Enterprise Service Oriented Architectures (eBook)

TABLE OF CONTENTS 7
ENDORSEMENTS 11
ABOUT THE SERIES 13
Series Editors 14
FOREWORD 17
PREFACE 21
ABOUT THIS BOOK 25
Audience 26
What This Book Is Not! 26
How to Use This Book 27
Motivation for Writing This Book 28
Disclaimer 28
About the Authors 29
ACKNOWLEDGEMENTS 31
ABOUT THE REVIEWERS 33
Argentina 33
Australia 33
Belgium 33
Canada 34
Finland 34
Germany 34
India 34
Israel & Palestine
Pakistan 34
Scotland 34
Singapore 34
Ukraine 35
United Kingdom 35
United States 35
1 UNDERSTANDING SERVICE- ORIENTED ARCHITECTURE 36
1. Introducing Service-Oriented Architectures 40
1.1. Web Services 40
1.1.1. Enterprise IT and Web Services 41
1.1.2. WSDL and SOAP 43
1.1.3. UDDI 47
1.1.4. The Beginnings of Enterprise Service Orientation 50
1.2. Enterprise Service-Oriented Architecture 52
2. Service-Based Collaboration through Federation 54
2.1. A Federation Is … 54
2.2. Federation and Mature CBSE 58
2.3. The Federation Spectrum 59
2.4. The Spectrum as a Service Taxonomy 63
2.5. Federation Example 65
2 COMPONENT-BASED SERVICES 84
1. Component-Based Software Engineering ( CBSE) 86
1.1. Understanding CBSE 87
2. A Component De.nition 90
2.1. The UML2 Component 91
2.2. The Enterprise Component 95
2.3. Network-Style Interfaces 96
3. Component Granularity 99
3.1. Distribution Domains and Tiers 100
3.1.1. Looking at the Big Picture 100
3.1.2. Distribution Domains and Tiers 102
3.1.3. The BPM Domain 104
3.2. Granularity Scheme 105
3.2.1. The Distributed Component (DC) 106
3.2.2. The Business Component (BC) 108
3.2.3. The Application Component (AC) 111
3.3. Dependency Management 114
3.3.1. Inter-Tier Interactions 114
3.3.2. Business Function Layers 115
4. From Requirements to Design 116
4.1. Requirements 117
4.1.1. Business Elements 118
4.1.2. Processes and Resources 118
4.2. Business Element Analysis 119
4.2.1. Resource Business Element (RBE) 120
4.2.2. The Service Business Element (SBE) 123
4.2.3. Delivery Business Element (DBE) 126
4.3. Mapping to Components 127
5. Summary 129
3 ORCHESTRATION 130
1. Work.ow and Business Process Management 132
1.1. Intra-Enterprise Work.ows 135
1.2. Interoperability Concerns 136
2. The Business Process Execution Language ( BPEL) 136
2.1. Relationship to XPath 138
2.2. Variables 138
2.3. De.ning Business Relationships 140
2.4. Message Correlation 142
2.5. Activities 147
2.5.1. < assign>
2.5.2. < receive>
2.5.3. < invoke>
2.5.4. < reply>
2.5.5. < throw>
2.5.6. < catch>
2.5.7. < terminate>
2.5.8. < sequence>
2.5.9. < .ow>
2.5.10. < scope>
2.5.11. < wait>
2.5.12. < pick>
2.5.13. < switch>
2.5.14. < while>
2.5.15. < empty>
2.6. Transactions 162
3. A Worked Example of Web Services Orchestration 163
4. Design-Time Demonstration 164
4.1. Task De.nitions 164
4.2. The ProcessOrderApplication Flow 165
4.3. The PaymentAuthorization Sub-Task 167
4.3.1. Testing the Sub-Task within the Design Tool 169
4.4. Gluing Them Together 173
4.5. Fault Handling 178
4.6. The Entire Flow 179
5. Run-Time Demonstration 180
5.1. Tracking the Flow 180
5.2. The Audit Trail 183
6. Summary 183
4 WORKING WITH REGISTRY AND UDDI 186
1. Introducing the Registry 187
1.1. Why Do I Need It? 187
1.2. How Do I Use It? 188
1.3. Registry vs Repository 189
2. Universal Description, Discovery and Integration ( UDDI) 189
2.1. Technical Overview 190
2.2. Informational Structural Model 192
2.2.1. Business Information: The BusinessEntity Element 193
2.2.2. Service Information: The BusinessService element 194
2.2.3. Specification Information: The BindingTemplate Element 194
2.2.4. Technical Fingerprint: The TModel Element 195
