Beruflich Dokumente
Kultur Dokumente
Authors:
Gerry Kaplan, WebSphere DataPower SME
Ray Wilson, WebSphere DataPower SME
Contributors:
Charlie Sumner, WebSphere Transformation Extender SME
Sudhir Mohith, ISSW Partner Services Practice
Lou Rivas, WebSphere IT Specialist
Applicable Firmware: 5.0.0.0 and greater
IBM Software
Contents
LAB 1
LAB 2
LAB 3
LAB 4
LAB 5
LAB 6
LAB 7
LAB 8
LAB 9
Contents
Page 3
IBM Software
LAB 10
APPENDIX A.
APPENDIX B.
APPENDIX C.
APPENDIX D.
Page 4
IBM Software
Overview
This IBM WebSphere DataPower SOA Appliances Proof of Technology (PoT) provides a hands-on
experience for those needing to understand how WebSphere DataPower SOA Appliances can help ease
and accelerate the deployment of enterprise Service Oriented Architecture (SOA) implementations.
Participants gain an appreciation for the ability of WebSphere DataPower to meet the demand for fast,
secure, and reliable XML processing by creating various configurations that demonstrate a rich array of
built-in functionality.
Introduction
IBM WebSphere DataPower SOA Appliances represent an important element in IBM's holistic approach
to Service Oriented Architecture (SOA). IBM SOA appliances are purpose-built, easy-to-deploy network
devices that simplify, help secure, and accelerate your XML and Web services deployments while
extending your SOA infrastructure. These new appliances offer an innovative, pragmatic approach to
harness the power of SOA while simultaneously enabling you to leverage the value of your existing
application, security, and networking infrastructure investments.
Requirements
To complete the labs in this workbook, youll need the following:
A network attached workstation with sufficient memory (2GB minimum).
VMware Workstation or Viewer to run the supplied student VMware image.
An Internet browser.
Access to a WebSphere DataPower Integration Appliance (Physical or Hypervisor) with
Overview
Page 5
IBM Software
Icons
The following symbols appear in this document at places where additional guidance is available.
Icon
Page 6
Purpose
Explanation
Important!
Information
Troubleshooting
IBM Software
Lab 1
In this lab, youll gain a high level understanding of the architecture, features, and development concepts
related to the family of WebSphere DataPower SOA Appliances. Throughout the lab, youll get a chance
to use the WebSphere DataPower intuitive Web-based user interface (WebGUI) to explore the various
aspects associated with appliance configuration and operation.
Upon completing this lab, youll have a better understanding of:
The WebSphere DataPower SOA Appliances family.
Access Control.
Application Domains.
WebSphere DataPower Web-based User Interface (WebGUI).
Configuration Procedures.
The various WebSphere DataPower services.
Local file management.
Logging capabilities.
Device management options.
Firmware management.
1.1
WebSphere DataPower SOA Appliances are a key element in IBM's holistic approach to Service
Oriented Architecture (SOA). These appliances are purpose-built, easy-to-deploy network devices to
simplify, help secure, and accelerate your XML and Web services deployments.
The DataPower appliance family includes the following:
WebSphere DataPower XML Security Gateway XG45 - Capable of offloading overtaxed
Web and application servers by processing XML, XSD, XPath and XSLT at wirespeed,
this appliance enables faster results from application investments. It also delivers a
comprehensive set of configurable security and policy enforcement functions including
support for the latest WS-* standards.
WebSphere DataPower Integration Appliances XI52, XI50B and XI50Z - IBM's hardware
Integration Gateway, this appliance is built for simplified deployment & hardened security.
It includes all of the XML and security functionality found in the DataPower XML Security
Gateway appliance and adds capabilities for bridging multiple protocols.
WebSphere DataPower B2B Appliance XB62 Extends all of the capabilities of the
integration capabilities as the physical version but lacks the hardware acceleration.
Page 7
IBM Software
WebSphere DataPower Caching Appliance XC10 This adds elastic caching functionality
that will enable your business-critical applications to scale cost effectively with consistent
performance.
1.2
Access Control
There are three administrative interfaces for configuring WebSphere DataPower SOA Appliances:
Command line interface
Web-based graphical interface
SOAP-based XML management interface
Through the various administrative interfaces, it is possible to access the entire range of configuration
and status data. Access to the various administrative interfaces is tightly controlled through a variety of
access control methods.
Access control list. Only hosts with addresses in a listed range can access the
appliance.
Accounts, groups, and access policies. Local accounts can be created to gain access
to the appliance. Groups facilitate an easy way of managing multiple accounts with similar
access rights. Group access rights are defined using an access policy.
Role-based Management. Extends local access control to use remote authentication and
1.3
Application Domains
Application domains allow administrators to partition an appliance into multiple logical configurations. For
example, in a production environment, a domain may represent a business area like shipping or
accounting. In a development environment, each developer may have their own domain for testing.
Configurations that are created in one domain are secure from other domains and are not visible.
By default, a newly initialized WebSphere DataPower appliance will have a single domain named
default. The default domain should only be used for managing the network configuration and the
appliance itself.
Application domains allow for easier porting of development domain configurations among appliances
without affecting the core network for the appliance. A domain can easily be exported from one appliance
and imported into another.
1.4
The PoT leader will assign a unique student number to you. Your user ID and application domain is
based on your assigned number.
Your User Name is studentNN where NN is your student number. If your student number
Page 8
IBM Software
Youre now ready to start exploring the WebSphere DataPower WebGUI. Sign into the WebGUI and
change your password using the following steps:
__1.
__2.
__3.
Select your domain from the dropdown list of domains, and then click Login.
Since this is the first time you are logging in, youll be requested to change your password.
__4.
__5.
In the remaining two fields, type a new password that you will use for the remainder of this Proof
of Technology.
Important!
The new password is case sensitive so please make sure
to check that the cap lock key is not activated.
__6.
__7.
__8.
__9.
Log back into the appliance with your user name, new password and domain. Dont forget to
select your student domain from the dropdown domain list.
Page 9
IBM Software
Upon successful login, the DataPower Appliance Control Panel will be shown.
and domain.
The Save Config link is used to save all of your changes into the devices flash
memory. When you make changes to a configuration, the changes are immediately
active, but they are not saved to the flash memory until you click this link.
The Logout link will end the current session. Any changes you made will remain
active.
The left side of the browser window is occupied by the navigation tree. At the top is a link
(labeled Control Panel) for quick access to the control panel. The navigation tree is
divided into several sections. Clicking on the section name will expose additional actions
within that section.
Page 10
IBM Software
Status: provides menu options to view the overall status of the device, network
settings.
Administration: provides options that help you administer the device, such as
system, a system control panel, import and export tools, and a key and certificates
management tool.
Page 11
IBM Software
1.5
Configuration Procedures
There are three phases to the setup and configuration of a WebSphere DataPower SOA appliance. Each
of these phases involves a different set of objects, and often each phase is performed by different
enterprise personnel due to separation of duties and access isolation.
1.5.1
In this phase, the various objects that control the Ethernet interfaces, packet routing, time services and
emergency failure notification are configured. The basic networking values, such as IP addresses,
gateways, etc., are setup during this phase. These objects and settings all reside in the default domain
of the appliance and are accessible only to users with administrative privileges.
During the configuration phase, administrators will also setup the various application domains, users,
groups, and access policies. User access policies determine who can access the appliance to view or
alter its configuration.
1.5.2
During this phase, architects and developers create the various services that implement the solutions
needed to meet enterprise SOA requirements. This phase is often iterative as more and more top level
services are configured on the appliance.
Services can be created in a variety of ways depending on the developers experience level.
Configuration wizards provide the fastest means of creating a new service and its related objects. More
experienced developers may find it faster to create the configuration objects manually. In this Proof of
Technology, youll create objects both manually and using built-in wizards.
1.5.3
This phase occurs when a gateway configuration is moved into a runtime production environment.
Administrators commonly require that the appliance provide the means to produce status updates on a
regular and timely basis. It must also provide a quick, secure, and reliable means of upgrade,
configuration deployment and backup, and that access to the configuration interface is limited. Objects
such as Simple Network Management Protocol (SNMP) communities, statistical monitors, and audit logs
are configured as the appliance goes into production.
1.6
WebSphere DataPower SOA Appliances provide services to process traffic. This section discusses the
various service objects and their typical use cases.
The Services section of the control panel contains a group of icons that represent the most commonly
used services. The following image shows the service icons available on an XI50:
Page 12
IBM Software
1.6.1
XSL Accelerator
The XSL Accelerator validates and transforms incoming or outgoing XML documents. An XSL
Accelerator service would proxy a backend service, applying all the necessary schema
validation and transformations to the incoming document before forwarding the message to the
backend service. For response processing (from the server), it can perform similar validation and
transformation of the outbound XML using XSL.
One use case for this service object is XML to HTML rendering visualized in the above diagram. A
browser-based client makes a request to a web application. The XSL Accelerator service acts as a proxy
between the client and the backend web application server. The GET (or POST) is received by the XSL
Accelerator service, and then forwarded to the backend server. The backend server returns raw XML to
the XSL Accelerator, which then transforms the XML to HTML using an XSL template. The template may
reside on the appliance, or be fetched (and cached) from a remote server.
1.6.2
The Web Application Firewall service is designed to provide firewall and security services for
standard HTML over HTTP Web application traffic. In addition to protecting against common
threats, the Web Application Firewall can enforce specific policies against the data flowing
between the browser and the server. For instance, it can enforce cookie existence and value policies, or
require that specific form fields contain only certain values.
Page 13
IBM Software
1.6.3
XML Firewall
The XML Firewall is a general purpose HTTP(S) service that can process both XML and nonXML payloads. A wide array of actions can be applied to both inbound and outbound
messages, such as encryption/decryption, digital signatures, XSL transformations, filtering,
schema validation, and dynamic routing to name just a few. Checks for XML threats are provided
automatically.
Processing policies have access to all HTTP related details (headers, form fields, payload, status, etc.)
for both the request and the response and can therefore make decisions or process messages based on
the headers existence or contents.
A robust authentication and authorization engine, with built-in integration for a wide variety of policy
servers (LDAP, IBM Tivoli Access Manager, Kerberos/SPNEGO, IBM RACF, etc.) can apply simple
to complex security policies to both inbound and outbound messages. Security protocol mediation, such
as HTTP Basic Authentication to SAML, or Kerberos/SPNEGO to IBM Lightweight Third-Party
Authentication (LTPA), is easily configured through the WebGUI. There is support for the latest security
standards such as XACML, SAML, WS-Security, WS-Policy and WS-I Basic Profile.
The XML Firewall also includes support for some of the latest WS-* standards, including WS-Reliable
Messaging and WS-Addressing.
Page 14
IBM Software
1.6.4
Multi-Protocol Gateway
The Multi-Protocol Gateway service builds on the XML Firewalls XML and security functionality
by adding support for multiple protocols. In addition to HTTP and HTTPS, the Multi-Protocol
Gateway supports WebSphere MQ, WebSphere JMS, TibcoEMS, FTP(S), SFTP, NFS and IMS. All of
these protocols can be mixed and matched as necessary. For example, messages received over HTTPS
can easily be routed to WebSphere MQ or JMS.
1.6.5
The Web Service Proxy provides all of the same services as a Multi-Protocol Gateway service;
however it provides automatic configuration based on one or more Web Service Definition
Language (WSDL) files. WSDL files may be obtained through subscriptions to a Universal
Description, Discovery, and Integration (UDDI) or WebSphere Service Registry and Repository. A single
Web Service Proxy object can act as a single point of entry for multiple WSDLs, automatically routing (or
redirecting) the requests to the appropriate backend service.
The Web Service Proxy will automatically apply schema validation to both inbound and outbound
messages, further assuring message validity. Processing and security policies can be applied not only at
the entire service level, but for individual operations within the service as well.
Page 15
IBM Software
1.7
__10.
You should see the file explorer similar to the one below (additional directories may appear depending on
installed hardware options).
The Flash-based file system has a set of predefined directories. Some directories are shared across
domains, such as the store: directory, while others are specific to a single domain such as the local:
directory. The following is a list of only the most common directories and their contents:
Page 16
IBM Software
Directory
Usage
cert:
This encrypted directory contains private key and certificate files used by services within
the domain. Each application domain contains one cert: directory.
chkpoints:
This directory contains the configuration checkpoint files for the appliance.
config:
This directory contains the configuration files for the appliance. Each application domain
contains one config: directory.
local:
This general-purpose directory contains miscellaneous files that are used by the services
within the domain, such as XSL, XSD, and WSDL files. Each domain includes exactly one
local: directory.
logstore:
This directory contains log files that are stored for future reference.
logtemp:
This directory is the default location of log files, such as the appliance-wide default log.
This directory can hold only 13 MB.
pubcert:
This encrypted directory contains the security certificates that are used commonly by Web
browsers. This directory is shared across domains
sharedcert:
This encrypted directory contains security certificates that are shared with partners. Each
appliance contains only one sharedcert: directory. This directory is shared across
domains.
store:
This directory contains example style sheets, default style sheets, and schemas that are
used by the appliance. Do not modify the files in this directory. Each appliance contains
only one store: directory. By default, this directory is visible to all domains.
temporary:
This directory is used by processing rules as temporary disk space. Each application
domain contains one temporary: directory. This directory is not shared across domains.
The Flash-based file system is used for storing WebSphere DataPower firmware and configuration data
as well as service-related artifacts such as XSL stylesheets, keys, certificates, and schema definitions.
Static files such as schemas, WSDLs and XSL stylesheets are generally hosted off the box and fetched
(and cached) as required. Storing static documents off-box not only reduces flash storage requirements,
but greatly simplifies the deployment process when multiple WebSphere DataPower appliances are
clustered and share common artifacts.
For this Proof of Technology, youll need to upload a few files into your local: directory. The following
steps will guide you through the process.
Page 17
IBM Software
__11.
Click on the Actions link associated with the local: directory to reveal the actions pop-up menu
(see below).
__12.
__13.
__14.
Click the Upload button (or Browse button, depending on your browser) to upload the files into
the local: directory.
__15.
Page 18
IBM Software
__16.
Click on the small plus sign to the left of the local: directory and verify that all files were
uploaded.
Now youll repeat that process and upload several keys and certificates into the cert: directory.
__17.
Click the Actions link to the right of cert:, then select Upload Files.
__18.
Perform the same steps as before and select the following files:
__a. c:\labs\keysAndCerts\ProductService-privkey.pem
__b. c:\labs\keysAndCerts\ProductService-sscert.pem
__c. c:\labs\keysAndCerts\consumer-privkey.pem
__d. c:\labs\keysAndCerts\consumer-sscert.pem
__e. c:\labs\keysAndCerts\soapUI-sscert.pem
__19.
Make sure youve uploaded all pem files into the cert: directory (see below).
Page 19
IBM Software
1.8
Troubleshooting Tools
During the development phase, there are often times when a service configuration produces unexpected
results. WebSphere DataPower appliances have a number of built-in troubleshooting tools that can help
pinpoint the cause of problems.
__20.
In the Navigation pane (on the left side), click the Control Panel link to redisplay the control
panel.
__21.
In the Monitoring and Troubleshooting section, click on the Troubleshooting icon to reveal the
troubleshooting tools page.
The Troubleshooting page has several tools used for troubleshooting both configuration and network
problems.
Ping Remote and TCP Connection Test are used primarily for network connectivity
troubleshooting.
Set Log Level is used to change the logging verbosity. This is a domain-wide setting
which increases or decreases the granularity of messages that are written to the log. The
default log level is error.
Generate Log Event is used to write a specific message to the logs. This is often used for
domain.
