WB552: Random DataPower Thoughts Part 8

June 4th, 2008 dan Posted in DataPower No Comments »

SSL: Message Confidentiality, Message Integrity and Non-Repudiation

Server always authenticates to the client. Client optionally authenticates to the server.

During an SSL handshake: negotiate the SSL version, decide on a cipher suite, authenticate the server, and build a secret key to be used for the session.

The client's SSL hello contains a list of cipher suites. The server responds with its hello, having selected a cipher suite from the list, and also sends its certificate. The client validates the certificate, then encrypts the material for the symmetric key with the server's public key. The connection is now secured. The symmetric key exists for a specified time (2 min) and is then re-negotiated.

Server Identifies, Client Validates.

In the case of mutual authentication, your Crypto Profile would contain both a Crypto Identification Credential and a Crypto Validation Credential.

Forward SSL proxy -> DataPower is the SSL client. Reverse SSL proxy -> DataPower is the SSL server. Stupid.

SSL Proxy Profile refers to a Crypto Profile which then refers to the key/certs.


WB552: Random DataPower Thoughts Part 7

June 4th, 2008 dan Posted in DataPower No Comments »

SSL Connections need Validation or Identification credentials based on which side of the conversation (client or server) the datapower box is.

Nonrepudiation: How do you know who the party on the other end is?

Signature: Encrypt a message with a private key, decrypt with the public key. This allows the receiver to verify the sender. Only the sender could use the private key to encrypt.

Message Integrity: Create a hash (message digest) from the message and then encrypt it with the private key.

Digital signatures provide the ability to authenticate who the message was sent from.

Signatures are created with the sender's private key. Messages for the recipient are encrypted with the recipient's public key.

Digital Certificate is a special public key. Contains identity information about the owner. Certificate is signed by whoever created it (self-signed or authority). Certificate does not contain the private key.

When generating a new private key, "Export Private Key" is the only way to get a private key off the box. The key will be placed in the temporary filesystem, from which it can be downloaded. There is also an optional piece of hardware called the HSM (Hardware security manager) that will allow you to get them off.

Export configuration will not include keys.

Certificates exist in a trust chain, anchored by a Certificate Authority (CA). Root certificates: certificates we inherently trust.

Can poll a CRL (Certificate Revocation List) to determine if a certificate is still good.

DataPower Certificate monitors check when certificates expire.
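As an added example (not DataPower's own code and not from the course), the following Python builds the mechanics from these notes and from the "client validates the certificate" step of the SSL handshake in Part 8: a message digest is "encrypted" with a private key and checked with the public key, a certificate carries identity plus public key but never the private key, and a chain is walked back to a trusted root with expiry and CRL checks at each step. The primes, the names "Demo Root CA", "Demo Issuing CA", "gateway.example" and "evil.example", the dates and the serials are constructed for the demo; the RSA here is textbook (no padding) and only illustrates the concept, not what a real appliance or library does.

```python
"""Added example, not DataPower's own code: textbook RSA signing plus a toy
certificate chain with expiry and CRL checks. Primes, names, dates and
serials are constructed for the demo; real deployments use X.509, padded
RSA or ECDSA, and keys generated from a CSPRNG."""
import hashlib
from datetime import date


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private) as (n, exponent)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes) -> int:
    """Message digest as an integer; every demo modulus is larger than 2**256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Message integrity: hash the message, then 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def cert_body(cert):
    """The signed part of a certificate: identity, public key, validity, serial.
    The private key is never part of it."""
    n, e = cert["pub"]
    return (f"{cert['subject']}|{cert['issuer']}|{n}|{e}|"
            f"{cert['not_after']}|{cert['serial']}").encode()


def issue(subject, pub, issuer, issuer_priv, not_after, serial):
    """The issuer (a self-signed root or a CA) signs the certificate body."""
    cert = {"subject": subject, "issuer": issuer, "pub": pub,
            "not_after": not_after, "serial": serial}
    cert["sig"] = sign(issuer_priv, cert_body(cert))
    return cert


def verify_chain(chain, trust_anchors, today, crl):
    """chain is leaf first; trust_anchors maps root subject -> public key;
    crl is a set of (issuer, serial) pairs taken from the CA's revocation list."""
    for i, cert in enumerate(chain):
        if cert["not_after"] < today:
            return False, f"{cert['subject']}: expired"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: revoked"
        if i + 1 < len(chain):                 # signed by the next cert up
            parent = chain[i + 1]
            if parent["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer mismatch"
            issuer_key = parent["pub"]
        else:                                  # top of chain: must be a root we trust
            issuer_key = trust_anchors.get(cert["issuer"])
            if issuer_key is None:
                return False, f"{cert['subject']}: issuer is not a trusted root"
        if not verify(issuer_key, cert_body(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad signature"
    return True, "chain valid"


# Constructed demo keys built from Mersenne primes, so primality is known.
ROOT_PUB, ROOT_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
INT_PUB, INT_PRIV = make_keypair(2**89 - 1, 2**607 - 1)
LEAF_PUB, LEAF_PRIV = make_keypair(2**107 - 1, 2**1279 - 1)
ROOT = issue("Demo Root CA", ROOT_PUB, "Demo Root CA", ROOT_PRIV, date(2018, 1, 1), 1)
INTER = issue("Demo Issuing CA", INT_PUB, "Demo Root CA", ROOT_PRIV, date(2012, 1, 1), 2)
LEAF = issue("gateway.example", LEAF_PUB, "Demo Issuing CA", INT_PRIV, date(2009, 6, 1), 3)
TRUST_ANCHORS = {"Demo Root CA": ROOT_PUB}
CHAIN = [LEAF, INTER, ROOT]


def demo():
    """Exercise signing, tampering, a wrong key, and the chain checks."""
    msg = b"<order id='42'/>"
    sig = sign(LEAF_PRIV, msg)
    forged = dict(LEAF, subject="evil.example")   # body changed, signature kept
    today = date(2008, 6, 4)
    return {
        "signature_ok": verify(LEAF_PUB, msg, sig),
        "tampered": verify(LEAF_PUB, msg + b" ", sig),
        "wrong_key": verify(INT_PUB, msg, sig),
        "chain_ok": verify_chain(CHAIN, TRUST_ANCHORS, today, set()),
        "expired": verify_chain(CHAIN, TRUST_ANCHORS, date(2010, 1, 1), set()),
        "revoked": verify_chain(CHAIN, TRUST_ANCHORS, today, {("Demo Issuing CA", 3)}),
        "forged": verify_chain([forged, INTER, ROOT], TRUST_ANCHORS, today, set()),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:13} {result}")
```

The chain check deliberately tests expiry and revocation before the signature, which is the order in which a certificate monitor and a polled CRL catch problems that a valid signature alone would never reveal.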


WB552: Random DataPower Thoughts Part 6

June 3rd, 2008 dan Posted in DataPower No Comments »

Always check the default system log when an error is first encountered.

The audit log exists only in the default domain.

Captured IP packets are stored in pcap format; a tool such as Ethereal is needed to explore the data. The packet capture file is written to the temporary directory.

Probes and debug level logging will create a noticeable slowdown.

Error reports are stored in the temporary directory.

Log levels: debug captures the most information. emergency captures the least.

XML Capture: Captures every XML message that comes to the box.

Event sources generate events, similar to a pub/sub model.

Log Targets: Subscribe to the Event Sources.

Log Targets do not capture actual messages. Log action in a processing rule will do that.

Levels Emergency, Alert and Critical are rare.
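Added example (not DataPower code, and not from the course): a small Python model of the pub/sub relationship between event sources and log targets described above, with debug as the most verbose priority and emergency the most severe. The full eight-level priority list beyond the four named in the notes, the source names, the target names and the sample events are assumptions constructed for the demo, and the entries hold event text only, never a request payload.

```python
"""Added example, not DataPower code: event sources publish events, log
targets subscribe to sources at a minimum priority. Priority names follow
the syslog-style ordering; sources, targets and events are constructed."""

# Most to least severe. A subscription at priority P receives P and
# everything more severe, so 'debug' captures the most, 'emergency' the least.
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}


class LogTarget:
    """Subscribes to event sources and stores the events it accepts.
    Entries carry the event text only, not the request/response payload;
    capturing the actual message needs a Log action in a processing rule."""

    def __init__(self, name, subscriptions):
        self.name = name
        self.subscriptions = subscriptions   # e.g. {"xslt": "debug", "all": "notice"}
        self.entries = []

    def accepts(self, source, priority):
        threshold = self.subscriptions.get(source, self.subscriptions.get("all"))
        return threshold is not None and RANK[priority] <= RANK[threshold]

    def deliver(self, event):
        if self.accepts(event["source"], event["priority"]):
            self.entries.append(event)
            return True
        return False


class EventBus:
    """Event sources publish here; every subscribed target is offered a copy."""

    def __init__(self):
        self.targets = []

    def subscribe(self, target):
        self.targets.append(target)

    def publish(self, source, priority, message, transaction_id):
        if priority not in RANK:
            raise ValueError(f"unknown priority: {priority}")
        event = {"source": source, "priority": priority,
                 "message": message, "tid": transaction_id}
        return sum(target.deliver(event) for target in self.targets)


# Constructed sample events: (source, priority, message, transaction id).
SAMPLE_EVENTS = [
    ("xslt", "debug", "transform started: local:///order.xsl", 1001),
    ("xmlfirewall", "info", "request received from 10.0.0.5", 1001),
    ("schema", "error", "schema validation failed: element 'qty'", 1001),
    ("crypto", "critical", "certificate 'backend' expires in 3 days", 0),
    ("xslt", "debug", "transform finished", 1002),
    ("system", "emergency", "flash write failure", 0),
]


def run_demo():
    """Three targets with different thresholds; returns target -> messages."""
    bus = EventBus()
    for target in (LogTarget("default-log", {"all": "notice"}),
                   LogTarget("xslt-trace", {"xslt": "debug"}),
                   LogTarget("pager", {"all": "critical"})):
        bus.subscribe(target)
    for event in SAMPLE_EVENTS:
        bus.publish(*event)
    return {t.name: [e["message"] for e in t.entries] for t in bus.targets}


if __name__ == "__main__":
    for name, messages in run_demo().items():
        print(name, messages)
```

The "xslt-trace" target is the shape of a debug-level subscription you would turn on briefly while chasing one transformation and then remove, since a debug threshold on a busy source is exactly where the slowdown mentioned above comes from.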

Error Handling:

An Error-Rule will automatically run if its match is successful.

On-Error will overrule the Error-Rule, but can call an Error-Rule.

In the scenario On-Error1 -> Transform -> On-Error2, if the transformation fails, On-Error1 will fire. An On-Error applies to all actions AFTER it. If another On-Error is included, it will 'protect' the actions after it instead.

On-Errors can be used to capture the actual error that caused the problem. An error-rule will return a very generic message.

Useful variables: var://service/error-message, var://service/error-code, var://service/error-subcode, var://service/transaction-id

<xsl:message ..> can be used to generate a log entry in an XSLT.

cURL -v can output more information for client-side errors, but you are likely looking at the wrong side of your issue.


WB552: Random DataPower Thoughts Part 5

June 3rd, 2008 dan Posted in DataPower No Comments »

Pass-thru: Traffic is passed without execution of the service policy.

XML: Check for well-formed XML

SOAP: Checked for SOAP Message validity.

Non-XML: Treated as a binary and the service policy is executed.

Service Level Monitors need a WSDL file to be defined.

The validate action only accepts a single XSD definition or WSDL file. The question was how you can validate against multiple XSD definitions. The general answer was that you could use a WSDL file that pulls in the XSD definitions through includes.

The Filter action is used to prevent SQL injection and virus attacks. There is also a built-in replay attack filter at store://replay-filter.xsl.

Results action can be given a Destination URL.

Firmware v3.6.0 has a bug with the wizard and XSD data definitions that are generated against a WSDL file. There is an extra element declaration contained in this file that makes it invalid. It is presumed that this issue is fixed in v3.6.1. In the course, we overwrite the bad version of the file with a good one.


WB552: Random DataPower Thoughts Part 4

June 3rd, 2008 dan Posted in DataPower No Comments »

XML Firewall is a superset of the XSL Proxy.

Web Service proxy understands more of the requirements to be a web service than the XML Firewall which only treats data as XML documents.

Web Service Proxy and Multi-Protocol Gateway are supersets of the XML Firewall. Neither supports the loopback proxy.

Web Application Firewall: Customized XML Firewall for HTTP traffic. It does not have a document processing policy.

If you have a web service proxy and the input message isn’t well formed, then an internal error will be returned to the client. To resolve this issue, put an XML Firewall in front of the WS Proxy.

On choosing which of the services to use: “Choose less sophisticated service when there is a specific need”.

"Front-side handlers impact performance" -> This statement is currently widespread, but it is unclear whether it is factually correct. A further conversation with IBM is needed.

Secondary Services: HTTP service, TCP Proxy and SSL Proxy.

Beware the background image when configuring the rules. They always run left to right, but the client -> origin server arrows may appear right to left.

A Service has one Policy, multiple Rules, with multiple Actions.

When no match rules match, the message is rejected by DataPower.


WB552: Local DataPower XI50 (Blue) Initial Configuration Issues

June 2nd, 2008 dan Posted in DataPower No Comments »

We’re stuck in the middle of a time-out as they configure the local datapower box for usage by the class. There was some mix-up and this wasn’t done before the class.

All the material I've ever read says that setting up a new machine is pretty easy, but they've been working on this for about an hour now. Something to do with the box not picking up the mgmt interface.

Go figure.

My suggestion was to hit it a few times. I didn’t get the roaring laughter like I thought I would.


WB552: Random DataPower Thoughts Part 2

June 2nd, 2008 dan Posted in DataPower No Comments »

DataPower XA35 (Green): XA = XML Accelerator

DataPower XS40 (Yellow): XS = XML Security

DataPower XI50 (Blue): XI = XML Integration

"SSL Termination" refers to the destination system that receives an SSL connection.

DataPower can not participate in a two-phase commit transaction. Seems to me like this is a feature that needs to be incorporated sooner than later.

Network ports are disabled “at christmas morning” when you first take the device out of the box. Need to connect to the serial port to enable them.

Port 5550 (or 5050) is used for SOAP based XML management of the device. This can be leveraged for automated device configuration.

Default port for the Web GUI is 9090.

The web firewall and xml firewall icons in the web gui are humorous. They are quite literally a brick wall on fire. Obviously created by a graphic designer who doesn't understand what the term 'firewall' means.

File directories for configuration:

config: Per application domain, not shared. Stores configuration files for the current application domain.

export: Per application domain, not shared. Holds any exported configuration.

local: Per application domain, sharable. Storage space for files used by local services.

store: Systemwide and shared. Sample and default stylesheets.

temporary: Per application domain, not shared. Temp space used for processing rules and actions.

For security:

cert: Per application domain, not shared. Stores private keys and digital certificates.

sharedcert: Systemwide and shared between application domains. Stores digital certs shared with partners.

pubcert: Systemwide. Security certificates for root certificates.

Directories for logging:

logtemp: Per application domain. File store size fixed at 13MB. Default location of log files.

logstore: Per application domain. Long-term storage for log files.

Break for Lunch!


WB552: Random DataPower Thoughts Part 1

June 2nd, 2008 dan Posted in DataPower No Comments »

DataPower will not allow modified firmwares to be uploaded to the machine. They are required to be signed by IBM.

By default, the device is ‘completely off’ with a locked down configuration. It’s up to the administrator to enable relevant services.

When something is in encrypted storage, there is no UI to get the information off of it. There is apparently some kind of special hardware device that will allow access should something go wrong.

“near-wirespeed” is now the en-vogue term when talking about performance. I’ve noticed that the marketing lingo has changed from “wirespeed” since that would be technically impossible (no delay transforms).

“The XI50 is one of IBM’s three ESB products.” I find this interesting because IBM likes to play down the ESB functionality of the DataPower box in favour of the WebSphere Enterprise Service Bus. If you’ve been reading this blog, you know my opinions on the subject.

DataPower boxes in a cluster can recognize each other and have the ability to control traffic flow as a community. This is primarily used to enforce Service Lifecycle Management (SLMs).

DataPower supports WTX (WebSphere Transformation Extender) and Contivo (sp?)  for mapping XML to Binary via the DataGlue engine.

‘DataGlue’ : No one was sure if this is actually an engine or just marketecture to describe the XML-Binary transformation work.

DataPower can also do content based routing, which puts it at direct competition with WebSphere Business Services Fabric as well. Actually, it’s one-up on WBSF since DataPower can do transformations. WBSF has to defer to the WebSphere Process Server runtime for that capability.

Can leverage the XML-PI (processing instruction) to modify XML data.

First break.


WB552: “Is there an IDE for DataPower?”

June 2nd, 2008 dan Posted in DataPower 2 Comments »

Q: “Is there an IDE for DataPower?”

Answer: "No. The web client is used to access most of the features."

I think that there probably should be an investment (or direction) from IBM about how to go about doing the development work for DataPower. When I say this, I mean what is the recommended IDE to do your XSLT transformation work? It's true that you don't need an IDE for development, in the same vein that you can use WebSphere Application Server without an IDE. You can, but why would you?

Web clients are good for simple tasks (ex WebSphere  Admin Console) but not for development efforts. How can I work on my datapower rules when I’m at home off the network? Currently the answer is that you can’t.

Of course, I'm not an expert and I know there's some kind of DataPower plug-in for WebSphere Integration Developer, but I'm not sure what it does.


WB552: Introductions

June 2nd, 2008 dan Posted in DataPower No Comments »

Instructor: Greg Dinning, a 10 year educator on the IBM Suite of Integration software.

The Attendees were a wide mix of developers wondering how to use the box, people who wanted to understand why they should buy it and people (like me) who are focused on getting the information to pass certification.

I’m not going to go into depth about the content of every slide in this education course, but rather just list the points/discussions that I find interesting.


DataPower Course WB552: Accelerate and Secure XML and Web Services with IBM DataPower SOA Appliances

June 2nd, 2008 dan Posted in Certification, Dan Zrobok, DataPower No Comments »

This is the course that I am attending this week. This will be nice as I'll have a hardcopy of the course contents. Also, being able to go through the content slowly over a week with hands-on usage of the datapower box will be a huge bonus. When I was trying to learn the machine without the help of the exercises, I was overwhelmed by the number of options available and unsure when to use what. So far, I see nine attendees in the room. Lower than the other two times I've been here (WebSphere Application Server v6.1 admin had a maximum room of 20 and WebSphere Process Server was the same).

Additionally, for attending this course I have two certificates for free certification tests (WebSphere 284 firmware v3.6.0 and WebSphere 289 v3.6.1).


Attending DataPower Classroom Training Next Week

May 28th, 2008 dan Posted in Certification, Dan Zrobok, DataPower No Comments »

Sometimes the stars just align perfectly. I’m trying to get my DataPower Certification and IBM’s business partner relations team is offering a free course on DataPower next week in Markham. It pays to be in a city with an IBM Office. I’ll be in attendance there and hopefully sitting in the room for 5 days will put me over the edge.

Naturally, I’ll try and blog it.


Make SOA real with IBM WebSphere Enterprise Service Bus and IBM WebSphere DataPower SOA Appliances

May 27th, 2008 syndication Posted in DataPower, DeveloperWorks, Syndication, WebSphere Enterprise Service Bus, WebSphere Process Server No Comments »

From DeveloperWorks, Make SOA real with IBM WebSphere Enterprise Service Bus and IBM WebSphere DataPower SOA Appliances, Part 1: Use WebSphere Enterprise Service Bus for protocol switching of encrypted data

And Make SOA real with IBM WebSphere Enterprise Service Bus and IBM WebSphere DataPower SOA Appliances, Part 2: Use WebSphere DataPower SOA Appliances extension functions for certificate-based XML standard encryption

Looking for a way to manage the interoperability among applications using different protocols that need to exchange confidential data? Consider combining the functionality of IBM WebSphere Enterprise Service Bus and IBM WebSphere DataPower SOA Appliances. Find out how you can get a secure, agile, and extendible solution with a little effort in terms of code.

I'd say that if you happen to have both of these products, you are better off attempting to offload most of the logic to the datapower box and use the ESB for business functionality.


Using DataPower SOA Appliances to query WebSphere Service Registry and Repository

May 16th, 2008 syndication Posted in DataPower, DeveloperWorks, WebSphere Service Registry and Repository 2 Comments »

From Developerworks, Using DataPower SOA Appliances to query WebSphere Service Registry and Repository

Learn how to use IBM WebSphere DataPower SOA Appliances to query information from IBM WebSphere Service Registry and Repository using the REST API and SOAP API. Reusable stylesheets are provided to serve as standard query components to be used throughout DataPower configurations. Step-by-step examples show how these assets can be used to query WebSphere Service Registry and Repository. (IBM WebSphere Developer Technical Journal)

It appears that DataPower doesn’t have any native support for WebSphere Service Registry and Repository and just uses the standard SOAP API’s.


Build an RSS aggregator using IBM WebSphere DataPower SOA Appliances multistep

May 13th, 2008 syndication Posted in DataPower, DeveloperWorks No Comments »

From DeveloperWorks, Build an RSS aggregator using IBM WebSphere DataPower SOA Appliances multistep

The IBM WebSphere DataPower SOA Appliances multistep processing policy system is a key part of appliance configuration. Version 3.6.1 of the firmware includes a number of enhancements to multistep that provide functionality familiar to programmers, including loops of actions, conditional execution of actions, and the ability to execute actions in parallel. Explore how you can combine the new features in multistep 3 to build an RSS feed aggregator.

Here is an example of the new Multi-Step feature in DataPower firmware 3.6.1 in action.
