2. Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. Information
about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described
for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in
a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.
4. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
5. DataPower Gateways …
INTEGRATE Systems of Engagement with Systems of Record
CONTROL & MANAGE Traffic and Service Level Agreements
SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
OPTIMIZE Data Delivery and User Experiences
CONSOLIDATE & Simplify Infrastructure Footprint
IBM DataPower Gateways provide a low startup cost,
helping clients increase ROI and reduce TCO with
specialized, consumable, dedicated gateway appliances that
combine superior performance and hardened security in
physical and virtual form factors
6. IBM DataPower Gateway Appliances are the industry-leading
Security & Integration gateways that help provide security, integration, control
and optimized access to a full range of
Mobile, Web, API, SOA, B2B, & Cloud workloads
Common Use Cases
Internet Trusted Domain
Application or Service
DMZ
Consumer
Consumer
Trading partners
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 ESB / Integration Gateway
7 Internal Security Enforcement
8 Web Services Governance & Management
9 Legacy Integration
Middleware
z System
DataPower Gateway DataPower Gateway
7. Highlights of IBM DataPower Gateway & V7.1
Single multi-channel gateway platform to secure & optimize
delivery of mobile, API, web, SOA, B2B, cloud apps, and
integrate with IBM MobileFirst & WebSphere platforms
Integrates industry-proven access enforcement capabilities of
IBM Security Access Manager into the DataPower platform,
available as add-on ISAM Proxy Module
IBM DataPower Gateway is the new name of a consolidated,
extensible & modular platform
Converges three existing products, XG45 / XI52 / XB62, into a
single modular offering
Physical appliance uses purpose-built latest generation
hardware platform to provide increased performance & capacity
Virtual appliance runs on VMware & Citrix XenServer
hypervisors and cloud platforms that support them
Easy-to-use & secure B2B integration capabilities, formerly on
XB62 appliances only, available as add-on B2B Module
Enable authentication from internet consumers & Non-Microsoft
consumers to Microsoft systems with Kerberos S4U2Self
support
8. Modules
Single, modular & extensible platform
ISAM Proxy Module
User access control, session management, web SSO enforcement
Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn
Integration w/ ISAM4Mobile
Application Optimization Module
Frontend self-balancing
Backend intelligent load distribution
Session affinity
z Sysplex Distributor integration
Integration Module
Any-to-Any message transformation
Database connectivity
Mainframe IMS connectivity
B2B Module
B2B DMZ gateway
EDIINT AS1, AS2, AS3, ebXML
Partner profile management
B2B transaction viewer
Any-to-Any message transformation
Database connectivity
TIBCO EMS Module
Integrate with TIBCO EMS messaging middleware
Support for queues & topics
Load balancing & fault-tolerance
IBM DataPower Gateway (Base)
Secure
Authentication, authorization
Security token translation
Service / API virtualization
Threat protection
Message validation
Message filtering
Message digital signature
Message encryption
AV scanning integration
Integrate
Transport protocol bridging
Message enrichment
Message transformation &
processing using JavaScript,
JSONiq, XQuery, XSLT
Mainframe integration &
enablement
Flexible pipeline message
processing engine
Control & Manage
Service level management
Quota & rate enforcement
Content-based routing
Message accounting
Integration w/ management &
visibility platforms including
IBM API Management &
WSRR for policy enforcement
Optimize & Offload
SSL / TLS offload
Hardware accelerated crypto
JSON, XML offload
JavaScript, JSONiq, XSLT,
XQuery acceleration
Local response caching
Distributed caching w/ XC10
Backend load balancing
(2U Physical or Virtual Edition)
9. Latest Generation Hardware Platform
Trusted Platform Module
Customized intrusion detection
Cryptographic Acceleration Card
Hardware Security Module (Optional, FIPS 140-2 Level 3 certified)
Runtime Hardware Diagnostic
Intelligent Platform Management Interface
Supercapacitor Powered Flash-backed RAID Cache
Multiple Replaceable Units
– Customer Replaceable Units (CRU)
• Fan, Power Supply, HDD, Network Module
Purpose-built, high density 2U rack mount design
Increased capacity
‒ Higher performance CPU & memory
‒ Faster cryptographic acceleration card
‒ New RAID controller w/ large write cache
192 GB memory
Two 1.2 TB high speed hard drives
Three management traffic ports
1 RJ45 serial port
2 x 1 GbE ports
– Field Replaceable Units (FRU)
• Appliance, CPU, Memory, Flash Drive, Coin
Battery, Supercapacitor for RAID
• Cryptographic Acceleration Card, HSM
Card, RAID Card
Ten application traffic ports
‒ 8 x 1 GbE ports
‒ 2 x 10 GbE ports
2 10-Gigabit
Ethernet NICs
8 1-Gigabit
Ethernet NICs
RAID mirroring across two drives
11. DataPower Secret Sauce
Specialized compiler
technology creates
optimized executable
object code from
transformations (e.g.
