The Role of XML Gateways in SOA

Transcription

1 WHITE PAPER DECEMBER 2014 The Role of XML Gateways in SOA Optimizing Performance, Security and Policy Operations

2 2 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA ca.com Table of Contents SOA and the XML Gateway 3 Centralized Enforcement of Message Level Security 3 Policy Governance 4 SLA Enforcement 4 Protocol Switching and Reliable Messaging 4 Data Translation 5 Service Virtualization 5 Acceleration of XML Processing 5 Deployment Patterns for XML Gateways 6 DMZ: Hardened Appliances 6 Data Center: High Performance, Easily Manageable Blades 6 Application Server: Software-based Solution 6 Conclusions 7

3 3 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA ca.com SOA and the XML Gateway An XML gateway is a new class of networking device that manages message level security, Service Level Agreements (SLAs) and performance in a Service-Oriented Architecture (SOA). In contrast to a conventional networking device, which operates on message streams based on network-level inspection of byte streams (such as TCP or UDP ports, or simple byte patterns in message content), an XML gateway (also referred to as a Web services gateway) specializes in the application-level protocols rendered within the XML or Web services message itself. With the ability to rapidly inspect and process XML messages, XML gateways can perform security, transformation, routing and SLA operations at wirespeed. An XML gateway can therefore act as an application-oriented networking device for offloading traditional XML policy operations from service endpoints. These operations include content routing, protocol switching, data transformation, identity authentication and authorization, privacy enforcement and schema validation. By offloading these policy operations to a purpose-built application networking device, SOA architects can implement security, optimize performance and enable advanced policy operations like SLAs without programming. In a loosely-coupled, distributed SOA this is critical, since programming and processing message level policy on every service endpoint introduces security, performance, scalability and flexibility issues. By centralizing policy operations, XML gateways eliminate the need to code policy into each and every Web services application in an organization. Centralized Enforcement of Message Level Security An XML/Web services gateway provides a means for consistent enforcement of policy in a distributed SOA at a granular XML or Simple Object Access Protocol (SOAP) (XML message conforming to Web services standards) message level. For example, gateways can inspect XML message streams for anomalies or known attacks using specialized silicon. It can accelerate XML cryptographic operations, manage access requests, encrypt and decrypt, and validate message schemas and signatures. The gateway can affect credential transforms, act as a Public Key Infrastructure (PKI) Certificate Authority (CA) or Registration Authority (RA) and capture message-level audit logs and more all at wirespeed. It can also assure standards conformance by enforcing compliance with Web Services (WS-*) standards or ensuring improved interoperability by automatically applying WS-* standards to non-standards-based XML messages. Through the offloading of granular XML security operations to specialized gateway hardware, architects can expand their security control and flexibility while freeing processor cycles on service endpoints to execute business logic. When XML gateways are deployed as SOA security devices, they are often described as XML firewalls. These message-level firewalls typically provide XML threat protection at an infrastructure, application and transaction level, as well as extensive identity-based functions (including credential chaining, single sign-on and federation), granular access control and full support for WS-* standards among other functions.

4 4 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA ca.com Policy Governance By combining policy enforcement with policy management, an XML gateway can enable runtime policy governance across an SOA. Governance is a combination of consistent policy definition, execution and conformance validation. At runtime, this may mean that every service endpoint responds the same way to a denial-of-service attack, or it may mean that precise SLAs can be defined and enforced across a set of services with an automatic response in the event of a violation. While not all XML gateways can enforce and manage general XML messaging policies, gateways have been designed specifically to handle general SOA policy definitions, including security, SLAs, routing, transforms and identity. In this way, a comprehensive SOA policy governance framework can be implemented at runtime inside the application network. XML gateways perform a critical role in enforcing SOA security, SLAs, routing, access control, and data/protocol transformation. SLA Enforcement SLAs address situations when, due to contractual or other reasons, compliance with one or more defined service level benchmarks needs to be verified. Although very common in telecom environments, SLAs are being used with increasing frequency in general ebusiness, outsourcing and B2B deployments. Metrics, such as processing time, messages per hour, rejected transaction counts and queries per day are common examples of defined service levels which may be measured either at endpoints or by an intermediary like an XML firewall or gateway. These measurements are then typically compared by an enforcement process or application to the desired level, with the result driving some form of action. Typical actions can include gathering and reporting results, identifying and forwarding SLA violations or changing service behavior based on current SLA conformance. XML gateways can perform a critical role in enforcing SOA SLA policies. Gateways are designed to inspect and process XML messages at wirespeed, detect SLA policy violations at an XML message level in real-time and act to deny normal message processing, initiate a new policy process or generate an alarm event. Best-of-breed gateways can also capture detailed information about any message flowing through it to produce metrics based on virtually any content, including identity, XML payload and/or policy violation. Protocol Switching and Reliable Messaging Increasingly, XML and SOAP messages are transported over protocols other than HTTP. Between companies this may mean legacy transports like EDI and FTP. Inside companies this often means reliable messaging protocols like JMS, MQSeries and Rendezvous. Mediating XML messages between these transports and middleware protocols is a function that can be handled by many XML gateways using specialized software that allows them to switch messages between transport and middleware protocols. In the future, it will also be possible to preserve reliability context (CA Technologies is a co-author to the Organization for the Advancement of Structured Information Standards Web Services Reliable Exchange or OASIS WS-RX standard that will help make this possible).

