SOA Tech Exchange. Paradox: What s Good About SOA Is What s Bad About SOA (A Technical Perspective) Prepared By: Mark Blackburn, Ph.D.

Similar documents
Service Oriented Architecture

Architectural Requirements for an SOA Based on Web Services. Jim Bole VP, Engineering Infravio, Inc. April 23, 2003

NIST s Guide to Secure Web Services

Service Oriented Architecture (SOA) Architecture, Governance, Standards and Technologies

Service-Oriented Architectures

VALLIAMMAI ENGNIEERING COLLEGE SRM Nagar, Kattankulathur

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

An Oracle White Paper November Oracle Primavera P6 EPPM Integrations with Web Services and Events

AquaLogic Service Bus

Service Oriented Architecture (SOA) Architecture, Governance, Standards and Technologies

Definition of SOA. Capgemini University Technology Services School Capgemini - All rights reserved November 2006 SOA for Software Architects/ 2

Service-oriented architecture in e-commerce applications

E-Business Suite Oracle SOA Suite Integration Options

Developing SOA solutions using IBM SOA Foundation

Impact of Service Oriented Architecture on ERP Implementations in Technical Education

Simplifying Processes Interoperability with a Service Oriented Architecture

1 What Are Web Services?

1 What Are Web Services?

2 (18) - SOFTWARE ARCHITECTURE Service Oriented Architecture - Sven Arne Andreasson - Computer Science and Engineering.

Leveraging Service Oriented Architecture (SOA) to integrate Oracle Applications with SalesForce.com

Web Services - Consultant s View. From IT Stategy to IT Architecture. Agenda. Introduction

Web Services Security with SOAP Security Proxies

Enterprise SOA Strategy, Planning and Operations with Agile Techniques, Virtualization and Cloud Computing

<Insert Picture Here> Oracle Web Services Manager (WSM)

Service-Oriented Architecture: Analysis, the Keys to Success!

Di 6.1a. Warum naive SOA scheitert Ein Erfahrungsbericht. Adam Bien. January 26-30, 2009, Munich, Germany ICM - International Congress Centre Munich

EAI OVERVIEW OF ENTERPRISE APPLICATION INTEGRATION CONCEPTS AND ARCHITECTURES. Enterprise Application Integration. Peter R. Egli INDIGOO.

SOA : To Do or Not to Do

API Architecture. for the Data Interoperability at OSU initiative

Service-Oriented Architecture and its Implications for Software Life Cycle Activities

What You Need to Know About Transitioning to SOA

Service-Oriented Architecture and Software Engineering

Service Oriented Architecture (SOA) An Introduction

Service Virtualization: Managing Change in a Service-Oriented Architecture

Ensuring Web Service Quality for Service-Oriented Architectures. An Oracle White Paper June 2008

Table of Contents. 1 Executive Summary SOA Overview Technology Processes and Governance... 8

SOA + BPM = Agile Integrated Tax Systems. Hemant Sharma CTO, State and Local Government

Assurance in Service-Oriented Environments

Federal Enterprise Architecture and Service-Oriented Architecture

Government's Adoption of SOA and SOA Examples

Service-Oriented Integration: Managed File Transfer within an SOA (Service- Oriented Architecture)

BEA BPM an integrated solution for business processes modelling. Frederik Frederiksen Principal PreSales Consultant BEA Systems

Getting Started with Service- Oriented Architecture (SOA) Terminology

Secure Authentication and Session. State Management for Web Services

Testing service-oriented architecture (SOA) applications and services. White paper

SOA Myth or Reality??

Introduction to Service Oriented Architectures (SOA)

Software Services. By Michał Antkiewicz WCI CS Club

Service Oriented Architecture & Web Services

Service Virtualization

Building Your EDI Modernization Roadmap

MDM and Data Warehousing Complement Each Other

SERVICE ORIENTED ARCHITECTURE

The case for service oriented architecture in realising trusted, interoperable, pan-european egovernment services.

Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence

Business-Driven Software Engineering Lecture 3 Foundations of Processes

SOA Fundamentals For Java Developers. Alexander Ulanov, System Architect Odessa, 30 September 2008

SOA for Healthcare: Promises and Pitfalls

Introduction to Service-Oriented Architecture for Business Analysts

Run-time Service Oriented Architecture (SOA) V 0.1

Business Process Management Tampereen Teknillinen Yliopisto

Improving Agility at PHMSA through Service-Oriented Architecture (SOA)

Performance Evaluation of Intrusion Detection Systems

Microsoft SOA Roadmap

BUSINESS PROCESS AND EBXML - WEB SERVICES INTEGRATION PLATFORM, REQUIREMENTS, ARCHITECTURES, SECURITY

EVALUATING INTEGRATION SOFTWARE

The refinery scheduling system needs to interface with various

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

Understanding and Selecting the Right Secure File Transfer Solution for your Organization

TECHNOLOGY TRANSFER PRESENTS MAX. From EAI to SOA ACHIEVING BUSINESS AGILITY THROUGH INTEGRATION

Guiding Principles for Modeling and Designing Reusable Services

Rotorcraft Health Management System (RHMS)