XSLT) that execute
natively on hardware
Everything is viewed as
a transformation that is
extensible via
DataPower custom
extension functions
High-performing
throughput-optimized
engine yields wire-
speed capabilities
Purpose-built
hardware to execute
SOA workloads and
transformations
12. IBM DataPower’s value as a Security & Integration Gateway
[Diagram labels: DataPower appliances in two DMZs. External side: Internet; Mobile, PoS, ATMs; Social & Internet Data sources; Trading partner communities; API Developer & Customer communities; Internet of Things Sensors; Public Cloud. Enterprise side: APP, Service, DB; Big Data; Master Data Management; Enterprise DB; Virtual Environment / Private Cloud]
Secure appliances
enable controlled &
optimized access to
enterprise resources
Secure appliances
integrate
apps/data/services and
partners while controlling
and optimizing
transactions
13. Evolving Industry Requirements
• Virtualized data-centers are becoming the new norm
• Requests for virtual gateways growing
• DataPower capability has known high value, however
customers need it where they deploy to
• Developers and testers require separate appliances
‒ Isolation of Dev and Test environments
‒ Scalability and flexibility through the dev/test lifecycle
‒ Multiple physical appliances are expensive and costly to install
• Physical appliances still recommended for DMZ
operation and bullet-proof HW/SW security
• DataPower Virtual Editions augment use cases
recommending physical appliances with the elasticity,
flexibility and scalability available in virtual and cloud
environments
[Figure labels: On-premise cloud, IBM PureApp System, Off-premise cloud]
14. Design Points
• Make virtual DataPower a new deployment option
• Once deployed, it should behave like any other
DataPower appliance
• Where applicable, maintain full functionality
• New features on physical, become new features on
virtual
• Maintain the same firmware upgrade/downgrade
philosophy and capability
• Provide for configuration import/export between
virtual-to-virtual and virtual-to-physical appliances
• Provide the same workload security as physical
appliances
• Overall performance adjustable through the
virtual resources allocated by the VM
management system
• Architected to allow easy porting to new
platforms
15. DataPower VE Security
• Once deployed, DataPower Virtual Editions behave like their physical appliance
counterparts
• All DataPower Security Best Practices apply to DP VE as well
• Hardware is virtualized as part of the VM infrastructure so some functions
which require HW assist are not supported:
• Intrusion detection
• TPM
• Crypto acceleration
• HSM
• Secure backup/restore supported for:
• Backup from virtual, restore to virtual
• Configuration export/import supported for:
• Export from virtual, import to virtual or physical
• Export from physical, import to physical or virtual
• Chain of trust down to the hardware requires DataPower physical appliances
• DataPower Virtual Editions add deployment options for secure virtual
environments
16. Comparing Physical and Virtual
• Physical appliances
– Hardware Security
• Hardware based protection against tampering and malicious altering of the physical system, intrusion detection
• Trusted Platform Module (TPM) chip
• Certification – The DataPower physical appliance provides FIPS 140-2 Level 3 compliance through the use of
optional hardware security module (HSM)
• The HSM is an embedded, factory installed option providing tamper proof storage of private key material used for
cryptographic operations performed on the appliance
– Performance
• The DataPower hardware appliance is a purpose-built system
providing hardware accelerated operations
• Virtual appliance
– Flexible deployment
• DataPower virtual editions can be deployed on
commodity x86 hardware servers and supported cloud environments
• Elasticity - VMs can easily be moved from server to server and new
DataPower VMs can be added for growth or during peak loads
– Development/Test version
• Development Virtual Edition provides a lower-cost environment for application development and test validation
• Includes the optional add-on features, except TIBCO EMS, available for DataPower at no additional cost
– Consolidation
• Multiple instances of DataPower VE can be consolidated and run concurrently on a single physical server
• This includes different firmware versions
18. DataPower Virtual Edition for VMware
• Support for new VMware Type 2 hypervisors
• Support for the IBM SoftLayer Cloud platform
• Improvements in VMware tools support to
enhance functionality and RAS
• Added support of ova import from VMware
vCenter
• Added vMotion support
• Added support for VMware tools logging
• Changed default deployment options to "medium" size
• Added support for VMware tools guest IP address information
19. DataPower – Developers Edition
• Introducing DataPower Virtual Edition for Developers, with additional
support for “desktop” hypervisors
• VMware Workstation for Linux and Windows
• VMware Player for Linux and Windows
• VMware Fusion for Mac
• Provides a low cost and easy to use
gateway specifically for developers
• Per user license
• XG45 and XI52 models available
• Same options included as DP VE non-production
• Can use disconnected
• At home, on the plane, in the hotel, at InterConnect!