2.2.5. Relationships: The PublisherAssertion Element 196
2.2.6. Operations Information: The OperationalInfo Element 197
2.3. UDDI Keys 197
2.3.1. UUID 198
2.3.2. DomainKey 198
2.3.3. DerivedKey 199
2.4. Classification – Where Is My Data? 199
2.4.1. Categorization 200
2.4.2. Identifiers 202
3. Programming UDDI 204
3.1. Searching with UDDI 204
3.1.1. Browse Pattern 205
3.1.2. Drill-Down Pattern 206
3.1.3. Invocation Pattern 207
3.2. Publishing with UDDI 208
3.3. Subscribing with UDDI 208
3.3.1. Asynchronous Noti.cation 212
3.3.2. Synchronous Noti.cation 212
4. Internationalization 214
4.1. Multilingual Descriptions, Names and Addresses 214
4.2. Multiple Names in the Same Language 215
4.3. Internationalized Address Format 216
4.4. Language-Dependent Collation 217
4.5. Federation of Registries 217
4.6. Private Test Registry 218
4.7. Shared Registry 219
4.8. Security 221
5. Summary 222
5 UNDERSTANDING ENTERPRISE SECURITY 224
1. Need for a Message Level Security Solution 226
1.1. Point-to-Point vs End-to-End Security 226
1.2. Application Independence 227
1.3. Technology Independence 228
2. Security Concepts 228
2.1. Authentication – Who Is It? 229
2.2. Authorization – What Can They Do? 229
2.3. Integrity – Ensure That Information Is Intact 230
2.4. Con.dentiality – You Can’t Read 230
2.5. Non-Repudiation – You Sent It, I Got Proof 230
2.6. Single Signon – How Many Times Do I Have to Tell You? 231
2.7. Key Management – Give Me a Key Chain 231
3. Security Technologies 231
3.1. Authenticaton and Security Tokens 232
3.1.1. Username/Password 233
3.1.2. PKI through X.509 Certi.cates 234
3.1.3. Kerberos 234
3.2. Integrity and Signing 234
3.3. XML Signature 236
3.3.1. Generate Certi.cate 239
3.3.2. Signing 240
3.3.3. Veri.cation 242
3.4. Canonicalization 243
3.5. Con.dentiality and Encryption 244
3.5.1. Symmetric Encryption 245
3.5.2. Asymmetric Encryption 246
3.6. XML Encryption 247
3.6.1. Encryption 249
3.6.2. Decryption 249
3.7. Authorization 250
3.8. Extensible Access Control Markup Language ( XACML) 250
3.8.1. Key Concepts 250
3.9. Top-Level Constructs: Policy and PolicySet 251
3.10. Key Management 251
3.11. XML Key Management Speci.cation ( XKMS) 252
3.11.1. XML Key Information Service Specification ( XKISS) 252
3.11.2. XML Key Registration Service Specification ( XKRSS) 252
3.12. Single Sign-On 253
3.13. Identity Management 255
3.14. Liberty Alliance Project 255
3.15. Security Assertion Markup Language ( SAML) 258
4. Web Services Security (WSS) 260
4.1. Security Tokens 261
4.2. Signature 262
4.3. Encryption 263
5. WS-Policy 265
6. WS-Trust 266
7. WS-Privacy 267
8. WS-SecureConversation 267
9. WS-Federation 268
10. WS-Authorization 268
11. Summary 268
6 SOA MANAGEMENT 270
1. Problem Space 271
1.1. Management Scenarios 275
2. Systems Management 279
2.1. Logging 280
2.2. Auditing 282
2.3. Monitoring 283
3. Alerting 285
3.1. Round Trip 285
3.2. Transaction Size 285
3.3. System Fault 286
3.4. Trending 286
4. Provisioning 287
5. Leasing 288
6. Billing 289
7. Pricing/Chargeback Models 290
7.1. Per Transaction 291
7.2. Fixed Fee/Subscription 291
7.3. Lease/License 291
7.4. Business Partnership/Percentage of Revenue 292
7.5. Registration 292
8. Lifecycle Management 292
8.1. Routing 294
8.2. Versioning and Deprecation 295
8.3. Transformation 297
8.4. Provisioning 300
8.5. Quality Assurance 302
8.6. Business Processes 303
8.7. Message Prioritization 304
8.8. Business Activity Monitoring 304
9. Management Architecture 306
9.1. Gateways 306
9.2. Agents 307
9.3. Centralized Policies 308
9.4. Operational Rules 308
9.5. Components 310
9.6. Persistent Storage 311
10. Policy Architecture 312
10.1. Policy Execution 313
