Certification Study Guide

IBM DataPower Gateway v7.1 Solution Implementation

Bill Barrus, WW Channel Tech Sales, IBM Systems Unit Software

Senior Software Engineer, Certified IT Specialist; bbarrus@us.ibm.com

Test C2180-416: IBM DataPower Gateway V7.1, Solution

- Number of questions: 71
- Time allowed: 2 hours

- 3e/uired pa""in) "core 46

- Test language: English
- http://www.ibm.com/certify/tests/ovrC2180-416.shtml

Recommended Prerequisite Skills / Basic Knowledge

- Networking (TCP/IP, DNS, load balancing, packet tracing and failover)
- PKI (Digital certificates, Certificate Revocation Lists (CRL), SSL)
- Transports (IMS Connect, WebSphere MQ, JMS, FTP, SFTP and HTTP)
- XML (XSD, XSLT/XPath)
- Web services (SOAP, WSDL and WS-Policy)
- Web services security (WS-Security, XML encryption and XML digital signature)
- Identity management software and protocols (Kerberos, LDAP, OAuth and SAML)
- SOA Governance (web services management and registries)
- Data mapping and transformations
- Operations Management (logging and monitoring)
- Enterprise Architecture (Cloud, SOA and Enterprise Security)
- JavaScript ECMA Script 5.1 *
- JSON *
- Perl Compatible Regular Expression (PCRE) syntax *

* new skills required since version 5

Preparation suggestions

1. Work through the Discovering the value of IBM WebSphere DataPower SOA Appliances labs and study the excellent lab notes.
2. Take the two classes if you can.
   ‒ Accelerate, Secure and Integrate with IBM DataPower V7.1
   ‒ Administration of IBM WebSphere DataPower Gateway V7
3. Use the following resources as you go through each section's objective list: Test preparation tab, Web Resource listed by topic, search hyperlinked terms. DataPower v7.1 Knowledge Center, the official product documentation.
4. Take the Sample / Assessment Test if you have not taken the certification test yet. There are only 6 questions, which can give you a sense for the format of the real test, and it provides the answers.
5. Take notes as we step through the remaining slides to help direct your focus of study. Study your notes prior to taking the exam.

Sections of the Test

1. Architecture and Basic Configuration (18%)
2. Administration and Operational Architecture (21%)
3. Security Scenarios (15%)
4. Integration Scenarios (21%)
5. SOA Governance Scenarios (6%)
6. Troubleshooting and Tuning (18%)

Section 1 - Architecture and Basic Configuration

a. Select the appropriate IBM DataPower Gateway modules and form factors based on specified use cases.
b. Select the appropriate usage scenarios such as load balancing and redundancy for High Availability.
c. Select the appropriate DataPower service type for a given use case scenario. [Architectural design patterns, Chapter 2.]
d. Select the appropriate message type and/or message exchange pattern based on use case scenarios. [SOAP, XML, JSON, Pass-Thru and Non-XML. Architectural design patterns, Chapter 2.]
e. Identify integration capabilities between DataPower and other products. [for example MQ, SQL, WSRR, WTX, and especially front side handlers]
f. Architect a service considering capacity, scalability, security and future growth.
g. Architect a service considering failure handling, audit logging and monitoring. [Administration, Deployment, and Best Practices, Chapter 6]
h. Identify the implications of enabling Common Criteria mode during the appliance initialization process.
i. Perform initial setup and enablement of the administrative interfaces.
j. Configure a service and associated DataPower objects using the WebGUI, CLI and XML Management Interface.
k. Identify, configure, and deploy use case patterns via the Blueprint Console.

2U Physical, Virtual Edition

- IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
  ‒ Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
- Available in physical and virtual form factor
- Physical Appliance
  ‒ 2U rack-mount appliance using latest generation hardware platform
  ‒ Two base editions: non-HSM and HSM (FIPS 140-2 Level 3 certified)
  ‒ Each software module is licensed separately
- Virtual Edition
  ‒ Three editions: Developer, Non-Production, Production
  ‒ Developer: includes all software modules at no additional cost, except TIBCO EMS
  ‒ Non-Production: includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
  ‒ Production: each software module is licensed separately
  ‒ Supports V7.1 & above
- All software modules are field


Single, modular extensible platform 1

- ISAM Proxy Module
  ‒ User access control, session management, web SSO enforcement
  ‒ Advanced mobile security: mobile SSO, context-based access, one-time password, multi-factor authn
  ‒ Integration with ISAM for Mobile
- Application Optimization Module
  ‒ Frontend self-balancing
  ‒ Backend intelligent load distribution
  ‒ Session affinity
  ‒ z Sysplex Distributor integration
- Integration Module
  ‒ Any-to-any message transformation
  ‒ Database connectivity
  ‒ Mainframe IMS connectivity
- B2B Module
  ‒ B2B DMZ gateway
  ‒ EDIINT AS1, AS2, AS3, ebXML
  ‒ Partner profile management
  ‒ B2B transaction viewer
  ‒ Any-to-any message transformation
  ‒ Database connectivity
- TIBCO EMS Module
  ‒ Integrate with TIBCO EMS messaging middleware
  ‒ Support for queues & topics
  ‒ Load balancing & fault-tolerance
- IBM DataPower Gateway Base
  ‒ Secure: authentication, authorization; security token translation; service / API virtualization; threat protection; message validation; message filtering; message digital signature; message encryption; AV scanning integration
  ‒ Integrate: transport protocol bridging; message enrichment; message transformation & processing using JavaScript, JSONiq, XQuery, XSLT; mainframe integration & enablement; flexible pipeline message processing engine
  ‒ Control & Manage: service level management; quota & rate enforcement; content-based routing; message accounting; integration w/ management & visibility platforms including IBM API Management & WSRR for policy enforcement
  ‒ Optimize & Offload: SSL / TLS offload; hardware accelerated crypto*; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; local response caching; distributed caching with WXS or XC10; backend load balancing

2U Physical or Virtual Edition

Single, modular extensible platform 2

Firmware V7.1, Modules & Supported Platforms

- Firmware V7.1 delivers
  ‒ ISAM Proxy Module to enable advanced access enforcement of mobile & web use cases
  ‒ B2B Module to enable secure B2B integration capabilities, formerly available on XB62 only
  ‒ Integration Module to enable integration functionality including any-to-any message transformation, database connectivity & mainframe connectivity
  ‒ Kerberos S4U2Self functionality to provide flexible authentication for Microsoft environments
  ‒ Increase in XML names maximum to allow for large configurations, RAS & other enhancements
- V7.1 supports the following
  ‒ IBM DataPower Gateway (Physical and Virtual Edition)
  ‒ XG45 (Physical and Virtual Edition)
  ‒ XI52 (Physical and Virtual Edition), XI50B (2426 & 4195 models)
  ‒ XB62 (Physical)
- ISAM Proxy module requires V7.1 and is available on the following
  ‒ IBM DataPower Gateway (Physical and Virtual Edition)
  ‒ XG45 (Physical and Virtual Edition)
  ‒ XI52 (Physical and Virtual Edition)
  ‒ XB62 (Physical)
- B2B module requires V7.1 and is available on the following
  ‒ IBM DataPower Gateway (Physical and Virtual Edition)
  ‒ XG45 (Physical and Virtual Edition)
  ‒ XI52 (Physical and Virtual Edition)
- Integration module requires V7.1 and is available on the following
  ‒ IBM DataPower Gateway (Physical and Virtual Edition)

IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, integration, control and optimized access to a full range of Mobile, Web, API, SOA, B2B, & Cloud workloads.

Common Use Cases

Figure labels: Internet; Trusted Domain; Application or Service; Trading partners; System z; DataPower Gateway

Use cases shown:
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner
5 SOA & API Gateway, ESB / Integration Gateway
6 Internal Security Enforcement
7 Web Services Governance
8 Legacy Integration

Processing Policy

- A service defines a single policy
  ‒ The policy is enforced through rules.
- Each rule contains
  ‒ Match action: defines criteria to determine if incoming traffic is processed by the rule
  ‒ Processing actions: a rule defines one or more actions taken on the submitted message.

Processing Rules

- Rules have the following directions
  ‒ Server to Client (response)
  ‒ Client to Server (request)
  ‒ Both Directions (request and response)
  ‒ Error: executes when errors occur during processing in the request and response rules
- Rules have priority and can be reordered.
  ‒ Multiple rules may match on the same URL and can be reordered
  ‒ Specific rules have higher priority than catch-all rules

Matching Rule

- A match action allows you to provide different processing based on matching conditions.
- Match criteria can be based on
  ‒ Error code value
  ‒ Fully qualified URL
  ‒ Host
  ‒ HTTP header value
  ‒ URL
  ‒ XPath expression

Processing Actions

- A rule consists of multiple processing actions with scope
  ‒ Actions such as transformation or validation execute during the request or response rule (if any).
  ‒ Contexts or defined variables within the scope are used to pass information between actions.


Section 2 - Administration and Operational Architecture

a. Create and administer users, roles, and Role Based Management on the appliance.
b. Select and configure network settings including link aggregation and VLAN settings.
c. Implement configuration management (import, export, secure backup and secure restore).
d. Implement High Availability, including Application Optimization, and disaster recovery solutions as they apply to the IBM DataPower Gateway.
e. Configure deployment policies and deployment policy variables.
f. Use host names and aliases for portability between environments.
g. Perform tasks using the appliance's administrative interfaces (CLI, WebGUI, XML
h. Manage appliance firmware versions.
i. Manage and backup certificates and keys including the use of the Hardware Security Module (HSM).
j. Enable monitoring for the appliance.

Initial Network Setup

- Use the null-modem cable or a USB-to-serial converter cable to connect the terminal or PC to the SERIAL connector on the device.
- Ensure that the terminal or PC is configured for standard 115200 8N1 (9600 for 7198/9 or 2426 appliances) and no flow control operation.
- Turn on the appliance. You should hear the fans change speed as the screen displays the following information: DPOS... Wait for a few seconds for the device to boot.
- Login as admin/admin.
- Read and accept the license agreement. You will be prompted to change the default admin password.
- You can define the base configuration in one of the following ways
  ‒ With the startup command, which uses the DataPower installation wizard.
  ‒ With a manual procedure, which uses a series of DataPower commands.

Users and Roles

User accounts

- Group-defined
  ‒ The group-defined account type establishes this user as a member of a user group.
- Privileged
  ‒ The privileged account type provides this user with access to the entire resource suite from the WebGUI and CLI on a domain-by-domain basis. Users with privileged access can configure and can monitor all appliance operations.
- User
  ‒ The user account type provides this user with access to view configuration details to most, but not all, objects.

User Groups

A user group represents a collection of users who perform similar duties and require the same level of access to the DataPower appliance.

Creating a group account

Specify a name for the user group.

Format of access policy

The address (appliance address), domain (application domain), and resource (e.g. changepassword, radius) fields must be fully specified or specified with an asterisk (*). An asterisk matches all values. The privileges string is comprised of the individual permission symbols that are separated by the plus sign (+) character. For example, the string a+d+x+r+w represents add, delete, execute, read, and write permissions. The field token must be one of the additional fields that can be added to the string. The corresponding value can be a PCRE. E.g. Name, LocalAddress, LocalPort, etc.
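
The access policy strings described above can be parsed and checked for over-broad grants before they are loaded into a user group. This is an added example, not code from the study guide or from IBM: it assumes the statement layout `address/domain/resource?Access=privileges&Field=pattern`, and the sample statements, the `audit` rules and the use of Python's `re` as a stand-in for PCRE are constructed for illustration.

```python
"""Parse DataPower-style RBM access policy statements and flag broad grants."""
import re
from dataclasses import dataclass

# Permission symbols and meanings as given in the study guide text.
PERMISSIONS = {"a": "add", "d": "delete", "x": "execute", "r": "read", "w": "write"}
MODIFYING = frozenset("adxw")  # every permission except read


@dataclass(frozen=True)
class AccessPolicy:
    address: str            # appliance address, or "*"
    domain: str             # application domain, or "*"
    resource: str           # resource type, or "*"
    permissions: frozenset  # subset of the PERMISSIONS keys
    fields: tuple           # ((field name, compiled pattern), ...)


def parse_policy(statement):
    """Parse 'address/domain/resource?Access=a+d+x+r+w[&Field=pattern...]'."""
    target, sep, query = statement.strip().partition("?")
    if not sep:
        raise ValueError("no '?Access=' part in %r" % statement)
    parts = target.split("/", 2)  # a resource name may itself contain '/'
    if len(parts) != 3 or not all(parts):
        raise ValueError("address, domain and resource must each be set or '*'")
    permissions, fields = None, []
    for token in query.split("&"):
        name, eq, value = token.partition("=")
        if not eq or not value:
            raise ValueError("malformed token %r" % token)
        if name == "Access":
            symbols = value.split("+")
            unknown = [s for s in symbols if s not in PERMISSIONS]
            if unknown:
                raise ValueError("unknown permission symbols %r" % unknown)
            permissions = frozenset(symbols)
        else:
            try:
                # Assumption: Python's re is close enough to PCRE for a syntax check.
                fields.append((name, re.compile(value)))
            except re.error as exc:
                raise ValueError("field %s has a bad pattern: %s" % (name, exc))
    if permissions is None:
        raise ValueError("missing Access= token")
    return AccessPolicy(parts[0], parts[1], parts[2], permissions, tuple(fields))


def audit(policy):
    """Return least-privilege findings for one parsed policy (hypothetical rules)."""
    changes = "/".join(sorted(PERMISSIONS[s] for s in policy.permissions & MODIFYING))
    if not changes:
        return []  # read-only grants are not flagged by these rules
    wild = {policy.address, policy.domain, policy.resource} == {"*"}
    if wild and not policy.fields:
        return ["unrestricted %s on every appliance, domain and resource" % changes]
    if policy.domain == "*":
        return ["%s rights span all application domains" % changes]
    return []


def audit_profile(statements):
    """Audit a whole access profile; parse errors are reported as findings too."""
    report = {}
    for statement in statements:
        try:
            report[statement] = audit(parse_policy(statement))
        except ValueError as exc:
            report[statement] = ["unparseable: %s" % exc]
    return report


# Constructed sample profile (not taken from a real appliance).
SAMPLE_PROFILE = [
    "*/*/*?Access=r",
    "*/*/*?Access=a+d+x+r+w",
    "10.0.0.5/dev/radius?Access=r+w&Name=^lab-.*",
    "*/*/changepassword?Access=x",
    "*/dev?Access=r",
]

if __name__ == "__main__":
    for statement, findings in audit_profile(SAMPLE_PROFILE).items():
        print(statement, "->", findings or "ok")
```
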

Role-based Management (RBM)

- Role-based management consists of the following capabilities
  ‒ Authenticating users: Extract the user identity from the access request and authenticate the user identity that is presented. One of the following methods can be used for user authentication (Local User, Custom, LDAP, RADIUS, SAF, SPNEGO, SSL User Certificate, XML File)
  ‒ Evaluating the access profile: The access profile defines the set of privileges for one or more resources on the DataPower appliance. An access profile can originate from any of the following credential mapping sources (Local User Group, Custom, XML File)
  ‒ Enforcing access to resources: After the user is authenticated and the access profile is evaluated, the DataPower appliance enforces the established access

Example: Check out store:///RBMInfo.xml (found on the DataPower file system)

Configuration Management & High Availability

DataPower Configuration

File Management

Application Domains Devices and Environment

Load Balancers, Active/Active, Active/Standby Configuration

Network Objects

Host Alias Static Hosts

DNS Settings

Reference: http://www.ibm.com/developerworks/websphere/library/techarticles/0801_ras


Managing disaster recovery

Disaster Recovery (DR) is the ability to create a secure backup that you can use to recover the complete configuration of a lost appliance. DR uses a backup-restore process that must be enabled. To check, click Administration > Device > System Settings. If the Backup Mode property is set to Secure, disaster recovery is available.

- Unlike a standard backup, a secure backup contains
  ‒ private data from the appliance (certificates, keys, and user data), which the appliance encrypts with a customer-provided certificate and a DataPower certificate.
  ‒ an unencrypted XML manifest file, which includes information such as the date of the backup and the firmware level, model, and serial number of the backed-up appliance. You can view the unencrypted manifest file.
  ‒ The backup-restore process must be used among appliances that are at the same firmware level and have the same compatible configuration.
- A secure restore does not merge data. The restore deletes all private data (certificates, keys, and user data) that is currently on the target appliance.

Reference: InfoCenter, Managing Disaster Recovery

Consolidate your infrastructure with Application

- Use Self-Balancing technology to spread inbound traffic load across multiple DataPower appliances using a single target.
  ‒ Eliminate the need for additional physical load balancers.
  ‒ Efficiently distributes traffic with minimal overhead.
- Use Intelligent Load Distribution to optimize outbound traffic across multiple destinations.
  ‒ Supports dynamic WebSphere cell interrogation.
  ‒ Automatically updates targets and weights.
- Use Session Affinity to preserve target session state across multiple requests.
  ‒ Supports WebSphere and non-WebSphere targets.
- WAS Application Accelerator for Public Networks
- Secure Cloud Connector

Reference: WSTE presentation on

developerWorks article Using DataPower etc.


Administration Interfaces

- CLI
  ‒ Select Network > Management > SSH Service to display the SSH Service Configuration (Main) screen.
  ‒ Telnet
  ‒ Select Network > Management > Telnet Service to display the Telnet Service catalog.
- WebGUI
  ‒ Access to the appliance via the WebGUI is supported by a dedicated HTTP server that you configured during the initial appliance configuration process.
- XML Management Interface
  ‒ The DataPower appliance can be configured and managed completely through the XML Management Interface. When enabled, this interface allows administrators to send status and configuration requests to the DataPower appliance through a standard SOAP interface.
- WSDM interface
  ‒ When enabled, this implementation provides a protocol-specific interface for managing Web Service endpoints that were instantiated on the appliance through Web Service Proxy objects.

Go back to previous firmware level

You can toggle between releases by rolling back and forth between the current and the previous image. This includes rolling back between major releases.

- In the WebGUI
  ‒ from the Control Panel, choose System Control.
  ‒ in the Firmware Roll-Back section click the "Firmware Roll-Back" button to toggle between images.
- Using the CLI
  ‒ Enter the command "C".
  ‒ Enter the command "flash", press enter.
  ‒ Enter the command "boot switch", press enter.


Section 3 - Security Scenarios

a. Configure crypto objects.
b. Configure a service to use SSL.
c. Configure a service to use WS-Security.
d. Configure a service to secure a WSDL-described web service.
[Items e and f are covered in subsequent slides]
e. Configure a service to enforce non-repudiation using digital signatures.
f. Configure a service to enforce confidentiality using encryption.
g. Configure a service to enforce authentication and authorization.
h. Configure message-level threat protection.
i. Configure a service to use OAuth.
j. Configure the use of a security server such as IBM Security Access Manager (ISAM), SAML and LDAP.
k. Identify the implications of enabling the FIPS 140-2 Level Compliance modes.

Security Terminology

- Authentication verifies the identity of a client.
- Authorization decides a client's level of access to a protected resource.
- Integrity ensures that a message has not been modified while in transit. A cryptographic hash allows the end user to check if a certain message was intercepted or tampered with.
- Confidentiality ensures that the contents of a message are kept secret. DataPower allows message and field level encryption, which ensures that no one can access the payload without the appropriate decrypt key.
- Non-repudiation allows the client to prove that the server has received a previously sent message, and vice-versa. Digital signatures are used to determine if the message was sent by the actual originator.
- Securing data while in-flight: DataPower provides in-flight security using the secure socket layer (SSL). It provides support for HTTPS, FTPS, SFTP, and MQ.
- Auditing maintains records to hold clients accountable to their actions.

Reference: Achieving PCI compliance using WebSphere DataPower

Web Services Security

- Web services security (WS-Security) provides a standard, platform-independent way for specifying message-level security information.
- Flexible set of mechanisms for using a range of security protocols
  ‒ Does not define a set of security protocols
  ‒ Provides end-to-end security
- Associate security tokens with a message
  ‒ Username Token profile
  ‒ X.509 Token profile
  ‒ Kerberos Token profile
  ‒ SAML Token profile: Security Assertion Markup Language
  ‒ REL Token profile: Rights Expression Language
- Confidentiality (XML Encryption)
  ‒ Process for encrypting data and representing the result in XML
- Integrity (XML Signature)
  ‒ Digitally sign the SOAP XML document, providing integrity and signer authentication
- XML Canonicalization
  ‒ Normalizes XML document
  ‒ Ensures two semantically equivalent XML documents contain the same octet stream

Reference: Web Service Proxy Developers Guide

Flexible Authentication, Authorization, and Auditing

Figure labels (input to output):
- HTTP Headers, WS-Security Tokens, SAML Assertion, IP Address, LTPA Token
- SOAP Operation, HTTP Operation
- System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, Netegrity SiteMinder
- Verify Signature
- System/z NSS, Tivoli Access Manager
- Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
- External access control server or on-board identity management store

Secure your data with XML threat protection

XML Threat Protection

- Entity expansion/recursion attacks
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Replay Attack
- Message/data tampering
- Message snooping
- XPath or SQL injection
- XML encapsulation
- XML virus

Configuring XML threat protection


Section 4 - Integration Scenarios

a. Configure a service Front Side Protocol Handler.
b. Configure a service Backend URL. [dynamic backend]
c. Configure a service for mediation between protocols.
d. Configure a service for integration with messaging systems such as IBM MQ.
e. Configure a service to transform XML and Non-XML messages. [transformation using the Transform actions for v7.1]
f. Configure a service for Web 2.0 scenarios. REST proxy deployment, REST bridge deployment
g. Configure a service for database integration.
h. Configure a service to integrate with IMS Connect.
i. Use the Interoperability Test Service during service development.
j. Use extension functions as appropriate within a stylesheet.
k. Customize message processing using GatewayScript module functions.
l. Configure services that support portability between environments. [see next slide]
m. Configure a service to perform JSON schema validation.

Configuration for Migration

- Environments in this case are
  ‒ Development
  ‒ Test
  ‒ Production
- Use these best practices (chapter ) to make a configuration more portable and maintainable
  ‒ Use Host Alias rather than dot decimal address in Services that expose external ports.
  ‒ Use Environment Specific DNS when possible rather than dot decimal
  ‒ Use Static Hosts to handle DNS aberrations.
  ‒ Externalize XSLT IP/Port and Host Name references via the Identity
  ‒ Migrate only those objects which require migration.


Section 5 - SOA Governance Scenarios

a. Configure Message Monitors and Service Level Monitoring (SLM) policies to enforce Service Level Agreements (SLAs).
b. Attach and enforce WS-Policy statements using a web service proxy service. [focus on enforcement in the knowledge center article]
c. Attach and enforce WS-MediationPolicy statements within a web service proxy service.
d. Configure subscriptions to external service registries such as WebSphere Service Registry and Repository (WSRR).

Allow for constant feedback on messages that flow through the appliance. You can configure monitors to generate log messages at a given log level after reaching a count or latency threshold or other event trigger. Monitors can also throttle (reject) or shape (delay) traffic after reaching a count or latency threshold or other event trigger.

- Count Monitors
  ‒ Increment a counter every time messages of a particular type pass through a service
- Duration Monitors
  ‒ Increment a counter every time a configured amount of time passes during the processing of messages of a particular type
- Web Service Monitors
  ‒ Offer the ability to configure monitoring based on the services defined in a WSDL
- Service Level Monitors
  ‒ Allow finer degree of control which can extend to the precise definition of users or resources and the scheduling of operations

WS Policy

- The WS-Policy standard provides an XML vocabulary for Web services to describe their constraints and requirements.
  ‒ Each policy consists of one or more policy assertions.
- Policy assertions define the requirements of a service for a particular policy domain.
  ‒ Require username token
  ‒ Require encryption
  ‒ Require digital signature
- Policy assertions do not follow any predefined format, except that they are embedded within a <Policy> tag.

    <wsp:Policy xmlns:wsp="http://www.w3.org/2006/07/ws-policy">
      <UsernameToken/> <!-- Policy Assertion -->
    </wsp:Policy>

- The WS-Policy specification allows you to enforce requirements that cannot be described by a WSDL file. For example, if you require all requests to be digitally signed, it is not possible to encode that requirement in a WSDL file.


Section 6 - Troubleshooting and Tuning (18%)

a. Resolve network connectivity problems.
b. Perform and analyze packet captures.
c. Configure Log Targets for analysis and alerting.
d. Configure event triggers.
e. Analyze and interpret system logs.
f. Debug message flows using the Probe.
g. Configure a service for transaction logging.
h. Configure the appliance to manage memory usage.
i. Configure the appliance for network optimization. [Static route table]
j. Use status providers and built-in capabilities to perform analysis and
k. Configure caching on a service.

Packet Capture

- Generates a PCAP file
- Use Wireshark (Ethereal) or other PCAP tool to analyze the results.

Event Triggers

- You can use the event triggers to automatically run commands when specific messages are logged. Typical usage would be to generate an error report when a rarely observed but recurring message is logged.
- You can define event triggers for a variety of situations
  ‒ Starting and stopping a packet capture.
  ‒ Creating an error report when a discrete service encounters a problem.
  ‒ Using a custom message.

Network Connectivity

Preparation suggestions - repeated

1. Work through the Discovering the value of IBM WebSphere DataPower SOA Appliances labs and study the excellent lab notes.
2. Take the two classes if you can: Accelerate, Secure and Integrate with IBM DataPower V7.1; Administration of IBM WebSphere DataPower Gateway V7
3. Use the following resources as you go through each section's objective list: Test preparation tab, Web Resource listed by topic, search hyperlinked terms. DataPower v7.1 Knowledge Center, the official product documentation.
4. Take the Sample / Assessment Test if you have not taken the certification test yet. There are only 6 questions, which can give you a sense for the format of the real test, and it provides the answers.
5. Take notes. Study your notes prior to taking the exam.

The test

- Contains questions requiring single and multiple answers
  ‒ For multiple-answer questions, you need to choose all required options to get the answer correct
  ‒ You will be advised how many options make up the correct answer
- Is designed to provide diagnostic feedback on the Examination Score Report
  ‒ Correlating back to the test objectives
  ‒ Informing the test taker how they did on each section of the test.
  ‒ Questions and answers are not distributed

Tips for passing the test

Taking the Test

- Some questions are very tricky while others are very straightforward.
- Try not to get discouraged and return to the more difficult questions if time permits.

- 3e!e!+er t%at a "core of 46 i" enou)% to pa"".


- If you pass, celebrate
- If not, record questions that you missed
- Find answers you missed in the Knowledge Center or other sources and schedule to take the test again soon.

Foundational Technologies

a. Identify the characteristics of TCP/IP networking.
b. Identify the characteristics of Public Key Infrastructure (PKI).
c. Describe how SSL transport encryption and endpoint authentication work.
d. Identify the characteristics of an XML message, SOAP message and JSON
e. Identify the characteristics of XSLT, XPath expressions, XSD and WSDL.
f. Identify basic message-level security concepts.
g. Identify the characteristics of attachments in web services.
h. Describe the characteristics of messaging systems such as WebSphere MQ and JMS.
i. Identify the characteristics of Web 2.0 services.

SSL Handshake

SSL Client / SSL Server

(1) Client Hello, Cipher Suites Supported, version supported
(2) Server Hello, Cipher Suite Selected, Server Certificate, Client Certificate Request
(3) Verify Server certificate. Check
    selected by the
(4) Client key exchange, Send secret key (encrypted with server public key)
(5) Send client certificate (optional)
(7) Client Finish
(8) Server Finish
(9) Exchange messages


SSL object Hierarchy and underlying PKI integration

- The Crypto Identification Credential object is used when providing an identity to connecting clients. When a client connects, it requests a certificate. The crypto ID credential references which certificate should be returned to the client. It also references a private key which is used by SSL.
- A Crypto Validation Credential can be used when verifying a digital signature when the signer may be one of many different business partners. With a crypto validation credential (often referred to as a valcred), you can create a single processing rule with a single signature verification action that will accommodate countless public certificates.
- The Crypto Profile object ties together a Crypto ID credential and a Crypto Validation
- The SSL Proxy Profile provides some protocol-specific options and references a crypto profile. The SSL Proxy Profile thus contains every bit of information needed to establish one or two-way SSL handshaking.

XML Example

- Test is focused on examples. Here is an example from w3schools.com taken out of XPath section.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <bookstore>
      <book category="WEB">
        <title lang="en">XQuery Kick Start</title>
        <author>James McGovern</author>
        <author>Per Bothner</author>
        <author>Kurt Cagle</author>
        <author>James Linn</author>
        <author>Vaidyanathan Nagarajan</author>
        <year>2003</year>
        <price>49.99</price>
      </book>
      <book category="WEB">
        <title lang="en">Learning XML</title>
        <author>Erik T. Ray</author>
        <year>2003</year>
        <price>39.95</price>
      </book>
    </bookstore>

- XSLT is used to transform an XML document into another XML document, or another type of document that is recognized by a browser, like HTML and XHTML. Normally XSLT does this by transforming each XML element into an (X)HTML element.
- With XSLT you can add/remove elements and attributes to or from the output file. You can also rearrange and sort elements, perform tests and make decisions about which elements to hide and display, and a lot more.
- In the transformation process, XSLT uses XPath to define parts of the source document that should match one or more predefined templates. When a match is found, XSLT will transform the matching part of the source document into the result document.

Refer to http://www.w3schools.com/xsl/xsl_intro.asp for more information.



- XPath is a specification for describing a location within an XML document.
  ‒ Shared by many XML-based standards/technologies
  ‒ Used by XSLT, XPointer, and XQuery
- Allows you to address elements of a document that meet specified criteria.
  ‒ Example: In XML for a book on Java, find the chapters with JDBC in the title
- Provides the ability to retrieve a subset of an XML document in any direction.
  ‒ Forwards, backwards or sideways
- Expression shortcuts
  ‒ “//[element]” selects element node regardless of location
  ‒ “.” selects the current node
  ‒ “..” selects the parent of the current node
  ‒ “@[attributename]” selects an attribute

