What is a service-oriented architecture?
For completeness we include two different definitions, one from W3C: “A set of components which can be invoked, and whose interface descriptions can be published and discovered.”
And a second from LooselyCoupled: “A system for linking resources on demand. In an SOA, resources are made available to other participants in the network as independent services that are accessed in a standardized way. This provides for more flexible loose coupling of resources than in traditional systems architectures.”
What are Web Services?
For completeness we include two different definitions, one from W3C: “A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.”
And a second from LooselyCoupled: “Automated resources accessed via the Internet. Web services are software-powered resources or functional components whose capabilities can be accessed at an internet URI. Standards-based web services use XML to interact with each other, which allows them to link up on demand using loose coupling.”
What is Web Services Management?
Web Services Management is a title used by the Gartner group to describe a market for solutions that facilitate the deployment of Web services. The term has become very broad and encompasses a wide range of different capabilities, implemented to varying degrees by a number of vendors.
At a minimum, Web Services Management solutions provide service performance and availability monitoring, often extending to provide service level agreement (SLA) monitoring.
Some solutions build on monitoring to provide management and enforcement of service level agreements. While others focus on Web Services Security management and enforcement.
SOA Software offers comprehensive monitoring and management (including very advanced identity-based SLA contracts, the strongest Web Services Security solution on the market, and extends the concept of Web Services Management with a powerful SOA Enablement solution.
The OASIS standard WS-Security is defined by LooselyCoupled as a Standards framework for secure web services, based on SOAP. WS-Security defines additional headers that can be added to a SOAP message to implement integrity and confidentiality in web services applications. It provides a foundation for further security specifications that are under development, including WS-Policy, WS-Trust and WS-Federation. Originally put forward by IBM, Microsoft and Verisign, WS-Security became the responsibility of the OASIS e-business standards body in July 2002.
As a market, Web Services Security refers the set of technology solutions that enhance security, including authentication, authorization, privacy, non-repudiation and auditing, for Web services. These solutions are available in many forms ranging from XML Firewall appliances through enterprise software solutions from many different vendors.
SOA Software offers a best-of-breed enterprise software solution for Web Services Security. SOA Software ’s advanced software delivers performance that exceeds that of many of the XML firewall appliance solutions. It also delivers much richer security from network edge to core.
Service oriented architecture enablement, or as Zapthink discusses, the SOA Implementation Framework, is an emerging technology concept that goes beyond Web Services Management to unlock the value of Web services. The promise of Web services is to enable the agile enterprise through service reuse within a service oriented architecture.
Without an SOA enablement solution, much of this promise falls by the wayside as developers are unable to comply with changing security and management policy and cannot keep track of changing service interfaces and locations.
SOA Software’s industry-leading Service Manager delivers a comprehensive SOA enablement solution that offers all the capabilities of traditional Web Services Management solutions and adds:
- Dynamic discovery and real-time implementation of service requirements for security:
- Message auditing
- Dynamic discovery of, and binding to, service location
- Powerful load-balancing and high-availability
- Real-time monitoring and enforcement of identity-based service level agreement contracts
- An adaptive, self-healing network of services
In short, the Service Manager fully abstracts service and application developers from any required knowledge of central management and security policy.
What is the difference between ESB, XML Firewall and Web Services Management providers?
At a high level there is very little difference. SOA Software believes that the distinction between these terms, and the terms themselves are transitory. To clarify, the terms exist as a result of different market sectors approaching the common problem of Web Services Management, or SOA Enablement; the EAI companies created ESB to highlight their value as a messaging system while the hardware vendors invented the XML Firewall due to the market’s familiarity with the traditional firewall. As we move forward, SOA Enablement will exist as a ubiquitous fabric that exists to abstract multiple transports, platforms and deployment scenarios.
From www.searchwebservices.com: “Firewalls have long been a mainstay of corporate security - but when it comes to Web services, they may well provide no security at all, because they can only filter at the packet level, and can't examine the contents of messages. Considering that Web services traffic may account for 25 percent of all enterprise traffic by 2006 according to the ZapThink Web services consulting group, that is a serious problem for any business looking to use Web services.
