Datapower Deployment Scenarios

This article explains on the Datapower Deployment Scenarios and their specific functions inside an enterprise environment.

1. Lab environment – this is an isolated environment that allows testing of any major new firmware release features to be tested without any impact on ongoing development streams. This assist change management of new features and testing new feature before implementation.

2. Development environment – this is an very common practice to isolate Datapower service development to a dedicated environment. This will usually be an single appliance for developers as an black sandbox to develop as well as do project-specific configurations.

3. Testing environment – this is an isolated test environment from the development environment mentioned above. This environment is used to test all developed services. The appliance provide easy to service migration between appliances and domains.

4. Staging environment – the environment allows testing pre-releases, or rolling new releases into production. The environment is used to do performance testing to determine sizing and scaling of production appliances.

5. Production environment – appliances in the production environment can be deployed as a cluster in an active/passive configuration or active/active configuration. Appliances can balance traffic to target servers using the Application Optimization feature.

6. DR environment – Many organization require full data center failover to a second fully equipped site. The DR environment will provide failover appliance.

OAuth Implementation in Datapower XI52

OAuth is an authorization framework that allows a resource owner to grant permission to access their resources without sharing their credentials with a third party. Traditionally in client-server authentication model, the client uses its credentials to access its resources hosted by the server. OAuth introduces a third role called the resource owner. In this model, the client (which is not the resource owner, but is acting on its behalf) requests access to resources controlled by the resource owner, but hosted by the server.

Below figure shows OAuth in Datapower,

How to Use It?

To use the OAuth protocol, we need an AAA policy. The AAA policy must be defined in a processing rule of Web Token Service or Multi-Protocol Gateway.After successfully generating an access token, processing returns a node set that becomes part of the JSON object that contains the access token and optionally a refresh token.

1.     When configured through a Web Token Service, the service supports as authorization server endpoints

2.     When configured through a Multi-Protocol Gateway, the service supports as authorization server endpoints and enforcement point for resource servers.

Types of Protocol Flow

1.     Three Legged Flow – There are 3 entities namely the resource owner, an OAuth client who wants to access the resource, the resource server. The resource owner does not share its credentials to client instead it gives authorization grant and a client ID by an authorization service. Using authorization grant, OAuth client request an access token from authorization service to access the resource on resource server.

2.     Two Legged Flow – There are only 2 entities where the resource owner and OAuth client overlaps. The client needs resource owner credentials or a client credentials grant type. There are four credential grant type scenarios.

1. Implementation (Two legged Flow) through WTS (Grant type scenario- resource owner password credentials)

This scenario involves exchanging the resource owner’s username and password for an access token and make use of that token to access resources, which means the client possess the resource owner’s credentials. Client application sends a token request containing the resource owner username and password as well as its information to an authorization server and receives an access token. When acting as an authorization server, Datapower accepts and verifies an OAuth request and generates an access token. When acting as an enforcement point for a resource server, Datapower verifies the access token and validates it against the resource the client is requesting. Below steps describes this implementation,

STEP 1 Create an OAuth client object as below,

STEP 2 Create an OAuth client group object as below,

STEP 3 Create a AAA Policy with OAuth Config,

3 A. Extract Identity (EI)

3 B. Authentication (AU)

3 C. Resource Extraction(ER)

3 D. Authorization (AZ)

Sample AAA file,

STEP 4 Create an authorization server using the Web Token Service as below,

4 A.WTS Config,

4 B.WTS generated Processing Policy,

STEP 5 Create a resource server enforcement point using the Multi-Protocol Gateway as below,

5 A. Front Side Handler Config,

5 B. Processing policy for enforcement,

5 C. choose a static backend type, here it is a simple loopback XML Firewall. Request type as non-xml, Response type as Pass through and propagate URI to on.

