BTWebServicesBestAndWorstPractices


Transcript of BTWebServicesBestAndWorstPractices

  • 8/2/2019 BTWebServicesBestAndWorstPractices

    1/45

    2007 ACS Web Services SIG

    17 May 2007

    1

SOA and Web Services Best and Worst Practices

Ben Thurgood, Asia Pacific SOA Delivery Leader

IBM Software Group Services

[email protected]


Agenda

- SOA and Web Services
- Best Practices
  - Iterative Adoption
  - The Basics
  - Sticking to the standards
  - Securing appropriately
  - Planning for expansion
  - Planning for Governance
- Worst Practices
  - Point to Point Services
  - Bottom-up Development (or "It's all Greek to me")
  - The message that ate my server
  - Pardon me, your data is showing
  - Schema? We don't need no stinkin' schema!


    SOA and Web Services


What is ..?

- a service? A repeatable business task, e.g. check customer credit; open new account
- service orientation? A way of integrating your business as linked services
- service oriented architecture (SOA)? An IT architectural style that supports service orientation
- a composite application? A set of related and integrated services that support a business process, built on an SOA


    What is a Service?

A Service is a discoverable software resource which has a service description. The service description is available for searching, binding and invocation by a service consumer. The service description implementation is realized through a service provider who delivers quality of service requirements for the service consumer. Services can be governed by declarative policies.

Source: IBM SOA Center of Excellence


SOA Reference Model

(diagram, text only partly recoverable) Horizontal layers, top to bottom: Consumers (Channel, B2B); Business Process (composition; choreography; business state machines); Services, atomic and composite, with a Service Registry; Service Components; Operational Systems (Packaged Application, Custom Application, OO Application). Vertical, cross-cutting layers: Integration (Enterprise Service Bus); QoS Layer (Security, Management & Monitoring Infrastructure Services); Data Architecture (meta-data) & Business Intelligence; Governance. The Service Consumer and Service Provider roles are marked on either side of the stack.


SOA: Different things to different people

- Implementation: A programming model complete with standards, tools, methods and technologies such as Web services.
- Business: Capabilities that a business wants to expose as a set of services to clients and partner organizations.
- Architecture: An architectural style which requires a service provider, requestor and a service description. It addresses characteristics such as loose coupling, reuse and simple and composite implementations.
- Operations: A set of agreements among service requestors and service providers that specify the quality of service and identify key business and IT metrics.

(diagram: the four views are grouped under "Roles"; the Operations view is illustrated with the IBM IT Service Management stack: IT Process Management products, IT Service Management Platform, Best Practices, IT Operational Management products)


Web Services do NOT equal SOA

The two are not the same thing:

- Many of today's production Web Services systems aren't service oriented architectures; they're simple remote procedure calls or point-to-point messaging via SOAP, or well-structured integration architectures.
- Many of today's production service oriented architectures don't primarily use Web Services; they use FTP, batch files, asynchronous messaging etc., i.e. mature technologies.
- SOA and web services are not the answer to every situation: don't use them as the hammer.
- To maximize the benefits of SOA and Web Services you need both SOA and Web Services.


    Best Practices

    Patterns to follow


Iterative SOA Adoption

Two primary roadmap perspectives:

- Strategic Vision: business and IT statement of direction which can be used as a guideline for decision making, organizational buy-in and standards adoption
- Project Plans: implementation projects to meet the immediate needs of the current business drivers

(chart: revenue and profit against time; the strategic vision points at the SOA goal, market return through transformation, while the project plans approach it by incremental approximation)

Market return through transformation: quicker time to production, lower costs, competitive differentiation.


Iterative SOA Adoption

(diagram: Project 1, Project 2 ... Project n, each delivering services (Svc) on shared GUI, GW and BPE layers over the ESB, with the COE and Governance spanning all projects)


The Basics

- Identify services based on business value, e.g. using SOMA; e.g. PayPartnerCreditCard vs. ProcessBatchCCPayments (business task vs. implementation option)
- No implementation details in the interface; if needed, transmit them out of band, e.g. in headers
- Use a DTO (Data Transfer Object) or equivalent
- Standards-based interface, e.g. WSDL
- Stateless
- Granularity: not too fine, not too coarse. Does the service do too much? (i.e. it is used by more than one different business task) Does it do too little? (i.e. a business task uses multiple services to complete)
- Effective naming, using terms understood by the business


Sticking to the Standards

- Embrace the appropriate use of standards
- Choose levels of standards based on comfort level with new technologies
- Key standards: SOAP, WSDL, HTTP, XML
- Follow WS-I slavishly


Getting too far ahead of the curve

Problem: Customers often want to adopt Web Services standards before they are ready in their products.

Story

1. Super security
   - One customer decided to go with HMAC-SHA1 authentication because it was supported in their middleware platform (WebSphere)
   - At a meeting with their partner organisations everyone nodded their approval to the security proposal
   - 1 week before delivery we found out that the partners were going to fail to deliver because they were still trying to understand how to implement the security protocol

2. WS-Addressing
   - One customer we've encountered really wanted to use WS-Addressing for asynchronous web services.
   - They found the ETTK implementation and then folded that into their implementation
   - Then they found in the last stages of their project that not only was the ETTK not supported, but that the code wouldn't even run on the target platform (WebSphere on z/OS)


Getting too far ahead of the curve

Guidance

- Look at what's currently supported in your middleware platform
- Adopt technology based on its value
- Balance interoperability with non-functional requirements


Securing Appropriately

Web Services present an avenue for intrusion by hackers. They also create brand new security issues of their own (XML threats).

How do we fix it?

- Enable application server-level (J2EE) security
- Secure your Web Services with WS-Security, following the WS-I Basic Security Profile
- Use alternative mechanisms (HTTPS/BASIC-AUTH) if necessary; BASIC-AUTH credentials are only base64-encoded, so they must only ever travel over HTTPS
- Use a DataPower XS40 appliance


XS40's Comprehensive Functionality: Wirespeed Appliance Purpose-Built for SOA Security

- XML/SOAP Firewall: filter on any content, metadata or network variables
- Data Validation: approve incoming/outgoing XML and SOAP at wirespeed
- Field Level XML Security: encrypt & sign individual fields, non-repudiation
- Support for WS-Security Standards: compliance with WS-I Basic Security Profile
- XML Web Services Access Control: SAML, LDAP, RADIUS, etc.
- XML Threat Protection: namespace attacks, SQL injection attacks, etc.
- Web Services Management: Web services proxy, SLM
- Service Virtualization: mask backend resources
- Configuration & Administration: ease of use, integration for management

"DataPower has strong integration for security and management. All of this adds up to the strongest overall current feature set." - Forrester Research

"... the XS40 is an XML-security powerhouse" - Network Computing

"The DataPower [XS40] ... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed and no rotating media." - InfoWorld


Securing Appropriately

Why do we get this wrong?

- Lack of understanding of security principles, Web Services Security and WebSphere's security implementation options

Story: One customer had hand-written authentication and authorization on their web site but didn't realize that they were also making their web services (for internal use only) globally accessible too.
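As an added example (not code from the presentation, from WebSphere or from IBM), the following Python WSGI middleware shows the container-level pattern the "Enable application server-level security" and "HTTPS/BASIC-AUTH" points describe, and what the story above lacked: one guard in front of every path, so a login form on the web site cannot be bypassed by posting straight to /services/... . It refuses to look at Basic credentials unless the request arrived over HTTPS, because Basic credentials are only base64-encoded, and it compares passwords in constant time. The USERS store, the credential, the echo_service endpoint and the request paths are constructed for the example; a real deployment would bind the check to the application server's user registry and keep password hashes rather than clear text.

```python
"""Container-level Basic-auth guard for SOAP endpoints: an added example."""
import base64
import binascii
import hmac

# Constructed credential store for the example (user name -> password).
# A real deployment would use the application server's user registry and
# store password hashes, never clear-text passwords.
USERS = {"svc-partner": "correct horse battery staple"}

# SOAP 1.1 fault body returned for rejected calls; %s takes the fault string.
SOAP_FAULT = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>'
    b'<faultstring>%s</faultstring></soapenv:Fault></soapenv:Body>'
    b'</soapenv:Envelope>'
)


def check_basic_auth(header, users=USERS):
    """Return the user name carried by a valid Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = users.get(user)
    # Constant-time comparison, run even for unknown users so the response
    # time does not reveal which user names exist.
    matched = hmac.compare_digest((expected or "").encode(), password.encode())
    return user if matched and expected is not None else None


def require_basic_auth(app, users=USERS, realm="services"):
    """WSGI middleware: every request on every path must arrive over HTTPS and
    carry valid Basic credentials, or it is answered with a SOAP fault."""
    xml = ("Content-Type", "text/xml; charset=utf-8")

    def guarded(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Basic credentials are only base64-encoded: refuse them in clear text.
            start_response("403 Forbidden", [xml])
            return [SOAP_FAULT % b"HTTPS required"]
        user = check_basic_auth(environ.get("HTTP_AUTHORIZATION"), users)
        if user is None:
            start_response("401 Unauthorized",
                           [xml, ("WWW-Authenticate", 'Basic realm="%s"' % realm)])
            return [SOAP_FAULT % b"Authentication required"]
        environ["REMOTE_USER"] = user
        return app(environ, start_response)

    return guarded


def echo_service(environ, start_response):
    """Stand-in for the real SOAP endpoint (constructed): echoes the caller."""
    start_response("200 OK", [("Content-Type", "text/xml; charset=utf-8")])
    return [b"<ok>" + environ["REMOTE_USER"].encode() + b"</ok>"]


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def call(app, path, scheme="https", authorization=None):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = require_basic_auth(echo_service)
    good = basic_header("svc-partner", "correct horse battery staple")
    print(call(app, "/services/CheckCredit"))                                    # 401
    print(call(app, "/services/CheckCredit", scheme="http", authorization=good))  # 403
    print(call(app, "/services/CheckCredit", authorization=good))                # 200
```

The point of wrapping the whole application rather than individual pages is that there is no path the guard does not see: the internal-only services in the story would have been rejected by the same code that protects the web site. The HTTPS check reads wsgi.url_scheme, which behind a TLS-terminating proxy must be set from the proxy's forwarded scheme, otherwise every request looks like plain HTTP.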


Plan for Expansion

You always want to assume that your services will:

- Move over time to other servers
- Migrate over time (change functionality)
- Expand over time (need new capacity)

You need to virtualize your services:

- Trick 1: Use a repository like WSRR to contain the latest address of services
- Trick 2: Use an ESB capable of intelligent routing and of handling untyped services
- Trick 3: Establish an SOA COE


What is an Enterprise Service Bus (ESB)?

Flexible connectivity infrastructure for integrating applications and services to power your SOA:

- CONVERTING transport protocols between requestor and service
- ROUTING messages between services
- TRANSFORMING message format between requestor and service
- HANDLING business events

(diagram legend: colour = data type, shape = protocol)


ESB Pattern Walk Through

(diagram: service consumers (Portal, Web Site, J2EE Application, WSGW, EDI) and service providers (Business Process Engine, CRM, Legacy Application, Database) connected through the Enterprise Service Bus; "Customer" and "Start Process" messages are shown flowing across the bus)


Expanded View of the Enterprise Service Bus

(diagram: Interaction, Process, Information, Partner, Business App and Access Services sit above the bus, alongside IT Management Services; Business Logic and Security Management are shown beside it; inside the Enterprise Service Bus are Message Models, Message Flows, Transport Protocols, Interaction Patterns, Mediation Patterns and the Registry)


Service repository

Issues

- How is Service-related information governed (stored, managed and maintained, accessed)?
- How do Service Requesters determine which Services to use?
- How do Service Requesters locate Service endpoints?
- How are they made aware of changes happening? (Notification)

Objectives

- Manage service-related information (interface, service location, additional information such as specification) in a centralized manner
- Provide categorization and versioning capabilities to leverage service-related information
- Provide service requesters with extensive discovery and notification capabilities

Solution

- Design and implement a Service Directory


Registry in Composite Application Life Cycle

(diagram: the Service Registry at the centre holds Domain Models, Existing Service Endpoints, Topologies and Interaction History; around it run the life-cycle stages Discover & Describe; Reuse, Model & Build; Configure, Approve, Plan & Deploy; Find/Bind, Invoke, Monitor & Manage; the Administrator works through an Admin Console and Dashboard, and the Integrator and System z are also shown)


SOA Governance: Create a COE

Plan (determine scope of governance work)

- Prepare and conduct kick-off session: scope confirmed; project plan
- Understand current state in SOA: surveys; inventory of current IT processes & mechanisms; inventory of current SOA standards
- Understand business and IT goals for SOA: SOA value proposition
- Understand current org: org survey; skills inventory; IT roles and responsibilities; governance mechanisms

Model (design the SOA Governance Model)

- Define Service Ownership Model: service domains
- Create SOA Governance process diagrams: SOA IT processes
- Create initial org model for service orientation: needs and scope; SOA CoC model; roles and responsibilities; org readiness assessment
- Define SOA IT mechanisms: SOA CoC, process teams, IT councils, others
- Define SOA transition plan

Perform (implementation of the Governance Model)

- Initiate the governance transition plan
- Implement the SOA governance processes
- Staff and execute the SOA Centre of Competency
- Initiate the organization model changes
- Launch the communication plan
- Initiate the education and mentoring plans
- Define the SOA standards and guidelines: XML messaging standard; business services technical guidelines; others

Improve (monitor and refine the Governance Model)

- Monitor governance and management: service planning; service ownership and funding; service modelling; service implementation; service management
- Refine the SOA Governance Model: SOA principles; SOA IT processes; SOA IT mechanisms; organizational model; roles and responsibilities; skills needs; integration with enterprise architecture


    Worst Practices

    Anti-patterns to avoid


Point to Point Interactions

Problem: Replacing middleware with point-to-point Web Services as an integration approach.

Symptoms: Using XML or SOAP over HTTP between applications to effect communication between applications.

Consequences:

- Complexity N*(N-1)
- Tight coupling
- Reduced flexibility
- Increased management, maintenance difficulty and cost

Root Cause: a view that an integration layer, usually called an Enterprise Service Bus (ESB), adds:

- Complicated new technology
- A single point of failure
- Cost (for the ESB software and supporting hardware)
- Reduced performance

Solution: Enterprise Service Bus


It's all Greek to me

Problem: Customers use bottom-up development of Web Services from existing Java beans. They end up with language-specific information (like Vectors or HashMaps) in the WSDL.

Why? Lack of understanding of interoperability issues.


It's all Greek to me

What happens: Other languages (Visual Basic, C#) can't consume the SOAP produced.

How do we fix it? Top-down development of the WSDL and then generation of the Java beans from the WSDL.


My Message ate my Server

The Problem: Customers often try to send extremely large messages, or even worse, extremely large opaque (binary) messages over Web Services transports.

Why?

- Looking at Web Services as a replacement for EDI or CORBA
- Not understanding the limitations of the technology


My Message ate my Server

What happens: Extremely high processing loads. Low throughput due to immense amounts of time spent parsing. High network latency. The same parsing cost is available to anyone who can reach the endpoint, so whatever you agree with partners, also enforce a message size limit on the receiving side.

How do we fix it?

- Trick 1: Don't send redundant information. Consider using compression.
- Trick 2: Don't embed binary in the XML; use SOAP with Attachments instead, to bypass the parsing overhead.
- Trick 3: Use out-of-band transmission or the "checked baggage" pattern to avoid sending large binary files over SOAP/HTTP.
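An added example (not from the presentation or from any IBM product) of the receiving-side check that the "XML threats" point under Securing Appropriately and the parsing-load problem above both call for, written in Python against the standard library's expat parser. It reads the message in chunks and rejects it at the first violated limit: an upper bound on bytes, on element nesting depth and on element count, a ban on DOCTYPE (which is where entity-expansion bombs and external entities come from), and a check that the root really is a SOAP 1.1 or 1.2 Envelope. The SoapGuard name, the limit values and the sample messages are constructed for the example.

```python
"""Streaming size, depth and DOCTYPE guard for inbound SOAP messages: an added example."""
import io
import xml.parsers.expat

# Envelope namespaces for SOAP 1.1 and SOAP 1.2.
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}


class MessageRejected(Exception):
    """Raised as soon as a message breaks one of the limits."""


class SoapGuard:
    """Read the message in chunks and stop at the first violated limit, so an
    oversized or hostile message is dropped before it has been fully parsed."""

    def __init__(self, max_bytes=1_000_000, max_depth=32, max_elements=10_000):
        self.max_bytes = max_bytes          # cap on the wire size
        self.max_depth = max_depth          # cap on element nesting
        self.max_elements = max_elements    # cap on total element count

    def check(self, stream, chunk_size=8192):
        """Return a small summary dict for an acceptable message; raise otherwise."""
        depth = elements = seen_bytes = 0
        root = None
        # With a separator set, element names arrive as "namespace}local".
        parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

        def start(name, attrs):
            nonlocal depth, elements, root
            depth += 1
            elements += 1
            if depth > self.max_depth:
                raise MessageRejected(f"nesting deeper than {self.max_depth}")
            if elements > self.max_elements:
                raise MessageRejected(f"more than {self.max_elements} elements")
            if root is None:
                root = name
                ns, _, local = name.rpartition("}")
                if ns not in SOAP_ENVELOPE_NS or local != "Envelope":
                    raise MessageRejected(f"root is not a SOAP Envelope: {name}")

        def end(name):
            nonlocal depth
            depth -= 1

        def doctype(*_):
            # Entity-expansion bombs and external entities both need a DTD;
            # a SOAP message never legitimately carries one.
            raise MessageRejected("DOCTYPE not allowed")

        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.StartDoctypeDeclHandler = doctype

        try:
            while True:
                chunk = stream.read(chunk_size)
                if not chunk:
                    break
                seen_bytes += len(chunk)
                # Size is checked before the chunk reaches the parser.
                if seen_bytes > self.max_bytes:
                    raise MessageRejected(f"message larger than {self.max_bytes} bytes")
                parser.Parse(chunk, False)
            parser.Parse(b"", True)
        except xml.parsers.expat.ExpatError as exc:
            raise MessageRejected(f"malformed XML: {exc}") from exc
        return {"bytes": seen_bytes, "elements": elements}


def guard_bytes(data, **limits):
    """Run the guard over an in-memory message."""
    return SoapGuard(**limits).check(io.BytesIO(data))


def reject_reason(data, **limits):
    """Return the rejection message, or None when the message is accepted."""
    try:
        guard_bytes(data, **limits)
        return None
    except MessageRejected as exc:
        return str(exc)


# Constructed sample messages.
SOAP11 = b'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
GOOD = (b'<?xml version="1.0"?><soapenv:Envelope ' + SOAP11 + b'><soapenv:Body>'
        b'<CheckCredit><customerId>42</customerId></CheckCredit>'
        b'</soapenv:Body></soapenv:Envelope>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
        b'<soapenv:Envelope ' + SOAP11 + b'><soapenv:Body>&lol2;</soapenv:Body>'
        b'</soapenv:Envelope>')
DEEP = (b'<soapenv:Envelope ' + SOAP11 + b'><soapenv:Body>' + b'<a>' * 100 +
        b'</a>' * 100 + b'</soapenv:Body></soapenv:Envelope>')
NOT_SOAP = b'<order><item>1</item></order>'

if __name__ == "__main__":
    print(guard_bytes(GOOD))
    for sample in (BOMB, DEEP, NOT_SOAP):
        print(reject_reason(sample))
    print(reject_reason(GOOD, max_bytes=50))
```

The byte limit is applied before each chunk is handed to the parser, so a multi-megabyte upload is refused at the first chunk past the limit rather than after it has been read and parsed; the depth and element caps bound the work the parser does on a well-formed but deliberately pathological document. For binary payloads the attachment and out-of-band approaches above avoid the parse altogether, and this guard is what stands in front of the XML that remains.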


Pardon me, your data is showing

Problem: Customers try to put Web Services in at the wrong place in their architecture; they expose data access (or the GUI) through Web Services.

Why? Misunderstanding of SOA architectural principles.


Pardon me, your data is showing

How to fix it:

- Apply coarse-grained Web Services in the right place in an architecture
- Use the Session Façade pattern to expose model-based services

(diagram: View, Controller, Domain Model, Data Access; Web Services are exposed at the Domain Model, through the session façade, and not at the View/Controller or at Data Access)


Schema? We don't need no stinkin' Schema!

Problem: Customers often put arbitrary XML inside a SOAP envelope and call it a Web Service.

Why?

- Trying to reuse existing code
- Misunderstanding of the advantages of Web Services


Schema? We don't need no stinkin' Schema!

What happens?

- The XML often has no schema, so there is no chance of validation
- They must parse the XML themselves, in the application and in the client

What to do?

- Encourage them to create an XML Schema, make it part of the WSDL, and validate inbound messages against it at the service boundary rather than only in the client
- Educate them as to the advantages of WSDL


Summary

In this talk we've seen:

- SOA and Web Services
- Best Practices to follow
- Worst Practices to avoid


Acknowledgements

Special thanks to those people who have directly or indirectly contributed to this presentation:

- Kyle Brown
- Rachel Reinitz
- Arnauld Deprets
- Alex Polozoff
- Robert Peterson
- Paul Gover
- Paul Glezen


    IBM Services for SOA

    Obligatory Plug!


SOA Offering Roadmap

(roadmap diagram; only the "SOA COE Offering" label is legible)


SOA COE Offering

The SOA CoE is a cross-organization IT team that guides IT investment, design decisions and implementation towards the strategic shared IT solutions targeted by the SOA Vision and Strategy.

- Governance
- Main information dissemination vehicle for SOA in the organization
- Management body of the SOA Governance and Management Process
- Implementation body of the SOA Governance and Management Process
- Thought leadership/visioning
- Process: expert SOA skills and resources
- Knowledge management: harvesting of assets
- Communication


    Questions?

    Ben Thurgood

    AP SOA Delivery Leader

    IBM Software Group Services

    [email protected]

    +61-421-012-787


    Unused Slides

    Plan for Governance


Plan for Governance

Governance is the structure of relationships and processes to direct and to control the SOA components in order to achieve the enterprise's goals.

The governance model defines:

- What has to be done?
- How is it done?
- Who has the authority to do it?
- How is it measured?

(diagram: Processes, People, Technology, Services)

IBM SOA Governance and Management Approach

(This slide repeats, unchanged, the Plan / Model / Perform / Improve table already given under "SOA Governance Create a COE" above.)


Organizational and governance best practices

- Partnership between IT and Business
- Need management and funding support at the level of adoption
- Establish feedback cycles
- Establish service domains with business stakeholders as owners
- Plan and adapt the system architecture, the development processes, and the organization to the necessities of reuse in a systematic but incremental fashion
- Directly address organization culture using champions
- Ensure that the roles are defined for the creation of reusable services, the reuse of services in applications, the support of services, and the refactoring of services
- Have an exception process
- Establish a Center of Excellence