XML firewalls promise to protect corporations against the unique dangers and intrusions posed by Web services. These firewalls can examine SOAP headers and XML tags, and based on what they find, distinguish legitimate from unauthorized content.”
Most XML Firewalls are implemented as hardware/software appliances that package Web services intermediary software with a rack mountable server.
An intermediary is a server (software or hardware – see XML Firewall) that sits between a web service consumer and provider endpoint. In the case of Web Services Management intermediaries, the intermediary provides varying degrees of security and monitoring functions.
“A SOAP intermediary is both a SOAP receiver and a SOAP sender and is targetable from within a SOAP message. It processes the SOAP header blocks targeted at it and acts to forward a SOAP message towards an ultimate SOAP receiver.”
SOA Software’s Management Point is a powerful, extremely high performance software appliance providing rich Web Services Management, Web Services Security and SOA enablement functionality.
A Service Level Agreement (SLA) provides advanced monitoring capabilities for services and operations to ensure that they meet pre-defined operational requirements.
SOA Software’s Service Manager implements very rich and powerful SLA monitoring with unique enterprise-class features. The distributed data collection combined with centralized analysis employed by the Service Manager ensures comprehensive, accurate performance monitoring. The Service Manager defines SLA policies that can then be applied by reference or copy to an operation or service. This provides the flexibility to be able to define central performance and availability monitoring policies that, when changed, will affect all services or operations to which they the policies have been applied.
SLA policies can be defined for many criteria including, throughput, response time, availability, number of errors, etc.
A contract is an agreement of a set of terms between various parties. The Service Manager uses contracts for various high-value functions. It implements both access contracts and SLA contracts.
An access contract is used to define highly granular rule about how a particular user, group or role and can access a service or operation. It can be used to control how many times, how frequently and at what times a user may access a particular operation. For example, the system could only allow a user to use a particular service 10 times per minute during business hours, but unlimited outside those hours. Or a user may only be allowed to use a service 100 times before being denied access.
An SLA contract closely models a real-world SLA by monitoring the performance of a service or operation as seen by a particular user, group or role. This allows the creation and monitoring of agreements for different user groups for the same services. For example one group of users may need a contractual commitment that a particular operation will always respond in less than 50ms to its messages, while another may want to guarantee that it will always be able to get more than 400 messages per second through a particular service.
These identity-based contracts are a unique feature of the Service Manager, made possible by its tight integration with identity management solutions.
What is the difference between monitoring and management?
Monitoring is the process of collecting and reporting on data. In the case of Web Services Management, monitoring typically refers to the collection and charting of performance and availability data, and in some cases security (access) data.
Management adds enforcement to monitoring. In Web Services Management, enforcement normally refers to security or network enforcement. Security enforcement is the process of authenticating users and making authorization decisions about the users' right to access a resource. Network enforcement is less common and should involve combining content-based routing and message throughput throttling with SLA monitoring.
The Service Manager is the only Web Services Management and SOA enablement solution that implements an adaptive infrastructure leveraging this concept of network enforcement.
Why do I need Web services management?
The promise of Web services is to enable the agile enterprise through service reuse within a service oriented architecture. Without an SOA enablement, or Web Services Management solution, much of this promise fails as developers are unable to comply with changing security and management policy and cannot keep track of changing service interfaces and locations.
Specifically, you need SOA Enablement and Web Services Management to:
- Ensure that application developers are abstracted from service endpoint and infrastructure policy requirements
- Provide comprehensive end-to-end security
- Guarantee that services perform to contractually agreed, or policy defined availability and performance metrics.
When should I think about using a Web Services Management system?
This is a “how long is a piece of string question”. Depending on the criticality and value of deployed Web services some organization should implement SOA Enablement and Web Services Management before conceiving their first Web services. Other organizations may be comfortable with insecure, unmanaged services for a long period. There is no clear rule of thumb, other than the obvious statement that without Web Services Management and SOA Enablement Web services will not be secure and will likely not live up to application developers performance and availability requirements.
