software group soa governance runtime tools in action based on the ibm soa governance at runtime pot...
Post on 26-Mar-2015
Software Group
SOA Governance Runtime Tools In Action
based on the “IBM SOA Governance at Runtime PoT” (PoT = Proof of Technology – a free IBM hands-on workshop)
Bill.Hahn@us.ibm.com
Sr. Consulting Developer/Architect
IBM Certified SW IT Specialist, WebSphere Integration Solution Architect
SOA, Web2.0, Social Software & Development Tools Evangelist
Go to http://JavaSOA.com for presentations, demos, tutorials and other resources
Download the demo files and place them in the same directory as the presentation, then use the gold demo buttons at the top of the slides while in slideshow mode:
ftp://ftp.software.ibm.com/software/websphere/JavaDevTools/Demos/IBMSW/Governance/Big6-Gov-at-Runtime-Scenarios/
(Big6-Scenario1.avi through Big6-Scenario6.avi)
Agenda
What is SOA Governance and the “Governance at Runtime PoT”?
SOA Governance at Runtime Scenarios
1. Analysis of Running Services
2. Dynamic Selection: Quality of Service
3. Dynamic Selection: Message Content or Version
4. Federated Identity Management & Credential Propagation
5. Service Level Management
6. Security Gateway
Wrap-up
What do Non-IT Business Stakeholders hear?
A scenario on the importance of SOA governance (Steps 1 to 6)*
[Figure, built up over six slides: a currency conversion service owned by the Accounting department and used by its App. 1 and App. 2; over the steps, Order fulfillment, Sales, Purchasing and Legal connect to the same service, and x marks appear on the connections as quality suffers]
1. Provide a currency service that fills a specific line of business (LOB)
2. Other LOBs start using the service
3. LOBs increase use of services / quality suffers
4. Service is fixed at provider’s expense
5. Fix works temporarily but problem reappears
6. Maintenance costs soar / provider ends service
* Scenario from Introduction to SOA Governance, Bobby Woolf.
What do Business AND IT Stakeholders need to make SOA Work Well?
SOA Governance Implementation Patterns ©
SGIP© - SOA Governance Implementation Pattern
[Figure: a matrix of governance aspects; columns Strategy / Tactics / Operation; rows Strategy & Ownership, Organization & Planning, SOA Project Management, Service Modeling, Service Creation & Unit Testing, Service Integration & Deployment, Service Operations & Management, Security Management]
Governance aspects in the matrix:
- SOA Service Certification
- Services Build Process
- Validation, Design Review & Code Walkthroughs
- Functional & Non-Functional Requirement Compliance Testing
- SOA Development Tools & Training
- Regulatory Compliance
- Additional Roles & Responsibilities for SOA
- Services Registry
- Continuous Process & Organization Improvement
- Project Alignment with Business & IS Goals
- Requirements Gathering & Prioritization
- SLA Definition
- SLA Compliance Monitoring
- Infrastructure Platform Components & Release Cycle
- Capacity Planning
- Business Value & Reuse Validation
- SOA Business Case
- Services Ownership & Funding
- Requirements of Internal/External Service Consumers
- SOA Vendor Selection & Management
- Reuse vs. Build vs. Buy Services Decisions
- Project Planning & Estimating
- Project Execution & Monitoring
- SOA Development Approach
- IS/IT & Business Alignment
- SOA Education
- Validation Processes & Methodology
- End-to-End Service Production Process Monitoring
- Services Selection & Prioritization
- Services Granularity, Visibility & Accessibility
- Enterprise Business Data Models
- Design Reviews & Deployment Options
- Services Design Process
- Services Assembly & Orchestration
- Services Deployment Options
- Configuration/Build Management
- Services Registry & Version Management
- Services Architectural Options
- “Expose as Service” vs. “keep as Application” Decisions
- Acceptance
- Services Portfolio
- Approvals
- Services Security Design
- Enterprise Business Process Models
- Project Business Case
Callouts on this slide:
- Define an optimal model for service ownership and funding that encourages reuse
- Justify the overall migration to SOA
- Measure the benefits of SOA
- Validate accuracy and completeness of the aspects of the Enterprise Data Model that relate to SOA
- Model the AS-IS and TO-BE business processes, optimize/re-engineer… include simulation and rich business case development.
SOA Governance Implementation Patterns ©
SGIP© - SOA Governance Implementation Pattern ©
[Figure: the same SGIP matrix as the previous slide, with callouts on the aspects that matter at runtime]
Callouts on this slide:
- Enforce the correct execution metrics for every service invocation
- Services correctly implement security decisions for authentication, authorization, auditing, transport security, threat protection
- Validate that services are configured to use the infrastructure most effectively
- Validate the quality and accuracy of the contents in the service registry, and ensure version management is carried out effectively
Examples of Governance Aspects Implementations
[Table with columns Governance Aspect, Mechanism, Strategy, Lab; the row alignment did not survive extraction, so each column is listed separately]
Governance Aspect:
- Validate the quality and accuracy of the contents in the service registry; version management is carried out effectively
- Enforce the correct execution metrics for every service invocation
- Validate that services are configured to use the infrastructure most effectively
- Services correctly implement security decisions for authentication, authorization, auditing, transport security, threat protection
Mechanism (Lab):
- Reconcile registered vs. running services (1)
- Dynamic Endpoint Resolution based on QoS (2)
- Dynamic Endpoint Resolution based on message content and synchronization (3)
- Federated identity management with credential propagation (4)
- Service Level Management (5)
- Security Gateway (6)
Strategy:
- SLA Compliance Monitoring
- Deployment Options
- Services Registry & Version Management
- Security Management
Scenario 1 - Analysis of Running Services
How Do I …
● Understand where services are and what they do?
● Visualize which services are running and used?
● Ensure approved and deployed services are used?
Solution
● Register all available services that have passed established guidelines
● Audit running services for compliance with service registration
● Monitor and report which services are running and where
Components: Services Manager; Services Registry and Repository
- WSRR to register and store metadata for services
- ITCAM for SOA to monitor the runtime environment; TEP to display information from the registry and the monitor
Demo
Scenario 2 - Dynamic Selection: Quality of Service
How Do I …
● Determine which services are meeting response time goals?
● Only use the services that meet goals, without manual selection?
● Add and remove services from production without disruption?
Solution
● Monitor and report endpoint performance and availability
● ‘Flag’ services not meeting the response time goal as ‘unavailable’
● Route requests to ‘available’ service endpoints -- no manual intervention
Components: Services Registry and Repository; Services Manager; ESB
- WSRR to store metadata and allow creation and change of custom properties
- ITCAM for SOA to monitor service endpoint response time and availability
- WESB for dynamic request routing
Demo
Scenario 3 - Dynamic Selection: Message Content or Version
How Do I …
● Automatically select a service based on business rules, such as a ‘credit verification’ service chosen by account limit?
● Ensure that there is no production disruption when changing service versions?
Solution
● Route to services based on information in the message
● Resolve endpoints when changing service versions
Components: ESB; Services Registry and Repository
- WSRR to store service metadata
- DataPower to parse message content and route requests accordingly
- DataPower to automatically resolve endpoints for changing versions of services registered in WSRR
Demo
Scenario 4 - Federated Identity Mgmt & Credential Propagation
How Do I …
● Allow customers, partners, agencies and suppliers access to internal information – only the information specific to them?
● Provide single sign-on despite multiple authentication and authorization systems?
Solution
● Map identities between different authentication and authorization systems, providing single sign-on
● Let users view only information relative to their own agency
● Provide secure application interaction via web services
Components: Federated Identity Manager (on each side of the federation)
- Tivoli Federated Identity Manager used to map identities between different systems with single sign-on
Demo
Scenario 5 - Service Level Management
How Do I …
● Determine if requests are overwhelming services and causing poor performance?
● Create a ‘governor’ that enforces the volume limits for services?
Solution
● Monitor service throughput
● Enforce throughput thresholds and prevent requests from overwhelming services
Components: Services Manager; ESB
- ITCAM for SOA as the enterprise-level management solution
- DataPower as the Service Level Management solution
Demo
Scenario 6 - Security Gateway
How Do I …
● Prevent security threats from external access?
● Authenticate, authorize, and audit call center requests for customer information?
Solution
● Enforce security policies at runtime
● Inspect requests for denial-of-service attacks and SQL injection
● Ensure response integrity, confidentiality and non-repudiation
Components: Security Gateway; Services Manager
- DataPower as a security gateway
- Tivoli Federated Identity Manager for authentication, authorization, and token negotiation
Demo
Scenario 6 - Security Gateway - Details
● Configure the Web Service proxy
- Specify the WSDL to proxy
- Point the proxy to TFIM
- Specify SAML 1.1 for the request token format
- Add an AAA (Authentication, Authorization and Auditing) Action to the request rule in the proxy Policy
- Add a Filter Action to the request rule
- Add a Sign Action to the response rule
- Add an Encrypt Action to the response rule
[Figure: Web Service Proxy built from the WSDL; the AAA Action exchanges a SAML Assertion with the Federated Identity Manager; the Filter Action carries a SQL-injection filter and an XPath expression; the Sign Action and Encrypt Action use a key and certificate]
Resources
http://ibm.com/developer (IBM developerWorks for technologies and/or products)
Java, J2EE, Web Services and other technology zones are on the left-hand side
WebSphere Zone: http://ibm.com/developer/websphere
Rational Zone: http://ibm.com/developer/rational
Free Education Portal: http://ibm.com/developer/training
http://www.redbooks.ibm.com (How-To Step-by-step Practical Implementation Books)
http://SOAWeb20.com (a.k.a. JavaSOA.com, WebSphereCentral.com)
(Tutorials, Links, Presentations, White Papers, Articles, etc.)
BACKUP SLIDES and “Governance at Runtime PoT” Scenario Details
IBM Architectural Pattern for SOA
[Figure labels: Business Partner System; User Access (browser, rich client, PDA etc.); Internet; Protocol Firewall; Proxy; Security Gateway; Domain Firewall; ESB; Portal Services; Process Services; Web Application Services; Existing Application Services; Data Server, Data Services; Enterprise Information Systems; Federated Identity Manager; Services Manager; Services Registry and Repository]
Note: not every relationship is shown.
Major Components for SOA Governance at Runtime
[Figure: the same architectural pattern, highlighting Federated Identity Manager, Services Manager, Security Gateway, ESB and Services Registry and Repository]
Note: not every relationship is shown.
IBM Products for SOA Governance at Runtime
[Figure: the same architectural pattern, with the highlighted components mapped to products]
- Security Gateway: WebSphere DataPower SOA Appliance
- Services Manager: Tivoli Composite Application Manager for SOA
- ESB: WebSphere Enterprise Service Bus; WebSphere DataPower SOA Appliance
- Federated Identity Manager: Tivoli Federated Identity Manager
- Services Registry and Repository: WebSphere Service Registry and Repository
Note: not every relationship is shown.
Scenario 1 - Analysis of Registered vs. Running Services
Policies and Objectives
● All available services should be registered (Registration)
● Audit running services for compliance with service registration (Audit Registration)
● Determine that deployed services actually get used (Usage)
Implementation
● Registry to publish services that have passed a litmus test
● Monitoring solution to determine if and which services are used
● Reporting function to show which services are registered and running, and where
Issues
- Deployed services are not consistently governed
- IT organization does not have information on usage of deployed services
- Approved and deployed services have not been used
- No way to visualize what services are running
Metric: % of rogue services allowed in the system
Products: Services Manager; Services Registry and Repository
- WSRR to register and store metadata for services
- ITCAM for SOA to monitor the runtime environment; TEP to display information from the registry and the monitor
Scenario 1 - Configuration
● Register service: the WSDL document is added to the registry/repository
● Reconcile service information
[Figure: WSDL → Services Registry and Repository]
Scenario 2 - Dynamic Endpoint Resolution based on QoS
Policies and Objectives
● Service endpoints that do not meet a response time goal should be marked as unavailable
● Only service endpoints marked as available should be used during production
● Endpoints should be selected based on runtime properties without manual intervention
Implementation
● Service repository needed to store and manipulate service metadata
● Dynamic method to change service metadata
● Monitoring solution to track endpoint performance
● ESB to dynamically route requests to appropriate service endpoints
Issues
- Poor performance of service endpoints; SLAs not respected
- Production disruption when adding and removing service endpoints
Metric: service endpoint average response time
Products: Services Manager; Services Registry and Repository; ESB
- WSRR to store metadata and allow creation and change of custom properties
- ITCAM for SOA to monitor service endpoint response time and availability
- WESB for dynamic request routing
Scenario 2 - Configuration
[Figure: message flow between WebSphere ESB and WebSphere Service Registry and Repository (Publish, Find, Enrich, Govern, Manage)]
1. A message is received by WebSphere ESB
2. The WebSphere ESB mediation invokes a selection mediation
3. The selection mediation loads the service metadata from the registry
4. It executes the matching algorithm to identify the provider service for the requestor service
5. The message is routed to the selected endpoint
In parallel, the monitor measures response time and updates the service properties in the registry.
Scenario 2 - Configuration
● WSDL parsed into logical components, e.g. ports
● Ports have properties
● The availability property determines if an endpoint is selected to serve a request
[Figure labels: WSDL (XML Document) for Service v1.0; Port1, Port2, Port3, each with properties; concept; available Endpoint]
Scenario 2 - Configuration
● ESB Mediation Module
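The Scenario 2 loop (the monitor flags endpoints that miss the response-time goal as unavailable in the registry; the mediation routes only to endpoints whose availability property is set) as an added worked example in Python. This is not code from the deck or from WSRR, ITCAM for SOA or WESB: the Registry, ResponseTimeMonitor and SelectionMediation classes are constructed stand-ins for those products, and the service name, endpoint addresses, 500 ms goal and response-time samples are constructed for illustration.

```python
"""Scenario 2 model: QoS-based endpoint selection (added example, not product code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class Port:
    """One WSDL port: an endpoint address plus the registry's custom properties."""
    name: str
    address: str
    properties: Dict[str, object] = field(default_factory=dict)


class Registry:
    """Stand-in for the service registry (WSRR in the deck): ports and their properties."""

    def __init__(self, service: str, ports: List[Port]) -> None:
        self.service = service
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        for p in ports:                       # every port starts out available
            p.properties.setdefault("available", True)

    def set_property(self, port: str, key: str, value: object) -> None:
        self.ports[port].properties[key] = value

    def available_ports(self) -> List[Port]:
        return [p for p in self.ports.values() if p.properties.get("available")]


class ResponseTimeMonitor:
    """Stand-in for the monitor (ITCAM for SOA in the deck): keeps the last
    `window` response times per endpoint and flips its 'available' property
    whenever the moving average crosses the response-time goal."""

    def __init__(self, registry: Registry, goal_ms: float, window: int = 5) -> None:
        self.registry = registry
        self.goal_ms = goal_ms
        self.samples: Dict[str, Deque[float]] = {
            name: deque(maxlen=window) for name in registry.ports
        }

    def record(self, port: str, response_ms: float) -> bool:
        """Record one observation and return the endpoint's resulting availability."""
        window = self.samples[port]
        window.append(response_ms)
        avg = sum(window) / len(window)
        available = avg <= self.goal_ms
        self.registry.set_property(port, "avg_response_ms", round(avg, 1))
        self.registry.set_property(port, "available", available)
        return available


class SelectionMediation:
    """Stand-in for the ESB mediation (WESB in the deck): on each request it
    re-reads the registry and picks an available endpoint round-robin, so
    endpoints can be flagged or unflagged without touching the mediation."""

    def __init__(self, registry: Registry) -> None:
        self.registry = registry
        self._counter = 0

    def select(self) -> Optional[str]:
        candidates = self.registry.available_ports()
        if not candidates:
            return None                       # nothing healthy: fail the request upstream
        port = candidates[self._counter % len(candidates)]
        self._counter += 1
        return port.address


def run_demo() -> List[Optional[str]]:
    """Constructed walk-through: Port2 degrades, traffic avoids it, then it recovers."""
    registry = Registry("CreditVerification v1.0", [
        Port("Port1", "http://host-a.example/credit"),
        Port("Port2", "http://host-b.example/credit"),
        Port("Port3", "http://host-c.example/credit"),
    ])
    monitor = ResponseTimeMonitor(registry, goal_ms=500, window=3)
    mediation = SelectionMediation(registry)
    routed: List[Optional[str]] = []
    for ms in (450, 900, 1200):               # Port2 slows down past the 500 ms goal
        monitor.record("Port2", ms)
    routed.append(mediation.select())         # Port1: Port2 is skipped
    routed.append(mediation.select())         # Port3
    for ms in (200, 200, 200):                # Port2 recovers; its window is back under goal
        monitor.record("Port2", ms)
    routed.append(mediation.select())         # counter is 2 of 3 candidates: Port3 again
    return routed


if __name__ == "__main__":
    for hop in run_demo():
        print(hop)
```

The design point this shows is the one the slide makes: the mediation never holds endpoint state of its own. It consults the registry's availability property on every request, so the monitor can take an endpoint out of rotation and put it back purely by changing metadata, without a redeploy or manual routing change.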
Scenario 3 - Dynamic Endpoint Resolution based on Content and Subscription
Policies and Objectives
● Service provider (credit verification) should be automatically selected based on the account limit
● Endpoints should be automatically selected based on the specified version
Implementation
● Service Registry to store the service template
● ESB with the ability to make decisions based on message content
● ESB to make routing decisions based on information obtained from a subscription to the service registry
Issues
- No automatic selection of service providers based on rules
- Production disruption when changing service versions
Metric: time needed to change the version of a service in production
Products: Services Registry and Repository; ESB
- WSRR to store service metadata
- DataPower to parse message content and route requests accordingly
- DataPower to automatically resolve endpoints for changing versions of services registered in WSRR
Scenario 3 - Configuration
Part 1
● Configure Web Service Proxy
- Specify the WSDL to proxy
- Add a Route Action to the request rule in the proxy Policy, specifying two XPath expressions for the Route Action:
  accountLimit < 10000 → endpoint 1
  accountLimit >= 10000 → endpoint 2
Part 2
● Configure WSRR
- Load a WSDL, create a concept and relate the two
● Configure Web Service Proxy
- Subscribe to the concept
[Figure: Web Service Proxy → WSDL; concept subscription from the Web Service Proxy to the Services Registry and Repository]
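Both parts of the Scenario 3 configuration as an added Python example; it is not code from the deck, DataPower or WSRR. Part 1 applies the Route Action's two conditions on accountLimit to a SOAP request; Part 2 models the registry 'concept' subscription, where the proxy resolves its target through the concept on every request so that re-relating the concept to a new WSDL version changes the route without redeploying the proxy. The namespace urn:example:credit, the endpoint URLs, the WSDL ids and the sample requests are constructed.

```python
"""Scenario 3 model: content-based routing and version resolution by subscription
(added example, not code from the deck, DataPower or WSRR)."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:credit"          # assumed namespace of the request body
NS = {"soap": SOAP_NS, "c": APP_NS}

# Part 1: the Route Action's two conditions on accountLimit and their targets.
# The endpoint URLs are constructed placeholders.
ROUTE_TABLE: List[Tuple[Callable[[float], bool], str]] = [
    (lambda limit: limit < 10000, "http://endpoint-1.example/credit"),
    (lambda limit: limit >= 10000, "http://endpoint-2.example/credit"),
]


def extract_account_limit(soap_xml: bytes) -> Optional[float]:
    """Read //soap:Body//c:accountLimit as a number; None if absent or not numeric."""
    # A production gateway parses untrusted XML with DTD and entity expansion
    # disabled; the stdlib parser is used here to keep the example self-contained.
    body = ET.fromstring(soap_xml).find("soap:Body", NS)
    if body is None:
        return None
    text = body.findtext(".//c:accountLimit", namespaces=NS)
    if text is None:
        return None
    try:
        return float(text.strip())
    except ValueError:
        return None


def route_by_content(soap_xml: bytes) -> Optional[str]:
    """Apply the route conditions in order; None means 'no route' (reject, do not guess)."""
    limit = extract_account_limit(soap_xml)
    if limit is None:
        return None
    for condition, endpoint in ROUTE_TABLE:
        if condition(limit):
            return endpoint
    return None


# Part 2: a registry concept that points at the WSDL version currently in production.
class Registry:
    """Stand-in for WSRR: loaded WSDLs, and concepts related to one of them."""

    def __init__(self) -> None:
        self._wsdl_endpoints: Dict[str, str] = {}   # WSDL id -> service endpoint
        self._concepts: Dict[str, str] = {}         # concept name -> WSDL id

    def load_wsdl(self, wsdl_id: str, endpoint: str) -> None:
        self._wsdl_endpoints[wsdl_id] = endpoint

    def relate(self, concept: str, wsdl_id: str) -> None:
        if wsdl_id not in self._wsdl_endpoints:
            raise KeyError(f"unknown WSDL {wsdl_id!r}")
        self._concepts[concept] = wsdl_id

    def resolve(self, concept: str) -> str:
        return self._wsdl_endpoints[self._concepts[concept]]


class SubscribedProxy:
    """Stand-in for the Web Service Proxy: resolves its target through the
    concept subscription on every request, so re-relating the concept to a
    new WSDL version in the registry changes the route without redeploying."""

    def __init__(self, registry: Registry, concept: str) -> None:
        self.registry = registry
        self.concept = concept

    def endpoint(self) -> str:
        return self.registry.resolve(self.concept)


def make_request(account_limit: str) -> bytes:
    """Constructed sample request carrying one accountLimit value."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<c:requestCreditReport xmlns:c="{APP_NS}">'
        f'<c:accountLimit>{account_limit}</c:accountLimit>'
        f'</c:requestCreditReport></soap:Body></soap:Envelope>'
    ).encode()


if __name__ == "__main__":
    for value in ("2500", "10000", "n/a"):
        print(value, "->", route_by_content(make_request(value)))
    registry = Registry()
    registry.load_wsdl("credit-v1.0", "http://v1.example/credit")
    registry.load_wsdl("credit-v2.0", "http://v2.example/credit")
    registry.relate("CreditVerification", "credit-v1.0")
    proxy = SubscribedProxy(registry, "CreditVerification")
    print(proxy.endpoint())
    registry.relate("CreditVerification", "credit-v2.0")
    print(proxy.endpoint())
```

Note the failure mode in Part 1: a request with a missing or non-numeric accountLimit gets no route at all rather than falling through to one of the endpoints, which is the behaviour you want from a gateway that is making an authorization-adjacent decision on message content.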
Scenario 4 - Federated Identity Management and Credential Propagation
Policies and Objectives
● Agencies can sign in and be authenticated once to gain access to resources in JK
● Only Agency managers are allowed to run the View Profiles application
● Agency managers can only view information about employees in their own agencies
Implementation
● Federated identity solution to map identities between different authentication and authorization systems
● Single sign-on
Issues
- Multiple authentication and authorization systems to give partners access to the JK portal
Metric: # of unauthorized entries
Products: Federated Identity Manager
- TFIM used as the Identity Provider (Agency)
- TFIM used as the Service Provider (JKE)
Scenario 4 - Example
SAML assertions are often used for cross-domain web services
Anatomy of an Assertion
[Figure: HTTP carries a SOAP Message with a SOAP Header and SOAP Body; the SOAP Header holds a wsse:Security element containing the SAML Assertion]
Assertion
- Issuer
- Signature
- Subject
- Conditions
- Statement(s)
  - Authentication Statement
  - Authorization Decision Statement
  - Attribute Statement
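An added Python example that walks the structure on the slide (SOAP Header > wsse:Security > Assertion with Issuer, Signature, Subject, Conditions and Statements) and applies the structural checks a gateway's AAA step makes before it trusts the token: a known issuer, a Signature present, a Subject present, Conditions valid at the current time, and at least one statement. It also serves the Scenario 6 AAA Action, which consumes the same kind of token. It is not code from the deck, TFIM or DataPower. The element layout and namespaces follow SAML 2.0 (Issuer and Subject as child elements, as drawn on the slide); the trusted issuer, the timestamps, the 'current time' and the sample message are constructed. Cryptographic verification of the XML-DSig is out of scope and is marked as a hook.

```python
"""Assertion anatomy check (added example, not code from the deck, TFIM or DataPower)."""
from datetime import datetime, timezone
from typing import List, Set
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The three statement kinds named on the slide, as SAML 2.0 element names.
STATEMENTS = ("AuthnStatement", "AuthzDecisionStatement", "AttributeStatement")
DEMO_NOW = datetime(2015, 3, 26, 10, 2, tzinfo=timezone.utc)   # constructed 'current time'


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(soap_xml: bytes, trusted_issuers: Set[str], now: datetime) -> List[str]:
    """Walk SOAP Header > wsse:Security > Assertion and return the findings.
    An empty list means every structural check passed."""
    findings: List[str] = []
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return ["no SAML assertion in wsse:Security header"]

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        findings.append(f"untrusted or missing issuer: {issuer!r}")

    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    # Hook: a real AAA step verifies the XML-DSig against the issuer's certificate here.

    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("no Subject/NameID")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("no Conditions: validity window unknown")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            findings.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            findings.append("assertion expired")

    if all(assertion.find(f"saml:{s}", NS) is None for s in STATEMENTS):
        findings.append("no authentication, authorization decision or attribute statement")
    return findings


def sample_message(issuer: str, signed: bool, not_on_or_after: str) -> bytes:
    """Constructed sample: a SOAP request whose header carries one assertion."""
    signature = (
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><!-- XML-DSig content elided --></ds:Signature>'
        if signed else ""
    )
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_constructed-1"
                      IssueInstant="2015-03-26T10:00:00Z">
        <saml:Issuer>{issuer}</saml:Issuer>
        {signature}
        <saml:Subject><saml:NameID>manager01@agency.example</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2015-03-26T10:00:00Z" NotOnOrAfter="{not_on_or_after}"/>
        <saml:AuthnStatement AuthnInstant="2015-03-26T09:59:50Z"/>
        <saml:AttributeStatement>
          <saml:Attribute Name="agency"><saml:AttributeValue>Agency-A</saml:AttributeValue></saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>""".encode()


if __name__ == "__main__":
    trusted = {"https://idp.agency.example"}
    print(check_assertion(sample_message("https://idp.agency.example", True, "2015-03-26T10:05:00Z"), trusted, DEMO_NOW))
    print(check_assertion(sample_message("https://rogue.example", False, "2015-03-26T10:01:00Z"), trusted, DEMO_NOW))
```

The agency attribute in the AttributeStatement is what the Scenario 4 policy ("managers can only view information about employees in their own agencies") would key on once the assertion has passed these checks; the checks come first because an attribute from an untrusted or expired assertion is not evidence of anything.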
Scenario 5 - Service Level Management
Policies and Objectives
● Limit service requests so system performance does not exceed the SLA threshold
Implementation
● SLM solution to enforce throughput thresholds and prevent requests from overwhelming services
Issues
- Poor performance of service endpoints; SLAs not respected
Metric: throughput level and # of discarded requests
Products: Services Manager; ESB
- ITCAM for SOA as the enterprise-level management solution
- DataPower as the Service Level Management solution
Scenario 5 - Configuration
● Configure the Web Service proxy
- Specify the WSDL to proxy
- Specify a request limit for the requestCreditReport operation
- Select notify or throttle for the action to be taken when the condition is met
[Figure: Web Service Proxy → WSDL; SLM policy with request limit = 2 and request interval = 1: requests are notified or discarded when the throughput exceeds 2 messages per second]
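The SLM policy on this slide (request limit 2, interval 1 second, on the requestCreditReport operation, with notify or throttle as the action) as an added Python example. It is not code from the deck or from DataPower: the ServiceLevelMonitor class is a constructed sliding-window model of such a policy, the clock is injected so the behaviour is deterministic, and the request timings in the demo are constructed.

```python
"""Scenario 5 model: request limit per interval with notify or throttle
(added example, not code from the deck or DataPower)."""
from collections import deque
from typing import Callable, Deque, List, Tuple


class ServiceLevelMonitor:
    """Sliding-window limit on one operation. Over the limit, 'notify' records a
    notification and still forwards; 'throttle' records it and discards."""

    def __init__(self, operation: str, request_limit: int, interval_s: float,
                 action: str, clock: Callable[[], float]) -> None:
        if action not in ("notify", "throttle"):
            raise ValueError("action must be 'notify' or 'throttle'")
        self.operation = operation
        self.limit = request_limit
        self.interval = interval_s
        self.action = action
        self.clock = clock                      # injected so the behaviour is testable
        self._arrivals: Deque[float] = deque()  # timestamps of requests inside the window
        self.notifications: List[str] = []
        self.discarded = 0

    def admit(self, operation: str) -> Tuple[bool, str]:
        """Decide one request: (forwarded?, disposition)."""
        if operation != self.operation:
            return True, "unmonitored"          # the policy covers one operation only
        now = self.clock()
        while self._arrivals and now - self._arrivals[0] >= self.interval:
            self._arrivals.popleft()            # age out arrivals older than the interval
        if len(self._arrivals) < self.limit:
            self._arrivals.append(now)
            return True, "forwarded"
        self.notifications.append(
            f"{self.operation}: over {self.limit} requests per {self.interval:g}s at t={now:.2f}"
        )
        if self.action == "notify":
            self._arrivals.append(now)          # forwarded, so it still counts in the window
            return True, "forwarded-notified"
        self.discarded += 1                     # throttle: the request is dropped
        return False, "discarded"


def run_demo(action: str) -> List[str]:
    """Replay a constructed burst of four requests within 0.3 s, then one at 1.5 s,
    against the slide's policy: limit 2, interval 1 s, on requestCreditReport."""
    times = iter([0.0, 0.1, 0.2, 0.3, 1.5])
    slm = ServiceLevelMonitor("requestCreditReport", request_limit=2, interval_s=1.0,
                              action=action, clock=lambda: next(times))
    return [slm.admit("requestCreditReport")[1] for _ in range(5)]


if __name__ == "__main__":
    print("throttle:", run_demo("throttle"))
    print("notify:  ", run_demo("notify"))
```

The two dispositions are the slide's two actions: with throttle the third and fourth requests in the burst are discarded and the count of discarded requests is the metric the scenario names; with notify they are forwarded and only a notification is recorded, which is the setting to start with when you do not yet know a service's real capacity.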
Scenario 6 - Security Gateway
Policies and Objectives
● Call center requests for customer information need to be authenticated, authorized and audited
● Requests should be inspected for denial-of-service attacks and SQL injection before entry into the JK system
● Responses should ensure message integrity, confidentiality and non-repudiation
Implementation
● Security gateway to enforce security policies at runtime in the DMZ
● Integration with the federated identity management solution for federated identification, authentication, authorization, and token negotiation
● Solution for XML threat protection, including but not limited to DoS and SQL injection attacks
● Solution to ensure response integrity, confidentiality and non-repudiation
Issues
- Security threats from external access
Metric: # of security violations
Products: Federated Identity Manager; Security Gateway
- TFIM for federated identification, authentication, authorization, and token negotiation
- DataPower as a security gateway
Scenario 6 - Configuration
● Configure the Web Service proxy
- Specify the WSDL to proxy
- Point the proxy to TFIM
- Specify SAML 1.1 for the request token format
- Add an AAA (Authentication, Authorization and Auditing) Action to the request rule in the proxy Policy
- Add a Filter Action to the request rule
- Add a Sign Action to the response rule
- Add an Encrypt Action to the response rule
[Figure: Web Service Proxy built from the WSDL; the AAA Action exchanges a SAML Assertion with the Federated Identity Manager; the Filter Action carries a SQL-injection filter and an XPath expression; the Sign Action and Encrypt Action use a key and certificate]
Resources
http://ibm.com/developer (IBM developerWorks for technologies and/or products)
Java, J2EE, Web Services and other technology zones are on the left-hand side
WebSphere Zone: http://ibm.com/developer/websphere
Rational Zone: http://ibm.com/developer/rational
Free Education Portal: http://ibm.com/developer/training
http://www.redbooks.ibm.com (How-To Step-by-step Practical Implementation Books)
http://RationalCentral.com (a.k.a. JavaSOA.com, SOAWeb20.com, WebSphereCentral.com)
(Tutorials, Links, Presentations, White Papers, Articles, etc.)