CrossWorlds Software

Accelerate, Secure and Integrate with WebSphere DataPower SOA Appliances V3.8.2

WB540 (classroom)

VB540 (online)

Course Abstract

Course description

In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances with firmware version 3.8.2.

The IBM WebSphere DataPower SOA Appliances allow an enterprise to simplify, accelerate, and enhance the security capabilities of its Extensible Markup Language (XML) and web services deployments, and extend the capabilities of its service-oriented architecture (SOA) infrastructure.

Through a combination of instructor-led lectures and hands-on lab exercises, students learn how to implement the key use cases for the DataPower appliances, including XML acceleration and threat protection, web service virtualization, web services security, integrating with IBM WebSphere MQ and Java Message Service (JMS), and authentication, authorization, and auditing (AAA). Students also learn how to use various problem determination tools such as logs, monitors, and probes, as well as techniques for testing DataPower services and handling errors.

Hands-on exercises give students experience working directly with an IBM WebSphere DataPower SOA Appliance, focusing on skills such as creating XML firewalls, working with encryption and cryptographic objects, configuring service level monitoring, troubleshooting services, and handling errors.

For information on other related WebSphere courses, visit the WebSphere Education Training Paths Web site:

http://www.ibm.com/software/websphere/education/paths/

General information

Delivery method: Classroom or instructor-led online (ILO)

Audience: This course is designed for integration developers who configure service policies on IBM WebSphere DataPower SOA Appliances.

Learning objectives: After completing this course, students should be able to:

Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances

Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)

Configure an XML firewall to protect against a new class of XML-based threats

Create a Web Service Proxy to virtualize web service applications

Implement web services security

Create and configure cryptographic objects

Configure Secure Sockets Layer (SSL) to and from WebSphere DataPower SOA Appliances

Configure a multi-protocol gateway (MPG) to handle multiple protocols for a single service

Configure a service level monitoring (SLM) policy to handle service processing violations

Enforce service level policies to manage traffic to and from WebSphere DataPower SOA Appliances

Configure support for IBM WebSphere MQ and Java Message Service (JMS)

Troubleshoot services using logs and probes

Handle errors in service policies

Prerequisites:

Before taking this course, students should be familiar with:

Security-based concepts and protocols

XML-related technologies, such as XML schema, XPath, and XSLT

Web service fundamentals and the Web Services Security specification

Duration:

5 days

Skill level:

Intermediate

Notes

The unit and exercise durations listed below are estimates, and may not reflect every class experience. If the course is customized or abbreviated, the duration of unchanged units will probably increase.

This course is an update of course WB565 / VB565, Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances V3.8.1.

Course agenda

Course introduction

Duration: 30 minutes

Unit overview: This unit welcomes students to the course and describes the agenda and logistics.

Unit 1. Introduction to DataPower SOA Appliances

Duration: 1 hour

Unit overview: This unit introduces the concept of an SOA appliance: an XML-aware network device that accelerates, secures, and integrates XML-based applications and web services.

Learning objectives: After completing this unit, students should be able to:

Describe and define the role of an SOA appliance

Identify the products in the WebSphere DataPower SOA Appliance product line

Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

Unit 2. DataPower administration overview

Duration: 1 hour

Unit overview: This unit introduces three management interfaces for the WebSphere DataPower SOA Appliance: the Web GUI web application, the command-line interface (CLI), and the XML Management interface.

Learning objectives: After completing this unit, students should be able to:

List the methods that can be used to administer WebSphere DataPower SOA Appliances

Manage user accounts and domains on the appliance

Work with files on the WebSphere DataPower SOA Appliance

Exercise 1. Exercises setup

Duration: 45 minutes

Exercise overview: In this exercise, students perform work that will be used in subsequent exercises. Students determine the assigned variables and port numbers, import key and certificate crypto files, import WSDLs into Eclipse, and set up cURL and OpenSSL.

Learning objectives: After completing this exercise, students should be able to:

Import the files used in the exercises

Verify cURL installation

Populate the table containing all of the port numbers

Unit 3. Introduction to XSL transformations

Duration: 1 hour

Unit overview: This unit introduces students to Extensible Stylesheet Language Transformations (XSLT). Students learn how to create XSLT stylesheets to transform XML documents into other formats, and how to write XPath expressions to retrieve information from an XML document.

