I’ve been a proud member of the DataPower® community since Day One of IBM®’s acquisition of that company in the fall of 2005. I fondly remember the rumors, consternation, and excitement of that time:
Why is this hardware appliance part of the IBM Software Group?
Why is DataPower in the WebSphere® brand and not the Tivoli® brand?
There were a lot of questions and certainly some skepticism about this DataPower "thing" from myself and from other hard-boiled field consultants. Were the magical things we were hearing about this product (hardened SOA/ESB appliance? Kerberos? SAML?) for real or were they just hype and trickery meant to spur the acquisition? In good time, we knew we would pull the man out from behind the curtain and expose the truth.
But that never happened because, as it turns out, all of the things we had been told about DataPower were shockingly true -- and then some.
In the ensuing years, WebSphere DataPower products have been enhanced and have evolved, both because of the smart, focused people who work on them, and because of IBM, whose vast experience building “business machines” led to design changes that added redundant, field-replaceable power supplies, fans, and other components to the appliances. With each major firmware release, from 3.5 to 3.6 to 3.7, a rich new set of features enhanced and expanded the appliances’ capabilities.
I can easily say, however, that the release I am most excited about is the new 3.8 firmware release, and, in particular, the Application Optimization (AO) licensed feature. So let’s take a moment to explore some of the tricks and treats in this bag of goodies, and I’ll point out the ones that are part of the AO package.
(Included in AO) One reason I am personally excited about this feature is that, due to my background supporting IBM’s former Edge Server (and later Edge Components) load balancer and caching proxy, I have long known that DataPower could enhance its capabilities in those areas by reviewing and perhaps incorporating features and code from those products. The load balancing features on both the front end and back end of DataPower have historically been functional, yet somewhat "vanilla."
For some time now, DataPower has had a standby configuration that enables the devices to be configured in an active-standby mode across a set of interfaces (for example, eth0 on both machines). Some users have even been creative in turning this into active-active by doing this across two sets of interfaces on two devices. In reality, though, most users have just placed load balancers in front of their appliances, getting it done the old-fashioned way.
With the new self-balancing feature, you can get the best of both worlds by configuring the devices to balance load across themselves in active-active mode, without the extra hops and infrastructure of separate load balancers in front of them. Of course, this involves the use of a shared virtual IP address (VIP) and is a fault-tolerant configuration. Cluster members monitor the one designated as the distributor and will elect a new one to take over that role if necessary. The distributor is an equal and active member of the appliance cluster, and service states are learned dynamically by all members. This level of intelligence would not be possible with a typical load balancer. A smarter and less complex network topology is a good thing!
Intelligent load distribution
Whereas the self-balancing feature is related to ingress traffic to the device, the Intelligent Load Distribution feature is used for the egress traffic from the device to back-end servers. While DataPower has always had back-end load balancing capabilities, implementing the most common algorithms, such as round-robin, this is something much more sophisticated.
For appliances with the AO feature, the load balancing configuration on the device becomes much more dynamic and intelligent. It constantly changes and improves itself based on feedback from IBM WebSphere Application Server Network Deployment and IBM WebSphere Virtual Enterprise back ends.
For non-WebSphere environments, a set of tools is available through style sheet extensions to modify a load balancer group’s members and weights. These style sheet extensions do not require the AO feature.
Cookie-based session affinity helps Web applications work with session information in an elegant and efficient fashion. Intelligent load distribution integrates the load balancing function with the new session affinity support to provide an intelligent mix of load balancing and session affinity, as required. Session affinity support will work with any WebSphere or non-WebSphere back end and requires AO.
JSON, REST, Web 2.0
The appliances will also understand and process REST (REpresentational State Transfer) HTTP verbs such as PUT. These capabilities make it quite possible for newer-architecture Web 2.0 clients to send messages to, and receive messages from, standard back-end Web services. This enables you to leverage the newer technologies and architectures of today while still taking advantage of the appliance’s powerful XML threat protection, crypto, WS-* compliance, transformation, validation, and other capabilities. This is a good thing, as "Web 2.0" is not known to be synonymous with "security." DataPower to the rescue!
Web application security enhancements
As DataPower has always been an XML- and Web services-centric product, the Web application proxying (and, specifically, the Web Application Firewall service) has not received as much attention as the more primary features and services. This changes in 3.8 as many enhancements have been made in this area, based on user input. One of the big ones is support for form-based login, which is common for Web applications.
Anyone familiar with DataPower knows that security is Job One, so no major firmware release would be complete without further strides in this area. In addition to the Web application security enhancements mentioned above, there is built-in integration with the fantastic new IBM Tivoli Security Policy Manager product for distribution of WS-SecurityPolicy and eXtensible Access Control Markup Language (XACML) policies. There are also improvements in the Online Certificate Status Protocol (OCSP) feature.
But by far, my favorite new security feature is the ability for the appliances to dynamically retrieve key and certificate crypto material from a back-end z/OS communication server. This means the crypto material does not have to be stored on the appliance’s file system, because it is cached in memory upon retrieval. Even cooler is the ability for the appliance to offload crypto operations by sending the XML to the z/OS server to be processed (for those who are too paranoid to allow the keys to travel across the wire!).
Another System z enhancement is support for the ICRX token for System z distributed ID propagation.
The newest member of the DataPower appliance family, the XB60 B2B device, also benefits from some new enhancements. In short:
- The protocol support has been extended with the addition of EDIINT AS1 and plain text e-mail.
- Interop has been improved through the completion of Drummond Group AS2 certification.
- The B2B Transaction Viewer has been improved to provide the ability to search and display AS Message IDs.
- Transaction performance has also been improved over previous releases.
There is now support for TIBCO EMS map messages and TIBCO Rendezvous (XM70 only as a separate license), as well as transactional messaging for the IBM WebSphere Application Server JMS. IBM WebSphere MQ integration has been upgraded to V7 support, adding features such as batching, pub/sub, async PUT, message properties, and extended retry intervals.
The rest of the story
Other great enhancements that come with 3.8 are:
- Out-of-the-box support for Microsoft .NET™ WCF Web services bindings.
- Support for remote hosting of IBM WebSphere Transformation Extender maps.
- FTP/FTPS improvements including flow control for file streaming.
- The Web Service Proxy can now support non-HTTP (WebSphere MQ, JMS, EMS) back ends, and custom log categories can be created by administrators.
The great thing is that you don’t have to wait long for all of this. Electronic download is now available and new devices should ship with this firmware soon.
Keep in mind that AO is an extra-cost licensable component, and only available on 3.8 firmware for XS40 and XI50 appliances built on the 9235 (9004) hardware architecture. The great thing, though, is that appliances already out in service can be field-upgraded to AO by purchasing the license!