PowerCenter Real-Time Development
Brian Bunn, Project Manager, Serco
Jay Moles, Sr. Informatica Designer, Serco
Tom Bennett, Sr. Consultant, Informatica
Agenda
- Overview of PowerCenter Web Services
- Error Handling
- Performance Tuning
- Web Services Security
- Implementation Case Study SERCO
Overview of Informatica PowerCenter Web Services
PowerCenter Web Services Hub
- Application Service
- Client application gateway to PowerCenter Domain
- Batch Web Services
  - Integration Service Access
  - Repository Metadata Access
- Real-Time Web Services
  - Exposes Workflows as Web Services
  - PowerCenter Web Services Provider
Informatica PowerCenter Web Services Provider Architecture
Informatica PowerCenter Web Service Consumer
- Allow Integration with Web Services
- 3rd Party Provider Integration
- Sources
  - URL to Web Service
  - WSDL File
  - UDDI
Error Handling
SOAP Fault Messages
- FaultCode
- FaultString: Describes the error
- FaultActor (Optional): URI of the host generating the error
- Detail (Optional): Describes the cause of the error
Error Handling
- No SOAP Faults: Capture Source
Performance Tuning/Scalability
Performance Tuning
- Parameters to tune at the Workflow
Web Services Performance Tuning
- Parameters to tune at the Session level
  - Idle Time
  - Message Count
  - Reader Time Limit
Web Services Scalability
- Load Balancer
- Associate multiple repositories with a Web Services Hub
- Associate a repository with multiple Web Services Hubs
- Run multiple instances of a web service workflow
- Run web service sessions or workflows on a grid
Web Services Security
Security Use Cases
- Protect a web service from unauthorized usage (by requiring username and password)
- Manage web services as part of overall security policies and integrate with LDAP
- Protect a web service from DOS attacks or authentication attacks
- Allow a secured web service to be load balanced across multiple WSHs for performance and scalability
Web Service Hub Security
- Encryption: Encrypts repository information in the configuration file and in responses to Web service clients for login requests
- Authentication: Authenticates the Web service client's user name and password
- Authorization: Checks that the Web service client has execute permission on a folder to run the service
Informatica WS-Security
- Support for Standard OASIS WS-Security UsernameToken Profile 1.1
- Single pass authentication: the user specifies the appropriate security headers in the actual request to the service
- Supports multiple WSHs load balancing scenario
  - Username Tokens are associated with a repository within a specific domain and should be applicable to all WSHs associated to that repository
- Advanced support for encoded passwords
  - Hashed Passwords
  - Digested Passwords
- Prevent repeated DOS/login attack
  - Support for NONCE values
WS-Security Feature Details (Part 1)
- UsernameToken Format:
WS-Security Feature Details (Part 2)
- Password Format Supported
  - Clear Text
  - Hashed: Same as clear text, but the password is encoded into a base64 20 bit hash value. Two hash algorithms supported: SHA-1 or MD5
  - Digested: A generated password that is of the following formula: BASE64( SHA1_HASH (USERNAME + NONCE + CREATED) )
- NONCE: randomly generated value that's valid only once for that specific username token; it's provided to allow someone to specify a one-time only authentication token
- CREATED: timestamp of when the UsernameToken was made, in UTC timezone format
  - Example: 2008/08/11T18:06:32.425Z (yyyy/mm/dd T HH:mm:ss.SSS Z)
WS-Security Feature Details (Part 3)
- Custom Properties for NONCE and CREATED
- NonceExpirationTime: custom property that can be set at the WSH to determine how long the hub should hold on to a specific NONCE value of a UsernameToken.
  - By default this value is set to 300 seconds (5 minutes)
  - If a request is made containing the same NONCE value outside of this timeframe, the request will fail.
- CreatedFreshnessPeriod: custom property that determines how long a user has between the time the first request is made using the CREATED value and the next.
  - By default this value is set to 300 seconds (5 minutes)
  - If a request is made before this timestamp or after the expiration time following the timestamp, the request will fail.
- These two custom properties can be used independently of each other or together to ensure greater security.
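The NONCE and CREATED checks from the WS-Security slides above, sketched as an added Python example (not Informatica's code and not part of the original deck). The class, method and reason strings are hypothetical; it assumes the hub rejects a repeated NONCE while it is still held, forgets it after NonceExpirationTime, and reads CREATED in the layout of the slide's sample value.

```python
from datetime import datetime, timedelta, timezone

CREATED_FORMAT = "%Y/%m/%dT%H:%M:%S.%fZ"  # layout of the slide's sample CREATED value


class UsernameTokenGuard:
    """Illustrative nonce-replay and CREATED-freshness checks; not Informatica code."""

    def __init__(self, nonce_expiration=300, created_freshness=300):
        # Seconds; None switches a check off, as the two properties are independent.
        self.nonce_expiration = nonce_expiration
        self.created_freshness = created_freshness
        self._held = {}  # (username, nonce) -> moment the hub may forget the nonce

    def check(self, username, nonce, created, now):
        """Return (accepted, reason) for a token arriving at `now` (aware UTC)."""
        if self.created_freshness is not None:
            try:
                stamp = datetime.strptime(created, CREATED_FORMAT)
            except (TypeError, ValueError):
                return False, "malformed CREATED"
            stamp = stamp.replace(tzinfo=timezone.utc)
            if now < stamp:
                return False, "CREATED in the future"
            if now > stamp + timedelta(seconds=self.created_freshness):
                return False, "CREATED stale"
        if self.nonce_expiration is not None:
            if not nonce:
                return False, "missing NONCE"
            # Forget nonces whose hold time has passed so the cache stays bounded.
            self._held = {k: t for k, t in self._held.items() if t > now}
            if (username, nonce) in self._held:
                return False, "NONCE replayed"
            self._held[(username, nonce)] = now + timedelta(seconds=self.nonce_expiration)
        return True, "ok"


def demo(created_freshness=300):
    """Constructed token sent three times: on arrival, 5 s later and 400 s later."""
    guard = UsernameTokenGuard(created_freshness=created_freshness)
    token = ("jdoe", "bm9uY2UtMDAx", "2008/08/11T18:06:32.425Z")  # constructed values
    t0 = datetime(2008, 8, 11, 18, 6, 33, tzinfo=timezone.utc)
    return [guard.check(*token, now=t0 + timedelta(seconds=s))[1] for s in (0, 5, 400)]
```

With the freshness check switched off (demo(None)), the third send is accepted because the nonce has already been forgotten; running both checks together closes that gap.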
Case Study: Implementation Architecture
Case Study: Architecture
Web Services Throughput (examples)
- Production Environment (Multiple Servers)
- RowsPerSecond
  - Overall numbers range between 100 and 1000 rps
  - If a request results in >10K rows, some customers have timed-out.
- RequestsPerMinute
  - Overall numbers range between 10 and 100.
  - If a request takes over 20 minutes, some customers have timed-out.
The ETL Behind-the-Scene
- Production Web-Service Broadcasting Data
- Filtered Data: SOAP request has parameters for result set
- SQL Transformation: the data source can be dynamic [access/name]
- Sequence Generator Transformation: XML output has multiple rows!
Web Services Latency (examples)
- Single Server Web-Service
  - Initialization: it takes the WSH from 3 to 11 seconds to prepare the ETL.
  - Processing: it then takes the WSH about 1 second to start processing the ETL. At this point, the response time depends on the processing.
- Multiple Server Web-Service
  - Initialization: it takes the WSH from 3 to 11 seconds to prepare the ETL.
  - Invocation: it takes the WSH about 3 seconds to prepare the SOAP Request and invoke the internal web-service.
  - Processing: it then takes the internal WSH from 3 to 11 seconds to prepare the ETL, then the response time will depend on the internal processing.
Timeout/Fault Handling (examples)
- Input: Web-Services Source Validation
  - ETL tests/verifies content of the request
- Output: Web-Services Target Response
  - ETL always sends same formatted output, either a status message or a pre-determined value
- Processing: depends on WSConsumer Application Connection Timeout property set for internal WSH call
  - Will wait for a connection to internal WSH indefinitely.
  - Will wait for a response from internal WSH indefinitely.
  - These two properties prevent a forced timeout from the WSH.
Example: Our Hello!
- Simple Web-Service
- No input fields in SOAP Request, static text in SOAP response
- Validates customer's connection via SSL
- Hello!
Example: Our Addition
- Two-Step Web-Service
- Two input fields in SOAP Request, sum returned in SOAP response
- Validates customer's request will invoke internal web-service(s)
SSL Configuration
SSL Configuration: Setting Up SSL
- Keystore for Web Services Hub
  - Use the keytool utility.
  - You generate a keystore, generate a signature request from it, have it signed by an authority, then install the signed file into your keystore.
  - The default keystore generated by the PowerCenter installation process can be used for WSH, but be aware it is self-signed.
- Truststore for Web Services Hub
  - Add customers' certificates to the ca-bundle.crt files.
  - Use openssl utilities to convert format if necessary.
  - PEM format is required to add a certificate to the ca-bundle.crt files.
SSL Configuration (examples)
- Creating the Keystore for Web Services Hub
  - Example of the keytool utility. Prompts in black text, inputs in red.
SSL Configuration (examples)
- Creating the Signature Request File
  - Example of the keytool utility using the created keystore.
- Have request signed by your Authority
  - Independent firms: VeriSign.
- Install the Signed Response File
  - Example of the keytool utility for the keystore and response.
SSL Configuration (examples)
- Installing the Customer Certificate
  - Customer certificates need to be in PEM format.
  - If certificate is not PEM, convert it using openssl utility. If customer's certificate file is in a binary format, DER for example, convert it.
  - Add customer certificate text to the end of the ca-bundle.crt files.
  - Add a "PEM Data:" line before the certificate text.
  - Entry will look like this:
  - File is in the PowerCenter Installation Directory, sub-folders server/bin and services/shared/bin, both!
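One way to script the truststore step above so that it is repeatable, as an added Python example (not from the original deck and not Informatica tooling). The function names and the sample bytes are hypothetical; it assumes the "PEM Data:" marker is a literal line written before the PEM block, and it prints nothing, returning a SHA-256 fingerprint to compare with the customer out of band before the certificate is trusted.

```python
import hashlib
import re
import ssl
from pathlib import Path

# Both ca-bundle.crt locations the slide names, relative to the install directory.
BUNDLE_DIRS = ("server/bin", "services/shared/bin")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SAMPLE_DER = bytes.fromhex("3003020101")  # constructed DER stub, not a real certificate


def load_der(raw: bytes) -> bytes:
    """Return DER bytes from a certificate file that is either PEM or binary DER."""
    match = PEM_BLOCK.search(raw.decode("latin-1"))
    der = ssl.PEM_cert_to_DER_cert(match.group(0)) if match else raw
    if not der or der[0] != 0x30:  # sanity check only: DER certificates start with SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return der


def trust_certificate(install_dir, raw: bytes):
    """Append the certificate to both bundles once; return (sha256 hex, files changed)."""
    der = load_der(raw)
    pem = ssl.DER_cert_to_PEM_cert(der)
    fingerprint = hashlib.sha256(der).hexdigest()
    changed = []
    for sub in BUNDLE_DIRS:
        bundle = Path(install_dir) / sub / "ca-bundle.crt"
        data = bundle.read_bytes()  # a missing bundle raises instead of being created
        blocks = PEM_BLOCK.findall(data.decode("latin-1"))
        if der in {ssl.PEM_cert_to_DER_cert(b) for b in blocks}:
            continue  # already trusted here; keep the bundle free of duplicates
        sep = "" if not data or data.endswith(b"\n") else "\n"
        with bundle.open("ab") as fh:
            fh.write((sep + "PEM Data:\n" + pem).encode("ascii"))
        changed.append(str(bundle))
    return fingerprint, changed
```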
SSL Configuration (examples)
- Using the Keystore in the Web Services Hub
  - Define the WSH service to use your signed keystore.
  - URLScheme must be set to either HTTPS or HTTPandHTTPS for the Web Services Hub to utilize SSL and access the keystore.
  - Enter the keystore name and password used to create your keystore.
Tips, Best-Practices, etc.
- SOAP Request/Response: WSDL or Manual?
  - Inputs: XML of the in-bound request: one or multiple rows?
  - Outputs: XML of the out-bound response: one or multiple rows?
  - Processing: Initially, set up a pass-thru with an exp transformation and just the fields coming in and going out of the web-service. Basic static test version. Then, add bits and pieces.
- TESTING your Web-Services
  - WSH and TryIt!: ability to run web-service, but limited.
  - soapUI: open-source tool (FREE!) that expands testing capabilities. Basically a SOAP Client GUI.
Informatica Velocity Methodology
- Velocity is the blueprint for delivering efficient and successful Informatica solutions that solve business problems.
- New Website
  - New search capability
  - Filtering/viewing content by project type, project phase or other tags
  - New accelerator tools
  - Hot links between the articles
- Access at: mysupport.informatica.com
- Visit the Informatica Pavilion at the Technology and Solutions Fair for more details.
- Check out more than 100 new articles!
Questions?
Stay In Touch!
- LinkedIn: Informatica Power Center Real-Time
Thank You