This Presentation Courtesy of the International SOA Symposium
October 7-8, 2008, Amsterdam Arena
www.soasymposium.com
SOA Runtime Governance
A Policy-Based Approach
Paul Butterworth
Chief Technology Officer
AmberPoint, Inc
October 2008
© 2008 AmberPoint, Inc. 3
Agenda
• SOA Characterization
• Policy-based Runtime Governance
• Some Examples
Based on our experiences with ~200 customers
Typical Service Network Topology
Diagram: internal services (Order Entry, Accounting, Credit) and shared services sit behind the firewall; external and partner services sit outside it.
• Services, not applications
• Shared
• Dynamic
• Federated
Typical Service Network Infrastructure
Diagram: Java services, mainframe applications, Web services, a DBMS and business applications, connected through the network, a service bus and an appliance.
In all but the newest of environments, “SOA” ≠ “Just Web Services & XML”
Keys to Successful Governance and Management of SOA Applications
• Continuous SOA Discovery
• Service Management & Security
• Business Transaction Management
• Business System Validation
• Closed Loop Governance
Stakeholders: Business; Architects & Development; Operations
SOA Runtime Governance and Life Cycle
SOA Runtime Governance automates real-time visibility and control at each stage of the SOA lifecycle: Development, Staging, Production.
• IDEs, process tools, business logic
• Discovery
• Policies: performance, availability, security, logging
  – Automatically enforce governance
• Performance, diagnostics, validation, capacity planning, service levels
• Discovery: automatically discover rogue services
• More policies: performance, availability, SLAs, security, logging, audit
Agenda
• SOA Characterization
• Policy-based Runtime Governance
• Some Examples
Governance Constraints as Policy
• Declarative specification of system characteristics as “Policies”
  – Configurations
  – Constraints
  – Desired states
• Specify what must be accomplished as opposed to “how”
  – What are my service levels, not how to measure them
  – What are my faults, not how to detect them
  – What level of security do I require
Policy Benefits in Runtime Governance
• Improve productivity and increase accuracy
  – Simpler constraint specification
  – Easier to understand
  – Easier to change
• Eliminate policy obsolescence
  – Decouple policy description from policy enforcement
  – Remap and reassign policies as the environment evolves
    – New intermediaries and system architecture
    – New phase of lifecycle – testing vs. production
    – Different department / division – architectural choices
• Leverage the intrinsic and increasing SOA capabilities of the various “intermediaries” whenever possible
  – Platforms – Indigo, WebSphere, WebLogic, NetWeaver, IONA, etc.
  – ESBs – AquaLogic, WebSphere ESB, SAP XI
  – XML-aware appliances – Cisco AON, Forum, DataPower, Reactivity, etc.
Policy-based Runtime Governance Architecture
Diagram: a Runtime Policy & Analysis Engine receives collected data from, and pushes policies to, Runtime Policy Execution Points (PEPs) in the service network (services S1–S4 on an Enterprise Service Bus, governed by a service contract). The PEPs also handle load balancing and exception management.
Policy requests by stakeholder:
• Developer – feedback on runtime errors
• Systems Operations – ensure reliability
• Business Operations – track our contracted service levels
• Security Officer – enforce authentication
Simple policies (executed at the Runtime Policy Execution Point):
• Instrumentation
• Failover
• Load balancing
• Content-based routing
• Transformations
• Encryption
• Security checks
Complex policies (runtime policy):
• Service level agreements
• Exception handling
• Advanced security
• Validation
Binding Policy to SOA
Policies are bound to sets of services selected by their metadata, for example:
• All production services
• All orders > $10,000
• All services in the Accounting application
• All services deployed in WebLogic containers
One-at-a-Time Approach: apply p1 to s1, apply p2 to s2, apply p1 to s2, ….. With 100 services x 50 policies this means 5,000 policy points to manage individually.
Dynamic Approach: each policy carries a “where” clause and is attached to every matching service, e.g. Security/Encryption where “Accounting”, Logging where deployed on .NET app servers, Load-Bal/Weighted for all services.
Detailed Metadata of Your SOA Environment
Operational info:
• When the service was discovered
• Availability
• Type of service
• Type of container
• Link to WSDL
Business info:
• Business owner
• Division
• Version
• Etc.
Custom:
• Chargeback info
• Risk assessment
• Links to URLs
• Etc.
Capability-based Delegation of Runtime Policies
Diagram: AmberPoint Runtime Governance (runtime repository, dependencies, policy) delegates policies such as Security/AuthN, Monitoring, Load-Bal/Round-Robin and Logging to the intermediaries in the network.
• Gathers existing application knowledge and policies
• Assigns policies based on capabilities
• Translates runtime policy into platform-specific interfaces
• Monitors execution
• Agents to round out capabilities and for other components
Agenda
• SOA Characterization
• Policy-based Runtime Governance
• Some Examples
Universal Policy Library
Consistent enforcement regardless of SOA infrastructure
• Library of commonly used runtime policies
• Based on standards: WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment
• User-extensible
• Leverage the metadata: “Apply Encryption to All Services where Application_group = ‘Accounting’”
• Synchronize with other governance processes
Policy categories:
• Instrumentation
• Content-based policies
• Versioning
• Authentication – certificates, credentials, SAML, etc.
• Authorization
• Censorship
• Credential mapping
• Crypto – signatures & encryption
• Throttling
• Failover
• Load balancing
• Quality of service – performance, availability, throughput
• Service level agreements
• Exception handling
• Validation
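The dynamic binding approach from the “Binding Policy to SOA” slide and the metadata-driven rule on this slide (“Apply Encryption to All Services where Application_group = ‘Accounting’”) come down to the same mechanism: a policy carries a predicate over service metadata, and binding is the evaluation of every predicate against every discovered service. The following is an added example, not code from the deck or from AmberPoint; the registry, the metadata keys (phase, app_group, container) and the policy names are constructed.

```python
"""Predicate-based policy binding over service metadata.

Added example, not code from the deck or from AmberPoint: the registry,
the metadata keys (phase, app_group, container) and the policy names
are constructed to illustrate the dynamic approach.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Metadata = Dict[str, str]


@dataclass
class Service:
    name: str
    metadata: Metadata


@dataclass
class Policy:
    name: str
    # Predicate over a service's metadata; None means "all services".
    where: Optional[Callable[[Metadata], bool]] = None


# Constructed registry: the operational/business metadata that runtime
# governance collects for every discovered service.
REGISTRY: List[Service] = [
    Service("s1", {"phase": "production", "app_group": "Accounting", "container": "WebLogic"}),
    Service("s2", {"phase": "production", "app_group": "OrderEntry", "container": ".NET"}),
    Service("s3", {"phase": "staging", "app_group": "Accounting", "container": ".NET"}),
    Service("s4", {"phase": "production", "app_group": "Credit", "container": "WebLogic"}),
]

# Declarative policies: each says what must hold and where it applies,
# not how a given intermediary enforces it.
POLICIES: List[Policy] = [
    Policy("Security/Encryption", lambda m: m.get("app_group") == "Accounting"),
    Policy("Logging", lambda m: m.get("container") == ".NET"),
    Policy("SLA/Response<2s", lambda m: m.get("phase") == "production"),
    Policy("Load-Bal/Weighted"),  # no predicate: bound to every service
]


def bind(policies: List[Policy], registry: List[Service]) -> Dict[str, Set[str]]:
    """Dynamic approach: evaluate every predicate against every service's
    metadata and return {service name -> names of bound policies}."""
    bindings: Dict[str, Set[str]] = {svc.name: set() for svc in registry}
    for policy in policies:
        for svc in registry:
            if policy.where is None or policy.where(svc.metadata):
                bindings[svc.name].add(policy.name)
    return bindings


def policy_points(bindings: Dict[str, Set[str]]) -> int:
    """Number of (service, policy) pairs; with the one-at-a-time approach each
    of these is a manual assignment (the deck's 100 svcs x 50 policies = 5,000)."""
    return sum(len(names) for names in bindings.values())


def rebind_after_change(policies: List[Policy], registry: List[Service],
                        service_name: str, new_metadata: Metadata) -> Dict[str, Set[str]]:
    """When a service moves (staging -> production, a new container), only its
    metadata changes; the policy definitions are untouched and rebinding is a
    re-evaluation. The original registry is left unmodified."""
    updated = [Service(s.name, {**s.metadata, **new_metadata}) if s.name == service_name else s
               for s in registry]
    return bind(policies, updated)


if __name__ == "__main__":
    current = bind(POLICIES, REGISTRY)
    for name, names in sorted(current.items()):
        print(name, sorted(names))
    print("policy points:", policy_points(current))
    promoted = rebind_after_change(POLICIES, REGISTRY, "s3", {"phase": "production"})
    print("s3 after promotion:", sorted(promoted["s3"]))
```

Promoting s3 to production adds the SLA policy to it without anyone touching the policy definitions; that re-evaluation is what keeps the policies from going obsolete as the environment changes.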
Service Virtualization
• Abstracts service changes and versions behind a published ‘façade’ (a ‘virtual’ service)
• Enables endpoint routing, load-balancing, failover, transformations etc.
• Client sees a simpler interface; service changes don’t show through.
Before: clients call Service A and Service B directly (operations OrderLookup, ChangeDate, ChangeQty, ScheduleShip, ChangePrior, LookupETA).
After: clients call the Virtual Service (PEP), which load balances, routes, transforms and versions requests before passing them on to Service A and Service B.
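The façade described above, as an added example that is not part of the deck or of AmberPoint’s products: a small virtual service that owns the routing table, balances round-robin across replicas, fails over when a replica is down, and rewrites a v1 request so that a changed v2 contract does not show through. The backends, replica names and the quantity/qty field change are constructed; the operation names are taken from the slide’s diagram.

```python
"""A virtual service (policy execution point) in front of two backends.

Added example, not code from the deck or from AmberPoint: the backends,
replica names and the request transformation are constructed; the
operation names come from the slide's diagram.
"""
import itertools
from typing import Callable, Dict, List, Optional

Handler = Callable[[str, dict], dict]


class BackendDown(Exception):
    """Raised by a backend replica that cannot be reached."""


def make_backend(name: str, expects: Optional[str] = None, down: bool = False) -> Handler:
    """Constructed backend: reports which replica answered and echoes the
    request field it consumed, so contract differences between versions show."""
    def handler(op: str, payload: dict) -> dict:
        if down:
            raise BackendDown(name)
        return {"ok": True, "backend": name, "op": op,
                "echo": payload.get(expects) if expects else None}
    return handler


class VirtualService:
    """Clients see one published facade; routing, round-robin load balancing,
    failover, transformation and versioning happen behind it."""

    def __init__(self) -> None:
        self.routes: Dict[str, List[Handler]] = {}
        self.transforms: Dict[str, Callable[[dict], dict]] = {}
        self._cursor: Dict[str, object] = {}

    def route(self, op: str, replicas: List[Handler],
              transform: Optional[Callable[[dict], dict]] = None) -> None:
        self.routes[op] = replicas
        self._cursor[op] = itertools.cycle(range(len(replicas)))
        if transform is not None:
            self.transforms[op] = transform

    def invoke(self, op: str, payload: dict) -> dict:
        if op not in self.routes:
            return {"ok": False, "fault": f"Unknown operation: {op}"}
        replicas = self.routes[op]
        payload = self.transforms.get(op, lambda p: p)(payload)
        start = next(self._cursor[op])              # round-robin load balancing
        for i in range(len(replicas)):              # failover to the next replica
            try:
                return replicas[(start + i) % len(replicas)](op, payload)
            except BackendDown:
                continue
        return {"ok": False, "fault": f"All replicas for {op} are down"}


def build_facade() -> VirtualService:
    """Constructed topology: Service A (two replicas plus a v2 with a changed
    contract) and Service B (one of two replicas down)."""
    vs = VirtualService()
    vs.route("OrderLookup", [make_backend("A-1"), make_backend("A-2")])
    vs.route("ScheduleShip", [make_backend("B-1", down=True), make_backend("B-2")])
    # Versioning: v1 clients still send "quantity"; A-v2 expects "qty".
    # The facade rewrites the request so the change does not show through.
    vs.route("ChangeQty", [make_backend("A-v2", expects="qty")],
             transform=lambda p: {**p, "qty": p.get("qty", p.get("quantity"))})
    return vs


if __name__ == "__main__":
    facade = build_facade()
    for _ in range(2):
        print(facade.invoke("OrderLookup", {}))
    print(facade.invoke("ScheduleShip", {"order": "o1"}))
    print(facade.invoke("ChangeQty", {"order": "o1", "quantity": 3}))
```

The client never learns that B-1 is down or that A moved to v2; both are absorbed at the PEP, which is the point of publishing the façade rather than the endpoints.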
Service Level Management
• Real-time visibility into service network performance and availability
• Segmentation and prioritization based on business criteria
• Trigger preventative and corrective actions
  – Redirect traffic
  – Make less critical requests wait
• Reporting
  – Compliance
  – Historical trends for capacity planning
Diagram: process engine and service bus instrumented for service level metrics.
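What the evaluation and the two corrective actions on this slide look like in code, as an added example (not code from the deck or from AmberPoint): per-service availability and p95 latency are compared against the targets of the service’s business tier, a breach recommends redirecting traffic to a standby endpoint, and a scheduler makes low-priority callers of a breaching service wait. The SLA targets, tiers, standby endpoints and the observed call records are all constructed.

```python
"""Service level evaluation over observed calls, with prioritized actions.

Added example, not code from the deck or from AmberPoint: the SLA targets,
business tiers, standby endpoints and the observed call records are constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed SLA targets per business tier.
SLAS = {
    "gold": {"availability": 0.995, "p95_ms": 500},
    "silver": {"availability": 0.99, "p95_ms": 1000},
}
SERVICE_TIER = {"OrderEntry": "gold", "Reporting": "silver"}
STANDBY = {"OrderEntry": "OrderEntry-standby"}  # where traffic can be redirected

# Constructed observations: (service, caller priority, latency_ms, succeeded).
OBSERVED: List[Tuple[str, str, int, bool]] = (
    [("OrderEntry", "high", 200, True)] * 17
    + [("OrderEntry", "low", 900, True)] * 2
    + [("OrderEntry", "low", 0, False)]
    + [("Reporting", "low", 300, True)] * 10
)


def p95(values: List[int]) -> int:
    """Nearest-rank 95th percentile."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)]


def evaluate(observed=OBSERVED, slas=SLAS, tiers=SERVICE_TIER, standby=STANDBY) -> Dict[str, dict]:
    """Per service: availability and p95 latency against its tier's targets,
    plus the corrective actions the deck lists (redirect traffic, defer less
    critical requests) when a target is breached."""
    calls = defaultdict(list)
    for svc, prio, latency, ok in observed:
        calls[svc].append((prio, latency, ok))
    report = {}
    for svc, records in calls.items():
        target = slas[tiers[svc]]
        good = [latency for _, latency, ok in records if ok]   # failed calls have no latency
        availability = len(good) / len(records)
        latency95 = p95(good) if good else math.inf
        breaches = []
        if availability < target["availability"]:
            breaches.append("availability")
        if latency95 > target["p95_ms"]:
            breaches.append("latency")
        actions = []
        if breaches:
            if svc in standby:
                actions.append(f"redirect {svc} -> {standby[svc]}")
            actions.append(f"defer low-priority calls to {svc}")
        report[svc] = {"availability": availability, "p95_ms": latency95,
                       "breaches": breaches, "actions": actions}
    return report


def schedule(pending: List[Tuple[str, str]], report: Dict[str, dict]) -> Tuple[list, list]:
    """Prioritization: admit everything except low-priority requests to a
    service that is currently breaching its SLA; those wait."""
    admit, defer = [], []
    for svc, prio in pending:
        if prio == "low" and report.get(svc, {}).get("breaches"):
            defer.append((svc, prio))
        else:
            admit.append((svc, prio))
    return admit, defer


if __name__ == "__main__":
    rep = evaluate()
    for svc, r in rep.items():
        print(svc, r)
    print(schedule([("OrderEntry", "low"), ("OrderEntry", "high"), ("Reporting", "low")], rep))
```

Availability and latency are tracked separately on purpose: a service can answer every call and still breach on p95, and the actions differ (redirect for capacity, defer for contention), which is why the report keeps both breach kinds.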
Transaction Management
• Visibility into technical and application-level errors: “rejected”, “unknown”, “Error code: UUUEX32AF”, SOAP faults, no response, transport-level errors
• Monitoring of business-level anomalies: international travel ticket with price < $100
• IT & business operations non-compliance: order completed and shipped, but never invoiced
• Regulatory non-compliance (Privacy Act, HIPAA conditions, etc.)
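Detection logic for the three classes of problem on this slide, run over a constructed transaction stream, as an added example (not code from the deck or from AmberPoint). The error strings mirror the slide’s examples; the event records, the $100 threshold and the rule names are constructed.

```python
"""Detection of technical errors and business anomalies in a transaction stream.

Added example, not code from the deck or from AmberPoint: the event records
and the rule thresholds are constructed; the error strings mirror the slide.
"""
import re
from collections import defaultdict
from typing import Dict, List

ERROR_CODE = re.compile(r"Error code: [A-Z0-9]+")

# Constructed event stream; every event belongs to a transaction id.
EVENTS: List[dict] = [
    {"txn": "t1", "kind": "request"},
    {"txn": "t1", "kind": "response", "status": "ok"},
    {"txn": "t2", "kind": "request"},
    {"txn": "t2", "kind": "response", "status": "rejected"},
    {"txn": "t3", "kind": "request"},
    {"txn": "t3", "kind": "response", "status": "ok", "body": "Error code: UUUEX32AF"},
    {"txn": "t4", "kind": "request"},
    {"txn": "t4", "kind": "soap_fault", "fault": "env:Fault Unknown Service"},
    {"txn": "t5", "kind": "request"},                       # never answered
    {"txn": "t6", "kind": "ticket", "route": "international", "price": 79.0},
    {"txn": "t7", "kind": "ticket", "route": "domestic", "price": 79.0},
    {"txn": "t8", "kind": "order", "order_id": "o1", "stage": "shipped"},
    {"txn": "t9", "kind": "order", "order_id": "o1", "stage": "invoiced"},
    {"txn": "t10", "kind": "order", "order_id": "o2", "stage": "shipped"},
]


def detect(events: List[dict], min_intl_price: float = 100.0) -> Dict[str, List[str]]:
    """Return {rule -> sorted ids} for the three classes the deck names:
    technical/application errors, business anomalies and non-compliance."""
    findings: Dict[str, set] = defaultdict(set)
    requested, answered = set(), set()
    order_stages: Dict[str, set] = defaultdict(set)
    for ev in events:
        txn, kind = ev["txn"], ev["kind"]
        if kind == "request":
            requested.add(txn)
        elif kind == "soap_fault":
            answered.add(txn)
            findings["technical:soap-fault"].add(txn)
        elif kind == "response":
            answered.add(txn)
            if ev.get("status") in ("rejected", "unknown"):
                findings["technical:status"].add(txn)
            if ERROR_CODE.search(ev.get("body", "")):   # application error inside an "ok" reply
                findings["technical:error-code"].add(txn)
        elif kind == "ticket":
            if ev["route"] == "international" and ev["price"] < min_intl_price:
                findings["business:cheap-international-ticket"].add(txn)
        elif kind == "order":
            order_stages[ev["order_id"]].add(ev["stage"])
    for txn in requested - answered:                         # no response at all
        findings["technical:no-response"].add(txn)
    for order_id, stages in order_stages.items():            # shipped but never invoiced
        if "shipped" in stages and "invoiced" not in stages:
            findings["compliance:shipped-not-invoiced"].add(order_id)
    return {rule: sorted(ids) for rule, ids in findings.items()}


if __name__ == "__main__":
    for rule, ids in sorted(detect(EVENTS).items()):
        print(rule, ids)
```

Note that t3 is caught only by inspecting the body: its transport status is “ok”, which is the kind of application-level error a transport-level monitor misses. The shipped-not-invoiced rule is stateful across events, which is why it runs after the stream has been consumed.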
SOA Security
Integrate with existing security solutions
• XML Signatures/Validation
  – Apply to parts of message, across multiple hops
  – Transport, language & vendor independent
• XML Encryption/Decryption
  – Apply to parts of message, across multiple hops
  – Independent of transport, language or vendor
• Last-Mile Security for Distributed SOA
  – Local intermediaries enforce security for each end-point
  – Manage security events & exceptions across distributed environments
Sample message with element-level XML Encryption (from the slide):
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<EncryptedData
Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>
Diagram: process engine and service bus with security enforced by local intermediaries at each end-point.
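Because XML Encryption is applied to parts of a message, the check a governance PEP needs is not “is the message encrypted” but “are the parts that policy says must be encrypted actually encrypted, and is each EncryptedData block well formed”. The following is an added example, not code from the deck or from AmberPoint: the first message is the PaymentInfo sample on the slide; the two further messages and the list of element names the policy requires to be encrypted (CreditCard, Number, Account) are constructed.

```python
"""Checking that the sensitive parts of a message are actually encrypted.

Added example, not code from the deck or from AmberPoint: the first message is
the PaymentInfo sample shown on the slide; the second and third messages and
the set of element names that policy requires to be encrypted are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

XENC = "http://www.w3.org/2001/04/xmlenc#"
VALID_TYPES = {XENC + "Element", XENC + "Content"}   # the two W3C-defined Type values

SLIDE_MESSAGE = """<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>"""

# Constructed: the card element was never replaced by EncryptedData.
LEAKY_MESSAGE = """<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard><Number>4111111111111111</Number></CreditCard>
</PaymentInfo>"""

# Constructed: EncryptedData is present but carries no ciphertext.
EMPTY_MESSAGE = """<PaymentInfo xmlns='http://example.org/paymentv2'>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData><CipherValue></CipherValue></CipherData>
  </EncryptedData>
</PaymentInfo>"""

# Assumed policy: these element names must never appear in the clear.
SENSITIVE = {"CreditCard", "Number", "Account"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rpartition("}")[2]


def check_encryption(xml_text: str, sensitive=SENSITIVE) -> Dict[str, object]:
    """Walk the message; count EncryptedData blocks and report policy
    violations (sensitive elements in plaintext, malformed encryption)."""
    root = ET.fromstring(xml_text)
    encrypted = 0
    violations: List[str] = []
    for el in root.iter():
        if el.tag == "{%s}EncryptedData" % XENC:
            encrypted += 1
            if el.get("Type") not in VALID_TYPES:
                violations.append("EncryptedData with unexpected Type %r" % el.get("Type"))
            value = el.find("{%s}CipherData/{%s}CipherValue" % (XENC, XENC))
            if value is None or not (value.text or "").strip():
                violations.append("EncryptedData without CipherValue")
        elif local_name(el.tag) in sensitive:
            violations.append(local_name(el.tag) + " transmitted in the clear")
    return {"encrypted_blocks": encrypted, "violations": violations,
            "compliant": not violations}


if __name__ == "__main__":
    for label, msg in (("slide", SLIDE_MESSAGE), ("leaky", LEAKY_MESSAGE), ("empty", EMPTY_MESSAGE)):
        print(label, check_encryption(msg))
```

The check is deliberately namespace-aware: an element that merely happens to be named EncryptedData in the payment namespace would not count, and the sensitive-name match uses the local name so that a renamed prefix cannot hide a field.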
Client Provisioning
Diagram: the AmberPoint Registry, Policy Manager and Data Collection management services provision policies to the client and collect data from it; the client invokes the service under a service contract.
Reduces costs by eliminating coding.
• Provisions client with service contract requirements
  – Looks up service endpoint and caches it for higher performance
  – Provisions required security policies
• Automatically processes request and response to match policy requirements
  – Insertion of security info, acquiring security tokens, etc.
• Collects client-side service level metrics
  – Provides visibility into “first mile” SLA metrics
  – Local logging of interactions, if requested
Business System Validation
The “Preflight Check” for SOA Systems
Validation checklist (as shown): security policies functioning; WS-I compliant; capacity adequate; unexpected deviation for B2B partner usage.
• Acceptance testing of pending changes to the SOA environment
  – New versions of services
  – Policy changes
  – Bug fixes
  – Infrastructure patches, etc.
• Uses knowledge of dependencies and observed interactions
• Simulates services that can’t be replicated in pre-production environments
  – External services
  – Fee-based services
• Gives Staging and Operations a final check before deploying changes

Q&A
Paul Butterworth
510.663.6300
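A preflight check of the kind the Business System Validation slide describes, as an added example (not code from the deck or from AmberPoint): the checks use the dependency graph that discovery would have gathered, stand a simulator in for an external shipping service that cannot be exercised in staging, and verify that a security policy is bound and that the dependencies have the capacity the change needs. The staging inventory, dependency graph, policy assignments, capacity figures and the simulator are all constructed.

```python
"""A preflight check for a pending change, driven by dependency knowledge.

Added example, not code from the deck or from AmberPoint: the staging
inventory, dependency graph, capacity figures, policy assignments and the
simulator for the external shipping service are constructed.
"""
from typing import Callable, Dict, List, Tuple

# Constructed knowledge of the environment, as discovery and observed
# interactions would have provided it.
DEPENDENCIES: Dict[str, List[str]] = {
    "OrderEntry-v2": ["Credit", "Accounting", "UPSShipping"],
    "Billing-v3": ["Accounting", "TaxService"],
}
STAGING_SERVICES = {"Credit", "Accounting", "OrderEntry-v1"}
POLICIES: Dict[str, set] = {                      # policies bound in staging
    "Credit": {"Security/AuthN", "Logging"},
    "Accounting": {"Security/AuthN", "Security/Encryption"},
    "OrderEntry-v2": {"Security/AuthN"},
    "Billing-v3": set(),
}
CAPACITY_RPS = {"Credit": 500, "Accounting": 300}            # measured in staging
EXPECTED_LOAD_RPS = {"OrderEntry-v2": 200, "Billing-v3": 400}  # assumed 1:1 fan-out

# External / fee-based services cannot be exercised for real in staging, so a
# constructed simulator stands in for them.
SIMULATORS: Dict[str, Callable[[dict], dict]] = {
    "UPSShipping": lambda req: {"tracking": "SIM-" + req.get("order", "?"), "eta_days": 3},
}

Check = Tuple[str, bool, str]   # (check name, passed, detail)


def check_dependencies(candidate: str) -> Check:
    missing = [d for d in DEPENDENCIES.get(candidate, [])
               if d not in STAGING_SERVICES and d not in SIMULATORS]
    return ("dependencies resolvable", not missing,
            "missing: " + ", ".join(missing) if missing else "all present or simulated")


def check_security_policies(candidate: str) -> Check:
    bound = "Security/AuthN" in POLICIES.get(candidate, set())
    return ("security policies functioning", bound,
            "AuthN bound" if bound else "no authentication policy bound")


def check_capacity(candidate: str) -> Check:
    load = EXPECTED_LOAD_RPS.get(candidate, 0)
    short = [d for d in DEPENDENCIES.get(candidate, [])
             if d in CAPACITY_RPS and CAPACITY_RPS[d] < load]
    return ("capacity adequate", not short,
            "undersized: " + ", ".join(short) if short else f"{load} rps fits")


def check_simulated_path(candidate: str) -> Check:
    """Exercise each simulated dependency once so the integration path is validated."""
    for dep in DEPENDENCIES.get(candidate, []):
        if dep in SIMULATORS and not SIMULATORS[dep]({"order": "preflight"}):
            return ("simulated services respond", False, dep + " simulator returned nothing")
    return ("simulated services respond", True, "ok")


def preflight(candidate: str) -> dict:
    checks = [c(candidate) for c in (check_dependencies, check_security_policies,
                                     check_capacity, check_simulated_path)]
    return {"candidate": candidate, "ready": all(ok for _, ok, _ in checks), "checks": checks}


if __name__ == "__main__":
    for name in ("OrderEntry-v2", "Billing-v3"):
        report = preflight(name)
        print(name, "READY" if report["ready"] else "BLOCKED")
        for check, ok, detail in report["checks"]:
            print("  ", "pass" if ok else "FAIL", check, "-", detail)
```

Every check is a pure function of the gathered knowledge, so the same list can be run again after each policy change or patch; a change is blocked when any single check fails, which is the “final check before deploying” the slide asks for.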