STEP 6 Testing the Configuration,

6 A. Client request to invoke the authorization service and fetch access token (Web token service)

Curl command,

curl -k https://<dp:ip>:5040/ –user password-client:passw0rd -d “grant_type=password&username=john&password=passW&scope=/getAccount {“token_type”:”bearer”,”access_token”:”bearer”,”expires_in”:3600 }”

6 B. Access token verified by the MPGW (Resource Service)

Curl command,

curl -k https://<dp:ip>:5041/getAccount -H “Authorization: Bearer AAEPcGFzc3dvcmQtY2xpZW50tOItBbbumS0yrr/H+fPT8VbAvrI3xX55MSfy7Pnjz07usWpDnPm+0evCFTcPjtUwt5SrAhdplb3QnH+Dy36pCg”

2.Implementation (Two legged Flow) through WTS (Grant Type Scenario-Client Credential)

In this scenario client itself the resource owner, which means client can get an access token by presenting its own credentials, avoiding its credentials from being exposed in each and every resource request.However,client credentials flow implementation is similar to resource owner password credentials configuration,

STEP 1 Configure the OAuth client application with the Datapower,

1 A.Configure an OAuth Client Profile similar to above implementation except for the grant type as below,

1 B. Configure the created client profile with OAuth Client Group,

1 C. Use the OAuth client group in AAA policy to implement in Authorization service,

Authentication(AU)

Resource Extraction(ER)

Authorization (AZ)

1 D. Use the OAuth client group in another AAA policy(below Config) to implement in Enforcement service,

Resource Extraction(ER)

Authorization(AZ)

STEP 2 Create an authorization service using the Web Token Service,

Create a WTS with SSL proxy profile and get the processing policy generated with AAA action that has OAuth Client configured earlier,

STEP 3 Create a resource server enforcement point using the Multi-Protocol Gateway,

3 A. Create a front side handler that listens the WTS Authorization service,

3 B. Create a processing policy for the enforcement point having the,

3 C. Choose a static backend type, here it is a simple loopback XML Firewall. Request type as non-xml, Response type as Pass through and propagate URI to on.

Troubleshooting the Configurations,

Scenario 1: Scope not sufficient

Request to invoke WTS Authorization service and get access token,

Curl Command,

curl -k https://<dp:ip>:5050/token -u ac-appln:passw0rd -d “grant_type=client_credentials&scope=getAccount”

Response,

Request with access token to enforcement service to get the response,

Curl Command,

curl -k https://<dp:ip>:5051/getAccount -H “Authorization: Bearer AAEIYWMtYXBwbG5NYwZ3Pi01cM3Rge0qjdvfh4VJ19KCNQoEfkbyiiXvCw9oZLfPdwC7OarGlixMcD46KqjChfuuHB6U/vpL7lWp”

Response,

We get the response as insufficient_scope because URL sent by client is checked for the ER phase for the endpoint server AAA policy, here the scope in the token request includes the leading slash.

Scenario 2: Invalid Client Application

Curl Command,

curl -k https://<dp:ip>:5050/token -d “grant_type=client_credentials&scope=/getAccount&client_id=application&client_secret=passw0rd”

Response,

Scenario 3: Success

Curl Command,

curl -k https://<dp:ip>:5050/token -u ac-appln:passw0rd -d “grant_type=client_credentials&scope=getAccount”

Request to invoke enforcement service(MPG),

curl -k https://<dp:ip>:5051/getAccount -H “Authorization: Bearer AAEIYWMtYXBwbG5NYwZ3Pi01cM3Rge0qjdvfh4VJ19KCNQoEfkbyiiXvCw9oZLfPdwC7OarGlixMcD46KqjChfuuHB6U/vpL7lWp“

Response,

Implementing SLM(Service Level Monitoring) in Datapower

SLM has the ability to monitor traffic and take action if traffic patterns meet certain criteria. For example, consider the case where you have a backend that can only process 300 transactions per second (TPS). SLM can be used to take action when more than 300 TPS inbound transactions are received.

DataPower can be used to ensure this capacity is not exceeded or to send notifications to ensure that any overage is appropriately billed.