• Develop and test applications anywhere
• Up and running in minutes … no complex networking setup
• Develop and test on desktops/laptops without network connectivity
• Can run multiple DP instances on a single laptop
Run DataPower on your Mac … and on your workstation
20. DataPower VE for Citrix XenServer
• Introducing support for Citrix XenServer as an additional platform
for DataPower Virtual Edition
• Many customers use Xen as their preferred hypervisor
• Citrix XenServer is a popular and supported platform
for cloud and desktop workloads in data centers
• Access and manage DP VE instances with Citrix XenCenter
• DP VE supports the XenServer tools
stack, enabling hypervisor functions
• Soft power start / stop
• Soft power shutdown / reboot
• Report assigned DP IP address
• Full DataPower functionality, security, import/export, and upgrade /
downgrade capability as with other DP VE platforms
21. DataPower VE for SoftLayer Bare Metal
• SoftLayer IaaS provides a dedicated bare metal server option
• Custom configured to the customer's spec
• Wide selection, from low range to GPU, etc
• Network: public or private
• Time to provision: 2-4 hours
• Various OS choices, including VMware ESX and Citrix XenServer
• DataPower Virtual Edition now supports SoftLayer bare metal instances
• Provision a bare metal server
• Select desired CPU and Memory (consider number of DP VE instances to be deployed)
• Select hypervisor of choice (ESX, XenServer)
• Once provisioned, import and deploy DP VE
• Can deploy multiple instances of DP VE on the hypervisor
• Example: using AO feature to configure a self balanced cluster
23. VMware Deployment on SoftLayer Bare Metal
• Add a bare metal server of choice
• Example: 4 cores and 16GB RAM
• Choose Monthly order
• Select data center: e.g., Dallas 5
• Choose VMware ESXi operating system
• Import and deploy DataPower Virtual Edition for VMware ESX normally
24. XenServer Deployment on SoftLayer Bare Metal
• Add a bare metal server of choice
• Example: 4 cores and 16GB RAM
• Choose Monthly order
• Select data center: e.g., Dallas 5
• Choose Citrix XenServer 6.2 operating system
• Import and deploy DataPower Virtual Edition for Citrix XenServer normally
25. DataPower SoftLayer Virtual Server - CCI
• SoftLayer IaaS also provides Virtual Servers
• Pay As You Go or Monthly Packages
• Monthly billing based on hourly usage or monthly plans
• Pay only for the resources you need and use
• Rapid Provisioning
– A Virtual Server delivered in as fast as 5 minutes;
Storage and Content Delivery Network ready in real-time.
• DataPower to provide a SoftLayer Virtual Server – Cloud Compute Image (CCI)
• Can rapidly deploy multiple instances of DP CCI, via SL customer portal or API
• Once deployed, the DP CCI operates as any virtual or physical DataPower appliance
– Workload security
– Application Optimization
– Legacy connectivity
– Configuration import/export
– Secure backup/restore
• DataPower CCI deployment capability brings full support of PaaS flexibility and
scalability
26. DataPower Amazon EC2 AMI
Deploy DataPower Gateways on EC2 optimized for your specific workload.
