
IBM DataPower Gateways and B2B…

-
Business-to-business concepts
With more and more companies expanding their business and dividing enterprises into different domains and locations, along with a growing need for up-to-date processes and information flows, the complexity of exchanging business-to-business (B2B) information is increasing.
In the pre-internet and early internet era, B2B often consisted of exchanging EDI messages with very few business partners. Looking at today’s business needs, regardless of whether a company is labelled small, midsize or large, B2B often includes a variety of external partners, communication types and messages. Many companies do not realize the breadth of their traffic that would classify as B2B from a “modern” standpoint.
With many established partners, subsidiaries or offices in other geographical regions, B2B is often viewed as something like an internal process with an added protocol that makes it possible to exchange the messages between different networks.
The sentence above summarizes the most commonly known definition of a B2B scenario: the exchange of data between isolated networks by two identifiable parties.
This does not mean that the “parties” must be different companies; they might be different departments, separate geographical areas, etc. “Identifiable” is another rather wide term, as the identification of a party could be either a standardized address such as an EDI identifier, a DUNS number or similar, or a more technical attribute such as an IP address or a dedicated directory in an FTP exchange scenario.
Regardless of which identifier is used (most commonly a combination of several), a B2B gateway must be able to identify the sending and receiving party.
Another key concept of a B2B gateway is to offer a routing capability for back-end systems like an ESB, ERP, or any other receiving system. The routing capability normally takes the information about the sender and receiver along with information about the message and/or protocol used to make the routing decision.
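The identification and routing steps described above, as an added example that is not DataPower code or part of the original paper: the two parties are read from the fixed-width ISA envelope of an X12 interchange (qualifier plus identifier, e.g. "01" for a DUNS number), looked up in a partner profile table, and the routing decision is made from the sender/receiver pair. The partner table, the back-end URL and the sample interchange are constructed for the example.

```python
# Added example (not DataPower code): identify both parties of an X12
# interchange from its fixed-width ISA envelope and make the routing
# decision a B2B gateway performs. Partner table and sample are constructed.
from typing import NamedTuple

ISA_LENGTH = 106  # ISA is fixed-width: 105 characters plus segment terminator

class Interchange(NamedTuple):
    sender_qualifier: str    # ISA05, e.g. "01" = DUNS, "ZZ" = mutually defined
    sender_id: str           # ISA06
    receiver_qualifier: str  # ISA07
    receiver_id: str         # ISA08
    control_number: str      # ISA13

def parse_isa(data: str) -> Interchange:
    """Parse the ISA segment; reject anything that is not a well-formed envelope."""
    if len(data) < ISA_LENGTH or not data.startswith("ISA"):
        raise ValueError("not an X12 interchange")
    sep = data[3]  # the element separator is whatever follows 'ISA'
    f = data[:ISA_LENGTH - 1].split(sep)
    if len(f) != 17:  # 'ISA' tag plus elements ISA01..ISA16
        raise ValueError("malformed ISA segment")
    return Interchange(f[5], f[6].strip(), f[7], f[8].strip(), f[13])

# Constructed partner profiles keyed by (qualifier, id): external trading
# partners we accept from, and the internal identities we receive as.
PARTNERS = {("ZZ", "ACMECORP"): "external", ("01", "123456789"): "internal"}
# Constructed routing table: (sender, receiver) -> back-end system.
ROUTES = {(("ZZ", "ACMECORP"), ("01", "123456789")): "https://erp.internal.example/edi-in"}

def decide(data: str) -> tuple[str, str]:
    """Return ('ROUTE', backend) or ('REJECT', reason) for one interchange."""
    try:
        msg = parse_isa(data)
    except ValueError as exc:
        return ("REJECT", str(exc))
    sender = (msg.sender_qualifier, msg.sender_id)
    receiver = (msg.receiver_qualifier, msg.receiver_id)
    if PARTNERS.get(sender) != "external":
        return ("REJECT", f"unknown sender {sender[0]}:{sender[1]}")
    if PARTNERS.get(receiver) != "internal":
        return ("REJECT", f"receiver {receiver[0]}:{receiver[1]} is not ours")
    backend = ROUTES.get((sender, receiver))
    return ("ROUTE", backend) if backend else ("REJECT", "no route for partner pair")

# Constructed sample interchange from ACMECORP (ZZ) to our DUNS number (01).
SAMPLE_ISA = "*".join([
    "ISA", "00", " " * 10, "00", " " * 10, "ZZ", "ACMECORP".ljust(15),
    "01", "123456789".ljust(15), "240101", "1200", "U", "00401",
    "000000001", "0", "P", ">"]) + "~"
```

An interchange from a sender that has no partner profile, or addressed to an identity that is not one of ours, is rejected before any routing takes place.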
-
More external end-points to come – API
Looking at the expanding need to externalize data, companies today must also consider how to meet these demands.
With mobile devices and “bring-your-own-device” policies, a whole new era of communications is evolving: the API era…
Mobile APIs are but one of three common types; Web APIs and Business APIs are the other two. Web APIs typically serve various web portals or application servers, while Business APIs are about publishing “business information”, e.g. master data.
An example of the three working together: if there is a customer repository in the internal systems and we want to serve our business with one common set of master data, we would build a Business API that publishes, for example, the customer address; then a Mobile API that the customer’s mobile app can utilize, and another Web API so the customer can also see the address when logging in through a web browser.
The benefit of using API Management to handle this is that we only need to handle one set of data, but we can publish that same data in three separate ways without having to write different code for each. We will also be able to handle security and user management in API Management, as well as look at statistics and utilization of the APIs.
In this white paper we will not focus on APIs, but an important note is that DataPower is capable of handling APIs as well, and there is an available add-on called API Management for DataPower that will handle all of your API requirements.
To be a bit crude, one could say that DataPower is “B2B in a box”…
DataPower with the B2B module is more than that though; it is a complete solution that will cover most of the B2B needs even for the most demanding of companies.
The DataPower simplifies, helps secure and accelerates your B2B trading partner connectivity.
As DataPower is based upon IBM’s Gateway series hardware, it is delivered as a “box”, or to use IBM’s terminology, an “appliance”. DataPower can also be purchased as a “virtual appliance”; it provides the exact same functions and even looks identical from a user perspective, but runs in a hypervisor environment, e.g. VMware ESX.
The base model for DataPower is called “IBM DataPower Gateways”, which adds security and gateway capabilities to your network. Adding the “Integration” module adds integration and ESB capabilities. The B2B module in turn is based on the Integration module, which means that all the functionality included in “Integration” is also found in the “B2B” version.
With the B2B module added you get trading partner profile management, B2B transaction viewing capabilities and industry standards-based B2B messaging protocols on top of the already robust integration capabilities of the core appliance. These three added key capabilities are at the heart of the B2B module.
The only connections needed for any DataPower appliance are power (through a regular power cord) and a network cable. The initial setup of the network interface is done through a local USB connection; after that, all configuration is normally done through the web interface. There is also a Command Line Interface (CLI) and scripting capabilities if needed.
To learn more of the basics on DataPower, please view the Red Book “DataPower Architectural Design Patterns” (http://www.redbooks.ibm.com/redbooks/pdfs/sg247620.pdf).
IBM DataPower Gateways with the B2B module is a purpose-built hardware B2B-enabled ESB.
It is designed for simplified deployment and hardened security with the ability to quickly transform data between a wide variety of formats, including XML, industry standards and custom formats. DataPower offers a built-in IBM WebSphere Transformation Extender (WTX) runtime as well as XSLT for flexible and high-performing transformations.
The device provides core B2B functions, including AS2 and AS3 messaging, partner profile administration, routing of electronic data interchange (EDI), XML and binary payloads, auto archiving and purging of B2B transactions and B2B transaction viewing capabilities.
A few core features of the B2B functionality are:
- Easily manage and connect to trading partners using industry standards
- Extend integration beyond the enterprise with a securely deployed B2B Gateway in the demilitarized zone (DMZ)
- Improve the performance and scalability of B2B interfaces
- Govern B2B integration points through consolidated trading partner management
The ESB functions include routing, bridging, transformation and event handling. It provides a reliable, performance-oriented solution to many integration challenges. Because it is not limited to handling just XML the DataPower fits perfectly with IT organizations that need to benefit from the connectivity of SOA deployments but must also deal with managing a combination of multiple proprietary, industry, company-specific and existing data formats.
The device is a true drop-in B2B integration point for such environments, reducing the time and cost of integrations and speeding the time to market for services.
For accelerated, security-rich integration capabilities, DataPower provides transport mediation, routing and transformations among binary, text and XML message formats.
Visual tools can be used to describe data formats, create mappings between different formats and define message flows. With native connectivity to IBM DB2 and IBM System z technology, the device offers a solution for a secure XML enablement of existing systems and mainframe connectivity.
The WebSphere DataPower SOA appliance portfolio has a long-standing history of support for key and advanced standards, including WS-Security, WS-Policy, WS-Reliable Messaging, SOAP, Web Services Distributed Management (WSDM), WS-I Profiles, WS-Addressing, eXtensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML), Secure Sockets Layer (SSL) and proprietary Single Sign-on (SSO) tokens.
DataPower integrates with a variety of registry and repository, security, identity and service management software. Coupled with access-control software, such as IBM Tivoli Access Manager, the device enforces fine-grained access controls.
In many cases, when security is first discussed with the customer, they think of securing their data and possibly their connection. When it comes to deploying a B2B solution, we also need to take into consideration how to deploy the software in a manner that does not violate any existing network security policies that the customer has in place.
The four areas of security and their definitions that apply to B2B are:
- Deployment Security means the placement of hardware within an existing network with access to the Internet. This type includes database servers, file shares, message queue servers and integration servers.
- Connection Security means establishing a secure connection between trading participants over a Secure Sockets Layer/Transport Layer Security (SSL/TLS) connection (NB: only TLS is enabled by default in DataPower, but legacy SSL support exists).
- Document Security encompasses signing and encrypting the message prior to sending it to the trading partner.
- Access Control means providing access to data and configuration information inside the B2B application.
To protect B2B applications from unauthorized access, network and firewall protection must be established. Firewalls work in conjunction with proxy servers, providing the ability to filter protocols, addresses, communication ports and IP packets. The security model that can be used is the establishment of a demilitarized zone (DMZ). The DMZ must be configured to allow only the minimum set of communication ports it needs to process requests.
DataPower is a DMZ-deployable appliance and requires a minimum amount of access through the inner firewall. Any sensitive payload data persisted to the appliance is not accessible by partners and is encrypted on the hard drive.
Document security is normally accomplished through digital certificates, which provide an online identification credential for specific document exchanges, for example, AS1, AS2, AS3 or custom document-level encryption requirements. As part of document exchange, digital signatures can be calculated on the electronic document using public key cryptography. Through this process the digital signature is tied to the document being signed, as well as to the signer, and cannot be reproduced.
DataPower uses a role-based approach for access control. Users log in by providing their partner name, user id and password; the login determines individual access privileges. The DataPower browser interface, which is used for administering functions, operates over a TLS connection (HTTPS).
To learn more and to see what DataPower can do for you and your company contact Enfo Zystems today!