BTWebServicesBestAndWorstPractices
Transcript of BTWebServicesBestAndWorstPractices
-
8/2/2019 BTWebServicesBestAndWorstPractices
1/45
2007 ACS Web Services SIG
17 May 2007
1
SOA and Web Services Best and Worst Practices
Ben Thurgood
Asia Pacific SOA Delivery Leader
IBM Software Group Services
-
2007 ACS Web Services SIG
21 February 2007
Agenda
SOA and Web Services
Best Practices
- Iterative Adoption
- The Basics
- Sticking to the standards
- Securing appropriately
- Planning for expansion
- Planning for Governance
Worst Practices
- Point to Point Services
- Bottom-up Development (or It's all Greek to me)
- The message that ate my server
- Pardon me, your data is showing
- Schema? We don't need no stinkin' schema!
-
SOA and Web Services
-
What is ..?
- ... a service? A repeatable business task, e.g., check customer credit; open new account
- ... service orientation? A way of integrating your business as linked services
- ... service oriented architecture (SOA)? An IT architectural style that supports service orientation
- ... a composite application? A set of related & integrated services that support a business process built on an SOA
-
What is a Service?
Service
A Service is a discoverable software resource which has a service description. The service description is available for searching, binding and invocation by a service consumer. The service description implementation is realized through a service provider who delivers quality of service requirements for the service consumer. Services can be governed by declarative policies.
Source: IBM SOA Center of Excellence
-
SOA Reference Model
[Figure: SOA reference model. Labels: Operational Systems (Packaged Application, Custom Application, OO Application); Service Components; Services (atomic and composite); Business Process (composition; choreography; business state machines); Consumers (Channel, B2B); Service Provider; Service Consumer; Integration (Enterprise Service Bus); QoS Layer (Security, Management & Monitoring Infrastructure Services); Data Architecture (meta-data) & Business Intelligence; Governance. Legend: Atomic Service, Composite Service, Registry.]
-
SOA: Different things to different people
Roles
- Business: Capabilities that a business wants to expose as a set of services to clients and partner organizations
- Architecture: An architectural style which requires a service provider, requestor and a service description. It addresses characteristics such as loose coupling, reuse and simple and composite implementations.
- Implementation: A programming model complete with standards, tools, methods and technologies such as Web services
- Operations: A set of agreements among service requestors and service providers that specify the quality of service and identify key business and IT metrics.
[Figure: IBM IT Service Management - IT Process Management; IT Process Management Products; IT Service Management Platform; Best Practices; IT Operational Management Products]
-
Web Services do NOT equal SOA
The two are not the same thing:
- Many of today's production Web Services systems aren't service oriented architectures
  - they're simple remote procedure calls or point-to-point messaging via SOAP or well structured integration architectures
- Many of today's production service oriented architectures don't primarily use Web Services
  - they use ftp, batch files, asynchronous messaging etc. - mature technologies
- SOA and web services are not the answer to every situation - don't use it as the hammer
- Maximizing the benefits of SOA and Web Services requires both SOA and Web Services
-
Best Practices
Patterns to follow
-
Iterative SOA Adoption
Two Primary Roadmap Perspectives
- Strategic Vision
  - Business and IT statement of direction which can be used as a guideline for decision making, organizational buy-in, standards adoption
- Project Plans
  - Implementation projects to meet immediate needs of the current business drivers
[Figure: Revenue and Profit against Time. Labels: Strategic Vision; Market Return through Transformation; Incremental Approximation]
SOA Goal
Market return through transformation: quicker time to production, lower costs, competitive differentiation
-
Iterative SOA Adoption
[Figure labels: Project 1, Project 2, Project n; COE; ESB; GUI, GW, BPE; Svc, Svc, Svc; Governance]
-
The Basics
- Identify services based on business value, e.g. SOMA
  - e.g. PayPartnerCreditCard vs. ProcessBatchCCPayments
  - Business task vs. Implementation option
- No implementation details in the interface
  - if needed transmit out of band, e.g. headers
- Use DTO (Data Transfer Object) or equivalent
- Standards based interface, e.g. WSDL
- Stateless
- Granularity - not too fine, not too coarse
  - Does the service do too much? i.e. used by more than one different business task
  - Does it do too little? i.e. business task uses multiple services to complete
- Effective naming using terms understood by the business
-
Sticking to the Standards
- Embrace the appropriate use of standards
- Choose levels of standards based on comfort level with new technologies
- Key standards: SOAP, WSDL, HTTP, XML
- Follow WS-I slavishly
-
Getting too far ahead of the curve
Problem: Customers often want to adopt Web Services standards before they are ready in their products
Story
1. Super security
- One customer decided to go with HMAC-SHA1 authentication because it was supported in their middleware platform (WebSphere)
- At a meeting with their partner organisations everyone nodded their approval to the security proposal
- 1 week before delivery we found out that the partners were going to fail to deliver because they were still trying to understand how to implement the security protocol
2. WS-Addressing
- One customer we've encountered really wanted to use WS-Addressing for asynchronous web services.
- They found the ETTK implementation and then folded that into their implementation
- Then they found in the last stages of their project that not only was the ETTK not supported, but that the code wouldn't even run on the target platform (WebSphere on z/OS)
-
Getting too far ahead of the curve
Guidance
- Look at what's currently supported in your middleware platform
- Adopt technology based on its value
- Balance interoperability with non-functional requirements
-
Securing Appropriately
Web Services present an avenue for intrusion by hackers. They also create brand new security issues of their own (XML threats)
How do we fix it?
- Enable Application Server-level (J2EE) Security
- Secure your Web Services with WS-Security following the WS-I Basic Security Profile
- Use alternative mechanisms (HTTPS/BASIC-AUTH) if necessary
- Use a DataPower XS40 appliance
-
Wirespeed Appliance Purpose-Built for SOA Security
XS40's Comprehensive Functionality
- XML/SOAP Firewall - Filter on any content, metadata or network variables
- Data Validation - Approve incoming/outgoing XML and SOAP at wirespeed
- Field Level XML Security - Encrypt & sign individual fields, non-repudiation
- Support for WS-Security Standards - compliance with WS-I Basic Security Profile
- XML Web Services Access Control - SAML, LDAP, RADIUS, etc.
- XML Threat Protection - Namespace attacks, SQL Injection attacks, etc.
- Web Services Management - Web services proxy, SLM
- Service Virtualization - Mask backend resources
- Configuration & Administration - Ease of use, Integration for Management
"DataPower has strong integration for security and management. All of this adds up to the strongest overall current feature set." - Forrester Research
"the XS40 is an XML-security powerhouse" - Network Computing
"The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed and no rotating media." - InfoWorld
-
Securing Appropriately
Why do we get this wrong?
- Lack of understanding of security principles, Web Services Security and WebSphere's security implementation options
Story:
- One customer had hand-written authentication and authorization on their web site but didn't realize that they were also making their web services (for internal use only) globally accessible too
-
Plan for Expansion
You always want to assume that your services will
- Move over time to other servers
- Migrate over time (change functionality)
- Expand over time (need new capacity)
You need to virtualize your services
- Trick 1: Use a repository like WSRR to contain the latest address of services
- Trick 2: Use an ESB capable of intelligent routing and handling untyped services
- Trick 3: Establish an SOA COE
-
What is an Enterprise Service Bus (ESB)?
Flexible connectivity infrastructure for integrating applications and services to power your SOA
- CONVERTING transport protocols between requestor and service
- ROUTING messages between services
- TRANSFORMING message format between requestor and service
- HANDLING business events
[Figure legend: Color = Data type; Shape = Protocol]
-
ESB Pattern Walk Through
[Figure: Enterprise Service Bus between Service Consumers and Service Providers. Component labels: Portal, Web Site, J2EE Application, WSGW, EDI, Business Process Engine, CRM, Legacy Application, Database. Message labels: Customer, Start Process.]
-
Expanded View of the Enterprise Service Bus
[Figure labels: Interaction, Process, Information, Partner, Business App, Access Services; IT Management Services; Business Logic; Security Management; Enterprise Service Bus (Message Models, Message Flows, Transport Protocols, Interaction Patterns, Mediation Patterns); Registry]
-
Service repository
Issues
- How is Service-related information governed (stored, managed and maintained, accessed)?
- How do Service Requesters determine which Services to use?
- How do Service Requesters locate Service endpoints?
- How are they made aware of changes happening? (Notification)
Objectives
- Manage service-related information (interface, service location, additional information such as specification) in a centralized manner
- Provide categorization and versioning capabilities to leverage service-related information
- Provide service requesters with extensive discovery and notification capabilities
Solution
- Design and implement a Service Directory
-
Registry in Composite Application Life Cycle
[Figure labels: Service Registry; life-cycle stages Discover & Describe; Reuse, Model & Build; Configure, Approve, Plan & Deploy; Find/Bind, Invoke, Monitor & Manage; also System z, Domain Models, Existing Service Endpoints, Topologies, Interaction History, Dashboard, Admin Console, Administrator, Integrator]
-
SOA Governance - Create a COE
Plan: Determine scope of governance work
- Prepare and conduct kick off session
  - Scope confirmed
  - Project plan
- Understand current state in SOA
  - Surveys
  - Inventory of current IT processes & mechanisms
  - Inventory of current SOA standards
- Understand business and IT goals for SOA
  - SOA Value Proposition
- Understand current org
  - Org Survey
  - Skills inventory
  - IT Roles and resp
  - Governance mechanisms
Model: Design the SOA Governance Model
- Define Service Ownership Model
  - Service Domains
- Create SOA Governance Process Diagrams
  - SOA IT Processes
- Create initial org model for service orientation
  - Needs and scope
  - SOA CoC model
  - Roles and Responsibilities
  - Org readiness assessment
- Define SOA IT Mechanisms
  - SOA CoC, Process Teams, IT Councils, Others
- Define SOA Transition Plan
Perform: Implementation of the Governance Model
- Initiate the governance transition plan
- Implement the SOA governance processes
- Staff and execute the SOA Centre of Competency
- Initiate the organization model changes
- Launch the communication plan
- Initiate the education and mentoring plans
- Define the SOA standards and guidelines
  - XML Messaging Standard
  - Business Services Technical Guidelines
  - others
Improve: Monitor and Refine Governance Model
- Monitor governance and management
  - Service Planning
  - Service Ownership and Funding
  - Service Modelling
  - Service Implementation
  - Service Management
- Refine the SOA Governance Model
  - SOA Principles
  - SOA IT Processes
  - SOA IT Mechanisms
  - Organizational Model
  - Roles and Responsibilities
  - Skills Needs
  - Integration with Enterprise Architecture
-
Worst Practices
Anti-patterns to avoid
-
Point to Point Interactions
Problem: Replacing middleware with point-to-point Web Services as an integration approach.
Symptoms: Using XML or SOAP over HTTP between applications to effect communication between applications.
Consequences:
- Complexity N*(N-1)
- Tight coupling
- Reduced flexibility
- Increased management, maintenance difficulty and cost
Root Cause: a view that an integration layer, usually called an Enterprise Service Bus (ESB), adds:
- Complicated new technology
- A single point of failure
- Cost (for the ESB software and supporting hardware)
- Reduced performance
Solution: Enterprise Service Bus
-
It's all Greek to me
Problem
- Customers use bottom-up development of Web Services from existing Java beans. They end up with language-specific information (like Vectors or Hashmaps) in the WSDL
Why?
- Lack of understanding of interoperability issues
-
It's all Greek to me
What happens
- Other languages (Visual Basic, C#) can't consume the SOAP produced
How do we fix it?
- Top-down development of WSDL and then generation of Java beans from the WSDL
-
My Message ate my Server
The Problem
- Customers often try to send extremely large messages, or even worse, extremely large opaque (binary) messages over Web Services transports
Why?
- Looking at Web Services as a replacement for EDI or CORBA
- Not understanding the limitations of the technology
-
My Message ate my Server
What happens
- Extremely high processing loads. Low throughput due to immense amounts of time spent parsing.
- High network latency
How do we fix it?
- Trick 1: Don't send redundant information. Consider using compression.
- Trick 2: Don't embed binary in the XML - use SOAP with attachments instead to bypass parsing overhead
- Trick 3: Use out-of-band transmission or the checked baggage pattern to avoid sending large binary files over SOAP/HTTP
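Trick 2 worked through as an added example (not from the original slides): the same binary payload sent as base64 text inside the SOAP body and as a SOAP with Attachments MIME part, with a size cap applied before any XML parsing. The `urn:example:docstore` namespace, the `StoreDocument`/`content` element names, the Content-IDs, the boundary string and the 64 KiB cap are assumptions made for the illustration.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
APP = "urn:example:docstore"         # hypothetical application namespace
BOUNDARY = b"MIME_boundary_example"  # constructed; must not occur in the payload
ENVELOPE_CID = "envelope@example.invalid"  # constructed Content-ID of the XML part
MAX_XML_BYTES = 64 * 1024            # assumed cap on bytes handed to the XML parser


def build_envelope(attrs, text=None):
    """SOAP envelope with one hypothetical <StoreDocument><content> element."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{APP}}}StoreDocument")
    ET.SubElement(req, f"{{{APP}}}content", attrs).text = text
    return ET.tostring(env, encoding="utf-8")


def embedded_request(payload):  # anti-pattern: binary as base64 text inside the XML
    return build_envelope({}, base64.b64encode(payload).decode("ascii"))


def swa_request(payload, cid="doc-1@example.invalid"):
    """SOAP with Attachments body: small envelope part plus a raw binary part."""
    if BOUNDARY in payload:
        raise ValueError("boundary occurs in payload; pick another boundary")
    delim = b"--" + BOUNDARY
    return b"\r\n".join([
        delim, b"Content-Type: text/xml; charset=utf-8",
        b"Content-ID: <" + ENVELOPE_CID.encode() + b">", b"",
        build_envelope({"href": "cid:" + cid}),
        delim, b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: binary",
        b"Content-ID: <" + cid.encode() + b">", b"",
        payload, delim + b"--", b""])


def split_parts(body):  # Content-ID -> raw part bytes; no XML parsing happens here
    parts = {}
    for chunk in (b"\r\n" + body).split(b"\r\n--" + BOUNDARY)[1:-1]:
        head, _, data = chunk.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-id":
                parts[value.strip().strip(b"<>").decode("ascii")] = data
    return parts


def parse_capped(xml):
    """Refuse oversized XML before the parser spends time on it."""
    if len(xml) > MAX_XML_BYTES:
        raise ValueError(f"XML part is {len(xml)} bytes, cap is {MAX_XML_BYTES}")
    node = ET.fromstring(xml).find(f".//{{{APP}}}content")
    if node is None:
        raise ValueError("no <content> element in envelope")
    return node


def receive_embedded(xml):
    return base64.b64decode(parse_capped(xml).text or "")


def receive_swa(body):  # parse only the envelope part, then follow its cid: reference
    parts = split_parts(body)
    href = parse_capped(parts[ENVELOPE_CID]).get("href", "")
    if not href.startswith("cid:") or href[4:] not in parts:
        raise ValueError("envelope does not reference an attached part")
    return parts[href[4:]]
```

With a 256 KiB payload the embedded form grows by a third and is rejected by the cap, while the attachment form hands the parser an envelope of a few hundred bytes and returns the payload byte for byte.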
-
Pardon me, your data is showing
Problem
- Customers try to put Web Services in at the wrong place in their architecture
- Expose Data access (or GUI) through Web Services
Why?
- Misunderstanding of SOA Architectural principles
-
Pardon me, your data is showing
How to fix it
- Apply coarse-grained Web Services in the right place in an architecture
- Use the Session Façade Pattern to expose model-based services
[Figure: layers View, Controller, Domain Model, Data Access, annotated "Web Services exposed here" and "Not here or here"]
-
Schema? We don't need no stinkin' Schema!
Problem
- Customers often put arbitrary XML inside a SOAP envelope and call it a Web Service
Why?
- Trying to reuse existing code
- Misunderstanding of the advantages of Web Services
-
Schema? We don't need no stinkin' Schema!
What happens?
- The XML often has no schema - no chance of validation
- They must parse the XML themselves in the application and the client
What to do?
- Encourage them to create XML Schema and make it part of the WSDL
- Educate them as to the advantages of WSDL
-
Summary
In this talk we've seen:
- SOA and Web Services
- Best Practices to Follow
- Worst Practices to avoid
-
Acknowledgements
Special thanks to those people who have directly or indirectly contributed to this presentation
Kyle Brown
Rachel Reinitz
Arnauld Deprets
Alex Polozoff
Robert Peterson
Paul Gover
Paul Glezen
-
IBM Services for SOA
Obligatory Plug!
-
SOA Offering Roadmap
-
SOA COE Offering
The SOA CoE is a cross-organization IT team that guides IT investment,
design decisions and Implementation towards the strategic shared IT
Solutions targeted by the SOA Vision and Strategy.
Governance
Main Information Dissemination Vehicle for SOA in the Organization
Management Body of the SOA Governance and Management Process
Implementation Body of the SOA Governance and Management Process
Thought Leadership/Visioning
Process
Expert SOA Skills and Resources
Knowledge Management
Harvesting of Assets
Communication
-
Questions?
Ben Thurgood
AP SOA Delivery Leader
IBM Software Group Services
+61-421-012-787
-
Unused Slides
-
Plan for Governance
Governance is the structure of relationships and processes to direct and to control the SOA components in order to achieve the enterprise's goals
The governance model defines:
- What has to be done?
- How is it done?
- Who has the authority to do it?
- How is it measured?
[Figure labels: Processes, People, Technology, Services]
-
IBM SOA Governance and Management Approach
Plan: Determine scope of governance work
- Prepare and conduct kick off session
  - Scope confirmed
  - Project plan
- Understand current state in SOA
  - Surveys
  - Inventory of current IT processes & mechanisms
  - Inventory of current SOA standards
- Understand business and IT goals for SOA
  - SOA Value Proposition
- Understand current org
  - Org Survey
  - Skills inventory
  - IT Roles and resp
  - Governance mechanisms
Model: Design the SOA Governance Model
- Define Service Ownership Model
  - Service Domains
- Create SOA Governance Process Diagrams
  - SOA IT Processes
- Create initial org model for service orientation
  - Needs and scope
  - SOA CoC model
  - Roles and Responsibilities
  - Org readiness assessment
- Define SOA IT Mechanisms
  - SOA CoC, Process Teams, IT Councils, Others
- Define SOA Transition Plan
Perform: Implementation of the Governance Model
- Initiate the governance transition plan
- Implement the SOA governance processes
- Staff and execute the SOA Centre of Competency
- Initiate the organization model changes
- Launch the communication plan
- Initiate the education and mentoring plans
- Define the SOA standards and guidelines
  - XML Messaging Standard
  - Business Services Technical Guidelines
  - others
Improve: Monitor and Refine Governance Model
- Monitor governance and management
  - Service Planning
  - Service Ownership and Funding
  - Service Modelling
  - Service Implementation
  - Service Management
- Refine the SOA Governance Model
  - SOA Principles
  - SOA IT Processes
  - SOA IT Mechanisms
  - Organizational Model
  - Roles and Responsibilities
  - Skills Needs
  - Integration with Enterprise Architecture
-
Organizational and governance best practices
- Partnership between IT and Business
- Need management and funding support at level of adoption
- Establish feedback cycles
- Establish service domains with business stakeholders as owners
- Plan and adapt the system architecture, the development processes, and the organization to the necessities of reuse in a systematic but incremental fashion.
- Directly address organization culture using champions.
- Ensure that the roles are defined for the creation of reusable services, reuse of services in applications, the support of services, and the refactoring of services.
- Have an exception process
- Establish a Center of Excellence