11. Framework Vendors 314
12. Summary 315
7 TRANSACTIONS 316
1. What Are ACID Transactions? 316
1.1. The Synchronization Protocol 320
1.2. Optimizations to the Protocol 321
1.3. Non-Atomic Transactions and Heuristic Outcomes 322
2. Why ACID Is Too Strong for Web Services 323
3. A Brief History of Web Services Transactions 325
4. The Coordination Frameworks 326
4.1. Coordination Architecture 328
4.2. Creating a Coordinator 329
4.3. The Context 330
4.4. Registering Participants 331
4.5. Terminating the Coordinator 334
5. Web Services Transactions 334
5.1. Atomic Transaction 336
5.1.1. Supported Protocols 337
5.2. Business Activity 340
5.2.1. WS-BusinessActivity 342
5.2.2. Long Running Action 342
5.3. Business Process Model 345
6. Security Implications 347
7. Interoperability Considerations 349
8. Summary 350
8 EVENT-DRIVEN ARCHITECTURE 352
1. Overview 354
2. Events 355
2.1. Descriptive 355
2.2. Prescriptive 355
2.3. Factual 356
2.4. Assumptive 356
2.5. Business Rules 356
3. Agents 358
3.1. Service Design 361
3.2. Pools 362
4. Threads 364
4.1. Thread per Request 364
4.2. Thread Pools 366
5. Alternative Pattern-Based Approaches 367
5.1. Strategy Pattern 368
5.2. Chain of Responsibility Pattern 368
5.3. Interpreter Pattern 370
5.4. Flyweight Pattern 371
5.5. Memento Pattern 372
6. Language Specific Constructs 373
6.1. Soft References 374
6.2. Forking 375
6.3. Non-Blocking I/O 375
6.4. Enterprise Service Bus 376
6.5. Callbacks 379
7. Finite State Machines 379
8. Event Notification 382
8.1. Brokered Notification 384
8.2. Security Concerns 385
8.3. Message Order Alteration 385
8.4. Availability Attacks 386
8.5. Replay Attacks 386
8.6. Redirection Attacks 386
9. Practical Considerations 387
9.1. Return on Investment 388
9.2. Canonical Form 388
9.3. Integration 389
9.4. Retirement 389
10. Summary 390
OUTTRO 392
APPENDIX A: UNDERSTANDING DISTRIBUTED COMPUTING 394
1. Distributed Computing 395
1.1. Anatomy of a Distributed Application 396
1.1.1. Understanding the Network Layer 397
1.1.2. Building the Application Layer 399
1.1.3. Operating System Components 401
1.2. Interprocess Communication 403
1.3. Communications Infrastructure 405
1.4. Remote Procedure Calls (RPC) 406
1.5. Object Request Brokers (ORB) 406
1.6. Transaction Processing Monitors 408
1.7. Message-Oriented Middleware ( MOM) 410
1.8. Service Description 411
1.9. Versioning 412
1.10. Operations 413
1.10.1. One-Way 414
1.10.2. Request/Response 414
1.10.3. Solicit/Response 415
1.10.4. Noti.cation 415
1.11. Service Discovery 416
1.12. Application Services 417
1.12.1. Stateless Services 418
1.12.2. Conversational Services 418
1.12.3. Cached Services 419
1.12.4. Singleton Services 419
2. Practical Considerations 420
3. Summary 420
APPENDIX B: QUALITY ATTRIBUTES 422
1. System Qualities 422
1.1. Availability 422
1.2. Manageability 424
1.3. Performance 424
1.4. Scalability 425
1.5. Security 426
2. Design vs Run-Time 426
APPENDIX C: REFERENCES 430
Books 430
Magazines 432
Docs 432
Web Sites 434
Presentations 436
APPENDIX D: ADDITIONAL READING 438
APPENDIX E: UPCOMING BOOKS 440
Agile Enterprise Architecture – Fall 2006 440
Enterprise Portal Architecture – Fall 2006 441
Enterprise Open Source – Spring 2007 442
Enterprise BPM Patterns – Summer 2007 443

3 ORCHESTRATION (p.95-96)

None of us is as smart as all of us. 
Anonymous


