What’s new in IBM DataPower Gateway Firmware 7.2

Executive Summary

IBM DataPower Gateway firmware 7.2 is a new release that includes the following great new features:

  • DataPower Virtual Edition can now run on Amazon and SoftLayer virtual servers. This can lower the cost of running a virtual appliance in the cloud.
  • Ability to create a secure tunnel between IBM Bluemix solutions and on-premise infrastructure, making it possible to leverage current assets in new cloud-based solutions.
  • A REST API that can be used for scripting and monitoring of the appliance. This is in addition to the existing XML Management Interface. The REST interface can make scripting more accessible to developers experienced with JavaScript/JSON.
  • Support for SSL/TLS SNI that allows multiple SSL configurations to be served from a single TCP Port. This can simplify the infrastructure by removing non-standard SSL ports used to serve non-standard SSL profiles.
  • Easier methods for setting the list of supported ciphers used by TLS. In a world where SSL vulnerabilities are discovered on a constant basis, the ability to isolate offending ciphers is important.
  • Improved load balancers that can leverage GatewayScript; this may allow companies to delay purchases of other load balancing/health checking solutions.

Introduction

Every 6 months, a new major or minor version of DataPower firmware is released. June 19th, 2015 saw the arrival of firmware 7.2. This version introduces many updates that would take too long to go through line by line, so I’ll talk about the features that I’m most excited about.

The interesting feature list includes:

  • Full support for DataPower Virtual Edition running on Amazon Web Services (AWS) and SoftLayer Virtual servers.
  • Introduces an IBM Bluemix Secure Gateway Service, a bridge between cloud services on Bluemix and existing on premise solutions.
  • Implements a long-awaited REST API to manage the appliance.
  • New functions in GatewayScript, including APIs for working with JSON Web Encryption (JWE), JSON Web Key (JWK), JOSE and JSON Web Token (JWT) standards.
  • Replacement of the SSL Client Profile Cipher String with an explicit ordered list of accepted ciphers using the industry standard names.
  • Support for TLS Server Name Indication (SNI)
  • Deprecation of ‘SSL Proxy Profile’ objects. They have been replaced with ‘SSL Client Profile’, ‘SSL Server Profile’ and ‘SNI Server Profile’ objects.
  • Updated Load Balancer Group health checking, which adds support for TCP half-open checks and can now use GatewayScript.

Virtual Edition on AWS and SoftLayer Virtual Servers

Adds support to deploy Virtual Edition on the following products.

  • IBM SoftLayer® virtual server
  • Amazon EC2 (Elastic Compute Cloud)

For more information, see Virtual Edition.

Previous to firmware 7.2, DataPower Virtual Edition was only packaged for VMware or Citrix server virtualization and could be run on VMware, Citrix, SoftLayer (via a bare metal server running VMware or Citrix) or IBM PureApplication System. For anyone installing a cloud-based virtual appliance, the lack of options created a costly barrier to entry. I wanted to document the installation steps for SoftLayer but the cost of a bare metal server that met the minimum requirements was over $300/month and that didn’t include substantial virtualization licensing costs.

In order to support Amazon and SoftLayer Virtual Servers, a new Debian deployment package is provided. This package must be installed on top of Ubuntu 14.04 LTS. The interesting side-effect of IBM using Ubuntu 14.04 is that the package can be installed and run on any Ubuntu 14.04 system (of course, in an unsupported manner). With this functionality, you can theoretically deploy DataPower Virtual Edition to IBM’s Bluemix Virtual Machine cloud or any cloud that provides an Ubuntu image.

It’s great to see the number of supported cloud providers grow. More options provide more opportunities to lower the TCO of a virtual DataPower environment and give the customer the ability to install DataPower on their preferred cloud provider.

REST management interface

Adds a REST management interface to access low-level management configuration and status resources from the appliance. With the REST-based API, you can create, update, retrieve, or delete resources based on the type of the resource. For more information, see Enabling the REST management interface.

The REST Management Interface provides similar functionality to the standard XML Management Interface while removing the pain of creating SOAP envelopes and XML-formatted messages. I’ve noticed that the implementation of the REST API is more dynamic. An HTTP GET can be issued to the ‘/mgmt’ URI and it will return a list of the URIs corresponding to the different aspects of the API. The “domains” manipulation API endpoint can be discovered at ‘/mgmt/domains/config’. A list of domains on the device can be retrieved by issuing an HTTP GET to ‘/mgmt/domains/config’.

Bluemix Secure Gateway

The IBM Bluemix Secure Gateway service connects your Bluemix applications to data and applications in your private network and securely transports that data with your Bluemix application. To use Bluemix, you must define a secure gateway in Bluemix and create a secure gateway client on the DataPower appliance.

For more information, see Bluemix Secure Gateway.

A challenge of moving into cloud solutions is how you can leverage your existing on-premise assets securely. If you have chosen IBM’s Bluemix, you have the option to enable this gateway feature in DataPower to establish secure communication between the cloud and your internal network.

Enhanced GatewayScript

Adds support for JSON Web Encryption (JWE) encryption and decryption APIs, JSON Web Key (JWK) APIs, and JOSE and JSON Web Token (JWT) APIs for JWK. Adds JSON decrypt, encrypt, sign, and verify processing actions. Functional enhancements in the following areas:

  • XML DOM API support
  • fs module enablement
  • dp:gatewayscript() extension function
  • dp:gatewayscript extension element
  • IBM MQ URLOpen support
  • XSLT transformations against Node or NodeList objects

JSON & JavaScript continue their world domination.

TLS Server Name Indication (SNI)

Adds support for Server Name Indication when the appliance is an SSL client or SSL SNI server. When the appliance is an SNI server, an SNI map is available to provide the mapping of host names in the ClientHello SNI extension to SSL server profiles.

In the past, a single SSL Proxy Profile was bound to a TCP Port. This meant that new non-standard ports had to be configured for clients who need non-standard SSL settings.

SNI allows a single TCP Port to serve multiple SSL Server Profiles by using the new SSL SNI Server Profile object. This new object introduces a hostname to profile map to determine the proper profile to use. The caveat is that client SNI support was introduced around 2006-2007. If your client is older than that, it is possible they don’t support the standard and won’t provide the required hostname in the handshake. They will then be directed to the default SSL Server Profile.

Enhanced SSL communication

  • Supports specifying the maximum number of client initiated SSL renegotiations per connection and setting the maximum duration of an SSL session.
  • Supports Elliptic Curve TLS ciphers.
  • Supports Perfect Forward Secrecy (ECDHE-RSA and DHE TLS ciphers).
  • SSL version 3 protocol and RC4 ciphers are disabled by default.

For more information, see SSL connections.

DataPower has gained some new ciphers for securing the TLS connection, and the default object now disables SSL version 3 and RC4 ciphers. The more important update that I discovered was the removal of the complicated and often misunderstood SSL cipher selection string. At most customers, this was left as the default ‘HIGH:MEDIUM:!aNULL:!eNULL:@STRENGTH’ or, worse, ‘DEFAULT’ (accepting very insecure ciphers). Understanding the minutiae surrounding this string was difficult due to the poor documentation of this feature.

In the new firmware, this has been replaced with a (long) list of supported ciphers. Individual ciphers can be added/removed and reprioritized as needed. In addition, the ciphers are given their standard names. This goes a long way to making the security configuration explicit in the face of the growing number of attacks that public endpoints endure on a daily basis.
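To see what an opaque selection string hides, this added Python example (not DataPower code) expands the two strings quoted above into the explicit, ordered suite list and marks entries worth reviewing. It assumes the strings follow OpenSSL cipher-list syntax and uses the local OpenSSL build, so the list differs from what a given firmware level would produce; the review criteria are chosen for this example.

```python
import ssl

# Cipher strings quoted in the post.
LEGACY_STRINGS = ["HIGH:MEDIUM:!aNULL:!eNULL:@STRENGTH", "DEFAULT"]

def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

def findings(suite):
    """List review points for one suite, based on its OpenSSL metadata."""
    name = suite["name"]
    issues = []
    if "RC4" in name:
        issues.append("RC4")
    if suite["strength_bits"] < 128:
        issues.append("under 128 bits")
    # TLS 1.3 suites always use ephemeral key exchange; older suites only
    # do so when the OpenSSL name starts with ECDHE or DHE.
    if suite["protocol"] != "TLSv1.3" and not name.startswith(("ECDHE", "DHE")):
        issues.append("no ECDHE/DHE key exchange")
    return issues

def audit(cipher_string):
    """Explicit, ordered (name, issues) list equivalent to an opaque string."""
    return [(s["name"], findings(s)) for s in expand(cipher_string)]

if __name__ == "__main__":
    for cipher_string in LEGACY_STRINGS:
        print(f"\n{cipher_string}")
        for name, issues in audit(cipher_string):
            print(f"  {name:35} {', '.join(issues) or '-'}")
```

Current OpenSSL builds no longer ship RC4, so the RC4 check mainly matters when the script runs against an older library that matches the appliance era.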

Deprecated: SSL Proxy Profile

Depending on the role of the DataPower appliance, you can now use an SSL client profile, SSL server profile, or SSL SNI server profile to replace the SSL proxy profile and crypto profile to secure connections. The SSL proxy profile and crypto profile are deprecated. The new SSL profiles are available in all objects and extension functions where you can use an SSL proxy profile.

For more information, see SSL connections and technote 1699392, Migration from SSL Proxy Profile.

In the new firmware, the ‘SSL Proxy Profile’ object has been deprecated. It has been split into more explicit objects: the SSL Client Profile and the SSL Server Profile. With the new objects, you can easily tell whether it’s being used to consume a TLS endpoint (client) or to provide a TLS endpoint (server). In addition, the new SSL SNI Server Profile object can be used in lieu of the SSL Server Profile object to provide SNI capabilities.

Enhanced load balance groups

TCP connection health checks support partial or half-open TCP connection checks.

  • Load balancer group TCP connection health check improvements.
  • Enhanced load balancer group to support GatewayScript health check processing. When GatewayScript processing is enabled, the content of health check requests and responses can be of any type and the response evaluator is a GatewayScript file. For more information, see GatewayScript health check response evaluator scenario.

I think this feature is easy to dismiss but provides solid improvements for using a DataPower for health checking and load balancing. In some DataPower environments, a completely separate load balancing technology such as F5 is used. Additional technology carries cost to the enterprise architecture through installation, development and support.

DataPower now has the ability to health check with TCP Half-Open requests. ‘Half-Open’ can health check a TCP endpoint without having to actually complete the connection and consume its resources. The addition of GatewayScript into health checking opens the entire functionality of the device to handle health determination as fine-grained as needed.

Conclusion

DataPower firmware 7.2 is a great next step in the evolution of the DataPower device. It now supports Amazon Cloud and SoftLayer virtual servers. There is now a REST-based API for configuration management. It has new IBM Bluemix services for integration between cloud and on-premise. It supports new JSON security standards. It supports TLS SNI, has introduced new secure ciphers and has updated the user interface to make cipher selection and allowance more explicit. It has also opened up the load balancer group health checker to use GatewayScript.

About the Author

Dan Zrobok

Dan is the owner of Orange Specs Consulting, with over 14 years of experience working in enterprise systems integration. He is an advocate of the IBM DataPower Gateway platform and looks to improve environments that have embraced it. He also occasionally fights dragons with his three year old daughter Ruby, and newborn Clementine.