Securing WebSphere DataPower XC10 Appliance

Data grids in the appliance store information that is sensitive and must be protected.

Before you begin

Some elements of this scenario, such as enabling Federal Information Processing Standard 140-2 (FIPS) mode, require that every member of a collective runs a current firmware level. If the appliance that you are securing is a member of a collective, upgrade the firmware on all members of the collective before you complete the tasks in this scenario.

About this task

WebSphere® DataPower® XC10 Appliance includes comprehensive security controls, but the default configuration ships with default passwords, SSL keys, and authentication secrets that you must change before the appliance handles production data. Complete this scenario to replace those defaults and harden the deployment.

A secure deployment uses several layers of protection. The first layer is firewalls that segment the network. The standard tiered model for web applications is composed of web clients, a presentation tier of HTTP servers, an application tier of application servers, a data tier, and a storage tier.

WebSphere DataPower XC10 Appliance is deployed as part of the data tier. Standard practice is to put the presentation tier servers in a demilitarized zone (DMZ) that is protected by one firewall, and to put the application, data, and storage tiers in network segments that are protected by further firewalls. Do not deploy appliances in a DMZ. Protect appliances as you protect every other element of the data tier, according to standard industry practice.

Network segmentation alone is not enough. For optimal protection against security threats, use defense in depth, where a number of extra measures protect appliance operation and the data that is stored in the data grid. These additional measures not only help to defend against external threats, but also prevent unauthorized data access by employees and contractors who have access to the network segments in which the appliances reside.

The steps in this scenario are done in the web console for WebSphere DataPower XC10 Appliance. Each of these steps can also be automated by calling the HTTP command-line interface from a program. For more information about the HTTP command-line interface, see Configuring Transport Layer Security (TLS) for WebSphere Application Server.