
Datapower appliances - A brief overview

What are they?

Datapower SOA appliances are a suite of XML-aware network appliances. Often termed a
“hardware ESB”, these rack-mountable devices are an increasingly important part of the IBM ESB
family. They are specialized, purpose-built, consumable SOA appliances that redefine the
boundaries of middleware.
There are three flavors of the appliance as of today, with many more in the fray. XA 35 was the
first of the three appliances and was custom designed to provide high-performance XML processing.
XS 40 was a purpose-built security appliance aimed at suppressing the ubiquitous
XML threats and issues associated with info security while exchanging messages over the
network. It inherited the XML processing capabilities offered by XA 35. The latest in the array is XI
50, which, apart from inheriting the above two capabilities, is also an integration appliance
providing a plethora of brokering functionalities.

What do they offer?

XML Processing

Datapower appliances can help speed up common types of XML processing by offloading it
from servers and networks. They can perform XML parsing, XML schema validation, XPath routing,
XSLT, XML compression, and other essential XML processing with wire-speed XML performance.

• High performance, multi-step, wire-speed message processing, including XML, XSLT,
XPath, and XML Schema Definition (XSD)

• In addition to wire-speed processing, Datapower appliances support XML routing, XML
pipeline processing, XML compression, XML/XSL caching, as well as other intelligent
processing capabilities to help manage XML traffic.

• The Datapower appliances provide real-time visibility into critical XML statistics such as
throughput, transaction counts, errors, and other processing statistics. Data network-level
analysis is provided and includes server health information, traffic statistics, and
management and configuration data.

Info Security and management

The DataPower appliance provides a security-enforcement point for XML and Web service
transactions. It offers encryption, firewall, filtering, digital signatures, schema validation,
WS-Security, XML access control, XPath and other features. Apart from that, it facilitates dealing with
a wide range of XML threats and Denial of Service (DoS) attacks.

• XML/SOAP firewall
Filters traffic at wire speed, based on information from layers two through seven of the
protocol stack. It filters traffic from field-level message content and SOAP envelopes to IP
address, port or host name, payload size, and other metadata. Filters can be predefined
with an easy point-and-click XPath filtering GUI and automatically uploaded to change
security policies based on the time of day or other triggers.

• XML/SOAP data validation
With its unique ability to perform XML schema validation as well as message validation,
at wire speed, the appliance ensures that incoming and outgoing XML documents are
legitimate and properly structured. It protects against threats such as XDoS attacks,
buffer overflows, or vulnerabilities created by deliberately or inadvertently malformed XML
documents.

• Field-level message security
It offers granular and conditional security policies such as complete or field-level
encryption/decryption of data, digital signing of the message, and verification of entire
messages or individual fields.

• XML Web services access control
Provides support for a variety of access control mechanisms, including WS-Security,
WS-Trust, X.509, SAML, SSL, Lightweight Directory Access Protocol (LDAP), RADIUS, and
simple client/URL maps. It can control access rights by rejecting unsigned messages and
verifying signatures within SAML assertions.

• Service virtualization
XML Web services require companies to link partners to resources without leaking
information about their location or configuration. With the combined power of URL
rewriting, high-performance XSL transforms and XML/SOAP routing, the appliance can
transparently map a rich set of services to protected back-end resources with high
performance.

• Centralized policy management
With the wire-speed performance, enterprises can centralize security functions in a single
drop-in device that can enhance security and help reduce ongoing maintenance costs.
Simple firewall functionality can be configured via a GUI and be running in minutes. By
using the power of XSLT, sophisticated security and routing rules can be created. It
works with leading policy managers, and is hence an ideal policy execution engine for
securing next generation applications. It supports Simple Network Management Protocol
(SNMP), script-based configuration, and remote logging to integrate seamlessly with
leading management software.

• Web services management/service level management
It has extensive support for WSDM, UDDI, WSDL, Dynamic Discovery, and broad support
for service-level management (SLM) configurations. With this support, it natively offers a
robust Web services management framework for the efficient management of distributed
Web service endpoints and proxies in heterogeneous SOA environments. SLM alerts and
logging, as well as pull and enforce policies, help enable broad integration support for
third-party management systems and unified dashboards, in addition to robust support
and enforcement for governance frameworks and policies.

Brokering and Application integration

Datapower Integration Appliances provide transport-independent transformations between binary,
flat text files and XML message formats. Visual tools are used to describe data formats, create
mappings between different formats, and define message choreography. The appliance can
transform binary, flat text, and other non-XML messages to help offer an innovative solution for
security-rich XML enablement, ESBs, and mainframe connectivity.

• Any-to-any transformation engine
It supports parsing and transforming arbitrary binary, flat text, and XML messages,
including EDI, COBOL copybook, ISO 8583, CSV, ASN.1. The patented DataGlue
technology of Datapower appliance uses a fully declarative, metadata-based approach
for transformation.

• Transport bridging
Provides transport layer flexibility with support for a wide array of transport protocols. It is
capable of bridging request and response flows to and from protocols such as HTTP,
HTTPS, MQ, SSL, IMS Connect and FTP.

• Integrated message-level security
It offers mature message-level security and access control functionality. Messages can
be filtered, validated, encrypted, and signed, helping to provide more secure enablement
of high-value applications. Supported technologies include WS-Security, WS-Trust,
SAML, and LDAP.

• Lightweight message brokering
1. Sophisticated multi-step message routing, filtering, and processing
2. Multiple synchronous and asynchronous transport protocols
3. Detailed logging and audit trail, including non-repudiation support

Where is it used?

• Datapower SOA appliances provide a robust, secure platform for middleware integration
that can be deployed in an array of deployment scenarios to perform a variety of
middleware use cases.

• It could also be effectively deployed in the DMZ environment, built with security and policy
enforcements. In this scenario, Datapower could prominently act as an application
firewall, with all the security-related aspects offloaded from the application to be
performed at wire speed by the Datapower appliance. This involves message filtering,
validation, encryption/decryption, verification of digital signatures, certificate validation,
authentication, and authorization through a widely supported set of open standard protocols
and technologies.
