Saturday, 25 March 2017

Web Application Firewall

Virtualize a back-end Web application
=============================
The Web application firewall service in DataPower can execute a security policy on messages that arrive in the DMZ before sending them to a back-end Web application.

The WAF can also rate-limit requests and enforce an AAA policy, but in this example we only virtualize the host and secure the connection to the back-end Web application.

These tasks may also be performed on J2EE application servers such as WebSphere Application Server, but configuration using the DataPower management interface is much easier and does not require custom code.

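For example, let's virtualize the Citibank website and provide access over an http connection by fronting it with a DataPower WAF. In this setup only the connection from DataPower to the back end is encrypted; the client-facing side is plain http.
https://www.online.citibank.co.in/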

Follow the steps below to set up this scenario.

Step 1: In the DataPower Control Panel, click Web Application Firewall.

Step 2: Click Add wizard. The wizard then asks a series of questions to generate a WAF service.

Step 3: Name of WAF: CitiBankProxyApp

Step 4: Enter the back-end Web application details.
            The default port for an https back end is 443.
            The default port for an http back end is 80.

Step 5: Configure a forward crypto profile for the secure https connection to the Citibank application.

Step 6: Configure the FSH (front side handler) details.

Step 7: Leave everything else at its default: click Next on each screen until the final screen, then click Commit on the last screen to commit the application.

Step 8: Now access the Citibank application using the FSH IP address and port:

 http://192.168.136.128:1234/
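
A check a practitioner might run after Step 8, added here as an example and not part of the original post or of DataPower: it parses a response header block as seen on the http front side and flags headers that behave differently when an https back end is served over http. The function names and the sample response are assumptions constructed for illustration.

```javascript
// Added example: audit response headers seen on the HTTP front side of the WAF.
// SAMPLE_RESPONSE is constructed for illustration; it is not captured output.
const BACKEND_HOST = 'www.online.citibank.co.in'; // back-end host from the post

const SAMPLE_RESPONSE = [
  'HTTP/1.1 302 Found',
  'Location: https://www.online.citibank.co.in/login',
  'Set-Cookie: JSESSIONID=constructed123; Path=/; Secure; HttpOnly',
  'Set-Cookie: lang=en; Path=/',
  'Strict-Transport-Security: max-age=31536000',
  '', '',
].join('\r\n');

// Parse a raw header block into [name, value] pairs, keeping repeated headers.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  return head.split(/\r?\n/).slice(1) // drop the status line
    .map((line) => {
      const i = line.indexOf(':');
      return i > 0 ? [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()] : null;
    })
    .filter(Boolean);
}

// Return findings that matter when the front side is HTTP and the back end is HTTPS.
function auditFrontSide(raw, backendHost) {
  const findings = [];
  for (const [name, value] of parseHeaders(raw)) {
    if (name === 'location') {
      let url = null;
      try { url = new URL(value); } catch (e) { /* relative redirect stays on the proxy */ }
      if (url && url.hostname === backendHost.toLowerCase()) {
        findings.push({ header: name, issue: 'redirect-bypasses-proxy', detail: value });
      }
    } else if (name === 'set-cookie') {
      const attrs = value.split(';').slice(1).map((a) => a.trim().toLowerCase());
      const cookie = value.split('=')[0].trim();
      findings.push(attrs.includes('secure')
        ? { header: name, issue: 'secure-cookie-on-http-front', detail: cookie }
        : { header: name, issue: 'cookie-sent-in-cleartext', detail: cookie });
    } else if (name === 'strict-transport-security') {
      findings.push({ header: name, issue: 'hsts-ignored-over-http', detail: value });
    }
  }
  return findings;
}

console.log(auditFrontSide(SAMPLE_RESPONSE, BACKEND_HOST));
```

A redirect to the back-end host takes the client off the virtualized address, a Secure cookie is not returned by the browser over http, and an HSTS header received over http is ignored by browsers.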


DP Feature Management

DataPower Feature Management: Integration Module for Binary Processing
We must separately purchase and activate add-on modules for DataPower Appliance to match the business goals in development, test, and production environments.
After you activate an add-on module, you can disable and re-enable it.

Available modules for DataPower appliances:

                    1. Integration Module
                    2. B2B Module
                    3. IBM Security Access Manager Proxy Module
                    4. Application Optimization Module
                    5. TIBCO EMS Module
                    6. Database Connectivity Module
                    7. Data Integration Module

When you purchase a physical or virtual production edition appliance from IBM Passport Advantage, add-on modules are not preinstalled.

When you purchase a virtual developer or nonproduction edition appliance, most add-on modules are activated. For the add-on modules that you do not want, disable them.

After an add-on module is activated, you can disable and re-enable it. The tools to enable and disable a module are available at no cost from IBM Fix Central.

Choose the activation license and the enable and disable tools according to the appliance edition type, either virtual or physical; the box type also needs to be identified.

Refer to the link below to identify it:

Note:
For all modules, except the Application Optimization Module, you must install your current firmware image again to have the library for these modules. The installation process selectively installs the libraries in the firmware image for the activated features.

Follow the steps below to activate the Integration Module on an IDG physical appliance.

Step 1: Take a secure backup of the appliance from the default domain.
              Note: The appliance must have been set to DR mode at installation time; otherwise a secure backup cannot be performed. If secure backup is not enabled, take a backup using export config instead.
a)      Make sure you are in the default domain.
b)      Administration → Main → System Control
c)      Go to the Secure Backup section.
d)      Crypto Certificate → select a certificate for the secure backup → Destination: temporary:///myDir → exclude iSCSI and RAID
e)      Click Secure Backup → Confirm → Close
f)      Check the backup file in File Management.
g)      Keep the private key and certificate, which will be used to restore.

Step 2: Check Device Features before activating the Integration Module.

Step 3: Quiesce the appliance: specify a time under the Timeout option and then click the Quiesce button.
             Administration → Main → System Control → Quiesce

Step 4: Upload the activation module file. The file is uploaded to the image:// location in File Management; then click Boot Image.
File name for the Integration Module on an IDG physical device: idg-activate-IM-20150619.scrypt3

Step 5: Reload the existing firmware image now. If the file was not stored, get it from IBM Fix Central, checking for the exact firmware version and the appliance edition type.

NOTE: For all modules, except the Application Optimization Module, you must install your current firmware image again to have the library for these modules. The installation process selectively installs the libraries in the firmware image for the activated features.

File name for an IDG physical device with firmware 7.2.0.2: idg7202.scrypt3

The firmware reload takes 20 to 30 minutes once we click Confirm.

Step 6: After the reload is complete, the login screen appears. Log in using the admin credentials and check the device features:

Status → System → Device Features

Step 7: Unquiesce the appliance after validation.


Thursday, 23 March 2017

APIC Installation

1. Install Node.js on the Windows system.

2. Make sure Node and npm are installed by running simple commands to see which version of each is installed, and by running a simple test program:

3. Test Node.
     node -v
     v0.10.35

4. Test npm.
     npm -v
     1.4.28

5. Create a JavaScript file named hello.js and add the code console.log('Node is installed!');
     To run the code, open your command-line program, navigate to the folder where you saved the file, and type:
     node hello.js

6. Install version 3 of npm by entering the following command:
     npm install -g npm

7. Then ensure the npm command uses the correct version:
     npm -v

8. If the version shown is not 3.x.x, edit your system PATH to ensure that
     C:\Users\username\AppData\Roaming\npm supersedes any other entries.

Install IBM API Connect
     npm install -g apiconnect

This installs:
1. API Connect Developer Toolkit, which includes the apic command-line tool and the API Designer visual tool
2. LoopBack Node.js framework
3. API Connect Micro Gateway

Installing API Connect takes around 30 minutes.
Once installation is complete, check the API Connect version using the command below:

     apic -v

It asks for license acceptance; select yes.
Once that is completed, check the API Connect version.

                                      


References
=========
API Connect Reference:
https://www.npmjs.com/package/apiconnect
https://strongloop.com/get-started/

Node.js Reference:
http://blog.teamtreehouse.com/install-node-js-npm-windows
https://nodejs.org/en/download/