Sage Integration Cloud Technology Whitepaper

SOA and Cloud in practice - An Example Case Study

Securing corporate assets with two factor authentication

Web Services Testing. Mark Lewis-Prazen Web Services Fall, 2006

ebay : How is it a hit

Building the European Biodiversity. Observation Network (EU BON)

The Way to SOA Concept, Architectural Components and Organization

An IDL for Web Services

WHITE PAPER. Written by: Michael Azoff. Published Mar, 2015, Ovum

JOURNAL OF OBJECT TECHNOLOGY

Chapter 2: Cloud Basics Chapter 3: Cloud Architecture

ITU-T Kaleidoscope Conference Innovations in NGN. Managing NGN using the SOA Philosophy. Y. Fun Hu University of Bradford

must secure their online, automated business processes with partners

Java Security Web Services Security (Overview) Lecture 9

Core J2EE Patterns, Frameworks and Micro Architectures

The Business Benefits of the Proliance Architecture. September 2004

Pervasive Software + NetSuite = Seamless Cloud Business Processes

Enterprise IT Architectures SOA Part 2

Service Design Essentials

Web Services in SOA - Synchronous or Asynchronous?

CHAPTER 1 INTRODUCTION

GoodData Corporation Security White Paper

Ground System Architecture Workshop

Research on the Model of Enterprise Application Integration with Web Services

Motivation Definitions EAI Architectures Elements Integration Technologies. Part I. EAI: Foundations, Concepts, and Architectures

An introduction to Cryptosoft

White Paper. Web Services External (WS-X) An AS4 Implementation at Cisco

Service-Oriented Computing and Service-Oriented Architecture

Transcription:

SOA Tech Exchange Paradox: What s Good About SOA Is What s Bad About SOA (A Technical Perspective) Prepared By: Mark Blackburn, Ph.D. Systems and Software Consortium 2214 Rock Hill Road, Herndon, VA 20170-4227 Phone: (703)742-8877 FAX: (703)742-7200 www.systemsandsoftware.org

Why This Topic? Members confirmed that dependability issues are more difficult to address in SOA efforts than anticipated Dependability, including security, reliability, availability, integrity, confidentiality (and Quality of Service) More difficult problem than with more traditional tightly-coupled systems Information Week survey of 273 tech pros [Sept, 4, 2006] 24% say SOA & Web services projects fell short of expectations Of those, 55% say SOA introduced more complexity into IT environments 41% say they cost more than expected Out of all respondents using SOAs & Web services, just 7% say the results exceeded expectations Presentation discusses some of the technical challenges What s different with SOA (mostly from a Web services perspective)? Verification, testing, and monitoring where testing is difficult or costly Security Recommendations Conclusion

$$$ Why Should You Care? SOA introduces a new dimension with potentially unanticipated effort/cost Liability costs Functioning improperly Not being delivered on time

What Makes SOA Challenging? Intrinsically distributed Unknown number of possible configurations Focus is on interoperability versus integration Many dependencies - can take a lot of coordination to complete a call through entire chain Web services abstract applications from back-end systems performing the processing We might not know who we re talking to, resulting in need for new type of requirements => added cost and effort Security issues at every interface Infeasible to complete testing of all business workflows across heterogeneous technology layers at system and component levels Changing requirements and evolving systems What worked yesterday might not tomorrow

Simplified Example Web Client Retailer System submitpo Manufacturer System Web getcatalog Retailer Warehouse Manufacturer Client App submitorder Service A A getevents shiporder Warehouse B Manufacturer B Logging Service logevents (from anywhere) Warehouse C shippingno Manufacturer C errorpo Web Service Operations Synchronous unsecured User Operations Synchronous secured Asynchronous secured

SOA Verification Still need testing: Functional, performance, interoperability and vulnerability Unit, integration, system, regression, and acceptance Need testing at implementation layer (service verification) Service functionality needs to be more robust than ever, because it may be used or attacked in unexpected ways Need testing at messaging layer All services must operate as defined by interface - Web Services Definition Language (WSDL) Semantics needed too (WSDL-S) Example of semantics issues Excel spreadsheet example from Genetics Community Need verification of metadata

Example: SOA Messaging Elements Verification must consider all messaging elements of metadata BPEL, WSCI,.. WSDL, WSDL-S Messaging WS-Addressing/Routing/Policy/Security URI, XML, SOAP Transport SOAP: Simple Object Access Protocol BPEL: Business Process Execution Language WSCI: Web Service Choreography Interface WSDL-S: Web Service Semantics

Enterprise-wide SOA From Applications Perspective Business processes User interfaces Composite services orchestration defined with Business Process Modeling Notation (BPMN) to generate Business Process Execution Language (BPEL) Service choreography Web Service Choreography Interface (WSCI) Static (WSDL) WSCI provides interfaces for exchange of messages, WSDL provides interface, SOAP supports messaging Service applications Legacy ERP MDD/MDA Services may be commercial, legacy or developed using more modern approaches such as Model Driven Development (MDD) focused generation of code for the service applications

