
Identify & Achieve ROI with Your SOA Training
KYLE GABHART

THE WORLD’S LEADING MAGAZINE DEDICATED TO WEB SERVICES TECHNOLOGIES

www.SOA.SYS-CON.com

JANUARY / FEBRUARY 2009 / VOLUME: 9 ISSUE 1

Web Service Contract Design & Versioning for SOA

The Table Stakes for Managing IT Just Went Up
DOUGLAS R. MACKINNON AND WAYNE GREENE

A Multi-Core Optimized Software Appliance
GIRISH JUNEJA

RIA CONFERENCE & EXPO: SEE INSIDE FOR DETAILS


EDITORIAL OFFICES
SYS-CON MEDIA, 577 CHESTNUT RIDGE ROAD, WOODCLIFF LAKE, NJ 07677
TELEPHONE: 201 802-3000 FAX: 201 782-9637

SOA World Magazine Digital Edition (ISSN# 1535-6906) is published monthly (12 times a year) by SYS-CON Publications, Inc. Periodicals postage pending, Woodcliff Lake, NJ 07677 and additional mailing offices.

POSTMASTER: Send address changes to:

SOA World Magazine, SYS-CON Publications, Inc.

577 Chestnut Ridge Road, Woodcliff Lake, NJ 07677

©COPYRIGHT Copyright © 2009 by SYS-CON Publications, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy or any information storage and retrieval system without written permission. For promotional reprints, contact reprint coordinator. SYS-CON Publications, Inc., reserves the right to revise, republish, and authorize its readers to use the articles submitted for publication. All brand and product names used on these pages are trade names, service marks, or trademarks of their respective companies. SYS-CON Publications, Inc., is not affiliated with the companies or products covered in Web Services Journal.

Why the Downturn Is Good for SOA

INDUSTRY COMMENTARY

WRITTEN BY DAVID S. LINTHICUM

Who would have thought that if you spent less money you could actually do more? That seems to be the case with SOA. As budgets contract and SOA teams downsize, you’d think that SOA projects would be all doom and gloom and lacking in productivity. However, the opposite seems to be occurring, at least inside my client base.

The reality is, when SOA projects had huge budgets they spent more money and time chasing SOA “quick fixes.” Now that there’s just not enough dough to do anything silly, those working on Service Oriented Architecture are forced to do... well... architecture. Thus, we’re moving from something that was more about chasing the hype to something that’s more about getting things done in a practical and realistic manner.

Another issue is the focus on job security. These days, when layoffs are more the rule than the exception, SOA teams are more focused on getting results that can be traced to the bottom line. So there’s more “doing” and fewer unproductive activities. Many SOA teams that can’t prove their value are typically the first to go, as management focuses more on keeping the lights on and less on IT improvement. Those that remain are very good at finding the ROI and executing toward it.

What’s core to this is the fact that the SOA strategy presentations and SOA studies have stopped. They weren’t healthy activities anyway, considering that management is looking to find places to cut that won’t cut directly into the operations of the business. The same people who were running PowerPoint presentations are now defining metadata, identifying services, and just doing some of the “real work” that needs to get done when pushing a SOA forward.

At the same time, those who just want to jump on SOA teams to do studies and presentations won’t have too many places to hide, and many are looking for new jobs now. A lot of those folks looked at SOA as something that could be purchased from a technology vendor, perhaps believing more of the SOA hype than the reality: that SOA is something you do, not something you buy. So I don’t get as many questions about which ESB to buy these days, but more about how to get through the architecture and the steps to success.

I suspect that by the end of 2009 we could have many more successful SOA projects than we had in 2008, and while that will leave many in the press and analyst community scratching their heads about the logic there, doing more with less, I’ll understand that a return to basics was a good thing. Moreover, we learn from success as well as failure, and I suspect that many more will understand that a focus on the fundamentals of SOA is worth the time. And it takes less time than you think. If you follow some basic steps, you’ll create the right architecture the first time. Trust me on that one.

The fact of the matter is that SOA had, and in some cases still does have, a lot of unproductive work surrounding it. Removing the resources has the effect of focusing the SOA teams on what’s most important to the task: getting the fundamentals of SOA right the first time, and addressing the needs of the business. While I don’t think that a down economy is good, in some aspects it does drive some good changes.

About the Author

David S. Linthicum is an internationally known thought leader in the EAI, SOA, enterprise architecture, and Web 2.0 spaces. He is a sought-after consultant, speaker, and writer, and formed David S. Linthicum, LLC (www.davidlinthicum.com), a leading consulting organization focusing on enterprise architecture, SOA, and use of the next-generation Web within the enterprise. He keynotes at many leading technology conferences, and has several well-read columns and blogs, as well as a weekly Podcast. Dave has also authored 10 books. You can reach Dave at [email protected].


INSIDE

Why the Downturn Is Good for SOA
DAVID LINTHICUM

A Reference Architecture for Securing Web Services in a Heterogeneous Environment Using WS-Federation
KONDURU SRINIVAS AND GVB SUBRAHMANYAM

Identify & Achieve ROI with Your SOA Training
KYLE GABHART

Web Service Contract Design & Versioning for SOA
BY THOMAS ERL, ANISH KARMARKAR, PRISCILLA WALMSLEY, HUGO HAAS, L. UMIT YALCINALP, KEVIN LIU, DAVID ORCHARD, ANDRE TOST AND JAMES PASLEY

The Table Stakes for Managing IT Just Went Up
DOUGLAS R. MACKINNON AND WAYNE GREENE

A Multi-Core Optimized Software Appliance
GIRISH JUNEJA


WEB SERVICES

A Reference Architecture for Securing Web Services in a Heterogeneous Environment Using WS-Federation

BY KONDURU SRINIVAS AND GVB SUBRAHMANYAM

Web Services have played a key role in integrating heterogeneous applications, particularly across domains. As part of identity management, Security Token Services are used for request and response tokens. However, we need multiple communication channels among Security Token Services when multiple applications in different domains try to reach other Web Services. In this article we propose a Master Security Token Service (MSTS) that can act as a broker for all security authorization without duplicating the effort at every domain.

In a world of heterogeneous systems where each application is leveraging the services of other applications, a service-oriented analysis and design process has become significant. Web Services are sets of services used for integrating business processes and services, and can be accessed over the Internet or executed on a remote system hosting the Web Service requests using standard protocols. WS-Federation offers the opportunity of fulfilling the SSO behavior across domains. Security information can be shared across the domains of applications through federated identity, which concerns identity information across security domains.

Heterogeneous applications will have interactions through either Web Service requests or browser requests. While Web Service requests follow the WS-Security and WS-Trust standards, browser requests depend on how the service messages are secured and encoded in HTTP messages for transport among the resources.

While Web Services use is now predominant in many enterprises across domains using different protocols, the security of the Web Services is debatable. Consequently, federated identity management implementation for the integrated environment of various applications across domains using Web Services has become a hot topic for the reference architectural framework. Federated identity management should do authentication, authorization, auditing, reporting, and upstream and downstream session management. Security Token Service (STS) implements the protocol for message formats and message exchange patterns as defined in the WS-Trust specification, and WS-SecureConversation will allow multiple Security Token Service requests.

The main challenge is how to federate identity and establish connection in domains when multiple applications are in different domains. We can have independent security authentication using separate Security Token Services for each of the applications and each of the services, which involves sets of repeated activities. To minimize the effort of using multiple Security Token Services, we’ve identified and proven the architecture, which will have one Security Token Services Server called a Master Security Token Services Server. This will reduce the replication of management credentials and provide robust security since it’s a centrally monitored server.

Three approaches


Proposed MSTS Framework

Figure 1 shows a reference architecture for managing the security of Web Services in a heterogeneous enterprise environment. It’s common for organizations to have multiple domains and for each domain to have a separate Security Token Service Server. It creates a lot of complexity if these systems have to interact with each other securely. In the context of Service Oriented Architecture, we use WS-Security and WS-Trust specifications to secure these services. These services will also make use of a Security Token Service from each realm/domain. This will also create a lot of complexity since every STS in one realm/domain has to issue tokens to STS in other domains. In the architecture proposed below, MSTS will reduce the complexity by having fewer communication channels.

This architecture recommends creating a Master STS that doesn’t belong to any realm/domain in particular. This central STS has to maintain bindings to the other STS from all the realms/domains. Suppose, for example, that a client from domain 3 wants to call a service from domain 2. It can call the Master STS and get a token to make a call on STS 2. Then the client can call STS 2 and get a token to call the service from domain 2. Only the Master STS has to maintain a trust relationship with all the other realms/domains rather than the individual realms/domains. This way managing the STS will be easy since only the Master STS has to be changed if any realms/domains are added or deleted.

The same architecture can be extended to external realms/domains. You can treat any external realm/domain as another domain.
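The brokered exchange described above, as an added example that is not part of the original article: a client in domain 3 reaches a service in domain 2 through the Master STS, and each party accepts only tokens signed by the one issuer it trusts and addressed to it. Assumptions: HMAC-signed JSON tokens stand in for signed WS-Trust security tokens, the client first obtains a token from its own realm's STS, and every name (`master-sts`, `sts-1` to `sts-3`, `alice`, `orders-service`) is constructed.

```python
import base64, hashlib, hmac, json, secrets, time

MASTER = "master-sts"  # constructed name for the Master STS

class TokenError(Exception):
    """Token is malformed, from an untrusted issuer, misdirected or expired."""

def sign(key, body):
    # Assumption: HMAC-SHA256 stands in for the XML signature on a real token.
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue(issuer, key, subject, audience, ttl=300):
    """Issue a short-lived token naming the one party allowed to accept it."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + sign(key, body)

def validate(token, trusted, audience):
    """Return the claims if the token is from a trusted issuer and meant for us."""
    try:
        body_b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        claims = json.loads(body)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    key = trusted.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise TokenError("issuer not trusted")
    if not hmac.compare_digest(sign(key, body).encode(), sig.encode()):
        raise TokenError("bad signature")
    if claims.get("aud") != audience:
        raise TokenError("token issued for a different audience")
    if claims.get("exp", 0) < time.time():
        raise TokenError("token expired")
    return claims

class MasterSTS:
    """Belongs to no realm; holds the only full set of trust bindings."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.realms = {}  # realm STS name -> key that verifies its tokens

    def bind(self, sts):
        self.realms[sts.name] = sts.key

    def token_for_realm(self, home_token, target):
        claims = validate(home_token, self.realms, audience=MASTER)
        if target not in self.realms:
            raise TokenError("unknown target realm")
        return issue(MASTER, self.key, claims["sub"], audience=target)

class RealmSTS:
    """Per-domain STS whose single external trust binding is the Master STS."""
    def __init__(self, name, master):
        self.name, self.key = name, secrets.token_bytes(32)
        self.trusted = {MASTER: master.key}
        master.bind(self)

    def home_token(self, user):
        # Assumption: the user has already authenticated inside the home realm.
        return issue(self.name, self.key, f"{user}@{self.name}", audience=MASTER)

    def service_token(self, master_token, service):
        claims = validate(master_token, self.trusted, audience=self.name)
        return issue(self.name, self.key, claims["sub"], audience=service)

def service_accepts(token, realm_sts, service):
    """A service trusts only the STS of its own realm."""
    return validate(token, {realm_sts.name: realm_sts.key}, audience=service)

def rejected(check, *args):
    """True when the call is refused with a TokenError."""
    try:
        check(*args)
    except TokenError:
        return True
    return False

def trust_bindings(n):
    """(pairwise STS-to-STS relationships, relationships via a Master STS)."""
    return n * (n - 1) // 2, n

def demo():
    master = MasterSTS()
    sts1, sts2, sts3 = (RealmSTS(f"sts-{i}", master) for i in (1, 2, 3))
    home = sts3.home_token("alice")                     # client in domain 3
    via_master = master.token_for_realm(home, "sts-2")  # token to call STS 2
    svc = sts2.service_token(via_master, "orders-service")
    return master, sts1, sts2, sts3, home, via_master, svc

if __name__ == "__main__":
    master, sts1, sts2, sts3, home, via_master, svc = demo()
    print(service_accepts(svc, sts2, "orders-service"))
    print(rejected(sts1.service_token, via_master, "orders-service"))
```

Adding or removing a realm touches only `MasterSTS.realms` and the new realm's own `trusted` entry, which is the maintenance property the architecture is built around; the Master STS key is correspondingly the one secret whose compromise affects every realm.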

Conclusion and Future Work

Implementing an MSTS will reduce STS complexity and simplify the overall architecture of the enterprise applications. It will help manage STS connections. Going forward, we’re focused on identity management with WS-Federation and SAML 2.0. We’re also planning to work on the persistence of token services.


About the Authors

GVB Subrahmanyam is an Application Developer, Lead, Project Manager, and Development Manager and Delivery Manager in a wide variety of business applications as part of an IT service provider. He has an M.Tech. and a PhD in chemical technology from IIT Kharagpur, India, and an MS in software systems from BITS Pilani. He is also a PMI certified PMP.

Srinivas Konduru has about 10 years of experience in developing, designing and architecting J2EE, SOA-based solutions.

Figure 1 Master security token service architecture


TRAINING

Identify & Achieve ROI with Your SOA Training

Why you need a comprehensive and well-reasoned education strategy

BY KYLE GABHART

An ancient Chinese proverb says, “Tell me and I forget. Show me and I remember. Involve me and I understand.” For many people, even entire organizations, the approach to education seems to be along the lines of learning facts, figures, details, tools and standards. This results in a shallow understanding of both the business problem and the new Service Oriented Architecture (SOA) strategies available for addressing the business’s needs. The next step is either to scrap the initiative or pour more time and money into patching the solution to bridge the chasm that could have been avoided with a more complete understanding of the domain and the implications and strategies surrounding service orientation.

In this article, we’ll unpack the challenges facing organizations that adopt a service-oriented enterprise strategy with a special emphasis on the importance of training. We’ll then examine best practices regarding SOA education. Finally we’ll crystallize the return on investment (ROI) delivered by prioritizing SOA education.

SOA Skills Shortage

Multiple experts have recognized the tremendous shortage of SOA skills: “There is a looming enterprise architect ‘drought’ and a significant demand in the marketplace for experienced SOA talent,” said ZapThink principal Ron Schmelzer a few years ago. “Both SOA and Web Services application development pose unique challenges to the skills of the department,” the Aberdeen Group said. “There is a shortage of SOA skills in a typical company and demand for SOA skills far outstrips the supply,” according to AMR Research director Ian Finley a year ago. Then an IBM survey that queried Fortune 1000 CEOs in 2008 found that 56% said a shortage of SOA skills is the number one obstacle to “launching and delivering SOA projects with strong business impact.”

How is it that such a significant gap in skills has existed for so long? First, many people assume that SOA can be learned from books. Second, there’s a lack of awareness regarding the significant value-add that genuine education provides.

Learning SOA

When “learning SOA” the de facto approach tends to be a combination of self-study, sending a couple people to a conference, and taking one or two technical classes from a major platform vendor. Unfortunately, this results in ill-informed SOA adoption plans, vendor-driven architectural designs, and ultimately solutions that don’t meet business needs.

To salvage the project, organizations typically pour in additional resources to try to patch and augment the project, moving closer to a successful state. This sort of post-design patchwork rarely produces a solution that completely addresses enterprise needs. Moreover, these solutions tend to be less resilient to change, resulting in an inability to adapt alongside the changing organization.

Adopting SOA and a service-oriented approach to business is a non-trivial task. Significant changes must be made in the business analysis discipline, solution design and architecture, as well as development, testing, and effective project management. Acquiring a solid grasp of methodology as well as developing new skill sets is crucial for the successful adoption of SOA. The fact is that few organizations invest in preparing for the shift that is required in terms of mindset as well as knowledge and skills.

The Value of Education

The Aberdeen Group released a report in 2007, “SOA Middleware Takes the Lead: Picking up Where Web Services Leaves Off,” that included its findings in a survey of 400 organizations that had adopted SOA over a period of 18 months. It identified key best practices for adopting SOA, standard practices performed by “best-in-class” organizations.

According to Aberdeen, best-in-class organizations (the top 20% of aggregate performance scorers) prioritize investments in education/training, architecture, SOA middleware and infrastructure, and processes aimed at measuring and tweaking performance. Correspondingly, average organizations (the middle 50% of aggregate performance scorers) tend to make minor investments in SOA middleware and infrastructure, very little in education/training, and have virtually ignored organizational performance measurement metrics for refining the enterprise.

The Aberdeen report advises organizations to retrain their development teams. “Don’t expect IT to just ‘get it’ when it comes to SOA,” it says. Furthermore, it also says, “Don’t skimp on training. Even though SOA applications are similar to earlier distributed architectures that you may have experience with, the differences are significant and require new approaches to design and develop.”

Identifying and Achieving a Return on Training Investments

Calculating a specific ROI for education is a tricky proposition. According to research conducted by UK-based e-Skills and reported in its Q4 2005 ICT inquiry report, only 11% of businesses quantitatively measure ROI for IT spending. Those that do are predominately medium-sized and larger organizations in the technology industry. The vast majority (89%) rely on “informed guesswork” or “personal intuition” rather than any sort of defined process for measuring the productivity returns for technology investments.

The lack of historical metrics and ROI tracking for technology initiatives makes crafting a reliable value proposition challenging. If you happen to be one of the minority of companies that have this data, then you can use that as your baseline for gauging the improvement offered by education. Otherwise, you may need to get creative with how you can articulate the pre-training cost of doing business and then compare that against a post-training cost of doing business.

Step 1 – Focus your education initiative

Regardless of whether you have good historical data to go on or simply have to use more recent data combined with some educated extrapolations, you’ll need to identify specific metrics that you intend to improve through education. This will provide two key benefits: 1) You’ll have objective targets to hit, providing you with a means of measuring education success and 2) The education program can be focused to target improvement in the specific areas that are relevant to your business. Two common focal points include project execution (i.e., ability to deliver on time and on budget) and solution quality (i.e., providing products and/or services with a minimal number of defects).


Step 2 – Select a measurable metric

One approach would be to calculate project overruns due to poor analysis and design (a key target of SOA education). Another approach would be to calculate the cost of service defects and/or service refactoring with an eye toward improving the quality of services and processes post training (cutting these costs by 20%-40% is a reasonable target objective).

Many of our clients find that one effective and reliable approach is to aim for a measurable improvement in knowledge and practical skill sets. This sort of analysis can be achieved through administering pre-training tests, post-training tests, and then a third evaluation six weeks later to gauge the applicability of the education from a practical implementation perspective.

Step 3 – Have test pilots take the lead

Prior to a major education rollout, it’s important to have a select group of personnel serve as test pilots for the training. Ideally, this group should be senior-level, very involved in the adoption of SOA and perhaps even participants within the organization’s SOA Center of Excellence (CoE). While taking the training, this group can look for opportunities to tweak terminology, refine examples to be more relevant to the organization, and otherwise tailor the course content to more accurately reflect the motivations for adopting SOA and ensure that the ROI metrics (identified earlier) are achieved.

Step 4 – Put governance gates in place

Identifying your ROI objectives is only half the battle. You also need to establish checkpoints along the way to evaluate the progress and ensure that you are on target. Recommended governance gates include a preliminary check prior to the first course delivery, another check after the first course, and then periodic checks every three to six weeks. Finally, there should be some major milestone (the third or fourth month is generally good) during which a more comprehensive analysis and adjustment is performed.

At each of these steps, the education program should be evaluated and tuned to ensure that it is targeting the right content at the appropriate degree of depth. Additionally, information from the field should be folded back into the education program to ensure that the training program is timely and relevant.

Summary

Business-driven, results-oriented SOA training can mean the difference between a SOA adoption initiative that meets leadership expectations and one that does not. Too often, SOA training focuses on teaching vendor tools or simply providing academic facts and details regarding SOA and related technology standards. If you truly want to change your enterprise for the better through service orientation, you need a comprehensive and well-reasoned education strategy. That strategy should be business-driven and include objective, quantifiable metrics. Make 2009 your year to achieve ROI from your SOA education program.

About the Author

Kyle Gabhart is a subject matter expert specializing in service-oriented technologies and currently serves as the SOA Solutions Director for Web Age Solutions, a premier provider of technology education and mentoring. Since 2001 he has contributed extensively to the SOA community as an author, speaker, consultant, and open source contributor.


Despite the prevalence of content management technology, managing unstructured digital information—information not in databases—remains a tremendous challenge for most enterprises. Industry research estimates that as much as 90 percent of unstructured information goes unmanaged.

Moreover, the volume of information that needs to be managed continues to grow at an alarming rate. In 2006, the world created, captured, and replicated more than 150 exabytes of digital information. Projections indicate that by 2011 we’ll be creating 1,800 exabytes annually. Bret Swanson, senior fellow at the Discovery Institute, calls this trend, “the exaflood.”

So, on the one hand, we have a huge volume of unmanaged, unstructured information. On the other, we have perhaps 10 percent of unstructured information in enterprise content management (ECM) systems. Unfortunately, that 10 percent is not likely to be in the same ECM repository.

For a variety of legitimate reasons, businesses often deploy different ECM systems. But, whatever the reason, the outcome is the same. Essential business content ends up locked in separate, application-specific repositories that make information sharing difficult. Moreover, application developers invariably build separate ecosystems around each repository. Thus an organization ends up with multiple investments in discrete environments, greater maintenance costs and management overhead, and a loss of business flexibility. Or as one Gartner analyst described it, “a mess.”

To deal with this “mess”—the IT burden of multi-vendor, multi-repository environments—EMC, IBM, and Microsoft joined forces in developing a specification that uses web services to share information among different content repositories. Other leading ECM providers including Alfresco Software, Open Text, Oracle, and SAP also contributed to this effort. The result is Content Management Interoperability Services (CMIS), a draft specification that has been submitted to OASIS (Organization for the Advancement of Structured Information Standards) and subjected to its rigorous standards vetting process.

CMIS will augment existing ECM systems and their application interfaces. The specification focuses on basic content management capabilities—create, read, write, delete, and query. Content Management Interoperability Services defines these capabilities as simple, generic functions for managing content regardless of the underlying platform or storage mechanism. It connects repositories through a service-oriented interface, as shown in the following illustration.

The specification currently provides for two protocol bindings, one based on Simple Object Access Protocol and the other on Representational State Transfer and Atom Publishing Protocol. They provide a lightweight, loosely coupled repository interface, independent of the underlying platform, programming language, or transport protocol.

CMIS is an elegant, simple approach to content interoperability. Once the standard is approved, existing repositories can be made CMIS compliant with a simple, vendor supplied software download. For the enterprise with multiple content management systems, this means all its repositories become accessible and interoperable without expensive custom integration. For developers and independent software vendors, new applications that are coded to the standard will enjoy a substantially broader market. The CMIS standard will:

• Improve user access to content from any application
• Enable one application to access multiple CMIS-compliant repositories
• Support workflows and business processes that span different ECM systems
• Reduce application development costs
• Expand the market for content-enabled applications
• Protect future investments in applications and repositories
• Define a technology independent standard

EMC, IBM, and Microsoft recognize that the Internet and the Web now provide mainstream technology for information delivery. CMIS is a first step in guiding the ECM industry toward the creation of a flexible application development paradigm that can leverage this technology.

Content Management Interoperability Services—Driving the Evolution of ECM

Advertorial

www.EMC.com

By Razmik Abnous

Coping with the information exaflood

The challenge of disparate content repositories

When the going gets tough, the tough propose a standard

CMIS: setting the stage for next-generation ECM

Multiple content repositories are accessible from the same application via CMIS


BOOK EXCERPT

It’s always good to get an idea of the big picture before diving into the details of any technology-centric topic. For this reason, we’ll take the time to briefly mention the overarching goals and benefits associated with service-oriented computing as they relate to Web Service contract design.

Because these goals are strategic in nature, they are focused on long-term benefit — a consideration that ties into both the design and governance of services and their contracts. An understanding of these long-term benefits helps provide a strategic context for many of the suggested techniques and practices in this guide.

Here’s the basic list of the goals and benefits of service-oriented computing:

• Increased Intrinsic Interoperability
• Increased Federation
• Increased Vendor Diversification Options
• Increased Business and Technology Domain Alignment
• Increased ROI
• Increased Organizational Agility
• Reduced IT Burden

Although it might not be evident, service contract design touches each of these goals to some extent. Let’s explore how.

Increased Intrinsic Interoperability

For services to attain a meaningful level of intrinsic interoperability, their technical contracts must be highly standardized and designed consistently to share common expressions and data models. This fundamental requirement is why project teams often must take control of their Web Service contracts instead of allowing them to be auto-generated and derived from different sources.

Increased Federation

Service-oriented computing aims to achieve a federated service endpoint layer. It is the service contracts that are the endpoints in this layer, and it is only through their consistent and standardized design that federation can be achieved. This, again, is a goal that is supported by the ability of a project team to customize and refine Web Service contracts so that they establish consistent endpoints within a given service inventory boundary.

Increased Vendor Diversification Options

For a service-oriented architecture to allow on-going vendor diversification, individual services must effectively abstract proprietary characteristics of their underlying vendor technology. The contract remains the only part of a service that is published and available to consumers. It must therefore be deliberately designed to express service capabilities without any vendor-specific details. This extent of abstraction allows service owners to extend or replace vendor technology. Vendor diversification is especially attainable through the use of Web Services, due to the fact that they are supported by all primary vendors while providing a non-proprietary communications framework.

Increased Business and Technology Domain Alignment

The service layers that tend to yield the greatest gains for service-oriented environments are those comprised of business-centric services (such as task and entity services). These types of services introduce an opportunity to effectively express various forms of business logic in close alignment with how this logic is modeled and maintained by business analysts. This expression is accomplished through service contracts and it is considered so important that entire modeling processes and approaches exist to first produce a conceptual version of the service contract prior to its physical design.

Strategic Benefits

The latter three goals listed in the previous bullet list represent strategic benefits that are achieved when attaining the first four goals. We therefore don’t need to map the relevance of service contracts to each of them individually.

If we take the time to understand how central service contract design is to the ultimate target state we hope to achieve with service-oriented computing in general, it’s clear to see why this book was written.

Web Service Contract Design & Versioning for SOA

BY THOMAS ERL, ANISH KARMARKAR, PRISCILLA WALMSLEY, HUGO HAAS, L. UMIT YALCINALP, KEVIN LIU, DAVID ORCHARD, ANDRE TOST AND JAMES PASLEY

Service-Orientation and Web Service Contracts

To understand SOA is to understand service-orientation, the design paradigm that establishes what is required to create software programs that are truly service-oriented. Service-orientation represents a design approach comprised of eight specific design principles. Service contracts tie into most but not all of these principles. Let’s first introduce their official definitions:

Standardized Service Contract – “Services within the same service inventory are in compliance with the same contract design standards.”

Service Loose Coupling – “Service contracts impose low consumer coupling requirements and are themselves decoupled from their surrounding environment.”

Service Abstraction – “Service contracts only contain essential information and information about services is limited to what is published in service contracts.”

Service Reusability – “Services contain and express agnostic logic and can be positioned as reusable enterprise resources.”

Service Autonomy – “Services exercise a high level of control over their underlying runtime execution environment.”

Service Statelessness – “Services minimize resource consumption by deferring the management of state information when necessary.”

Service Discoverability – “Services are supplemented with communicative meta data by which they can be effectively discovered and interpreted.”

Service Composability – “Services are effective composition participants, regardless of the size and complexity of the composition.”

Each of these design principles can, to some extent, influence how we decide to build a Web Service contract. With regards to the topics covered in this book, the following principles have a direct impact.

Standardized Service Contract

Given its name, it’s quite evident that this design principle is only about service contracts and the requirement for them to be consistently standardized within the boundary of a service inventory. This design principle essentially advocates “contract first” design for services.

Service Loose Coupling

This principle also relates to the service contract. Its design and how it is architecturally positioned within the service architecture are regulated with a strong emphasis on ensuring that only the right type of content makes its way into the contract in order to avoid the negative coupling types.

The following sections briefly describe common types of coupling. All are considered negative coupling types, except for the last.

Contract-to-Functional Coupling

Service contracts can become dependent on outside business processes, especially when they are coupled to logic that was designed directly in support of these processes. This can result in contract-to-functional coupling whereby the contract expresses characteristics that are specifically related to the parent process logic.

Contract-to-Implementation Coupling

When details about a service’s underlying implementation are embedded within a service contract, an extent of contract-to-implementation coupling is formed. This negative coupling type commonly results when service contracts are a native part of the service implementation (as with component APIs) or when they are auto-generated and derived from implementation resources, such as legacy APIs, components, and databases.

Contract-to-Logic Coupling

The extent to which a service contract is bound to the underlying service programming logic is referred to as contract-to-logic coupling. This is considered a negative type of service coupling because service consumer programs that bind to the service contract end up also inadvertently forming dependencies on the underlying service logic. A Web Service contract can be negatively coupled to various parts of the underlying service implementation.

Contract-to-Technology Coupling

When the contract exposed by a service is bound to non-industry-standard communications technology, it forms an extent of contract-to-technology coupling. Although this coupling type could be applied to the dependencies associated with any proprietary technology, it is used exclusively for communications technology because that is what service contracts are generally concerned with. An example of contract-to-technology coupling is when the service exists as a distributed component that requires the use of a proprietary RPC technology. Because this book is focused solely on Web service contract technology, this coupling type does not pose a design concern.

Contracts must adhere to design principles

Logic-to-Contract Coupling

Each of the previously described forms of coupling is considered negative because it can shorten the lifespan of a Web service contract, thereby leading to increased governance burden as a result of having to manage service contract versions.

This book is focused on providing the skills necessary to achieve high levels of logic-to-contract coupling by ensuring that the Web service contract can be designed with complete independence from the underlying Web service implementation. The most desirable design is for the Web Service contract to remain an independent and fully decoupled part of the service architecture, thereby requiring the underlying logic to be coupled to it.

Service Abstraction

By turning services into black boxes, the contracts are all that is officially made available to consumer designers who want to use the services. While much of this principle is about the controlled hiding of information by service owners, it also advocates the streamlining of contract content to ensure that only essential content is made available. The related use of the validation abstraction pattern can further affect aspects of contract design, especially related to the constraint granularity of service capabilities.

Service Reusability

While this design principle is certainly focused on ensuring that service logic is designed to be robust and generic and much like a commercial product, these qualities also carry over into contract design. When viewing the service as a product and its contract as a generic API to which potentially many consumer programs will need to interface, the requirement emerges to ensure that the service’s functional context, the definition of its capabilities, and the level at which each of its design granularities are set are appropriate for it to be positioned as a reusable enterprise resource.

Service Discoverability

Because the service contracts usually represent all that is made available about a service, they are what this principle is primarily focused on when attempting to make each service as discoverable and interpretable as possible by a range of project team members. Note that although Web Service contracts need to be designed to be discoverable, we do not discuss discovery processes or registry-based architectures.

Service Composability

This regulatory design principle is very concerned with ensuring that service contracts are designed to represent and enable services to be effective composition participants. The contracts must therefore adhere to the requirements of the design principles and also take multiple and complex service composition requirements into account.

About the Authors

To learn more about this book and the authors, visit www.soabooks.com/wsc/


AUTOMATION

The Table Stakes for Managing IT Just Went Up

BY DOUGLAS R. MACKINNON AND WAYNE GREENE

Changing the approach to system operations

CIOs see operational excellence as the “table stakes” in the high-roller game of IT. Often thought of as the starting point to creating value for the business in this game, businesses use IT for competitive advantage, and the business that is most successful wins. However, operational excellence has always been a moving target – more of a journey than a destination because it’s seldom attained, and then not for very long. What was good enough yesterday no longer meets today’s needs and surely won’t meet tomorrow’s.

Today’s financial climate adds massive complications to this journey and totally changes the stakes for CIOs and the IT organizations they run. To succeed in competitive markets, operational excellence needs to constantly improve over the next several years. Attaining operational excellence will require IT to change how it approaches system operations. The stakes for managing IT just went up.

The current business environment presents more challenges than any in years. As its business partners grapple with white-knuckle ups and downs in the marketplace, IT must find ways to deliver efficiency and improved service without being any less nimble or responsive. Innovation can’t take a backseat to reducing costs, absorbing change, or continuous improvement. The business side needs every competitive advantage it can get, and IT needs to be part of the solution, or it risks being seen as part of the problem. If you’re in IT, it’s plain to see that both alignment with and adding value to the business have taken on new urgency.

From a business perspective, IT only adds value when it builds and deploys new services and applications that the business uses. Anything else is simply housekeeping that maintains existing systems and services. Yet today, most IT organizations only expend 10% to 20% of their resources building and deploying these new services and applications. That’s because 80% to 90% of IT’s resources are focused on maintaining existing systems. IT professionals spend most of the day fixing problems that prevent them from applying time and resources to activities that could truly drive business innovation. In fact, IT managers may find themselves mired down in operations and spending too little time helping the business grow.

Systems management for existing systems such as providing performance management, backup and recovery, systems maintenance, etc. are all necessary tasks, but not ones the business sees as adding greater value. The key to adding greater value is to increase management focus and the level of resources dedicated to building and deploying new services and applications that support business initiatives.

Fundamentally IT needs to reset its economics and dramatically improve its operational efficiency. There are three ways to reset economics: simplify its infrastructure; reduce waste and error; and increase automation.

Efforts to simplify infrastructure are already underway in many IT organizations partly initiated with efforts to “go green.” These organizations are reducing costs by taking advantage of larger servers and virtualization to support server consolidation. This reduces both facilities costs and the energy footprint. In addition, second passes at consolidation can lead to greater efficiencies created by datacenter consolidation as well as standardizing tools and processes.

A variety of approaches can be used to reduce waste and error:
• Identify expenditures that are no longer justified such as support for legacy applications and hardware that have been retired.
• Evaluate tasks and processes that are not strategic to supporting the business and consider no longer doing them or outsourcing them where it is cost justified.
• Ensure operational best practices are identified, kept up-to-date and consistently followed to minimize operational issues. If the appropriate process and policy is not consistently followed, errors occur that negatively impact service. In addition, additional resources are wasted backing out these errors and redoing the task correctly to restore service.
• Stop wasting your most expensive staff by consuming their time performing routine and repetitive tasks. Wherever possible move these tasks to less expensive resources and refocus expensive high-performing staff members on identifying and managing best practices as well as delivering new services and applications.

Increasing IT automation is a particularly enticing area to consider. IT has been automating business processes, so it knows how to automate and knows the value automation can deliver: lower costs, higher quality, and greater responsiveness. Like the cobbler’s children who have no shoes, too often IT is so busy serving the automation needs of the business that it gives insufficient service to its own needs.

But where can IT get the greatest return from automating its processes? For those familiar with ITIL processes, the place to start is with incident management within service operations. The purpose of incident management is to return IT service to customers as quickly as possible once an incident occurs. Incidents don’t have to actually create a service issue. They also include situations where an incident is imminent such as detecting that an out-of-space situation will occur in an Exchange Server data store during the next few days unless action is taken or in a Web application where resource pools are nearly consumed indicating a strong chance for impending end-user performance impact. This is also an incident and should be dealt with proactively. Incident management is the service operation discipline that if the business could see into IT, it would understand how it directly touches the business and understand its added value.

Incident management has three components where automation can significantly assist in reducing costs: incident avoidance; incident detection; and incident resolution.

Automated incident avoidance provides very high value by automating the daily, weekly, and monthly checklists that exist as best practices for managing infrastructure and applications. Many suppliers of servers, operating systems, and applications provide recommended checklists that should be run regularly to uncover incidents. In ITIL’s problem management, when resolution to a problem is determined, it too can become part of the ongoing automated preventive maintenance. Unfortunately, preventive maintenance is often neglected. Ironically, it’s often deferred to resolve incidents that would have been detected in advance if preventive maintenance had been done in the first instance! Automating daily maintenance such as checklists can significantly reduce incidents from occurring in the first place and avoid wasting resources on incidents and problems that were avoidable.

Incident detection involves manually sifting through calls and e-mails to the service desk as well as processing operational alerts. ITIL places the service desk at the heart of incident management because for many IT organizations a customer complaint is generally the first indication there is an incident that threatens service. IT needs to be more proactive with managing incidents and should have a goal to detect most incidents without requiring a customer to call. Complex event processing can be an effective tool to automatically determine when patterns of alerts, events, and other data indicate that an incident has just occurred. By automating incident detection, IT can improve service by more quickly identifying when an incident has occurred and begin resolving the incident. IT can also improve its internal reputation by avoiding the awkward situation of having to have your customers tell you that incidents are occurring.

Incident resolution is the process of doing those tasks necessary to close an incident and return processing to its normal state. Today this is a time-consuming manual process and there is always the issue of ensuring that the analyst assigned the incident actually follows best practices and adheres to company policy. Automation of incident resolution provides several benefits in closing incidents. First, it can ensure that there is little delay between identifying an incident and beginning to resolve it. Second, it can ensure that best practices and company policies are consistently followed. Third, it creates an audit trail to track and enhance processes.
And finally, it can significantly reduce the mean time to repair and the resources required to resolve an incident.

The class of technical solutions that can assist in automating IT processes and procedures including incident management will be classified under a new class of tools called IT process automation or IT process management. These are tools that allow the automation of processes and policies without requiring scripting, although existing scripts can be reused if so desired. They are graphically oriented and allow you to use a visual editor to create these processes and policies using a familiar drag-and-drop paradigm. These tools make it significantly easier to create, document, automate, and audit process and policy. And they can simultaneously reduce the resources required to support IT and increase levels of service to the business. Some of the capabilities you should look for when considering these tools are:

• Drag-and-drop visual process editor – makes it easy to design and build processes, and makes it easy for others to evaluate and support
• Automatic process wiring – makes it easy to link the steps together
• Full-function workflow engine – ensures that you can handle iterative steps, case logic, and other complexities in processes
• The ability to manage processes separately from policy – since policy and who implements it will change more often than the process itself, you want to be able to isolate policy from the process
• Embedded administrator expertise – having domain knowledge built-in makes the technology easier to implement in that domain
• The ability to initiate processes ad hoc or automatically, based on sophisticated calendars or events – ensure that the processes can be initiated how and when you want them to.
• Automation of routine daily, weekly, and monthly best practices – support for incident avoidance and preventive maintenance
• Support for client self-service – allows expensive IT human resources to offload tasks to more cost-effective persons
• Full-function security model – ensure that you can control who has access to the automated processes, who can edit them etc. to ensure system integrity.
• Auditing and logging of all active processes – required for system auditing and to support identifying areas for enhancement
• Support for the platforms and applications important to your business – IT process automation will be most effective if you select a specific domain to start in rather than approaching the problem broadly
• Complex event processing – provides the ability to handle complex decision-making based on prior events and the current status of your systems

By increasing automation for managing IT itself, the industry has significant opportunities to change the economics of providing IT to the business.

Operational excellence has been and will continue to be a moving target. While the economic climate is challenging, the good news is that there are opportunities to reset the economics of IT and dramatically improve its operational efficiency. There are areas where we can reduce our operational costs. If the industry focuses on what delivers increased value to the business – building and deploying new services and applications the business uses – it can weather the current financial difficulties and emerge with its reputation enhanced.

About the Authors

Douglas R. MacKinnon, Ph.D., is Director of Product Strategy at Tidal Software.

Wayne Greene is vice president of product management at Tidal Software. He also manages the Tidal Enterprise Scheduler product line and drives the product strategy across the company. Prior to Tidal, he was director of competitive and market intelligence at the Wily Technology Division of Computer Associates. Prior to CA, he was at Hewlett Packard for 18 years in a variety of different roles, spending the last 6 years at HP in the Corporate IT and Outsourcing Services division where he was responsible for the enterprise management toolset. Wayne has a PhD from University of California at Berkeley, and a Bachelor of Science from M.I.T.


scenarios some of the ugly underbelly of a services architecture gets addressed. The service consumers may be interested in asynchronous communication with a service designed for a request/response message model, the service consumer may have a different transport support requirement than that supported by the consumer, and worse still, either the producer or consumer may not be a service at all, but rather a legacy application that must be bridged due to business requirements. Service mediation scenarios can be addressed by ESBs, however, SOA appliances claim to offer easier options in terms of time and resource requirements to get the job done.

Limitations of Hardware XML & Security Gateway Appliances

Since the first XML and security gateway appliances were released by early start-ups such as Sarvega and Datapower (later acquired by Intel and IBM, respectively), the IT landscape has shifted markedly. For one, the hardware architecture has evolved rapidly. General-purpose computing is moving aggressively towards a multi-core environment. We are looking at 16- or even 32-core processors soon. On the other hand, most SOA middleware technologies still aren’t ready to fully utilize multi-core and the underlying virtual machines require a significant rewrite that’s a few years away. For most business computing using SOA, the challenge in multi-core environments is figuring out which components of the processing can be parallelized and how to avoid race conditions.

On the other hand, in this economic environment, the strong get stronger and weak companies go out of business. Data centers continue to consolidate and get bigger, with increased focus on green IT that requires less cooling and space. Virtualization as a core data center trend is growing larger – with the addition of cores the ability to host multiple application servers on single-server hardware allows for more efficient data center usage.

In such a changing environment, slow-to-evolve and non-extensible point appliances for service governance, integration, and security with specialized XML hardware are unlikely to be the best route for enterprise SOA. The financial constraints on IT are likely to become even more severe, resulting in a search for options that deliver performance and functionality. These options must avoid the upfront expense of customized hardware appliances, with their expensive data center footprint, specialized server node overhead, and high upgrade costs.

Soft Appliance – The Next Generation of Service Mediation Infrastructure

In this changing environment, a multi-core optimized software infrastructure with a common service runtime proves advantageous. This form factor offers governance, integration, mediation, and "headless" manageability, delivering dramatic efficiencies from an operations standpoint. The soft appliance should be deployable alongside service containers in the same native or virtual machine, or in a virtual container by itself, or on a standalone server node. In all cases the soft appliance should deliver the same performance as a specialized hardware appliance at a lower price point.

Intel's Software and Services Group has released such a tool in SOA Expressway (http://www.intel.com/software/soae) that is highly tuned for the multi-core architecture and provides the full service governance, integration and mediation functionality with an Eclipse-based design-time environment. It makes a services architecture deployment in a multi-core environment significantly scalable and manageable.

Just like hardware appliances, it's deployable on general-purpose servers in minutes rather than days. For common service intermediary patterns, it requires no coding. The software appliance offers a "service router"-style architecture, delivering mediation capabilities that can deal with heterogeneous service and legacy environments, as well as different messaging patterns supported in service interactions. The product offers common shared security enforcement for XML threat protection, identity verification, authorization, access control, and auditing. It can be deployed to use its Eclipse-based governance infrastructure or can be used in conjunction with other design-time SOA governance solutions from major software providers. The

SOFTWARE

A Multi-Core Optimized Software Appliance

BY GIRISH JUNEJA

A New Breed of Service Intermediary

In the enterprise IT environment today, modern middleware technologies make it easier to expose existing or new business applications as sets of services. However, with the mashup of cloud-based services and enterprise data center services, the visibility of how a service created today will be used in the future gets murkier. This is because it's difficult to predict how a service will be consumed over long periods of time and by which consumers, and further how the service may be integrated with other services or legacy applications to create new composite services. It also remains a challenge to architect services in such a way that service upgrades don't affect consumers unpredictably. The hype of "just create services with an Enterprise Service Bus (ESB) and you'll have the benefits of a service architecture such as lower costs and software reuse" typically leads to services proliferation and little reuse.

Does this sound familiar? How many architects try to solve this problem simply with hardware-based XML and security gateway appliances as a point of control? The prevailing theory is that any change in consumer behavior or the service itself can be easily mediated at such a device since it requires no coding. "Most" changes can be made through XML-based policy changes. Hardware appliances, however, are inflexible, expensive, and miss the mark against widespread data center trends such as virtualization and cost reduction through capital (server) reuse.

Usage Models for Service Intermediaries

Service reuse is a tough nut to crack because it requires addressing the service architecture at the infrastructure level. But is a hardware appliance the right choice? Initially designed to address problems around XML processing, hardware XML and security gateway appliances have morphed their offerings often enough that they've become the middleware "gold dust" that makes life easier for the rest of the IT environment. Deploying these hardware appliances in data centers was an unfortunate reality of moving to a services architecture due to security, performance, and governance concerns. While the data centers have moved towards consolidation to reduce power, heat, and maintenance costs through application virtualization and even network virtualization, the apparent need for hardware appliances sticks out like a sore thumb.

So let's clear the cobwebs. What need are we trying to address with hardware appliances? Well, for starters, in a service-based environment, we may need to know the answers to several operational questions, like who is using the service and which version are they using? Are the consumers authorized to use this service? Is the service provisioned to handle the load coming from this new consumer? Can service interactions be assured of conforming to business application usage policy? Can the operators see the consolidated exceptions to the policy compliance? Can the XML data transformations required in the service interaction be accelerated for better scalability? Is the proper level of security being enforced in these service interactions? Can all of this be done outside of the service container environment so the necessary level of decoupling between services and their usage criteria is maintained to ensure maximum reuse? These questions can all be categorized as service governance-related requirements.

The next level of usage of XML and security gateway appliances is best described as a service mediation usage model. In these


service router is unique in its ability to take highly normalized and unstructured information and bind that information to new abstract schemas that better match the business systems that use them, such as a single representation of customer data, order information, or a product.

While leveraging traditional runtime and design-time SOA governance technology works fine for smaller domains, enterprise-wide service governance must manage both policies and services at high transaction volumes without becoming the bottleneck. Here again Intel's SOA Expressway makes it possible without resorting to a customized hardware appliance by scaling service mediation and XML processing on multi-core.

We'll review three different performance scenarios to evaluate the performance of SOA Expressway as a service intermediary on a multi-core architecture. The detailed methodology and test cases used will be made available at the Intel SOA Products web site at http://www.intel.com/software/soae.

We used SOA Expressway's Eclipse-based Service Designer to visually create and test the service policies for the governance and mediation scenarios. The Intel SOA Expressway was configured on two separate quad-core dual processor machines (8 cores), the first based on the Quad-Core Intel Xeon Processor 5400 and the second on Intel's new Intel Core i7 processor (both machines with 2 quad-core processors for a total of 8 cores and running Red Hat Linux 2.6 with 8GB or higher memory) platform. We tested for both the absolute highest throughput and highest throughput at lowest latency to observe the scalability of the solution on both platforms.

For the service mediation scenario, we used a REST-like XML-over-HTTP service to process purchase orders.
Intel SOA Expressway was configured to act as a mediation solution for this service with a policy to validate the XML payload defined by the XML schema definition. The policy then transforms the purchase orders to a normalized form using XSL and updates the billing address. The policy then validates the resulting transformed output message for schema conformance and routes the message to the right instance of the back-end service based on the country to which the order is being shipped. As the graph shows, the Intel Xeon Processor 5400-based server demonstrated a performance of 8,600 tps at an average latency of 5.17 msec, while the Intel Core i7 processor-based server demonstrated the best throughput of 12,500 tps at about the same average latency. Compared to many hardware appliances, this performance is 300-500% better without requiring any customized hardware.

For the service governance scenario, we created a set of SOAP 1.1 doc/literal style purchase order Web Services and hosted them in Apache Axis2. These services exposed methods for creating, canceling, updating, and sending purchase orders. Intel SOA Expressway was configured to act as an SOA governance solution with a policy that required SOAP 1.1 schema validation and SOAP body payload validation on the incoming request, forwarding the request to the purchase order Web Service, and applying digital signatures and encryption on the response. The signature policy used was WS-Security with RSA-SHA1 and exclusive canonicalization, and for encryption, the policy was WS-Security with 3DES-CBC applied to the SOAP body. Three sets of tests were run for governance: a pass-through case (pure service virtualization), schema validation only, and then the full governance workflow (validation and WS-Security with signatures and encryption).

To configure the policy, SOA Expressway obtains the service definition and policy definition from a registry/repository and then virtualizes the service. This is done in a proxy mode by changing the service definition to point to the address of the virtual service container and provisioning a policy that defines the real service container as the destination for the request.

While we can imagine more complex service mediation and SOA governance scenarios such as XML threat protection, authentication, authorization, and FIFO processing, the scenarios used in this test showcase some of the more compute-intensive operations. These tests demonstrate that a new generation of service intermediaries optimized for general-purpose multi-core servers can address very high-end transaction processing volumes.
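The mediation policy described above (validate, transform, validate again, route on ship-to country) can be sketched in a few functions. This is an added example, not SOA Expressway code or configuration: the element names, the `ROUTES` hosts and the sample order are constructed, a hand-written structural check stands in for XSD validation, and a Python function stands in for the XSL step.

```python
import xml.etree.ElementTree as ET

# Constructed back-end instances keyed by ship-to country (hypothetical hosts).
ROUTES = {"US": "http://po-us.example.internal/orders",
          "DE": "http://po-eu.example.internal/orders"}
# Required paths: a hand-written stand-in for the XSD in the article's policy.
REQUIRED = ("id", "billTo/street", "billTo/country", "shipTo/country", "items/item")
SAMPLE = b"""<purchaseOrder><id>PO-1001</id>
<billTo><street> 1 Main St </street><country>us</country></billTo>
<shipTo><country>de</country></shipTo>
<items><item>widget</item></items></purchaseOrder>"""  # constructed input

class PolicyViolation(Exception):
    """A policy step failed; the message is not forwarded."""

def parse_untrusted(raw):
    try:
        text = raw.decode("utf-8")      # accept one encoding only
        if "<!DOCTYPE" in text:         # no DTD means no entity definitions
            raise PolicyViolation("DTD not allowed")
        return ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError) as exc:
        raise PolicyViolation(f"rejected payload: {exc}") from exc

def validate(order):
    if order.tag != "purchaseOrder":
        raise PolicyViolation(f"unexpected root element {order.tag!r}")
    for path in REQUIRED:
        node = order.find(path)
        if node is None or (len(node) == 0 and not (node.text or "").strip()):
            raise PolicyViolation(f"missing or empty {path}")

def normalize(order):
    # Stand-in for the XSL step: trim text and upper-case country codes.
    for node in order.iter():
        node.text = (node.text or "").strip() or None
    for country in order.iter("country"):
        country.text = (country.text or "").upper()

def mediate(raw):
    order = parse_untrusted(raw)
    validate(order)                     # inbound check
    normalize(order)
    validate(order)                     # outbound check on the transformed message
    country = order.findtext("shipTo/country")
    if country not in ROUTES:           # default deny: no catch-all back end
        raise PolicyViolation(f"no route for ship-to country {country!r}")
    return ROUTES[country], ET.tostring(order)
```

Validating the message a second time after the transform means a faulty stylesheet cannot push a malformed order to the back end, and the missing catch-all route means an unexpected country is rejected at the intermediary.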
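For the governance scenario, a consumer or monitoring point can confirm that a response leaving the intermediary actually carries the protections the policy names, rather than a pass-through. The check below is an added example, not part of the article or the product: it reads the algorithm identifiers from a constructed, abbreviated SOAP 1.1 response (no references, signature value or real ciphertext) and compares them with the RSA-SHA1, exclusive canonicalization and 3DES-CBC settings the test used.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Algorithms named in the article's governance policy, as W3C identifiers.
POLICY = {"ds:SignatureMethod": NS["ds"] + "rsa-sha1",
          "ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
          "xenc:EncryptionMethod": NS["xenc"] + "tripledes-cbc"}

# Constructed, abbreviated response used as sample input.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
 <soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="{NS['ds']}rsa-sha1"/>
 </ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData>
   <xenc:EncryptionMethod Algorithm="{NS['xenc']}tripledes-cbc"/>
   <xenc:CipherData><xenc:CipherValue>(omitted)</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

def check_response(xml_text):
    """Return the deviations from POLICY; an empty list means conformant."""
    env = ET.fromstring(xml_text)
    problems = []
    signed = env.find("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo", NS)
    if signed is None:
        problems.append("no ds:Signature in the wsse:Security header")
    body = env.find("soap:Body", NS)
    enc = body.find("xenc:EncryptedData", NS) if body is not None else None
    if enc is None or len(body) != 1:   # plaintext left beside or instead of ciphertext
        problems.append("soap:Body is not a single xenc:EncryptedData")
    for name, want in POLICY.items():
        scope = enc if name.startswith("xenc:") else signed
        node = scope.find(name, NS) if scope is not None else None
        got = node.get("Algorithm") if node is not None else None
        if got != want:
            problems.append(f"{name}: expected {want}, got {got}")
    return problems
```

`POLICY` mirrors the 2009 test configuration; SHA-1 signatures and 3DES have since been deprecated by NIST, so a present-day policy table would carry stronger identifiers such as rsa-sha256 and an AES mode.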

Platform Test Details

Intel® SOA Expressway v2.0 on Intel Xeon
Dual Processor Intel(R) Xeon(R) CPU X5560 @ 2.80GHz Nehalem-EP
Manufacturer: Supermicro
Memory: 6x2GB 1333 DDR3 RDIMMs (12G total)
Operating System: Red Hat Linux AS 4

Intel® SOA Expressway v2.0 on HP ProLiant
Platform: HP ProLiant DL360 G5
Dual Processor
Manufacturer: HP
Memory: 4x2GB FBD PC2-5300 (8G total)

Client: High performance generic HTTP Linux client
Server: Standard low-latency HTTP web server
4X Quadcore: Genuine Intel(R) CPU @ 2.40GHz
Memory: 16G
Red Hat Linux AS4

Default settings were used for Intel® SOA Expressway

Footnotes:

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit http://www.intel.com/performance/resources/limits.htm. For processors with HT Technology, performance and functionality will vary depending on (i) the specific hardware and software you use and (ii) the feature enabling/system configuration by your system vendor. See www.intel.com/products/ht/hyperthreading_more.htm for information on HT Technology or consult your system vendor for more information.

About the Author

Girish Juneja is director of SOA products at Intel. A co-founder of Sarvega, Inc., an SOA infrastructure company, he led the engineering and customer services organizations to develop Sarvega's industry leading core XML technology and XML networking products. Girish has held senior technology and management roles at Thomson Financial Services, Verizon, and MCI Telecommunications, with more than 15 years of experience in the technology industry in engineering, technology strategy, and management roles.