How does Web Services Management fit into my existing infrastructure?
The Service Manager is completely non-intrusive. It operates using standalone and agent based intermediaries to ensure that messages are authenticated, routed and authorized appropriately. It uses powerful SLA and contract management technologies to dynamically adjust the network to ensure performance and availability without ever requiring a developer to be aware of the fabric.
How does Web Services Management Security fit in with my existing security and policy systems?
The Service Manager can implement its own user and policy store (commonly used to manage application identities), and/or it can tightly integrate with existing 3rd party identity and policy management systems extend their reach into Web services.
How does Web Services Management integrate with existing applications?
The Web Services Management solution should integrate transparently with existing client and server applications in order to abstract much of the complexity of security and message delivery and simplify the development task. The Web Services Management solution can be deployed as a proxy that intercepts the Web service calls without any changes to the application code. On Java and .NET applications, the agent can also be deployed with no changes to the application code by making a few simple declarative changes to the environment.
How does Web Services Management integrate with new applications?
The Web Services Management solution offers a great deal to developers of new applications by providing a fabric that abstracts much of the complexity of security and message delivery and simplifies the development task. Making use of the Web Services Management solution can be done during development or added later as described above.
How does Web Services Management & Web Services Security fit into my Netegrity environment?
Web Services Security solution will inevitably need to authenticate users and roles and make authorization decisions about granting access to services and operations. It is essential that the Web Services Management and Security solution is able to integrate with an existing identity-management infrastructure for authentication and most authorization decisions.
The Service Manager offers the closest integration with Netegrity in the industry. It can either integrate at an intermediary level, or via it’s powerful built-in Policy Manager. When integrating at the Policy Manager it can leverage identity for security and management tasks. See contracts.
How do I manage B2B communication?
B2B communication brings a number of interesting challenges to the SOA, including the requirement to manage Service Level Agreement and provisioning contracts. In addition to this, you need to manage the routing of external requests through your DMZ to your internal applications. A good WSM solution will provide both the means to effectively and transparently route transactions as well as the means to manage the business agreements (SLAs and provisioning contracts) that you have set up with your partners.
How do I secure B2B communication?
B2B communication raises two important security concerns. Firstly the transactions may be occurring over the Internet, resulting in an increased security risk. Secondly, the partner identities and their access rights need to be closely managed. Your WSM solution should therefore provide all the features of an XML firewall, such as:
- High performance
- Schema validation
- Attack prevention
- Authentication and authorization
- Centralized policy management
Additionally, the WSM solution should be capable of associating partner identities with their provisioning contracts and Service Level Agreements
Does Web Services Management provide orchestration?
Before answering this question it is important to first describe the concept of orchestration.
From a Hewlett Packard White Paper “Web Services Orchestration - A Review of Emerging Technologies, Tools, and Standards”:
“The industry has used a number of terms to describe how components can be connected together to build complex business processes. Workflow and document management systems have existed as a means to handle the routing of work between various resources in an IT organization. These resources might include people, systems, or applications, and typically involve some human intervention. Business process management systems (BPMS) have also been used to enable a business to build a tops-down process design model, consisting of various integration activities (e.g., integration to a legacy system). BPMS systems would typically cover the full lifecycle of a business process, including the modeling, executing, monitoring, management, and optimization tasks. With the introduction of web services, terms such as “web services composition” and “web services flow” were used to describe the composition of web services in a process flow. More recently, the terms orchestration and choreography have been used to describe this. Orchestration describes how web services can interact with each other at the message level, including the business logic and execution order of the interactions. These interactions may span applications and/or organizations, and result in a longlived, transactional, multi-step process model. Choreography tracks the sequence of messages that may involve multiple parties and multiple sources, including customers, suppliers, and partners.
