
Rogers Handout


Demystifying the Service Oriented Architecture
By Capgemini's North American Chief Architect Steve Rogers

Objective of this presentation

To illustrate and demystify how a Service Oriented Architecture should work

SOA in Context

The Business View Architecture Services


Service Oriented Architecture (SOA) should be about changing the way we think about satisfying the business needs.

Real world situation: Sending a package

1. Delivery company publishes phone #
2. Customer finds them using yellow pages and orders delivery service from a price list
3. Delivery company picks the package up and customer signs the contract
4. Package goes into routing and distribution process
5. Package is driven to location and is delivered
6. Delivery company notifies customer package was delivered

Some terms before we begin

Service: Action or activity that is available to a Service Consumer through a defined interface.
Service Provider: Makes available a set of capabilities through a defined service contract for use by consumers.
Service Consumer: Reviews the price list and requests a Provider to deliver on a Service Contract.
Service Interface (Contract): The predefined agreement between a consumer and provider.

Taking the order and delivering the package are services. In both cases, the customer didn't need to know what happened behind the scenes.

The Delivery company provides the services. Its service contract is the speed at which it promises to deliver and the price it charges.

The Consumer is the person who places an order for delivery. They have agreed to the Contract terms and initiate the interaction with the Provider.

Requester provides the delivery company with their address, the shipping address, package size and payment information over the phone. This information represents the Message Interface or Contract.

Some terms before we begin

Discovery: Ability to find or look up the services available to a service consumer.
Service Functions: Functions that are executed to complete a service that are not visible to a service consumer.
Orchestration: Coordination of service operations to execute a process involving a sequence of activities. Also known as Business Process Management.
Loosely Coupled: A design approach that decreases the impact of change between services.

Yellow Pages are used to look up or discover the location and phone number for a delivery service.

To actually deliver the package requires such service functions as hiring resources, scheduling drivers, dispatching trucks, routing packages, contracting with airlines, etc.

From the moment the consumer requested the delivery, the activities to provide the service were all orchestrated in a sequence that facilitated the package arriving on time.

If the delivery company changes its air carrier, the consumer shouldn't be impacted (unless the new carrier has a different service arrangement, in which case they might be).

Guiding Principles to Follow

A Service Oriented Architecture (SOA) is an IT architecture that enables business needs to be satisfied by following a few simple principles:

1. Services are designed for the enterprise, not just a department (and regional differences shouldn't be ignored).
2. The architecture should facilitate users working how they want to work (within given business process constraints).
3. A consumer of a service should not need to know the technologies that enable a service.
4. Industry-accepted standards should be used when possible.
5. Services should be discoverable (do not reinvent the wheel).
6. Consider the lifecycle of a service every time.
7. Let the tools do their job.
8. Externalize Externalize Externalize

Top 10 SOA Elements You Need to Know

1. Service
2. Message
3. Interface
4. Monitoring and Management
5. Business Process Management
6. Process Orchestration
7. Security
8. Policy and Trust
9. Governance and Lifecycle
10. Standards

Services come in many forms

A Service is a self-contained, sharable software resource that performs a well-defined function and provides information specific to that function in a message-passing, networked environment. A service may:
- Complete an end-to-end business process such as Order
- Complete part of a process such as Quote
- Perform actions just on data such as Customer
- Only perform a specific function such as TransferBalance
- Only perform business rules such as ValidateRate

Services up to today

Until recently, most services created by IT have been single-purpose or single-function (like GetCustomerAccountNumbers) and only used within a single application or by a single department (or by at most two departments). They have been mostly designed as Web Services and finding out about them has been done through word of mouth.

[Diagram: Application A (Interface) and Service: GetCustomerAccountNumber (Interface)]

How services interact is described using a Web Service standard known as the Web Service Definition Language (WSDL). A WSDL describes the operations the service can perform and the interfaces. A WSDL may contain multiple interfaces.

Services in a managed SOA

In a more managed SOA, the service architecture would look more like:

Enterprise Registry contains:
- Service interface definitions and locations (WSDL)
- Service Policies (WS-Policies)
- Service Security (WS-Security)
- Service Trust (WS-Trust)
- Service Management (WSDM or WS-Management)

[Diagram: Application A (Interface) and Service: Customer (Interface)]

The benefit of this is better service manageability and monitoring. And remember, Externalize Externalize Externalize.


Messages

Services interact through messages


A request from one system or service to another arrives over a network in the form of a message. A message can come in different forms, but SOAP (Simple Object Access Protocol) is the predominant standard for Services Architecture because of its ubiquity and because it is independent of network protocols.
[Diagram: Application A; Service: Customer; The Message]

Service / Message interaction

Message Infrastructure

The Message Infrastructure (usually a queue in a service bus) is there to make sure the message gets from one service to another. It also provides:
- Monitoring
- Authentication
- Authorization
- Encryption
- Sequencing/Prioritization
- Logging / Auditing
- Transformation
- Routing
- Error Handling


Services Allow Messages In and Out through Interfaces, which enables loose-coupling

Interfaces allow data into or out of a system or service. Interfaces should be designed to shield a consumer or provider from needing to know the intricacies of the system/service.

An interface specifies the actions that are possible with a service and what data elements the service needs or will provide back. The infrastructure to support passing information between interfaces is needed because messages:
- Need to cross process and system boundaries
- May be asynchronous; devices aren't always connected
- May need to be processed later
- Can be delivered zero or more times
- Do not have immediate delivery guarantee
- May be resent by the client
- May be delivered out of sequence
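
What a receiving service has to do to cope with the delivery properties listed above (resends, out-of-sequence arrival, messages that never arrive), as an added example that is not part of the original handout. The `msg_id` and `seq` fields are assumptions about what the message infrastructure provides, and the delivery trace is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: str  # assumed unique per logical message; a resend reuses the same id
    seq: int     # assumed per-sender sequence number, starting at 1
    body: str


@dataclass
class Receiver:
    next_seq: int = 1
    seen_ids: set = field(default_factory=set)
    held: dict = field(default_factory=dict)       # seq -> Message waiting for a gap to close
    processed: list = field(default_factory=list)  # bodies, in the order they were acted on

    def deliver(self, msg: Message) -> str:
        # Resent or replayed copies are dropped so the action runs at most once.
        if msg.msg_id in self.seen_ids or msg.seq < self.next_seq or msg.seq in self.held:
            return "duplicate"
        self.seen_ids.add(msg.msg_id)
        if msg.seq != self.next_seq:
            self.held[msg.seq] = msg               # arrived early: process later
            return "held"
        self._process(msg)
        while self.next_seq in self.held:          # drain anything the gap was blocking
            self._process(self.held.pop(self.next_seq))
        return "processed"

    def _process(self, msg: Message) -> None:
        self.processed.append(msg.body)
        self.next_seq += 1

    def missing(self) -> list:
        # Sequence numbers not delivered so far; candidates for a resend request.
        top = max(self.held, default=self.next_seq)
        return [s for s in range(self.next_seq, top) if s not in self.held]


def run_sample():
    # Constructed delivery trace: out of order, with resends and one lost message (seq 4).
    trace = [Message("a", 1, "order"), Message("c", 3, "pay"), Message("a", 1, "order"),
             Message("b", 2, "quote"), Message("c", 3, "pay"), Message("e", 5, "ship")]
    rx = Receiver()
    outcomes = [rx.deliver(m) for m in trace]
    return outcomes, rx.processed, rx.missing()
```

The same duplicate check is what stops a captured message from being acted on twice when it is replayed.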

Monitoring and Management

Services should be monitored just like any other infrastructure component. Monitoring:
- Provides an immediate view into their health and availability.
- Provides a centralized way for alerting purposes.
- Can also assist in monitoring business values such as volumes, total amounts, number of requests, etc.

Services should be managed like applications for:
- Versioning (routing new requests to new services)
- Backward compatibility
- Easier or scheduled deprecation

The emerging standards for management are:
- Web Service Distributed Management (WSDM)
- WS-Management

Business Process Management (BPM) serves to bridge business users and IT

BPM promotes a process-centric view of IT where end-to-end process management is separated from underlying applications, their connections and data.

[Diagram labels: Customers; Finance; HR; Procurement; BSS: Customer Care, Billing; BPM: Independent Process Layer; EAI, ESB; OSS Internal Systems: Inventory, Fault, Workforce, Activation, Management; network]


Orchestrated Processes execute the services in the right order

BPM is generally done via modeling tools that let business architects draw / model the ideal business process flow. Developers use these models to generate the code to orchestrate the services.


Challenges with SOA security

Even with conventional security controls in place, there are challenges:
- The loosely-coupled paradigm makes security more complex. Look for ways to reduce this complexity.
- In SOA, security is strongly associated with web services security, so identities can be stored in many directories and security needs to be distributed per message.
- Solid trust relationships with partners need to be established at the business level.

[Diagram: Internet; SOAP Message (<...>Flight Booking, <Flight>ZZ1234, <From>Stuttgart, <Date>20031130); Security abstraction layer / Message Router with WS-Routing, WS-Security, WS-Transaction; Flight Booking Service Interface; Flight Booking Service]

Per message security

[Diagram: security context]

Transport security protocols provide point-to-point security, where message contents are not encrypted at the endpoints of each connection, i.e. on an intermediary system.

Message security protocols provide end-to-end security, where messages are protected while on the systems of intermediaries (this is the federated model).

Per message security

Per message security involves the encryption and/or digital signing of (parts of) SOAP messages for the following objectives:
- Confidentiality of the sensitive information so that no unauthorized entity can gain access to it
- Data integrity of the message to evaluate whether the message was modified in transit
- Message authentication, which guarantees that the message was created by the claimed identity
- To support Non-repudiation, required to guarantee that the origination or receipt of messages cannot be repudiated at a later stage

[Diagram: SOAP message made up of Message header, Encrypted payload, Message digest (digital signature)]
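
The integrity and message-authentication objectives above, carried end-to-end across an intermediary, as an added example that is not part of the original handout. An HMAC-SHA256 under a shared key stands in for the XML digital signature that WS-Security would use, so it gives neither non-repudiation nor confidentiality; the `Route`, `Hop` and `BodyMac` header elements and the key are hypothetical, and the booking values are the ones from the slide.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)
KEY = b"constructed-demo-key"  # constructed; known only to sender and final receiver


def _body_mac(envelope: ET.Element, key: bytes) -> bytes:
    # Canonicalize the Body (C14N 2.0) so re-serialization by a router does not change the MAC.
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    canon = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return base64.b64encode(hmac.new(key, canon.encode(), hashlib.sha256).digest())


def build_message(key: bytes) -> bytes:
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, "Route")  # hypothetical routing header, deliberately not protected
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    booking = ET.SubElement(body, "FlightBooking")
    for tag, text in (("Flight", "ZZ1234"), ("From", "Stuttgart"), ("Date", "20031130")):
        ET.SubElement(booking, tag).text = text
    ET.SubElement(header, "BodyMac").text = _body_mac(env, key).decode()
    return ET.tostring(env)


def route(wire: bytes, hop: str, tamper: bool = False) -> bytes:
    # An intermediary parses the message, records itself in the header and re-serializes it.
    env = ET.fromstring(wire)
    ET.SubElement(env.find(f"{{{SOAP_NS}}}Header/Route"), "Hop").text = hop
    if tamper:  # a modification in transit that transport security alone would not reveal
        env.find(f"{{{SOAP_NS}}}Body/FlightBooking/Flight").text = "ZZ9999"
    return ET.tostring(env)


def verify(wire: bytes, key: bytes) -> bool:
    env = ET.fromstring(wire)
    claimed = env.findtext(f"{{{SOAP_NS}}}Header/BodyMac", default="")
    return hmac.compare_digest(claimed.encode(), _body_mac(env, key))
```

Only the Body is covered here, matching the slide's "(parts of) SOAP messages": the router may add hops to the header, but any header field the receiver relies on would need to be covered too.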


Policies and Trust

Policies define certain aspects or rules on how a web service can be used. WS-Policy is a security standard used to define items the web service consumer and provider need to know outside of the basics of the interface (the WSDL file). Without WS-Policy, you will have to hand code items like:

Functional policy: Message sequences, Message types, Message content
Security policy: Message signing, Message auditing, Authentication
Operational policy: Transport, Encoding, Logging, Load balancing, Failover

Policies and Trust

Trust is defined as "the characteristic that one entity is willing to rely upon another entity to execute a set of actions."
- Specification of trust policies is done with WS-Trust (what are the requirements for using the service, i.e. what trust do I need and how do I tell the service users?).
- Need to broker trust between different security domains, also known as spheres of trust (how do I know who to trust, i.e. will service users comply with the policies?).

The security required for web services depends on the business relationship between service consumers and service providers. Long-standing trusted relationships require different security controls than fast-changing shallow relationships.


The Lifecycle of Services in a Governed SOA

[Diagram: Service Lifecycle with four stages: Contextual (why need), Conceptual (how satisfy), Logical (architect/build), Physical (execute/change)]

Current Reality: Multiple Organizations Will Use the Same Service

Corporate Governance: The set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled.

IT Governance: The leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

SOA Governance: The processes, policies, standards, organization and technologies required to manage and ensure the availability, accessibility, quality, consistency and security of services in a company.

[Diagram: Business Processes (POS, Underwriting, Billing & Payment, Claims) over Policy Services, Billing Services, Claim Services and Common Services, labelled "Shareable, reusable packages of business functionality"]

Without Governance, SOA Will Fail


Once the governance model is selected, determine roles and responsibilities

[Diagram: governance roles and responsibilities. Roles: PMO, SOA Gov Chairperson, Enterprise Architecture, SOA Architects, Application Architects, Tool Specialists/Architects, Developers, Operations Support, Metadata Support. Items: Strategy and Standards, Procedures and common objects, Training, Checkpoints (Reviews). Relationship labels: Gives Direction to, Oversees, Report results, Develop, Maintain, Recommend, Execute, Reference and Use, Submit Work for, Take, Follow]


Services Oriented Industry Standards

A key goal is to implement standards-based solutions, using common protocols and languages, for example:
- SOAP: Access protocols and languages
- UDDI: Solutions will look for interfaces registered in distributed directories
- XML: All derivatives of the popular markup language provide a common interface language
- BPEL: Standardization on a language for coding business rules

[Diagram: standards stack. Layers: Industry Business Semantics; Service Presentation; Service/Event Delivery; Service Orchestration; Security; Service Discovery; Service Description; Message Processing; Data Semantics; Data Syntax; Transport. Standards shown alongside: FinXML, fpXML, UCCNet, ACORD, RosettaNet, HL7, HIPAA, ebXML, OAGIS, UAN, SOX; JSR 168, WSRP, RFID; BPEL, WS-Choreography; WS-Security, SAML, XML D-Sig; UDDI, WSIL; WSDL, WS-Policy; SOAP, WS-Eventing, WS-Addressing; XML Schema, DTD, XDR; XML, XSLT, XPath; JMS, HTTP, AS1, EDIINT/AS2; WS-ReliableMessaging; Management and Monitoring: WSDM]

Appendix Slides

ESB Sample SOA From this to that


Putting it all together

[Diagram labels: Applications and Services (App1, App2, Shared Services, Services, WS, Portal, POS, Content, File); Single Sign On; Business Process Management; Security; Enterprise Service Bus (ESB) with Core ESB Services (Web Services, Transformation, WS-Security, Routing, Multi-Protocol, Message Translation, Event Services, Enrichment, Exception Handling); Transaction Monitoring; Process Orchestration; Audit & Logging; Repository; UDDI Registry; Security & Policy; Monitoring SLA; Portal Presentation; DB2; Services Lifecycle Management & Governance; Storage]

Architecture & Design: Our Architecture Goal is to go From Here...

[Diagram: Systems Today. LOB 1, LOB 2 and LOB 3 each with their own Business Processes, Applications & Services, Data, and Infrastructure & Security; Service & Support]

Architecture & Design: To This

[Diagram: Tomorrow (SOA). LOB 1, LOB 2 and LOB 3 each with Business Processes, Applications & Services, Data, and Infrastructure & Security, together with Shared Business Processes, Shared Application Services, Shared Data, and Shared Infrastructure and Security Services; Standards, Rules, Policies and Guidelines; Service Lifecycle; Service & Support]