Even before the advent of Web services, an increasingly large number of distributed applications were constructed by composing them out of existing applications. Enterprise Application Integration (EAI) techniques grew up from the realization that no one infrastructural technology (e.g., CORBA or DCOM) will ever be adopted by all of the software industry. Furthermore, although sourcing a solution to a problem (large or small) from a single vendor is possible in the short term, in the long term it is often the case that a corporate intranet will be running systems from a variety of vendors, not all of which will be able to interoperate. Large multi-national corporations often evolve through acquisitions of smaller companies who may have different infrastructural investments. We have often heard the statement that "It’s easier to interoperate with a different company than to talk to different divisions within the same company." Therefore it should come as no surprise to learn that large-scale applications are rarely built from scratch; rather they are constructed by composing them out of existing applications.

Providing solutions that enable disparate (heterogeneous) technologies and applications to communicate is extremely important. Without them, a company’s infrastructure would either not be able to grow (leading to islands of isolation) or would be at the mercy of a single vendor. For several years EAI solutions have made it possible to compose an application out of component applications in a uniform manner, irrespective of the languages in which the component applications have been written and the operating systems of the host platforms. Unfortunately, most EAI platforms offer solutions that are not interoperable with one another. Web services offer a potential solution to this important drawback.
The resulting applications can be very complex in structure, containing many temporal and data.ow dependencies between their constituent applications. An additional complication is that the execution of such an application may take a long time to complete and may contain long periods of inactivity (minutes, hours, days, weeks, etc.), often due to the constituent applications requiring user interactions. In a distributed environment, it is inevitable that long running applications will require support for fault-tolerance and dynamic recon.guration: machines may fail, services may be moved or withdrawn and application requirements may change. In such an environment it is essential that the structure of applications can be modi.ed to re.ect these changes. In general, composite applications are increasing in importance as companies combine off-the-shelf and homegrown Web services into new applications. Various mechanisms are being proposed and delivered to market daily to help improve this process. New "fourth generation" language development tools are emerging that are speci.cally designed to stitch together Web services from any source, regardless of the underlying implementation.

A large number of vendors are starting to sell business process management, work.ow and orchestration tools for use in combining Web services into automatic business process execution .ows. In addition, a growing number of businesses .nd themselves creating new applications by combining their own Web services with Web services available from the Internet supplied by the likes of Amazon.com and Google.com. These types of composite applications represent a variety of requirements, from needing a simple way to share persistent data to the ability to manage recovery scenarios that include various types of transactional software. Composite applications therefore represent a signi.cant challenge for Web services standards since they are intended to handle complex, potentially long-running interactions among multiple Web services as well as simple and short-lived interactions.