Learning objectives: After completing this unit, students should be able to:

Describe the Extensible Stylesheet Language (XSL) model

Construct XPath expressions

Create XSL stylesheets to apply XSL transformations

Use and apply XSL templates in XSLT

Describe the use of DataPower variables and extensions in XSL stylesheets

Exercise 2. Creating XSL transformations

Duration: 45 minutes

Exercise overview: In this exercise, students examine an existing XML file, create an XSL stylesheet, create an XML firewall service, and test the stylesheet using the new service.

Learning objectives: After completing this exercise, students should be able to:

Create an XSL stylesheet

Create an XML firewall service

Transform an XML file using the compiled XSL stylesheet

Describe the use of DataPower variables and extensions in XSL stylesheets

Unit 4. DataPower services overview

Duration: 1 hour

Unit overview: In this unit, students learn about the services supported on the DataPower appliance, and how to choose the correct service given a set of requirements. Students also learn how to configure services and service policies to process messages flowing to and from the appliance.

Learning objectives: After completing this unit, students should be able to:

List the supported services on the WebSphere DataPower SOA Appliance

Compare and contrast the features supported by each WebSphere DataPower service

Exercise 3. Creating a simple XML firewall

Duration: 45 minutes

Exercise overview: This exercise explains how to create a basic XML firewall that can perform schema validation and message transformation. Students learn the basic steps necessary to implement a message flow within any DataPower service, and implement the validation and transformation by configuring an XML firewall in the loopback proxy mode. The scenarios are then tested with the cURL command line tool.

Learning objectives: After completing this exercise, students should be able to:

Create an XML firewall

Create a document processing policy with message schema validation and transformation

Test the message flow using the command line tool cURL

Unit 5. XML firewall service

Duration: 1 hour 15 minutes

Unit overview: This unit explains how to create and manage an XML firewall service on the WebSphere DataPower SOA Appliance. Students learn the capabilities of the XML firewall in order to secure, monitor, and administer their XML-based application. The unit also provides an introduction to implementing a service policy in any of the DataPower services, not just the XML firewall. Students learn about various processing actions available in other services such as Filter, Validate, Encrypt, Transform, and Route.

Learning objectives: After completing this unit, students should be able to:

List the features and functions of an XML firewall service

Configure an XML firewall service on a WebSphere DataPower SOA Appliance

Describe the processing actions available in DataPower services

Unit 6. Problem determination tools

Duration: 45 minutes

Unit overview: This unit describes the troubleshooting tools available for debugging problems on the DataPower appliance. Several tools are available for use depending on the nature of the problem, ranging from low-level networking tools to probes that aid in debugging service policies. The logging utilities are available for capturing information generated by the DataPower objects.

Learning objectives: After completing this unit, students should be able to:

Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance

Configure a multistep probe to examine detailed information about actions within rules

List the problem determination tools available on the WebSphere DataPower SOA Appliance

Exercise 4. Creating an advanced XML firewall

Duration: 2 hours

Exercise overview: This exercise shows how to configure an XML firewall with content-based routing. Content-based routing is configured by creating an XML firewall that contains a document processing policy with a Route action. Students learn the steps required to create, configure, and test DataPower services.

Learning objectives: After completing this exercise, students should be able to:

Create an XML firewall from a WSDL definition

Configure a document processing policy with additional actions

Configure content-based routing using a Route action

Test the XML firewall policy using the command line tool cURL

Perform basic debugging using the system log and multistep probe

Unit 7. Handling errors in a service policy

Duration: 10 minutes

Unit overview: It is expected that errors will occur when messages are processed by the service policy, so the developers of service policies must plan for error handling within the rules of the policy. In this unit, students learn how to use the On Error action and Error rule, and how the service policy selects error handling.

Learning objectives: After completing this unit, students should be able to:

Configure an On Error action in a service policy

Configure an Error rule in a service policy

Describe how On Error actions and Error rules are selected during error handling

Exercise 5. Adding error handling to a service policy

Duration: 20 minutes

Exercise overview: In this exercise, students add an On Error action and an Error rule to a service policy.

Learning objectives: After completing this exercise, students should be able to:

Configure a service policy with an On Error action

Configure a service policy with an Error rule

Unit 8. DataPower cryptographic tools

Duration: 45 minutes

Unit overview: This unit describes how to use the cryptographic tools to create keys and certificates. Students also set the DataPower objects that are used to validate certificates and configure certificate monitoring to ensure that only valid certificates exist on board.