Choreography is typically associated with the public message exchanges that occur between multiple web services, rather than a specific business process that is executed by a single party. There is an important distinction between web services orchestration and choreography. Orchestration refers to an executable business process that may interact with both internal and external web services. For orchestration, the process is always controlled from the perspective of one of the business parties. Choreography is more collaborative in nature, in which each party involved in the process describes the part they play in the interaction. Many of the standards that will be discussed in this paper initially focused on either orchestration or choreography. However, recent enhancements and standards convergence has somewhat blurred this distinction. In this paper, the term web services orchestration will be used to describe the creation of business processes, either executable or collaborative, that utilize web services.”
While some Web Services Management solutions may provide Orchestration and Choreography functions, these would more typically be provided by a Business Process Management solution.
Is Web Services Management only important if I have a Heterogeneous environment?
No, SOA Enablement and Web Service Management adds considerable value to any environment. The concept of abstracting developers from security and management policy requirements in the network and at the service endpoints is independent of development platform. Just because consumer and endpoint applications are both implemented using .NET, or BEA doesn’t mean that they automatically understand each other, and can automatically adapt to changes.
SOA Software’s Web Services Management solution ensures the performance and availability of services using powerful failover and load balancing technologies combined with industry-leading service level agreement management and monitoring. Essentially, the Web Services Management fabric will detect impending failures or performance problems and will make appropriate routing and throttling decisions to ensure that service levels are maintained for high value or importance transactions.
What is needed to deploy Web Services Management?
Depending on the Web Services Management vendor, deployment will usually involve some central policy server(s) and software and distributed intermediaries. The intermediaries may be hardware/software appliances, standalone servers running specialized software, or a “agent” deployed with the Web service itself.
Again, depending on the vendor, the Web Services Management solution should not be intrusive.
What is the fabric?
The fabric is a representation of the Web Services Management and SOA enablement infrastructure. It provides a visual concept that facilitates understanding of what Web Services Management is and does.
Do I need to change my applications to use Web Services Management?
Depending on the Web Services Management vendor, the solution should be completely non-intrusive.
The Services Manager delivers a fully non-intrusive comprehensive Web Services Management and SOA enablement fabric.
What are the performance implications of Web Services Management?
This completely depends on the Web Services Management vendor and the architecture of the complete solution. The functions of Web Services Management; security, monitoring, enforcement, enablement, all need to be done somewhere in an SOA. A well-architected solution will externalize these functions from the applications to ensure consistent application of policy.
The Service Manager is an extremely high performance solution. In monitor mode, the Management Point operates at zero-latency (any added latency is not measurable). In intermediary mode where is it enforcing management and security policy it has been tested under heavy load and demonstrated sub millisecond latencies. To put this into perspective, most Web services themselves will operate with 100-200 millisecond response times, some taking several seconds to respond. In this environment, the Web Services Management fabric is increasing latency by less than 1/10th of a percent.
Furthermore, a well-architected Web Services Management solution will constantly monitor performance and will increase the perceived performance of the Web services network through intelligent routing.
Dynamic binding is the process whereby a Web service consumer discovers the location (and in some cases the policy requirements) of a Web services immediately prior to invocation and connects to it based on this up-to-date information.
Dynamic binding is essential for the functioning of an agile enterprise. Without dynamic binding service consumers will use hard-coded endpoint information and will fail in the event of any change being made to the service endpoint.
How can I make my Web services secure?
There are many approaches to securing Web services. The Service Manager implements one of the most secure and flexible approaches by deploying agent-based intermediaries with each Web service, and forcing all messages to pass through the intermediary for authentication and authorization.
How can I make my Web services reliable?
The Service Manager’s approach to Web Services Management delivers powerful failover and load-balancing technologies to ensure service availability. As the solution begins to detect performance or availability problems it will automatically adjust traffic to ensure that high-priority messages are delivered and alert administrators to impending problems.
How can I make my Web services transparent?
The Service Manager implements powerful dynamic discovery capabilities to fully abstract consumer applications from any knowledge of service endpoint location, or fabric policy.
How do I expose services on Mainframe and AS/400 systems?