Page 20
IBM Software
1.9
Logging
WebSphere DataPower appliances have a built-in publish-subscribe logging mechanism that is robust
and flexible. As transactions flow through the appliance, many events occur. Some of these events occur
as a result of normal processing, while others occur as a result of an exception such as a transaction
being rejected due to an authentication or authorization failure.
1.9.1
By default, the logging level is set so that only messages with a maximum priority of Error are written to
the system log. In this section, youll change the default log level to debug, resulting in a much more
granular level of logging. This not only is helpful is seeing what steps are executing, but helps in
troubleshooting when things arent going as expected.
__22.
In the Logging section, change the Log Level dropdown to: debug
__23.
__24.
__25.
Throughout the various configuration forms, there are links that enable you to view the logs. For
example, right above the Log Level is a magnifying glass icon that, when clicked, will open a window
showing the system log. You can also view the log from the main control panel.
__26.
Click on the Control Panel link in the upper left corner of the browser window.
__27.
Clicking on the View Logs icon will take you to the system log page, which by default shows the last 50
entries in the default log. The interface enables you to filter the entries by category and/or priority, in
order to limit the number of lines.
Page 21
IBM Software
For additional filtering, you can click a transaction id (tid), client IP address, or error code. Each of these
opens a new window with messages related to the selected value; for example, clicking a transaction ID
displays only messages from that transaction.
1.9.2
Log targets
The logging subsystem on WebSphere DataPower SOA Appliances is based on the publish-subscribe
paradigm that enables distribution of selected messages to various protocols and destinations.
Publishers include the DataPower appliance itself as well as the various user-configured services and
their supporting objects. For example, the DataPower appliance may log a message to indicate that a
network connection is failing. Similarly, a user-configured MQ front side handler may log a message to
indicate that the queue manager has become unresponsive.
Log targets act as the subscribers to published messages. Log targets can:
Capture messages and forward them to a variety of different logging server types such as
Page 22
IBM Software
__28.
Expand the navigation tree to expose the Manage Log Targets option. The path is:
Administration Miscellaneous Manage Log Targets
__29.
__30.
On the Main tab, locate the Target Type field and click the dropdown to reveal the list of
available log target types that you can create. You should see a list similar to the following
image. After reviewing the drop down click cancel for at this point we will not create a new log
target.
The dropdown list shows the various log target types supported by the logging subsystem.
Cache: Writes log entries to system memory (this is how the default log is setup).
Page 23
IBM Software
Console: Writes log entries to the screen when using Telnet, Secure Shell (SSH), or
addresses. Before sending, the contents of the log can be encrypted or signed.
SNMP: Forwards log entries as SNMP traps to configured recipients.
SOAP: Forwards log entries as SOAP messages.
syslog-ng: Forwards log entries using Transmission Control Protocol (TCP) to a remote
syslog daemon.
syslog: Forwards log entries using User Datagram Protocol (UDP) to a remote syslog
daemon.
1.9.3
Log Categories
Log targets filter captured messages by event category. The use of categories allows log targets to
subscribe to specific messages, such as appliance messages, network messages, or particular service
messages. In addition to the predefined log categories specific to WebSphere DataPower objects and
operations, you can create your own custom log categories which are more specific to your applications.
__31.
Back in the Administration section of the navigation tree, locate and click on the Configure Log
Categories link.
A list of all predefined log categories will be displayed.
Page 24
IBM Software
1.9.4
Appliance management
There are a number of methods that administrators can use to manage WebSphere DataPower SOA
Appliances. These methods include:
Manually exporting and importing configurations. Configurations can include a single
perform DataPower configuration tasks. Scripting can also be accomplished using SOMA
(SOAP management interface) and integrated with high level programming languages.
Appliance Management Protocol (AMP) and WebSphere Appliance Management Toolkit.
This includes a set of Java components that can be leveraged to perform common
management routines such as backup, restore, etc.
WebSphere Appliance Management Center. This separately licensed product provides a
1.9.5
Administrators can use the Export Configuration utility to export a complete appliance back-up or export
selected portions of the appliance configuration.
The Import Configuration utility is used to restore a complete appliance back-up or selected portions of
an exported configuration.
__32.
At the top of the left navigation pane, click the Control Panel link.
__33.
__34.
Leave the default selection of Export configuration and files from the current domain and click
the Next button.
__35.
__36.
Under the heading Select configuration objects to export, make sure All Objects is selected;
then click the right pointing button to move the selected objects into the Selected Objects box.
When you click the right pointing arrow, the right side box will become populated with all of the objects in
your domain. The objects in the right box will be the objects that are exported as shown in the following
image.
Page 25
IBM Software
__37.
Click the Next button. The export file named MyExport is now created and ready for you to
download to your workstation.
__38.
Click the Download button. Youll be prompted for a location to save the exported file. You can
save the file anywhere on your workstation.
__39.
The file you just downloaded contains a complete backup of your application domain. The MyExport.zip
file can now be imported into another WebSphere DataPower appliance to recreate an exact duplicate of
your domain.
1.9.6
Device Status
The built-in monitoring subsystem can provide complete details as to the operational status of the
appliance, including firmware and library information as well as memory usage, CPU utilization and
hardware operational circumstances. All of this information is viewable from within the WebGUI as well
as through remote monitoring tools (discussed in the next section).
__40.
In the navigation tree, expand the Status menu to reveal the various status sections.
__41.
Locate and expand the System section and explore the various status details.
Page 26
IBM Software
1.9.7
Remote monitoring
Administrators can monitor the health and activity of the appliance with any of the following protocols:
SNMP
Web Services Distributed Management (WSDM)
WS-Management
Proprietary SOAP application programming interface (API)
Remote consoles such as SNMP console, or an IBM Tivoli Composite Application Manager for SOA
console, can display throughput, CPU and memory usage, transaction latency, and general
responsiveness of an appliance with these protocols. The following image shows a third party SNMP
Management Information Base (MIB) Browser showing memory usage statistics.
1.9.8
Administrators can use the Configuration Comparison utility to determine what has changed between
current and saved configurations, including previously exported configurations.
Configuration checkpoints can be set at any time within an application domain. An administrator can then
compare these checkpoints to any other configuration or roll-back the configuration of a domain to an
existing checkpoint.
Page 27
IBM Software
1.11 Summary
In this lab, you learned:
About the various tools and procedures used to configure WebSphere DataPower SOA
Appliances.
Application domains are used to logically partition a DataPower appliance. A domain can
be used for an organizational line of business, or as a location for one or more developers
to collaborate when implementing a solution.
Configuration is accomplished through any of three administrative interfaces: command
through the use of access control lists, user accounts, groups, and access policies.
About the three configuration phases: network services/user configuration phase,
complex processing policies (XSL Accelerator, Web Application Firewall, XML Firewall,
Multi-Protocol Gateway, and Web Service Proxy).
How the built-in logging subsystem is based on the publish-subscribe paradigm, with log
supported.
Page 28
IBM Software
Lab 2
2.1
When a service receives a message from a designated IP and port, a sequence of events are set into
motion before the message is ultimately forwarded to its intended destination. The events are separated
into three distinct phases: client-side processing, service processing, and server-side processing.
Page 29
IBM Software
2.1.1
During this phase, the received message will be directed to the service object that is configured for the IP
address and port combination on which the message was received. Once the service object (such as a
Multi-protocol Gateway or XML Firewall) receives the message, a significant amount of processing of the
message occurs. For example:
If SSL is configured for the service, SSL negotiation and decryption of the data stream will
occur.
SOAP envelope validation.
Protocol-specific actions such as HTTP header suppression or injection.
Inspection for known XML threats.
This is not an exhaustive list, but gives an idea of some of the actions that may occur upon receiving a
message. The results of these pre-processing steps could result in the message being rejected before
any message processing is even attempted.
2.1.2
Once the client-side processing phase has completed and accepted the message, the message will be
passed to the services processing policy. This is often referred to as Multistep processing. A Processing
Policy is a list of rules that contain actions that can be applied to a message. Actions are specific
operations that are applied to a message such as encryption and decryption, message signing,
authentication, etc. As the request message passes through the processing policy, the actions are
applied to the message in a specified sequence, ultimately resulting in the message that will be passed
to the server-side processing phase.
2.1.3
If the message makes it to this phase, it has been accepted by the client-side phase and processed by
the service phase. Its now ready to be sent to the backend server. Before sending though, some
additional steps may be required. Those steps may include:
Establishing a new SSL connection to the back side server.
Setting additional headers in the request.
Mediating protocol versions (i.e. HTTP 1.1 to HTTP 1.0).
Other protocol related tasks for WebSphere MQ, WebShere JMS, FTP, NFS, etc.
Once all of the server-side processing is complete, the message is sent to the backend destination.
2.1.4
Response Processing
When (and if) a response is received from the backend server, the three phases will occur again to verify
the validity of the response, execute a processing policy, and then forward the response back to the
original client. The processing phase can be configured to have separate rules for request and response
processing.
Page 30
IBM Software
2.1.5
A single WebSphere DataPower appliance has the ability to host numerous service configurations. The
following diagram shows a top-level object hierarchy of a WebSphere DataPower service.
This diagram shows some of the objects associated with a given service. For example, the service could
be a Multi-Protocol Gateway that you create for handling requests. The service will use a Front Side
Handler object which identifies an IP address and port. It also includes an SSL Proxy object which
includes the necessary objects for SSL encryption. The service has a Processing Policy (for the service
processing phase), and that policy contains one or more Processing Rules, and each rule contains one
or more Processing Actions. Some of the objects will be created for you as a by-product of configuration
wizards, and others will be created by drag and drop actions within the WebGUI.
2.2
In this section, youll be creating a service that will receive messages posted from your workstation, and
perform a variety of actions against the messages XML payload. There are several steps youll follow to
create the service object:
Specify the basic information about the Multi-Protocol Gateway Service.
Create an HTTP Front Side protocol handler to handle HTTP requests.
Create a Processing Policy and Processing Rule
To get things started, youll create a service proxy that simply acts as a pass-thru. Whatever you post to
the service proxy will get forwarded to an echo service running on the backend server. The response will
pass back through your proxy and then be returned to your workstation.
Page 31
IBM Software
The following steps will guide you through the process of creating and testing your service proxy. If you
logged out from the WebGUI, log back in with your assigned user id and password. Make sure to select
the matching domain for your user id.
__1.
If the control panel is not visible, click on the Control Panel link at the top of the left navigation
pane.
__2.
__3.
Click the Add button to create a new Multi-Protocol Gateway service. The Configure
Multi-Protocol Gateway form will be displayed.
__4.
__5.
2.2.1
The Multi-Protocol Gateway service employs one or more Front Side Handlers (FSH) to manage all
inbound traffic. In a simple configuration, there might be a single HTTP front side handler that listens for
requests on a specific IP address and port.
In the scenario shown in the following illustration, requests arrive over HTTP and are received by the
HTTP front side handler. The HTTP FSH will then pass the request to the Multi-Protocol Gateway
(MPGW) for processing
Page 32
IBM Software
Its also possible to mix and match different types of protocols on the same multi-protocol gateway. For
example, you can assign one FSH for HTTP, another for HTTPS, and yet another that acts as a
WebSphere MQ client.
The server-side protocol is completely independent of the front-side and can be any of the protocols
supported by the appliance.
For this lab exercise, youll create a single HTTP Front Side Handler and assign it to the multi-protocol
gateway.
__6.
In the middle of the form towards the right is a section labeled Front side settings. Locate and
click the plus (+) button to create a new front side handler.
A pop-up list of front side handlers will be displayed. You can see from this list that the
Multi-Protocol Gateway service supports many different front-side protocols.
__7.
In the pop-up list of front side handlers, click: HTTP Front Side Handler
The options provided in the pop-up window allow you to precisely configure the various settings related
to HTTP connections. In addition to the obvious settings such as IP address and port, you can also
specify which version of HTTP that the listener will accept, or whether or not to use persistent
connections.
__8.
In the Name field, type HTTP_444nn where nn is your student number. For example, if you are
student01, type the name HTTP_44401.
__9.
Leave the Local IP Address field as 0.0.0.0. This will cause the front side handler to listen for
traffic on all IP addresses defined on the appliance.
Page 33
IBM Software
__10.
In the Port Number field, replace the default port 80 with 444nn where nn is your student
number.
__11.
Click the Apply button in the upper left corner of the form. The new HTTP FSH should be
automatically added to the list of Front Side Protocols (see below).
2.2.2
Each service that you configure will have exactly one Processing Policy. The processing policy defines
what should happen when a message arrives from either the client (request), or the server (response).
A processing policy is comprised of one or more Processing Rules. A processing rule always begins with
a Match Action, followed by one or more Processing Actions. Processing rules are identified as either
request, response, both, or error types. A processing rule that is indicated as a request rule will be
ignored during response processing. A processing rule that is identified as both will be evaluated for both
requests and responses. Error rules are executed only when an error occurs during processing.
Multi-Protocol Gateway
Processing Policy
Processing Rule #1
[ Req | Rsp | Both | Error ]
Processing Rule #2
Processing
Action #1
Processing
Action #2
Processing
Action #N
Match
Action
Processing
Action #1
Processing
Action #2
Processing
Action #N
Processing
Action #1
Processing
Action #2
Processing
Action #N
Match
Action
Processing Rule #N
[ Req | Rsp | Both | Error ]
Match
Action
The Match Action references a Match Rule that contains one or more matching criteria (or expressions)
that are evaluated to determine whether or not to execute the remaining actions in the processing rule.
When more than one match expression is defined, the match rule can specify whether to combine them
with Boolean AND or OR semantics. When the match rule is configured to use OR, only one of the match
expressions must be True; when AND is specified, all expressions must evaluate to True.
Page 34
IBM Software
Matching expressions can test the message in several ways. For instance, in this lab youll be specifying
a matching expression that inspects the request URI for a specific pattern. Matching rules support the
following types of matching expressions:
URL: A match template that inspects the URL for a specific pattern.
HTTP: A match template that inspects the value of a specified HTTP header for a specific
pattern.
HTTP Method: A match template that compares the specified HTTP method (POST, GET,
In the General Configuration section of the form on the right side, locate the field labeled
Multi-Protocol Gateway Policy and click the plus (+) to create a new processing policy.
__13.
In the Policy Name field at the top of the policy editor, type: ProductServicePolicy
Page 35
IBM Software
In the following steps, youll create a rule that will process client requests.
__14.
__15.
After you click the new rule button, a blank rule will be created that contains a match action.
For this lab, youll create a match rule that will match on any inbound URI.
__16.
Double click the match action to reveal its configuration form in a pop-up window.
__17.
In the Configure a Match Action form, click on the plus (+) button to create a new matching rule.
__18.
In the Configure Matching Rule form, in the Name field, type: MatchAnyURI
__19.
__20.
At the bottom of the list of matching rules, click the Add button to create a new expression.
__21.
__22.
In the URL Match field, type: * (The asterisk is a wildcard character that will match anything).
__23.
Click the Apply button, which will close the Edit Matching Rule window.
__24.
In the Configure Matching Rule window, click the Apply button, which will close the Configure
Matching Rule window.
__25.
In the Configure a Match Action window, click the Done button, closing the Configure a Match
Action window. To validate the rule you just created hover your mouse over the match action
icon, the following should be set Type : url and url : *.
In the following steps, youll create a rule that will process server responses.
__26.
__27.
Page 36
IBM Software
__28.
__29.
In the Configure Matching Action form, select the previously created MatchAnyURI rule from the
dropdown list.
__30.
__31.
Click the Apply Policy button to save these changes. When you do this a Results action will be
inserted into the processing rule. At this point your screen should look like the following.
__32.
Click the Close Window link in the upper right corner to dismiss the policy editor.
__33.
In the Configure Multi-Protocol Gateway form, click the Apply button to activate this new
configuration.
Page 37
IBM Software
You are now ready to test the service you just created.
__34.
__35.
In the project tree, expand the ProductService project until SOAP request is visible (see below).
