
SOA and Web Services Best and Worst practices

Ben Thurgood
Asia Pacific SOA Delivery Leader, IBM Software Group Services
bthurgoo@au.ibm.com

2007 ACS Web Services SIG 17 May 2007

Agenda
- SOA and Web Services
- Best Practices
  - Iterative Adoption
  - The Basics
  - Sticking to the standards
  - Securing appropriately
  - Planning for expansion
  - Planning for Governance
- Worst Practices
  - Point to Point Services
  - Bottom-up Development (or "It's all Greek to me")
  - The message that ate my server
  - Pardon me, your data is showing
  - Schema? We don't need no stinkin' schema!

2007 ACS Web Services SIG 21 February 2007

SOA and Web Services


What is ...?
- a service? A repeatable business task, e.g. check customer credit; open new account
- service orientation? A way of integrating your business as linked services
- service oriented architecture (SOA)? An IT architectural style that supports service orientation
- a composite application? A set of related & integrated services that support a business process, built on an SOA

What is a Service?

Service
A Service is a discoverable software resource which has a service description. The service description is available for searching, binding and invocation by a service consumer. The service description implementation is realized through a service provider who delivers quality of service requirements for the service consumer. Services can be governed by declarative policies.

Source: IBM SOA Center of Excellence



SOA Reference Model

(Diagram. Layers, top to bottom:)
- Consumers: Channel, B2B (the Service Consumer side)
- Business Process: composition; choreography; business state machines
- Services: atomic and composite (Atomic Service, Composite Service)
- Service Components
- Operational Systems: Packaged Application, Custom Application, OO Application (the Service Provider side)
Cross-cutting: QoS Layer (Security, Management & Monitoring Infrastructure Services); Integration (Enterprise Service Bus); Data Architecture (meta-data) & Business Intelligence; Governance; Registry

SOA: Different things to different people

Roles
- Business: Capabilities that a business wants to expose as a set of services to clients and partner organizations
- Architecture: An architectural style which requires a service provider, requestor and a service description. It addresses characteristics such as loose coupling, reuse and simple and composite implementations.
- Implementation: A programming model complete with standards, tools, methods and technologies such as Web services
- Operations: A set of agreements among service requestors and service providers that specify the quality of service and identify key business and IT metrics.

(Diagram: IBM IT Service Management: IT Process Management Products, IT Service Management Platform, IT Operational Management Products, Best Practices)

Web Services do NOT equal SOA

The two are not the same thing:
- Many of today's production Web Services systems aren't service oriented architectures: they're simple remote procedure calls or point-to-point messaging via SOAP, or well-structured integration architectures
- Many of today's production service oriented architectures don't primarily use Web Services: they use FTP, batch files, asynchronous messaging etc. - mature technologies

SOA and web services are not the answer to every situation; don't use them as the hammer
To maximize the benefits of SOA and Web Services requires both SOA and Web services

Best Practices
Patterns to follow


Iterative SOA Adoption

SOA Goal: Market return through transformation: quicker time to production, lower costs, competitive differentiation

(Chart: Revenue and Profit against Time. The Strategic Vision, Market Return through Transformation, is reached by Incremental Approximation, project by project.)

Two Primary Roadmap Perspectives
- Strategic Vision: Business and IT statement of direction which can be used as a guideline for decision making, organizational buy-in, standards adoption
- Project Plans: Implementation projects to meet immediate needs of the current business drivers

Iterative SOA Adoption

(Diagram: a COE spans Project 1, Project 2 ... Project n; each project adds services (Svc) behind the GUI, gateway (GW), ESB and business process engine (BPE), under common Governance)

The Basics
- Identify services based on business value, e.g. SOMA
  - e.g. PayPartnerCreditCard vs. ProcessBatchCCPayments: business task vs. implementation option
- No implementation details in the interface
  - if needed, transmit out of band, e.g. headers
- Use DTO (Data Transfer Object) or equivalent
- Standards-based interface, e.g. WSDL
- Stateless
- Granularity: not too fine, not too coarse
  - Does the service do too much? i.e. used by more than one different business task
  - Does it do too little? i.e. business task uses multiple services to complete
- Effective naming using terms understood by the business

Sticking to the Standards

Embrace the appropriate use of standards
- Choose levels of standards based on comfort level with new technologies
- Key standards: SOAP, WSDL, HTTP, XML
- Follow WS-I slavishly

Getting too far ahead of the curve

Problem:
Customers often want to adopt Web Services standards before they are ready in their products

Story
1. Super security
   One customer decided to go with HMAC-SHA1 authentication because it was supported in their middleware platform (WebSphere). At a meeting with their partner organisations everyone nodded their approval to the security proposal. 1 week before delivery we found out that the partners were going to fail to deliver because they were still trying to understand how to implement the security protocol.
2. WS-Addressing
   One customer we've encountered really wanted to use WS-Addressing for asynchronous web services. They found the ETTK implementation and then folded that into their implementation. Then they found in the last stages of their project that not only was the ETTK not supported, but that the code wouldn't even run on the target platform (WebSphere on z/OS).

Getting too far ahead of the curve

Guidance
- Look at what's currently supported in your middleware platform
- Adopt technology based on its value
- Balance interoperability with non-functional requirements

Securing Appropriately

Web Services present an avenue for intrusion by hackers. They also create brand new security issues of their own (XML threats).

How do we fix it?
- Enable Application Server-level (J2EE) Security
- Secure your Web Services with WS-Security following the WS-I Basic Security Profile
- Use alternative mechanisms (HTTPS/BASIC-AUTH) if necessary
- Use a DataPower XS40 appliance

XS40's Comprehensive Functionality

Wirespeed Appliance Purpose-Built for SOA Security
- XML/SOAP Firewall - Filter on any content, metadata or network variables
- Data Validation - Approve incoming/outgoing XML and SOAP at wirespeed
- Field Level XML Security - Encrypt & sign individual fields, non-repudiation
- Support for WS-Security - Standards compliance with WS-I Basic Security Profile
- XML Web Services Access Control - SAML, LDAP, RADIUS, etc.
- XML Threat Protection - Namespace attacks, SQL Injection attacks, etc.
- Web Services Management - Web services proxy, SLM
- Service Virtualization - Mask backend resources
- Configuration & Administration - Ease of use, Integration for Management

"the XS40 is an XML-security powerhouse" - Network Computing
"The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed and no rotating media." - InfoWorld
"DataPower has strong integration for security and management. All of this adds up to the strongest overall current feature set." - Forrester Research

Securing Appropriately

Why do we get this wrong?
- Lack of understanding of security principles, Web Services Security and WebSphere's security implementation options

Story:
One customer had hand-written authentication and authorization on their web site but didn't realize that they were also making their web services (for internal use only) globally accessible too
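The container-level fix the slide's first bullet refers to, as an added example that is not from the deck: a J2EE web.xml security constraint that covers the web service endpoints themselves, so the gap in the story above cannot occur. The URL pattern /services/* and the role name internal-systems are assumptions.

```xml
<!-- Constructed example (not from the deck): J2EE 1.4 web.xml fragment. The
     URL pattern /services/* and the role name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- The container enforces this before any servlet or hand-written check runs,
       so Web Services deployed under /services/ stop being reachable anonymously
       even though the web site's own login code never sees those requests. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal Web Services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <!-- No http-method elements on purpose: listing only POST would leave
           GET (e.g. the ?wsdl request) and every other method unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>internal-systems</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- HTTPS only, matching the slide's HTTPS/BASIC-AUTH alternative -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Internal Web Services</realm-name>
  </login-config>
  <security-role>
    <role-name>internal-systems</role-name>
  </security-role>
</web-app>
```

The constraint is only enforced once application security is switched on in the server, which is the point of the slide's first bullet; the role is mapped to real users or groups at deployment time.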


Plan for Expansion

You always want to assume that your services will
- Move over time to other servers
- Migrate over time (change functionality)
- Expand over time (need new capacity)

You need to virtualize your services
- Trick 1: Use a repository like WSRR to contain the latest address of services
- Trick 2: Use an ESB capable of intelligent routing and handling untyped services
- Trick 3: Establish an SOA COE

What is an Enterprise Service Bus (ESB)?

Flexible connectivity infrastructure for integrating applications and services to power your SOA
- ROUTING messages between services
- CONVERTING transport protocols between requestor and service
- TRANSFORMING message format between requestor and service
- HANDLING business events

(Diagram legend: Color = Data type, Shape = Protocol)

ESB Pattern Walk Through

(Diagram: Service Consumers - Portal, Web Site, EDI, WSGW and a Business Process Engine - send Customer and Start Process messages through the Enterprise Service Bus to Service Providers - J2EE Application, CRM, Legacy Application, Database)

Expanded View of the Enterprise Service Bus

(Diagram: Business Logic - Interaction, Process, Information, Partner, Business App and Access Services - sits on both sides of the Enterprise Service Bus, which provides Interaction Patterns, Message Flows, Mediation Patterns, Message Models and Transport Protocols, supported by Security, Management, IT Management Services and a Registry)

Service repository

Issues
- How is Service-related information governed (stored, managed and maintained, accessed)?
- How do Service Requesters determine which Services to use?
- How do Service Requesters locate Service endpoints?
- How are they made aware of changes happening? (Notification)

Objectives
- Manage service-related information (interface, service location, additional information such as specification) in a centralized manner
- Provide categorization and versioning capabilities to leverage service-related information
- Provide service requesters with extensive discovery and notification capabilities

Solution
Design and implement a Service Directory

Registry in Composite Application Life Cycle

(Diagram: the Service Registry, with its Admin Console, Dashboard and Interaction History, sits at the centre of the life cycle: Integrator - Domain Models - Reuse, Model & Build; System - Discover & Describe Existing Service Endpoints; Administrator - Topologies - Configure, Approve, Plan & Deploy; Find/Bind, Invoke, Monitor & Manage)

SOA Governance: Create a COE

(Diagram: four-phase governance lifecycle)

Plan
- Determine scope of governance work
- Prepare and conduct kick-off session
Outputs: Scope confirmed; Project plan

Model
- Design the SOA Governance Model
- Define Service Ownership Model
Output: Service Domains

Perform
- Implementation of the Governance Model
- Initiate the governance transition plan
- Implement the SOA governance processes
- Staff and execute the SOA Centre of Competency
- Initiate the organization model changes
- Launch the communication plan
- Initiate the education and mentoring plans
- Define the SOA standards and guidelines
Outputs: XML Messaging Standard; Business Services Technical Guidelines; others

Improve
- Monitor and Refine Governance Model
- Monitor governance and management
Outputs: Service Planning; Service Ownership and Funding; Service Modelling; Service Implementation; Service Management

Governance Model activities
- Understand current state in SOA: Surveys; Inventory of current IT processes & mechanisms; Inventory of current SOA standards
- Create SOA Governance Process Diagrams: SOA IT Processes
- Create initial org model for service orientation: Needs and scope; SOA CoC model; Roles and Responsibilities; Org readiness assessment
- Refine the SOA Governance Model: SOA Principles; SOA IT Processes; SOA IT Mechanisms; Organizational Model; Roles and Responsibilities; Skills Needs; Integration with Enterprise Architecture
- Understand business and IT goals for SOA: SOA Value Proposition
- Understand current org: Org Survey; Skills inventory; IT Roles and resp; Governance mechanisms
- Define SOA IT Mechanisms: SOA CoC, Process Teams, IT Councils, Others
- Define SOA Transition Plan

Worst Practices
Anti-patterns to avoid


Point to Point Interactions

Problem: Replacing middleware with point-to-point Web Services as an integration approach.
Symptoms: Using XML or SOAP over HTTP between applications to effect communication between applications.
Consequences:
- Complexity N*(N-1)
- Tight coupling
- Reduced flexibility
- Increased management, maintenance difficulty and cost

Root Cause: a view that an integration layer, usually called an Enterprise Service Bus (ESB), adds:
- Complicated new technology
- A single point of failure
- Cost (for the ESB software and supporting hardware)
- Reduced performance

Solution: Enterprise Service Bus

It's all Greek to me

Problem
Customers use bottom-up development of Web Services from existing Java beans. They end up with language-specific information (like Vectors or HashMaps) in the WSDL

Why?
Lack of understanding of interoperability issues

It's all Greek to me

What happens
Other languages (Visual Basic, C#) can't consume the SOAP produced

How do we fix it?
Top-down development of WSDL and then generation of Java beans from the WSDL

My Message ate my Server

The Problem
Customers often try to send extremely large messages, or even worse, extremely large opaque (binary) messages over Web Services transports

Why?
- Looking at Web Services as a replacement for EDI or CORBA
- Not understanding the limitations of the technology

My Message ate my Server

What happens
- Extremely high processing loads
- Low throughput due to immense amounts of time spent parsing
- High network latency

How do we fix it?
- Trick 1: Don't send redundant information. Consider using compression.
- Trick 2: Don't embed binary in the XML; use SOAP with attachments instead to bypass parsing overhead
- Trick 3: Use out-of-band transmission or the "checked baggage" pattern to avoid sending large binary files over SOAP/HTTP

Pardon me, your data is showing

Problem
- Customers try to put Web Services in at the wrong place in their architecture
- Expose Data access (or GUI) through Web Services

Why?
Misunderstanding of SOA Architectural principles

Pardon me, your Data is showing

How to fix it
- Apply coarse-grained Web Services in the right place in an architecture
- Use the Session Façade Pattern to expose model-based services

(Diagram: View -> Controller -> Domain Model -> Data Access. Web Services are exposed at the Domain Model, not at the View or at the Data Access layer)

Schema? We don't need no stinkin' Schema!

Problem
Customers often put arbitrary XML inside a SOAP envelope and call it a Web Service

Why?
- Trying to reuse existing code
- Misunderstanding of the advantages of Web Services

Schema? We don't need no stinkin' Schema!

What happens?
- The XML often has no schema: no chance of validation
- They must parse the XML themselves in the application and the client

What to do?
- Encourage them to create XML Schema and make it part of the WSDL
- Educate them as to the advantages of WSDL
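What the fix for this slide and for "It's all Greek to me" looks like in one contract, as an added example that is not from the deck: a top-down, document/literal WSDL for the "check customer credit" task from the opening slide, with the message types defined by an XML Schema embedded in the WSDL rather than by Java types. The service name, namespace, element names and endpoint address are assumptions.

```xml
<!-- Constructed example (not from the deck): document/literal WSDL with the
     message types defined by an embedded XML Schema. All names are assumed. -->
<definitions name="CreditService" targetNamespace="http://example.com/credit"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.com/credit">
  <types>
    <xsd:schema targetNamespace="http://example.com/credit"
                elementFormDefault="qualified">
      <!-- Business-level types only: a Java Vector or HashMap has no portable
           mapping, so a list becomes a repeating element and every field gets
           an explicit XSD type that any toolkit can generate from and validate. -->
      <xsd:element name="CheckCreditRequest">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="CustomerId" type="xsd:string"/>
            <xsd:element name="RequestedAmount" type="xsd:decimal"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
      <xsd:element name="CheckCreditResponse">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="Approved" type="xsd:boolean"/>
            <xsd:element name="Reason" type="xsd:string"
                         minOccurs="0" maxOccurs="unbounded"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
  <!-- Parts refer to schema elements (document/literal, per WS-I Basic Profile). -->
  <message name="CheckCreditInput">
    <part name="body" element="tns:CheckCreditRequest"/>
  </message>
  <message name="CheckCreditOutput">
    <part name="body" element="tns:CheckCreditResponse"/>
  </message>
  <portType name="CreditPortType">
    <operation name="CheckCredit">
      <input message="tns:CheckCreditInput"/>
      <output message="tns:CheckCreditOutput"/>
    </operation>
  </portType>
  <binding name="CreditSoapBinding" type="tns:CreditPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="CheckCredit">
      <soap:operation soapAction="http://example.com/credit/CheckCredit"/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
    </operation>
  </binding>
  <service name="CreditService">
    <port name="CreditPort" binding="tns:CreditSoapBinding">
      <soap:address location="https://PLACEHOLDER-HOST/services/credit"/>
    </port>
  </service>
</definitions>
```

Because every part is bound to a schema element, the server (or an XS40 in front of it) can reject a message that does not validate before any application code parses it, and a C# or Visual Basic client can generate its proxy from the same contract.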


Summary

In this talk we've seen:
- SOA and Web Services
- Best Practices to Follow
- Worst Practices to avoid

Acknowledgements

Special thanks to those people who have directly or indirectly contributed to this presentation:
Kyle Brown, Rachel Reinitz, Arnauld Deprets, Alex Polozoff, Robert Peterson, Paul Gover, Paul Glezen

IBM Services for SOA
Obligatory Plug!

SOA Offering Roadmap


SOA COE Offering

The SOA CoE is a cross-organization IT team that guides IT investment, design decisions and implementation towards the strategic shared IT solutions targeted by the SOA Vision and Strategy.
- Governance
- Main Information Dissemination Vehicle for SOA in the Organization
- Management Body of the SOA Governance and Management Process
- Implementation Body of the SOA Governance and Management Process
- Thought Leadership/Visioning
- Process Expert
- SOA Skills and Resources
- Knowledge Management
- Harvesting of Assets
- Communication

Questions?

Ben Thurgood
AP SOA Delivery Leader, IBM Software Group Services
bthurgoo@au.ibm.com
+61-421-012-787

Unused Slides


Plan for Governance

Governance is the structure of relationships and processes to direct and to control the SOA components in order to achieve the enterprise's goals

The governance model defines:
- What has to be done?
- How is it done?
- Who has the authority to do it?
- How is it measured?

(Diagram: governance spans Technology, People, Services and Processes)

IBM SOA Governance and Management Approach

(Diagram: the same four-phase governance lifecycle - Plan, Model, Perform, Improve - shown on the "SOA Governance: Create a COE" slide above)

Organizational and governance best practices
- Partnership between IT and Business
- Need management and funding support at level of adoption
- Establish feedback cycles
- Establish service domains with business stakeholders as owners
- Plan and adapt the system architecture, the development processes, and the organization to the necessities of reuse in a systematic but incremental fashion
- Directly address organization culture using champions
- Ensure that the roles are defined for the creation of reusable services, reuse of services in applications, the support of services, and the refactoring of services
- Have an exception process
- Establish a Center of Excellence
