By the Numbers
Fortune 250 Insurer
>20M protected worldwide
>150K customers in the US & UK
Provides >30% of the Fortune 500 with benefits
Top 10 in group/individual disability & long term care
Top 10 in voluntary insurance
The Challenge
When making the move to SOA, the insurer wanted to ensure they retained the same level of security and privacy for their customers' data as they had implemented with their traditional architecture. For this reason, they implemented their existing proprietary Secure Token Service (STS), which leveraged attributes stored in an SQL Server database, as the central point of authorization.
While this STS was more than adequate for a traditional architecture, the overhead of per-request SAML security caused slowdowns due to the high level of CPU usage for message decryption. Switching from NetTCPBinding to WSFederationHttpBinding and utilizing WS-SecureConversation solved the slowdown problem, but introduced a new issue with dropped sessions as a result of poor sticky load balancing. As a workaround, the insurer added code to both the client and server applications that would generate an HTTP cookie. Now, if the load balancer redirected a client to a new server, it could use the cookie to rebuild the session context and avoid renegotiating WS-SecureConversation.
At this juncture, the insurer discovered that their clients and services were no longer loosely coupled, making it far too easy to introduce breaking changes: any change in a service API would break compatibility with the client. In an environment that featured 10,000 desktops loaded with tens of client applications interacting with multiple backend services, tight coupling was a recipe for disaster. Even with extensive planning, there was still an extremely high risk of something going wrong. And any change introduced to a service would require time-consuming, labor-intensive and costly updating of the client-side software, effectively bringing server-side rollouts to a standstill.
What the insurer required was something that could act as a mediator in their environment in order to mitigate the risk of API changes, negotiate the security regime, and translate the content.
designed for version 1.0 of an API (for example) into API 2.0 calls, thereby ensuring existing applications won't break.
Implemented in conjunction with HP SOA Systinet and HP Business Availability Center (BAC), the Layer 7 Gateway helps create a comprehensive SOA Governance solution. The Systinet UDDI Registry acts as the SOA repository of record, providing design-time Governance through its service cataloguing and policy lifecycle management capabilities. The Systinet and Layer 7 solution allows the insurer to track the entire service lifecycle, from design through production, enforcing Systinet policies across their extended enterprise.
HP BAC enables trust and control of services by providing end-to-end performance monitoring and diagnostics of SOA services, applications and infrastructures. Deployed together with the Layer 7 Gateway, BAC allows the insurer to report across all their message-oriented systems, track requests that access multiple backend services, and report across different transport layers.
The Results
With a comprehensive SOA Governance solution in place, the insurer will now be able to gain greater business agility with less duplication of effort by enabling the realization of shared services that can be consistently discovered, understood and trusted. Benefits include lower application maintenance costs and improved application flexibility/adaptability gained through the introduction of a layer of abstraction (the Layer 7 XML Gateway's policy layer) between clients and services. The Gateway also provides for reduced IT and business risk by introducing a mediation layer to mitigate changes at the client and Web service. Finally, the insurer can expect higher-quality services and fewer service outages by utilizing HP BAC's SOA monitoring capabilities to ensure uninterrupted performance.
Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.