__36.
__37.
In the upper right corner of the soapUI window, click the maximize button to enlarge the request
window.
__38.
__39.
__40.
Update the port number by replacing nn with your student number, then click OK.
__41.
If everything worked properly, you should see <getProductResponse> xml tree in the Response tab.
If you received an error, you can try and determine the cause by looking at the logs. Theres a
convenient View Log link found towards the top of the Multi-Protocol Gateway configuration page. You
can also view the logs from the main control panel by clicking on the View Logs icon.
At this point, you have created a multi-protocol gateway service that acts as a pass-thru and verified that
it works. Now youll add some more interesting functionality to the service.
2.2.3
Once you have your configuration running properly, its a good idea to save the configuration to the flash
memory. At this point, if the device was shut off or the power was disconnected, all of the work youve
done until now would be lost. Saving the configuration causes your domain to be written to the flash
memory, making it available after the device is restarted.
Page 38
IBM Software
__42.
At the top of the browser window, click on the Save Config link. You should see a message that
says Configuration successfully saved as shown in the image below.
2.3
Schema Validation
An XML Schema describes the structure of an XML document. Validating an XML document against a
schema is one step to assuring that the structure and content of the document is valid and safe. The
process of validating an XML document against a schema is generally considered to be processor
intensive, resulting in increased server load. For this reason, organizations often disable schema
validation in an effort to reduce load (and cost) on application servers, especially when they are running
on a mainframe. This is generally considered a security risk.
WebSphere DataPower SOA Appliances solve this problem by providing wirespeed schema validation to
messages before they reach the application server. Messages that fail validation are rejected by default
(this behavior can be customized).
In this section, youll add a new processing rule to your service that will ultimately perform a variety of
actions against the SOAP request.
Now youll add a schema validate action to the processing rule. Youll configure the Validate action to
use the embedded schema in the WSDL you uploaded in the first lab.
__43.
Page 39
IBM Software
__44.
Expand the policy editor so that you can see all the configured rules at the bottom. Make sure
the Client to Server rule is selected (it will be bold).
__45.
Click and drag a Validate action and drop it to the right of the matching action.
__46.
Double click the new validate action (outlined in yellow) to provide the missing configuration
details.
There are several methods listed for the Schema Validation method. This is a good opportunity to see
the appliances online help.
__47.
Move the mouse over the field label Schema Validation Method. You should notice that it is
actually a hyperlink. Almost all field labels in the WebGUI are hyperlinks and when clicked, will
pop up a help window to explain the various options for that field.
__48.
Click the Schema Validation Method label to show the help text. Close the help text window by
clicking its close button.
Page 40
IBM Software
__49.
Select the radio button associated with: Validate Document via WSDL URL. Selecting this
option causes DataPower to validate the message against the schema found within a WSDL.
__50.
In the WSDL URL, make sure the upper dropdown contains local:///. In the lower dropdown list,
select ProductService.wsdl that you previously uploaded. The Validate configuration window
should look like the following image.
__51.
__52.
Click the Apply Policy button at the top of the policy editor to activate your changes.
__53.
Click the Close Window link in the upper right corner of the policy editor.
The WSDLs schema looks like the schema in the following listing. Notice that the product-id element
restricts its values to the various WebSphere DataPower SOA Appliances models (XA35, XS40, etc.).
<xsd:element name="product-info">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="product-id">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="XA35"/>
<xsd:enumeration value="XS40"/>
<xsd:enumeration value="XI50"/>
<xsd:enumeration value="XI52"/>
<xsd:enumeration value="XB60"/>
<xsd:enumeration value="XB62"/>
<xsd:enumeration value="XM70"/>
<xsd:enumeration value="XE82"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<xsd:element name="brand" type="xsd:string"/>
<xsd:element name="encoded-description" type="xsd:string"/>
<xsd:element name="benefits" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
Page 41
IBM Software
__54.
In soapUI, click the green submit button to POST the request again. The request should be
successful as it was before. This indicates that the message successfully passed schema
validation.
__55.
In the Request tab, change the value of <product-id> to 1234, then click the green submit
button to post the message.
Since 1234 is not a valid product-id, it failed schema validation resulting in a SOAP fault back
to the client.
The returned error message indicates that an internal error occurred but no other details are provided.
This is by design to prevent malicious attackers from gaining detailed information about the underlying
service. You can see detailed information about the failure in the DataPower log.
__56.
In the Multi-Protocol Gateway configuration page, click on the View Log link towards the top right
side of the page.
The log will reveal the underlying reason for the Internal Error message.
__57.
Page 42
Close the log window by clicking on the Windows close button (upper right corner of window).
IBM Software
2.4
The Multi-Protocol Gateway service that you configured expects requests and responses to conform to
SOAP standards. This setting is found towards the middle of the Multi-Protocol Gateway main
configuration page (see following image).
Important!
The following steps show you how to reload the request
payload with prebuilt SOAP messages. In future steps,
these detailed steps will be omitted for brevity.
__58.
In the soapUI Request tab, right click within the message body and select: Load from
__59.
Page 43
IBM Software
__60.
Click the green submit button to POST the XML to ProductServiceProxy. The request should fail
again. To see details about the failure, click on the View Log link in the Multi-Protocol Gateway
configuration page.
2.5
Content-based Filtering
You can easily extend the built-in threat protection by defining custom filters. A custom filter is an XSL
template that makes an accept or reject decision based on some custom logic that you define.
The accept and reject decision are accomplished using special built-in extension functions for XSL.
The <dp:accept> and <dp:reject> extension functions are used to tell processing rule how to proceed
with the message. The following XSL template inspects the <brand> element to make sure that it
contains the string DataPower.
Listing of file: customFilter.xsl
<xsl:template match="/">
<xsl:choose>
<xsl:when test="contains(//prod:brand,'DataPower')">
<dp:accept/>
</xsl:when>
<xsl:otherwise>
<dp:reject>Missing 'DataPower' trademark</dp:reject>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
In the policy editor window, drag a filter action onto the rule as shown below.
__62.
Double click the yellow outlined filter action to complete its configuration.
__63.
__64.
Page 44
IBM Software
The processing policy should now look like the following image.
__65.
__66.
__67.
Click the green submit button to POST the request to ProductServiceProxy. You should receive
a SOAP fault with an error message as shown in the following image.
2.5.1
SQL Injection is an attack technique used to exploit Web sites and services that construct SQL
statements from user-supplied input. For example, assume that a web service expects a SOAP request
containing a <last-name> element used for looking up a customer.
<soap:Body>
<customer-lookup>
<last-name>KAPLAN</last-name>
</customer-lookup>
</soap:Body>
The Web service uses an SQL statement with substitution parameters similar to the following SQL
snippet:
Page 45
IBM Software
In the policy editor window, drag another Filter action onto the processing rule to the right of the
previously added filter action.
__69.
Double click the yellow outlined filter action to complete its configuration.
__70.
__71.
__72.
Page 46
IBM Software
The policy will now protect against malicious SQL injection threats. The file sqlThreat.xml contains a
SOAP message with an SQL Injection Threat in it. The contents of the <brand> element contain the
threat:
<product-info>
<product-id>XI50</product-id>
<brand>DataPower' or '1'='1</brand>
<encoded-description>{omitted}</encoded-description>
<benefits>Security;Integration;Performance</benefits>
</product-info>
__73.
__74.
Click the green submit button to POST the message to ProductServiceProxy. The request
should fail due to Message contains restricted content (from client).
2.6
At the heart of WebSphere DataPower SOA Appliances is a high speed XSL compiler and execution
engine. In fact, most of the built-in functionality is engineered using XSL. Some of the built-in stylesheets
can be found in the store directory. XSL developers can easily copy and modify the IBM provided
stylesheets to create new functionality or support emerging standards before IBM makes them available.
When a stylesheet is referenced for the first time, it is compiled using a patented optimizing XSL compiler
for execution on specialized WebSphere DataPower hardware, then cached in memory for high-speed
recall and execution.
IBM has augmented XSL with a rich set of extension functions that enable you to easily add complex
processing functionality to your processing rules. For example, there are extension functions for
performing base-64 encoding and decoding, encryption and decryption, and date/time functions. There
are also functions for communicating with off-box web services as well as LDAP servers.
In this section, youll be introduced to how XSL templates are used within processing rules. Youll also
get a chance to see the decode() extension function for decoding base-64 encoded text.
In the following steps, youll add a transform action to the response (server to client) rule instead of the
request rule. Since the transform action will modify the overall structure of the message, it wont match
the schema that the backend service is expecting, therefore the request will fail. To avoid this, youll
modify the response which is destined back to soapUI.
__75.
In the policy editor, towards the bottom, click on the Server to Client rule to make it the active
rule in the editor.
Page 47
IBM Software
__76.
Click and drag a transform action and drop it after the match action.
__77.
Double click the yellow outlined transform action to expose its configuration settings.
For this transform, the stylesheet will be located on a remote HTTP server rather than in your local:
directory.
__78.
__80.
Click the Apply Policy button to apply the changes to the overall policy.
__81.
__82.
Youre now ready to run another transaction through your multi-protocol gateway service. Before you do
that, lets take a look at what the XSL template will do to the message.
Heres the SOAP body of the response message. Notice the <encoded-description> tag contains base64 encoded text (some of it has been omitted).
Page 48
IBM Software
<soap:Body>
<getProductResponse>
<Product>
<product-id>XI50</product-id>
<brand>WebSphere DataPower</brand>
<encoded-description>SUJNIFdlYlNw {omitted}</encoded-description>
<benefits>Security;Integration;Performance</benefits>
<Product>
</getProductResponse>
</soap:Body>
tag and then decode the original tags value. dp:decode() is an extension function that will
perform the base-64 decoding.
When a <benefits> tag is encountered, it will use the str:tokenize() function to tokenize the
that hasnt explicitly been matched, and copy it to the output document.
Partial Listing of file: productTransform.xsl
<xsl:template match="encoded-description">
<description>
<xsl:value-of select="dp:decode(.,'base-64')"/>
</description>
</xsl:template>
<xsl:template match="benefits">
<xsl:variable name="benefits" select="str:tokenize(.,';')"/>
<benefits>
<xsl:for-each select="$benefits">
<benefit><xsl:value-of select="."/></benefit>
</xsl:for-each>
</benefits>
</xsl:template>
Page 49
IBM Software
__83.
__84.
Click the green submit button to POST the message to ProductServiceProxy, then inspect the
response. Notice that the <encoded-description> tag was replaced with a <description> tag, and
that its contents are no longer base-64 encoded. Also, the benefits list was properly expanded
into a multi-element <benefits> group.
__85.
If youve gotten everything working properly, you can save your configuration by clicking the
Save Config link in the top of the browser window.
2.7
Stylesheet Caching
XSL stylesheets are compiled and then cached to improve performance. Previously you configured your
processing rule to transform the request XML document against productTransform.xsl. The stylesheet
was fetched from a remote server, compiled, and then cached. You can verify this by checking the status
of the document cache.
__86.
In the left hand navigation pane, under the Status menu, scroll down to find and expand the
XML Processing section, and click on Stylesheet Cache.
In the cached stylesheets column, you can see the number of stylesheets that have been compiled and
cached (this value also includes some system stylesheets).
__87.
The Stylesheet Status page shows you all of the stylesheets that have been compiled and cached. Since
schema documents (XSD) are compiled like stylesheets, they show up in this list too.
2.8
Services that are configured to receive XML messages provide a wide array of additional XML threat
protection.
2.8.1
Page 50
IBM Software
__88.
__89.
__90.
2.8.2
Click the green submit button to POST the malformed message to ProductServiceProxy. Again,
you should receive a generic SOAP fault. Click the View Log link at the top of the Multi-Protocol
Gateway configuration page and notice the error message pertaining to the mismatched tag.
WebSphere DataPower appliances can protect Web services against both single message denial of
service (XDoS) and multiple message denial of service (MMXDoS) attacks.
Single message XDoS attacks may have any combination of the following characteristics:
Jumbo payloads Sending a very large XML message to exhaust memory and CPU on
or an excessive number of tags. This attack may also lead to buffer overruns.
Coercive parsing XML messages specially constructed to be difficult to parse, resulting
Web service. This attack can be combined with Replay attack to bypass authentication,
and with Single message XDoS to increase its impact.
Resource hijack sending messages that lock or reserve resources on the target server
Return to the ProductServiceProxy configuration page. At the top of the Multi-Protocol Gateway
configuration form is a set of tabs. At the right and left side of the tabs are arrow images. Moving
the cursor over the arrow (without clicking) will cause the tabs to shift left or right. Move the
mouse over the right arrow until the XML Threat Protection tab is visible.
__92.
Page 51
IBM Software
__93.
In the Single Message XML Denial of Service section, click the on radio button for Gateway
parser limits.
__94.
Notice that the XDoS protection is highly customizable. For now turn this off by togging the
Gateway parser limits back to off.
__95.
In the Multiple Message XML Denial of Service section, click the on radio button for Enable
MMXDoS Protection.
__96.
Again notice the ability to customize and then click the off button for Enable MMXDos Protection.
__97.
Before completing this lab it would be a good time to click on the Save Config link at the top of
the screen
2.8.3
Virus Scanning
Viruses are typically contained in message attachments. XML Virus Protection sets parameters that
handle the following types of attacks in attachments:
XML virus attacks
XML encapsulation attacks
Payload hijack attacks
Binary injection attacks
on the XML Threat Protection tab that is currently displayed in your browser in the
XML Virus (X-Virus) Protection section.
If attachments are allowed, the second level of protection occurs in the processing rule. A
special Virus Scan action will extract the attachment from the message and send it to an
Internet Content Adaption Protocol (ICAP) compatible virus scanner. If the scanner
responds that a virus exists in the attachment, the virus scanning action will either strip the
attachment or reject the message (based on configuration settings).
Page 52
IBM Software
2.9
Summary
The client-side processing performs all protocol related processing as well as shielding
against a variety of malicious attacks. The service processing phase contains all of the
specific rules and actions that you define. The server-side processing phase is where any
backside protocol tasks are performed before the message is forwarded to the intended
destination.
WebSphere DataPower configurations are built using a pure object-oriented design. Every
configuration object, such as a SSL Proxy Profile or a Processing Policy, can be reused.
How to configure a Multi-Protocol Gateway service, along with an HTTP Front Side
Action that is evaluated to determine whether the rule should be executed. Each
processing rule contains a list of processing actions that are executed against the
message.
Match rules can match on various aspects of a message, including the URL, HTTP
headers, error codes, or an XPath that inspects the XML payload of a message.
Clicking the Save Config link in the top navigation area will save your running
configuration (for your domain) to the flash memory. The running configuration and the
saved configuration are independent.
How to add a schema validate action to the processing rule by dragging it from the action
palette onto the processing rule. WebSphere DataPower appliances can perform schema
validation against messages at near wire-speed, adding minimal latency to the overall
transaction time.
SOAP requests and responses are automatically checked against a SOAP schema,
Malformed XML is rejected which assures backend applications receive only well-formed
XML.
Custom Filters can be used for content-based message filtering and SQL injection threat
protection.
How to transform an XML document using a Transform action.
XSD and XSL stylesheets are compiled and cached.
Page 53
IBM Software
Page 54
IBM Software
Lab 3
3.1
In the digital world, public and private keys are often employed to perform cryptographic operations, such
as encryption of message data. The use of key pairs (public/private) is known as asymmetric encryption.
It is vital that the private key is protected, while its public counterpart, the public key (often carried in a
certificate), can be freely distributed. Certificates are typically validated by a Certificate Authority (CA). In
the event that an authority needs to revoke a previously distributed certificate, it adds the revoked
certificate to a globally published certificate revocation list (CRL).
