IBM DataPower Gateway v7.1 Solution Implementation Certification Study Guide
Bill Barrus, WW Channel Tech Sales, IBM Systems Unit Software
Senior Software Engineer, Certified IT Specialist;
[email protected]
2015 IBM Corporation
Test C2180-416: IBM DataPower Gateway V7.1, Solution
Implementation
Number of questions: 71
Time allowed: 2 hours!
Required passing score: 63%
Test language: English
http://www.ibm.com/certify/tests/ovrC2180-416.shtml
Recommended Prerequisite Skills (basic knowledge)
Networking (TCP/IP, DNS, load balancing, packet tracing and failover)
PKI (Digital certificates, Certificate Revocation Lists (CRL), SSL)
Transports (IMS Connect, WebSphere MQ, JMS, FTP, SFTP and HTTP)
XML (XSD, XSLT/XPath)
Web services (SOAP, WSDL and WS-Policy)
Web services security (WS-Security, XML encryption and XML digital signature)
Identity management software and protocols (Kerberos, LDAP, OAuth and SAML)
SOA Governance (web services management and registries)
Data mapping and transformations
Operations Management (logging and monitoring)
Enterprise Architecture (Cloud, SOA and Enterprise Security)
JavaScript ECMA Script 5.1 *
JSON *
Perl Compatible Regular Expression (PCRE) syntax *
* new skills required since version 5
Preparation suggestions
1. Work through the Discovering the value of IBM WebSphere DataPower SOA Appliances labs and study the excellent lab notes.
2. Take the two classes if you can:
Accelerate, Secure and Integrate with IBM DataPower V7.1
Administration of IBM WebSphere DataPower Gateway V7
3. Use the following resources as you go through each section's objective list:
Test preparation tab: Web Resource listed by topic; search the hyperlinked terms.
DataPower v7.1 Knowledge Center: the official product documentation.
4. Take the Sample / Assessment Test if you have not taken the certification test yet. There are only 6 questions, which can give you a sense of the format of the real test, and it provides the answers.
5. Take notes as we step through the remaining slides to help direct your focus of study. Study your notes prior to taking the exam.
Sections of the Test
1. Architecture and Basic Configuration (18%)
2. Administration and Operational Architecture (21%)
3. Security Scenarios (15%)
4. Integration Scenarios (21%)
5. SOA Governance Scenarios (6%)
6. Troubleshooting and Tuning (18%)
Section 1 - Architecture and Basic Configuration
a. Select the appropriate IBM DataPower Gateway modules and form factors based on specified use cases.
b. Select the appropriate usage scenarios such as load balancing and redundancy for High Availability.
c. Select the appropriate DataPower service type for a given use case scenario. [Architectural design patterns, Chapter 2]
d. Select the appropriate message type and/or message exchange pattern based on use case scenarios [SOAP, XML, JSON, Pass-Thru and Non-XML]. [Architectural design patterns, Chapter 2]
e. Identify integration capabilities between DataPower and other products [for example: MQ, SQL, WSRR, WTX, and especially front side handlers].
f. Architect a service considering capacity, scalability, security and future growth.
g. Architect a service considering failure handling, audit logging and monitoring. [Administration, Deployment, and Best Practices, Chapter 6]
h. Identify the implications of enabling Common Criteria mode during the appliance initialization process.
i. Perform initial setup and enablement of the administrative interfaces.
j. Configure a service and associated DataPower objects using the WebGUI, CLI and XML Management Interface.
k. Identify, configure, and deploy use case patterns via the Blueprint Console.
Single, modular & extensible platform 1
IBM DataPower Gateway is the new name of a consolidated, extensible & modular platform
Physical Appliance
Converges three existing products, XG45 / XI52 / XB62, into a single modular offering
Available in physical and virtual form factor
2U rack mount appliance using latest generation hardware platform
Two base editions: Non-HSM and HSM (FIPS 140-2 Level 3 certified)
Each software module is licensed separately
Virtual Edition
Three editions: Developer, Non-Production, Production
Developer includes all software modules at no additional cost, except TIBCO EMS
Non-Production includes all software modules at no additional cost, except TIBCO EMS & ISAM Proxy
Production: Each software module is licensed separately
[Figure: the separately licensed software modules (ISAM Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module); all software modules are field upgradeable; supports V7.1 & above (2U Physical, Virtual Edition)]
Single, modular & extensible platform 2
Modules
B2B Module: B2B DMZ gateway; EDIINT AS1, AS2, AS3, ebXML; partner profile management; B2B transaction viewer; any-to-any message transformation; database connectivity
ISAM Proxy Module: user access control, session management, web SSO enforcement; advanced mobile security (mobile SSO, context-based access, one-time password, multi-factor authentication); integration with ISAM for Mobile
TIBCO EMS Module: integrate with TIBCO EMS messaging middleware; support for queues & topics; load balancing & fault-tolerance
Application Optimization Module: frontend self-balancing; backend intelligent load distribution; session affinity; z Sysplex Distributor integration
Integration Module: any-to-any message transformation; database connectivity; mainframe IMS connectivity
IBM DataPower Gateway (Base)
Secure: authentication, authorization; security token translation; service / API virtualization; threat protection; message validation; message filtering; message digital signature; message encryption; AV scanning integration
Integrate: transport protocol bridging; message enrichment; message transformation & processing using JavaScript, JSONiq, XQuery, XSLT; mainframe integration & enablement; flexible pipeline message processing engine
Control & Manage: service level management; quota & rate enforcement; content-based routing; message accounting; integration with management & visibility platforms including IBM API Management & WSRR for policy enforcement
Optimize & Offload: SSL / TLS offload; hardware accelerated crypto*; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; local response caching; distributed caching with WXS or XC10; backend load balancing
2U Physical or Virtual Edition
Firmware V7.1, Modules & Supported Platforms
Firmware V7.1 delivers
ISAM Proxy Module to enable advance access enforcement of mobile & web use cases
B2B Module to enable secure B2B integration capabilities, formerly available on XB62 only
Integration Module to enable integration functionality including any-to-any message
transformation, database connectivity & mainframe connectivity
Kerberos S4U2Self functionality to provide flexible authentication for Microsoft environments
Increase in XML Names maximum to allow for large configurations, RAS & other enhancements
V7.1 supports the following:
IBM DataPower Gateway (Physical and Virtual Edition)
XG45 (Physical and Virtual Edition)
XI52 (Physical and Virtual Edition), XI50B (2426 & 4195 models)
XB62 (Physical)
ISAM Proxy module requires V7.1 and is available on the following:
IBM DataPower Gateway (Physical and Virtual Edition)
XG45 (Physical and Virtual Edition)
XI52 (Physical and Virtual Edition)
XB62 (Physical)
B2B module requires V7.1 and is available on the following:
IBM DataPower Gateway (Physical and Virtual Edition)
XG45 (Physical and Virtual Edition)
XI52 (Physical and Virtual Edition)
Integration module requires V7.1 and is available on the following:
IBM DataPower Gateway (Physical and Virtual Edition)
Common Use Cases
IBM DataPower Gateway Appliances are the industry-leading Security & Integration gateways that help provide security, integration, control and optimized access to a full range of Mobile, Web, API, SOA, B2B, & Cloud workloads.
[Figure: deployment topology across Internet, DMZ and Trusted Domain, with DataPower Gateway tiers in the DMZ and in the trusted domain in front of applications/services and middleware. Numbered use cases 1 to 8: Mobile Gateway, API Gateway, Web Gateway, B2B Partner Gateway (trading partners), SOA & API Gateway, ESB / Integration Gateway, Internal Security Enforcement, Web Services Governance & Management, and Legacy Integration with z Systems.]
Processing Policy
A service defines a single policy
The policy is enforced through rules.
Each rule contains:
Match action
Defines criteria to determine if incoming traffic is processed by the rule
Processing actions:
A rule defines one or more actions taken on the submitted message.
Processing Rules
Rules have the following directions:
Server to Client (response)
Client to Server (request)
Both Directions (request and response)
Error: executes when errors occur during processing in the request and response rules
Rules have priority and can be reordered.
Multiple rules may match the same URL; their order decides which one runs, and they can be reordered.
Specific rules have higher priority than catch-all rules.
Matching Rule
A match action allows you to provide different processing based on
matching conditions.
Match criteria can be based on:
Error code value
Fully qualified URL
Host
HTTP header value
URL
XPath expression
Processing Actions
A rule consists of multiple processing actions with scope
Actions such as transformation or validation execute during the request or
response rule (if any).
Contexts or defined variables within the scope are used to pass information
between actions.
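The rule semantics of the last three slides (direction, match action, priority order, catch-all) as an added, runnable model. This is example code written for this guide, not DataPower's implementation; the Request and Rule classes, the rule names and the SOAP body with the made-up urn:example namespace are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """Hypothetical stand-in for a message entering a service (not a DataPower type)."""
    direction: str            # "request", "response" or "error"
    url: str
    host: str
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Rule:
    name: str
    direction: str                    # "request", "response", "both" or "error"
    match: Callable[[Request], bool]  # the match action
    actions: List[str] = field(default_factory=list)  # processing actions, in order

    def applies(self, req: Request) -> bool:
        both_ok = self.direction == "both" and req.direction in ("request", "response")
        return (both_ok or self.direction == req.direction) and self.match(req)


# Match criteria named on the Matching Rule slide: URL, host, HTTP header value, XPath.
def url_match(pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.url) is not None


def host_match(host: str) -> Callable[[Request], bool]:
    return lambda r: r.host.lower() == host.lower()


def header_match(name: str, pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name, "")) is not None


def xpath_match(path: str) -> Callable[[Request], bool]:
    """ElementTree's XPath subset is enough here; a body that is not well-formed XML never matches."""
    def check(r: Request) -> bool:
        try:
            return ET.fromstring(r.body).find(path) is not None
        except ET.ParseError:
            return False
    return check


def select_rule(policy: List[Rule], req: Request) -> Optional[Rule]:
    """Rules are tried in priority order (list order); the first one whose direction and
    match action fit is the one that runs, so the ordering is part of the security policy."""
    for rule in policy:
        if rule.applies(req):
            return rule
    return None


def example_policy() -> List[Rule]:
    """Specific rules first, catch-all last, plus an error rule."""
    return [
        Rule("admin-ops", "request", xpath_match(".//{urn:example}AdminOp"),
             ["aaa-admin", "validate", "transform"]),
        Rule("json-api", "request", header_match("Content-Type", r"^application/json"),
             ["validate-json", "route"]),
        Rule("catch-all", "both", url_match(r".*"), ["pass-through"]),
        Rule("on-error", "error", url_match(r".*"), ["log", "fault"]),
    ]


def misordered_policy() -> List[Rule]:
    """The same rules with the catch-all promoted: the admin rule can never fire on a request."""
    rules = example_policy()
    return [rules[2], rules[0], rules[1], rules[3]]


# Constructed SOAP request carrying an administrative operation.
ADMIN_SOAP = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<AdminOp xmlns="urn:example"><Target>all</Target></AdminOp></soap:Body></soap:Envelope>'
)


def route(policy: List[Rule], req: Request) -> List[str]:
    """Name of the selected rule followed by its actions, or ['no-match']."""
    rule = select_rule(policy, req)
    return ["no-match"] if rule is None else [rule.name] + rule.actions
```

The misordered policy is the point of the "specific rules above catch-all" advice: with the pass-through rule first, the administrative request is forwarded without the AAA action ever running.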
Section 2 - Administration and Operational Architecture
a. Create and administer users, roles, and Role Based Management on the appliance.
b. Select and configure network settings including link aggregation and VLAN settings.
c. Implement configuration management (import, export, secure backup and secure restore).
d. Implement High Availability, including Application Optimization, and disaster recovery solutions as they apply to the IBM DataPower Gateway.
e. Configure deployment policies and deployment policy variables.
f. Use host names and aliases for portability between environments.
g. Perform tasks using the appliance's administrative interfaces (CLI, WebGUI, XML Management).
h. Manage appliance firmware versions.
i. Manage and back up certificates and keys including the use of the Hardware Security Module (HSM).
j. Enable monitoring for the appliance.
Initial Network Setup
Use the null-modem cable or a USB-to-serial converter cable to connect
the terminal or PC to the SERIAL connector on the device.
Ensure that the terminal or PC is configured for standard 115200 8N1
(9600 for 7198/9 or 2426 appliances) and no flow control operation.
Turn on the appliance. You should hear the fans change speed as the screen displays the boot information (DPOS...). Wait a few seconds for the device to boot.
Log in as admin/admin.
Read and accept the license agreement. You will be prompted to change
the default admin password.
You can define the base configuration in one of the following ways:
With the startup command, which uses the DataPower installation wizard.
With a manual procedure, which uses a series of DataPower commands.
Users and Roles
User accounts
Group-defined
The group-defined account type establishes this user as a member of a user group.
Privileged
The privileged account type provides this user with access to the entire resource
suite from the WebGUI and CLI on a domain-by-domain basis. Users with privileged
access can configure and can monitor all appliance operations.
User
The user account type provides this user with access to view configuration details to
most, but not all, objects.
Users and Roles
User Groups
A user group represents a collection of users who perform similar duties and require
the same level of access to the DataPower appliance.
Creating a group account:
Specify a name for the user group.
Format of access policy:
address/domain/resource?Access=privileges&[field=value]
The address (appliance address), domain (application domain), and resource (e.g. change-password, radius) fields must be fully specified or specified with an asterisk (*). An asterisk matches all values.
The privileges string is made up of the individual permission symbols separated by the plus sign (+) character. For example, the string a+d+x+r+w represents add, delete, execute, read, and write permissions.
The field token must be one of the additional fields that can be added to the string (e.g. Name, LocalAddress, LocalPort); the corresponding value can be a PCRE.
Role-based Management (RBM)
Role-based management consists of the following capabilities:
Authenticating users: Extract the user identity from the access request and
authenticate the user identity that is presented. One of the following methods can
be used for user authentication (Local User, Custom, LDAP, RADIUS, SAF,
SPNEGO, SSL User Certificate, XML File)
Evaluating the access profile: The access profile defines the set of privileges
for one or more resources on the DataPower appliance. An access profile can
originate from any of the following credential mapping sources (Local User
Group, Custom, XML File)
Enforcing access to resources: After the user is authenticated and the access
profile is evaluated, the DataPower appliance enforces the established access
profile
Example: Check out: store:///RBMInfo.xml (found on the DataPower file system)
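The access policy format from the previous slide, and the "evaluate the access profile, then enforce it" steps of RBM, as an added example. This is illustrative code written for this guide, not the appliance's RBM implementation: the profile (a list of policies) and the resource names other than change-password and radius are constructed, field values are matched with Python's re rather than PCRE, and the enforcement rule (an operation is allowed if any matching policy grants the symbol) is this example's own simplification.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Permission symbols from the slide: a+d+x+r+w
PERMISSIONS = {"a": "add", "d": "delete", "x": "execute", "r": "read", "w": "write"}


@dataclass(frozen=True)
class AccessPolicy:
    address: str
    domain: str
    resource: str
    privileges: FrozenSet[str]
    fields: Dict[str, "re.Pattern"]   # extra field constraints, value compiled as a regex


def parse_access_policy(text: str) -> AccessPolicy:
    """Parse 'address/domain/resource?Access=privileges&[field=value]'."""
    path, _, query = text.partition("?")
    parts = path.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected address/domain/resource, got {path!r}")
    # Split the query by hand: urllib.parse.parse_qs would decode the '+' separators as spaces.
    pairs = [p.split("=", 1) for p in query.split("&") if p]
    if any(len(p) != 2 for p in pairs):
        raise ValueError(f"malformed field=value pair in {text!r}")
    params = dict(pairs)
    access = params.pop("Access", None)
    if access is None:
        raise ValueError("Access=privileges is required")
    symbols = [s for s in access.split("+") if s]
    unknown = [s for s in symbols if s not in PERMISSIONS]
    if unknown:
        raise ValueError(f"unknown permission symbol(s): {unknown}")
    # Field values are PCREs on the appliance; Python's re covers the subset used here.
    fields = {name: re.compile(value) for name, value in params.items()}
    return AccessPolicy(parts[0], parts[1], parts[2], frozenset(symbols), fields)


def is_valid_policy(text: str) -> bool:
    try:
        parse_access_policy(text)
        return True
    except ValueError:
        return False


def _component_matches(pattern: str, value: str) -> bool:
    # Address, domain and resource are exact strings or the '*' wildcard, not regexes.
    return pattern == "*" or pattern == value


def policy_applies(p: AccessPolicy, address: str, domain: str, resource: str,
                   attrs: Dict[str, str]) -> bool:
    if not (_component_matches(p.address, address)
            and _component_matches(p.domain, domain)
            and _component_matches(p.resource, resource)):
        return False
    # Every field constraint must hold for the object's attributes; a missing attribute never matches.
    return all(name in attrs and rx.search(attrs[name]) is not None
               for name, rx in p.fields.items())


def permitted(profile: List[AccessPolicy], perm: str, address: str, domain: str,
              resource: str, attrs: Optional[Dict[str, str]] = None) -> bool:
    """Enforcement step (this example's own rule): allowed if any policy in the evaluated
    access profile matches the resource and grants the permission symbol."""
    if perm not in PERMISSIONS:
        raise ValueError(f"unknown permission {perm!r}")
    attrs = attrs or {}
    return any(perm in p.privileges and policy_applies(p, address, domain, resource, attrs)
               for p in profile)


# Constructed access profile, the kind of list a user group or RBM credential mapping yields.
DEVELOPER_PROFILE = [parse_access_policy(s) for s in (
    "*/*/*?Access=r",                        # read everything, in every domain
    "*/dev/*?Access=a+d+x+r+w",              # full control in the dev domain
    "*/default/change-password?Access=x",    # may change own password in default
    "*/prod/*?Access=r+w&Name=^dev-",        # in prod, write only objects whose Name starts with dev-
)]
```

The Name constraint shows why field values matter when reading a profile: the fourth policy grants write in prod, but only to objects whose Name matches the PCRE, so an object without a Name attribute or with another name falls back to the read-only first policy.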
Configuration Management & High Availability
DataPower Configuration:
File Management
Application Domains
Devices and Environment
Load Balancers, Active/Active, Active/Standby Configuration
Network Objects:
Host Alias
Static Hosts
DNS Settings
Reference: http://www.ibm.com/developerworks/websphere/library/techarticles/0801_rasmussen/0801_rasmussen.html
Managing disaster recovery
Disaster Recovery (DR) is the ability to create a secure backup that you can use to
recover the complete configuration of a lost appliance. DR uses a backup-restore
process that must be enabled. To check, click Administration > Device > System Settings. If the Backup Mode property is set to Secure, disaster recovery is available.
Unlike a standard backup, a secure backup contains
private data from the appliance (certificates, keys, and user data), which the appliance encrypts
with a customer-provided certificate and a DataPower certificate.
an unencrypted XML manifest file, which includes information such as the date of the backup and
the firmware level, model, and serial number of the backed-up appliance. You can view the
unencrypted manifest file.
The backup-restore process must be used among appliances that are at the same firmware level
and have the same compatible configuration.
A secure restore does not merge data. The restore deletes all private data (certificates,
keys, and user data) that is currently on the target appliance.
Reference: InfoCenter Managing Disaster Recovery
Consolidate your infrastructure with Application
Optimization
Use Self-Balancing technology to spread inbound traffic load across
multiple DataPower appliances using a single target.
Eliminate the need for additional physical load balancers.
Efficiently distributes traffic with minimal overhead.
Use Intelligent Load Distribution to optimize outbound
traffic across multiple destinations.
Supports dynamic WebSphere cell interrogation.
Automatically updates targets and weights.
Use Session Affinity to preserve target
session state across multiple requests.
Supports WebSphere and non-WebSphere targets.
WS Application Accelerator for Public Networks
Secure Cloud Connector
Reference: WSTE presentation on AO
developerWorks article Using DataPower AO etc.
Administration Interfaces
CLI
Select Network > Management > SSH Service to display the SSH Service Configuration (Main) screen.
Telnet
Select Network > Management > Telnet Service to display the Telnet Service catalog.
WebGUI
Access to the appliance via the WebGUI is supported by a dedicated HTTP server that you
configured during the initial appliance configuration process.
XML Management Interface
The DataPower appliance can be configured and managed completely through the XML
Management Interface. When enabled, this interface allows administrators to send status and
configuration requests to the DataPower appliance through a standard SOAP interface.
WSDM interface
When enabled, this implementation provides a protocol-specific interface for managing Web
Service endpoints that were instantiated on the appliance through Web Service Proxy objects.
Go back to previous firmware level
You can toggle between releases by rolling back and forth between
the current and the previous image. This includes rolling back between
major releases.
In the WebGUI:
From the Control Panel, choose System Control.
In the Firmware Roll-Back section, click the "Firmware Roll-Back" button to toggle between images.
Using the CLI:
Enter the command "CO" and press Enter.
Enter the command "flash" and press Enter.
Enter the command "boot switch" and press Enter.
Section 3 - Security Scenarios
a. Configure crypto objects.
b. Configure a service to use SSL.
c. Configure a service to use WS-Security.
d. Configure a service to secure a WSDL-described web service.
[Items e and f are covered in subsequent slides]
e. Configure a service to enforce non-repudiation using digital signatures.
f. Configure a service to enforce confidentiality using encryption.
g. Configure a service to enforce authentication and authorization.
h. Configure message-level threat protection.
i. Configure a service to use OAuth.
j. Configure the use of a security server such as IBM Security Access Manager (ISAM), SAML and LDAP.
k. Identify the implications of enabling the FIPS 140-2 Level Compliance modes.
Security Terminology
Authentication verifies the identity of a client.
Authorization decides a client's level of access to a protected resource.
Integrity ensures that a message has not been modified while in transit. A cryptographic hash
allows the end user to check if a certain message was intercepted or tampered with.
Confidentiality ensures that the contents of a message are kept secret. DataPower allows
message and field level encryption, which ensures that no one can access the payload
without the appropriate decrypt key.
Non-repudiation allows the client to prove that the server has received a previously sent
message, and vice-versa. Digital signatures are used to determine if the message was sent
by the actual originator.
Securing data while in flight: DataPower provides in-flight security using the Secure Sockets Layer (SSL). It provides support for HTTPS, FTPS, SFTP, and MQ.
Auditing maintains records to hold clients accountable to their actions.
Reference: Achieving PCI compliance using WebSphere DataPower
Web Services Security
Web services security (WS-Security) provides a standard, platform-independent
way for specifying message-level security information.
Flexible set of mechanisms for using a range of security protocols
Does not define a set of security protocols
Provides end-to-end security
Associate security tokens with a message
Username Token profile
X.509 Token profile
Kerberos Token profile
SAML Token profile: Security Assertion Markup Language
REL Token profile: Rights Expression Language
Confidentiality (XML Encryption)
Process for encrypting data and representing the result in XML
Integrity (XML Signature)
Digitally sign the SOAP XML document, providing integrity and signer authentication
XML Canonicalization
Normalizes XML document
Ensures two semantically equivalent XML documents contain the same octet stream
Reference: Web Service Proxy Developers Guide
Flexible Authentication, Authorization, and Auditing (AAA) policies
AAA policy stages, in processing order from input to output:
Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML Assertion, IP Address, LTPA Token, Custom
Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
Map Identity
Extract Resource: URL, SOAP Operation, HTTP Operation, Custom
Map Resource
Authorize: LDAP, ActiveDirectory, System/z NSS, Tivoli Access Manager, SAML, XACML, Custom
Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
External access control server or onboard identity management store.
Secure your data with XML threat protection
XML Threat Protection
Entity expansion/recursion attacks
Message/data tampering
Public Key DoS
Message snooping
XML Flood
XPath or SQL injection
Resource Hijack
XML encapsulation
Dictionary Attack
XML virus
Replay Attack
Configuring XML threat protection
Section 4 - Integration Scenarios
a. Configure a service Front Side Protocol Handler.
b. Configure a service Backend URL. [dynamic backend]
c. Configure a service for mediation between protocols.
d. Configure a service for integration with messaging systems such as IBM MQ.
e. Configure a service to transform XML and Non-XML messages. [transformation using the Transform actions for v7.1]
f. Configure a service for Web 2.0 scenarios: REST proxy deployment, REST bridge deployment.
g. Configure a service for database integration.
h. Configure a service to integrate with IMS Connect.
i. Use the Interoperability Test Service during service development.
j. Use extension functions as appropriate within a stylesheet.
k. Customize message processing using GatewayScript module functions.
l. Configure services that support portability between environments. [see next slide]
m. Configure a service to perform JSON schema validation.
Configuration for Migration
Environments in this case are:
Development
Test
Production
Use these best practices (chapter 3) to make a configuration more portable and maintainable:
Use a Host Alias rather than a dotted-decimal address in services that expose external ports.
Use environment-specific DNS when possible rather than dotted-decimal addresses.
Use Static Hosts to handle DNS aberrations.
Externalize XSLT IP/port and host name references via the Identity Document.
Migrate only those objects which require migration.
Section 5 SOA Governance Scenarios
a. Configure Message Monitors and Service Level Monitoring (SLM)
policies to enforce Service Level Agreements (SLAs).
b. Attach and enforce WS-Policy statements using a web service proxy
service. [focus on enforcement in the knowledge center article]
c. Attach and enforce WS-MediationPolicy statements within a web service proxy service.
d. Configure subscriptions to external service registries such as
WebSphere Service Registry and Repository (WSRR).
Monitors
Allow for constant feedback on messages that flow through the appliance. You can
configure monitors to generate log messages at a given log level after reaching a count or
latency threshold or other event trigger. Monitors can also throttle (reject) or shape (delay)
traffic after reaching a count or latency threshold or other event trigger
Count Monitors
Increment a counter every time messages of a particular type pass through a service
Duration Monitors
Increment a counter every time a configured amount of time passes during the processing of
messages of a particular type
Web Service Monitors
Offer the ability to configure monitoring based on the services defined in a WSDL
Service Level Monitors
Allow finer degree of control which can extend to the precise definition of users or resources and
the scheduling of operations
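A count monitor with the three reactions the slide names (log at a level, throttle by rejecting, shape by delaying), as an added example. This is illustrative code written for this guide, not the appliance's monitor implementation: the sliding-window semantics, the decision that a rejected message is not counted, the monitor name, the client address 203.0.113.7 and the arrival times are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Decision:
    action: str           # "allow", "reject" (throttle) or "delay" (shape)
    count: int            # messages counted for this key in the current window, including this one
    delay_s: float = 0.0  # for "delay": how long the message waits before it is forwarded


class CountMonitor:
    """Sliding-window count monitor. Once `threshold` messages per `interval_s` are seen for a
    key (for example a client IP) it logs, and depending on `mode` also rejects or delays."""

    def __init__(self, name: str, threshold: int, interval_s: float,
                 mode: str = "notify", log_level: str = "warn"):
        if mode not in ("notify", "throttle", "shape"):
            raise ValueError("mode must be notify, throttle or shape")
        self.name, self.threshold, self.interval_s = name, threshold, interval_s
        self.mode, self.log_level = mode, log_level
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)  # forward times per key, ascending
        self.log: List[str] = []

    def observe(self, key: str, now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        w = self.windows[key]
        while w and now - w[0] >= self.interval_s:   # drop messages that have left the window
            w.popleft()
        if len(w) < self.threshold:
            w.append(now)
            return Decision("allow", len(w))
        self.log.append(f"{self.log_level}: monitor {self.name} key={key} reached "
                        f"{len(w) + 1} messages in {self.interval_s}s (threshold {self.threshold})")
        if self.mode == "throttle":
            return Decision("reject", len(w) + 1)          # the rejected message is not counted
        if self.mode == "shape":
            # The message may go once enough older ones have expired to free a slot, i.e. when
            # the threshold-th most recent entry leaves the window; queue it for that time.
            forward_at = w[-self.threshold] + self.interval_s
            w.append(forward_at)
            return Decision("delay", len(w), forward_at - now)
        w.append(now)                                      # notify only: log and let it through
        return Decision("allow", len(w))


def replay(mode: str, arrivals: List[float]) -> List[str]:
    """Run a 3-per-10-seconds monitor over constructed arrival times; one action per message."""
    monitor = CountMonitor("api-burst", threshold=3, interval_s=10, mode=mode)
    return [monitor.observe("203.0.113.7", now=t).action for t in arrivals]
```

Shaping keeps the queued forward times in the window, so a second delayed message is scheduled one slot later than the first rather than on top of it; that is the difference between smoothing a burst and merely postponing it.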
WS-Policy
The WS-Policy standard provides an XML vocabulary for Web services to describe their constraints and requirements.
Each policy consists of one or more policy assertions.
Policy assertions define the requirements of a service for a particular policy domain.
Require username token
Require encryption
Require digital signature
Policy assertions do not follow any predefined format, except that they are
embedded within a <Policy> tag.
<wsp:Policy xmlns:wsp="http://www.w3.org/2006/07/ws-policy">
  <UsernameToken/> <!-- Policy Assertion -->
</wsp:Policy>
The WS-Policy specification allows you to enforce requirements that cannot be described by
a WSDL file. For example, if you require all requests to be digitally signed, it is not possible to
encode that requirement in a WSDL file.
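The enforcement side of the slide's example (a policy requiring a username token and a signature, checked against a SOAP message) as an added example. This is illustrative code written for this guide, not DataPower's policy enforcement: the assertion element names UsernameToken, Signature and Encryption follow the slide's simplified style rather than WS-SecurityPolicy, the checks are presence checks only (signature verification and decryption are separate work), ExactlyOne alternatives are not modelled, and the policy and messages are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces of the header elements the assertions refer to.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Hypothetical assertion names mapped to the element that must be present in the message.
ASSERTION_CHECKS: Dict[str, str] = {
    "UsernameToken": f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken",
    "Signature":     f".//{{{WSSE}}}Security/{{{DS}}}Signature",
    "Encryption":    f".//{{{XENC}}}EncryptedData",
}


def local_name(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def assertions(policy: ET.Element) -> List[str]:
    """Flatten <Policy>/<All> nesting into the list of required assertions."""
    names: List[str] = []
    for child in policy:
        name = local_name(child.tag)
        if name in ("Policy", "All"):
            names.extend(assertions(child))
        elif name == "ExactlyOne":
            raise NotImplementedError("policy alternatives are not modelled in this example")
        else:
            names.append(name)
    return names


def unmet_assertions(policy_xml: str, message_xml: str) -> List[str]:
    """Names of assertions the message does not satisfy; an empty list means the policy is met.
    An assertion this checker does not know is reported as unmet, so unknown requirements fail closed."""
    policy = ET.fromstring(policy_xml)
    message = ET.fromstring(message_xml)
    unmet = []
    for name in assertions(policy):
        path = ASSERTION_CHECKS.get(name)
        if path is None or message.find(path) is None:
            unmet.append(name)
    return unmet


# Constructed policy: both a username token and a signature are required.
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsp:All>
    <UsernameToken/>
    <Signature/>
  </wsp:All>
</wsp:Policy>"""

# Constructed SOAP messages: one carries only the token, the other also a signature element.
TOKEN_ONLY = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote/></soap:Body>
</soap:Envelope>"""

SIGNED = TOKEN_ONLY.replace(
    "</wsse:Security>",
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/></ds:Signature></wsse:Security>')
```

The "require digital signature" case is exactly the requirement the slide says a WSDL cannot express: the policy document carries it, and the gateway, not the service description, rejects the unsigned message.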
Section 6 - Troubleshooting and Tuning (13%)
a. Resolve network connectivity problems.
b. Perform and analyze packet captures.
c. Configure Log Targets for analysis and alerting.
d. Configure event triggers.
e. Analyze and interpret system logs.
f. Debug message flows using the Probe.
g. Configure a service for transaction logging.
h. Configure the appliance to manage memory usage.
i. Configure the appliance for network optimization. [Static route table]
j. Use status providers and built-in capabilities to perform analysis and troubleshooting.
k. Configure caching on a service.
Packet Capture
Generates a PCAP file
Use Wireshark (Ethereal) or other PCAP tool to analyze the results.
Event Triggers
You can use the event triggers to automatically run commands when
specific messages are logged. Typical usage would be to generate an
error report when a rarely observed but recurring message is logged.
You can define event triggers for a variety of situations:
Starting and stopping a packet capture.
Creating an error report when a discrete service encounters a problem.
Using a custom message.
Network Connectivity
The test
Contains questions requiring single and multiple answers
For multiple-answer questions, you need to choose all required options to get the
answer correct
You will be advised how many options make up the correct answer
Is designed to provide diagnostic feedback on the Examination Score Report
Correlating back to the test objectives
Informing the test taker how they did on each section of the test.
Questions and answers are not distributed
Tips for passing the test
Taking the Test
Some questions are very tricky while others are very straightforward.
Try not to get discouraged and return to the more difficult questions if
time permits.
Remember that a score of 63% is enough to pass.
Afterwards
If you pass, celebrate!
If not, record questions that you missed
Find answers you missed in the Knowledge Center or other sources and
schedule to take the test again soon.
[email protected]
Backup
Foundational Technologies
a. Identify the characteristics of TCP/IP networking.
b. Identify the characteristics of Public Key Infrastructure (PKI).
c. Describe how SSL transport encryption and endpoint authentication works.
d. Identify the characteristics of an XML message, SOAP message and JSON message.
e. Identify the characteristics of XSLT, XPath expressions, XSD and WSDL.
f. Identify basic message-level security concepts.
g. Identify the characteristics of attachments in web services.
h. Describe the characteristics of messaging systems such as WebSphere MQ and JMS.
i. Identify the characteristics of Web 2.0 services.
SSL Handshake
Message flow between the SSL client and the SSL server:
(1) Client -> Server: Client Hello, cipher suites supported, version supported
(2) Server -> Client: Server Hello, cipher suite selected, server certificate, client certificate request (optional)
(3) Client: verify the server certificate; check the cryptographic cipher suite selected by the server
(4) Client -> Server: client key exchange, send secret key (encrypted with the server public key)
(5) Client -> Server: send client certificate (optional)
(6) Server: verify the client certificate (optional)
(7) Client -> Server: Client Finish
(8) Server -> Client: Server Finish
(9) Exchange messages (encrypted)
More on SSL handshake
SSL Object Hierarchy and underlying PKI integration
The Crypto Identification Credential object is used when providing an identity to
connecting clients. When a client connects, it requests a certificate. The crypto ID
credential references which certificate should be returned to the client. It also references
a private key which is used by SSL.
A Crypto Validation Credential can be used when verifying a digital signature when the
signer may be one of many different business partners. With a crypto validation credential
(often referred to as a valcred), you can create a single processing rule with a single
signature verification action that will accommodate countless public certificates.
The Crypto Profile object ties together a Crypto ID credential and a Crypto Validation
credential.
The SSL Proxy Profile provides some protocol-specific options and references a crypto
profile. The SSL Proxy Profile thus contains every bit of information needed to establish
one or two-way SSL handshaking.
XML Example
Test is focused on examples. Here is an example from w3schools.com taken out of XPath
section.
<?xml version="1.0" encoding="ISO-8859-1"?>
<bookstore>
<book category="WEB">
<title lang="en">XQuery Kick Start</title>
<author>James McGovern</author>
<author>Per Bothner</author>
<author>Kurt Cagle</author>
<author>James Linn</author>
<author>Vaidyanathan Nagarajan</author>
<year>2003</year>
<price>49.99</price>
</book>
<book category="WEB">
<title lang="en">Learning XML</title>
<author>Erik T. Ray</author>
<year>2003</year>
<price>39.95</price>
</book>
</bookstore>
XSLT
XSLT is used to transform an XML document into another XML document, or another
type of document that is recognized by a browser, like HTML and XHTML. Normally
XSLT does this by transforming each XML element into an (X)HTML element.
With XSLT you can add/remove elements and attributes to or from the output file. You
can also rearrange and sort elements, perform tests and make decisions about which
elements to hide and display, and a lot more.
In the transformation process, XSLT uses XPath to define parts of the source document
that should match one or more predefined templates. When a match is found, XSLT will
transform the matching part of the source document into the result document.
Refer to: http://www.w3schools.com/xsl/xsl_intro.asp for more information.
XPath
XPath is a specification for describing a location within an XML document.
Shared by many XML-based standards/technologies
Used by XSLT, XPointer, and XQuery
Allows you to address elements of a document that meet specified criteria.
Example: In XML for a book on Java, find the chapters with JDBC in the title
Provides the ability to retrieve a subset of an XML document in any direction.
Forwards, backwards or sideways
Expression shortcuts
//[element] selects element node regardless of location
. selects the current node
.. selects the parent of the current node
@[attribute-name] selects an attribute
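The expression shortcuts above, run over the bookstore document from the XML Example slide, as an added example using Python's xml.etree.ElementTree (its XPath subset covers //, ., .., @attribute and simple predicates; it has no contains(), so the slide's "JDBC in the title" style search is done with a Python filter). This is example code written for this guide, not from the slides or from w3schools; the quote check in _safe_literal is this example's own guard against XPath injection, which the threat-protection slide lists.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# The bookstore document from the XML Example slide, embedded so the example runs offline.
BOOKSTORE = """<bookstore>
  <book category="WEB">
    <title lang="en">XQuery Kick Start</title>
    <author>James McGovern</author>
    <author>Per Bothner</author>
    <author>Kurt Cagle</author>
    <author>James Linn</author>
    <author>Vaidyanathan Nagarajan</author>
    <year>2003</year>
    <price>49.99</price>
  </book>
  <book category="WEB">
    <title lang="en">Learning XML</title>
    <author>Erik T. Ray</author>
    <year>2003</year>
    <price>39.95</price>
  </book>
</bookstore>"""


def load() -> ET.Element:
    return ET.fromstring(BOOKSTORE)


def _safe_literal(value: str) -> str:
    """Refuse values that would break out of a quoted XPath literal (XPath injection)."""
    if "'" in value or '"' in value:
        raise ValueError("quote characters are not allowed in a predicate value")
    return value


def all_titles(root: ET.Element) -> List[str]:
    # //title : every title element regardless of location
    return [t.text for t in root.findall(".//title")]


def titles_in_category(root: ET.Element, category: str) -> List[str]:
    # //book[@category='WEB']/title : predicate on an attribute, then a child step
    return [t.text for t in root.findall(f".//book[@category='{_safe_literal(category)}']/title")]


def books_by_author(root: ET.Element, author: str) -> List[str]:
    # //author[.='name']/.. : select the author node, then step up to its parent (the book)
    return [b.findtext("title") for b in root.findall(f".//author[.='{_safe_literal(author)}']/..")]


def title_languages(root: ET.Element) -> Dict[str, str]:
    # @lang : read an attribute of each selected node
    return {t.text: t.get("lang") for t in root.findall(".//title")}


def titles_containing(root: ET.Element, word: str) -> List[str]:
    # The slide's "chapters with JDBC in the title" idea; ElementTree lacks contains(), so filter in Python.
    return [t.text for t in root.findall(".//title") if word in t.text]


def price_of(root: ET.Element, title: str) -> Optional[float]:
    # . and ./book : walk the direct children of the current (root) node
    for book in root.findall("./book"):
        if book.findtext("title") == title:
            return float(book.findtext("price"))
    return None
```

The same expressions (without the ElementTree restrictions) are what a DataPower match rule or XSLT template would use to pick out parts of a message, which is why the injection guard matters: a predicate value taken from the request must never be allowed to rewrite the expression.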