Exposing services on Mainframe and AS/400 systems is not the problem, there are many technologies and companies that do just that. The challenge is to do it in a way that ensures security and protects the mainframe and AS/400 systems from denial-of-service attacks.
The SOA Software Mainframe and AS/400 solution package delivers a powerful combination of professional services expertise and product to create secure managed Web services from mission critical Mainframe and AS/400 systems. It integrates enterprise identity-management systems such as Netegrity SiteMinder or IBM Tivoli Access Manager with Mainframe security solutions like ACF/2 and RAC/F. It delivers powerful service level agreement and contract management capabilities combined with comprehensive message throughput and routing controls to prevent denial-of-service attacks.
Why is policy-based management important?
The number of service relationships in an organization will quickly grow beyond its ability to manage and secure the services individually. To handle this, the practices and standards of the organization should be defined and stored centrally as policies. These policies can then be easily managed and applied to the distributed groups of services.
Policy-based management is critical if your enterprise intends to define central policies for security, performance and availability and then implement and enforce these policies at a service and application level.
The concept of policy-based management allows central definition of security, availability and performance requirements in a single location (the Policy Definition Point – PDP), with these definition being automatically implemented and enforced at distribute Policy Enforcement Points – PEPs. This dramatically reduces the cost of securing and managing a large scale Web services deployment.
The Service Manager is the industry’s first comprehensive, central policy-based management and security solution.
Management and Security Policy can be defined at many levels. At a high level, it is the rules defined by the enterprise for managing and securing applications and transactions. At a more granular level it is the meta-data used to describe these business policies and their enforcement.
What is the difference between definition, enforcement and enablement?
Definition is the process of defining policies for security and management.
Enforcement is the process of enforcing these policies as described above.
Enablement goes beyond both of these to provide a mechanism for automatically allowing applications to comply with Policy.
SOA Software is the only SOA enablement vendor with products that dynamically adapt to the changing infrastructure to fully abstract application developers from management and security policy. The Gateway and Management Point products provide the core of this enablement capability.
Why is it important to externalize policy?
The number of service relationships in an organization will quickly grow beyond its ability to manage and secure the services individually. To handle this, the practices and standards of the organization should be defined and stored centrally as policies. These policies can then be easily managed and applied to the distributed groups of services.
Externalized Policy-based management is critical if your enterprise intends to define central policies for security, performance and availability and then implement and enforce these policies at a service and application level.
What is the importance of the Web services standards?
Web services standards ratified by organization such as OASIS and the IETF are critical for the long term adoption of Web services. The basic building blocks of Web services, XML, SOAP, WSDL and UDDI allow applications to be built from loosely coupled services. Without further standards describing security, reliability, transaction support and other advanced capabilities, Web services will fail to deliver the real promise of a service oriented architecture.
To this end, standards like: WS-Security, WS-Federation, WS-Trust, WS-Reliability, WS-Transactions, WS-Correlation, WS-DistributedManagement and many others are fundamental to the success of Web services.
Web services security standards include, but are not limited to:
WS-Security, Security Assertion Markup Language (SAML), XML-Encryption, XML-Signature, WS-Trust, WS-Federation, and WS-Policy (this is broader than security, but has strong security implications).
What are the management standards?
Web services management standards include, but are not limited to:
WS-Distributed Management, WS-Reliable Messaging, WS-Correlation, WS-Orchestration, WS-Meta-Data, and WS-Policy.
What is WS-I?
WS-I is the Web Services Interoperability organization. SOA Software is a member of WS-I.
From the WS-I web site:
“WS-I is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages. The organization works across the industry and standards organizations to respond to customer needs by providing guidance, best practices, and resources for developing Web services solutions.
WS-I was formed specifically for the creation, promotion, or support of Generic Protocols for Interoperable exchange of messages between services. Generic Protocols are protocols that are independent of any specific action indicated by the message beyond actions necessary for the secure, reliable, or efficient delivery of messages; "Interoperable" means suitable for and capable of being implemented in a neutral manner on multiple operating systems and in multiple programming languages.”