On DataPower, public certificates and private keys are wrapped in crypto objects so that there is one
level of indirection when using them. For example, when you upload a public certificate, it will be
wrapped in a Crypto Certificate object. When a service object needs to use that public certificate, it will
reference it using the crypto certificate instead of the actual certificate file. The following image shows a
signing action that references a crypto key and crypto cert when digitally signing a message.
This single level of indirection allows the underlying key or certificate to be replaced without the need to
reconfigure any services that are using it.
Page 55
IBM Software
3.2
The term digital signature refers to something created using public key technology. Two keys are
involved: a private key, which only you know, and a corresponding public key, which you can freely give
to anyone. What makes this key pair interesting is that anything encrypted using one key can only be
decrypted with the other one.
The primary usage of digital signatures is to verify the integrity of a transmitted message. When a
message travels over public networks, it can be intercepted, modified, and then forwarded without
detection. Adding a digital signature to a message enables the recipient of the message to determine
whether the message has been altered along the way.
For example, assume a business partner wants to send you a digitally signed message. First, they will
compute a special checksum on the message they want to send (this is often referred to as a message
digest). Then they encrypt the digest with their private key. The result is a digital signature for the
message. They send this digital signature along with the original message to you.
When you receive the message, youll first compute the message digest on the received message. Youll
then use the senders public key to decrypt the message digest that was sent along with the message. If
the message digest that you calculated and the one that you decrypted are identical, then you can be
certain that the data wasnt changed in transit (integrity) and that the data was signed by the business
partner (authentication).
Creating and verifying digital signatures involve a considerable amount of mathematical computations,
and are thus very processor intensive. WebSphere DataPower employs cryptographic hardware to do
these calculations, thus freeing up costly processor cycles for business-related tasks.
In this section, youll configure your ProductServiceProxy to:
1. Verify a digital signature generated by soapUI. If the verification fails, reject the request.
2. Strip the digital signature from the request before forwarding it to the backend service.
3. Add a digital signature to the services response and return the signed response to soapUI.
3.2.1
Crypto objects
In lab 1, you uploaded several PKI files. Keys and certificates generally have expiration dates, thus
requiring occasional replacement. To avoid the need to change multiple configurations each time a key
or certificate needs updating, keys and certificates are wrapped in Crypto Key and Crypto Certificate
objects. These crypto objects add a level of indirection to the underlying keys and certs, averting the
need to update affected configurations each time key or certificate maintenance occurs.
The following steps will guide you in creating a Crypto Key object that wraps ProductServiceprivkey.pem, and Crypto Certificates that wrap ProductService-sscert.pem and soapUI.pem.
Page 56
IBM Software
In the search field above the navigation tree, type the word crypto (case is not important). As
you type, the results of the search will replace the navigation tree.
__2.
__3.
__4.
__5.
__6.
__7.
__8.
__9.
__10.
__11.
In the left navigation pane, locate and select Crypto Certificate. If you cannot find it, you can use
the navigation search box.
Page 57
IBM Software
__13.
__14.
__15.
__16.
3.2.2
The process of securely verifying a digital signature requires that the recipient of the message have
access to the signers public certificate. The certificate is often included in the signed message, but the
most reliable way of verifying the signature is with a certificate provided by the signer and uploaded to
the cert: directory.
3.2.3
In the search field above the navigation tree, type the word crypto. In the search results, locate
and select: Crypto Validation Credentials
__18.
__19.
__20.
In the Certificates field, dropdown the certificate list and choose: SoapUICryptoCert
__21.
Click the Add button to add the certificate to the list of certificates.
__22.
Page 58
IBM Software
3.2.4
In the next steps, youll modify the ProductServiceProxy Multi-Protocol Gateway to verify the digital
signature sent by soapUI, and to put a digital signature on the response sent back to soapUI.
__23.
In the search field above the navigation tree, type the word multi.
__24.
In the search results, locate and click on: Edit Multi-Protocol Gateway
__25.
__26.
As youve done before, open the policy editor window by clicking on the ellipsis in the
Multi-Protocol Gateway Policy field.
Drag a Verify action onto the processing rule after the match action.
__28.
Double click the yellow outlined verify action to complete its configuration.
__29.
__30.
Click Done.
In the following steps, you'll add a transform action that will strip off the digital signature that soapUI
created. This is not required, but is often done in order to reduce the overall message size. WebSphere
DataPower appliances come with a library of pre-built stylesheets that perform various useful tasks such
as stripping a digital signature. These pre-built stylesheets can be found in the store: directory.
Page 59
IBM Software
__31.
In the policy editor, drag a transform action after the verify action.
__32.
Double click the yellow outlined transform action to complete its configuration.
__33.
__34.
In the configured rules section in the policy editor (at the bottom), click on the Server to Client
rule to make the response rule active in the editor.
__36.
Drag a Sign action onto the processing rule to the right of the transform action.
__37.
Double click the yellow outlined sign action to show its configuration.
__38.
__39.
__40.
__41.
Click the Apply Policy button to make your changes to the policy effective.
__42.
Page 60
IBM Software
3.2.5
The transaction probe is a troubleshooting tool that provides insight into the state of a transaction as it
moves through the processing rule. It allows you to see what the input context is to each of the actions
as well as the values of system variables, protocol headers, etc. It is the single most important tool to use
when troubleshooting a services policy.
__43.
In the Configure Multi-Protocol Gateway form, towards the upper right corner, click on the
Show Probe link.
__44.
__45.
__46.
Leave the Transaction List window open so you can easily access it in future steps. If you close
the window by accident, you can always re-open it by clicking on the Show Probe link.
When you run transactions through the ProductServiceProxy gateway, the probe will capture all the
details about the message.
Now youll tell soapUI to add a digital signature over the body of the request.
__47.
In soapUI, use the same request you did in the previous chapter. Expand the ProductService
project until SOAP request is visible (see below), then double click it to open it.
__48.
Page 61
IBM Software
__49.
At the bottom, locate and click the Aut button to reveal the authentication dialog.
__50.
Select the following from the Incoming and Outgoing WSS dropdowns:
__a. In the Outgoing WSS dropdown, select Sign.
__b. In the Incoming WSS dropdown, select Verify.
__51.
__52.
Click the green submit button to POST the request to your service proxy. The request should
succeed.
__53.
In the Transaction List (probe) window, click the Refresh button so you can see the transaction
that you just posted.
The transaction list should now show the request you just posted. The [+] at the left side of the
magnifying glass indicates that there is an associated response with the request.
Page 62
IBM Software
__54.
__55.
Click on the top (request) magnifying glass to show the execution details for that transaction. At
the top of the displayed window will be a set of icons that represent each action in the rule that
was executed. The main part of the window displays the contents of the INPUT context (the
contents of the message sent by soapUI). Notice that soapUI properly added a digital signature
to the message.
Page 63
IBM Software
3.2.6
DataPower Contexts
While configuring the various actions (sign, transform, etc.), you may have noticed that each action
declares an input and an output context. In the case of a transform action, the input context will be the
document that is fed to the transformer, and the results of the transformation will be written to the output
context.
Some actions may only have an input context. For example, the verify action has an input context, but no
output context; the signature verification either passes or fails. In contrast, some actions may only have
an output context. The fetch action can fetch an XML document from a local file or a remote server, and
the fetched document becomes the output context. Contexts are referred to by the following names:
INPUT represents the original message as it arrived from the client.
OUTPUT represents the outbound message which will be forwarded to the destination. In
the case of client-to-server processing, the OUTPUT context represents what will be sent
to the backend server. In the case of server-to-client processing, the OUTPUT context
represents what will be returned to the client.
NULL indicates that the output is not needed. In other words, the output from the action
action. In this case, the input context of the next action must also specify PIPE.
Named context in this case, you can assign a name to a context and use it at a later
point in the processing rule. For example, a transform action can be configured with an
input context of INPUT and an output context of newRequest. Later in the processing
rule, another action can use newRequest as the input context.
__56.
The XML document shown in the window shows what will be fed into the transform action as the
context document. In this case, the message with the digital signature will be the input context to
the transformation.
__57.
Click on the magnifying glass after the transform action (in front of the sign action).
The input to the schema validate action is the results of the prior transform action. In the content
section, notice that the digital signature has been removed.
Page 64
IBM Software
__58.
Click on the last magnifying glass. It contains the contents of the OUTPUT context, which will be
forwarded to the backend service.
__59.
__60.
In the transaction list window, click on the magnifying glass to the left of the response.
The INPUT context shown in the transaction window shows the response that came back from the
backend service.
__61.
Click on the magnifying glass after the transform action. In the content section, you should that
the transformation decoded the encoded description and expanded the benefits list into an XML
nodeset.
__62.
Click on the magnifying glass after the sign action. In the content section, you should see that
the message now contains a digital signature.
__63.
Finally, click on the last magnifying glass. It represents the content that will be returned to
soapUI.
Page 65
IBM Software
__64.
You can verify that soapUI accepted the digital signature by looking at the soapUI log. At the
bottom of the soapUI window is a button to show the soapUI log.
If soapUI could not verify the signature created by DataPower, the log would contain an error
message.
3.3
Similarly to digital signatures, encryption use PKI keys and certificates for encryption and decryption.
When encrypting a message, the recipient's public key is used; only the private key can decrypt the
message.
3.3.1
In the following steps, youll add the necessary actions to decrypt the request (from soapUI) and then
encrypt the response (going back to soapUI).
__65.
Reopen the policy editor by clicking the ellipsis in the Multi-Protocol Gateway page.
__66.
__67.
Double click the decrypt action to provide additional details for its configuration.
__68.
__69.
Click Done.
Page 66
IBM Software
__70.
In the list of configured rules at the bottom of the policy editor, click on the Server to Client rule
to make it the active rule in the editor.
__71.
__72.
__73.
In the Configure Encrypt Action form, locate the Recipient Certificate field, then select
SoapUICryptoCert.
__74.
__75.
__76.
Click the Close Window link in the upper right of the policy editor.
__77.
In soapUI, click the green submit button to test your service gateway.
If you inspect the response closely, youll notice that the contents of the SOAP Body are
completely encrypted.
You just verified that DataPower is signing and encrypting the response. Now configure soapUI to
sign+encrypt the request, and decrypt+verify the response.
__78.
__79.
Click the Aut button to show the authorization security settings. If the soapUI log is still visible,
you may want to hide that too.
__80.
Page 67
IBM Software
__81.
__82.
__83.
Click the green submit button to submit the request to ProductServiceProxy. Look closely at the
response. This time, soapUI was able to decrypt the contents of the SOAP body.
__84.
Look back at the probe window; click the Refresh button. You should see two transactions in the
list. Feel free to inspect the new transactions that include the encryption steps.
3.3.2
In the previous steps, you saw how to encrypt the entire SOAP body. In some circumstances, it may be
preferable to encrypt only specific elements.
Now youll modify the encrypt action so that only the <brand> tag will be encrypted.
__85.
Reopen the policy editor by clicking on the ellipsis button in the Multi-Protocol Gateway Policy
field.
__86.
In the configured rules section at the bottom, click on the Server to Client rule to make it the
active rule in the editor.
__87.
__88.
In the Message Type section, choose Selected Elements (Field-Level). When you make this
selection, a new field, Document Crypto Map will appear.
The Document Crypto Map is used to tell the encrypt action which element(s) are to be encrypted. Since
the document will be in XML, the most natural way of selecting the target elements is with XPath
expressions. The Document Crypto Map represents a collection of XPath expressions which identify the
elements to be encrypted.
__89.
Click the plus (+) button next to the Document Crypto Map dropdown.
__90.
__91.
__92.
__93.
Click the Add button to add this XPath to the list of expressions.
__94.
Page 68
IBM Software
__95.
__96.
__97.
__98.
In soapUI, click the green submit button to POST the request to the ProductServiceProxy
gateway.
Since soapUI is configured to decrypt the message, you wont have much proof that DataPower
only encrypted the <benefits> element. You can verify this in two ways:
__a. Look at the transaction probe, in the response rule, look at the contents of the OUTPUT
context (the last magnifying glass) to see what is being returned to soapUI. There you will
see that the <benefits> element has been encrypted but the other elements are not.
__b. Modify soapUIs authentication settings by changing the incoming WSS security to either
verify or blank. This will prevent soapUI from decrypting the response.
__99.
Click the Apply button in the main Multi-Protocol Gateway configuration form.
Applying changes disables the probe.
In order to preserve system resources, the probe is
automatically disabled after pressing the Apply button in the
main Multi-Protocol Gateway configuration window.
__100. If your configuration is working properly, click the Save Config link to persist your configuration to
the flash memory.
Page 69
IBM Software
3.4
Summary
In this lab, you saw a variety of ways in which WebSphere DataPower appliances can help secure data
using its cryptographic capabilities. You learned:
How crypto certificates and crypto keys are used to dereference key and certificate files
Page 70
IBM Software
Lab 4
Authenticate
If the identity is successfully extracted from the message, it will then be authenticated. Authentication is
most commonly accomplished via an external service such as Tivoli Access Manager or LDAP. If the
authentication is successful, the process enters the resource and credential mapping phase.
Page 71
IBM Software
Authorize
Like authentication, authorization is most commonly accomplished via an external policy server such as
Tivoli Access Manager or an LDAP. The result of the authorization phase is to either allow or deny the
request to proceed.
If either authentication or authorization denies access, the system generates an error which is returned to
the calling entity. This error may be handled, as with any other errors within multi-step processing, by an
on-error action or an error rule. Either method allows for the creation of custom error messages.
4.1
LDAP authentication
In this section, youll add an AAA action to your processing rule to authenticate requests against an
LDAP.
__1.
Re-open the policy editor by clicking on the ellipsis button in the Multi-Protocol Gateway Policy
field.
__2.
In the Client-to-Server rule, drag an AAA action and drop it after the initial match action.
Page 72
IBM Software
__3.
__4.
The AAA processing action references an AAA Policy. Click the plus (+) sign next to the
AAA Policy dropdown to create a new AAA policy.
__5.
__6.
The next page identifies how to extract the users identity (and optionally password) from the message.
For this exercise, well indicate that the identity will be in a WS-Security Username Token element.
__7.
__8.
Select: Bind to Specified LDAP Server. When you make the selection, LDAP specific
configuration parameters will be displayed.
__10.
__11.
__12.
__13.
Now you will define how to extract the resource. Since the message is a SOAP request, you can expect
that the first element in the SOAP body contains the operation being requested. In XPath terms, this is
referred to as the Local Name of the Request Element.
__14.
__15.
__16.
For the authorization phase, leave the default set to: Allow Any Authenticated Client.
__17.
The last page of the AAA policy configuration wizard gives you the options of performing various post
processing tasks. One powerful post-processing task is to perform security protocol mediation such as
creating a Kerberos/SPNEGO token or generating a signed SAML assertion. For this lab, just leave
everything with the default values.
__18.
__19.
__20.
Make sure MyAaaPolicy is selected in the AAA Policy field, and then click Done.
Page 73
IBM Software
__21.
__22.
__23.
__24.
In the soapUI, click the green submit button to submit the request to your service. The request
should now fail with an error message of Rejected by policy. To resolve this, you need to tell
soapUI to include the WS-Security Usernametoken.
__25.
In soapUI, make sure the request tab is selected then click the Aut button to show the
authentication settings.
__26.
__27.
__28.
Click the green submit button to submit another request to the service. This time, the request
should succeed. If you want to see the WS-Security UsernameToken that soapUI injected into
the message, you can use the probe to inspect the transaction.
__29.
If you want to see the AAA policy reject a bad password, follow these steps:
__a. In the soapUI request tab, click on the Aut button to show the authentication settings.
__b. Select BadPassword_UNT from the Outgoing WSS dropdown the password is incorrect
for user david.
__c. Click the Aut button to hide the authentication settings.
__d. Click the green submit button to submit the request. The request should fail with the
Rejected by policy message.
