Front cover

DataPower SOA Appliance Service Planning, Implementation, and Best Practices

Service planning and optimization
Key and certificate management
Lifecycle topics

David Shute, Daniel Dickerson, Richard Kinard, Manuel Carrizosa, Bruno Neves, Pablo Sanchez, Byron Braswell

ibm.com/redbooks
International Technical Support Organization

June 2011
SG24-7943-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (June 2011)

This edition applies to DataPower firmware version 3.8.2.

© Copyright International Business Machines Corporation 2011. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  vii
Trademarks  viii
Preface  ix
  The team who wrote this book  ix
  Now you can become a published author, too!  xii
  Comments welcome  xii
  Stay connected to IBM Redbooks  xiii

Chapter 1. Planning  1
  1.1 Business framework planning  2
  1.2 Architectural map  3
    1.2.1 Inclusive asset universe  3
    1.2.2 Use case scenario map  4
  1.3 Base configuration items  5
    1.3.1 Hardware install  6
    1.3.2 Device initialization  6
    1.3.3 Network integration  6
    1.3.4 Application domains  7
    1.3.5 User accounts  8
    1.3.6 Monitoring and logging  8
    1.3.7 Configuration management  9
  1.4 Application development  9
  1.5 Life cycle phases  12
    1.5.1 Revision control system  12
    1.5.2 Development environment  13
    1.5.3 Deployment packages  13
    1.5.4 Test methodologies  14
    1.5.5 Production  15

Chapter 2. Service implementation and optimization  17
  2.1 Multi-Protocol Gateway  18
    2.1.1 Gateway settings  18
  2.2 Protocol support  19
    2.2.1 File Transfer Protocol  20
    2.2.2 MQ  21
  2.3 Web Service Proxy  29
    2.3.1 WSDL management  30
    2.3.2 Retrieving WSDLs  33
    2.3.3 Implementing RESTful services  34
    2.3.4 Service versioning  34
    2.3.5 Front-Side Handlers  35
    2.3.6 SLM interval length agreement  36
  2.4 Web Application Firewall  36
    2.4.1 Threat protection  37
    2.4.2 Access control and security  37
    2.4.3 Content management  38
    2.4.4 Session management  38
    2.4.5 Best practice  38
  2.5 Processing policy practices  39
    2.5.1 Authentication, Authorization, and Auditing  39
    2.5.2 Split and join processing pattern  42
    2.5.3 Using asynchronous actions  44
    2.5.4 Minimizing memory usage  44
    2.5.5 Open Database Connectivity (ODBC)  45
    2.5.6 Handling errors  47
  2.6 General considerations  49
    2.6.1 Service chaining  49
    2.6.2 SOMA Execute Scripts through XML Management Interface  50
    2.6.3 XML Manager  50
  2.7 Streaming  51
    2.7.1 Advantages of streaming  52
    2.7.2 Constraints of streaming  52
    2.7.3 DataPower processing actions compatibilities  53
    2.7.4 Streaming attachments  54

Chapter 3. Managing keys and certificates  57
  3.1 Overview of keys and certificates  58
  3.2 Usage  58
    3.2.1 Basic cryptographic components  59
    3.2.2 Hardware Security Module  61
    3.2.3 Cryptographic tools  62
    3.2.4 Certificate storage  65
    3.2.5 Key storage on a non-HSM appliance  65
    3.2.6 HSM key storage  65
    3.2.7 Using Certificate Revocation List  68
    3.2.8 Using the Certificate Monitor  69
  3.3 Best practices  70
    3.3.1 Managing certificates  70
    3.3.2 Managing keys  70
    3.3.3 Using HSM for managing keys  70
    3.3.4 Import keys and change configuration to use them from HSM  71
    3.3.5 Removing crypto objects  71
  3.4 Examples and real-life scenarios  71
    3.4.1 Exporting or listing keys  71
    3.4.2 Rebuilding certificate objects  72
    3.4.3 Rebuilding key objects  72

Chapter 4. Serviceability and Troubleshooting  73
  4.1 Overview  74
  4.2 Benefits  74
  4.3 Usage  74
    4.3.1 Monitoring and Troubleshooting  75
    4.3.2 Viewing logs  75
    4.3.3 Latency log messages  78
    4.3.4 Error reports  79
    4.3.5 Packet Capture  80
    4.3.6 Probe function  80
    4.3.7 XML File Capture  82
    4.3.8 Status providers and statistics  83
    4.3.9 Failure Notification and First Failure Data Capture (FFDC)  83
  4.4 Best practices  87
    4.4.1 General troubleshooting  87
    4.4.2 FFDC  88
    4.4.3 Import, export, and upgrading  88
    4.4.4 Debugging AAA  89
    4.4.5 Debugging RBM  90
    4.4.6 Debugging network issues  93
    4.4.7 Debugging an unexpected restart  95
    4.4.8 Memory growth/high CPU/high load  96
  4.5 Examples  97
    4.5.1 Monitoring resource growth over time  97
    4.5.2 Example methods of isolating an issue to a particular domain  99
    4.5.3 Sample data collection for a failed network connection  100

Chapter 5. Business-to-business service implementation  103
  5.1 Introduction to B2B appliances  104
  5.2 B2B appliance benefits  105
  5.3 B2B appliance known limitations  107
    5.3.1 Application Optimization option is not available  108
    5.3.2 The B2B Gateway Service cannot stream large files  108
  5.4 B2B performance testing best practices  108
  5.5 Common usage patterns  111
    5.5.1 Best practices common to all patterns  112
    5.5.2 EDIINT (AS1/AS2/AS3) data exchange with data transformation  113
    5.5.3 Web Services bridged to AS2  117
    5.5.4 XB60 / MQ FTE integration pattern  119
    5.5.5 ebMS data exchange with CPA  122
    5.5.6 Health Level 7 clinical data exchange with standards conversion  125

Abbreviations and acronyms  129
Related publications  131
  IBM Redbooks  131
  Other publications  132
  Online resources  132
  Help from IBM  133
Index  135

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

CloudBurst™
DataPower device®
DataPower®
DB2®
IBM®
IMS™
Redbooks®
Redbooks (logo)®
Tivoli®
WebSphere®

The following terms are trademarks of other companies:

Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.