OASIS (www.oasis-open.org) is the primary standards body focused on developing and ratifying Web services standards. SOA Software is a member of OASIS, tracking Web Services Management, Web Services Security and SOA Enablement standards.
From the OASIS Web site:
“OASIS is a not-for-profit, international consortium that drives the development, convergence and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, supply chain, public sector, and interoperability within and between marketplaces.
OASIS has more than 3,000 participants representing over 600 organizations and individual members in 100 countries around the world. The Consortium hosts two of the most widely respected information portals on XML and Web services standards, xml.CoverPages.org and XML.org. OASIS Member Sections include UDDI, CGM Open, LegalXML and PKI.”
UDDI is one of the three foundations of Web services. It provides a registry of services that can be used both to allow application developers to find appropriate services, and as a meta-data store that can allow the fabric to abstract developers from service and fabric location and policy requirements.
From www.developer.com: “(Universal Description, Discovery, and Integration)—An XML-based lookup service for locating Web Services in an Internet scenario.”
SOAP is one of the three foundations of Web services. Arguably, for an application to be called a Web service, it must expose its interfaces as SOAP APIs.
From www.developer.com: “(Simple Object Access Protocol)—A lightweight, XML-based messaging protocol that contains an envelope, header, and body, designed to exchange information in a decentralized, distributed environment.”
WSDL is one of the three foundations of Web services. It provides a standard way of defining the interfaces and APIs implemented by a service.
From www.developer.com: “(Web Services Definition Language)—An XML-based language used to give a description about the Web Services available in a UDDI.”
The www.developer.com definition is somewhat misleading, because it is not necessary for a service to be published in a UDDI registry for it to have a WSDL document.
What is SAML?
SAML (Security Assertions Markup Language) provides a basic framework for federated authentication and authorization. Essentially SAML allows a user (person or application) to authenticate once against a server that validates the identity. Once authenticated the server will issue an authentication assertion to the user (the server can also generate an authorization assertion that grants privileges to the user), the user can pass this (these) assertion(s) on to other application that can then verify that the user is who they say they are, without having any prior knowledge of the user. This would be most useful in partnership environments, where an enterprise can rely on its partners to authenticate their own users. Unfortunately there are some outstanding challenges that SAML must address before it can be widely used in this type of environment:
- Chained trust – A SAML assertion is signed by its issuing authority, but there is no model for attaching a trust chain, i.e. signature of an authority that can vouch for the issuing authority
- Token interoperability – SAML is often used as a simple container for passing proprietary credentials. A good example is Netegrity TransactionMinder that generates a SAML assertion containing just a Siteminder ID. This renders different SAML implementations non-interoperable
- Standards battles – Liberty Alliance and a group led by Microsoft and IBM are battling over specific federation models. Without an effective federation standard SAML is rendered impotent.
Why is SOA Software’s SAML implementation unique and valuable? The following text is the formal description of SAML taken directly from the OASIS published standard.
The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain.
Assertions can convey information about authentication acts that were previously performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources. A single assertion might contain several different internal statements about authentication, authorization, and attributes.
Assertions are issued by SAML authorities, namely, authentication authorities, attribute authorities, and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding, to SOAP over HTTP. SAML authorities can use various sources of information, such as external policy stores and assertions that were received as input in requests, in creating their responses. Thus, while clients always consume assertions, SAML authorities can be both producers and consumers of assertions.
One major design goal for SAML is Single Sign-On (SSO), the ability of a user to authenticate in one domain and use resources in other domains without re-authenticating. However, SAML can be used in various configurations to support additional scenarios as well. Several profiles of SAML have been defined that support different styles of SSO, as well as the securing of SOAP payloads.
WS-Distributed Management (WSDM) is an OASIS technical committee (TC) tasked with creating a standard for the management of distributed Web services.
From www.oasis-open.org: “The purpose of this TC is to define web services management, including using web services architecture and technology to manage distributed resources. This TC will also develop the model of a web service as a manageable resource.”