__e. Restore the Outgoing WSS setting back to UsrtokenSignEncrypt and verify that the
request succeeds (this is important for future labs).
__30.
If your configuration is working properly, you can click the Save Config link in the upper right part
of the DataPower banner. This will save your configuration to the flash memory.
4.2
Summary
In this lab, you saw how you can further secure your services with DataPowers access control
framework. You learned:
Access Control Policies, also known as AAA policies, are a powerful and flexible way to
prevent unauthorized access to your services. Through the point-and-click WebGUI, you
can easily configure access policies to contact external authentication and policy servers.
AAA policies can also do security mediation, such as converting between HTTP Basic
Authentication and Kerberos/SPNEGO. AAA policies can also create a SAML assertion
based on authenticated credentials extracted from the message.
Page 74
IBM Software
Lab 5
The basic process involves adding an HTTPS Front Side Handler to your multi-protocol gateway. The
primary difference between an HTTP and HTTPS front side handlers is that the HTTPS FSH requires an
SSL Proxy Profile object.
The preceding image shows the relationships of various crypto objects that work together to provide
mutual SSL services.
Page 75
IBM Software
An SSL Proxy Profile is used as a way of configuring SSL connection details such as caching, direction
(forward, reverse, two-way), and authentication requirements. The SSL Proxy Profile leverages various
other objects that all work together during and after SSL handshaking:
Crypto Profile used to associate a Crypto ID Credential and a Crypto Validation
Credential together in one convenient reusable object. Also defines acceptable ciphers for
encryption.
Crypto ID Credential - during SSL negotiation, it may be necessary for a DataPower
service to provide a certificate that represents its identity to the client. A Crypto ID
Credential will act as this part of the SSL handshake equation. The Crypto ID Credential
will contain both a private key and a public certificate that identifies your service.
Crypto Validation Credential used to define which certificates are acceptable from the
peer during SSL negotiation. If the peers certificate does not exist in the Crypto Valcred,
the connection will be rejected. The validation credential is optional and if not specified,
would result in a one-way SSL negotiation. In other words, DataPower will present its
public certificate to the peer as its identity, but would not require the peer to present a
certificate back.
This may seem like a lot of pieces to configure, but keep in mind that a single WebSphere DataPower
appliance can host multiple services and may need to have multiple identities. This object relationship
provides the maximum flexibility and object re-use.
5.1.1
__31.
In the navigation search box, type id crypto, then from the search results, locate and click
Crypto Identification Credentials.
__32.
__33.
__34.
__35.
__36.
5.1.2
The crypto profile object will now tie together the crypto identification credential and the crypto validation
credential to form a relationship between the two.
__37.
Using either the search results or by starting a new search, locate and click Crypto Profile.
__38.
__39.
__40.
__41.
Page 76
IBM Software
__42.
5.1.3
The SSL profile object provides the SSL-specific configuration parameters, and references the crypto
profile for any required crypto keys and certificates.
__43.
Using either the navigation search box or the navigation tree, locate and select SSL Proxy
Profile.
If you use the search box, you can type ssl.
If you use the navigation tree, you will find it under: ObjectsCrypto Configuration.
__44.
__45.
__46.
__47.
Click the Apply button to save the new SSL Proxy Profile.
__48.
5.1.4
The final steps are to create the HTTPS front side protocol handler and add it to the multi-protocol
gateway service. The HTTPS front side handler will identify which SSL Proxy Profile to use as well as a
TCP port for communications.
__49.
__50.
Click ProductServiceProxy to open the configuration for your multi-protocol gateway service.
__51.
In the Front Side Protocol field, click the plus (+) button to create a new front side protocol
handler.
__52.
From the pop-up menu, select HTTPS (SSL) Front Side Handler
__53.
__54.
__55.
Towards the bottom of the configuration window, locate the SSL Proxy field and select
ProductServiceSslProxyProfile from the dropdown list.
__56.
Click the Apply button to save the front side handler configuration.
__57.
Click the Apply button at the top of the Configure Multi-Protocol Gateway form.
Page 77
IBM Software
The configuration is complete. Now your multi-protocol gateway service is listening on two ports, one
being HTTP and the other HTTPS.
__58.
In soapUI, from the endpoint dropdown list, select the HTTPS endpoint
https://datapower:443nn/ProductService/ProductService.
__59.
__60.
__b. Click the green submit button to POST the request using SSL. The request should succeed
as it did earlier.
Page 78
IBM Software
__61.
Perform a test to show that ProductServiceProxys SSL is mutual, and that it will only trust
connections from peers whose certificate is included in ProductSvcConsumersValcred.
__a. In the Request Properties section, change the SSL keystore to: untrustedpeer.jks.
__b. Click the green submit button to POST the request using SSL. The request should fail. If
you examine the DataPower system log (accessible from the control panel), you will see
something similar to the following screen capture.
__62.
If your configuration is working properly, click the Save Config link in the upper right corner of the
window to save your configuration to the flash memory.
Page 79
IBM Software
5.2
Summary
Page 80
IBM Software
Lab 6
6.1
A Web service is defined as a self-describing, standalone application that can be consumed by other
applications. Web services use Web Services Description Language (WSDL) to provide the consumer
with the essential details associated with its usage. A WSDL document is generally available to the
consumer, and is used when developing clients that use the service.
The Web Service Proxy (WS Proxy) object fully understands Web Services Description Language. In
fact, a fully functional WS Proxy can be configured simply by providing it with a WSDL document. Once
configured, additional processing requirements and quality of service parameters can be easily
configured using the WebGUI.
6.1.1
The central element to the configuration of a WS Proxy service is one or more WSDLs. There are several
ways of which a WS Proxy service can gain access to a Web services WSDL:
The WSDL document can be uploaded into the flash-based file system.
The WSDL can be referenced via a URL, such as http://myservice.com/service?WSDL
The WS Proxy can subscribe to a centralized repository such as WebSphere Service
Page 81
IBM Software
Using a WSDL repository such as WSRR or UDDI has some distinct advantages. When using a
repository, the WS Proxy service subscribes to a WSDL and periodically checks for service definition or
policy updates. When a new WSDL becomes available, the WS Proxy will obtain it and automatically
reconfigure itself based on the new WSDL.
6.2
number, this operation will calculate the headwind and crosswind strengths at take-off.
CalculateCloudBase given the temperature and dew point, this operation will calculate
6.3
Before creating the configurations to protect the service, you can test the service to make sure its up and
running. First, youll request the services WSDL from the actual service.
Page 82
IBM Software
__1.
If the service returned its WSDL, you know the service is up and running. Now you can submit a SOAP
request to test the service.
__2.
__3.
In the project tree, expand the E6BService project until the CalculateCloudBase requests are
visible (see below).
__4.
__5.
In the upper right corner of the soapUI window, click the maximize button to enlarge the request
window.
Page 83
IBM Software
__6.
__7.
Make sure that the <temperature> and <dewpoint> elements contain integer values. They should
default to temperature 80 and dewpoint 40.
__8.
Click the green submit button to POST the CalculateCloudBase request to the actual
E6BService.
__9.
If everything is working properly, the response window should show the SOAP response that
came back from the Web service. If you submitted 80 and 40 for temperature and dew point, the
service should respond with a cloud base altitude of 9090 feet.
If you did not receive a response, or you receive a SOAP fault, ask the instructor for additional help in
troubleshooting your server connectivity.
6.4
For this Proof of Technology, the instructors workstation (demoserver) has a running instance of
WebSphere Service Registry and Repository. The WSDL for the E6B service has been uploaded and
published into the registry. When you create your Web Service Proxy object, youll configure it to obtain
the WSDL from the registry. Therefore, youll first need to configure a WebSphere Service Registry and
Repository connection object. Youll do that in the following steps.
__10.
__11.
__12.
Click the Add button to create a new WebSphere Service Registry and Repository server
connection.
__13.
__14.
__15.
__16.
__17.
Page 84
IBM Software
6.5
The first step in create a Web Service Proxy object is to give it a WSDL. For this lab, the WSDL will be
obtained from a registry (WebSphere Service Registry and Repository). In the following steps, youll
create a subscription to WebSphere Service Registry and Repository to obtain the E6B Service WSDL.
__18.
__19.
Click on the Web Service Proxy icon. It is located on the top row of service icons.
__20.
Click the Add button to create a new Web Service Proxy object.
__21.
__22.
__23.
Under the WSDLs heading, locate and click the mini tab labeled: Add WSRR Subscription
__24.
Under WSRR Subscription Name header, select New and type: E6BServiceSubscription
__25.
__26.
__27.
__28.
__29.
Page 85
IBM Software
6.5.1
Now youll define how clients will connect to the Web Service Proxy. Youll do this the same way you did
in previous labs when you created an HTTP front side handler (FSH).
__30.
In the Local settings box, click the plus (+) button in the Local Endpoint Handler column to create
a new front side handler.
__31.
In the pop-up list of protocol types, select: HTTP Front Side Handler
__32.
__33.
In the Port Number field, type: 445nn where nn is your student number.
__34.
In the Allowed Methods and Versions section, click the checkbox to enable GET method.
By default, the HTTP GET verb is disallowed since Web services involve POSTing SOAP
requests. However, in a subsequent step, youll submit a GET to the service in order to see its
WSDL; therefore you need to enable the HTTP GET verb.
__35.
The 2nd column labeled URI is used to specify what the inbound URI should be for the service. By
default, this is taken from the WSDL; however you can override the URI with a totally different URI for
client requests, thus hiding the actual service URI.
__36.
Page 86
Click the Add button to add the front side configuration to the Web Service Proxy.
IBM Software
6.5.2
The final step is to define details associated with the actual backend service. By default, all of the details
will be derived from the retrieved WSDL; however, you do have complete flexibility to override the
backend hostname, port, and remote URI if necessary.
__37.
Your service is now created and ready to use. First, verify that everything is up and that the WSDL was
successfully retrieved.
__38.
Towards the middle of the page, verify that the WSDL Status section shows: Okay
__39.
At the top right section of the page, click on the View Operations link to show the details
pertaining to the service operations.
A window will open showing you details about the three operations available in the E6BService.
__40.
6.5.3
__41.
At the top right section of the page, click on the Show Probe link to open the probe window.
__42.
__43.
Page 87
IBM Software
6.5.4
Before you submit another transaction, youll need to change and edit the endpoint that points to
datapower instead of demoserver.
__44.
In the soapUI window, click the endpoint dropdown list and select the datapower:445nn URL to
make it the current endpoint.
__45.
__46.
Click the green submit button to submit the request to the service. The service will receive the
request, perform XML security checks on the message (schema validation, XML threats, etc.),
then forward the message to the actual E6BService running on demoserver.
In the Transaction Probe window, click the Refresh button. If the transaction was successful, it
should appear in the probe similar to the following image:
__48.
Clicking on the little [+] sign next to the magnifying glass will expand the transaction to show the
response. You learned how to use the transaction probe in a previous lab, so feel free to
investigate the different details, headers, etc., about the request and response.
__49.
Page 88
IBM Software
6.6
WS-SecurityPolicy
On its own, a WSDL is capable of fully describing a service and its various operations. A consumer can
easily obtain a WSDL and create client code that would know first-hand how to communicate with the
service. The WSDL, however, is not capable of informing the consumer precisely what type of message
or transport level security is required to access the service. WS-Policy and WS-SecurityPolicy were
conceived to solve this problem.
WS-Policy defines a framework for allowing Web services to express their constraints and requirements.
WS-SecurityPolicy expresses security requirements using the WS-Policy framework. For example,
consider a Web service that requires all inbound requests to contain a WS-Security header that contains
a UsernameToken element. This requirement cannot be described in the WSDL. If a consumer were to
inspect the WSDL, they would have no way of knowing the security requirements imposed on the Web
service. This information would have to be conveyed either in embedded comments, or in person-toperson correspondence (documentation, phone, e-mail, etc.). WS-SecurityPolicy provides a way of
expressing these requirements.
WS-SecurityPolicy is not restricted to only service requests; it can also describe constraints and
requirements for responses. For example, WS-SecurityPolicy can dictate that all responses are digitally
signed or encrypted.
6.6.1
There are two ways of enforcing WS-SecurityPolicy on a Web service. The first and most obvious way
would be to modify the WSDL to include the WS-SecurityPolicy assertions. In this way, the policy
becomes one and the same with the WSDL. This is referred to as an embedded policy.
There may be times when the WSDL cannot be modified, or a single policy should be applied to many
services (or operations within a service). In this situation, a separate WS-SecurityPolicy document can
be attached to an existing WSDL.
6.6.2
an attempt will be made to satisfy them. If the policy requirements cannot be satisfied, the
message will be rejected.
For requests, all policy requirements must be met; No attempt to satisfy them will be
made. For example, if the policy states that inbound messages must contain a
WS-Security UsernameToken element, and the request does not contain it, the
request will be rejected.
For responses, an attempt will be made to satisfy the requirements if the backend
server did not. For example, if the policy states that all responses must be digitally
signed, but the server returned a response that is not signed, a signature will be
added to the response before it is returned to the client.
Filter mode the policy will be enforced. If the policy requirements arent satisfied, the
not meet the policy requirements, the entire transaction will be rejected.
Page 89
IBM Software
Earlier in this lab, you configured a WS Proxy service to obtain the E6BService WSDL from the service
registry (WebSphere Service Registry and Repository). A WS-Policy attachment has also been uploaded
into WebSphere Service Registry and Repository and attached to the E6BService WSDL. You can see
the attached policy by fetching the WSDL from your DataPower E6BServiceProxy (not the original
demoserver E6BService, as it does not have any policy attached to it).
__50.
Open a new browser window and navigate to the following URL (insert your student number):
http://datapower:445nn/E6BService/E6BService?WSDL
The services WSDL should be displayed in the browser window. Scroll towards the end of the
WSDL (or use the browsers find function) and locate the <wsp:Policy> element. The WSDL
is being returned from the WS Proxy service, not the actual service on demoserver. The
E6BServiceProxy fetched the WSDL and the Policy and combined them together. You can verify
this by retrieving the WSDL directly from the service and comparing it to the one generated by
the E6BServiceProxy (see step 1 of this lab).
6.6.3
UsernameToken Policy
The CalculateHeadCrossWinds operation has the WS-SecurityPolicy attached to it. The policy specifies
that requests must include either a version 1.0 or a version 1.1 UsernameToken element in the
WS-Security header. The policy looks similar to the following listing:
Page 90
IBM Software
In the soapUI E6BService project, locate CalculateHeadCrossWind, then double click the
request labeled: Request
__52.
Make sure the request has valid parameters: WindSpeed is 15, WindDirection is 45, and
RunwayNumber is 1.
__53.
__54.
Click the green submit arrow to submit the request. The request should FAIL because it
does not have a WS-Security UsernameToken as required by the WS-SecurityPolicy. The fault
string should read: Rejected by policy. (from client)
doesnt actually authenticate the user. To authenticate the request, youll add the
previously created AAA policy to the WS-Proxy object so that it will authenticate the user
credentials found in the UsernameToken.
The backend service is not expecting a UsernameToken and will thus complain about it.
Youll add a transform step that will strip the UserName token from the request before
forwarding it to the backend service.
Page 91
IBM Software
6.6.4
__55.
The Policy page allows you to define custom rules that are applied at various levels in the service. For
example, you can create a rule that will apply to all operations in the WSDL, or you can create a rule
specific to just one operation. Rules are created exactly the same way as you did in the previous labs.
__56.
Page 92
In the WSDL Policy Tree Representation section, expand all of the nodes until all port operations
are visible (see below).
IBM Software
__57.
Locate the CalculateHeadCrossWind operation and then click the Processing Rules button.
__58.
Specify that this rule should only be executed on inbound requests (client to server).