5 5 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA ca.com Data Translation One of the most critical functions of an XML gateway in a SOA environment is the transformation and normalization of data formats. This plays two vital roles: it simplifies interoperation between applications using distinct XML data formats and allows for credentials to be transformed and remapped to make cross platform authentication and authorization possible. In some XML gateways, this function is accelerated by virtue of specialized silicon and XML processing software. By virtualizing services at runtime, organizations can create new virtual services based on multiple existing services, or discrete operations of a single service. Service Virtualization Service virtualization is another benefit realized by managing access to services using an XML gateway. Technical architects can fine-tune and personalize the view of services presented to requesters based on their identity and capabilities without custom coding or service duplication. For example, using the policy authoring capabilities of the gateway, a policy can be defined to generate separate service views based on the identity and associated role of the requesting client application. These identity-tailored service views can proscribe different security expectations, standards support or SLA for each requester, simplifying the process of service delivery and assuring service reuse. Using the service virtualization feature of an XML gateway, architects can compose new virtual services based on multiple existing services or discrete operations of a single service. Similarly non-spec-compliant services coming over an IBM MQSeries or TIBCO Rendezvous message queue can be rendered as speccompliant, WSDL-based services for sharing with external departments and partners without the need for recoding. The ability to virtualize services at runtime also simplifies service lifecycle management. In practice, service definitions evolve based on changing business demands, usage policies or standards. XML gateways can insulate client applications from service changes by ensuring that multiple views of the same underlying service can be maintained simultaneously. This ensures that client access isn t broken when service definitions change. It also guarantees services can be staged before deployment. Acceleration of XML Processing XML processing is extremely resource intensive. The parsing, querying and transformation of messages is computationally expensive, and can greatly drive up application server costs. The CA API Gateway can accelerate performance through specialized parsing software and silicon. For example, the CA API Gateway accelerates complex XML operations like XPATH, XSLT and schema validation in software (using FastPath XML streaming technology) or hardware (via specialized semiconductor technology). The performance benefits scale linearly with the addition of each gateway to a SecureSpan cluster. This combination of performance technologies allows CA API Gateway to handle policy operations on the kind of large messages that would tax application servers dependent on DOM-based parsing.

6 6 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA ca.com Deployment Patterns for XML Gateways Unlike conventional firewalls or gateways, which typically define the edge of a corporate network, XML gateways can be located anywhere within a network where there are XML applications to protect and accelerate. Because network architectures can vary so significantly in different organizations, flexibility in deployment is an important characteristic to consider in evaluating any gateway. Best-of-breed XML gateways are available in three different physical form factors to support different deployment scenarios, including hardened appliances for the DMZ and network edge, blade-based deployment for the datacenter and as software that can integrate with application servers. Best-of-breed gateways should be available in a number of form factors to meet performance, manageability and budgetary needs. DMZ: Hardened Appliances A common deployment pattern for XML gateways is at the edge of the network, in a DMZ defined by conventional firewall and router infrastructure. In this role, the XML gateway serves as the entry point for all XML/Web services traffic into an organization, providing both protection against threats and highperformance enforcement of security policy before routing messages into mission-critical internal servers. Hardware-based, rack-mount appliances are an ideal solution in this deployment as they cluster easily to provide unparalleled scalability and fault tolerance. They are also self-contained in a hardened package that provides the most secure entry point into the organization. DMZ deployments often require secure connections between the gateway and the internal network. This is known as the last mile, a term borrowed from telephone distribution, where it describes the path from the switching station into the residence. There are a number of approaches to securing the last mile in Web services. An encrypted tunnel, using Secure Sockets Layer (SSL) or Virtual Private Network (VPN), is a popular solution because of its ease of setup. Alternatively, the gateway can validate, but not decrypt cryptographically secured message elements. It then relays the still-secure message to the destination application server where it is ultimately decrypted. This solution is only practical if that server has the capability of processing the complex, message-based encryption from the OASIS WS Security specification. Technologies like the OASIS Security Assertion Markup Language (SAML) or IBM s Lightweight Third-Party Authentication (LTPA) also provide a means to transfer any authentication context established by a gateway to a downstream application server. Best-of-breed gateways can also support a code-free model that requires no security programming at all on service endpoints but rather relies on the deployment of last-mile agents for consuming and enforcing security at the endpoint. Data Center: High Performance, Easily Manageable Blades The datacenter has different capacity and management expectations than the DMZ, providing an excellent fit for blade-based solutions. Blade-based XML gateways afford the perfect balance between a cost-effective solution, ease of management and raw performance-oriented scalability without sacrificing functionality. Application Server: Software-based Solution Finally, there are deployments in which endpoint-to-endpoint (i.e., from client to service without intermediary) security or SLA enforcement is the primary concern. In these situations, integrating gateway security functions into the application server environment as a software solution is the only way to ensure that there is no possible point of attack between applications.

7 7 WHITE PAPER: THE ROLE OF XML GATEWAYS IN SOA Conclusions XML gateways are a new class of network device that can play a key role in any SOA framework. Technical architects concerned about throughput, security, governance, SLA enforcement or service virtualization may be able to solve these problems more easily or more cost-effectively using an XML gateway. Over time, the benefit of managing performance and policy operations in a central location will lower the TCO of any SOA, while providing greater scalability, flexibility and security. Learn more at ca.com/api Connect with CA Technologies at ca.com CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com. Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only and to the extent permitted by applicable law, CA provides it as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. The information in this document is based upon CA s experiences with the referenced software products in a variety of development and customer environments. Past performance of the software products in such development and customer environments is not indicative of the future performance of such software products in identical, similar or different environments. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CS200_87956_1214