IBM CORPORATION
Moderator: Janice Bennett
March 28, 2010, 8:03 am CT
Confirmation # 62877741
Female: Thank you for joining the WebSphere DataPower podcast to hear Adolfo Rodriguez, IBM’s
Senior Technical Staff Member and DataPower SOA Appliances Architect present the latest
update in the Integration Appliance world including appliances for XML acceleration, XML secure,
ESB implementation, low latency MQ, B2B and others. Discover how WebSphere DataPower
can provide a bulletproof solution to tough issues like XML security and learn how to take
advantage of the simplicity of installing and configuring the WebSphere DataPower device to
address these issues.
Now, I will turn this podcast over to Adolfo Rodriguez.
Adolfo Rodriguez: So I assume that I’m getting those five minutes back because you know how I like to
talk. Everyone knows I’m very verbose. So my name is Adolfo Rodriguez. First question I
always get is did you come over with the acquisition. I always get that so I’ll just go ahead and
get that out of the way. I was part of the IBM team that evaluated DataPower initially and became
the architect that was responsible for integrating DataPower into IBM. So that was as much
about mentoring the engineers that came over as well as ((inaudible)) – as well as sort of
integrating with IBM the products that we have. That was in 2005, November maybe or so.
Andy, do you remember that?
Andy Grohman: Yes.
Adolfo Rodriguez: Something like that, and since then my role has kind of evolved – I’m going to get out
of the way – my role has kind of evolved, I’ve become the chief architect now for DataPower and
taking on more responsibilities within the product groups. So it’s really driving the technology and
allowing basically the engineering team to become better apt at serving the needs of our
customers.
It’s been an interesting ride. We’ve been here for you know all this time. You know essentially,
our problems have been changing, so if you look at us from where we were at day one, our day
one problems were always about function and it was always – there’s always the question, where
are we going to – what function are we going to have in this release? And where we’ve taken it
now is to one that certainly addresses function but now is really looking at the broader picture of
where our appliances are going to go.
So the issues that we’re tackling now and we’ve been tackling for the last couple of years are
things like lifecycle management, operational management, things that are very near and dear
and important to our hearts. There’s a large number of you here in this room that have been
very influential in defining that vision and how we carry forward.
So you know I was talking with someone the other day and I said, “well, isn’t Charlotte you know
the Charlotte area kind of the hub now of DataPower?” And I started thinking and kind of
counting in terms of you know customers that are based here and the number of appliances and I
believe it is. I think it’s the number 1 DataPower area. All thanks in part to Andy Grohman who’s
very humble in the back.
And you know West Coast certainly an important area, Boston area an important area, a couple
other areas, Toronto area, but we have a lot of energy here in the Charlotte area with DataPower
SOA Appliances. So a quick show of hands, customers here that are DataPower customers
today ((inaudible)) is an idea. Others that are not but are interested in learning more about
DataPower? OK, so a good number of hands.
So what I’ll do is I’m going to give you a kind of a high level. I’m going to do a little – you know a
little dive here and there in terms of some of the interesting characteristics of our appliances,
what makes them tick, usually what always – you know people always want to know is what’s
inside. You can’t look inside by the way because there’s an intrusion detection switch that will
disable the appliances but – so don’t try it.
But what I’d like to do is every once in a while, we’ll talk about some interesting characteristics,
sort of where our direction is heading and what we’re thinking about. But of course at a higher
level, I want to give you a feel for what our appliances do and what’s going on in making them do
what they do.
So let’s talk about really the center of where DataPower Appliances came to be. It was an
observation long ago that – it was about 10 years ago, our founder Eugene Kuznetsov said, “I
think I can build middleware, but what does that really mean? I can make it more consumable. I
can make it faster and I can make it easier – easier to deploy, easier to manage, easier to utilize,
and I can do all this without sacrificing security.”
So at the end of the day, what happened was essentially, the appliances were born in a box,
inside the box is purpose-built hardware. It’s hardware that allows us to do what it does. So if
you look at it from a conceptual point of view, people always you know they try to figure it out,
maybe they’ve created their own ESBs in the past through software and usually, we talk to
software engineers and to try to understand really what’s inside. So, that marriage of taking this
broad range of middleware capabilities of middleware function and combining with that this
purpose-built hardware is really how our appliances came to be.
We started with XML. We said, “Look, XML is hard. XML costs a lot of cycles. Security
processing, hard, costs a lot of cycles, right. Let’s build some hardware around it. Let’s build
some firmware around that hardware, package this together and make it simpler to use,” that’s
where we began.
Now, there’s some movement now. There’s a drumbeat that has kind of picked up. We
expanded that business into many other areas, but at the very heart, at the very core of
DataPower SOA Appliances is this notion of hardware function. All right, if you – when we began
this journey, everything was really focused on you know point integration but mostly focused on
standards.
Today, our story is still very much focused on open standards. It’s about you know SOA. It’s
about XML. It’s about HTTP. It’s about you know FTP. It’s about IMS Connect and a bunch – a
large collection of open standards but since our acquisition, since the DataPower acquisition of
IBM, it’s also been about a large amount of integration with IBM – the IBM product portfolio. So
you’re going to see some of that spread throughout.
One interesting thing I’ll talk to you about is the hardware itself. In DataPower, there are two sort
of easy to confuse security – the aspect with security of function that kind of go hand in hand but
it’s important to really realize that those two things are separate. Our appliances today are DMZ
ready. They’re locked down; they’re (one-year) appliances. If you have never seen one, it’s a
(one-year) piece of box that slides into a rack. The network adapters are in the front much like a
network device.
The appliance itself is hunkered down and secure. There’s no open ports by default for example.
Let’s talk about the intrusion detection switch. There’s an option called the (HSM) that is a FIPS-
grade key store that if opened, all security material is lost. There is no way to run third party
code. You can’t load code onto this device. It doesn’t run Java. It’s not a general purpose
server. It’s very, very locked down.
This is the aspect of our security device. With those security functions is what they are powered
to do, right, XML field encryption, XML denial of service protection, authentication, authorization;
these are functions that our devices perform but in that first part, that’s a little bit interesting when
you look at how our appliance business is evolving because we’re leveraging that in other
aspects. Today, DataPower deals with security from a Web services’ data perspective, transfer
perspective but as we’re evolving this line, that security aspect is going to become relevant in
many other spaces. So it’s important to note what those two things are.
We have five shipping DataPower Appliances as it stands today. One of them which was our first
appliance, the green appliance. I would imagine there’s no customer here that is an XML XA35
customer. True? I know that because there aren’t very many. Again, this was our heritage
appliance. Most of our customers are geared towards the XS40, the XI50; now, subsequently,
the XB60 and XM70.
I will give you a little bit more detail as to what these appliances do in a second. Again, three key
things; it’s about simplification, it’s about security, and it’s about performance. And so as you look
at the product portfolio that we have at IBM with our name WebSphere, you’ll see how these
aspects can be leveraged in many environments. Many of our customers use them together with
other ESB products. So there’s Message Broker WESB. There are broader solutions that
leverage these aspects in many different scenarios.
System z, a huge business for us. Our System z patterns are ever growing. We have now a
large emphasis on improving our integration with System z as a whole and our customers have
really latched on to that one big aspect; not the only aspect of course but one ever growing usage
model. The more historical appliances are the XS40 and XI50. They were introduced into the
market some number of years ago. We began with the XS40.
It was sort of the next wave in our appliance business after the XA35 that focused mostly on XML
payloads, XS “S” standing for security. It is about doing policy enforcement. It’s about providing
rich security services like authentications, authorizations, denial of service protection, ensuring
things like PCI compliance, et cetera, et cetera. Most difficult deployments with an XS40 are in
the DMZ but certainly, some customers use them for partner trading but mostly for DMZ facing
aspects.
The step-up from that which actually is embedded in a lot of things ((inaudible)) XS40 is our XI50
integration appliance that is essentially ESB in a box. It’s a hardware ESB and what it adds is
this capability of doing within any transformation and within any transport from a transport
perspective as well as a format perspective. So we would say again you know HTTP with SOA
for example; we can convert that to essentially anything; COBOL copybook over an MQ or any
other kind of binary data that we would want as long as we could specify the transformations with
our tooling. That is at the very core of our XI50 appliance.
There are these two newer appliances, the XB60 and the XM70; the XB really geared at sort of
the next step from an XS40 adding more partnering capabilities for business transactions. It’s
about AS2/AS3. Internally, the XB60 appliance is a little bit of a novelty for us because we have
to remember some state for a longer amount of time. We’ll talk more about that and how that’s
becoming more important in some of the use cases we have.
At a high level, DataPower is a stateless device. If you look inside the appliance, that appliance
has configuration. Inside is an internal flash. The flash itself houses the configuration and allows
it to do what it does. You boot up the appliance. These things get instantiated and now we could
begin to process data flows. By and large almost all use cases that we’ve seen historically had
been leveraging that stateless aspect.
So if something happens, the device would just be turned off or someone hits it with a
sledgehammer, then upon recovery – well, it depends on the size of the sledgehammer but upon
recovery then the device would just simply start over again and begin processing transactions
again, so leveraging the sort of nature of the payloads that we wanted to service.
This is the way that we can get away with it because it’s Web services payload, it’s Web
application payload, right. So as we continue to evolve this story and look at other functional
areas, our business is now seeking other ways to advance how we handle these payloads. We’ll
talk more about this notion.
XM70 low latency messaging appliance has – you know essentially, allows us to do – to embed
some interesting technology for low latency messaging, so that we can deliver messages that
have these low latency requirements particularly evidenced in sectors like financial industry and
an evolving story as we continue to add more and more payload support for dealing with those
types of use cases then we’ll get that.
So probably, what I’ll do tomorrow is a little bit more of a deep dive of the XB60 and 70.
Obviously, we have questions about that. Let me know, I’m here all day and I’m here tomorrow
too, so if you want to have some focused discussions whatever’s on your mind, nothing’s off the
table, so anything that you want to discuss, we could talk about that.
High level here is some typical deployment for our appliances. Again, our appliances, all our
appliances are DMZ ready, secure lock down, so they can be deployed in the DMZ. It really
depends on the use case. We have some appliances that are most often deployed in the DMZ
because they make sense there.
So if I have a Web-facing application and I would like to instantiate a Web application firewall, the
XS40 is a nice solution for that allowing you to say provide authentication services, authorization
services, et cetera, et cetera. The XI50 is most typically deployed behind the DMZ because it in
general is very frequently deployed in ESB scenario. It’s an integration hub. It’s an application-
aware hub.
So the idea is I can route, I can transform, I can process, I can do some auditing mechanisms, all
sorts of different ways to transform route process computed upon the data as it was to the
network. A lot of our customers are actually using these things in conjunction now with one
another. So we have at the DMZ level, security-based you know general security-based services
here and inside in the ESB more and more integrated functions that would be required.
((Inaudible)) use cases would let’s say I have a System z or some other application; I’d like to
virtualize those services using SOA. I could do that by creating a ((inaudible)) or Web service
facade back to this application and now have a more standardized, more transparent way of
invoking that particular service.
This centralization here allows us to do many things. It can do centralized control, centralized
governance affect the traffic in a certain way. It instantiates the quality of service policy that says,
if I’m buying socks, I’d like to give that less priority than to say I’m buying cars based on that
content, based on the actual application data provided you know for security policies to provide a
particular, say, a WS security policy or any kind of policy that would need to be enforced with
DataPower. All that could be done here.
So a couple of things to note, the hardware and the infrastructure enables us to keep up with
demands of what you see deployed in this picture. The centralization, the import, the (in-west)
point allows us a convenient place to aggregate function, so that we can apply security policy,
use quality of service and these types of things.
We’ll talk about the XS40 security part; again, DMZ ready, DMZ capable appliances that support
the typical DMZ characteristics. If you look at our appliances you know we say the terms
application awareness a lot. What does that really mean? Well, it really means being able to
operate and function on the payload, right, so it’s about the SOA, right. It’s about understanding
the sub-content or the XML content as being able to do things with it but that’s not the only thing
that our DataPower Appliances can do.
They can also operate on the transports themselves, the transport information. So let’s say I
have a Web service and I’d like to secure it with HTTP basic one and maybe I’d like to go and
provide essentially common services for all my Web services to leverage. If I have, let’s say, a
well-known, well-understood, well-architected mechanism for doing authentication and
authorization calls, maybe it’s LDAP, maybe it’s TAM, Tivoli Access Manager, maybe – whatever
it is.
Common use case for our XS40 in the DMZ deployment; one of the interesting things that we do
is this notion of XML denial of service protection but we did really a good job of you know maybe
15 or so years ago of shutting down every port known to mankind except for port 80 and (8043)
and a few others and it was all really great because we really frustrated people that like to use
(Telmag) and FTP but now with that’s done is sort of changed the point of attack to a different
spectrum now.
So I’m not attacking those services by port but I might be attacking your services by format or by
payload; maybe I’ll send you some XML and then that XML is poisoned somehow; maybe it’s
really, really big or it has some cyclical characteristics. So our appliances and particularly the
XS40, the XI50 also has are capabilities intrinsic that allow you to provide for XML denial of
service protection, let me do some validation and I’m not talking about just simple you know
((inaudible)) checking, schema validations; those things are straightforward.
And of course we do that but higher level validation to ensure that a particular XML has – is going
to have characteristics that once passed on inside the enterprise might result in some non-
desired behavior. So a broad level of things there.
Let’s see – let’s continue here. Our hardware an aspect from hardware perspective, we talked
about this sort of hunkered down, this sort of you know DMZ-ready capabilities. We talked a little
about FIPS and our HSM options – HSM options recently a couple years ago, a year ago, we had
a common criteria certification, so you know it’s rigorous certification that enables us you know
security aspects if you will regarding the appliance.
So we don’t just do these things in a vacuum but we have third parties evaluate our capabilities
as well. If you look at – if you look at the box itself, the appliance was engineered from a
hardware perspective with certain things in mind, certainly security as an aspect of that; no USB
port that you can’t plug in anything; you can’t run any third party or arbitrary software; there’s no
Java; there is no way really to install anything other than a DataPower firmware. Once it’s out in
the field, there’s one mechanism to do that, it’s a firmware upgrade and once you’ve upgraded
the firmware you know let’s say you could roll back or upgrade the firmware but you can’t do
anything else with the hardware, it’s specifically made for that.
I think we’ve talked about the majority of this, so let’s keep going. That was security aspect, this
is security function. Again, triple A framework; authentication, authorization, auditing. The notion
is we receive a request; we get an input message ((inaudible)). We can extract the resource
that’s being accessed and we can extract the identity of who is actually performing the access, so
the notion is fairly straightforward; provide a menu by which you can do these things, so let me
quickly configure what resource it is whether it’s some ((inaudible)) or something like that.
I can quickly configure the user’s identity and run that through an authentication step. Is this user
allowed – is this a valid user? Do I know this user? Do they adhere to the standards that I have
from a corporate perspective? We map the resource and the credentials of the user into an
authorization step. We say is this particular user allowed now access to this particular resource?
If so, let him through and if not, I may like to do some auditing or some sort of accounting that
allows me to determine what happened. There’s a notion of culpability et cetera, et cetera.
So it’s a very common use case for our appliances, lots of customers are using this. I would say
80% or so of our customers use DataPower in some way, shape or form with this framework. If you
look at this list to this white – the white text here, you see that you know it’s a long list, it’s a non-
exhaustive list by the way and it’s a list that we constantly address, so we’re constantly revving
our architecture to provide for the best class integration points.
One of the recent ones we did for example is, let’s see here, this should actually say SAF but
someone misspelled it, probably Andy – this is a z-based security mechanism. If you’re not
familiar with System z, basically, it’s a way of providing authorization rules in a System z-based
environment and I’ll tell you a little bit more about the significance of that.
All right, we talked ((inaudible)) a large part about this; so again, security encryption, digital
signature aspects across the entire spectrum of the flow, so if we have anyone that understands
the seven-layer OSI model, please raise your hand. Seven-layer OSI model. OK, we’ve got a
few. We’ve got a few. I’m just trying to make sure you’re awake. I wasn’t really going to talk
about it.
Now, the point I was going to make is if you look at that – if you look at you know how we layer
things – you know IP, TCP, HTTP, the content, right, XML, SOAP that DataPower has capabilities
of addressing all aspects of those from an encryption level and certainly transport level encryption
whether it’s SSL, we can you know enable that with HTTPS or if you want to have XML-centric
you know XML digital signatures, WS security from a SOA perspective, all those things are
capable of addressed by the appliance.
Now, you can leverage that in certain ways and you could be – when you architect a solution, you
can leverage the menu if you will of options that you have to better optimize your system, so one
example is in the context of last mile security, so some of our customers would say, “I really
want to – I really want to promote a (WSS-centric) methodology but I’m afraid that it’s from a
performance perspective, I’m trading off too much. How can I do that?”
So some customers will say, “Well, do that on the front side of DataPower and then enable some
different last mile security, say transport level security like SSL on the backside or the last mile
if you will,” and so that – you don’t – you end up not sacrificing you know the security
ramifications but you can sort of mitigate some of the performance penalty that’s associated with
that. A large number of customers that have looked in the things like that.
One area we’re looking at is in the Cloud space and you know Cloud is – you know it’s a great
buzz word. Everyone loves Cloud now as they get at this point. When I hear Cloud you know it’s
just kind of my eyes roll in the back of my head and say, “Oh, this is great.” What does Cloud
mean to me? Well, a couple of different things. A few different directions we’re heading at, from
a provisioning perspective, obviously, Cloud is important.
We of course are a conduit, a secure conduit by which seniors get into the enterprise. It’s a fairly
straightforward statement. I deploy DataPower appliance in the DMZ. I now have capabilities of
having things from outside get inside and so that I can access some servers. So from a Cloud
perspective, that’s where we’re headed. We’re looking at ways to ensure that when ((inaudible))
Cloud, that will enable us – you know DataPower would enable us a secure conduit by which we
can access data that resides in the cloud – in the enterprise.
So being that – being that bridge. Now, today, a lot of the capabilities that we have are very
relevant in this space, right, where about fire-walling is certainly a relevant part of discussion
here, the fact that we’re DMZ ready, so on and so forth. That’s all I’m going to say about this for
now. Maybe, I’ll come back to this tomorrow.
So let’s take a look at the example. This is an example that someone threw together; it wasn’t
me, probably Andy, that describes our XS40 appliance used in conjunction with a number of
backend. So in this case, they wanted to you know reach about security, promote a Web
services infrastructure, and what I think here is that this provides a centralized point of doing
policy enforcement.
So in this case, we’re actually going off to some – doing some sort of identity mapping and
probably injecting some ((inaudible)) on the backend whether it’s ((inaudible)) or something else
based on some authentication or authorization step that takes place here.
So the interesting thing about this is that, well, these are heterogeneous providers here, right, and
as you’ll see with XI50, we can get – we can get broader than Web services by using some of our
integration mechanisms but at the end of the day we’re intermediary architecture that’s providing
a virtualized layer and allowing instantiation of a number of policies that will enable us to do
things like authentication, authorization, and so forth.
All right, the XI50; the XI50 add the capabilities of integration particularly of transformation to
XS40 set of appliances. So if you look at the transport, there’s a number of transports that is
deployed, things like JMS, things like MQ, even third party vendors such as (Tipco); missing on
this list is IMS Connect, SFTP; there may be a couple more.
The other aspect of DataPower that completes this picture is this notion of format transformation,
the notion of extending this SOA virtualization and being able to transform the data to things that are of
heritage or legacy services, COBOL copybook or (DLX) copybook or whatever – whatever the
case might be being able to convert an XML payload to a binary payload via this internal
component that we call DataGlue.
We also provide access to a number of databases from our XI50 appliance. So we have
connectivity DB2, Sybase, Microsoft SQL server and – Andy, I’m counting on you – Oracle, thank
you. I was you know – it took a while. All right, it was something like that. I thought of it but I
don’t want to say it. So the canonical patterns here are two folds; one is this notion of message
enrichment.
So I have a request; the request comes into the architecture and I’d like to inject some aspects of
something that I feel – some information that I can extract from a database. So (three-wire) are
our configuration essentially in our programming model which is XSLT based. I’ll talk about that
in a minute. We can actually go off to that database, extract some field and inject that into the
processing payload, en route to the data whether it’s data on the way in or data on the way out.
You can consider that kind of a (T) model for going off the box.
The other aspect is viewing the database as service endpoint itself, all right. So a large number
of legacy services might include say stored procedures in a database environment and I’d like to
enable that via a virtualized layer via a Web service call. So being able to convert SOA over –
you know XML SOA over HTTP to say SQL over DRDA, we would be able to do that with the
XI50 and we have some tooling built around this; if you’re interested, let me know and I can tell
you all about it ((inaudible)) that wasn’t the right button.
Content-based routing is another aspect of our XI50, the idea that we can apply you know as
data-specific or application-specific rules to route requests to a certain endpoint, so things like
((inaudible)) on an XML and based on that, we would determine the eventual destination;
obviously, those are things that we would support. This is an area that we’re constantly evolving
because what we’re doing now is looking at better ways to understand what our destinations are.
So by and large today, this is a very static view, meaning on the box there is a routing table and I
respect the routing table to make routing decisions. Now, that routing table could be codified as
in a style sheet or it could be codified in a separate file that’s processed by a style sheet or
something that’s actually in configuration.
But it is very much a very static, very configuration-centric model and the ways that we’re
looking now to evolve this is to really better understand what the backend applications are, be
able to consume in runtime states on those applications, say it’s the WebSphere application
server running (Jade 3) environment being able to understand what that topology looks like, what
applications are deployed, where and be able to create the runtime state required to be able to
route those things in the most effective way.
By the way, we’re expecting CPU wage or other load wage to be able to make appropriate load
distribution techniques. That’s something that is part of our application optimizations, feature
which I’ll talk hopefully more about today if I have time but if (Chuck) kicks me out, I’ll talk more
about it tomorrow.
All right, so I mentioned about message transformation. So at the end of the day, this is fairly
straightforward, schema, an input schema, an output schema and something that transforms the
input schema to the output schema. Today, there’s really two different ways of doing this. When
we began, it was very much an XML-focused discussion, an XML-focused use case.
I have XML. I have an XSLT. I have an output XML converting one from the other. Since then,
we’ve evolved this story and through collaboration with WebSphere transformation extender, we
now have the capabilities to go to and from binaries. So whether the input is binary, the output is
XML or vice versa, those things could be handled on the device.
From a transport perspective, again, rich set of transports that are constantly evolving; we talked
about some of these. Some of these are messaging based, so whether it’s you know MQ or
JMS, it essentially is about – there’s a queue somewhere that exists somewhere in the – you
know not on the appliance.
I’d like to take this message and send it you know place it on the queue. It’s very different than
the other transports that we provide which are client server based and I have an HTTP server
facade in my front-side protocol handler. Clients would connect the way they would normally
connect to an HTTP front end. They would do an HTTP deck port or whatever it is that they so
desire, and on the backside we can actually convert that to queuing and de-queuing mechanisms
over say you know MQ or JMS.
One of the things that we get – an interesting thing that we get is that when we do a client-server-based
implementation, they’re sort of tied at the hip; we sort of get them for free. So when we did
IMS, we would essentially get the IMS capability on the front side as well. No one’s really
interested in creating an IMS Connect façade to, say, a Web service, because that would be
ridiculous, but if they wanted to, they could do that with the appliance. Again, our database
connectivity with our supported databases is there.
Integration within IBM: so from a security perspective, there’s a large breadth there in terms of
what we can do – authentication, authorization against, also identity mapping with integration with
TFIM. From a messaging perspective, of course with MQ and JMS, a strong set of collaboration
there; strong collaboration around governance with the WSRR products, to be able to extract Web
service information from the registry and be able to instantiate proxies that respect those policies
contained within that WSRR installation.
From a transformation perspective, we talked about the integration there, leveraging the tooling
that’s there, the infrastructure that’s there; DB2, obvious integration there, we talked about that;
and the last one is System z.
There really should be a lot more things here, but our System z strategy has been evolving over a
long period of time. It’s very interesting how it’s come to where it is
today. If you look at it, it actually involves four major points. One is from a runtime perspective,
so we have System z customers, I assume ((inaudible)), others – one, two, three, four, five, six,
seven, all right.
So if you look at System z, you know, subsystem integration, right. So what is the best way for me
to access a CICS application or an IMS application or, you know, a stored procedure, DB2, et
cetera, et cetera? And, you know, to obviously continue to evolve that story from a transport
perspective, but what does the use case look like, right?
And so I can talk all day about that, but from a transport perspective, we’re constantly evolving
that connectivity, those connectivity options: IMS Connect, that’s something we support today;
CICS, we have some interesting integration with CICS Web services, then we can talk more – I’ll
probably talk about this tomorrow as well.
The security point of view, again, a lot of integration there. So if you look at System z, System z
has a really heavy emphasis, a heavy focus, on being the security hub, if you will, of the enterprise,
and so a lot of the things that we’ve enabled have allowed us to reach into System z in a secure
fashion to be able to perform the things that we perform.
So, two key aspects; one is in the context of authentication and authorization. So we can actually
invoke our SAF-based infrastructure inside System z and query it to determine whether – in a
secure way to determine whether a particular user is a valid user and determine whether it has
access to this particular SAF-based resource as specified by the SAF endpoint.
We can also now, as of 3.8.0, essentially query for security information – keys, essentially – from
System z, so we can extract, download the keys that we need on the fly, on demand, and the
opposite of that, which is what I call the on-loading operation: being able to take a private key
operation, actually transport it securely into the System z to ((inaudible)) key, get the result, and
use that in our heavy lifting inside DataPower.
So it’s kind of a two-way street in terms of being able to integrate from a security perspective,
again, all with the notion of really building out this broad integration that doesn’t sacrifice the
security aspects of System z when leveraging DataPower.
All right, let’s talk about hybrid bus. So the common question we always get is, you guys have
three ESBs, when do I use one versus the other? I think I have one – 15 to 20 – 20? Great. And
the answer is, look at the heritages of the products. These products are – if you look inside,
they’re built very differently. One has its roots in (labs), WESB; Message Broker, obviously with
different historical roots from an MQ infrastructure; and DataPower, from an appliance perspective,
is very different.
So I talked to you about the key characteristics of the appliance thing, and very often our
customers ask, “Well, how do I know when to stop, or how do I know if I need
something else?” The appliance itself is predominantly configured, so I instantiate a flow of
actions declaratively. This is a decrypt action. This is a route action.
This is a traffic-shaping action, and that’s how I imagine it, but I can also extend it through this rich
use of XSLT; in fact, from the device what we enabled is something that we call extension
functions. So literally almost everything that we do is actually implemented as XSLT through the
use of these extension functions, and so it provides a very rich, a very robust
environment. XSLT is a Turing-complete language, and so essentially you can do anything if you
wanted to.
Now, the question is, do you really want to, right? Do you really want to have the skills, you know,
to build out all these broad levels of XSLT in house? And more than likely, you have a limit there.
At some point, you say this goes beyond really the customization aspects that I would
want to have.
So what does it not allow you to do? I can’t run arbitrary Java code and run it on the device. I
can’t, you know, run in fact any other code; the only thing I could really run is XSLT and –
So where we begin to sort of draw the line is, if you look at the use cases that you have – and again,
this is really a question of, you know, what skills do I have and how am I organized from a
business perspective – but in the customers that I’ve seen, there becomes that sort of well-defined
space.
I tend to view it this way. Integration problems that are prominent in my environment can be
solved by DataPower, by and large, right. So from a transformation perspective, from a transport and
data format perspective, if you can – you know, if the transport is on the supported list, I’m pretty
confident that it’ll work.
Now, obviously, there’s going to be some overlap in terms of how you do these things with other
appliances – I’m sorry, with other products – and there might be a need for, you know, either
switching or actually deploying these things together. If I had some arbitrary Java code
or some more elaborate infrastructure, or if I have, you know, an already standing WESB
environment that I’d like to integrate with and provide some security capabilities of DataPower, all
those things work well; in fact, it’s a broad pattern that many of our customers use today in
production.
So it’s a question that really is addressed by heritage and also addressed by the skills that one
has; if you have specific examples or specific questions about that, find me, let’s talk,
and we can, you know, make some recommendations as to how I would proceed.
The one thing that we’re doing, of course, is – you know, we don’t work in vacuums. We have a large
amount of integration that’s taking place with all these other products that is going to enable us
to, you know, continue to work with those things, like federation, like integration through our
registry or repository, all the things that are key aspects that are important to us because they
help us follow the business problems that we have moving forward.
So using those things, using these tools – this collection of tools collectively – you’re going to
see a lot more of a robust and powerful solution than one would by itself, but again,
((inaudible)), so we can talk about that. In general, it’s really fairly straightforward; our customers
end up deploying what we would call this hybrid bus.
So this collection of appliances to implement the ESB pattern, if you will, ends up running the bulk of
their volume, or the bulk of the work, through DataPower appliances; the transformation, security
aspects, generally DataPower is the choice there, but in terms of the breadth of function that’s
required, or the customization that’s required, you really wouldn’t do the bulk of that on
DataPower; you do the declarative – you know, the 20 – the 80/20 rule in terms of fitting that into
the environment. So again, we’ll talk more about that.
Let’s take another example; here’s an XI50 example. In this particular case, we’re running in an
environment where we need to do some virus scanning, so this is actually deployed in a DMZ. Again,
the XI50 is a DMZ-capable appliance. It’s going off to some backend Message Broker, and we’re
doing some sort of authentication, authorization calls to some identity database here.
So it’s a normal, canonical use case for – we support ICAP, by the way, here, which is a
mechanism to offload essentially all of this, so that the virus checking can occur off box; ICAP
is an API for that.
Let’s talk about System z. We mentioned a large number of these things already. Let me just
quickly recap. This is probably the worst part in the deck, and I’m just noticing it now. I didn’t
write the slide; Andy did. I’m just making sure he’s awake. Andy didn’t create this. Don’t beat up
Andy, because he didn’t create this chart, but he just – all right, so let’s talk a little bit about this.
So again, there are four key aspects to a System z integration. One is this runtime aspect, the
transport aspect. One is the security aspect. I don’t want to sacrifice security if I’m using DataPower
to, you know – the System z people like to phrase it this way, offload things; well, you know, this is
about enablement, not just about offloading.
The other is tooling. What are you doing to support me so that I can actually deploy DataPower
in a consumable way without sacrificing the tools that I normally use for my System z pattern?
And the last one is management, and so from a management perspective, you know, how all these things
fit together on a glass. We have broad integration with Tivoli; we’ll continue to evolve that
Tivoli integration.
System z does as well. Right now, we’re working on some integration from a management
perspective with the Hardware Management Console with System z. So, continuing to expand on
that aspect. So we can consider it this way. We sort of began with things from a transport and
runtime perspective, have now declared large success from a security perspective, and are moving on
to the management plane in the next revisions.
Third-party vendors that we support: we talked about the database providers that we support. We
talked about the messaging providers that we support. So, you know, the bottom line is this:
DataPower in many of our use cases becomes the central point, the integration hub, or
whether it’s a centralized DMZ-resident entry point. It needs to talk to a lot of things, and so our
strategy is very clear and very open.
We provide first-class capabilities to integrate with IBM products, and we also provide first-class
mechanisms to integrate with third parties, particularly through the use of open standards, but in
some cases not necessarily. So it’s a two-headed strategy that enables us to be prosperous in
those integration environments. We talked about SOA governance, but, you know, again at a high
level, it’s about control, about policy enforcement. I think I’m going to save this one for – are we
doing questions today? I didn’t realize that. Fair enough.
We’ll talk a little bit about WSRR integration. So where are we today? Today, we can have Web
service descriptions in WSRR. We can extract those Web service descriptions and create proxies
that automatically, dynamically are configured to support those Web services. We have
capabilities for interacting with some tooling, whether it’s Tivoli based or not, to allow us to monitor,
from a centralized monitoring perspective, what’s going on in the environment.
So if you look at the monitoring aspect, there are really two key things. One is monitoring of
appliances, just the appliance box itself from a system level; a lot of capabilities there. We
support SNMP, a number of different ways to script health statistics off the appliance; and then from
a functional perspective, a Web services perspective, integration with things like ITCAM for SOA to
understand what Web services are deployed, you know, how big are the messages, et cetera, et
cetera, et cetera.
So if you look at this conceptually, where does that lead us? So, great. Now we have this notion
of a registry; we have this notion of being able to extract the information we need from that
registry to dynamically deal with these Web services; but now we’re exploring and moving into the
realm of policies. Today, we can extract policies, security policies, from WSRR, apply them on
the device, and enforce them on the device as the policy enforcement point.
Where this is heading is in terms of what additional types of policies we’d like to have. So things
like quality of service policies, or maybe there are other types of policies that we’d like to codify in
WSRR and dynamically extract and enforce on the appliance. This is an evolving
strategy. It’s something that we’re working on today.
All right, let’s talk a little bit about – we kind of covered this; the only thing really I want to say about
this is support for XACML for doing access and authorization checking; very broad support
there from an enforcement point of view; it integrates with another service tool called TSPM and
provides additional mechanisms for security policy enforcement. I keep doing that; here we go.
So here’s another example. Here’s another customer example where we have an XI50 and an
XS40 deployed together.
So this is in a DMZ environment, and this is essentially the ESB pattern, the integration hub
pattern. It looks like in this case we are using a WSRR environment; we’re extracting the Web
service configuration, going off box to probably an ITCAM or some monitoring tool that’s going to
enable us to capture statistics about what’s ((inaudible)), and presumably there are lots of backend
services at this integration. From a DMZ perspective, imagine what we’re doing: you know, triple-A
type checking here, digital signatures and verification. We can probably do content checking
here as well as virus checking if we want to, IP- and TCP-level type processing as well.
All right, quickly about the XB60 appliance. The XB60 appliance is something that we launched
around a year and three months ago or so, maybe a year and two months ago. It is a DMZ-capable
appliance that, you know, basically enables partner transactions from a B2B perspective
through the AS2, AS3 type business pattern.
The idea is that you would create – I don’t think I have a picture of this – you would create this B2B
gateway service in each of the partner environments, and between the two, they would coordinate
with each other, sending back transaction requests and MDNs, message disposition notifications,
that will essentially ((inaudible)) I got this transaction. This is the process – you know, the
transaction, et cetera, et cetera. From a high-level perspective, that’s the precision in terms of
what we have; the gateway – it is essentially the B2B gateway capability.
If you’d like to have other – you know, other services like, you know, EDI processing, et cetera, you
would have to deploy that, I would say, in a trading manager or some – another solution, but this is
something that we’re looking at now in terms of what, you know, the direction is; but today it
is very much the B2B gateway capabilities. One of the interesting things that we’re doing now is
looking at the high availability aspects of this type of solution, and so we’re evaluating where to go
there. If you’d like to learn more about that, let me know.
Low latency messaging is embodied in our XM70 appliance, which has capabilities for LLM,
something that integrates with our WebSphere Front Office offering. It supports also some TIBCO
messaging protocols and something called TIBCO RV, which you may not have heard of.
Fundamentally, what it really means is I have some data.
It is of a certain format, and I need to do something with that data quickly, and once you do it, I need to
be able to disseminate that via what are essentially multicast routing protocols embedded inside
the device to distribute that to interested parties. So there are routing mechanisms that allow me
to do that, I’d say, at the field level, and so depending on what kind of content it is – typically,
typical contents are fixed format – and we could – you know, the canonical question we get is when
is SWIFT support coming; from a format perspective, that’s not something that’s here
today but something that we’re looking at. So if you’re interested in that, let me know.
There also has been first-class support for the entire traditional XI50 type capability so that you
can bridge from one to another. So if I have, say, an environment where I’d like to use this low
latency messaging capability and bridge it to a Web service HTTP type environment, I could do
that with the XM70 appliance.
This is just a high-level conceptual picture of what that looks like – multicast is a problem, by the way. It
is a ((inaudible)) problem, a lot of solutions. At the end of the day, all the solutions end up
gearing towards what are called overlay networks. So the idea is that you are actually effecting
the multicast at a higher level. If we have any network administrators in the house, we all know that
– you would all know that multicast is a big no-no in most environments. Most customers end up not
enabling multicast across LAN segments, you know, from a policy perspective, because it
could lead to essentially storms of information.
So at the heart of this problem is, how do I disseminate quickly a large amount of data in a way that
allows me to control what data gets sent – you know, because if I enable this broadcast capability
– you know, if here, you know, everyone would be expected or anticipated, you know, to be screaming in
the room every five seconds, no one would ever hear each other. So how do we control that
medium in a way that allows us to make forward progress?
At the end of the day, what happens is you have this overlay from an application perspective that
allows these nodes to coordinate and be able to effectively disseminate the information. That’s
really what this is talking about: a couple of different options in terms of how you do that, whether
it’s acknowledgements or NAKs, which is basically negative
acknowledgements, using that information to effect these multicasting mechanisms. Wow, you
really can’t read that. Thanks, John.
So let’s – I blame this one on Chuck. So let me walk just quickly through this. Where have we
been? We began many moons ago; we’ve been constantly revving our product, and so I can’t
even see it myself. Where are we today? So today, we delivered 3.8.0, which is our last
release, with ((inaudible)) in December of last year. The big thing was application optimization.
I’ll tell you a little bit more about that in a second, as long as I don’t get the boot. We’ve done a lot
of z/OS integration recently. Support for ((inaudible)) was fairly recent. This is actually wrong; that
was in 3.7.3. Recently, we had a big initiative around IPv6. We’ve revved our XB60 and XM70
appliances with core funding support to bring them forward. Interoperability is always a big thing
((inaudible)) from a WSR perspective, being able to support the latest standards; always on the
go here, and so as we now move into 2010, a number of other interesting subjects, but you can
look at this as a reference moving forward.
So we talked a little bit about application optimization. Let me just give you one more little tidbit
about application optimization. We talked about this backend flow here, so being able to
understand what’s going on from a runtime perspective, particularly when we have a WebSphere
environment.
What’s happened today is essentially we now have an information conduit between WebSphere
application servers to be able to extract what applications are running where and how, and using
that information to appropriately route and do load distribution and provide session affinity to
those backends. So this story is not only about the WebSphere application server, but today it’s
((inaudible)); we’re constantly evolving that, looking at expanding into third-party vendors.
This other thing here, this green arrow, talks about self-balancing. The self-balancing aspects of
AO enable us to essentially use an internal connection dispatcher to distribute load
amongst DataPower appliances that are collaborating with one another. So the idea is, if I have
four DataPower appliances, I may not have a fronting IP sprayer to distribute load across those, and
oh, by the way, the key design point here is that for most DataPower use cases, the overhead of
performing this capability, which is now being done on a DataPower appliance, is essentially
negligible.
If you’re interested, let me know. We’ll talk more about this. So I’ll have a ((inaudible)) tomorrow,
and that’s my last chart. Thank you to Chuck. I think it actually was the last one.
END
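The talk mentions, in the DMZ virus-scanning example, that the appliance offloads content scanning to an external scanner over ICAP. The following is an added example, not part of the transcript and not IBM DataPower code, that shows what that exchange looks like on the wire: the gateway side wraps the client's HTTP request in an ICAP REQMOD request (RFC 3507), a simulated scanner answers either 204 (unmodified, forward it) or 200 with a replacement HTTP 403 response, and the gateway acts on the verdict and fails closed on anything else. The hostnames, the service name "avscan", the marker string the scanner matches and the threat name are all constructed for the example; the X-Infection-Found header is a vendor convention rather than part of the RFC.

```python
"""Added example: a minimal ICAP (RFC 3507) REQMOD round trip between a DMZ gateway
and an off-box content scanner. Both sides are implemented here so it runs offline;
the scanner is a constructed stand-in that matches a made-up marker, not real AV."""

MALICIOUS_MARKER = b"MALWARE-TEST-SIGNATURE"  # constructed stand-in for an AV signature hit


def chunked(body: bytes) -> bytes:
    """HTTP chunked transfer-coding, which ICAP requires for encapsulated bodies."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    """Inverse of chunked(); tolerates chunk extensions after ';' on the size line."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the chunk payload and its trailing CRLF


def parse_icap_message(data: bytes):
    """Split an ICAP request or response into (start line, lower-cased headers, encapsulated bytes)."""
    head, _, rest = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def encapsulated_offsets(headers: dict) -> dict:
    """Parse 'Encapsulated: req-hdr=0, req-body=68' into {b'req-hdr': 0, b'req-body': 68}."""
    return {k.strip(): int(v.strip()) for k, v in
            (part.split(b"=") for part in headers[b"encapsulated"].split(b","))}


def build_reqmod(icap_host: str, service: str, http_headers: bytes, body: bytes) -> bytes:
    """Gateway side: wrap the client's HTTP request (header block + body) in an ICAP REQMOD.
    'Allow: 204' lets the scanner answer 204 without a preview when the content is clean."""
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with CRLF CRLF")
    enc = (b"req-hdr=0, req-body=%d" % len(http_headers) if body
           else b"req-hdr=0, null-body=%d" % len(http_headers))
    icap = b"\r\n".join([
        b"REQMOD icap://%s/%s ICAP/1.0" % (icap_host.encode(), service.encode()),
        b"Host: %s" % icap_host.encode(),
        b"Allow: 204",
        b"Encapsulated: %s" % enc,
    ]) + b"\r\n\r\n"
    return icap + http_headers + (chunked(body) if body else b"")


def scan_reqmod(icap_request: bytes) -> bytes:
    """Scanner side (simulated): 204 if the encapsulated body is clean, otherwise 200 carrying a
    replacement HTTP 403 response that the gateway relays to the client instead of forwarding."""
    start, headers, rest = parse_icap_message(icap_request)
    if not start.startswith(b"REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    offsets = encapsulated_offsets(headers)
    body = dechunk(rest[offsets[b"req-body"]:]) if b"req-body" in offsets else b""
    if MALICIOUS_MARKER not in body:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    text = b"Request blocked by content scanner\n"
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(text))
    icap = (b"ICAP/1.0 200 OK\r\n"
            b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed-Test-Signature;\r\n"
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http))
    return icap + http + chunked(text)


def gateway_verdict(icap_response: bytes) -> dict:
    """Gateway side: turn the scanner's reply into forward/block, failing closed on surprises."""
    start, headers, rest = parse_icap_message(icap_response)
    status = int(start.split()[1])
    if status == 204:
        return {"action": "forward", "status": 204, "threat": "", "relay": b""}
    if status == 200:
        offsets = encapsulated_offsets(headers)
        res_hdr = rest[:offsets[b"res-body"]]
        res_body = dechunk(rest[offsets[b"res-body"]:])
        return {"action": "block", "status": 200,
                "threat": headers.get(b"x-infection-found", b"").decode(),
                "relay": res_hdr + res_body}
    # Any other status (error, unsupported method) must not let the request through unscanned.
    return {"action": "block", "status": status, "threat": "", "relay": b""}


def gateway_decision(body: bytes, path: bytes = b"/upload") -> dict:
    """Run the whole exchange in-process: build REQMOD, hand it to the scanner, act on the reply."""
    http_headers = (b"POST %s HTTP/1.1\r\nHost: api.example.com\r\n"
                    b"Content-Length: %d\r\n\r\n" % (path, len(body)))
    request = build_reqmod("icap.example.net", "avscan", http_headers, body)
    return gateway_verdict(scan_reqmod(request))


if __name__ == "__main__":
    print(gateway_decision(b"hello, clean world"))
    print(gateway_decision(b"payload " + MALICIOUS_MARKER))
```

The fail-closed branch in gateway_verdict is the part a real deployment most often gets wrong: a scanner timeout or 5xx should block (or at least be an explicit, logged policy decision), not silently fall through to the backend.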