Author: Richard Seroter

[Series Links: Part I / Part II / Part III / Part IV]

In the last post we looked at how SOA Software is used to manage and maintain web services. Today, let’s look at how we can configure web service “policies” to do everything from encryption to load balancing.

So far we’ve seen that a give service managed by SOA Software can have a “policy” attached to it. What is a “policy” really? The types of policies we’ll look at here include “management” policies, “SLA” policies, and “access” policies. For a BizTalk developer, think of a management policy as a pipeline. The management policy configuration page looks like this:

You have a series of components to handle the request message, and series of components to handle the response message. Again, very much like a BizTalk pipeline. For the Record component in this template, you can configure it as such:

You can snag either the entire payload, or choose to grab only a specific record(s). Odds are, you’d only have a policy do this much recording of data during a test or debugging scenario. But, it’s quite useful if you’ve got a series of complex components (encryption, etc) and want to print out the result after a particular stage.

The Security policy component is quite powerful. You can perform authentication checks to ensure that the service client is a valid user in a defined identity system. After choosing which identity system the policy should confirm against, you next choose the means of capturing the actual identity. Choices include SAML, x509 certificates, HTTP Basic Auth, and more. From this component you can also apply or verify digital signatures.

If you choose to, you can also apply WS-Encryption and WS-Decryption capabilities. The WS-Encryption lets you choose the way to encrypt, and then WHAT to encrypt. So you could identify 4 nodes in your SOAP payload that contain sensitive data, and ONLY encrypt those fields.

You could also choose to manipulate the message a bit by using the Strip Element component. Let’s say that you’ve already verified a signature, or received credentials in the payload that are now unnecessary. You could strip those out before sending the message on to the next hop. Nice.

For performance reasons, you may also want to use a Caching component. In this case, the Policy will compare the SOAP body/envelope and if it matches an instance in cache, the cached response message is immediately returned.

Other valuable management policy components include:

• Authorization
• Schema Validation
• Dynamic Management (where you can re-route the service to different service locations based on rules)
• Data Transformation
• Compression/Decompression
• Load Balancing

Those were examples of “management” policies in SOA Software. You also have the ability to create additional policy types. One interesting one is the SLA Policy. In this type of policy, you can dictate performance-related metrics that should result in a system level alert. For instance, my policy below says that if SOA Software encounters more than 25 SOAP faults in a 1 day period, raise an alert. And remember, this specific policy can be associated with individual services and operations.

There’s also the concept of Access Policies which can be used to restrict traffic to a given service. If you had an external vendor calling your service, you could create a policy that says that a particular user/company can only execute the service 500 times a day, or, only between the hours of 8am-5pm Monday through Wednesday.

Now you could have the concern that managing these policies, and who is using them, could be a nightmare. What sort of dependency tracking do you get? The answer is, surprisingly strong reference management. In my Policy Overview screen, I can see how many service operations use a given policy.

I can then drill even further, and see each operation using a given policy. That alone is useful, but what if a mass update needed to happen? From this view, I can make bulk changes to each service that uses the policy!

That’s huge. Otherwise, even 50 services could be a challenge to maintain, not to mention 500!

It’s a fairly safe assumption that the “policy” functionality of SOA Software is where you find significant business value. All of these policies are applied, and enforced, without touching your service, or creating code. I suspect that my company will use the security-related components most frequently. The non-security policy components will definitely find a home in various policies, but we’ll see a universal adoption of security components off the bat.

As you’ve seen so far, managing existing services is easy. The only place where a developer needs to be cognizant of the fact that a service is managed is when they CALL that service. The next post is where I bring it all home. Specifically, how can BizTalk Server (or ANY .NET/Java application) make accurate calls to a service managed by SOA Software?

Technorati Tags: BizTalk, SOA

[Series Links: Part I / Part II / Part III / Part IV]

In the previous post, we did a high level look at SOA Software and the core modules of that platform that my company is using. Now, let’s dig a bit deeper in one of the base subsystems, the Management Server.

At its core, the SOA Software Management Server allows you to configure your services by applying appropriate policies. The Management Server also provides the monitoring component, but we’ll discuss that in the “monitoring and alerting” post that will follow this one. Here we’ll focus a bit more on registering and managing services using SOA Software.

To manually register a service, you can start from the SOA Software Service Manager Dashboard. The wizard window asks you for the WSDL of your physical service.

Then you can choose which operations on the service you wish to manage. “Managing” the operation gives you the ability apply policies, record and monitor data, and so forth.

Finally, you choose a default policy to use. This can be changed after the wizard is complete.

Now, SOA Software has the concept of a “virtual service”. These virtual services act as proxies that can be deployed on different machines, and, may be an aggregate of operations from multiple “physical” services. For instance, I may create four different web services that interact with a “vendor” object. Maybe a few operations on two of those services are going to be publicly exposed to outside parties. I can create a single “virtual service” made up of operations from two of those services, and deploy that “virtual service” to a locked down box in the DMZ. The same “physical service” may be part of multiple “virtual services”. Now because you can apply different policies to each operation in a service, it’s conceivable that you attach different policies to the same “physical service” (by virtualizing it) in order to target different audiences. Maybe the “GetVendor()” operation, when used internally, goes through a particular virtual service that only confirms that the user has a valid Active Directory account. However, when “GetVendor()” is exposed publicly, THAT virtual service operation may require a policy that does encryption/decryption AND authentication. Or, you may have a different service level agreement (SLA) for external parties than for those internal users. No problem, just apply different SLA policies to each individual virtual service. When I create a virtual service, I can choose which operations, from which services, to include.

