CrossWorlds Software
Accelerate, Secure and Integrate with WebSphere DataPower SOA Appliances V3.8.2
WB540 (classroom)
VB540 (online)
Course Abstract
Course description
In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances with firmware version 3.8.2.
The IBM WebSphere DataPower SOA Appliances allow an enterprise to simplify, accelerate, and enhance the security capabilities of its Extensible Markup Language (XML) and web services deployments, and extend the capabilities of its service-oriented architecture (SOA) infrastructure.
Through a combination of instructor-led lectures and hands-on lab exercises, students learn how to implement the key use cases for the DataPower appliances, including XML acceleration and threat protection, web service virtualization, web services security, integrating with IBM WebSphere MQ and Java Message Service (JMS), and authentication, authorization, and auditing (AAA). Students also learn how to use various problem determination tools such as logs, monitors, and probes, as well as techniques for testing DataPower services and handling errors.
Hands-on exercises give students experience working directly with an IBM WebSphere DataPower SOA Appliance, focusing on skills such as creating XML firewalls, working with encryption and cryptographic objects, configuring service level monitoring, troubleshooting services, and handling errors.
For information on other related WebSphere courses, visit the WebSphere Education Training Paths Web site:
http://www.ibm.com/software/websphere/education/paths/
General information
Delivery method: Classroom or instructor-led online (ILO)
Audience: This course is designed for integration developers who configure service policies on IBM WebSphere DataPower SOA Appliances.
Learning objectives: After completing this course, students should be able to:
Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances
Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)
Configure an XML firewall to protect against a new class of XML-based threats
Create a Web Service Proxy to virtualize web service applications
Implement web services security
Create and configure cryptographic objects
Configure Secure Sockets Layer (SSL) to and from WebSphere DataPower SOA Appliances
Configure a multi-protocol gateway (MPG) to handle multiple protocols for a single service
Configure a service level monitoring (SLM) policy to handle service processing violations
Enforce service level policies to manage traffic to and from WebSphere DataPower SOA Appliances
Configure support for IBM WebSphere MQ and Java Message Service (JMS)
Troubleshoot services using logs and probes
Handle errors in service policies
Prerequisites:
Before taking this course, students should be familiar with:
Security-based concepts and protocols
XML-related technologies, such as XML schema, XPath, and XSLT
Web service fundamentals and the Web Services Security specification
Duration:
5 days
Skill level:
Intermediate
Notes
The unit and exercise durations listed below are estimates, and may not reflect every class experience. If the course is customized or abbreviated, the duration of unchanged units will probably increase.
This course is an update of course WB565 / VB565, Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances V3.8.1
Course agenda
Course introduction
Duration: 30 minutes
Unit overview: This unit welcomes students to the course and describes the agenda and logistics.
Unit 1. Introduction to DataPower SOA Appliances
Duration: 1 hour
Unit overview: This unit introduces the concept of an SOA appliance: an XML-aware network device that accelerates, secures, and integrates XML-based applications and web services.
Learning objectives: After completing this unit, students should be able to:
Describe and define the role of an SOA appliance
Identify the products in the WebSphere DataPower SOA Appliance product line
Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture
Unit 2. DataPower administration overview
Duration: 1 hour
Unit overview: This unit introduces three management interfaces for the WebSphere DataPower SOA Appliance: the Web GUI web application, the command-line interface (CLI), and the XML Management interface.
Learning objectives: After completing this unit, students should be able to:
List the methods that can be used to administer WebSphere DataPower SOA Appliances
Manage user accounts and domains on the appliance
Work with files on the WebSphere DataPower SOA Appliance
Exercise 1. Exercises setup
Duration: 45 minutes
Exercise overview: In this exercise, students perform work that will be used in subsequent exercises. Students determine the assigned variables and port numbers, import key and certificate crypto files, import WSDLs into Eclipse, and set up cURL and OpenSSL.
Learning objectives: After completing this exercise, students should be able to:
Import the files used in the exercises
Verify cURL installation
Populate the table containing all of the port numbers
Unit 3. Introduction to XSL transformations
Duration: 1 hour
Unit overview: This unit introduces students to Extensible Stylesheet Language Transformations (XSLT). Students learn how to create XSLT stylesheets to transform XML documents into other formats, and how to write XPath expressions to retrieve information from an XML document.