Learning objectives: After completing this unit, students should be able to:

Generate cryptographic keys using the WebSphere DataPower tools

Create a crypto identification credential object containing a matching public and private key

Create a crypto validation credential to validate certificates

Set up certificate monitoring to ensure that certificates are up to date

Exercise 6. Creating cryptographic objects

Duration: 30 minutes

Exercise overview: This exercise shows how to create cryptographic keys using the DataPower crypto tools. Keys can be created on the appliance or uploaded externally. Students create a crypto identification credential storing certificate-key pairs that are used in securing SSL connections, and create a validation credential object for validating certificates. These objects are used as part of a Crypto Profile.

Learning objectives: After completing this exercise, students should be able to:

Generate cryptographic keys using the WebSphere DataPower crypto tools

Upload key files to the WebSphere DataPower SOA Appliance

Create a crypto identification credential using a crypto key object

Validate certificates using a validation credential object

Unit 9. Securing connections using SSL

Duration: 45 minutes

Unit overview: This unit describes how to secure connections using SSL to and from the DataPower appliance.

Learning objectives: After completing this unit, students should be able to:

Configure the WebSphere DataPower SOA Appliance to communicate using SSL

Associate an SSL proxy profile with keys and certificates

Configure a user agent to initiate requests

Exercise 7. Securing connections using SSL

Duration: 1 hour

Exercise overview: This exercise shows how to set up a Secure Sockets Layer (SSL) connection to and from the DataPower appliance using the DataPower Web GUI.

Learning objectives: After completing this exercise, students should be able to:

Create an SSL proxy profile to accept SSL connections from a client to the WebSphere DataPower SOA Appliance

Create an SSL proxy profile to initiate an SSL connection from the WebSphere DataPower SOA Appliance to a back-end service

Create a Hypertext Transfer Protocol (HTTP) service to handle HTTP requests

Unit 10. XML threat protection

Duration: 45 minutes

Unit overview: This unit covers the vulnerabilities that exist in XML messaging, and the threat protection features of the WebSphere DataPower SOA Appliance.

Learning objectives: After completing this unit, students should be able to:

Explain possible attack scenarios involved in XML-based applications

Describe the various types of XML attacks

Use the WebSphere DataPower SOA Appliance to protect against XML attacks

Exercise 8. Protecting against XML threats

Duration: 30 minutes

Exercise overview: XML and web services are subject to a number of different types of attacks that are broadly referred to as XML structural attacks, XML content-based attacks, and denial-of-service attacks. This exercise demonstrates the major XML threat protection features of the WebSphere DataPower SOA Appliance.

Learning objectives: After completing this exercise, students should be able to:

Run a recursive entity attack simulation

Perform a recursive entity threat protection test

Enable excessive attribute count threat protection

Enable SQL injection attack prevention

Unit 11. Web Service Proxy service

Duration: 1 hour

Unit overview: This unit discusses the Web Service Proxy service and its role in an XML-aware web-services-based network, and outlines the configuration steps required to create and manage a Web Service Proxy. The unit also explains advanced web service configuration steps, such as proxy-level security, SOAPAction policy, and web service endpoint.

Learning objectives: After completing this unit, students should be able to:

Describe the Web Service Proxy architecture

List and explain the configuration steps needed to create a Web Service Proxy

Create and configure a Web Service Proxy policy at various levels of the Web Services Description Language (WSDL) file

Exercise 9. Configuring a Web Service Proxy

Duration: 1 hour

Exercise overview: In this exercise, students create a Web Service Proxy (WS-Proxy) that virtualizes or proxies the East and West Address Search web service. A Web Service Proxy allows a user to mask the actual endpoint of the web service. Web Service Proxy configuration is done by uploading a WSDL document for each service. Once a Web Service Proxy is created, a user can configure a policy with rules and actions for each service defined within the proxy.

Learning objectives: After completing this exercise, students should be able to:

Configure a WS-Proxy to virtualize an existing set of web services

Create a policy within the WS-Proxy

Unit 12. XML and web services security overview

Duration: 45 minutes

Unit overview: This unit discusses the features of the web services security specification. This specification provides message level security to ensure message confidentiality and integrity using XML encryption and XML signatures, respectively. You will learn how to use the DataPower device to encrypt and decrypt, and to sign and verify messages.

Learning objectives: After completing this unit, students should be able to:

Describe the features of the WS-Security specification

Enable message confidentiality using XML Encryption

Provide message integrity using XML Signature

Exercise 10. Web service encryption and digital signatures

Duration: 1 hour

Exercise overview: In this exercise, students learn how to perform web services security functions using the WebSphere DataPower SOA Appliance. The DataPower appliance supports security-related tasks that both a client and a server need to perform. Students play the role of a client by using an XML firewall to generate an encrypted and signed message, and then play the role of the server by decrypting and verifying the digital signature of the message on the Web Service Proxy.

