
Accelerate, Secure and Integrate with WebSphere DataPower SOA Appliances V3.8.

WB540 (classroom) VB540 (online) Course Abstract

Course description

In this 5-day instructor-led course, students learn the fundamental skills required to implement IBM WebSphere DataPower SOA Appliances with firmware version 3.8.2. The IBM WebSphere DataPower SOA Appliances allow an enterprise to simplify, accelerate, and enhance the security capabilities of its Extensible Markup Language (XML) and web services deployments, and extend the capabilities of its service-oriented architecture (SOA) infrastructure.

Through a combination of instructor-led lectures and hands-on lab exercises, students learn how to implement the key use cases for the DataPower appliances, including XML acceleration and threat protection, web service virtualization, web services security, integrating with IBM WebSphere MQ and Java Message Service (JMS), and authentication, authorization, and auditing (AAA). Students also learn how to use various problem determination tools such as logs, monitors, and probes, as well as techniques for testing DataPower services and handling errors.

Hands-on exercises give students experience working directly with an IBM WebSphere DataPower SOA Appliance, focusing on skills such as creating XML firewalls, working with encryption and cryptographic objects, configuring service level monitoring, troubleshooting services, and handling errors.

For information on other related WebSphere courses, visit the WebSphere Education Training Paths Web site:
http://www.ibm.com/software/websphere/education/paths/

General information

Delivery method: Classroom or instructor-led online (ILO)

Audience: This course is designed for integration developers who configure service policies on IBM WebSphere DataPower SOA Appliances.

Learning objectives: After completing this course, students should be able to:
- Describe the key use cases and architectural scenarios for the IBM WebSphere DataPower SOA Appliances
- Describe how WebSphere DataPower Appliances are configured, including the role of XSL Transformations (XSLT)
- Configure an XML firewall to protect against a new class of XML-based threats
- Create a Web Service Proxy to virtualize web service applications
- Implement web services security
- Create and configure cryptographic objects
- Configure Secure Sockets Layer (SSL) to and from WebSphere DataPower SOA Appliances
- Configure a multi-protocol gateway (MPG) to handle multiple protocols for a single service
- Configure a service level monitoring (SLM) policy to handle service processing violations
- Enforce service level policies to manage traffic to and from WebSphere DataPower SOA Appliances
- Configure support for IBM WebSphere MQ and Java Message Service (JMS)
- Troubleshoot services using logs and probes
- Handle errors in service policies

Prerequisites: Before taking this course, students should be familiar with:
- Security-based concepts and protocols
- XML-related technologies, such as XML schema, XPath, and XSLT
- Web service fundamentals and the Web Services Security specification

Duration: 5 days

Skill level: Intermediate

Notes

The unit and exercise durations listed below are estimates, and may not reflect every class experience. If the course is customized or abbreviated, the duration of unchanged units will probably increase. This course is an update of course WB565 / VB565, Accelerate, Secure and Integrate with IBM WebSphere DataPower SOA Appliances V3.8.1

IBM WebSphere Education http://www.ibm.com/websphere/education Contact us at: websphere_skills@us.ibm.com

Course agenda

Course introduction
Duration: 30 minutes
Unit overview: This unit welcomes students to the course and describes the agenda and logistics.

Unit 1. Introduction to DataPower SOA Appliances
Duration: 1 hour
Unit overview: This unit introduces the concept of an SOA appliance: an XML-aware network device that accelerates, secures, and integrates XML-based applications and web services.
Learning objectives: After completing this unit, students should be able to:
- Describe and define the role of an SOA appliance
- Identify the products in the WebSphere DataPower SOA Appliance product line
- Describe how to use WebSphere DataPower SOA Appliances in an enterprise architecture

Unit 2. DataPower administration overview
Duration: 1 hour
Unit overview: This unit introduces three management interfaces for the WebSphere DataPower SOA Appliance: the Web GUI web application, the command-line interface (CLI), and the XML Management interface.
Learning objectives: After completing this unit, students should be able to:
- List the methods that can be used to administer WebSphere DataPower SOA Appliances
- Manage user accounts and domains on the appliance
- Work with files on the WebSphere DataPower SOA Appliance

Exercise 1. Exercises setup
Duration: 45 minutes
Exercise overview: In this exercise, students perform work that will be used in subsequent exercises. Students determine the assigned variables and port numbers, import key and certificate crypto files, import WSDLs into Eclipse, and set up cURL and OpenSSL.
Learning objectives: After completing this exercise, students should be able to:
- Import the files used in the exercises
- Verify cURL installation
- Populate the table containing all of the port numbers