DataPower SLM can take action at a transaction threshold in three ways:

Notify: DataPower can send a notification to its logging system via any protocol supported by the device including e-mail, WebSphere MQ, and HTTP. For example, in the case where the REST customer has met its capacity, DataPower could send a notification to a business process that notifies the customer.

Shape: DataPower can delay traffic in an attempt to keep the transaction rate at the given threshold. Take the example where the backend can only process 300 TPS. Here, shaping can be used to queue any transactions that exceed that rate.

Throttle: DataPower can reject transactions that exceed the given threshold.

SLM is supported on multiple appliances that share load with SLM peer groups. The appliances in a peer group continuously communicate with each other to ensure SLM thresholds are shared across the entire group.

A peer group is a collection of DataPower appliances that exchange service level data to enforce SLM policies in the group. A peer group establishes a data-sharing protocol. The traffic that each appliance in the group processes is passed to the other peers to calculate whether a threshold is reached.

Check that all the criteria below is met for creating SLM Peer Group:

1.     All the DataPower Appliances must be clock-synchronized. You can use the NTP service.

2.  The XML Management Interface has to be enabled on both devices.

3. Ensure that there is no firewall in between the appliances blocking the port for the XML Management Interface.

4. Review the XML Management Interface configuration and check the advanced tab, to ensure, the default user agent is not used, or if used, that it has been set up with an SSL Proxy Profile.

5. SLM Peer Groups communicate over XML Management Interface (XMI), and XMI uses SOAP over HTTPS to exchange data. If specifying the “Custom User Agent” property of the XMI and you have an “SLM Peer Group” configured, you must make sure to have an SSL Proxy Profile defined in the “Custom User Agent”.

6. If this was not the case, the outbound request with the “Custom User Agent” property set is not processed by the other appliance in the “SLM Peer Group”.

7. To exchange SLM data at periodic interval, peer members must have identical SLM configurations, including the members list.

8. Ensure that the URLs in the peer group are correct

9. When using hostnames in the peer group URLs, make sure you have a working DNS configuration

10. The SLM policy needs to be identical on both appliances. If they do not match, the peering will not work.

11. SLM Interval length agreement:

An SLM Policy allows administrators to set a threshold level interval set on the SLM Policy Statements page.

When an SLM Policy being enforced by more than one device, administrators must also set a SLM update Interval on the SLM tab of the XML Management Interface configuration page found only in the default domain.

The SLM update Interval must be equal to or less than the threshold interval set in any SLM Policy statement in use on the device. If not, the updates deliver outdated information to the individual policies and are ignored, defeating the purpose of peering.

12. Use the same packet transmission method: unicast or multicast.

13. SLM unicast peering

SLM unicast peering uses unicast packet transmission to update peers in a connected manner.

Consider SLM unicast peering when:

1.     DataPower appliances in the peer group are not physically close or not connected within the same sub network.

2.     The rate of incoming data is low or moderate.

3.     The data sharing interval equals to or is more than one second.

14. SLM multicast peering

SLM multicast peering uses IP multicast packet transmission to update peers in a connectionless manner. Multicast peering supports small threshold intervals and allows data sharing intervals of less than one second.

Consider SLM multicast peering when:

1.     DataPower appliances in the peer group are physically close and connected within the same sub network.

2.     The rate of incoming data is high.

3.     The data sharing interval is less than one second, and you need higher SLM peering accuracy.

4.     The peering traffic and the data traffic use separate networks.

To define a peer group using SLM Unicast:

1.     Click Objects → Network → Peer Groups.

2.     Click Add.

3. In the Name field, enter the name for the configuration.

4. Set Administrative State to identify the administrative state of the configuration.

5. Optional: In the Comments field, enter a descriptive summary.

6. From the Type list, select the type of SLM peering for packet transmission.

7. For SLM unicast peering, specify the IP unicast configuration and update interval to exchange data among peers.

In the URL field, enter the URL of each peer, including the local appliance, and click Add.

8. Click Apply to save the changes to the running configuration.

9. Optional: Click Save Config to save the changes to the startup configuration.