Thursday, September 24, 2015

What are the ESB implementation patterns and SOA in Datapower? (115/285 technotes for 2015)

An ESB must support the capabilities mentioned below -

Application Awareness in ESB

  • Service Virtualization
  • Improved Manageability - all the things below can be managed centrally
    • style sheets
    • security
    • caching
    • routing 
  • Monitoring and Managing messages as they flow on the bus
  • Routing messages 
  • Converting Protocols
  • Transformation
  • Securing messages
  • Providing connectivity to application services via open and proprietary interfaces

Monitoring & Managing - log information about the arrival path and the contents of the message, based on filters
  • ESB general monitoring
    • track messages as they flow through the enterprise - determine where time and resources are being spent
    • remote monitoring of Datapower appliances - using SNMP, WSDM, WS-Management and the proprietary SOAP API.
    • end-to-end monitoring of the ESB as well as of the services is achieved by integrating enterprise monitoring software, such as ITCAM for SOA, through standard protocols like SNMP and ARM

  • ESB service level management (SLA) via monitoring - this is one of the most important capabilities
    • throttle (reject) and shape (delay) traffic based on the patterns below
      • Prioritization
      • Count Monitors
      • Duration Monitors
    • protects the back-end application resources when:
      • application latency reaches a threshold
      • processing latency reaches a threshold
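The throttling and shaping behaviour described above, written out as an added example (it is not code from the Redbook or from the DataPower product): a sliding-window count monitor whose thresholds depend on the client's priority class, and a duration monitor that sheds load once the average back-end latency crosses a threshold. The thresholds, client names and the "allow"/"shape"/"reject" outcomes are constructed assumptions.

```python
from collections import Counter, deque

# Constructed per-priority thresholds (assumption): requests per window a
# client may send before traffic is shaped (delayed) or throttled (rejected).
POLICY = {
    "high": {"shape_at": 20, "reject_at": 40},
    "low": {"shape_at": 5, "reject_at": 10},
}


class CountMonitor:
    """Sliding-window count monitor keyed by client identity."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = {}  # client -> deque of request timestamps

    def record(self, client, now, shape_at, reject_at):
        q = self.events.setdefault(client, deque())
        q.append(now)
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # forget requests outside the window
            q.popleft()
        n = len(q)
        if n > reject_at:
            return "reject"  # throttle: drop the request
        if n > shape_at:
            return "shape"  # shape: queue the request and delay it
        return "allow"


class DurationMonitor:
    """Tracks back-end response latency over the last N responses."""

    def __init__(self, sample_size, threshold_ms):
        self.samples = deque(maxlen=sample_size)
        self.threshold_ms = threshold_ms

    def observe(self, latency_ms):
        self.samples.append(latency_ms)

    def backend_overloaded(self):
        if not self.samples:
            return False
        return sum(self.samples) / len(self.samples) > self.threshold_ms


def decide(count_mon, dur_mon, client, priority, now):
    """Duration monitor first (protect the back end), then the count monitor
    with the thresholds of the client's priority class."""
    if dur_mon.backend_overloaded():
        return "reject"
    return count_mon.record(client, now, **POLICY[priority])


def run_sample_traffic():
    """Constructed traffic: 12 requests each from a low- and a high-priority
    client inside one second, followed by a back-end latency spike."""
    cm = CountMonitor(window_seconds=1.0)
    dm = DurationMonitor(sample_size=3, threshold_ms=500)
    bronze, gold = Counter(), Counter()
    for i in range(12):
        t = 100.0 + i * 0.05
        bronze[decide(cm, dm, "bronze", "low", t)] += 1
        gold[decide(cm, dm, "gold", "high", t)] += 1
    for latency_ms in (700, 800, 900):  # three slow back-end responses
        dm.observe(latency_ms)
    return {
        "bronze": dict(bronze),
        "gold": dict(gold),
        "gold_after_spike": decide(cm, dm, "gold", "high", 101.0),
    }


if __name__ == "__main__":
    print(run_sample_traffic())
```

The low-priority client's burst is allowed for the first five requests, shaped for the next five and rejected after that, while the high-priority client's identical burst passes untouched; once the back end slows down, even the high-priority client is rejected, which is the back-end protection the duration monitor exists for.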

Routing - is required for the two reasons mentioned below
  • Quality of Service - able to prioritize some messages based on the SLA
  • Support for specific functionality or affinity -
    • some functionality is provided only in a particular version
    • a session may exist on a particular destination, requiring affinity-based routing
  • Different types of Routing
    • Content based routing
    • Context based routing
    • Aggregation and Disaggregation

Protocol Conversion -
  • need to move messages from one protocol to another
  • web-based scenarios are asynchronous, while back-end systems are transaction oriented and expect synchronous interaction, so the mediator also takes on the responsibility for state management.
  • if WebSphere ESB is used to convert protocols, transform and route messages, it in general degrades performance

Message Transformation -

  • XML-to-XML Transformations 
  • HTML/SOAP to XML Transformations
  • Binary Transformations
  • Content Enrichment and Filtering

Securing Messages -

  • Though there is a large set of security services, only a fairly small set of them needs to be available in an ESB
    • Support for standard WS-Security protocols as defined in the WS-I Basic Security Profile  
    • Support for credential mapping across multiple protocols and transports  
    • AAA

Connectivity -

References:

Datapower Architectural Design Patterns - Integrating and Securing Services Across Domains - http://www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf

What are the three possible placement of Datapower in an ESB scenario? (114/285 technotes for 2015)

Architecturally, Datapower can be placed in three possible places in the enterprise infrastructure

  • Standard ESB - basically used as an ESB
  • ESB Federated Gateway
  • DMZ Gateway - at the edge of the ESB

Standard ESB


ESB Federated Gateway
DMZ Gateway

Wednesday, September 23, 2015

What is a DMZ? (113/295 technotes for 2015)

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a 
  • physical or logical subnetwork that 
  • contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet.

References:

How can Datapower be used as an ESB? (112/285 technotes for 2015)

Datapower can be considered as an ESB since it -

  • supports abstraction using the proxy architecture
  • is highly message oriented - with support for SOAP, raw XML and other formats
  • has full Web Services support
  • is network aware - residing between the application layer and the network - with support for
    • routing, message filtering, transformation etc.
  • Also
    • has a surprisingly small footprint
    • was built from the ground up to be network aware.

What are the different Datapower security scenarios? (111/285 technotes for 2015)

Different Datapower security scenarios:

  • Datapower typical security - solves the issues below
    • Cross Enterprise Inter-operation - 
    • Federated Interoperability - 
    • Human and automated service invocations - 
    • Dynamic service binding -
    • Global architecture layers impact - 
  • Datapower as an XML firewall
    • While developing internet facing applications, the concept of DMZ is very important - this is the place where a hardened bastion host is placed between 2 firewalls.
    • Below is the standard topology - without Datapower
    • The WebServer - does almost nothing
    • Most of the work is done by Webservices Gateway

    • Datapower is the most hardened device available in the market.
    • The role of Datapower within the DMZ is to be able to stop any incoming request and provide authentication and authorization, depending on business requirements.
    • It eliminates the Web Server and the Web Services Gateway
    • More secure - easy to manage
    • Below are a few of the protections which Datapower provides -
      • XDoS (XML denial of service) protection
      • well-formedness checks
      • verifying digital signatures
      • signing messages
      • implementing service virtualization to mask internal resources via XML transformation and routing
      • encrypting data at the field level

    • Three basic types of XML Firewall
      • Static backend
      • Dynamic backend
      • Loopback

    • Recommendation: All internet-facing systems that provide for inbound Web services requests should use Datapower as their XML firewall, even when performance or security is considered unimportant.
    • Recommendation: DataPower should be used as the policy enforcement point for Web services authorization. It should interact with a central policy decision point, such as Tivoli Access Manager.
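An added example of the parser-level protections an XML firewall applies before a message reaches the back end (well-formedness checking and XDoS-style limits from the list above). This is not DataPower's implementation; it is a streaming parser that rejects DOCTYPE declarations (where entity expansion and external entities live), excessive nesting, excessive element counts and oversized payloads before any document tree is built. The limits and the sample documents are constructed.

```python
import xml.parsers.expat as expat

# Constructed limits (assumption); a real deployment tunes these per service.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 32, "max_elements": 10_000}


class XmlRejected(Exception):
    """Raised with the reason a document fails the firewall checks."""


def check_xml(payload, limits=LIMITS):
    """Return 'accepted' or raise XmlRejected. A streaming (SAX-style) parser
    is used so the document is refused as soon as a limit is crossed."""
    if len(payload) > limits["max_bytes"]:
        raise XmlRejected("size limit exceeded")
    state = {"depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Inbound service messages have no business carrying a DTD.
        raise XmlRejected("DOCTYPE not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > limits["max_depth"]:
            raise XmlRejected("nesting depth exceeded")
        if state["elements"] > limits["max_elements"]:
            raise XmlRejected("element count exceeded")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except expat.ExpatError as err:
        raise XmlRejected(f"not well-formed: {err}") from err
    return "accepted"


def verdict(payload):
    """Decision as a single string, the form a firewall log line would carry."""
    try:
        return check_xml(payload)
    except XmlRejected as err:
        return f"rejected: {err}"


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "good": b"<order><id>42</id><item qty='2'>widget</item></order>",
    "malformed": b"<order><id>42</order>",
    "doctype": b"<!DOCTYPE order [<!ENTITY e 'x'>]><order>&e;</order>",
    "deep": b"<a>" * 40 + b"</a>" * 40,
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:10s} {verdict(doc)}")
```

The order of the checks matters: the size check runs on the raw bytes before parsing, and the depth and element counters fire inside the parser callbacks, so a nested or bloated document is stopped part-way through rather than after it has been fully read.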


      Monday, September 21, 2015

      What is IBM Tivoli? (110/285 technotes for 2015)

      Tivoli provides SOA Security Management with:  

      • Policy management: WS-Policy, WS-SecurityPolicy  
      • Federated Identity Management: Liberty, SAML 2.0, WS-Federation, WS-Security  
      • Auditing and compliance for SOA: Compliance Automation
      • User provisioning: WS-Provisioning/SPML 2.0.
      XML-level protection enhances SOA security management. 
      This simply maps the different steps of the DataPower AAA framework to specific IBM products and standards that may be used in each of these steps.


      TAM - provides Authentication & Authorization

      IBM Tivoli Access Manager (now IBM Security Access Manager) handles the authentication and authorization part of your IAM infrastructure.

      TFIM - provides federated identity between organizations

      IBM Tivoli Federated Identity Manager allows for federated and web single sign-on. It can be used with ISAM, for example in a scenario where ISAM delegates the authentication part to TFIM for certain resources/cases.

      ISAM does not speak SAML by itself, but it can leverage TFIM, which does.


      TAM and Datapower - 
      • In order to connect to TAM from DP, a TAM client must be configured on the DP SOA appliance.
      • TAM is specified in the AAA policy.

      References:

      What are the mechanisms supported by AAA? (109/285 technotes for 2015)

      • SAML
        • With SAML, a user can log in to one system in an environment and then access other systems in that environment without needing to log in again (until the web browser session is ended).
      • XACML PEP/PDP - 
        • eXtensible Access Control Markup Language 
        • Policy Enforcement Point/ Policy Decision Point
        • The standard defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.

      • Kerberos & SPNEGO
        • a protocol for authentication
        • uses tickets to authenticate
        • avoids storing passwords locally or sending them over the internet
        • involves a trusted 3rd-party
        • built on symmetric-key cryptography
        • Kerberos is normally deployed in a client/server environment. It is rarely used in web applications and thin-client environments.
        • Because of this, SPNEGO comes to the rescue. It stands for Simple and Protected GSS-API Negotiation Mechanism, and provides a mechanism for extending a Kerberos-based single sign-on environment to web applications.

      References:

      What is a multistep probe? What is an AAA action? (108/285 technotes for 2015)

      Multistep Probe -

      To view the contents of any phase, enable the multistep probe on the XML firewall or Web Service proxy whose document processing policy contains an AAA action.


      AAA Action -

      AAA Action is a Datapower object that references a specific AAA policy. This is the way to attach (bridge) an AAA policy to any of the services mentioned below.

      • XML Firewall
      • MPGW
      • Web Service proxy
      • XSL proxy

      References:

      Datapower Architectural Design Patterns -Integrating and Securing Services Across Domains -   http://www.redbooks.ibm.com/abstracts/sg247620.html?Open

      What is AAA? (107/285 technotes for 2015)

      AAA - stands for 

      • Authentication
      • Authorization
      • Auditing
      Datapower makes a clear separation of the processing of all three in a loosely coupled way.

      The steps for AAA are:
      1. Extract Identity (EI) - the claim, such as the username/password from HTTP basic authentication.
      2. Extract Resource (ER) - such as the Web service URL being accessed.
      3. Authenticate (AU) the extracted identity - against either an on-board or an off-board identity server, such as LDAP.
      4. Map Credentials (MC) - using rewrite rules.
      5. Map Resource (MR) - also using rewrite rules.
      6. Authorize (AZ) - submit the mapped credential and resource to a policy server for authorization.
      7. Post Processing (PP) - audit.
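The seven steps as one pipeline over a constructed HTTP request, added here as an example; it is not DataPower code. The identity store, the credential and resource rewrite tables and the policy table are all in-memory assumptions standing in for the LDAP server, rewrite rules and policy server (such as TAM) the steps would normally call out to. Each step is its own function so a failing step short-circuits straight to the audit step with a reason.

```python
import base64
import hashlib
import hmac


def _pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed on-box identity store (assumption): username -> password hash.
USERS = {"alice": _pw_hash("alice-pw"), "bob": _pw_hash("bob-pw")}

# Map Credentials rewrite table (assumption): external username -> internal id.
CREDENTIAL_MAP = {"alice": "emp:1001", "bob": "emp:1002"}

# Map Resource rewrite rules (assumption): external URL prefix -> internal service.
RESOURCE_MAP = [("/api/orders", "svc:orders"), ("/api/admin", "svc:admin")]

# Policy decision table (assumption): internal id -> services it may call.
POLICY = {"emp:1001": {"svc:orders", "svc:admin"}, "emp:1002": {"svc:orders"}}

AUDIT_LOG = []  # the post-processing step appends one record per request


def extract_identity(headers):
    """EI: pull username/password out of an HTTP Basic Authorization header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def extract_resource(request_line):
    """ER: the request path is the resource being accessed."""
    return request_line.split(" ")[1]


def authenticate(identity):
    """AU: check the claim against the identity store (constant-time compare)."""
    if identity is None:
        return False
    stored = USERS.get(identity[0])
    return stored is not None and hmac.compare_digest(stored, _pw_hash(identity[1]))


def map_credentials(user):
    """MC: rewrite the authenticated name into the internal identity."""
    return CREDENTIAL_MAP.get(user)


def map_resource(path):
    """MR: rewrite the external path into the internal service name."""
    for prefix, service in RESOURCE_MAP:
        if path.startswith(prefix):
            return service
    return None


def authorize(credential, resource):
    """AZ: ask the (in-memory) policy decision point."""
    return resource in POLICY.get(credential, set())


def post_process(user, path, decision, reason):
    """PP: audit every decision, allow or deny."""
    AUDIT_LOG.append({"user": user, "path": path, "decision": decision, "reason": reason})
    return decision


def aaa(request_line, headers):
    """Run the seven steps in order; a failing step short-circuits to audit."""
    identity = extract_identity(headers)
    path = extract_resource(request_line)
    user = identity[0] if identity else None
    if not authenticate(identity):
        return post_process(user, path, "deny", "authentication failed")
    credential = map_credentials(user)
    resource = map_resource(path)
    if credential is None or resource is None:
        return post_process(user, path, "deny", "unmapped credential or resource")
    if not authorize(credential, resource):
        return post_process(user, path, "deny", "not authorized")
    return post_process(user, path, "allow", "policy permits")


def basic_auth(user, password):
    """Build a Basic Authorization header value (constructed test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(aaa("POST /api/admin HTTP/1.1", {"Authorization": basic_auth("bob", "bob-pw")}))
    print(AUDIT_LOG[-1])
```

Note that authorization is decided on the mapped credential and mapped resource, never on the raw username or URL, which is what makes the MC and MR steps the place where credential transformation between security domains happens.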

      References: 

      Datapower Architectural Design Patterns -Integrating and Securing Services Across Domains -   http://www.redbooks.ibm.com/abstracts/sg247620.html?Open

      What is Credential Transformation in Datapower? (106/285 technotes for 2015)

      Since Web service requests have to travel across multiple security domains, the credentials used inbound to a boundary server often require transformation before reaching the recipient.

      Types of Transformation:


      • Technology
        • changing a credential from one type to another
        • e.g. the sender might use digital signatures, while the receiver might use a Username token.
      • Naming
        • the name that represents a user might change, similar to a Relationship in Process Server.
        • e.g. your identity to IBM can be your serial number, but to a bank it can be your bank account number.
      To resolve this -

        1. Custom developed ad-hoc code - 
          1. Datapower can perform complex transformations - using built in functions as well as custom transformations.
        2. Leverage a product like TFIM (Tivoli Federated Identity Manager)
          1. Datapower can also connect to products like TFIM.

      Rule of thumb:
      • Use Datapower - for simple credential transformation
      • Use TFIM -
        • for complex credential transformation
        • when transformation occurs in multiple places, such as Datapower and WAS.

      How does Datapower provide Acceleration and Flexibility? (105/285 technotes for 2015)

      Acceleration - 

      Datapower consumes messages at network speed, and can remove the WS-Security overhead and pass the clear message to the back-end server, and vice versa.

      Flexibility -

      1. Datapower supports more of WS-Security than any application server - maybe WebSphere will catch up in the near future, but as of now Datapower has complete coverage.
      2. Datapower fundamentally includes an XSL processing engine, which makes transformation of messages easy.
      3. By offloading the WS-Security processing to Datapower, we eliminate the need to configure and re-configure the back-end server.
      Examples of Datapower use cases:
      1. Clients who want to use WS-Security but find that their application server does not fully support it should evaluate Datapower.
      2. Clients expecting to frequently change WS-Security settings.
      3. Clients with problematic messages.

      Sunday, September 20, 2015

      What is WS Trust & Secure Conversation? (104/285 tech notes for 2015)

      Why WS Trust and Secure Conversation?

      WS-Security adds enterprise-level security features to SOAP message exchanges, but at a substantial performance cost.


      WS-Trust builds on WS-Security to provide a way of exchanging security tokens.
      WS-SecureConversation builds on WS-Security and WS-Trust to improve performance for ongoing message exchanges.

      What is the performance issue with WS-Security?
      WS-Security uses asymmetric keys, that is a public/private key pair, which require larger keys and more complex processing when decrypting messages than a single secret key known to both parties.

      WS-SecureConversation uses WS-Trust (plus WS-Security) to establish a single shared secret key for the communication between client and server.


      What is WS-Trust?
      WS-Trust is a Web services standard for requesting and receiving security tokens.
      • Function 1 - implement the STS, which can
        • issue
        • renew
        • cancel
        • validate security tokens
      • Function 2 - support brokering of trust relationships
      What is an STS (Security Token Service)?
      An STS is a Web service that implements a simple interface defined by the WS-Trust specification. The operations supported are issue, renew, cancel and validate for tokens.

      WS-SecureConversation is a standard which allows symmetric encryption to be used for an ongoing exchange of messages between client and server.

      -----------------------

      How is WS-Trust established?


      • The consumer sends a Request Security Token (RST) to the STS
      • The STS returns a signed token to the consumer in a Request Security Token Response (RSTR)
      • Once the token is received, the requester can present it to multiple services.
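The RST/RSTR exchange above and the four STS operations, simulated as an added example (not IBM code and not the WS-Trust XML message format): an STS that authenticates the requester, issues a signed token scoped to a realm, and later validates, renews or cancels it; and three relying services that accept the token because they trust the STS, never seeing the consumer's password. The token format (a JSON claim set plus an HMAC) is a constructed stand-in for a real SAML or WS-Trust token, and the key, user and service names are constructed.

```python
import hashlib
import hmac
import itertools
import json


class SecurityTokenService:
    """Minimal STS offering the four WS-Trust operations over constructed
    'claims-json.signature' tokens."""

    def __init__(self, key, users):
        self.key = key            # HMAC key shared with the relying services
        self.users = users        # username -> sha256(password) (constructed)
        self.cancelled = set()    # ids of cancelled tokens
        self._ids = itertools.count(1)

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def _verify(self, token):
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(body)

    def issue(self, rst, now):
        """RST -> RSTR: authenticate the requester, then issue a scoped token."""
        digest = hashlib.sha256(rst["password"].encode()).hexdigest()
        stored = self.users.get(rst["username"])
        if stored is None or not hmac.compare_digest(stored, digest):
            return {"fault": "authentication failed"}
        claims = {"id": next(self._ids), "sub": rst["username"],
                  "aud": rst["applies_to"], "exp": now + rst["lifetime"]}
        return {"token": self._sign(claims)}

    def validate(self, token, now):
        claims = self._verify(token)
        if claims is None:
            return "invalid signature", None
        if claims["id"] in self.cancelled:
            return "cancelled", claims
        if now >= claims["exp"]:
            return "expired", claims
        return "valid", claims

    def renew(self, token, now, lifetime):
        status, claims = self.validate(token, now)
        if status in ("invalid signature", "cancelled"):
            return None  # only valid or merely expired tokens may be renewed
        return self._sign(dict(claims, exp=now + lifetime))

    def cancel(self, token):
        claims = self._verify(token)
        if claims is not None:
            self.cancelled.add(claims["id"])


class RelyingService:
    """A Web service that trusts the STS rather than the consumer directly."""

    def __init__(self, name, realm, sts):
        self.name, self.realm, self.sts = name, realm, sts

    def invoke(self, token, now):
        status, claims = self.sts.validate(token, now)
        if status != "valid":
            return f"401 {status}"
        if claims["aud"] != self.realm:
            return "403 token not scoped to this realm"
        return f"200 {self.name} hello {claims['sub']}"


def run_exchange():
    """Issue once, present to several services, then expire, renew and cancel."""
    sts = SecurityTokenService(
        key=b"constructed-sts-key",
        users={"alice": hashlib.sha256(b"alice-pw").hexdigest()},
    )
    orders_read = RelyingService("orders-read", "orders", sts)
    orders_write = RelyingService("orders-write", "orders", sts)
    billing = RelyingService("billing", "billing", sts)
    now = 1000.0
    rst = {"username": "alice", "password": "alice-pw", "applies_to": "orders", "lifetime": 60}
    token = sts.issue(rst, now)["token"]
    out = {
        "read": orders_read.invoke(token, now + 1),
        "write": orders_write.invoke(token, now + 2),
        "billing": billing.invoke(token, now + 3),
        "expired": orders_read.invoke(token, now + 61),
        "tampered": orders_read.invoke(token[:-1] + ("0" if token[-1] != "0" else "1"), now + 1),
    }
    renewed = sts.renew(token, now + 61, lifetime=60)
    out["renewed"] = orders_read.invoke(renewed, now + 62)
    sts.cancel(renewed)
    out["cancelled"] = orders_read.invoke(token, now + 63)  # same id as the renewed token
    return out


if __name__ == "__main__":
    for step, result in run_exchange().items():
        print(f"{step:10s} {result}")
```

The one token is accepted by both services in the "orders" realm and refused by "billing", which is the "present it to multiple services" property; tampering, expiry and cancellation are each caught at validation, and renewal after expiry works because the signature still verifies.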

      References:


      http://www.ibm.com/developerworks/library/j-jws15/
      https://www.youtube.com/watch?v=YZNVyUc-3fQ
      http://bit.ly/1WcpDKb

      Saturday, September 19, 2015

      What is WS Policy? (103/285 technotes for 2015)

      WS-Policy is a flexible and extensible grammar to define the
      • capabilities
      • requirements
      • general characteristics
      of entities in an XML Web Services based system, for a particular domain.

      Examples of Domain for which we have separate policies:
      • Security
      • Privacy
      • Reliable Messaging
      Where and how is WS-Policy used?
      Ans: A Web service uses a policy to define its requirements in the WSDL file.
      For example:
      policy 1: all messages must be signed and encrypted in a certain way.
      policy 2: every message has to have a timestamp.


      What is WS-Policy Terminology?
      Ans:
      Policy --> multiple Policy Alternatives
      Policy Alternative --> multiple Policy Assertions
      Policy Assertion - is the criterion, e.g. every message needs to be encrypted.
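The Policy / Alternative / Assertion structure in code, as an added example that is not from the referenced Redbook or the W3C primer: a normalizer that expands wsp:All (conjunction) and wsp:ExactlyOne (disjunction) into the list of policy alternatives, and a check that tells whether a message satisfies at least one alternative. The policy document is constructed (it uses the real WS-Policy and WS-SecurityPolicy namespaces but is not taken from any WSDL), and a "feature" here is simply the local name of an assertion the message is taken to satisfy.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed policy (assumption): every message must be signed, and must in
# addition either be encrypted or carry a timestamp.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SignedParts/>
  <wsp:ExactlyOne>
    <sp:EncryptedParts/>
    <sp:IncludeTimestamp/>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def normalize(elem):
    """Return the policy's alternatives as a list of frozensets of assertion
    names. Policy and All are conjunctions (cross product of the children's
    alternatives); ExactlyOne is a disjunction (union); any other element
    is a leaf assertion."""
    if elem.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        alternatives = [frozenset()]
        for child in elem:
            alternatives = [a | b for a, b in itertools.product(alternatives, normalize(child))]
        return alternatives
    if elem.tag == f"{{{WSP}}}ExactlyOne":
        return [alt for child in elem for alt in normalize(child)]
    return [frozenset([_local(elem.tag)])]


def policy_alternatives(policy_xml):
    """Normal form as sorted lists, for display or comparison."""
    return sorted(sorted(alt) for alt in normalize(ET.fromstring(policy_xml)))


def satisfied_alternative(policy_xml, message_features):
    """Return the first alternative all of whose assertions the message
    satisfies, or None when the message meets no alternative."""
    for alt in normalize(ET.fromstring(policy_xml)):
        if alt <= set(message_features):
            return sorted(alt)
    return None


if __name__ == "__main__":
    print(policy_alternatives(SAMPLE_POLICY))
    print(satisfied_alternative(SAMPLE_POLICY, {"SignedParts", "IncludeTimestamp"}))
    print(satisfied_alternative(SAMPLE_POLICY, {"EncryptedParts", "IncludeTimestamp"}))
```

An empty wsp:ExactlyOne normalizes to no alternatives at all (the policy can never be satisfied), while an empty wsp:All normalizes to one empty alternative (always satisfied), which is exactly the WS-Policy semantics and why the two operators are not interchangeable.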



      Example of WS-Policy -

      References:
      1. https://www.youtube.com/watch?v=vh4gYKe3_Jc
      2. www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf
      3. http://www.w3.org/TR/ws-policy-primer/