Unit 3. Introduction to XSL transformations
Duration: 1 hour
Unit overview: This unit introduces students to Extensible Stylesheet Language Transformations (XSLT). Students learn how to create XSLT stylesheets to transform XML documents into other formats, and how to write XPath expressions to retrieve information from an XML document.
Learning objectives: After completing this unit, students should be able to:
- Describe the Extensible Stylesheet Language (XSL) model
- Construct XPath expressions
- Create XSL stylesheets to apply XSL transformations
- Use and apply XSL templates in XSLT
- Describe the use of DataPower variables and extensions in XSL stylesheets

Exercise 2. Creating XSL transformations
Duration: 45 minutes
Exercise overview: In this exercise, students examine an existing XML file, create an XSL stylesheet, create an XML firewall service, and test the stylesheet using the new service.
Learning objectives: After completing this exercise, students should be able to:
- Create an XSL stylesheet
- Create an XML firewall service
- Transform an XML file using the compiled XSL stylesheet
- Describe the use of DataPower variables and extensions in XSL stylesheets

Unit 4. DataPower services overview
Duration: 1 hour
Unit overview: In this unit, students learn about the services supported on the DataPower appliance, and how to choose the correct service given a set of requirements. Students also learn how to configure services and service policies to process messages entering to and from the appliance.
Learning objectives: After completing this unit, students should be able to:
- List the supported services on the WebSphere DataPower SOA Appliance
- Compare and contrast the features supported by each WebSphere DataPower service

Exercise 3. Creating a simple XML firewall
Duration: 45 minutes
Exercise overview: This exercise explains how to create a basic XML firewall that can perform schema validation and message transformation. Students learn the basic steps necessary to implement a message flow within any DataPower service, and implement the validation and transformation by configuring an XML firewall in the loopback proxy mode. The scenarios are then tested with the cURL command line tool.
Learning objectives: After completing this exercise, students should be able to:
- Create an XML firewall
- Create a document processing policy with message schema validation and transformation
- Test the message flow using the command line tool cURL

Unit 5. XML firewall service
Duration: 1 hour 15 minutes
Unit overview: This unit explains how to create and manage an XML firewall service on the WebSphere DataPower SOA Appliance. Students learn the capabilities of the XML firewall in order to secure, monitor, and administer their XML-based application. The unit also provides an introduction to implementing a service policy in any of the DataPower services, not just the XML firewall. Students learn about various processing actions available in other services such as Filter, Validate, Encrypt, Transform, and Route.
Learning objectives: After completing this unit, students should be able to:
- List the features and functions of an XML firewall service
- Configure an XML firewall service on a WebSphere DataPower SOA Appliance
- Describe the processing actions available in DataPower services

Unit 6. Problem determination tools
Duration: 45 minutes
Unit overview: This unit describes the troubleshooting tools available for debugging problems on the DataPower appliance. Several tools are available for use depending on the nature of the problem, ranging from low-level networking tools to probes that aid in debugging service policies. The logging utilities are available for capturing information generated by the DataPower objects.
Learning objectives: After completing this unit, students should be able to:
- Capture information using system logs from messages passing through the WebSphere DataPower SOA Appliance
- Configure a multistep probe to examine detailed information about actions within rules
- List the problem determination tools available on the WebSphere DataPower SOA Appliance

Exercise 4. Creating an advanced XML firewall
Duration: 2 hours
Exercise overview: This exercise shows how to configure an XML firewall with content-based routing. Content-based routing is configured by creating an XML firewall that contains a document processing policy with a Route action. Students learn the steps required to create, configure, and test DataPower services.
Learning objectives: After completing this exercise, students should be able to:
- Create an XML firewall from a WSDL definition
- Configure a document processing policy with additional actions
- Configure content-based routing using a Route action
- Test the XML firewall policy using the command line tool cURL
- Perform basic debugging using the system log and multistep probe

Unit 7. Handling errors in a service policy
Duration: 10 minutes
Unit overview: It is expected that errors will occur when messages are processed by the service policy, so the developers of service policies must plan for error handling within the rules of the policy. In this unit, students learn how to use the On Error action and Error rule, and how the service policy selects error handling.
Learning objectives: After completing this unit, students should be able to:
- Configure an On Error action in a service policy
- Configure an Error rule in a service policy
- Describe how On Error actions and Error rules are selected during error handling

Exercise 5. Adding error handling to a service policy
Duration: 20 minutes
Exercise overview: In this exercise, students add an On Error action and an Error rule to a service policy.
Learning objectives: After completing this exercise, students should be able to:
- Configure a service policy with an On Error action
- Configure a service policy with an Error rule


