This document discusses IBM DataPower and how it can be used to securely expose APIs and services. It provides an overview of DataPower's key capabilities including security, protocol support, and an application development model. Specific services that DataPower provides are discussed such as the web service proxy, XML firewall, and web application firewall. The document also covers how DataPower can implement various security features and policies to control access and traffic. Finally, it presents some high-level questions to consider when shaping an API strategy.
Web API services using IBM DataPower
1. WEB API
Deliver Company Services as Cloud to
Developers, 3rd parties etc…
Tansu Daslı
Osman Ozel
2. DATAPOWER
Key Points
• Hardened security: It can act purely
as a security gateway.
• Appliance versatility: It is easy to add
to the network at various points to
perform different functions.
• XML lingua franca: The promise of
XML-speak is uniformity, simplicity, and
transparency of handling data. Being
XML-centric from core upwards gives
DataPower the ability to adapt to
different roles.
• Any-to-any transformation: The ability
to transform any data format allows it
to be an integration device.
• Multi-protocol support: This allows it to
be an integration device or bridge for
heritage applications.
Ease of Use
• Installation: As a network appliance it
can be up and running in literally a
few minutes.
• Development cycle: On-board Web
GUI based approach to creating and
managing applications gets rid of the
develop-deploy round trip
development methodology.
• Development model: The modeling
uses the building-block approach
where the application is built using a
collection of objects one on top of
another. The granularity of these
objects maps comfortably to
architectural components of typical
applications.
3. DataPower
Core services
Multi-Protocol Gateway
Web Service Proxy
XML Firewall
Web Application Firewall
Access to a third-party Web service, described by a
WSDL, is front-ended by the Web Service Proxy.
Access to a specific operation is controlled by an
Authentication, Authorization, and Auditing Policy (AAA)
that extracts identity information from the WS-Security
Username-Token. Requests exceeding specified service
level parameters are queued and bleed off at the
specified rate. Access to all other operations is
unrestricted.
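The per-operation AAA behaviour described above, modelled as an added example (not DataPower's own code or configuration): identity is read from the WS-Security UsernameToken, one operation is AAA-controlled, and all other operations pass unrestricted. The operation name, credential store and allowed-user set are constructed assumptions.

```python
import hmac
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Constructed policy and credential store (assumptions, not DataPower objects):
# only the listed operation is AAA-controlled; every other operation is unrestricted.
RESTRICTED_OPERATIONS = {"getAccountBalance": {"alice"}}
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}

def extract_username_token(envelope: str):
    """(username, password) from the WS-Security UsernameToken header, or None."""
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    return (token.findtext("wsse:Username", default="", namespaces=NS),
            token.findtext("wsse:Password", default="", namespaces=NS))

def operation_name(envelope: str) -> str:
    """The first element inside the SOAP Body names the invoked operation."""
    body = ET.fromstring(envelope).find("soap:Body", NS)
    first = next(iter(body), None) if body is not None else None
    return first.tag.split("}")[-1] if first is not None else ""

def aaa_decision(envelope: str) -> str:
    """'allow' or 'deny': authenticate and authorize only restricted operations."""
    op = operation_name(envelope)
    if op not in RESTRICTED_OPERATIONS:
        return "allow"                       # access to all other operations is unrestricted
    creds = extract_username_token(envelope)
    if creds is None:
        return "deny"                        # authentication: no identity presented
    user, pwd = creds
    if user not in CREDENTIALS or not hmac.compare_digest(CREDENTIALS[user], pwd):
        return "deny"                        # authentication: wrong credentials
    if user not in RESTRICTED_OPERATIONS[op]:
        return "deny"                        # authorization: not entitled to this operation
    return "allow"

def soap_request(op: str, user: str = None, pwd: str = None) -> str:
    """Constructed sample SOAP envelope with an optional plaintext UsernameToken."""
    header = "" if user is None else (
        f"<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
        f"<wsse:Password>{pwd}</wsse:Password></wsse:UsernameToken></wsse:Security>")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f"<soap:Header>{header}</soap:Header>"
            f'<soap:Body><{op} xmlns="urn:example"/></soap:Body></soap:Envelope>')
```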
The XML firewall service is used to send and receive XML
traffic over HTTP to and from XML-based applications.
• Accept and send SOAP, raw XML, or unprocessed (binary)
documents.
• Decrypt, encrypt, filter, transform, and validate XML
documents.
• Route XML documents to the appropriate back-end service.
• Sign documents and verify signatures.
• Process large documents in the streaming mode.
• Implement document-level security or service-level security.
• Communicate with clients, servers, and peers with SSL
encryption.
An external client connects to the Web application firewall service in
DataPower. Once authenticated, the request is forwarded to the back-end
Web application.
The Web application firewall service uses an AAA policy to validate users. In
a production environment, you would also need to secure the connection
from the Web application firewall service to the back-end Web application,
using either a security token or SSL.
4. Web Services &
Policy Management
Traffic throttling: This is a simplified model of controlling throughput of messages by discarding
packets that go over a certain threshold. DataPower's Limit field sets the threshold, and an
interval is set for the duration of throttling.
Traffic shaping: An SLM that can improve delivery while maintaining SLAs on performance by
protecting bandwidth.
Custom SLM statements
Count all (default): The threshold level is applied to the resources specified by a resource class.
Count errors: The threshold is based on errors.
Back-end latency: The threshold is based on server latency.
Internal latency: The threshold is based on internal latency (processing time).
Total latency: The threshold is based on the sum of measured latencies.
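The throttling, shaping and custom SLM statements above, worked through as an added example (not DataPower's own implementation): each statement has a Limit, an interval and an action, requests are measured over the interval, the first statement over its limit decides, throttling discards the request and shaping queues it until the oldest request leaves the window. Averaging latency over the interval and not counting discarded requests are simplifying assumptions.

```python
from collections import deque
from dataclasses import dataclass, replace

@dataclass
class Request:
    ts: float                 # arrival time in seconds
    error: bool = False       # back-end answered with an error
    backend_ms: float = 0.0   # back-end latency
    internal_ms: float = 0.0  # gateway processing time
@dataclass
class SlmStatement:
    kind: str        # count-all | count-errors | backend-latency | internal-latency | total-latency
    limit: float     # the Limit field: the threshold for the measurement
    interval: float  # seconds over which the measurement is taken
    action: str      # "throttle" discards the request, "shape" queues it
class SlmPolicy:
    def __init__(self, statements):
        self.statements = statements
        self.horizon = max(s.interval for s in statements)
        self.history = deque()  # admitted requests, used for the interval measurements

    @staticmethod
    def measure(stmt, recent):
        if stmt.kind == "count-all":
            return len(recent)
        if stmt.kind == "count-errors":
            return sum(r.error for r in recent)
        if not recent:
            return 0.0
        # Latency statements: average over the interval (simplifying assumption).
        lat = {"backend-latency": lambda r: r.backend_ms,
               "internal-latency": lambda r: r.internal_ms,
               "total-latency": lambda r: r.backend_ms + r.internal_ms}[stmt.kind]
        return sum(lat(r) for r in recent) / len(recent)

    def admit(self, req):
        """Return ('forward', ts), ('queue', release_ts) or ('reject', ts)."""
        while self.history and req.ts - self.history[0].ts > self.horizon:
            self.history.popleft()          # drop requests older than any interval
        for stmt in self.statements:        # first statement over its limit decides
            recent = [r for r in self.history if req.ts - r.ts <= stmt.interval]
            if self.measure(stmt, recent) < stmt.limit:
                continue
            if stmt.action == "throttle" or not recent:
                return "reject", req.ts     # discarded and not counted
            release = min(r.ts for r in recent) + stmt.interval
            self.history.append(replace(req, ts=release))  # bleeds off when the window frees
            return "queue", release
        self.history.append(req)
        return "forward", req.ts
```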
5. Security
• Protocol-based security, including SSL
• Message-based security, including digital signature generation and
verification, as well as data encryption and decryption
• The Authentication/Authorization/Audit (AAA) framework for access control
• Federated Identity Management
WS-Security
Security Assertion Markup Language (SAML)
XACML PEP/PDP
Kerberos and SPNEGO
XML threats
Multiple-message XDoS attacks
Unauthorized access attacks
Data integrity/confidentiality attacks
Systems compromise attacks
Single-message XDoS attacks
6. High Level Architecture
[Architecture diagram: three zones, DMZ, Company and Cloud. DataPower sits in a cloud domain and an MW domain, providing Security and Throttle in front of SOAP WS and RESTful WS over HTTP. An API management platform (apigee/w2o/mashery/ibm/3scale) provides Security, Throttle, Monitoring, Billing and a Developer Portal for Developers and 3rd Parties. Company side: Monitoring, OTA, a Developer Portal on confluence at developer.company.com.tr, and a Reverse Proxy.]
7. Questions for
Shaping Strategy
• Which services are exposed to whom (3rd parties, external developers etc.)?
• Legal implications?
• Metrics to measure success (page visits or revenue etc.)?
• Aim (increasing revenues, increasing product loyalty, rebranding etc.)?
• Pricing model (free, developer pays, shared revenue, advertisement revenues, tiered pricing etc.)?
• Where to place the Web API management platform (inside the company or in the cloud)?
• Agreements with incubation centers?
An effective Web API strategy is essential in a market where access really is everything.
Community is important for success.
Editor's Notes
Domain-based management: different operation groups can use DataPower domains; domains can be used to isolate the different usage scenarios.
DataPower capabilities: security (message level, transport level), throttling the load, reverse proxy.
Developer portal: service documentation, register API, search API, register user, service usage statistics, how-to docs etc.
Billing: how to bill usage?