transform the document as it parses the XML data.
Accelerate dynamic Web sites

[Diagram: External client; DataPower SOA appliance; Application server or portal server; Raw XML response; HTML Web page]

Figure 1-24. Accelerate dynamic Web sites

Notes:
1. The final presentation layer rendering is offloaded from the portal server to the DataPower SOA appliance.
2. As specified in the XML-PI (processing instruction) header, the XML parser within the DataPower SOA appliance automatically retrieves an XSL transform from a local directory or from a remote file server. The service applies the transform to the raw XML response. No additional configuration is necessary for the DataPower SOA appliance service.
3. The DataPower SOA appliance returns a properly formatted HTML Web page to the original client.
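The parser side of step 2, as an added example that is not part of the course material: it locates the xml-stylesheet processing instruction in the prolog of a raw XML response and checks where the transform would be fetched from before anything is applied, since the portal server controls that href. The local:/// file-store URL form, the trusted file server name and the allowed policy are assumptions.

```python
import re
from urllib.parse import urlsplit
import xml.dom.minidom as minidom

# Assumed policy (not from the course): a transform named by the response may
# come only from the appliance's local: file store or from one trusted server.
LOCAL_SCHEME = "local"
TRUSTED_HOSTS = {"stylesheets.example.internal"}
XSLT_TYPES = {"text/xsl", "application/xslt+xml"}

# xml-stylesheet pseudo-attributes: name="value" or name='value'
PSEUDO_ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_pseudo_attributes(data: str) -> dict:
    """Pseudo-attributes of a PI are not real XML attributes; parse them by hand."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PSEUDO_ATTR.finditer(data)}


def find_stylesheet(xml_text: str):
    """Return the href of the first XSLT xml-stylesheet PI in the prolog, else None."""
    doc = minidom.parseString(xml_text)
    for node in doc.childNodes:
        if node.nodeType == node.ELEMENT_NODE:
            break  # a PI after the root element is not part of the prolog
        if node.nodeType == node.PROCESSING_INSTRUCTION_NODE and node.target == "xml-stylesheet":
            attrs = parse_pseudo_attributes(node.data)
            if attrs.get("type") in XSLT_TYPES and attrs.get("href"):
                return attrs["href"]
    return None


def check_stylesheet_source(href: str) -> str:
    """Allow the transform only from permitted locations; raise ValueError otherwise.

    A compromised or misconfigured back end could otherwise point the accelerator
    at an arbitrary style sheet, which then runs with the service's privileges.
    """
    parts = urlsplit(href)
    if parts.scheme == LOCAL_SCHEME:
        segments = parts.path.split("/")
        if ".." in segments or not parts.path.endswith(".xsl"):
            raise ValueError(f"rejected local style sheet path {parts.path!r}")
        return href
    if parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS:
        return href
    raise ValueError(f"style sheet source not permitted: {href!r}")


# Constructed raw XML response from a portal server, carrying the PI.
RAW_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="local:///xsl/portal-html.xsl"?>
<page><title>Account summary</title><balance currency="EUR">120.50</balance></page>
"""

if __name__ == "__main__":
    href = find_stylesheet(RAW_RESPONSE)
    print("transform named by the response:", href)
    print("permitted source:", check_stylesheet_source(href))
```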

Topic summary
Having completed this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere DataPower SOA appliances:
- Secure Web service and XML applications
- Integrate legacy systems
- Provide centralized Web service management
- Accelerate content rendering of dynamic Web sites

Figure 1-25. Topic summary

Notes:
Introduction to DataPower SOA appliances
After completing this topic, you should be able to:
• Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
• Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances

Figure 1-26. Introduction to DataPower SOA appliances

Notes:

IBM WebSphere DataPower product line

• IBM WebSphere DataPower XML Accelerator XA35
- Offloads processor-intensive XML processing and transformation tasks from application servers
- Protects against attacks on Web applications

• IBM WebSphere DataPower XML Security Gateway XS40
- Acts as a security policy enforcement point for XML applications and Web services
- Virtualizes Web services easily with dynamic WSDL-based configuration

• IBM WebSphere DataPower Integration Appliance XI50
- Provides a Web service interface for mainframe applications
- Performs any-to-any data transformation at

Figure 1-27. IBM WebSphere DataPower product line

Notes:
IBM WebSphere DataPower Integration Appliance XI50:
http://www.ibm.com/software/integration/datapower/xi50/

IBM WebSphere DataPower XML Security Gateway XS40:
http://www.ibm.com/software/integration/datapower/xs40/

IBM WebSphere DataPower XML Accelerator XA35:
http://www.ibm.com/software/integration/datapower/xa35/
XML Accelerator XA35 features

• Accelerates dynamic content generation
- Transforms XML data into any presentation layer format at wirespeed

• Offloads XML manipulation through industry standard API
- Performs XML processing and transformation through the Java API for XML-based Parsing (JAXP)

Figure 1-28. XML Accelerator XA35 features

Notes:

XML Security Gateway XS40 features

• XML and Web services security provides:
- XML denial-of-service protection
- Field-level message encryption and digital signature
- Web services access control at the operation, interface, or endpoint level
- Service virtualization to abstract service endpoints within your network
- Authentication, authorization, and auditing (AAA) framework that supports a variety of user password, security token, and other identity information from requests
- Centralized policy management is enforced by a cluster of SOA appliances
- Service level management, policy management, and Web services management support

• Includes all XML acceleration features from the XA35 appliance

Figure 1-29. XML Security Gateway XS40 features

Notes:

Integration Appliance XI50 features

• Acceleration of existing integration hubs
- Processor-intensive tasks such as XSLT processing, routing, and legacy-to-XML conversion can be offloaded to the XI50

• Mainframe modernization with Web services
- XML-to-any conversion allows mainframe applications to be virtualized as Web services

• Manages non-XML traffic as easily as XML data
- Can parse and transform arbitrary binary, flat text, and XML messages
- No custom programming needed to manipulate messages

• Offers support for popular messaging systems
- XI50 appliances act as an IBM WebSphere MQ client

• Includes all security and acceleration features from the XS40 and XA35 appliances, respectively

Figure 1-30. Integration Appliance XI50 features

Notes:

DataPower SOA appliances in the network stack

[Diagram: the TCP/IP protocol stack, the Web services standards at each layer, and the DataPower services that operate there]
Application layer: SOAP, XML, HTTP, TLS/SSL, SNMP. DataPower services: Multi-protocol gateway, Web services security, Web services proxy, XML firewall, XSL proxy, Web application firewall
Transport layer: TCP, UDP
Network layer: IP, ICMP, IPSec
Data link layer
Physical layer

Figure 1-31. DataPower SOA appliances in the network stack

Notes:
Listed below are some of the protocols associated with the TCP/IP stack:

• IP: Internet Protocol, communication across a packet-switched network
• ICMP: Internet Control Message Protocol, for sending system-level error messages
• IPSec: IP Security, authentication and encryption at the IP packet level
• TCP: Transmission Control Protocol, virtual circuit protocol that guarantees reliable and in-order data delivery
• UDP: User Datagram Protocol, lightweight packet communication without ordering or reliability guarantee
• HTTP: Hypertext Transfer Protocol, transmitting information across the World Wide Web (WWW)
• TLS/SSL: Transport Layer Security/Secure Sockets Layer, authentication and confidentiality over the Internet
• SNMP: Simple Network Management Protocol, monitors network-attached devices
Features comparison (1 of 3)

Features compared across the XI50, XS40, and XA35 appliances:
- XSL transformation
- XML and SOAP validation
- HTML-XML transformation
- Basic XML threat protection
- SOAP V1.1 and V1.2 bindings
- XSLT V1.0 and V2.0
- Logging (on-board and off-device)
- SSL termination and initiation
- XML coprocessor mode

Figure 1-32. Features comparison (1 of 3)

Notes:

Features comparison (2 of 3)

Features compared across the XI50, XS40, and XA35 appliances:
- SNMP management integration
- Remote device management integration
- WSDL V1.1
- Content encryption and decryption
- Sign XML content and verify digital signatures
- Authentication, authorization, and auditing
- Content-based routing and filtering
- Fetch content from off-device locations
- MIME, DIME, MTOM attachment processing

Figure 1-33. Features comparison (2 of 3)

Notes:
Message Transmission Optimization Mechanism (MTOM) is now available using the MTOM policy for optimizing wire format transmissions of SOAP messages.
Features comparison (3 of 3)

Features compared across the XI50, XS40, and XA35 appliances:
- Full XML threat protection
- Web application firewall
- WSDL-based configuration
- Direct database access
- Multi-protocol gateway (HTTP, HTTPS)
- TIBCO EMS support
- IBM WebSphere MQ client
- Binary-XML transformations (DataGlue)
- IBM Tivoli Access Manager support

Figure 1-34. Features comparison (3 of 3)

Notes:

Topic summary
Having completed this topic, you should be able to:
• Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
- Application Integration XI50
- XML Security Gateway XS40
- XML Accelerator XA35

• Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances
- Application layer device that operates on Web applications, XML-based applications, and Web services

Figure 1-35. Topic summary

Notes:
Checkpoint
1. What is an XML-aware network? Why is it important to implement an XML-aware network in an SOA?
2. What features of the DataPower SOA appliance make it secure from attacks?
3. Name all IBM WebSphere DataPower SOA appliances product offerings and their main features, respectively.

Figure 1-36. Checkpoint

Notes:
Write your answers here:

1.

2.

3.

Unit summary
Having completed this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
• Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

Figure 1-37. Unit summary

Notes:

Unit 2. DataPower administration overview

What this unit is about

This unit introduces three management interfaces for the DataPower SOA appliance: the WebGUI Web application, the command line interface (CLI), and the XML Management interface.

What you should be able to do

• List the methods that can be used to administer WebSphere DataPower SOA Appliances
• Manage user accounts and domains on the appliance
• Work with files on the WebSphere DataPower SOA Appliance

How you will check your progress

• Checkpoint
• Exercise 1: Exercise setup

References

WebGUI Guide, 3.7.1 Release
CLI Configuration Guide, 3.7.1 Release
Installation Guide, 3.7.1 Release
Unit objectives
After completing this unit, you should be able to:
• List the methods that can be used to administer WebSphere DataPower SOA Appliances
• Manage user accounts and domains on the appliance
• Work with files on the WebSphere DataPower SOA Appliance

Figure 2-1. Unit objectives

Notes:

Administration through the WebGUI

After completing this topic, you should be able to:
• Perform administration tasks on the IBM WebSphere DataPower SOA appliance through the WebGUI application
- Manage firmware levels and restart the appliance
- Identify the file stores available on the appliance
- Configure role-based access management with application domains, user groups, and user accounts
- Export and import the system configuration
- Compare the differences between two system configurations
- Commit configuration changes made through the WebGUI application

Figure 2-2. Administration through the WebGUI

Notes:
DataPower SOA appliance administration

• Perform administration tasks on the DataPower SOA appliance by using one of the following interfaces:
- WebGUI Web application
- Command-line interface (CLI)
- SOAP-based XML Management API
- Third party SNMP management and monitoring systems

[Diagram: appliance ports and the interfaces reached through them: Serial (1 port) for the command-line interface; Ethernet (4 ports) for the WebGUI Web application and the command-line interface (Telnet or SSH)]

Figure 2-3. DataPower SOA appliance administration

Notes:
Without modification, only the serial connection is active for use. The administrator must enable the other three administration interfaces using the command line interface.

You can enable the WebGUI application, a CLI over Telnet or Secure Shell (SSH), or the XML Management Web service over one of the four Ethernet interfaces, or all Ethernet interfaces. Typically, the administration services should only be available over an internal network connection while external traffic flows through the remaining Ethernet ports. The fourth Ethernet port (eth4) has also been designated as the management port (mgt0).

The SOAP-based XML Management API is a Web service that accepts administration commands. It can also accept WS-Management and SNMP management commands on the same endpoint.

WebGUI Web administration application

• The WebGUI Web application allows administrators to configure and troubleshoot the DataPower SOA appliance
- The WebGUI application must be activated through the command-line interface before its first use
- Role-based management restricts access to predefined administrators and configurators

• Using a modern Web browser, navigate to the network address and port assigned to the WebGUI application.
- The default port for the WebGUI application is 9090

[Screenshot: browser address bar showing https://datapower.ibm.com:9090]

Figure 2-4. WebGUI Web administration application

Notes:
Remember to enter the https protocol in front of the network host name or address for your DataPower SOA appliance. The default value provided in the documentation is port 9090 for the WebGUI application. However, you are free to assign any port number in range for this administration interface.
Administration using the Web browser

[Screenshot: WebGUI Control Panel for user admin in the default domain, with three sections: Services (Web Service Proxy, Multi-Protocol Gateway, XML Firewall, Web Application Firewall, XSL Accelerator); Monitoring and Troubleshooting (View Logs, Troubleshooting, Web Services Monitor, View Status); Files and Administration (File Management, System Control, Import Configuration, Export Configuration, Keys & Certs Management)]

Figure 2-5. Administration using the Web browser

Notes:
1. The Control Panel allows quick access to common administration functions. The services section allows you to create or modify the primary DataPower services.
2. The navigation bar provides access to configuration or management options.
3. The monitoring and troubleshooting section provides a view of the DataPower SOA appliance status, traffic, and load.
4. The files and administration section manages the configuration files, access levels, and cryptographic keys and certificates on the appliance.

Navigation bar categories

Category        Description
Status          Provides access to real-time operational data maintained by the management system
Services        Configure services that accelerate, secure, and integrate XML-based applications
Network         Configure network services and interfaces and retrieve information on network connectivity
Administration  Provides access to troubleshooting, logging, access control, file and configuration administration
Objects         Provides direct access to the object

Figure 2-6. Navigation bar categories

Notes:
The following set of slides focuses on the administration features found in the WebGUI administration console.
System control features (1 of 2)

[Screenshot: System Control page reached from Administration > Main > System Control, showing Set Time and Date, Export Configuration, Import Configuration, Compare Configuration, Boot Image (with Upload and Fetch), Firmware Roll-Back, and Select Configuration]

Figure 2-7. System control features (1 of 2)

Notes:
The system control page groups together several system-wide updates that affect the firmware, clock, and system certificate. Certain options are only available from the default domain.

1. Access the system control page through the Administration section of the navigation bar.
2. Alternatively, select the system control icon in the Control Panel to open the same page.
3. Use the time and date features to set the current time in your locale. To modify the time zone, select Administration > Device > Time Settings from the navigation bar. The DataPower SOA appliance sets the clock in Coordinated Universal Time (UTC).
4. The Boot Image feature allows you to upgrade the system to a newer firmware level. Use the Upload function to copy a new firmware image onto the DataPower SOA appliance. Once complete, click Boot Image to restart the DataPower SOA appliance with the new firmware.
5. If you encounter problems using a new firmware level, click Firmware Roll-Back to revert the DataPower SOA appliance to the previous firmware level.
6. The Select Configuration section determines which configuration file should be used on the next system restart.
System control features (2 of 2)

[Screenshot: remaining sections of the System Control page: Shutdown (Mode: Reload firmware; Delay in seconds), Change User Password (Old Password, New Password, Confirm Password), Restart Domain, Reset Domain, Generate Device Certificate (Common Name (CN); Generate Self-Signed Certificate), Control Locate LED]

Figure 2-8. System control features (2 of 2)

Notes:
This slide continues examining the system control page.

1. Use the Shutdown option to reinitialize the DataPower SOA appliance in one of three modes:
   a. Reload firmware restarts the device without rebooting the DataPower SOA appliance. Temporary files and applied but unsaved changes are kept intact.
   b. Reboot system restarts the DataPower SOA appliance. All temporary files and unsaved configuration changes will be lost.
   c. Halt system shuts down the DataPower SOA appliance.
2. The Change User Password section allows you to assign a new password to the currently logged in user. If you are logged in as admin, this operation changes both the WebGUI and CLI passwords for the user.
3. Restart Domain reloads the configuration for the current application domain. Any unsaved configuration changes will be lost.
4. Reset Domain erases any configured objects in the domain. Be careful when using this feature.
5. Generate Device Certificate creates a digital certificate representing the current DataPower SOA appliance. The common name must be mapped to a valid IP host address.
6. Control Locate LED controls a blue "locate" LED on the front panel of the appliance.
File management

(Slide image: the File Management page. It lists the file stores cert:, config:, export:, local:, logstore:, logtemp:, pubcert:, sharedcert:, store: and temporary:, each with an Actions... link. The config: store is expanded to show the file student01-domain.cfg with an Edit link, and the logtemp: store shows default-log.xml. The page header reads "Available Space: 89 MBytes (encrypted), 3 MBytes (temporary)".)

Figure 2-9. File management

Notes:

1. From the navigation bar Administration section, select Main > File Management.

2. Alternatively, you can open the File Management page through the icon of the same name in the Control Panel.

3. The file stores are divided into different directories. Most directories are specific to one application domain, with the exception of the store, pubcert, and sharedcert directories.

4. Certain files, such as an application domain configuration file, can be directly edited through the Web browser.

5. The available space statistics display the amount of nonvolatile memory available for all encrypted data and all temporary data in the system.


File directories for configuration

Store: config:
  Scope: Per application domain; not shared
  Usage: Stores configuration files for the current application domain

Store: export:
  Scope: Per application domain; not shared
  Usage: Holds any exported configuration created with the Export Configuration operation

Store: local:
  Scope: Per application domain; shareable
  Usage: Stores files used by local services, including XML style sheets, XML schemas, and WSDL documents
  . Use the visible domains setting to view the local file store of other domains

Store: store:
  Scope: Systemwide; shared between application domains
  Usage: Stores sample and default style sheets used by DataPower services
  . Best practice is to make a copy of these style sheets into your local directory before making any changes

Store: temporary:
  Scope: Per application domain; not shared
  Usage: Temporary disk space used by document processing rules and actions

Figure 2-10. File directories for configuration

Notes:

File directories for security

Store: cert:
  Scope: Per application domain; not shared
  Usage: Location for storing private keys and digital certificates
  . System automatically encrypts all files in this store.
  . Once added, files cannot be copied or modified.
  . You can delete digital certificates and private keys.

Store: sharedcert:
  Scope: Systemwide; shared between application domains
  Usage: Stores digital certificates to be shared with partners
  . System automatically encrypts all files in this store

Store: pubcert:
  Scope: Systemwide; shared between application domains
  Usage: Provides security certificates for root certificate authorities, such as ones used by Web browsers
  . System automatically encrypts all files in this store.
  . Files cannot be modified, but they can be copied.

Figure 2-11. File directories for security

Notes:

File directories for logging

Store: logtemp:
  Scope: Per application domain; not shared
  Usage: Default location of log files, such as the system-wide default log
  . The file store size is fixed at 13 MB.

Store: logstore:
  Scope: Per application domain; not shared
  Usage: Long-term storage space for log files

Figure 2-12. File directories for logging

Notes:


Administrative access control

. Application domains provide a virtualized, enclosed environment for services
  - Only the default domain allows administrators to perform system level tasks, such as configuring an Ethernet interface

. User groups apply a specific access policy to a set of user accounts
  - Privileged access allows users to perform system level tasks
  - User access provides read-only guest access
  - Group-defined relies on a user-defined, fine-[...]

. User accounts provide users with access to the WebGUI administration console

Figure 2-13. Administrative access control

Notes:

Users can also access more than one application domain by using the visible domain setting for application domains.

Privileged access and user access levels represent the highest and lowest access levels on the DataPower SOA appliance. The group-defined setting allows an administrator to fine-tune the access level within either end of the spectrum.

User accounts created through the WebGUI interface also apply to the command line interface (CLI) and the XML Management interface.


Create an application domain

(Slide image: the Main tab of the Configure Application Domain page (the other tabs are Configuration and CLI Access), with the fields Name (student01-domain), Admin State (enabled / disabled), Comments ("Test domain for student"), Visible Domains (default), the local: File Permissions check boxes (Allow files to be copied from, Allow files to be copied to, Allow files to be deleted, Allow file content to be displayed, Allow files to be run as scripts, Allow subdirectories to be created) and the local: File Monitoring check boxes (Enable Auditing, Enable Logging). The Administration navigation section shows Configuration > Application Domain, Export Configuration, Import Configuration and Compare Configuration.)

Figure 2-14. Create an application domain

Notes:

1. From the WebGUI navigation bar, expand the Administration section and select Configuration > Application Domain.

2. In the listing of available application domains (not shown), click the Add button.

3. Provide a name for the new application domain; this field is mandatory.

4. Leave the Admin State at enabled. The administration state setting determines whether a particular DataPower object is available for use.

5. The visible domains setting determines whether this domain can access files in the local: file store of another application domain. In the Figure, the student01-domain can access the files in the local file store of the default domain.

6. Local file permissions determine the access rights to files stored in the local file store of the current domain.

7. When enabled, changes to files in the local file store generate auditing or logging events.

The Configuration tab allows you to specify whether the configuration is stored locally or imported from a specified URL every time the configuration is saved or the system is restarted.

The CLI Access tab allows you to specify users that can access the domain using the CLI.


Application domain: Configuration tab

. The Configuration Mode specifies from where you can retrieve the domain's configuration
  - Local indicates that the configuration files are on the local appliance's file system
  - Import indicates that the configuration files [...] server

. You can set the limit on the number of allowed Configuration Checkpoints that can be saved at one time

(Slide image: the Configuration tab of the Configure Application Domain page for student06-domain (status up), next to the Main and CLI Access tabs and the Apply, View Status, Restart Domain, Reset Domain and Help controls. The fields shown are Configuration Checkpoint Limit, Configuration Mode (Import), URL, Import Format (ZIP), Deployment Policy and Local IP Rewrite (on).)

Figure 2-15. Application domain: Configuration tab

Notes:

Configuration Checkpoints

. A Configuration Checkpoint contains configuration data for an application domain from a specific point in time
  - Saves the current state of the application domain without persisting it
  - An alternative to Save Config
  - Can be used for continuing work between sessions

. Saving Configuration Checkpoints
  - Navigate in WebGUI sidebar to ADMINISTRATION > Configuration > Configuration Checkpoints.
  - Enter the name and click Save Checkpoint

(Slide image: the Configuration Checkpoints page with the form "Create a new Configuration Checkpoint", a Checkpoint Name field and a Save Configuration button.)

Figure 2-16. Configuration Checkpoints

Notes:


View application domain status

(Slide image: the Configure Application Domain list with a Refresh List button and the columns Name, Status, Logs, Admin State and Comments. Every domain is shown as saved / up / enabled: default ("Default System Domain") and student01-domain through student10-domain ("Test domain for student account 01" through "Test domain for student account 10").)

Figure 2-17. View application domain status

Notes:

The main application domain page lists all configured domains on the DataPower SOA appliance. This page is only visible from the default application domain.

Create a user account and a user group

(Slide image: three pages of the New User Account wizard, each titled "Create a user account":
  1. "Should the user be restricted to a domain? Selecting 'Yes' will restrict the user to a domain. Selecting 'No' will allow the user to login to all domains." with Yes / No options.
  2. "To which domain should the user be restricted? Select the domain:" with the User Domain list showing student01-domain.
  3. "What kind of user account do you want to create? Select one of the following:" with the Domain Account Type options Developer (configuring services in a domain), Backup User (domain backup), Guest (read-only in domain) and User-Defined Group.
Each page has Back, Next and Cancel buttons.)

Figure 2-18. Create a user account and a user group

Notes:

The New User Account wizard allows you to create a user account and a user group at the same time. To access this wizard, select Administration > Access > New User Account from the Navigation bar.

1. The first page asks whether you would like to create a user group to restrict access permissions within the application domain.

2. With a restricted user domain, you have the option of either selecting one of the existing user domains or creating a new application domain.

3. With an application domain selected, you can choose from one of three preconfigured domain account types. For greater flexibility, either select an existing user group or create your own group.

The remaining wizard pages finalize the settings for the user account and the user group.


Manage user group details

(Slide image: the Configure User Group page for the group developer_student01-domain, with Admin State (enabled / disabled), Comments ("Developer group for the student"), an Access Profile list containing the policies */default/*?Access=r and */student01-domain/*?Access=r+w+a+d+x, Add and Build buttons, and a CLI Command Groups tab. The "Editing Access Profile property of User Group" form shows the fields Device Address, Application Domain (studentXX-domain), Resource Type (Web Service ...), Name Match (PCRE) and the Permissions check boxes Read, Write, Add, Delete and Execute, with Save and Cancel buttons.)

Access Profile property syntax:

  address/domain/resource?Access=permissions[&field=value]

Figure 2-19. Manage user group details

Notes:

User groups provide a convenient way for applying an access profile to a set of user accounts. The access profile policy syntax restricts the access permission of any user to which the user group is applied. If two access profile policies affect the same resource, the most specific policy is applied.

1. The parts of an access profile policy are:

   . address refers to the DataPower SOA appliance host name, IP address, or local host alias.

   . domain specifies the name of one particular application domain.

   . resource represents one type of DataPower object within the configuration.

   . permissions is one or more of r (read), w (write), a (add), d (delete), or x (execute).

   . field and value allow you to specify a particular object, such as the name of a Web service proxy.

   In the Figure above, users in the group have read access to all resources within the default application domain and read, write, add, delete, and execute permissions for all resources in the student01-domain domain.

2. Click the Build button to use a graphical form to build the access profile policy.

The CLI Command Groups tab allows you to specify which sets of command line interface commands are available to users within the user group.
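The following Python script is an added example, not code from the course material or from the DataPower firmware. It parses access profile policies in the syntax shown in Figure 2-19 and evaluates which permissions a user group grants for a given request, applying the "most specific policy wins" rule from the notes. Two things are assumptions rather than statements of this page: permission letters are joined with "+" (r+w+a+d+x), and specificity is counted as the number of literal (non-wildcard) components plus field constraints. The resource type WebServiceProxy, the object names and the IP address in the sample profile are constructed for the example.

```python
"""Evaluate DataPower-style access profile policies against a request.

Added example for this page; not code from the course or from the
DataPower firmware. It models the syntax shown on the slide,
    address/domain/resource?Access=permissions[&field=value]
with two assumptions: permission letters are joined with '+' (r+w+a+d+x)
and, when several policies match, the most specific one wins (most
literal components and field constraints). Resource and object names in
the sample profile are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMISSION_NAMES = {"r": "read", "w": "write", "a": "add",
                    "d": "delete", "x": "execute"}


@dataclass(frozen=True)
class Policy:
    address: str          # host name, IP address, local alias, or '*'
    domain: str           # application domain name, or '*'
    resource: str         # resource (object) type, or '*'
    permissions: frozenset
    fields: tuple         # ((field, value), ...) narrowing to particular objects


def parse_policy(text):
    """Parse one access profile line into a Policy; rejects malformed input."""
    path, _, query = text.partition("?")
    parts = path.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected address/domain/resource, got {text!r}")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    access = params.pop("Access", "")
    perms = frozenset(filter(None, access.split("+")))
    unknown = perms - set(PERMISSION_NAMES)
    if unknown:
        raise ValueError(f"unknown permission flag(s) {sorted(unknown)} in {text!r}")
    return Policy(parts[0], parts[1], parts[2], perms, tuple(sorted(params.items())))


def parse_profile(lines):
    return [parse_policy(line.strip()) for line in lines if line.strip()]


def specificity(policy):
    """Literal (non-wildcard) components plus field constraints."""
    literal = sum(1 for c in (policy.address, policy.domain, policy.resource) if c != "*")
    return literal + len(policy.fields)


def policy_matches(policy, address, domain, resource, fields):
    return (fnmatchcase(address, policy.address)
            and fnmatchcase(domain, policy.domain)
            and fnmatchcase(resource, policy.resource)
            and all(fields.get(k) == v for k, v in policy.fields))


def effective_permissions(profile, address, domain, resource, fields=None):
    """Permissions granted to the request; no matching policy means deny all."""
    fields = fields or {}
    matching = [p for p in profile if policy_matches(p, address, domain, resource, fields)]
    if not matching:
        return frozenset()
    best = max(specificity(p) for p in matching)
    # Most specific policy wins; equally specific policies are combined.
    return frozenset().union(*(p.permissions for p in matching if specificity(p) == best))


def is_allowed(profile, perm, address, domain, resource, fields=None):
    return perm in effective_permissions(profile, address, domain, resource, fields)


# Constructed profile in the spirit of Figure 2-19: read-only in default,
# full rights in student01-domain, except that the Web service proxy named
# PaymentsProxy (a constructed name) may only be read and executed.
SAMPLE_PROFILE = parse_profile([
    "*/default/*?Access=r",
    "*/student01-domain/*?Access=r+w+a+d+x",
    "*/student01-domain/WebServiceProxy?Access=r+x&Name=PaymentsProxy",
])

if __name__ == "__main__":
    for perm, name in PERMISSION_NAMES.items():
        ok = is_allowed(SAMPLE_PROFILE, perm, "10.0.0.5", "student01-domain",
                        "WebServiceProxy", {"Name": "PaymentsProxy"})
        print(f"{name:8s} on PaymentsProxy: {'allowed' if ok else 'denied'}")
```

The deny-by-default return of effective_permissions is the point to note: a user whose group has no policy for a domain gets nothing there, and a narrower policy with fewer permission letters reduces what the broad domain policy would otherwise grant, which is the behaviour the "most specific policy is applied" rule implies.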


Manage user account details

(Slide image: the Configure User Account page for the account StudentXX, reached through Administration > Access > Manage User Accounts (the Access section also lists New User Account, Manage User Groups, RADIUS Settings and SNMP Settings). The Main tab shows Admin State (enabled / disabled), Comments ("Developer account for the student"), Password, Confirm Password, Access Level (group-defined) and User Group (developer_student01-domain); the other tab is SNMPv3 User Credentials. The page controls are Apply, Cancel, Delete, View Status and Force Password Change.)

Figure 2-20. Manage user account details

Notes:

1. From the navigation bar Administration section, select Access > Manage User Accounts.

2. The Configure User Account page allows you to modify the comments and the password for a specified user in the application domain.

3. Select one of three access level settings: privileged, user, or group-defined.

The SNMPv3 User Credentials tab allows you to associate SNMP users with the current user account. SNMP users will be granted access to the local MIB (management information base) for monitoring and configuring the DataPower SOA appliance.
Export the system configuration

. The Export Configuration feature saves the definition of services, application domains, user groups, and user accounts

. Use the administrator account to export the system configuration

. Export configurations at a particular scope:
  - Entire system
  - One or more application domains
  - Specific configured objects and files in the current domain

(Slide image: the Export Configuration page with the options "Create a backup of one or more application domains", "Export configuration and files from the current domain", "Copy or move configuration and files between domains" and "Create a backup of the entire system".)

Figure 2-21. Export the system configuration

Notes:

Use the export configuration command to back up the current configuration or to duplicate services and settings to new application domains. The export configuration command writes a series of XML files following the DataPower XML Management schema. In the last step of the Export Configuration page, you will be given an opportunity to download the .zip file containing the XML configuration files. Alternatively, you can retrieve the configuration files from the export: file store associated with the current domain.

Since certain certificates, keys, and objects are visible only to the administrator, log into the administrator account before performing an export operation.


Import a system configuration

. The Import Configuration feature updates the system configuration with a previously saved version
  - Useful for duplicating configured services from one application domain to another
  - Administrator account must be used to perform a total system restoration
  - Administrator must confirm changes that overwrite already configured services and interfaces

(Slide image: the Import Configuration page, "Select options for Import": From (ZIP file), File with a Browse button, Use Deployment Policy, Rewrite Local Service Addresses, and Next and Cancel buttons.)

Figure 2-22. Import a system configuration

Notes:

The import configuration feature only accepts DataPower XML Management documents as an XML file or as a .zip file. The other options listed are not available in the current firmware release.

Saving configuration changes

. Remember to click the Apply button on each Web page

. Use the Save Config button on the top right corner of the Web page to permanently [...]

. A warning window will appear if you attempt to switch application domains or log out of the WebGUI without saving applied changes

(Slide image: the domain selector (Domain: student01-domain) beside the Save Config button, and the warning dialog "Configuration changes have not been saved! Please choose one of the following options: Review changes before continuing. Switch domain without saving. Cancel (stay in this domain).")

Figure 2-23. Saving configuration changes

Notes:

The Apply button submits configuration changes made in the current WebGUI application page. However, such changes are stored in temporary memory. You must click the Save Config button on the top right corner of the WebGUI interface to commit changes to permanent storage. If you attempt to switch application domains without committing your changes, a warning dialog appears. This allows you to switch domains without saving any changes, or you can save the changes immediately.


Topic summary

Having completed this topic, you should be able to:

. Perform system-wide administration tasks through the WebGUI Web application
  - Load and restart the DataPower SOA appliance on a new firmware level
  - Place and retrieve configuration files in the proper file store
  - Manage access through application domains, user groups, and user accounts
  - Back up and restore system configuration changes
  - Commit configuration changes to non-volatile memory

Figure 2-24. Topic summary

Notes:

Alternate administration

After completing this topic, you should be able to:

. Manage services, domains, groups, and users on the DataPower SOA appliance by using:
  - The command-line interface
  - The XML Management Web service

. Describe the differences in the features found in the three management interfaces discussed in this module

Figure 2-25. Alternate administration

Notes:


Administration using the command line interface

. The command-line interface (CLI) provides a text terminal for administering the DataPower SOA appliance
  - For security purposes, the CLI is not a complete command shell with the ability to execute arbitrary programs
  - However, the CLI allows you to configure every service and interface available in the DataPower SOA appliance
  - In the initial setup, you must enable the WebGUI application and Ethernet ports with the CLI through a serial connection
  - Administrators have the option of enabling the CLI over a Telnet or Secure Shell (SSH) connection

Figure 2-26. Administration by using the command line interface

Notes:

For security purposes, the CLI was not designed to be a generic command shell environment. Its functionality is strictly limited to the configuration and administration of the DataPower SOA appliance. Nonetheless, it is a powerful interface that has access to all of the services and interfaces on the appliance itself.

By default, the DataPower SOA appliance is shipped with all four Ethernet interfaces disabled. In order to activate the ports, you must enable the interfaces within the CLI over a serial port connection. The WebGUI administration Web application must also be enabled in this way before it is used.

Once the DataPower SOA appliance has been properly configured, you can allow Telnet or Secure Shell connections to the CLI.

Initial CLI login screen

Unauthorized login prohibited
login: admin
Password: admin

XI50 console configuration
(c) 200-2006 by DataPower Technology, Inc.

Welcome to DataPower
Version: XI50.3.6.0.1 build 140575 on 2007/02/16 08:30:19
Serial number: 0012345678

xi50# show system
description: DataPower XI50
serial number: 0012345678
product id: 9002-XI50-03 [Rev 04]
OID: 1.3.6.1.4.1.14685.1.3
uptime: 2 days 03:24:53
contact:
name:
location:
services:

Figure 2-27. Initial CLI login screen

Notes:

1. You must provide a valid user login and password in order to access the command line interface. At installation time, the default user name and password are admin and admin. After reviewing and accepting the license agreement (not shown), you must provide a new password for the admin account.

2. The initial welcome message displays the firmware build level and date, as well as the serial number of the DataPower SOA appliance.

3. Use the show command to display system information on the interfaces, objects, and the appliance itself.

Quick initial configuration procedure

. Enable the WebGUI application over the management interface in the global configuration mode

xi50# configure terminal                      (Global configuration mode)
xi50(config)# interface mgt0                  (Interface configuration mode, mgt0 = eth4)
xi50(config-if[eth4])# ip address 10.0.0.0/8
xi50(config-if[eth4])# exit
xi50(config)# web-mgmt 10.0.0.0 9090
Web management: successfully started
xi50(config)# ssh 10.0.0.0 22
Pending
SSH service listener enabled
xi50(config)# exit
xi50#

Figure 2-28. Quick initial configuration procedure

Notes:

After logging onto the DataPower SOA appliance for the first time over a serial connection, perform these steps to enable the WebGUI administration Web application over the management port (mgt0).

1. While logged in as the administrator, enter the global configuration mode.

2. Configure the management Ethernet interface (mgt0), also known as eth4.

3. Assign a static IP and a subnet mask for the management Ethernet port.

4. In the global configuration mode, create a new HTTP server with the WebGUI administration application (web-mgmt).

5. For convenience, enable CLI access over SSH on the designated port.

User and privileged modes

. The user mode [...] SOA appliance
  - View the status of DataPower services
  - Test a network connection from the DataPower SOA appliance
  - Switch between application domains

. The privileged mode allows clients to [...] the DataPower SOA appliance
  - Set the system date and time
  - Manage user accounts, groups, and application domains
  - Manage any DataPower object through the global configuration mode
  - Enable the appliance to query a network time protocol (NTP) server
  - Restart or shut down the DataPower SOA appliance

. Use the enable and disable commands to switch between the user mode and the privileged mode

Figure 2-29. User and privileged modes

Notes:


Retrieve system information using the CLI

. show version
  - Returns the serial number, firmware level and build date, XML accelerator version, and additional libraries

. show services
  - Returns a list of all active DataPower services and their respective ports

. show users
  - Lists all users that are currently logged into the device

. show log
  - Returns the default log file

. show startup-config
  - Displays the configuration, in CLI commands, the device used when it was last booted or restarted

. show route
  - Displays the device routing table

Figure 2-30. Retrieve system information using the CLI

Notes:

Administration using a Web service

• DataPower SOA appliances accept administration commands through a Web service
  - The Web service itself provides only one generic operation, request
  - The request operation takes one parameter, which maps to an administration category
• Within each category, your client can issue multiple administration actions
  - The response from the Web service call provides the results of each administration action call
• The Eclipse plug-in for DataPower management retrieves and modifies the configuration of DataPower SOA appliances over this interface

Figure 2-31. Administration using Web service

Notes:


XML Management: Create a new application domain

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:request
        xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:set-config>
        <Domain name="student01-domain">
          <UserSummary>
            Test domain for student account 01.
          </UserSummary>
          <NeighborDomain class="domain">
            default
          </NeighborDomain>
        </Domain>
      </dp:set-config>
    </dp:request>
  </env:Body>
</env:Envelope>
Figure 2-32. XML Management: Create a new application domain

Notes:
When you export an application domain configuration through the WebGUI, the XML file structure matches the elements within the dp:request element. That is, the SOAP interface to the XML Management system uses the same XML schema as the XML configuration files.

XML Management: Domain creation response

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response
        xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>
        2007-02-22T15:22:04-05:00
      </dp:timestamp>
      <dp:result>
        OK
      </dp:result>
    </dp:response>
  </env:Body>
</env:Envelope>

Figure 2-33. XML Management: Domain creation response

Notes:
Each set configuration call returns a result value. If the administration operation fails, an error message and error code appear in the result field.
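As an added example (not part of the course material and not IBM tooling), the following Python script builds the set-config request of Figure 2-32 with the standard library's ElementTree and parses the response of Figure 2-33, treating anything other than OK in dp:result as a failure. It only constructs and parses the messages; delivering them to the appliance's XML Management port is outside the example. The failure response is constructed, and its result text is a placeholder rather than a real DataPower error message.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the request and response on the slides.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
DP_MGMT = "http://www.datapower.com/schemas/management"
ET.register_namespace("env", SOAP_ENV)
ET.register_namespace("dp", DP_MGMT)


def build_set_config_domain(name, summary, neighbor="default"):
    """Build the dp:request/dp:set-config envelope that creates an
    application domain, with the same elements as Figure 2-32."""
    envelope = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_ENV)
    request = ET.SubElement(body, "{%s}request" % DP_MGMT)
    set_config = ET.SubElement(request, "{%s}set-config" % DP_MGMT)
    domain = ET.SubElement(set_config, "Domain", name=name)
    ET.SubElement(domain, "UserSummary").text = summary
    # The neighbour domain is a reference to another object, hence the class attribute.
    ET.SubElement(domain, "NeighborDomain", {"class": "domain"}).text = neighbor
    return ET.tostring(envelope, encoding="unicode")


def parse_response(xml_text):
    """Return (ok, result_text, timestamp) for a dp:response envelope.
    Only a dp:result of exactly 'OK' counts as success; anything else is the
    error text the notes describe, and a missing dp:result is malformed."""
    root = ET.fromstring(xml_text)
    ns = {"env": SOAP_ENV, "dp": DP_MGMT}
    result = root.find("env:Body/dp:response/dp:result", ns)
    if result is None:
        raise ValueError("no dp:result element in response")
    stamp = root.find("env:Body/dp:response/dp:timestamp", ns)
    text = (result.text or "").strip()
    timestamp = (stamp.text or "").strip() if stamp is not None else None
    return text == "OK", text, timestamp


# The response shown in Figure 2-33, embedded here as sample input.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>2007-02-22T15:22:04-05:00</dp:timestamp>
      <dp:result>OK</dp:result>
    </dp:response>
  </env:Body>
</env:Envelope>"""

# Constructed failure response: the result text is a placeholder, not a real
# DataPower error message.
SAMPLE_FAILED = SAMPLE_OK.replace("<dp:result>OK</dp:result>",
                                  "<dp:result>constructed error text</dp:result>")

if __name__ == "__main__":
    print(build_set_config_domain("student01-domain",
                                  "Test domain for student account 01."))
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_FAILED))
```

Checking for the literal OK, rather than for the absence of an error element, is the safe direction: a script that automates domain creation should stop on any unexpected result text instead of assuming the configuration was applied.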


WSDM interface

• DataPower includes an implementation of the Web Services Distributed Management (WSDM) protocol specification (Version 1.0 OASIS, February 2006)
  - A protocol-specific interface for monitoring Web Service endpoints that were instantiated through Web Service Proxy objects
• The WSDM interface can be used to view:
  - The number of client requests to a service
  - The active users on the device
  - The CPU usage on the device
  - Accepted connections on the device
  - And so on
• This information can be gathered by using SOAP request messages to the WSDM port

Figure 2-34. WSDM interface

Notes:

Management interface summary

• WebGUI Web application
  - Easy-to-use interface accessible over any Web browser
  - Built-in online help for fields and operations
  - Apply and save steps allow administrators to discard changes after testing
• Command-line interface (CLI)
  - The only interface available as is, without modification
  - Simple, UNIX-like environment
• XML Management
  - Allows configuration of an application domain or the entire appliance through a batch of commands
  - Structured XML request and response messages allow user-created applications to parse through results
  - Web service (SOAP) interface allows third-party applications to manage the DataPower

Figure 2-35. Management interface summary

Notes:
The WebGUI Web application is the simplest management interface to use. On most pages, a help link provides online help through a pop-up browser window. Most fields also provide inline help when selected. Lastly, the two-step process for committing configuration changes provides an opportunity to discard changes.
The CLI provides a simple but powerful management interface. Its syntax should be familiar to terminal users on a UNIX-like environment. Unlike the WebGUI, configuration changes are immediately committed. An undo command allows administrators to revert to a previous configuration. All administrators should be familiar with basic CLI commands, as this management interface is the only one available on first use. You must enable one of the other management interfaces using the configure terminal command.
The XML Management interface provides a structured language for sending a batch of configuration commands. This interface allows for a quick and automated configuration of new application domains or entire DataPower SOA appliances. The SOAP interface extends its functionality to third-party Web service clients.

The SNMP interface is not mentioned on this list. It allows the monitoring and configuration of the DataPower SOA appliance through an industry-standard API.

Topic summary
Having completed this topic, you should be able to:
• Manage services, domains, groups, and users on the DataPower SOA appliance by using:
  - The command-line interface
  - The XML Management Web service
• Describe the differences in the features found in the three management interfaces discussed in this module

Figure 2-36. Topic summary

Notes:


Checkpoint
1. What is the purpose of an application domain? How do you restrict access to an application domain?
2. Describe the steps involved in upgrading the appliance firmware. Which user account and application domain do you need to use in order to perform an upgrade?
3. What are the advantages in performing administration tasks through:
   a. The WebGUI Web application?
   b. The command-line interface (CLI)?
   c. The XML Management interface?

Figure 2-37. Checkpoint

Notes:

Write your answers here:

1.

2.

3.

Unit summary
Having completed this unit, you should be able to:
• List the methods that can be used to administer WebSphere DataPower SOA Appliances
• Manage user accounts and domains on the appliance
• Work with files on the WebSphere DataPower SOA Appliance

Figure 2-38. Unit summary

Notes:

Unit 3. Introduction to XSL transformations

What this unit is about

This unit introduces you to XSL transformations. You will learn how to create XSLT style sheets to transform XML documents into other formats. You will also learn how to write XPath expressions to retrieve information from an XML document.

What you should be able to do

After completing this unit, you should be able to:
• Describe the Extensible Stylesheet Language (XSL) model
• Construct XPath expressions
• Create XSL stylesheets to apply XSL transformations
• Use and apply XSL templates in XSLT
• Describe the use of DataPower variables and extensions in XSL stylesheets

How you will check your progress
• Checkpoint
• Exercise 2: Create an XSL style sheet

Unit objectives
After completing this unit, you should be able to:
• Describe the Extensible Stylesheet Language (XSL) model
• Construct XPath expressions
• Create XSL stylesheets to apply XSL transformations
• Use and apply XSL templates in XSLT
• Describe the use of DataPower variables and extensions in XSL stylesheets

Figure 3-1. Unit objectives

Notes:

Introduction to Extensible Stylesheet Language


After completing this topic, you should be able to:
• Explain the purpose of the Extensible Stylesheet Language (XSL)
• Construct XPath expressions to describe a location within an XML document
• Write a template to transform the structure and the content of an XML document

Figure 3-2. Introduction to Extensible Stylesheet Language

Notes:

Three parts of Extensible Stylesheet Language (XSL)

[Figure: XSL is made up of XSLT (a transformation language), XPath (a language for addressing parts of an XML document), and, optionally, XSL-FO (an XML vocabulary for specifying formatting semantics)]

Figure 3-3. Three parts of Extensible Stylesheet Language (XSL)

Notes:

Extensible Stylesheet Language (XSL) describes how to present XML data. It is analogous to how style sheets describe how to display Web pages. XSL itself is comprised of two main specifications:
• A transformation language, XSLT, for processing XML data.
• Formatting objects, XSL-FO, a vocabulary for formatting objects received from XSLT into a result tree. It allows for a large array of print, display, or oral presentations.

XSLT also provides a language to describe the location of data within an XML document, known as XPath.


XSL Transformations (XSLT) overview

[Figure: an XML document and an XSL style sheet are read into a source tree; the transformation produces the transform result, formatting is applied, and the output (result tree) is handed to the XML application]

Figure 3-4. XSL Transformations (XSLT) overview

Notes:
An XSL style sheet processor accepts an XML document that is represented as a tree structure and processes it to produce a result tree.
The XSL style sheet defines the rules for transformation based on the XML elements and attributes in the source tree. The style sheet may also include formatting information, called formatting objects, and apply those objects to the transformation result.
Note that XSL does not require the use of XSL-FO for formatting.

An example use of XSL is to transform XML into well-formed HTML, that is, XML that uses the element types and attributes defined by HTML.


The XSLT process

[Figure: the XML source tree and the XSL style sheet (transformation) feed the processor, which for each node matches a pattern, selects the correct template, creates the result node, and decides whether to apply further templates; the output is the result tree]

Figure 3-5. The XSLT process

Notes:

XSLT uses the ideas of pattern matching and templates. A style sheet includes templates, which contain rules that associate them with one or more elements or attributes in the XML document.

The templates contain the rules for transformation and, optionally, the formatting that is applied to the matching nodes.
A template can also contain further pattern matching and instructions to apply further templates.
What is XPath?

• A specification for describing a location within an XML document
  - Shared by many XML-based standards and technologies
  - Used by XSLT, XPointer, and XQuery
• Allows you to address elements of a document that meet specified criteria
  - Example: In XML for a book on Java, find the chapters with JDBC in the title.
• Provides the ability to retrieve a subset of an XML document in any direction
  - Forwards, backwards, or sideways

Figure 3-6. What is XPath?

Notes:

W3C recommendation (Nov. 16, 1999):

• XQuery provides standardized access to RDBMS data stores using XML.
• XPointer allows forward and backward addressing to specific XML locations internal to a document and to locations in external XML documents. Think of this as an enhanced version of HTML's HREF linking.
• When XPath is used in an XML document, it usually appears as an attribute value. For example, it appears as an attribute value within the <xsl:template> element in XSLT.

Example XPath expressions

<?xml version="1.0"?>
<book>
  <author>Jane Doe</author>
  <title>DataPower Appliances</title>
  <price>$6.00</price>
</book>

[Figure: the document as a node tree. ROOT contains the <book> element, whose children <author>, <title>, and <price> hold the text nodes "Jane Doe", "DataPower Appliances", and "$6.00". The annotations show address="/" selecting the root, address="/book" selecting the book element, address="/book/*" selecting all child elements of book, address="/book/price" selecting the price element, and address="/book/price/text()" selecting the price text node]

Figure 3-7. Example XPath expressions

Notes:
There is a single "root" node, which contains several other types of nodes.
There are seven node types in XML:

• Root nodes
• Element nodes
• Text nodes
• Attribute nodes
• Namespace nodes
• Processing instruction nodes
• Comment nodes


XPath current context

• The active element within the XPath address step
  - /Root/.../Ancestor/Parent/SELF/child/Descendent

[Figure: the node tree / (Root) -> /Ancestor -> /Parent -> /self (context node), with preceding-sibling and following-sibling beside self, and /child -> /Descendant/... beneath it]

Note: Self is always a single node. It can only have one parent and one root. It may have multiple children, ancestors, and so forth.

Figure 3-8. XPath current context

Notes:
The current context is simply a "you are here" designation within a complete XPath address. The context is not shifted to a child node that exists further down.
For example, if "book/title" is the path, then book remains the context node, even though you are not matching against it.

XPath step syntax

• An XPath location path is made up of one or more steps separated by a forward slash (/)
• Each step within the path consists of an:
  - Axis: branch of the node tree relative to the current context node
    • Use keywords such as: ancestor, attribute, child, descendent, and so on
  - Node test: consists of the node name used to test nodes for inclusion
  - Predicate: optional filter of matched nodes
• Abbreviated syntax is allowed for several different axes
  - "child::" has an empty default as it is the default axis.
  - "/child::catalog/child::tools/" is the same as "/catalog/tools/"
• Expressions:
  - "//" selects an element node regardless of location.
  - "." selects the current node.
  - "@[attribute-name]" selects an attribute of the current node.
• Example: locate all titles in the book that contain the string "XPath"
  /book/child::title[contains(text(), 'XPath')]
• General step form: /axis::nodetest[predicate]/...

Figure 3-9. XPath step syntax

Notes:
XPath uses a path notation similar to URLs. Location paths are specified using a list of steps separated by a forward slash (/).
XPath provides a simple method to traverse an XML tree structure and select a slice of information in any direction that is defined by the axis.
Paths starting with a forward slash (/) are absolute paths from the root of the document tree. Paths that do not begin with a slash are relative to the current (context) node of the node list.

See http://www.w3.org/TR/xpath#axes for a complete listing of XPath axes.


XPath address notation

• An XPath expression consists of two types of paths
  - Absolute location path:
    • Starts the search at the root of the tree
    • Search begins with a forward slash (/)
  - Relative location path:
    • Sequence of one or more location steps, referenced from the current context node

Figure 3-10. XPath address notation

Notes:

The absolute path is addressed from the document's root.

• /child::catalog/child::tools
  - The full syntactic expression that returns all tools element children of the catalog element that appears under the document's root
• /catalog/tools
  - The short form

The relative path is based on the current context of the addressing path.

• child::tools/child::*
  - The full expression of a path relative to the context node
• tools/*
  - The short form


Example: XPath absolute addressing

Example:
1. /paper/chapter[1]/section[2]/title    Title for first chapter, second section
2. /paper/chapter/title                   Titles for all chapters
3. /paper/*/title                         Any title that is a child of any element child of paper

[Figure: the source tree. root -> paper; paper has a title, chapters, and an appendix as children; each chapter has a title and sections; each section has a title; the appendix has sections with titles]

Figure 3-11. Example: XPath absolute addressing

Notes:

All direct addressing starts at the root (/).

The results of running the above XPath expressions against the XML source tree are shown below.

1. section 1.2 title
2. chapter 1 title, chapter 2 title
3. chapter 1 title, chapter 2 title, appendix 4.1 title


Example: XPath relative addressing

/paper/chapter[2]/section[1]              Absolute path to "current context"

1. parent::node() or ..                   Parent of current context
2. self::node() or .                      Context node (self)
3. ../..                                  Parent of parent of context node
4. child::* (default)                     Children of the current context node
5. ./following-sibling::node()/@status    Status attribute of any following sibling node

[Figure: the same source tree as in Figure 3-11; the current context, section 2.1, is marked with a black box]

Figure 3-12. Example: XPath relative addressing

Notes:

The above expressions (1 - 5) are run after the initial absolute path to the current context is executed. The current context is indicated by the black box.

The results of running the above XPath expressions against the XML source tree are the elements shown below.

1. chapter 2, chapter 2 title, section 2.1, section 2.1 title, section 2.2, section 2.2 title
2. section 2.1, section 2.1 title
3. paper (everything in the instance file)
4. section 2.1 title
5. section 2.2 status
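To make the addressing examples of Figures 3-11 and 3-12 concrete, here is an added Python example that is not part of the course material. It rebuilds the source tree as constructed XML (the id labels and the status attribute on section 2.2 are assumptions), evaluates the three absolute expressions with the XPath subset that the standard library's ElementTree supports, and evaluates the five relative expressions with a small step-by-step evaluator, because ElementTree has no parent or following-sibling axis of its own.

```python
import xml.etree.ElementTree as ET

# Constructed source tree matching the shape drawn in Figures 3-11 and 3-12.
# Every node carries an id with the label the notes use for it; the status
# attribute on section 2.2 is an assumption so that expression 5 has a value.
PAPER_XML = """
<paper id="paper">
  <title id="paper title"/>
  <chapter id="chapter 1">
    <title id="chapter 1 title"/>
    <section id="section 1.1"><title id="section 1.1 title"/></section>
    <section id="section 1.2"><title id="section 1.2 title"/></section>
  </chapter>
  <chapter id="chapter 2">
    <title id="chapter 2 title"/>
    <section id="section 2.1"><title id="section 2.1 title"/></section>
    <section id="section 2.2" status="draft"><title id="section 2.2 title"/></section>
  </chapter>
  <appendix id="appendix 4">
    <title id="appendix 4.1 title"/>
    <section id="section 4.1"><title id="section 4.1 title"/></section>
  </appendix>
</paper>
"""

# Full-syntax steps that the slides equate with their abbreviations.
ABBREVIATIONS = {"self::node()": ".", "parent::node()": "..", "child::*": "*"}


def load_document(xml_text):
    """Parse the text and wrap the root element in a synthetic document node,
    so that the XPath root '/' has an element to stand for it."""
    document = ET.Element("document")
    document.append(ET.fromstring(xml_text.strip()))
    return document


def absolute(document, path):
    """Evaluate an absolute location path and return the ids of the matched
    elements. ElementTree's findall() covers the steps used on the slides
    (child steps, '*', and positional predicates such as [2]); the leading
    '/' becomes '.' relative to the synthetic document node."""
    if not path.startswith("/"):
        raise ValueError("an absolute path must start with '/'")
    return [node.get("id") for node in document.findall("." + path)]


def relative(document, context, path):
    """Evaluate a relative path step by step from the context element.
    Handles the axes of Figure 3-12: child (default), self, parent,
    following-sibling and attribute. ElementTree has no parent links, so a
    child->parent map is built from the document first."""
    parent = {child: node for node in document.iter() for child in node}
    nodes = [context]
    for raw_step in path.split("/"):
        step = ABBREVIATIONS.get(raw_step, raw_step)
        if step.startswith("child::"):
            step = step[len("child::"):]
        if step == ".":
            continue
        if step == "..":
            nodes = [n for n in (parent.get(n) for n in nodes) if n is not None]
        elif step == "following-sibling::node()":
            following = []
            for n in nodes:
                siblings = list(parent[n])
                following.extend(siblings[siblings.index(n) + 1:])
            nodes = following
        elif step.startswith("@"):
            # Attribute axis: the result is a list of attribute values, not elements.
            attr = step[1:]
            return [n.get(attr) for n in nodes if n.get(attr) is not None]
        else:
            nodes = [c for n in nodes for c in n if step == "*" or c.tag == step]
    return [n.get("id") for n in nodes]


if __name__ == "__main__":
    doc = load_document(PAPER_XML)
    for expr in ("/paper/chapter[1]/section[2]/title", "/paper/chapter/title", "/paper/*/title"):
        print(expr, "->", absolute(doc, expr))
    ctx = doc.find("./paper/chapter[2]/section[1]")
    for expr in ("..", ".", "../..", "child::*", "./following-sibling::node()/@status"):
        print(expr, "->", relative(doc, ctx, expr))
```

The relative evaluator returns only the matched element for expressions 1 and 3 (chapter 2, paper), whereas the notes list the whole subtree under each; both describe the same node, and a real XSLT processor would see the subtree when it applies templates to that node.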


Anatomy of an XSL style sheet

<?xml version="1.0" encoding="UTF-8"?>
  (Identify XML document.)
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  (Must enclose the entire style sheet. Include namespace and version.)
  <!-- top-level elements, one or more -->
  (Document level elements: for example, import, include, output, strip-space, key, and more.)
  <xsl:template match="...">
    <h1><xsl:apply-templates select="..."/></h1>
    (Literal result text and XSL processing directives, mixed freely.)
  </xsl:template>
</xsl:stylesheet>

Figure 3-13. Anatomy of an XSL style sheet

Notes:
The main elements that make up the XSL style sheet, and the order in which they appear.
The forward slash (/) expression in XSLT also matches the root element node.


The <xsl:template> element

• A style sheet has one or more template tags with the structure:

  <xsl:template match="match expression">
    <!-- literal result text and XSLT elements -->
  </xsl:template>

• Specifies:
  - A match expression defines when the template is called
    • An XPath expression
    • Tested against the nodes in the XML source tree
  - Literal result text is written to the output tree, or XSLT elements are executed

Figure 3-14. The <xsl:template> element

Notes:
The <xsl:template> tag is a container for a set of rules that apply actions against the source tree to yield a result tree.

The match="/" attribute matches the root node, which provides access to namespaces, processing instructions, and comments if they are available.

The following functions are available for accessing the respective elements:

• Namespaces: namespace()
• Processing instructions: processing-instruction()
• Comments: comment()

The <xsl:apply-templates> element

• Looks for a matching template rule in the XSL style sheet
  - Each child of the current node in the XML source tree is evaluated for a matching template rule
• The rules that can be matched are:
  - None - it is not required to have a template rule for each child node
  - The template match rules you define using the select attribute

  <xsl:template match="paper">                        (current node)
    <h1><xsl:apply-templates select="chapter"/></h1>  (child of current node)
  </xsl:template>

Figure 3-15. The <xsl:apply-templates> element

Notes:

The apply-templates tag gives you automatic recursion, because the template executes for each instance of the node.


The <xsl:value-of> element

• <xsl:value-of select="patternToMatch"/>
  - Used to extract a specific value from the source tree
  - Inserts literal values into the result tree as a string, element, or attribute from patternToMatch
• Example:

  Source:
  <list>
    <book ID="999">
      <author>Dan Big</author>
      <title>Large Stories</title>
      <price>$7.00</price>
    </book>
  </list>

  Template:
  <xsl:template match="/list/book">
    <td><xsl:value-of select="title"/></td>
  </xsl:template>

  Result:
  <td>Large Stories</td>

Figure 3-16. The <xsl:value-of> element

Notes:

In this example, the contents of the book child tag title will be extracted into a td element in the result tree. This element produces an output text node, since the td element markup was supplied explicitly.
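As an added illustration of the template model in Figures 3-14 to 3-16 (this is not the course's code and not an XSLT engine; DataPower runs real XSLT), the following Python class reimplements the processing loop of Figure 3-5 in miniature: a root template, a template matched on /list/book, apply-templates with a select expression, value-of, and the built-in rule that copies text when no template matches. It runs against the Books.xml sample of Figure 3-18 and produces the table rows of Figure 3-19; the Python function names and the MiniXSLT class are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The Books.xml document from Figure 3-18, embedded as sample input.
BOOKS_XML = """<list>
  <book ID="888"><author>John Smith</author><title>New Cars</title><price>$8.00</price></book>
  <book ID="999"><author>Dan Big</author><title>Large Stories</title><price>$7.00</price></book>
</list>"""


class MiniXSLT:
    """A small model of the processing loop in Figure 3-5: for each node,
    match a pattern, select the template, create result text, and let the
    template apply further templates. Patterns are '/' (the root node), an
    element name, or an absolute path such as '/list/book'; a template is a
    Python function taking (node, processor) and returning result text."""

    def __init__(self):
        self.templates = {}

    def template(self, match):
        """Register a template for a match pattern (decorator form)."""
        def register(func):
            self.templates[match] = func
            return func
        return register

    def transform(self, xml_text):
        """Parse the source tree and start at the root node, as the processor does."""
        self.document = ET.Element("document")  # stands for the XPath root '/'
        self.document.append(ET.fromstring(xml_text))
        self.parent = {c: p for p in self.document.iter() for c in p}
        root_template = self.templates.get("/")
        if root_template is None:
            return self.apply_templates(self.document)  # built-in rule only
        return root_template(self.document, self)

    def _path(self, node):
        parts = []
        while node is not self.document:
            parts.append(node.tag)
            node = self.parent[node]
        return "/" + "/".join(reversed(parts))

    def _select_template(self, node):
        # A full-path pattern is more specific than a bare element name.
        return self.templates.get(self._path(node)) or self.templates.get(node.tag)

    def apply_templates(self, node, select=None):
        """<xsl:apply-templates select="..."/>: process the selected children
        (all element children when select is None) and join their output."""
        children = list(node) if select is None else node.findall(select)
        output = []
        for child in children:
            template = self._select_template(child)
            if template is None:
                # Built-in rule: no template matched, so copy the node's text
                # and keep recursing into its children.
                output.append(escape(child.text or ""))
                output.append(self.apply_templates(child))
            else:
                output.append(template(child, self))
        return "".join(output)

    def value_of(self, node, select):
        """<xsl:value-of select="..."/>: string value of the first matching node."""
        target = node if select == "." else node.find(select)
        return "" if target is None else escape("".join(target.itertext()))


def book_list_stylesheet():
    """The style sheet of Figures 3-16 and 3-19: a root template writes the
    HTML skeleton and applies templates to each book; the /list/book
    template writes one table row from the book's ID, title and price."""
    xslt = MiniXSLT()

    @xslt.template("/")
    def root(node, p):
        return ('<html><head><title>Book List</title></head><body>'
                '<h1>Book List</h1><table border="1"><tbody>'
                + p.apply_templates(node, "list/book")
                + '</tbody></table></body></html>')

    @xslt.template("/list/book")
    def book(node, p):
        return ("<tr><td>" + escape(node.get("ID", "")) + "</td><td>"
                + p.value_of(node, "title") + "</td><td>"
                + p.value_of(node, "price") + "</td></tr>")

    return xslt


if __name__ == "__main__":
    print(book_list_stylesheet().transform(BOOKS_XML))
```

The escape() calls are the part worth keeping in mind when writing real style sheets: value-of copies source text into the result tree, so a title containing "<" or "&" would otherwise appear as markup in the HTML; an XSLT processor escapes text nodes for the same reason, and the result is only well-formed HTML (as Figure 3-19 requires) because of it.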


XSLT style sheet elements to generate output

• The following elements are used to generate output in the transformed document:
  - <xsl:apply-templates/>
    • Outputs the value of the current node when no matching template is found
  - <xsl:value-of select="validXPathExprOrFunction"/>
    • Extracts a specific value from the source tree
  - <xsl:text>
    • Inserts text into the result tree verbatim
    • Used when outputting special characters, particularly whitespace
  - <xsl:processing-instruction name="piName"/>
    • Inserts a processing instruction into the result tree
  - <xsl:comment>
    • Inserts a comment into the result tree

Figure 3-17. XSLT style sheet elements to generate output
Notes:

The namespace prefix xsl is a namespace alias declared inside the XSL style sheet element.

Using <xsl:comment> is not the same as testing for the presence of a comment within the source nodes. That test is done using the comment() function in the test's predicate.


XML input as a tree

Books.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE list SYSTEM "books.dtd">
<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
    <price>$7.00</price>
  </book>
</list>

[Figure: the tree is created by parsing the XML document. <list> has two <book> subelements (ID "888" and ID "999"). The subelements of the first <book> are <author>, <title>, and <price>; their children are the text nodes "John Smith", "New Cars", and "$8.00". Note: the children of the second book are not shown]

Figure 3-18. XML input as a tree

Notes:
This is an example of a Books.xml file that will be transformed by an XSL style sheet.
HTML produced by XSLT must be XHTML compliant, so that a valid XML tree structure is produced. If you have invalid HTML (for example, with no closing tag), the XSLT processor will throw an error.

Desired HTML output

The HTML that is produced must be well-formed.

<html>
<head><title>Book List</title></head>
<body>
<h1>Book List</h1>
<table border="1" cols="3" width="100%">
<tbody>
<tr>
<td>888</td>
<td>New Cars</td>
<td>$8.00</td>
</tr>
<tr>
<td>999</td>
<td>Large Stories</td>
<td>$7.00</td>
</tr>
</tbody>
</table>
</body>
</html>

The table cells hold data taken from the XML document (nodes); the browser renders the page as a "Book List" table.

Figure 3-19. Desired HTML output

Notes:
HTML produced by XSLT must be XHTML compliant so that it produces a valid XML tree structure.
If you have invalid HTML (for example, no closing tag is used), the XSLT processor will throw an error.

XML to HTML (1 of 4)

Books.xml:

<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
</list>

The processor looks for a <xsl:template match="/"> tag, which matches the root of the document (the <list> element). It copies non-XSLT elements to the output tree in the list template, so you get the first part of your HTML.

Books.xsl:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<head><title>Book List</title></head>
<body>
<table border="1" cols="3" width="100%">
<tbody>
<xsl:apply-templates/>
</tbody>
</table>
</body>
</html>
</xsl:template>
(remaining templates omitted for clarity)

HTML output:

<html>
<head><title>Book List</title></head>
<body>
<table border="1" cols="3" width="100%">
<tbody>
</tbody>
</table>
</body>
</html>

Figure 3-20. XML to HTML (1 of 4)

Notes:
The first pattern match is the root element. In this case, it would not matter if it is match="/" or match="list", since plain HTML code is transferred over to the output tree.


XML to HTML (2 of 4)

Books.xml:

<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
</list>

Inside the <xsl:template match="/"> tag, the <xsl:apply-templates/> tag looks for templates for the children of "list" (that is, <book>). It finds <xsl:template match="book"> and processes that template. <xsl:value-of select="@ID"/> writes the value of the attribute ID to the output tree.

Books.xsl:

<xsl:template match="/">
<html>
<head><title>Book List</title></head>
<body>
<table border="1" cols="3" width="100%">
<tbody>
<xsl:apply-templates/>
</tbody>
</table>
</body>
</html>
</xsl:template>
<xsl:template match="book">
<tr>
<td><xsl:value-of select="@ID"/></td>
<xsl:apply-templates select="title | price"/>
</tr>
</xsl:template>

HTML output:

<html>
<head><title>Book List</title></head>
<body>
<table border="1" cols="3" width="100%">
<tbody>
<tr>
<td>888</td>

Figure 3-21. XML to HTML (2 of 4)

Notes:


XML to HTML (3 of 4)

Books.xml:

<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
</list>

The <xsl:apply-templates select="title | price"/> tag accepts matches for both the <title> and <price> children of <book>. The <xsl:value-of select="."/> writes the value of the element node to the output tree.

Books.xsl:

<xsl:template match="book">
<tr>
<td><xsl:value-of select="@ID"/></td>
<xsl:apply-templates select="title | price"/>
</tr>
</xsl:template>
<xsl:template match="title | price">
<td><xsl:value-of select="."/></td>
</xsl:template>

HTML output:

<html>
<head><title>Book List</title></head>
<body>
<table border="1" cols="3" width="100%">
<tbody>
<tr>
<td>888</td>
<td>New Cars</td>
<td>$8.00</td>
</tr>

Figure 3-22. XML to HTML (3 of 4)

Notes:
The <xsl:apply-templates select="title | price"/> tag accepts matches for both the <title> and <price> children of <book>.

The <xsl:value-of select="."/> writes the value of the element node to the output tree.

The | (union operator) is "or" from XPath.

The processor calls the <xsl:apply-templates select="author | price"/> template:
. Once for each <author> node, which is a child of <book>
. Once for each <price>, which is a child of <book>


XML to HTML (4 of 4)

Books.xml:

<list>
  <book ID="999">
    <title>Large Stories</title>
    <price>$7.00</price>
  </book>
</list>

The processor now looks for and finds another <book> node to process. Output for that <book> node is added to the output tree.

Books.xsl:

<xsl:template match="book">
<tr>
<td><xsl:value-of select="@ID"/></td>
<xsl:apply-templates select="title | price"/>
</tr>
</xsl:template>
<xsl:template match="title | price">
<td><xsl:value-of select="."/></td>
</xsl:template>
(Other templates have been omitted for clarity)

HTML output:

<tr>
<td>888</td>
<td>New Cars</td>
<td>$8.00</td>
</tr>
<tr>
<td>999</td>
<td>Large Stories</td>
<td>$7.00</td>
</tr>

Figure 3-23. XML to HTML (4 of 4)

Notes:
After processing the first node, processing of the next <book> element takes place.
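The complete style sheet for the Books.xml to HTML walk-through of Figures 3-17 to 3-23, written out as an added example (it is not the course's own Books.xsl): it joins the root, book, and title | price templates shown piecemeal above, adds the <xsl:output>, <xsl:comment>, and <xsl:text> elements from Figure 3-17, and selects list/book explicitly so that the whitespace between <book> elements does not leak into the table.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: complete Books.xsl for the walk-through above.
     Input is the Books.xml of Figure 3-18; output is the HTML page of
     Figure 3-19. Not the course's own Books.xsl. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- Serialise as HTML. The style sheet itself is still XML, which is
       why every literal HTML tag below is closed: an unclosed <td> would
       make the style sheet ill-formed and the processor would reject it. -->
  <xsl:output method="html" indent="yes"/>

  <!-- Root template: matches the root node, whose only child is <list>. -->
  <xsl:template match="/">
    <html>
      <head><title>Book List</title></head>
      <body>
        <h1>Book List</h1>
        <!-- <xsl:comment> puts a comment into the result tree
             (not to be confused with the comment() node test). -->
        <xsl:comment> generated from Books.xml </xsl:comment>
        <table border="1" cols="3" width="100%">
          <tbody>
            <!-- An explicit select: only <book> elements are processed.
                 A bare <xsl:apply-templates/> would also hand the
                 whitespace text nodes between them to the built-in
                 text template, which copies them into the table. -->
            <xsl:apply-templates select="list/book"/>
          </tbody>
        </table>
      </body>
    </html>
  </xsl:template>

  <!-- One row per <book>: the ID attribute, then the title and price
       cells. <author> is not in the select list, so it never reaches
       the output. -->
  <xsl:template match="book">
    <tr>
      <td><xsl:value-of select="@ID"/></td>
      <xsl:apply-templates select="title | price"/>
    </tr>
    <!-- <xsl:text> emits whitespace verbatim: one row per output line. -->
    <xsl:text>&#10;</xsl:text>
  </xsl:template>

  <!-- One template serves both nodes of the union title | price;
       "." is the current node, so value-of gives its text content. -->
  <xsl:template match="title | price">
    <td><xsl:value-of select="."/></td>
  </xsl:template>

</xsl:stylesheet>
```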

XSL style sheet control elements

. The following elements are used to control flow in an XSL style sheet:
  - <xsl:apply-templates/>
    . Looks for a matching template based on the current node, or using the expression in the select attribute, if specified
  - <xsl:call-template name="templateName"/>
    . Calls a template, that is, <xsl:template name="templateName" ...>
  - <xsl:for-each>
    . Used to iterate over the result of an XPath expression
  - <xsl:if>
    . Allows a conditional test or tests
  - <xsl:choose>
    . Allows a choice of one or more tests and permits a default condition:
      - <xsl:when> The tested condition
      - <xsl:otherwise> The default condition

Figure 3-24. XSL style sheet control elements

Notes:
Unlike the <xsl:apply-templates> tag, the <xsl:call-template> does not call the template multiple times for each instance of the node.

The <xsl:template> invoked by the <xsl:call-template> must have a name attribute defined.

Here is how to define a named template:

<xsl:template name="bookTitle">
  <!-- Declares the parameter that the caller passes with <xsl:with-param> -->
  <xsl:param name="Author"/>
  <h1><xsl:value-of select="."/></h1>
</xsl:template>

Here is how to call a named template:

<xsl:template match="title">
  <!-- <xsl:with-param> must be a child of <xsl:call-template> -->
  <xsl:call-template name="bookTitle">
    <xsl:with-param name="Author">John Smith</xsl:with-param>
  </xsl:call-template>
  <!-- any other template actions -->
</xsl:template>
The <xsl:for-each> element

. <xsl:for-each select="...">
  - Used to iterate over the result of the select expression
  - Selected node becomes the current node

Books.xml:

<list>
  <book ID="666">
    <author>Jim Blue</author>
    <title>Blue Flowers</title>
  </book>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
  </book>
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
  </book>
</list>

Books.xsl:

<xsl:template match="/">
  <xsl:for-each select="//book">
    <p><xsl:value-of select="title"/></p>
  </xsl:for-each>
</xsl:template>

Books.html:

<p>Blue Flowers</p>
<p>New Cars</p>
<p>Large Stories</p>

Figure 3-25. The <xsl:for-each> element

Notes:
The "//" in "//book" is used as a wildcard to search for nodes anywhere in the XML document relative to the current context node.

The <xsl:if> element

. <xsl:if test="expression">
  - Used to conditionally process the matched expression
  - Can also be used with the logical not statement

Books.xml:

<list>
  <book ID="666">
    <author>Jim Blue</author>
    <author>Mike Yellow</author>
    <author>Dan Farm</author>
    <title>Blue Flowers</title>
  </book>
</list>

Books.xsl:

<xsl:template match="list/book">
  <xsl:value-of select="title"/> by
  <xsl:for-each select="author">
    <xsl:value-of select="."/>
    <xsl:if test="position() != last()">, </xsl:if>
    <xsl:if test="position() = last() - 1"> and </xsl:if>
  </xsl:for-each>
</xsl:template>

Output:

Blue Flowers by Jim Blue, Mike Yellow, and Dan Farm

Figure 3-26. The <xsl:if> element

Notes:
The functions position() and last() are XSLT functions. The position function returns an integer representing the number of author nodes processed. The last function returns an integer for the number of author nodes.

The xsl:if conditional can be used to test for a certain situation within a template. It can be used in conjunction with other actions. More than one xsl:if action can appear within a template.

The <xsl:choose> element (1 of 2)

. Multiple tests can be implemented
. The <xsl:otherwise> element is optional and must be the last child element of <xsl:choose>
  - Used as a default if the other tests fail

<xsl:choose>
  <xsl:when test="firstCondition">
    <!-- ... other actions ... -->
  </xsl:when>
  <xsl:otherwise>
    <!-- ... alternative actions ... -->
  </xsl:otherwise>
</xsl:choose>

Figure 3-27. The <xsl:choose> element (1 of 2)

Notes:


The <xsl:choose> element (2 of 2)

Books.xml:

<list>
  <book ID="666">
    <chapter>First Chapter</chapter>
    <chapter>Second Chapter</chapter>
    <appendix>XSLT reference</appendix>
  </book>
</list>

Books.xsl:

<xsl:stylesheet xmlns:xsl="...">
<xsl:template match="//book">
  <xsl:for-each select="*">
    <p>
      <xsl:choose>
        <xsl:when test="name()='chapter'">Chapter: </xsl:when>
        <xsl:when test="name()='appendix'">Appendix: </xsl:when>
        <xsl:otherwise>Index: </xsl:otherwise>
      </xsl:choose>
      <xsl:value-of select="."/>
    </p>
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>

Books.htm:

<p>Chapter: First Chapter</p>
<p>Chapter: Second Chapter</p>
<p>Appendix: XSLT reference</p>

Figure 3-28. The <xsl:choose> element (2 of 2)

Notes:
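An added example (not course code) that puts the control elements of Figures 3-24 to 3-28 together on the multi-author Books.xml of Figure 3-26: a named template with parameters called through <xsl:call-template>, <xsl:for-each> with position() and last(), <xsl:if> with not(), and <xsl:choose>. The template and parameter names join, nodes, sep, and last-sep are chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the control elements of Figures 3-24 to 3-28 applied
     to the multi-author Books.xml of Figure 3-26. Template and parameter
     names (join, nodes, sep, last-sep) are chosen for this example. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>

  <!-- Named template: invoked with <xsl:call-template>, it runs once per
       call and keeps the caller's current node. <xsl:param> declares
       what the caller may pass; the element body is the default value. -->
  <xsl:template name="join">
    <xsl:param name="nodes"/>
    <xsl:param name="sep">, </xsl:param>
    <xsl:param name="last-sep"> and </xsl:param>
    <!-- position() and last() refer to the list being iterated here -->
    <xsl:for-each select="$nodes">
      <xsl:value-of select="."/>
      <xsl:choose>
        <xsl:when test="position() = last()"/>
        <xsl:when test="position() = last() - 1">
          <xsl:value-of select="$last-sep"/>
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="$sep"/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:for-each>
  </xsl:template>

  <xsl:template match="/">
    <!-- apply-templates: the book template runs once per matched node -->
    <xsl:apply-templates select="list/book"/>
  </xsl:template>

  <xsl:template match="book">
    <xsl:value-of select="title"/>
    <xsl:text> by </xsl:text>
    <!-- <xsl:if> with not(): handles a book that lists no author -->
    <xsl:if test="not(author)">
      <xsl:text>unknown author</xsl:text>
    </xsl:if>
    <!-- <xsl:with-param> must be a child of <xsl:call-template> -->
    <xsl:call-template name="join">
      <xsl:with-param name="nodes" select="author"/>
    </xsl:call-template>
    <!-- <xsl:if> has no else branch, so the second test is separate -->
    <xsl:if test="count(author) > 1">
      <xsl:text> (</xsl:text>
      <xsl:value-of select="count(author)"/>
      <xsl:text> authors)</xsl:text>
    </xsl:if>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>

  <!-- Output for the book of Figure 3-26:
       Blue Flowers by Jim Blue, Mike Yellow and Dan Farm (3 authors) -->
</xsl:stylesheet>
```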


Elements to generate output (XML to XML)

. The following elements can be used to transform from XML to XML:
  - <xsl:element>
    . Creates an element in the transformed document
  - <xsl:attribute>
    . Creates an attribute within an <xsl:element>
  - <xsl:copy>
    . Copies the current node and its namespace nodes from the source tree to the result tree
  - <xsl:copy-of>
    . Copies the current node, namespace nodes, child tags, and attributes from the source tree to the result tree
  - <xsl:processing-instruction>
    . Adds a processing instruction node

Figure 3-29. Elements to generate output (XML to XML)

Notes:
A common use of XSLT is to translate and transform from one XML vocabulary to another XML vocabulary.

XSLT provides some built-in elements to help with these types of transformations.

The <xsl:copy-of> function is similar to the <xsl:copy> tag except that the child and attribute nodes are also copied.


The <xsl:element> element

. Creates an element in the result tree
. Content (inside <xsl:element>) can be:
  - <xsl:attribute> (create attribute)
  - <xsl:element> (create child element)
  - Text

<xsl:element name="element-name">
  <!-- content: attributes, child elements, text -->
</xsl:element>

. Alternative: <element-name> literal result elements

<element-name>
  <!-- content: attributes, child elements, text -->
</element-name>

Figure 3-30. The <xsl:element> element

Notes:
The attributes are always inside an element.
Elements may be inside of elements (child element).

The <xsl:attribute> element

. Creates an attribute in the result tree
. All attributes must precede the first child element.

<xsl:attribute name="attribute-name">
  <!-- content: text value -->
</xsl:attribute>

. Example: create an attribute named "id"

<xsl:attribute name="id">
  <xsl:value-of select="@no"/>
</xsl:attribute>

The XPath expression @no selects attribute "no" of the current node, so the value of the id attribute is the value of attribute "no" of the current node.

Figure 3-31. The <xsl:attribute> element

Notes:
The <xsl:attribute> tag must exist inside an <xsl:element> tag.
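An added XML-to-XML example (not from the course) that uses the elements of Figures 3-29 to 3-31 on the Books.xml of Figure 3-18: an identity template built on <xsl:copy>, a rebuilt element with <xsl:element> and <xsl:attribute>, a deep copy with <xsl:copy-of>, and an empty template that drops a field. The target vocabulary (catalog, item, id) is invented for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: XML-to-XML transformation of the Books.xml of
     Figure 3-18 with the elements of Figures 3-29 to 3-31. The target
     vocabulary (catalog, item, id) is invented for this example. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>

  <!-- Identity template. <xsl:copy> copies only the current node and
       its namespace nodes, not attributes or children, so both are
       re-selected and processed explicitly. Any node without a more
       specific template below passes through unchanged. -->
  <xsl:template match="@* | node()">
    <xsl:copy>
      <xsl:apply-templates select="@* | node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- Rename the document element with a literal result element. -->
  <xsl:template match="list">
    <catalog>
      <xsl:apply-templates select="book"/>
    </catalog>
  </xsl:template>

  <!-- Build <item> with <xsl:element>. The <xsl:attribute> must precede
       any child element or text; placed later, the processor either
       reports an error or ignores the attribute. -->
  <xsl:template match="book">
    <xsl:element name="item">
      <xsl:attribute name="id">
        <xsl:value-of select="@ID"/>
      </xsl:attribute>
      <!-- <xsl:copy-of> is a deep copy: element, attributes, children. -->
      <xsl:copy-of select="title"/>
      <!-- The remaining children go through the identity template,
           except <price>, which the empty template below consumes. -->
      <xsl:apply-templates select="*[not(self::title)]"/>
    </xsl:element>
  </xsl:template>

  <!-- An empty template matches the node and emits nothing: this is how
       a field is removed from a message before it is forwarded. -->
  <xsl:template match="price"/>

  <!-- Result for the Books.xml of Figure 3-18 (indentation aside):
       <catalog>
         <item id="888"><title>New Cars</title><author>John Smith</author></item>
         <item id="999"><title>Large Stories</title><author>Dan Big</author></item>
       </catalog> -->
</xsl:stylesheet>
```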


Topic summary

Having completed this topic, you should be able to:
. Describe the role of the three main specifications in XSL:
  - XSL Transformation (XSLT)
  - XPath
  - XSL Formatting Objects (XSL-FO)
. Construct a location path for identifying parts within an XML document with XPath
. Design a template to perform a transformation on an XML document

Figure 3-32. Topic summary

Notes:

Custom style sheet programming

After completing this topic, you should be able to:
. Use variables in an XSL style sheet
. Create an XSL style sheet using DataPower extension functions

Figure 3-33. Custom style sheet programming

Notes:


Using custom style sheets

. DataPower functionality is implemented using XSL style sheets
  - XSL style sheets perform document processing actions, such as Encryption, Routing, and AAA
  - Other actions, such as Transform or Filter, explicitly require XSL style sheets as input parameters
. Develop custom actions by designing your own XSL style sheets with DataPower extension functions
  - Extension functions allow standard XSL style sheets to access features within the DataPower SOA appliance
. Map custom extension functions to DataPower extension functions with the XML Manager
  - For example, style sheets that use a SAXON node-set function can be mapped to a DataPower equivalent function
. Only use when the functionality is not provided by the DataPower appliance
  - Do not modify existing built-in DataPower XSL style sheets
  - See the store: directory for the built-in DataPower XSL style sheets

Figure 3-34. Using custom style sheets

Notes:
Mapping custom extension functions to DataPower extension functions saves the effort of rewriting or modifying style sheets. To configure this mapping, use the XML Manager object.

DataPower supports the XSLT 1.1 specification, and parts of the XSLT 2.0 specification.

DataPower also supports creating custom XSLT functions using EXSLT.

How to develop style sheets with DataPower extensions

1. Write the XSL style sheet using an XML editor, for example:
   . Eclipse 3.2 Web Tools
   . IBM Rational Application Developer
2. Compile the style sheet using the DataPower XSLT compiler
   - Upload and compile your custom style sheet on the DataPower SOA appliance using the supplied Eclipse plug-ins
3. Add a Transform action to apply the XSL style sheet in the document processing policy
   [Icon: a Transform action applying myStylesheet.xsl]

Figure 3-35. How to develop style sheets with DataPower extensions

Notes:
Create custom XSL style sheets using the XML editor of your choice. The Eclipse 3.2 Web Tools is an open source solution that provides an XML editor for designing XSL style sheets and XML schema files. Based on the same Eclipse platform is IBM Rational Application Developer, which provides the same level of XML functionality plus XSL style sheet compile and debug features.

You can also use the DataPower Eclipse plug-ins on either product. There are two sets of plug-ins: the coprocessor and management. The former offloads complex XML processing tasks to the DataPower SOA appliance, while the latter allows you to control multiple DataPower appliances from the Eclipse workbench.

These plug-ins do not support auto-completion using DataPower extension functions. See the DataPower reference guide for documentation.

The CLI copy command is also useful in copying files.

XSLT variables

. XSLT variables are immutable: their value cannot change once set
. Retrieve the value of a variable using the $variable notation
  - Use {$variable} to retrieve the value within an attribute that does not support a node set

<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
    version="1.0">
<xsl:template match="/">
  <xsl:variable name="serviceOp">findByName</xsl:variable>
  The name of the called service is
  <!-- local name of the first child element of the SOAP Body; the
       soap-env prefix must be declared on the style sheet element -->
  <xsl:value-of select="local-name(//soap-env:Body/*)"/>
  The value of the serviceOp variable is
  <xsl:value-of select="$serviceOp"/>
</xsl:template>
</xsl:stylesheet>

Figure 3-36. XSLT variables

Notes:
XSL variables can be global by defining them outside of any <xsl:template> tags.

The <xsl:param> is also used in style sheet programming and behaves similar to the <xsl:variable> tag, except that it can provide an alternative value if passed as a style sheet parameter.

A node set represents a set of nodes in an XML document. Some XSL functions or tags expect a node set value type. For example, in the <xsl:value-of> tag, the select attribute requires a set of nodes.

DataPower variables

. DataPower variables are mutable; their value can be modified after declaration
. Create a DataPower variable
  - Within a document processing policy using the Set Variable action
    . Use an Advanced action to configure a Set Variable action
  - Within a style sheet with the dp:set-variable function
    <dp:set-variable name="'var://context/test/port'" value="'2068'"/>
. Keep in mind that variable names are strings; there is no implied hierarchical structure
. Retrieve the value of a DataPower variable using the dp:variable extension function

Figure 3-37. DataPower variables

Notes:
DataPower variables allow for additional flexibility over XSLT variables because they can be modified.

Also, use the dp:set-local-variable function to set local variables.

Deleting variables inside scopes does not affect other variables.
Example: var://context/example/level1 and var://context/example/level1/level2
Deleting var://context/example/level1 does not affect var://context/example/level1/level2.


DataPower variable scopes

. DataPower scopes
  - Local: Single processing rule
  - Service: Per transaction (request and response rule)
    . Do not create variables in the service scope
  - Context: Per transaction (request and response rule)
    . User-defined variables per transaction
  - System: Global variable outside the scope of the transaction
    . Accessible to any transform on the appliance
. Built-in context variables in a policy rule
  - INPUT: original document retrieved at the start of the processing rule
  - OUTPUT: document returned to the client
  - NULL: empty document
. Clean up variables by assigning them to an empty node set
  - Cleanup is only required in the var://system space
  - Variables defined in the service and context spaces are cleaned up automatically

Figure 3-38. DataPower variable scopes

Notes:
A transaction is defined as the multistep action in a processing rule for both the request and response.

The service scope contains built-in variables used in transactions, configuration, load balancer, and WebSphere MQ-specific services. An example transaction variable is var://service/URI.

DataPower variable storage views DataPower variables with an empty node set as a sign for deletion.

The multistep probe can be used to view the value of a variable.

See Appendix R-2 for a list of read-only and read/write service variables.

Variables created in the context scope must have at least three levels defined, for example, var://context/level1/level2 but not var://context/level1/. The latter example does not allow you to read the variable you define.

System variables are deleted when the appliance is shut down.


The following is a list of the types of variables available for transactions:
. Asynchronous transactions
. Error handling
. Headers
. Information
. Persistent connections
. Routing
. Statistics
. URL


Example: DataPower variables

. This short example demonstrates the usage of XSLT and DataPower variables
  - The XSLT variable named ex1 is assigned from the DataPower variable var://context/example/x
  - The XSLT variable ex1 is assigned the value abc
  - An element called var is created from the previously assigned variables

<xsl:variable name="ex1" select="'var://context/example/x'"/>
<dp:set-variable name="$ex1" value="'abc'"/>
<xsl:element name="var">
  <xsl:attribute name="something">
    <xsl:value-of select="$ex1"/>
  </xsl:attribute>
  <xsl:value-of select="dp:variable($ex1)"/>
</xsl:element>

Assume 'var://context/example/x' has the value "DP-var".
The XML element created is <var something="DP-var">abc</var>

Figure 3-39. Example: DataPower variables

Notes:
Surround DataPower variables with single quotes when accessing them from attributes that expect an XML node set.

The value of the variable is retrieved twice, first from the <xsl:value-of> and second, from the dp:variable().

A DataPower XSL style sheet can also reference variables passed from an HTML form. Perform the following steps inside an XSL style sheet:
1. Add an <xsl:param> tag with the same name as the passed HTML parameter. For example, if the name in the HTML form field is lname, then add the following:
   <xsl:param name="dpquery:lname"/>
2. Add the namespace xmlns:dpquery="http://www.datapower.com/param/query" to the top of the XSL style sheet.
3. The value can be referenced using the name declared in the <xsl:param> tag. For example, <xsl:value-of select="$dpquery:lname"/>

Style sheet using DataPower extension functions

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:dpconfig="http://www.datapower.com/param/config"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp dpconfig">
<xsl:template match="/">
  <xsl:choose>
    <xsl:when test="/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='CheckRequestElement']">
      <dp:set-target>
        <host>10.10.36.11</host>
        <port>2068</port>
      </dp:set-target>
    </xsl:when>
    <xsl:otherwise>
      <dp:set-target>
        <host>10.10.36.11</host>
        <port>8080</port>
      </dp:set-target>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>
</xsl:stylesheet>

Figure 3-40. Style sheet using DataPower extension functions

Notes:
DataPower extension functions use the namespace http://www.datapower.com/extensions. The common namespace alias used for this namespace is dp.

In this example, the back-end host and port are set using the <dp:set-target> extension function based on the name of the operation inside the SOAP message.
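An added example (not a style sheet shipped with DataPower or with this course) that combines Figures 3-36 to 3-40: an immutable XSLT variable, a DataPower context variable that is set and then overwritten, a dpquery parameter, <dp:set-target> routing, and the value read back with dp:variable(). The variable name var://context/route/decision, the query parameter env, and the port 9080 are assumptions made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example combining Figures 3-36 to 3-40; it is not a style
     sheet shipped with DataPower or with this course. Assumed for the
     example: the context variable var://context/route/decision, the
     query parameter env, and the test port 9080. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:dpquery="http://www.datapower.com/param/query"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp dpquery">

  <!-- Query-string parameter (for example ?env=test), bound through
       the dpquery namespace as in the steps under Figure 3-39. It is
       empty when the client sends no such parameter. -->
  <xsl:param name="dpquery:env"/>

  <!-- Global XSLT variable (outside any template): the DataPower
       variable name. Three levels, as the context scope requires. -->
  <xsl:variable name="route-var" select="'var://context/route/decision'"/>

  <xsl:template match="/">
    <!-- Local XSLT variable, immutable: the operation is the first
         child element of the SOAP Body, matched by local name so the
         SOAP namespace prefix used in the request does not matter. -->
    <xsl:variable name="operation"
      select="local-name(/*[local-name()='Envelope']/*[local-name()='Body']/*[1])"/>

    <!-- DataPower variable: name and value are XPath expressions, so
         literal strings are single-quoted and $route-var is a string. -->
    <dp:set-variable name="$route-var" value="'default'"/>

    <xsl:choose>
      <xsl:when test="$operation = 'CheckRequestElement'">
        <!-- Overwriting is allowed for a DataPower variable; doing
             the same with <xsl:variable> is a compile-time error. -->
        <dp:set-variable name="$route-var" value="'check-service'"/>
        <dp:set-target>
          <host>10.10.36.11</host>
          <port>2068</port>
        </dp:set-target>
      </xsl:when>
      <xsl:when test="$dpquery:env = 'test'">
        <dp:set-variable name="$route-var" value="'test-instance'"/>
        <dp:set-target>
          <host>10.10.36.11</host>
          <port>9080</port>
        </dp:set-target>
      </xsl:when>
      <xsl:otherwise>
        <dp:set-target>
          <host>10.10.36.11</host>
          <port>8080</port>
        </dp:set-target>
      </xsl:otherwise>
    </xsl:choose>

    <!-- Read the variable back with the dp:variable() function. A later
         action in the same processing rule (context scope) can read it
         the same way; xsl:message sends the text to the appliance log. -->
    <xsl:message>
      <xsl:text>operation </xsl:text>
      <xsl:value-of select="$operation"/>
      <xsl:text> routed as </xsl:text>
      <xsl:value-of select="dp:variable($route-var)"/>
    </xsl:message>

    <!-- Pass the request through unchanged to the next action. -->
    <xsl:copy-of select="."/>
  </xsl:template>
</xsl:stylesheet>
```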


Topic summary

Having completed this topic, you should be able to:
. Use variables in an XSL style sheet
  - For set values, use XSLT variables
  - For values that change between processing actions, use DataPower variables
. Create an XSL style sheet using DataPower extension functions

Figure 3-41. Topic summary

Notes:

Checkpoint

1. List the three parts of XSL.

2. What template would you use for extracting a specific value from the source tree?
   a. <xsl:choose/>
   b. <xsl:copy/>
   c. <xsl:value-of select="..."/>
   d. <xsl:text/>

3. What is the difference between XSLT and DataPower variables?

Figure 3-42. Checkpoint

Notes:
Write your answers here:
1.
2.
3.


Unit summary

Having completed this unit, you should be able to:
. Describe the Extensible Stylesheet Language (XSL) model
. Construct XPath expressions
. Create XSL stylesheets to apply XSL transformations
. Use and apply XSL templates in XSLT
. Describe the use of DataPower variables and extensions in XSL stylesheets

Figure 3-43. Unit summary

Notes:

Unit 4. DataPower services overview

What this unit is about

In this unit, you learn about the services supported on the DataPower
appliance. You will learn how to choose the correct service on the
DataPower appliance when given a set of requirements. You will also
learn how to configure services and service policies to process
messages entering and leaving the appliance.

What you should be able to do

After completing this unit, you should be able to:

• List the supported services on the WebSphere DataPower SOA Appliance
• Compare and contrast the features supported by each WebSphere DataPower service

How you will check your progress

• Checkpoint
• Exercise 3: Create a simple XML firewall

Unit objectives
After completing this unit, you should be able to:
• List the supported services on the WebSphere DataPower SOA Appliance
• Compare and contrast the features supported by each WebSphere DataPower service

Figure 4-1. Unit objectives

Notes:

Primary services
After completing this topic, you should be able to:
• Identify the services that can be configured on the DataPower appliance
• Select a service based on policy requirements

Figure 4-2. Primary services

Notes:

Services available on the DataPower appliance
• XSL proxy
  - Accelerates XML processing such as schema validation and XSL transformations
• XML firewall
  - Secures and offloads XML processing from back-end XML-based applications
  - Supports XML encryption, XML signatures, and AAA
• Web services proxy (WS-Proxy)
  - Virtualizes and secures back-end Web service applications
  - Supports XML encryption, XML signature, and AAA
• Web application firewall (WAFW)
  - Secures and offloads processing from Web-based applications
  - Threat mediation and Web-based validation
• Multi-protocol gateway (MPG)
  - Receives messages from clients using multiple protocols and sends messages to back-end services over many protocols
  - Supports XML encryption, XML signature, and AAA

[Control Panel icons: XSL Accelerator, XML Firewall, Web Service Proxy, Web Application Firewall, Multi-Protocol Gateway]

Figure 4-3. Services available on the DataPower appliance

Notes:
AAA: authentication, authorization, and auditing.
The five primary DataPower services are listed above. You can create these services
through the Control Panel in the WebGUI.
The XSL Coprocessor Service, which is not included in the list above, contains the same
functionality as an XSL proxy except that it can also obtain input from a remote Java
process and return the results. The API used for communication is JAXP.
The Web service proxy configuration is WSDL-based. It is the only service that requires a
WSDL file.
All services support monitors and logging.

XSL proxy service
• Use the XSL proxy to accelerate XML processing
  - Validating XML messages using XML schema files
  - Performing XSL transformations
  - Communicating with clients and back-end servers using SSL
  - Monitoring messages passing through the appliance
  - Monitoring and logging activity, delivering log information to external managers
• Use cases
  - Portal-based applications that require large quantities of transformations
  - Offloading XSL transformations from the portal server onto the DataPower appliance
• Available on the XA35, XS40, and XI50

Figure 4-4. XSL proxy service

Notes:

The XSL proxy service supports XML validation and transformation at wire speed.
The term "wire speed" is often used to describe the XML processing performance of a
DataPower SOA appliance. That is, the average XML processing rate is almost as high as
the network connection transmission rate. Runtime variables, such as the complexity of
XML messages and the XSL transform, affect processing speed.
Companies that provide XML applications or Web services often skip the XML schema
validation step due to performance overhead. With the XSL proxy service, these
companies can validate XML messages against an existing schema without significant
degradation in performance. This solution also requires no modification to the existing
back-end service.

XSL Coprocessor Service
• Provides the same features as the XSL proxy, with the added ability to accept XSL tasks from external applications
  - Acts as a remote process to perform operations from another program and return the results to that program

[Diagram: a client sends input to the XSL coprocessor, which performs validation or transformation and returns the results]

Figure 4-5. XSL Coprocessor Service

Notes:

You can install the Eclipse DataPower plug-ins to act as a remote host to communicate with

XML firewall service
• Secure and offload processing from back-end XML-based applications with the XML firewall service
  - Ensures document legitimacy by providing tamper protection using XML signatures
  - Protects against XML-based attacks
  - Secures messages using XML encryption
  - Provides dynamic routing of XML documents to the appropriate back-end service
  - Access control is based on user credentials in the message
• Supports all the features of the XSL proxy
• Available on the XS40 and XI50

Figure 4-6. XML firewall service
Notes:
The features listed for the XML firewall are not exhaustive. The XML firewall also supports
the same features mentioned previously for the XSL proxy.
An XML firewall uses a document processing policy to enforce the features mentioned in
these slides. For example, a firewall policy can require messages to be encrypted and then
schema-validated. Other features such as XML signatures, access control, and dynamic
routing have associated actions that are used in a firewall policy.
XML threat protection and SSL communication are configured at the service level instead
of the policy level.

Web service proxy service
• The Web services proxy (WS-Proxy) is used to secure back-end Web service applications
  - WSDL-based configuration
  - Policies, monitoring, and logging can be done at various levels of the WSDL file
  - Policy can be updated constantly when the back-end WSDL changes
• Features are a superset of the XML firewall
• Available on the XS40 and XI50

[Diagram: client requests pass through the Web service proxy (proxy WSDL and proxy policies) to the back-end Web services]

Figure 4-7. Web service proxy service

Notes:
An XML firewall can be created from a WSDL file as well. However, the Web service proxy
is simpler to configure with the WSDL file since it includes built-in support for creating rules
at different levels of the WSDL, and service virtualization.
Multiple WSDL files can be associated with the Web service proxy.
The Web service proxy must have a Backend URL. It does not support the loopback proxy
mode, which is supported by the XML firewall and the XSL proxy.
You can receive requests over multiple transports (front side handlers) such as HTTP,
HTTPS, WebSphere MQ, and more.

Multi-protocol gateway service
• A multi-protocol gateway (MPG) connects client requests sent over one or more transport protocols to a back-end service using the same or a different protocol
  - Single policy applied to multiple messages over many protocols
  - Uses static or dynamic back-end protocol and URL
• Features are a superset of the XML firewall
• Available on the XS40 and XI50

[Diagram: clients over HTTP, HTTPS, and MQ connect through the multi-protocol gateway to the back-end service]

Figure 4-8. Multi-protocol gateway service

Notes:
The multi-protocol gateway does not support the loopback proxy mode that the XML
firewall supports.
The protocol used on the client side of the gateway need not be the same as that on the
back-end.
The supported protocols are HTTP, HTTPS, FTP, NFS, raw XML, WebSphere MQ, TIBCO
EMS, WebSphere JMS, and IMS Connect.
IBM WebSphere MQ support is available on an XI50 IBM WebSphere DataPower SOA
appliance with the appropriate license.
The gateway can use GET and PUT queues to communicate using WebSphere MQ
messages.
Raw XML is an implementation that allows messages to flow from the client to the
back-end server and back again using persistent TCP connections.

Web application firewall service
• A Web application firewall is used to secure and offload processing from Web-based applications
  - Proxies back-end Web applications by listening for requests on multiple Ethernet interfaces and TCP ports
  - Provides threat mediation, AAA, and SSL
  - Limits the number of requests or simultaneous connections to back-end Web applications
  - No document processing policy
• Customized XML firewall for HTTP-based traffic
• Available on the XS40 and XI50

[Diagram: an external client connects over HTTP or HTTPS to the Web application firewall (threat mediation, AAA, rate limiting), which connects over HTTP or HTTPS to the Web application]

Figure 4-9. Web application firewall service

Notes:

The Web application firewall service contains functionality required for securing, load
balancing, and accelerating Web-based applications. This is unlike the other services,
which focus on XML-based applications.
Threat mediation is provided by checking for malicious JavaScript within HTTP messages.
The concept of the Web application firewall is similar to other services except that it applies
to HTTP traffic.
The Web application firewall provides features specific to Web applications such as
session management, Web-based validation, and cookie handling.

DataPower services feature hierarchy

[Diagram: the feature hierarchy of the DataPower services]
XSL proxy: validation, transformation, transport level security; loopback proxy
  + XML firewall: content based routing, filtering, XML threat protection, message-level security; loopback proxy
    + Web service proxy: service-level management, Web service virtualization, WSDL-based configuration
    + Multi-protocol gateway: service-level management, multiple front and back-side protocol support

Figure 4-10. DataPower services feature hierarchy

Notes:

This diagram illustrates the object relationship between the different services covered in
this course.
The XSL proxy provides XML schema validation, XML transformation, and support for
transport level security (SSL connections). All three DataPower appliances (XA35, XS40,
and XI50) support the XSL proxy service.
The latter three services are unique to the XS40 and XI50 DataPower appliances.
The XML firewall provides security features for XML applications, at the message header
and payload level.
The Web service proxy inherits all the abilities of the XML firewall and adds Web
service-specific features. Web service virtualization allows a Web service proxy to support
many back-end Web service applications. In addition, the WSDL-based configuration
feature allows developers to set processing rules at a service, portType (interface), or
operation level. Although this level of granularity is possible using an XML firewall, it is up
to the developer to apply a processing policy to an element of a Web service using custom
XPath expressions.
Finally, the multi-protocol gateway allows any-to-any mapping of connections, using a set
of front- and back-end protocol handlers.
The loopback proxy option, used mainly for testing, is not available in the multi-protocol
gateway or Web service proxy.
Both the Web service proxy and multi-protocol gateway services support service level
management policies.
The Web application firewall, which is not shown on this diagram, is a service that has a
feature set similar to the XML firewall, but is designed for non-XML traffic.

Choosing the service
• If WSDL-based, use the Web service proxy
• With most other uses, go with the MPG
  - Has the same capabilities as an XML firewall, but allows for extension to additional protocols
• Select other services for specific needs

Service                    Scenario
Web service proxy          WSDL-based Web services
Multi-protocol gateway     Multiple transports in and out
XML firewall               Non WSDL-based Web services; non Web service applications;
                           send and receive XML traffic over HTTP to and from XML-based applications
Web application firewall   Non-XML traffic
XSL proxy                  Rarely used on an XS40 and XI50 appliance

Figure 4-11. Choosing the service
Notes:
The Web service proxy is the most popular DataPower service in use by customers.
Most of the XML traffic flowing through these organizations originates from Web service
calls, almost all of which are described by WSDL files.

Secondary services
• Three secondary services are available for handling message traffic without executing a service policy
  - HTTP service
  - TCP proxy service
  - SSL proxy service
• The HTTP service serves documents from a device directory
  - Hosts a set of Web pages
• The TCP proxy service forwards TCP traffic to a remote address or port
• The log targets use an SSL proxy service to securely connect to remote log systems
  - References an SSL proxy profile which contains the keys and certificates used in an SSL connection

Figure 4-12. Secondary services

Notes:

By default, the appliance does not create an HTTP service on port 80. It must be explicitly
created. This service is meant for low-volume or testing purposes; there is not much room
for the disk requirements of a typical Web server.
The TCP and SSL proxy services listen for requests on the specified port number and
forward the requests to a remote host address and port.

Topic summary
Having completed this topic, you should be able to:
• Describe all of the services on the DataPower appliance
• Identify and describe the differences between the features supported by each service
• List the three secondary services

Figure 4-13. Topic summary

Notes:

Service configuration
After completing this topic, you should be able to:
• Create a policy that matches requests and processes them using actions
• Describe the relationship between services, policies, rules, and actions
• Create a URL rewrite policy to replace the client URL

Figure 4-14. Service configuration

Notes:

Object oriented configuration
• Configuration is object-oriented
  - Configure one or more objects that are part of a complete service
• In the vertical navigation bar, expand OBJECTS
  - The list of objects in the appliance is organized by category

[Screenshot: the OBJECTS navigation tree, showing the Network Settings category (FTP Quoted Commands, IMS Connect, Load Balancer Group, MQ Queue Manager, MQ Queue Manager Group, NFS Dynamic Mounts, NFS Static Mounts, Peer Group, SQL Data Source, User Agent, WebSphere JMS) and the Protocol Handlers category (FTP Poller Front Side Handler, FTP Server Front Side Handler, HTTP Front Side Handler)]

Figure 4-15. Object oriented configuration

Notes:
The objects listed in this graphic do not make up an exhaustive list. Some options for
certain operations are only available when configuring the object.

Message processing phases
• Each message passes through three phases:
  1. Client-side
     • System throttle, listen for IP address or port, ACL, SSL, attachment processing, URL rewrite, HTTP header injection and suppression, and monitors
  2. Service policy
     • Service traffic type (SOAP, XML, preprocessed, unprocessed), XML Manager, SOAP validation
  3. Server-side
     • Streaming, URI propagation, user agent, SSL, load balancer, and HTTP options

[Diagram: a request from remote clients passes through client-side processing, the service policy, and server-side processing to the endpoint application servers; the response returns through the same phases]

Figure 4-16. Message processing phases

Notes:
Response messages from the server then pass through these phases in reverse.
Response processing is the same as request processing except that the server must deal
with errors from the back-end service.
During client-side processing, the URL submitted by the client may be rewritten, the HTTP
headers altered, and the format of the message validated (SOAP or XML).
During service policy processing, the message may be transformed in any number of ways,
as well as filtered, encrypted, decrypted, signed, verified, or duplicated and sent to a third
party resource for handling.
During server-side processing, the message may be routed, TCP and HTTP options set, or
SSL connections negotiated.
URI propagation refers to the part of the URL after the host-port combination.
A user agent can be configured with an SSL Proxy profile to communicate securely with the
back-end service.

A load balancer object is used to provide redundancy for multiple back-end servers. The
service will send the message to the load balancer group instead of the back-end server.
The load balancer group will choose the back-end server.

Multistep scope refers to the sequence of actions executed on the request and response.
Variables can be set to pass information between the actions.

Basic architectural model
• One appliance has many services
• Each service uses one policy
• Each policy references multiple rules
  - Three types of rules: error, request, response
• Each rule contains multiple actions
  - Some standard actions are Validate, Transform, Results, and more
  - Custom XSLT always available using the Transform action

[Diagram: a service (XSL proxy, XML firewall, WS proxy, or multi-protocol gateway) uses exactly one (1..1) policy; a policy references 0 or more (*) rules of type Request, Response, or Error; each rule contains 0 or more (*) actions]

Figure 4-17. Basic architectural model

Notes:
The asterisk (*) implies 0 or more. The 1..1 means exactly 1.
This graphic shows the basic architecture of a DataPower appliance.
• A service uses a processing policy to examine and manipulate messages.
• A policy consists of one or more rules, which are reusable across policies.
• A rule consists of one or more actions, such as validate and transform.
• An action may use an XSLT processing control file to manipulate the message.
• Rules can be configured to act upon both request and response messages.

Processing policy
• A service defines a single policy
• The policy is enforced through rules
• Each rule contains a Match action and one or more processing actions

Match action
• Defines criteria to determine if incoming traffic is processed by the rule
Processing actions
• A rule defines one or more actions taken on the submitted message
• If the request matches the conditions set in the Match action, then the actions are executed

[Screenshot: the policy editor, with the action palette (Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results, Advanced) and a rule consisting of a Match action followed by processing actions between CLIENT and SERVER]

Figure 4-18. Processing policy

Notes:
This example defines a rule called Rule #1 with a Match action and two actions (AAA and
Results).
A rule can be configured to apply to:
• Server to Client (server response)
• Both Directions (client request and server response)
• Client to Server (client request)
• Error (errors during message processing)

Processing rules
• Rules have the following directions:
  - Server to client (response)
  - Client to server (request)
  - Both directions (request and response)
  - Error: executes when errors occur during processing in the request and response rules
• Rules have priority and are ordered
  - Multiple rules may match on the same URL; order is critical to selection
  - Specific rules should have higher priority than catch-all rules
• Other capabilities
  - Programmatic actions such as loops have been added; otherwise actions are performed in sequential order
  - The asynchronous option allows the next action to start without waiting for the current action to complete

[Screenshot: the rule editor with the Rule Direction choices (Client to Server, Server to Client, Both Directions, Error), New Rule and Delete Rule buttons, and a list of three LDAPTest rules: one client to server, one server to client, and one error rule]

Figure 4-19. Processing rules

Notes:
A specific matching rule can match on the URL */test. A catch-all rule can match on all
URLs using the asterisk (*).
Processing in rules occurs sequentially in the order that the actions appear. New actions
that allow for programmatic processing, such as looping and if-then-else statements, were
introduced in the 3.6.1 firmware.

Match action
• A Match action allows you to provide different processing based on matching conditions
• Match criteria can be based on:
  - Error code value
  - Fully qualified URL
  - Host
  - HTTP header value
  - URL
  - XPath expression

[Screenshot: the Matching Type drop-down list showing Error Code, Full URL, Host, HTTP, and URL]

Figure 4-20. Match action

Notes:
A Match action allows you to define criteria that will be matched against the incoming traffic
to determine if the actions configured in the rule are applicable.
Each rule is configured with a Match action.
The error code is not an HTTP error code, but a DataPower internal error code value.

Processing actions
• A rule consists of multiple processing actions with scope
  - Actions such as Transform or Validate execute during the request or response rule (if there are any)
  - Contexts or defined variables within the scope are used to pass information between actions
  - The asynchronous option allows a following action to start before the current action completes
  - Programmatic actions allow for looping and if-then-else logic in rules
• Contexts and variables set during the request processing are available to the actions used in the response processing because of a shared scope

[Screenshot: the policy editor, where an action from the palette (Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results, Advanced) is clicked and dropped onto the rule; two LDAPTest rules are shown between CLIENT and SERVER, one client to server and one server to client]

Figure 4-21. Processing actions
Notes:
Variables can be set using a Set Variable action (Advanced > Set Variable).
Contexts are temporary variables containing XML data, binary non-XML data, user or
system variables.
The Log action is a good example of asynchronous processing. You may want to log
asynchronously so that subsequent processing can continue without delay while logging is
being completed. If you want to wait until later and continue after your previous
asynchronous actions have completed, you can add an Event Sink action. In this action,
you can list previous asynchronous actions that you will wait on.
The Conditional action implements if-then-else processing based on XPath expression
values.
The For-each action implements a loop on designated actions based on XPath expression
values.
Multistep processing rules

• A multistep processing rule contains a scope of contexts, actions, and variables
• A context is a user-created, action-specific operational workspace
  - Contains an XML tree or binary (non-XML) data
  - Variables are copied from original context to newly created context
  - Contexts can be chained during multistep processing

[Diagram: Context → Action → Context → Action → Context]

Figure 4-22. Multistep processing rules

Notes:
Each action has an input and output. It can be explicitly defined or generated by the
appliance.

The tmpl context variables are temporary variables that are used to pass information
between the actions.

The INPUT and OUTPUT context variables are predefined by the appliance to represent
the input and output messages, respectively.
A multistep processing rule refers to a rule with at least one processing action.

Copyright IBM Corp. 2009    Unit 4. DataPower services overview    4-25

The blue colour of the print guarantees the authenticity of this document.

Multistep scope variables

• There are four special system context variables:
  - INPUT
    • Data entering the processing rule.
    • Example: The data contained within an incoming client request (the POST body, in typical HTML), or the data contained within a server response.
  - OUTPUT
    • Data exiting the processing rule.
    • Example: data is passed to a transport protocol such as HTTP or WebSphere
  - PIPE
    • Identifies a context whose output is used as the input of the next action.
    • Every action that outputs to PIPE must be followed by an action that inputs from PIPE.
  - NULL
    • When used in Output context, silently discards any data generated by the action.
    • When used in Input context, passes no message to the action. Such empty input can be useful when executing a style sheet that does not require input.

Figure 4-23. Multistep scope variables

Notes:
It is not always necessary to specify a context within an action. The WebGUI provides
default input and output contexts that can be used.

PIPE can improve processing efficiency and reduce latency by eliminating the need for
temporary storage of processed documents. This is used for streaming documents through
the appliance.
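To make the scope rules above concrete, here is an added example (Python, not DataPower code and not from the course) that models a multistep rule: named contexts, the shared variable dictionary, and the INPUT, OUTPUT, PIPE and NULL special contexts. The Action class, the transform callables and the sample request are assumptions made for the illustration. validate_rule checks, before anything runs, the constraint that every action writing to PIPE is followed by one reading from PIPE, and that no named context is read before an action has written it.

```python
"""Model of a multistep processing rule's scope: contexts, shared variables and
the special INPUT, OUTPUT, PIPE and NULL contexts. Added illustration, not
DataPower code; Action, the transforms and the sample request are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

INPUT, OUTPUT, PIPE, NULL = "INPUT", "OUTPUT", "PIPE", "NULL"


class Action:
    """One processing action: reads input_ctx, writes output_ctx.

    The transform receives the input payload (None for a NULL input) and the
    rule's shared variable dictionary, and returns the output payload.
    """

    def __init__(self, name: str, input_ctx: str, output_ctx: str,
                 transform: Callable[[Optional[str], Dict[str, str]], Optional[str]]):
        self.name, self.input_ctx, self.output_ctx, self.transform = name, input_ctx, output_ctx, transform


def validate_rule(actions: List[Action]) -> List[str]:
    """Static checks on a rule: PIPE pairing and contexts read before written."""
    errors = []
    written = {INPUT}  # INPUT is predefined by the scope
    for i, act in enumerate(actions):
        prev = actions[i - 1] if i > 0 else None
        nxt = actions[i + 1] if i + 1 < len(actions) else None
        if act.input_ctx == PIPE and (prev is None or prev.output_ctx != PIPE):
            errors.append(f"{act.name}: input is PIPE but the previous action does not output to PIPE")
        if act.output_ctx == PIPE and (nxt is None or nxt.input_ctx != PIPE):
            errors.append(f"{act.name}: output is PIPE but the next action does not input from PIPE")
        if act.input_ctx not in (PIPE, NULL) and act.input_ctx not in written:
            errors.append(f"{act.name}: reads context {act.input_ctx} before it is written")
        if act.output_ctx not in (PIPE, NULL):
            written.add(act.output_ctx)
    return errors


def run_rule(actions: List[Action], request: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Execute the rule over a request payload; return (OUTPUT payload, variables)."""
    errors = validate_rule(actions)
    if errors:
        raise ValueError("; ".join(errors))
    contexts: Dict[str, Optional[str]] = {INPUT: request}
    variables: Dict[str, str] = {}   # shared by every action in the scope
    pipe: Optional[str] = None       # data handed straight to the next action
    for act in actions:
        if act.input_ctx == NULL:
            data = None              # NULL input: no message passed to the action
        elif act.input_ctx == PIPE:
            data = pipe
        else:
            data = contexts[act.input_ctx]
        result = act.transform(data, variables)
        if act.output_ctx == NULL:
            continue                 # NULL output: result silently discarded
        if act.output_ctx == PIPE:
            pipe = result
        else:
            contexts[act.output_ctx] = result
    return contexts.get(OUTPUT), variables


# Transform callables standing in for Transform, Set Variable, Log and Results actions.
def normalize(data, variables):
    return " ".join(data.split())


def set_length_variable(data, variables):
    variables["var://context/demo/length"] = str(len(data))  # hypothetical variable name
    return data


def log_only(data, variables):
    variables["logged"] = data       # a Log action produces no message output
    return None


def results(data, variables):
    return data


GOOD_RULE = [
    Action("transform", INPUT, PIPE, normalize),           # PIPE: consumed by the next action
    Action("setvar", PIPE, "tmpvar1", set_length_variable),
    Action("log", "tmpvar1", NULL, log_only),               # NULL output: nothing kept
    Action("results", "tmpvar1", OUTPUT, results),
]

BAD_RULE = [
    Action("transform", INPUT, PIPE, normalize),
    Action("log", INPUT, NULL, log_only),                   # PIPE output left dangling
]

SAMPLE_REQUEST = "<order>\n  <item>widget</item>\n</order>"  # constructed sample

if __name__ == "__main__":
    print(run_rule(GOOD_RULE, SAMPLE_REQUEST))
    print(validate_rule(BAD_RULE))
```

The validator is the part worth keeping: run it over a rule definition exported from the appliance before deploying, and a dangling PIPE or an action reading a context nothing has written is caught before the first request arrives.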


Service types

[Diagram: remote clients send requests to the appliance, which handles them in one of three ways]

• Static back-end
• Dynamic back-end: back-end server host and port determined by policy
• Loopback proxy

Figure 4-24. Service types

Notes:
The static back-end forwards traffic to a statically defined endpoint.
The dynamic back-end forwards traffic based on the execution of a policy, which specifies
the back-end host address and port.

A loopback proxy does not forward the message to a back-end service once processing is
complete. This service type is often useful for validation and transformation services.

URL rewriting

• Create a URL rewrite policy to rewrite some or all of a client URL
  - Example: http://www.example.com/myservice is rewritten to http://10.44.31.123/order
• Create a URL rewrite rule
  - Specify expression to match URL
  - Define replacement expression

[Screenshot: Adding new URL Rewrite Rule property on the URL Rewrite Policy page, with the fields URL Rewrite Type, Match Expression (PCRE), Input Replace Expression, Stylesheet Replace Expression, Input URL Unescape, Stylesheet URL Unescape, URL Normalization]

Figure 4-25. URL rewriting

Notes:
The URL rewrite policy executes at the service level and before the service policy.
Rewriting the URL at the service level affects the matching rule of the service policy. If you
rewrite the URL, make sure it still matches one of the matching rules.

A URL rewrite policy can also be executed within a processing policy by adding a Header
Rewrite action to the policy header and referencing a URL rewrite policy.
PCRE refers to Perl-compatible regular expression. The match expression must be
entered using this syntax.
The five options available under URL Rewrite Type are:

1. Absolute-Rewrite: Rewrites the entire body of the URL
2. Content-Type: Rewrites the contents of the content-type header field
3. Header Rewrite: Rewrites the contents of a specific HTTP header field
4. Post-Body: Rewrites the data transmitted in the HTTP post method


The Stylesheet Replace Expression is used to specify a style sheet that will transform or
filter a document identified by a rewritten URL.

The Input URL Unescape is used to specify if URL-encoded characters (that is,
percent-escaped sequences) are rewritten to literal character equivalents.
The Stylesheet URL Unescape is used to specify if the style sheet identified in Stylesheet
Replace Expression is subject to literal character replacement of URL-encoded
characters.

The URL Normalization field is used to enable normalization of URL strings.
Optionally, if the URL Rewrite Type is Header-rewrite, then a Header Name field is
available to specify a target HTTP header field.
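The ordering described in these notes (service-level rewrite first, then the service policy's matching rules against the rewritten URL) is easy to get wrong, so here is an added Python example, not DataPower code, that applies a rewrite policy to a request URL and then evaluates the matching rules. The rule lists, the first-match-wins behaviour, the "*" wildcard form of the URL match pattern and the unescape switch are assumptions made for the illustration; the match expressions are Python re patterns, which for the patterns shown coincide with PCRE. The example goes slightly beyond the slide in also showing the Input URL Unescape option decoding percent-encoded characters before the match expression is applied.

```python
"""Service-level URL rewrite followed by the service policy's matching rules.
Added example, not DataPower code. Rule lists, first-match-wins, the '*'
wildcard match pattern and the unescape switch are assumptions."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# URL rewrite policy: (Match Expression, Input Replace Expression) pairs.
# The first rule whose match expression matches is applied (assumption).
REWRITE_POLICY: List[Tuple[str, str]] = [
    (r"^/myservice(/.*)?$", r"/order\1"),
]

# Matching rules of the service policy, in evaluation order: (URL match pattern, rule name).
ORIGINAL_MATCH_RULES = [("/myservice*", "myservice_request_rule")]  # written before the rewrite existed
UPDATED_MATCH_RULES = [("/order*", "order_request_rule")]            # updated to the rewritten form


def apply_rewrite_policy(url: str, policy: List[Tuple[str, str]], unescape: bool = False) -> str:
    """Rewrite a request URL the way a service-level URL rewrite policy would.

    With unescape=True, percent-encoded characters are decoded before matching,
    which is what the Input URL Unescape field controls.
    """
    candidate = unquote(url) if unescape else url
    for match_expr, replace_expr in policy:
        if re.search(match_expr, candidate):
            return re.sub(match_expr, replace_expr, candidate, count=1)
    return candidate


def _wildcard_to_regex(pattern: str) -> str:
    """Turn a matching-rule URL pattern with '*' wildcards into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def select_processing_rule(url: str, match_rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the name of the first matching rule, or None when nothing matches."""
    for pattern, rule_name in match_rules:
        if re.match(_wildcard_to_regex(pattern), url):
            return rule_name
    return None


def dispatch(url: str, policy, match_rules) -> Tuple[str, Optional[str]]:
    """Service-level rewrite first, then the service policy's matching rules."""
    rewritten = apply_rewrite_policy(url, policy)
    return rewritten, select_processing_rule(rewritten, match_rules)


if __name__ == "__main__":
    # A matching rule written against the original URL no longer fires after the rewrite...
    print(dispatch("/myservice/submit", REWRITE_POLICY, ORIGINAL_MATCH_RULES))
    # ...while a matching rule updated to the rewritten form selects a processing rule again.
    print(dispatch("/myservice/submit", REWRITE_POLICY, UPDATED_MATCH_RULES))
```

A request that matches no rule at all is the failure mode to watch for: the rewrite succeeded, but the service policy has nothing to run, so validation, AAA and any other actions in the intended rule are skipped.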

XML Manager

• The XML Manager obtains and manages XML documents, style sheets, and other resources on behalf of one or more services
  - All services use the default XML Manager object.
  - Accessed from the vertical navigation bar using OBJECTS > XML Processing > XML Manager
• An XML Manager does the following:
  - Set manager-associated limits on the parsing of XML documents
  - Enable document caching
  - Perform extension function mapping
  - Enable XML-manager-based schema validation
  - Schedule an XML-manager-initiated processing rule

Figure 4-26. XML Manager

Notes:

Select OBJECTS > XML Processing > XML Manager to display the XML Manager objects
page, which provides the list of XML Managers that are currently configured, along with
their configuration details.


Default XML Manager configuration

• The default XML Manager can be used and edited as any other user-created XML Manager
• Creating a new XML Manager requires the name field only
  - Modify basic default values or implement optional, enhanced functionality
• The URL refresh policy is used to schedule periodic updates of cached XSL style sheets
• User agent is used to specify policies when invoking back-end service

[Screenshot: Configure XML Manager page for the "default" manager, with the tabs Main, XML Parser, Document Cache and Extension Functions, and the fields Admin State (enabled/disabled), Comments (Default XML-Manager), URL Refresh Policy (none), Compile Options Policy (none), Cache Size 256 stylesheets, SHA1 caching, Static document calls, XSLT Expression optimization, Load Balancer Groups, User Agent Configuration (default)]

Figure 4-27. Default XML Manager configuration

Notes:

Each XML Manager maintains a cache of compiled style sheets to facilitate wire speed
XML processing.
A load balancer group, or server pool, provides redundancy among back-end resources.

XML parser limits

• Imposes limits on XML documents parsed by the appliance
  - Enhances security and stability by protecting against DoS attacks
• In the Configure XML Manager page, select the XML Parser tab
• Parser limits are automatically associated to a service through the XML Manager object
  - Can be overridden by service-specific settings in the XML threat protection page

[Screenshot: XML Parser tab of the Configure XML Manager page for the "default" manager: XML Bytes Scanned 4194304 bytes, XML Element Depth 512, XML Attribute Count (value not legible), XML Maximum Node Size (value not legible) bytes, XML External Reference Handling: Forbid]

Figure 4-28. XML parser limits

Notes:
The XSL proxy service does not have an XML threat protection page.
Parser limits:

• XML Bytes Scanned: The maximum number of bytes scanned in one message by the XML parser. "0" indicates no restriction.
• XML Element Depth: The maximum depth of element nesting.
• XML Attribute Count: The maximum number of attributes allowed per XML element.
• XML Maximum Node Size: The maximum size of an individual XML node in bytes.
• XML External Reference Handling: To allow references in DTD to URLs outside the appliance.
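As an added illustration of what these limits defend against (not appliance code, and not from the course), the following Python class applies the same five limits to a message with the standard library's expat parser and rejects the document as soon as one is breached, before any tree is built. The defaults for bytes scanned (4194304) and element depth (512) follow the figure; the attribute count (128) and node size (33554432) defaults, the class and function names, and the sample messages are assumptions constructed for the example.

```python
"""Enforce XML Manager-style parser limits with Python's expat parser.
Added example, not appliance code. Bytes-scanned and depth defaults follow
the slide; attribute-count and node-size defaults are assumptions."""
from xml.parsers import expat


class ParserLimitExceeded(Exception):
    """A document breached one of the configured parser limits."""


class LimitedXmlParser:
    def __init__(self, max_bytes=4194304, max_depth=512, max_attrs=128,
                 max_node_size=33554432, forbid_external=True):
        self.max_bytes = max_bytes              # 0 means no restriction, as on the appliance
        self.max_depth = max_depth              # maximum element nesting depth
        self.max_attrs = max_attrs              # maximum attributes per element (assumed default)
        self.max_node_size = max_node_size      # maximum bytes of text inside one element (assumed default)
        self.forbid_external = forbid_external  # "Forbid" for XML External Reference Handling

    # expat callbacks: each one raises the moment a limit is crossed
    def _start(self, name, attrs):
        self._depth += 1
        self._elements += 1
        self._node_bytes = 0
        if self._depth > self.max_depth:
            raise ParserLimitExceeded(f"element depth {self._depth} exceeds {self.max_depth}")
        if len(attrs) > self.max_attrs:
            raise ParserLimitExceeded(f"<{name}> carries {len(attrs)} attributes, limit {self.max_attrs}")

    def _end(self, name):
        self._depth -= 1
        self._node_bytes = 0

    def _text(self, data):
        # expat may deliver one text node in several chunks; accumulate per element
        self._node_bytes += len(data.encode("utf-8"))
        if self._node_bytes > self.max_node_size:
            raise ParserLimitExceeded(f"text node exceeds {self.max_node_size} bytes")

    def _entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        # fires on the declaration itself, so nothing is ever fetched
        if self.forbid_external and system_id is not None:
            raise ParserLimitExceeded(f"external entity '{name}' refers to {system_id}")

    def _doctype(self, name, system_id, public_id, has_internal_subset):
        if self.forbid_external and system_id is not None:
            raise ParserLimitExceeded(f"DOCTYPE refers to external DTD {system_id}")

    def parse(self, data: bytes) -> int:
        """Parse one message; return its element count or raise ParserLimitExceeded."""
        if self.max_bytes and len(data) > self.max_bytes:
            raise ParserLimitExceeded(f"message of {len(data)} bytes exceeds {self.max_bytes}")
        self._depth = self._elements = self._node_bytes = 0
        parser = expat.ParserCreate()
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.CharacterDataHandler = self._text
        parser.EntityDeclHandler = self._entity_decl
        parser.StartDoctypeDeclHandler = self._doctype
        parser.Parse(data, True)
        return self._elements


def scan(data: bytes, **limits):
    """Decision wrapper: ('accepted', detail) or ('rejected', reason)."""
    try:
        return "accepted", f"{LimitedXmlParser(**limits).parse(data)} elements"
    except ParserLimitExceeded as exc:
        return "rejected", str(exc)
    except expat.ExpatError as exc:
        return "rejected", f"not well-formed: {exc}"


# Constructed sample messages
BENIGN = b'<order id="42"><item sku="A1">widget</item></order>'
DEEP_NESTING = b"<a>" * 600 + b"</a>" * 600
MANY_ATTRIBUTES = b"<e " + b" ".join(b'a%d="1"' % i for i in range(200)) + b"/>"
EXTERNAL_ENTITY = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>'
                   b"<order>&ext;</order>")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("deep", DEEP_NESTING),
                       ("attrs", MANY_ATTRIBUTES), ("external", EXTERNAL_ENTITY)]:
        print(label, scan(doc))
```

Rejecting inside the parser callbacks is the point: the parser is the first component a hostile document reaches, so a depth or entity check performed after a full DOM has been built is already too late, and an external reference refused at its declaration never triggers a fetch.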

Topic summary

Having completed this topic, you should be able to:
• Create a service policy with actions that process the client request or server response
• Configure service-wide settings such as:
  - Service type: static back-end, dynamic back-end, and loopback proxy
  - XML Manager
  - URL rewriting

Figure 4-29. Topic summary

Notes:

Checkpoint

1. Describe the relationship between a service, policy, rules, and actions.
2. What is the purpose of the PIPE context in a processing rule?
3. True or False: All services support the loopback proxy mode.
4. What is the impact of using a URL rewrite policy on a service policy?

Figure 4-30. Checkpoint

Notes:

Write your answers here:

1.

2.

3.

4.


Unit summary

Having completed this unit, you should be able to:
• List the supported services on the WebSphere DataPower SOA Appliance
• Compare and contrast the features supported by each WebSphere DataPower service

Figure 4-31. Unit summary

Notes:

Unit 5. XML firewall service

What this unit is about

This unit shows you how to create and manage an XML firewall service on the DataPower SOA appliance. You will learn the capabilities of the XML firewall in order to secure, monitor, and administer your XML-based applications.

What you should be able to do

After completing this unit, you should be able to:

• List the features and functions of an XML firewall service
• Configure an XML firewall service on a WebSphere DataPower SOA Appliance

How you will check your progress

• Checkpoint
• Exercise 4: Create an advanced XML firewall

Unit objectives

After completing this unit, you should be able to:
• List the features and functions of an XML firewall service
• Configure an XML firewall service on a WebSphere DataPower SOA Appliance

Figure 5-1. Unit objectives

Notes:

What is an XML firewall service? (1 of 2)

• An XML firewall service protects and accelerates XML-based applications
  - Process XML documents at near wirespeed
  - Increase back-end application performance by taking on processor-intensive XML manipulation tasks
• Perform schema validation on incoming and outgoing messages
  - Most organizations disable schema validation for their XML-based applications
  - Monitor traffic to and from the service using message monitors

Figure 5-2. What is an XML firewall service? (1 of 2)

Notes:

What is an XML firewall service? (2 of 2)

• Provides XML threat protection from XML-based attacks
  - Protect against single and multiple message DoS attacks
• Offloads Web service security processing from application servers
  - Encrypts and decrypts using XML encryption
  - Signs and verifies using XML signatures
• Decouples service client from provider through service virtualization
  - Rewrites client URLs to mask underlying resource
  - Provides dynamic message routing based on message content

Figure 5-3. What is an XML firewall service? (2 of 2)

Notes:

The XML firewall service also supports the field-level encryption and signing of messages.

The XML firewall service is the entry-level service for XML-based applications. These
features are also inherited by the multi-protocol gateway and Web service proxy.

Configuring an XML firewall service

1. Create an XML firewall DataPower object by:
   - Invoking the XML firewall wizard
   - Creating a new XML firewall object in the Objects section
2. Configure service-wide settings:
   - Front and back-end network settings
   - Client/server SSL
   - XML Manager
   - URL rewrite policy
   - HTTP headers
   - Monitors
   - XML threat protection
3. Implement the service policy
   - Create request, response, or error rules
   - Each rule uses a single Match action and one or many processing actions

Figure 5-4. Configuring an XML firewall service

Notes:

XML firewall service object model

• The XML firewall object diagram

[Diagram: objects referenced by an XML Firewall. SSL and Crypto: Crypto Shared Secret Key, Crypto FW Creds, Crypto Key, Crypto Certificate, SSL Proxy Profile, Crypto ID Creds, Crypto Val Creds, Crypto Profile. Processing: Access Control List, AAA Policy, Kerberos KDC Server, Load Balancer Group, Tivoli Access Manager, Compile Options Policy, Schema Exception Map, Document Crypto Map, HTTP Input Conversion Map, XPath Routing Map, Duration Monitor, Message Match, Message Filter, Count Monitor, Statistics, Log Target, Log Category, Host Alias]

Figure 5-5. XML firewall service object model

Notes:

This diagram represents a subset of the objects used by the XML firewall service. The
objects in bold are the ones that are used often.


Step 1: Create an XML firewall

1. Select the XML Firewall icon in the DataPower Control Panel
   [Screenshot: Control Panel, Services: Web Service Proxy, Multi-Protocol Gateway, XML Firewall, Web Application Firewall, XSL Accelerator]
2. Use the Add Wizard button to create the XML firewall configuration objects or to manually define them using the Add Advanced button
3. All configurations can be performed using the Configure an XML firewall page

Figure 5-6. Step 1: Create an XML firewall

Notes:

Click the XML Firewall icon in the DataPower WebGUI to take you to the page where you
can choose to create an XML firewall using either the wizard or the manual approach.

Step 2: XML firewall configuration (1 of 2)

• Configure the following fields when creating an XML firewall:
  1. Provide a unique name for the XML firewall service
  2. Choose one of the three connection types:
     - Loopback
     - Static back-end
     - Dynamic back-end
  3. Choose an XML Manager to handle XML data within messages
  4. (not legible in the scan)
  5. Decide whether to implement a URL rewrite policy

[Screenshot: Configure XML Firewall page, General tab (tabs: General, Advanced, Stylesheet Params, Headers, Monitors, XML Threat Protection), with the fields Firewall Name, Summary, Firewall Type (Static Backend), XML Manager (default) and URL Rewrite]

Figure 5-7. Step 2: XML firewall configuration (1 of 2)

Notes:
The firewall policy object enforces the security policy. This is discussed later in this
presentation.
By default, a new XML firewall service uses the "default" XML Manager. You do not need to
explicitly create the "default" XML Manager object.

Step 2: XML firewall configuration (2 of 2)

1. Enter the network location and port of the back-end server (the WebGUI only provides this field for the Static Backend proxy type)
2. Describe the network location and port for clients to access the XML firewall
3. Select the secure sockets layer (SSL) settings for the front and back-end connections
4. Choose the expected message and message attachment types for the front- and back-end connections

[Screenshot: the Back End section (Server Address, Server Port 9080, SSL Client Profile, Response Type SOAP, Response Attachments Strip) and the Front End section (Device Address, Device Port, SSL Server Profile, Request Type SOAP, Request Attachments Strip) of the General tab; the flow runs ORIGIN SERVER ← DATAPOWER ← XML CLIENT]

Figure 5-8. Step 2: XML firewall configuration (2 of 2)

Notes:


Planning for configuration migration

• The idea is to not hardcode external references
  - It is easier to migrate from development to test to production
• Define a name to use for configuration definitions
  - Elsewhere, assign an IP address to the name
  - Name: IP address relationship is unique to each appliance
• Host Alias
  - Name the Ethernet interfaces according to their usage
  - External access, back-end connection, administration
• Static Host
  - Name the servers of the back-end resources

[Diagram: Front End (host alias "external") → appliance → Back End (static host "WSserver99")]

Figure 5-9. Planning for configuration migration

Notes:
Hardcoding server names and the appliance's Ethernet addresses makes it difficult to
migrate the configuration through the various stages before it reaches production. By using
aliases, a configuration can remain constant as it is migrated.
An appliance administrator defines the aliases in the default domain, and they are
appliance-wide.

The Host Aliases are defined under NETWORK > Interface.

The Static Hosts are defined on the Static Hosts tab that can be found by going to
NETWORK > Interface > DNS Settings.


Request/response message processing

• Select the expected message type entering to and from the service
  - Non-XML: Message is treated as a binary document
  - Pass-Thru: Traffic is passed through without execution of the service policy
  - SOAP: (description not legible in the scan)
  - XML: Message is formatted as XML and validated for XML well-formedness

[Screenshot: Request Type SOAP, Response Type SOAP; Request Attachments Strip, Response Attachments Strip]

Figure 5-10. Request/response message processing

Notes:
Selecting a non-XML message type does not allow you to execute many of the processing
actions in a service policy, since actions expect the XML message type.

If no action in a response rule modifies the message, then the response type is set to
Pass-Thru.

Request/response attachment processing

• Process SOAP message with attachments (SwA)
• The following modes are supported for Request/Response Attachments
  - Allow: Message with attachment is unaltered and processed by service policy
  - Reject: Message with attachment is rejected
  - Streaming: Message attachment is streamed
  - Strip (default): Attachment is stripped from message and processed by service policy
  - Unprocessed: Attachment in message is allowed and not processed by service policy

[Screenshot: Request Type SOAP, Response Type SOAP; Request Attachments Strip, Response Attachments Strip]

Figure 5-11. Request/response attachment processing

Notes:

SwA: SOAP with Attachments

The DIME format can also be supported instead of MIME by setting the variable
var://local/_extension/attachment-format to application/dime in a service policy.

Advanced XML firewall configuration

• The Advanced tab of the XML firewall allows you to configure:
  - Access control lists
  - HTTP network settings
  - Style sheet namespace values
  - Firewall credential objects: Restricts the key and certificates to use in an XML firewall policy
• The Stylesheet Params tab is used to configure the style sheet parameters

[Screenshot: Stylesheet Params tab (tabs: General, Advanced, Stylesheet Params, Headers, Monitors, XML Threat Protection): Add a New Stylesheet Parameter, with Parameter Name (a predefined name such as decrypt-key or keypair-key, or a Custom Name), Parameter Value, Submit, Cancel]

Figure 5-12. Advanced XML firewall configuration

Notes:

Access control lists allow you to control by IP address who can access the service.
The default style sheet namespace values for the DataPower parameters are
http://www.datapower.com/param/config and for query parameters are
http://www.datapower.com/param/query.
In the Advanced tab, the Firewall Credentials list identifies the keys and certificates that
are available to support firewall processing. Only those specific keys and certificates listed
in the Firewall Credentials list are available to this XML firewall.
In the Stylesheet Params tab, the four parameters that can be passed are:

• decrypt-key: This is used for decryption operations. It is the name of the Key object that will be used.
• keypair-key: This is used for signing operations. It is the name of the Key object that will be used.
• keypair-cert: This is used for signing operations. It is the name of the Certificate object to be used.
• recipient: This is used for encryption operations. It is the name of the Certificate object for the intended recipient.
• valcred: This is used for authentication. It is the name of the validation credentials object that will be used.


Header injection and suppression parameters

• HTTP header injection
  - Insert HTTP header fields into the HTTP request
  - Header can be inserted into either request or response messages
• HTTP header suppression
  - Remove HTTP header fields from the message
  - Header can be removed from either the request or response message

[Screenshot: Headers tab: Header Injection Parameters (Direction, Header Name, Header Value, Add) and Header Suppression Parameters (Direction, Header Tag, Add)]

Figure 5-13. Header injection and suppression parameters

Notes:
The Headers tab is used to modify HTTP headers before the execution of the service
policy. Headers can be inserted or removed from either the request or response message.


Associate monitors to XML firewall

• Monitors are used to measure traffic entering into the service
• Can associate multiple monitors of different types
• Three types of monitors:
  - Message count monitors: Increments a counter every time messages of a particular type pass through a service
  - Message duration monitors: Increments a counter every time a configured amount of time passes during the processing of messages of a particular type
  - Service level monitors: Monitors traffic from a Web services endpoint; needs WSDL file

[Screenshot: Configure XML Firewall, Monitors tab: Count Monitors (empty), Duration Monitors (empty), Service Level Monitors (empty)]

Figure 5-14. Associate monitors to XML firewall

Notes:

Service level monitors are not the same monitors used by the Web service proxy and
multi-protocol gateway, although they use the same name.

XML threat protection

. Protection against XML-based threats:
  - Single message XML denial-of-service (XDoS) protection
  - Multiple message XML denial-of-service (MMXDoS) protection
  - Protocol threat protection
    . Valid HTTP versions
  - XML virus (X-virus)
    . Scans attachments for viruses using the ICAP protocol
  - Dictionary attack protection
    . Uses a count monitor to track invalid authentication attempts

[Screenshot: XML Threat Protection tab of the XML Firewall Service. The page header reads "This page lets you configure the device for protection against the following XML threats:" and lists Single Message XML Denial of Service (XDoS) Protection, Multiple Message XML Denial of Service (MMXDoS) Protection, Message Tampering Protection, SQL Injection Protection, Protocol Threat Protection, XML Virus (X-Virus) Protection and Dictionary Attack Protection. The Single Message XML Denial of Service (XDoS) Protection section shows Max. Message Size, Override XML Manager preset (callout: overrides XML parser limits) and Recursive entity limits, each with protection on/off. The Multiple Message XML Denial of Service (MMXDoS) Protection section shows Enable MMXDoS Protection on/off. Message Tampering Protection reads "Select firewall processing policy which includes validate action. A Validate action performs schema validation on requests. Note that changing the actions in this policy will affect other firewalls which use this policy." SQL Injection Protection follows.]

Figure 5-15. XML threat protection

Notes:
The XML threat protection page lists all of the techniques available to protect against
XML-based attacks. The single and multiple message denial-of-service protection can be
configured on this page. Similarly, the valid protocols accepted can be configured here too.
The remaining options, such as SQL injection, scanning for viruses in attachments, and
dictionary attack, are configured as part of a service policy.
Use ICAP (Internet Content Adaptation Protocol) to communicate with virus
scanning software.
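A defender-side sketch of the single-message XDoS checks described above (a message size limit, parser depth and node limits, and rejection of DTD entity declarations, which is what the recursive-entity limit guards against). This is an added example built on Python's expat parser, not DataPower code; the limit values and the sample documents are constructed here.

```python
import xml.parsers.expat as expat
from dataclasses import dataclass


class XmlThreatRejected(Exception):
    """Raised with a short reason as soon as a document breaches a limit."""


@dataclass(frozen=True)
class XmlThreatLimits:
    """Constructed limits standing in for the appliance's XDoS settings."""
    max_message_bytes: int = 4096   # like "Max. Message Size"
    max_element_depth: int = 8      # parser nesting limit
    max_node_count: int = 100       # parser element-count limit
    allow_dtd: bool = False         # DTDs carry entity declarations


def check_xml_threats(data: bytes, limits: XmlThreatLimits = XmlThreatLimits()) -> dict:
    """Stream the document through expat, enforcing limits as events arrive.

    Returns {"max_depth": ..., "nodes": ...} on success and raises
    XmlThreatRejected on the first violation, so a hostile document is
    never fully parsed, let alone expanded.
    """
    if len(data) > limits.max_message_bytes:
        raise XmlThreatRejected(
            f"message size {len(data)} exceeds {limits.max_message_bytes} bytes")

    state = {"depth": 0, "max_depth": 0, "nodes": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not limits.allow_dtd:
            raise XmlThreatRejected("DOCTYPE declarations are not permitted")
        if sysid or pubid:
            raise XmlThreatRejected("external DTD references are not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Entity declarations are the building block of recursive-entity
        # ("billion laughs") payloads; refuse them before anything expands.
        raise XmlThreatRejected(f"entity declaration '{name}' is not permitted")

    def on_start(name, attrs):
        state["nodes"] += 1
        if state["nodes"] > limits.max_node_count:
            raise XmlThreatRejected(f"node count exceeds {limits.max_node_count}")
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > limits.max_element_depth:
            raise XmlThreatRejected(
                f"element depth exceeds {limits.max_element_depth}")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XmlThreatRejected(f"not well-formed XML: {exc}") from exc
    return {"max_depth": state["max_depth"], "nodes": state["nodes"]}


def inspect_message(data: bytes, limits: XmlThreatLimits = XmlThreatLimits()) -> str:
    """Convenience wrapper: 'accepted (...)' or 'rejected: <reason>'."""
    try:
        summary = check_xml_threats(data, limits)
    except XmlThreatRejected as exc:
        return f"rejected: {exc}"
    return f"accepted (depth={summary['max_depth']}, nodes={summary['nodes']})"


if __name__ == "__main__":
    # Constructed sample messages: one benign, three hostile.
    samples = {
        "benign": b"<addressSearch><address><state>NC</state></address></addressSearch>",
        "deep nesting": b"<a>" * 20 + b"</a>" * 20,
        "entity bomb": (b'<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa">'
                        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
                        b"<lol>&b;</lol>"),
        "oversized": b"<a>" + b"x" * 5000 + b"</a>",
    }
    for label, doc in samples.items():
        print(f"{label:13s} -> {inspect_message(doc)}")
```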

Step 3: Implement a service policy

. Create (+) or modify (...) a firewall policy for the XML firewall
  - Policies can be reused across services
  - Each policy has multiple rules
  - Each rule has a single Match action and one or many processing actions

[Screenshot: Configure XML Firewall with XML Manager default, Firewall Policy EastAddressSearch and URL Rewrite Policy, and the policy editor action palette: Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results, Advanced]

Figure 5-16. Step 3: Implement a service policy

Notes:

Create a Match action

. A Match action specifies the criteria for executing the rule
. The following matching types are supported: URL, Full URL, Host, Error Code, XPath, and HTTP
  - Match type of Error Code is used in error rules to catch specific DataPower error codes

[Screenshot: Matching Rule AddressRouter_MatchAll, with a table of Matching Type, HTTP Header Tag, HTTP Value Match, URL Match, Error Code and XPath Expression columns, Add and Delete buttons, and a CLIENT / ORIGIN SERVER diagram]

Figure 5-17. Create a Match action

Notes:
The match type URL matches the part of the URL string after host:port.
The match type Full URL matches the entire URL string.
The match type Host matches the host name.
The match type HTTP matches HTTP header name-value pairs.
The match type XPath specifies an XPath expression on the incoming message to
determine a match.
The Error Code matching action provides the ability to support customized, user-designed
error processing.

Processing actions

Action: Description
Filter: Performs filtering on incoming documents
Sign: Attaches a digital signature to a document
Verify: Verifies the digital signature contained in an incoming document
Validate: Performs schema-based validation of XML documents
Encrypt: Performs complete and field-level document encryption
Decrypt: Performs complete and field-level document decryption
Transform: Uses a specified style sheet to perform XSLT processing on XML or non-XML documents
Route: Implements dynamic style sheet-based or XPath-based routing
AAA: Invokes an AAA policy
Results: Sends a message in a specific context to an external destination
Advanced: A grouping of lesser-used actions

[Screenshot: policy editor action icons for Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results and Advanced]

Figure 5-18. Processing actions
Notes:
The Encrypt and Decrypt actions are used for XML encryption. The Sign and Verify
actions are used in XML signatures. These actions are discussed in the Web services
security unit.
The AAA action is discussed in the AAA lecture.
The Advanced actions are:

. Anti-Virus: This action scans a message for viruses using an external ICAP server
. Call Processing Rule: This invokes a named rule; processing resumes on the next step
. Conditional: This selects an action for processing based on an XPath expression
. Convert Query Params to XML: This converts non-XML CGI-encoded input (an HTTP POST of HTML form or URI parameters) into an equivalent XML message
. Crypto Binary: This performs a cryptographic operation (sign, verify, encrypt, decrypt) on binary data
. Event-sink: This forces a wait for asynchronous actions before continuing
. Extract Using XPath: This applies an XPath expression to a context and stores the result in another context or a variable
. Fetch: This retrieves an identified external resource and places the result in the specified context
. For-each: This defines looping based on a count or expression
. Header Rewrite: This rewrites HTTP headers or URLs
. Log: This sends the content of the specified input context as a log message to the destination URL identified here
. MQ Header: This manipulates MQ headers
. On Error: This sets a named rule as the error handler; it is invoked if subsequent processing encounters errors
. Results Asynchronous: This asynchronously sends a message in a specified context to a URL or to the special output context
. Route (using Variable): This routes the document depending on the contents of a variable
. Set Variable: This sets the value of a variable for use in subsequent processing
. SQL: This sends SQL statements to a database
. Strip Attachments: This removes either all or specific MIME or DIME attachments
. SLM Rule: This invokes an SLM (service level monitor) policy
. Transform (using processing instruction): This transforms by using XSLT that is specified by processing instructions within the XML document; the parameters may be passed
. Transform Binary: This performs a specified transform on a non-XML message, such as binary or flat text

More processing actions

Action: Description
For-each: Loops through each defined action, either being triggered by an XPath expression or iterating a predetermined number of times
Conditional: Implements programmatic if-then-else processing
Event-sink: Causes processing to wait until specific asynchronous actions complete
Antivirus: Invokes a named, reusable rule that sends messages to a virus scanning server defined as host, port, or URI

Figure 5-19. More processing actions

Notes:
Many actions have an asynchronous option. Event-sink is used in processing rules to wait
for certain asynchronous actions to complete before processing continues.

Validate action

. Perform schema-based validation of XML documents:
  - Validate Document via Attribute Rewrite Rule
    . Scans the document for an xsi:schemaLocation attribute, applies a URL rewrite policy, and uses the result to find schemas to apply to the document
  - Validate Document via Schema URL
    . Specifies a schema URL of an XML schema file
  - Validate Document via Schema Attribute (default)
    . Documents are validated by using an xsi:schemaLocation attribute to locate an XML schema document
  - Validate Document with Encrypted Sections
    . Uses a schema exception map to validate a document with encrypted parts

[Screenshot: Validate action with Schema Validation Method options (Validate Document via Schema URL, Validate Document via Schema Attribute, Validate Document via Attribute Rewrite Rule, Validate Document with Encrypted Sections, Validate Document via WSDL), Schema URL local:///EastAddressSearch.xsd, and a Fetch... button]

Figure 5-20. Validate action

Notes:
The Validate action is used to validate the schema of XML documents. The schema URL
can reference either a local or remote file.
A schema exception map object uses an XPath expression to specify the encrypted and
unencrypted parts of an XML document. It allows for encrypted XML documents to be
validated using XML schemas that do not support XML encryption.

The Fetch button can be used to download a style sheet from a URL and store it on the
appliance.

The Validate Document via Attribute Rewrite Rule option searches for an
xsi:schemaLocation attribute and rewrites this attribute value using a URL rewrite policy.
The validation is then performed against the rewritten schema reference.

Transform action

. Use XSLT to perform XSLT processing on XML documents:
  - Use XSLT specified in this action
    . Identifies the XSL style sheet referenced in the Processing Control File (PCF) field
  - Use XSLT specified in XML document processing instructions, if available
    . Incoming XML document contains a processing instruction that identifies the XSL style sheet to use in transformation
  - Use XSLT specified in this action on a non-XML message
    . XSL style sheet is used on a non-XML message (binary transform)

[Screenshot: Transform action with Document Processing Instructions options (Use XSLT specified in this action, Use XSLT specified in XML document processing instructions, if available, Use XSLT specified in this action on a non-XML message), Processing Control File (local:///...), URL Rewrite Policy (none), Asynchronous on/off, and Output]

Figure 5-21. Transform action

Notes:
The Transform action is also used for supporting custom XSLT actions.

The PCF can either be referenced from the appliance or uploaded from a remote site.
The URL Rewrite Policy rewrites external references contained within the input document.

Filter action

. A Filter action accepts or rejects an incoming message
  - Identifies an XSL style sheet used for message filtering
  - Does not perform an XSL transformation
. The XSL style sheet uses the <dp:reject> and <dp:accept> tags to filter messages
. The Filter action is used to prevent SQL injection and virus attacks

[Screenshot: Filter action, Basic tab, with Processing Control File local:///address-filter.xsl]

Figure 5-22. Filter action

Notes:
A standard filter employs the selected XSLT style sheet to either accept or reject the
submitted document.

Filter action: Replay attack

. Protect against replay attacks using the Filter Advanced tab
  - Values from messages are cached and checked on subsequent requests
  - Three types are supported:
    . WS-Addressing message ID
    . WS-Security Username Token nonce
    . Custom XPath
  - The Replay duration value is the duration of time to check for potential replays

[Screenshot: Filter action, Advanced tab, with Filter Method options (Standard Filter, Replay Filter, Required Elements Filter, WS-Security Message Layout Filter), Processing Control File store:///replay-filter.xsl with Fetch and Upload... buttons, Check for replay attacks on/off, a replay type selector (WS-Addressing Message ID ... Custom XPath) with an XPath Expression field and XPath Tool, and a Replay duration field showing 60]

Figure 5-23. Filter action: Replay attack

Notes:
Replay attack protection guards against an attacker sending a valid message multiple times. This
attack occurs when the intruder intercepts a valid message and sends that message on
behalf of someone else. To protect against replay attacks, messages should pass unique
values in each message. The unique values supported by the replay filter are
WS-Addressing messages containing a message ID, a WS-Security username token with
a nonce value, or a custom XPath. A nonce is a bit string generated to produce a unique
string. It is used in authentication and security situations to create a unique ID.
The replay attack filter uses a standard style sheet, replay-filter.xsl, to check if
messages are executing replay attacks.

The WS-Addressing message ID is a unique message identifier.

The WS-Security username token can contain a password digest, which is a hashed value
of the password. Optionally, it can contain a nonce value, which is a unique base64-encoded value.

Custom XPath uses content from the XML message to detect replay attacks.
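A minimal replay cache implementing the three identifier types described above (WS-Addressing MessageID, WS-Security UsernameToken nonce, custom XPath) with a replay duration window. This is an added example in Python, not the replay-filter.xsl style sheet; the namespace URIs assumed are the 2005/08 WS-Addressing and OASIS WSS 1.0 secext ones, and the sample envelopes are constructed.

```python
import time
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces assumed for the sample envelopes (WS-Addressing 2005/08 and the
# OASIS WS-Security 1.0 secext schema).
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


class ReplayFilter:
    """Caches the unique value of each message for `replay_duration` seconds
    and rejects any later message that presents the same value."""

    METHODS = ("wsa-message-id", "wsse-nonce", "custom-xpath")

    def __init__(self, method: str, replay_duration: float = 60.0,
                 xpath: Optional[str] = None):
        if method not in self.METHODS:
            raise ValueError(f"unknown replay method {method!r}")
        if method == "custom-xpath" and not xpath:
            raise ValueError("custom-xpath needs an ElementTree path expression")
        self.method = method
        self.replay_duration = replay_duration
        self.xpath = xpath
        self._seen: Dict[str, float] = {}   # value -> cache expiry time

    def extract_id(self, envelope: bytes) -> Optional[str]:
        """Pull the replay identifier out of the message, or None if absent."""
        root = ET.fromstring(envelope)
        if self.method == "wsa-message-id":
            node = root.find(f".//{{{WSA}}}MessageID")
        elif self.method == "wsse-nonce":
            node = root.find(f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Nonce")
        else:
            node = root.find(self.xpath)  # ElementTree's limited XPath subset
        if node is None or node.text is None or not node.text.strip():
            return None
        return node.text.strip()

    def check(self, envelope: bytes, now: Optional[float] = None) -> str:
        """Return 'accept' or 'reject: <reason>' for one request.

        `now` is injectable so the window can be exercised deterministically;
        production callers leave it at the monotonic clock.
        """
        now = time.monotonic() if now is None else now
        # Drop cache entries whose replay duration has elapsed.
        for value, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[value]
        try:
            ident = self.extract_id(envelope)
        except ET.ParseError as exc:
            return f"reject: not well-formed XML ({exc})"
        if ident is None:
            # A message without the identifier cannot be checked, so the
            # filter treats it as a failure rather than letting it through.
            return "reject: no replay identifier present"
        if ident in self._seen:
            return f"reject: replay of {ident}"
        self._seen[ident] = now + self.replay_duration
        return "accept"


def soap_with_message_id(message_id: str) -> bytes:
    """Constructed WS-Addressing sample request."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsa="{WSA}"><s:Header><wsa:MessageID>{message_id}'
            f'</wsa:MessageID></s:Header><s:Body><ping/></s:Body></s:Envelope>'
            ).encode()


def soap_with_nonce(nonce_b64: str) -> bytes:
    """Constructed WS-Security UsernameToken sample request."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}"><s:Header><wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce_b64}'
            f'</wsse:Nonce></wsse:UsernameToken></wsse:Security></s:Header>'
            f'<s:Body><ping/></s:Body></s:Envelope>').encode()


if __name__ == "__main__":
    f = ReplayFilter("wsa-message-id", replay_duration=60)
    msg = soap_with_message_id("urn:uuid:11111111-2222-3333-4444-555555555555")
    print(f.check(msg, now=0))     # accept
    print(f.check(msg, now=30))    # reject: replay ...
    print(f.check(msg, now=61))    # accept again, the window has elapsed
```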

Content-based routing

. Provides the ability to choose a back-end service at run time based on incoming message content
  - The service type must be dynamic back-end
. Example:
  - Route requests to different servers based on <state> value

[Diagram (DataPower configuration): a client sends a request to the AddressRouter XML firewall. A message containing <state>NC</state> is routed to the EastAddressSearch XML firewall and on to the EastAddressSearch Web service; a message containing <state>CA</state> is routed to the WestAddressSearch XML firewall and on to the WestAddressSearch Web service.]

Figure 5-24. Content-based routing

Notes:
The content-based routing example shown in this slide routes the message to separate
Web services based on the value of the <state> field in the message. The AddressRouter
XML firewall uses an XPath expression to extract the state value. If the value is "NC" (North
Carolina), an eastern state in the United States, the message is forwarded to the
EastAddressSearch XML firewall, which sends the message to the EastAddressSearch
Web service. If the value is "CA" (California), a western state in the United States, the
message is forwarded to the WestAddressSearch XML firewall, which forwards the
message to the WestAddressSearch Web service.

Route action configuration

. The Route action dynamically routes XML messages using:
  - Style sheet (default) - Routes by using a style sheet
  - XPath - Routes by using an XPath expression
  - Variable - Routes to a destination specified in a variable
. Dynamically specify the endpoint host address and port number

[Screenshot: Route (Using Stylesheet or XPath Expression) action with Selection Method options (Use Stylesheet to Select Destination, Use XPath to Select Destination, Use Variable to Select Destination) and a Routing Map field showing (none)]

Figure 5-25. Route action configuration

Notes:
The XPath Routing Map allows you to specify static destinations based on the evaluation of
an XPath expression.

The XSL style sheet used in a Route action can use the DataPower extension function
<dp:set-target> to set the endpoint.
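The XPath routing map described here, applied to the <state>-based example of Figure 5-24: an ordered list of expressions evaluated against the request, where the first match fixes the host, port and SSL flag that <dp:set-target> would receive. This is an added Python example, not appliance code; the host names, ports and sample messages are constructed placeholders, and the expressions use ElementTree's limited XPath subset.

```python
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional


class RouteEntry(NamedTuple):
    """One row of the routing map: if `match` selects a node, use host:port."""
    match: str        # ElementTree path expression (its limited XPath subset)
    host: str
    port: int
    ssl: bool = False


class Target(NamedTuple):
    """What a style sheet would pass to dp:set-target(host, port, isSSL)."""
    host: str
    port: int
    ssl: bool


# Constructed routing map for the AddressRouter example: an eastern state
# goes to the East service, a western state to the West service. Hosts and
# ports are placeholders, not values from the course.
ADDRESS_ROUTING_MAP: List[RouteEntry] = [
    RouteEntry(".//address[state='NC']", "east-search.example.internal", 2064),
    RouteEntry(".//address[state='CA']", "west-search.example.internal", 2065),
]


def select_target(message: bytes, routing_map: List[RouteEntry]) -> Optional[Target]:
    """Evaluate the map in order; the first expression that matches wins.

    Returns None when no entry matches (the caller should fail the request
    rather than guess a back end) or when the message is not XML at all.
    """
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return None
    for entry in routing_map:
        if root.find(entry.match) is not None:
            return Target(entry.host, entry.port, entry.ssl)
    return None


def route(message: bytes, routing_map: List[RouteEntry] = ADDRESS_ROUTING_MAP) -> str:
    """Human-readable routing decision for one request."""
    target = select_target(message, routing_map)
    if target is None:
        return "no route: rejecting request"
    return f"set-target host={target.host} port={target.port} ssl={target.ssl}"


def address_search(state: str) -> bytes:
    """Constructed sample request carrying a <state> element."""
    return (f"<addressSearch><address><street>1 Main St</street>"
            f"<state>{state}</state></address></addressSearch>").encode()


if __name__ == "__main__":
    for state in ("NC", "CA", "TX"):
        print(state, "->", route(address_search(state)))
```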

Style sheet programming with dynamic routing

. <dp:set-target(host, port, isSSL, sslProxyProfile)/>
  - Specify the back-end host, port, and optionally SSL
  - Cannot specify the protocol
. <dp:xset-target(XPath, XPath, XPath, sslProxyProfile)/>
  - Extended version of <dp:set-target> that evaluates attributes as XPath expressions
. <dp:url-open(...)/>
  - Opens a URL connection and places the response in the output named in the OUTPUT context

<dp:url-open target="http://example.com:2064/echo" response="xml">
  <xsl:copy-of select="."/>
</dp:url-open>

. dp:soap-call(url, msg, httpHeader, soapAction)
  - Sends a SOAP message and obtains a response from the call

Figure 5-26. Style sheet programming with dynamic routing

Notes:
The following is an example usage of dp:soap-call in an XSL style sheet. Set up a variable,
call, to contain the XML message. Use dp:soap-call() to send the message and save the
response in a variable, result.

<xsl:variable name="result" select="dp:soap-call('http://fn.com/test', $call)"/>

Use the dp:soap-fault extension function to generate a custom SOAP fault message.
The dp:http-request-header(headerFieldName) is a common extension function used
to extract an HTTP header from a message.

Example:

<xsl:variable name="SOAPAction" select="dp:http-request-header('SOAPAction')"/>

The SOAPAction parameter needs single quotes (') because the function expects an
XPath expression.

The equivalent of <dp:set-target>(...) can also be accomplished using
DataPower service variables. For example, to set the back-end URI in a style sheet, use
the following:

<dp:set-variable name="'var://service/routing-url'" value="'http://1.2.3.1:2060'"/>
<dp:set-variable name="'var://service/URI'" value="'/SomeBank/services/checking'"/>

The sslProxyProfile parameter is the name of a DataPower sslProxyProfile object.

See the XI50 3.6.1 Extensions-Common.pdf document for more information on these
extension functions.

Results action

. The Results action sends the document in the input context to:
  - Destination URL
  - Output context, if no destination URL is specified
. Results action is typically the last action in a rule
. Use the Results action in the middle of the rule to send results asynchronously
  - Select Asynchronous to send results to destination and continue processing in the rule

[Screenshot: Results action with Asynchronous on/off]

Figure 5-27. Results action

Notes:
The Results action is typically the last action in every rule, since it is used to return a
response at the end of the service policy. Make sure the input context contains the variable
with the document to return to the client.
The default Results action copies the input context to the output context.

Results asynchronous and multi-way results mode

. The Results Asynchronous action acts similarly to the Results action except that it:
  - Requires a destination URL
  - Does not wait for a response from the remote servers
. A Results action with a list of destinations is considered a multi-way Results action
  - Three options are given for the list: Attempt All, First Available, Require All
  - These options are in the Advanced tab

[Screenshot: Results Asynchronous action with Destination http://, Number of Retries 0 and Retry Interval 1000 msec; Results action with Destination http://, Output Type full, Asynchronous on/off, Multi-Way Results Mode set to First Available, and Number of Retries]

Figure 5-28. Results asynchronous and multi-way results mode

Notes:
A regular Results action can be set to asynchronous mode, which can be used in
conjunction with an Event Sink action to wait for the remote server response.

Attempt All sends the results in the input context to all destinations and succeeds even if
all of the remote servers fail.
First Available attempts each destination in order and stops with success after
successfully sending the input to at least one remote server.
Require All sends the input context to all destinations and fails if any of the remote servers
fail.
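The three multi-way modes from the notes, together with the Number of Retries and Retry Interval fields shown in the figure, worked through in Python. This is an added example with an injected sender standing in for the remote servers, not appliance code; the destination URLs are placeholders.

```python
import time
from typing import Callable, Dict, List

# A sender returns True when the destination accepted the message. In the
# appliance this is the HTTP call to each destination URL; here it is
# injected so the three modes can be exercised with constructed outcomes.
Sender = Callable[[str, bytes], bool]

MODES = ("attempt-all", "first-available", "require-all")


def send_multi_way(mode: str, destinations: List[str], payload: bytes,
                   send: Sender, retries: int = 0, retry_interval_ms: int = 0,
                   sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Deliver `payload` to a list of destinations under one multi-way mode.

    Returns {"status": "success"|"fail", "delivered": [...], "failed": [...]}.
    Each destination is attempted up to 1 + retries times, waiting
    retry_interval_ms between attempts (sleep is injectable for tests).
    """
    if mode not in MODES:
        raise ValueError(f"unknown multi-way results mode {mode!r}")

    def deliver(url: str) -> bool:
        for attempt in range(1 + retries):
            if send(url, payload):
                return True
            if attempt < retries and retry_interval_ms:
                sleep(retry_interval_ms / 1000.0)
        return False

    delivered, failed = [], []
    for url in destinations:
        if deliver(url):
            delivered.append(url)
            if mode == "first-available":
                break   # stop at the first destination that accepts
        else:
            failed.append(url)

    if mode == "attempt-all":
        status = "success"              # succeeds even if every server failed
    elif mode == "first-available":
        status = "success" if delivered else "fail"
    else:  # require-all
        status = "success" if not failed else "fail"
    return {"status": status, "delivered": delivered, "failed": failed}


class FlakySender:
    """Constructed stand-in for remote servers: `down` hosts always fail and
    `flaky` hosts fail once before accepting, which exercises retries."""

    def __init__(self, down=(), flaky=()):
        self.down = set(down)
        self.flaky = set(flaky)
        self.calls: List[str] = []

    def __call__(self, url: str, payload: bytes) -> bool:
        self.calls.append(url)
        if url in self.down:
            return False
        if url in self.flaky:
            self.flaky.discard(url)   # the next attempt succeeds
            return False
        return True


if __name__ == "__main__":
    urls = ["http://audit.example.internal/log",
            "http://backup.example.internal/log"]
    for mode in MODES:
        sender = FlakySender(down={urls[0]})
        print(mode, send_multi_way(mode, urls, b"<event/>", sender))
```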
Exporting an XML firewall configuration

. Export a .zip file of the XML firewall configuration
  - The saved configuration can be imported on another device
. Allows for a more productive way to manage multiple configurations

[Screenshot: Configure XML Firewall page with the Export button highlighted; General Configuration shows XML Manager default, Firewall Name EastAddressSearch, URL Rewrite Policy (none), Firewall Type Static Backend, and XML Firewall Service status [up]]

Figure 5-29. Exporting an XML firewall configuration

Notes:
Click the Export button to download a .zip file of the XML firewall configuration. The .zip
file only contains configuration data and files of the selected XML firewall service.

Use Administration > Export Configuration to have more control over the objects
and files that are exported.

Cloning an XML firewall configuration

. Cloning creates a "near-copy" of an existing XML firewall
  - Referenced objects such as a service policy are referenced but are not copied
  - Allows for an existing configuration to be duplicated and configured with minor changes

[Screenshot: Configure XML Firewall page with the Clone button highlighted; General Configuration shows XML Manager default, Firewall Name, Firewall Policy, URL Rewrite Policy (none), Firewall Type Static Backend, and XML Firewall Service status [up]]

Figure 5-30. Cloning an XML firewall configuration

Notes:
Use the Clone button to initiate the cloning process.
Since the XML firewall is a top-level object (no other objects depend upon it), you can
delete a firewall at any time. Deleting the XML firewall does not delete any of the objects
used by the firewall (such as the policy, for example).
Make sure to change the port number of the cloned XML firewall.

Troubleshooting an XML firewall configuration

. The System log is the first place to start your problem determination exercise
  - Select the "magnifying glass" icon to open the System log for entries on the selected XML firewall
. Logs are arranged in reverse chronological order
  - Latest information is at the top

[Screenshot: the XML firewall list showing AddressRouter (Local Address 0.0.0.0, Port 2050, Request/Response Type SOAP) with its Logs icon, and the System Log for XML Firewall Service it opens. Each entry carries a timestamp, the mgmt category, the notice priority and an event code; the recoverable entries, newest first, are:
0x00350014 xmlfirewall (LDAPTest): Operational state up
0x00350016 xmlfirewall (LDAPTest): Service installed on port
0x00350015 xmlfirewall (LDAPTest): Operational state down
xmlfirewall (LDAPTest): Service removed from port]

Figure 5-31. Troubleshooting an XML firewall configuration

Notes:
The system log opened by the XML firewall is a filtered version of the main system log,
which only shows events generated by your XML firewall.

Checkpoint

1. True or False: A service policy uses a validate action to schema validate SOAP messages against the SOAP schema.
2. Explain the differences between a Transform action and a Filter action.
3. What is the purpose of the request or response type of pass-thru in an XML firewall?

Figure 5-32. Checkpoint

Notes:

Write your answers here:

1.

2.

3.


Unit summary
Having completed this unit, you should be able to:

. List the features and functions of an XML firewall service
. Configure an XML firewall service on a WebSphere DataPower SOA Appliance

Figure 5-33. Unit summary

Notes:

Unit 6. Problem determination tools

What this unit is about

This unit describes the troubleshooting tools available for debugging
problems on the DataPower appliance. Several tools are available for
use depending on the nature of the problem, ranging from low-level
networking tools to probes that aid in debugging service policies. The
logging utilities are available for capturing information generated by
the DataPower objects.

What you should be able to do

After completing this unit, you should be able to:

. Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance
. Configure a multistep probe to examine detailed information about actions within rules
. List the problem determination tools available on the WebSphere DataPower SOA Appliance

How you will check your progress

. Checkpoint
. Problem determination steps in Exercise 4: Create an advanced XML firewall

.)

.)

.)
)

.)

.)
,.)

.)
i

.)
-)

)
.)
.J

.)

J
J
\)

J
J

Copyright IBM Corp.

2009

Unit 6. Problem determination tools

6-1

Coulse materals may not be reproduced in whole or in part


wthout the pror wrtten permission of lBM.
El color azul de la impresin garar,Iiza la autenticidad de este documento
@ Copyrighl

Unit objectives

After completing this unit, you should be able to:
. Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance
. Configure a multistep probe to examine detailed information about actions within rules
. List the problem determination tools available on the WebSphere DataPower SOA Appliance

Figure 6-1. Unit objectives

Notes:

6-2 Accelerate, Secure and Integrate with DataPower

Problem determination tools

After completing this topic, you should be able to:
. List the tools available for troubleshooting traffic and service policies on the DataPower appliance
. Configure the multistep probe to analyze message flow within a service policy

Figure 6-2. Problem determination tools

Notes:

Unit 6. Problem determination tools 6-3

Common problem determination tools

. Default system log
  - Displays system-wide log messages
  - Log messages can be filtered by object and priority
. Audit log
  - Displays changes to the configuration of the appliance and to files stored on the appliance
. Multistep probe
  - Displays actions, messages, and variable values as a processing rule executes
. Object status
  - Displays the current operational status of all objects in the domain
  - Select Status > Main > Object Status
. Ping remote
  - Pings a remote host to test connectivity
. TCP connection test
  - Creates a TCP connection to a remote destination to test connectivity
. Send test message
  - Builds and sends a SOAP request for testing
  - Select Administration > Debug > Send a Test Message

Figure 6-3. Common problem determination tools

Notes:

6-4 Accelerate, Secure and Integrate with DataPower

Appliance status information

. File system information
  - Displays available encrypted, unencrypted, and temporary space for file storage
  - Status > System > Filesystem
. CPU usage
  - Displays the percentage of CPU usage over several intervals
  - Status > System > CPU Usage
. System usage
  - Displays load and work queue status
  - Status > System > System Usage

(Screenshot: the Filesystem, CPU Usage, and System Usage status pages, showing free and total encrypted, temporary, and internal space, CPU usage per interval, and the load and work list values.)

Figure 6-4. Appliance status information

Notes:
It is a recommended practice to check the appliance's file system for available space. The logging system can fill up the available file storage space, which prevents the system from writing log entries. This situation in turn prevents the system from processing messages.

Temporary space is used by the appliance for processing, logging, and debugging. Internal space is used for import, export, firmware upgrades, and debug data.

System usage indicates the current load on the machine and the length of the work queue. If the machine suddenly slows down or becomes unresponsive, this may be one possible reason. If the system has a throttle in place, high memory usage (load) may be causing the throttle to refuse connections.

Unit 6. Problem determination tools 6-5

Troubleshooting panel

. The Troubleshooting page contains the following tools:
  - Ping Remote
    . Pings a remote host address
  - TCP Connection Test
    . Creates a TCP connection to a remote destination to test connectivity
  - Packet Capture (default domain only)
    . Captures network packets to and from the appliance
  - View System Log and generate log messages
    . Specifies the log level of messages to record
    . Generates log messages for testing log targets
  - Error Report
    . Includes the running configuration and relevant system log entries for errors
    . E-mails the error report to an e-mail address
  - XML File Capture (default domain only)
    . Captures inbound XML files submitted to the appliance
  - Probe
    . Enables or disables probes on services

Figure 6-5. Troubleshooting panel

Notes:
The best tool to use first when a problem occurs often depends on how the appliance is being used at the time.

During the development phase, the default system log is often the best place to start, followed by use of the multistep probe.

During the testing phase, generating an error report (which contains the running configuration of the appliance and the relevant log entries) is an excellent first step, followed by use of the multistep probe.

During the production phase, first check the system usage for load and work lists, then the object status for objects that have transitioned to the down state, and finally the default system log.

A report to DataPower support should contain a generated error report.

6-6 Accelerate, Secure and Integrate with DataPower

Troubleshooting: Network connectivity

. Use the Ping Remote tool to test connectivity to a remote host
  - Enter an IP address or host name and click Ping Remote.
. Use the TCP Connection Test to test connectivity to a remote destination
  - Enter the remote host and remote port and click TCP Connection Test.

Figure 6-6. Troubleshooting: Network connectivity

Notes:
The first test you should perform when you cannot access the back-end application server is to ping the remote server from the DataPower appliance to make sure it is up and accessible.

Unit 6. Problem determination tools 6-7

Troubleshooting: Packet capture

. Available in the default domain only
. Captures the IP packets sent to and from the appliance
  - Captures the full network-level exchange between the appliance and other endpoints
  - Captured in pcap format
  - Tools such as Ethereal can be used to view the traffic in detail
. Useful when troubleshooting network connectivity, TCP sequencing, or other network-level problems
. The packet capture file is available from the temporary: directory

(Screenshot: the Packet Capture section with Start Packet Capture and Stop Packet Capture buttons, the interface, timed duration in seconds, and maximum size in KB settings, and a "New Packet Capture Available for Downloading" link.)

Figure 6-7. Troubleshooting: Packet capture

Notes:
In the Troubleshooting Web page, scroll down to the packet capture section. Click the Packet Capture icon to begin the capture. A dialog box confirms the action. When the capture is complete, a Download Packet Capture icon appears on the Troubleshooting page.

You can control the network interface to monitor, the duration of monitoring, and the number of KB that can be captured.

The pcap format is expected by DataPower support when a PMR is opened.

Before installing a packet capture tool, such as Wireshark (which used to be Ethereal), make sure you have the necessary permission from your network staff.

Restarting the device automatically turns off packet capture.

6-8 Accelerate, Secure and Integrate with DataPower

Troubleshooting: Generate error report

. Generate an error report and send it to an e-mail address
  - An error report is required when engaging IBM DataPower support
  - The error report file is created in the temporary: directory
. The error report contains:
  - Current configuration
  - Current contents of the system log
  - Contents of the CLI log

(Screenshot: the Reporting section with a Generate Error Report button, an "Error Report Available for Viewing" link, an Include Internal State option, and an SMTP server field with a Send button.)

Figure 6-8. Troubleshooting: Generate error report

Notes:
Click the Generate Error Report button. A dialog window asks for confirmation and indicates the location of the resulting file.

If an error report is available, an icon appears that allows immediate access to the file.

Unit 6. Problem determination tools 6-9

Troubleshooting: Send a test message

. Control Panel > ADMINISTRATION > Debug > Send a Test Message
. Builds a SOAP request with a customized header, content, and body that is used for testing
  1. A URL can be generated using the different helpers
  2. Request headers can be added
  3. A request body can be typed or pasted here
  4. The response (response code, response headers, and response body) is displayed here

Figure 6-9. Troubleshooting: Send a test message

Notes:
Using the Send a test message tool versus cURL

The test message tool is a quick and useful tool for creating SOAP requests, and it can be used in place of open source tools like cURL. However, when using the test message tool, you cannot simply upload a file to the DataPower box to send; you need to copy and paste text. You also cannot persist the test message after it has been created, which is an advantage of tools like cURL that can send files directly from the file system.

6-10 Accelerate, Secure and Integrate with DataPower

Troubleshooting: System log

. Displays system-wide log messages generated by the appliance
  - Click the View Logs icon in the Control Panel.
  - In the Troubleshooting panel, scroll down to the Logging section
    . Click View System Logs
. By default, log messages are only captured with a severity of notice or greater
  - Log levels are hierarchical
    . Highest severity (emergency) is at the top of the list
    . Each level captures messages at or above the current level
  - To enhance troubleshooting, set the log level to debug
    . Lowest severity (debug) captures the most information

(Screenshot: the log level drop-down listing emergency, alert, critical, error, warning, notice, info, and debug, and the notice "Debug-Level Logging is enabled, which impacts performance. Manage debug settings".)

Figure 6-10. Troubleshooting: System log

Notes:
The highest priority is emergency and the lowest priority is debug.

The target will only capture messages at or above the configured level. For example, the error level captures messages at the error, critical, alert, and emergency levels. To capture all messages, set the log level to debug.

Setting the level to either info or debug causes a blue Troubleshooting Enabled notice to appear on all WebGUI pages.

Unit 6. Problem determination tools 6-11

Filtering system log

. In the default domain, the system log shows all log entries
  - In non-default domains, log entries are only shown for the objects in that domain
. Filter the system log by:
  - Log Target
  - Domain (shown only in the default domain)
  - DataPower objects (xmlfirewall, ws-proxy, and more)
  - Log level type (debug, info, and more)

(Screenshot: the System Log page with Log Target, Domain, Object, and Log level filters; the visible entries include a mgmt notice with event code 0x8100003f, "Domain configuration has been modified", and an auth notice with event code 0x81000033 from user (admin), "User logged into ...".)

Figure 6-11. Filtering system log

Notes:
The system log is defined as a log target. A log target receives the log entries that objects post. Each domain always has a log target called default-log that represents the default system log. Additional log targets can be defined and customized with the log entries from objects to post.

The most recent log entries are shown at the top of the system log. The logs can be sorted by the categories listed at the top.

6-12 Accelerate, Secure and Integrate with DataPower

Troubleshooting: Generate Log Event

. Use the Generate Log Event tool to test whether:
  - Log messages are generated in the appropriate log target on the appliance
    . The default system log captures all log messages
  - Log messages are sent to a remote host when off-box logging is used
. Configure log messages with the following:
  - Log Type: Object class or category
  - Log Level: Debug, info, and more
  - Log Message: String inside the log message
  - Event Code: For generating an event code-based message

(Screenshot: the Generate Log Event form with Log Type, Log Level (notice), Log Message, and Event Code fields.)

Figure 6-12. Troubleshooting: Generate Log Event

Notes:
The system log captures log messages from all objects. Log targets can be configured to capture messages from specific objects. To test these types of log targets, the Generate Log Event tool is an excellent test tool.

Unit 6. Problem determination tools 6-13

Troubleshooting: XML File Capture

. Captures XML messages from any service
  - XML messages that services cannot parse can also be captured
. File capture can fill the available storage space
  - Files are cycled FIFO
  - A maximum of 5000 files or 200 MB can be captured
  - Stored in compressed format
  - Supported by using a RAM disk
. XML File Capture should only be enabled in test environments
  - Significant performance penalties are incurred when the mode is set to always or errors
. Default domain only

(Screenshot: the XML File Capture section with a Mode setting (None) and a View File Capture link.)

Figure 6-13. Troubleshooting: XML File Capture

Notes:
To support file capture, the DataPower system creates a RAM disk to store a WebGUI-accessible virtual file system. A RAM disk is a segment of RAM memory used for secondary storage.

The XML file capture tool is only available in the default domain.

6-14 Accelerate, Secure and Integrate with DataPower

Troubleshooting: Multistep probe

. Displays the life cycle of the message as it executes in a processing rule
  - Information is captured after the processing rule executes
. Aids in debugging processing rules
  - Step-by-step debugging to view message content after execution of each action in the processing rule
  - Should only be enabled in a test environment since it impacts appliance performance

(Diagram: a time line with the probe disabled, then enabled, then disabled again, while four messages arrive.)

Figure 6-14. Troubleshooting: Multistep probe

Notes:
In the diagram on the slide, four messages are sent to the probe. Only message 2 and message 3 are captured. The probe functions like a recorder. When the probe is enabled, it starts recording messages that enter the appliance. Once the probe is disabled, recording stops; no more messages are captured by the probe.

The multistep probe can be used to view:
. Action execution trace
. Message content
. Header values
. Attachments
. Variable values (local, global, service)

Unit 6. Problem determination tools 6-15

Troubleshooting: Enabling the multistep probe

. Two ways to enable a probe for a service:
  - Select the Debug Probe tab in the Troubleshooting panel
    . Use the Add Probe button to add a multistep probe for that service
  - On the service configuration page, click the Show Probe button to open the multistep probe window
    . Enable the probe inside the multistep probe window

(Screenshots: the Debug Probe tab with its Add Probe button, and the Configure XML Firewall page with its Show Probe button.)

Figure 6-15. Troubleshooting: Enabling the multistep probe

Notes:
Probes are enabled for the following services:
. XSL proxy and XSL coprocessor
. XML firewall
. Multi-protocol gateway
. Web service proxy
. WebSphere MQ proxy and WebSphere MQ host

6-16 Accelerate, Secure and Integrate with DataPower

Multistep probe window

. Enable the probe in the multistep probe window
  - Start sending messages to the service
  - Click Refresh in the multistep probe window
  - Examine the captured request and response rule processing results

(Screenshot: the multistep probe window with Enable Probe, Disable Probe, Refresh, Flush, Export Capture, View Log, and Send Message controls, and a table of captured transactions with trans#, type, inbound-url, and outbound-url columns; one request is shown with an error.)

Figure 6-16. Multistep probe window

Notes:
The multistep probe window opens with the probe disabled when you enable the probe from the service configuration page.

Rules that generate an error while executing are displayed in red text inside the multistep probe window.

The Flush button clears the requests inside the multistep probe window.

Restarting the appliance disables all probes.

Unit 6. Problem determination tools 6-17

Multistep probe content

(Screenshot: the "'INPUT' of Step 1" view with Previous and Next buttons. Step 1 is a Transform action with Input=INPUT, Transform=local:///Address-EastRenameNamespace.xsl, Output=tempv11, OutputType=default, Transactional=off, SOAPValidation=body, SQLSourceType=static. Tabs show Content, Attachments, Headers, Local Variables, Global Variables, and Service Variables; the content of context 'INPUT' is a SOAP envelope whose body holds a findLocation request with an empty city element and a state of NC. A link selects unformatted content.)

. View the message content as it traverses each action
  - Each action has an input and output message that can be viewed by clicking the magnifying glass
. Message content
. Protocol headers and message attachments
. Local, global, and service variables
. Actions that are executed by the processing rule

Figure 6-17. Multistep probe content

Notes:
The magnifying glass to the left of the action represents the input message. The magnifying glass to the right of the action is the result of executing that action.

Click the Next and Previous buttons to view the message step by step as it is executed by the processing rule.

The local, context, global, and service variables are DataPower variables generated by the appliance.

6-18 Accelerate, Secure and Integrate with DataPower

Problem determination with cURL

. Use cURL with the -v option to output more information to trace client-side errors
  - This option is independent of the DataPower appliance troubleshooting tools
. Use the --trace or --trace-ascii options with a file name to write the logging data
  - Provides additional details on the client/server interaction
. Sample tracing with cURL:

  curl --trace-ascii trace1.txt -D headers1.txt -H "Content-Type: text/xml" -d @AddressReq.xml http://dpedu1:2064

Figure 6-18. Problem determination with cURL

Notes:
The -v verbose flag produces a lot of information output. It allows the user to see all of the client/server interaction.

Unit 6. Problem determination tools 6-19

Communicating with DataPower support

. Contact DataPower support for any technical issues with the appliance
  - To contact the support team by e-mail, use the address: csupport@us.ibm.com
. Use the troubleshooting panel to supply DataPower support with the following files:
  - Generate an error report
  - Save the running configuration to a file using a Configuration Checkpoint

Figure 6-19. Communicating with DataPower support

Notes:
For a comprehensive list of all the information required to communicate with support, see http://www.ibm.com/support/docview.wss?rs=2362&uid=swg21236322

For detailed information on how to perform the steps to generate the files required by support, see http://www.ibm.com/support/docview.wss?uid=swg21235587

6-20 Accelerate, Secure and Integrate with DataPower

Topic summary

Having completed this topic, you should be able to:
. Identify a troubleshooting strategy to use when debugging problems on the DataPower appliance
. Use the multistep probe to debug service policies

Figure 6-20. Topic summary

Notes:

Unit 6. Problem determination tools 6-21

Log targets

After completing this topic, you should be able to:
. Create log targets to capture messages generated by objects on the appliance
. Use the Log action in a service policy to log the entire message

Figure 6-21. Log targets

Notes:

6-22 Accelerate, Secure and Integrate with DataPower

Logging basics

. The logging system is based on the publish/subscribe model
  - Objects publish events
  - Subscribers subscribe to events of interest
. The DataPower logging system uses log targets as subscribers and log events (generated by objects) as publishers
. Logs can be written on-device or off-device
  - On-device logs can be moved off-device (SFTP, SCP, HTTP, SHTTP)
  - Off-device support for syslog, syslog-ng, SNMP

Figure 6-22. Logging basics

Notes:
Log files can be encrypted or signed for additional security.

Objects that generate log messages have different priorities. These messages range from extremely verbose debugging to the more infrequent critical or emergency level messages.

Unit 6. Problem determination tools 6-23

Available log levels

. List of log levels for the system log:
  - Emergency - System is unusable.
  - Alert - Action must be taken immediately.
  - Critical - Critical condition.
  - Error - An error has occurred. The error code is included.
  - Warning - A warning condition has occurred. Nothing may be wrong, but conditions indicate a problem may occur soon if nothing changes.
  - Notice - A normal but significant condition applies.
  - Info - An informational message only.
  - Debug - Debug-level messages. This level generates a lot of messages.

(Screenshot: the Set Log Level panel with a Log Level drop-down, Enable Internal Logging (off), and Enable RBM Debug (off), next to a View System Logs link.)

Figure 6-23. Available log levels

Notes:
The default system log is set up as a log target that subscribes to all events generated by the appliance.

Log targets only capture messages at or above the configured level.

This input sets the level at which the default system log captures messages.

Enable Internal Logging and Enable RBM Debug are available in the default domain only.

6-24 Accelerate, Secure and Integrate with DataPower

Log targets

. Log targets subscribe to log messages posted by the various running objects.
  - Create a log target by selecting ADMINISTRATION > Miscellaneous > Manage Log Targets.
. Log target subscription can be restricted to:
  - Object filters - Events specific to an instance of an object
  - Event category - Events generated by any object
  - Event priority - Events generated by objects of a specific class and message priority

(Diagram: objects such as an XML firewall, a WS-Proxy, and AAA publish Event1, Event2, and Event3; an HR log target and a Finance log target subscribe to those events.)

Figure 6-24. Log targets

Notes:
The diagram in the slide shows two log targets, an HR and a Finance log target. These log targets subscribe to certain types of events that are generated or published by objects on the DataPower appliance.

Use the Generate Log Event tool in the Troubleshooting panel to test whether log messages are captured by log targets.

Unit 6. Problem determination tools 6-25

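To make the publish/subscribe model of this slide concrete, the following Python model (added for these notes; it is not DataPower code and does not talk to an appliance) shows log targets subscribing by event category, minimum level, and object filter, the "at or above the configured level" rule from the Available log levels slide, and the level/object filtering of the Filtering system log slide. The HR and Finance targets follow the diagram; the object names HRAddressFW and FinanceFW and the 0x0000000n event codes are constructed for the example.

```python
"""Publish/subscribe model of DataPower log targets (added example, not IBM code).

Plain Python, no appliance involved: the eight log levels, the "at or above
the configured level" rule, event-category subscriptions, object filters and
event-code suppression. Codes 0x8100003f and 0x81000033 come from the System
Log screenshot; every other code, object and target name is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Log levels, highest severity first (Available log levels slide).
LOG_LEVELS = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
_RANK: Dict[str, int] = {lvl: i for i, lvl in enumerate(LOG_LEVELS)}


def at_or_above(level: str, configured: str) -> bool:
    """True when `level` is at or above `configured` (error captures error..emergency)."""
    return _RANK[level] <= _RANK[configured]


@dataclass(frozen=True)
class LogEvent:
    """One event published by an object on the appliance."""
    category: str     # event category: auth, mgmt, xmlfirewall, ...
    obj_class: str    # class of the publishing object
    obj_name: str     # instance name of the publishing object
    level: str
    event_code: str   # e.g. "0x8100003f"
    message: str


@dataclass
class LogTarget:
    """A subscriber that keeps the events passing its subscriptions and filters."""
    name: str
    subscriptions: Dict[str, str]   # category -> minimum level; "all" matches any category
    object_filters: Set[Tuple[str, str]] = field(default_factory=set)  # allowed objects
    suppressed_codes: Set[str] = field(default_factory=set)  # event suppression filter
    entries: List[LogEvent] = field(default_factory=list)

    def accepts(self, ev: LogEvent) -> bool:
        """Apply the suppression filter, the object filter, then the level rule."""
        if ev.event_code in self.suppressed_codes:
            return False
        if self.object_filters and (ev.obj_class, ev.obj_name) not in self.object_filters:
            return False
        min_level = self.subscriptions.get(ev.category, self.subscriptions.get("all"))
        return min_level is not None and at_or_above(ev.level, min_level)


def publish(targets: List[LogTarget], ev: LogEvent) -> List[str]:
    """Deliver one event to every target; return the names of those that captured it."""
    captured = []
    for target in targets:
        if target.accepts(ev):
            target.entries.append(ev)
            captured.append(target.name)
    return captured


def filter_log(target: LogTarget, level: Optional[str] = None,
               obj_class: Optional[str] = None) -> List[LogEvent]:
    """View a target's entries by level and object class, most recent first."""
    return [e for e in reversed(target.entries)
            if (level is None or at_or_above(e.level, level))
            and (obj_class is None or e.obj_class == obj_class)]


def build_targets() -> Dict[str, LogTarget]:
    """default-log plus the HR and Finance targets of the Log targets diagram."""
    return {
        # the default system log: every category, notice or more severe
        "default-log": LogTarget("default-log", {"all": "notice"}),
        # HR keeps everything, even debug, but only from its own XML firewall object
        "hr-log": LogTarget("hr-log", {"xmlfirewall": "debug"},
                            object_filters={("xmlfirewall", "HRAddressFW")}),
        # Finance keeps auth events from info upward, minus the login event code
        "finance-log": LogTarget("finance-log", {"auth": "info"},
                                 suppressed_codes={"0x81000033"}),
    }


def sample_events() -> List[LogEvent]:
    """Constructed events; the 0x0000000n codes are placeholders, not DataPower codes."""
    return [
        LogEvent("mgmt", "domain", "default", "notice", "0x8100003f",
                 "Domain configuration has been modified"),
        LogEvent("auth", "user", "admin", "notice", "0x81000033", "User logged in"),
        LogEvent("auth", "user", "admin", "info", "0x00000001", "User session refreshed"),
        LogEvent("xmlfirewall", "xmlfirewall", "HRAddressFW", "debug", "0x00000002",
                 "Transform action input captured"),
        LogEvent("xmlfirewall", "xmlfirewall", "FinanceFW", "error", "0x00000003",
                 "Connection to back-end server failed"),
    ]


def demo() -> Dict[str, List[str]]:
    """Publish the sample events; map each event code to the targets that captured it."""
    targets = list(build_targets().values())
    return {ev.event_code: publish(targets, ev) for ev in sample_events()}
```

Running demo() shows that only default-log sees the mgmt and error events, only hr-log sees the debug event from HRAddressFW, and the suppressed login code never reaches finance-log.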
Log target configuration

. Configuring log target tabs
  - Main
    . Target type
  - Event Filters
    . Can restrict messages by event code
  - Object Filters
    . Can restrict the messages that appear in a target by object
  - Event Subscriptions
    . Subscribed to event categories or object class
    . Predefined event categories are: auth, mgmt, xslt, and more
    . Categories have a priority level
    . A log target needs to subscribe to at least one event category

(Screenshot: the Configure Log Target page, Main tab, with Name, Admin State (enabled/disabled), Comments, Target Type (File), Log Format (XML), Timestamp Format (syslog), Log Size (in KB) 50, File Name, Rotate, Archive Mode, Number of Rotations, Signing Mode (on/off), Encryption Mode (on/off), Feedback Detection (on/off), Identical Event Detection (on/off), and Backup Log (none).)

Figure 6-25. Log target configuration

Notes:

6-26 Accelerate, Secure and Integrate with DataPower

Nine log target types

. A log target's Target Type field supports the following values:
  - Cache: Writes log entries to system memory
  - Console: Writes log entries to a Telnet, SSH, or CLI screen
  - File: Writes log entries to a file on the device flash
  - NFS: Writes log entries to a file on an NFS mount
  - SMTP: Forwards log entries as e-mail to configured addresses
  - SNMP: Forwards log entries as SNMP traps
  - SOAP: Forwards log entries as SOAP messages
  - syslog: Forwards log entries to a remote syslog daemon
  - syslog-ng: Forwards log entries to a remote syslog daemon, can be over SSL

Figure 6-26. Nine log target types

Notes:
The log entries stored in a local or NFS file can be rotated, e-mailed, or uploaded to other locations. The entire file can also be encrypted and signed.
SNMP is a network protocol that allows for the exchange of management information between network devices. This protocol is included in the TCP/IP protocol suite.
Syslog is the format and protocol used to send messages over TCP or UDP to a syslog daemon (syslogd). It allows log messages to be collected from many applications.

Syslog-NG (New Generation) is a replacement for the syslog daemon.

Event filters

. In the Configure Log Target Web page, select the Event Filters tab
. Event filters create filters for a log target based on event codes
  - Use the Event Subscription Filter to subscribe to specific event codes
  - Use the Event Suppression Filter to exclude certain event codes from being written to the log target
  - Click the Select Codes button to add event codes to the Event Code value list
(Screenshot: Configure Log Target page, Event Filters tab, showing the Event Subscription Filter and Event Suppression Filter; the Select Codes dialog lists event codes with their category, severity and message, for example crypto events such as "HSM credentials not found" and "Microcode load failed")

Figure 6-27. Event filters

Notes:
You can subscribe the current log target to particular event code categories. Some example event codes include out of memory, failed to install on local port, and more.

These event codes are DataPower-specific event conditions.

Object filters

. In the Configure Log Target Web page, select the Object Filters tab
. Object filters allow only those messages generated by selected objects to be written to a log target
. It is possible to create a log target that only collects log messages for a particular class of objects
  - Example: AAA policy object called MyTest

Editing Object Filters property

of Log Target
'l

t,p&

AAA Policy

object Type

t(

Object

MyTest

Name

/Voo

Add

eI

Referenced

)+*

^ on fi, off

Objects

(-Ct

seve

cncet
@

Copyrght IBM Corporation 2009

Figure 6-28. Object filters

w8555 / V85552.0

Notes:
The object filter is more specific than the object class name. This filter collects log messages of a particular instance of a class.
For example, a log target would collect messages from an XML firewall named MyFirewall and not from all XML firewall instances.

Event subscriptions

. In the Configure Log Target Web page, select the Event Subscriptions tab
. Log targets subscribe to particular event categories
. Example event categories:
  - xmlfirewall: For XML firewall objects
  - auth: Authorization
  - mgmt: For configuration management events
. A priority level can be specified for each event category that is chosen
  - Additional level of filtering

(Screenshot: Adding new Event Subscriptions property of Log Target, with Event Category set to xmlfirewall, Minimum Event Priority set to debug, and Save and Cancel buttons)

Figure 6-29. Event subscriptions

Notes:
Event category is the same term used to describe an object's class name.

At least one event category must be defined for a log target to capture messages.
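How the settings on the Event Filters, Object Filters and Event Subscriptions tabs (Figures 6-25 to 6-29) combine to decide which events a log target writes can be modelled in a few lines. The Python below is an added illustration, not the appliance's firmware; the order in which it applies the filters, the sample events and their event codes are assumptions made for the example.

```python
"""Model of the filtering a DataPower log target applies before it writes an
event: event subscriptions (category plus minimum priority), the event code
subscription and suppression filters, and object filters.  Added illustration
only: the precedence between the filters is an assumption, and every sample
event below is constructed."""
from dataclasses import dataclass, field

# DataPower log priorities, most severe first
PRIORITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "information", "debug"]


@dataclass
class LogEvent:
    category: str       # event category, e.g. "auth", "mgmt", "xmlfirewall"
    priority: str       # one of PRIORITIES
    code: str           # event code (the values used here are constructed)
    object_class: str   # class of the object that raised the event
    object_name: str    # instance name of that object
    text: str


@dataclass
class LogTarget:
    """subscriptions maps an event category (or the catch-all "all") to the
    minimum priority the target wants to see for that category."""
    subscriptions: dict
    subscribed_codes: set = field(default_factory=set)   # Event Subscription Filter
    suppressed_codes: set = field(default_factory=set)   # Event Suppression Filter
    object_filters: set = field(default_factory=set)     # {(object_class, object_name)}

    def accepts(self, ev: LogEvent) -> bool:
        # A target with no event subscription never captures anything.
        if not self.subscriptions:
            return False
        # Category match: the event's own category, else the "all" category.
        minimum = self.subscriptions.get(ev.category,
                                         self.subscriptions.get("all"))
        if minimum is None:
            return False
        # Lower index means more severe; the event must be at least as severe
        # as the subscription's minimum priority.
        if PRIORITIES.index(ev.priority) > PRIORITIES.index(minimum):
            return False
        # Event code filters: an explicit subscription list acts as a
        # whitelist, and a suppressed code is always dropped.
        if self.subscribed_codes and ev.code not in self.subscribed_codes:
            return False
        if ev.code in self.suppressed_codes:
            return False
        # Object filters restrict the target to named object instances.
        if self.object_filters and \
                (ev.object_class, ev.object_name) not in self.object_filters:
            return False
        return True


def collect(target: LogTarget, events: list) -> list:
    """Return the text of every event the target would write."""
    return [ev.text for ev in events if target.accepts(ev)]


# Constructed sample events (codes and object names are made up).
SAMPLE_EVENTS = [
    LogEvent("xmlfirewall", "error", "0x00c30001", "XMLFirewallService",
             "MyFirewall", "MyFirewall: backend connection failed"),
    LogEvent("xmlfirewall", "debug", "0x00c30002", "XMLFirewallService",
             "MyFirewall", "MyFirewall: processing rule started"),
    LogEvent("xmlfirewall", "error", "0x00c30001", "XMLFirewallService",
             "OtherFirewall", "OtherFirewall: backend connection failed"),
    LogEvent("auth", "error", "0x01a40003", "AAAPolicy",
             "MyTest", "MyTest: authentication failed"),
    LogEvent("mgmt", "notice", "0x00b20004", "Domain",
             "default", "configuration saved"),
]

# Target 1: xmlfirewall events of priority notice or worse and auth events of
# priority warning or worse, but only from two named object instances.
FIREWALL_TARGET = LogTarget(
    subscriptions={"xmlfirewall": "notice", "auth": "warning"},
    object_filters={("XMLFirewallService", "MyFirewall"), ("AAAPolicy", "MyTest")},
)

# Target 2: every event at error or worse, except one suppressed event code.
ERRORS_TARGET = LogTarget(
    subscriptions={"all": "error"},
    suppressed_codes={"0x00c30001"},
)

if __name__ == "__main__":
    for name, target in (("firewall", FIREWALL_TARGET), ("errors", ERRORS_TARGET)):
        print(name, collect(target, SAMPLE_EVENTS))
```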

Log action

. The Log action sends the contents of the input context to a destination URL
  - Used to log the entire message instead of creating a log entry
  - Configure the following:
    . Destination: Must be a valid URL to either a local file or a remote destination
    . Log Level: Log priority
    . Log Type: Event category
    . Asynchronous
    . Output

(Screenshot: Configure Log Action form with Input (auto), Log Destination (an example.com/logging URL), Log Level (notice), Log Type, Asynchronous (on/off) and Output fields)

Figure 6-30. Log action

Notes:
The response to the action, if any, is stored in the output context, if one is specified.
If no output context is specified, the Log action sends the contents and does not wait for a response.
An output context should be specified on the Log action if the policy administrator wishes the failure of the Log action in a policy rule to cause an error condition in the processing of the rule.
Physical log files can be stored on the appliance using logtemp:///<filename>. You can use the file management utilities to copy or view this file.

Topic summary
Having completed this topic, you should be able to:

. Create a log target to capture a customized set of log messages
. Configure a Log action in a service policy

Figure 6-31. Topic summary

Notes:

Checkpoint

1. How would you test a log target?
2. A client cannot connect to the XML firewall service. List the steps to troubleshoot this problem.
3. List two options for storing logs off-device.

Figure 6-32. Checkpoint

Notes:
Write your answers here
1.

2.
3.

Unit summary
Having completed this unit, you should be able to:

. Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance
. Configure a multistep probe to examine detailed information about actions within rules
. List the problem determination tools available on the WebSphere DataPower SOA Appliance

Figure 6-33. Unit summary

Notes

Unit 7. Handling errors in a service policy

What this unit is about


It is expected that errors will occur as a message is processed by the service policy. The developers of service policies need to plan for error handling within the rules of the policy. In this unit, you will learn to use the On Error action and Error rule, and how the service policy selects error handling.

What you should be able to do

After completing this unit, you should be able to:

. Configure an On Error action in a service policy
. Configure an Error rule in a service policy
. Describe how On Error actions and Error rules are selected during error handling

How you will check your progress

. Checkpoint
. Exercise 5: Adding error handling to a service policy
Unit objectives
After completing this unit, you should be able to:
. Configure an On Error action in a service policy
. Configure an Error rule in a service policy
. Describe how On Error actions and Error rules are selected during error handling

Figure 7-1. Unit objectives

Notes:
Error handling constructs

. Default error handling procedure is to abort the current document processing rule and log an error message
. Two methods for handling errors:
  - On Error action
    . Provides the ability to either abort or continue processing
    . If continue, then the next action in the rule is executed; otherwise, the rule is aborted
  - Error rule
    . Automatically executes if it is configured within the document processing policy
    . Presence of an On Error action precludes the automatic selection of an error rule for execution

Figure 7-2. Error handling constructs

Notes:
These error handling constructs are used to handle errors that occur during execution of a
service policy.

Configure an On Error action

. The On Error action is used to control what happens when an error is encountered within the rule
  - Optional: Execute a named rule to handle the error condition
. Configure the following within an On Error action:
  - Error mode:
    . Cancel: Stop executing the current rule
    . Alternative: Invoke an alternative processing rule
    . Continue: Continue with the next sequential action
  - The Processing Rule field specifies either of:
    . An error rule to execute
    . A custom variable for the processing rule
  - Use the Var Builder to create a custom variable

(Screenshot: Configure On Error action form with Error Mode, Processing Rule (with a Var Builder button), Error Input (none), Error Output (none) and Asynchronous fields, and Done and Cancel buttons)

Figure 7-3. Configure an On Error action
Notes:
To configure an On Error action, execute the following steps:

1. Drag the Advanced icon to the rule configuration path.
2. Double-click the Advanced icon.
3. In the Configure Action page, select On Error and click Next.
4. Configure the On Error action. Click Done.

The Error Input and Error Output contexts in an On Error action provide the context for the actions within the error rule (if selected).

Use the context OUTPUT in the Error Output field to return the error message to the client.

Creating an error rule

. Error rules are used to handle errors in the request or response rule
. Automatically executes when configured in a service policy
. Can be used to log or send a custom error message to the client
  - Use the Log action to log the entire message
  - Use the Transform action to build a custom error message

(Screenshot: Configure Policy page with a new rule whose Rule Direction is set to Error (the other choices being Client to Server and Server to Client), the Create Reusable Rule and Delete Rule buttons, and the action palette: Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, Results, Advanced)

Figure 7-4. Creating an error rule

Notes:
The rule direction (request or response) does not apply to an error rule; it can execute on either the request or the response rule.

Configure Transform action in error rule

. Use the Transform action to build custom error messages in an error rule
. Transforms error messages generated by the appliance into a custom error

(Screenshot: Configure Transform Action form, Basic tab, with Input (INPUT), Document Processing Instructions (Use XSLT specified in this action on non-XML message / Use XSLT specified in this action / Use XSLT specified in XML document processing instructions), Processing Control File (local:/// URL), URL Rewrite Policy (none), Asynchronous (on/off) and Output (OUTPUT) fields)

Figure 7-5. Configure Transform action in error rule

Notes:

Style sheet programming using error variables

. Output log messages with log priority using <xsl:message>

    <xsl:message dp:type="ws-proxy" dp:priority="error">
      Error: <xsl:value-of select="$errtest"/>
    </xsl:message>

. The following DataPower variables are useful when generating a custom error message:
  - var://service/error-code: DataPower error code
    . Example: Dynamic execution error
  - var://service/error-subcode: DataPower suberror code
    . Example: Schema validation error
  - var://service/error-message: Error message sent to client
  - var://service/transaction-id: ID used to correlate transactions in the DataPower system logs
  - var://service/client-service-address: Address of the calling client

Figure 7-6. Style sheet programming using error variables

Notes:

The example log message generated in the slide will have a log priority of error with class name ws-proxy. The log message generated is the contents of the variable errtest.
The variables listed in the slide can also be viewed when executing the multistep probe and selecting the Service Variables tab.
The dp:type attribute in the <xsl:message> tag can be caught by a log target, enabling user-defined debug messages to be captured in logs.

Example custom error style sheet

    <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:dp="http://www.datapower.com/extensions"
      extension-element-prefixes="dp" exclude-result-prefixes="dp">

      <xsl:template match="/">

        <!-- Get the error codes set by DP. -->
        <xsl:variable name="dpErrorCode"
          select="dp:variable('var://service/error-code')"/>
        <xsl:variable name="dpErrorSubcode"
          select="dp:variable('var://service/error-subcode')"/>
        <xsl:variable name="dpErrorMessage"
          select="dp:variable('var://service/error-message')"/>
        <xsl:variable name="dpTransactionId"
          select="dp:variable('var://service/transaction-id')"/>

        <!-- Build custom SOAP fault message -->
        <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
          <env:Body>
            <env:Fault><!-- (details omitted) ... --></env:Fault>
          </env:Body>
        </env:Envelope>

      </xsl:template>
    </xsl:stylesheet>

Figure 7-7. Example custom error style sheet

Notes:

This example style sheet includes some common DataPower extension functions that can be used when building a custom error message.

The service variables shown are also visible in the multistep probe.
This style sheet is only a template of an actual error style sheet. A custom error style sheet can customize the amount of detail to include in an error message.

Error rule versus On Error action

. The presence of the On Error action precludes an error rule within the same service policy from being selected to handle an error
  - On Error action itself can optionally execute an error rule
. The error rule executes in the absence of an On Error action when an error occurs in the current processing rule
  - The current processing rule is aborted and the execution of the error rule starts
. Multiple On Error actions can be defined in a processing rule
  - Each On Error action handles errors for subsequent actions within the same processing rule
  - When the next On Error action within a rule is executed, it handles errors for the next set of

Figure 7-8. Error rule versus On Error action

Notes:

Checkpoint

1. True or False: When a rule with an On Error action encounters an error, the rule is always terminated.
2. True or False: An error rule is unidirectional.
3. A service policy has an error rule and a request rule with an On Error action. How does the firmware select the error handling option?

Figure 7-9. Checkpoint

Notes:
Write your answers here
1.

2.
3.

Unit summary
Having completed this unit, you should be able to:
. Configure an On Error action in a service policy
. Configure an Error rule in a service policy
. Describe how On Error actions and Error rules are selected during error handling

Figure 7-10. Unit summary

Notes:

Unit 8. DataPower cryptographic tools

What this unit is about


This unit describes how to use the cryptographic tools to create keys
and certificates. You will also set the DataPower objects that are used
to validate certificates and configure certificate monitoring to ensure
that only valid certificates exist on board.

What you should be able to do

After completing this unit, you should be able to:

. Generate cryptographic keys using the WebSphere DataPower tools
. Create a crypto identification credential object containing a matching public and private key
. Create a crypto validation credential to validate certificates
. Set up certificate monitoring to ensure that certificates are up-to-date

How you will check your progress

. Checkpoint
. Exercise 6: Creating cryptographic objects
Unit objectives
After completing this unit, you should be able to:
. Generate cryptographic keys using the WebSphere DataPower tools
. Create a crypto identification credential object containing a matching public and private key
. Create a crypto validation credential to validate certificates
. Set up certificate monitoring to ensure that certificates are up-to-date

Figure 8-1. Unit objectives

Notes:

Security problems

1. Message confidentiality: How do you prevent anyone from looking at your message?
2. Message integrity: How do you know if anyone has looked at the message and changed it?
3. Nonrepudiation: How do you know who the party on the other end is?

Figure 8-2. Security problems

Notes:
Security problem 1: Message confidentiality

. How do you prevent anyone from looking at your message?
  - Use cryptography
    . Study of techniques used to transform information into an unreadable format called a cipher
    . Only the party for whom the information is intended can decipher the message
. Modern cryptography uses algorithms and keys to manipulate data
  - Keys are pieces of data that are used to alter how the algorithm behaves
  - Knowing the algorithm does not help an attacker; they need the key
    . Most algorithms are published publicly
    . Keys are usually protected and hidden

Figure 8-3. Security problem 1: Message confidentiality

Notes:
PKI (public key infrastructure) uses the processes of encryption to hide a text message and
decryption to recreate the message.

Symmetric key encryption

. Symmetric key: A secret key that is used to both encrypt and decrypt messages
  - Known only by sender and receiver
  - Relatively fast
  - Challenges: Exchanging keys with many people

(Diagram: the plain text "A sample of plain text to be converted to ciphertext" is encrypted with the symmetric key into ciphertext and decrypted with the same key back to the plain text)

Figure 8-4. Symmetric key encryption

Notes:


The disadvantage of symmetric keys is that the same key is needed for encryption and
decryption, and both parties must have the same keys.
Typical symmetric algorithms are:

. DES (DEA)
. Triple DES (TDEA)
. AES
. RC2
. RC4
. IDEA

Asymmetric key encryption

. Two keys
  - Public key: Published key known to everyone
  - Private key: Secret key known only by the recipient
. The cryptographic process uses keys
  - Encryption: The process of applying a key to create a ciphertext message
  - Decryption: When a key is applied to a ciphertext to recreate the original message

(Diagram: the plain text "A sample of plain text to be converted to ciphertext" is encrypted with the public key into ciphertext and decrypted with the private key back to the plain text)

Figure 8-5. Asymmetric key encryption

Notes:
With asymmetric key encryption, the encryption and decryption keys are different.

The private key is mathematically linked to the public key.

Modern day public-key crypto systems are designed so that it is computationally infeasible to derive the private key from the public key.

Mathematically, either the private key or the public key can be used to encrypt, and the other key is used to decrypt. If you are using PKI, then by definition the public key is used to encrypt.

Typical asymmetric encryption algorithms are:

. DH (Diffie-Hellman)
. DSS (Digital Signature Standard)
. RSA encryption algorithm (PKCS)

Security problem 2: Message integrity

. How do you know if anyone has looked at the message and changed it?
  - Use a cryptographic hash
. A cryptographic hash function is an algorithm that transforms a string of characters into a shorter number of a fixed length. This value is called the message digest.
  - If anyone tampers with the message, it results in a different message digest or hash number
. Purposefully creating two separate messages that create the same hash code is extremely difficult

(Diagram: a string of characters passes through the cryptographic hash to produce a shorter value of fixed length, the message digest)

Figure 8-6. Security problem 2: Message integrity

Notes:


The cryptographic hash computes a message digest or message authentication code (MAC), which is unique to that message.
It is computationally infeasible to find two messages that hash to the same thing.

Any change to the message, even a small one, results in a change to the hash number.
Common hash functions are:

. MD5
. SHA1

Security problem 3: Nonrepudiation

. How do you know who the party on the other end is?
  - Use digital signatures
. Digital signatures provide the ability to authenticate who sent the message
  - Provided within a digital certificate
  - Incorporates the use of asymmetric keys and cryptographic hash functions
. The digital signature is:
  - Encrypted with the sender's private key
  - Verified when the certificate is checked

Figure 8-7. Security problem 3: Nonrepudiation

Notes:

Digital signature

(Diagram: Joe, the client, creates his plain text document; the message digest is created using the hash function and is encrypted using Joe's private key to create the signature. Kate, the server, decrypts the signed hash using Joe's public key to get the message digest, and hashes the plain text herself to produce a message digest. If both message digests are equal, then the message has not been tampered with, and only Joe could have signed it.)

Figure 8-8. Digital signature

Notes:

1. Joe creates a message.
2. The message is then hashed to create the message digest.
3. The message digest is then encrypted using Joe's private key. This creates the digital signature.
4. The message is then sent, along with the signature. The signed message is usually encrypted at this point.
5. Kate receives the message and two processes are run against the signed message (after decryption, if necessary).
6. The received signed hash is decrypted using Joe's public key; this creates a message digest (hash number).
7. The received message is also hashed again using the cryptographic hash algorithm; this also produces another message digest (hash number).
8. If these two hash numbers are equal, then the message has not been tampered with.

Security problems solved

• Message confidentiality: How do you keep anyone from seeing my message?
  - Symmetric and asymmetric keys can encrypt and decrypt messages
• Message integrity: How do you know if anyone has intercepted the message and tampered with it?
  - Cryptographic hash algorithms: These algorithms can be used to detect whether or not a message has been tampered with
• Nonrepudiation: How do you verify the sender and authenticate that they are who they say they are?
  - Digital signatures: By using a public key, it can be determined if the message was sent by the supposed originator

Figure 8-9. Security problems solved

Notes:

Digital certificates

• The problem with public-private key pairs is that they do not identify anyone
  - Given a message encrypted (or signed) using a private key, you can determine which public key goes with it, but so what?
• The solution is digital certificates
  - A special kind of public key
  - Contains your identity information in the form of a distinguished name
  - A digital certificate contains:
    • The certificate holder's name
    • A serial number
    • Validity dates
    • A copy of the certificate holder's public key
    • A digital signature, to verify that the certificate has not been altered since it was signed by the issuer
    • An indication of the issuer of the certificate (the "trusted signer")
  - A digital certificate does not contain the private key, although the private key and certificate together are often referred to as "the certificate"

Figure 8-10. Digital certificates

Notes:

A digital certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.

A certificate may be internally created and distributed, and the company would be its own CA (self-signed).

Distribution problem

• First step is to create public-private key pairs to communicate securely
• Second step is to create a digital certificate to send to the party with whom you want to communicate
  - Digital certificate contains your digital signature with public key
• Problem: How to send your certificate to everyone with whom you want to communicate?
  - You also need a signed certificate with a public key from everyone with whom you want to communicate
• Solution: Create a certificate authority (CA) to resolve this issue
  - Instead of issuing self-signed digital certificates to everyone, sign your digital certificate using a CA certificate
  - Parties validate the digital signature of the CA certificate that signed your digital certificate

Figure 8-11. Distribution problem

Notes:

You need to download all the common CA digital certificates to verify a certificate that is signed by a CA.

Imagine that every business entity had to create, digitally sign, and send out a certificate to each person who wants to use its service. This would cause a distribution nightmare.

The CA is the "issuer" of many certificates.


DataPower crypto tools

• Two methods for creating a private cryptographic key and self-signed digital certificate:
  - Generated on-board using the DataP
  - Uploading key files to the DataPower appliance
    • Supports Java Key Store

[Screenshot: Crypto Tools page, Generate Key tab; the Upload and Generate paths are marked]

Figure 8-12. DataPower crypto tools

Notes:

A self-signed certificate implies that there is no third-party certificate authority validating the certificate.

All key files are placed in an encrypted storage area on the appliance; the appliance can read them, but the values cannot be displayed to users.

The appliance supports the uploading of files from a Java Key Store (JKS) to the appliance flash.

Generating crypto (asymmetric) keys on board (1 of 2)

• From the WebGUI vertical navigation bar, expand ADMINISTRATION and select Miscellaneous > Crypto Tools
• Enter key information
  - Only Common Name is required

[Screenshot: Crypto Tools page, Generate Key tab (with Export Crypto Object and Import Crypto Object tabs). Fields in LDAP (reverse) order of RDNs: Country Name (C) = CA, State or Province (ST) = ON, Locality (L) = Toronto, Organization (O) = IBM, Organizational Unit (OU) and Organizational Unit 2 to 4 (OU), Common Name (CN) = Alice, RSA key length, File Name, Validity Period = 365]

Figure 8-13. Generating crypto (asymmetric) keys on board (1 of 2)

Notes:

The files to submit to a certification authority are created by default.

The fields from Country Name down to Common Name are part of the distinguished name.

The file name for the generated key file is of the form cert:///name-privkey.pem. If the field is left blank, the system creates this file automatically.


Generating crypto (asymmetric) keys on board (2 of 2)

• Keys cannot be exported from the DataPower appliance to a workstation
  - Except when Export Private Key is selected
  - Also exported to the temporary: directory
• The entered object name is used to represent the key and certificate object
• Click Generate Key to generate the key and certificate

[Screenshot: Generate Key form: Password, Password Alias on/off, Export Private Key on/off, Generate Self-Signed Certificate on/off, Export Self-Signed Certificate on/off, Generate Key and Certificate Objects on/off, Object Name = AliceKeyObj, Using Existing Key Object, Generate Key button]

Figure 8-14. Generating crypto (asymmetric) keys on board (2 of 2)

Notes:

The password for the key file is generated.

Select on for Generate Self-Signed Certificate to generate a self-signed certificate for the key.

If Export Self-Signed Certificate or Export Private Key is off, then the generated key or certificate is placed in the cert directory, where it cannot be edited.

Download keys from temporary storage

• Keys can be downloaded from temporary storage if Export Private Key or Export Self-Signed Certificate is on
• From the Control Panel, select the File Management icon
• Right-click the file to Save Target As...

[Screenshot: File Management, temporary: directory listing the exported self-signed certificate (sscert) and certificate signing request (csr) files]

Figure 8-15. Download keys from temporary storage

Notes:

The appliance has on-board memory where it stores files. These files are organized in
directories. Each directory has its own associated permissions and visibility.


Keys and certificates are objects

• The key and certificate generated are accessed using object names
  - Entered in the object name field when generating the key
  - Another level of security by providing an indirection reference to the file

[Screenshot: Configure Crypto Certificate page for AliceCert: Admin State enabled/disabled, File Name (cert: directory) Alice-sscert, Password, Confirm Password, Password Alias, Ignore Expiration Dates on/off; callouts mark the private key file and the certificate file name]

Figure 8-16. Keys and certificates are objects

Notes:

The page shown in this slide can be accessed from the vertical navigation bar, by selecting Objects > Crypto > Crypto Key.

Selecting Password Alias to be on means that the password entered for the key is a password alias.

Crypto shared secret (symmetric) key

• Generate a secret key object using a key file:
  - From the vertical navigation bar, select Objects > Crypto > Crypto Shared Secret Key.
  - The Crypto Shared Secret Key page allows you to create a secret key object for the symmetric key
• Provides an additional level of security by providing an indirection reference to the file

[Screenshot: Configure Crypto Shared Secret Key page: Name, Admin State enabled/disabled, File Name cert:]

Figure 8-17. Crypto shared secret (symmetric) key

Notes:

A secret key is generated using symmetric key encryption.

The key file can be uploaded from this page.


Crypto certificate

• Create a certificate object from a key file
  - From the vertical navigation bar, select Objects > Crypto > Crypto Certificate
  - Provides an additional level of security by providing an indirection reference to the file

[Screenshot: Crypto Certificate page: Name, Admin State enabled/disabled, File Name cert: (public key or certificate file), Password, Confirm Password, Password Alias, Ignore Expiration Dates]

Figure 8-18. Crypto certificate

Notes:

An object created on this page is used to create a crypto identification credential, discussed on the next slide.

Selecting Password Alias to be on means that the password entered for the key is a password alias.

Ignore Expiration Dates controls whether the appliance enforces the certificate's validity dates.

Certificates can also be uploaded using this page if they do not already exist on the DataPower appliance.
Certificates exist in a trust chain

• A certificate trust chain is a linked path of certificates from a certificate to a trusted certificate authority (CA)
  - A certificate signed by a CA can be assumed to have undergone some level of validation
• Certificates are issued by a root trusted certificate authority (CA)
• Authority might be granted to another intermediate authority
• The chain may be several levels deep. PKIX chain checking drills to the root trust authority. The root certificate is self-signed.

Figure 8-19. Certificates exist in a trust chain

Notes:

Cryptographic certificates exist in a trust chain, that is, certificates are issued by a root trusted certificate authority. This trusted root may then grant the authority to issue certificates to an intermediate authority, which then issues the certificate used in the field. PKIX chain checking drills to the trusted root authority to establish a complete trust chain. If the complete chain is not trusted, then the presented certificate is not trusted.

Intermediate CA certificates may be necessary if the root trusted certificate is not trusted. Additional intermediate certificates may be required if that particular intermediate certificate is not trusted.

Crypto identification credential

• Create a crypto identification credential
  - Consists of a crypto key object and a crypto certificate object
  - Contains the public (certificate) and private key pair that is used for SSL authentication
• From the vertical navigation bar, select Objects > Crypto > Crypto Identification Credentials

[Screenshot: Configure Crypto Identification Credentials page for AliceIdCred: Admin State enabled/disabled, Crypto Key (with + and ... buttons), Certificate = AliceCert, Intermediate CA Certificate list]

Figure 8-20. Crypto identification credential

Notes:

Enter a name for the crypto identification credential.

In the Crypto Key field, select the Crypto Key object from the drop-down list. You can use the + and ... buttons to create or edit a crypto key object.

In the Certificate field, select a certificate object from the drop-down list. You can use the + and ... buttons to create or edit a certificate object.

If they are available, specify the Intermediate CA Certificates by clicking the Add button. This establishes a trust chain consisting of one or more certificate authority (CA) certificates.

You can also create a crypto identification credential by selecting Keys and Certificate Management > Identification Credentials from the Control Panel.

Crypto validation credential

• Used to validate the authenticity of certificates and digital signatures
  - Who will vouch for the certificate, and that you are who you say you are?
• The validation credential consists of certificates from:
  - Common public certificates stored in the pubcert: directory
  - Certificates imported onto the appliance
  - Certificates generated on the appliance

[Screenshot: Configure Crypto Validation Credentials page for pubcert: Admin State enabled/disabled; Certificates list of crypto certificate objects created from the pubcert: directory or manually added; Certificate Validation Mode; Use CRL on/off; Require CRL on/off; CRL Distribution Points Handling]

Figure 8-21. Crypto validation credential

Notes:

Creating a validation credential based on the certificates stored in the pubcert: directory creates a crypto certificate object for each certificate inside the pubcert: directory. The Create ValCred from pubcert: button on the Configure Crypto Validation Credentials page does just that. An SSL client validates a presented certificate by verifying the issuing CA certificate against the list of common public CA certificates that it contains locally. If the certificate is self-signed, the client must have access to the self-signed certificate; otherwise it cannot verify the server's identity.

You can create a crypto validation credential based on well-known CA certificates already stored on the appliance or ones that you have added or imported. The button is available when clicking the Crypto Validation Credentials page.

The certificate validation mode specifies how to validate the presented certificate. Two options are available:

1. Match exact certificates or immediate issuer: The certificate presented or the immediate issuer of the certificate must be available on the appliance.

2. Full certificate chain checking (PKIX): The certificate presented and any intermediate certificate chained back to the root certificate must be trusted. This applies to all uses of the validation credential.

The Use CRLs field is used to check if certificates in the trust chain should be monitored for expiration.
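The signature steps of Figure 8-8 and the two validation modes just described, worked through in an added Python example (not course material or appliance code): a constructed Root CA > Intermediate CA > Alice chain is built with textbook RSA over SHA-256, then checked in "exact or immediate issuer" and "PKIX full chain" modes, including an expired certificate and a CRL entry. The party names, dates, serial numbers and the Mersenne-prime toy keys are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

E = 65537
# 2**k - 1 is prime for each k below (Mersenne primes), so the example needs no prime
# generation. Toy parameters: trivially factorable moduli and unpadded RSA, never for real use.
_MERSENNE_PAIRS = [(127, 521), (607, 1279), (2203, 2281)]

def make_keypair(pair_index):
    """Textbook RSA key pair: returns (public (n, e), private (n, d))."""
    k1, k2 = _MERSENNE_PAIRS[pair_index]
    p, q = (1 << k1) - 1, (1 << k2) - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    """Slide steps 2 and 7: the message digest, SHA-256 as an integer (below every toy modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private_key):
    """Step 3: 'encrypt' the digest with the private key; the result is the signature."""
    n, d = private_key
    return pow(digest(data), d, n)

def verify(data, signature, public_key):
    """Steps 6 to 8: recover the digest with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)

@dataclass(frozen=True)
class Cert:
    subject: str          # holder's name
    issuer: str           # who signed it (equal to subject for a self-signed root)
    serial: int
    public_key: tuple     # holder's (n, e)
    not_after: date
    signature: int = 0    # issuer's signature over to_be_signed()

    def to_be_signed(self):
        n, e = self.public_key
        return f"{self.subject}|{self.issuer}|{self.serial}|{n}|{e}|{self.not_after}".encode()

def issue(subject, holder_pub, issuer_cert, issuer_priv, serial, not_after):
    """The issuer signs the holder's identity and public key (issuer_cert=None: self-signed root)."""
    issuer_name = issuer_cert.subject if issuer_cert else subject
    unsigned = Cert(subject, issuer_name, serial, holder_pub, not_after)
    return replace(unsigned, signature=sign(unsigned.to_be_signed(), issuer_priv))

def validate(presented, valcred, mode, today, crl=frozenset(), intermediates=()):
    """Validate a presented cert against a validation credential (the set of trusted certs).
    "exact": the presented cert, or its immediate issuer, must itself be in valcred.
    "pkix":  follow issuer links (through intermediates) to a self-signed root in valcred;
             every link must verify, be unexpired and not be listed in the CRL.
    crl holds (issuer name, serial) pairs. Returns (ok, reason)."""
    trusted = set(valcred)
    by_subject = {c.subject: c for c in list(intermediates) + list(valcred)}

    def link_error(cert, issuer):
        if (issuer.subject, cert.serial) in crl:
            return "revoked"
        if cert.not_after < today:
            return "expired"
        if not verify(cert.to_be_signed(), cert.signature, issuer.public_key):
            return "bad signature"
        return None

    if mode == "exact":
        if presented in trusted:
            return presented.not_after >= today, "exact match (expiry checked)"
        issuer = by_subject.get(presented.issuer)
        if issuer is None or issuer not in trusted:
            return False, "neither the certificate nor its immediate issuer is trusted"
        err = link_error(presented, issuer)
        return err is None, err or "immediate issuer trusted"

    cert = presented
    for _ in range(8):  # PKIX: walk the chain toward the self-signed root
        self_signed = cert.issuer == cert.subject
        issuer = cert if self_signed else by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"issuer {cert.issuer!r} is not available"
        err = link_error(cert, issuer)
        if err:
            return False, f"{cert.subject}: {err}"
        if self_signed:
            ok = cert in trusted
            return ok, "chain ends in a trusted root" if ok else "root not in validation credential"
        cert = issuer
    return False, "chain too deep"

def build_demo():
    """Constructed chain Root CA -> Intermediate CA -> Alice; also returns Alice's private key."""
    root_pub, root_priv = make_keypair(0)
    int_pub, int_priv = make_keypair(1)
    alice_pub, alice_priv = make_keypair(2)
    root = issue("Root CA", root_pub, None, root_priv, 1, date(2019, 1, 1))
    inter = issue("Intermediate CA", int_pub, root, root_priv, 2, date(2012, 1, 1))
    alice = issue("Alice", alice_pub, inter, int_priv, 3, date(2010, 5, 1))
    return root, inter, alice, alice_priv
```

In PKIX mode the chain fails when the intermediate certificate is not available, when the issuer and serial appear in the CRL, or when a certificate has expired, which is the behaviour the notes on intermediate certificates, CRLs and the certificate monitor describe.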

Crypto profile

• Identifies profiles that can be used in SSL connections
• An SSL server profile will have an identification credential (private and public key pair), and maybe a validation credential (certificate chain that validates the presented certificate)
• An SSL client profile will have a validation credential

[Screenshot: Configure Crypto Profile page for StudentServerCP: Admin State enabled/disabled, Identification Credentials (crypto identification credential: crypto key and crypto certificate), Validation Credentials (crypto validation credential, here (none)), Ciphers = DEFAULT, Options, Send Client CA List on/off]

Figure 8-22. Crypto profile

Notes:

SSL will be covered later.

The Ciphers property refers to the cipher suites supported by this profile, and indicates encryption strength, hashing algorithm, and key-encryption algorithms.

The Options property allows you to specify support for SSL and TLS protocols.

The Send Client CA List property allows you to specify whether the SSL server should send the client CA list during a request for the client certificate.


Import and export crypto objects

• Export certificate objects to a file
  - File is exported to the temporary: directory on the appliance
• Crypto objects reference the certificate file
  - Eliminates the need to create an object for the certificate
• Import Crypto Object brings in exported certificate objects
  - File can be in another directory, or uploaded

[Screenshot: Crypto Tools page, Export Crypto Object tab: Object Type = certificate, Object Name, Output File Name, Export Crypto Object button]

Figure 8-23. Import and export crypto objects

Notes:

This page is accessed from the vertical navigation bar by selecting ADMINISTRATION > Miscellaneous > Crypto Tools.

Certificates are exported to the temporary: directory. They can be downloaded by using File Management.

• Only certificates can be exported and imported.
• The object name typed for the exported crypto object must be exact.
• For an imported crypto object, a password alias can be supplied if the password is not entered.
Uploading keys

• From the vertical navigation bar, select OBJECTS > Crypto > Crypto Key.
• On the Crypto Key page, click the Upload button to upload a key file from:
  - Key store file
  - Java Key Store

[Screenshot: Crypto Key page: Name, Admin State enabled/disabled, File Name cert:, Upload button; File Management > Upload File to Directory cert: dialog with Source = File or Java Key Store (Requires Sun JRE 1.4.2 or better), File to upload, Save as, Password, Confirm Password, Password Alias, Overwrite Existing File on/off]

Figure 8-24. Uploading keys

Notes:

Selecting the Java Key Store radio button opens a new window with a Java applet. You must have a JRE 1.4.2 or higher installed in Internet Explorer to view the applet.

A keystore file can be generated using the Java keytool command.


Java keytool command

• IBM JDK includes a keytool utility to generate a key store
  - A key store is a database of private keys and an X.509 certificate chain, where the first certificate in the chain contains the public key
  - Users can create their own public-private key and self-signed certificate
• The keytool command has the following syntax:

    keytool -genkey {-alias alias} {-keyalg keyalg}
        {-keysize keysize} {-sigalg sigalg} [-dname dname]
        [-keypass keypass] {-validity valDays} {-storetype storetype}
        [-keystore keystore] [-storepass storepass] [-provider provider_class_name]
        {-v} {-Jjavaoption}

• Example keytool command:

    keytool -genkey -v -alias dpedu -keypass dpadmin -keystore dpedu.p12
        -storepass dpadmin -storetype "pkcs12" -dname "cn=dpedu, o=ibm, c=ca"
        -keyalg "RSA"

  - Generates a key store file called dpedu.p12 that contains a public-private key pair
  - Generates a self-signed certificate containing the public key and entity name with values given by the -dname flag

Figure 8-25. Java keytool command

Notes:

The default key store is implemented as a file. Private keys are protected with passwords. The X.509 standard describes how the information is contained within a certificate and the format of that information.

For more information on the keytool command, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html

The default keystore implementation is a Java Key Store (JKS). You can specify other formats by using the -storetype flag.
Certificates can expire or get revoked

• Certificates are valid only for a certain period of time and can expire.
  - Valid Until 01-11-2009
• A certificate monitor can constantly check certificates stored on the appliance and warn before expiration invalidates the certificate. This default object is up.
• Certificates can also be revoked by the issuing authority
• The appliance can check certificate revocation lists (CRL) for revoked certificates.

[Screenshot: Configure Crypto Certificate Monitor page (default object, up); Configure CRL Retrieval page with CRL Policy tab]

Figure 8-26. Certificates can expire or get revoked

Notes:

Warnings from the certificate monitor are posted to the system log and should be checked.

Expired certificates are not trusted.


Certificate revocation list (CRL) retrieval

• A certificate revocation list (CRL) is a list of certificates which have been revoked and are no longer valid
  - Need to periodically check the validity of certificates
• Set up a CRL list from the vertical navigation bar by selecting Objects > Crypto > CRL Retrieval
  - Click CRL Policy to configure a CRL update policy

[Screenshot: Objects > Crypto menu (CRL Retrieval, Crypto Certificate, Crypto Certificate Monitor, Crypto Firewall Credentials, Crypto Identification Credentials, Crypto Key, Crypto Profile, Crypto Shared Secret Key, Crypto Validation Credentials, Kerberos KDC Server, Kerberos Keytab, SSL Proxy Profile); CRL Retrieval page adding a new CRL Policy property: Policy Name, Protocol = http, Refresh Interval = 240 minutes, Cryptographic Profile, Fetch URL, CRL Issuer Validation Credentials]

Figure 8-27. Certificate revocation list (CRL) retrieval

Notes:

Any trust chain that uses a revoked certificate is broken.

The CRL policy can be configured to fetch CRL lists from a CRL server and check for validity using the selected CRL Issuer Validation Credential object.

The protocol is either http or ldap. Appropriate fields will display to support the protocol. The Cryptographic Profile identifies the crypto profile to use to connect to the CRL issuer using SSL.

Crypto certification monitor

• Periodic task running on the appliance that checks the expiration date of certificates
• Configure a Crypto Certification Monitor from the vertical navigation bar by selecting Objects > Crypto > Crypto Certificate Monitor
• Expired certificates are written to the log file with a specified warning

[Screenshot: Objects > Crypto menu; Configure Crypto Certificate Monitor page: Admin State enabled/disabled, polling interval (30), warning log level]

Figure 8-28. Crypto certification monitor

Notes:

The polling interval specifies the frequency with which certificate expiration dates are checked.

Remember, time refers to the number of days before the certificate expiration event is written to the log file.


Hardware security module (HSM)

• Appliances with hardware security module (HSM) hardware installed can export or import private keys
  - The appliance where the key is exported or imported must also have HSM hardware installed
• DataPower supports FIPS 140-2 level 2 and level 3 security

[Screenshot: Generate Key form with HSM options: Private Key Exportable via hsmkwk on/off, Export Private Key on/off, Generate Self-Signed Certificate on/off, Export Self-Signed Certificate on/off, Generate Key and Certificate Objects on/off, Object Name, Generate Key on HSM on/off]

Figure 8-29. Hardware security module (HSM)

Notes:

HSM is a piece of hardware with associated software and firmware that can perform a number of security functions. At the time you order DataPower, you can add an HSM to your appliance.

FIPS 140-2 level security is a standard for validating HSMs. For some specialized circumstances, FIPS 140-2 Level 3 security is needed. The appliance supports this through HSM hardware.

To export private keys on HSM hardware, the Private Key Exportable via hsmkwk option must be selected from the Crypto Tools page. The HSM options appear only if you have an HSM installed.

Checkpoint

1. What is the difference between asymmetric and symmetric key encryption?
2. What is a digital certificate?
3. True or False: Keys generated on-board cannot be exported.
4. What is the purpose of a crypto identification credential?

Figure 8-30. Checkpoint

Notes:

Write your answers here:

1.

2.

3.

4.


Unit summary
Having completed this unit, you should be able to:
• Generate cryptographic keys using the WebSphere DataPower tools
• Create a crypto identification credential object containing a matching public and private key
• Create a crypto validation credential to validate certificates
• Set up certificate monitoring to ensure that certificates are up-to-date

Figure 8-31. Unit summary
Unit 9. Securing connections using SSL

What this unit is about
This unit describes how to secure connections using SSL to and from the DataPower appliance.

What you should be able to do
After completing this unit, you should be able to:
• Configure the WebSphere DataPower SOA Appliance to communicate using SSL
• Associate an SSL proxy profile with keys and certificates
• Configure a user agent to initiate requests

How you will check your progress
• Checkpoint
• Exercise 7: Configuring SSL on DataPower services

Unit objectives
After completing this unit, you should be able to:
• Configure the WebSphere DataPower SOA Appliance to communicate using SSL
• Associate an SSL proxy profile with keys and certificates
• Configure a user agent to initiate requests

Figure 9-1. Unit objectives

Solving security problems

• SSL solves the following security problems:
  - Message confidentiality: preventing anyone else from reading your message
  - Message integrity: detecting any change made to a message while in transit
  - Identifying the party with whom you are communicating (the slide labels this non-repudiation; strictly, SSL authenticates the peer, but because its integrity check uses a shared secret key it does not give non-repudiation of individual messages the way a digital signature does)
• Uses the following building blocks:
  - Symmetric and asymmetric keys
  - Encryption techniques
  - Digital signatures
  - Digital certificates
• These processes are combined together in a protocol called the Secure Sockets Layer (SSL)

Figure 9-2. Solving security problems
SSL features

• SSL provides:
  - Message confidentiality
    • Uses asymmetric and symmetric key encryption
    • Uses a handshake when initiating contact: the handshake establishes a session key and an encryption algorithm between both parties before any application messages are sent
  - Message integrity
    • Uses the combination of a shared secret key and a cryptographic hash function (a message authentication code)
    • Ensures that the contents of messages cannot be modified without detection
  - Mutual authentication
    • The server always authenticates to the client
    • The client optionally authenticates to the server
    • Occurs during the handshake

Figure 9-3. SSL features
SSL terminology

• CipherSpec is a combination of:
  - A cryptographic hash function, used to create the message digest or message authentication code (MAC)
  - An encryption method (bulk cipher) algorithm
  - Encryption method algorithm + hash function = CipherSpec
• Cipher suite is a combination of:
  - CipherSpec
  - Authentication and key exchange algorithm
  - CipherSpec + authentication/key exchange algorithm = cipher suite

Figure 9-4. SSL terminology
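The slide's decomposition can be applied mechanically to the suite names a client offers in its hello. The following Python is an added example, not part of the course material and not DataPower code: it splits an IANA-style name of the form TLS_<key exchange>_<authentication>_WITH_<bulk cipher>_<hash> into the authentication/key exchange part and the CipherSpec, and flags suites a reviewer would reject. The sample list of names and the rejection rules are this example's own.

```python
"""Break IANA-style TLS cipher suite names into the parts named on the slide:
key exchange / authentication on one side, CipherSpec (bulk cipher + hash/MAC)
on the other. Added example; the sample suites and rejection rules are
constructed, not taken from any DataPower configuration."""
from dataclasses import dataclass
from typing import Dict, List

HASHES = {"MD5", "SHA", "SHA256", "SHA384", "SHA512"}   # last token after _WITH_

@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str     # e.g. ECDHE, or RSA for plain RSA key transport
    authentication: str   # e.g. RSA; equals key_exchange when only one token is present
    bulk_cipher: str      # the encryption method, e.g. AES_128_GCM
    hash_func: str        # the hash/MAC function, e.g. SHA256

    @property
    def cipherspec(self) -> str:
        """Encryption method + hash function = CipherSpec (slide definition)."""
        return f"{self.bulk_cipher}_{self.hash_func}"

def parse_suite(name: str) -> CipherSuite:
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA-style TLS suite name: {name}")
    kx_part, spec_part = name[len("TLS_"):].split("_WITH_", 1)
    kx = kx_part.split("_")
    # TLS_RSA_WITH_...: RSA does both key transport and authentication.
    # TLS_ECDHE_RSA_WITH_...: ECDHE key agreement, authenticated by an RSA signature.
    spec = spec_part.split("_")
    if spec[-1] not in HASHES:
        raise ValueError(f"unknown hash/MAC token in {name}: {spec[-1]}")
    return CipherSuite(name, kx[0], kx[1] if len(kx) > 1 else kx[0],
                       "_".join(spec[:-1]), spec[-1])

def weaknesses(suite: CipherSuite) -> List[str]:
    """This example's own review rules; an empty list means acceptable."""
    problems = []
    if suite.bulk_cipher.startswith("NULL"):
        problems.append("no encryption")
    if "EXPORT" in suite.name or "RC4" in suite.bulk_cipher or "DES" in suite.bulk_cipher:
        problems.append("weak bulk cipher")           # catches DES_CBC and 3DES_EDE_CBC too
    if suite.hash_func == "MD5":
        problems.append("weak MAC hash")
    if suite.authentication in {"anon", "NULL"}:
        problems.append("unauthenticated key exchange")
    if suite.key_exchange == "RSA":
        problems.append("no forward secrecy (RSA key transport)")
    return problems

SAMPLE_SUITES = [   # constructed: the kind of list a client might offer in its hello
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

def review(names=SAMPLE_SUITES) -> Dict[str, List[str]]:
    return {n: weaknesses(parse_suite(n)) for n in names}

if __name__ == "__main__":
    for name, problems in review().items():
        print(f"{name:42} {'; '.join(problems) or 'acceptable'}")
```

The split is the one the slide describes: everything before _WITH_ is how the session key is agreed and who is authenticated, everything after it is the CipherSpec the record layer actually uses.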

SSL handshake

• The handshake is the technique used to establish a secure communication link between a client and a server
• During the handshake process, SSL will:
  - Negotiate the protocol version (level of SSL) to use
  - Decide on a cipher suite that both parties can use
  - Authenticate the server and (optionally) the client
  - Build a secret key that is to be used for this session only
• The handshake is initiated by the client, which sends a "hello" message to the server

Figure 9-5. SSL handshake

SSL handshake: client hello

• Joe (client) sends Kate (server) a hello message
  - The initial hello message contains a list of the cipher suites that Joe (client) can use
• Joe is considered the client because he initiated the communication

[Diagram: Joe (client) sends "Hello Kate" to Kate (server)]

Figure 9-6. SSL handshake: client hello

SSL handshake: server hello

• Kate (the server) responds with a hello
  - The response contains the cipher suite that Kate has selected from the list Joe sent her
• Kate also sends Joe a signed digital certificate containing her public key
  - Joe should have, in a keystore, a trusted certificate (typically that of the CA that signed Kate's certificate) that he will use to verify the signature on Kate's certificate

[Diagram: Joe (client) sends "Hello Kate" to Kate (server); Kate returns "Hello Joe" together with her server certificate]

Figure 9-7. SSL handshake: server hello

SSL handshake: verify server certificate

• Joe takes Kate's public key from her certificate
• Joe checks the server certificate for:
  - Certificate expiration (the validity period)
  - Verification of the certificate's signature against a trusted certificate in his keystore
  - Presence on a certificate revocation list (CRL), which would mean the certificate should no longer be trusted
• If client authentication is being used, Kate would also request a digital certificate from the client

[Diagram: Joe (client) sends "Hello Kate"; Kate (server) returns "Hello Joe" and her server certificate; Joe checks the certificate, concludes "It is Kate" and now holds Kate's public key]
Figure 9-8. SSL handshake: verify server certificate
SSL handshake: client key exchange

• The client builds a secret message (the premaster secret) and sends it to the server encrypted using Kate's (the server's) public key
  - Only the holder of the matching private key, Kate, can decrypt it

[Diagram: after "Hello Kate", "Hello Joe" and the server certificate ("It is Kate"), Joe sends the secret message, encrypted using Kate's public key, to Kate]
Figure 9-9. SSL handshake: client key exchange

SSL handshake: reply with secret key

• Kate (server) decrypts the secret message using her private key
• Both the client and the server generate the secret (session) key using the premaster secret from the secret message and the random data exchanged in the initial hello messages of the handshake
• From this point on, messages are encrypted using the symmetric secret key

[Diagram: Joe (client) and Kate (server) exchange "Hello Kate", "Hello Joe" plus server certificate ("It is Kate"), then the secret message; Kate decrypts the secret message with her private key; change cipher and finish messages follow, and both sides hold the secret key]

Figure 9-10. SSL handshake: reply with secret key
SSL handshake secured

• Joe (client) and Kate (server) have agreed upon the following:
  - A cipher suite
  - A CipherSpec has been set up
  - Secret keys have been exchanged
• Messages are now sent inside a secure connection

[Diagram: Joe (client) and Kate (server) exchanging application messages over the secured connection]
Figure 9-11. SSL handshake secured
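The six handshake slides above, replayed end to end as an added Python example (not DataPower code and not from the course): Joe offers cipher suites, Kate picks one and presents a certificate, Joe runs the three checks from the "verify server certificate" slide (signature against a trusted CA, validity period, revocation list), encrypts a premaster secret to Kate's public key, and both sides derive the same session keys. Assumptions of the example: textbook RSA with 512-bit keys and no padding stands in for the real public-key operation (insecure, illustration only); key derivation is the TLS 1.2 PRF from RFC 5246 with SHA-256; "certificates" are plain dicts rather than X.509; all names, serial numbers and suite lists are constructed.

```python
"""Toy replay of the Joe/Kate handshake from the slides: hello, certificate,
the three certificate checks, a premaster secret encrypted to the server's
public key, and both sides deriving the same session keys. Added example, not
DataPower code. Textbook RSA (no padding, 512-bit keys) is for illustration
only; key derivation is the TLS 1.2 PRF of RFC 5246 with SHA-256."""
import hashlib, hmac, math, os, random, time
SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"

def _is_prime(n, rounds=16):                  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Deliberately tiny: never use for real traffic."""
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_prime(c):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def _tbs(cert):                               # the fields covered by the CA's signature
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def issue_cert(ca_priv, subject, pub, serial, not_before=None, days=365):
    """Toy certificate: a dict signed (textbook RSA) by the CA. Not X.509."""
    nb = int(time.time()) if not_before is None else not_before
    cert = {"subject": subject, "pub": pub, "serial": serial,
            "not_before": nb, "not_after": nb + days * 86400}
    cert["sig"] = pow(_h(_tbs(cert)), ca_priv[1], ca_priv[0])
    return cert

def verify_cert(cert, trusted_ca_pubs, crl):
    """The checks on the 'verify server certificate' slide; returns the public key."""
    if not any(pow(cert["sig"], e, n) == _h(_tbs(cert)) for n, e in trusted_ca_pubs):
        raise ValueError("certificate signature not trusted")
    if not cert["not_before"] <= int(time.time()) <= cert["not_after"]:
        raise ValueError("certificate expired or not yet valid")
    if cert["serial"] in crl:
        raise ValueError("certificate revoked")
    return cert["pub"]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length bytes."""
    seed, out, a = label + seed, b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def handshake(offered, supported, server_cert, server_priv, trusted_ca_pubs, crl):
    client_random = os.urandom(32)                              # ClientHello
    suite = next((s for s in offered if s in supported), None)  # ServerHello picks
    if suite is None:
        raise ValueError("handshake failure: no common cipher suite")
    server_random = os.urandom(32)
    n, e = verify_cert(server_cert, trusted_ca_pubs, crl)       # Joe checks Kate's cert
    premaster = os.urandom(48)                                  # ClientKeyExchange:
    encrypted = pow(int.from_bytes(premaster, "big"), e, n)     # only Kate can open it
    kate_premaster = pow(encrypted, server_priv[1], server_priv[0]).to_bytes(48, "big")
    randoms = client_random + server_random
    masters = [prf(pm, b"master secret", randoms, 48) for pm in (premaster, kate_premaster)]
    block = prf(masters[0], b"key expansion", server_random + client_random, 64)  # reversed order, as in TLS
    return {"suite": suite, "client_master": masters[0], "server_master": masters[1],
            "client_write_key": block[:32], "server_write_key": block[32:]}

def demo():
    """Success path, then each certificate check (and a suite mismatch) refusing Kate."""
    random.seed(2009)                         # deterministic toy keys, example only
    ca_pub, ca_priv = rsa_keygen()
    kate_pub, kate_priv = rsa_keygen()
    rogue_pub, rogue_priv = rsa_keygen()      # a CA that is not in Joe's keystore
    good = issue_cert(ca_priv, "CN=kate.example", kate_pub, serial=7)
    cases = {"ok": (good, kate_priv, set(), [SUITE, "TLS_RSA_WITH_RC4_128_SHA"]),
             "untrusted": (issue_cert(rogue_priv, "CN=kate.example", rogue_pub, 8), rogue_priv, set(), [SUITE]),
             "expired": (issue_cert(ca_priv, "CN=kate.example", kate_pub, 9, 0, 1), kate_priv, set(), [SUITE]),
             "revoked": (good, kate_priv, {7}, [SUITE]),
             "no_suite": (good, kate_priv, set(), ["TLS_RSA_WITH_NULL_SHA"])}
    outcome = {}
    for name, (cert, priv, crl, offered) in cases.items():
        try:
            outcome[name] = handshake(offered, {SUITE}, cert, priv, [ca_pub], crl)
        except ValueError as err:
            outcome[name] = str(err)
    return outcome

if __name__ == "__main__":
    result = demo()
    print("same master secret:", result["ok"]["client_master"] == result["ok"]["server_master"])
```

The point to notice is where the secrecy comes from: an eavesdropper sees both randoms and the encrypted premaster, but without Kate's private key cannot recover the premaster, so cannot derive the master secret or the write keys; and the certificate checks are what stop a rogue "Kate" from substituting her own public key in the first place.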

DataPower support for SSL

• The DataPower appliance supports SSL:
  - From the remote client to the appliance
  - From the appliance to the external (endpoint) application servers
  - From the appliance to external resources, such as an authentication server

[Diagram: client, appliance, endpoint application servers and external resources; each hop carries an SSL-encrypted request and an SSL-encrypted reply]
Figure 9-12. DataPower support for SSL
SSL Proxy profile: crypto objects relationship

• Relationship between the SSL proxy profile and the crypto objects
  - Server: the appliance is the server and receives a request to participate in SSL
  - Client: the appliance is the client and initiates the request for SSL (client hello)

[Diagram: SSL proxy profile refers to a crypto profile; the crypto profile refers to a crypto identification credential (crypto key plus crypto certificate) and a crypto validation credential (crypto certificates, created from the pubcert: directory or added manually)]
Figure 9-13. SSL Proxy profile: crypto objects relationship

Securing connections from client to appliance

To set up SSL between the client and the appliance, you need to perform the following:

• The DataPower appliance needs to supply a cryptographic certificate
  - The matching private key for the certificate is maintained by the appliance (identification credential)
  - Configure an SSL server crypto profile with cryptographic objects linking to the certificate-key pair
  - Verify the settings in the SSL proxy profile
• The client validates the certificate presented by the appliance, often by way of the CA certificates included in the certificate chain (server-only authentication)
• The appliance may request a certificate from the client and validate it (mutual authentication)
  - The appliance may use certificate authority (CA) certificates (there are many in the pubcert: directory) to validate client certificates

[Diagram: the client sends an SSL-encrypted request to the appliance and receives an SSL-encrypted reply]
Figure 9-14. Securing connections from client to appliance
Step 1: Appliance supplies cryptographic certificate

[Diagram: the SSL server crypto profile refers to a crypto identification credential (crypto key plus crypto certificate) and, optionally, to a crypto validation credential, which is required only if the server validates the client certificate; the validation credential holds crypto certificates created from the pubcert: directory or added manually]
Figure 9-15. Step 1: Appliance supplies cryptographic certificate

Step 2: Configuring SSL server crypto profile

• Configure an SSL server crypto profile with cryptographic objects linking to the certificate-key pair
  - From the Configure XML Firewall page, select an SSL Server Crypto Profile from the drop-down list

[Screenshot: Configure XML Firewall page. Front End panel: Device Address 0.0.0.0, Device Port, SSL Server Crypto Profile drop-down (with a plus button to create a new one). Back End panel: Server Address, Server Port, SSL Client Crypto Profile = StudentClientCP]
Figure 9-16. Step 2: Configuring SSL server crypto profile
If you do not have an SSL server crypto profile

• Create a profile:
  - Click the plus (+) button (new) next to the SSL Server Crypto Profile field on the Configure XML Firewall page, or
  - In the vertical navigation bar, select Objects > Crypto > Crypto Profile

[Screenshot: Configure Crypto Profile page for StudentServerCP. Fields recoverable from the scan: Profile Name; Admin State enabled / disabled; Identification Credentials; Validation Credentials; Ciphers = DEFAULT; Enable default settings; Options: Disable SSL version 2, Disable SSL version 3, Disable TLS version 1, Send Client CA List on / off. Alongside, the key-and-certificate dialog used to create the identification credential: Server Private Key, Private Key Password, Confirm Password, Server Certificate, Server Certificate Password, Use Password Alias, Certificate Authorities]

A current deployment should leave SSL version 2 and SSL version 3 disabled; both protocol versions are obsolete.

Figure 9-17. If you do not have an SSL server crypto profile

Step 3: Verify SSL server proxy profile settings

• An SSL proxy profile is automatically created when you specify an SSL server crypto profile
• In the vertical navigation bar, expand Objects and select Crypto > SSL Proxy Profile
• In the Configure SSL Proxy Profile list page, click the newly created SSL proxy profile
• The Reverse (Server) Crypto Profile is automatically populated

[Screenshot: SSL Proxy Profile: MyTransformFirewall (up). Admin State: enabled / disabled; SSL Direction: Reverse; Reverse (Server) Crypto Profile: StudentServerCP; Server-side Session Caching: on / off; Server-side Session Cache Timeout (seconds); Server-side Session Cache Size (entries x 1024); Client Authentication Is Optional: on / off; Always Request Client Authentication: on / off]

Check the two client authentication settings against what you intend: with Client Authentication Is Optional on, a client that presents no certificate is still admitted, so mutual authentication is only enforced when that option is off.
Figure 9-18. Step 3: Verify SSL server proxy profile settings
Securing the connection from appliance to external application server

To set up SSL between the appliance and an external application server, you need to perform the following:

• The DataPower appliance needs to validate the certificate supplied by the external application server
  - The list of certificates used to validate it (the validation credential) is stored on the appliance
  - The application server holds the matching private key for its certificate
• Configure an SSL client crypto profile with cryptographic objects linking to the validation credentials
• Verify the settings in the SSL proxy profile

[Diagram: the appliance sends an SSL-encrypted request to the application server and receives an SSL-encrypted reply]
Figure 9-19. Securing the connection from appliance to external application server

Step 1: Appliance validates presented certificate

[Diagram: the SSL client crypto profile refers to a crypto validation credential, to which crypto certificates are added; the crypto certificates are created from the pubcert: directory or manually]

Figure 9-20. Step 1: Appliance validates presented certificate
Step 2: Configuring an SSL client crypto profile

• Configure an SSL client crypto profile that validates the presented certificate
  - From the Configure XML Firewall page, select an SSL Client Crypto Profile from the drop-down list

[Screenshot: Configure XML Firewall page. Back End panel: Server Address, Server Port, SSL Client Crypto Profile = StudentClientCP. Front End panel: Device Address, Device Port, SSL Server Crypto Profile = (none)]

Figure 9-21. Step 2: Configuring an SSL client crypto profile

Step 3: Verify SSL client proxy profile settings

• An SSL proxy profile is automatically populated with the SSL client crypto profile that was selected
  - In the vertical navigation bar, select Objects > Crypto > SSL Proxy Profile
  - In the Configure SSL Proxy Profile list page, click the SSL proxy profile
• The Forward (Client) Crypto Profile is automatically populated
• The SSL Direction is two-way if the appliance supports SSL for both the client and the server side

[Screenshot: SSL Proxy Profile: MyBasicFirewall (up). Admin State: enabled / disabled; SSL Direction: Forward; Forward (Client) Crypto Profile: StudentClientCP; Client-side Session Caching: on / off]
Figure 9-22. Step 3: Verify SSL client proxy profile settings
SSL Proxy Profile list

• The list shows which SSL proxy profiles are using which crypto profiles
  - An SSL proxy profile that functions as both a client and a server has both types of crypto profile

Configure SSL Proxy Profile

Name                 Status   Op-State   Direction   Forward (Client) Crypto Profile   Reverse (Server) Crypto Profile
MyBasicFirewall      saved    up         forward     StudentClientCP                   (none)
MyTransformFirewall  saved    up         reverse     (none)                            StudentServerCP
TwoWayDemo           new      up         two-way     StudentClientCP                   StudentServerCP

Figure 9-23. SSL Proxy Profile list

User agent

• User agents communicate with the back-end service
  - Example: configure a user agent to use an SSL proxy profile when the request URL is matched by a matching expression
  - Policies are applied using a URL match expression
• Multiple policies can be associated with a user agent and triggered based on different URL strings

[Diagram: request, client-side service policy, server-side user agent policy, external resources]

Figure 9-24. User agent
Configuring a user agent

• The XML manager default object uses a default user agent
  - Alternatively, from the vertical navigation bar, select Network > User Agent to display or create a user agent
• Create a user agent configuration
  - In the Main tab, enter the user agent name and set the HTTP settings
  - Several techniques are available to set up communication, each keyed by a set of URLs:
    • Proxy policy: specifies a URL match expression whose requests are forwarded to a remote address and port
    • Basic authentication policy: associates a user name and password with a set of URLs
    • SOAP action policy: associates a SOAPAction HTTP header with a set of URLs
    • Public key authentication policy: associates a specific private key to use during public key authentication

[Screenshot: Configure User Agent page with tabs Main, Proxy Policy, SSL Proxy Profile Policy, Basic-Auth Policy, Soap-Action Policy, Pubkey-Auth Policy]

Figure 9-25. Configuring a user agent

Create a user agent configuration

• Configure a user agent to use an SSL proxy profile to communicate with the back-end service
  - Select the SSL Proxy Profile Policy tab
  - Specify a URL match expression and a corresponding SSL proxy profile

[Screenshot: SSL Proxy Profile Policy tab with a URL Matching Expression field (the wildcard pattern entered is illegible in the scan) and SSL proxy profile = MyBasicFirewall]
Figure 9-26. Create a user agent configuration
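How a user agent's per-URL policies resolve, as an added Python example (not DataPower code and not from the course). The policy table, the URLs and the profile names are constructed, and the matching semantics, a '*' wildcard that matches any run of characters with the first matching expression winning, are an assumption made for the example rather than a statement about the appliance's own matcher.

```python
"""Resolve the user agent policy that applies to an outbound request URL.
Added example, not DataPower code. Assumed semantics: a URL match expression is
a wildcard pattern in which '*' matches any run of characters; expressions are
tried in configured order and the first match wins. Table and URLs are
constructed for the example."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed user agent: (URL match expression, policy type, policy settings).
# Order matters: the more specific payments expression is listed before the
# wildcard that covers the rest of example.com.
USER_AGENT_POLICIES = [
    ("https://payments.example.com:8443/*", "ssl-proxy-profile", {"profile": "PaymentsProxyProfile"}),
    ("https://*.example.com/*", "ssl-proxy-profile", {"profile": "MyBasicFirewall"}),
    ("http://ldap-gw.example.com/*", "basic-auth", {"user": "dpagent", "password-alias": "ldap-gw"}),
    ("*://*/soap/*", "soap-action", {"soap-action": "urn:example:Default"}),
]

def matching_policies(url, table=USER_AGENT_POLICIES):
    """Every policy whose expression matches the URL, in configured order."""
    return [(ptype, settings) for pattern, ptype, settings in table if fnmatchcase(url, pattern)]

def select_policy(url, policy_type, table=USER_AGENT_POLICIES):
    """First matching policy of the given type, or None when none matches."""
    return next((s for t, s in matching_policies(url, table) if t == policy_type), None)

SAMPLE_URLS = [   # constructed back-end URLs a service policy might call
    "https://payments.example.com:8443/pay",
    "https://payments.example.com/pay",
    "https://svc.example.com/soap/Order",
    "http://ldap-gw.example.com/search",
    "https://partner.other.org/soap/Quote",
]

def review(urls=SAMPLE_URLS, table=USER_AGENT_POLICIES):
    """Per URL, the effective setting for each policy type (first match per type)."""
    out = {}
    for url in urls:
        effective = {}
        for ptype, settings in matching_policies(url, table):
            effective.setdefault(ptype, settings)      # first match per type wins
        out[url] = effective
    return out

def unpinned_https(urls=SAMPLE_URLS, table=USER_AGENT_POLICIES):
    """https:// URLs with no SSL proxy profile policy: they get whatever the user
    agent does by default, which is exactly the list a reviewer wants to see."""
    return [u for u in urls if urlsplit(u).scheme == "https"
            and select_policy(u, "ssl-proxy-profile", table) is None]

if __name__ == "__main__":
    for url, effective in review().items():
        print(url, effective)
    print("no SSL proxy profile policy:", unpinned_https())
```

The two payments URLs show why ordering matters: the port-qualified expression only matches the 8443 endpoint, and the plain one falls through to the broader example.com expression, so swapping the two rows would silently send payments traffic through the generic profile.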
Checkpoint
1. What occurs during an SSL handshake?
2. What is the difference between an SSL proxy profile and an SSL crypto profile?
3. What are the three steps involved in securing a connection from the appliance to an external application server using SSL?

Figure 9-27. Checkpoint

Unit summary
Having completed this unit, you should be able to:
• Configure the WebSphere DataPower SOA Appliance to communicate using SSL
• Associate an SSL proxy profile with keys and certificates
• Configure a user agent to initiate requests

Figure 9-28. Unit summary

Unit 10. XML threat protection

What this unit is about
This unit covers the vulnerabilities that exist in XML messaging.

What you should be able to do
After completing this unit, you should be able to:
• Explain possible attack scenarios involved in XML-based applications
• Describe the various types of XML attacks
• Use the WebSphere DataPower SOA Appliance to protect against XML attacks

How you will check your progress
• Checkpoint
• Exercise 8: Protect against XML threats

Unit objectives
After completing this unit, you should be able to:
• Explain possible attack scenarios involved in XML-based applications
• Describe the various types of XML attacks
• Use the WebSphere DataPower SOA Appliance to protect against XML attacks

Figure 10-1. Unit objectives

What are the security concerns?

• XML-based web services easily expose back-end systems to customers and partners
• Traditional security devices do not secure XML and SOAP traffic
  - Giant holes in firewalls

[Diagram: a web server and an application server behind an IP firewall; the XML and SOAP traffic passes straight through the firewall]
Figure 10-2. What are the security concerns?

Notes:
Web services are based on SOAP, XML, and HTTP. Many of the messages using these services and protocols are sent to port 80, so they pass through the firewall.

These protocols have gained widespread attention because of their simplicity and ease of use. However, along with those benefits, a new class of security issues and problems is introduced. This new class of problems is known collectively as XML threats.

Traditional systems and exposure

• The "firewall-safe" feature of SOAP/XML can easily be exploited to launch XML attacks
  - XML validation is typically "off" for performance reasons
• No rate-limiting functions exist, either in the product or built into the architecture
  - Lack of traffic throttling, classification and screening
• These controls should occur up front in the architecture
  - Potentially malicious messages should be filtered before they are allowed to flow to the back-end systems
  - Otherwise the damage is already done by the time it is noticed, introducing system stability and availability issues
• Traditional edge devices are not smart enough to check for these attacks
Figure 10-3. Traditional systems and exposure

Notes:
An XML firewall can protect against any and all of the following threats:

• XML denial of service
• Unauthorized access
• Loss of data integrity and confidentiality
• System compromise

Rate-limiting functions: in computer networks, rate limiting is used to control the traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is sent, whereas traffic that exceeds the rate is dropped or delayed. A device or mechanism that performs rate limiting is called a rate limiter. Rate limiting is performed by defining and enforcing a policy that encapsulates the parameters within which rate limiting is administered.

Edge devices: the EoN, or Edge of Network, refers to the part of the network topology where traffic enters or leaves a corporate network. Typically, these are devices in the DMZ, for example firewalls, load balancers, and proxy servers.

Addressing the security concerns

• Multiple levels of defense: "Defense in depth" strategy
  - First level
    - XML security gateway for enhanced security, scalability, and simplicity
  - Second level
    - Application server for additional processing

Figure 10-4. Addressing the security concerns
Notes:

Web services security can be enforced at two levels:

First level of defense: XML Security Gateway
  - Performance: At least ten times more improvement over software
  - Scalability: Can minimize the number of servers
  - Manageability: Fewer enforcement points simplify configuration
  - Availability: XDoS checking protects application and web servers

Second level of defense: Web services application
  - Manageability: Can integrate with container-based security
  - Security: Business-specific security is embedded within an application

Three high-level deployment patterns

• Three typical deployment patterns:
  - Intranet
  - Internet
  - Federated extranet

[Figure: Company A and Company B networks. XS40 DataPower appliances are placed (1) in the DMZ of company A, facing the Internet, (2) in the DMZ of company B, and (3) in the intranet of company A, in front of the internal Web services and their users.]

Figure 10-5. Three high-level deployment patterns

Notes:

1. XS40 in the DMZ of company A. It is set up with an XML firewall. Schema validation is enabled to offload the application server. XML threats settings are configured to valid sizes. It uses AAA to check the client's ID and authority.

2. XS40 deployed in the DMZ of company B. It is also set up with an XML firewall to verify outgoing requests. Outbound AAA verifies the ID and authority. Company B and company A have implemented a federated extranet (perhaps using Tivoli Federated Identity Manager). XS40 injects SAML assertions and attributes into outbound messages.

3. XS40 deployed in the intranet of company A. Since the requests are coming from within, company A has decided to apply different security rules. An XML firewall is defined to allow only specific IP addresses access to the internal application.

Four types of XML attacks

• XML denial of service (XDoS)
  - Slowing down or disabling a Web service so that service requests are hampered or denied
• Unauthorized access
  - Gaining unauthorized access to a Web service or its data
• Data integrity and confidentiality
  - Data integrity attacks of Web service requests, responses, or underlying databases
• System compromise
  - Corrupting the Web service itself or the servers that host it

Figure 10-6. Four types of XML attacks

Notes:
These attacks are discussed in detail in subsequent slides.

XML denial of service (XDoS): Single message attacks

• Jumbo payloads
  - Sending a very large XML message to exhaust memory and CPU on the target system
• Recursive elements
  - XML messages that can be used to force recursive entity expansion or other repeated processing to exhaust server resources
• Mega tags
  - Otherwise valid XML messages with excessively long element names, may lead to buffer overruns
• Coercive parsing
  - XML messages constructed to be difficult to parse that consume the resources of the machine
• Public key DoS
  - Forcing resource exhaustion on the recipient by utilizing the asymmetric nature of public key operations
  - Transmitting a message with a large number of long-key-length, computationally expensive digital signatures

Figure 10-7. XML denial of service (XDoS): Single-message attacks

Notes:

XML denial of service (XDoS): Multiple message attacks

• XML flood
  - Sending thousands of useless messages per second to tie up a Web service
  - This attack can be combined with a replay attack, to bypass authentication for example, and single message XDoS to increase its impact
• Resource hijack
  - Sending messages that lock or reserve resources on the target server as part of a never-completed transaction
  - For example, messages that intentionally force lock contention on resources or similar situations

Figure 10-8. XML denial of service (XDoS): Multiple-message attacks

Notes:

Unauthorized access attacks

• Dictionary attacks
  - Guessing the password of a valid user using a brute force search through dictionary words
• Falsified messages
  - Faking that a message is from a valid user
  - Using a "man in the middle" to gain a valid message and then modifying it to send a different message
• Replay attack
  - Resending a previously valid message for malicious effect
  - Possibly where only parts of the message (such as the security token) are replayed

Figure 10-9. Unauthorized access attacks

Notes:
Data integrity and confidentiality attacks

• Data tampering
  - Exploiting weaknesses in the access control mechanism that permits the attacker to make unauthorized calls to the Web service to alter data
• Message snooping
  - A direct attack on data privacy by examining all or part of the content of a message
• XPath or XSLT injection
  - Injection of expressions into the application logic
• SQL injection
  - Modifying SQL in XML to obtain additional data beyond what the service was designed to return
• WSDL enumeration
  - Examining the services listed in the WSDL to guess at and gain access to unlisted services
• Routing detour
  - Using SOAP routing headers to access internal Web services

Figure 10-10. Data integrity and confidentiality attacks

Notes:

System compromise attacks

• Malicious include
  - Causes a Web service to:
    - Include invalid external data in output
    - Return privileged files from the server file system
  - For example, using embedded "file:" URLs to return UNIX password files or other privileged data to the attacker
• Memory space breach
  - Accomplished by using stack overflow, buffer overrun, or heap error
  - Allows execution of arbitrary code supplied by the attacker with permission of host processes
• XML encapsulation
  - Embedded system command in XML payload, for example, using the CDATA tag
• XML virus (X-Virus)
  - Using SOAP with attachments or other attachment mechanisms to transmit malicious executables, such as viruses or worms

Figure 10-11. System compromise attacks

Notes:

XML parser limits

• In the Configure XML Manager page, select the XML Parser tab
• This enhances security and stability by protecting against DoS attacks and runaway data
• XML parser limits: Impose limits on various characteristics of XML documents parsed by the device
• Parser limits are assigned to an XML manager, and any service supported by that manager inherits these limits
• Note: These inherited properties can be overridden by service-specific settings

[Screenshot: Configure XML Manager, XML Parser tab (tabs: Main, XML Parser, Document Cache), showing XML Bytes Scanned 4194304 bytes, XML Element Depth 512, XML Attribute Count 128, XML Maximum Node Size 33554432 bytes, XML External Reference Handling: Forbid.]

Figure 10-12. XML parser limits

Notes:

You can get to the list of XML Managers by going to OBJECTS > XML Processing > XML Manager.

Parser limits:

• XML Bytes Scanned: The maximum number of bytes scanned by the XML parser
• XML Element Depth: The maximum depth of element nesting
• XML Attribute Count: The maximum number of attributes allowed per XML element
• XML Maximum Node Size: The maximum size of an individual XML node (bytes)

XML threat protection

• Maximize protection against XML-based threats
• XML threat protection types:
  - Single message XML denial of service (XDoS) protection
  - Multiple message XML denial of service (MMXDoS) protection
  - Message tampering protection
  - SQL injection protection
  - Protocol threat protection
  - XML virus (X-Virus) protection
  - Dictionary attack protection

[Screenshot: XML Firewall Service, XML Threat Protection tab (tabs: General, Advanced, Stylesheet Params, XML Threat Protection, Headers, Monitors). "This page lets you configure the device for protection against the following threats:" Single Message XML Denial of Service (XDoS) Protection, Multiple Message XML Denial of Service (MMXDoS) Protection, Message Tampering Protection, SQL Injection Protection, Protocol Threat Protection, XML Virus (X-Virus) Protection, Dictionary Attack Protection. Fields shown: Max. Message Size (KB), Override XML Manager parser limits (on/off), Recursive Entity Protection.]

Figure 10-13. XML threat protection

Notes:

Using a coordinated set of objects and firewall configuration objects, it is possible to maximize firewall protection against XML threats (malicious attempts to disrupt service by the firewall or the back-end server).

XML threat protection: Single message XDoS

• XML threat protection settings:
  - Maximum message size
  - Override XML Manager parser limits
    - Max. XML Attribute Count
    - Max. XML Bytes Scanned
    - Max. XML Element Depth
    - Max. XML Node Size
    - Attachment Byte Count Limit

[Screenshot: Single Message XML Denial of Service (XDoS) Protection panel: Max. Message Size (KB); Override XML Manager parser limits (on/off); Max. XML Attribute Count 128; Max. XML Bytes Scanned 4194304 bytes; Max. XML Element Depth 512; Max. XML Node Size (bytes); Attachment Byte Count Limit (bytes); Recursive Entity Protection (on/off).]

Figure 10-14. XML threat protection: Single message XDoS

Notes:

These settings provide protection against a single malicious XML message. A number of the parameters used to provide this kind of protection are set in the XML Manager. This page offers the opportunity to override the XML Manager with firewall-level settings (go to Override XML Manager parser limits and select the on or the off radio button).


• Max. Message Size: The maximum allowed size, in KB, of any given message. The range is 0 - 256. The default is 0, which means that no limit is enforced.
• Override XML Manager parser limits: When left at the default of Off, the parser limits set in the XML Manager used by this firewall will remain in effect.
• Max XML Attribute Count: This is an integer value that limits the number of attributes for any given element.
• Max XML Bytes Scanned: This limits the number of bytes contained in any given XML message. A value of 0 enforces no limit.
• Max XML Element Depth: This limits the depth of nested elements in an XML message.
• Max. XML Node Size: This limits the size of any one XML node. The minimum value allowed is 1. Note: This value may be larger than the Max. XML Bytes Scanned value, but the limit on the total number of bytes scanned takes precedence.
• Attachment Byte Count Limit: This limits the size, in bytes, of any single attachment to the message. Enter 0 to enforce no limit. Note that this property setting is not available in the XML Manager parser limits.
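The parser limits from the XML Manager page (Figure 10-12) and the single-message XDoS settings above, worked through as an added Python example that is not DataPower code: a standard-library expat parser is wrapped so that each limit rejects the matching single-message attack from Figure 10-7 (jumbo payload, recursive entities, mega tags, deep nesting). The defaults are the values shown in the screenshots; how "Forbid" external references and Recursive Entity Protection are emulated (rejecting external or nested entity declarations) is an assumption of this example, and the sample documents are constructed.

```python
"""Added example (not DataPower code): XML Manager-style parser limits on expat.

Emulates the XML Parser tab and Single Message XDoS settings with the defaults
shown in the screenshots. "Forbid" external references and Recursive Entity
Protection are modelled (an assumption) as rejecting any entity declaration
that points outside the document or expands to other entities.
"""
import xml.parsers.expat as expat


class ParserLimitExceeded(Exception):
    """Raised when a document breaches one of the configured limits."""


class XmlParserLimits:
    def __init__(self, bytes_scanned=4194304, element_depth=512,
                 attribute_count=128, node_size=33554432,
                 forbid_external_refs=True, recursive_entity_protection=True):
        self.bytes_scanned = bytes_scanned
        self.element_depth = element_depth
        self.attribute_count = attribute_count
        self.node_size = node_size
        self.forbid_external_refs = forbid_external_refs
        self.recursive_entity_protection = recursive_entity_protection

    def check(self, data: bytes) -> dict:
        """Parse data under the limits; return stats or raise ParserLimitExceeded."""
        # XML Bytes Scanned: checked before any parsing (0 means no limit).
        if self.bytes_scanned and len(data) > self.bytes_scanned:
            raise ParserLimitExceeded(f"bytes scanned {len(data)} > {self.bytes_scanned}")

        stats = {"bytes": len(data), "max_depth": 0, "elements": 0}
        depth = 0
        text_len = []  # character data accumulated per open element

        def start(name, attrs):
            nonlocal depth
            depth += 1
            stats["elements"] += 1
            stats["max_depth"] = max(stats["max_depth"], depth)
            if depth > self.element_depth:  # XML Element Depth
                raise ParserLimitExceeded(f"element depth {depth} > {self.element_depth}")
            if len(attrs) > self.attribute_count:  # XML Attribute Count
                raise ParserLimitExceeded(f"attribute count {len(attrs)} > {self.attribute_count}")
            if len(name) > self.node_size:  # mega tags: overlong element names
                raise ParserLimitExceeded("element name exceeds node size")
            text_len.append(0)

        def end(name):
            nonlocal depth
            depth -= 1
            text_len.pop()

        def chars(text):
            if text_len:  # XML Maximum Node Size, applied to one element's text
                text_len[-1] += len(text)
                if text_len[-1] > self.node_size:
                    raise ParserLimitExceeded(f"node size > {self.node_size}")

        def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
            if self.forbid_external_refs and (system_id or public_id):
                raise ParserLimitExceeded(f"external reference in entity {name!r} forbidden")
            if self.recursive_entity_protection and value and "&" in value:
                raise ParserLimitExceeded(f"nested entity expansion in entity {name!r} forbidden")

        def external_ref(context, base, system_id, public_id):
            raise ParserLimitExceeded(f"external reference {system_id!r} forbidden")

        parser = expat.ParserCreate()
        # Never fetch an external DTD subset, whatever the document asks for.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.CharacterDataHandler = chars
        parser.EntityDeclHandler = entity_decl
        if self.forbid_external_refs:
            parser.ExternalEntityRefHandler = external_ref
        parser.Parse(data, True)
        return stats


def classify(data: bytes, limits: XmlParserLimits = None) -> str:
    """Return "accepted" or a rejection reason, the way a firewall log would."""
    try:
        (limits or XmlParserLimits()).check(data)
        return "accepted"
    except ParserLimitExceeded as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed ({exc})"


# Constructed sample documents (not from the course), one per threat type.
OK_DOC = b'<order id="7"><item qty="2">chair</item></order>'
DEEP_DOC = b"<a>" * 600 + b"</a>" * 600  # nesting deeper than 512
WIDE_DOC = ("<e " + " ".join(f'a{i}="x"' for i in range(129)) + "/>").encode()
EXTERNAL_DOC = (b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///constructed/secret.txt">]>'
                b"<d>&e;</d>")
NESTED_DOC = b'<!DOCTYPE d [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]><d>&b;</d>'
```

Because the byte count is checked before the parser is even created, a jumbo payload is refused without spending parser CPU on it, which is the reason the appliance applies that limit first as well.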

XML threat protection: Multiple message XDoS

• Protects against a denial of service attack with multiple XML messages sent to a service
• XML threat protection settings:
  - Max. Duration for a Request
  - Interval for Measuring Request Rate from Host
  - Max. Request Rate from Host
  - Interval for Measuring Request Rate for Firewall
  - Maximum Request Rate for Firewall
  - Block Interval
  - Log Level

[Screenshot: Multiple Message XML Denial of Service (MMXDoS) Protection panel. "Enabling MMXDoS will create duration and count monitors and attach them to this firewall." Enable MMXDoS Protection (on/off); Max. Duration for a Request (msec); Interval for Measuring Request Rate from Host (msec); Max. Request Rate from Host (messages/interval); Interval for Measuring Request Rate for Firewall (msec); Max. Request Rate for Firewall (messages/interval); Block Interval (msec); Log Level: error.]

Figure 10-15. XML threat protection: Multiple message XDoS

Notes:

• Max. Duration for a Request: This indicates the maximum number of milliseconds allowed for processing any one request.
• Interval for Measuring Request Rate from Host: This is an integer in milliseconds, used for measuring the rate of requests from any given host. The default is 1000, and it measures requests per second.
• Max. Request Rate from Host: This is an integer that sets the maximum number of requests that can be received, within the interval period, from any one host.
• Interval for Measuring Request Rate for Firewall: This is an integer that sets the interval, in milliseconds, for measuring the request rate for the entire firewall.
• Max Request Rate for Firewall: This is the maximum number of requests that can be received, within the interval period, by the firewall.
• Block Interval: This is an integer that sets the period of time, in milliseconds, for which the firewall will block access after one of the other thresholds has been reached.
• Log Level: This is the level at which log messages are generated by those threat protection thresholds. When a threshold is reached, the firewall generates a log message.

XML threat protection: Protocol threats

• Protocol threat protection prevents messages that are formatted according to unauthorized protocols from passing through the firewall
• Protocol Threat Protection settings:
  - Request Type
  - Response Type
  - Request HTTP Version
  - Response HTTP Version

[Screenshot: Protocol Threat Protection panel with the Request HTTP Version and Response HTTP Version fields.]

Figure 10-16. XML threat protection: Protocol threats

Notes:

XML threat protection: XML virus

• Viruses are typically contained in message attachments
• First, specify how to handle request/response attachments
• If you allow attachments, you can use the following in the processing policy to invoke an external virus scanning service:
  - Filter action
  - Results action
  - Anti-virus action (V3.6.1)

[Screenshot: XML Virus (X-Virus) Protection panel. Requests with Attachments: Unprocessed. "Select a firewall processing policy which includes a Filter action that uses the Processing Control File "store:///Virus-ScanAttachments.xsl". This Filter action must specify an Output context name (for example, "attachments") and must also employ a stylesheet parameter named "{http://www.datapower.com/param/config}SendTo" with the value set to the URL of your virus scanner. You may elect to add a Filter action as described above to an existing or new processing policy. Use the Firewall Policy inputs under "Message Tampering Protection" to select, edit or create the desired firewall processing policy."]

Figure 10-17. XML threat protection: XML virus

Notes:

These settings provide protection against viruses that typically flow as message attachments.

You can use either a Results action or Filter action to call the external virus scanner service. For the Filter action approach, use the style sheet store:///virus-scanattachment.xsl, with a style sheet parameter containing the URL of the virus scanner.

With 3.6.1, there is a new Anti-Virus action that can be used to specify interaction with an external virus scanning service. The Results action and Filter action approaches will continue to work.

In all cases, communication with the external virus scanning service is performed by using ICAP (Internet Content Adaptation Protocol).

XML threat protection: Dictionary attack

• Dictionary attacks are detected by repeatedly denied requests for access
  - A message count monitor is employed to provide dictionary attack protection
• A service can monitor access requests through an AAA action that is activated on every request for a service
  - When the count of rejected access requests reaches a certain level, the service can send a notification and even deny service for a certain period of time

[Screenshot: Dictionary Attack Protection panel. "Dictionary attacks are detected by repeatedly denied requests for access, which is typically a visible symptom of someone probing for data dictionary definitions to exploit. The firewall can monitor access requests through an AAA (Authentication and Authorization) Action that is activated on every request for service. When the count of rejected access requests reaches a certain level, the firewall can send notification and even deny service for a period of time. To create this protection, it is necessary to create a Count Monitor object which has its Measure property set to "xpath". You can invoke the page to create a new Count Monitor by clicking + alongside the Count Monitor inputs below. This Count Monitor must then be identified within an AAA action as the Rejected Counter. This action must be part of the Firewall Policy identified for this firewall. You can add this action to the current policy by clicking the "..." button alongside the policy input under "Message Tampering" above. Then drag an AAA icon onto the processing line and double-click the icon. Finally, the count monitor created for this purpose must be listed as one of the Count Monitors associated with this firewall. Use the Count Monitors inputs on the Monitors tab to accomplish this task."]

Figure 10-18. XML threat protection: Dictionary attack

Notes:
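The count monitors behind both the MMXDoS settings (Figure 10-15: per-host and firewall-wide request rate, block interval, max duration) and the dictionary attack protection above (a monitor fed only by AAA rejections, acting as the Rejected Counter), as one added Python example that is not DataPower code. The AAA action is a stub accepting one constructed credential, the clock is an explicit millisecond value so the scenarios are reproducible, and the thresholds in the two scenarios are constructed values rather than appliance defaults.

```python
"""Added example (not DataPower code): the count monitors behind MMXDoS and
dictionary attack protection, driven by an explicit millisecond clock.

Assumptions: a request that trips a limit is itself rejected; the AAA action
is a stub that accepts one constructed credential; thresholds and intervals
in the scenarios are constructed values, not the appliance defaults.
"""
from collections import defaultdict, deque


class CountMonitor:
    """Sliding-window counter: more than max_count events for one key inside
    interval_ms trips the monitor and blocks that key for block_interval_ms."""

    def __init__(self, max_count, interval_ms=1000, block_interval_ms=0):
        self.max_count = max_count
        self.interval_ms = interval_ms
        self.block_interval_ms = block_interval_ms
        self.events = defaultdict(deque)  # key -> event timestamps in window
        self.blocked_until = {}           # key -> ms until which it is blocked
        self.log = []                     # log lines emitted when a limit trips

    def is_blocked(self, key, now_ms):
        return self.blocked_until.get(key, 0) > now_ms

    def record(self, key, now_ms):
        """Count one event; return True if this event tripped the limit."""
        window = self.events[key]
        window.append(now_ms)
        while window and window[0] <= now_ms - self.interval_ms:
            window.popleft()  # drop events that fell out of the interval
        if len(window) > self.max_count:
            self.blocked_until[key] = now_ms + self.block_interval_ms
            window.clear()
            self.log.append(f"{now_ms} ms: {key} exceeded {self.max_count} per "
                            f"{self.interval_ms} ms, blocked {self.block_interval_ms} ms")
            return True
        return False


class MMXDoSFirewall:
    """Max. Request Rate from Host, Max. Request Rate for Firewall, Block
    Interval and Max. Duration for a Request, as on the MMXDoS panel."""
    FIREWALL_KEY = "*"

    def __init__(self, host_rate, host_interval_ms, fw_rate, fw_interval_ms,
                 block_interval_ms, max_duration_ms):
        self.host = CountMonitor(host_rate, host_interval_ms, block_interval_ms)
        self.firewall = CountMonitor(fw_rate, fw_interval_ms, block_interval_ms)
        self.max_duration_ms = max_duration_ms

    def admit(self, client, now_ms):
        if (self.host.is_blocked(client, now_ms)
                or self.firewall.is_blocked(self.FIREWALL_KEY, now_ms)):
            return "blocked"
        host_hit = self.host.record(client, now_ms)
        fw_hit = self.firewall.record(self.FIREWALL_KEY, now_ms)
        return "rejected" if host_hit or fw_hit else "accepted"

    def check_duration(self, elapsed_ms):
        return "rejected" if elapsed_ms > self.max_duration_ms else "accepted"


class DictionaryAttackGuard:
    """AAA action whose rejections feed a count monitor configured as the
    Rejected Counter; at the threshold the service notifies and denies."""

    def __init__(self, max_rejections, interval_ms, deny_interval_ms):
        self.rejected = CountMonitor(max_rejections, interval_ms, deny_interval_ms)
        self.credentials = {"alice": "constructed-secret"}  # stub identity store

    def authenticate(self, client, user, password, now_ms):
        if self.rejected.is_blocked(client, now_ms):
            return "denied"  # service denied for the rest of the deny period
        if self.credentials.get(user) == password:
            return "authorized"
        if self.rejected.record(client, now_ms):
            return "denied"  # threshold reached: the log entry is the notification
        return "rejected"


def simulate_flood():
    """Constructed XML flood: host limit 5 per 1000 ms, firewall limit 50 per
    1000 ms, block 2000 ms; seven requests in 70 ms, then one after the block."""
    fw = MMXDoSFirewall(5, 1000, 50, 1000, 2000, max_duration_ms=500)
    burst = [fw.admit("10.0.0.9", t) for t in range(0, 70, 10)]
    after_block = fw.admit("10.0.0.9", 2100)
    return burst, after_block


def simulate_guessing():
    """Constructed password guessing: more than 3 rejections in 10 s denies the
    client for 60 s, even for the right password, until the period expires."""
    guard = DictionaryAttackGuard(3, 10_000, 60_000)
    outcomes = [guard.authenticate("10.0.0.9", "alice", f"guess{i}", 1000 * i)
                for i in range(5)]
    outcomes.append(guard.authenticate("10.0.0.9", "alice", "constructed-secret", 6_000))
    outcomes.append(guard.authenticate("10.0.0.9", "alice", "constructed-secret", 70_000))
    return outcomes
```

Note the difference between the two monitors: the MMXDoS one counts every request from a host, while the dictionary one counts only AAA rejections, so a legitimate client that occasionally mistypes a password is never close to its threshold.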

)
)

(-.a ,..Jo un suAl r(J


f.."t e>rr. L*..(s
rC)' A ve
T^ rY ue@4. < clnace l" stc,',
ctc"r,'.[[
)14
r.
Se uc.\i
P

Ct

,)

)
)

(r

,..

rrce url ''net'sq//:

/ek

.)
..)
.,)
.,}

.J
.J

.)

J
J
J

I
3
o
o
o
G

Copyright IBM Corp.

2009

Unit 10. XML threat protection

10-21

Course materials may not be reproduced in whole or in part


without the praor wrtten permisson of lBM.
El color azui de la impresin ga@nIiza la autenticidad de este documento
@ Copyright

ffirlng

Message tampering

• Message tampering protection can employ the following:
  - Encrypt and decrypt the message to hide the content
  - Sign and verify the message to ensure message integrity
  - Validate the schema of the message content for proper structure

[Screenshot: Processing policy action palette: Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results, Advanced, with CLIENT at the start of the processing line.]

Figure 10-19. Message tampering

Notes:

Message tampering protection employs schema validation that is performed on submitted messages to prevent messages that have been altered and no longer pass validation from reaching the back-end server endpoints.

You can also add a Verify action to check incoming digitally signed documents.

Your policy can use a Sign action to digitally sign a document leaving the service so that the receiver can check against the signature upon receipt.
SQL injection attack

• A hacking technique that attempts to pass SQL commands through a Web application or Web service for execution by a back-end database
• Enabled by application code that does not properly screen SQL statement data received from a client or Web form input (for example, SQL keywords, statements, comments)
• Example: Database query from a Web form
  - Expected: SELECT id FROM logins WHERE userName='$'
  - Actual:   SELECT id FROM logins WHERE userName='Tom' OR 'y'='y'
• Example: Building a database query from a Web form
  - Expected: SELECT product FROM products WHERE pName LIKE '%Chairs'
  - Actual:   SELECT product FROM products WHERE pName LIKE '%Chairs' UNION SELECT username FROM dba_users WHERE username LIKE '%'

Figure 10-20. SQL injection attack

Notes:
The problem occurs because the application code does not properly filter the SQL strings coming in from the client, either as fields from a Web page form, or as data in an XML message.

The underlined text indicates the text that is being entered in the Web form or sent in the XML document. The "expected" is what the developer expected to receive, and the "actual" is what the hacker actually sent.

In the first example, the developer expects just a single user name to be received. The hacker entered the underlined code, which includes an OR that will always return true. The effect is to return all IDs from the table.

The second example is supposed to return a list of all selected products. The hacker adds a union of another table, which returns all the database users in the application. The resulting table contains the selected product rows, as well as all the database users. Clearly, this is not what the developer intended.

The typical exposure is when:

1. Input parameters are not properly screened, allowing one of two attacks:
   a. Additional SQL keywords cause the boolean condition to always return a result, such as the entire list of user names and passwords.
   b. Additional SQL statements are slipped in. If the interface allows read/write access, the attacker can add his or her own user name and password.
2. The two dashes (--) are appended to the end of the parameter to comment out the rest of the original SQL statement.

SQL injection is one of the most common application layer attacks. An attacker passes a string input to an application in hopes of manipulating the SQL statement to his or her advantage. The complexity of the attack involves exploiting an SQL statement that may be unknown to the attacker. Open-source applications and commercial applications delivered with source code are more susceptible since an attacker can find potentially vulnerable statements prior to an attack.

SQL injection attack protection

• DataPower SQL injection attack protection uses a style sheet-based approach to filter out potentially risky SQL strings
  - Add a Filter action to a firewall processing policy
  - Configure the processing control file to use store:///SQL-Injection-Filter.xsl
  - The style sheet sets a parameter named {http://www.datapower.com/param/config}SQLPatternFile to store:///SQL-Injection-Patterns.xml
  - You may customize it to point to a custom SQL injection pattern file

[Screenshot: Configure Filter Action. Action Type: filter; Processing Control File: store:///SQL-Injection-Filter.xsl; Dynamic Stylesheet: off.]

Figure 10-21. SQL injection attack protection

Notes:

In a Web service scenario, the SQL query that is entered would be included inside a Web service request that will be used to perform a database operation.

Under the Advanced tab in the Configure Filter Action page, you can specify the SQL-Injection-Filter.xsl style sheet, and the SQL injection pattern file. The SQL injection pattern file defaults to SQL-Injection-Patterns.xml, but you can change it to any other pattern file you want.
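The two queries from Figure 10-20 run against a constructed SQLite database, beside the two defences this unit describes: a gateway-side pattern filter over the text of each request element (an added Python stand-in for the SQL-Injection-Filter.xsl approach, using a handful of constructed patterns rather than the contents of SQL-Injection-Patterns.xml) and, on the application side, the same queries with bound parameters. This is an added example, not DataPower or course code; the table contents and request bodies are constructed.

```python
"""Added example (not DataPower code): the two queries from the SQL injection
slide run against a constructed SQLite database, beside the two defences the
course describes: a gateway-side pattern filter (a simplified stand-in for
SQL-Injection-Filter.xsl, with constructed patterns rather than the contents
of SQL-Injection-Patterns.xml) and parameterized queries in the application.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed patterns covering the slide's examples and the notes' cases:
# boolean tautology, UNION, stacked statement, trailing comment.
SQL_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    re.compile(r"--"),
]


def filter_request(xml_request: str):
    """Gateway check over every element's text: (allowed, offending element)."""
    for element in ET.fromstring(xml_request).iter():
        text = element.text or ""
        if any(p.search(text) for p in SQL_PATTERNS):
            return False, element.tag
    return True, None


def build_db():
    """Constructed tables named as on the slide: logins, products, dba_users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE logins(id INTEGER, userName TEXT);
        INSERT INTO logins VALUES (1, 'Tom'), (2, 'Ann'), (3, 'Bob');
        CREATE TABLE products(product TEXT, pName TEXT);
        INSERT INTO products VALUES ('P-1', 'Office Chairs'), ('P-2', 'Desk');
        CREATE TABLE dba_users(username TEXT);
        INSERT INTO dba_users VALUES ('sys'), ('dbadmin');
    """)
    return db


def vulnerable_lookup(db, user_name):
    """The slide's query built by concatenation: input becomes part of the SQL."""
    sql = "SELECT id FROM logins WHERE userName='" + user_name + "'"
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db, user_name):
    """Same query with a bound parameter: input can only ever be a value."""
    rows = db.execute("SELECT id FROM logins WHERE userName=?", (user_name,))
    return [row[0] for row in rows]


def vulnerable_search(db, name):
    """The slide's LIKE query built by concatenation."""
    sql = "SELECT product FROM products WHERE pName LIKE '%" + name + "'"
    return [row[0] for row in db.execute(sql)]


def safe_search(db, name):
    """Same LIKE query with the wildcard added to a bound parameter."""
    rows = db.execute("SELECT product FROM products WHERE pName LIKE ?", ("%" + name,))
    return [row[0] for row in rows]


# Constructed request bodies carrying the slide's expected and actual inputs.
LOGIN_OK = "<login><userName>Tom</userName></login>"
LOGIN_ATTACK = "<login><userName>Tom' OR 'y'='y</userName></login>"
SEARCH_OK = "<search><pName>Chairs</pName></search>"
SEARCH_ATTACK = ("<search><pName>Chairs' UNION SELECT username FROM dba_users "
                 "WHERE username LIKE '%</pName></search>")


def run_scenarios():
    """What each defence returns for the attack inputs from the slide."""
    db = build_db()
    bad_user = ET.fromstring(LOGIN_ATTACK).findtext("userName")
    bad_name = ET.fromstring(SEARCH_ATTACK).findtext("pName")
    return {
        "vulnerable_login": vulnerable_lookup(db, bad_user),   # every id leaks
        "safe_login": safe_lookup(db, bad_user),               # no such user
        "vulnerable_search": vulnerable_search(db, bad_name),  # products + dba users
        "safe_search": safe_search(db, bad_name),
        "gateway_verdicts": [filter_request(r)[0] for r in
                             (LOGIN_OK, LOGIN_ATTACK, SEARCH_OK, SEARCH_ATTACK)],
    }
```

The gateway filter is pattern-based, so it will miss inputs the patterns do not describe and can flag legitimate text that happens to contain them; the parameterized query is the defence that holds regardless of input, which is why the unit places the filter in front of, not instead of, a properly written back end.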

Checkpoint

1. What are the four types of XML threats?
2. True or False: XML virus protection is a periodic virus scanning utility offered by the DataPower SOA appliance.
3. True or False: The Validate action is sufficient to protect against message tampering.

Figure 10-22. Checkpoint

Notes:

Write your answers here:

1.

2.

3.

Unit summary

Having completed this unit, you should be able to:
• Explain possible attack scenarios involved in XML-based applications
• Describe the various types of XML attacks
• Use the WebSphere DataPower SOA Appliance to protect against XML attacks

Figure 10-23. Unit summary

Notes:

Unit 11. Web service proxy service


What this unit is about

This unit discusses the Web service proxy service and its role in an XML-aware Web services-based network. The configuration steps required to create and manage a Web service proxy are discussed. Advanced Web service configuration steps, such as proxy-level security, SOAPAction policy, and Web service endpoint, are also explained.

What you should be able to do

After completing this unit, you should be able to:

• Describe the Web service proxy architecture
• List and explain the configuration steps needed to create a Web service proxy
• Create and configure a Web service proxy policy at various levels of the Web Services Description Language (WSDL) file

How you will check your progress

• Checkpoint
• Exercise 9: Configure a Web service proxy service

Unit objectives

After completing this unit, you should be able to:

• Describe the Web service proxy architecture
• List and explain the configuration steps needed to create a Web service proxy
• Create and configure a Web service proxy policy at various levels of the Web Services Description Language (WSDL) file

Figure 11-1. Unit objectives

Notes:


Web service proxy overview

• A Web service proxy is a middleware component that exists between the client and the Web service
  - Hides the Web service endpoint address from the client
  - Flexibility to change the back-end address without affecting client code
  - Performs security, validation, and transformation on a request or response to offload these tasks from the back-end Web service
• The XS40 and XI50 DataPower appliances allow you to create a Web service proxy to accelerate and mediate communication between a client and a Web service
  - Rules associated with different parts of a WSDL interface
  - Supports multiple WSDL documents
  - Fine-grained policy control
  - Built-in service-level monitoring (SLM) capabilities
Figure 11-2. Web service proxy overview

Notes:

The client does not need to know the endpoint address of the Web service. It will always be forwarded to the Web service proxy. If the Web service endpoint changes, only modifications to the Web service proxy are required. The client is unaffected.

Performing security, validation, and transformation on the DataPower appliance for Web service proxy requests improves application performance because it is done at a hardware level. It is offloaded from the application server, which would perform these tasks in software. You can also apply a standard security policy for your Web service proxy on the DataPower appliance since all requests pass through the appliance.

Web service proxy architecture

[Diagram: a client calls the Web service (WS) proxy at its local endpoint (host.com/Operation). The WS proxy WSDL lists Operation A, Operation B, and Operation C. Each operation comes from a separate WSDL with its own remote endpoint: WSDL 1 (Operation A) at ahost.co.com:7000/Service, WSDL 2 (Operation B) at ahost.co.com:7001/Service, and WSDL 3 (Operation C) at ahost.co.com:7002/Service.]

Figure 11-3. Web service proxy architecture

Notes:

The Web service proxy has a WSDL file listing the operations that it supports. These operations can be aggregated from multiple WSDL files that are in different locations.

The Web service proxy maintains a mapping of a local endpoint and remote endpoint for each WSDL file.

Web service proxy benefits

• Web service proxy quickly virtualizes your existing services
  - Virtualizes a service simply by loading a WSDL document
  - Clients now connect directly to the Web service proxy and not the back-end service
• Creates a processing policy with rules and actions at a fine-grained level
  - Request and response messages can be processed by rules at a proxy, service, port, or operation level
  - Automatic schema validation of request, response, and fault messages (user policy)
  - User does not need to create a processing policy for this
• Integrates with a service directory of published WSDL
  - Connects to a UDDI repository to publish the WSDL file
• Service virtualization can occur in real time
  - Web service proxy can update the proxy WSDL automatically when the underlying WSDL is updated
• Can enforce policy and monitor performance of services
• Multiple appliance support for virtual services
Figure 11-4. Web service proxy benefits

Notes:

A user policy allows you to schema validate request, response, and fault messages. It is automatically created when you create a Web service proxy.

The Web service proxy is built on top of the XML firewall. Therefore it provides all of the functionality of an XML firewall such as encryption, validation, AAA, and more.

UDDI is a service repository that is used to search for WSDL files of a service.

Creating a WSDL cache policy enables the proxy WSDL file to be updated automatically when the underlying WSDL changes.

You can create an SLM peer group to share SLM data and enforce SLM policy between multiple DataPower appliances.


Web service proxy features

The Configure Web Service Proxy page has the following tabs:

• SLM: Monitors and shapes traffic entering the Web service proxy
• WSDLs: Uploads or associates a WSDL document with a Web service proxy; configures the proxy and remote URI (address, port) of services contained in the WSDL document
• Services: Listing of services defined in each WSDL document; can publish services to a UDDI registry
• Policy: Configures a Web service proxy policy
• Proxy Settings: Specifies method of forwarding to service, security, XML manager, and HTTP settings
• Advanced Proxy Settings: Configures advanced connection settings
• Headers/Params: Add or remove HTTP headers and pass style sheet parameters
• WS-Addressing (click right arrow to view this option): Specifies the WS-Addressing mode for this service
• XML Threat Protection (click right arrow to view this option): Provides protection against XML threats

Figure 11-5. Web service proxy features

Notes:

There are configuration options for each tab in the Web service proxy GUI.


Web service proxy basic configuration steps

1. Obtain the WSDL document
2. Use the DataPower WebGUI to create a Web service proxy
   - Web Service Proxy icon in the DataPower WebGUI Control Panel, or
   - Using the vertical navigation bar, select SERVICES > Web Service Proxy > New Web Service Proxy
3. Upload the WSDL document and add it to the Web service proxy
4. Configure the WSDL endpoint
   - Define both the proxy URI and the endpoint URI for each service in the WSDL document
5. Specify a processing policy consisting of rules for the Web service (optional)

Figure 11-6. Web service proxy basic configuration steps

Notes:

The URI consists of an address and port.

Step 5 is optional because a default processing policy is generated by the appliance. The default processing policy applies at the proxy level for each service. You can override the default processing policy with a more specific policy at a fine-grained level for each service, port, or operation. Only one policy is executed per request or response.

You can also perform these additional configuration steps:

• Configure how the proxy forwards requests to the back-end Web service. By default, the URI defined in the WSDL document is used to determine the back-end Web service.
• Select the SOAP action policy to specify how to consume messages with a SOAPAction header.
• Configure security settings such as proxy-wide AAA settings, decryption key, and SSL proxy profile to a back-end service.

Step 1: Obtain WSDL document

• A WSDL document that describes your Web service is required before creating a Web service proxy
• A WSDL document describes a Web service interface using XML
  - Uses the W3C XML schema type system for type information
  - Contains operations and messages that are bound to a network protocol and message format
  - Includes binding and location information for published Web services
• DataPower creates a Web service proxy based on the structure of a WSDL document
  - WSDL-based configuration consists of a service, ports, and operations
  - SLM and policy configuration can be defined at various levels of the WSDL document

Figure 11-7. Step 1: Obtain WSDL document

Notes:

A WSDL document describes the service operations that can be invoked together with their messaging protocol, transport, and endpoint address.

Each operation contains an input and output message, whose types are defined by the XML schema type system.


WSDL structure

• portType
  - Abstract definition of a service
  - Same idea as a Java interface
• binding
  - How to access the portType
  - Multiple bindings per portType
  - HTTP, JMS, SMTP, and so on
• port
  - Represents an individual endpoint
• service
  - Something that can be invoked
  - Represents a collection of ports

[Diagram: a portType contains operation a and operation b, each with an inMessage, an outMessage, and a faultMessage. A binding (SOAP+HTTP) describes how to access the portType, and a service groups the ports that expose it.]

Figure 11-8. WSDL structure

Notes:
This diagram shows the general structure of a WSDL and the relationships of the elements
to each other.


Step 2: Creating a Web service proxy

• A Web service proxy can be created by:
  - Clicking the Web Service Proxy icon in the DataPower WebGUI Control Panel and clicking Add on the Configure Web Service Proxy listing page
  - Using the vertical navigation bar, selecting SERVICES > Web Service Proxy > New Web Service Proxy

[Screen captures: the Control Panel with the Configure Web Service Proxy listing page (Web Service Proxy Name, Op-State, Logs columns), and the SERVICES menu with the Web Service Proxy, Edit Web Service Proxy, New Web Service Proxy, and Browse UDDI entries.]

Figure 11-9. Step 2: Creating a Web service proxy

Notes:
You can use either approach in creating a Web service proxy. The Web pages are
identical.


Web service proxy object editor

• A Web service proxy can also be created by configuring the objects that compose the Web service proxy
  - From the vertical navigation bar, select OBJECTS > Services > Web Service Proxy
  - All configuration options are available

[Screen capture: the OBJECTS > Services menu, listing HTTP Service, Multi-Protocol Gateway, SSL Proxy Service, TCP Proxy Service, UDDI Subscription, Web Service Proxy, and other service objects.]

Figure 11-10. Web service proxy object editor

Notes:

The WSDL cache policy and user policies are example configurations that are only possible using this editor.

Web service proxy GUI

• Two GUIs for creating a Web service proxy:
  1. Control panel (Configure Web Service Proxy)
  2. Object editor

[Screen captures of both GUIs for the AddressSearchProxy Web service proxy: the Control Panel's Configure Web Service Proxy page with its WSDLs, Services, Policy, and Proxy Settings tabs and the Add WSDL, Add UDDI subscription, and Add WSRR subscription buttons; and the object editor with its Main, Proxy Settings, HTTP Options, and related tabs (Admin State, Comments, XML Manager, Load Balancer Hash Header, WSDL Cache Policy, Endpoint Rewrite, and so on).]

Figure 11-11. Web service proxy GUI

Notes:

This slide shows the two GUIs available for configuring a Web service proxy. Using the Control Panel, you can create a Web service proxy with similar objects grouped together. Using the object editor, you can create a Web service proxy by configuring the objects that compose the Web service proxy.

Either approach can be used. The Control Panel approach is simpler since similar objects are grouped together.

The Advanced XML Threat Protection tab is not shown in the screen capture, but is also available.

The configuration steps using the object-oriented approach are spread out in the various tabs. Some options, such as the WSDL cache policy, are only available using this approach.

The remaining slides will use the Web service proxy GUI in the DataPower Control Panel to demonstrate the different options.


Step 3: Add WSDL document to Web service proxy

1. Click Add on the Configure Web Service Proxy listing page
   - The WSDLs tab is the first page shown
2. Enter the Web Service Proxy Name on the creation page
3. Select Add WSDL
4. Add the WSDL file using one of the following approaches:
   - Enter WSDL File URL (remote or local URL)
   - Upload WSDL file to the local: or store: directory
   - Select previously uploaded WSDL document
   - Browse UDDI
5. Click Next

[Screen capture: the WSDLs tab with the Web Service Proxy Name field, the Add WSDL, Add WSRR subscription, and Add UDDI Subscription buttons, the WSDL File URL field (local:///), the Upload and Fetch controls, WS-Policy References, and the Enforcement Mode (enforce) setting.]

Figure 11-12. Step 3: Add WSDL document to Web service proxy

Notes:

The first step listed in this slide, creating a Web service proxy, is not shown.

Click the Upload button to upload a WSDL file to the DataPower appliance. The WSDL file can be uploaded to the local: directory (which is accessible in the current domain) or to the store: directory (which is accessible in all domains).

When you upload a WSDL file, the WSDL File URL is automatically populated. You can upload and add multiple WSDL files.

You can also enter an HTTP URL into the WSDL File URL, and the Web page populates the fields with information from the WSDL file.

Step 4: Configure WSDL endpoint

• After clicking Next, specify the Local and Remote URI of the WSDL service
  - Local (what the client sees):
    . Local endpoint handler
    . Specify the URI invoked by the client
  - Remote (where the Web service really is):
    . Web service endpoint (protocol, host name, port, and URI)

[Screen capture: the endpoint page with, under Local, the Local Endpoint Handler selector (with Add and Edit/Remove buttons) and the URI field; and, under Remote/Published, the Protocol (http), Hostname (IP Address) (myWSserver.com), Port (9999), and Remote URI fields, plus the Use Local checkbox and the Next button.]

Figure 11-13. Step 4: Configure WSDL endpoint

Notes:

The Local section contains information that the client needs to call a service on the Web service proxy. You need to create a local endpoint handler to specify a port number that listens for requests of a particular service and forwards to the remote destination.

Under Local, the URI field is what the client uses, prefaced with the host name of the DataPower appliance and the port specified in the Local Endpoint Handler object.

The Remote section contains information about the Web service endpoint address that the Web service proxy will call. Make sure you change the default host name of localhost to the correct host name.


Configure local endpoint handler

• Click the plus (+) button to create a new local endpoint handler object
• Specify the appliance local IP address and port number to listen for requests
• Can also restrict access based on HTTP attributes

[Screen capture: the Configure HTTP Front Side Handler page with the Name, Admin State (enabled/disabled), Comments, Local IP Address (0.0.0.0), Port Number (80), and HTTP Version to Client (HTTP/1.0, HTTP/1.1) fields. The handler type menu lists HTTP Front Side Handler, FTP Server Front Side Handler, MQ Front Side Handler, Stateful Raw XML Handler, Stateless Raw XML Handler, WebSphere JMS Front Side Handler, NFS Poller Front Side Handler, and FTP Poller Front Side Handler.]

Figure 11-14. Configure local endpoint handler

Notes:

Another choice for local endpoint handler not visible in the context menu is IMS Connect Handler.

The local IP address of 0.0.0.0 means that the endpoint handler listens for requests on all of the appliance interfaces.

Make sure that the port number you specify here is unique.

View WSDL services

• Click the Services tab to view the services extracted from the WSDL document
  - Click the Publish to UDDI button to configure a connection to a UDDI registry

[Screen capture: the Services tab of the Web service proxy listing the AddressSearchService service with its Publish to UDDI button, and the View Log, View Status, and View Operations links.]

Figure 11-15. View WSDL services

Notes:

The services in this tab are automatically generated by the appliance when you add a WSDL file to the Web service proxy.

Universal Description, Discovery, and Integration (UDDI) is an XML-based registry used to search for WSDL documents. UDDI is implemented as a Web service that you can publish and search for Web services. The DataPower appliance does not provide a UDDI registry, only a connection.

The View Operations button opens another window that lists the operations defined in the WSDLs exposed by this service.

Retrieve the "client" WSDL from the service

• You can retrieve the client-facing WSDL from the service
  - Edit the front side handler to allow HTTP GET (Allowed Methods and Versions: POST, GET, PUT, OPTIONS; HTTP/1.0, HTTP/1.1)
  - Enter: http://myDPappliance.com:6999/EastAddressSearch?wsdl
    . 6999: The port number of the WS-Proxy service
    . /EastAddressSearch: The local or client URI to invoke the Web service
• The returned WSDL contains the appliance's IP address and service port as the WSDL <address location= >
  - Original:
      <wsdl:port binding="..." name="AddressSearch">
        <address location="http://training.ibm.com:9080/EastAddress/services/AddressSearch" />
      </wsdl:port>
  - Retrieved by ?wsdl:
      <wsdl:port binding="..." name="AddressSearch">
        <address location="http://192.168.10.41:6999/EastAddressSearch" />
      </wsdl:port>

Figure 11-16. Retrieve the "client" WSDL from the service

Notes:

The original WSDL used in defining the WS-Proxy contains a "location" that is no longer correct for the Web service proxied by this service.

When you append ?wsdl to the URL that the client uses to access the Web service by using the appliance, the appliance will return a WSDL with:

• The appliance's IP address
• The WS-Proxy's port
• The URI that the client uses to access the Web service
Modifying the location in the "client" WSDL

• The WSDL retrieved from the WS-Proxy service using ?wsdl by default places the appliance's IP address and port in the "location"
      <wsdl:port binding="..." name="AddressSearch">
        <address location="http://192.168.10.41:6999/EastAddressSearch" />
      </wsdl:port>
• You can specify a different host name or port to be placed in the WSDL
  - Clear Use Local to enter your own values

[Screen capture: the Published endpoint fields, Protocol (http), Hostname (IP Address), Port, and Remote URI, with the Use Local checkbox cleared and explicit values entered.]

• Now retrieved by ?wsdl:
      <wsdl:port binding="..." name="AddressSearch">
        <address location="http://myDPapplian…" />
      </wsdl:port>

Figure 11-17. Modifying the location in the "client" WSDL

Notes:

The WSDL retrieved by ?wsdl contains the IP address and port of the appliance and WS-Proxy service.

By clearing the Use Local checkbox, you can explicitly specify the host name, port, and URI that are to be included in the retrieved WSDL.

This becomes especially useful if you have a load balancer fronting the appliance. By using the explicit approach, you can specify the load balancer's details in the retrieved WSDL so the clients send their requests to the correct host name, port, or URI on the load balancer. Of course, the load balancer needs to be configured to forward requests to the appliance's host name, port, or URI.
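The WSDL structure from Figure 11-8 and the ?wsdl location rewriting from Figures 11-16 and 11-17, as an added Python example (not code from the course or from the appliance): it walks a constructed WSDL from service to port to binding to portType to operations, then rewrites every soap:address location the way the slides describe, either with the appliance address and handler port (Use Local) or with an explicitly published endpoint such as a load balancer. The sample WSDL, the hosts, ports, and the PublishedEndpoint name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
NS = {"wsdl": WSDL_NS, "soap": SOAP_NS}

# Constructed sample WSDL (not from the course): one portType, one SOAP/HTTP
# binding, one service whose port carries the back-end "Original" location.
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.test/addresssearch"
    targetNamespace="http://example.test/addresssearch">
  <wsdl:message name="searchRequest"/>
  <wsdl:message name="searchResponse"/>
  <wsdl:portType name="AddressSearchPortType">
    <wsdl:operation name="searchByZip">
      <wsdl:input message="tns:searchRequest"/>
      <wsdl:output message="tns:searchResponse"/>
    </wsdl:operation>
    <wsdl:operation name="searchByName">
      <wsdl:input message="tns:searchRequest"/>
      <wsdl:output message="tns:searchResponse"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="AddressSearchBinding" type="tns:AddressSearchPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="AddressSearchService">
    <wsdl:port name="AddressSearch" binding="tns:AddressSearchBinding">
      <soap:address location="http://training.ibm.com:9080/EastAddress/services/AddressSearch"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""

@dataclass
class PublishedEndpoint:
    # The fields shown on the slide once Use Local is cleared (hypothetical class).
    protocol: str
    hostname: str
    port: int
    uri: str

    def url(self) -> str:
        return f"{self.protocol}://{self.hostname}:{self.port}{self.uri}"

def _local_name(qname: str) -> str:
    """Strip a prefix such as 'tns:' from a by-value WSDL reference."""
    return qname.split(":", 1)[-1]

def describe_wsdl(wsdl_text: str) -> dict:
    """Walk service -> port -> binding -> portType -> operations (Figure 11-8).
    Returns {service: {port: {"location": str, "operations": [str, ...]}}}."""
    root = ET.fromstring(wsdl_text)
    binding_to_porttype = {b.get("name"): _local_name(b.get("type"))
                           for b in root.findall("wsdl:binding", NS)}
    porttype_ops = {pt.get("name"): [op.get("name") for op in
                                     pt.findall("wsdl:operation", NS)]
                    for pt in root.findall("wsdl:portType", NS)}
    services = {}
    for svc in root.findall("wsdl:service", NS):
        ports = {}
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            port_type = binding_to_porttype[_local_name(port.get("binding"))]
            ports[port.get("name")] = {
                "location": None if addr is None else addr.get("location"),
                "operations": porttype_ops[port_type],
            }
        services[svc.get("name")] = ports
    return services

def rewrite_client_wsdl(wsdl_text: str, local_uri: str, appliance_host: str,
                        handler_port: int,
                        published: Optional[PublishedEndpoint] = None) -> str:
    """Return the client-facing WSDL with every soap:address location replaced.
    Use Local (published is None): appliance address + front side handler port
    + local URI, as on Figure 11-16.  Use Local cleared: the explicitly
    published endpoint, as on Figure 11-17 (for example a load balancer in
    front of the appliance).  Either way the back-end address is not exposed."""
    new_location = (published.url() if published is not None
                    else f"http://{appliance_host}:{handler_port}{local_uri}")
    root = ET.fromstring(wsdl_text)
    # Locate the addresses by parsing, but substitute in the original text so
    # the rest of the WSDL (including namespace declarations ElementTree would
    # drop on re-serialisation, such as xmlns:tns) is kept byte for byte.
    # Assumes double-quoted location attributes without XML escapes.
    client_text = wsdl_text
    for addr in root.iter(f"{{{SOAP_NS}}}address"):
        client_text = client_text.replace(f'location="{addr.get("location")}"',
                                          f'location="{new_location}"')
    return client_text
```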

Step 5: Configuring Web service proxy policy (optional)

• Click the Policy tab to view the Web service proxy policy
  - The Web service proxy policy consists of rules
  - Rules can be executed at a specific level per request or response
• The proxy generates a default request and a default response rule
  - Request rule consists of an SLM and a Results action
  - Response rule consists of a Results action
• You can arrange a hierarchy of policy rules
  - Click the Add Rule button to create rules at various levels of the WSDL document
    . proxy, wsdl, service, port, or operation

[Screen capture: the Web Service Proxy Policy page for AddressSearchPolicy with the "Open tree to: Proxy | WSDLs | Services | Ports | Operations" controls and the default proxy-level rules AddressSearchPolicy-default-requ… (request-rule) and AddressSearchPolicy-default-resp… (response-rule).]

Figure 11-18. Step 5: Configuring Web service proxy policy (optional)

Notes:

The default proxy-level rule contains two actions, an SLM Rule action and a Results action. The SLM Rule action is a checkpoint event that calls the Web service proxy SLM policy. You can verify the SLM Rule action by double-clicking it and noting the SLM policy name. Click the SLM tab to verify that the proxy name listed in the page is the same as the SLM Rule action.

Configure Web service proxy policy rule

• View the rule configuration by clicking the Add Rule button or selecting a previously configured rule
• Expand or collapse sections of the WSDL file

[Screen capture: the Web Service Proxy Policy tree for proxy AddressSearchPolicy with its default request and response rules, an Add Rule button at the wsdl: EastAddressSearch.wsdl level, and the rule configuration area with the Rule Name and Rule Direction fields, the action icons (Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route, AAA, Results, SLM, Advanced), the Delete Rule button, and the Create Reusable Rule button.]

Figure 11-19. Configure Web service proxy policy rule

Notes:

You can define multiple rules at a specific level and reorder them using the up and down arrows to the left of the rule.

The Match action is shown only when the rule is highlighted. The icons to the right of the rule under Web Service Proxy Policy do not show the Match action.

At the bottom of the rule configuration area, you can specify the directionality of the rule: Server to Client (response), Client to Server (request), Both Directions (request and response), or Error (when an error occurs during document processing).

To create multiple rules, click the Add Rule button multiple times.


)

)
)
)

J
11-20 Accelerate, Secure and Integrate with

DataPower

Copyright IBM Gorp. 2009

\..)

Course materials may not be reproduced in whole or in part


without the prior written permission of lBM.

El colo azul de la irnpresin garantiza la autertlcidad de este documento

O Copyriqht

o
o
3

IBM Trainirg

Student Notebook

Default validation (user policies)

• By default, each level of the proxy (proxy, wsdl, service, port, operation) defines a user policy to:
  - Schema validate messages (against the schema in the WSDL)
    . Request, response, and fault
  - Schema validate SOAP headers (against the schema in the WSDL)
  - Enable or disable a component
  - Publish a component in the proxy WSDL file
  - Use WS-Addressing
  - Use WS-ReliableMessaging
• The user policy executes before the proxy policies
• Click anywhere on the icons at a level to open the User Policy dialog window

[Screen capture: the policy tree with the levels wsdl: EastAddressSearch.wsdl, service: AddressSearchService, port: AddressSearch, and wsdl: WestAddressSearch.wsdl, each with an Add Rule button, and the User Policy dialog with Local Value checkboxes: Enable this component, Publish in WSDL, Schema validate fault messages, Schema validate request messages, Schema validate response messages, Schema validate SOAP headers, Use WS-Addressing, Use WS-ReliableMessaging.]

Figure 11-20. Default validation (user policies)

Notes:

Click any of the icons at each level to view the user policy pop-up. The first checkmark enables the component or policy. Each option shown in the pop-up maps to an icon with a green checkmark or red X.

Each policy level contains a user policy that can be enabled or disabled.

The Web service proxy policy and user policy are separate from each other; the user policy is executed before the Web service proxy policy.

Unit 11. Web service proxy service   11-21

Create reusable rule

• The rule configuration area allows you to select a set of actions to be invoked as a
  reusable rule
  1. Click the Create Reusable Rule button.
  2. Draw a box around the actions that should be included in the reusable rule.
  3. Click Apply. A grey rectangle appears around the reusable rule in the rule
     configuration area. Note the new rule name.
  4. Use the Advanced - Call Processing Rule action to reuse the rule.

[Screenshot: rule configuration area with the Rule Direction (Client to Server) and Rule Name
fields, the action palette (Filter, Sign, Verify, Validate, Encrypt, Decrypt, Transform, Route,
AAA, Results, SLM, Advanced), the ORIGIN / CLIENT / SERVER lane, and the Delete Rule and
Create Reusable Rule buttons.]

Figure 11-21. Create reusable rule

Notes:
Reusable rules are useful for applying a common set of actions at many levels of the Web
service proxy. Additional actions can be added before or after the reusable rules. This allows
you to more easily manage a set of actions repeating across many levels of the Web
service proxy.
Reusable rules can be defined in the other service type processing policies, such as an
XML firewall policy.

Advanced Web service proxy configuration

• Additional options available for advanced Web services proxy configuration:
  - Proxy Settings
    • Security settings (AAA, cryptographic key)
    • SOAP Action Policy
    • XML Manager
  - Advanced Proxy Settings
    • HTTP connection settings
  - Headers/Params
    • Adds or removes HTTP headers and passes style sheet parameters
  - WS-Addressing
    • Indicates support for WS-Addressing for front-end or back-end
  - XML Threat Protection
    • Provides protection against XML threats

[Screenshot: Web service proxy configuration tabs: Proxy Settings, Advanced Proxy Settings,
Header/Params, WS-Addressing, XML Threat Protection.]

Figure 11-22. Advanced Web service proxy configuration

Notes:
In this presentation, only the proxy settings are examined. See the DataPower WebGUI
Guide for information on the settings contained in the Advanced Proxy Settings,
Headers/Params, and WS-Addressing tabs.
The XML threat protection settings are discussed in the XML threat protection presentation.

WS-Policy

• WS-Policy is a specification that defines metadata to enable interoperability between
  Web service consumers and Web service providers
• The WS-Policy specifications enable organizations to automate their service governance
  models by creating a concrete instance of Web service governance
• New behaviors:
  - Parse WSDL with policy elements already included in the WSDL and recognize
    standardized policy "domains"
    • WS-Security Policy, WS-ReliableMessaging Policy
  - DataPower supports retrieving WSDL by using WebSphere Service Registry and
    Repository queries
  - DataPower supports retrieving WSDL by using a UDDI interface

Figure 11-23. WS-Policy

Notes:

WS-Policy is used to assert policies on security, QoS, required security tokens, privacy,
and other items. A Web service can stipulate what it can provide, and a consumer can
stipulate its requirements.

Conformance policy

• Defines which profiles will be used to validate whether received messages are in
  conformance to the selected profiles
• When a client sends non-conforming requests for a conforming back-end server:
  - The conformance policy can be used to fix non-conforming requests during message
    processing
• For signed and encrypted non-conforming data:
  - The cryptographic protection must be removed before and after conformance
    correction
• It can be added to a WS-Proxy in the Policy editor

[Screenshot: Policy editor for proxy: AddressSearchPolicy (default) showing the WS-I
Conformance drop-down (none), the Priority field (Normal), the Add Rule link, and the
AddressSearch Operation Conformance Policy pane with Done and Close buttons.]

Figure 11-24. Conformance policy

Notes:
Supported profiles:

• WS-I Basic Profile version 1.0
• WS-I Basic Profile version 1.1
• WS-I Attachments Profile version 1.0
• WS-I Basic Security Profile version 1.0

Any conformance correction must be coded in a style sheet; it is not automatically provided
by the appliance.

Conformance policy object

[Screenshot: Conformance Policy object (two tabs: Basic, Advanced) with annotated fields:]
• Conformance Policy Name (example: AddressSearch Proxy)
• Profiles: profiles against which conformance is checked (the WS-I profiles listed in the notes)
• Ignored Requirements: conformance requirements to ignore
• Corrective Stylesheets: XSL sheets to be invoked after conformance analysis
• Record Report: the degree of non-conformance that causes a report to be recorded
  (Never, Failure, Warning, Always)
• Reject non-conforming messages: the degree of non-conformance causing a rejected
  message (Never, Failure, Warning)
• Use analysis as result: deliver the conformance analysis report as an action result (on/off)
• Operation Conformance Policies

Figure 11-25. Conformance policy object

Notes:
Ignored requirements are entered as a text string. For example, BSP1.0R4227 would
ignore requirement R4227 in the Basic Security Profile V1.0.


Record report options:

• Never: Never record reports
• Failure: Record reports with conformance failures
• Warning: Record reports with conformance warnings
• Always: Record reports for all outcomes

Reject nonconforming messages:

• Never: Never reject messages
• Failure: Reject messages with conformance failures
• Warning: Reject messages with conformance warnings or failures

Service priority

• The WS-Proxy Policy editor has a Priority field
  - Sets priority for resource allocation and scheduling

[Screenshot: Policy editor for proxy: AddressSearchPolicy (default) with the WS-I Conformance
(none) and Priority drop-downs; the Priority choices are High, Normal and Low. The default
request and response rules (AddressSearchPolicy-default-request,
AddressSearchPolicy-default-response), the Add Rule link and wsdl: WestAddressSearch.wsdl
are listed below.]

• The different levels of priority are:
  - High
    • Receives above normal priority
  - Low
    • Receives below normal priority
  - Normal
    • (Default) Receives normal priority

Figure 11-26. Service priority

Notes:

Proxy settings (1 of 4)

• Click the Proxy Settings tab to view the proxy settings
  - Many options have default values
• Type
  - Static Backend: Web service proxy forwards to single back-end server
  - Dynamic Backend: Web service proxy determines back-end server during document
    processing
  - Static from WSDL (default): Back-end server is determined by service section in
    WSDL file

[Screenshot: Proxy Settings tab showing the XML Manager, AAA Policy, Type (Dynamic Backend /
Static Backend / Static from WSDL), Decrypt Key, Client Principal, Server Principal,
Kerberos Keytab and SOAP Action Policy (Lax / Off / Strict) fields.]

Figure 11-27. Proxy settings (1 of 4)

Notes:

When the Web service proxy receives requests from a client, it forwards them to a
back-end server for a service request.

The Type section specifies how that back-end server is determined. A back-end server is
identified by a URL and port. The default option is Static from WSDL, which uses the
WSDL file to determine the back-end server. The Dynamic Backend option determines
the back-end server during document processing, and the Static Backend option always
forwards to a single back-end server.

Proxy settings (2 of 4)

• Decrypt Key
  - Selects a cryptographic key object to decrypt the message payload
• Client Principal
  - The client principal name when decrypt is required. Used when the encryption uses a
    Kerberos session key or uses a key that was derived from the session key
• Server Principal
  - The server principal name when decrypt is required. Used when the encryption uses a
    Kerberos session key or uses a key that was derived from the session key

[Screenshot: Proxy Settings tab with the Decrypt Key, Client Principal and Server Principal
fields highlighted.]

Figure 11-28. Proxy settings (2 of 4)

Notes:
The message payload refers to the message body.
Encrypting a message introduces new elements into the SOAP message that would cause
automatic message validation to fail, since a typical schema validation does not check for
these elements.
An example SOAP message with encrypted payload may look like the following:

<SOAP:Body>
  <!-- the schema-defined body content is replaced by the encryption element -->
  <EncryptedData ...>
    ...
  </EncryptedData>
</SOAP:Body>

Using a cryptographic key ensures that a message can pass automatic validation by
decrypting the message payload before validation. The entire message must be encrypted,
not fields within the message.
The Client Principal field contains the full name of the client principal when the Web
Service Proxy needs to automatically decrypt encrypted requests. Use this property when
the encryption uses a Kerberos session key or uses a key that was derived from the
session key.

In a similar fashion, the Server Principal field specifies the full name of the server principal
when the Web Service Proxy needs to automatically decrypt encrypted responses.

Proxy settings (3 of 4)

• Kerberos Keytab
  - Selects the Kerberos keytab file that contains the principals
• SOAP Action Policy: Validates messages containing a SOAPAction HTTP header
  - Lax: Validates messages with empty SOAPAction HTTP header or empty string within
    SOAPAction HTTP header
  - Off: SOAPAction HTTP header is ignored
  - Strict: Message must contain exact match of SOAPAction header provided in WSDL
    file

[Screenshot: Proxy Settings tab with the Kerberos Keytab field and the SOAP Action Policy
radio buttons (Lax, Off, Strict) highlighted.]

Figure 11-29. Proxy settings (3 of 4)

Notes:

Select the Kerberos Keytab object that contains the principals for the Kerberos Keytab
list. The Web Service Proxy uses these principals to automatically decrypt encrypted
requests and responses.
The WSDL file for a service defines the value that a SOAPAction header must contain for a
SOAP request. The SOAPAction header is defined in the HTTP header, not the SOAP
header.
The SOAP Action Policy setting specifies how to validate messages with a SOAPAction
HTTP header.
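The following Python is an added illustration, not code from the course or from the appliance: it models how the three SOAP Action Policy settings (Lax, Off, Strict) decide whether a request is accepted, using the slide's definitions, and also compares the header against the operation named in the SOAP body, as the troubleshooting checklist later in this unit suggests. The WSDL soapAction table and the sample request are constructed; treating a header that is present but empty the same as a missing one under Lax is an assumption drawn from the slide's wording.

```python
"""Added example (not IBM course code): a model of the Web service proxy's
SOAP Action Policy (Lax / Off / Strict). The WSDL soapAction table and the
sample request below are constructed for the example."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed stand-in for the soapAction attribute of each soap:operation
# the AddressSearch WSDL would define (the values are assumptions).
WSDL_SOAP_ACTIONS = {
    "findByName": "urn:AddressSearch:findByName",
    "findByLocation": "urn:AddressSearch:findByLocation",
    "retrieveAll": "urn:AddressSearch:retrieveAll",
}

# Constructed sample request whose body names the findByName operation.
SAMPLE_REQUEST = (
    f'<env:Envelope xmlns:env="{SOAP_ENV}">'
    '<env:Body><ns:findByName xmlns:ns="urn:AddressSearch">'
    "<ns:name>Smith</ns:name></ns:findByName></env:Body></env:Envelope>"
)


def body_operation(envelope_xml):
    """Local name of the first child of the SOAP Body, i.e. the operation
    that the SOAPAction header is expected to agree with."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    return body[0].tag.rsplit("}", 1)[-1]


def soap_action_header(headers):
    """Case-insensitive HTTP header lookup; None when the header is absent."""
    for name, value in headers.items():
        if name.lower() == "soapaction":
            return value
    return None


def check_soap_action(policy, headers, envelope_xml):
    """Apply the policy setting to one request; return (accepted, reason)."""
    policy = policy.lower()
    if policy == "off":
        return True, "SOAPAction header is ignored"
    raw = soap_action_header(headers)
    # SOAPAction values are normally sent quoted; strip quotes and whitespace.
    value = None if raw is None else raw.strip().strip('"').strip()
    if policy == "lax" and not value:
        # Assumption from the slide wording: Lax lets an empty (or missing)
        # header through; any other value still has to match the WSDL.
        return True, "empty SOAPAction accepted under Lax"
    if policy == "strict" and not value:
        return False, "Strict requires a non-empty SOAPAction header"
    operation = body_operation(envelope_xml)
    expected = WSDL_SOAP_ACTIONS.get(operation)
    if expected is None:
        return False, f"operation {operation!r} is not defined in the WSDL"
    if value == expected:
        return True, f"SOAPAction matches the WSDL value for {operation}"
    return False, f"SOAPAction {value!r} does not match {expected!r}"
```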

Proxy settings (4 of 4)

• XML Manager: Assigns an XML manager to the Web service proxy
• AAA Policy: Selects or creates a AAA policy to apply to all service endpoints configured
  for this Web service proxy
  - AAA policy can also be applied at a fine-grained level in the Policy tab

[Screenshot: Proxy Settings tab with the XML Manager (default) and AAA Policy fields
highlighted.]

Figure 11-30. Proxy settings (4 of 4)

Notes:


An AAA policy specifies how incoming messages are authenticated and authorized. The last
A is for Audit.

The proxy AAA policy is applied for all service endpoints within the proxy.

Web service proxy SLM

• Click the SLM tab to monitor requests entering the Web service proxy
  - Provides monitoring at a fine-grained level
  - Controls traffic entering the Web service proxy using the Throttle and Shape action
  - Can view graph to see results of the traffic

[Screenshot: Web Service Proxy SLM tab with the tree opened to Proxy | WSDLs | Services |
Ports | Operations (proxy: AddressSearchPolicy; wsdl: EastAddressSearch.wsdl; service:
AddressSearchService; port: AddressSearch; port-operations findByLocation, findByName and
retrieveAll). Each row has Request and Failure columns, each with Interval (sec), Limit and
Action settings and a graph link; the example row shows an interval of 60 seconds and a
limit of 100.]

Figure 11-31. Web service proxy SLM

Notes:
Under Request, you can count the number of transactions that occur within a specific
interval and, if the transaction limit is exceeded, you can specify an action to:

• Notify: Generate a log message if the transaction limit is exceeded
• Throttle: Additional transactions above the limit are discarded
• Shape: The first 2500 transactions in excess of the maximum transaction rate are
  queued for later transmission, and subsequent transactions in excess of the 2500 limit
  are dropped

Under Failure, you can specify the same information as Request, except that these
settings apply to error messages.
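As an added example that is not part of the course material or the appliance's implementation, the Python below models the three SLM Request actions described in these notes (Notify, Throttle, Shape) for one interval/limit pair; the 2500-entry shape queue is the figure from the notes, the interval and limit values are constructed, and the way queued transactions are released into a later interval is a simplification.

```python
"""Added example (not IBM course code): a simplified model of the SLM
Request actions Notify, Throttle and Shape for one interval/limit pair."""
from collections import deque

SHAPE_QUEUE_MAX = 2500  # from the notes: excess transactions queued before dropping


class SlmStatement:
    """Counts transactions per fixed interval and applies the chosen action
    to every transaction that arrives after the interval's limit is used up."""

    def __init__(self, interval_sec, limit, action, queue_max=SHAPE_QUEUE_MAX):
        if action not in ("notify", "throttle", "shape"):
            raise ValueError(f"unknown SLM action {action!r}")
        self.interval = interval_sec
        self.limit = limit
        self.action = action
        self.queue_max = queue_max
        self.window_start = None
        self.count = 0
        self.queue = deque()   # shaped transactions waiting for capacity
        self.log = []          # notify messages (the appliance writes a log event)

    def _roll_window(self, now):
        """Start a new counting interval once the current one has elapsed."""
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start = now
            self.count = 0

    def _take_slot(self, now):
        """Consume one unit of the interval's limit if one is still free."""
        self._roll_window(now)
        if self.count < self.limit:
            self.count += 1
            return True
        return False

    def submit(self, now, tx_id):
        """Return what happens to transaction tx_id arriving at time now."""
        if self._take_slot(now):
            return "forwarded"
        if self.action == "notify":
            # Over the limit: record a log message, but still forward it.
            self.count += 1
            self.log.append(f"t={now}: limit {self.limit}/{self.interval}s exceeded by {tx_id}")
            return "forwarded"
        if self.action == "throttle":
            return "discarded"            # excess transactions are thrown away
        if len(self.queue) < self.queue_max:
            self.queue.append(tx_id)      # shape: hold for a later interval
            return "queued"
        return "dropped"                  # beyond the shape queue capacity

    def release_queued(self, now):
        """Shape only: forward queued transactions while a later interval has
        free capacity (constructed simplification of the appliance scheduler)."""
        released = []
        while self.queue and self._take_slot(now):
            released.append(self.queue.popleft())
        return released
```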

WSDL cache policy

• Create a WSDL cache policy to update the WSDL proxy with changes from underlying
  WSDL file
  - Scheduled poll of underlying WSDL
  - If changes are detected, then the proxy WSDL is automatically updated
• Option is only available from vertical navigation bar:
  - Select OBJECTS > Service Configuration > Web Service Proxy, then click an existing
    Web service proxy
  - Use the arrows at the top to select the WSDL Cache Policy tab

[Screenshot: Web Service Proxy: AddressSearchPolicy object with the WSDL Cache Policy tab
selected (next to the Probe Triggers tab). One entry is shown: URL Match expression
http://myWSDLserver.com/AddressSearch/*, TTL 100, with Delete, Export and Cancel
buttons.]

Figure 11-32. WSDL cache policy

Notes:

Click Add to create a new WSDL cache policy.

The URL match expression is used to match the URL of the WSDL file (that is, its location).

Time to Live (TTL) is expressed in seconds. It specifies how long the current WSDL file
exists until it is automatically refreshed when a corresponding URL match expression is
matched.

The WSDL file may exist on an external server.
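The following is an added example, not course or appliance code, of the cache policy semantics just described: a URL match expression selects the policy, and its TTL says how long the cached WSDL is used before the underlying file is polled again and replaced if it changed. It assumes that '*' is the wildcard in a match expression (as in the slide's example), that a URL matching no policy is fetched once and never refreshed, and it uses a constructed in-memory "WSDL server" in place of a real fetch.

```python
"""Added example (not IBM course code): WSDL cache policy semantics with a
URL match expression and a TTL in seconds. The fetch source is constructed."""
import fnmatch
import hashlib


class WsdlCache:
    def __init__(self, policies, fetch):
        self.policies = list(policies)  # [(url_match_expression, ttl_seconds), ...]
        self.fetch = fetch              # callable(url) -> current WSDL text
        self.entries = {}               # url -> {"text", "digest", "fetched_at"}
        self.refreshes = 0              # how many times a changed WSDL was swapped in

    def ttl_for(self, url):
        """TTL of the first policy whose URL match expression matches, else None.
        Assumption: '*' is a wildcard, as in the slide's example expression."""
        for expression, ttl in self.policies:
            if fnmatch.fnmatchcase(url, expression):
                return ttl
        return None

    @staticmethod
    def _digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def _store(self, url, text, now):
        self.entries[url] = {"text": text, "digest": self._digest(text), "fetched_at": now}
        return text

    def get(self, url, now):
        """Return the WSDL text the proxy should be using at time now."""
        entry = self.entries.get(url)
        if entry is None:
            return self._store(url, self.fetch(url), now)   # first use: always fetch
        ttl = self.ttl_for(url)
        if ttl is None or now - entry["fetched_at"] < ttl:
            return entry["text"]                           # still fresh, or no policy
        # TTL expired: poll the underlying WSDL and replace it only if it changed.
        latest = self.fetch(url)
        if self._digest(latest) != entry["digest"]:
            self.refreshes += 1
            return self._store(url, latest, now)
        entry["fetched_at"] = now
        return entry["text"]


# Constructed stand-in for the WSDL server; a caller changes an entry to
# simulate the underlying WSDL file being updated.
WSDL_SERVER = {
    "http://myWSDLserver.com/AddressSearch/East.wsdl": "<definitions name='v1'/>",
    "http://other.example/Legacy.wsdl": "<definitions name='legacy'/>",
}


def make_cache():
    """Cache configured with the single policy shown in the slide's screenshot."""
    return WsdlCache([("http://myWSDLserver.com/AddressSearch/*", 100)],
                     WSDL_SERVER.__getitem__)
```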

Troubleshooting Web service proxy

• Check active Web service operations using STATUS > Web Service > Web Services
  Operations.

  WSProxy             Interface  Port  Action          SOAP Body  SOAP URL                   Status
  AddressSearchProxy  0.0.0.0    3001  findByLocation             /EastAddressAddressSearch  Registered
  AddressSearchProxy  0.0.0.0    3001  findByName                 /EastAddressAddressSearch  Registered
  AddressSearchProxy  0.0.0.0    3001  retrieveAll                /EastAddressAddressSearch  Registered

• List of validation checks for Web service proxy
  - Request
    • Web service proxy active and listening on port
    • Verify that client submitted correct URI
    • Web service proxy received request
    • SOAPAction header should agree with operation name in SOAP body
    • Passed automatic schema validation (user policy)
    • Back-end service active and available
    • Request transmitted to correct Backend URL
  - Response
    • Response received from back-end service
    • Response passed automatic schema validation (user policy)
    • Response transmitted completely to client

Figure 11-33. Troubleshooting Web service proxy

Notes:


The default error messages returned by the Web service proxy are intentionally vague so
that no clues are provided to an intruder trying to compromise the system. For example:

HTTP/1.0 500 Error
X-Backside-Transport: FAIL
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <env:Fault>
      <faultcode>General</faultcode>
      <faultstring>Internal Error</faultstring>
    </env:Fault>
  </env:Body>
</env:Envelope>

Checkpoint

1. True or False: A Web service proxy and SLM policy can be defined at a fine-grained
   level.
2. Which of the following levels can be configured with a Web service proxy policy?
   a) proxy
   b) message
   c) service
   d) port
3. True or False: A WSDL must be uploaded onto the appliance when creating a Web
   service proxy.
4. What is a user policy?
5. List the three options under the SOAPAction policy.

Figure 11-34. Checkpoint

Notes:

Write your answers here:

1.

2.

3.

4.

5.

Unit summary

Having completed this unit, you should be able to:
• Describe the Web service proxy architecture
• List and explain the configuration steps needed to create a Web service proxy
• Create and configure a Web service proxy policy at various levels of the Web Services
  Description Language (WSDL) file

Figure 11-35. Unit summary

Notes:

Training areas:
WebSphere
Java
pSeries
iSeries
xSeries
e-business
Rational
Microsoft Technologies
Lotus Technologies
Communications/Networks
End User
Systems Management
Tivoli
Data Management
Transaction Systems
OS/390 and z/OS
Storage
AIX
Linux
Mobile
ITIL

Technical conferences:
IBM WebSphere Portal Technical Conference
IBM System p, AIX 5L and Linux
IBM WebSphere Portal
IBM SYSTEM z9 and zSeries Expo
IBM Content Management
IBM DB2 Information Management
IBM Information On Demand 2006 global conference
IMS Technical Conference
IBM System x and xSeries
SecureWorld
IBM System i Fall
WebSphere Technical Exchange
Transaction and Messaging Technical Conference
WebSphere Technical Conference

For more information about conferences, go to ibm.com/training/es/conferences

© 2006 IBM Corporation. All rights reserved.
Printed in Spain