

How to use WebSphere Message Broker to extend MQ and exploit DataPower for Web services security processing from CCR2, Issue 07 - 2007
For this feature, CCR2 interviewed Anthony O’Dowd, architect and strategist for the IBM WebSphere Message Broker Development team.

IBM WebSphere Message Broker and IBM WebSphere DataPower SOA appliances work through a common console to help you simplify MQ application connectivity with service-oriented architecture (SOA), and offload high-volume Web services security (WS-Security) processing from z.
Service-oriented architecture (SOA) helps enterprises connect any application or service to any other application or service in a way that allows for easy change and connectivity reconfiguration in the future. Instead of point-to-point connectivity, SOA relies on an enterprise service bus (ESB).
An ESB performs several tasks to help organizations meet their connectivity needs. It matches and routes communication between services. It converts from among different transport protocols. It transforms from among different data formats, and it identifies and distributes business events to and from disparate sources.
An ESB lets you separate connectivity logic from application code. Any application connected to the bus is ready to talk to any other application connected to the bus. If your applications are predominantly Web Services-ready, a Web Services standards-based ESB, such as IBM WebSphere Enterprise Service Bus, lets you reconfigure connections at will, without changing the application code.
In most large businesses, however, recently developed standards-based applications are the exception, not the norm. Businesses depend on time-tested applications and systems that may not be good candidates for an update. For connections with these applications, you’ll need protocol adaptation and data format transformation, so you can connect diverse applications and services. An ESB, such as IBM WebSphere Message Broker for z/OS, can follow your business rules to make policy-based transformations on the fly and route messages to different applications based on the content of each message. In addition, a hardware-based ESB, such as IBM WebSphere DataPower XI50 Integration Appliance, can transform message formats, offload processing for Web services calls and XML from servers, and use the Web Services Security standard (WS-Security).
Get on the bus
IBM WebSphere MQ provides a reliable, proven messaging backbone for your ESB, but is not itself an ESB. MQ message queues eliminate the need for an application to address the intricacies of various platforms and deal with situations in which the receiving application is busy or off-line. While simplifying connectivity and allowing you to balance the messaging workload, this transport layer doesn’t select target applications based on message content or change the data or protocols to match the form expected by the receiving application. It simply sends the message to the recipient based on header information.
An ESB built for heterogeneous IT environments, such as WebSphere Message Broker, manipulates messages so diverse applications can exchange information in dissimilar forms, with brokers handling the processing required for the information to arrive at the right place in the correct format.
Without changing an MQ application at all, you can use the graphical Message Broker Toolkit, which integrates with the WebSphere MQ Explorer, to associate the application’s MQ queues with the Message Broker bus. Using the toolkit, you can then tell Message Broker to perform a set of message processing operations on each message, depending on the message’s content, as the message flows from one application to its destination, or destinations. Message Broker can perform a wide range of operations on messages, such as storing message detail in a database for your audit trail.
While built to extend WebSphere MQ, WebSphere Message Broker can also process messages from many other sources, such as JMS providers, HTTP calls and flat files. As a result, you can completely decouple the application code from interface logic – freeing your enterprise applications and enabling reuse and quick reconfiguration in the future.
Designed as a native z/OS subsystem, WebSphere Message Broker for z/OS delivers all the capabilities of WebSphere Message Broker for Multiplatforms and more. You can control Message Broker through the MVS console, Batch using job control language (JCL) and the MVS console, and the Eclipse-based Message Broker Explorer graphical interface. Message Broker takes advantage of Resource Recovery Services (RRS) for transaction management and z/OS Workload Manager (WLM), writes its log information to the System Management Facilities (SMF), and provides fully integrated reporting and chargeback.
In addition, you can spread multiple message brokers across System z CPUs in a Sysplex and isolate message brokers in separate address spaces, if desired. You can offload Java processing to an IBM System z Application Assist Processor (zAAP).
Security on the edge
Many companies need ESB message encryption and firewall security to protect access to important applications and data. When using Web Services, you can intercept incoming transaction requests with a specialized IBM WebSphere DataPower SOA appliance that provides WS-Security encryption and extensible markup language (XML) threat protection. Because WS-Security encryption involves extensive processing, offloading the work from your System z environment to a dedicated device becomes especially important if your ESB handles a lot of encrypted traffic.
Message Broker works closely with WebSphere DataPower SOA appliances, including IBM WebSphere DataPower Integration Appliance XI50, a dedicated hardware ESB, and WebSphere DataPower XML Security Gateway XS40. These hardened, specialized SOA hardware devices can work on the edge of your network to encrypt Web-based messages and help protect your mainframe from penetration by malicious Web users.
Like the zAAP’s offloading of CPU-intensive Java processing from your mainframe, SOA appliances are ideal workhorses dedicated to SOA security processing. Both the XS40 and XI50 provide a security-enforcement point for XML and Web services transactions, including encryption, firewall filtering, digital signatures, schema validation, WS-Security, XML access control, XPath and detailed logging.
Figure 1 shows a requesting application communicating with a WebSphere DataPower SOA appliance using SOAP over HTTP, where the message body is encrypted with the WS-Security standard. The DataPower appliance decrypts the body of the message upon receipt. This content is then passed to Message Broker over a connection secured by HTTP secure (HTTPS). Message Broker receives the SOAP message and transforms it to a COBOL structure for the final MQ application. Responses then flow back similarly. You can also place the DataPower appliance within a demilitarized zone bounded by firewalls for additional protection.
Figure 1: Message Broker can use a WebSphere DataPower SOA appliance to handle WS-Security.
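The enforcement-point role described above can be made concrete with a small admission check of the kind an edge gateway applies before it spends any effort on decryption. This is an added example in Python, not code from the article and not DataPower configuration; the size and depth limits, the verdict strings and the names edge_check and sample are assumptions chosen for illustration, and the policy assumed is that every SOAP 1.1 request must carry a WS-Security header and a fully encrypted body.

```python
import xml.parsers.expat

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
MAX_BYTES, MAX_DEPTH = 64 * 1024, 32  # assumed limits, not DataPower defaults

class Reject(Exception):
    """Raised inside parser callbacks to stop parsing at the first violation."""

def edge_check(raw: bytes) -> str:
    """Return 'accept' or 'reject:<reason>' for one inbound SOAP 1.1 request."""
    if len(raw) > MAX_BYTES:
        return "reject:too-large"
    path, body_children, has_security = [], [], []
    def start(name, attrs):
        path.append(name)  # names arrive as "<namespace-uri> <local-name>"
        if len(path) > MAX_DEPTH:
            raise Reject("too-deep")
        if len(path) == 1 and name != f"{SOAP11} Envelope":
            raise Reject("not-soap")
        if len(path) == 3 and path[1] == f"{SOAP11} Header":
            has_security.append(name == f"{WSSE} Security")
        if len(path) == 3 and path[1] == f"{SOAP11} Body":
            body_children.append(name)
    def doctype(*_):  # DTDs enable entity-expansion and external-entity abuse
        raise Reject("doctype")
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: path.pop()
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(raw, True)
    except Reject as reason:
        return f"reject:{reason}"
    except xml.parsers.expat.ExpatError:
        return "reject:malformed"
    if not any(has_security):
        return "reject:no-wsse-header"
    if body_children != [f"{XENC} EncryptedData"]:  # exactly one encrypted child
        return "reject:body-not-encrypted"
    return "accept"

def sample(body: str, header: bool = True) -> bytes:
    """Build a constructed test envelope around the given body XML."""
    hdr = f'<s:Header><w:Security xmlns:w="{WSSE}"/></s:Header>' if header else ""
    env = f'<s:Envelope xmlns:s="{SOAP11}">{hdr}<s:Body>{body}</s:Body></s:Envelope>'
    return env.encode()
```

Only requests that return accept would go on to decryption and be forwarded to the broker over HTTPS; everything else is dropped and logged at the edge.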
Quick to deploy and easy to manage, WebSphere DataPower SOA appliances can dramatically cut development and deployment time to help you quickly start realizing business benefits from your SOA project. You can deploy them from the beginning or easily add them later, as needed.
United we stand
By offering multiple ESBs that work together (federated), IBM helps you to put the right function in the right place on the IBM System z platform or a SOA appliance. What’s more, you can now administer your federated ESBs from a common Eclipse-based console, which is an extension of the WebSphere MQ Explorer.
The latest Message Broker Explorer SupportPac (IS02: WebSphere Message Broker Explorer Plug-in) extends the MQ Explorer administrative interface. With it you’ll be able to seamlessly administer WebSphere MQ version 6, Message Broker version 6 and DataPower SOA appliance security features from a common administrative console.
With this extended Message Broker Explorer console, you’ll have full operational control and understanding of your ESB. You can inspect what’s in a queue, monitor real-time performance of message broker message flows, such as I/O and CPU statistics, and gather data for spreadsheet analysis. Graphical accounting statistics show you how your system performs in real time and allow you to quickly pinpoint performance problems (see Figure 2). You can look into how much time Message Broker spends end to end and at each step in the routing and transformation processes.
Figure 2: Accounting and statistics for Message Broker flows
The Message Broker Explorer also includes the DataPower security wizard to let you configure a WebSphere DataPower SOA appliance as an XML firewall within a demilitarized zone (DMZ), inbound WS-Security decryption engine, outboard WS-Security encryption engine or secure sockets layer (SSL) gateway to Message Broker (see Figure 3). The wizard can retrieve key information, such as details about the HTTPinput and HTTPSinput nodes in a message flow, cryptographic profiles for SSL communications, and DataPower encryption and decryption certificates. A policy sets editor in the Message Broker Explorer further helps you configure the WS-Security aspects of your encryption and decryption rules.
These DataPower configuration features are quick to use – you may be up and running an hour after downloading the SupportPac; that’s the experience of our early adopting customers and partners. No development work is required, and there is no impact on your applications.
Figure 3: Discovering and configuring security
Working together for you
IBM offers three ESB solutions: IBM WebSphere Enterprise Service Bus, IBM WebSphere Message Broker for z/OS, and IBM WebSphere DataPower XML Security Gateway XS40. Each can be used independently or work well together as federated ESBs.
The latest Message Broker SupportPac allows you to extend your WebSphere MQ experience to deploy and manage a WebSphere Message Broker enterprise service bus using the Message Broker Explorer interface. You can further offload Web services security processing to a WebSphere DataPower Integration Appliance XI50 or DataPower Security Gateway XS40 and configure security using the Message Broker Explorer. Regardless of where you start, your IBM ESB can grow with your business.