__a. Click on the New Rule button to create a new rule for this policy.
__b. In the Rule Direction dropdown, select: Client to Server
__59.
__60.
Double click the yellow outlined AAA action to complete its configuration.
__61.
In the AAA Policy dropdown, select the previously created AAA policy: MyAaaPolicy
__62.
Page 93
IBM Software
6.6.5
In the following steps, youll add a transform action that will strip the WS-Security Header so that the
backend server wont complain about it.
WebSphere DataPower appliances come with a library of pre-built XSL stylesheets that perform a variety
of common functions. One of the stylesheets will strip the WS-Security header from a message.
__63.
__64.
Double click the yellow outlined transform action to complete the configuration.
__65.
__66.
__67.
At the top of the page, click the Apply button to make these changes active.
__68.
Page 94
IBM Software
__69.
__b. Click the green submit button again. This time the request should fail. If youre interested to
see the details of why the request failed, you can look at the transaction probe.
6.7
The service level monitoring facility provides a policy-driven approach to governing web service traffic. At
its simplest level, it allows you to configure thresholds that dictate how many transactions should be
allowed to flow through a service, as well as what action to take should those thresholds be exceeded.
More complex SLM policies can also be defined which have the ability to base activity thresholds on
parameters such as client IP, user identity, and user defined message details to name just a few.
When a threshold is exceeded, the SLM policy can be configured to take one of three actions:
Throttle the request will be rejected.
Shape the request will be queued until the next timeframe window begins. For example,
if the policy says 10 requests per 30 seconds and 11 requests arrive within the first two
seconds, the 11th request will be queued until the next 30 second timeframe begins. Then
it will be processed and forwarded to the final endpoint.
Notify a message will be logged indicating that the threshold was exceeded.
In the following steps, youll configure the CalculateFlightLeg operation to only allow 2 requests per 10
second interval, and throttle any requests that exceed the threshold.
Page 95
IBM Software
__70.
__71.
In the Auto Generated SLM Statements section, expand each level of the tree by clicking the
buttons until the port operations are exposed.
__72.
In the CalculateFlightLeg operation section, click on the Request link, and specify the following
SLM parameters:
__a. Interval: 10
__b. Limit: 2
__c. Action: throttle
__d. Click the Apply button to save the SLM request properties.
__73.
Click the Apply button at the top of the page to apply these changes to the E6BServiceProxy.
__74.
In the soapUI program window, close any open windows and expand the CalculateFlightLeg
operation and then double click Request.
__75.
Page 96
IBM Software
__76.
Make sure the parameters are valid. You can use the following if they are not automatically filled
in for you:
__77.
Now submit several requests to the web service by clicking the green submit button several
times. Starting with around the 3rd request, you should get a SOAP fault indicating that the
request was rejected by policy. Continue to try submitting requests. Eventually, the 10 second
time window will elapse and requests will be permitted again.
Page 97
IBM Software
6.8
Summary
In this lab, you had a brief introduction to the Web Service Proxy (WSP) and how it can be configured to
protect your web services. You saw how the WSP is self-configuring simply by providing a WSDL, either
through uploading or subscription to a WSDL repository such as UDDI or WebSphere Service Registry
and Repository.
You also learned how a WS Proxy service can understand and enforce WS-Policy, a specification that
helps Web service consumers understand the required policy governing the services usage. Both WSDL
and policy documents can be uploaded into WebSphere Service Registry and Repository and
automatically retrieved by a WS Proxy service through a self-updating subscription.
Finally you saw how WebSphere DataPower appliances can enforce service usage levels through its
SLM facility. Though only a simple SLM policy was demonstrated that limited the request rate, complex
SLM policies can also be defined that consider nearly any aspect of a request when determining whether
or not the request should be processed or rejected.
Page 98
IBM Software
Lab 7
XACML, which is short for Extensible Access Control Markup Language, is an OASIS standard that
describes both a policy language and an access control decision request/response language, both which
are encoded using XML.
The policy language is used to describe general access control requirements, and has
standard extension points for defining new functions, data types, combining logic, etc.
The request/response language lets you form a query to ask whether or not a given action
should be allowed. The response always includes an answer about whether the request
should be allowed using one of four values: Permit, Deny, Indeterminate (an error
occurred or some required value was missing, so a decision cannot be made) or Not
Applicable (the request can't be answered by this service).
XACML employs two primary components to carry out authorization requests:
Policy Enforcement Point (PEP), which acts as the gatekeeper and is responsible for
extracting the various bits of information from the inbound request and creating a XACML
authorization request document. The authorization request document contains the subject
(user ID, etc.), the resource (requested URL, SOAP action, etc.) and the action (execute,
read, etc.). The authorization request document is then sent to a policy decision point
which makes the permit or deny decision.
Policy Decision Point (PDP), which acts as the decision maker and contains the enterprise
security policies that govern access to the resource in question. When the XACML
request document arrives, it extracts the subject, resource, and action and determines
whether the user has the necessary privileges. The response is returned in a XACML
authorization response document.
Page 99
IBM Software
There are many existing proprietary and application-specific languages for doing this kind of thing but
XACML has several points in its favor:
It's standard. By using a standard language, you're using something that has been
reviewed by a large community of experts and users, you don't need to roll your own
system each time, and you don't need to think about all the tricky issues involved in
designing a new language. Plus, as XACML becomes more widely deployed, it will be
easier to interoperate with other applications using the same standard language.
It's generic. This means that rather than trying to provide access control for a particular
environment or a specific kind of resource, it can be used in any environment. One policy
can be written which can then be used by many different kinds of applications, and when
one common language is used, policy management becomes much easier.
It's distributed. This means that a policy can be written which in turn refers to other
policies kept in arbitrary locations. The result is that rather than having to manage a single
monolithic policy, different people or groups can manage separate sub-policies as
appropriate, and XACML knows how to correctly combine the results from these different
policies into one decision.
It's powerful. While there are many ways the base language can be extended, many
environments will not need to do so. The standard language already supports a wide
variety of data types, functions, and rules about combining the results of different policies.
In addition to this, there are already standards groups working on extensions and profiles
that will hook XACML into other standards like SAML and LDAP, which will increase the
number of ways that XACML can be used.
7.1
The XACML policy document describes a security policy and is comprised of a collection of rules, which
either result in a permit or deny decision. Within each rule are targets that contain four sections:
subjects, resources, actions, and conditions. These sections match closely with the details found in a
XACML authorization request. When the authorization request arrives, the subject, resource, and action
are extracted and then looked up within the policy. If the subject is found within the subjects, and the
resource is found within the resource, and the action is found in the actions, and any additional
conditions are met, then the rule will return either permit or deny as specified in the rules effect attribute.
XACML policy documents are not usually coded manually; rather a product such as Tivoli Security Policy
Manager or some other XACML-enabled policy manager will generate the XACML policy document.
Page 100
IBM Software
7.2
When a request arrives at the policy enforcement point, the PEP will create a XACML authorization
request document and send it to the policy decision point (PDP).
The XACML authorization request document contains the subject, resource, and action to be evaluated
by the PDP. The following XACML authorization request is for a subject named david, a resource
named product-info, and an action of execute.
<Request>
<Subject>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>david</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>product-info</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>execute</AttributeValue>
</Attribute>
</Action>
<Environment/>
</Request>
Page 101
IBM Software
7.3
WebSphere DataPower has the ability to act as both the policy enforcement point and the policy decision
point. As a policy enforcement point, an AAA action is used to extract the credentials and resource
information from a request and create a XACML authorization request document. The AAA policy will
then send that authorization request document to a XACML policy decision point.
In the following diagram, WebSphere DataPower receives requests from a client, extracts the credential
and resource details, then creates and sends a XACML AuthZ request document to the PDP. The PDP
responds with a XACML AuthZ response document. WebSphere DataPower interprets the response and
either allows or denies the request accordingly.
Since WebSphere DataPower supports XACML policy documents, it can act as a PDP as well. The
following diagram shows how WebSphere DataPower can act as a PDP for many XACML PEPs. When
WebSphere DataPower receives an XACML AuthZ request, it makes the decision based on a cached
XACML policy document and responds accordingly.
= XACML AuthZ Req/Rsp
PEP
PEP
PEP
PEP
XACML Policy
Document (cached)
Page 102
Policy Server
IBM Software
WebSphere DataPower can also act as both a PEP and a PDP. In the following diagram, WebSphere
DataPower fetches and caches the XACML policy document from the policy server. When requests
arrive, WebSphere DataPower can make the allow/deny decision independently without additional
communications.
7.4
The process begins with an AAA policy. As youve seen in previous labs, the AAA policy allows you to
specify exactly how to extract the subject and resource from an inbound request. Once the subject and
resource have been identified, DataPower will create a XACML authorization request document (using
XSLT). That request will be sent to the designated PDP (that youll be creating). This is a simple process
that only requires uploading the XACML policy file.
First, create the Policy Decision Point.
__1.
__2.
__3.
In the Configure XACML Policy Decision Point page, click the Add button.
__4.
__5.
__6.
Now youll modify the MyAaaPolicy to add authorization using XACML. Your AAA policy will be
configured as follows:
Extract user identity and password from a WS-Security UsernameToken.
Page 103
IBM Software
Authenticate the identity by attempting to bind to an LDAP with the extracted credentials.
Determine the resource by looking at the name of the request element (this is essentially
any authorization.
__7.
__8.
__9.
__10.
__ii.
The xacml-request-binding.xsl stylesheet will generate the XACML Authorization Request document that
will be sent to the PDP. The stylesheet takes the subject and resource that were extracted in the
previous AAA steps, and inserts them into the appropriate parts of the authorization request document.
__11.
Youre just about ready to test the service. Lets flush the probe of any previous transactions so that the
following requests will be easy to see.
__12.
Click on the Control Panel link to show the main DataPower control panel.
__13.
On the 2nd row of icons, locate the Troubleshooting icon and click it.
__14.
From the top row of tabs, click on the Debug Probe tab.
__15.
In the Web Service Proxy section, locate E6BServiceProxy and then click on the magnifying
glass to show the probe.
__16.
Click the Flush button to clear out the old transactions. Leave the probe window open so that
you can easily find it.
Page 104
IBM Software
__17.
In soapUI, expand the CalculateHeadCrossWind operation. You should see four pre-populated
requests with names such as Request_David, Request_Sarah, etc. For your convenience, the
username and password have already been specified in these requests.
password of foobar.
The XACML policy document grants execute access to david and sarah for operations
Open Request_David and submit it by clicking the green submit button. The request should
succeed.
__19.
In the DataPower probe window, click the Refresh button. You should see a transaction.
__20.
The window shows the contents of the request as it was sent from soapUI. Notice that it contains the
WS-Security UsernameToken.
__21.
Click on the AAA icon to show the details of the AAA action.
Page 105
IBM Software
In the Extension Trace list, there should be three events that occurred:
Ldap-authen this is where the AAA policy contacted the LDAP server to authenticate the
user.
Transform this is where the AAA policy executed the XSL that you uploaded in order to
__22.
On the MyXacmlPDP row, under the request heading, click (show nodeset). You will see the
completed XACML authorization request document that contains the extracted user, resource,
and action. This is the authorization request that will be sent to the XACML PDP (MyXacmlPDP).
__23.
On the same row, click (show nodeset) under the response heading. This shows the response
that was received from the PDP. In this case, it should say Permit.
__24.
__25.
In the soapUI window, close any open requests and open Request_Ariel and submit it.
The requests for Ariel should fail. Once again, you can use the probe to inspect the transaction and see
the XACML authorization request and the response. This time, the response should say Deny.
__26.
Click the Save Config link to save all of the changes youve made during this lab exercise.
Page 106
IBM Software
7.5
Summary
In this lab exercise, you learned that XACML itself is not a policy server; rather its a standard way of
describing security policies using XML. You learned that a policy enforcement point acts as the
gatekeeper for requests, and that the policy decision point acts as the decision maker as to whether the
request is authorized or not. The PEP will contact the PDP using a predefined XML message that is
described in the XACML specification.
Components that understand XACML are theoretically plug-and-play with each other. A policy
enforcement point is indifferent as to the vendor of the PDP (and visa versa). If a policy server has the
ability to export its policy as XACML, it can be imported into a DataPower PDP object, and DataPower
can act as a PDP without any additional configuration. Tivoli Security Policy Manager (TSPM) is one
such product that can be used to author XACML policies.
You saw that DataPowers AAA policy acts as the PEP and creates the authorization request by
extracting the subject and resource from the inbound request, then passing them to a stylesheet that
creates the authorization request document.
Finally, using the probe, you saw how the various steps were executed.
Page 107
IBM Software
Page 108
IBM Software
Lab 8
Page 109
IBM Software
An XML Firewall acts as the outbound federation point for the consumer. It first
authenticates the client by extracting the credentials from the UsernameToken, and then
authenticates them against an LDAP server. If this succeeds, the AAA policy will generate
a signed SAML assertion and forward the message to its intended service endpoint (the
WS-Proxy E6BService that you created in lab 4).
The message is received by the WS-Proxy which looks for the signed SAML assertion. If it
does not find it, it rejects the request. If it is found, and the signature is valid, then it will
allow the request to pass through to the actual E6BService.
The goal of this lab is for you to see that DataPower can act on behalf of the consumer by generating a
SAML authentication assertion, as well as on behalf of the service provider by accepting the signed
SAML assertion as an acceptable form of identity.
8.1.1
The consumer is responsible for authenticating the request before it is sent to the service provider. In this
section, youll create an AAA policy that will extract the user identity from the requests WS-Security
header, and then authenticate the user using an LDAP. If the authentication is successful, the policy will
inject a SAML authentication assertion into the SOAP header and then digitally sign it.
__1.
In the navigation search box, type aaa and from the search results, select: AAA Policy
__2.
__3.
__4.
In the SAML Message Signing Key field, click the plus (+) sign to create a new Crypto Key.
__5.
__6.
In the SAML Message Signing Certificate field, click the (+) sign to create a new Crypto
Certificate.
__a. For the name, type: ConsumerCert
__b. In the File Name, select consumer-sscert.pem from the dropdown list.
__c. Click the Apply button.
__7.
Towards the bottom of the page, locate LDAP Version and select: v3
__8.
Select the Extract Identity tab and from the Methods list, select: Password-carrying
UsernameToken Element from WS-Security Header
Page 110
IBM Software
__9.
__10.
Select the Extract Resource tab and choose: Local Name of Request Element
__11.
__12.
8.1.2
For this step, youll create an XML Firewall service that will authenticate requests using ConsumerAAA
policy that you just created. SoapUI will send its outbound request to the E6BConsumer outbound
gateway, which will authenticate the username and password, then add a SAML assertion before
forwarding the request to the E6BService.
__13.
__14.
Click on the XML Firewall service icon to start the creation process.
__15.
__16.
Page 111
IBM Software
__17.
In the XML Firewall Processing Policy field, click the plus (+) button to create a new policy.
__18.
__19.
Click the New Rule button to create a new rule for this policy.
__20.
__21.
Double click the yellow outlined match action to open its configuration page.
__22.
In the Matching Rule dropdown, select: MatchAnyURI and then click the Done button.
__23.
__24.
Double click the yellow outlined AAA action to open its configuration page.
__25.
In the AAA Policy dropdown, select ConsumerAAA and then click the Done button.
__26.
__27.
__28.
Page 112
IBM Software
8.1.3
Now youll need to create an AAA policy for the service provider (E6BService). This AAA policy will be
configured to extract the users identity from the SAML authentication assertion and consider it to be
valid if the digital signature is valid. If there is no SAML authentication assertion, or the digital signature
verification fails, then the request will be rejected.
__29.
In the navigation search box, type aaa and from the search results, select: AAA Policy
__30.
__31.
In the next steps, youll create a new validation credential that will contain certificates for the trusted
partners. Youll add the consumer crypto certificate you created earlier in this lab exercise.
