Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The most important consideration currently is the existence of the Web Services Interoperability Basic<br />
Profile. This defines a mechanism for interoperability for the core st<strong>and</strong>ards used in Web services<br />
implementations, <strong>and</strong> covers SOAP, WSDL, <strong>and</strong> UDDI as well as some lower-level st<strong>and</strong>ards <strong>and</strong> protocols.<br />
The Basic Profile version 1.0 is not fully compatible with version 1.1 – guidance here is that usage of the<br />
st<strong>and</strong>ard should be at the same level to ensure interoperability.<br />
The Web services security (WS-Security) specification that has been developed <strong>and</strong> ratified by OASIS<br />
provides security for SOAP messages in transit, <strong>and</strong> can be regarded as an extension to SOAP. Originally<br />
developed by IBM, Microsoft, <strong>and</strong> Verisign, where messages need to pass across an untrusted intermediary<br />
structure, st<strong>and</strong>ards such as WS-Security provide a degree of trust, covering authenticity, integrity, <strong>and</strong><br />
confidentiality of messages. Security can be applied at transport level (for example Secure Sockets Layer<br />
(SSL) secures the HTTP layer on which various requests <strong>and</strong> responses are transmitted). However, where<br />
a message is sent via an intermediary, the transport layer no longer has control over the message when it<br />
is at the intermediary, <strong>and</strong> therefore it may also be necessary to implement message-level security – like<br />
keeping a message within a sealed, tamper-evident envelope.<br />
The WS-Security st<strong>and</strong>ard is already reasonably mature – version 1.0 was approved by OASIS in April<br />
2004, <strong>and</strong> version 1.1 was approved in February 2006.<br />
The WS-Security family specifications cover the use of various different tokens, such as Kerberos, X.509,<br />
<strong>and</strong> SAML. An example of a signed security token is an X.509 certificate; this asserts a binding between<br />
the requester’s identity <strong>and</strong> a public key. Security tokens like this can be carried in a message, or expressed<br />
by a reference so that the receiving service can ‘pull’ the claim from the relevant authority. To ensure<br />
interoperability, adapters <strong>and</strong> common algorithms for signatures <strong>and</strong> encryption will need to be agreed<br />
upon.<br />
The WS-Security model is extensible, <strong>and</strong> allows a service to specify the type <strong>and</strong> degree of security<br />
required. The WS-Interoperability Basic Profile includes Security.<br />
Web services gateways, message brokers, <strong>and</strong> ESBs may provide the trust required themselves, <strong>and</strong><br />
services that interrelate only within an ESB may not need to consider security. However, if they are to be<br />
exposed beyond this, then security will be needed.<br />
RUN-TIME OPTIONS FOR SOA<br />
CATALYST<br />
When most people think of SOA they automatically assume that Web services will be the way that services<br />
interact, <strong>and</strong> have concerns about the efficiency of such deployments. However, a SOA can have a number<br />
of deployment alternatives which can help get around some, but not all, of the performance issues.<br />
SUMMARY<br />
There is a trade-off possible between performance <strong>and</strong> long-term agility, <strong>and</strong> this<br />
needs consideration before committing to a course of action.<br />
Network appliance alternatives to traditional server/software implementation can<br />
offer cost/performance benefits.<br />
Run-time deployment of SOA-based applications does not always mean using Web<br />
services.<br />
High-performance SOA need not be an oxymoron, but good underst<strong>and</strong>ing of issues<br />
is needed.<br />
December 2006 Section 1: SOA Deployment 23