Software Group SOA Governance Runtime Tools In Action based on the IBM SOA Governance at Runtime PoT...


Page 1

Software Group

SOA Governance Runtime Tools In Action
based on the “IBM SOA Governance at Runtime PoT”
(PoT = Proof of Technology – A free IBM Hands-on Workshop)

[email protected], Sr. Consulting Developer/Architect

IBM Certified SW IT Specialist, WebSphere Integration Solution Architect
SOA, Web2.0, Social Software & Development Tools Evangelist

Go to http://JavaSOA.com for presentations, demos, tutorials and other resources

Download the demo files and place them in the same directory as the presentation, then use the gold demo buttons at the top of the slides while in slide show mode.
ftp://ftp.software.ibm.com/software/websphere/JavaDevTools/Demos/IBMSW/Governance/Big6-Gov-at-Runtime-Scenarios/

(Big6-Scenario1.avi thru Big6-Scenario6.avi)

Page 2

Agenda

What is SOA Governance and the “Governance at Runtime PoT”?

SOA Governance at Runtime Scenarios

1. Analysis of Running Services
2. Dynamic Selection: Quality of Service
3. Dynamic Selection: Message Content or Version
4. Federated Identity Management & Credential Propagation
5. Service Level Management
6. Security Gateway

Wrap-up

Page 3

What do Non-IT Business Stakeholders hear?

Page 4

A scenario on the importance of SOA governance - Step 1

(Diagram: the Accounting department's App. 1 and App. 2 call a Currency conversion service.)

1. Provide a currency service that fills a specific line of business (LOB)

* Scenario from Introduction to SOA Governance, Bobby Woolf.

Page 5

A scenario on the importance of SOA governance - Step 2

(Diagram: Order fulfillment, Sales, Purchasing and Legal now also call the Accounting department's Currency conversion service.)

2. Other LOBs start using the service

Page 6

A scenario on the importance of SOA governance - Step 3

3. LOBs increase use of services / quality suffers

Page 7

A scenario on the importance of SOA governance - Step 3

(Diagram: the same picture, with failing service calls marked “x”.)

Page 8

A scenario on the importance of SOA governance - Step 4

4. Service is fixed at provider’s expense

Page 9

A scenario on the importance of SOA governance - Step 5

5. Fix works temporarily but problem reappears

(Diagram: failing service calls are marked “x” again.)

Page 10

A scenario on the importance of SOA governance - Step 6

6. Maintenance costs soar / provider ends service

Page 11

What do Business AND IT Stakeholders need to make SOA work well?

Page 12

SGIP© - SOA Governance Implementation Pattern

(Diagram: the governance activities below are laid out across three layers, Strategy, Tactics and Operation, and grouped under these domains: Strategy & Ownership; Organization & Planning; SOA Project Management; Service Modeling; Service Creation & Unit Testing; Service Integration & Deployment; Service Operations & Management; Services Security Design; Security Management.)

Activities:

● SOA Service Certification
● Services Build Process
● Validation, Design Review & Code Walkthroughs
● Functional & Non-Functional Requirement Compliance Testing
● SOA Development Tools & Training
● Regulatory Compliance
● Additional Roles & Responsibilities for SOA
● Services Registry
● Continuous Process & Organization Improvement
● Project Alignment with Business & IS Goals
● Requirements Gathering & Prioritization
● SLA Definition
● SLA Compliance Monitoring
● Infrastructure Platform Components & Release Cycle
● Capacity Planning
● Business Value & Reuse Validation
● SOA Business Case
● Services Ownership & Funding
● Requirements of Internal/External Service Consumers
● SOA Vendor Selection & Management
● Reuse vs. Build vs. Buy Services Decisions
● Project Planning & Estimating
● Project Execution & Monitoring
● SOA Development Approach
● IS/IT & Business Alignment
● SOA Education
● Validation Processes & Methodology
● End-to-End Service Production Process Monitoring
● Services Selection & Prioritization
● Services Granularity, Visibility & Accessibility
● Enterprise Business Data Models
● Design Reviews & Deployment options
● Services Design Process
● Services Assembly & Orchestration
● Deployment Options
● Configuration/Build Management
● Services Registry & Version Management
● Services Architectural Options
● “Expose as Service” vs. “keep as Application” Decisions
● Acceptance
● Services Portfolio Approvals
● Enterprise Business Process Models
● Project Business Case

Callouts on this slide:

● Define an optimal model for service ownership and funding that encourages reuse
● Justify the overall migration to SOA
● Measure the benefits of SOA
● Validate accuracy and completeness of the aspects of the Enterprise Data Model that relate to SOA
● Model the AS-IS and TO-BE business processes, optimize/re-engineer…include simulation and rich business case development.

SOA Governance Implementation Patterns ©

Page 13

SOA Governance Implementation Patterns ©

SGIP© - SOA Governance Implementation Pattern ©

(Diagram: the same SGIP activity grid as on page 12, with the four activities governed at runtime called out:)

● Enforce the correct execution metrics for every service invocation

● Services correctly implement security decisions for authentication, authorization, auditing, transport security, threat protection

● Validate that services are configured to use the infrastructure most effectively

● Validate the quality and accuracy of the contents in the service registry, and ensure version management is carried out effectively

Page 14

Examples of Governance Aspects Implementations

Governance Aspect (and the SGIP strategy it belongs to):

● Validate the quality and accuracy of the contents in the service registry; version management is carried out effectively (Strategy: Services Registry & Version Management)

● Enforce the correct execution metrics for every service invocation (Strategy: SLA Compliance Monitoring)

● Validate that services are configured to use the infrastructure most effectively (Strategy: Deployment Options)

● Services correctly implement security decisions for authentication, authorization, auditing, transport security, threat protection (Strategy: Security Management)

Mechanism (Lab):

1. Reconcile registered vs. running services
2. Dynamic Endpoint Resolution based on QoS
3. Dynamic Endpoint Resolution based on message content and synchronization
4. Federated identity management with credential propagation
5. Service Level Management
6. Security Gateway

Page 15

Scenario 1 - Analysis of Running Services

How Do I …

● Understand where services are and what they do?

● Visualize which services are running and used?

● Ensure approved and deployed services are used?

Solution

● Register all available services that have passed established guidelines

● Audit running services for compliance with service registration

● Monitor and report which services are running and where

Components: Services Manager, Services Registry and Repository

● WSRR to register and store metadata for services

● ITCAM for SOA to monitor the runtime environment; TEP to display information from the registry and monitor

Demo

Page 16

Scenario 2 - Dynamic Selection: Quality of Service

How Do I …

● Determine which services are meeting response time goals?

● Only use the services that meet goals without manual selection?

● Add and remove services from production without disruption?

Solution

● Monitor and report endpoint performance and availability

● ‘Flag’ services not meeting response time goal as ‘unavailable’

● Route requests to ‘available’ service endpoints -- no manual intervention

Components: Services Registry and Repository, Services Manager, ESB

● WSRR to store metadata and allow creation and change of custom properties

● ITCAM for SOA to monitor service endpoint response time and availability

● WESB for dynamic request routing

Demo

Page 17

Scenario 3 - Dynamic Selection: Message Content or Version

How Do I …

● Automatically select a service based on business rules, such as a ‘credit verification’ service, based on account limit?

● Ensure that there is no production disruption when changing service versions?

Solution

● Route to services based on information in the message

● Resolve endpoints when changing service versions

Components: Services Registry and Repository, ESB

● WSRR to store service metadata

● DataPower to parse message content and route requests accordingly

● DataPower to automatically resolve endpoints for changing versions of services registered in WSRR

Demo

Page 18

Scenario 4 - Federated Identity Mgmt & Credential Propagation

How Do I …

● Allow customers, partners, agencies and suppliers access to internal information – only specific to them?

● Provide a single sign-on despite multiple authentication and authorization systems?

Solution

● Map identities between different authentication and authorization systems, providing single sign-on

● Users only view information relative to their own agency

● Provide secure application interaction via web services

Components: Federated Identity Manager

● Tivoli Federated Identity Manager used to map identities between different systems with single sign-on

Demo

Page 19

Scenario 5 - Service Level Management

How Do I …

● Determine if requests are overwhelming services and causing poor performance?

● Create a ‘governor’ that enforces the volume limits for services?

Solution

● Monitor service throughput

● Enforce throughput thresholds and prevent requests from overwhelming services

Components: Services Manager, ESB

● ITCAM for SOA as an Enterprise Level Management solution

● DataPower as a Service Level Management solution

Demo

Page 20

Scenario 6 - Security Gateway

How Do I …

● Prevent security threats from external access?

● Authenticate, authorize, and audit call center requests for customer information?

Solution

● Enforce security policies at runtime

● Inspect requests for denial-of-service attacks and SQL injection

● Ensure response integrity, confidentiality and non-repudiation

Components: Services Manager, Security Gateway

● DataPower as a security gateway

● Tivoli Federated Identity Manager for authentication, authorization, and token negotiation

Demo

Page 21

Scenario 6 - Security Gateway - Details

● Configure the Web Service proxy:
- Specify the WSDL to proxy
- Point the proxy to TFIM
- Specify SAML 1.1 for the request token format
- Add an AAA (Authentication, Authorization and Auditing) Action to the request rule in the proxy Policy
- Add a Filter Action to the request rule
- Add a Sign Action to the response rule
- Add an Encrypt Action to the response rule

(Diagram: the Web Service Proxy, built from the WSDL, runs the request rule's AAA Action (SAML Assertion, handled with the Federated Identity Manager) and Filter Action (SQL-injection filter defined by an XPath expression), then the response rule's Sign Action and Encrypt Action, both using a Key and Certificate.)

Page 22

Resources

http://ibm.com/developer (IBM developerWorks for technologies and/or products)

Java, J2EE, Web Services and other technology zones are on the left hand side
WebSphere Zone: http://ibm.com/developer/websphere
Rational Zone: http://ibm.com/developer/rational
Free Education Portal: http://ibm.com/developer/training

http://www.redbooks.ibm.com (How-To Step-by-step Practical Implementation Books)

http://SOAWeb20.com (a.k.a. JavaSOA.com, WebSphereCentral.com)

(Tutorials, Links, Presentations, White Papers, Articles, etc.)

Page 23

BACKUP SLIDES and “Governance at Runtime PoT” Scenario Details

Page 24

IBM Architectural Pattern for SOA

(Diagram of the pattern's components: Business Partner System; User Access (browser, rich client, PDA etc.); Internet; Protocol Firewall; Proxy; Domain Firewall; Security Gateway; Portal Services; Web Application Services; Process Services; Existing Application Services; Data Server, Data Services; Enterprise Information Systems; ESB; Federated Identity Manager; Services Manager; Services Registry and Repository.)

Note: not every relationship is shown.

Page 25

Major Components for SOA Governance at Runtime

(Same architecture diagram as on page 24, highlighting the runtime governance components:)

● Federated Identity Manager

● Services Manager

● Security Gateway

● ESB

● Services Registry and Repository

Note: not every relationship is shown.

Page 26

IBM Products for SOA Governance at Runtime

(Same architecture diagram as on page 24; the runtime governance components map to these products:)

● Federated Identity Manager: Tivoli Federated Identity Manager

● Services Manager: Tivoli Composite Application Manager for SOA

● Services Registry and Repository: WebSphere Service Registry and Repository

● Security Gateway: WebSphere DataPower SOA Appliance

● ESB: WebSphere Enterprise Service Bus, WebSphere DataPower SOA Appliance

Note: not every relationship is shown.

Page 27

Scenario 1 - Analysis of Registered vs. Running Services

Issues

- Deployed services are not consistently governed
- IT organization does not have information on usage of deployed services
- Approved and deployed services have not been used
- No way to visualize what services are running

Policies and Objectives

● All available services should be registered (Registration)

● Audit running services for compliance with service registration (Audit Registration)

● Determine that deployed services actually get used (Usage)

Implementation

● Registry to publish services that have passed a litmus test

● Monitoring solution to determine if and which services are used

● Reporting function to show which services are registered and running, and where

Components: Services Manager, Services Registry and Repository

● WSRR to register and store metadata for services

● ITCAM for SOA to monitor the runtime environment; TEP to display information from the registry and monitor

Metric: % of rogue services allowed in the system
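The registry-vs-running comparison behind this scenario and its metric, as an added example; it is not code from WSRR or ITCAM for SOA, and the registry entries, endpoint URLs and monitor observations are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample registry: service name -> approved endpoints (as a registry
# entry would record them once the WSDL passed the litmus test). Names and URLs
# are invented for this example.
REGISTERED = {
    "CurrencyConversion": {"http://esb.example.internal/currency/v1"},
    "CreditVerification": {"http://esb.example.internal/credit/v1",
                           "http://esb.example.internal/credit/v2"},
    "ViewProfiles": {"http://portal.example.internal/profiles"},
}

# Constructed sample monitor observations: (service, endpoint, invocations seen)
# as a runtime monitor such as ITCAM for SOA would report them.
OBSERVED = [
    ("CurrencyConversion", "http://esb.example.internal/currency/v1", 1200),
    ("CreditVerification", "http://esb.example.internal/credit/v1", 340),
    ("CreditVerification", "http://app7.example.internal/credit-old", 15),  # endpoint not registered
    ("PriceLookup", "http://app9.example.internal/price", 88),             # service not registered
]


@dataclass
class Reconciliation:
    compliant: set = field(default_factory=set)  # registered and running
    rogue: set = field(default_factory=set)      # running but not registered
    unused: set = field(default_factory=set)     # registered but never observed


def reconcile(registered, observed):
    """Compare what the registry approved with what the monitor saw running."""
    result = Reconciliation()
    seen = set()
    for service, endpoint, _invocations in observed:
        key = (service, endpoint)
        seen.add(key)
        if endpoint in registered.get(service, set()):
            result.compliant.add(key)
        else:
            result.rogue.add(key)
    for service, endpoints in registered.items():
        for endpoint in endpoints:
            if (service, endpoint) not in seen:
                result.unused.add((service, endpoint))
    return result


def rogue_percentage(result):
    """The deck's metric: share of running (service, endpoint) pairs that are rogue."""
    running = len(result.compliant) + len(result.rogue)
    return 0.0 if running == 0 else 100.0 * len(result.rogue) / running


def violates_policy(result, allowed_rogue_percent):
    """True when the observed rogue share exceeds what governance allows."""
    return rogue_percentage(result) > allowed_rogue_percent


if __name__ == "__main__":
    r = reconcile(REGISTERED, OBSERVED)
    for label, items in (("compliant", r.compliant), ("rogue", r.rogue), ("unused", r.unused)):
        print(label, sorted(items))
    print("rogue %:", rogue_percentage(r))
```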

Page 28

Scenario 1 - Configuration

● Register service: the WSDL document is added to the registry/repository (Services Registry and Repository)

● Reconcile service information

Page 29

Scenario 2 - Dynamic Endpoint Resolution based on QoS

Issues

- Poor performance of service endpoints; SLAs not respected
- Production disruption when adding and removing service endpoints

Policies and Objectives

● Service endpoints that do not meet a response time goal should be marked as unavailable

● Only service endpoints marked as available should be used during production

● Endpoints should be selected based on runtime properties without manual intervention

Implementation

● Service repository needed to store and manipulate service metadata

● Dynamic method to change service metadata

● Monitoring solution to track endpoint performance

● ESB to dynamically route requests to appropriate service endpoints

Components: Services Manager, Services Registry and Repository, ESB

● WSRR to store metadata and allow creation and change of custom properties

● ITCAM for SOA to monitor service endpoint response time and availability

● WESB for dynamic request routing

Metric: service endpoint average response time

Page 30

Scenario 2 - Configuration

(Diagram: message flow between WebSphere ESB and WebSphere Service Registry and Repository, whose functions are Publish, Find, Enrich, Govern and Manage.)

1. A message is received by the WebSphere ESB mediation
2. The mediation invokes a selection mediation
3. The selection mediation loads service metadata from WebSphere Service Registry and Repository
4. It executes a matching algorithm to identify the provider service for the requestor service
5. The message is routed to the selected endpoint

In parallel, the monitor measures each endpoint's response time and updates the service properties in the registry.

Page 31

Scenario 2 - Configuration

● WSDL parsed into logical components, e.g. ports

● Ports have properties

● Availability property determines if endpoint is selected to serve request

(Diagram: a “Service v1.0” concept in the registry relates to the WSDL XML document; its ports Port1, Port2 and Port3 each carry properties, and the port whose availability property is set is the available Endpoint.)
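An added example (not code from the PoT or from WESB, WSRR or ITCAM for SOA) of the mechanism on pages 29 to 31: a monitor flags ports whose average response time misses the goal as unavailable, and the selection step routes only to ports still marked available. The port names, URLs, response-time goal and samples are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean

RESPONSE_TIME_GOAL_MS = 500.0  # constructed goal; the deck does not state a value


@dataclass
class Port:
    """A WSDL port as the registry holds it: an endpoint plus custom properties."""
    name: str
    endpoint: str
    properties: dict = field(default_factory=lambda: {"availability": "available"})


def update_availability(ports, samples, goal_ms=RESPONSE_TIME_GOAL_MS):
    """Monitor step: flag ports whose average response time in this interval
    exceeds the goal as 'unavailable', and restore ports back within the goal.
    `samples` maps port name -> list of observed response times in ms.
    Returns the names of ports whose property changed."""
    changed = []
    for port in ports:
        times = samples.get(port.name)
        if not times:
            continue  # no observations this interval: leave the property alone
        wanted = "unavailable" if mean(times) > goal_ms else "available"
        if port.properties.get("availability") != wanted:
            port.properties["availability"] = wanted
            changed.append(port.name)
    return changed


def select_endpoint(ports):
    """Selection mediation: the first port, in registry order, whose availability
    property is 'available'. None means no endpoint may serve the request; the
    mediation should fail the message rather than send it to a flagged endpoint."""
    for port in ports:
        if port.properties.get("availability") == "available":
            return port.endpoint
    return None


def route_interval(ports, samples):
    """One monitoring interval followed by one routing decision."""
    changed = update_availability(ports, samples)
    return changed, select_endpoint(ports)


def demo_ports():
    """Constructed sample: three ports of one service version, as on the slide."""
    return [Port("Port1", "http://svc-a.example.internal/currency"),
            Port("Port2", "http://svc-b.example.internal/currency"),
            Port("Port3", "http://svc-c.example.internal/currency")]


if __name__ == "__main__":
    ports = demo_ports()
    # Interval 1: Port1 is slow, so traffic moves to Port2 without anyone intervening.
    print(route_interval(ports, {"Port1": [900, 1100], "Port2": [120, 200], "Port3": [300]}))
    # Interval 2: Port1 recovers and is used again.
    print(route_interval(ports, {"Port1": [200, 250]}))
```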

Page 32

Scenario 2 - Configuration

● ESB Mediation Module

Page 33

Scenario 3 - Dynamic Endpoint Resolution based on Content and Subscription

Issues

- No automatic selection of service providers based on rules
- Production disruption when changing service versions

Policies and Objectives

● Service provider (credit verification) should be automatically selected based on the account limit

● Endpoints should be automatically selected based on specified version

Implementation

● Service Registry to store service template

● ESB with ability to make decisions based on message content

● ESB to make routing decisions based on information obtained from subscription to service registry

Components: Services Registry and Repository, ESB

● WSRR to store service metadata

● DataPower to parse message content and route requests accordingly

● DataPower to automatically resolve endpoints for changing versions of services registered in WSRR

Metric: time needed to change version for service in production

Page 34

Scenario 3 - Configuration

Part 1

● Configure Web Service Proxy:
- Specify the WSDL to proxy
- Add a Route Action to the request rule in the proxy Policy, specifying two XPath expressions for the Route Action:
  accountLimit < 10000 routes to endpoint 1
  accountLimit >= 10000 routes to endpoint 2

Part 2

● Configure WSRR: load a WSDL, create a concept and relate the two

● Configure Web Service Proxy: subscribe to the concept (the Web Service Proxy holds a subscription to the concept in the Services Registry and Repository)
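The Part 1 Route Action as an added example (not DataPower configuration or code): the same accountLimit decision implemented over a parsed SOAP body, with missing, non-numeric or negative limits rejected instead of falling through to a default endpoint. The message namespace and the two endpoint URLs are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CREDIT_NS = "urn:example:credit"  # constructed namespace for the credit request
NS = {"soap": SOAP_NS, "c": CREDIT_NS}

# The two endpoints the slide's Route Action chooses between (URLs constructed).
ENDPOINT_1 = "http://credit-standard.example.internal/verify"
ENDPOINT_2 = "http://credit-premium.example.internal/verify"
LIMIT_THRESHOLD = 10000


def extract_account_limit(soap_xml):
    """Return accountLimit as an int, or None if the message is malformed or the
    element is absent or not numeric."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return None
    node = root.find("soap:Body/c:verifyCreditRequest/c:accountLimit", NS)
    if node is None or node.text is None:
        return None
    try:
        return int(node.text.strip())
    except ValueError:
        return None


def route(soap_xml):
    """Content-based routing: the decision of the slide's two XPath expressions
    (accountLimit < 10000 -> endpoint 1, accountLimit >= 10000 -> endpoint 2).
    A request whose limit is missing, non-numeric or negative matches neither
    rule and is rejected (None) rather than forwarded anywhere."""
    limit = extract_account_limit(soap_xml)
    if limit is None or limit < 0:
        return None
    return ENDPOINT_1 if limit < LIMIT_THRESHOLD else ENDPOINT_2


def make_request(account_limit):
    """Constructed sample credit verification request."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<c:verifyCreditRequest xmlns:c="{CREDIT_NS}">'
        f'<c:accountLimit>{account_limit}</c:accountLimit>'
        f'</c:verifyCreditRequest></soap:Body></soap:Envelope>'
    )


if __name__ == "__main__":
    for limit in (9999, 10000, "ten thousand"):
        print(limit, "->", route(make_request(limit)))
```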

Page 35

Scenario 4 - Federated Identity Management and Credential Propagation

Issues

- Multiple Authentication and Authorization systems to give partners access to JK portal

Policies and Objectives

● Agencies can sign in and be authenticated once to gain access to resources in JK

● Only Agency managers are allowed to run View Profiles application

● Agency managers can only view information about employees in their own agencies

Implementation

● Federated identity solution to map identities between different authentication and authorization systems

● Single sign-on

Components: Federated Identity Manager

● TFIM used as the Identity Provider (Agency)

● TFIM used as the Service Provider (JKE)

Metric: # of unauthorized entries

Page 36

Scenario 4 - Example

SAML assertions are often used for cross-domain web services

Page 37

Anatomy of an Assertion

(Diagram: an HTTP request carries a SOAP Message; inside its SOAP Header, the wsse:Security element holds the SAML Assertion, next to the SOAP Body.)

The SAML Assertion consists of:

● Issuer

● Signature

● Subject

● Conditions

● Statement(s): Authentication Statement, Authorization Decision Statement, Attribute Statement
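An added example (not TFIM or DataPower code) of the checks an AAA step applies to the assertion parts listed above, followed by the scenario 4 policy from page 35 applied to the extracted attributes. The namespaces are the SAML 1.1 and WS-Security ones; the issuer, subject, attribute names and timestamps are constructed, and cryptographic verification of the signature is assumed to be done by the gateway, so only its presence is checked here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.1 keeps the 1.0 namespace
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRUSTED_ISSUERS = {"https://idp.agency.example"}  # constructed identity provider


def parse_utc(stamp):
    """SAML timestamps are UTC, e.g. 2009-06-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(soap_xml, now, trusted_issuers=TRUSTED_ISSUERS):
    """Structural checks before the token is trusted. Returns (accepted, reason, claims).
    Verifying ds:Signature cryptographically is assumed to be the gateway's job
    (TFIM in the deck) and is not implemented here; only its presence is checked."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return False, "malformed SOAP message", {}
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in wsse:Security header", {}
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "1"):
        return False, "unexpected SAML version", {}
    if assertion.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", {}
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "no validity window in Conditions", {}
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", {}
    # In SAML 1.1 the Subject lives inside each statement, not directly under Assertion.
    name = assertion.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        return False, "no authenticated Subject", {}
    claims = {"subject": name.text.strip(), "attributes": {}}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims["attributes"][attr.get("AttributeName")] = values
    return True, "ok", claims


def may_view_profiles(claims, requested_agency):
    """Scenario 4 policy: only agency managers run View Profiles, and only for
    their own agency. The attribute names 'role' and 'agency' are constructed."""
    attrs = claims.get("attributes", {})
    return "manager" in attrs.get("role", []) and requested_agency in attrs.get("agency", [])


def make_message(issuer, not_before, not_on_or_after, subject, role, agency, signed=True):
    """Constructed sample: a SOAP request carrying a SAML 1.1 assertion in wsse:Security."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><!-- XML-DSig omitted in this sample --></ds:Signature>'
           if signed else "")
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}">
<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="{issuer}" IssueInstant="{not_before}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  {sig}
  <saml:AuthenticationStatement AuthenticationInstant="{not_before}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example">
      <saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="agency" AttributeNamespace="urn:example">
      <saml:AttributeValue>{agency}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
```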

Page 38

Scenario 5 - Service Level Management

Issues

- Poor performance of service endpoints; SLAs not respected

Policies and Objectives

● Limit service requests so system performance does not exceed SLA threshold

Implementation

● SLM solution to enforce throughput thresholds and prevent requests from overwhelming services

Components: Services Manager, ESB

● ITCAM for SOA as an Enterprise Level Management solution

● DataPower as a Service Level Management solution

Metric: throughput level and # discarded requests

Page 39

Scenario 5 - Configuration

● Configure the Web Service proxy:
- Specify the WSDL to proxy
- Specify a request limit for the requestCreditReport operation
- Select notify or throttle for the action to be taken when the condition is met

(Diagram: the Web Service Proxy, built from the WSDL, carries an SLM statement with request limit = 2 and request interval = 1; requests are notified or discarded when the throughput exceeds 2 messages per second.)
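The SLM statement on this slide as an added example (not DataPower's implementation): a request limit of 2 per 1-second interval for one operation, with the notify and throttle actions and the deck's two metrics (throughput and discarded requests). A sliding window is assumed, since the slide does not describe the appliance's window semantics; the operation name is the slide's, the timestamps are constructed.

```python
from collections import deque


class ServiceLevelMonitor:
    """Sliding-window request limit for one operation: `limit` forwarded requests
    per `interval_s` seconds. Action 'notify' records a notification and forwards
    the request anyway; action 'throttle' discards requests over the limit."""

    def __init__(self, operation="requestCreditReport", limit=2, interval_s=1.0, action="throttle"):
        if action not in ("notify", "throttle"):
            raise ValueError("action must be 'notify' or 'throttle'")
        self.operation, self.limit, self.interval, self.action = operation, limit, interval_s, action
        self.window = deque()     # timestamps of forwarded requests still inside the window
        self.notifications = []   # (timestamp, operation) records produced by the notify action
        self.discarded = 0        # the deck's metric: # discarded requests

    def handle(self, ts):
        """Decide one request arriving at time `ts` (seconds)."""
        while self.window and ts - self.window[0] >= self.interval:
            self.window.popleft()  # requests older than one interval no longer count
        if len(self.window) < self.limit:
            self.window.append(ts)
            return "forwarded"
        if self.action == "notify":
            self.notifications.append((ts, self.operation))
            self.window.append(ts)  # still forwarded, so it still counts toward throughput
            return "forwarded+notified"
        self.discarded += 1
        return "discarded"

    def throughput(self, ts):
        """Forwarded requests in the interval ending at `ts` (the deck's other metric)."""
        return sum(1 for t in self.window if ts - t < self.interval)


def run(timestamps, action="throttle"):
    """Feed a constructed burst of arrival times through one monitor."""
    slm = ServiceLevelMonitor(action=action)
    decisions = [slm.handle(t) for t in timestamps]
    return decisions, slm


if __name__ == "__main__":
    burst = [0.0, 0.2, 0.5, 1.0, 1.1, 1.3, 2.5]  # constructed arrival times in seconds
    for action in ("throttle", "notify"):
        decisions, slm = run(burst, action)
        print(action, decisions, "discarded:", slm.discarded, "notified:", len(slm.notifications))
```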

Page 40

Scenario 6 - Security Gateway

Issues

- Security threats from external access

Policies and Objectives

● Call center requests for customer information need to be authenticated, authorized and audited

● Requests should be inspected for denial-of-service attacks and SQL injection before entry into JK system

● Responses should ensure message integrity, confidentiality and non-repudiation

Implementation

● Security gateway to enforce security policies at runtime in the DMZ

● Integration with federated identity management solution for federated identification, authentication, authorization, and token negotiation

● Solution for XML threat protection, including but not limited to DOS and SQL injection attacks

● Solution to ensure response integrity, confidentiality and non-repudiation

Components: Federated Identity Manager, Security Gateway

● TFIM for federated identification, authentication, authorization, and token negotiation

● DataPower as a security gateway

Metric: # of security violations

Page 41

Scenario 6 - Configuration

(Backup slide: the same Web Service proxy configuration steps and diagram as shown on page 21.)

Page 42

Resources

http://ibm.com/developer (IBM developerWorks for technologies and/or products)

Java, J2EE, Web Services and other technology zones are on the left hand side
WebSphere Zone: http://ibm.com/developer/websphere
Rational Zone: http://ibm.com/developer/rational
Free Education Portal: http://ibm.com/developer/training

http://www.redbooks.ibm.com (How-To Step-by-step Practical Implementation Books)

http://RationalCentral.com (a.k.a. JavaSOA.com, SOAWeb20.com, WebSphereCentral.com)

(Tutorials, Links, Presentations, White Papers, Articles, etc.)