Learning objectives: After completing this unit, students should be able to:
Describe the Extensible Stylesheet Language (XSL) model
Construct XPath expressions
Create XSL stylesheets to apply XSL transformations
Use and apply XSL templates in XSLT
Describe the use of DataPower variables and extensions in XSL stylesheets
Exercise 2. Creating XSL transformations
Duration: 45 minutes
Exercise overview: In this exercise, students examine an existing XML file, create an XSL stylesheet, create an XML firewall service, and test the stylesheet using the new service.
Learning objectives: After completing this exercise, students should be able to:
Create an XSL stylesheet
Create an XML firewall service
Transform an XML file using the compiled XSL stylesheet
Describe the use of DataPower variables and extensions in XSL stylesheets
Unit 4. DataPower services overview
Duration: 1 hour
Unit overview: In this unit, students learn about the services supported on the DataPower appliance, and how to choose the correct service given a set of requirements. Students also learn how to configure services and service policies to process messages entering to and from the appliance.
Learning objectives: After completing this unit, students should be able to:
List the supported services on the WebSphere DataPower SOA Appliance
Compare and contrast the features supported by each WebSphere DataPower service
Exercise 3. Creating a simple XML firewall
Duration: 45 minutes
Exercise overview: This exercise explains how to create a basic XML firewall that can perform schema validation and message transformation. Students learn the basic steps necessary to implement a message flow within any DataPower service, and implement the validation and transformation by configuring an XML firewall in the loopback proxy mode. The scenarios are then tested with the cURL command line tool.
Learning objectives: After completing this exercise, students should be able to:
Create an XML firewall
Create a document processing policy with message schema validation and transformation
Test the message flow using the command line tool cURL
Unit 5. XML firewall service
Duration: 1 hour 15 minutes
Unit overview: This unit explains how to create and manage an XML firewall service on the WebSphere DataPower SOA Appliance. Students learn the capabilities of the XML firewall in order to secure, monitor, and administer their XML-based application. The unit also provides an introduction to implementing a service policy in any of the DataPower services, not just the XML firewall. Students learn about various processing actions available in other services such as Filter, Validate, Encrypt, Transform, and Route.
Learning objectives: After completing this unit, students should be able to:
List the features and functions of an XML firewall service
Configure an XML firewall service on a WebSphere DataPower SOA Appliance
Describe the processing actions available in DataPower services
Unit 6. Problem determination tools
Duration: 45 minutes
Unit overview: This unit describes the troubleshooting tools available for debugging problems on the DataPower appliance. Several tools are available for use depending on the nature of the problem, ranging from low-level networking tools to probes that aid in debugging service policies. The logging utilities are available for capturing information generated by the DataPower objects.
Learning objectives: After completing this unit, students should be able to:
Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance
Configure a multistep probe to examine detailed information about actions within rules
List the problem determination tools available on the WebSphere DataPower SOA Appliance
Exercise 4. Creating an advanced XML firewall
Duration: 2 hours
Exercise overview: This exercise shows how to configure an XML firewall with content-based routing. Content-based routing is configured by creating an XML firewall that contains a document processing policy with a Route action. Students learn the steps required to create, configure, and test DataPower services.
Learning objectives: After completing this exercise, students should be able to:
Create an XML firewall from a WSDL definition
Configure a document processing policy with additional actions
Configure content-based routing using a Route action
Test the XML firewall policy using the command line tool cURL
Perform basic debugging using the system log and multistep probe
Unit 7. Handling errors in a service policy
Duration: 10 minutes
Unit overview: It is expected that errors will occur when messages are processed by the service policy, so the developers of service policies must plan for error handling within the rules of the policy. In this unit, students learn how to use the On Error action and Error rule, and how the service policy selects error handling.
Learning objectives: After completing this unit, students should be able to:
Configure an On Error action in a service policy
Configure an Error rule in a service policy
Describe how On Error actions and Error rules are selected during error handling
Exercise 5. Adding error handling to a service policy
Duration: 20 minutes
Exercise overview: In this exercise, students add an On Error action and an Error rule to a service policy.
Learning objectives: After completing this exercise, students should be able to:
Configure a service policy with an On Error action
Configure a service policy with an Error rule
Unit 8. DataPower cryptographic tools
Duration: 45 minutes
Unit overview: This unit describes how to use the cryptographic tools to create keys and certificates. Students also set the DataPower objects that are used to validate certificates and configure certificate monitoring to ensure that only valid certificates exist on board.