Unit 8. DataPower cryptographic tools
Duration: 45 minutes
Unit overview: This unit describes how to use the cryptographic tools to create keys and certificates. Students also set the DataPower objects that are used to validate certificates and configure certificate monitoring to ensure that only valid certificates exist on board.
Learning objectives: After completing this unit, students should be able to:
- Generate cryptographic keys using the WebSphere DataPower tools
- Create a crypto identification credential object containing a matching public and private key
- Create a crypto validation credential to validate certificates
- Set up certificate monitoring to ensure that certificates are up to date

Exercise 6. Creating cryptographic objects
Duration: 30 minutes
Exercise overview: This exercise shows how to create cryptographic keys using the DataPower crypto tools. Keys can be created on the appliance or uploaded externally. Students create a crypto identification credential storing certificate-key pairs that are used in securing SSL connections, and create a validation credential object for validating certificates. These objects are used as part of a Crypto Profile.
Learning objectives: After completing this exercise, students should be able to:
- Generate cryptographic keys using the WebSphere DataPower crypto tools
- Upload key files to the WebSphere DataPower SOA Appliance
- Create a crypto identification credential using a crypto key object
- Validate certificates using a validation credential object

Unit 9. Securing connections using SSL
Duration: 45 minutes
Unit overview: This unit describes how to secure connections using SSL to and from the DataPower appliance.
Learning objectives: After completing this unit, students should be able to:
- Configure the WebSphere DataPower SOA Appliance to communicate using SSL
- Associate an SSL proxy profile with keys and certificates
- Configure a user agent to initiate requests

Exercise 7. Securing connections using SSL
Duration: 1 hour
Exercise overview: This exercise shows how to set up a Secure Sockets Layer (SSL) connection to and from the DataPower appliance using the DataPower Web GUI.
Learning objectives: After completing this exercise, students should be able to:
- Create an SSL proxy profile to accept SSL connections from a client to the WebSphere DataPower SOA Appliance
- Create an SSL proxy profile to initiate an SSL connection from the WebSphere DataPower SOA Appliance to a back-end service
- Create a Hypertext Transfer Protocol (HTTP) service to handle HTTP requests

Unit 10. XML threat protection
Duration: 45 minutes
Unit overview: This unit covers the vulnerabilities that exist in XML messaging, and the threat protection features of the WebSphere DataPower SOA Appliance.
Learning objectives: After completing this unit, students should be able to:
- Explain possible attack scenarios involved in XML-based applications
- Describe the various types of XML attacks
- Use the WebSphere DataPower SOA Appliance to protect against XML attacks


Exercise 8. Protecting against XML threats
Duration: 30 minutes
Exercise overview: XML and web services are subject to a number of different types of attacks that are broadly referred to as XML structural attacks, XML content-based attacks, and denial-of-service attacks. This exercise demonstrates the major XML threat protection features of the WebSphere DataPower SOA Appliance.
Learning objectives: After completing this exercise, students should be able to:
- Run a recursive entity attack simulation
- Perform a recursive entity threat protection test
- Enable excessive attribute count threat protection
- Enable SQL injection attack prevention

Unit 11. Web Service Proxy service
Duration: 1 hour
Unit overview: This unit discusses the Web Service Proxy service and its role in an XML-Aware web-services-based network, and outlines the configuration steps required to create and manage a web services proxy. The unit also explains advanced web service configuration steps, such as proxy-level security, SOAPAction policy, and web service endpoint.
Learning objectives: After completing this unit, students should be able to:
- Describe the Web Service Proxy architecture
- List and explain the configuration steps needed to create a Web Service Proxy
- Create and configure a Web Service Proxy policy at various levels of the Web Services Description Language (WSDL) file

Exercise 9. Configuring a Web Service Proxy
Duration: 1 hour
Exercise overview: In this exercise, students create a Web Service Proxy (WS-Proxy) that virtualizes or proxies the East and West Address Search web service. A Web Service Proxy allows a user to mask the actual endpoint of the web service. Web Service Proxy configuration is done by uploading a WSDL document for each service. Once a Web Service Proxy is created, a user can configure a policy with rules and actions for each service defined within the proxy.
Learning objectives: After completing this exercise, students should be able to:
- Configure a WS-Proxy to virtualize an existing set of web services
- Create a policy within the WS-Proxy

Unit 12. XML and web services security overview
Duration: 45 minutes
Unit overview: This unit discusses the features of the web services security specification. This specification provides message level security to ensure message confidentiality and integrity using XML encryption and XML signatures, respectively. You will learn how to use the DataPower device to encrypt and decrypt, and to sign and verify messages.
Learning objectives: After completing this unit, students should be able to:
- Describe the features of the WS-Security specification
- Enable message confidentiality using XML Encryption
- Provide message integrity using XML Signature