__32.
For the SAML Signature Validation Credentials, click the plus (+) sign to create a new validation
credential.
__a. For the Name, type: E6BSvcConsumers
__b. In the Certificates field, in the dropdown list select: ConsumerCert, then click the Add
button to add the certificate to the list.
__c. Click the Apply button.
__33.
Select the Extract Identity tab, then for the Method, select: Name from SAML Authentication
Assertion
__34.
Select the Authenticate tab and from the Method dropdown, select Accept a SAML Assertion
with a Valid Signature.
__35.
Select the Extract Resource tab and choose: Local Name of Request Element
__36.
The final step is to add the new AAA policy to the existing E6BServiceProxy.
__37.
Click on the Control Panel link to display the main DataPower Control Panel.
__38.
__39.
Click on E6BServiceProxy.
__40.
In an earlier lab you added an AAA action to the CalculateHeadCrossWind operation. This time, youll
add the AAA action to the services default request rule.
Page 113
IBM Software
The default request rule is executed for all operations except those that explicitly override it. Since you
previously created a request rule for CalculateHeadCrossWind, the default request rule will not apply to
that operation. The default request rule will apply to the remaining operations, CalculateFlightLeg and
CalculateCloudBase.
__41.
At the top of the WSDL policy tree, click on the Processing Rules button.
__42.
__43.
Double Click the yellow outlined AAA action to open its configuration page.
__44.
In the AAA Policy field, select E6BSamlAaa and then click the Done button.
__45.
8.1.4
Now youll submit several requests to the E6BService to show that the SAML-based federation is
working.
First, youll verify that you can no longer execute the CalculateCloudBase or CalculateFlightLeg
operation without a SAML assertion. To do this, youll have SoapUI go directly to the E6BServiceProxy
without going through the E6BConsumer you just created.
__46.
__47.
__48.
Page 114
IBM Software
__49.
Click the green submit button to execute the request. It should fail with a SOAP fault: Rejected
by Policy. It is failing because the policy now requires a signed SAML assertion and there isnt
one.
__50.
You can verify the same will occur with the CalculateFlightLeg operation.
Now youll post a message to the E6BConsumer you created. It will act as the outbound gateway from
the consumer (soapUI) by authenticating the user and then adding the SAML authentication assertion.
__51.
In the dropdown endpoint, select the URL that represents the E6BConsumer that is listening on
port 555nn. Edit the URL so that the port correctly shows your student number.
__52.
Click the green submit button to post the request. The request should fail since the
E6BConsumer AAA policy is expecting to extract the username and password from a WSSecurity UsernameToken.
Finally, submit the request with the username and password. The request will pass authentication in the
E6BConsumer gateway, which will then create a signed SAML assertion and forward the request to the
remote E6BServiceProxy thats protecting the real web service. The E6BServiceProxy will consume the
signed SAML assertion and permit the request to go through.
__53.
In SoapUI, under the CalculateCloudBase operation, double click Request_David. This request
has been prepopulated with a username and password for your convenience.
__54.
Click the green submit button. This time, the request should succeed.
from a SAML assertion. If it cannot find the assertion, it will reject the message. If it finds
the assertion, it will attempt to verify the digital signature over the SAML assertion. If the
digital signature is good, the message will be accepted and forwarded to the real
E6BService running on the application server. If digital signature verification fails, the
message will be rejected.
The application server will process the request and then return the response to the
E6BServiceProxy.
The E6BServiceProxy schema validates the response and then forwards the response
Page 115
IBM Software
You can see all these steps in action using the probe. The probe should still be enabled for the
E6BServiceProxy.
__55.
8.2
Summary
In this lab, you saw how WebSphere DataPower can participate in a federation using SAML by creating a
mock environment for SAML-based federation. You created an XML Firewall with an AAA policy that
authenticates the user against an LDAP and then generates a signed SAML assertion. Then you created
a new AAA policy that looks for a signed SAML authentication assertion and added it to the existing
E6BServiceProxy.
Page 116
IBM Software
Lab 9
Representational State Transfer (REST) is an important Web 2.0 technology that has become a popular
alternative to other Web-based services, such as SOAP-based Web services and Enterprise JavaBeans
(EJB). Many Internet-facing companies provide REST-based services; a common scenario is to expose
a RESTful interface in front of an existing legacy system or peer system (SOAPful services). This lab
briefly explains what it means to be "RESTful," and then provides a comprehensive example of how to
use an WebSphere DataPower appliance to expose a RESTful facade (with JSON as the
representational format) to bridge an existing SOAPful Web service.
Web 2.0 includes a proliferation of new technologies; some of them brand new and others old but newly
invigorated as they are applied to Web 2.0. There is a growing demand to use these new protocols and
technologies to interact with existing enterprise systems. DataPower is uniquely positioned to bridge
Web 2.0 and SOA. DataPower can service Web 2.0 requests, such as an ATOM feed message or a
REST invocation, and bridge to enterprise protocols, such as Web services, JMS, or even mainframe
connectivity (for example, with IMS Connect). The case this lab addresses is that of bridging REST client
requests, which use JSON as the representational format, to a traditional SOAPful Web service back-end
system.
9.1
REST overview
REST is a term coined by Roy Fielding in his Ph.D dissertation, and it denotes an architectural style for
Web services and applications that manipulate media content. It can be considered a set of best
practices for using the HTTP specification (RFC 2616) as an application layer protocol. There are no
standards or APIs, and the primary ingredients are found in all HTTP-based Web applications and
services. A good analogy for REST is "object-oriented" Web programming in which the resource
specified by the URI is the object, the method is specified by the HTTP verb, and the parameters are
specified by the HTTP headers, such as Accept or the URI query. Finally, the HTTP response code is the
return code. For example, the following RESTful HTTP request results in the HTTP 201 (created)
response code:
Page 117
IBM Software
A Web service provider (and consumer for that matter) will pay close attention to the following RESTful
precepts:
Named resources - Computation is over Web resources that are named through URIs.
A resource is anything important enough to be referenced as a thing in itself, such as
Uniform interface - Web resources are accessed through a generic interface that mimics the CRUD
persistent storage pattern:
GET -- Retrieve a resource representation.
POST -- Create a new resource.
PUT -- Modify or create a new resource.
DELETE -- Remove an existing resource.
HEAD -- Retrieve metadata-only representation.
Interconnected resource representations - URL links interconnect resources, thereby driving all state
transfers.
Representations are hypermedia (consider the duality of XHTML and micro-formats).
A web of resources.
Axiom: "Hypermedia as the engine of application state" -- Roy Fielding.
Application state is therefore the pathway the client follows, not an HTTP session on a
server.
Cookies break the REST model of state transfer.
Stateless - Each request stands on its own without correlation to the server-side state.
States of a server are represented by URI addressable resources.
Every HTTP request happens in complete isolation, and is not dependent on previous
requests.
Client moves through states by navigating representational formats (URIs) or going to
known waypoints.
Consider the FTP "working directory" as an analogy.
Easy to distribute a stateless application across load-balanced services.
Client is in charge of managing "application state," while server manages "resource state."
The result of applying RESTful precepts is not only the simplicity and consistency of developing and
invoking Web services, but also an advantage in service performance. When RESTful services are
deployed, they can naturally participate in the HTTP caching mechanism. Therefore caching
intermediaries or response caches can leverage the additional information supplied not only by the HTTP
method, but also by the cache control headers (including the last-modified header) rendered by the
RESTful service provider. Leveraging caching in this way can dramatically improve response time. In
addition, the stateless nature of RESTful service not only makes horizontal scaling trivial, but also eases
Page 118
IBM Software
the burden on load balancers (no session affinity is necessary), and allows application-aware caching
intermediaries to execute more efficiently because the payload often does not have to be processed or
parsed.
9.2
The following figure shows an overview of WebSphere DataPower exposing a REST facade against a
SOAPful Web service as the back end. The representational format (media type) used by the REST
facade is JSON. The multi-protocol gateway accepts RESTful method requests (GET, PUT, POST,
DELETE) from the service consumer and then transforms the requests to corresponding SOAP requests,
which are sent to the WS-Proxy. The WS-Proxy is optional; the SOAP requests could be sent directly to
the back end, but this practice is strongly discouraged because the configuration might require
monitoring or security in the future. Thus, a best practice is to include a WS-Proxy as part of a REST
transformation configuration. To save time, you wont be configuring the WS-Proxy.
Topology of a RESTful client passing JSON to DataPower, which mediates a SOAPful Web Service
Page 119
IBM Software
9.3
The remainder of this lab uses a common example to show how DataPower can expose a RESTful Web
service interface, enabled for JSON, for a SOAPful Web service backend. The sample ProjectService
Web service is a simple project organizer with which projects can be created, edited, and queried. The
operations available for ProjectService are shown below:
Operation
Description
createProject
updateProject
getProject
Fetches name and description of a project. The identifier of the project must be
provided in the request.
listProject
deleteProject
Removes a project from the server. The identifier of the project must be
provided in the request.
9.4
In this section, youll use soapUI to send a SOAP transaction to the actual ProjectService to verify that it
is up and running.
__1.
In soapUI, expand ProjectService SOAP, locate and double click Create Request to open a
request window.
__2.
__3.
Click the green submit button to POST the request to the ProjectService.
Page 120
IBM Software
__4.
Verify that the successFlag is true and the success message indicates that the project was
created. Also notice that an id was assigned to this project.
Now that youve verified that the service is accessible and operational, youre ready to configure a
Multi-Protocol Gateway that will mediate between REST/JSON and SOAP.
9.5
Since you already have experience (from earlier labs) in creating and configuring a Multi-Protocol
Gateway service, youll import a pre-built configuration for this lab. That will save you plenty of dragging
and dropping since it requires a separate rule (with multiple actions) for each HTTP verb.
__5.
Click on the Control Panel link to display the DataPower control panel.
__6.
__7.
__8.
__9.
Click the Next button to start the import process. DataPower will read the configuration file and
then show you a summary of the configuration objects it will import.
__10.
At the bottom of the window, click the Import button to import the selected files.
__11.
After the import completes, a summary will be displayed. Click Done to continue.
9.5.1
__12.
From the DataPower control panel, click on the Multi-Protocol Gateway icon.
__13.
__14.
__15.
Click the Enable button to enable the probe, then click the Close button in the confirm dialog.
Leave the probe window open so you can easily access it later.
__16.
Back in the main browser, in the list of tabs across the top of the page, select the Advanced tab.
Page 121
IBM Software
On the Advanced tab, you should notice an option towards the bottom labeled "Process messages
whose body is empty" (see the following figure). This option is useful for message patterns that can
include bodiless requests and responses. This is common with RESTful Web services where messages
may or may not include a body, but still require the processing policy to run in order to perform
mediations. Unlike SOAPful Web services, which always have a payload (message body), RESTful Web
services often, but not always, have a message body, as with HTTP DELETE.
Since our RESTful facade will support HTTP DELETE and GET, you must configure the service to
support bodiless messages. If you don't select this option, DataPower defaults to a processing mode
called "One way exchange pattern," in which messages flow straight to the backside server, bypassing
any processing rules. You also have to configure the HTTP front side handler to accept the HTTP
methods that you plan on supporting in your policy. In addition, since you are dealing with JSON as the
representational format, the request and response payload types will be non-XML.
Multi-Protocol Gateway configuration, Advanced Tab
9.5.2
The ProjectService specifies /ProjectService/ProjectService as the service URI, while RESTful Web
services use URI's not as the service end-point but rather as the resource to apply the uniform interface.
Because of this dramatic difference in usage, a URL rewrite policy is associated with the multi-protocol
gateway, as shown in Figure 7-3 below. In this way, all incoming RESTful URI's are rewritten to the
single SOAP service URI.
__17.
__18.
In the General Configuration section, locate the URL Rewrite Policy dropdown and then click the
ellipsis () button.
Page 122
IBM Software
__19.
In the Configure Rewrite Policy page, click on the URL Rewrite Rule tab.
You can see the various parameters included in a URL rewrite rule. A single URL Rewrite Policy
can contain multiple rules, so it is possible to share a single policy amongst various services.
__20.
9.5.3
When building a RESTful service, it is a best practice to set up processing rules for each HTTP method.
This is because the REST uniform interface may be applied to each RESTful URI but require different
processing behavior, such as HTTP DELETE on /library/book/12345679001 and HTTP GET on
/library/book/12345679001.
Page 123
IBM Software
The Multi-Protocol Gateway matches on HTTP methods by creating a Match Action with a Match Rule
that specifies a Matching Type of "HTTP Method" for each REST verb supported by the service. This
matching rule can be combined with any other match criteria to create personalized processing rules
based on URI and/or HTTP headers.
__21.
In the General Configuration section, in the Multi-Protocol Gateway Policy field, click on the
ellipsis () to open the policy editor.
__22.
Enlarge the policy editor so that you can see all of the defined rules (see below).
Notice that there is a Client to Server (request) and Server to Client (response) rule for each of the
four HTTP verbs.
Page 124
IBM Software
The first action in each rule is the Match action. The Match action contains some criteria that, if met, will
cause the rest of the rule to execute. Match actions are executed from top to bottom, and once a match
actions criteria is met; no additional match actions are tested.
__23.
In the list of Configured Rule, hover the mouse over the match action
rule (POST) to see the match criteria.
Notice that the Type is method (short for HTTP method), and the Method is POST. In other
words, if the request arrives and has an HTTP method of POST, the match criteria will be met,
the remaining actions in the rule will be executed, and no further match testing will occur. If the
request has a different method, such as DELETE, this matchs criteria will not be met; the next
match action will then be evaluated.
__24.
Hover the mouse over the various match actions to see how they are defined.
The next sections describe the implementation of the REST Multi-Protocol Gateway policy. They can be
used as an exercise in DataPower REST development, as a working configuration to use as a starting
point for other REST projects, or simply as a gauge for what transformation from REST/JSON to SOAP
looks like with DataPower.
9.5.4
The POST processing rule corresponds to the createProject operation for the SOAP API.
Request payload
Page 125
IBM Software
Request Actions
1. Convert-http action: The http-convert action specifies JSON as the message encoding which automatically
parses and transforms the message payload into JSONx, an IBM internal standard for representing JSON as
XML. Once the JSON is transformed into JSONx, the usual DataPower transformation capabilities are
available to further process the message as XML. For the JSON request payload, the resulting JSONx is
shown below:
<json:object xsi:schemaLocation="http://www.d... {omitted} ...2009/jsonx">
<json:string name="description">Research of ancient cultures</json:string>
<json:string name="owner">Alice</json:string>
</json:object>
2. Transform action: Uses a custom stylesheet to transform the JSONx to an equivalent SOAP message. To
view the entire XSL, use the DataPower File Manager to view local:///createProjJSONx2SOAP.xsl.
<xsl:template match="/">
<soapenv:Envelope xmlns:soapenv="htt... {omitted} ...tapower.ibm.com/ProjectService/">
<soapenv:Body>
<tns:createProjectRequest>
<tns:newProject>
<tns:name>
<xsl:value-of select="/json:object/json:string[@name='description']" />
</tns:name>
<tns:owner>
<xsl:value-of select="/json:object/json:string[@name='owner']" />
</tns:owner>
</tns:newProject>
</tns:createProjectRequest>
</soapenv:Body>
</soapenv:Envelope>
</xsl:template>
3. Setvar action: This action sets the SOAPAction header before the message is sent to the actual
ProjectService.
Page 126
IBM Software
Response Actions
1. Transform action: Uses a custom stylesheet to select the ID from the SOAP response and sets the location
HTTP header with the URL for the newly created resource.