Learning objectives: After completing this unit, students should be able to:
Generate cryptographic keys using the WebSphere DataPower tools
Create a crypto identification credential object containing a matching public and private key
Create a crypto validation credential to validate certificates
Set up certificate monitoring to ensure that certificates are up to date
Exercise 6. Creating cryptographic objects
Duration: 30 minutes
Exercise overview: This exercise shows how to create cryptographic keys using the DataPower crypto tools. Keys can be created on the appliance or uploaded externally. Students create a crypto identification credential storing certificate-key pairs that are used in securing SSL connections, and create a validation credential object for validating certificates. These objects are used as part of a Crypto Profile.
Learning objectives: After completing this exercise, students should be able to:
Generate cryptographic keys using the WebSphere DataPower crypto tools
Upload key files to the WebSphere DataPower SOA Appliance
Create a crypto identification credential using a crypto key object
Validate certificates using a validation credential object
Unit 9. Securing connections using SSL
Duration: 45 minutes
Unit overview: This unit describes how to secure connections using SSL to and from the DataPower appliance.
Learning objectives: After completing this unit, students should be able to:
Configure the WebSphere DataPower SOA Appliance to communicate using SSL
Associate an SSL proxy profile with keys and certificates
Configure a user agent to initiate requests
Exercise 7. Securing connections using SSL
Duration: 1 hour
Exercise overview: This exercise shows how to set up a Secure Sockets Layer (SSL) connection to and from the DataPower appliance using the DataPower Web GUI.
Learning objectives: After completing this exercise, students should be able to:
Create an SSL proxy profile to accept SSL connections from a client to the WebSphere DataPower SOA Appliance
Create an SSL proxy profile to initiate an SSL connection from the WebSphere DataPower SOA Appliance to a back-end service
Create a Hypertext Transfer Protocol (HTTP) service to handle HTTP requests
Unit 10. XML threat protection
Duration: 45 minutes
Unit overview: This unit covers the vulnerabilities that exist in XML messaging, and the threat protection features of the WebSphere DataPower SOA Appliance.
Learning objectives: After completing this unit, students should be able to:
Explain possible attack scenarios involved in XML-based applications
Describe the various types of XML attacks
Use the WebSphere DataPower SOA Appliance to protect against XML attacks
Exercise 8. Protecting against XML threats
Duration: 30 minutes
Exercise overview: XML and web services are subject to a number of different types of attacks that are broadly referred to as XML structural attacks, XML content-based attacks, and denial-of-service attacks. This exercise demonstrates the major XML threat protection features of the WebSphere DataPower SOA Appliance.
Learning objectives: After completing this exercise, students should be able to:
Run a recursive entity attack simulation
Perform a recursive entity threat protection test
Enable excessive attribute count threat protection
Enable SQL injection attack prevention
Unit 11. Web Service Proxy service
Duration: 1 hour
Unit overview: This unit discusses the Web Service Proxy service and its role in an XML-aware web-services-based network, and outlines the configuration steps required to create and manage a web services proxy. The unit also explains advanced web service configuration steps, such as proxy-level security, SOAPAction policy, and web service endpoint.
Learning objectives: After completing this unit, students should be able to:
Describe the Web Service Proxy architecture
List and explain the configuration steps needed to create a Web Service Proxy
Create and configure a Web Service Proxy policy at various levels of the Web Services Description Language (WSDL) file
Exercise 9. Configuring a Web Service Proxy
Duration: 1 hour
Exercise overview: In this exercise, students create a Web Service Proxy (WS-Proxy) that virtualizes or proxies the East and West Address Search web service. A Web Service Proxy allows a user to mask the actual endpoint of the web service. Web Service Proxy configuration is done by uploading a WSDL document for each service. Once a Web Service Proxy is created, a user can configure a policy with rules and actions for each service defined within the proxy.
Learning objectives: After completing this exercise, students should be able to:
Configure a WS-Proxy to virtualize an existing set of web services
Create a policy within the WS-Proxy
Unit 12. XML and web services security overview
Duration: 45 minutes
Unit overview: This unit discusses the features of the web services security specification. This specification provides message level security to ensure message confidentiality and integrity using XML encryption and XML signatures, respectively. You will learn how to use the DataPower device to encrypt and decrypt, and to sign and verify messages.
Learning objectives: After completing this unit, students should be able to:
Describe the features of the WS-Security specification
Enable message confidentiality using XML Encryption
Provide message integrity using XML Signature
Exercise 10. Web service encryption and digital signatures
Duration: 1 hour
Exercise overview: In this exercise, students learn how to perform web services security functions using the WebSphere DataPower SOA Appliance. The DataPower appliance supports security-related tasks that both a client and a server need to perform. Students play the role of a client by using an XML firewall to generate an encrypted and signed message, and then play the role of the server by decrypting and verifying the digital signature of the message on the Web Service Proxy.