Choose from among
compute, memory, and
storage optimized instances
to tailor virtual servers tuned
for your workloads.
Exploit EC2 AMI Lifecycle with
DataPower intrinsic host aliases to
create reusable appliance
configurations for elastic computing.
27. IBM Bluemix™ is now open!
• Built on Cloud Foundry to build applications rapidly and
incrementally composed from services
• Open standards, leveraging the open and flexible cloud
environment using a variety of tools from IBM, third party or
open technologies.
• Bluemix offers more than 200 software and middleware patterns
available from IBM and IBM Business Partners
• Pre-built services make application assembly very easy.
• DevOps in the cloud … allows developers to transform an idea to an application faster
• Facility to store and manage code by means of Git repository
• A built-in web integrated development environment (IDE)
• Easy integrations with popular development tools like Eclipse and Visual Studio
• Agile planning, tracking and team collaboration
• Services for automatic application deployment
• Hides the complexities associated with hosting and managing cloud-based applications so
that developers can just focus on development
• Bluemix can automatically scale a deployed application up or down based on application
usage
28. A Secure Gateway for Bluemix
The DataPower Gateway secures all Bluemix traffic
[Diagram labels: HTTP/WebSockets, DataPower, (go)router, apps, external services, login, IDaaS, license accept]
Host-based routing to services
Load balancing to router/services
URL rewriting for Mobile
Response caching of static content
SSL termination
Self-balancing front-side
Rate limiting
Request logging/monitoring
This list is growing daily
Dallas Yellow Production Zone
• Transactions: 8M/day ~ 5k/min
• Proxy URLs: 98
• Distinct services:
- ECaaS
- CDE
- Workflow
- Alchemy
- Cloud Integration
- SQL-DB
- AES
- TSDB
- IDaaS
- Admin console
- c2a
- JSONDB
- sqldb-micro
29. IBM API Management
Cloud Landscape
Cloud Integration
IBM API Management
On Premise
IBM API Management
On Premise
ESXi/Xen
IBM API Management
SaaS SoftLayer/NetflixOSS
31. DataPower Multi-tenant Physical Appliance
• Upgrade/downgrade XI52 and IDG with DataPower/MT firmware
• Instance 0 runs with native DataPower performance
• Deploy multiple DP/MT guest types for high density or isolation
• Manage guest hardware resource allocation, including CPU, RAM, Disk, and processor and NIC affinity
• Modern web based DataPower Hypervisor UX for instance management and performance data
• Once deployed, instances are “just DataPower”
[Diagram labels: DP/OS; DataPower Instance 0 (CLI, XML Mgmt, Web GUI); DP Hypervisor GUI Server; guest types DP/MT Guest(s), DP/MT Isolated Guest(s), DP Legacy Guest(s), Other Appliance Type; labels hyp lite, container, kvm, hyp]
32. DataPower Multi-tenant Use Cases
1. Multiple isolated** DataPower runtime environments within a
single physical appliance
• Separate LOBs
• Separate projects within an LOB
• Span operational zones
2. Multiple isolated** DataPower firmware versions within a single
physical appliance to support migration
3. Mix of old and new firmware on same physical appliance
4. Greater elasticity, flexibility, and scalability of a physical
appliance
5. Greater leverage of physical appliances installed in the Data
Center
6. Lower cost alternative to a full dedicated physical appliance
** There is a range of isolation from process-level -> traffic-level -> VM level
33. Consolidate Across LOBs
[Diagram labels: Internet, DMZ, Trusted Domain; DataPower HA pairs for Backend LOB 1, Backend LOB 2 and Backend LOB 3; DataPower HA with MT]
34. Span Operational Zones
[Diagram, shown twice ("Today with application domains" and with MT): DMZ 192.168.14.0/24, Server Zone 172.32.16.0/24, Backend 10.11.12.0/24]
35. Range of Isolation Design Points
Density
process
• Highest instance density
• Traffic isolation
Isolation
VM
• Fewer instances
• Separate instance OS’
39. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.