Exercise 10. Web service encryption and digital signatures
Duration: 1 hour
Exercise overview: In this exercise, students learn how to perform web services security functions using the WebSphere DataPower SOA Appliance. The DataPower appliance supports security-related tasks that both a client and a server need to perform. Students play the role of a client by using an XML firewall to generate an encrypted and signed message, and then play the role of the server by decrypting and verifying the digital signature of the message on the Web Service Proxy.
Learning objectives: After completing this exercise, students should be able to:
- Create an XML firewall to generate a message with XML encryption
- Create an XML firewall to generate a message with an XML digital signature
- Perform field-level encryption and decryption on XML messages
- Create a rule to decrypt messages and verify digital signatures contained in a message within a Web Service Proxy policy

Unit 13. Authentication, authorization, and auditing (AAA)
Duration: 1 hour
Unit overview: This unit describes the authentication, authorization, and auditing (AAA) framework within the XI50 and XS40 IBM WebSphere DataPower SOA Appliances. These three facets of security both monitor and restrict access to resources.
Learning objectives: After completing this unit, students should be able to:
- Describe the authentication, authorization, and auditing framework within the WebSphere DataPower SOA Appliance
- Explain the purpose of each step in an access control policy
- Authenticate and authorize Web service requests with:
  - WS-Security Username and binary security tokens
  - HTTP Authorization header claims
  - Security Assertion Markup Language (SAML) assertions

Exercise 11. Web service authentication and authorization
Duration: 1 hour
Exercise overview: This exercise covers the authentication, authorization, and auditing (AAA) capabilities of the XS40 and XI50 IBM WebSphere DataPower SOA appliance. Enforcing client authentication and authorization means that access to services is restricted to permitted clients.
Learning objectives: After completing this exercise, students should be able to:
- Configure an action to enforce authentication and authorization policies
- Configure an action to verify an SAML assertion token for authentication and authorization purposes

Unit 14. Configuring LDAP using AAA
Duration: 30 minutes
Unit overview: This unit describes how to authenticate and authorize users using LDAP in a AAA policy. Students learn basic LDAP concepts and constructs, and how to configure LDAP in a AAA policy to connect to a directory service.
Learning objectives: After completing this unit, students should be able to:
- Describe the fundamentals of configuring the Lightweight Directory Access Protocol (LDAP) and deploying directory services
- Authenticate and authorize user credentials using LDAP by creating a AAA policy

Exercise 12. Creating a AAA policy using LDAP
Duration: 45 minutes
Exercise overview: In this exercise, students play the role of an LDAP user and create a AAA policy that validates a credential using the configured LDAP directory service.
Learning objectives: After completing this exercise, students should be able to:
- Add entries to the IBM Tivoli Directory Server LDAP server
- Authenticate users on an LDAP server by configuring a AAA policy

Unit 15. Multi-protocol gateway service
Duration: 1 hour
Unit overview: This unit describes the features of the multi-protocol gateway in the IBM WebSphere DataPower SOA Appliance. The gateway allows a many-to-many service mapping: multiple transport protocols can access a list of operations, and more than one back-end service can provide the implementation for these operations.
Learning objectives: After completing this unit, students should be able to:
- Configure a multi-protocol gateway to provide a service over a set of different protocols
- Configure a connection to a static back-end service
- Configure a processing rule to select a back-end service at run time

Exercise 13. Configuring a multi-protocol gateway service
Duration: 1 hour 15 minutes
Exercise overview: This exercise covers the multi-protocol gateway service in the XS40 and XI50 IBM WebSphere DataPower SOA Appliances. Clients and back-end services can communicate with each other over a variety of protocols.
Learning objectives: After completing this exercise, students should be able to:
- Configure a multi-protocol gateway to accept messages over HTTP and HTTPS
- Forward messages from a multi-protocol gateway to a static back-end service

Unit 16. Monitoring objects
Duration: 30 minutes
Unit overview: This unit shows how to configure monitors to measure traffic volume and system latency.
Learning objectives: After completing this unit, students should be able to:
- Identify messages that will be monitored
- Configure a message count monitor
- Set up a message duration monitor

Unit 17. Service level monitoring
Duration: 30 minutes
Unit overview: This unit shows how to implement service level monitoring within the DataPower SOA Appliance.
Learning objectives: After completing this unit, students should be able to:
- Identify the service level monitoring (SLM) functionality provided by the WebSphere DataPower SOA Appliance
- Implement a basic SLM policy using the Web Service Proxy Web GUI
- Create an advanced SLM policy using the SLM Statement construct

