WebSphere DataPower SOA Appliance: The XML Management Interface

August 11th, 2008 syndication Posted in DataPower, DeveloperWorks No Comments »

From Developerworks, WebSphere DataPower SOA Appliance: The XML Management Interface
Draft Redpaper, last updated: Thu, 7 Aug 2008

  - Appliance Management Protocol (AMP)
  - SOAP Configuration Management (SOMA)
  - Debugging

The XML Management Interface is the third way to configure and administer the WebSphere DataPower SOA Appliance, besides the WebGUI and the CLI.
Kudos to the DataPower people for putting out more information about this interface; it is useful for administrators who like to run scripts to configure their environments.
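As an added example (not code from the Redpaper, from IBM or from this post), here is a small Python client for the SOMA side of the interface: it builds a get-status request, shows how to send it over TLS with certificate verification left on, and parses the reply. The endpoint https://host:5550/service/mgmt/current, the namespace http://www.datapower.com/schemas/management, the ActiveUsers status class and the sample reply are my assumptions (the reply is constructed, not captured from a box); check them against the Redpaper for your firmware level before relying on them.

```python
"""SOMA (XML Management Interface) client sketch.

Added example, not code from the Redpaper or the appliance. Assumptions:
the endpoint path /service/mgmt/current on port 5550, the management
namespace below, and the shape of the sample reply (constructed here).
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DP_NS = "http://www.datapower.com/schemas/management"   # assumed namespace
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("dp", DP_NS)


def build_get_status(domain, status_class):
    """SOMA envelope asking for one status provider in one application domain."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}request" % DP_NS, {"domain": domain})
    ET.SubElement(req, "{%s}get-status" % DP_NS, {"class": status_class})
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def send_soma(host, user, password, envelope, cafile):
    """POST the envelope to the XML management port with TLS verification on.

    Never turn verification off here: whoever can intercept this connection
    gets the admin credentials and can rewrite the appliance configuration.
    The CA file should contain only the issuer of the appliance's certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        "https://%s:5550/service/mgmt/current" % host,   # assumed SOMA endpoint
        data=envelope, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def parse_status(response_xml, status_class):
    """Flatten every <status_class> record under dp:status into a dict."""
    root = ET.fromstring(response_xml)
    rows = []
    for status in root.iter("{%s}status" % DP_NS):
        for record in status.findall(status_class):
            rows.append({child.tag: (child.text or "").strip() for child in record})
    return rows


# Constructed reply in the shape I expect from get-status; not captured from a box.
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>2008-08-11T10:00:00-04:00</dp:timestamp>
      <dp:status>
        <ActiveUsers><session>1</session><name>admin</name><connection>web-gui</connection></ActiveUsers>
        <ActiveUsers><session>2</session><name>deploy</name><connection>xml-mgmt</connection></ActiveUsers>
      </dp:status>
    </dp:response>
  </env:Body>
</env:Envelope>"""


def active_user_names(reply=SAMPLE_REPLY):
    """Names of logged-in users, e.g. to audit who else holds admin sessions."""
    return [row["name"] for row in parse_status(reply, "ActiveUsers")]


if __name__ == "__main__":
    print(build_get_status("default", "ActiveUsers").decode())
    print(active_user_names())
    # Against a real appliance (not run here):
    # reply = send_soma("dp.example.internal", "admin", "secret",
    #                   build_get_status("default", "ActiveUsers"), "dp-ca.pem")
```

The management port carries the admin credentials with every request, so the script treats the CA file as mandatory rather than optional; a script that disables verification to "get it working" is exactly the kind of thing that ends up in a cron job.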

Passed Certification Test 284: IBM WebSphere DataPower SOA Appliances Firmware V3.6.0

June 23rd, 2008 dan Posted in Certification, DataPower 2 Comments »

I re-wrote IBM DataPower Certification test 284 over the weekend and passed with 75%, where 60% is required. Taking the course made my life a lot easier. I still spent two hours writing and reviewing the answers, but I was a lot more confident about passing when I ended the test.

I did notice that there is a bug in the Prometric Windows-based client (non web-browser) that you need to be aware of. One of the questions asks “Which of the XMLs is invalid”, and the answers use xmlns to define namespaces. The problem is that the URLs follow the http:// format, and the Windows client turns them into blue underlined hyperlinks while removing the surrounding quotes. This makes three of the answers appear to be invalid XML.

I have emailed the only person in IBM who I know is deeply involved in the certification organization and I hope IBM will either update the question or fix the windows client bug.

The other weird thing about the Windows client was that I didn’t see an option to provide feedback directly when ending the test but before getting the score. I took notes about questions that I really disliked and wanted to provide feedback on, but I didn’t have the opportunity. The ‘paper’ I was given to record my notes on when writing the test was an erasable surface that had to be returned at the end.

Anyway, the test was pretty much the same one that I had written previously, except that the hard questions came first, which freaked me out a bit :-)

DataPower Problem Determination Techniques

June 16th, 2008 syndication Posted in DataPower, DeveloperWorks No Comments »

From DeveloperWorks, DataPower Problem Determination Techniques
Draft Redpaper, last updated: Fri, 13 Jun 2008

This IBM redpaper provides a guide to many aspects of problem determination on a DataPower appliance, with an emphasis on its powerful troubleshooting utilities.
This redpaper illustrates how to debug issues in DataPower using a scenario driven model.

DataPower Course WB552 Overall Impressions

June 10th, 2008 dan Posted in DataPower, Reviews No Comments »

I have to admit that I was very impressed with DataPower Course WB552. The content of the course covered everything that one would need to know about how to use the box, along with security. It also provided a lot of opportunity to go off the beaten path and try modifications on your own. I felt like I got a good feel for debugging on the box, as you would almost always miss a step (by default a rule is bi-directional, which will throw an error when you only have security on one side).

When you are in this debugging mode, the box provides a pretty good view of exactly what was going on with the ability to see the complete trace log for a single transaction, even though sometimes the errors themselves are cryptic. Luckily, I have more than enough experience translating developer exceptions into English from WebSphere Process Server.

The time allocated for the labs is quite large, and you get the opportunity to leverage the skill of your teacher to explain certain dialog boxes and work out the DataPower programming model. An example of this was when I was trying to set two URLs in a match rule, thinking that the operation between multiple rows in the list was an ‘OR’. It’s actually an ‘AND’, meaning that my match would have to satisfy both URL rules.

Given that I had previous DataPower experience, both from writing the certification test and from reading the course beforehand, my view may be a little skewed, but I noticed that the entire class was able to keep up and usually worked ahead of the lecture::lab relationship.

I was told that there is a follow-on course for WB552, I’m not exactly sure which one it is, or what they start to get into.

I totally recommend this course to anyone who wants a better understanding on the hands-on use of the datapower box.

Curiously, I was also informed that the IBM Business Partner Virtual Innovation Center does not currently provide a DataPower box. This makes it difficult for partners to get the hands-on skill or be able to rerun the labs on their own time. Hopefully this will be addressed soon by IBM.

WB552: Random DataPower Thoughts Part 12

June 6th, 2008 dan Posted in DataPower No Comments »

Message set (traffic pattern)

Count monitors increment based on condition.

Duration monitors occur when a configured amount of time passes during processing of messages for the condition.

Message count monitors would be used to limit requests to a certain rate (100/second).

Message duration monitors are clock-based. They measure things like average server response time.

Traffic definitions are grouped into Message Type definitions, Filter Action definitions, Monitor definitions and the monitor-service association.

Tree: Service -> Message Monitor -> ((Message Types -> Message Match)  | Message Filter Action)

OBJECTS -> Monitoring.

Traffic Definitions identify raw traffic streams.

Durations:

Request: time required by the appliance to process requests (inside DataPower)
Response: time required by the appliance to process responses from the server (inside DataPower)

Server: time required by the back-end server to process requests (server request + server response)

Message: the round trip for a message (DataPower entry to DataPower exit)

Message Filter Action -> What to do when the filter is true.

SLM: Service Level Monitoring, i.e. web-service level monitoring.

SLM Policy consists of 1 to n statements which consist of restrictions of traffic.

Statements -> Counts messages or duration. Executed in order.

Can be created top-down or bottom up from the Objects -> Monitoring menu.

SLM policies must be added as actions in the policy editor.

Ensure that the SLM action is placed before the Results action, or your SLM will not run. Also, the SLM page of the WS Proxy has no effect unless there is an SLM action.

SLM Action chooses an SLM policy to run.

SLM action consists of a credential class, a resource class, thresholds and the actions to take.

Token-Bucket: Total number of concurrent requests ?
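To make the count-monitor idea concrete, here is an added example (my code, not the appliance's) of the usual building block behind a "100 requests per second" threshold: a token bucket per client key, with a filter action of reject when the bucket is empty. The clock is injected so the run is reproducible offline; the client addresses and timestamps are constructed. One thing worth noting against the question above: a token bucket bounds the admitted rate and the largest burst, not the number of requests in flight at once, which is a separate concurrency counter.

```python
"""Count-monitor style rate limiting with a token bucket.

Added example, not the appliance's code. It models the "limit requests to a
certain rate (100/second)" count monitor: every client key owns a bucket that
refills at `rate` tokens per second up to `burst`, and a request passes only
if a token is available. The bucket bounds rate and burst size, not the
number of concurrent requests. All timestamps and addresses are constructed.
"""


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)       # sustained requests per second
        self.burst = float(burst)     # bucket capacity = largest admissible burst
        self.tokens = self.burst      # start full
        self.last = None

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CountMonitor:
    """One bucket per client key (source IP, or the AAA identity of the caller)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.rejected = {}

    def check(self, client, now):
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst))
        if bucket.allow(now):
            return "pass"
        self.rejected[client] = self.rejected.get(client, 0) + 1
        return "reject"          # the filter action; could also be shape or notify


def simulate():
    """Drive the monitor with a constructed traffic pattern."""
    monitor = CountMonitor(rate=100, burst=100)

    def passed(client, now, n):
        return sum(monitor.check(client, now) == "pass" for _ in range(n))

    return {
        "burst_at_t0": passed("10.0.0.5", 0.0, 150),        # 100 pass, 50 rejected
        "after_half_second": passed("10.0.0.5", 0.5, 60),   # 50 refilled, so 50 pass
        "other_client": passed("10.0.0.9", 0.0, 10),        # separate bucket, all pass
        "rejected_total": monitor.rejected["10.0.0.5"],     # 60
    }


if __name__ == "__main__":
    print(simulate())
```

Keying the bucket on the authenticated identity rather than the source IP is what turns this from a generic rate limit into the per-credential-class threshold an SLM action expresses; keying on IP alone is defeated by anything behind a shared NAT or proxy.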

WB552: Random DataPower Thoughts 11

June 5th, 2008 dan Posted in DataPower No Comments »

Tivoli Directory Integrator can integrate multiple LDAP directories.

LDAP Search Attribute is the attribute in the LDAP that you want to look up.

Load Balancing Algorithms:

  1. First-Alive: secondary servers are only called when the primary server is down, so the first alive entry is always used.
  2. Hash: hashes the IP address of the client to provide affinity between clients and servers.
  3. Least-Connections: chooses the server with the fewest open connections.
  4. Round-Robin: forwards each request to the next server on the list.
  5. Weighted-Round-Robin: forwards each request to the next server on the list in proportion to the weights as entered.

LDAP load balancing damp time specifies how long a server should be marked as unavailable when a health check fails.

If all servers go down, the default behaviour is to wait for damp time expiration or for the health check to find an active server.
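The following is an added example (mine, not the appliance's implementation) that puts the five algorithms and the damp-time rule side by side in one small load balancer group, so the "all servers down" behaviour can be seen rather than described. Member names, weights and timestamps are constructed; the smooth weighted round-robin variant is one common way to realise the weighted algorithm and is not claimed to be the appliance's exact scheduling.

```python
"""Back-end selection with the five algorithms above, plus damp time.

Added example, not the appliance's code. A member that fails a health check
is marked down for `damp_time` seconds; selection skips damped members and
returns None only when every member is damped, which is the "wait for damp
time to expire or for a health check to pass" case. Member names, weights
and timestamps are constructed.
"""
import zlib


class LoadBalancerGroup:
    def __init__(self, algorithm, members, damp_time):
        self.algorithm = algorithm
        self.members = [name for name, _ in members]      # list order = priority
        self.weights = dict(members)
        self.damp_time = damp_time
        self.down_until = {}                              # name -> retry time
        self.connections = {m: 0 for m in self.members}   # open connections
        self._next = 0                                    # round-robin cursor
        self._credit = {m: 0 for m in self.members}       # weighted RR state

    def health_check_failed(self, name, now):
        """Damp the member: it is not used again until damp_time has passed."""
        self.down_until[name] = now + self.damp_time

    def health_check_passed(self, name):
        """A passing probe clears the damp period early."""
        self.down_until.pop(name, None)

    def healthy(self, now):
        return [m for m in self.members if self.down_until.get(m, 0) <= now]

    def select(self, client_ip, now):
        pool = self.healthy(now)
        if not pool:
            return None
        if self.algorithm == "first-alive":
            return pool[0]                                # primary whenever up
        if self.algorithm == "hash":
            # Same client -> same member while the healthy pool is unchanged.
            return pool[zlib.crc32(client_ip.encode()) % len(pool)]
        if self.algorithm == "least-connections":
            return min(pool, key=lambda m: self.connections[m])
        if self.algorithm == "round-robin":
            choice = pool[self._next % len(pool)]
            self._next += 1
            return choice
        if self.algorithm == "weighted-round-robin":
            # Smooth weighted round robin: the member with the most accumulated
            # weight wins and pays back the pool's total weight.
            for m in pool:
                self._credit[m] += self.weights[m]
            choice = max(pool, key=lambda m: self._credit[m])
            self._credit[choice] -= sum(self.weights[m] for m in pool)
            return choice
        raise ValueError("unknown algorithm: %s" % self.algorithm)


def simulate():
    out = {}
    fa = LoadBalancerGroup("first-alive", [("primary", 1), ("secondary", 1)], damp_time=30)
    out["fa_up"] = fa.select("10.0.0.1", now=0)          # primary
    fa.health_check_failed("primary", now=1)
    out["fa_damped"] = fa.select("10.0.0.1", now=10)     # secondary for 30 s
    out["fa_expired"] = fa.select("10.0.0.1", now=31)    # back to primary
    fa.health_check_failed("primary", now=31)
    fa.health_check_failed("secondary", now=31)
    out["fa_all_down"] = fa.select("10.0.0.1", now=32)   # None: nothing usable
    fa.health_check_passed("secondary")
    out["fa_recovered"] = fa.select("10.0.0.1", now=33)  # secondary, before damp expiry

    wrr = LoadBalancerGroup("weighted-round-robin", [("big", 3), ("small", 1)], damp_time=30)
    out["wrr"] = [wrr.select("10.0.0.1", now=0) for _ in range(4)]   # 3:1 split

    lc = LoadBalancerGroup("least-connections", [("a", 1), ("b", 1)], damp_time=30)
    lc.connections["a"] = 5
    out["lc"] = lc.select("10.0.0.1", now=0)             # b has fewer connections

    h = LoadBalancerGroup("hash", [("a", 1), ("b", 1), ("c", 1)], damp_time=30)
    out["hash_sticky"] = len({h.select("192.0.2.7", now=0) for _ in range(5)}) == 1
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

For an LDAP group the damp time is a security setting as much as an availability one: too short and a failing directory is hammered with authentication requests that time out, too long and a single flapping replica takes a working server out of rotation for the whole window.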

WB552: Random DataPower Thoughts Part 10

June 5th, 2008 dan Posted in DataPower No Comments »

AAA: Authentication, Authorization and Auditing

Authentication can occur without external servers: an AAA info file, an LTPA token, a Validation Credential object (for certificates), or a SAML token (?). It can also use external systems: LDAP, SAML, Tivoli, RADIUS.

When hitting a web page, the request URL can embed a browser artifact that points to, and is resolved against, a third-party server.

Mapping credentials: map a credential from one system's format to another. The same applies to mapping the requested resource.

Post-processing steps inject the credentials into the message in a different format than the input.

WB552: Random DataPower Thoughts Part 9

June 4th, 2008 dan Posted in DataPower No Comments »

XML virus scanning uses a filter-action stylesheet, store://Virus-ScanAttachment.xsl. This transform needs to be modified to include the URL of your ICAP server.

Dictionary attack protection uses count monitoring.

SQL injection protection uses the store://SQL-Injection-Filter.xsl transformation.
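What a filter action of this kind actually does is walk the request document and reject it when any text node or attribute matches a pattern set. The block below is an added illustration of that approach in Python (my code, not the contents of store://SQL-Injection-Filter.xsl). The patterns and the three sample messages are constructed; the third message is benign and still trips the comment-marker rule, which is the point a practitioner should take away: a shipped pattern set needs tuning against real traffic before it is allowed to reject in production.

```python
"""Filter-action style scan of an XML request for SQL injection patterns.

Added illustration, not the contents of store://SQL-Injection-Filter.xsl.
The approach is what a filter action does: walk every text node and attribute
of the request, test each against a pattern set, reject the message on the
first hit. Patterns and the three sample messages are constructed; the
third sample is benign and still trips the comment-marker rule.
"""
import re
import xml.etree.ElementTree as ET

SQLI_PATTERNS = [
    ("union select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("select from", re.compile(r"\bselect\b.{1,100}\bfrom\b", re.I)),
    ("dml/ddl", re.compile(r"\b(insert\s+into|delete\s+from|drop\s+table|update\s+\w+\s+set)\b", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("comment/proc", re.compile(r"--|/\*|\bxp_\w+")),
]


def scan_xml(doc):
    """Return ("reject", reason) on the first match, else ("pass", "").

    In production parse with a hardened parser (e.g. defusedxml) so that
    entity expansion inside the message cannot exhaust the filter itself.
    """
    root = ET.fromstring(doc)
    for elem in root.iter():
        candidates = [elem.text or "", elem.tail or ""] + list(elem.attrib.values())
        for value in candidates:
            for name, pattern in SQLI_PATTERNS:
                hit = pattern.search(value)
                if hit:
                    return "reject", "%s in <%s>: %r" % (name, elem.tag, hit.group(0))
    return "pass", ""


# Constructed samples, not captured traffic.
ATTACK = b"""<?xml version="1.0"?>
<order><customer>bob</customer><item id="42">widget</item>
  <note>x' OR '1'='1</note></order>"""

BENIGN = b"""<?xml version="1.0"?>
<order><customer>Conan O'Brien</customer><item id="42">widget</item>
  <note>leave with reception</note></order>"""

FALSE_POSITIVE = b"""<?xml version="1.0"?>
<order><customer>bob</customer><item id="42">widget</item>
  <note>prices -- see attached quote</note></order>"""

SAMPLES = (("attack", ATTACK), ("benign", BENIGN), ("false_positive", FALSE_POSITIVE))


def verdicts():
    """Verdict per sample; the false positive shows why the patterns need tuning."""
    return {name: scan_xml(doc)[0] for name, doc in SAMPLES}


if __name__ == "__main__":
    for name, doc in SAMPLES:
        print(name, scan_xml(doc))
```

Scanning attribute values and tail text, not only element text, matters: an injection string placed in an attribute that the back end concatenates into a query is just as effective as one in an element body.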

DataPower: Can A Match Action Accept Multiple URLs?

June 4th, 2008 dan Posted in DataPower No Comments »

I have a match action which should accept /encrypt and /encrypt_fl . Could I have both of these specified in a single match action? When I tried it, I got a datapower error with the box unable to match. Not sure if this is user-error or what, but I thought I’d give a heads up to the world.

WB552: Random DataPower Thoughts Part 8

June 4th, 2008 dan Posted in DataPower No Comments »

SSL: message confidentiality, message integrity and authentication of the endpoints. (Non-repudiation of a message needs a digital signature on the message itself; transport SSL on its own does not provide it.)

Server always authenticates to the client. Client optionally authenticates to the server.

During an SSL handshake: negotiate the SSL version, decide on a cipher suite, authenticate the server, and build a secret key to be used for the session.

The client hello contains a list of cipher suites. The server responds with its hello, having selected a cipher suite from the list, and also sends its certificate. The client validates the certificate, then sends the symmetric-key material encrypted with the server's public key. The connection is now secured. The symmetric key exists for a specified time (2 min in the course's example) and is then renegotiated.

Server Identifies, Client Validates.

In the case of mutual authentication, your Crypto Profile would contain both a Crypto Identification Credential and a Crypto Validation Credential.

Forward SSL proxy: DataPower acts as the SSL client (towards the back end). Reverse SSL proxy: DataPower acts as the SSL server (towards the client). Stupid.

SSL Proxy Profile refers to a Crypto Profile which then refers to the key/certs.

WB552: Random DataPower Thoughts Part 7

June 4th, 2008 dan Posted in DataPower No Comments »

SSL Connections need Validation or Identification credentials based on which side of the conversation (client or server) the datapower box is.

Non-repudiation: how do you prove who the party on the other end is, so that they cannot later deny it?

Signature: a value computed over the message with the private key and checked with the public key. Only the holder of the private key could have produced it, so the receiver can verify the sender.

Message integrity: create a hash (message digest) of the message and then sign the digest with the private key.

Digital signatures provide the ability to authenticate who a message was sent by.

Signatures are created with the sender's private key. Messages meant for a recipient are encrypted with the recipient's public key.

A digital certificate wraps a public key with identity information about its owner. The certificate is signed by whoever issued it (self-signed, or a certificate authority). A certificate never contains the private key.

When generating a new private key, “Export Private Key” is the only way to get the private key off the box. The key is placed in the temporary filesystem, from which it can be downloaded. There is also an optional piece of hardware, the HSM (Hardware Security Module), that provides a way to get them off.

Export configuration does not include keys.

Certificates exist in a trust chain ending at a Certificate Authority (CA). Root certificates are the certificates we inherently trust.

You can poll a CRL (Certificate Revocation List) to determine whether a certificate is still good.

DataPower Certificate monitors check when certificates expire.
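The hash-then-sign division of labour in the notes above is easy to state and worth seeing run. The block below is an added example (mine, not the appliance's implementation) using textbook RSA over two well-known primes so that it runs offline without a crypto library. It is a teaching toy: real signatures use a padded scheme (PKCS#1 v1.5 or PSS) and keys generated on the box or in an HSM, never fixed primes like these. The message is constructed. What it shows is that only the private exponent can produce the signature, the public exponent alone verifies it, and a single changed byte or a guessed signature fails.

```python
"""Hash-then-sign with textbook RSA, to make the notes above concrete.

Added example, not the appliance's implementation. The keys use two
well-known primes (2**255 - 19 and 2**127 - 1) so the block runs offline
without a crypto library; real deployments use a padded scheme (PKCS#1
v1.5 or PSS) and keys generated in the box or an HSM, never primes like
these. Requires Python 3.8+ for the modular inverse via pow().
"""
import hashlib

P = (1 << 255) - 19      # prime (the Curve25519 field prime)
Q = (1 << 127) - 1       # prime (Mersenne prime M127)
N = P * Q                # modulus, about 382 bits, so larger than a SHA-256 digest
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)      # private exponent

PUBLIC_KEY = (N, E)      # what a certificate carries, plus identity and the issuer's signature
PRIVATE_KEY = (N, D)     # never leaves the box except by an explicit export


def digest(message):
    """Message integrity: a fixed-size digest of the whole message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Only the holder of the private exponent can compute this."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message, signature, public_key):
    """Anyone with the public exponent recovers the digest and compares it."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo():
    message = b"<transfer><to>acct-42</to><amount>100</amount></transfer>"   # constructed
    signature = sign(message, PRIVATE_KEY)
    tampered = message.replace(b"100", b"900")
    return {
        "valid": verify(message, signature, PUBLIC_KEY),        # True
        "tampered": verify(tampered, signature, PUBLIC_KEY),    # False: digest changed
        "forged": verify(message, signature + 1, PUBLIC_KEY),   # False: not the private key's output
    }


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes visible that the notes only state: the public key really is all a verifier needs, which is why a certificate can be handed out freely, and the signature covers the digest, so any change to the signed bytes invalidates it.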

WB552: Random DataPower Thoughts Part 6

June 3rd, 2008 dan Posted in DataPower No Comments »

Always check the default system log when an error is first encountered.

Audit log only occurs on the default domain.

Captured IP packets are stored in pcap format, so you need a tool such as Ethereal (now Wireshark) to explore the data. The packet capture file is written to the temporary directory.

Probes and debug level logging will create a noticeable slowdown.

Error reports are stored in the temporary directory.

Log levels: debug captures the most information. emergency captures the least.

XML Capture: Captures every XML message that comes to the box.

Event sources: Generate events. Similar to a pub/sub.

Log Targets: Subscribe to the Event Sources.

Log Targets do not capture actual messages. Log action in a processing rule will do that.

Levels Emergency, Alert and Critical are rare.

Error Handling:

An Error-Rule will automatically run if the match is successful.

On-Error will overrule the Error-Rule  but can call an Error-Rule.

In the scenario On-Error1 -> Transform -> On-Error2, if the transformation fails, On-Error1 fires. An On-Error applies to all actions AFTER it; if another On-Error follows, it ‘protects’ the actions after it instead.

On-Errors can be used to capture the actual error that caused the problem. An error-rule will return a very generic message.

var://service/error-message  , var://service/error-code, var://service/error-subcode , var://service/transaction-id

<xsl:message ..> can be used to generate a log entry in an XSLT.

curl -v outputs more information for client-side errors, but you are likely looking at the wrong side of your issue.

WB552: Random DataPower Thoughts Part 5

June 3rd, 2008 dan Posted in DataPower No Comments »

Pass-thru: Traffic is passed without execution of the service policy.

XML: Check for well-formed XML

SOAP: Checked for SOAP Message validity.

Non-XML: Treated as a binary and the service policy is executed.

Service Level Monitors need a WSDL file to be defined.

The validate action only accepts a single XSD definition or WSDL file. The question was how to validate against multiple XSD definitions; the general answer was to use a WSDL file that includes the XSD definitions.

Filter action is used to prevent SQL injection and Virus attacks. There is also a replay attack filter that is built into the store://replay-filter.xsl

Results action can be given a Destination URL.

Firmware v3.6.0 has a bug with the wizard and XSD data definitions that are generated against a WSDL file. There is an extra element declaration contained in this file that makes it invalid. It is presumed that this issue is fixed in v3.6.1. In the course, we overwrite the bad version of the file with a good one.

WB552: Random DataPower Thoughts Part 4

June 3rd, 2008 dan Posted in DataPower No Comments »

XML Firewall is a superset of the XSL Proxy.

Web Service proxy understands more of the requirements to be a web service than the XML Firewall which only treats data as XML documents.

Web Service Proxy and Multi-Protocol Gateway are supersets of the XML Firewall. Neither supports the loopback proxy.

Web Application Firewall: Customized XML Firewall for HTTP traffic. It does not have a document processing policy.

If you have a web service proxy and the input message isn’t well formed, then an internal error will be returned to the client. To resolve this issue, put an XML Firewall in front of the WS Proxy.

On choosing which of the services to use: “Choose less sophisticated service when there is a specific need”.

“Front-side handlers impact performance” -> This statement is currently wide-spread but it is unsure if it’s factually correct. A further conversation with IBM should be needed.

Secondary Services: HTTP service, TCP Proxy and SSL Proxy.

Beware the background image when configuring the rules. They always run left to right, but the client -> origin server arrows may appear right to left.

A service has one policy, with multiple rules, each with multiple actions.

When no match rules match, the message is rejected by DataPower.

WB552: Local DataPower XI50 (Blue) Initial Configuration Issues

June 2nd, 2008 dan Posted in DataPower No Comments »

We’re stuck in the middle of a time-out as they configure the local datapower box for usage by the class. There was some mix-up and this wasn’t done before the class.

All the material I’ve ever read says that setting up a new machine is pretty easy, but they’ve been working on this for about an hour now. Something to do with the box not picking up the management interface.

Go figure.

My suggestion was to hit it a few times. I didn’t get the roaring laughter like I thought I would.
