IBM Training
Student Notebook
ERC 2.0
Authorized Training
WebSphere Education
Trademarks
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United States, or other countries, or both:
DataPower®
Approach®
DB2®
IMS™
Notes®
Tivoli®
developerWorks®
Lotus®
Rational®
WebSphere®
DataPower device®
Domino®
MQSeries®
RDN™
z/OS®
zSeries®
VMware® and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
Contents
Trademarks
Course description
Agenda
Topic summary
Checkpoint
Unit summary
Unit 3. Introduction to XSL transformations
Unit objectives
Introduction to Extensible Stylesheet Language
Three parts of Extensible Stylesheet Language (XSL)
XSL Transformations (XSLT) overview
The XSLT process
What is XPath?
Example XPath
XPath current context
XPath step syntax
XPath address notation
Example: XPath absolute addressing
Example: XPath relative addressing
Anatomy of an XSL style sheet
The <xsl:template> element
The <xsl:apply-templates> element
The <xsl:value-of> element
XSLT style sheet elements to generate output
XML input as a tree
Desired HTML output
XML to HTML (1 of 4)
XML to HTML (2 of 4)
XML to HTML (3 of 4)
XML to HTML (4 of 4)
XSL style sheet control elements
The <xsl:for-each> element
The <xsl:if> element
The <xsl:choose> element (1 of 2)
The <xsl:choose> element (2 of 2)
Elements to generate output (XML to XML)
The <xsl:element> element
The <xsl:attribute> element
Topic summary
Custom style sheet programming
Using custom style sheets
How to develop style sheets with DataPower extensions
XSLT variables
DataPower variables
DataPower variable scopes
Example
DataPower variables
Stylesheet using DataPower extension functions
Topic summary
Checkpoint
Unit summary
Checkpoint
Unit summary
Unit objectives
What is an XML firewall service? (1 of 2)
What is an XML firewall service? (2 of 2)
Configuring an XML firewall service
XML firewall service
Object model
Step 1: Create an XML firewall
Step 2: XML firewall configuration (1 of 2)
Step 2: XML firewall configuration (2 of 2)
Planning for configuration migration
Request/response message processing
Request/response attachment processing
Advanced XML firewall configuration
Header injection and suppression parameters
Associate monitors to XML firewall
XML threat protection
Step 3: Implement a service policy
Create a Match action
Processing actions
More processing actions
Validate action
Transform action
Filter action
Replay attack
Filter action
Content based routing
Route action configuration
Unit objectives
Error handling constructs
Configure an On Error action
Unit objectives
Problem determination tools
Common problem determination tools
Appliance status information
Troubleshooting panel
Troubleshooting: Network connectivity
Troubleshooting: Packet capture
Troubleshooting: Generate error report
Troubleshooting: Send a test message
Troubleshooting: System log
Filtering system log
Troubleshooting: Generate Log Event
Troubleshooting: XML File Capture
Troubleshooting: Multistep probe
Troubleshooting: Enabling the multistep probe
Multistep probe window
Multistep probe content
Problem determination with cURL
Communicating with DataPower support
Topic summary
Log targets
Logging basics
Available log levels
Creating an error rule
Configure Transform action in error rule
Style sheet programming using error variables
Example custom error style sheet
Error rule versus On Error action
Checkpoint
Unit summary
Unit objectives
Solving security problems
SSL features
SSL terminology .
SSL handshake
SSL handshake: client hello
User agent
Checkpoint
Unit summary
Unit 11. Web service proxy service
Unit objectives
Web service proxy overview
Web service proxy architecture
Web service proxy benefits
Web service proxy features
Web service proxy basic configuration steps
Step 1: Obtain WSDL document
WSDL structure
Step 2: Creating a Web service proxy
Web service proxy object editor
Web service proxy GUI
Step 3: Add WSDL document to Web service proxy
Step 4: Configure WSDL endpoint
Configure local endpoint handler
View WSDL services
Retrieve the "client" WSDL from the service
Modifying the location in the "client" WSDL
Step 5: Configuring Web service proxy policy (optional)
Configure Web service proxy policy rule
Default validation (user policies)
Create reusable rule
Advanced Web service proxy configuration
WS-Policy
Conformance policy
Conformance policy object
Service priority
Proxy settings (1 of 4)
Proxy settings (2 of 4)
Proxy settings (3 of 4)
Proxy settings (4 of 4)
Web service proxy SLM
WSDL cache policy
Troubleshooting Web service proxy
Checkpoint
Unit summary
Unit objectives
Review of basic security terminology
Web services security
Components of WS-Security
Specifying security in SOAP messages
Scenario 1: Ensure confidentiality with XML encryption
DataPower support for XML encryption
Encrypt action
Decrypt action
Field-level encryption and decryption
XPath tool
Sample encrypted SOAP message
Scenario 2: Ensure integrity with XML signatures
DataPower support for XML signature
Sign action
Verify action
Verify action
Advanced tab
Field-level message signature and verification
Sample signed SOAP message
Checkpoint
Unit summary
Unit objectives
Authentication, authorization, and auditing
Authentication and authorization framework
AAA action and access control policy
How to define an access control policy (1 of 2)
How to define an access control policy (2 of 2)
Access control policy processing
Scenario 1: Authorize authenticated clients
Scenario 1: Sample SOAP request message
Scenario 1: Identify the client
Scenario 1: Authorize access to resources
Scenario 2: Security token conversion
Scenario 2: Sample HTTP request message
Scenario 2: Identify the client
Scenario 2: Authorize access to resources
Scenario 3: Multiple identity extraction methods
Scenario 3: Identify the client
Scenario 3: Authorize access to resources
Internal access control resources
AAA XML file
Example AAA XML file
Lightweight Third Party Authentication
External access control resource
Lightweight Directory Access Protocol
Security Assertion Markup Language
Types of SAML assertions
Scenario 4: Authorize valid SAML assertions
Scenario 4: SAML authentication statement
Scenario 4: SAML attribute statement
Scenario 4: Identify the client
Scenario 4: Authorize access to resources
Scenario 4: Match SAML attributes
Access control policy using SAML information
Checkpoint
Unit summary
Unit 14. Configuring LDAP using AAA
Unit objectives
External access control resource
Lightweight Directory Access Protocol
Directory services
Directories
Common LDAP attributes
Directory services structure
LDAP operations
LDAP Data Interchange Format (LDIF)
LDAP URL
Directory services implementations
Example scenario
Authenticate the client using LDAP
Authorize the client using LDAP
Configure a load balancer group
Configure the load balancer group health settings
Checkpoint
Unit summary
Unit objectives
What is a multi-protocol gateway?
Protocol handlers at a glance (1 of 2)
Protocol handlers at a glance (2 of 2)
Front-side protocol handlers
Static back-end gateway
Dynamic back-end gateway
Multi-protocol gateway and XML firewall compared
Multi-protocol gateway editor
Scenario 1: Provide HTTP and HTTPS access
Step 1: Configure the back-end transport
Step 2: Create a document processing rule
Step 3: Create the front side handlers
Step 4: Configure the front side handler
Step 5: Configure the SSL Proxy profile
Scenario 2: Dynamic back-end service
Step 1: Configure the back-end transport
Sample service targeting style sheet
Scenario 3: Provide WebSphere MQ access
Scenario 4: Provide WebSphere JMS access
Scenario 5: Provide IMS Connect access
Comparing services
Unit objectives
Checkpoint
Unit summary
Message monitors
Monitor objects
Defining monitor objects
Step 1: Specifying particular traffic to monitor
Step 1: Matching on HTTP headers
Step 2: Message type configuration
Step 3: Message Filter Action configuration
Step 4C: Message count monitor configuration
Step 4C: Thresholds/Filters for count monitor
Step 4D: Message duration monitor configuration
Step 4D: The transaction life cycle
Step 4D: Thresholds/Filters for duration monitor
Step 5: Service-monitor association example
Other types of monitors
Which monitor types are supported by a service?
Checkpoint
Unit summary
Unit objectives
What is service level monitoring (SLM)?
SLM in DataPower
Basic principles
Two ways to configure SLM
Service level monitor types in the Web service proxy
Service level monitor
Graphs
The WS-Proxy's SLM tab
SLM Rule action
SLM action granularity
Configuring the SLM policy
Constructing an SLM policy
The SLM credential class
The SLM resource class
SLM resource class example
The SLM action
The SLM Schedule
SLM statement (1 of 2)
SLM statement (2 of 2)
SLM policy
Checkpoint questions
Unit summary
Transactions
DataPower support for WebSphere MQ
Provide WebSphere MQ Access
Step 1: Create an MQ queue manager (1 of 2)
Step 1: Create an MQ queue manager (2 of 2)
Step 1: Use SSL in mutual authentication mode
Step 2: Add an MQ front side handler
Step 3: Configure an MQ back-end transport
Ordered processing of MQ messages
Controlling backout of MQ messages
Decision tree for the backout settings
MQ Header action in service policy
Typical uses of an MQ Header action
Transactions and WebSphere MQ
MQ front-side transactions
MQ back-side transactions
WebSphere MQ DataPower URL
MQ queue manager Group object
Checkpoint
Unit summary
Unit objectives
Messaging middleware
Java Message Service (JMS)
Why use JMS instead of HTTP?
JMS models
WebSphere
Service integration bus (SIBus)
JMS Queue resources on SIBus
JMS topic resources on SIBus
WebSphere JMS support
WebSphere JMS interaction
WebSphere JMS: Main
Messaging bus
WebSphere JMS: Main
Optional settings
WebSphere JMS - WebSphere JMS Endpoint
Communicating to WebSphere JMS
WebSphere JMS Front Side Handler
WebSphere JMS Backend URL
TIBCO EMS JMS support
TIBCO EMS interaction
EMS host
TIBCO EMS: Main
TIBCO EMS: Main
Optional settings
TIBCO EMS: Load balancing and fail-over
Communicating to TIBCO EMS
TIBCO EMS Front Side Handler
TIBCO EMS Backend URL
Ordered processing of JMS messages
Checkpoint
Unit summary
Appendix A. Web application firewall service
Appendix B. Checkpoint solutions
Glossary of abbreviations and acronyms
Course description
Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances
Duration: 5 days
Purpose
In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances.
Audience
This course is designed for integration developers who configure service policies on IBM WebSphere DataPower SOA Appliances.
Prerequisites
Before taking this course, students should be familiar with:
• XML-related technologies, such as XML schema, XPath, and XSLT
• Web service fundamentals and the Web Services Security specification
Objectives
After completing this course, students should be able to:
• Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances
• Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)
• Configure an XML firewall to protect against a new class of XML-based threats
Service (JMS)
• Course introduction
• Introduction to DataPower SOA Appliances
• DataPower administration overview
• Introduction to XSL transformations
• DataPower services overview
• XML firewall service
Agenda
Day 1
Course introduction
Unit 1. Introduction to DataPower SOA Appliances
Unit 2. DataPower administration overview
Exercise 1. Exercises setup
Unit 3. Introduction to XSL transformations
Exercise 2. Creating XML transformations
Unit 4. DataPower services overview
Exercise 3. Creating a simple XML firewall
Day 2
Unit 5. XML firewall service
Unit 6. Problem determination tools
Exercise 4. Creating an advanced XML firewall
Unit 7. Handling errors in a service policy
Exercise 5. Adding error handling to a service policy
Unit 8. DataPower cryptographic tools
Exercise 6. Creating cryptographic objects
Unit 9. Securing connections using SSL
Day 3
Exercise 7. Securing connections using SSL
Unit 10. XML threat protection
Exercise 8. Protecting against XML threats
Unit 11. Web service proxy service
Exercise 9. Configuring a Web service proxy
Unit 12. XML and Web services security overview
Exercise 10. Web service encryption and digital signatures
Day 4
Day 5
Unit 18. Integration with WebSphere MQ
Exercise 14. Configuring a multi-protocol gateway service with WebSphere MQ
Unit 19. DataPower and Java Message Service (JMS)
Unit 20. DataPower architectural scenarios
Unit 21. Course summary
Appendixes
Appendix A. Web application firewall service
Exercise A. Creating a firewall and HTTP proxy for a Web application
Exercise B. Configuring WebSphere JMS
Unit 1. Introduction to DataPower SOA Appliances
Unit objectives
After completing this unit, you should be able to:
• Describe and define the role of an SOA appliance
• Identify the products in the WebSphere DataPower SOA Appliance product line
SOA Appliances in an enterprise architecture
XML-aware networking
After completing this topic, you should be able to:
• Explain the role of XML in a service-oriented architecture (SOA)
• Identify the uses of XML within an SOA
Role of XML in SOA
Notes:
Because XML is text-based, practically any computer system in existence can process the data format. Compare this scheme with proprietary binary formats. Being human-readable enables future developers to decipher the data format years after the original developers have retired.
In short, XML provides a self-describing container for data that is widely compatible today and tomorrow.
For these reasons, XML is a natural choice within an SOA implementation, and for a
number of specifications that define SOA.
[Figure: uses of XML within an SOA, linking an order management Web application on IBM WebSphere Application Server, a customer billing application on IBM WebSphere Process Server and a customer database on IBM DB2 Universal Database; labels that survive from the original include WSDL and security assertion.]
Notes:
2. One of the more popular messaging formats for encapsulating an operation call is SOAP. The SOAP specification defines an XML-based envelope format for holding the message payload and processing instructions through the body and header elements, respectively. As XML messages, a wide range of systems can invoke and provide service functionality by consuming and producing SOAP messages, regardless of the implementation differences between the client and the server.
3. Additional information about messages can also be encapsulated in an XML format. For example, the Web services security specifications provide a standard for encoding security metadata in a SOAP message header. A wide range of security packages support these security tokens, allowing the exchange of security information.
5. Applications can retrieve and store information to data stores using an XML stream or XML messages. The use of XML abstracts the actual implementation of the data store itself. It provides information as a service.
[Table: XML-related specifications used in an SOA, whose Description column did not survive extraction: XML schema, SOAP, WSDL, XSLT, XPath, XML digital signatures, XML encryption, SAML.]
Notes:
WSDL: Web Services Description Language
Disadvantages and threats with XML
• As a text-based, human-readable protocol, XML tends to be more verbose
• XML introduces
• XML encapsulation
Notes:
Entity expansion and recursion attacks use entity declarations in an XML document header that reference themselves. When an XML parser resolves the recursive reference, the size of the entity expands exponentially, consuming all available memory and processing power on a server.
Malicious includes add a URL reference into an XML document. The reference itself guesses at the name and location of privileged information, such as a UNIX password file.
XML encapsulation exploits the CDATA reference, which attaches arbitrary non-XML data into an XML document. Within the CDATA reference, malicious users can embed arbitrary code or system commands. A poorly designed service might inadvertently execute the code or the command.
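A gateway-side screening routine for the three threat classes described above, added here as an example; it is not DataPower code, and the policy class, the finding labels and the sample documents are constructed for this illustration:

```python
"""Gateway-style XML threat screening (added example, not IBM DataPower code).

Models the checks the notes above describe (entity expansion/recursion,
malicious external includes, CDATA encapsulation) as a pre-parse policy built
on Python's standard-library expat parser, so a message can be rejected before
a back-end service parses it.  Nothing is fetched: external references are
recorded, never resolved.  Sample documents below are constructed.
"""
from dataclasses import dataclass
import xml.parsers.expat as expat


@dataclass(frozen=True)
class XmlPolicy:
    allow_dtd: bool = False       # reject any DOCTYPE (entity declarations live there)
    allow_cdata: bool = False     # reject CDATA sections that can smuggle non-XML payloads
    max_depth: int = 32           # element nesting limit
    max_bytes: int = 1_000_000    # size limit applied before parsing at all


def screen_xml(doc: str, policy: XmlPolicy = XmlPolicy()) -> list:
    """Return 'kind: detail' findings; an empty list means the document passed."""
    findings = []
    if len(doc.encode("utf-8")) > policy.max_bytes:
        return [f"size: document exceeds {policy.max_bytes} bytes"]

    parser = expat.ParserCreate()
    depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not policy.allow_dtd:
            findings.append(f"dtd: DOCTYPE '{name}' not permitted by policy")
        if sysid or pubid:
            findings.append(f"external-dtd: {sysid or pubid}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:
            # Malicious include: the message asks the parser to read another resource.
            findings.append(f"external-entity: '{name}' -> {sysid}")
        elif value is not None and "&" in value:
            # Replacement text that references other entities is the building
            # block of exponential (recursive) expansion.
            findings.append(f"entity-chain: '{name}' expands to other entities")

    def external_ref(context, base, sysid, pubid):
        findings.append(f"external-ref: reference to {sysid} in content")
        return 1  # tell expat to carry on; the resource is not fetched

    def start_cdata():
        if not policy.allow_cdata:
            findings.append("cdata: CDATA section not permitted by policy")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth == policy.max_depth + 1:
            findings.append(f"depth: nesting deeper than {policy.max_depth} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartCdataSectionHandler = start_cdata
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        findings.append(f"malformed: {err}")
    return findings


def threat_kinds(doc: str, policy: XmlPolicy = XmlPolicy()) -> set:
    """Just the finding categories, convenient for an accept/reject decision."""
    return {f.split(":", 1)[0] for f in screen_xml(doc, policy)}


# Constructed sample messages (not taken from the course material).
CLEAN = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
ENTITY_CHAIN = ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY a "xx">'
                '<!ENTITY b "&a;&a;&a;">]><order>&b;</order>')
EXTERNAL_INCLUDE = ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY inc SYSTEM '
                    '"file:///PLACEHOLDER/path">]><order>&inc;</order>')
CDATA_PAYLOAD = '<order><note><![CDATA[<b>not parsed as XML</b>]]></note></order>'
DEEP_NESTING = "<a>" * 40 + "</a>" * 40

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("entity chain", ENTITY_CHAIN),
                          ("external include", EXTERNAL_INCLUDE),
                          ("cdata payload", CDATA_PAYLOAD), ("deep nesting", DEEP_NESTING)]:
        print(f"{label:17s} -> {screen_xml(sample) or 'accepted'}")
```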
[Figure: HTTP traffic from an external client on the Internet passing through the demilitarized zone (DMZ) into the intranet.]
Notes:
Many corporations allow inbound communications through port 80 in order to serve static Web pages or results from dynamic Web sites (Web applications). Calls to Web applications are considered lower in risk because they do not represent arbitrary calls to applications on the system itself. That is, an attacker might succeed in disrupting service on an application server, but the server system itself is not compromised.
Web services provide application functionality to a wide range of clients through the exchange of XML messages. Improper designs can expose sensitive applications that are otherwise not meant to be accessed by external users.
The holes in both IP firewalls represent unfiltered traffic that passes freely through an HTTP transport. Gateway servers within the demilitarized zone (DMZ) also do not inspect
XML-aware network
• SOA appliances
network layer
Notes:
The core issue is that traditional network architectures were not designed to handle XML-based traffic. Software-based solutions perform adequately with XML data, but they are not as fast as a dedicated hardware solution. Most hardware network devices simply do not understand XML data. SOA appliances provide a solution to both issues: a high-performance, hardware-based XML processing device.
• SOA appliances
• IBM WebSphere
DataPower SOA appliances: Built for security
• devices in a tamper-proof case
Notes:
There is no floppy drive or USB port, which eliminates the possibility of loading the device with malicious software.
There is less chance that security holes will be exploited, since no third-party software or complex operating system is installed.
[Figure: the components of a conventional software solution (proprietary software, XML library, Web server, C library, application server, development platform, database, server daemon, operating system, floppy, CD-ROM drive, USB port, hard disk, hardware) set against the firmware of the appliance.]
DataPower SOA appliances provide both performance and security
• As a hardware solution, DataPower processes XML data near wirespeed
• DataPower appliances
Figure 1-12. (diagram: external client, Internet, demilitarized zone (DMZ), intranet)
Topic summary
Having completed this topic, you should be able to:
• Explain the role of XML in promoting interoperability in an SOA
• Identify the uses of XML within an SOA:
Figure 1-14.
4. Portal acceleration
Figure 1-15.
Use case 1: Securing Web services
• Traditional network
SOAP-based traffic
attacks
with XML-aware network devices acting as an XML firewall
- First level:
- Second level:
• Leverage the security of existing application servers for additional processing
[Figure: external client, demilitarized zone (DMZ), intranet.]
Notes:
your existing network security infrastructure. These devices become a centralized gateway for all XML-based applications, including Web services. The DataPower appliances screen incoming and outgoing traffic for XML-based attacks, SOAP message validity, and compliance to WSDL messages. IBM WebSphere DataPower SOA appliances can act as a security policy enforcement point (PEP), authenticating and authorizing incoming application requests.
3. DataPower services can forward information about the principal, in the form of security tokens or assertions. Application servers consume these security artifacts and enforce role-based security in their applications.
Use case 2: Legacy integration and hub mediation
• DataPower
- The DataGlue engine within the DataPower SOA appliance uses XSL
-
XI50 provides:
- Protocol bridging
- Data transformation
• DataPower
Figure 1-18.
Figure 1-19. (diagram: WebSphere MQ messages, "Put" request queue, "Get" reply queue)
Notes:
With the Integration Appliance XI50, you do not need to modify your existing legacy applications. The DataPower SOA appliance acts as an IBM WebSphere MQ client to your existing GET and PUT queues on Message Broker. With a multi-protocol gateway DataPower service, Web service clients can now access your legacy applications.
[Figure: purchase order, Service V1, application servers, DataPower SOA appliance, external client.]
Notes:
2. The document processing policy in the service routes the message to the latest version of the order fulfillment application, on the first application server.
4. A second message arrives at the same service endpoint. The message is sent from a client, which uses the older version of the order fulfillment application. The routing action redirects the order to the previous version of the order fulfillment application, on the second application server.
Enforce service level agreements with DataPower SOA appliances
Policy 1
Policy 2: Throttle (reduce rate) of traffic from clients that make more than 100 requests per minute.
Figure 1-22. Enforce service level agreements with DataPower SOA appliances
Notes:
1. In the first case, one particular client sends more than 500 requests within a minute. According to the service level management policy, requests from the client are blocked for a fixed time period.
2. In the second case, another client makes more than 100 requests within a minute. Instead of blocking all subsequent requests, the policy reduces the rate of requests to a fixed frequency threshold for a certain time period.
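The two policies described above, simulated as an added example (this is not DataPower's SLM implementation); the block and throttle durations and the one-request-per-second shaping rate are assumptions, and only the 500 and 100 requests-per-minute thresholds come from the notes:

```python
"""Service level management decisions modelled on the two policies above.

Added example, not DataPower code: a per-client sliding-window counter that
blocks a client outright once it exceeds a hard threshold (policy 1) and
shapes it to a fixed frequency once it exceeds a softer one (policy 2).
Durations and the shaping rate are assumed values; times are integer
milliseconds so the simulation is exact.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SlmPolicy:
    window_ms: int = 60_000            # "within a minute"
    block_threshold: int = 500         # policy 1: more than 500 requests -> block
    block_ms: int = 300_000            # fixed block period (assumed: 5 minutes)
    throttle_threshold: int = 100      # policy 2: more than 100 requests -> throttle
    throttle_interval_ms: int = 1_000  # fixed frequency while throttled (assumed: 1/s)
    throttle_ms: int = 120_000         # how long the throttle stays in force (assumed: 2 min)


class SlmEnforcer:
    def __init__(self, policy: SlmPolicy = SlmPolicy()):
        self.policy = policy
        self.recent = defaultdict(deque)  # client -> request timestamps inside the window
        self.blocked_until = {}
        self.throttled_until = {}
        self.last_allowed = {}

    def decide(self, client: str, now_ms: int) -> str:
        """Return 'allow', 'throttle' (held back to the shaped rate) or 'block'."""
        p = self.policy
        if self.blocked_until.get(client, 0) > now_ms:
            return "block"  # requests arriving during a block are not counted
        window = self.recent[client]
        window.append(now_ms)
        while window and window[0] <= now_ms - p.window_ms:
            window.popleft()  # forget requests older than one minute
        count = len(window)
        if count > p.block_threshold:
            self.blocked_until[client] = now_ms + p.block_ms
            return "block"
        if count > p.throttle_threshold:
            self.throttled_until[client] = max(self.throttled_until.get(client, 0),
                                               now_ms + p.throttle_ms)
        if self.throttled_until.get(client, 0) > now_ms:
            last = self.last_allowed.get(client)
            if last is not None and now_ms - last < p.throttle_interval_ms:
                return "throttle"  # faster than the shaped rate: hold this one back
        self.last_allowed[client] = now_ms
        return "allow"


def run(enforcer: SlmEnforcer, client: str, times_ms) -> list:
    """Feed one client's request timestamps through the enforcer, in order."""
    return [enforcer.decide(client, t) for t in times_ms]


def summarize(decisions: list) -> dict:
    return {kind: decisions.count(kind) for kind in ("allow", "throttle", "block")}


if __name__ == "__main__":
    enforcer = SlmEnforcer()
    # Constructed traffic: client-a sends 20 requests/s for 30 s, client-b 1 request/s.
    heavy = run(enforcer, "client-a", [i * 50 for i in range(600)])
    light = run(enforcer, "client-b", [i * 1_000 for i in range(50)])
    print("client-a", summarize(heavy))
    print("client-b", summarize(light))
```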
Within an SOA, XML has become the usual choice for encapsulating data exchanged between different systems. As a text-based format, XML suffers from performance problems compared to fine-tuned binary data formats. At the same time, portal systems need to support a wide variety of clients, including Web browsers and mobile phones. Such systems use XSL transforms to convert the raw XML output into an HTML Web page, a WML mobile phone page, or a cHTML mobile phone page.
IBM WebSphere DataPower SOA appliances provide an easy drop-in solution for offloading XML processing from portal servers. First, disable XSL transformation on the portal server. On most software packages, this task can be accomplished without affecting individual portlets or Web applications. Then configure the portal server to name the transformation style sheet in the xml-stylesheet processing instruction (PI) in the prolog of each XML document. Processing instructions are part of the XML specification and the xml-stylesheet PI is a W3C Recommendation, so any standards-based parser can find and apply the style sheet to the XML data. A DataPower XSL accelerator service transforms the document automatically as it parses the XML data.
Accelerate dynamic Web sites

[Figure (figure residue): an external client requests a page through the DataPower SOA appliance; the application server or portal server returns a raw XML response, and the appliance returns an HTML Web page to the client.]
Notes:
1. The final presentation layer rendering is offloaded from the portal server to the DataPower SOA appliance.
2. As specified in the xml-stylesheet processing instruction (PI) in the document, the XML parser within the DataPower SOA appliance automatically retrieves an XSL transform from a local directory or from a remote file server. The service applies the transform to the raw XML response. No additional configuration is necessary for the DataPower SOA appliance service. Because the PI travels inside the document, restrict the locations from which the appliance will fetch a style sheet; anyone who can influence the XML response could otherwise point the transform at a style sheet of their choosing.
3. The DataPower SOA appliance returns the rendered HTML Web page to the original client.
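Since the accelerator finds the style sheet through a processing instruction carried inside the document, the check a practitioner wants on the appliance side is that only style sheets from trusted stores are honoured. The following is an added example, not DataPower's own resolver: it extracts the xml-stylesheet pseudo-attributes from the document prolog (the W3C "Associating Style Sheets with XML documents" recommendation only recognises the PI there) and refuses any href outside an allowlist. The local:/// and store:/// URL prefixes, the sample documents and the trusted host name are assumptions made for the example.

```python
"""Locate the style sheet named by an xml-stylesheet PI and check it against an allowlist.

Added example, not DataPower code.  The appliance's own resolver may differ; the
point is the check: an href inside an untrusted document must not be allowed to
point the transform at an arbitrary file or host.
"""
import re

# Pseudo-attributes in the PI look like XML attributes: name="value" or name='value'.
PI_RE = re.compile(r"<\?xml-stylesheet\b(.*?)\?>", re.DOTALL)
PSEUDO_ATTR_RE = re.compile(r"""([A-Za-z_][\w.\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# The first '<' that opens neither a PI (<?) nor a comment/doctype (<!) starts the root element.
ROOT_START_RE = re.compile(r"<(?![?!])")


class UntrustedStylesheet(ValueError):
    """Raised when the document asks for a style sheet outside the allowlist."""


def stylesheet_pis(document):
    """Return the pseudo-attribute dict of every xml-stylesheet PI in the prolog.

    PIs that appear after the root element has started are ignored, as the W3C
    recommendation only recognises the PI in the prolog.
    """
    root = ROOT_START_RE.search(document)
    prolog = document[: root.start()] if root else document
    pis = []
    for match in PI_RE.finditer(prolog):
        attrs = {name: dq or sq for name, dq, sq in PSEUDO_ATTR_RE.findall(match.group(1))}
        pis.append(attrs)
    return pis


def select_stylesheet(document, allowed_prefixes):
    """Return the href of the first usable XSL style sheet PI, or None if there is none.

    Raises UntrustedStylesheet when the href is not under one of allowed_prefixes
    or tries to climb out of it with "..".
    """
    for attrs in stylesheet_pis(document):
        if attrs.get("type") != "text/xsl" or attrs.get("alternate") == "yes":
            continue  # CSS sheets and alternate sheets are not transforms to apply
        href = attrs.get("href", "")
        if not href.startswith(tuple(allowed_prefixes)) or ".." in href:
            raise UntrustedStylesheet(href)
        return href
    return None


def is_trusted(document, allowed_prefixes):
    """True when the document names an allowed style sheet or none at all."""
    try:
        select_stylesheet(document, allowed_prefixes)
    except UntrustedStylesheet:
        return False
    return True


# Constructed documents (not from the course).  "local:///" and "store:///" are
# assumed to be the appliance's file-store URL forms; xsl.example.com is a made-up
# trusted file server.
ALLOWED = ("local:///", "store:///", "http://xsl.example.com/")

PORTAL_RESPONSE = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="local:///portal/render.xsl"?>\n'
    "<page><title>Orders</title></page>"
)
HOSTILE_RESPONSE = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="http://attacker.example/exfil.xsl"?>\n'
    "<page/>"
)
TRAVERSAL_RESPONSE = '<?xml-stylesheet type="text/xsl" href="local:///../cert/private.pem"?><page/>'
BODY_PI_RESPONSE = '<page><?xml-stylesheet type="text/xsl" href="local:///late.xsl"?></page>'
CSS_ONLY_RESPONSE = '<?xml-stylesheet type="text/css" href="local:///site.css"?><page/>'

if __name__ == "__main__":
    print(select_stylesheet(PORTAL_RESPONSE, ALLOWED))
    for doc in (HOSTILE_RESPONSE, TRAVERSAL_RESPONSE):
        print("trusted:", is_trusted(doc, ALLOWED))
```

The prefix test is deliberately a plain string comparison on the appliance-side URL: canonicalise the href (percent-decoding, case) before this check if the real resolver does so, otherwise an encoded ".." slips past.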
Topic summary
Having completed this topic, you should be able to:
• Describe use cases for deploying IBM WebSphere DataPower SOA appliances
Introduction to DataPower SOA appliances
After completing this topic, you should be able to:
• Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
• Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances
The DataPower SOA appliance product line
• IBM WebSphere DataPower XML Accelerator XA35
• IBM WebSphere DataPower XML Security Gateway XS40
• IBM WebSphere DataPower Integration Appliance XI50
XML Accelerator XA35 features
(feature list not legible on the page)
Integration Appliance XI50 features
• Processor-intensive tasks such as XSLT processing, routing, and legacy-to-XML conversion can be offloaded to the XI50
• Includes all security and acceleration features of the XS40 and XA35 appliances, respectively
Where DataPower SOA appliances operate in the TCP/IP stack (figure residue)
• Application layer: SOAP, XML, HTTP, TLS/SSL, SNMP, and the Web services standards. The DataPower services at this layer are the Web services proxy, XML firewall, XSL proxy, and Web application firewall.
• Transport layer: TCP, UDP
• Network layer: IP, ICMP, IPSec

Notes:
The figure lists some of the protocols associated with each layer of the TCP/IP stack.
Features comparison (1 of 3): columns XA35, XS40, XI50 (the support marks are not legible)
• XSL transformation
• XML and SOAP validation
• HTML-XML transformation
Features comparison (2 of 3): columns XI50, XS40, XA35 (the feature rows are not legible)
Features comparison (3 of 3): columns XA35, XS40, XI50 (the support marks are not legible)
• WSDL-based configuration
• Direct database
Topic summary
Having completed this topic, you should be able to:
• Describe the different features in the IBM WebSphere DataPower SOA Appliance product line
• Identify the sections of the TCP/IP network protocol stack that are secured by DataPower SOA appliances
  - DataPower is an application layer device that operates on Web applications, XML-based applications, and Web services
Checkpoint
1. What is an XML-aware network? Why is it important to implement an XML-aware network in an SOA?

Notes:
Write your answers here:
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
• Describe and define the role of an SOA appliance
Unit 2. DataPower administration
Overview
(topic list not legible)
Checkpoint
References: WebGUI Guide, 3.7.1 Release
Unit objectives
After completing this unit, you should be able to:
• List the methods that can be used to administer WebSphere DataPower SOA Appliances
• Manage user accounts and domains on the appliance
• Work with files on the WebSphere DataPower SOA Appliance
DataPower SOA appliance administration
• Perform administration [...]
[Figure residue: Serial (1 port), Ethernet (4 ports), Command-line interface]

Notes:
Out of the box, only the serial connection is active. The administrator must enable the other three administration interfaces (the WebGUI, the CLI over Telnet or Secure Shell, and the XML Management Web service) from the command line interface over that serial connection.
You can enable the WebGUI application, the CLI over Telnet or SSH, or the XML Management Web service on one of the four Ethernet interfaces, or on all of them. The administration services should be reachable only over an internal network connection, while external traffic flows through the remaining Ethernet ports; prefer SSH over Telnet, which sends the administrator credentials in clear text. The fourth Ethernet port (eth4) is designated as the management port (mgt0).
The SOAP-based XML Management API is a Web service that accepts administration commands. It also accepts WS-Management and SNMP management commands on the same endpoint.
Administration using the Web browser (WebGUI)
• The WebGUI allows administrators to configure and troubleshoot the DataPower SOA appliance
[Browser screenshot residue: the address bar shows https://datapower.ibm.com:9090]

Notes:
Remember to use the https scheme in front of the host name or address of your DataPower SOA appliance; the WebGUI is served over HTTPS. The documentation gives port 9090 as the default for the WebGUI application, but you are free to assign any port number in range to this administration interface.
Administration using the Web browser
[WebGUI Control Panel screenshot residue: logged in as admin, domain default. Services: Web Service Proxy, Multi-Protocol Gateway, XML Firewall, Web Application Firewall, XSL Accelerator. Monitoring and Troubleshooting: View Logs, Troubleshooting, Web Services Monitor, View Status. Files and Administration: File Management, Import Configuration, Export Configuration.]

Notes:
1. The Control Panel allows quick access to common administration functions.
2. The services section allows you to create or modify the primary DataPower services.
3. The monitoring and troubleshooting section provides a view of the DataPower SOA appliance status, traffic, and load.
4. The files and administration section manages the configuration files, access levels, and cryptographic keys and certificates on the appliance.
WebGUI navigation bar
[Figure residue: the navigation bar sections are Status, Services, Network, Administration, and Objects, each with a description.]

Notes:
The following set of slides focuses on the administration features found in the WebGUI administration console.
System control features (1 of 2)
[Screenshot residue of Administration > Main > System Control: Set Time and Date, Export Configuration, Import Configuration, Compare Configuration, Boot Image (Fetch), Firmware Roll-Back, Select Configuration.]

Notes:
The system control page groups together several system-wide updates that affect the firmware, clock, and system certificate. Certain options are only available from the default domain.
1. Access the system control page through the Administration section of the navigation bar.
2. Alternatively, select the system control icon in the Control Panel to open the same page.
3. Use the time and date features to set the current time in your locale. To modify the time zone, select Administration > Device > Time Settings from the navigation bar. The DataPower SOA appliance keeps its clock in Coordinated Universal Time (UTC).
4. The Boot Image feature allows you to upgrade the system to a newer firmware level. Use the Upload function to copy a new firmware image onto the DataPower SOA appliance. Once complete, click Boot Image to restart the DataPower SOA appliance with the new firmware.
5. If you encounter problems using a new firmware level, click Firmware Roll-Back to revert the DataPower SOA appliance to the previous firmware level.
6. The Select Configuration section determines which configuration file should be used on the next system restart.
System control features (2 of 2)
[Screenshot residue: Shutdown (Mode: Reload firmware; Delay in seconds), Change User Password (Old Password, New Password, Confirm Password), Restart Domain, Reset Domain.]

Notes:
1. Use the Shutdown option to reinitialize the DataPower SOA appliance in one of three modes:
   a. Reload firmware restarts the firmware without rebooting the DataPower SOA appliance. Temporary files and applied but unsaved changes are kept intact.
   b. Reboot system restarts the DataPower SOA appliance. All temporary files and unsaved configuration changes will be lost.
   c. (the third mode is not legible on the page)
3. Restart Domain reloads the configuration for the current application domain. Any unsaved configuration changes will be lost.
4. Reset Domain erases every configured object in the domain. Be careful when using this feature.
5.
)
)
)
)
)
)
)
I
)
)
')
)
-j
.J
,)
.J
,}
_)
I
J
J
\,
\,
I
O
o
o
2009
2-11
O Copyriaht
ininsc,
File management
[Screenshot residue of the File Management page: file stores config:, export:, local:, logtemp:, logstore:, pubcert:, cert:, sharedcert:, store:, and temporary:, each with an Actions menu (Edit, Delete, Move, Fetch) and per-file size and modification time; the available space line shows the megabytes free for temporary data.]
Figure 2-9. File management

Notes:
1. From the navigation bar Administration section, select Main > File Management.
2. Alternatively, you can open the File Management page through the icon of the same name in the Control Panel.
3. The file stores are divided into different directories. Most directories are specific to one application domain, with the exception of the store:, pubcert:, and sharedcert: directories.
4. Certain files, such as an application domain configuration file, can be directly edited through the Web browser.
5. The available space statistics display the amount of nonvolatile memory available for all encrypted data and all temporary data in the system.
File directories
Directory | Scope
config: | Per application domain; not shared
export: | Per application domain; not shared
local: | Per application domain; shareable
store: | Systemwide; shared between application domains
temporary: | Per application domain; not shared
(the Usage column is not legible)
File directories for security
Directory | Scope
cert: | Per application domain; not shared
sharedcert: | Systemwide; shared between application domains
pubcert: | Systemwide; shared between application domains
(the Usage column is not legible)
File directories for logging
Directory | Scope
logtemp: | Per application domain; not shared
logstore: | Per application domain; not shared
User accounts
• Access levels: privileged, user, and group-defined

Notes:
Users can also access more than one application domain by using the visible domains setting of the application domains.
Privileged access and user access represent the highest and lowest access levels on the DataPower SOA appliance. The group-defined setting allows an administrator to fine-tune the access level anywhere between those two ends of the spectrum.
User accounts created through the WebGUI interface also apply to the command line interface (CLI) and to the XML Management interface.
Create an application domain
[Screenshot residue of the Configure Application Domain page: tabs Configuration and CLI Access; fields Name, Admin State (enabled/disabled), Comments, Visible Domains (the local: store of the default domain is checked), File Monitoring (Enable Auditing, Enable Logging).]

Notes:
2. In the listing of available application domains (not shown), click the Add button.
3. Provide a name for the new application domain; this field is mandatory.
4. Leave the Admin State at enabled. The administration state setting determines whether a particular DataPower object is available for use.
5. The visible domains setting determines whether this domain can access files in the local: file store of another application domain. In the figure, the student01-domain can access the files in the local: file store of the default domain.
6. Local file permissions determine the access rights to files stored in the local: file store of the current domain.
7. When enabled, the file monitoring options (Enable Auditing, Enable Logging) record file events in the domain.
The Configuration tab allows you to specify whether the configuration is stored locally or imported from a specified URL every time the configuration is saved or the system is restarted.
The CLI Access tab allows you to specify the users that can access the domain using the CLI.
Application domain: Configuration tab
• The Configuration Mode specifies from where you can retrieve the domain's configuration
[Screenshot residue: Configuration Checkpoint Limit, Configuration Mode (local or import), URL, Import Format, Deployment Policy, Local IP Rewrite.]
Configuration checkpoints
• Saving Configuration Checkpoints
  - Navigate in the WebGUI sidebar to ADMINISTRATION > Configuration > Configuration Checkpoints.
Application domains list
[Screenshot residue: a table with columns Name, Status, and Comments listing default and student01-domain through student10-domain; every domain shows saved, up, and enabled.]

Notes:
The main application domain page lists all configured domains on the DataPower SOA
appliance. This page is only visible from the default application domain.
Create a user account and a user group
[Wizard screenshot residue: User Domain: student01-domain; Next, Cancel.]

Notes:
The New User Account wizard allows you to create a user account and a user group at the same time. To access this wizard, select Administration > Access > New User Account from the navigation bar.
1. The first page asks whether you would like to create a user group to restrict access permissions within the application domain.
2. With a restricted user domain, you have the option of either selecting one of the existing user domains or creating a new application domain.
3. With an application domain selected, you can choose from one of three preconfigured domain account types. For greater flexibility, either select an existing user group or create your own group.
The remaining wizard pages finalize the settings for the user account and the user group.
Configuration of User Group
[Screenshot residue of the access profile builder: Address, Application Domain (studentXX-domain), Resource Type (Web Service Proxy), Name Match (PCRE), Permissions (Read, Write, Add, Delete, Execute), Admin State (enabled/disabled), Comments ("Developer group for the student"), Add, Cancel. The resulting Access Profile lists the policies */default/*?Access=r and */student01-domain/*?Access=r+w+a+d+x, next to a Build button. Policy syntax: address/domain/resource?Access=permissions&field=value]

Notes:
User groups provide a convenient way of applying an access profile to a set of user accounts. The access profile policy syntax restricts the access permissions of any user to whom the user group is applied. If two access profile policies affect the same resource, the most specific policy is applied.
In the policy syntax address/domain/resource?Access=permissions&field=value:
• address refers to the DataPower SOA appliance host name, IP address, or local host alias.
• field and value allow you to specify a particular object, such as the name of a Web service proxy.
1. In the figure above, users in the group have read access to all resources within the default application domain and read, write, add, delete, and execute permissions for all resources in the student01-domain domain.
2. Click the Build button to use a graphical form to build the access profile policy.
The CLI Command Groups tab allows you to specify which sets of command line interface commands are available to users within the user group.
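An evaluator for access profile policies in the syntax above, added here as an example; it is not the appliance's own authorization code. It reads policies of the form address/domain/resource?Access=permissions&field=value, matches the three path components as globs, treats every extra field=value pair as a constraint on the object, and applies the most specific matching policy, as the note states. The two policies from the figure are the constructed input; the "+"-joined permission letters r, w, a, d and x, the resource names (services/wsgateway, services/xmlfirewall), the Name field, the third narrower policy and the client IP address are assumptions.

```python
"""Evaluate DataPower-style access profile policies.

Added example, not DataPower code.  Policy syntax, from the slide:
    address/domain/resource?Access=permissions&field=value
"""
from fnmatch import fnmatchcase


class AccessPolicy:
    """One policy line.  '*' in address, domain or resource matches anything."""

    def __init__(self, text):
        path, _, query = text.partition("?")
        parts = path.split("/", 2)  # resource may itself contain '/'
        if len(parts) != 3:
            raise ValueError(f"policy needs address/domain/resource: {text!r}")
        self.address, self.domain, self.resource = parts
        # Parse the query by hand: urllib's parse_qs would turn '+' into a space.
        params = {}
        for pair in (query.split("&") if query else []):
            name, _, value = pair.partition("=")
            params[name] = value
        # Access=r+w+a+d+x is the assumed encoding of read, write, add, delete, execute.
        self.permissions = frozenset(p for p in params.pop("Access", "").split("+") if p)
        # Any other parameter narrows the policy to objects whose field matches the value.
        self.fields = params
        # Specificity: concrete path components first, then the number of field constraints.
        self.specificity = (
            sum(part != "*" for part in (self.address, self.domain, self.resource)),
            len(self.fields),
        )

    def matches(self, address, domain, resource, fields):
        return (
            fnmatchcase(address, self.address)
            and fnmatchcase(domain, self.domain)
            and fnmatchcase(resource, self.resource)
            and all(fnmatchcase(fields.get(name, ""), value)
                    for name, value in self.fields.items())
        )


class AccessProfile:
    """A user group's access profile: the list of policies applied to its members."""

    def __init__(self, policy_texts):
        self.policies = [AccessPolicy(t) for t in policy_texts]

    def permissions_for(self, address, domain, resource, **fields):
        """Permissions granted on one object; the empty set (deny) when no policy matches."""
        candidates = [p for p in self.policies if p.matches(address, domain, resource, fields)]
        if not candidates:
            return frozenset()
        # The most specific policy wins; on a tie the first listed policy is used (assumption).
        return max(candidates, key=lambda p: p.specificity).permissions

    def allows(self, permission, address, domain, resource, **fields):
        return permission in self.permissions_for(address, domain, resource, **fields)


# Constructed profile: the two policies shown in the figure plus an assumed narrower
# one that makes production Web service proxies read-only for this developer group.
DEVELOPER_PROFILE = AccessProfile([
    "*/default/*?Access=r",
    "*/student01-domain/*?Access=r+w+a+d+x",
    "*/student01-domain/services/wsgateway?Access=r&Name=Prod*",
])

if __name__ == "__main__":
    print(DEVELOPER_PROFILE.allows("w", "10.0.0.5", "default", "services/xmlfirewall"))
    print(DEVELOPER_PROFILE.allows("w", "10.0.0.5", "student01-domain", "services/wsgateway",
                                   Name="DevOrders"))
```

The default answer when nothing matches is an empty permission set, so a member of this group gets no access to a domain the profile never mentions, which is the least-privilege behaviour to expect from an access profile.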
Configure a user account
[Screenshot residue of Administration > Access > Manage User Accounts, account StudentXX: Admin State (enabled/disabled), Comments ("Developer account for the student"), Password, Confirm Password, Access Level (group-defined), User Group (developer_student01-domain), RADIUS Settings, SNMPv3 Settings.]

Notes:
1. From the navigation bar Administration section, select Access > Manage User Accounts.
2. The Configure User Account page allows you to modify the comments and the password for a specified user in the application domain.
3. Select the Access Level for the account; the User Group field applies when the level is group-defined.
The SNMPv3 User Credentials tab allows you to associate SNMP users with the current user account. SNMP users will be granted access to the local MIB (management information base) for monitoring and configuring the DataPower SOA appliance.
Export the system configuration
• Export configurations at a particular scope:
  - Entire system
  - (remaining scopes not legible)
[Screenshot residue: Export Configuration page.]

Notes:
Use the export configuration command to back up the current configuration or to duplicate services and settings to new application domains. The export configuration command writes a series of XML files following the DataPower XML Management schema. In the last step of the Export Configuration page, you are given an opportunity to download the .zip file containing the XML configuration files. Alternatively, you can retrieve the configuration files from the export: file store associated with the current domain.
Since certain certificates, keys, and objects are visible only to the administrator, log in to the administrator account before performing an export operation. Treat the resulting archive as sensitive, since it describes the appliance's security configuration.
Import the system configuration
[Screenshot residue of the Import Configuration page: file type ZIP, File (Browse), Cancel.]

Notes:
The import configuration feature only accepts DataPower XML Management documents, as an XML file or as a .zip file. The other options listed are not available in the current firmware release.
Saving configuration changes
[Screenshot residue: the Apply button on a configuration page; the Domain selector (student01-domain) and the Save Config button at the top right of the WebGUI.]

Notes:
The Apply button submits the configuration changes made in the current WebGUI page. However, such changes are stored in temporary memory. You must click the Save Config button in the top right corner of the WebGUI to commit changes to permanent storage. If you attempt to switch application domains without committing your changes, a warning dialog appears. It allows you to switch domains without saving any changes, or to save the changes immediately.
Topic summary
Having completed this topic, you should be able to:
• Perform system-wide [...]
Alternate administration
After completing this topic, you should be able to:
• Manage services, domains, groups, and users on the DataPower SOA appliance by using:
  - (interface list not legible)
w8555 / V85552.0
lVofes
)
.)
)
.l
l
..)
.)
2-30 Accelerate, Secure and lntegrate with
DataPower
O Copyright
J
J
J
\,
,
I
9
IBM Trainirg
Student Notebook
Command line interface
• For security purposes, the CLI is not a complete command shell with the ability to execute arbitrary programs
• However, the CLI allows you to configure every service and interface available in the DataPower SOA appliance
• In the initial setup, you must enable the WebGUI application and the Ethernet ports with the CLI through a serial connection
• Administrators [...]

Notes:
For security purposes, the CLI was not designed to be a generic command shell environment. Its functionality is strictly limited to the configuration and administration of the DataPower SOA appliance. Nonetheless, it is a powerful interface that has access to all of the services and interfaces on the appliance itself.
By default, the DataPower SOA appliance is shipped with all four Ethernet interfaces disabled. In order to activate the ports, you must enable the interfaces within the CLI over a serial port connection. The WebGUI administration Web application must also be enabled in this way before it is used.
Once the DataPower SOA appliance has been properly configured, you can allow Telnet or Secure Shell connections to the CLI. Prefer Secure Shell: Telnet carries the administrator password in clear text.
Initial CLI login screen
    Unauthorized login prohibited
    login: admin
    Password: admin
    Welcome to DataPower (firmware build level, build date and serial number not legible)
    uptime: 2 days 03:24:53
    contact:
    name:
    location:
    services:

Notes:
1. You must provide a valid user login and password in order to access the command line interface. At installation time, the default user name and password are admin and admin. After reviewing and accepting the license agreement (not shown), you must provide a new password for the admin account.
2. The initial welcome message displays the firmware build level and date, as well as the serial number of the DataPower SOA appliance.
3. Use the show command to display system information on the interfaces, objects, and the appliance itself.
Enable the WebGUI and SSH from the CLI
[Slide residue: the CLI commands entered at the xi50# prompt to enable the WebGUI over mgt0 and SSH access are not legible.]

Notes:
After logging on to the DataPower SOA appliance for the first time over a serial connection, perform these steps to enable the WebGUI administration Web application over the management port (mgt0). (Steps 1 to 3 are not legible on the page.)
4. In global configuration mode, create a new HTTP server for the WebGUI administration application (web-mgmt).
5. For convenience, enable CLI access over SSH on the designated port.
User and privileged modes
(slide content not legible)
Useful show commands
• show version (the command name is inferred; the slide line is cut off)
  - Returns the serial number, firmware level and build date, XML accelerator version, and additional libraries
• show services
• show users
  - Lists all users that are currently logged in to the device
• show log
• show startup-config
• show route
Administration using a Web service
• DataPower SOA appliances accept administration commands through a SOAP-based XML Management Web service
  - The Web service itself provides only one generic operation, request
  - The request operation takes one parameter, which maps to an administration category
• Within each category, your client can issue multiple administration actions
  - The response from the Web service call provides the results of each administration action call

Notes:
XML Management: Domain creation request
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <dp:request xmlns:dp="http://www.datapower.com/schemas/management">
          <dp:set-config>
            <Domain name="student01-domain">
              <UserSummary></UserSummary>
              <NeighborDomain class="Domain">default</NeighborDomain>
            </Domain>
          </dp:set-config>
        </dp:request>
      </env:Body>
    </env:Envelope>

Notes:
When you export an application domain configuration through the WebGUI, the XML file structure matches the elements within the dp:request element. That is, the SOAP interface to the XML Management system uses the same XML schema as the XML configuration files.
XML Management: Domain creation response
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
          <dp:timestamp>2007-02-22T15:22:04-05:00</dp:timestamp>
          <dp:result>OK</dp:result>
        </dp:response>
      </env:Body>
    </env:Envelope>

Notes:
Each set-config call returns a result value. If the administration operation fails, an error message and error code appear in the result field instead of OK.
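Both sides of the exchange above in code, as an added example; it is not IBM's client and not a DataPower SDK. It builds the set-config request that creates a domain with ElementTree, and parses a response for the dp:timestamp and dp:result elements, treating any result other than OK as a failure. The two namespaces and the element names are the ones shown on the slides; the UserSummary text, the failure response and the helper names are constructed for the example. Sending the envelope (an HTTPS POST to the XML Management endpoint with administrator credentials) is left out so that the example runs offline.

```python
"""Build an XML Management set-config request and parse the response.

Added example, not IBM code.  Namespaces and element names follow the
domain-creation request and response shown on the slides.
"""
from typing import NamedTuple
import xml.etree.ElementTree as ET

ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DP_NS = "http://www.datapower.com/schemas/management"
ET.register_namespace("env", ENV_NS)
ET.register_namespace("dp", DP_NS)


def build_set_config_request(domain_name, neighbor_domains=("default",), summary=""):
    """Return the SOAP envelope (bytes) that creates an application domain."""
    envelope = ET.Element(f"{{{ENV_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{ENV_NS}}}Body")
    request = ET.SubElement(body, f"{{{DP_NS}}}request")
    set_config = ET.SubElement(request, f"{{{DP_NS}}}set-config")
    # The payload uses the same schema as an exported configuration file.
    domain = ET.SubElement(set_config, "Domain", name=domain_name)
    ET.SubElement(domain, "UserSummary").text = summary
    for neighbor in neighbor_domains:
        ET.SubElement(domain, "NeighborDomain", {"class": "Domain"}).text = neighbor
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


class SetConfigResult(NamedTuple):
    timestamp: str
    result: str
    ok: bool


def parse_set_config_response(response_bytes):
    """Extract dp:timestamp and dp:result; ok is True only for a result of exactly OK."""
    root = ET.fromstring(response_bytes)
    result = root.find(f".//{{{DP_NS}}}result")
    if result is None:
        raise ValueError("response carries no dp:result element")
    timestamp = root.find(f".//{{{DP_NS}}}timestamp")
    result_text = " ".join((result.text or "").split())
    return SetConfigResult(
        timestamp=(timestamp.text or "").strip() if timestamp is not None else "",
        result=result_text,
        ok=result_text == "OK",
    )


def request_domain_name(request_bytes):
    """Read the Domain name back out of a request envelope (to check what was built)."""
    root = ET.fromstring(request_bytes)
    domain = root.find(f".//{{{DP_NS}}}set-config/Domain")
    return None if domain is None else domain.get("name")


# Constructed responses: the OK one mirrors the slide; the failure text is invented.
OK_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>2007-02-22T15:22:04-05:00</dp:timestamp>
      <dp:result>OK</dp:result>
    </dp:response>
  </env:Body>
</env:Envelope>"""

FAILED_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>2007-02-22T15:25:10-05:00</dp:timestamp>
      <dp:result>Authentication failure</dp:result>
    </dp:response>
  </env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    print(build_set_config_request("student01-domain").decode())
    print(parse_set_config_response(OK_RESPONSE))
    print(parse_set_config_response(FAILED_RESPONSE))
```

Because this endpoint carries full administrative authority, a client script like this belongs on the management network and must check the appliance's TLS certificate before it sends the envelope; a result other than OK should stop an automated batch rather than be logged and skipped.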
WSDM interface
(slide content not legible)
Management interface summary
• WebGUI Web application
• CLI
• XML Management

Notes:
The WebGUI Web application is the simplest management interface to use. On most pages, a help link provides online help through a pop-up browser window. Most fields also provide inline help when selected. Lastly, the two-step process for committing configuration changes (Apply, then Save Config) provides an opportunity to discard changes.
The CLI provides a simple but powerful management interface. Its syntax should be familiar to users of a terminal in a UNIX-like environment. Unlike the WebGUI, configuration changes take effect immediately. An undo command allows administrators to revert to a previous configuration. All administrators should be familiar with basic CLI commands, as this management interface is the only one available on first use. You must enable one of the other management interfaces using the configure terminal command.
The XML Management interface provides a structured language for sending a batch of configuration commands. This interface allows for quick and automated configuration of new application domains or of entire DataPower SOA appliances. Because it is a SOAP interface, third-party Web service clients can drive it; it carries full administrative authority, so expose it only on the management network and over TLS.
The SNMP interface is not on this list. It allows the monitoring and configuration of the DataPower SOA appliance through an industry-standard API.
Topic summary
Having completed this topic, you should be able to:
• Manage services, domains, groups, and users on the DataPower SOA appliance by using the WebGUI, the CLI, and the XML Management interface
w8555 / v85552.0
Nofes
.J
-_)
.)
J
)
-J
)
J
J
a
o
IBM Trainirg
Student Notebook
Checkpoint
1. What is the purpose of an application domain? How do you restrict access to an application domain?
2. (question text not legible)
Unit summary
Having completed this unit, you should be able to:
• List the methods that can be used to administer WebSphere DataPower SOA Appliances
• Manage user accounts and domains on the appliance
• Work with files on the WebSphere DataPower SOA Appliance
w8555 / V85552.0
Nofes
)
)
)
)
)
)
.J
.J
-l
.l
.)
)
.)
2-44 Accelerate, Secure and Integrate with DataPower
J
J
O Copyright
I
I
O
Unit 3
Contents (partly legible):
• ... stylesheets
• Checkpoint
• Exercise 2: Create an XSL style sheet
Unit objectives
After completing this unit, you should be able to:
• Describe the Extensible Stylesheet Language (XSL) model
• Construct XPath expressions
• Create XSL stylesheets to apply XSL transformations
• ... in XSL stylesheets
Topic objectives
• Construct XPath [...] XML document
Three parts of Extensible Stylesheet Language (XSL)
• XSL Transformations (XSLT): a transformation language
• XPath: a language for addressing parts of an XML document
• XSL Formatting Objects (XSL-FO, optional): an XML vocabulary for specifying formatting semantics

Notes:
XSLT relies on a companion language to describe the location of data within an XML document, known as XPath.
XSL style sheet processing

Figure: XSL style sheet + source tree → transformation → (optional) formatting → transform result → XML application

Notes:
An XSL style sheet processor accepts an XML document that is represented as a tree structure and processes it to produce a result tree.
The XSL style sheet defines the rules for transformation based on the XML elements and attributes in the source tree. The style sheet may also contain formatting information, called formatting objects (XSL-FO), and apply those objects to the transformation result.
Note that XSL does not require the use of XSL-FO for formatting.
An example use of XSL is to transform XML into well-formed HTML, that is, XML that uses the element types and attributes defined by HTML.
Figure: source tree → match pattern → select correct template → apply further templates? → create result node → result tree

Notes:
XSLT uses the ideas of pattern matching and templates. A style sheet includes templates, which contain rules that associate them with one or more elements or attributes in the XML document.
The templates contain the rules for transformation and, optionally, the formatting that is applied to the matching nodes.
A template can also contain further pattern matching and instructions to apply further templates.
What is XPath?

• A … an XML document
  - Example: In XML for a book on Java, find the chapters with JDBC in the title.
• … any direction

Notes:
• When XPath is used in an XML document, it usually appears as an attribute value. For …
Example XPath expressions

<?xml version="1.0"?>
<book>
  <author>Jane Doe</author>
  <title>DataPower Appliances</title>
  <price>$6.00</price>
</book>

Node tree: ROOT → book → author ("Jane Doe"), title ("DataPower Appliances"), price ("$6.00")

address = "/book"                (selects the book element)
address = "/book/price/text()"   (selects the text node of the price element, "$6.00")

Notes:
There is a single "root" node, which contains several other types of nodes.
There are seven node types in the XPath data model:
• Root nodes
• Element nodes
• Text nodes
• Attribute nodes
• Namespace nodes
• Processing instruction nodes
• Comment nodes
XPath axes

Figure: the axes around the context node: / (root), ancestor, parent, preceding-sibling, (context node), following-sibling, child, descendant, …

Notes:
The current context is simply a "you are here" designation within a complete XPath address.
… to a child node that exists further down.
For example, if "book/title" is the path, then book remains the context node, even though you are not matching against it.
XPath step syntax

• An XPath location path is made up of one or more steps separated by a forward slash (/)
• Each step within the path consists of an:
  - Axis: branch of the node tree relative to the current context node
    • Use keywords such as: ancestor, attribute, child, descendant, and so on
  - Node test: consists of the node name used to test the node for inclusion
  - Predicate: optional filter of matched nodes
• Expressions:
  - "//" … element node, regardless of location.
  - "." … the current node.
  - "@[attribute-name]" selects an attribute.
• Example: /book/child::…

Notes:
XPath uses a path notation similar to URLs. Location paths are specified using a list of steps separated by a forward slash (/).
XPath provides a simple method to traverse an XML tree structure and select a slice of information in any direction that is defined by the axis.
Paths starting with a forward slash (/) are absolute paths from the root through the document tree. Paths that do not begin with a slash are relative to the current (context) node of the node list.
Relative and absolute addressing

… context node

Notes:
• /child::catalog/child::tools
• /catalog/tools (the short form)
  The relative path is based on the current context of the addressing path.
• child::tools/child::…
• tools/… (the short form)
XPath absolute addressing

Example:
3. /paper/…title

Figure 3-11. Source tree: root → paper → title, chapter (→ title, section, section …), chapter, appendix (→ title, section …); each section has a title.

Notes:
The results of running the above XPath expression against the XML source tree are shown below.
… title

XPath relative addressing

1. …
2. ../..
4. child::* (default)
5. ./following-sibling::node()/@status

Figure: source tree: root → paper → title, chapter (→ title, section …), chapter (→ title, section, section …), appendix (→ title, section …); the current context is indicated by the black box.

Notes:
The above expressions (1 - 5) are run after the initial absolute path to the current context is executed. The current context is indicated by the black box.
The results of running the above XPath expressions against the XML source tree are the elements shown below.
1. …
2. …
3. …
• chapter 2, chapter 2 title, section 2.1, section 2.1 title, section 2.2, section 2.2 title
• section 2.1, section 2.1 title
• paper (everything in the instance file)
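The step structure (axis, node test, predicate) and the absolute-versus-relative distinction on these slides can be made concrete with a small evaluator. The following Python is an added example written for this page; it is not course material and not DataPower code. It models only a subset of XPath 1.0 (the self, child, parent, descendant-or-self, following-sibling and attribute axes; name, *, node() and text() node tests; positional and attribute predicates) using the standard library, over a constructed document in the shape of the figure's paper/chapter/section tree. The sample content, its status attributes and the #document wrapper that stands in for the root node are assumptions of the example; the numbered results in the notes above are not reproduced from it.

```python
import xml.etree.ElementTree as ET
DOC_TAG = "#document"  # stand-in for the XPath root node, the parent of the root element
# Constructed sample in the shape of the figure's paper/chapter/section tree (not the course's file).
SAMPLE = """<paper status="draft">
  <title>A paper</title>
  <chapter id="1"><title>Chapter 1</title><section><title>Section 1.1</title></section></chapter>
  <chapter id="2" status="final"><title>Chapter 2</title>
    <section><title>Section 2.1</title></section><section><title>Section 2.2</title></section></chapter>
  <appendix status="pending"><title>Appendix</title></appendix>
</paper>"""

def load(xml_text):
    # Parse, wrap the root element in a root node, and build a child -> parent map.
    doc = ET.Element(DOC_TAG)
    doc.append(ET.fromstring(xml_text))
    return doc, {child: parent for parent in doc.iter() for child in parent}

def parse_step(step):
    """One location step -> (axis, node test, predicate); unabbreviates ., .., @name and bare names."""
    predicate = None
    if step.endswith("]"):
        step, predicate = step[:-1].split("[", 1)
    if step in (".", ".."):
        return ("self" if step == "." else "parent"), "node()", predicate
    if step.startswith("@"):
        return "attribute", step[1:], predicate
    axis, _, test = step.rpartition("::")
    return (axis or "child"), test, predicate

def axis_nodes(axis, node, parents):
    """Nodes reachable from `node` along `axis`, in document order; attributes are (name, value) pairs."""
    parent = parents.get(node)
    siblings = list(parent) if parent is not None else []
    axes = {
        "self": [node],
        "child": list(node),
        "parent": [parent] if parent is not None else [],
        "descendant-or-self": list(node.iter()),
        "following-sibling": siblings[siblings.index(node) + 1:] if siblings else [],
        "attribute": sorted(node.attrib.items()),
    }
    if axis not in axes:
        raise ValueError(f"unsupported axis: {axis}")
    return axes[axis]

def node_test(test, candidate):
    if test == "node()":
        return True
    if isinstance(candidate, tuple):  # attribute node: match by name or *
        return test in ("*", candidate[0])
    return candidate.tag != DOC_TAG and (test == "*" or candidate.tag == test)  # root node is not an element

def apply_predicate(predicate, nodes):
    """Only positional ([2]) and attribute ([@status], [@status='final']) predicates are modelled."""
    if predicate is None:
        return nodes
    if predicate.isdigit():
        return nodes[int(predicate) - 1:int(predicate)]
    if not predicate.startswith("@"):
        raise ValueError(f"unsupported predicate: {predicate}")
    name, _, value = predicate[1:].partition("=")
    value = value.strip("'\"")
    return [n for n in nodes if isinstance(n, ET.Element) and name in n.attrib
            and (not value or n.attrib[name] == value)]

def evaluate_step(step, context, parents):
    axis, test, predicate = parse_step(step)
    if test == "text()":  # text children only, read from the element's own .text
        return [context.text] if axis == "child" and context.text and context.text.strip() else []
    return apply_predicate(predicate, [n for n in axis_nodes(axis, context, parents) if node_test(test, n)])

def select(path, context, parents, doc):
    """Evaluate a location path; a leading / starts at the root node, anything else at `context`."""
    path = path.replace("//", "/descendant-or-self::node()/")
    nodes = [doc] if path.startswith("/") else [context]
    for step in filter(None, path.split("/")):
        found, seen = [], set()
        for node in nodes:
            if isinstance(node, ET.Element):  # cannot step onward from an attribute or text node
                for n in evaluate_step(step, node, parents):
                    if id(n) not in seen:
                        seen.add(id(n))
                        found.append(n)
        nodes = found
    return nodes

def label(n):
    # tag(title text) for elements, @name=value for attributes, the string itself for text
    if isinstance(n, tuple):
        return f"@{n[0]}={n[1]}"
    if not isinstance(n, ET.Element):
        return n
    title = n if n.tag == "title" else n.find("title")
    return n.tag if title is None else f"{n.tag}({title.text})"

def demo():
    """The slides' kinds of expressions, evaluated with chapter 2 as the context node."""
    doc, parents = load(SAMPLE)
    chapter2 = doc[0].findall("chapter")[1]
    paths = [".", "..", "../..", "child::*", "section[2]/title", "./following-sibling::node()/@status",
             "//title", "/paper/chapter[@status='final']/title/text()"]
    return {p: [label(n) for n in select(p, chapter2, parents, doc)] for p in paths}
```

Running demo() shows the distinction the notes draw: a path beginning with / ignores the context node and starts at the root node (the parent of <paper>), while every other path is resolved from the context node, here chapter 2, so ".." climbs to <paper> and "../.." reaches the root node itself. The ./following-sibling::node()/@status example also shows why a step cannot continue from an attribute node: attributes have no children in the XPath tree.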
XSL style sheet structure

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    …
  </xsl:template>
</xsl:stylesheet>

Notes:
These are the main elements that make up the XSL style sheet, in the order they appear.
The forward slash (/) pattern in XSLT matches the root node of the document, that is, the parent of the root element.
The <xsl:template> element

A style sheet has one or more template tags with the structure:
• Specifies:
  - A match expression, which defines when the template is called:
    • An XPath expression
    • Tested against the nodes in the XML source tree
  - Literal result text is written to the output tree, or XSLT elements are executed

Notes:
The <xsl:template> tag is a container for a set of rules that apply actions against the source tree to yield a result tree.
The match="/" template matches the root node, which provides access to namespaces, processing instructions, and comments. The following are available for accessing the respective nodes:
• Namespaces: the namespace axis (namespace::*)
• Processing instructions: processing-instruction()
• Comments: comment()
The <xsl:apply-templates> element

select attribute      Nodes processed
(none)                the children of the current node
XPath expression      the selected children of the current node

  <xsl:apply-templates/>
</xsl:template>

Figure 3-1…

Notes:
The apply-templates tag gives you automatic recursion because the matching template executes for each instance of the node.
Source:
<list>
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
    <price>$7.00</price>
  </book>
</list>

Result:
<td>Large Stories</td>
• Outputs the value of the current node when no matching template is found
• <xsl:value-of>
  - <xsl:text>
• … output

Notes:
Using <xsl:comment> is not the same as testing for the presence of a comment within the source nodes. That test is done using the comment() function in the test's predicate.
Books.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE list SYSTEM "books.dtd">
<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
    <price>$7.00</price>
  </book>
</list>

Node tree: <book> is a subelement of <list>; ID ("888", "999") is an attribute of <book>; <author>, <title>, and <price> are subelements of <book>; their children ("John Smith", "New Cars", "$8.00") are text nodes.

Notes:
This is an example of a Books.xml file that will be transformed by an XSL style sheet.
The HTML produced by XSLT must be XHTML compliant, so that a valid XML tree structure is produced. The style sheet itself is an XML document, so if it contains invalid HTML (for example, a literal result element with no closing tag), the XSLT processor will throw an error.
Desired HTML output

The HTML that is produced must be well-formed. The cell data is taken from the XML document (nodes).

<html>
  <head><title>Book List</title></head>
  <body>
    <h1>Book List</h1>
    <table>
      <tbody>
        <tr>
          <td>888</td>
          <td>New Cars</td>
          <td>$8.00</td>
        </tr>
        <tr>
          <td>999</td>
          <td>Large Stories</td>
          <td>$7.00</td>
        </tr>
      </tbody>
    </table>
  </body>
</html>

Notes:
HTML produced by XSLT must be XHTML compliant so that it produces a valid XML tree structure.
If the style sheet contains invalid HTML (for example, no closing tag is used), the XSLT processor will throw an error.
XML to HTML (1 of 4)

Books.xml:
<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
  …
</list>

The processor looks for a template that matches <list>.

Books.xsl:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html>
      <head><title>Book List</title></head>
      <body>
        <table>
          <tbody>
            <xsl:apply-templates/>
          </tbody>
        </table>
      </body>
    </html>
  </xsl:template>
  (remaining templates omitted for clarity)
</xsl:stylesheet>

HTML output (so far):
<html>
  <head><title>Book List</title></head>
  <body>
    <table>
      <tbody>

Figure 3-20. XML to HTML (1 of 4)

Notes:
The first pattern match is the root node. In this case, it would not matter if it is match="/" or match="list", since plain HTML code is transferred over to the output tree either way.
XML to HTML (2 of 4)

Books.xml:
<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
  …
</list>

The <book> element matches the book template.

Books.xsl:
<xsl:template match="book">
  <tr>
    <td><xsl:value-of select="@ID"/></td>
    <xsl:apply-templates select="title | price"/>
  </tr>
</xsl:template>

HTML output (so far):
<html>
  …
      <tbody>
        <tr>
          <td>888</td>

Figure 3-21. XML to HTML (2 of 4)
XML to HTML (3 of 4)

Books.xml:
<list>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
    <price>$8.00</price>
  </book>
  …
</list>

Books.xsl:
<xsl:template match="book">
  <tr>
    <td><xsl:value-of select="@ID"/></td>
    <xsl:apply-templates select="title | price"/>
  </tr>
</xsl:template>

<xsl:template match="title | price">
  <td><xsl:value-of select="."/></td>
</xsl:template>

HTML output (so far):
<html>
  …
      <tbody>
        <tr>
          <td>888</td>
          <td>New Cars</td>
          <td>$8.00</td>
        </tr>

Notes:
The <xsl:apply-templates select="title | price"/> tag accepts matches for both the <title> and <price> children of <book>.
The <xsl:value-of select="."/> writes the string value of the current element node to the output tree.
XML to HTML (4 of 4)

Books.xml:
<list>
  …
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
    <price>$7.00</price>
  </book>
</list>

Books.xsl:
<xsl:template match="book">
  <tr>
    <td><xsl:value-of select="@ID"/></td>
    <xsl:apply-templates select="title | price"/>
  </tr>
</xsl:template>

<xsl:template match="title | price">
  <td><xsl:value-of select="."/></td>
</xsl:template>
(Other templates have been omitted for clarity)

HTML output:
<html>
  …
      <tbody>
        <tr>
          <td>888</td>
          <td>New Cars</td>
          <td>$8.00</td>
        </tr>
        <tr>
          <td>999</td>
          <td>Large Stories</td>
          <td>$7.00</td>
        </tr>

Notes:
After processing the first node, processing of the next <book> element takes place.
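The four-slide walk-through above, together with the processing loop under the earlier figure (match pattern, select template, apply further templates, create result node), can be modelled in a few dozen lines. The following Python is an added example, not the course's Books.xsl and not an XSLT processor: it reimplements only the template-selection loop and the built-in rules (the root node and elements recurse into their children, text nodes are copied) for the three templates shown on the slides. Whitespace-only text is dropped as xsl:strip-space would, the first matching template wins instead of XSLT's priority rules, and value-of is limited to "." and "@ID"; the Books.xml below is retyped from the slides as a constructed sample.

```python
import xml.etree.ElementTree as ET
from html import escape

# Books.xml from the slides, retyped here as a constructed sample.
BOOKS_XML = """<list>
  <book ID="888"><author>John Smith</author><title>New Cars</title><price>$8.00</price></book>
  <book ID="999"><author>Dan Big</author><title>Large Stories</title><price>$7.00</price></book>
</list>"""


def children(node):
    """Child nodes in document order: elements plus text, skipping whitespace-only text as xsl:strip-space would."""
    out = [node.text] if node.text and node.text.strip() else []
    for child in node:
        out.append(child)
        if child.tail and child.tail.strip():
            out.append(child.tail)
    return out


class Processor:
    """Model of the XSLT processing loop: for each node, select the first template whose pattern
    names it; with no match, fall back to the built-in rules (recurse into elements, copy text)."""

    def __init__(self, templates):
        self.templates = templates  # list of (set of matching names, callable(node, processor) -> str)

    def apply_templates(self, nodes):
        return "".join(self.process(node) for node in nodes)

    def process(self, node):
        if isinstance(node, str):  # built-in rule for text nodes: the text is copied to the result
            return escape(node)
        for names, template in self.templates:
            if node.tag in names:
                return template(node, self)
        return self.apply_templates(children(node))  # built-in rule for root/elements: apply-templates


def root_template(node, proc):  # match="/"
    return ("<html><head><title>Book List</title></head><body><table><tbody>"
            + proc.apply_templates(children(node)) + "</tbody></table></body></html>")


def book_template(node, proc):  # match="book": <td>{@ID}</td> then apply-templates select="title | price"
    selected = [c for c in node if c.tag in ("title", "price")]
    return f"<tr><td>{escape(node.get('ID', ''))}</td>{proc.apply_templates(selected)}</tr>"


def cell_template(node, proc):  # match="title | price": <td><xsl:value-of select="."/></td>
    return f"<td>{escape(''.join(node.itertext()))}</td>"


FULL = [({"#document"}, root_template), ({"book"}, book_template), ({"title", "price"}, cell_template)]
NO_CELL_TEMPLATE = FULL[:2]  # title and price now fall through to the built-in text rule
ROOT_ONLY = FULL[:1]         # every element below the root falls through to the built-in rules


def transform(xml_text, templates):
    doc = ET.Element("#document")  # the root node that match="/" selects; it is not <list>
    doc.append(ET.fromstring(xml_text))
    return Processor(templates).apply_templates([doc])


if __name__ == "__main__":
    for name, sheet in [("full", FULL), ("no cell template", NO_CELL_TEMPLATE), ("root only", ROOT_ONLY)]:
        print(name, "->", transform(BOOKS_XML, sheet))
```

The second and third style sheets show what the built-in rules do when a template is missing: without the title | price template, the text of those elements still reaches the output, only without the <td> wrapper; with the root template alone, every text node in the document, including <author>, which the book template deliberately never selected, is copied into the table body. That is the behaviour the earlier slide describes ("Outputs the value of the current node when no matching template is found"), and it is the case to check when a style sheet is relied on to keep some source data out of the result.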
The <xsl:call-template> element

• … style sheet: … attribute, if specified
• <xsl:call-template name="templateName"/>
  - Calls a template, that is <xsl:template name="templateName">
  - <xsl:with-param>
• <xsl:if>
  - …

Notes:
Unlike the <xsl:apply-templates> tag, <xsl:call-template> does not call the template once for each instance of the node; it calls the named template once.
The <xsl:for-each> element

Books.xml:
<list>
  <book ID="…">
    <author>…</author>
    <title>Blue Flowers</title>
  </book>
  <book ID="888">
    <author>John Smith</author>
    <title>New Cars</title>
  </book>
  <book ID="999">
    <author>Dan Big</author>
    <title>Large Stories</title>
  </book>
</list>

Books.xsl: …

Books.html:
<p>Blue Flowers</p>
<p>New Cars</p>
<p>Large Stories</p>
The <xsl:if> element

Books.xml:
<list>
  <book ID="665">
    <author>Jim Blue</author>
    <author>Mike Yellow</author>
    <author>Dan Fam</author>
    <title>Blue Flowers</title>
  </book>
</list>

Books.xsl:
…
</xsl:if>

Notes:
The functions position() and last(): position() returns the position of the node currently being processed; last() returns the size of the current node list.
The <xsl:if> conditional can be used to test for a certain situation within a template. It can be used in conjunction with other actions.
More than one <xsl:if> …
The <xsl:choose> element (1 of 2)

<xsl:choose>
  <xsl:when test="…">
    …
  </xsl:when>
  <xsl:otherwise>
    …
  </xsl:otherwise>
</xsl:choose>
The <xsl:choose> element (2 of 2)

Books.xml:
…
  <chapter>First Chapter</chapter>
  <chapter>Second Chapter</chapter>
</list>

Books.xsl:
…
      <xsl:value-of select="."/>
    </p>
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>

Books.html: …
XSLT elements for creating XML:
• <xsl:element>: creates an element
  - <xsl:attribute>: creates an attribute within an <xsl:element>
  - <xsl:copy>: copies the current node and its namespace nodes from the source tree to the result tree
  - <xsl:copy-of>: copies the current node, its namespace nodes, …
  - <xsl:processing-instruction>: adds a processing instruction node

Notes:
A common use of XSLT is to translate and transform from one XML vocabulary to another XML vocabulary.
XSLT provides some built-in elements to help with these types of transformations.
The <xsl:copy-of> element is similar to the <xsl:copy> tag except that the child and attribute nodes are copied as well.
The <xsl:element> element

<xsl:element name="element-name">
  - <xsl:attribute> (creates an attribute)
  - <xsl:element> (creates a child element)
  - Text
  <!-- … -->
</xsl:element>

Alternative (literal result element):
<element-name>
  <!-- content -->
</element-name>

Notes:
The attributes …
The <xsl:attribute> element

• Example:
<xsl:attribute name="id">
  …
</xsl:attribute>
XPath: attribute "id" of the current node

Notes:
The <xsl:attribute> …
Topic summary

Having completed this topic, you should be able to:
• Describe the role of the three main specifications in XSL: …
• Construct a location … on an XML document
Custom style sheet programming

After completing this topic, you should be able to:
• Use variables in an XSL style sheet
• Create an XSL style sheet using DataPower extension functions
For example, style sheets that use a SAXON node-set function can be mapped to a DataPower equivalent function by the DataPower appliance … sheets

Notes:
Mapping custom extension functions to DataPower extension functions saves the effort of rewriting or modifying style sheets. To configure this mapping, use the XML Manager object.
DataPower supports the XSLT …
How to develop style sheets with DataPower extensions

1. Write the XSL style sheet using an XML editor.
   For example: myStylesheet.xsl
… Transform …

Notes:
Create custom XSL style sheets using the XML editor of your choice. The Eclipse 3.2 Web Tools is an open source solution that provides an XML editor for designing XSL style sheets and XML schema files. Based on the same Eclipse platform is IBM Rational Application Developer, which provides the same level of XML functionality plus XSL style sheet compile and debug features.
You can also use the DataPower Eclipse plug-ins on either product. There are two sets of plug-ins: the coprocessor and management. The former offloads complex XML processing tasks to the DataPower SOA appliance, while the latter allows you to control multiple DataPower appliances from the Eclipse workbench.
These plug-ins do not support auto-completion using DataPower extension functions. See the DataPower reference guide for documentation.
XSLT variables

• …
  - Use {$variable} in an attribute value template
  - … support a node set

<?xml version="1.0"?>
…
<xsl:variable name="…" select="…"/>
…
</xsl:template>
</xsl:stylesheet>

Notes:
XSL variables can be made global by defining them outside of any <xsl:template> tags.
The <xsl:param> is also used in style sheet programming and behaves similarly to the <xsl:variable> tag, except that its value can be overridden if it is passed as a style sheet parameter.
A node set represents a set of nodes in an XML document. Some XSL functions or tags expect a node set value type. For example, in the <xsl:value-of> tag, the select expression commonly yields a node set; the string value of the first node in that set (in document order) is written to the output.
DataPower variables

• … function …
• … there is no …

Notes:
DataPower variables allow for additional flexibility over XSLT variables because they can be modified.
DataPower variable scopes

• Local: a single processing rule
• Service: per transaction (request and response rule)
  - Do not create variables in the service scope
• Context: user-defined variables per transaction

Notes:
A transaction is defined as the multistep action in a processing rule for both the request and response.
The service scope contains built-in variables used in transactions, configuration, load balancer, and WebSphere MQ-specific services.
An example transaction variable is var://service/URI.
DataPower variable storage treats a DataPower variable with an empty node set as marked for deletion.
See Appendix R-2 for a list of read-only and read/write service variables.
Variables created in the context scope must have at least three levels defined, for example, var://context/level1/level2 but not var://context/level1/. The latter example does not allow you to read the variable you define.
System variables are deleted when the appliance is shut down.
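The scope rules in these notes (at least three levels for a context variable, no trailing slash, nothing new in the service scope) are easy to violate in a style sheet and only show up later, when a dp:variable() call comes back empty. The following Python is an added example, not a DataPower tool: it scans a style sheet for dp:set-variable elements whose name attribute is an XPath string literal and checks each var:// URL against those rules. The dp namespace URI is the one DataPower uses for its extension elements; the sample style sheet, the wording of the messages and the "system" scope (taken from the note on system variables) are assumptions of the example, and the check is advisory only: a lint, not a guarantee that the appliance accepts the name.

```python
import re
import xml.etree.ElementTree as ET

DP_NS = "http://www.datapower.com/extensions"  # namespace of the dp: extension elements
KNOWN_SCOPES = ("local", "service", "context", "system")  # scopes named on the slide and in the notes


def check_variable_name(name):
    """Return the problems with a DataPower variable name (an empty list means it looks usable)."""
    m = re.fullmatch(r"var://([^/]*)(/.*)?", name)
    if not m:
        return [f"{name!r}: not a var:// URL"]
    scope, path = m.group(1), m.group(2) or ""
    levels = 1 + len([s for s in path.split("/") if s])  # the scope itself is level one
    problems = []
    if scope not in KNOWN_SCOPES:
        problems.append(f"{name!r}: unknown scope {scope!r}")
    if path.endswith("/"):
        problems.append(f"{name!r}: trailing slash, the variable cannot be read back")
    if scope == "context" and levels < 3:
        problems.append(f"{name!r}: context variables need at least three levels (var://context/level1/level2)")
    if scope == "service":
        problems.append(f"{name!r}: writes the service scope; only built-in service variables belong there")
    return problems


def lint_stylesheet(xslt_text):
    """Check every dp:set-variable whose name is a literal; computed names are reported, not checked."""
    findings = []
    for el in ET.fromstring(xslt_text).iter(f"{{{DP_NS}}}set-variable"):
        raw = el.get("name", "")
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":  # XPath string literal, e.g. 'var://...'
            findings.extend(check_variable_name(raw[1:-1]))
        else:
            findings.append(f"{raw!r}: computed at run time, not checked")
    return findings


# Constructed style sheet fragment exercising each rule (not from the course).
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions">
  <xsl:template match="/">
    <dp:set-variable name="'var://context/example/x'" value="'abc'"/>
    <dp:set-variable name="'var://context/level1/'" value="'unreadable'"/>
    <dp:set-variable name="'var://context/level1'" value="'too-short'"/>
    <dp:set-variable name="'var://service/URI'" value="'/rewritten'"/>
    <dp:set-variable name="'var://local/trace'" value="'on'"/>
    <dp:set-variable name="$ex1" value="'abc'"/>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for finding in lint_stylesheet(SAMPLE_XSL):
        print(finding)
```

Only literal names can be checked statically; a name held in an XSLT variable (the $ex1 pattern shown on the next example slide) is reported so that it can be reviewed by hand. The service-scope message is deliberately a warning rather than an error, because setting an existing service variable such as the request URI is legitimate; the rule on the slide is about creating new ones there.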
Service variable categories:
• Error handling
• Headers
• Information
• Persistent connections
• Routing
• Statistics
• URL
Example: DataPower variables

• This short example demonstrates the usage of XSLT and DataPower variables
  - The XSLT variable named ex1 is assigned the name of the DataPower variable var://context/example/x
  - The DataPower variable named by $ex1 (var://context/example/x) is assigned the value abc
  - An element called var is created from the previously assigned variables

<xsl:variable name="ex1" select="'var://context/example/x'"/>
<dp:set-variable name="$ex1" value="'abc'"/>
<xsl:element name="var">
  <xsl:attribute name="something">
    <!-

Figure 3-39. Example: DataPower variables

Notes:
Surround DataPower variable names with single quotes when accessing them from attributes that expect an XML node set.
The value of the variable is retrieved twice, first from the <xsl:value-of> and second from the dp:variable() function.
A DataPower XSL style sheet can also reference variables passed from an HTML form. Perform the following steps inside an XSL style sheet:
1. Add an <xsl:param> tag with the same name as the passed HTML parameter.
2. For example, if the name in the HTML form field is lname, then add the following: <xsl:param name="dpquery:lname"/>
3. The value can be referenced using the name declared in the <xsl:param> tag. For example, <xsl:value-of select="$dpquery:lname"/>.
Style sheet using DataPower extension functions

<xsl:stylesheet version="1.0" …>
  …
        … ='Body']
      </xsl:when>
      <xsl:otherwise>
        <dp:set-target>
          <host>10.10.36.11</host>
          <port>8080</port>
        </dp:set-target>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>

Notes:
DataPower extension functions and elements use the dp namespace, http://www.datapower.com/extensions.
In this example, the back-end host and port are set using the <dp:set-target> extension element, based on the name of the operation inside the SOAP message.
Topic summary

Having completed this topic, you should be able to:
• Use variables in an XSL style sheet
Checkpoint

1. …
2. … "…" … />
Unit summary

Having completed this unit, you should be able to:
• Describe the Extensible Stylesheet Language (XSL) model
• Construct XPath expressions
• … in XSLT
Unit 4.

• …
• Checkpoint
• Exercise 3: Create a simple XML firewall
Unit objectives

After completing this unit, you should be able to:
• List the supported services on the WebSphere DataPower SOA Appliance
• Compare and contrast the features supported by each WebSphere DataPower service
Primary services

After completing this topic, you should be able to:
• Identify the services that can be configured on the DataPower appliance
• Select a service based on policy requirements
Services available on the DataPower appliance

• XSL proxy (XSL Accelerator): accelerates XML processing such as schema validation and XSL transformations
• XML firewall: secures and offloads XML processing from back-end XML-based applications
• Web service proxy: …
• Web application firewall: threat mediation, …
• Multi-protocol gateway: … encryption, …

Notes:
AAA: authentication, authorization, and auditing.
The five primary DataPower services are listed above. You can create these services through the Control Panel in the WebGUI.
The XSL Coprocessor Service, which is not included in the list above, contains the same functionality as an XSL proxy except that it can also obtain input from a remote Java process and return the results. The API used for communication is JAXP.
The Web service proxy configuration is WSDL-based. It is the only service that requires a WSDL file.
All services support monitors and logging.
XSL Accelerator (XSL proxy)

• … using SSL
• Use cases
  - Portal-based applications that require large quantities of transformations
  - Offloading XSL transformations from the portal server onto the DataPower appliance

Notes:
The XSL proxy service supports XML validation and transformation at wire speed.
The term "wire speed" is often used to describe the XML processing performance of a DataPower SOA appliance. That is, the average XML processing rate is almost as high as the network connection transmission rate. Runtime variables, such as the complexity of the XML messages and of the XSL transform, affect processing speed.
Companies that provide XML applications or Web services often skip the XML schema validation step due to its performance overhead. With the XSL proxy service, these companies can validate XML messages against an existing schema without significant degradation in performance. This solution also requires no modification to the existing back-end service.
XSL Coprocessor Service

• Provides the same features as the XSL proxy, with the added ability to accept XSL tasks from external applications

Figure: client → input → [appliance performs validation or transformation] → results → client

Notes:
You can install the Eclipse DataPower plug-ins to act as a remote host to communicate with …
XML Firewall

• … in the message

Notes:
The features listed for the XML firewall are not exhaustive. The XML firewall also supports the same features mentioned previously for the XSL proxy.
An XML firewall uses a document processing policy to enforce the features mentioned in the slide. For example, a firewall policy can require messages to be encrypted and then schema validated. Other features such as XML signatures, access control, and dynamic routing have associated actions that are used in a firewall policy.
XML threat protection and SSL communication are configured at the service level instead of the policy level.
Web Service Proxy

• WSDL-based configuration
• … back-end Web services
• Proxy policies

Notes:
An XML firewall can be created from a WSDL file as well. However, the Web service proxy is simpler to configure with the WSDL file, since it includes built-in support for creating rules at different levels of the WSDL, and service virtualization.
Multiple WSDL files can be associated with the Web service proxy.
The Web service proxy must have a Backend URL. It does not support the loopback proxy mode, which is supported by the XML firewall and the XSL proxy.
You can receive requests over multiple transports (front side handlers) such as HTTP, HTTPS, WebSphere MQ, and more.
Multi-Protocol Gateway

Figure: clients (HTTP, HTTPS, MQ, …) → Multi-Protocol Gateway → back-end (HTTP, HTTPS, MQ, …)

Notes:
The multi-protocol gateway does not support the loopback proxy mode that the XML firewall supports.
The protocol used on the client side of the gateway need not be the same as that on the back-end.
The supported protocols are HTTP, HTTPS, FTP, NFS, raw XML, WebSphere MQ, TIBCO EMS, WebSphere JMS, and IMS Connect.
IBM WebSphere MQ support is available on an XI50 IBM WebSphere DataPower SOA appliance with the appropriate license.
The gateway can use GET and PUT queues to communicate using WebSphere MQ messages.
Raw XML is an implementation that allows messages to flow from the client to the back-end server and back again using persistent TCP connections.
Web application firewall service

• … by listening for requests on multiple Ethernet interfaces and TCP ports
• … connections to … over HTTP or HTTPS
• Customized …

Figure: external client (HTTPS) → Web application firewall (threat mediation, AAA, rate limiting) → Web application (HTTP or HTTPS)

Notes:
The Web application firewall service contains functionality required for securing, load balancing, and accelerating Web-based applications. This is unlike the other services, which focus on XML-based applications.
Threat mediation is provided by checking for malicious JavaScript within HTTP messages.
The concept of the Web application firewall is similar to the other services except that it applies to HTTP traffic.
The Web application firewall provides features specific to Web applications such as session management, Web-based validation, and cookie handling.
Figure 4-10. Service relationships:
XSL proxy (validation, transformation, transport level security; loopback proxy)
  + XML firewall (loopback proxy)
    + Web service proxy (service-level management, Web service virtualization, WSDL-based configuration)
    + Multi-protocol gateway (service-level management, multiple front- and back-side protocol support)

Notes:
This diagram illustrates the object relationship between the different services covered in this course.
The XSL proxy provides XML schema validation, XML transformation, and support for transport level security (SSL connections). All three DataPower appliances (XA35, XS40, and XI50) support the XSL proxy service.
The latter three services are unique to the XS40 and XI50 DataPower appliances.
The XML firewall provides security features for XML applications, at the message header and payload level.
The Web service proxy inherits all the abilities of the XML firewall and adds Web service-specific features. Web service virtualization allows a Web service proxy to support many back-end Web service applications. In addition, the WSDL-based configuration feature allows developers to set processing rules at a service, portType (interface), or operation level. Although this level of granularity is possible using an XML firewall, it is up to the developer to apply a processing policy to an element of a Web service using custom XPath expressions.
Finally, the multi-protocol gateway allows any-to-any mapping of connections, using a set of front- and back-end protocol handlers.
The loopback proxy option, used mainly for testing, is not available in the multi-protocol gateway or the Web service proxy.
Both the Web service proxy and multi-protocol gateway services support service level management policies.
The Web application firewall, which is not shown on this diagram, is a service that has a feature set similar to the XML firewall, but is designed for non-XML traffic.
Figure 4-11. Service selection by scenario (Multi-protocol gateway, XML firewall, XSL proxy):
• If WSDL-based, …
• … has the same capabilities as an XML firewall, but allows for extension to additional protocols
• … specific needs
• Non-XML traffic

Notes:
The Web service proxy is the most popular DataPower service in use by customers.
Most of the XML traffic flowing through these organizations originates from Web service calls, almost all of which are described by WSDL files.
Secondary services

• Three secondary services
  - HTTP service
  - TCP proxy service
  - SSL proxy service

Notes:
By default, the appliance does not create an HTTP service on port 80. It must be explicitly created. This service is meant for low-volume or testing purposes; there is not much room on the appliance for the disk requirements of a typical Web server.
The TCP and SSL proxy services listen for requests on the specified port number and forward the requests to a remote host address and port.
Topic summary
Having completed this topic, you should be able to:
- (objective text not captured) ... services

Notes:

Service configuration
After completing this topic, you should be able to:
- Create a policy that matches requests and processes them using actions
- Describe the relationship between services, policies, rules, and actions
- Create a URL rewrite policy to replace the client URL

Notes:
In the navigation bar, expand OBJECTS to reach objects such as:
- Network Settings
- FTP Quoted Commands
- IMS Connect
- Load Balancer Group
- MQ Queue Manager
- Peer Group
- WebSphere JMS
- Protocol Handlers
  - FTP Poller Front Side Handler
  - FTP Server Front Side Handler
  - HTTP Front Side Handler

Notes:
The objects listed in this graphic do not make up an exhaustive list. Some options for
certain operations are only available when configuring the object.
Request and response processing phases
1. Client-side
2. Service policy
3. Server-side
   - Streaming, URI propagation, user agent, and SSL, load balancer, HTTP options
Diagram: Remote clients -> Client-side -> Service policy -> Server-side -> Endpoint
application servers (Request); the Response travels back through the same phases.

Notes:
Response messages from the server then pass through these phases in reverse.
Response processing is the same as request processing except that the server must deal
with errors from the back-end service.
During client-side processing, the URL submitted by the client may be rewritten, the HTTP
headers altered, and the format of the message validated (SOAP or XML).
During service policy processing, the message may be transformed in any number of ways,
as well as filtered, encrypted, decrypted, signed, verified, or duplicated and sent to a third
party resource for handling.
During server-side processing, the message may be routed, TCP and HTTP options set, or
SSL connections negotiated.
URI propagation refers to the part of the URL after the host-port combination.
A user agent can be configured with an SSL Proxy profile to communicate securely to the
back-end service.
A load balancer object is used to provide redundancy for multiple back-end servers. The
service will send the message to the load balancer group instead of the back-end server.
The load balancer group will choose the back-end server.
Multistep scope refers to the sequence of actions executed on the request and response.
Variables can be set to pass information between the actions.
Basic architectural model
- One appliance has many services:
  - XSL proxy
  - XML firewall
  - WS proxy
  - Multi-protocol gateway
Diagram: service -> processing policy -> rules (Request, Response, Error) -> actions, with
multiplicities shown as * and 1..1.

Notes:
The asterisk (*) implies 0 or more. The 1..1 means exactly 1.
- A service uses a processing policy to examine and manipulate messages.
- A policy consists of one or more rules, which are reusable across policies.
- A rule consists of one or more actions, such as validate and transform.
- An action may use an XSLT processing control file to manipulate the message.
- Rules can be configured to act upon both request and response messages.
Processing policy
- A service defines a single policy
- Each rule contains:
  - Match action: defines criteria to determine if incoming traffic is processed by the rule
  - Processing actions: a rule defines one or more actions taken on the submitted message
    (the action palette shows, for example, Filter, Sign, Route, AAA, Results and Advanced)
- If the request matches the conditions set in the Match action, then the actions are executed.

Notes:
This example defines a rule called Rule #1 with a Match action and two actions (AAA and
Results).
Processing rules
- Rules have the following directions:
  - Client to Server
  - Server to Client
  - Both Directions
  - Error
- Other capabilities: New Rule, Delete Rule
Figure: rule list showing the rules LDAPTest_request, LDAPTest_Rule_1 and LDAPTest_Rule_2
with their Rule Direction (Client to Server, Server to Client, Error) and a delete rule link for each.

Notes:
A specific matching rule can match on the URLs using the asterisk (*), for example */test*.
Processing in rules occurs sequentially in the order that the actions appear. New actions
that allow for programmatic processing, such as looping and if-then-else statements, were
introduced in the 3.6.1 firmware.
Match action
- A Match action allows you to provide different processing based on matching conditions
- Matching types:
  - URL
  - Error code
  - Full URL
  - Host
  - HTTP
  - XPath expression

Notes:
A Match action allows you to define criteria that will be matched against the incoming traffic
to determine if the actions configured in the rule are applicable.
Each rule is configured with a Match action.
The error code is not an HTTP error code, but a DataPower internal error code value.
Processing actions
- Edit rule: add actions (for example Filter, Sign, ...) to the rule (the figure shows
  LDAPTest_Rule_1, direction Server to Client)
- Contexts and variables set during the request processing are available to the actions
  used in the response processing because of a shared scope

Notes:
Variables can be set using a Set Variable action (Advanced > Set Variable).
Contexts are temporary variables containing XML data, binary non-XML data, user or
system variables.
The Log action is a good example of asynchronous processing. You may want to log
asynchronously so that subsequent processing can continue without delay while logging is
being completed. If you want to wait until later and continue after your previous
asynchronous actions have completed, you can add an Event Sink action. In this action,
you can list previous asynchronous actions that you will wait on.
The Conditional action implements if-then-else processing based on XPath expression
values.
The For-each action implements a loop on designated actions based on XPath expression
values.
Context
- A context ... (remaining slide text not captured)

Notes:
Each action has an input and output. It can be explicitly defined or generated by the
appliance.
The tmp1 context variables are temporary variables that are used to pass information
between the actions.
The INPUT and OUTPUT context variables are predefined by the appliance to represent
the input and output messages, respectively.
A multistep processing rule refers to a rule with at least one processing action.
PIPE and NULL contexts
- PIPE
  - Identifies a context whose output is used as the input of the next action.
  - Every action that outputs to PIPE must be followed by an action that inputs from PIPE.
- NULL
  - When used in Output context, silently discards any data generated by the action.
  - When used in Input context, passes no message to the action. Such empty input can be
    useful when executing a style sheet that does not require input.

Notes:
It is not always necessary to specify a context within an action. The WebGUI provides
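The following Python model is an added example, not code from the course or from the DataPower product. It shows how the pieces described on the last few slides fit together: a Match action (URL, Full URL, Host, HTTP header or XPath type, with asterisk globs as on the slide), an ordered list of actions, the INPUT and OUTPUT contexts, a temporary context (tmp1), and the PIPE and NULL semantics, including the check that a PIPE output must be consumed by the next action. The request, the sample order document and the action functions are constructed for the example; the address 10.44.31.123 is the one shown on the URL rewriting slide.

```python
"""Model of a DataPower-style processing rule: Match action, ordered actions, and the
INPUT / OUTPUT / PIPE / NULL / temporary contexts (added example, not product code)."""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

INPUT, OUTPUT, PIPE, NULL = "INPUT", "OUTPUT", "PIPE", "NULL"


@dataclass
class Request:
    url: str                 # part after host:port, which the URL match type sees
    full_url: str
    host: str
    headers: Dict[str, str]
    body: bytes


@dataclass
class Match:
    """Match action; kind is url, full_url, host, http or xpath.
    Glob patterns use '*' as on the slide (for example */test*)."""
    kind: str
    pattern: str
    header: str = ""         # header name, used when kind == "http"

    def matches(self, req: Request) -> bool:
        if self.kind == "xpath":
            return ET.fromstring(req.body).find(self.pattern) is not None
        subject = {"url": req.url, "full_url": req.full_url, "host": req.host,
                   "http": req.headers.get(self.header, "")}[self.kind]
        return fnmatch.fnmatchcase(subject, self.pattern)


@dataclass
class Action:
    name: str
    fn: Callable[[Optional[bytes], Dict[str, str]], Optional[bytes]]
    input: str = INPUT       # INPUT, PIPE, NULL or a temporary context such as tmp1
    output: str = OUTPUT


def pipe_chain_errors(actions: List[Action]) -> List[str]:
    """Every action that outputs to PIPE must be followed by one that inputs from PIPE."""
    errors = []
    for i, act in enumerate(actions):
        if act.output == PIPE and (i + 1 >= len(actions) or actions[i + 1].input != PIPE):
            errors.append(f"{act.name}: PIPE output is not consumed by the next action")
    return errors


@dataclass
class Rule:
    name: str
    match: Match
    actions: List[Action]

    def __post_init__(self):
        errors = pipe_chain_errors(self.actions)
        if errors:
            raise ValueError("; ".join(errors))


def run_rule(rule: Rule, req: Request):
    """Runs the actions in order, moving data between contexts; returns (OUTPUT, variables)."""
    contexts: Dict[str, Optional[bytes]] = {INPUT: req.body}
    variables: Dict[str, str] = {}
    pipe: Optional[bytes] = None
    for act in rule.actions:
        if act.input == NULL:
            data = None                  # NULL input: no message is passed to the action
        elif act.input == PIPE:
            data = pipe
        else:
            data = contexts[act.input]   # KeyError exposes a context that nobody wrote
        result = act.fn(data, variables)
        if act.output == NULL:
            continue                     # NULL output: result silently discarded
        if act.output == PIPE:
            pipe = result
        else:
            contexts[act.output] = result
    return contexts.get(OUTPUT), variables


def run_policy(rules: List[Rule], req: Request):
    """The first rule whose Match action matches handles the request; None if none does."""
    for rule in rules:
        if rule.match.matches(req):
            return rule.name, run_rule(rule, req)
    return None, (None, {})


# Actions used by the sample rule (constructed for this example)
def validate_well_formed(data, variables):
    ET.fromstring(data)                  # ParseError aborts the rule on malformed XML
    return data


def extract_state(data, variables):      # a Set Variable style action
    variables["state"] = ET.fromstring(data).findtext(".//state") or ""
    return data


def results(data, variables):            # default Results: copy input context to output
    return data


# Constructed sample request and rule
SAMPLE_BODY = b"<order><state>NC</state><item>widget</item></order>"
SAMPLE_REQ = Request("/order/submit", "http://10.44.31.123/order/submit", "10.44.31.123",
                     {"Content-Type": "text/xml"}, SAMPLE_BODY)
RULE_1 = Rule("Rule #1", Match("url", "*/order*"), [
    Action("validate", validate_well_formed, INPUT, PIPE),
    Action("extract", extract_state, PIPE, "tmp1"),
    Action("results", results, "tmp1", OUTPUT),
])
```

Running `run_policy([RULE_1], SAMPLE_REQ)` returns the rule name, the OUTPUT context (the validated order document) and the variables set along the way; a request whose URL does not match returns no rule, and a rule whose PIPE output is not consumed is rejected when the rule is built rather than when it first runs.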
Service types
- Static back-end
- Dynamic back-end
- Loopback
Diagram: remote clients -> appliance service -> back-end (static or dynamic), or back to the
client (loopback). © Copyright IBM Corporation 2009

Notes:
The static back-end forwards traffic to a statically defined endpoint.
The dynamic back-end forwards traffic based on the execution of a policy, which specifies
the back-end host address and port.
A loopback proxy does not forward the message to a back-end service once processing is
complete. This service type is often useful for validation and transformation services.
URL rewriting
- Example URL: http://10.44.31.123/order
- A rewrite rule:
  - Specifies an expression to match the URL
  - Defines a replacement expression
- Fields: Match Expression (PCRE), Input URL Unescape, URL Normalization
Figure 4-25. URL rewriting

Notes:
The URL rewrite policy executes at the service level and before the service policy.
Rewriting the URL at the service level affects the matching rule of the service policy. If you
rewrite the URL, make sure it still matches one of the matching rules.
A URL rewrite policy can also be executed within a processing policy by adding a Header
Rewrite action to the policy header and referencing a URL rewrite policy.
PCRE refers to Perl-compatible regular expressions. The match expression must be
entered using this syntax.
The five options available under URL Rewrite Type are: (the list was not captured in this
scan)
The Stylesheet Replace Expression is used to specify a style sheet that will transform or
filter a document identified by a rewritten URL.
The Input URL Unescape is used to specify if URL-encoded characters (for example, %2F)
are rewritten to literal character equivalents.
The Stylesheet URL Unescape is used to specify if the style sheet identified in Stylesheet
Replace Expression is subject to literal character replacement of URL-encoded
characters.
The URL Normalization field is used to enable normalization of URL strings.
Optionally, if the URL Rewrite Type is Header-rewrite, then a Header Name field is
available to specify a target HTTP header field.
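As an added example (not course or DataPower code), the Python model below reproduces the mechanics the notes describe: a PCRE-style match and replacement expression (Python's re handles the subset used here; `$1` is converted to Python's group syntax), the Input URL Unescape and URL Normalization options, the Header-rewrite type with its Header Name, and the caveat that the rewritten URL must still hit one of the service policy's matching rules. The rewrite rule, the match patterns and the sample URLs are constructed; the address 10.44.31.123 comes from the slide. Normalizing before matching is also what keeps a `..` segment from being matched as something it is not, which the last sample URL shows.

```python
"""URL rewrite policy model: PCRE-style match/replace, Input URL Unescape, URL
Normalization, Header-rewrite, and the check that the rewritten URL still matches a
service-policy matching rule (added example; not course or DataPower code)."""
import fnmatch
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UrlRewriteRule:
    rewrite_type: str             # "rewrite" (request URL) or "header-rewrite" (named header)
    match_expr: str               # PCRE-style pattern; Python's re handles this subset
    replace_expr: str             # replacement using $1, $2 ... for captured groups
    input_unescape: bool = False  # decode %XX sequences before matching
    normalize: bool = False       # collapse // and resolve . and .. before matching
    header_name: str = ""         # target header, only for header-rewrite


def _pcre_replacement(expr: str) -> str:
    """$1 (PCRE/DataPower style) -> \\1 (Python re style)."""
    return re.sub(r"\$(\d+)", r"\\\1", expr)


def unescape_url(url: str) -> str:
    """%2F -> '/', %2E -> '.', and so on; malformed sequences are left untouched."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), url)


def normalize_url_path(path: str) -> str:
    """Resolve . and .. segments and duplicate slashes without climbing above the root."""
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def apply_url_rewrite(rule: UrlRewriteRule, url: str,
                      headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Returns the (possibly rewritten) URL and headers; the inputs are not modified."""
    headers = dict(headers)
    repl = _pcre_replacement(rule.replace_expr)
    if rule.rewrite_type == "header-rewrite":
        value = headers.get(rule.header_name, "")
        headers[rule.header_name] = re.sub(rule.match_expr, repl, value, count=1)
        return url, headers
    if rule.rewrite_type != "rewrite":
        raise ValueError(f"URL Rewrite Type {rule.rewrite_type} not modelled here")
    if rule.input_unescape:
        url = unescape_url(url)
    if rule.normalize:
        url = normalize_url_path(url)
    return re.sub(rule.match_expr, repl, url, count=1), headers


def matching_rule_for(url: str, match_patterns: List[str]) -> Optional[str]:
    """The service policy's Match actions see the rewritten URL, so check it still matches."""
    for pattern in match_patterns:
        if fnmatch.fnmatchcase(url, pattern):
            return pattern
    return None


# Constructed sample rule and policy match patterns (paths under http://10.44.31.123/)
ORDER_REWRITE = UrlRewriteRule("rewrite", r"^/order(/.*)?$", "/services/order$1",
                               input_unescape=True, normalize=True)
POLICY_MATCHES = ["*/services/order*", "*/health"]


def rewrite_and_check(url: str, headers=None) -> Tuple[str, Optional[str]]:
    """Applies the service-level rewrite and reports which matching rule now applies."""
    new_url, _ = apply_url_rewrite(ORDER_REWRITE, url, headers or {})
    return new_url, matching_rule_for(new_url, POLICY_MATCHES)
```

`rewrite_and_check("/order/submit")` yields `/services/order/submit` and the matching rule `*/services/order*`; the percent-encoded and the `..`-laden spellings of the same path end up in the same place because unescaping and normalization run before the match expression is tried, while `/order/../admin/submit` normalizes to `/admin/submit`, is not rewritten, and matches no rule at all.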
XML Manager
- The XML Manager obtains and manages XML documents, style sheets, and other resources
  on behalf of one or more services
- WebGUI location: OBJECTS > XML Processing > XML Manager

Notes:
Select OBJECTS > XML Processing > XML Manager to display the XML Manager
objects, which provides the list of XML Managers that are currently configured, along with
their configuration details.
XML Manager default configuration
Figure: Configure XML Manager (tabs Main, XML Parser, Document Cache, Extension
Functions); Name: default; Admin State: enabled/disabled; Comments: Default XML-Manager;
Load Balancer Groups: (none); Stylesheet Cache Size: 256 stylesheets; SHA1 caching;
Static document calls; XSLT Expression optimization.

Notes:
Each XML Manager maintains a cache of compiled style sheets to facilitate wire speed
XML processing.
A load balancer group, or server pool, provides redundancy among back-end resources.
XML parser limits
- In the Configure XML Manager page, select the XML Parser tab
- Parser limits are automatically associated to a service through the XML Manager object
- Can be overridden by service-specific settings in the XML threat protection page
Figure: XML Parser tab of the Configure XML Manager page (tabs Main, XML Parser,
Document Cache); values visible include 4194304 bytes, 512, and a "Forbid ..." setting.

Notes:
The XSL proxy service does not have an XML threat protection page.
Parser limits:
- XML Bytes Scanned: The maximum number of bytes scanned in one message by the
  XML parser. "0" indicates no restriction.
- (the descriptions of the remaining limits were not captured) ... appliance.
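The notes name only XML Bytes Scanned, so the following added example (not course or DataPower code) treats the parser-limit idea generically: it feeds a message to a streaming parser and aborts as soon as a limit is crossed, instead of parsing the whole document first and measuring afterwards. The bytes-scanned limit is the one from the page (4194304 is the value visible on the slide); the element-depth and attribute-count limits and the "forbid external references" switch are assumed categories, included because that is what a parser-limit page on any XML gateway protects against: deeply nested or oversized documents that exhaust memory, and DOCTYPE or external-entity references that make the parser fetch or expand things on an attacker's behalf. The sample documents are constructed.

```python
"""Streaming enforcement of XML parser limits in the spirit of the XML Manager's
XML Parser tab (added example; not course or DataPower code). Only XML Bytes
Scanned is named on the page; the other limits are assumed categories."""
import xml.parsers.expat
from dataclasses import dataclass
from typing import Tuple


class XmlLimitExceeded(Exception):
    pass


@dataclass
class ParserLimits:
    bytes_scanned: int = 4194304            # 4 MiB, as shown on the slide; 0 = no restriction
    element_depth: int = 512                # assumed limit (0 = no restriction)
    attribute_count: int = 128              # assumed limit (0 = no restriction)
    forbid_external_references: bool = True  # reject DOCTYPE / external entities outright


def parse_with_limits(data: bytes, limits: ParserLimits, chunk_size: int = 4096) -> dict:
    """Parses data with expat, stopping the moment a limit is crossed rather than after
    the whole document has been read. Returns simple statistics on success."""
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if limits.element_depth and depth > limits.element_depth:
            raise XmlLimitExceeded("element depth")
        if limits.attribute_count and len(attrs) > limits.attribute_count:
            raise XmlLimitExceeded("attribute count")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if limits.forbid_external_references:
            raise XmlLimitExceeded("DOCTYPE not allowed (external references forbidden)")

    def external_entity_ref(context, base, system_id, public_id):
        # Never fetch an external entity on a message's behalf; treat it as a violation.
        raise XmlLimitExceeded("external entity reference")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref

    scanned = 0
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        scanned += len(chunk)
        if limits.bytes_scanned and scanned > limits.bytes_scanned:
            raise XmlLimitExceeded("bytes scanned")   # checked before the chunk is parsed
        parser.Parse(chunk, False)
    parser.Parse(b"", True)
    return stats


def check_message(data: bytes, limits: ParserLimits) -> Tuple[bool, str]:
    """Accept/reject wrapper: (True, 'ok') or (False, reason)."""
    try:
        parse_with_limits(data, limits)
        return True, "ok"
    except XmlLimitExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"


# Constructed sample messages
NORMAL = b"<order><state>NC</state><item qty='2'>widget</item></order>"
DEEP = b"<a>" * 600 + b"</a>" * 600      # nesting beyond the assumed depth limit of 512
WITH_DOCTYPE = (b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'http://example.invalid/x.dtd'>]>"
                b"<order>&ext;</order>")
```

With the default limits, `check_message(NORMAL, ParserLimits())` is accepted with a maximum depth of 2, the 600-level document is rejected with "element depth" long before its closing tags are read, the DOCTYPE is rejected at the declaration, and lowering `bytes_scanned` to a handful of bytes rejects even the normal order before any of it is parsed.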
Topic summary
Having completed this topic, you should be able to:
- Create a service policy with actions that process the client request or server response
- XML Manager
- URL rewriting

Notes:

Checkpoint
(Questions 1 to 4, and the answers given in the Notes, were not captured in this scan.)
© Copyright IBM Corporation 2009
Unit summary
Having completed this unit, you should be able to:
- (objective text partially captured) ... SOA Appliance
- (objective text partially captured) ... supported by each

Notes:
Unit 5.
(Unit title and contents list only partially captured; recovered items: Checkpoint;
Exercise 4: Create an advanced XML firewall)

Unit objectives
After completing this unit, you should be able to:
- List the features and functions of an XML firewall service
- Configure an XML firewall service on a WebSphere DataPower SOA Appliance
Figure 5-1. Unit objectives

Notes:

XML Firewall
- Most organizations ... (remaining slide text not captured)

Notes:
What is an XML firewall service? (1 of 2)
- XML Firewall ... attacks (slide text only partially captured)

Notes:
The XML firewall service also supports the field-level encryption and signing of messages.
The XML firewall service is the entry-level service for XML-based applications. These
features are also inherited by the multi-protocol gateway and Web service proxy.
XML firewall service object model
Figure: objects surrounding the XML Firewall: Crypto Shared Secret Key, Crypto FW Creds,
Crypto Key, SSL Proxy Profile, Crypto Certificate, Crypto ID Creds, Crypto Profile, Kerberos
KDC Server, Processing Policy, Message Duration Monitor, Message Match, Message Filter,
Message Count Monitor, Statistics, Log Target, Log Category, Host Alias.

Notes:
This diagram represents a subset of the objects used by the XML firewall service. The
objects in bold are the ones that are used often.
Figure: WebGUI service icons: Web Service Proxy, Multi-Protocol Gateway, XML Firewall,
Web Application Firewall, XSL Accelerator.
- 3. All configurations ... Add Advanced ... firewall page (slide text only partially captured)

Notes:
Click the XML Firewall icon in the DataPower WebGUI to take you to the page where you
can choose to create an XML firewall using either the wizard or the manual approach.
1. Configure the General tab; firewall types:
   - Loopback
   - Static back-end
   - Dynamic back-end
5. Decide whether to implement a URL rewrite policy
Figure: Configure XML Firewall (tabs General, Advanced, Stylesheet Params, Headers,
Monitors; buttons Clone, Export, View Log, View Status, Show Probe, Validate
Conformance, Help); XML Firewall Service status: [up]; General Configuration: Firewall
Name, XML Manager: default, Firewall Policy, Summary, URL Rewrite Policy, Firewall
Type: Static Backend.

Notes:
The firewall policy object enforces the security policy. This is discussed later in this
presentation.
By default, a new XML firewall service uses the "default" XML Manager. You do not need to
explicitly create the "default" XML Manager object.
Figure: General tab, Front End and Back End sections (Client - DataPower - Origin
Server): Server Address, Server Port, Device Address, Device Port, SSL Client Profile,
SSL Server Profile, Response Type (SOAP), Request and Response Attachments (Strip).
2. Describe the network location and port for clients to access the XML firewall
3. Select the secure sockets layer (SSL) settings for the front and back-end connections
4. Choose the expected message and message attachment types for the front- and
   back-end connections

Notes:
- The idea is to not hardcode external references
- Static Host: name the servers of the back-end resources
Figure: Front End / Back End host alias fields (for example WSserver99, external); Host Alias.

Notes:
Hardcoding server names and the appliance's Ethernet addresses makes it difficult to
migrate the configuration through the various states before it hits production. By using
aliases, a configuration can remain constant as the configuration is migrated.
An appliance administrator defines the aliases in the default domain, and they are
appliance-wide.
Figure: Request Type and Response Type (SOAP, XML, ...); Request and Response
Attachments (Strip).

Notes:
Selecting a non-XML message type does not allow you to execute many of the processing
actions in a service policy since actions expect the XML message type.
If no action in a response rule modifies the message, then the response type is set to
Pass-Thru.
Request/response attachment processing
Figure 5-1 (request type SOAP; Request Attachments and Response Attachments: Strip)

Notes:
The DIME format can also be supported instead of MIME by setting the variable
var://local/_extension/attachmentformat to application/dime in a service policy.
Figure: Configure XML Firewall, Advanced and Stylesheet Params tabs (Advanced,
Stylesheet Params, Headers, Monitors, XML Threat Protection); Parameter Name
(namespace http://www.datapower.com/param/config, for example decrypt-key, or a
custom name), Parameter Value, Submit, Cancel.

Notes:
Access control lists allow you to control by IP address who can access the service.
The default style sheet namespace values for the DataPower parameters are
http://www.datapower.com/param/config and for query parameters are
http://www.datapower.com/param/query.
In the Advanced tab, the Firewall Credentials list identifies the keys and certificates that
are available to support firewall processing. Only those specific keys and certificates listed
in the Firewall Credentials list are available to this XML firewall.
In the Stylesheet Params tab, the four parameters that can be passed are:
- decrypt-key: This is used for decryption operations. It is the name of the Key object
  that will be used.
- keypair-key: This is used for signing operations. It is the name of the Key object that
  will be used.
- keypair-cert: This is used for signing operations. It is the name of the Certificate
  object to be used.
- recipient: (description not captured)
Figure: Headers tab (Direction, Header Name, Header Value, Add; Direction, Header Tag,
Add).

Notes:
The Headers tab is used to modify HTTP headers before the execution of the service
policy. Headers can be inserted or removed from either the request or response message.
Service level monitors
- Monitors traffic from a Web services endpoint
- Needs WSDL file
Figure: Monitors tab (Count Monitors: (empty); Duration Monitors: (empty); a third monitor
list: (empty)).

Notes:
Service level monitors are not the same monitors used by the Web service proxy and
multi-protocol gateway, although they use the same name.
XML threat protection
Figure: XML Threat Protection tab of the Configure XML Firewall page: a list of protection
settings (on/off), recursive entity limits, and SQL Injection Protection.

Notes:
The XML threat protection page lists all of the techniques available to protect against
XML-based attacks. The single and multiple message denial-of-service protection can be
configured on this page. Similarly, the valid protocols accepted can be configured here too.
The remaining options, such as SQL injection, scanning for viruses in attachments, and
dictionary attack, are configured as part of a service policy.
Use the ICAP (Internet Content Adaptation Protocol) protocol to communicate with virus
scanning software.
Step 3: Implement a service policy
- Create (+) or modify (...) a firewall policy for the XML firewall
  - Policies can be reused across services
  - Each policy has multiple rules
  - Each rule has a single Match action and one or many processing actions
Figure: General Configuration (XML Manager: default; Firewall Policy: EastAddressSearch;
URL Rewrite Policy) and the policy editor with its action palette (Filter, Sign, ..., Results,
Advanced).

Notes:
Match action
Figure: Matching Rule editor (Matching Rule: AddressRouter_MatchAll; Matching Type:
URL, Full URL, Host, HTTP, Error Code, XPath; HTTP Header Tag; HTTP Value; URL
Match; Error Code; XPath Expression; Add; Delete; Cancel).

Notes:
The match type URL matches the part of the URL string after host:port.
The match type Full URL matches the entire URL string.
The match type Host matches the host name.
The match type HTTP matches HTTP header name-value pairs.
The match type XPath specifies an XPath expression on the incoming message to
determine a match.
The Error Code matching action provides the ability to support customized, user-designed
error processing.
Processing actions
Action / Description (the descriptions were only partially captured):
- Filter: ... on incoming documents
- Sign
- Verify
- Validate
- Encrypt
- Decrypt
- Transform
- Route
- AAA
- Results
- Advanced

Notes:
The Encrypt and Decrypt actions are used for XML encryption. The Sign and Verify
actions are used in XML signatures. These actions are discussed in the Web services
security unit.
The AAA action is discussed in the AAA lecture.
The Advanced actions are:
- Anti-Virus: This action scans a message for viruses using an external ICAP server
- Call Processing Rule: This invokes a named rule; processing resumes on the next step
- Conditional: This selects an action for processing based on an XPath expression
- Convert Query Params to XML: This converts non-XML CGI-encoded input (an HTTP ...)
- Crypto Binary: This performs a cryptographic operation (sign, verify, encrypt, decrypt)
  on binary data
- Fetch: This retrieves an identified external resource and places the result in the
  specified context
- For-each: This defines looping based on a count or expression
- Header Rewrite: This rewrites HTTP headers or URLs
- Log: This sends the content of the specified input context as a log message to the
  destination URL identified here
- Set Variable: This sets the value of a variable for use in subsequent processing
- SQL: This sends SQL statements to a database
- Strip Attachments: This removes either all or specific MIME or DIME attachments
- SLM Rule: This invokes an SLM (service level monitor) policy
- Transform (using processing instruction): This transforms by using XSLT that is
  specified by processing instructions within the XML document; the parameters may be
  passed ... such
More processing actions
Action / Description (descriptions not captured):
- For-each
- Conditional
- Event-sink
- Antivirus

Notes:
Many actions have an asynchronous option. Event-sink is used in processing rules to wait
for certain asynchronous actions to complete before processing continues.
Validate action
- Perform schema-based validation of XML documents:
  - Scans the document for the xsi:schemaLocation attribute, applies a URL rewrite policy,
    and uses the result to find schemas to apply to the document
  - Specifies a schema URL of an XML schema file
Figure: Validate action (Validate Document via Schema URL; Schema URL local:///...;
Upload, Fetch).

Notes:
The Validate action is used to validate the schema of XML documents. The schema URL
can reference either a local or remote file.
A schema exception map object uses an XPath expression to specify the encrypted and
unencrypted parts of an XML document. It allows for encrypted XML documents to be
validated using XML schemas that do not support XML encryption.
The Fetch button can be used to download a style sheet from a URL and store it on the
appliance.
Transform action
- Use XSLT to perform XSLT processing on XML documents
  - Identifies the XSL style sheet referenced in the Processing Control File (PCF) field
Figure: Transform action (Processing Control File local:///...; URL Rewrite Policy: (none);
Asynchronous: on/off; Output).

Notes:
The Transform action is also used for supporting custom XSLT actions.
The PCF can either be referenced from the appliance or uploaded from a remote site.
The URL Rewrite Policy rewrites external references contained within the input document.
Filter action
- A Filter action accepts or rejects an incoming message
Figure: Filter action, Basic tab: Processing Control File local:///Address-filter.xsl.

Notes:
A standard filter employs the selected XSLT style sheet to either accept or reject the
submitted document.
Filter action: replay attack
Figure: Filter action, Advanced tab: Action Type: Filter; Filter Method: Standard Filter,
Replay Filter, Required Elements Filter, WS-Security Message Layout Filter; Processing
Control File store:///replay-filter.xsl (Upload, Fetch); replay attack checks: WS-Addressing
Message ID on/off, a numeric setting shown as 60, Custom XPath Expression (XPath Tool).

Notes:
The replay attack filter protects against hackers sending a valid message multiple times. This
attack occurs when the intruder intercepts a valid message and sends that message on
behalf of someone else. To protect against replay attacks, messages should pass unique
values in each message. The unique values supported by the replay attack filter are
WS-Addressing messages containing a message ID, a WS-Security username token with
a nonce value, or a custom XPath. A nonce is a bit string generated to produce a unique
string. It is used in authentication and security situations to create a unique ID.
The replay attack filter uses a standard style sheet, replay-filter.xsl, to check if
messages are executing replay attacks.
Custom XPath uses content from the XML message to detect replay attacks.
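The added example below is not the course's replay-filter.xsl nor DataPower code; it models what a replay filter has to do with the three unique-value sources the notes list: a WS-Addressing MessageID, a WS-Security username-token nonce, or a value selected by a custom XPath. Each accepted value is remembered for a time window and any repeat inside that window is rejected; a message that carries no unique value at all is also rejected, because a filter that lets such messages through could be bypassed simply by omitting the field. The 60 s window is an assumption for the example (the slide shows the number 60 without a caption that survived the scan), the method names are chosen for this example, and the SOAP envelopes are constructed; the namespace URIs are the standard WS-Addressing 2005/08 and WS-Security 1.0 ones.

```python
"""Replay-attack filter model: reject a message whose unique value (WS-Addressing
MessageID, WS-Security nonce, or a custom XPath value) was already seen within a
time window (added example; not the course's replay-filter.xsl nor DataPower code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}


class ReplayFilter:
    def __init__(self, method: str, window_seconds: int = 60,
                 custom_xpath: Optional[str] = None):
        # method names are this example's own: "wsa-message-id" | "wsse-nonce" | "custom-xpath"
        self.method = method
        self.window = window_seconds          # 60 s is an assumption for the example
        self.custom_xpath = custom_xpath
        self._seen: Dict[str, float] = {}    # unique value -> time it was first accepted

    def unique_value(self, root: ET.Element) -> Optional[str]:
        if self.method == "wsa-message-id":
            return root.findtext(".//wsa:MessageID", namespaces=NS)
        if self.method == "wsse-nonce":
            return root.findtext(".//wsse:Nonce", namespaces=NS)
        if self.method == "custom-xpath":
            return root.findtext(self.custom_xpath, namespaces=NS)
        raise ValueError(f"unknown filter method {self.method}")

    def _expire(self, now: float) -> None:
        """Forget values older than the window so the table cannot grow without bound."""
        self._seen = {v: t for v, t in self._seen.items() if now - t < self.window}

    def check(self, message: bytes, now: float) -> Tuple[bool, str]:
        """(True, 'accepted') for a fresh message, otherwise (False, reason)."""
        self._expire(now)
        try:
            root = ET.fromstring(message)
        except ET.ParseError as exc:
            return False, f"not well-formed: {exc}"
        value = self.unique_value(root)
        if value is None or not value.strip():
            return False, "no unique value in message; cannot rule out a replay"
        value = value.strip()
        if value in self._seen:
            return False, "replay: unique value already seen within window"
        self._seen[value] = now
        return True, "accepted"


def soap_with_message_id(message_id: str) -> bytes:
    """Constructed SOAP envelope carrying a WS-Addressing MessageID header."""
    return (
        '<soap:Envelope xmlns:soap="{soap}" xmlns:wsa="{wsa}">'
        "<soap:Header><wsa:MessageID>{mid}</wsa:MessageID></soap:Header>"
        "<soap:Body><checkBalance/></soap:Body></soap:Envelope>"
    ).format(mid=message_id, **NS).encode()


def soap_with_nonce(nonce_b64: str) -> bytes:
    """Constructed SOAP envelope with a WS-Security UsernameToken nonce."""
    return (
        '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}">'
        "<soap:Header><wsse:Security><wsse:UsernameToken>"
        "<wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        "<soap:Body><checkBalance/></soap:Body></soap:Envelope>"
    ).format(nonce=nonce_b64, **NS).encode()
```

The caller passes the current time explicitly, which keeps the filter deterministic to test and makes the window behaviour visible: the same MessageID is accepted once, rejected ten seconds later, and accepted again after the window has elapsed. In a real deployment the seen-value table has to be shared across every appliance that fronts the same service, otherwise a replay aimed at a second appliance is not detected.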
Content-based routing
- Example: route requests to different servers based on <state>
Figure: Client -> AddressRouter XML firewall (DataPower configuration). A request with
<state>NC</state> goes to the EastAddressSearch XML firewall and on to the
EastAddressSearch Web service; a request with <state>CA</state> goes to the
WestAddressSearch XML firewall and on to the WestAddressSearch Web service.

Notes:
The content-based routing example shown in this slide routes the message to separate
Web services based on the value of the <state> field in the message. The AddressRouter
XML firewall uses an XPath expression to extract the state value. If the value is "NC" (North
Carolina), an eastern state in the United States, the message is forwarded to the
EastAddressSearch XML firewall, which sends the message to the EastAddressSearch
Web service. If the value is "CA" (California), a western state in the United States, the
message is forwarded to the WestAddressSearch XML firewall, which forwards the
message to the WestAddressSearch Web service.
Route action configuration
- Dynamically ... (slide text only partially captured)
Figure: Route (Using Stylesheet or XPath Expression); Selection Method: Use XPath to
Select Destination; Routing Map: (none).

Notes:
The XPath Routing Map allows you to specify static destinations based on the evaluation of
an XPath expression.
The XSL style sheet used in a Route action can use the DataPower extension function
<dp:set-target> to set the endpoint.
Figure: fragments of a routing style sheet (an ssl proxy profile attribute, target="http://example...",
httpHeader, soapAction).

Notes:
The following is an example usage of dp:soap-call in an XSL style sheet. Set up a variable
for the SOAPAction header; the result of the call is stored in a variable. Example:
<xsl:variable name="SOAPAction" select="dp:http-request-header('SOAPAction')"/>
The SOAPAction parameter needs single quotes (') because the function expects an
XPath expression.
The equivalent usage of the <dp:set-target>(...) can also be accomplished using
DataPower service variables. For example, to set the back-end URI in a style sheet, use
the following:
<dp:set-variable name="'var://service/routing-url'" value="'http://1.2.3.1:NNNN'"/>
<dp:set-variable name="'var://service/URI'" value="'/SomeBank/services/checking'"/>
(The port number in the first example, shown here as NNNN, is not legible in the scan.)
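The Python below is an added example, not course or DataPower code, that carries the content-based routing slides through in one place: an XPath routing map of the kind the Route action offers chooses the destination for the NC/CA example, and the result is expressed as the two service variables named in the notes (var://service/routing-url and var://service/URI), which is what the dp:set-variable calls above set from a style sheet. The destination hosts, URIs and sample messages are constructed. Two design points are worth noting: the XPath in the map selects the direct child `./state` rather than `.//state`, so a decoy `<state>` nested somewhere else in the message cannot steer the routing decision; and a message that matches no entry is rejected rather than sent to a default back end.

```python
"""Content-based routing model: an XPath routing map selects the back end, then the
service variables named on the page are set the way dp:set-variable would (added
example; not course or DataPower code; hosts and URIs are constructed)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed routing map mirroring the slide: NC -> East, CA -> West.
# Each entry: (XPath that must match, routing URL, back-end URI).
# "./state" selects the direct child only; ".//state" would also match a nested decoy.
ROUTING_MAP: List[Tuple[str, str, str]] = [
    ("./state[.='NC']", "http://eastaddresssearch.example:8080",
     "/EastAddressSearch/services/search"),
    ("./state[.='CA']", "http://westaddresssearch.example:8080",
     "/WestAddressSearch/services/search"),
]

ROUTING_URL = "var://service/routing-url"   # service variable named on the page
SERVICE_URI = "var://service/URI"           # service variable named on the page


def select_route(message: bytes, routing_map=ROUTING_MAP) -> Optional[Dict[str, str]]:
    """Returns the service variables to set, or None when no map entry matches.
    There is deliberately no default destination: an unroutable message is rejected,
    not quietly forwarded somewhere."""
    root = ET.fromstring(message)
    for xpath, routing_url, uri in routing_map:
        if root.find(xpath) is not None:
            return {ROUTING_URL: routing_url, SERVICE_URI: uri}
    return None


def route_request(message: bytes) -> Tuple[str, Dict[str, str]]:
    """('route', variables) when a destination was selected, else ('reject', {})."""
    try:
        variables = select_route(message)
    except ET.ParseError:
        return "reject", {}
    if variables is None:
        return "reject", {}
    return "route", variables


# Constructed sample messages
EAST_ORDER = b"<addressSearch><state>NC</state><zip>27601</zip></addressSearch>"
WEST_ORDER = b"<addressSearch><state>CA</state><zip>94105</zip></addressSearch>"
UNKNOWN = b"<addressSearch><state>TX</state></addressSearch>"
DECOY = (b"<addressSearch><note><state>NC</state></note>"
         b"<state>CA</state></addressSearch>")
```

`route_request(EAST_ORDER)` yields the East routing URL and URI, `WEST_ORDER` the West pair, `UNKNOWN` is rejected, and `DECOY`, whose real `<state>` is CA but which also carries an NC value inside `<note>`, still routes West.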
Results action
- Use the Results action in the middle of the rule to send results asynchronously
  - Select Asynchronous to send results to the destination and continue processing in
    the rule
Figure: Results action, Asynchronous on/off.

Notes:
The Results action is typically the last action in every rule, since it is used to return a
response at the end of the service policy. Make sure the input context contains the variable
with the document to return to the client.
The default Results action copies the input context to the output context.
Results action: asynchronous and multi-way results
Figure: Results action fields: Destination (http://...), Number of Retries (0), Retry Interval
(1000 msec), Output Type (full), Asynchronous (on/off), Multi-Way Results Mode (First
Available), Number of Retries.

Notes:
A regular Results action can be set to asynchronous mode, which can be used in
conjunction with an Event Sink action to wait for the remote server response.
Attempt All sends the results in the input context to all destinations and succeeds even if
all of the remote servers fail.
First Available attempts each destination in order and stops with success after
successfully sending the input to at least one remote server.
Require All sends the input context to all destinations and fails if any of the remote servers
fail.
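To make the three Multi-Way Results Modes and the retry count concrete, here is an added Python model (not course or DataPower code). Delivery to a remote server is represented by a callable returning success or failure, so the semantics of Attempt All, First Available and Require All can be exercised against servers that are up, down, or fail once and then recover; the Retry Interval is not simulated (no sleeping) because only the ordering and the success rule matter here. Destinations and the flaky-server stand-in are constructed.

```python
"""Multi-Way Results Mode model (Attempt All / First Available / Require All) with the
Number of Retries setting (added example; not course or DataPower code; 'send'
stands in for the HTTP delivery, and the Retry Interval wait is not simulated)."""
from typing import Callable, Dict, List, Tuple

Sender = Callable[[str, bytes], bool]   # (destination, payload) -> delivered?


def deliver(dest: str, payload: bytes, send: Sender, retries: int) -> bool:
    """One destination: the initial attempt plus up to `retries` further attempts."""
    for _ in range(retries + 1):
        if send(dest, payload):
            return True
    return False


def multi_way_results(mode: str, destinations: List[str], payload: bytes,
                      send: Sender, retries: int = 0) -> Tuple[bool, List[str]]:
    """Returns (does the Results action succeed?, destinations that received the payload)."""
    delivered: List[str] = []
    if mode == "first-available":
        for dest in destinations:                # in order, stop at the first success
            if deliver(dest, payload, send, retries):
                delivered.append(dest)
                return True, delivered
        return False, delivered
    for dest in destinations:                    # attempt-all / require-all contact everyone
        if deliver(dest, payload, send, retries):
            delivered.append(dest)
    if mode == "attempt-all":
        return True, delivered                   # succeeds even if every server failed
    if mode == "require-all":
        return len(delivered) == len(destinations), delivered
    raise ValueError(f"unknown Multi-Way Results Mode {mode}")


class FlakySender:
    """Constructed stand-in for remote servers: 'down' ones always fail, 'flaky' ones
    fail on the first attempt and succeed afterwards, all others succeed."""

    def __init__(self, down=(), flaky=()):
        self.down, self.flaky = set(down), set(flaky)
        self.calls: Dict[str, int] = {}

    def __call__(self, dest: str, payload: bytes) -> bool:
        self.calls[dest] = self.calls.get(dest, 0) + 1
        if dest in self.down:
            return False
        if dest in self.flaky:
            return self.calls[dest] > 1
        return True


EAST, WEST, AUDIT = ("http://east.example/results", "http://west.example/results",
                     "http://audit.example/results")
DESTS = [EAST, WEST, AUDIT]
```

With the audit server down, Require All fails while Attempt All succeeds with the same two deliveries; with the east server down, First Available succeeds via the west server and never contacts the audit server; and a server that fails once is reached by First Available only if Number of Retries is at least 1, otherwise the action moves on to the next destination.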
Figure: Configure XML Firewall (buttons Cancel, Export, View Log, View Status, Show
Probe, Validate Conformance, Help); status [up]; General Configuration: Firewall Name,
XML Manager: default, Firewall Policy, Summary, URL Rewrite Policy: (none), Firewall
Type: Static Backend.

Notes:
Click the Export button to download a .zip file of the XML firewall configuration. The .zip
file only contains configuration data and files of the selected XML firewall service.
Use Administration > Export Configuration to have more control over the objects
and files that are exported.
Cloning an XML firewall configuration
. Cloning creates a "near-copy" of an existing XML firewall
  - Referenced objects such as a service policy are referenced but are not copied
  - Used to make minor changes
[Slide: Configure XML Firewall page with the Clone button; tabs General, Advanced, Stylesheet, Params, Headers, Monitors, View Log, View Status; General Configuration fields Firewall Name, XML Manager (default), Firewall Policy, URL Rewrite, Static Backend (none)]
Notes:
Use the Clone button to initiate the cloning process.
Since the XML firewall is a top-level object (no other objects depend upon it), you can
delete a firewall at any time. Deleting the XML firewall does not delete any of the objects
used by the firewall (such as the policy, for example).
Make sure to change the port number of the cloned XML firewall.
. Select the "magnifying glass" icon to open the System log for entries on the selected XML firewall
[Slide: XML firewall list (Firewall Name, Op-State, Logs, Local Address 0.0.0.0, Port 2050, Remote Address) and the filtered system log, showing entries such as a mgmt notice with event code 0x00350016 for the xmlfirewall object ("state down", port 3500)]
Notes:
The system log opened by the XML firewall is a filtered version of the main system log,
which only shows events generated by your XML firewall.
Checkpoint
1.
2.
3.
Figure 5-32. Checkpoint
Notes:
1.
2.
3.
5-36 Accelerate, Secure and Integrate with DataPower
Unit summary
Having completed this unit, you should be able to:
Unit 6.
. Checkpoint
. Problem determination steps in Exercise 4: Create an advanced XML firewall
Unit objectives
After completing this unit, you should be able to:
. Capture information using system logs from messages
passing through the WebSphere DataPower SOA Appliance
. Configure a multistep probe to examine detailed information
about actions within rules
. List the problem determination tools available on the
WebSphere DataPower SOA Appliance
Figure 6-1. Unit objectives
Common problem determination tools
. Default system log
  - Displays system-wide log messages
  - Log messages can be filtered by object and priority
. Audit log
  - Displays changes to the configuration of the appliance and files stored on the appliance
. Probe
  - Displays actions, messages, variable values as processing rule executes
. Ping remote
System usage
. Displays load and work queues status
. Status > System > System Usage
[Slide: System Usage page showing Encrypted Space, Temporary Space, Internal Space, CPU usage over 10 sec, 1 min, 10 min and 1 hour intervals, load and work list]
Notes:
It is a recommended practice to check the appliance's file system memory for available space. The logging system can fill up the available file storage space, which can prevent the system from writing log entries. This situation will prevent the system from processing messages.
Temporary Space is used by the appliance for processing, logging, and debugging.
Internal Space is used for import, export, firmware upgrades, and debug data.
System Usage indicates the current load on the machine and the length of the work queue. If the machine suddenly slows down or becomes unresponsive, this may be one possible reason. If the system has a throttle in place, the high memory usage (load) may be causing the throttle to refuse connections.
Troubleshooting panel
. The Troubleshooting page contains the following tools
  - Ping Remote
  - Error Report
    . Includes the running configuration and relevant system log entries for errors
    . E-mails error report to an e-mail address
  - Probe
Notes:
The best tool to use first when a problem occurs often depends on how the appliance is
being used at the time.
During the development phase, the default system log is often the best place to start,
followed by use of the multistep probe.
During the testing phase, generating an error report (which contains the running
configuration of the appliance and the relevant log entries) is an excellent first step,
followed by use of the multistep probe.
During the production phase, first check the system usage for load and work lists, then
object status for objects that have transitioned to the down state, and finally the default
system log.
Troubleshooting: Ping Remote
[Slide: Ping Remote (Remote Host) to ping a remote destination; TCP Connection Test (Remote Host, Remote Port)]
Notes:
The first test you should perform when you cannot access the back-end application server
is to ping the remote server from the DataPower appliance to make sure it is up and
accessible.
Troubleshooting: Packet capture
. Captures full network-level exchange between the appliance and other endpoints
. Captured in pcap format
. Tools such as Ethereal can be used to view the traffic in detail
[Slide: Packet Capture section: Ethernet interface, Timed capture (seconds), Maximum Size (KB), directory, Start Packet Capture, Stop Packet Capture, download]
Notes:
In the Troubleshooting Web page, scroll down to the packet capture section. Click the Packet Capture icon to begin the capture. A dialog box confirms the action. When the capture is complete, a Download Packet Capture icon appears on the Troubleshooting page.
You can control the network interface to monitor, the duration of monitoring, and the number of KB that can be captured.
Troubleshooting: Error report
[Slide: Send Error Report (SMTP Server, Send)]
Notes:
Click the Generate Error Report button. A dialog window asks for confirmation and indicates the location of the resulting file.
If an error report is available, an icon appears that allows immediate access to the file.
Troubleshooting: Send a test message
. Control Panel > ADMINISTRATION > Debug > Send a Test Message
. Builds a SOAP request with a customized header, content, and body that is used for testing
[Slide: Request (URL, Request Headers, Request Body) and Response (Response code, Response Headers, Response Body); callouts: 1. A URL can be generated using the different helpers; 4. The response is displayed here]
Notes:
Using the Send a test message tool versus cURL
The test message tool is a quick and useful tool for creating SOAP requests and it can be
used in place of open source tools like cURL. However, when using the test message tool,
you cannot simply upload a file to the DataPower box to send; you need to copy and paste
text. You also cannot persist the test message after it has been created, which is an
advantage of using tools like cURL that can just send files directly from the file system.
Log levels
. emergency
. alert
. critical
. error
. warning
. notice
. info
. debug
[Slide: Troubleshooting page, log level setting]
Notes:
The highest priority is emergency and the lowest priority is debug.
The target will only capture messages at or above the configured level. For example, the error level captures messages at the error, critical, alert, and emergency levels. To capture all messages, set the log level to debug.
Setting the level to either info or debug causes a blue Troubleshooting Enabled notice to appear on all WebGUI pages.
Filtering the system log
. In the default domain, the system log shows all log entries
  - In non-default domains, log entries are only shown for the objects in that domain
. Filter the system log by:
  - Log Target
  - Domain (shown only in the default domain)
  - DataPower objects (xmlfirewall, ws-proxy, and more)
  - Log level type (debug, info, and more)
[Slide: System Log with Filter fields Log Target, Domain, Object and Log level; entries such as a mgmt notice with event code 0x8100003f reporting a domain configuration change]
Notes:
The system log is defined as a log target. A log target receives log entries from objects to
post. Each domain always has a log target called default-log to represent the default
system log. Additional log targets can be defined and customized with the log entries from
objects to post.
The most recent log entries are shown at the top of the system log.
The logs can be sorted by the categories listed at the top.
Troubleshooting: Generate log event
[Slide: Generate Log Event (Log Type, Log Level notice, Log Message, Event Code)]
Notes:
The system log captures log messages from all objects. Log targets can be configured to capture messages from specific objects. To test these types of log targets, the Generate Log Event tool is an excellent test tool.
Troubleshooting: XML File Capture
. Captures XML messages from any service
  - XML messages that services cannot parse can also be captured
. File capture can fill the available storage space
  - Files are cycled FIFO
  - Maximum of 5000 files or 200 MB can be captured
  - Stored in compressed format
  - Supported by using RAM-Disk
. XML File Capture should only be enabled in test environments
  - Significant performance penalties are incurred when mode is set to always or errors
. Default domain only
[Slide: XML File Capture (Mode: None)]
Notes:
To support file capture, the DataPower system creates a RAM-disk to store a WebGUI accessible virtual file system. A RAM-disk is a segment of RAM memory used for secondary storage.
The XML file capture tool is only available in the default domain.
Multistep probe
[Figure 6-4: timeline of four messages sent to the probe, with Probe enabled and Probe disabled markers on the Time axis]
Notes:
In the diagram on the slide, four messages are sent to the probe. Only message 2 and message 3 are captured. The probe functions like a recorder. When the probe is enabled, it starts recording messages that enter the appliance. Once the probe is disabled, recording is stopped; no more messages are captured by the probe.
Enabling the probe
[Slide: service configuration page with tabs General, Advanced, Stylesheet, Params, Headers, Monitors and the Show Probe button; XSL Proxy Service, Debug, Add, Test, Cancel, Delete]
Notes:
Probes are enabled for the following services:
Multistep probe window
[Slide: multistep probe window with Enable Probe, Disable Probe, Refresh, Flush, Export Capture, View Log and Send Message controls; captured transactions listed with their outbound-url]
Notes:
The multistep probe window opens with the probe disabled when you enable the probe
from the service configuration page.
Rules that generate an error while executing are displayed in red text inside the multistep
probe window.
The Flush button clears the requests inside the multistep probe window.
Restarting the appliance disables all probes.
Multistep probe content
[Slide: 'INPUT' of Step 1 with Previous and Next buttons; tabs Content, Attachments, Headers, Local Variables, Global Variables, Service Variables; the Content tab shows the SOAP envelope held in context 'INPUT']
Notes:
The magnifying glass to the left of the action represents the input message. The magnifying glass to the right of the action is the result of executing that action.
Click the Next and Previous buttons to view the message step-by-step as it is executed by the processing rule.
The local, context, global, and service variables are DataPower variables generated by the appliance.
cURL
  curl -v --trace-ascii - -d @AddressReq.xml http://dpeduLz2064
Notes:
The -v verbose flag produces a lot of information output. It allows the user to see all of the client/server interaction.
Communicating with DataPower support
. Contact
Notes:
For a comprehensive list of all the information required to communicate with support, see http://www.ibm.com/support/docview.wss?rs=2362&uid=swg21236322
For detailed information on how to perform the steps to generate the files required by support, see http://www.ibm.com/support/docview.wss?uid=swg21235587
Topic summary
Having completed this topic, you should be able to:
. Identify a troubleshooting strategy to use when debugging
problems on the DataPower appliance
. Use the multistep probe to debug service policies
Log targets
After completing this topic, you should be able to:
. Create log targets to capture messages generated by objects
on the appliance
. Use the Log action in a service policy to log the entire
message
Logging basics
. Logging system is based on the publish/subscribe model
  - Objects publish events
  - Subscribers subscribe to events of interest
. The DataPower logging system uses log targets as subscribers
Notes:
Log files can be encrypted or signed for additional security.
Objects that generate log messages have different priorities. These messages range from
extremely verbose debugging to the more infrequent critical or emergency level message.
Default system log level
[Slide: default-log target: Log Level, Enable Internal Logging (on/off), Enable RBM Debug (on/off)]
Notes:
The default system log is set up as a log target that subscribes to all events generated by
the appliance.
Log targets only capture messages at or above the configured level.
This input sets the level at which the default system log captures messages.
Enable Internal Logging and Enable RBM Debug are available in the default domain only.
Log targets
[Figure: objects (XML firewall, WS-Proxy, AAA) publish Event1, Event2 and Event3; an HR log target and a Finance log target subscribe to the events]
Notes:
The diagram in the slide shows two log targets, an HR and a Finance log target. These log targets subscribe to certain types of events that are generated or published by objects on the DataPower appliance.
Use the Generate Log Event tool in the Troubleshooting panel to test if log messages are captured by log targets.
Log target configuration
. Configuring log target tabs
  - Main
    . Target type
  - Event Filters
    . Can restrict messages by event code
  - Object Filters
    . Can restrict messages that appear in a target by object
  - Event Subscriptions
    . Subscribed to event categories or object class
    . Predefined event categories are: auth, mgmt, xslt, and more
    . Categories have a priority level
    . Log target needs to subscribe to at least one event category
[Slide: Configure Log Target, Main tab: Name, Admin State (enabled/disabled), Comments, Target Type (File), Log Format (XML), Timestamp Format (syslog), Size, File Name, Rotate, Archive Mode, Number of Rotations, Signing Mode (on/off), Encryption Mode, Feedback Detection (on/off), Backup Log (none)]
Notes:
IBM Training
Stu
bF''
Gache
Gonsole
File
File
_ NFS
_ SNMP
SOAP
syslog
syslog-ng
wB55s / V8s552.0
lVofes.'
The log entries stored on a local or NFS file can be rotated, e-mailed, or uploaded to other locations. The entire file can also be encrypted and signed.
SNMP is a network protocol that allows for the exchange of management information between network devices. This protocol is included in the TCP/IP protocol suite.
Syslog is the format and protocol used to send messages over TCP or UDP to a Syslog daemon (syslogd). It allows for log messages to be collected from many applications.
Event filters
. In the Configure Log Target Web page, select the Event Filters tab
. Event filters create filters for a log target based on event codes
[Slide: Event Filters tab listing event codes with their Category (for example crypto) and Severity (for example critical), and an Event Subscription Filter with a Select Code control]
Notes:
You can subscribe the current log target to particular event code categories. Some example event codes include out of memory, failed to install on local port, and more.
Object filters
. In the Configure Log Target Web page, select the Object Filters tab
. Object filters allow only those messages generated by selected objects to be written to a log target
. It is possible to create a log target that only collects log messages for a particular class of objects
  - Example: AAA policy object called MyTest
[Slide: Object Filters tab of the log target: Object Type AAA Policy, Object Name MyTest, Add, Referenced Objects (on/off), Save, Cancel]
Notes:
The object filter is more specific than the object class name. This filter collects log messages of a particular instance of a class.
For example, a log target would collect messages from an XML firewall named MyFirewall
and not all XML firewall instances.
Event subscriptions
. In the Configure Log Target Web page, select the Event Subscriptions tab
. Log targets subscribe to particular event categories
[Slide: Event Subscriptions tab: Event Category, Minimum Event Priority (debug), Save, Cancel, Help]
Figure 6-29. Event subscriptions
Notes:
Event category is the same term used to describe an object's class name.
At least one event category must be defined for a log target to capture messages.
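To see how the three filter tabs of a log target (event subscriptions with a minimum priority, object filters, event-code filters) and the "at or above the configured level" rule from the log levels notes earlier in this unit combine, here is an added Python model of a log target run over a few constructed log lines. It is not DataPower code; the line format, the object names and all event codes except 0x00350016 and 0x8100003f are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Priority order as the notebook gives it: emergency is the highest, debug the lowest.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class LogEvent:
    category: str     # event category, the same term as the publishing object's class name
    object_name: str  # instance name of the publishing object
    level: str
    code: str         # event code, e.g. 0x00350016
    message: str


@dataclass
class LogTarget:
    """Subscriber with the three filter tabs of a log target."""
    name: str
    # Event Subscriptions: category -> minimum priority; "*" stands for every category
    subscriptions: Dict[str, str]
    # Object Filters: (category, object name) pairs; empty set means no object filter
    object_filters: Set[Tuple[str, str]] = field(default_factory=set)
    # Event Filters: accepted event codes; empty set means every code
    event_codes: Set[str] = field(default_factory=set)
    captured: List[LogEvent] = field(default_factory=list)

    def __post_init__(self) -> None:
        # A log target must subscribe to at least one event category.
        if not self.subscriptions:
            raise ValueError(f"log target {self.name}: at least one event subscription is required")
        for level in self.subscriptions.values():
            if level not in RANK:
                raise ValueError(f"unknown log level {level!r}")

    def accepts(self, ev: LogEvent) -> bool:
        minimum = self.subscriptions.get(ev.category, self.subscriptions.get("*"))
        if minimum is None:
            return False                       # category not subscribed
        if RANK[ev.level] > RANK[minimum]:
            return False                       # below the configured level (error keeps error..emergency)
        if self.object_filters and (ev.category, ev.object_name) not in self.object_filters:
            return False                       # object filter: only the named instance
        if self.event_codes and ev.code not in self.event_codes:
            return False                       # event filter: only the listed codes
        return True

    def publish(self, ev: LogEvent) -> bool:
        hit = self.accepts(ev)
        if hit:
            self.captured.append(ev)
        return hit


# Constructed (assumed) line format: "<time> <category> [<object>] <level> <code> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<cat>[\w-]+) \[(?P<obj>[^\]]*)\] (?P<level>\w+) (?P<code>0x[0-9a-fA-F]+) (?P<msg>.*)$"
)


def parse_line(line: str) -> LogEvent:
    m = LINE_RE.match(line)
    if m is None or m["level"] not in RANK:
        raise ValueError(f"unparseable log line: {line!r}")
    return LogEvent(m["cat"], m["obj"], m["level"], m["code"], m["msg"])


# Constructed sample entries; only 0x00350016 and 0x8100003f are codes seen in the notebook's screenshots.
SAMPLE_LOG = """\
16:19:45 xmlfirewall [MyFirewall] notice 0x00350016 state down: port 3500 already in use
16:19:46 xmlfirewall [OtherFirewall] error 0x00350015 failed to install on local port
16:19:47 mgmt [default] notice 0x8100003f domain configuration has been modified
16:19:48 xslt [MyFirewall] debug 0x80c00001 stylesheet compiled
16:19:49 auth [MyTest] error 0x01d30002 AAA authentication failed
16:19:50 xmlfirewall [MyFirewall] critical 0x00350017 out of memory
"""


def run_targets(log_text: str, targets: List[LogTarget]) -> Dict[str, List[str]]:
    """Publishes every parsed event to every target; returns the captured event codes per target."""
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            for t in targets:
                t.publish(ev)
    return {t.name: [e.code for e in t.captured] for t in targets}


def demo() -> Dict[str, List[str]]:
    targets = [
        # default-log subscribes to everything; level raised to error, so error and above are kept
        LogTarget("default-log", {"*": "error"}),
        # object filter: only the xmlfirewall instance MyFirewall, error and above
        LogTarget("MyFirewall-errors", {"xmlfirewall": "error"},
                  object_filters={("xmlfirewall", "MyFirewall")}),
        # event filter: only the "state down" code, at any level
        LogTarget("state-down", {"xmlfirewall": "debug"}, event_codes={"0x00350016"}),
    ]
    return run_targets(SAMPLE_LOG, targets)


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name}: {codes}")
```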
Log action
. Sends the contents of a context to a destination URL
. Log Level: log priority
. Log Type: event category
[Slide: Log action: Input (auto), Destination http://example.com/logging, Log Level notice, Log Type, Asynchronous (on/off), Output]
Notes:
The response to the action, if any, is stored in the output context, if one is specified.
If no output context is specified, the Log action sends the contents and does not wait for a response.
An output context should be specified on the Log action if the policy administrator wishes the failure of the Log action in a policy rule to cause an error condition in the processing of the rule.
Physical log files can be stored on the appliance using logtemp:///<filename>. You can use the file management utilities to copy or view this file.
Topic summary
Having completed this topic, you should be able to:
. ... set of log messages
Checkpoint
Notes:
Write your answers here
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
. Capture information
. Configure
Unit 7. ... error handling
. Checkpoint
. Exercise 5: Adding error handling to a service policy
Unit objectives
After completing this unit, you should be able to:
. Configure an On Error action in a service policy
. Configure an Error rule in a service policy
. Describe how On Error actions and Error rules are selected
during error handling
Two methods for error handling
. On Error action
. Error rule
  - Automatically executes
[Slide text partly unrecoverable: "continue processing", "current execution", "error handling constructs"]
Notes:
These error handling constructs are used to handle errors that occur during execution of a
service policy.
Configure On Error action
- Optional: Execute a processing rule
[Slide: On Error action: Error Mode (Continue), Processing Rule, Error Input (none), Error Output (none), Asynchronous, Done, Cancel]
Notes:
To configure an On Error action, execute the following steps:
The Error Input and Error Output context in an On Error action provide the context for the actions within the error rule (if selected).
Use the context OUTPUT in the Error Output field to return the error message to the client.
Error rule
[Slide: Configure Policy page: Rule Name, rule direction (Client to Server, Server to Client, Error), Create Rule, Delete Rule]
. Automatically executes when configured in a service policy
. Can be used to log or send a custom error message to the client
  . Use the Log action to log entire message
  . Use the Transform action to build custom error message
Notes:
The rule direction (request or response) does not apply to an error rule; it can execute on either the request or the response rule.
Configure Transform action in error rule
[Slide: Transform action: Input INPUT, Document Processing Instructions, Processing Control File local:///..., URL Rewrite Policy (none), Asynchronous (on/off), Output OUTPUT]
Notes:
Generating log messages with <xsl:message>
. The following <xsl:message> writes a user-defined log entry:
  <xsl:message dp:type="ws-proxy" dp:priority="error">
    <xsl:value-of select="$errtest"/>
  </xsl:message>
. Example service variable: var://service/transaction-id
Notes:
The example log message generated in the slide will have a log priority of error with class name ws-proxy. The log message generated is the contents of the variable errtest.
The variable listed in the slide can also be viewed when executing the multistep probe and selecting the Service Variables tab.
The dp:type attribute in the <xsl:message> tag can be caught by a log target, enabling user-defined debug messages to be captured in logs.
Example custom error style sheet
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:dp="http://www.datapower.com/extensions"
  extension-element-prefixes="dp" exclude-result-prefixes="dp">
  <xsl:variable
  </env:Body>
  </env:Envelope>
  </xsl:template>
</xsl:stylesheet>
Notes:
This example style sheet includes some common DataPower extension functions that can be used when building a custom error message.
The service variables shown are also visible in the multistep probe.
This style sheet is only a template of an actual error style sheet. A custom error style sheet can customize the amount of detail to include in an error message.
- The current processing rule is aborted and the execution of the error rule starts
Checkpoint
1.
Notes:
Write your answers here
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
. Configure an On Error action in a service policy
Unit 8.
. Checkpoint
. Exercise 6: Creating cryptographic objects
Unit objectives
After completing this unit, you should be able to:
. Generate cryptographic keys using the WebSphere
DataPower tools
. Create a crypto identification credential object containing a
matching public and private key
Figure 8-1. Unit objectives
Security problems
Security problem: Message confidentiality
[Slide text partly unrecoverable: "... data"]
  - Keys are pieces of data that are used to alter how the algorithm behaves
  - Knowing the algorithm does not help an attacker
    . Most algorithms are published publicly
    . Keys are usually protected and hidden
Figure: Message confidentiality
Notes:
PKI (public key infrastructure) uses the processes of encryption to hide a text message and
decryption to recreate the message.
Symmetric key encryption
[Figure: the plain text "A sample of plain text to be converted to ciphertext" is encrypted to ciphertext and decrypted back to plain text with the same symmetric key]
Figure: Symmetric key encryption
Notes:
The disadvantage of symmetric keys is that the same key is needed for encryption and
decryption, and both parties must have the same keys.
Typical symmetric algorithms are:
. DES (DEA)
. Triple DES (TDEA)
. AES
. RC2
. RC4
. IDEA
Asymmetric key encryption
. Two keys
  - Public key: Published key known to everyone
  - Private key: Secret key known only by the recipient
[Figure: the plain text "A sample of plain text to be converted to ciphertext" is encrypted with the public key to ciphertext and decrypted with the private key back to plain text]
Notes:
With asymmetric key encryption, the encryption and decryption keys are different.
Modern day public-key crypto systems are designed so that it is computationally infeasible to derive the private key from the public key.
Mathematically, either the private key or the public key can be used to encrypt, and the other key is used to decrypt. If you are using PKI, then by definition the public key is used to encrypt.
Typical asymmetric algorithms include:
. DH (Diffie-Hellman)
Security problem 2: Message integrity
o How do you know if anyone has looked at the message and changed it?
o Purposefully creating two separate messages that create the same hash code is extremely difficult.
[Figure: a message passed through a cryptographic hash produces a message digest, a shorter, fixed-length string of characters]
Figure: Message integrity
Notes:
Any change to the input of a cryptographic hash, even a small one, will result in a change to the hash number.
Common hash functions are:
. MD5
. SHA1
Nonrepudiation
. Digital signatures
[Slide text partly unrecoverable: "the message", "hash functions"]
Figure: Nonrepudiation
Notes:
Digital signature
[Figure: Joe (client) with his private key: the message digest is encrypted using Joe's private key to create the signature. Kate (server) with Joe's public key: if both message digests are equal, then the message has not been tampered with, and only Joe could have signed it.]
Notes:
4. The message is then sent, along with the signature. The signed message is usually encrypted at this point.
5. Kate receives the message and two processes are run against the signed message (after decryption, if necessary).
7. The received message is also hashed again using the cryptographic hash algorithm; this also produces another message digest (hash number).
8. If these two hash numbers are equal, then the message has not been tampered with.
Security problems: Solved
. Message confidentiality
  - ... seeing my message? Solved
. Message integrity
  - Cryptographic hash
. Nonrepudiation
  - Digital signatures
Figure: Solved
Notes
Digital certificates
. The problem with public-private key pairs is that they do not identify anyone
  - Given a message encrypted (or signed) using a private key, you can determine which public key goes with it, but so what?
  - A digital certificate does not contain the private key although the
Figure: Digital certificates
Notes:
A digital certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.
A certificate may be internally created and distributed, and the company would be its own CA (self-signed).
Distribution problem
. First step is to create public-private key pairs securely
. Second step is to create a digital certificate to send to the party with whom you want to communicate
. Problem:
  - You also need a signed certificate with a public key from everyone with whom you want to communicate
. Solution: [slide text partly unrecoverable: "issue"]
Figure 8-11. Distribution problem
Notes:
You need to download all the common CA digital certificates to verify a certificate that is signed by a CA.
Imagine that every business entity had to create, digitally sign, and send out a certificate to each person who wants to use its service. This would cause a distribution nightmare.
Crypto tools
[Slide: Crypto Tools page with Upload and Generate Key actions]
Figure 8-12
Notes:
A self-signed certificate implies that there is no third party certificate authority validating the
certificate.
All key files are placed in an encrypted storage area on the appliance; the appliance can
read them, but the values cannot be displayed to users.
The appliance supports the uploading of files from a Java Key Store (JKS) to the appliance
flash.
Generating crypto (asymmetric) keys on board (1 of 2)
. From WebGUI vertical navigation bar, expand ADMINISTRATION and select Miscellaneous > Crypto Tools
Crypto Tools > Generate Key form (RDNs entered in LDAP (reverse) order): Country Name (C) CA, ON, Locality (L) Toronto, Organization (O) IBM, Common Name (CN) Alice; Key Length, File Name, Validity Period 365
Notes:
The fields from Country Name down to Common Name are part of the distinguished name.
The file name for the key file generated is of the form cert:///name-privkey.pem. If the field is left blank, the system creates this file automatically.
. The entered object name is used to represent the key and certificate object
. Click Generate Key to generate the key and certificate
Generate Key form (continued): Password, Password Alias, on/off options, Object Name AliceKeyObj
Notes:
The password for the key file is generated.
Select on for Generate Self-Signed Certificate to generate a self-signed certificate for the key.
If Export Self-Signed Certificate or Export Private Key is off, then the generated key or certificate is placed in the cert directory, where it cannot be edited.
Download keys from temporary storage
File Management listing of the temporary: directory: studentkeyobj-sscert, studentkeyobj.csr
Notes:
The appliance has on-board memory where it stores files. These files are organized in
directories. Each directory has its own associated permissions and visibility.
Crypto Key object page: Main tab, Admin State enabled/disabled, Private key file (File Name cert:/// Alice-sscert, Fetch), Password, Confirm Password, Password Alias, Ignore Expiration Dates
Notes:
The page shown in this slide can be accessed from the vertical navigation bar, by selecting Objects > Crypto > Crypto Key.
Selecting Password Alias to be on means that the password entered for the key is a password alias.
Crypto shared secret (symmetric) key
. Generate a secret key object using key file:
- From vertical navigation bar, select Objects > Crypto > Crypto Shared Secret Key.
- The Crypto Shared Secret Key page allows you to create a secret key object for the symmetric key
. Provides additional level of security by providing indirection reference to file
Crypto Shared Secret Key page: Main tab, Name, Admin State enabled/disabled, File Name cert:
Notes:
A secret key is generated using symmetric key encryption.
Crypto certificate
. Create certificate object from key file
- From vertical navigation bar, select Objects > Crypto > Crypto Certificate
- Provides additional level of security by providing indirection reference to file
Crypto Certificate page: Name, Admin State enabled/disabled, File Name cert: (public key or cert file), Password, Confirm Password, Password Alias
Notes:
An object created on this page is used to create a crypto identification credential discussed on the next slide.
Selecting Password Alias to be on means that the password entered for the key is a password alias.
Ignore Expiration Dates controls whether the appliance enforces the certificate's validity date.
Certificates can also be uploaded using this page if they do not already exist on the DataPower appliance.
Certificates exist in a trust chain
The chain may be several levels deep. PKIX chain checking drills to the root trust authority. The root certificate is self-signed.
Notes:
Cryptographic certificates exist in a trust chain, that is, certificates are issued by a root trusted certificate authority. This trusted root may then grant the authority to issue certificates to an intermediate authority, which then issues the certificate used in the field.
PKIX Chain Checking drills to the trusted root authority to establish a complete trust chain. If the complete chain is not trusted, then the presented certificate is not trusted.
Intermediate CA certificates may be necessary if the root trusted certificate is not trusted. Additional intermediate certificates may be required if that particular intermediate certificate is not trusted.
Crypto identification credential
. Create a crypto identification credential
- Consists of crypto key object and crypto certificate object
- Contains public (certificate) and private key pair that is used for SSL authentication
- From vertical navigation bar, select Objects > Crypto > Crypto Identification Credentials
Crypto Identification Credentials page: Main tab, Admin State enabled/disabled, Crypto key, Crypto certificate AliceCert, Intermediate CA Certificate
Notes:
Enter a name for the crypto identification credential.
In the Crypto Key field, select the Crypto Key object from the drop-down list. You can use the + and ... buttons to create or edit a crypto key object.
In the Certificate field, select a certificate object from the drop-down list. You can use the + and ... buttons to create or edit a certificate object.
If they are available, specify the Intermediate CA Certificates by clicking the Add button. This establishes a trust chain consisting of one or more certificate authority (CA) certificates.
You can also create a crypto identification credential by selecting Keys and Certification Management > Identification Credentials from the Control Panel.
Crypto validation credential
o Used to validate the authenticity
Crypto Validation Credentials page (Admin State enabled/disabled, Certificates, Use CRL on/off, Require CRL on/off, Certificate validation mode), with callouts: Crypto certificates created from pubcert directory or manually added; Crypto certificate; Crypto key; Crypto identification credential
Notes:
Creating a validation credential based on the certificates stored in the pubcert directory creates a crypto certificate object for each certificate inside the pubcert directory. The Create ValCred from pubcert: button on the Configure Crypto Validation Credentials page does just that. An SSL client validates a presented certificate by verifying the issuing CA certificate against its list of common public CA certificates that it contains locally. If the certificate is self-signed, the client must have access to the self-signed certificate, otherwise it cannot verify the server's identity.
You can create a crypto validation credential based on well-known CA certificates already
stored on the appliance or ones that you have added or imported. The button is available
when clicking the Crypto Validation Credentials page.
The certification validation mode specifies how to validate the presented certificate.
1.
2. Full certificate chain checking (PKIX): The certificate presented and any intermediate certificate chained back to the root certificate must be trusted. This applies to all uses of the validation credential.
The Use CRLs field is used to check if certificates in the trust chain should be monitored
for expiration.
Crypto profile
Crypto Profile page: Main tab, Admin State enabled/disabled, Identification Credentials (none), Validation Credentials, Ciphers DEFAULT, Options, Send Client CA List on/off; callouts: Crypto identification credential, Crypto validation credential, Crypto key, Crypto certificate
Notes:
The Ciphers property refers to the cipher suites supported by this profile, and indicates
encryption strength, hashing algorithm, and key-encryption algorithms.
The Options property allows you to specify support for SSL and TLS protocols.
The Send Client CA List property allows you to specify whether the SSL server should send the client CA list during a request for the client certificate.
Crypto Tools > Export Crypto Object: Object Type certificate, Object Name, Output File Name
Notes:
This page is accessed from the vertical navigation bar by selecting ADMINISTRATION >
Miscellaneous > Crypto Tools.
Certificates are exported to the temporary directory. They can be downloaded by using
File Management.
entered.
Uploading keys
. From the vertical navigation bar, select OBJECTS > Crypto > Crypto Key.
. On Crypto Key page, click Upload button to upload key file from:
- Key store file
- Java Key Store
Crypto Key page with File Management > Upload File dialog: Upload to Directory cert:, File to upload, Save; Admin State enabled/disabled, File Name cert:, Password, Confirm Password, Password Alias on/off
Notes:
Selecting the Java Key Store radio button opens a new window with a Java applet. You must have a JRE 1.4.2 or higher installed in Internet Explorer to view the applet.
keytool command.
A key store is a database of private keys and an X.509 certificate chain, where the first certificate in the chain contains the public key
Users can create their own public-private key and self-signed certificate
The keytool
Generates a self-signed certificate containing the public key and entity name with values given by the -dname flag
Notes:
The default key store is implemented as a file. Private keys are protected with passwords.
The X.509 standard describes how the information is contained within a certificate and the format of that information.
The default keystore implementation is a Java Key Store (JKS). You can specify other formats by using the -storetype flag.
Certificates can expire or get revoked
Certificates are valid only for a certain period of time and can expire.
Crypto Certificate page (Main tab, CRL Policy, revoked)
Notes:
Warnings posted by the certificate monitor are posted to the system log and should be checked.
Expired certificates are not trusted.
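The following Go program is an added example, not part of the course material: it builds the kind of chain described on the trust-chain slide (self-signed root, intermediate CA, end-entity certificate) with Go's standard crypto/x509 package and runs PKIX chain checking with and without the intermediate CA certificate, against an expired end-entity certificate, and against an unrelated root. All subject names, serial numbers and validity periods are constructed for the demonstration.

```go
package main

// Added example, not part of the IBM course material: builds the kind of chain
// the slides describe (self-signed root CA -> intermediate CA -> end-entity
// "Alice") with Go's crypto/x509 and runs PKIX chain checking on it the way a
// validation credential does, from trusted roots plus intermediate CA
// certificates. Names, serials and validity periods are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; a real CA uses large random serials

// issue signs a certificate for subject with parentKey; with parent == nil the
// certificate is self-signed, which is how a root CA certificate is made.
func issue(subject string, isCA bool, notAfter time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"CA"}, Organization: []string{"IBM"}, CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify runs PKIX chain checking: the leaf must chain, through the supplied
// intermediates, to a trusted root, every certificate inside its validity period.
func verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Outcome maps the verifier's error to the trust decision the notes describe.
func Outcome(err error) string {
	switch e := err.(type) {
	case nil:
		return "trusted"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.UnknownAuthorityError:
		return "untrusted chain"
	}
	return "rejected: " + err.Error()
}

// RunChainChecks builds root -> intermediate -> Alice and evaluates four cases.
func RunChainChecks() map[string]string {
	oneYear := time.Now().Add(365 * 24 * time.Hour)
	root, rootKey := issue("Example Root CA", true, oneYear, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, oneYear, root, rootKey)
	alice, _ := issue("Alice", false, oneYear, inter, interKey)
	expired, _ := issue("Alice", false, time.Now().Add(-time.Minute), inter, interKey)
	other, _ := issue("Unrelated Root CA", true, oneYear, nil, nil)
	chain, trusted := []*x509.Certificate{inter}, []*x509.Certificate{root}
	return map[string]string{
		"full chain (root + intermediate)": Outcome(verify(alice, chain, trusted)),
		"root only, intermediate missing":  Outcome(verify(alice, nil, trusted)),
		"expired end-entity certificate":   Outcome(verify(expired, chain, trusted)),
		"different root in the valcred":    Outcome(verify(alice, chain, []*x509.Certificate{other})),
	}
}
```

The "root only" case is the situation the notes describe: without the intermediate CA certificate in the validation credential, the presented certificate cannot be chained to the trusted root and is rejected, and an expired certificate is rejected even when the chain is complete.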
. Need to periodically check the validity of certificates
- Set up a CRL list from vertical navigation bar by selecting Objects > Crypto > CRL Retrieval
CRL Retrieval page: Policy Name, Protocol http, Refresh Interval 240 minutes, Fetch URL, Cryptographic Profile, CRL Issuer
Notes:
The protocol is either http or ldap. Appropriate fields will display to support the protocol.
The Cryptographic Profile identifies the crypto profile to use to connect to the CRL issuer using SSL.
Crypto certification monitor
. Configure
Crypto Certificate Monitor page: Admin State enabled/disabled, polling interval 30
Notes:
The polling interval specifies the frequency at which certificate expiration dates are checked.
Reminder time refers to the number of days before the certificate expiration event is written to the log file.
Generate Key form, HSM options: on/off selections, Object Name, Generate Key on HSM on/off
Notes:
HSM is a piece of hardware with associated software and firmware that can perform a
number of security functions. At the time you order DataPower, you can add an HSM to
your appliance.
FIPS 140-2 level security is a standard for validating HSMs. For some specialized circumstances, FIPS 140-2 Level 3 security is needed. The appliance supports this through HSM hardware.
To export private keys on HSM hardware, the Private Key Exportable via hsmkwk must
be selected from the Crypto Tools page. The HSM options appear only if you have an HSM
installed.
Checkpoint
1. What is the difference between
key encryption?
2.
3.
4.
Notes:
1.
2.
3.
4.
Unit summary
Having completed this unit, you should be able to:
. Generate
.
Checkpoint
Exercise 7: Configuring SSL on DataPower services
Unit objectives
After completing this unit, you should be able to:
. Configure the WebSphere DataPower SOA Appliance to communicate using SSL
. Associate an SSL proxy profile with keys and certificates
- Message integrity -
and changing it
- Non-repudiation -
communication
. These processes
SSL features
. SSL provides:
- Message confidentiality
. Uses asymmetric and symmetric key encryption
. Uses a handshake when initiating contact
- Message integrity
. Uses the combination of shared secret key and cryptographic hash function
- Mutual authentication
SSL terminology
. CipherSpec is a combination of:
- A cryptographic hash function
code (MAC)
- CipherSpec + authentication-key
SSL handshake
. The handshake
. The handshake
SSL handshake diagram: Joe (client) sends "Hello Kate" to Kate (server)
Kate's signature
SSL handshake diagram: Joe (client) sends "Hello Kate"; Kate (server) replies "Hello Joe" and sends her server certificate
Certificate expiration
Verification of certificate's signature against a signed certificate in a key store
Check the certificate revocation list to see if the certificate should no longer be trusted
SSL handshake diagram: after "Hello Kate", "Hello Joe" and the server certificate, Joe (client) verifies the certificate against Kate's public key: "It is Kate"
SSL handshake: client key exchange
. The client builds and sends the server a secret message that
SSL handshake diagram: Joe encrypts the secret message with Kate's public key and sends it ("It is Kate")
SSL handshake diagram: Kate decrypts the secret message with her private key; both sides send Change cipher and Finish and derive the secret key
SSL handshake secured
- Cipher suite
- Have set up a CipherSpec
- Exchanged secret keys
- From appliance to external resource such as authentication server
Diagram: the client sends an SSL-encrypted request to the appliance and receives an SSL-encrypted reply; the appliance forwards SSL-encrypted requests to the endpoint application servers and to external resources and receives SSL-encrypted replies
SSL Proxy profile: crypto objects relationship
Crypto profile -> Crypto identification credential -> Crypto key, Crypto certificate
Crypto profile -> Crypto validation credential -> Crypto certificates created from pubcert directory or manually added
To set up SSL between client and appliance, you need to perform the following:
Diagram: the client sends an SSL-encrypted request to the appliance and receives an SSL-encrypted reply
Step 1: Appliance supplies cryptographic certificate
Crypto profile -> Crypto identification credential -> Crypto key, Crypto certificate; Crypto profile -> Crypto validation credential -> Crypto certificates created from pubcert: directory or manually added
. Configure
Configure XML Firewall page: Front End (Device Address 0.0.0.0, Device Port, SSL Server Crypto Profile), Back End (Server Address, Server Port, Select Alias, SSL Client Crypto Profile StudentClientCP)
If you do not have an SSL server crypto profile
. Create a profile:
- Click the plus (+) button (new) on the Configure XML Firewall page
- Objects > Crypto > Crypto Profile
Front End: Device Address 0.0.0.0, SSL Server Crypto Profile (none); Configure Crypto Profile page: Profile Name, Admin State enabled/disabled, Identification Credentials, Validation Credentials, Ciphers DEFAULT, Options, Send Client CA List on/off, Password, Confirm Password
Figure 9-17.
- In the vertical navigation bar, expand Objects and select Crypto > SSL Proxy Profile
Configure SSL Proxy Profile page: Admin State enabled/disabled, SSL Direction Reverse, Reverse (Server) Crypto Profile StudentServerCP, 300 seconds, 30 entries (x 1024), Client Authentication Is Optional on/off, Always Request Client Authentication on/off
Securing the connection from appliance to external application server
Diagram: the appliance sends an SSL-encrypted request to the external application server and receives an SSL-encrypted reply
Figure 9-19. Securing the connection from appliance to external application server
Crypto profile -> Crypto validation credential -> Crypto certificates created from pubcert: directory or manually added (pubcert)
Step 2: Configuring an SSL client crypto profile
. Configure
certificate.
- From the Configure XML Firewall page, select an SSL Client Crypto Profile from the dropdown list
Configure XML Firewall page: Back End (Server Address, Server Port, SSL Client Crypto Profile (none)), Front End (Device Address, Device Port, Select Alias)
- In the vertical navigation bar, select Objects > Crypto > SSL Proxy Profile
- In the Configure SSL Proxy Profile list page, click the SSL Proxy Profile
Configure SSL Proxy Profile page: Admin State enabled/disabled, SSL Direction Forward, StudentClientCP, on/off
SSL Proxy Profile list
. The list shows which SSL proxy profiles are using which crypto profiles
- An SSL proxy profile that functions as a client and a server will have both types of crypto profiles
Configure SSL Proxy Profile list (columns: Name, Status, Op-State, Logs, Direction, Forward (Client) Crypto Profile, Reverse (Server) Crypto Profile) showing MyBasicFirewall, MyTransformFirewall and TwoWayDemo, with statuses saved/new, op-state up, directions forward/reverse, and the crypto profiles StudentClientCP and StudentServerCP
Diagram: Request -> Client-Side Service Policy -> Server-side User Agent Policy -> External Resources
Configuring a user agent
. The XML manager default object uses a default user agent
- Alternatively, from the vertical navigation bar, select Network > User Agent to display or create a user agent
. Create a user agent configuration
- In the Main tab, enter the user agent name and set HTTP settings
- Many techniques to set up communication:
. Proxy policy: Specifies a URL match expression to forward to a remote
User Agent tabs: Main, Proxy Policy, Basic-Auth Policy, Soap-Action Policy, Pubkey-Auth Policy
. Configure SSL proxy profile
User Agent > SSL Proxy Profile Policy tab
Checkpoint
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
to
Checkpoint
Exercise 8: Protect against XML threats
Unit objectives
After completing this unit, you should be able to:
. Explain possible attack scenarios involved in XML-based applications
. Describe the various types of XML attacks
. Use the WebSphere DataPower SOA Appliance to protect against XML attacks
Diagram: Web Server, Server, IP Firewall
Notes:
Web services are based on SOAP, XML, and HTTP. Many of the messages using these
services and protocols are sent to port 80, so they pass through the firewall.
These protocols have gained widespread attention because of their simplicity and ease of
use. However, along with their security, a new class of issues and problems is introduced.
This new class of problems is known collectively as XML threats.
Traditional systems and exposure
. Second level
- Application server for additional processing
Notes:
- Performance
Diagram: Intranet, Internet and Federated extranet; Company A (internal Web services, user, XS40) and Company B (Web services, XS40), with the numbered deployments 1 to 3 described in the notes
Notes:
1. XS40 in the DMZ of company A. It is set up with an XML firewall. Schema validation is enabled to offload the application server. XML threats settings are configured to valid sizes. It uses AAA to check the client's ID and authority.
2. XS40 deployed in the DMZ of company B. It is also set up with an XML firewall to verify outgoing requests. Outbound AAA verifies the ID and authority. Company B and company A have implemented a federated extranet (perhaps using Tivoli Federated Identity Manager). XS40 injects SAML assertions and attributes into outbound messages.
3. XS40 deployed in the intranet of company A. Since the requests are coming from within, company A has decided to apply different security rules. An XML firewall is defined to allow only specific IP addresses access to the internal application.
. System compromise
- Corrupting the Web service itself or the servers that host it
Notes:
These attacks are discussed in detail in subsequent slides.
XML denial of service (XDoS): Single message attacks
o Jumbo
- Sending a very large XML message to exhaust memory and CPU on the target system
o Recursive elements XML
- XML messages that can be used to force recursive entity expansion or other repeated processing to exhaust server resources
o Mega
- Otherwise valid XML messages with excessively long element names, may lead to buffer overruns
o Coercive
o Public key DoS
. XML flood
Unauthorized access attacks
. Falsified messages
- Faking that a message is from a valid user
. Using a "man in the middle" to gain a valid message and then modifying it to send a different message
. Replay attack
- Resending a previously valid message for malicious effect
. Possibly where only parts of the message (such as the security token) are replayed
. Data tampering
- Exploiting weaknesses in the access control mechanism that permits the attacker to make unauthorized calls to the Web service to alter data
. Message snooping
- A direct attack on data privacy by examining all or part of the content of a message
. XPath or XSLT injection
- Injection of expressions into the application logic
. SQL injection
- Modifying SQL in XML to obtain additional data than the service was designed to return
. WSDL enumeration
- Examining the services listed in the WSDL to guess at and gain access to unlisted services
. Routing detour
- Using SOAP routing headers to access internal Web services
. Malicious include
- For example, using embedded "file:" URLs to return UNIX password files or other privileged data to the attacker
. XML encapsulation
- Embedded system command in XML payload, for example, using the CDATA tag
XML Manager page, XML parser limits: XML Bytes Scanned 4194304 bytes, XML Element Depth 512, XML Attribute Count 128, XML Maximum Node Size 33554432 bytes, Forbid
Notes:
You can get to the list of XML Managers by going to OBJECTS > XML Processing > XML Manager.
Parser limits:
. XML Bytes Scanned: The maximum number of bytes scanned by the XML parser
. XML Element Depth: The maximum depth of element nesting
. XML Attribute Count: The maximum number of attributes allowed per XML element
. XML Maximum Node Size: The maximum size of an individual XML node (bytes)
Configure XML Firewall page, XML Threat Protection tab (tabs: General, Advanced, Stylesheet Params, Headers, Monitors, XML Threat Protection, Miscellaneous): sections for single message and multiple message XML denial of service protection, Message tampering protection, Protocol threat protection, XML virus (X-Virus) protection, Dictionary attack protection
XML Firewall, single message XML denial of service protection settings: Max. Message Size KB, Override XML Manager parser limits on/off, Max XML Attribute Count 128, Max XML Bytes Scanned 4194304 bytes, Max XML Element Depth 512, Max XML Node Size bytes, Attachment Byte Count Limit
Notes:
These settings provide protection against a single malicious XML message. A number of the parameters used to provide this kind of protection are set in the XML Manager. This page offers the opportunity to override the XML Manager with firewall-level settings (go to Override XML Manager parser limits and select the on or the off radio button).
. Max. Message Size: The maximum allowed size, in KB, of any given message. The range is 0 - 256. The default is 0, which means that no limit is enforced.
. Override XML Manager parser limits: When left at the default of Off, the parser limits set in the XML Manager used by this firewall will remain in effect.
. Max XML Attribute Count: This is an integer value that limits the number of attributes for any given element.
. Max XML Bytes Scanned: This limits the number of bytes contained in any given XML message. A value of 0 enforces no limit.
. Max XML Element Depth: This limits the depth of nested elements in an XML message.
. Max. XML Node Size: This limits the size of any one XML node. The minimum value allowed is 1. Note: This value may be larger than the Max. XML Bytes Scanned value, but the limit on the total number of bytes scanned takes precedence.
. Attachment Byte Count Limit: This limits the size, in bytes, of any single attachment to the message. Enter 0 to enforce no limit. Note that this property setting is not available in the XML Manager parser limits.
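As an added example (not DataPower's code), the following Go program applies the same kind of parser limits to a stream of XML tokens with the standard encoding/xml package: bytes scanned, element depth, attribute count per element and node size, plus a refusal of DTD directives so that recursive entity expansion cannot start. The limits it uses are constructed values far below the XML Manager defaults above, and the sample messages are constructed to match the single-message XDoS patterns (jumbo, deep nesting, attribute-heavy elements, entity declarations).

```go
package main

// Added example, not DataPower's own code: a streaming checker that enforces the
// parser limits the XML Manager and the firewall's single-message XDoS page
// expose (bytes scanned, element depth, attribute count, node size) and forbids
// DTD directives, so a jumbo, deeply nested or attribute-heavy message is
// rejected before it is parsed in full. Limits and messages are constructed.

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ParserLimits mirrors the XML Manager fields; the slide's defaults are
// 4194304 bytes scanned, depth 512, 128 attributes and 33554432-byte nodes.
type ParserLimits struct {
	MaxBytesScanned   int64
	MaxElementDepth   int
	MaxAttributeCount int
	MaxNodeSize       int
}

var (
	ErrBytesScanned   = errors.New("XML Bytes Scanned limit exceeded")
	ErrElementDepth   = errors.New("XML Element Depth limit exceeded")
	ErrAttributeCount = errors.New("XML Attribute Count limit exceeded")
	ErrNodeSize       = errors.New("XML Maximum Node Size limit exceeded")
	ErrDTDForbidden   = errors.New("DTD and entity declarations are forbidden")
)

// countingReader cuts the parser off once more than max bytes have been read.
type countingReader struct {
	r      io.Reader
	n, max int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	if c.n > c.max {
		return 0, ErrBytesScanned
	}
	return n, err
}

// Check tokenizes doc and returns the first limit it violates, or nil.
func Check(doc string, lim ParserLimits) error {
	cr := &countingReader{r: strings.NewReader(doc), max: lim.MaxBytesScanned}
	dec := xml.NewDecoder(cr)
	depth := 0
	for {
		tok, err := dec.Token()
		if cr.n > lim.MaxBytesScanned {
			return ErrBytesScanned
		} else if err == io.EOF {
			return nil
		} else if err != nil {
			return err // malformed XML is rejected as well
		}
		switch t := tok.(type) {
		case xml.StartElement:
			depth++
			if depth > lim.MaxElementDepth {
				return ErrElementDepth
			}
			if len(t.Attr) > lim.MaxAttributeCount {
				return ErrAttributeCount
			}
		case xml.EndElement:
			depth--
		case xml.CharData:
			if len(t) > lim.MaxNodeSize {
				return ErrNodeSize
			}
		case xml.Directive:
			return ErrDTDForbidden // no DOCTYPE, hence no recursive entity expansion
		}
	}
}

// SampleMessages are constructed inputs, one per pattern from the XDoS slide.
func SampleMessages() map[string]string {
	attrs := make([]string, 12)
	for i := range attrs {
		attrs[i] = fmt.Sprintf(`a%d="1"`, i)
	}
	return map[string]string{
		"well-formed order":       `<?xml version="1.0"?><order id="42"><item sku="A1">Widget</item></order>`,
		"jumbo message":           "<a>" + strings.Repeat("x", 6000) + "</a>",
		"oversized node":          "<a>" + strings.Repeat("x", 2000) + "</a>",
		"deep nesting":            strings.Repeat("<e>", 40) + strings.Repeat("</e>", 40),
		"attribute-heavy element": "<e " + strings.Join(attrs, " ") + "/>",
		"entity declaration":      `<!DOCTYPE e [<!ENTITY x "y">]><e>&x;</e>`,
	}
}

// RunSamples applies tight demo limits to each sample message.
func RunSamples() map[string]error {
	lim := ParserLimits{MaxBytesScanned: 4096, MaxElementDepth: 16, MaxAttributeCount: 8, MaxNodeSize: 1024}
	out := map[string]error{}
	for name, doc := range SampleMessages() {
		out[name] = Check(doc, lim)
	}
	return out
}
```

Because the byte limit is enforced in the reader, the jumbo message is cut off after 4096 bytes rather than being buffered whole, which is the point of the bytes-scanned limit taking precedence over the node-size limit.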
Protects against a denial of service attack with multiple XML messages sent to a service
XML threat protection settings:
Multiple message XML denial of service protection form: intervals in msec (1000 shown), rates in messages/interval (100 shown), Log Level error
Notes:
. Max. Duration for a Request: This indicates the maximum number of milliseconds allowed for processing any one request.
. Interval for Measuring Request from Host: This is an integer in milliseconds, used for measuring the rate of requests from any given host. The default is 1000, and it measures requests per second.
. Max. Request Rate from Host: This is an integer that sets the maximum number of requests that can be received, within the interval period, from any one host.
. Interval for Measuring Request Rate for Firewall: This is an integer that sets the interval, in milliseconds, for measuring the request rate for the entire firewall.
. Max Request Rate for Firewall: This is the maximum number of requests that can be received, within the interval period, by the firewall.
. Block Interval: This is an integer that sets the period of time, in milliseconds, for which the firewall will block access after one of the other thresholds has been reached.
. Log Level: This is the level at which log messages are generated by those threat protection thresholds. When a threshold is reached, the firewall generates a log message.
Slide: Request Type; Response Type; Request HTTP Version; Response HTTP Version.

Notes:
XML threat protection: XML virus

Slide (help text for the XML virus settings): Select a firewall processing policy which includes a Filter action that uses the Processing Control File "store:///Virus-scanAttachments.xsl". This Filter action must specify an Output context name (for example "attachments") and must also employ a stylesheet parameter named "{http://www.datapower.com/param/config}SendTo" with the value set to the URL of your virus scanner. You may elect to add a Filter action as described above to an existing or new processing policy. Use the Firewall Policy inputs under "Message Tampering Protection" to select, edit or create the desired firewall processing policy.

Notes:
These settings provide protection against viruses that typically flow as message attachments.
You can use either a Results action or a Filter action to call the external virus scanner service.
For the Filter action approach, use the style sheet store:///Virus-scanAttachments.xsl with a style sheet parameter containing the URL of the virus scanner.
With firmware 3.6.1, there is a new Anti-Virus action that can be used to specify interaction with an external virus scanning service. The Results action and Filter action approaches continue to work.
In all cases, communication with the external virus scanning service is performed by using ICAP (Internet Content Adaptation Protocol). Because the scanner is a separate service, its availability becomes part of the message path: decide explicitly whether a scanner that is down or times out fails the message closed (reject) or open (pass), and make sure the policy rejects, not merely logs, when the scanner reports an infection.
XML threat protection: dictionary attack

. A service can monitor access requests through a AAA action that is activated on every request for a service
. When the count of rejected access requests reaches a certain level, the service can send a notification and even deny service for a certain period of time

Slide (help text for Dictionary Attack Protection): Dictionary attacks are detected by repeatedly denied requests for access, which is typically a visible symptom of someone probing for data dictionary definitions to exploit. The firewall can monitor access requests through a AAA (Authentication and Authorization) action that is activated on every request for service. When the count of rejected access requests reaches a certain level, the firewall can send notification and even deny service for a period of time.

To create this protection, it is necessary to create a Count Monitor object which has its Measure property set to "xpath". You can invoke the page to create a new Count Monitor by clicking + alongside the Count Monitor inputs below.

This Count Monitor must then be identified within an AAA action as the Rejected Counter. This action must be part of the Firewall Policy identified for this firewall. You can add this action to the current policy by clicking the "..." button alongside the policy input under "Message Tampering" above. Then drag an AAA icon onto the processing line and double-click the icon.

Finally, the count monitor created for this purpose must be listed as one of the Count Monitors associated with this firewall. Use the Count Monitors inputs on the Monitors tab to accomplish this task.

Notes:
Only rejected AAA decisions feed the Rejected Counter; counting all requests would turn the monitor into a plain rate limit. The deny period applies to the offending client even when it later presents valid credentials, so size the threshold and the deny period so that a mistyped password does not lock a legitimate user out for long.
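The two mechanisms described above, the per-host and firewall-wide request rate limits with a block interval from the multiple-message denial of service notes, and the rejected-access counter of the dictionary attack protection, share one shape: count events per key inside a measurement interval and block the key for a period once the count passes the limit. The following Python model is an added example written for this page and is not DataPower code; the hosts, credentials, limits and traffic in it are constructed so that it runs offline and deterministically.

```python
"""Added example, not DataPower's own code: the threshold checks described in
the multiple-message denial of service notes and the dictionary attack notes,
modelled in plain Python so the semantics can be exercised offline.

RateMonitor counts events per key inside a measurement interval; once the count
exceeds the limit, the key is blocked for block_interval_ms.  That is the shape
of the firewall's per-host rate, firewall-wide rate and Block Interval settings.
The same monitor, keyed on the client host and fed only rejected AAA decisions,
plays the Count Monitor of the dictionary attack protection.  Timing is injected
as now_ms; hosts, users, limits and traffic are constructed for illustration."""
from collections import deque


class RateMonitor:
    def __init__(self, interval_ms, limit, block_interval_ms):
        self.interval_ms = interval_ms
        self.limit = limit                  # max events allowed per interval
        self.block_interval_ms = block_interval_ms
        self._events = {}                   # key -> deque of event times (ms)
        self._blocked_until = {}            # key -> time the block expires (ms)
        self.log = []                       # stands in for the threshold log messages

    def is_blocked(self, key, now_ms):
        return self._blocked_until.get(key, -1) > now_ms

    def record(self, key, now_ms):
        """Count one event for key.  Returns False if key is blocked or this
        event pushes the count past the limit (which starts a block)."""
        if self.is_blocked(key, now_ms):
            return False
        window = self._events.setdefault(key, deque())
        window.append(now_ms)
        while window and window[0] <= now_ms - self.interval_ms:
            window.popleft()                # forget events outside the interval
        if len(window) > self.limit:
            self._blocked_until[key] = now_ms + self.block_interval_ms
            self.log.append(f"threshold exceeded for {key!r} at {now_ms} ms")
            window.clear()
            return False
        return True


CREDENTIALS = {"alice": "correct horse"}   # constructed credential store


def authenticate(user, password):
    return CREDENTIALS.get(user) == password


class Firewall:
    """Per-host and firewall-wide request rate limits (DoS notes) plus a
    rejected-access counter that denies service for a period (dictionary
    attack notes).  Limits are deliberately small for the demonstration."""
    def __init__(self):
        self.firewall_rate = RateMonitor(interval_ms=1000, limit=20, block_interval_ms=2000)
        self.host_rate = RateMonitor(interval_ms=1000, limit=5, block_interval_ms=5000)
        self.rejected = RateMonitor(interval_ms=60_000, limit=2, block_interval_ms=30_000)

    def handle(self, host, user, password, now_ms):
        """Disposition of one request: 'blocked' (rate threshold), 'denied'
        (AAA rejection or dictionary attack block) or 'ok'."""
        if not self.firewall_rate.record("firewall", now_ms):
            return "blocked"
        if not self.host_rate.record(host, now_ms):
            return "blocked"
        if self.rejected.is_blocked(host, now_ms):
            return "denied"                 # still denied with the right password
        if not authenticate(user, password):
            self.rejected.record(host, now_ms)   # only rejections feed this counter
            return "denied"
        return "ok"


def simulate():
    """Constructed traffic: 10.0.0.5 guesses passwords, 10.0.0.9 floods."""
    fw = Firewall()
    traffic = [
        (0, "10.0.0.5", "alice", "guess1"),
        (100, "10.0.0.5", "alice", "guess2"),
        (200, "10.0.0.5", "alice", "guess3"),          # third rejection starts the block
        (300, "10.0.0.5", "alice", "correct horse"),   # correct, but inside the block
        (400, "10.0.0.9", "alice", "correct horse"),
        (500, "10.0.0.9", "alice", "correct horse"),
        (600, "10.0.0.9", "alice", "correct horse"),
        (700, "10.0.0.9", "alice", "correct horse"),
        (800, "10.0.0.9", "alice", "correct horse"),
        (900, "10.0.0.9", "alice", "correct horse"),   # sixth in one second: blocked
        (1000, "10.0.0.9", "alice", "correct horse"),  # still inside the block interval
        (6000, "10.0.0.9", "alice", "correct horse"),  # block expired
        (30500, "10.0.0.5", "alice", "correct horse"), # dictionary block expired
    ]
    return [fw.handle(h, u, p, t) for t, h, u, p in traffic], fw


if __name__ == "__main__":
    results, fw = simulate()
    for line in fw.rejected.log + fw.host_rate.log:
        print(line)
    print(results)
```

The firewall-wide monitor is keyed on a single constant so that it sees every request; the per-host monitor is keyed on the client address; the rejected counter is only touched on an AAA rejection but is consulted before authentication, which is what makes the deny period hold even for a subsequent correct password.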
XML threat protection: message tampering

Slide: a firewall processing policy between the client and the back-end server, built from Filter, Sign, Verify, Transform and Route actions.

Notes:
Message tampering protection employs schema validation that is performed on submitted messages to prevent messages that have been altered, and that no longer pass validation, from reaching the back-end server endpoints. Schema validation only catches alterations that break the message structure; a change that keeps the message schema-valid (a modified amount or account number, for example) is only detected by checking a digital signature.
You can also add a Verify action to check incoming digitally signed documents.
Your policy can use a Sign action to digitally sign a document leaving the service so that the receiver can check it against the signature upon receipt.
XML threat protection: SQL injection

Slide: "Enabled by application". Two Expected/Actual pairs of SELECT statements are shown; the fragments that survive are the column id, the table products, the predicate WHERE pName LIKE '%Chairs%', and the injected condition 'y'='y'.

Notes:
The problem occurs because the application code does not properly filter the SQL strings coming in from the client, either as fields from a Web page form or as data in an XML message. The durable fix is in the application: pass client input to the database as bound parameters rather than splicing it into the statement text.
The underlined text indicates the text that is being entered in the Web form or sent in the XML document. The "expected" is what the developer expected to receive, and the "actual" is what the hacker actually sent.
In the first example, the developer expects just a single user name to be received. The hacker entered the underlined code, which includes an OR that will always return true. The effect is to return all IDs from the table.
The second example is supposed to return a list of all selected products. The hacker adds a UNION of another table, which returns all the database users in the application. The resulting table contains the selected product rows as well as all the database users. Clearly, this is not what the developer intended.
The typical exposure is when:
1. Input parameters are not properly screened, allowing one of two attacks:
   a. Additional SQL keywords cause the boolean condition to always return a result, such as the entire list of user names and passwords.
   b. Additional SQL statements are slipped in. If the interface allows read/write access, the attacker can add his or her own user name and password.
2. The two dashes (--) are appended to the end of the parameter to comment out the rest of the original SQL statement.
SQL injection is one of the most common application layer attacks. An attacker passes a string input to an application in hopes of manipulating the SQL statement to his or her advantage. The complexity of the attack involves exploiting an SQL statement that may be unknown to the attacker. Open-source applications and commercial applications delivered with source code are more susceptible since an attacker can find potentially vulnerable statements prior to an attack; withholding the source only slows discovery, because the statement shape can still be inferred from error messages and from differences in the responses.
XML threat protection: SQL injection protection

. DataPower SQL injection attack protection uses a style sheet-based approach to filter out potentially risky SQL strings

Slide (Configure Filter Action, Advanced tab): Processing Control File (store:), SQL Injection Patterns file (store:), Dynamic Stylesheet: off.

Notes:
In a Web service scenario, the SQL query that is entered would be included inside a Web service request that will be used to perform a database operation.
Under the Advanced tab in the Configure Filter Action page, you can specify the SQL-Injection-Filter.xsl style sheet and the SQL injection pattern file. The SQL injection pattern file defaults to SQL-Injection-Patterns.xml, but you can change it to any other pattern file you want.
The filter is a blocklist of patterns applied to the request content, so it reduces exposure but cannot be complete: encodings and comment tricks that the patterns do not anticipate still reach the back end. Treat it as defense in depth in front of an application that already uses parameterized queries, and review any pattern you add for false positives on legitimate field values (a customer named O'Brien, for instance).
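As an added example that is not part of the course material or of the DataPower filter itself, the following Python program reproduces both injections from the SQL injection slide against an in-memory SQLite database, shows the parameterized form that defuses them, and applies a small pattern filter of the kind SQL-Injection-Filter.xsl applies to request fields. The schema, rows, SOAP requests and pattern list are constructed; the real SQL-Injection-Patterns.xml is not reproduced. The last case shows the blocklist limitation noted above: a comment-obfuscated payload that the constructed patterns miss still works against the unparameterized query.

```python
"""Added example for the SQL injection and SQL injection protection notes.  It is
not the course's or DataPower's code: the schema, rows, requests and pattern
list are constructed for illustration, and the real SQL-Injection-Patterns.xml
is not reproduced."""
import re
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    """In-memory database standing in for the application's tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE products(id INTEGER, pName TEXT);
        INSERT INTO products VALUES (10, 'Office Chairs'), (11, 'Desks');
    """)
    return db


# --- the exposure: client text spliced into the statement ---------------------

def user_ids_vulnerable(db, name):
    """Developer expected: SELECT id FROM users WHERE name = '<one user name>'."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def products_vulnerable(db, term):
    """Developer expected: ... WHERE pName LIKE '%<search term>%'."""
    sql = f"SELECT id, pName FROM products WHERE pName LIKE '%{term}%'"
    return list(db.execute(sql))


# --- the fix: bound parameters, so the input can never become SQL -------------

def user_ids_safe(db, name):
    return [row[0] for row in db.execute("SELECT id FROM users WHERE name = ?", (name,))]


def products_safe(db, term):
    return list(db.execute("SELECT id, pName FROM products WHERE pName LIKE ?",
                           ("%" + term + "%",)))


# --- defense in depth: a pattern filter over the request, as the Filter action does ---

SQL_PATTERNS = [                                          # constructed, not the store: file
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),    # ' OR 'y'='y
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"--|;\s*\w"),                             # comment tail or stacked statement
]


def filter_request(xml_text):
    """Scan every element text and attribute value of a request.  Returns the
    (element tag, p2attern index) of the first hit, or None when nothing matched."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            for index, pattern in enumerate(SQL_PATTERNS):
                if pattern.search(value):
                    return elem.tag, index
    return None


def soap_request(body_xml):
    """Wrap a constructed operation element in a SOAP 1.1 envelope."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>")


CLEAN_REQUEST = soap_request("<findProducts><term>Chairs</term></findProducts>")
UNION_REQUEST = soap_request(
    "<findProducts><term>Chairs%' UNION SELECT name, password FROM users --</term></findProducts>")
OR_REQUEST = soap_request("<findUser><name>x' OR 'y'='y</name></findUser>")
EVASIVE_REQUEST = soap_request("<findUser><name>x'/**/OR/**/'y'='y</name></findUser>")


if __name__ == "__main__":
    db = make_db()
    print("always-true OR:", user_ids_vulnerable(db, "x' OR 'y'='y"),
          "safe:", user_ids_safe(db, "x' OR 'y'='y"))
    term = "Chairs%' UNION SELECT name, password FROM users --"
    print("UNION:", products_vulnerable(db, term), "safe:", products_safe(db, term))
    for label, req in [("clean", CLEAN_REQUEST), ("union", UNION_REQUEST),
                       ("or", OR_REQUEST), ("evasive", EVASIVE_REQUEST)]:
        print(f"{label:8} filter ->", filter_request(req))
    # the evasive payload passes the filter but still works against the spliced query
    print("evasive vs vulnerable query:", user_ids_vulnerable(db, "x'/**/OR/**/'y'='y"))
```

The `/**/` variant is the point of the last case: SQLite, like most engines, treats a block comment as whitespace, so the statement is still valid, while the constructed `' OR` pattern expects real whitespace and never fires. The parameterized functions return nothing for every payload because the whole input is bound as one string value.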
Checkpoint
1. What are the four types of XML threats?
2. True or False: XML virus protection is a periodic virus
3.

Notes:
1.
2.
3.
Unit summary
Having completed this unit, you should be able to:
. Explain possible attack scenarios involved in XML-based applications
. to protect

Notes:
Unit 11. Web service proxy

Unit agenda (slide): Checkpoint; Exercise 9: Configure a Web service proxy service
Unit objectives
After completing this unit, you should be able to:
. Describe the Web service proxy architecture
. List and explain the configuration steps needed to create a Web service proxy
Figure 11-1. Unit objectives

Notes:
Web service proxy overview
. The XS40 and XI50 DataPower appliances allow you to create a Web service proxy to accelerate and mediate communication between a client and a Web service

Notes:
The client does not need to know the endpoint address of the Web service. It will always be forwarded to the Web service proxy. If the Web service endpoint changes, only modifications to the Web service proxy are required. The client is unaffected.
Performing security, validation, and transformation on the DataPower appliance for Web service proxy requests improves application performance because it is done at the hardware level. It is offloaded from the application server, which would perform these tasks in software. You can also apply a standard security policy for your Web service proxy on the DataPower appliance since all requests pass through the appliance. That last point holds only if the back-end service is reachable solely through the proxy: if clients can still connect to the back end directly, the policy enforced on the appliance can be bypassed, so restrict the network path to the back end to the appliance's addresses.
Web service proxy architecture

Slide: a Web services client connects to the WS proxy WSDL (Service: host.com/Operation), which maps to WSDL 1 (Operation A, ahost.co.com:7000/Service), WSDL 2 (Operation B, ahost.co.com:7001/Service) and WSDL 3 (Operation C, ahost.co.com:7002/Service).

Notes:
The Web service proxy has a WSDL file listing the operations that it supports. These operations can be aggregated from multiple WSDL files that are in different locations.
The Web service proxy maintains a mapping of a local endpoint and a remote endpoint for each WSDL file.
. Clients now connect directly to the Web service proxy and not to the back-end service
. Request and response messages can be processed by rules at a proxy, service, port, or operation level

Notes:
A user policy allows you to schema validate request, response, and fault messages. It is automatically created when you create a Web service proxy.
The Web service proxy is built on top of the XML firewall. Therefore it provides all of the functionality of an XML firewall, such as encryption, validation, AAA, and more.
UDDI is a service repository that is used to search for WSDL files of a service.
Creating a WSDL cache policy enables the proxy WSDL file to be updated automatically when the underlying WSDL changes.
You can create an SLM peer group to share SLM data and enforce SLM policy between multiple DataPower appliances.
Web service proxy GUI tabs

Slide: WSDLs; Services; Policy; Proxy Settings (specifies the method of forwarding to the service, security, XML manager, and HTTP settings; includes Proxy Settings, Advanced Proxy Settings and Headers/Params); SLM.

Notes:
There are configuration options for each tab in the Web service proxy GUI.
Web service proxy configuration steps

Slide: Define both the proxy URI and the endpoint URI for each service in the WSDL document. ... service (optional)

Notes:
. Configure how the proxy forwards requests to the back-end Web service. By default, the URI defined in the WSDL document is used to determine the back-end Web service.
. Select the SOAP action policy to specify how to consume messages with a SOAPAction header.
. Configure security settings such as proxy-wide AAA settings, decryption key, and SSL
Step 1: Obtain WSDL document
. A WSDL document that describes your Web service is
  - Uses the W3C XML schema type system for type information
  - Contains operations and messages that are bound to a network protocol and message format
. DataPower
  - WSDL-based configuration
  - operations
  - SLM and policy configuration can be defined at various levels of the WSDL document

Notes:
A WSDL document describes the service operations that can be invoked together with their messaging protocol, transport, and endpoint address.
Each operation contains an input and output message, whose types are defined by the XML schema type system.
Because the proxy derives both its routing (the endpoint address) and its validation schema from this document, obtain it from a source you trust and keep it under the same change control as the proxy configuration itself.
WSDL structure
. portType
  - operation a, operation b
  - each operation has an inMessage, an outMessage and a faultMessage
. binding
  - How to access the portType
  - Multiple bindings per portType
  - HTTP, JMS, SMTP, and so on
  - for example, binding (SOAP+HTTP)
. port
  - Represents an individual endpoint
. service
  - groups one or more ports

Notes:
This diagram shows the general structure of a WSDL and the relationships of the elements to each other.
Creating a Web service proxy (Control Panel)
- Clicking the Web Service Proxy icon in the DataPower WebGUI Control Panel and clicking Add on the Configure Web Service Proxy listing page

Slide (Control Panel, Services): XML Firewall, Edit XML Firewall, New Advanced Firewall, Web Service Proxy, Multi-Protocol Gateway, Browse UDDI.

Notes:
You can use either approach in creating a Web service proxy. The Web pages are identical.
Creating a Web service proxy (object editor)
- From the vertical navigation bar, select OBJECTS > Services > Web Service Proxy

Slide (Service Configuration menu): HTTP Service, Multi-Protocol Gateway, SSL Proxy Service, TCP Proxy Service, UDDI Subscription, Web Service Proxy.

Notes:
The WSDL cache policy and user policies are example configurations that are only possible using this editor.
Web service proxy GUI

Slide: 1. Control Panel editor (tabs WSDLs, Services, Policy, Proxy Settings, SLM); 2. Object editor (Main tab: Name, Admin State enabled/disabled, Comments, Service Priority, XML Manager, Propagate URI, Load Balancer Hash Header, WSDL Source Location, Endpoint Handler, Add WSDL / Add WSRR subscription, Endpoint Rewrite; further tabs for WSDLs, Policy, Processing Rules and Backend).

Notes:
This slide shows the two GUIs available for configuring a Web service proxy. Using the Control Panel, you can create a Web service proxy with similar objects grouped together. Using the object editor, you can create a Web service proxy by configuring the objects that compose the Web service proxy.
Either approach can be used. The Control Panel approach is simpler since similar objects are grouped together.
The Advanced XML Threat Protection tab is not shown in the screen capture, but is also available.
The configuration steps using the object-oriented approach are spread out in the various tabs. Some options, such as the WSDL cache policy, are only available using this approach.
The remaining slides will use the Web service proxy GUI in the DataPower Control Panel to demonstrate the different options.
Configure WSDLs

Slide (WSDLs tab): local: or store: directory; Upload; Add WSDL; Add WSRR subscription; WS-Policy References on/off; WS-Policy Parameter Set; Enforcement Mode: enforce; Select previously uploaded WSDL document; Browse UDDI; 5. Click Next. Figure 11-12.

Notes:
The first step listed in this slide, creating a Web service proxy, is not shown.
Click the Upload button to upload a WSDL file to the DataPower appliance. The WSDL file can be uploaded to the local: directory (which is accessible in the current domain) or to the store: directory (which is accessible in all domains).
When you upload a WSDL file, the WSDL File URL is automatically populated.
You can upload and add multiple WSDL files.
You can also enter an HTTP URL into the WSDL File URL, and the Web page populates the fields with information from the WSDL file. A WSDL fetched over plain HTTP can be altered in transit, and its soap:address location decides where the proxy sends traffic, so fetch it over HTTPS or from a repository you control.
Add endpoint: local and remote

Slide (Edit/Remove endpoint): Local: Protocol http, Local Endpoint Handler, URI /EastAddressSearch, Use Local, Published. Remote: Protocol http, host myWSserver.com, port 9999, Remote URI. Next.

Notes:
The Local section contains information that the client needs to call a service on the Web service proxy. You need to create a local endpoint handler to specify a port number that listens for requests for a particular service and forwards them to the remote destination.
Under Local, the URI field is what the client uses, prefaced with the host name of the DataPower appliance and the port specified in the Local Endpoint Handler object.
The Remote section contains information about the Web service endpoint address that the Web service proxy will call. Make sure you change the default host name of localhost to the correct host name.
Configure local endpoint handler (HTTP)

Slide (Add Endpoint Handler, HTTP): Name; Admin State enabled/disabled; Local IP Address 0.0.0.0; Port Number 80; HTTP Version to Client (HTTP 1.0, HTTP 1.1); Comments.

Notes:
Another choice for local endpoint handler not visible in the context menu is IMS Connect Handler.
The local IP address of 0.0.0.0 means that the endpoint handler listens for requests on all of the appliance interfaces, including any interface reserved for management. Bind the handler to the address of the interface that should carry client traffic unless you really need it on every interface.
Make sure that the port number you specify here is unique.
View WSDL services

Slide (Services tab): list of services with Delete, Refresh, Publish to UDDI and View Operations buttons.

Notes:
The services in this tab are automatically generated by the appliance when you add a WSDL file to the Web service proxy.
The DataPower appliance does not provide a UDDI registry, only a connection.
The View Operations button opens another window that lists the operations defined in the WSDLs exposed by this service.
Retrieve the "client" WSDL from the service
. You can retrieve the client-facing WSDL from the proxy with an HTTP GET of the service URL followed by ?wsdl
  - http://myDPappliance.com:6999/EastAddressSearch?wsdl
  . 6999: The port number of the WS-Proxy service
  . /EastAddressSearch: the local URI of the service
Slide also shows the handler's HTTP version and method check boxes (HTTP/1.0, HTTP/1.1, POST, GET, PUT, OPTIONS); GET must be allowed on the handler for the ?wsdl retrieval to succeed. Figure 11-16.

Notes:
The original WSDL used in defining the WS-Proxy contains a "location" that is no longer correct for the Web service proxied by this service.
When you append ?wsdl to the URL that the client uses to access the Web service by using the appliance, the appliance will return a WSDL with:
Modifying the location in the "client" WSDL
. The WSDL retrieved from the WS-Proxy service using ?wsdl by default places the appliance's IP address and port in the "location"
  <wsdl:port binding="..." name="AddressSearch">
    <address location="http://myDPappliance..." />
  </wsdl:port>
. You can specify a different host name or port to be placed in the WSDL
  - Clear Use Local to enter your own values (Protocol http, host name, port 980, Remote URI /EastAddressSearch)

Notes:
The WSDL retrieved by ?wsdl is the client-facing WSDL of the WS-Proxy service.
By clearing the Use Local checkbox, you can explicitly specify the host name, port, and URI that are to be included in the retrieved WSDL.
This becomes especially useful if you have a load balancer fronting the appliance. By using the explicit approach, you can specify the load balancer's details in the retrieved WSDL so the clients send their requests to the correct host name, port, or URI on the load balancer.
Of course, the load balancer needs to be configured to forward requests to the appliance's host name, port, or URI.
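The following Python example is added here to tie together the WSDL structure, the proxy's aggregation of operations from several WSDL files (each with its own remote endpoint), and the client-facing WSDL returned by ?wsdl, whose soap:address location is rewritten either to the proxy's own host, port and URI (Use Local) or to an explicitly published one such as a load balancer's. It is not DataPower code: the two WSDL documents, the hosts, ports and soapAction values are constructed. It also includes a SOAPAction header check; the Lax behaviour follows the proxy settings notes later in this unit, while the Off and Strict behaviour is assumed from the option names.

```python
"""Added example for the Web service proxy architecture, WSDL structure and
client WSDL notes.  Not DataPower code: the two WSDL documents, hosts, ports
and soapAction values are constructed, and the Off/Strict SOAPAction semantics
are an assumption (only Lax is described on the page)."""
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def sample_wsdl(service, operation, back_end_port, soap_action):
    """A minimal WSDL 1.1 document with the structure from the slide:
    portType -> binding -> port inside a service, plus a soap:address."""
    return f"""<wsdl:definitions xmlns:wsdl="{NS['wsdl']}" xmlns:soap="{NS['soap']}"
    xmlns:tns="urn:example" targetNamespace="urn:example">
  <wsdl:portType name="{service}PortType">
    <wsdl:operation name="{operation}">
      <wsdl:input message="tns:{operation}In"/><wsdl:output message="tns:{operation}Out"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="{service}Binding" type="tns:{service}PortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="{operation}"><soap:operation soapAction="{soap_action}"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="{service}">
    <wsdl:port name="{service}Port" binding="tns:{service}Binding">
      <soap:address location="http://ahost.co.com:{back_end_port}/Service"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def describe(wsdl_text):
    """Map (service, port) -> {'location': back-end URL, 'operations': {name: soapAction}}."""
    root = ET.fromstring(wsdl_text)
    bindings = {}
    for binding in root.findall("wsdl:binding", NS):
        ops = {}
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            ops[op.get("name")] = soap_op.get("soapAction", "") if soap_op is not None else ""
        bindings[binding.get("name")] = ops
    result = {}
    for service in root.findall("wsdl:service", NS):
        for port in service.findall("wsdl:port", NS):
            address = port.find("soap:address", NS)
            binding_name = port.get("binding", "").split(":")[-1]   # drop the tns: prefix
            result[(service.get("name"), port.get("name"))] = {
                "location": address.get("location") if address is not None else None,
                "operations": bindings.get(binding_name, {}),
            }
    return result


class WebServiceProxy:
    """Aggregates operations from several WSDLs and keeps the local-to-remote
    endpoint mapping the notes describe."""
    def __init__(self, host, port, uri):
        self.local = (host, port, uri)
        self.wsdls = []
        self.remote = {}       # (service, port) -> back-end location
        self.operations = {}   # operation name -> (soapAction, (service, port))

    def add_wsdl(self, wsdl_text):
        self.wsdls.append(wsdl_text)
        for key, info in describe(wsdl_text).items():
            self.remote[key] = info["location"]
            for name, action in info["operations"].items():
                self.operations[name] = (action, key)

    def route(self, operation):
        """Back-end location for an operation (the Static from WSDL behaviour)."""
        return self.remote[self.operations[operation][1]]

    def client_wsdl(self, wsdl_text, use_local=True, published=None):
        """The ?wsdl view: every soap:address location rewritten to the proxy's
        own endpoint (Use Local) or to the explicitly published (host, port, uri)."""
        host, port, uri = self.local if use_local else published
        root = ET.fromstring(wsdl_text)
        for address in root.iter(f"{{{NS['soap']}}}address"):
            address.set("location", f"http://{host}:{port}{uri}")
        return ET.tostring(root, encoding="unicode")


def soap_action_ok(policy, header_value, expected):
    """Lax: an absent or empty SOAPAction passes, anything else must match.
    Off: no check.  Strict: exact match required.  (Off/Strict are assumed.)"""
    value = (header_value or "").strip().strip('"')
    if policy == "off":
        return True
    if policy == "lax" and value == "":
        return True
    return value == expected


def build_demo():
    proxy = WebServiceProxy("myDPappliance.com", 6999, "/EastAddressSearch")
    proxy.add_wsdl(sample_wsdl("EastAddressSearch", "findByName", 7000, "urn:findByName"))
    proxy.add_wsdl(sample_wsdl("WestAddressSearch", "findByLocation", 7001, "urn:findByLocation"))
    return proxy


if __name__ == "__main__":
    proxy = build_demo()
    for name, (action, key) in sorted(proxy.operations.items()):
        print(f"{name:16} soapAction={action:20} -> {proxy.remote[key]}")
    print(proxy.client_wsdl(proxy.wsdls[0]))
    print(proxy.client_wsdl(proxy.wsdls[0], use_local=False,
                            published=("lb.example.com", 980, "/EastAddressSearch")))
```

Two things to notice: the client never sees ahost.co.com in the rewritten WSDL, which is the point of the proxy hiding the back end, and the published value is the only one a load balancer deployment should hand out, since the appliance's own address would let clients bypass the balancer.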
Web service proxy policy

Slide (Policy tab, open tree): proxy: AddressSearchPolicy with AddressSearchPolicy-default-requ... (request-rule) and AddressSearchPolicy-default-resp... (response-rule), priority Normal; below it the wsdl, service, port and operation levels, each with WS-Policy (none) and Add Rule.

Notes:
The default proxy-level rule contains two actions, an SLM Rule action and a Results action. The SLM Rule action is a checkpoint event that calls the Web service proxy SLM policy. You can verify the SLM Rule action by double-clicking it and noting the SLM policy name. Click the SLM tab to verify that the proxy name listed in the page is the same as the one in the SLM Rule action.
Configure Web service proxy policy rule
. View the rule configuration
  - proxy: AddressSearchPolicy (default)
  - AddressSearchPolicy-default-resp... (response-rule)
  - wsdl: EastAddressSearch.wsdl

Slide (Configure rule / Add Rule): Rule Name; Rule Direction; actions Filter, Sign, Verify, Decrypt, Transform, Route, AAA, Results, SLM, Advanced; Delete Rule.

Notes:
You can define multiple rules at a specific level and reorder them using the up and down arrows to the left of the rule.
User policy
. Each level of the proxy (proxy, wsdl, service, port, operation) defines a user policy to:
  - Schema validate messages (against the schema in the WSDL)

Slide (user policy pop-up): the policy tree (proxy: AddressSearchPolicy; wsdl: EastAddressSearch.wsdl; service: AddressSearchService; port: AddressSearch; wsdl: WestAddressSearch.wsdl), each level with WS-Policy (default) and Add Rule, and a pop-up listing each option with its Effective Value and Local Value.

Notes:
Click any of the icons at each level to view the user policy pop-up.
The first checkmark enables the component or policy. Each option shown in the pop-up maps to an icon with a green checkmark or red X.
Each policy level contains a user policy that can be enabled or disabled.
The Web service proxy policy and the user policy are separate from each other; the user policy is executed before the Web service proxy policy, so schema validation has already passed by the time your own rule actions run.
Reusable rules

Slide (Configure rule): 1. 2. 3. Rule Name; Rule Direction Client to Server; actions Filter, Sign, Verify, AAA, Results, SLM, Advanced; Delete Rule; ORIGIN, CLIENT, SERVER. Figure 11-21.

Notes:
Reusable rules are useful for applying a common set of actions at many levels of the Web service proxy. Additional actions can be added before or after the reusable rules. This allows you to more easily manage a set of actions that repeat across many levels of the Web service proxy.
Reusable rules can be defined in the other service type processing policies, such as an XML firewall policy.
Proxy Settings

Slide: the Proxy Settings, Advanced Proxy Settings, Headers/Params, WS-Addressing and XML Threat Protection tabs; settings shown include the XML Manager and the WS-Addressing configuration.

Notes:
In this presentation, only the proxy settings are examined. See the DataPower WebGUI Guide for information on the settings contained in the Advanced Proxy Settings, Headers/Params, and WS-Addressing tabs.
The XML threat protection settings are discussed in the XML threat protection presentation.
WS-Policy support
. The WS-Policy
. New behaviors:
  - Parse WSDL with policy elements already included in the WSDL and

Notes:
WS-Policy is used to assert policies on security, QoS, required security tokens, privacy, and other items. A Web service can stipulate what it can provide, and a consumer can stipulate its requirements.
Conformance policy

Slide (Policy tab): WS-I Conformance policy (default), priority Normal, attached at the AddressSearch level; Add Rule; Done; Close.

Notes:
Supported profiles:
Configure conformance policy

Slide (Basic and Advanced tabs): Conformance Policy Name; Profiles (WS-I BP, WS-I BSP); Ignored Requirements; Reject non-conforming messages (Never, Failure, Warning, Any); Record Report; Corrective Stylesheets; Operation Conformance Policies; Use analysis as result: off.

Notes:
Ignored requirements are entered as a text string. For example, BSP1.0:R4227 would ignore requirement R4227 in the Basic Security Profile V1.0. Ignoring a Basic Security Profile requirement relaxes a security check for every message the policy covers, so record why each ignored requirement is acceptable and keep the list short.
Priority

Slide (Policy tab): proxy: AddressSearchPolicy; AddressSearchPolicy-default-requ... (request-rule); AddressSearchPolicy-default-resp... (response-rule); Add Rule; wsdl: WestAddressSearch.wsdl; priority selector High, Normal, Low.
. High
  - Receives above normal priority
. Low
  - Receives below normal priority
. Normal
  - (Default) Receives normal priority

Notes:
Proxy settings (1 of 4)
. Click the Proxy Settings tab to view the proxy settings
  - Many options have default values

Slide: Type in WSDL file; XML Manager; AAA Policy; Type: Dynamic Backend, Static Backend, Static from WSDL; Decrypt Key; Client Principal; Server Principal; Kerberos Keytab; SOAP Action Policy: Lax, Off, Strict.

Notes:
When the Web service proxy receives requests from a client, it forwards them to a back-end server for a service request.
The Type section specifies how that back-end server is determined. A back-end server is identified by a URL and port. The default option is Static from WSDL, which uses the WSDL file to determine the back-end server. The Dynamic Backend option determines the back-end server during document processing, and the Static Backend option always forwards to a single back-end server. With Dynamic Backend, the processing rule that computes the destination is security-relevant: if any part of that destination is taken from the request, constrain it to an allowed set so that a client cannot turn the proxy into a relay to arbitrary hosts.
Proxy settings (2 of 4)
. Decrypt Key
  -
. Client Principal
  - The client principal name when decrypt is required. Used when the encryption uses a Kerberos session key or uses a key that was derived from the session key
. Server Principal
  - The server principal name when decrypt is required. Used when the encryption uses a Kerberos session key or uses a key that was derived from the session key

Slide: Comments; XML Manager; Type (Dynamic Backend, Static Backend, Static from WSDL); AAA Policy; Decrypt Key; Client Principal; Server Principal; Kerberos Keytab; SOAP Action Policy (Lax, Off, Strict).

Notes:
The message payload refers to the message body.
Encrypting a message introduces new elements into the SOAP message that would cause automatic message validation to fail, since a typical schema validation does not check for these elements.
An example SOAP message with an encrypted payload may look like the following:
<SOAP:Body>
<EncryptedData ...>
Specifying a Decrypt Key ensures that a message can pass automatic validation, because the message payload is decrypted before validation. The entire message must be encrypted, not fields within the message.
The Client Principal field contains the full name of the client principal when the Web Service Proxy needs to automatically decrypt encrypted requests. Use this property when the encryption uses a Kerberos session key or uses a key that was derived from the session key.
In a similar fashion, the Server Principal field specifies the full name of the server principal when the Web Service Proxy needs to automatically decrypt encrypted responses.
Proxy settings (3 of 4)
. Kerberos Keytab
  -
. SOAP Action Policy
  - Lax: Validates messages with an empty SOAPAction HTTP header or an empty string within the SOAPAction HTTP header

Slide: XML Manager; AAA Policy; Type (Dynamic Backend, Static Backend, Static from WSDL); Decrypt Key; Client Principal; Server Principal; Kerberos Keytab; SOAP Action Policy (Lax, Off, Strict).

Notes:
Select the Kerberos Keytab object that contains the principals for the Kerberos Keytab list. The Web Service Proxy uses these principals to automatically decrypt encrypted requests and responses.
The WSDL file for a service defines the value that a SOAPAction header must contain for a SOAP request. The SOAPAction header is defined in the HTTP header, not the SOAP header.
The SOAP Action Policy setting specifies how to validate messages with a SOAPAction HTTP header. Because the header lives outside the SOAP body, it is never covered by a signature or encryption of that body, so it cannot be trusted on its own to identify the operation; the body is what must be matched against the operation in the WSDL.
Proxy settings (4 of 4)
. XML Manager: Assigns an XML manager to the Web service proxy
. AAA Policy

Slide: Comments; XML Manager (default); AAA Policy; Type (Dynamic Backend, Static Backend, Static from WSDL); Decrypt Key; Client Principal; Server Principal; Kerberos Keytab; SOAP Action Policy (Lax, Off, Strict).

Notes:
A AAA policy specifies how incoming messages are authenticated and authorized. The last A is for Audit.
The proxy AAA policy is applied for all service endpoints within the proxy. Because it applies to every endpoint, use it for the baseline requirement that every caller authenticate, and put operation-specific authorization in AAA actions in rules at the operation level.
SLM

Slide (SLM tab, Figure 11-31): for each level (proxy: AddressSearchPolicy; wsdl: EastAddressSearch.wsdl; service: AddressSearchService; port-operation: findByLocation, findByName, retrieveAll) a Request group and a Failure group, each with Interval (sec), Limit and Action; the values 60 and 100 appear in the example; a Graph button displays the measurements.

Notes:
Under Request, you can count the number of transactions that occur within a specific interval and, if the transaction limit is exceeded, you can specify an action to:
... queued for later transmission, and subsequent transactions in excess of the 2500 limit are dropped
Under Failure, you can specify the same information as Request, except that these settings apply to error messages. A high fault rate from one client is often a sign of probing, so a Failure threshold with a throttling action is a useful complement to the dictionary attack protection described in the XML threat protection unit.
WSDL cache policy ".-ohl drl. wsu
. Create a WSDL cache policy to update the WSDL proxy with changes from
underlying WSDL file
Scheduled poll of underlying WSDL
lf changes are detected, then the proxy WSDL is automatically updated
Gtfreneler
Probe Trioogrs
Export
Cancel
URL Mtch
,,1
hra
expresson
TTL
)
earch/+
I 00
Delete
l
o Copyright lBlvl Corporaton
2009
w8555 / V85s52.0
Nofes.'
The URL match expression is used to match the URL of the WSDL file (that is, its location).

Time to Live (TTL) is expressed in seconds. It specifies how long the current copy of the WSDL file is kept before it is automatically refreshed, for any WSDL whose URL matches the corresponding URL match expression.
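As an added example of how a URL match expression and a TTL combine (this is illustration code, not DataPower's implementation), the Python class below keeps a cached copy per WSDL URL, picks the TTL from the first rule whose pattern matches the URL, and refetches only once that TTL has elapsed. Shell-style wildcards via `fnmatch`, the sample rule and the backend URL are assumptions for the example; DataPower's own match syntax may differ.

```python
"""WSDL cache with URL-match rules and TTL (added example, not DataPower code).

rules: list of (URL match expression, TTL in seconds). The first matching
rule decides how long a cached WSDL copy lives before it is refreshed;
a URL that matches no rule is cached indefinitely.
"""
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple


class WsdlCache:
    def __init__(self, rules: List[Tuple[str, int]]):
        self.rules = list(rules)
        self.entries: Dict[str, Tuple[float, str]] = {}   # url -> (fetched_at, document)

    def ttl_for(self, url: str) -> Optional[int]:
        """TTL of the first rule whose match expression matches the URL, else None."""
        for pattern, ttl in self.rules:
            if fnmatch.fnmatchcase(url, pattern):   # assumption: shell-style wildcards
                return ttl
        return None

    def get(self, url: str, now: float, fetch: Callable[[str], str]) -> Tuple[str, bool]:
        """Return (document, refreshed). Refetch when no copy exists or the TTL expired."""
        ttl = self.ttl_for(url)
        cached = self.entries.get(url)
        if cached is not None:
            fetched_at, doc = cached
            if ttl is None or now - fetched_at < ttl:
                return doc, False
        doc = fetch(url)
        self.entries[url] = (now, doc)
        return doc, True


def demo() -> Tuple[List[bool], int]:
    """Poll a constructed WSDL URL at several times; report refresh flags and fetch count."""
    fetches: List[str] = []

    def fetch(url: str) -> str:
        # Constructed stand-in for retrieving the WSDL from the backend.
        fetches.append(url)
        return f"<definitions/><!-- copy {len(fetches)} -->"

    cache = WsdlCache([("*/AddressSearch/*", 100)])      # assumed rule, TTL 100 s
    url = "http://backend.example/AddressSearch/EastAddressSearch.wsdl"  # assumed URL
    refreshed = [cache.get(url, t, fetch)[1] for t in (0, 50, 99, 100, 150, 250)]
    return refreshed, len(fetches)


if __name__ == "__main__":
    print(demo())
```

Polling at 0, 50, 99, 100, 150 and 250 seconds produces three fetches (at 0, 100 and 250), which is exactly the refresh cadence a 100-second TTL implies; a URL that matches no rule is fetched once and then served from the cache.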
Figure: WS-Proxy status screen listing AddressSearchProxy on interface 0.0.0.0, port 3001, with operations findByLocation, findByName and retrieveAll, status Registered, SOAP Body action and SOAP URL /EastAddressAddressSearch.
Notes:
The default error messages returned by the Web service proxy are intentionally vague so
that no clues are provided to an intruder trying to compromise the system. For example:
    X-Backside-Transport: FAIL
    Connection: close
    Content-Type: text/xml

    <?xml version="1.0"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <env:Fault>
          <faultcode>General</faultcode>
          <faultstring>Internal Error</faultstring>
        </env:Fault>
      </env:Body>
    </env:Envelope>
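To show why the vague fault matters, the Python program below (an added example, not DataPower code) produces the same generic SOAP 1.1 fault and headers for any processing error, logs the real cause under a correlation id on the proxy side only, and includes a deliberately verbose variant beside it so the difference can be checked: the verbose fault carries backend host names and ports into the response, the generic one does not. The logger name, the correlation id and the constructed backend error text are assumptions for the example.

```python
"""Generic versus verbose SOAP faults (added example, not DataPower code).

generic_fault() builds the vague fault shown above; fault_response() pairs it
with the FAIL headers and logs the real error locally. verbose_fault() is the
anti-pattern for comparison, and leaks_detail() checks a response body for
internal strings. Logger name and correlation id format are assumptions.
"""
import logging
import uuid
from typing import Dict, Iterable, Tuple
from xml.etree import ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
log = logging.getLogger("wsproxy")          # assumed logger name
ET.register_namespace("env", SOAP_ENV)      # serialize with the env: prefix


def _fault(faultcode: str, faultstring: str) -> bytes:
    """Build a SOAP 1.1 Envelope/Body/Fault document."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = faultcode
    ET.SubElement(fault, "faultstring").text = faultstring
    return ET.tostring(envelope, xml_declaration=True, encoding="utf-8")


def generic_fault() -> bytes:
    """The vague fault the notes show: no hint about what went wrong."""
    return _fault("General", "Internal Error")


def verbose_fault(exc: Exception) -> bytes:
    """Anti-pattern for comparison: the exception text goes to the client."""
    return _fault("Server", f"Backend call failed: {exc!r}")


def fault_response(exc: Exception) -> Tuple[Dict[str, str], bytes]:
    """Headers and body for a failed request; details stay in the proxy log."""
    correlation = uuid.uuid4().hex           # assumed: ties log line to the response
    log.error("request %s failed: %r", correlation, exc)
    headers = {
        "X-Backside-Transport": "FAIL",
        "Connection": "close",
        "Content-Type": "text/xml",
    }
    return headers, generic_fault()


def leaks_detail(body: bytes, internal: Iterable[str]) -> bool:
    """True if any internal string (host, port, error text) appears in the body."""
    text = body.decode("utf-8")
    return any(s in text for s in internal)


if __name__ == "__main__":
    # Constructed backend error; "db01.internal" and 8080 are made-up values.
    err = ConnectionError("backend db01.internal:8080 refused connection")
    hdrs, body = fault_response(err)
    print(hdrs)
    print(body.decode())
    print("verbose leaks:", leaks_detail(verbose_fault(err), ["db01.internal"]))
```

The check in `leaks_detail` is the kind of assertion worth keeping in a proxy's test suite: run every error path through it with the internal host names and error strings you know about, and the test fails the moment a response starts carrying them.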
Checkpoint

1. True or False: A Web service proxy and SLM policy can be defined at a fine-grained level.
2.
   a) proxy
   b) message
   c) service
   d) port
Notes:
1.
2.
3.
4.
5.
Unit summary
Having completed this unit, you should be able to:
• Describe the Web service proxy architecture
Training areas:
WebSphere
Java
pSeries
iSeries
xSeries
e-business
Rational
Microsoft Technologies
Lotus Technologies
Communications/Networks
End User
Systems Management
Tivoli
Data Management
Transaction Systems
OS/390 and z/OS
Storage
AIX
Linux
Mobile
ITIL
All rights reserved