Note that the physical services being aggregated could be on different servers, and even different application server platforms. No reason I can’t have a virtual service that combines related operations from services in IIS 6.0 and Weblogic.

Services may also get “auto discovered” if they are deployed to a box with the SOA Software agent running. Once a service is managed (either through auto-discovery, or manually), you open up a wealth of management options for that particular service. The most eye-catching part is the real-time feed of usage data.

This Flash object updates in real time so that you can see each service call and how long it takes. By mousing over the bars, you can see specific details about the time the operation took to execute. Nice!

You may think that with all these “virtual services” floating around that it could be a challenge to remember what the correlations are between services. Have no fear, the “Service Relationships” widget provides another Flash-based view of the connection between virtual and physical services.

By moving your mouse over the “services” in this window, you can see the details about each service in the relationship tree.

Finally, the Portal provides plenty of ways to see metadata about services and perform maintenance tasks. The “Actions” widget associated with each service exposes various functions.

You can view a copy of the WSDL, virtualize a given service, and much more. One of my favorites is the “Test Service” function. This actually allows you to execute the service itself. My initial thought was that this would be similar to the ASP.NET Web Services testing page that is shown in IIS. That is, if you have simple type parameters (ints, strings, etc), then test away. However, the default ASP.NET Web Services test page doesn’t allow you to test complex type parameters. HOWEVER, the SOA Software web services tester actually parses out the complex type and lets you test those as well!

That’s great stuff. Unexpected, and very useful.

The SOA Software Management Server is a great way to centralize management and ownership of services. The ability to generate proxy services that abstract the underlying services has enormous implications for distributed environments. In the next part of this series, I’ll tackle the Policy Manager subsystem.

Technorati Tags: BizTalk, SOA

[Series Links: Part I / Part II / Part III / Part IV]

Recently, the company I work for purchased a web services management platform solution from SOA Software. This post starts a short series where I will highlight the key features of the platform, and, how to integrate BizTalk with this solution.

SOA Software provides us with that “last mile” web services capability set that should help my organization realize our vision of a truly enterprise SOA. Specifically, SOA Software provides us with four key functions:

• Centralized management, including automatic service discovery
• Fully UDDI 2.0 compliant service registry (UPDATE: UDDI 3.0 compliance as well)
• Application of service “policy” via configuration
• Full-featured monitoring and customized alerting

In this first post, I’ll do a very high level overview of each of those functions.

Centralized management, including automatic service discovery
Each of our web servers will have a SOA Software “discovery” agent installed which detects when new web services are deployed to the box. The supported application servers include Websphere, Weblogic, Tomcat and IIS. So this plays very well in a Microsoft, or non-Microsoft shop. Once a web service has been discovered, it can be centrally managed. “Managing” a service can mean applying security policies, establishing service level agreements, apply access/deny rules, and more.

Fully UDDI 2.0 compliant service registry (UPDATE: UDDI 3.0 compliance as well)
It’s nice that SOA Software provides us a service registry out of the box. No need to purchase and integrate another company’s registry solution. The registry has a fairly rich “search” capability where I can search for service by name, usage, category and more.

What are categories? Once a service is managed, you can group the service using user-defined categories. Much nicer than having a registry that just shows a dump of every service with no way to organize them.

Application of service “policy” via configuration
While you could potentially do without the previous two features (even though it makes life significantly easier), the SOA Software Policy Manager service is where you really get your money’s worth. Without TOUCHING the code or configuration files of a deployed service, you can apply a “policy” to that service. Because each service is hosted on a web server with a SOA Software management agent, all service requests can be intercepted. SOA Software acts as an intermediary between the service client and service provider. A service policy may include:

• message logging
• authentication
• compression/decompression
• encryption/decryption
• validation
• much more …

Those are examples of “management” policies. I’ll also show you “SLA” policies, and more in the later post. Each method of a given service can have a different policy attached. I can’t stress how cool this stuff is. When someone builds a service, they don’t have to do anything special for this service management capability. All of it occurs at the management point, not development point.

Full-featured monitoring and customized alerting
A robust monitoring module is so important if you want to evaluate service usage trends in your organization. I can capture the payload of the SOAP messages coming in and out of the services. This includes the ability to see the services before/after policies have been applied. The view below shows my message after a SAML token has been applied.

I can also see various reports about service response time, usage and more. So far, that is just passive reporting. I have to go query for data to discover a problem. What if I have a SLA set up, and NEED to be very proactive about service interruptions or problems? You can subscribe to alerts already configured, or, create your own. I can build an SLA Policy to ensure that if response time goes above a certain amount, or the number of SOAP faults exceeds an acceptable amount, then send me an email message.

In the next few posts, I’ll show more details about these key subsystems. Finally, I’ll show how BizTalk can call one of these SOA Software-managed services. The service *caller* requires a bit of code (in order to inject the headers necessary to conform to the policies), but SOA Software has made it fairly straightforward.

Technorati Tags: BizTalk, SOA

Lots of stuff today about BizTalk Services, the new offering from Microsoft that exposes an “Internet Service Bus” built upon BizTalk. Good summaries by Mick and Chris. There’s also a very nice article in eWeek
(not the one linked to from the Labs site) entitled Microsoft’s BizTalk Services Simplify SOA that talks about the strategic important of these software services.

While intellectually interesting to me, I’m hard-pressed at the moment to see a use case within my organization itself. Steve Martin of the BizTalk team has a good write up and hits the target audience: We see BizTalk Services as a complement to “traditional” BizTalk Server uses on premise. As you need to coordinate SOA on a broader scale beyond the organization, we see the introduction of hosted services as one way to help support federation of business process, messaging, and identity across boundaries.

Well said.

Technorati Tags: BizTalk