Shashi Kallae

IBM DataPower Gateway Certificate Management

IBM DataPower Gateway is an IBM product that addresses an organization's security and integration needs, and it is one of the most widely used application proxies/gateways for interfacing with external APIs. DataPower uses certificates for a variety of purposes, such as:

  1. Validating the identity of an external API endpoint (aka the backend URL).

  2. Authenticating to an external API endpoint.

Benefits of using IBM DataPower Gateway

  1. Mitigate Vulnerabilities.

  2. Accelerate transformation.

  3. Reduce cost and complexity.

  4. Simplify troubleshooting.

Features of IBM DataPower Gateway

  1. Runtime application security.

  2. Transform messages and protocols.

  3. Application and service protection.

  4. Access management and control.

  5. Extensive debug tool.

  6. Intuitive user experience.

IBM DataPower Gateway Versions

IBM offers DataPower Gateway in two form factors: physical/hardware and virtual/software.


Physical/Hardware

  1. Physical intrusion detection.

  2. Secure boot process.

  3. Hardware security module (HSM) support for protecting private keys.

  4. Lower latency and higher throughput than virtual appliances.

  5. Purpose-built system.

Virtual/Software

  1. High elasticity.

  2. Flexible licensing.

  3. Can be deployed on x86 architecture-based servers and on supported cloud infrastructure.

  4. Increased workload isolation.

  5. Run multiple instances concurrently on a single physical server.

  6. Provides a lower-cost environment.

IBM DataPower Gateway Certificate Maintenance

An organization should maintain a centralized, standard system for managing certificates, referred to here as the certificate wallet, in which every certificate deployed on the DataPower Gateway is assigned to an owning application. Each certificate used by the DataPower Gateway must be recorded in the certificate wallet; otherwise renewals, installations and the decommissioning of expired or unused certificates drift out of sync with what is actually deployed on the gateway.


The certificate wallet should be able to send notifications or emails to the assigned application team members when certificates are due to be renewed or replaced.
If the certificate wallet does not reflect the current state of the certificates on the DataPower Gateway (for example, a certificate was renewed on the gateway but the wallet still holds the old copy, or a gateway certificate was never recorded at all), renewal notices go to nobody. In this scenario the DataPower Gateway team should work with the integrated application teams to reconcile the two inventories and put checks in place so that critical certificates do not expire without notice.

Certificate use cases in IBM DataPower Gateway

  1. Validating the identity of an endpoint that DataPower Gateway connects to. The trusted CA or peer certificates used for this are grouped in a Validation Credentials object, commonly called a 'valcred'.

  2. SSL/TLS termination.

  3. Backend server authentication (validating the backend's certificate during the TLS handshake).

  4. Message signing and encryption.

  5. SSL/TLS client authentication (DataPower presents its own certificate and private key, held in an Identification Credentials object or 'idcred', to the backend).

  6. Certificate revocation checking (CRL/OCSP).

  7. Trust store management.

  8. Key management.

To reflect the object relationships in DataPower Gateway, each certificate object in the certificate wallet should be given a display name (nickname) derived from the backend URL it is used for: the FQDN of the backend URL, followed by the reason for usage in parentheses.


Example: if the backend URL is "https://products.ibm.com", the DataPower Gateway URL is "https://serviceproxyprod.ibminternal.net/nonxml/ibm.com/ibmDPoutboundService", and the certificate is used in a validation credential, then the certificate's nickname can be "products.ibm.com (outbound valcred)".
The Description metadata field of the certificate should contain both the DataPower Gateway URL (the URL the organization's applications use to connect to the gateway) and the backend URL.
The certificate object in the wallet should hold a copy of the actual public certificate deployed on the DataPower Gateway, so that the wallet copy can be compared against the gateway (for example by fingerprint) to detect drift. Private keys stay on the gateway and are never copied into the wallet.
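As an added example (not DataPower product code and not the author's own tooling), the script below turns the naming convention above into code and runs the reconciliation check described under Certificate Maintenance. It derives each wallet nickname from the backend URL's FQDN plus the usage reason, fills the Description field with the DataPower URL and the backend URL, and compares a gateway export against a wallet export by SHA-256 fingerprint of the stored certificate. It flags gateway certificates missing from the wallet, wallet copies that are stale (the gateway already carries a renewed certificate), orphaned wallet entries, and certificates that are expiring or expired, together with the owner to notify. The export field names, the partner and legacy URLs, the owner addresses, the fixed clock and the placeholder PEM bodies are all constructed for this example; only the products.ibm.com URLs come from the post.

```python
"""Reconcile certificates deployed on an IBM DataPower Gateway against the
central certificate wallet, using the nickname/description convention above.

Added example, not DataPower product code. The gateway and wallet "exports"
are constructed in-memory records; their field names are assumptions about
what your own gateway export and wallet provide.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes of the first PEM certificate block, i.e. the
    value `openssl x509 -fingerprint -sha256` reports, so gateway and wallet
    copies can be compared regardless of PEM line wrapping."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def nickname(backend_url: str, usage: str) -> str:
    """'<FQDN of backend URL> (<reason for usage>)'; port and path are dropped."""
    host = urlparse(backend_url).hostname  # already lower-cased by urlparse
    if not host:
        raise ValueError(f"backend URL has no host: {backend_url!r}")
    return f"{host} ({usage})"


def description(datapower_url: str, backend_url: str) -> str:
    """Description metadata: the DataPower URL the applications call and the
    backend URL the gateway connects to."""
    return f"DataPower URL: {datapower_url} | Backend URL: {backend_url}"


def wallet_record(gw: dict) -> dict:
    """The wallet entry a gateway certificate should have. Only the public
    certificate is copied; the private key never leaves the gateway."""
    return {"nickname": nickname(gw["backend_url"], gw["usage"]),
            "description": description(gw["datapower_url"], gw["backend_url"]),
            "pem": gw["pem"]}


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(gateway_certs, wallet_entries, now, warn_days=30):
    """Compare gateway export with wallet export. Returns the discrepancies the
    post warns about plus the renewal notifications the wallet should send."""
    wallet = {w["nickname"]: w for w in wallet_entries}
    seen = set()
    out = {"missing_in_wallet": [], "stale_in_wallet": [],
           "orphaned_in_wallet": [], "expiring": [], "expired": []}
    for gw in gateway_certs:
        name = nickname(gw["backend_url"], gw["usage"])
        seen.add(name)
        entry = wallet.get(name)
        if entry is None:
            out["missing_in_wallet"].append(name)
        elif fingerprint_sha256(entry["pem"]) != fingerprint_sha256(gw["pem"]):
            out["stale_in_wallet"].append(name)  # renewed on gateway, wallet not updated
        days_left = (_parse_utc(gw["not_after"]) - now).days
        owner = entry["owner"] if entry else None  # nobody to notify if missing
        if days_left < 0:
            out["expired"].append((name, days_left, owner))
        elif days_left <= warn_days:
            out["expiring"].append((name, days_left, owner))
    out["orphaned_in_wallet"] = sorted(set(wallet) - seen)  # decommissioned, still in wallet
    return out


def _fake_pem(tag: bytes) -> str:
    """Constructed placeholder: base64 of a tag, not a real DER certificate.
    fingerprint_sha256() handles it exactly like a real PEM body."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(tag).decode()}\n-----END CERTIFICATE-----\n"


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the example

GATEWAY_CERTS = [  # constructed export of the gateway's certificate objects
    {"object": "products_ibm_com_valcred", "usage": "outbound valcred",
     "backend_url": "https://products.ibm.com",
     "datapower_url": "https://serviceproxyprod.ibminternal.net/nonxml/ibm.com/ibmDPoutboundService",
     "pem": _fake_pem(b"products-cert-2024"), "not_after": "2025-01-15T00:00:00Z"},
    {"object": "partner_api_clientauth", "usage": "outbound client auth",  # hypothetical
     "backend_url": "https://api.partner.example:8443/v1",
     "datapower_url": "https://serviceproxyprod.ibminternal.net/nonxml/partner/api",
     "pem": _fake_pem(b"partner-cert-renewed"), "not_after": "2024-06-20T00:00:00Z"},
    {"object": "legacy_feed_valcred", "usage": "outbound valcred",  # hypothetical
     "backend_url": "https://feed.legacy.example",
     "datapower_url": "https://serviceproxyprod.ibminternal.net/nonxml/legacy/feed",
     "pem": _fake_pem(b"legacy-feed-cert"), "not_after": "2024-05-01T00:00:00Z"},
]

WALLET_ENTRIES = [  # constructed wallet export: one current, one stale, one orphan
    {"nickname": "products.ibm.com (outbound valcred)", "owner": "products-team@example.com",
     "pem": _fake_pem(b"products-cert-2024")},
    {"nickname": "api.partner.example (outbound client auth)", "owner": "partner-team@example.com",
     "pem": _fake_pem(b"partner-cert-old")},  # gateway already carries the renewed cert
    {"nickname": "old.decom.example (outbound valcred)", "owner": "retired-team@example.com",
     "pem": _fake_pem(b"decommissioned-cert")},
]

if __name__ == "__main__":
    findings = reconcile(GATEWAY_CERTS, WALLET_ENTRIES, NOW)
    for key, value in findings.items():
        print(f"{key}: {value}")
    by_name = {nickname(g["backend_url"], g["usage"]): g for g in GATEWAY_CERTS}
    for name in findings["missing_in_wallet"]:
        print("wallet entry to create:", wallet_record(by_name[name]))
```

Run against the constructed exports, the legacy feed certificate shows up as both missing from the wallet and already expired with no owner to notify, which is exactly the failure the reconciliation is meant to catch; the partner certificate is flagged as stale and as expiring in 19 days with its owner attached, and the decommissioned entry is reported as an orphan to be cleaned up.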

The following is only a depiction of IBM DataPower Gateway; it may change according to your organization's policies, requirements and infrastructure architecture.

[Figure: a depiction of IBM DataPower Gateway]

