Implementing the Enterprise Gateway Framework service for WebSphere DataPower

The Enterprise Gateway Framework service in a WebSphere® DataPower environment is a service-based implementation that minimizes the exposure of internal DataPower ports and their configuration on the firewall. This article shows you how to implement the framework to help you streamline the development of new services in DataPower.

Introduction

All services running inside WebSphere DataPower need to be installed on the appliance IP address and on a port. As the number of services on the appliance increases, this creates complexity and the following issues for any environment:

  • Exposure of internal ports (and IP address in some cases) outside of their hosting network.
  • Multiple firewall configurations to allow traffic on different ports and IP addresses of DataPower.
  • Maintenance of IP addresses and ports as the number of services increases on the appliance.

There may be other solutions to the issues mentioned above, but one of the simplest is to implement a framework service in a DataPower environment that minimizes the exposure of ports and their configuration on the firewall. This service is called the Enterprise Gateway Framework service, and it provides the following features:

  • Provide a single point of entry for all services running inside DataPower.
  • Handle requests over HTTP, HTTPS, MQ, and FTP protocols.
  • Use the standard HTTP (80) or HTTPS (443) ports. This way, the firewall needs to be configured only for these standard ports.
  • Authenticate all incoming requests based on their security requirement, such as mutual authentication or one-way SSL.
  • Identify the client from the incoming request.
  • Identify the environment where the service is running.
  • Route requests to the appropriate service or backend destination.
  • Deploy once to any WebSphere DataPower environment and require no code changes to incorporate new services.

Download file

The DataPower services described in this article (including sample firewall services) can be imported on a DataPower appliance using the following zip file: EnterpriseFrameworkMPGW.zip.


Overview of the Enterprise Gateway Framework service scenario

This article describes the steps to create an Enterprise Gateway Framework service in DataPower. For this article and demonstration, you will not be implementing any security options or MQ frontside handlers. However, because of the way the framework is designed, you can add these options later.

Our version of the Enterprise Gateway Framework service contains the following features:

  • Provide a single point of entry for all services running inside DataPower.
  • Handle requests over HTTP on port 81.
  • Identify the client from the incoming request.
  • Identify the environment where the service is running.
  • Route the request to the appropriate backend destination.
  • Deploy once to any DataPower environment and require no code changes to incorporate new services.

In this demonstration, the routing of the incoming request message is determined by the content of the URI of the request. Using this URI, the request is directed or routed to the appropriate backend service. It is assumed that all incoming requests are directed to port 81 of the DataPower device.


Create an Enterprise Gateway Framework service

Perform the following steps to create the Enterprise Gateway Framework service, called "EnterpriseFrameworkServiceMPGW" in DataPower.

  1. Create two loopback Services using the XML firewall, as shown in Figure 1:
    1. serviceA
    2. serviceB
    Figure 1. Two XML firewall services
  2. Create the following three files:
    1. Create EnvironmentConfig.xml (see Listing 1). This file contains the environment value, so the incoming request is assigned to the correct backend.
      Listing 1. EnvironmentConfig.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <config>
        <environment>DEV</environment> 
      </config>
    2. Create EnvironmentConfig.xslt (see Listing 2). This XSLT file reads values from the EnvironmentConfig.xml and sets the environment variable.
      Listing 2. EnvironmentConfig.xslt
      <?xml version="1.0" encoding="UTF-8"?>
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
          version="1.0"
          xmlns:dp="http://www.datapower.com/extensions"
          extension-element-prefixes="dp"
          exclude-result-prefixes="xalan dp"
          xmlns:xalan="http://xml.apache.org/xslt">
         
          <xsl:template match="/">
            <xsl:variable name="masterConfig"
             select="document('local:///EnvironmentConfig.xml')"/>
            <dp:set-variable name="'var://context/wp/environment'"
             value="normalize-space($masterConfig/config/environment/text())"/>
          </xsl:template>
      </xsl:stylesheet>
    3. Create EnterpriseFrameworkRouter.xslt (see Listing 3). This XSLT file gets the backend URL for the incoming request message by using the URI of the incoming message. It is assumed that the service name is used as the URI for the incoming request. This stylesheet looks for a subdirectory that is named the same as the string passed in the URI, under local:///xml. It then retrieves the target host information from a file named config.xml that is expected to be in that subdirectory.
      Listing 3. EnterpriseFrameworkRouter.xslt
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
          xmlns:dp="http://www.datapower.com/extensions"
          extension-element-prefixes="dp" exclude-result-prefixes="dp">

        <xsl:template match="/">
          <xsl:copy-of select="."/>
          <!-- URI of the incoming request, for example /serviceA -->
          <xsl:variable name="incomingURI">
            <xsl:value-of select="dp:variable('var://service/URI')"/>
          </xsl:variable>
          <!-- Drop the leading slash -->
          <xsl:variable name="tempVar">
            <xsl:value-of select="substring-after($incomingURI,'/')"/>
          </xsl:variable>
          <!-- The service name is the first path segment of the URI -->
          <xsl:variable name="serviceName">
            <xsl:if test="contains($tempVar,'/')">
              <xsl:value-of select="substring-before($tempVar,'/')"/>
            </xsl:if>
            <xsl:if test="not(contains($tempVar,'/'))">
              <xsl:value-of select="$tempVar"/>
            </xsl:if>
          </xsl:variable>
          <!-- Per-service configuration: local:///xml/<serviceName>/config.xml -->
          <xsl:variable name="hostAddr" select="'local:///'"/>
          <xsl:variable name="remoteURL"
              select="concat($hostAddr,'xml/',$serviceName,'/config.xml')"/>
          <!-- Environment value set earlier by EnvironmentConfig.xslt -->
          <xsl:variable name="environment"
              select="dp:variable('var://context/wp/environment')"/>
          <xsl:variable name="config" select="document($remoteURL)"/>
          <!-- Backend destination for this service in the current environment -->
          <xsl:variable name="serviceDestination">
            <xsl:copy-of select="$config/EnterpriseFrameworkDestinationList/serviceDestination[@environment=$environment]"/>
          </xsl:variable>
          <!-- Route to the backend, keeping the original request URI -->
          <dp:set-variable name="'var://service/routing-url'"
              value="concat($serviceDestination,$incomingURI)"/>
        </xsl:template>
      </xsl:stylesheet>
  3. Upload the following files to DataPower:
    1. Create an xslt folder and upload both xslt files there (see Figure 2).
    2. Upload EnvironmentConfig.xml to local:///.
    Figure 2. Upload XML and XSLT files
  4. Create a Multi-Protocol Gateway (MPGW) named EnterpriseFrameworkMPGW (see Figure 3) with:
    1. Dynamic backend
    2. Request and Response type set to Non-XML
    Figure 3. EnterpriseFrameworkMPGW
  5. Create a front side handler, name it EnterpriseFrameworkFSH, and assign it port number 81, as shown in Figure 4.
    Figure 4. EnterpriseFrameworkFSH
  6. Create a new policy, EnterpriseFrameworkPolicy, and add the following rules:
    1. Create a new rule for "Client to Server" and with two transform actions:
      1. Assign EnvironmentConfig.xslt to the first transform action, and make sure the output is set to "NULL", as shown in Figure 5.
        Figure 5. EnterpriseFrameworkPolicy client to server rule
      2. Assign EnterpriseFrameworkRouter.xslt to the second transform action, and make sure the output is set to "NULL", as shown in Figure 6.
      Figure 6. EnterpriseFrameworkPolicy client to server rule
  7. Create a new rule for "Server to Client" without any actions. EnterpriseFrameworkPolicy looks similar to Figure 7.
    Figure 7. Complete EnterpriseFrameworkPolicy
  8. Apply the policy and close the window.
  9. EnterpriseFrameworkMPGW looks similar to Figure 8. Save the configuration.
    Figure 8. Complete EnterpriseFrameworkMPGW

Integrate existing or new services to the Enterprise Gateway Framework service

To incorporate the existing or new service in the Enterprise Gateway Framework service:

  1. Create a folder with the name of the service as a folder name under local:///xml/, as shown in Figure 9.
    Figure 9. Create service folders
  2. Create the following config.xml file for "serviceA", which contains the IP address or hostname for each environment and the port where serviceA is running (Listing 4).
    Listing 4. Endpoints for serviceA
    <?xml version="1.0" encoding="UTF-8"?>
    <EnterpriseFrameworkDestinationList>
      <serviceDestination environment="DEV">http://192.168.136.145:2048</serviceDestination>
      <serviceDestination environment="QA">http://192.168.136.146:2048</serviceDestination>
      <serviceDestination environment="PROD">http://192.168.136.147:2048</serviceDestination>
    </EnterpriseFrameworkDestinationList>
  3. Upload the config.xml file to the local:///xml/serviceA folder, as shown in Figure 10.
    Figure 10. Uploaded config.xml file for serviceA
  4. Create a similar config.xml file for "serviceB", with serviceB's hosts for each environment and assigned port (see Listing 5).
    Listing 5. Endpoints for serviceB
    <?xml version="1.0" encoding="UTF-8"?>
    <EnterpriseFrameworkDestinationList>
      <serviceDestination environment="DEV">http://192.168.136.145:2049</serviceDestination>
      <serviceDestination environment="QA">http://192.168.136.146:2049</serviceDestination>
      <serviceDestination environment="PROD">http://192.168.136.147:2049</serviceDestination>
    </EnterpriseFrameworkDestinationList>
  5. Upload the config.xml file to the local:///xml/serviceB folder, as shown in Figure 11.
    Figure 11. Uploaded config.xml file for serviceB
  6. Every time a new service needs to be integrated to the Enterprise Gateway Framework service, a config file needs to be created for that service with values of hostname/IP address and the port number where the service is installed. Nothing needs to be done on EnterpriseFrameworkMPGW.
  7. For every incoming request, EnterpriseFrameworkRouter.xslt (installed in the EnterpriseFrameworkMPGW) parses the URI and looks for the config.xml file for that service. If the service is not installed, then there is no XML file for that service.
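
EnterpriseFrameworkRouter.xslt builds both a file path and the backend URL from the request URI, so a request whose first path segment has no config.xml, or no entry for the current environment, ends up with a routing URL that contains only the URI. The stylesheet below is an added example, not part of the original article or its download: it performs the same lookup but checks the service name against a character allowlist and rejects unknown services with dp:reject. The allowlist, the rejection message, and the handling of a missing file are assumptions.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp" exclude-result-prefixes="dp">

  <!-- Characters permitted in a service name (assumed naming policy). -->
  <xsl:variable name="allowed"
      select="'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-'"/>

  <xsl:template match="/">
    <xsl:variable name="incomingURI" select="string(dp:variable('var://service/URI'))"/>
    <!-- Path without any query string, then its first segment. -->
    <xsl:variable name="path" select="substring-before(concat($incomingURI, '?'), '?')"/>
    <xsl:variable name="afterSlash" select="substring-after($path, '/')"/>
    <xsl:variable name="serviceName"
        select="substring-before(concat($afterSlash, '/'), '/')"/>

    <xsl:choose>
      <!-- Empty name, or any character outside the allowlist. '.' is not
           allowed, so '..' never reaches document(). -->
      <xsl:when test="$serviceName = '' or translate($serviceName, $allowed, '') != ''">
        <dp:reject>Unknown service</dp:reject>
      </xsl:when>
      <xsl:otherwise>
        <xsl:variable name="environment"
            select="string(dp:variable('var://context/wp/environment'))"/>
        <xsl:variable name="config"
            select="document(concat('local:///xml/', $serviceName, '/config.xml'))"/>
        <xsl:variable name="destination" select="normalize-space(
            $config/EnterpriseFrameworkDestinationList/serviceDestination[@environment = $environment])"/>
        <xsl:choose>
          <!-- Assumption: a missing config.xml yields an empty node-set, so
               $destination is '' when the file or the environment entry is absent. -->
          <xsl:when test="$destination = ''">
            <dp:reject>Unknown service</dp:reject>
          </xsl:when>
          <xsl:otherwise>
            <dp:set-variable name="'var://service/routing-url'"
                value="concat($destination, $incomingURI)"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```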

Test and verify the service

Perform the following steps to test the functionality of the Enterprise Framework Gateway service:

  1. Enable the probes on "serviceAFW" and "serviceBFW".
  2. From the SOAP UI, send the following test message for serviceA, as shown in Figure 12: http://<hostname>:81/serviceA.
    Figure 12. Sample request for serviceA
    You see the response back as shown in Figure 13.
    Figure 13. Response for serviceA
    From the serviceA probe, notice the values of "inbound-url" and "outbound-url", as shown in Figure 14.
    Figure 14. serviceA probe
  3. Now, send the request for serviceB as shown in Figure 15: http://<hostname>:81/serviceB.
    Figure 15. Sample request for serviceB
    From the serviceB probe, notice the values of "inbound-url" and "outbound-url", as shown in Figure 16.
    Figure 16. serviceB probe
    From the EnterpriseFrameworkMPGW probe, you can see the requests are directed to their respective services. Notice the values of "inbound-url" and "outbound-url", as shown in Figure 17.
    Figure 17. EnterpriseFrameworkMPGW probe

Conclusion

This article demonstrated how to implement an Enterprise Gateway Framework service in WebSphere DataPower. By implementing the framework service in any DataPower environment, you can streamline the development of new services inside DataPower. Administrators do not need to deal with firewall and network configuration requests when a new service is implemented on any DataPower appliance. The framework design also does not expose any additional ports, other than port 81 (in this scenario), to the network.

Acknowledgements

The author would like to thank Pradeep Thomas for his valuable input and assistance in reviewing this article.


Download

Description    Name                          Size
Code sample    EnterpriseFrameworkMPGW.zip   487KB

publish-date=11072012