Learning objectives: After completing this exercise, students should be able to:

Create an XML firewall to generate a message with XML encryption

Create an XML firewall to generate a message with an XML digital signature

Perform field-level encryption and decryption on XML messages

Create a rule to decrypt messages and verify digital signatures contained in a message within a Web Service Proxy policy

Unit 13. Authentication, authorization, and auditing (AAA)

Duration: 1 hour

Unit overview: This unit describes the authentication, authorization, and auditing (AAA) framework within the XI50 and XS40 IBM WebSphere DataPower SOA Appliances. These three facets of security both monitor and restrict access to resources.

Learning objectives: After completing this unit, students should be able to:

Describe the authentication, authorization, and auditing framework within the WebSphere DataPower SOA Appliance

Explain the purpose of each step in an access control policy

Authenticate and authorize Web service requests with:

WS-Security Username and binary security tokens

HTTP Authorization header claims

Security Assertion Markup Language (SAML) assertions

Exercise 11. Web service authentication and authorization

Duration: 1 hour

Exercise overview: This exercise covers the authentication, authorization, and auditing (AAA) capabilities of the XS40 and XI50 IBM WebSphere DataPower SOA Appliances. Enforcing client authentication and authorization means that access to services is restricted to permitted clients.

Learning objectives: After completing this exercise, students should be able to:

Configure an action to enforce authentication and authorization policies

Configure an action to verify an SAML assertion token for authentication and authorization purposes

Unit 14. Configuring LDAP using AAA

Duration: 30 minutes

Unit overview: This unit describes how to authenticate and authorize users using LDAP in a AAA policy. Students learn basic LDAP concepts and constructs, and how to configure LDAP in a AAA policy to connect to a directory service.

Learning objectives: After completing this unit, students should be able to:

Describe the fundamentals of configuring the Lightweight Directory Access Protocol (LDAP) and deploying directory services

Authenticate and authorize user credentials using LDAP by creating a AAA policy

Exercise 12. Creating a AAA policy using LDAP

Duration: 45 minutes

Exercise overview: In this exercise, students play the role of an LDAP user and create a AAA policy that validates a credential using the configured LDAP directory service.

Learning objectives: After completing this exercise, students should be able to:

Add entries to the IBM Tivoli Directory Server LDAP server

Authenticate users on an LDAP server by configuring a AAA policy

Unit 15. Multi-protocol gateway service

Duration: 1 hour

Unit overview: This unit describes the features of the multi-protocol gateway in the IBM WebSphere DataPower SOA Appliance. The gateway allows a many-to-many service mapping: multiple transport protocols can access a list of operations, and more than one back-end service can provide the implementation for these operations.

Learning objectives: After completing this unit, students should be able to:

Configure a multi-protocol gateway to provide a service over a set of different protocols

Configure a connection to a static back-end service

Configure a processing rule to select a back-end service at run time

Exercise 13. Configuring a multi-protocol gateway service

Duration: 1 hour 15 minutes

Exercise overview: This exercise covers the multi-protocol gateway service in the XS40 and XI50 IBM WebSphere DataPower SOA Appliances. Clients and back-end services can communicate with each other over a variety of protocols.

Learning objectives: After completing this exercise, students should be able to:

Configure a multi-protocol gateway to accept messages over HTTP and HTTPS

Forward messages from a multi-protocol gateway to a static back-end service

Unit 16. Monitoring objects

Duration: 30 minutes

Unit overview: This unit shows how to configure monitors to measure traffic volume and system latency.

Learning objectives: After completing this unit, students should be able to:

Identify messages that will be monitored

Configure a message count monitor

Set up a message duration monitor

Unit 17. Service level monitoring

Duration: 30 minutes

Unit overview: This unit shows how to implement service level monitoring within the DataPower SOA Appliance.

Learning objectives: After completing this unit, students should be able to:

Identify the service level monitoring (SLM) functionality provided by the WebSphere DataPower SOA Appliance

Implement a basic SLM policy using the Web Service Proxy Web GUI

Create an advanced SLM policy using the SLM Statement construct

Unit 18. Integration with WebSphere MQ

Duration: 45 minutes

Unit overview: This unit describes how to configure the DataPower appliance to communicate with WebSphere MQ. Students learn how to receive and put messages on WebSphere MQ queues, and how DataPower manages transactions between WebSphere MQ queue managers.

