In my previous post I present an architectural design on a lock-box creation around IBM PureApplication System using DataPower and in detail the XI52 model. To WebSphere DataPower we can delegate the entire security component request in a web solution in terms of authentication, encryption, decryption, validation and HTTPs protocol:
The WebSphere DataPower lockbox pattern offer also the benefit to reduce the CPU consumption because these activities normally are execute inside the web server , or in any way inside our server, and as you know this is very high CPU consumption tasks.
WebSphere DataPower appliance implementation offer a solution totally safe;it is more safe than any other solution realized on an application server java technology; fast and cheap to implement for a huge set of wizard, based on a web security standard model to configure your lock-box pattern.
In detail WebSphere DataPower appliance provides an XML threat-reduction and security-enforcement layer for XML messages and Web services transactions, including encryption, filtering, digital signatures, schema validation, WS-Security, XML access control, XPath and detailed logging. The appliance includes easy-to-use XML Firewall, service-level management and access-control enforcement.
Do not forget the benefit that you take from this solution when you realize, manage and control the security pattern out of the java world:
- Reduce the reaction time
- Increase the flexibility
- Dramatically reduce cost and complexity
- Enable new business with unmatched performance
- Improve the security model with a enforcement centralization
But all these benefits is connected to how is the integrated DataPower XI52 appliance with the PureApplication System.
We can found many aspects in term of integration.
The PureApplication System is a Built-in Expertise system Integrated by design to Simplify Experience.
So this is the focus paradigm for PureExperience System. The reflection on this aspect is that there not any possibility to install DataPower appliance (and in the same way any other component) inside the PureApplication chassis. The PureApplication System is based on NGP technology also available in a building block offering but outside the Integration by design offered. The chassis is create in a standard way to maximize (and simplify the experience and “standard” model can not include any appliance.
The DataPower (or any other appliance) must be installed outside the PureApplication rack. The DataPower appliance come with 8 Vlan port and using Ethernet cable we can connect it with the PureApplication. We can consider the PureApplication a black box and DataPower installed outside and around it.
In alternative way the WebSphere DataPower Integration Appliance XI52 is also available on a “Virtual Edition”: it runs in VMware hypervisor environments and it is totally compliant with the PureApplication ecosystem. Powered by a purpose-built platform including an embedded, optimized DataPower Operating System, and it offered functionality similar to the corresponding physical appliance.My point of view is to use the “Virtual edition” for the pre-production environment to test e validate your lock-box.
The wired speed performance and capability and scalability offered by the Hardware appliance is the best for the production environment and it became one of main important non-functional requirement if you create on DataPower appliance a unique access point for your PureApplication ecosystem.But in term of functionality and secure benefit they are totally the same in both models. On the Hardware model we can discuss on the other faces on integration.
Administrative Console integration
The WebSphere console (start form the version 7) includes the administrative function to manage multiple DataPower appliances. This administrative function provides a comprehensive set of capabilities to manage the appliances in terms of to share the same configuration and firmware replicas. This level of software is available in PureApplication System. You can found more detail on this aspect here in this DeveloperWorks article.
The PureApplication System supports the cloud deployments models in term of self service delivery and dynamic provision of the workload. When a workload is created inside the PureAppliaction and when this workload depends of the DataPower, the DataPower needs to feel the workload. In other world the workload need to communicate with DataPower and DataPower need to change something inside. This dynamism and flexibility must be managed in some way and it has two different aspects.
- Security aspect: the DataPower delegates the Authorization, Authentication and Audit tasks to Identity a manager server. This server may be based on LDAP server. You can allocate this server inside the PureApplication System using the pattern available or in alternative you can create a virtual appliance with your own authorization validation strategy. When you have your security server inside PureApplication System throw any script configured inside the workload Virtual System pattern you can control the interaction with the workload. In this way you need to use the System Pattern instead the ApplicationPattern.
- Transactional aspect: the DataPower policies flexibility can be delegate to a server registry in a total compliant to the SOA architecture. The IBM WebSphere Service Registry and Repository is available as a PureApplication system pattern. In this way you can create the WSRR inside the PureApplication and control DataPower policy using the Service registry interface. So in the same way as Security aspect you can configure/modify the WSRR using a script inside the workload Virtual System pattern. The modification will reflect to a DataPower at runtime using the interface between DataPower and WSRR.
At any time that a system pattern will be deploy in a PureApplication System a set of scripts collaborate with the Security server and with the Service Registry server to propagate new configuration and the workload is able to activated his specific strategy and requirements on DataPower appliance.
In the picture the Red line shows the configuration interaction with WSRR and Security Registry. The blue one shows the service-level communication.