<xsl:template match="/">
<xsl:variable name="quote">'</xsl:variable>
<xsl:variable name="message" select="//*[local-name()='successMessage']/text()" />
<xsl:variable name="id_begin" select="substring-after($message, $quote)" />
<xsl:variable name="id" select="substring-before($id_begin,$quote)" />
<dp:set-http-response-header name="'Location'" value="concat('/projects/',$id)" />
</xsl:template>
In soapUI, collapse the ProjectService SOAP project and expand ProjectService REST to reveal
the Create Project request.
__26.
In the Request tab, carefully change the value of the owner to your name. Feel free to change
the description as well, but be careful to maintain the JSON syntax.
__27.
Update the soapUI URL to include the correct port [446nn] based on your student number.
__28.
Click the green submit button to POST the JSON body to the RESTful faade to the
ProjectService.
Page 127
IBM Software
__29.
The soapUI response tab should become active, but if its not, click on the Response tab.
__30.
In the response tab, click on the side tab labeled Raw to show the actual response from the
REST faade.
Notice the Location header has been properly set to the URL of the project you just added.
__31.
Bring the probe window back to the front so you can inspect the transaction.
__32.
__33.
From the list of transaction, click on the small [+] to show the request and response.
__34.
__35.
action.
The original JSON payload was successfully transformed into JSONx and is now represented
using XML. Now that the message is in XML, it can be manipulated using XSLT to generate a
true SOAP request.
__36.
__37.
__38.
Click on the Headers tab. Notice the SOAPAction header was created by the set variable action.
__39.
__40.
Back in the Probe Transaction List, click the magnifying glass in front of the response.
Page 128
IBM Software
__41.
The INPUT context should show the response that was received from the ProjectService
backend.
__42.
__43.
Make a note of the Location URI so you can use it later (the number is the important part).
__44.
__45.
In soapUI, create one or two more projects (keep your name as the owner).
Page 129
IBM Software
9.5.5
The GET processing rule corresponds to the getProject and listProject operations for the SOAP API. It
can either retrieve a single project or a list of projects.
Request payload
None
Response payload
JSON project:
1. Transform action: This transform generates a SOAP message based on the contents of the URI. If the URI
contains /projects/, it extracts the project id from the URI and generates a getProject request, otherwise it
generates a listProjects request.
2. Method rewrite: Converts the original GET into a POST.
Response Actions
1. Transform action: Uses a custom stylesheet convert the SOAP response into JSONx in preparation for the
next transform.
2. Transform action: Uses an IBM supplied stylesheet that converts JSONx into JSON.
Page 130
IBM Software
In soapUI, close any open windows, then open the Get Project request (see below).
__47.
Update the soapUI URL to include the correct port based on your student number.
__48.
In the Get Project request window, locate the projectId parameter and update it with the number
you saved from the createProject test.
__49.
Click the green submit button to GET the details about the project. Your response should look
similar to the one below.
Page 131
IBM Software
In soapUI, close any open windows, then open the List Project request (see below).
__51.
Update the soapUI URL to include the correct port based on your student number.
__52.
Click the green submit button to submit the GET request to the REST faade.
Page 132
IBM Software
9.5.6
The PUT processing rule corresponds to the updateProject operation for the SOAP API.
Request payload
JSON project object
1. Convert-HTTP action: This http-convert action specifies JSON as the message encoding, which
automatically parses and transforms it into JSONx, an IBM internal standard format for representing JSON as
XML. Once the JSON is transformed into JSONx, the usual DataPower transformation capabilities are
available to further process the message as XML if necessary.
2. Transform action: This stylesheet transforms the REST JSONx project payload to the equivalent SOAP
payload. The project ID, project description, and owner are copied from the JSONx REST request (see
local:///updateProjJSONx2SOAP.xsl).
3. Setvar action: This action sets the SOAPAction header before the message is sent to the ProjectService
Web service proxy.
4. Method rewrite: Prior to sending the SOAP message to the back end, you need to rewrite the HTTP method
from the originating PUT to HTTP POST.
Response Actions
1. Transform action: Once the SOAP response is retrieved from the back end, it needs to be transformed into a
RESTful response code, which is typically 204 (No Content) when a PUT is performed.
Page 133
IBM Software
In soapUI, close any open windows, then open the Update Project request.
__54.
Update the soapUI URL to include the correct port based on your student number.
__55.
In the Update Project request window, locate the projectId parameter and set it to the number
you saved from the createProject test.
__56.
Page 134
IBM Software
__57.
9.5.7
Click the green submit button to PUT the details about the project. Put does not return a payload,
thus the response will be empty, however it should return an HTTP response 204. You can verify
this by looking at the Raw tab in the soapUI response.
The DELETE processing rule corresponds to the removeProject operation for the SOAP API.
Request Payload
None
Response Payload
None
Request Actions
1. Transform action: This stylesheet constructs the SOAP payload to delete a project. It corresponds to the
deleteProject SOAP operation. The project ID is retrieved from the URL and then used to construct the SOAP
payload.
2. Setvar action: Sets the SOAPAction header to deleteProject as expected by ProjectService.
3. Method rewrite: Converts the original DELETE into a POST.
Response Actions
1. Transform action: Uses a custom XSLT to set the HTTP response code to 204 (No Content).
Page 135
IBM Software
In soapUI, close any open windows, then open the Delete Project request.
__59.
Update the soapUI URL to include the correct port based on your student number.
__60.
In the Delete Project request window, locate the projectId parameter and replace it with the
number you saved from the createProject test.
Page 136
IBM Software
__61.
Click the green submit button to DELETE the project. DELETE does not return a payload, thus
the response will be empty; however it should return an HTTP response 204. You can verify this
by looking at the Raw tab in the soapUI response.
__62.
Optionally, you can execute the listProject command again to see that the project is missing.
Because the whole class is using the same project store, the list may contain more than just your
projects.
Page 137
IBM Software
9.6
Conclusion
This lab showed how WebSphere DataPower fits in the Web 2.0 space, provided an overview of REST,
described the recommended patterns to use for exposing REST and JSON with WebSphere DataPower,
and included a comprehensive example with a DataPower domain export and the ProjectService Web
service back-end application. You should now have a good understanding of what REST is and how you
can develop REST services on WebSphere DataPower so you can configure your own Web 2.0
appliance.
Page 138
IBM Software
Lab 10
maps.
Page 139
IBM Software
In an asynchronous scenario, the MPGW receives the request over HTTP or WebSphere MQ, processes
it, and then PUTs the message onto the designated queue. No response processing will occur.
In the navigation search box, type queue and then from the search results, select MQ Queue
Manager. If multiple results with the same name exist, select any one of them.
__2.
Click the Add button to create a new queue manager connection object.
__3.
__4.
__5.
__6.
Page 140
IBM Software
In the navigation search box, type multi and then from the search results, select
New Multi-Protocol Gateway.
__8.
__9.
In the Backend URL field, click the MQHelper button and provide the following details.
__a. Queue Manager dropdown: MyMqManager
__b. RequestQueue: requests
__c. ReplieQueue: replies
__d. Click the Build URL button
__e. In the Front Side Protocol field, click the (+) button to create a new front side handler, and
then from the list of front side handler types, select: HTTP Front Side Handler
__10.
In the HTTP Front Side Handler form, make the following selections, replacing nn with your
student number.
__a. Name: HTTP_447nn
__b. Port Number: 447nn
__c. Click Apply
__11.
In the Multi-Protocol Gateway Policy field, click the (+) button to create a new policy.
__12.
__13.
__14.
__15.
Double click the yellow outlined match action to show its configuration page. From the Matching
Rule dropdown, select MatchAnyUri and then click the Done button.
__16.
Click the Apply Policy button to activate the changes to the policy.
__17.
Page 141
IBM Software
__18.
Click the Apply button to save these changes to the multi-protocol gateway service.
__19.
In soapUI, collapse any open projects. Expand the MQGatewayService project and open Simple
echo request.
__20.
__21.
Again, in the endpoint dropdown, select [edit current], then update the port number by
replacing the nn with your student number.
__22.
Feel free to update the Hello, world! message payload to any message, then click the green
submit button to POST the message to MqGatewaySvc. You should see your message echoed
back in the response. Choose the Raw tab to see the response without any XML formatting.
If youd like to see details about how the message travelled from HTTP to WebSphere MQ, you can use
the transaction probe or view the system logs.
Page 142
IBM Software
Page 143
IBM Software
The schema describes an XML document that looks like the following:
The output card was generated by importing a COBOL copybook (shown below).
Page 144
IBM Software
Once the input and output cards are defined, a map is created by dragging fields from the input card and
dropping them onto the output card. WebSphere Transformation Extender contains a large library of
functions, such as math and string manipulation, that can be used when creating the maps.
In the Multi-Protocol Gateway Policy field, click on the ellipsis () to open the policy editor.
__24.
Drag an Advanced action onto the rule after the match action
Page 145
IBM Software
__25.
Double click the yellow outlined Advanced action to open its configuration.
__26.
In the list of action types, scroll to the bottom and select: Transform Binary, then click Next.
__27.
__28.
__29.
__30.
__31.
Click the Apply button to save the changes to the multi-protocol gateway service.
__32.
In soapUI, close any open request windows and then open the WTX transform request. It will be
pre-populated with the XML content described earlier in this lab.
__33.
Update the soapUI URL to include the correct port number [447nn] based on your student
number.
__34.
Click the green submit button to POST the message to the MQGatewayService Gateway. You
should see your message echoed back in the response. Choose the Raw tab to see the
response without any XML formatting.
Page 146
IBM Software
10.6 Summary
In this lab, you learned:
WebSphere DataPower act as a WebSphere MQ Client.
WebSphere Transformation Extender Design Studio can be used to create binary
transformations (any to any). WTX uses input cards to define how the input is formatted,
output cards to define how the desired output should be formatted and mapping files to
define the relationship and mapping rules between the input and output cards.
WebSphere DataPower can execute maps built using WebSphere Transformation
Page 147
IBM Software
Page 148
IBM Software
Lab Environment
Isolated environment allows testing of major new firmware features without impacting
development efforts.
Development Environment
Very common practice to isolate development to a dedicated environment.
Single appliance for developer sandbox as well as project-specific configuration.
Testing Environment
Isolating the test environment from the development environment is a common best
practice.
Unique environments ease the burden of code migration.
Staging Environment
Staging environment allows testing pre-releases, or rolling new releases into production.
Often re-used as a performance test lab to determine peak supported throughput in a
production-like environment.
Production Environment
Appliances can be deployed in active/active (with a load balancer) or active/passive
(without).
Appliances can balance traffic to target servers, so a second load balancer is NOT
required.
Appendix A
Page 149
IBM Software
Disaster Recovery
Many organizations require full data center failover to a second fully equipped site.
Specific project risk profile will dictate this need.
Page 150
IBM Software
XML Denial of Service (xDoS) -- Slowing down or disabling a Web service so that valid service
requests are hampered or denied.
Data integrity/Confidentiality -- Attacks that strike at the data integrity of Web service
responses, requests, or underlying databases.
System compromise -- Corrupting the Web service itself or the servers that host it.
There are several types of attacks within these four broad classifications, which we will look at in a
minute. Also, be aware that these can be single-message or multiple-message attacks.
Appendix B
Page 151
IBM Software
Software-based application servers used to host Web services are generally quite vulnerable to these
attacks; they are often run with XML validation off for performance reasons, and may not be looking out
for most XML attack types. As we will see, once the XML hits the parser, it is too late. Worse, if your
system accepts native XML documents without the complexity of Web services or SOAP, it is even
easier to attack.
Jumbo payloads -- Sending a very large XML message to exhaust memory and CPU on the
target system.
Recursive elements -- XML messages that can be used to force recursive entity expansion (or
other repeated processing) to exhaust server resources. An example of this type of attack would
be the billion laughs attack that is widely available through the Internet.
MegaTags -- Otherwise valid XML messages containing excessively long element names, or an
excessive number of tags. This attack may also lead to buffer overruns.
Coercive parsing -- XML messages specially constructed to be difficult to parse to consume the
resources of the machine.
Public key DoS -- Utilizing the asymmetric nature of public key operations to force resource
exhaustion on the recipient by transmitting a message with a large number of long-key-length,
computationally expensive digital signatures.
XML flood -- Sending thousands of otherwise benign messages per second to tie up a Web
service. This attack can be combined with Replay attack to bypass authentication, and with
Single message XDoS to increase its impact.
Resource hijack -- Sending messages that lock or reserve resources on the target server as part
of a never-completed transaction.
Unauthorized access
Dictionary attack -- Guessing the password of a valid user using a brute force search through
dictionary words.
Falsified message -- Faking that a message is from a valid user, such as by using Man in the
Middle to gain a valid message, and then modifying it to send a different message.
Replay attack -- Re-sending a previously valid message for malicious effect, possibly where only
parts of the message (such as the security token) are replayed.
Page 152
IBM Software
Data integrity/Confidentiality
Message tampering -- Modifying parts of a request or response in-flight; most dangerous when
undetected (less commonly known as Message alteration).
Data tampering -- Exploiting weakness in the access control mechanism that permits the
attacker to make unauthorized calls to the Web service to alter data.
Message snooping -- A direct attack on data privacy by examining all or part of the content of a
message. This can happen to messages being transmitted in the clear, transmitted encrypted but
stored in the clear, or decryption of messages due to stolen key or cryptanalysis.
XPath/XSLT injection -- Injection of expressions into the application logic. Newer modifications
include Blind XPath injection, which reduces the knowledge required to mount the attack.
SQL injection -- Inserting SQL in XML to obtain additional data than what the service was
designed to return.
WSDL enumeration -- Examining the services listed in WSDL to guess and gain access to
unlisted services.
Message snooping -- Using SOAP routing header for access to internal Web services.
Systems compromise
Malicious include -- Causing a Web service to include invalid external data in output or return
privileged files from the server file system. For example, using embedded file: URLs to return
UNIX password files or other privileged data to the attacker.
Memory space breach -- Accomplished via stack overflow, buffer overrun, or heap error,
enables execution of arbitrary code supplied by the attacker with the permissions of the host
process.
XML encapsulation -- Embedding system command in the XML payload, such as through the
CDATA tag.
XML virus (X-Virus) -- Using SOAP with attachments or other attachment mechanisms to
transmit malicious executables, such as viruses or worms.
http://www.ibm.com/developerworks/websphere/techjournal/0603_col_hines/0603_col_hines.html
Appendix B
Page 153
IBM Software
Appendix C. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that
only that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can
send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property
Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES
CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some
states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this
statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part
of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Any performance data contained herein was determined in a controlled environment. Therefore, the
results obtained in other operating environments may vary significantly. Some measurements may have
Page 154
IBM Software
been made on development-level systems and there is no guarantee that these measurements will be
the same on generally available systems. Furthermore, some measurements may have been estimated
through extrapolation. Actual results may vary. Users of this document should verify the applicable data
for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental. All references to fictitious companies or individuals are
used for illustration purposes only.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs
in any form without payment to IBM, for the purposes of developing, using, marketing or distributing
application programs conforming to the application programming interface for the operating platform for
which the sample programs are written. These examples have not been thoroughly tested under all
conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs.
Appendix C
Page 155
IBM Software
AIX
CICS
ClearCase
ClearQuest
Cloudscape
Cube Views
DB2
developerWorks
DRDA
IMS
IMS/ESA
Informix
Lotus
Lotus Workflow
MQSeries
OmniFind
Rational
Redbooks
Red Brick
RequisitePro
System i
System z
Tivoli
WebSphere
Workplace
System p
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other
countries, or both and is used under license therefrom.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United
States, other countries, or both. See Java Guidelines
Microsoft, Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft
Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel
SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark and a registered community trademark of the Office of Government
Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications
Agency which is now part of the Office of Government Commerce.
Other company, product and service names may be trademarks or service marks of others.
Page 156
NOTES
NOTES