Other Verification Issues Lack of control Services run on an independent infrastructure and evolve under control of provider Is regression testing comprehensive and feasible for every version change? Verification of long sequences of asynchronous events is difficult testing task Continuous self-checking of a services/system by monitoring it during execution Alternative to testing Monitoring impacts the design process Requires verification to ensure monitoring works properly More unanticipated cost

Other Verification Issues (cont.) Lack of observability Loose coupling is a good thing, but introduces testing challenges Logging services may support testability Be a discriminator in selecting a service to use Web services client developers typically have access to interfaces (WSDLs) only No access to the code or structure Dynamic behavior Service changes or service is no longer available From earlier example: Choosing between warehouses and manufacturers When/if a shipping number is generated and/or PO error is sent Potential need to provide mechanisms to substitute alternatives for unavailable product Creates need for more error handling => more effort and cost

SOA Security Distributed nature of SOA applications adds complexity Traditional applications often use single point for identification and authentication SOA applications may require users to be identified and authenticated to multiple servers during a transaction No over-riding security context for composite services Services must determine that call to it is from an authenticated user, with authority to perform the action SOA applications may require sophisticated identity management and security policy infrastructure Metadata what information is provided to an attacker? If a service can find another service, an attacker can too What happens if discovered services is established by an attacker? And, you send your data to it? Security considerations at each interoperable interface

Example Requirements for Security* Security functionality must be considered at every operation where there is an interface boundary Sender Receiver Operation Message Message Integrity Authentication Confidentiality Algorithm Web Client Retailer getcatalog getcatalog Request WC X.509: Body, UNT, Timestamp UNT-user, Cert Auth R X.509: Body, Signature Key: RSA 1.5, Data: AES 128, Digest: SHA1 Retailer Web Client getcatalog getcatalog Response R X.509: Body, Timestamp Cert Auth WC X.509: Body, Signature Key: RSA 1.5, Data: AES 128, Digest: SHA1 Web Client Retailer submitorder submitorder Request WC X.509: Body, UNT, Timestamp UNT-user, Cert Auth R X.509: Body, Signature Key: RSA 1.5, Data: AES 128, Digest: SHA1 Retailer Web Client submitorder submitorder Response R X.509: Body, Timestamp Cert Auth WC X.509: Body, Signature Key: RSA 1.5, Data: AES 128, Digest: SHA1 Retailer Warehouse n ShipGoods ShipGoods Request R X.509: Body, Config Header, Timestamp Cert Auth None Key: RSA 1.5, Digest: SHA1 Warehouse n Retailer ShipGoods ShipGoods Response Wn X.509: Body, Timestamp Cert Auth None Key: RSA 1.5, Digest: SHA1 *SCM Security Architecture WGD 5-00 (March, 2006)

Security Features versus SW Defects Security features such as authentication, encryption, access control, etc. are necessary but not sufficient Hardware appliances for networks security only filter - also necessary but not sufficient Security often breached by exploiting vulnerabilities Defects (or weaknesses) in design or implementation often make the system vulnerable Example SW defect: distributed error handling E.g., errorpo the asynchronous error handler

Opportunities for Re-Design SOA projects will likely require redesign to support reuse Such activities provide an opportunity to address security architecture as well as implementation details Organization that expose a component developed for use in tightly coupled environment as a service need to apply rigorous engineering for security as well as robustness Analyze service connections and interfaces What can call what? What are the vulnerabilities by the interactions? What possible multi-state transactions can be used to break security? What types of API are used? How are they vulnerable?

Design for Testability Requires element under test to have: Controllability, observability, and predictablity Fundamental to automation Well-defined interfaces and program-to-program interaction facilitates test automation Automation supports rapid continual deployment, with reduced cost Supports automated regression testing that is even more important as services may change or go away SOA are not always predictable Any distributed system with asynchronous communication makes the predictability of the systems more difficult

Test at Multiple Levels Increase test coverage with fewer tests Test service implementation at the interfaces Can be assured that implementation behavior is correct Can be accomplished with predictability in development environment Isolates implementation from communication issues Reduces complexity of a test harness Separate business logic from client and server communication and test separately Earlier focus on integration testing permits messagebased acceptance testing in deployment environment to focus on service-to-service interfaces

The Right Test Automation Testing environment can be a strategic tool for improving implementation efficiency and reducing manual support SOA testing tools generalized from Web page testing tools may be insufficient for SOA implementations more manual than one thinks SOA integration testing tools that simulate service requests and events allow testing in virtual environment SOA verification tools should test dynamically changing business requirements reflected by metadata changes Reuse functional testing assets for performance and load testing Model-based testing helps ensure robustness for service implementation and supports regression testing Model-based testing promotes test driven development Reuse of models provides high ROI Hard part is the distributed processing aspects of SOA

Conclusion Paradox? What s good? Loosely coupled, reuseable, discoverable, composite services What s bad? Must be more robust Highly distributed which are harder to verify Requires additional effort to provide security at every interface Recommendations - leverage re-design opportunities: Address security at every interface Design for testability to support continuous automated testing Separate business logic, from implementation service and communication Supports layered testing to increase coverage with fewer tests Address distributed process verification with alternatives such as monitoring to supplement testing

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information