Monday, August 20, 2007

Holiday = time to read SOA book

While on holiday, I took along a copy of “Understanding Enterprise SOA” by Eric Pulier and Hugh Taylor. The book uses the merger of 2 insurance companies as a background setting to explain the use of Service Oriented Architecture. The story of the different architects in the insurance companies, with the author as the external consultant, reads very fluently. By the way, in the book the use of SOA also means the use of Web Services technology. So the fundamental WS technologies are explained in an open manner, with some “Savvy Manager Cautions”.

Although the book is well written, I cannot recommend it. One thing I fundamentally disagree with is putting integration (EAI) technology aside as an “old” technology. First of all, the world is not web services alone: file transfer, asynchronous processing, connectivity to databases and back-end applications, and support for B2B protocols all require the use of integration tools such as Enterprise Service Buses or Message Brokers.

The author Eric Pulier is Chairman of SOA Software. The name SOA Software pops up here and there as a vendor of WS mediation solutions; e.g. SOA Software acquired Blue Titan. But I haven’t encountered SOA Software here in Europe. With no technical documentation available online, it’s hard to tell what their products actually cover.

Thursday, August 16, 2007

SSL beats WS-Security?

The weekly newsletter contained a link to a very interesting presentation about securing web services, given by Brad Hill of iSEC Partners at the Black Hat Briefings.

The presentation states that SSL with client certificates is the better mechanism to secure web services. Two main arguments: 1) SSL with client certificates is proven technology and very robust, and 2) WS-Security isn't very good because it is so extensive and complex, and therefore an easy target for attack.

SSL with client certificates is indeed a strong mechanism for securing connections coming into your DMZ. And the use of self-signed certificates makes the setup cheaper and more straightforward. But the use of SSL with client certificates also has its challenges. The biggest issue is SSL session termination by a network device in front of your application server. If the SSL connection can be terminated in a container under your control, all information can be retrieved from the client certificate. But in the case of such a network device, you can only hope (or arrange) that the device forwards information about the client certificate to your application (e.g. using an HTTP header field such as SSL_CLIENT_CERT).
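As an added illustration of that caveat (example code, not part of the original post), the following Python sketch accepts a forwarded SSL_CLIENT_CERT header only when the request arrives from a trusted terminator, and maps the forwarded certificate to a partner identity by pinned SHA-256 fingerprint. The terminator address, the WSGI-style request dict, the header normalisation and the certificate bytes are constructed assumptions, not a real deployment.

```python
"""Added example: trust a forwarded client cert only from the SSL terminator.
Constructed assumptions: PEM arrives in the SSL_CLIENT_CERT header (WSGI key
HTTP_SSL_CLIENT_CERT) of a WSGI-style environ; partners pinned by SHA-256."""
import base64
import binascii
import hashlib
import ssl
from urllib.parse import unquote

# Constructed: peer addresses of the SSL-terminating devices under our control.
TRUSTED_TERMINATORS = {"10.0.0.5"}

# Constructed stand-in, NOT a real certificate: a base64 body in PEM markers
# is enough to exercise the PEM/DER conversion and the fingerprint pin.
PARTNER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-partner-a-certificate-bytes").decode()
    + "-----END CERTIFICATE-----\n"
)

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the usual form of a certificate pin."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

# Constructed allowlist: fingerprint -> partner identity known to the app.
PINNED_PARTNERS = {fingerprint(PARTNER_PEM): "partner-a"}

def normalize_pem(header_value: str) -> str:
    """Terminators commonly URL-encode or space-join the PEM; rebuild it."""
    body = unquote(header_value)
    for marker in ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"):
        body = body.replace(marker, "")
    b64 = "".join(body.split())  # strip every kind of whitespace
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def resolve_identity(environ: dict):
    """Return the pinned partner id for this request, or None if unauthenticated."""
    # The header is attacker-controlled unless the request came directly from
    # a trusted terminator, so from any other peer it is ignored outright.
    if environ.get("REMOTE_ADDR") not in TRUSTED_TERMINATORS:
        return None
    raw = environ.get("HTTP_SSL_CLIENT_CERT")
    if not raw:
        return None
    try:
        fp = fingerprint(normalize_pem(raw))
    except (ValueError, binascii.Error):
        return None  # malformed header: fail closed
    return PINNED_PARTNERS.get(fp)
```

The same header arriving from any peer other than the terminator yields no identity, which is the property you must arrange when the device in front of you does the SSL termination.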

On his second point, WS-Security indeed has (too) many options. Actually, it is more the underlying XML Signature and XML Encryption standards that provide too many options. WS-I will have to do a good job in reducing the number of options and choosing some good defaults. And to make things really secure and robust, WS-Security implementations should only implement and support what is required by the WS-I Basic Security Profile.

EDIINT AS2 is a nice example of how security can be made workable: numerous organizations implement message level signing and encryption when setting up AS2 connections (the only complexity is the certificate renewal process when using message level encryption).

So, while not fully agreeing with all the content, the presentation is a great piece of information.

Wednesday, July 18, 2007

Integration As A Service

Another interesting (sponsored) podcast was published on BriefingsDirect. Dana Gardner talks with Annrai O'Toole of CapeClear.

The ESB of CapeClear is used by the company Workday to offer integration capabilities around its hosted applications. Workday was created by the founder of PeopleSoft and provides "On Demand Enterprise Services".

During the podcast, the subject of "Integration As A Service" is put forward. Workday uses CapeClear to connect with its customers, but also with business partners. The example of ADP is given for payroll processing.

The comparison is made with , which focuses only on integration with its customers and, according to Annrai O’Toole, is facing an integration challenge. By the way, one thing I’ve always been asking myself is how it can address all its integration needs with web services only. Doesn’t have a need to communicate reliably and asynchronously using e.g. JMS, file transfer or AS2?

Integration-As-A-Service can also be implemented with a hosted integration solution within a large organization. In the podcast, JP Morgan is given as an example of such an approach. The internally hosted integration solution provides integration services to the internal customers within the organization, allowing these internal customers to address their integration needs in an effective manner and avoiding surprises by using a standard price list and a standardized way of implementing integration scenarios.

Another interesting question that is raised is why companies such as Amazon, Google or Microsoft don't provide more subscription based integration services, something I've been asking myself for a long time. And more generally, why aren't there more and larger organizations providing hosted B2B and integration solutions? In his introduction, Dana Gardner refers to GrandCentral.

GrandCentral had a very nice hosted integration solution but went out of business. GrandCentral was the first to provide web services (SOAP) as one of its protocols to connect to its hub. GrandCentral also allowed you to design processing and transformations online in a Java applet, and to monitor all message flows and individual messages using an online monitoring tool. When I give training about application integration, I always show a couple of screen shots of the GrandCentral solution as THE example of a hosted integration solution.

Finally, I can strongly recommend all podcasts of Dana Gardner at BriefingsDirect. Keep up the good work Dana!

Tuesday, July 17, 2007

B2B: open source AS2

Within the open source community, there is a strong interest in integration technology: JMS implementations, Web Services frameworks, ESBs... But there is very limited interest in B2B. There are e.g. (almost) no open source implementations of RosettaNet RNIF or EDIINT AS2.

One notable exception was the freebxml project with Hermes. Hermes is an open source implementation of the ebXML ebMS 2.0 protocol. The development was started quite a while ago and was mainly done in Hong Kong.

But recently, things have started moving with regard to EDIINT AS2. Hermes now also provides support for AS2. And 2 other projects have delivered implementations of the AS2 protocol: m-e-c AS2 and OpenAS2.

Some time ago, I had to implement and test the commercial Seeburger AS2 adapter in an SAP XI environment. To do some initial testing and experimenting, I used m-e-c AS2 as the AS2 software of my fictitious business partner.

The m-e-c AS2 software worked quite OK, although I ran into some incompatibilities. It would be most interesting to see the results of other compatibility testing for these open source AS2 implementations.

Anyway, it is a very interesting evolution to see all these open source AS2 implementations pop up. Congratulations to all the committers!