Learning objectives: After completing this unit, students should be able to:

Create a multi-protocol gateway with a WebSphere MQ front-side handler

Configure a WebSphere MQ back-end uniform resource locator (URL)

Manage transactionality between WebSphere MQ queue managers

Exercise 14. Configuring a multi-protocol gateway service with WebSphere MQ

Duration: 1 hour 15 minutes

Exercise overview: This exercise shows how to add support for WebSphere MQ to a multi-protocol gateway service. Students add an MQ front-side handler to the AddressSearchMPG created in an earlier exercise, and then create another multi-protocol gateway service to demonstrate one-way messaging to a back-end WebSphere MQ system. This multi-protocol gateway service is used as an MQ client to get and put messages from queues. Finally, students learn about the transaction capabilities when integrating DataPower and WebSphere MQ.

Learning objectives: After completing this exercise, students should be able to:

Create a WebSphere MQ front-side handler (FSH) that gets messages from a queue and puts responses on a queue

Send messages from a multi-protocol gateway service to a queue in WebSphere MQ in a fire-and-forget messaging pattern

Configure transactionality between WebSphere DataPower and WebSphere MQ when errors occur during message processing

Unit 19. DataPower and Java Message Service (JMS)

Duration: 45 minutes

Unit overview: This unit describes how to configure a JMS front-side handler to connect to the default messaging provider in WebSphere Application Server V6, and to TIBCO Enterprise Message Service (EMS). Students learn how to invoke a web service running on WebSphere Application Server V6 over JMS.

Learning objectives: After completing this unit, students should be able to:

Describe the components of the service integration bus on WebSphere Application Server V6

Configure a JMS front-side handler to send JMS messages to the default messaging provider in WebSphere Application Server V6

Configure a JMS front-side handler to send JMS messages to TIBCO EMS

Unit 20. DataPower architectural scenarios

Duration: 45 minutes

Unit overview: This unit covers the various scenarios in typical enterprise architectures for which DataPower appliances can be used.

Learning objectives: After completing this unit, students should be able to:

Identify the security scenarios involved when deploying a WebSphere DataPower SOA Appliance

Describe use cases that include the WebSphere DataPower SOA Appliance in enterprise architectures

Unit 21. Course summary

Duration: 15 minutes

Unit overview: This unit summarizes the course, explains the class evaluation process, and provides information for future study.

Learning objectives: After completing this unit, students should be able to:

Explain how the course met its learning objectives

Submit an evaluation of the class

Identify other WebSphere Education courses related to this topic

Access the WebSphere Education Web site

Locate appropriate resources for further study

Appendix Unit A. Web application firewall service

Duration: 45 minutes

Unit overview: In this unit, students learn how to create a web application firewall to offload tasks and protect access to their web applications.

Learning objectives: After completing this unit, students should be able to:

Configure a Web application firewall to protect a back-end Web application

Use a AAA policy to protect access via the Web application firewall

Validate parameters from an HTTP request using Name-value profiles

Protect the Web application from phishing attacks using built-in threat protection

Appendix Exercise A. Creating a firewall and HTTP proxy for a web application

Duration: 45 minutes

Exercise overview: In this exercise, students create a web application firewall to secure the back-end East Address Search web service application. Clients connect to the web application firewall hosted on the DataPower appliance, which uses a AAA policy to authenticate users. Students also configure an SSL proxy profile to securely access the back-end web application firewall.

Learning objectives: After completing this exercise, students should be able to:

Use the web application firewall wizard to create a web application firewall

Implement a security policy on a web application firewall

Create a reverse-proxy to virtualize requests to web applications

Appendix Exercise B. Configuring WebSphere JMS

Duration: 30 minutes

Exercise overview: This exercise shows how DataPower can send and receive messages to and from the WebSphere Application Server default messaging engine. In this exercise, students create a multi-protocol gateway service that receives a request from cURL and sends a message to the WebSphere Application Server messaging engine to invoke the East Address Search web service over JMS.

Learning objectives: After completing this exercise, students should be able to:

Identify the fields in the service integration bus configuration on WebSphere Application Server V6.0 or V6.1 that are needed to configure the WebSphere DataPower JMS object

Create a multi-protocol gateway service that invokes the East Address Search web service over the JMS transport

IBM WebSphere Education

http://www.ibm.com/websphere/education

Contact us at: [email protected]