Learning objectives: After completing this exercise, students should be able to:
Create an XML firewall to generate a message with XML encryption
Create an XML firewall to generate a message with an XML digital signature
Perform field-level encryption and decryption on XML messages
Create a rule to decrypt messages and verify digital signatures contained in a message within a Web Service Proxy policy
Unit 13. Authentication, authorization, and auditing (AAA)
Duration: 1 hour
Unit overview: This unit describes the authentication, authorization, and auditing (AAA) framework within the XI50 and XS40 IBM WebSphere DataPower SOA Appliances. These three facets of security both monitor and restrict access to resources.
Learning objectives: After completing this unit, students should be able to:
Describe the authentication, authorization, and auditing framework within the WebSphere DataPower SOA Appliance
Explain the purpose of each step in an access control policy
Authenticate and authorize Web service requests with:
WS-Security Username and binary security tokens
HTTP Authorization header claims
Security Assertion Markup Language (SAML) assertions
Exercise 11. Web service authentication and authorization
Duration: 1 hour
Exercise overview: This exercise covers the authentication, authorization, and auditing (AAA) capabilities of the XS40 and XI50 IBM WebSphere DataPower SOA appliance. Enforcing client authentication and authorization means that access to services is restricted to permitted clients.
Learning objectives: After completing this exercise, students should be able to:
Configure an action to enforce authentication and authorization policies
Configure an action to verify an SAML assertion token for authentication and authorization purposes
Unit 14. Configuring LDAP using AAA
Duration: 30 minutes
Unit overview: This unit describes how to authenticate and authorize users using LDAP in a AAA policy. Students learn basic LDAP concepts and constructs, and how to configure LDAP in a AAA policy to connect to a directory service.
Learning objectives: After completing this unit, students should be able to:
Describe the fundamentals of configuring the Lightweight Directory Access Protocol (LDAP) and deploying directory services
Authenticate and authorize user credentials using LDAP by creating a AAA policy
Exercise 12. Creating a AAA policy using LDAP
Duration: 45 minutes
Exercise overview: In this exercise, students play the role of an LDAP user and create a AAA policy that validates a credential using the configured LDAP directory service.
Learning objectives: After completing this exercise, students should be able to:
Add entries to the IBM Tivoli Directory Server LDAP server
Authenticate users on an LDAP server by configuring a AAA policy
Unit 15. Multi-protocol gateway service
Duration: 1 hour
Unit overview: This unit describes the features of the multi-protocol gateway in the IBM WebSphere DataPower SOA Appliance. The gateway allows a many-to-many service mapping: multiple transport protocols can access a list of operations, and more than one back-end service can provide the implementation for these operations.
Learning objectives: After completing this unit, students should be able to:
Configure a multi-protocol gateway to provide a service over a set of different protocols
Configure a connection to a static back-end service
Configure a processing rule to select a back-end service at run time
Exercise 13. Configuring a multi-protocol gateway service
Duration: 1 hour 15 minutes
Exercise overview: This exercise covers the multi-protocol gateway service in the XS40 and XI50 IBM WebSphere DataPower SOA Appliances. Clients and back-end services can communicate with each other over a variety of protocols.
Learning objectives: After completing this exercise, students should be able to:
Configure a multi-protocol gateway to accept messages over HTTP and HTTPS
Forward messages from a multi-protocol gateway to a static back-end service
Unit 16. Monitoring objects
Duration: 30 minutes
Unit overview: This unit shows how to configure monitors to measure traffic volume and system latency.
Learning objectives: After completing this unit, students should be able to:
Identify messages that will be monitored
Configure a message count monitor
Set up a message duration monitor
Unit 17. Service level monitoring
Duration: 30 minutes
Unit overview: This unit shows how to implement service level monitoring within the DataPower SOA Appliance.
Learning objectives: After completing this unit, students should be able to:
Identify the service level monitoring (SLM) functionality provided by the WebSphere DataPower SOA Appliance
Implement a basic SLM policy using the Web Service Proxy Web GUI
Create an advanced SLM policy using the SLM Statement construct
Unit 18. Integration with WebSphere MQ
Duration: 45 minutes
Unit overview: This unit describes how to configure the DataPower appliance to communicate with WebSphere MQ. Students learn how to receive and put messages on WebSphere MQ queues, and how DataPower manages transactions between WebSphere MQ queue managers.