Unit 18. Integration with WebSphere MQ
Duration: 45 minutes
Unit overview: This unit describes how to configure the DataPower appliance to communicate with WebSphere MQ. Students learn how to receive and put messages on WebSphere MQ queues, and how DataPower manages transactions between WebSphere MQ queue managers.
Learning objectives: After completing this unit, students should be able to:
- Create a multi-protocol gateway with a WebSphere MQ front-side handler
- Configure a WebSphere MQ back-end uniform resource locator (URL)
- Manage transactionality between WebSphere MQ queue managers

Exercise 14. Configuring a multi-protocol gateway service with WebSphere MQ
Duration: 1 hour 15 minutes
Exercise overview: This exercise shows how to add support for WebSphere MQ to a multi-protocol gateway service. Students add an MQ front-side handler to the AddressSearchMPG created in an earlier exercise, and then create another multi-protocol gateway service to demonstrate one-way messaging to a back-end WebSphere MQ system. This multi-protocol gateway service is used as an MQ client to get and put messages from queues. Finally, students learn about the transaction capabilities when integrating DataPower and WebSphere MQ.
Learning objectives: After completing this exercise, students should be able to:
- Create a WebSphere MQ front-side handler (FSH) that gets messages from a queue and puts responses on a queue
- Send messages from a multi-protocol gateway service to a queue in WebSphere MQ in a fire-and-forget messaging pattern
- Configure transactionality between WebSphere DataPower and WebSphere MQ when errors occur during message processing

Unit 19. DataPower and Java Message Service (JMS)
Duration: 45 minutes
Unit overview: This unit describes how to configure a JMS front-side handler to connect to the default messaging provider in WebSphere Application Server V6, and to TIBCO Enterprise Message Service (EMS). Students learn how to invoke a web service running on WebSphere Application Server V6 over JMS.
Learning objectives: After completing this unit, students should be able to:
- Describe the components of the service integration bus on WebSphere Application Server V6
- Configure a JMS front-side handler to send JMS messages to the default messaging provider in WebSphere Application Server V6
- Configure a JMS front-side handler to send JMS messages to TIBCO EMS

Unit 20. DataPower architectural scenarios
Duration: 45 minutes
Unit overview: This unit covers the various scenarios in typical enterprise architectures for which DataPower appliances can be used.
Learning objectives: After completing this unit, students should be able to:
- Identify the security scenarios involved when deploying a WebSphere DataPower SOA Appliance
- Describe use cases that include the WebSphere DataPower SOA Appliance in enterprise architectures

Unit 21. Course summary
Duration: 15 minutes
Unit overview: This unit summarizes the course, explains the class evaluation process, and provides information for future study.
Learning objectives: After completing this unit, students should be able to:
- Explain how the course met its learning objectives
- Submit an evaluation of the class
- Identify other WebSphere Education courses related to this topic
- Access the WebSphere Education Web site
- Locate appropriate resources for further study

Appendix Unit A. Web application firewall service
Duration: 45 minutes
Unit overview: In this unit, students learn how to create a web application firewall to offload tasks and protect access to their web applications.
Learning objectives: After completing this unit, students should be able to:
- Configure a Web application firewall to protect a back-end Web application
- Use a AAA policy to protect access via the Web application firewall
- Validate parameters from an HTTP request using Name-value profiles
- Protect the Web application from phishing attacks using built-in threat protection

Appendix Exercise A. Creating a firewall and HTTP proxy for a web application
Duration: 45 minutes
Exercise overview: In this exercise, students create a web application firewall to secure the back-end East Address Search web service application. Clients connect to the web application firewall hosted on the DataPower appliance, which uses a AAA policy to authenticate users. Students also configure an SSL proxy profile to securely access the back-end web application firewall.
Learning objectives: After completing this exercise, students should be able to:
- Use the web application firewall wizard to create a web application firewall
- Implement a security policy on a web application firewall
- Create a reverse-proxy to virtualize requests to web applications

Appendix Exercise B. Configuring WebSphere JMS
Duration: 30 minutes
Exercise overview: This exercise shows how DataPower can send and receive messages to and from WebSphere Application Server default messaging engine. In this exercise, students create a multi-protocol gateway service that receives a request from cURL and sends a message to the WebSphere Application Server messaging engine to invoke the East Address Search web service over JMS.
Learning objectives: After completing this exercise, students should be able to:
- Identify the fields in the service integration bus configuration on WebSphere Application Server V6.0 or V6.1 that are needed to configure the WebSphere DataPower JMS object
- Create a multi-protocol gateway service that invokes the East Address Search web service over the JMS transport