Learning objectives: After completing this unit, students should be able to:
Create a multi-protocol gateway with a WebSphere MQ front-side handler
Configure a WebSphere MQ back-end uniform resource locator (URL)
Manage transactionality between WebSphere MQ queue managers
Exercise 14. Configuring a multi-protocol gateway service with WebSphere MQ
Duration: 1 hour 15 minutes
Exercise overview: This exercise shows how to add support for WebSphere MQ to a multi-protocol gateway service. Students add an MQ front-side handler to the AddressSearchMPG created in an earlier exercise, and then create another multi-protocol gateway service to demonstrate one-way messaging to a back-end WebSphere MQ system. This multi-protocol gateway service is used as an MQ client to get and put messages from queues. Finally, students learn about the transaction capabilities when integrating DataPower and WebSphere MQ.
Learning objectives: After completing this exercise, students should be able to:
Create a WebSphere MQ front-side handler (FSH) that gets messages from a queue and puts responses on a queue
Send messages from a multi-protocol gateway service to a queue in WebSphere MQ in a fire-and-forget messaging pattern
Configure transactionality between WebSphere DataPower and WebSphere MQ when errors occur during message processing
Unit 19. DataPower and Java Message Service (JMS)
Duration: 45 minutes
Unit overview: This unit describes how to configure a JMS front-side handler to connect to the default messaging provider in WebSphere Application Server V6, and to TIBCO Enterprise Message Service (EMS). Students learn how to invoke a web service running on WebSphere Application Server V6 over JMS.
Learning objectives: After completing this unit, students should be able to:
Describe the components of the service integration bus on WebSphere Application Server V6
Configure a JMS front-side handler to send JMS messages to the default messaging provider in WebSphere Application Server V6
Configure a JMS front-side handler to send JMS messages to TIBCO EMS
Unit 20. DataPower architectural scenarios
Duration: 45 minutes
Unit overview: This unit covers the various scenarios in typical enterprise architectures for which DataPower appliances can be used.
Learning objectives: After completing this unit, students should be able to:
Identify the security scenarios involved when deploying a WebSphere DataPower SOA Appliance
Describe use cases that include the WebSphere DataPower SOA Appliance in enterprise architectures
Unit 21. Course summary
Duration: 15 minutes
Unit overview: This unit summarizes the course, explains the class evaluation process, and provides information for future study.
Learning objectives: After completing this unit, students should be able to:
Explain how the course met its learning objectives
Submit an evaluation of the class
Identify other WebSphere Education courses related to this topic
Access the WebSphere Education Web site
Locate appropriate resources for further study
Appendix Unit A. Web application firewall service
Duration: 45 minutes
Unit overview: In this unit, students learn how to create a web application firewall to offload tasks and protect access to their web applications.
Learning objectives: After completing this unit, students should be able to:
Configure a Web application firewall to protect a back-end Web application
Use a AAA policy to protect access via the Web application firewall
Validate parameters from an HTTP request using Name-value profiles
Protect the Web application from phishing attacks using built-in threat protection
Appendix Exercise A. Creating a firewall and HTTP proxy for a web application
Duration: 45 minutes
Exercise overview: In this exercise, students create a web application firewall to secure the back-end East Address Search web service application. Clients connect to the web application firewall hosted on the DataPower appliance, which uses a AAA policy to authenticate users. Students also configure an SSL proxy profile to securely access the back-end web application firewall.
Learning objectives: After completing this exercise, students should be able to:
Use the web application firewall wizard to create a web application firewall
Implement a security policy on a web application firewall
Create a reverse-proxy to virtualize requests to web applications
Appendix Exercise B. Configuring WebSphere JMS
Duration: 30 minutes
Exercise overview: This exercise shows how DataPower can send and receive messages to and from the WebSphere Application Server default messaging engine. In this exercise, students create a multi-protocol gateway service that receives a request from cURL and sends a message to the WebSphere Application Server messaging engine to invoke the East Address Search web service over JMS.
Learning objectives: After completing this exercise, students should be able to:
Identify the fields in the service integration bus configuration on WebSphere Application Server V6.0 or V6.1 that are needed to configure the WebSphere DataPower JMS object
Create a multi-protocol gateway service that invokes the East Address Search web service over the JMS transport
IBM WebSphere Education
http://www.ibm.com/websphere/education
Contact us at: [email protected]