Wednesday, December 30, 2009

Integration in the Cloud

The end of the year gives some time to relax, watch television and to read the many blog posts that have piled up in my reader. A lot of cloud stuff obviously, predictions for next year. James Urquhart mentions 7 businesses to watch out for, and on nr 2 is "Enterprise Integration as a Service". Couldn't agree more.

Urquhart refers to Boomi as an example of Integration through the cloud. I remember Boomi as a smaller B2B software vendor from around the period the AS2 protocol took off. Boomi's cloud offering and pricing remain a bit blurry to me. Should play around with the 30-day trial some day. But not today, Dec. 31st ;-)

What I don't understand is that John M Willis picks RabbitMQ as the "Best Cloud Orchestration Tools in the Cloud". RabbitMQ is a messaging solution based on the AMQP standard protocol. Maybe I'm overlooking something, but I don't see any AMQP whatsoever in the B2B integration space.

Wednesday, November 18, 2009

VAN in the cloud?

Stumbled on the interesting blog by Benoit Lheureux of Gartner. I really expect to see "Integration in the cloud" or "Integration-as-a-Service", and Benoit's blog entries are in line with what I expect to happen: some sort of Value Added Networks (VANs) that re-appear in the cloud.

Benoit talks about interesting topics such as:

Monday, November 9, 2009

WS-RM continued

My colleague Jeroen pointed me to this 2006 article on WS-RM by Clemens Vasters of Microsoft. An excerpt:

Truth be told, the reliability of WCF's WS-ReliableMessaging-based implementation by itself is "only" as good as it can be for a volatile reliable messaging mechanism
If you need end-to-end durable reliable messaging with full support for transactional I/O you need an infrastructure that's in control of both ends of the communication path and as it happens, such an infrastructure is part of the Windows operating system family. If these are your requirements, your WCF binding of choice is likely the NetMsmqBinding.

So let me repeat it again: if you don't want to lose messages, use a proprietary messaging solution (e.g. MSMQ) or use a B2B protocol such as AS2. Or use AMQP once it gets some traction and is supported by the larger IT players. Microsoft joined the AMQP working group in Oct. 2008. If Microsoft were to release an AMQP implementation with a WCF binding, that would be headline news!

Wednesday, October 28, 2009

Cloud News: NAS as a service

Listened to an interesting edition of the Cloud Computing Show about storage in the cloud. Not storage that is accessed through a proprietary API such as Amazon S3, RackSpace CloudFiles or the new EMC Atmos Online Storage Server. But NAS, with direct NFS and CIFS access to large volumes of data storage in the cloud! Some sort of NetApp, but in the cloud with multi-tenancy support. The (interesting) people interviewed were from a company called Zetta. I had never heard about "NAS in the cloud" nor Zetta. Zetta is a new player with an interesting offering that even allows integration with a corporate LDAP.

There seem to be more "NAS in the cloud" offerings, e.g. Nirvanix. And also IBM is starting to have a public cloud offering, including storage: IBM is entering the game with Smart Business Storage Cloud.

Note: direct access to GoGrid Cloud Storage seems possible as well, but is still a bit unclear to me

Saturday, October 24, 2009

The browser model is broken

I'm not a security specialist, but I find IT security a very interesting topic. As a longtime listener of the Security Now podcast, I listened to another interesting story: "The Broken Browser Model". The talk was inspired by a presentation given at the Black Hat conference.

The main message of the podcast is the insecurity that arises when HTTP and HTTPS are mixed. The HTML coming in over an insecure connection can be manipulated by a "man-in-the-middle" (e.g. through ARP spoofing), turning all the https:// URLs (and more) into standard insecure http:// ones. The man-in-the-middle initiates the SSL connections itself and can sniff all information going over the connection. A 24hr test at an (unknown) public hotspot revealed passwords for Yahoo, Gmail, Paypal and more, without any of the users noticing anything.
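A defender-side check that follows from this, added here as an example and not code from the podcast or from the Black Hat talk: it scans the HTML of a page that was served over plain HTTP and lists every password form and every https:// link on it, because those are exactly the elements a man-in-the-middle can rewrite before the browser renders them. The sample page and the example.com hostnames are constructed for this illustration.

```python
"""Audit a page served over plain HTTP for the HTTP/HTTPS mix described above."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None   # state of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["password"] = True
        elif tag == "a" and a.get("href"):
            href = urljoin(self.page_url, a["href"])
            if urlparse(href).scheme == "https":
                # an https link carried inside an http page: a downgrade
                # rewrite of this link is invisible to the user
                self.findings.append(("https-link-on-http-page", href))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            form, self._form = self._form, None
            if not form["password"]:
                return
            if urlparse(form["action"]).scheme != "https":
                self.findings.append(("password-form-posts-over-http", form["action"]))
            else:
                # the POST is encrypted, but the form (and its action attribute)
                # arrived unprotected, so the target could have been rewritten
                self.findings.append(("password-form-served-over-http", form["action"]))


def audit_page(html, page_url):
    """Return a sorted list of (issue, url) for a page fetched from page_url.
    A page that itself came over https gets no findings: its HTML was
    integrity-protected in transit."""
    if urlparse(page_url).scheme == "https":
        return []
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return sorted(set(scanner.findings))


# Constructed sample: a portal home page served over plain http.
SAMPLE_HTML = """
<html><body>
<a href="https://mail.example.com/login">Webmail</a>
<form action="https://accounts.example.com/login" method="post">
  <input name="user"><input name="pw" type="password"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
<form action="http://legacy.example.com/login" method="post">
  <input name="pw" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for issue, url in audit_page(SAMPLE_HTML, "http://www.example.com/"):
        print(f"{issue}: {url}")
```

The search form is not reported (no credential), while both login forms are: the one posting to http:// is the obvious problem, and the one posting to https:// is still flagged because the page that carried it was not protected.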

Saturday, October 17, 2009

Devoxx 09 - Great talks

The Devoxx conference is the place to be for everyone interested in Java and related technologies. And as one of the members of the steering team, I'm proud (again) of the impressive list of speakers we've gathered. My personal focus and interest is SOA and Cloud Computing. And that will definitely be covered at Devoxx!

University Day 1 - Monday Nov 16
The Cambrian Cloud Computing Explosion - John M Willis
Got to know John through his podcasts. John has a strong background in systems management and Tivoli, but his current focus is Cloud. And rest assured that he knows what a cloud is and knows all the players. For all the cloud enthusiasts: strongly recommended!
jBPM in Action - Tom Baeyens
Tom is "mister jBPM", the main driver behind jBPM, the JBoss BPM offering.
Architecting Robust Applications for Amazon EC2 - Chris Richardson
Chris is the founder of CloudFoundry. CloudFoundry provides tooling (and more) to deploy Java applications on Amazon EC2.
Note: CloudFoundry got acquired by SpringSource and SpringSource in turn got acquired by VMWare. Which is interesting as Amazon and VMWare are seen as big competing players in the cloud space.
SOA, OpenESB and OpenSSO Programming with Passion! - Sang Shin
Talk will be based on Sang's free online SOA course material.

University Day 2 - Tuesday Nov 16
Google App Engine for Java - a real live voyage to The Cloud

Develop along with the speakers your first (or next) application on the Google App Engine. No sales pitch, as the speakers - Sam Brodkin and Scott Stevenson - are independent.
SOA In Practice - Nicolai Josuttis
Nicolai is the author of the book "SOA in Practice". One of the better SOA books in my opinion.

Conference Day 1 - Wednesday Nov 17
ESB's and WebServices in Practice - Nicolai Josuttis
Once more Nicolai, but now with a more focused talk on the use of ESB's.
Architecting Robust Applications for Amazon EC2 - Chris Richardson
A condensed version of the University talk.
jBPM4 in Action - Tom Baeyens
A shortened version, ideal if you went to the cloud talk of John Willis on Monday.
Keeping Your Options Open, Even if the Cloud is Not - Doug Tidwell
Another specialist wrt. XSLT 2.0, but that's not the topic of this session. Doug will rather talk about the different Cloud offerings and standardization in the cloud space.
Distributed Programming the Google Way - Gregor Hohpe
Gregor is famous for his Integration Patterns. Focus of this talk are the base technologies underlying the Google imperium and the Google cloud solutions.

Conference Day 2 - Thursday Nov 18
Using XML with Java: Spoilt for Choice? - Michael Kay
Michael Kay is the author of the Saxon XSLT and XQuery processor. Michael is "Mr XSLT". XML remains an important aspect of SOA and general (Java) development.
Note: actually we have a 2nd XSLT guru at Devoxx, Doug Tidwell
Google Appengine Java: Groovy baby! - Patrick Chanezon and Guillaume Laforge
Another perspective on the Google AppEngine with focus on running different JVM based languages on Google AppEngine.
Master Data Management - Pierre Bonnet
Master Data Management is another important aspect of a SOA. Speaker is Pierre Bonnet, founder of the MDM Alliance Group.

Conference Day 3 - Friday Nov 19
BPM in a SOA Environment - Paul Brown
Paul Brown is the author of 2 great SOA books, is an architect at Tibco, but most importantly he is a senior, mild and fluent speaker on SOA. For this Devoxx talk, we have asked Paul to focus on BPM. Recommended!
Open Source SOA with Fuse - James Strachan
James is involved in a tremendous number of open source projects, usually focused on SOA and integration, with ActiveMQ and ServiceMix being the most well known. Will be interesting to learn about the status of Fuse, the ESB based on ServiceMix.
Note: in particular as Progress acquired Iona and is behind FuseSource
Note 2: for those who remember the CXF WS framework, that's part of Fuse

See you at Devoxx!

Tuesday, September 29, 2009

Shock absorber

Listened to an interesting interview on se-radio with Michael Nygard. Great interview where Michael explains his focus on IT systems in production. The title of his book says it all: "Release It! Design and Deploy Production-Ready Software".

One of the nice quotes during the interview was "messaging middleware" as the "shock absorber" between IT systems. Indeed, the strength of queueing is the option to pile up messages while a system is heavily loaded or temporarily unavailable. The use of asynchronous communication also leads to applications that are fully aware of the time-outs that may occur.

Triggered by the interview, I started reading the book. Well written, with at the beginning of each part a real-life "story". Recommended book!

Saturday, September 12, 2009


IBM recently published an article on the use of WS-ReliableMessaging between WebSphere 6.1 and Axis2. The part I found most interesting is the one on the Quality of Service of WS-RM:
  • Unmanaged non-persistent tolerates network and remote system failures. You can configure Web service applications to use WS-RM with a default in-memory message store. This QoS requires minimal configuration; it is for a single server only and does not support clusters. Although this QoS allows for the re-sending of messages that are lost in the network, failure of a server results in lost messages. The default is unmanaged non-persistent.
  • Managed non-persistent tolerates system, network, and remote system failures, but state is discarded after the messaging engine restarts. This in-memory QoS option supports clusters as well as single servers. This option uses a messaging engine to manage the sequence state, and messages are written to disk if memory is low. This QoS allows for the resending of messages that are lost in the network, and can also recover from server failure. However, a failure of the messaging engine causes message loss.
  • Managed persistent tolerates system, network, and remote system failures. This QoS for asynchronous Web service invocations is recoverable. This option also uses a messaging engine and message store to manage the sequence state. Messages are persisted at the Web service requester server and at the Web service provider server, and are recoverable if the server fails. Messages that have not been successfully transmitted when a server fails can continue to be transmitted after the server restarts.
QoS of WS-RM is actually not part of any standard. Most implementations of WS-RM are non-persistent, in particular Microsoft WCF and Sun's Metro. And that is in my opinion the major shortcoming of the WS-* story. The WS-RX committee should have made message persistence part of the WS-RM spec and/or the WS-RM Policy spec.
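What the difference between the non-persistent and the persistent QoS means for a WS-RM source, shown as an added example (not IBM's code, nor any WS-RM stack's): the sequence state, i.e. which message numbers are still unacknowledged, either lives in memory and dies with the server, or is written to disk before the message goes out and survives a restart. The store classes, the crash scenario and the sample messages are constructed for this page; only the WS-RM notions of message number and acknowledgement come from the spec.

```python
"""Toy WS-RM source with an in-memory and an on-disk sequence store."""
import os
import sqlite3
import tempfile


class MemoryStore:
    """Non-persistent QoS: unacked messages live in a process-local dict."""

    def __init__(self):
        self._pending = {}

    def put(self, message_number, body):
        self._pending[message_number] = body

    def ack(self, message_number):
        self._pending.pop(message_number, None)

    def unacked(self):
        return dict(self._pending)

    def restart(self):
        self._pending = {}      # a server failure takes the state with it


class PersistentStore:
    """Managed persistent QoS: the message is on disk before it is sent."""

    def __init__(self, path):
        self._path = path
        self._open()

    def _open(self):
        self._db = sqlite3.connect(self._path)
        self._db.execute(
            "CREATE TABLE IF NOT EXISTS pending (n INTEGER PRIMARY KEY, body TEXT)")
        self._db.commit()

    def put(self, message_number, body):
        self._db.execute("INSERT OR REPLACE INTO pending VALUES (?, ?)",
                         (message_number, body))
        self._db.commit()

    def ack(self, message_number):
        self._db.execute("DELETE FROM pending WHERE n = ?", (message_number,))
        self._db.commit()

    def unacked(self):
        return dict(self._db.execute("SELECT n, body FROM pending ORDER BY n"))

    def restart(self):
        self._db.close()        # same failure, but the file outlives the process
        self._open()

    def close(self):
        self._db.close()


def run_scenario(store):
    """Send three messages, lose the third on the wire, crash, then retransmit
    whatever the store still holds. Returns the message numbers the
    destination actually received, in order."""
    delivered = []

    def wire(message_number, body, lost=False):
        # The destination acknowledges with the message number; None means
        # the message never arrived, so no SequenceAcknowledgement comes back.
        if lost:
            return None
        if message_number not in delivered:     # a retransmission is not a duplicate
            delivered.append(message_number)
        return message_number

    for n, body in enumerate(["order 1", "order 2", "order 3"], start=1):
        store.put(n, body)                      # store first, then send
        ack = wire(n, body, lost=(n == 3))
        if ack is not None:
            store.ack(ack)

    store.restart()                             # server fails before message 3 is resent

    for n, body in store.unacked().items():
        ack = wire(n, body)
        if ack is not None:
            store.ack(ack)
    return delivered


def persistent_scenario():
    """run_scenario() against an on-disk store in a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    store = PersistentStore(path)
    try:
        return run_scenario(store)
    finally:
        store.close()
        os.remove(path)


if __name__ == "__main__":
    print("non-persistent:", run_scenario(MemoryStore()))   # [1, 2]: message 3 is gone
    print("persistent:    ", persistent_scenario())          # [1, 2, 3]
```

The retransmission loop is identical in both runs; the only thing that decides whether message 3 is recovered is whether the store still knows about it after the restart, which is exactly the property the IBM list attaches to "managed persistent".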

Anyway, IBM has a persistent implementation of WS-RM. And so has SAP: SAP doesn't even give you the option and uses persistent WS-RM as its default. Well done by SAP, although the SAP implementation is based on an older version of the WS-RM spec (WS-RM 2005/02).

What I don't find are reports of the use of persistent WS-RM between stacks of different vendors, e.g. between IBM and SAP. Maybe we'll need to have a go ourselves one day?

Saturday, July 25, 2009

VMWare on EC2: nope

Out of curiosity, I had a quick try to see if VMWare can run on EC2. Before terminating the Win2003 (32 bit) server I had running on EC2, I installed the VMWare client on it and launched an image with it: got a nice error message telling me that VMWare is not compatible with the Xen hypervisor used by Amazon EC2.

Had a 2nd try with the open source VirtualBox (from Sun). When I launched a virtual machine in VirtualBox (install CentOS from ISO image), the whole EC2 image came to a halt. No problem, I was done with it anyway.

Lesson learned: running a virtualization solution on EC2 doesn't seem to work

Note: it should be possible to convert VMDK to AMI using QEMU

Thursday, July 23, 2009

Loosely coupled: loosely defined, loosely understood

"Loosely coupled" is a heavily used term in SOA land. To me, loosely coupling means the use of a standardized contract/interface (aka canonical message format) and preferably also asynchronous messaging such as JMS.

Found an interesting presentation that describes the "facets" of loose coupling. And it compares the different types of web services with relation to "decoupling".

Monday, July 20, 2009

Belgian weather and water keep Google cool

So Belgian cold weather also has its value: less energy required to cool the Google data center. Interesting to learn as well that the data center's location is nearby a canal to obtain cheap water.

For the location of Google's data center in Belgium itself (Mons): there must definitely be a relationship with the fact that Elio di Rupo is both president of the socialist party and mayor of the town of Mons.

Java Message Service - 2nd edition

JMS or Java Message Service is the basis and standard API for asynchronous, reliable messaging.

After 10 years, a new (2nd) edition of the book "Java Message Service" was recently published. Mark Richards reworked the original edition by David Chappell (ex-Sonic, now Oracle) and Richard Monson-Haefel.

Having just skimmed through the book, it did look very interesting. Obviously an extensive treatment of the API (and thus specification). But nice to see code samples based on ActiveMQ, some explanation of character encoding, use of non-JMS clients (.Net, C++), dynamic vs. administered queues, message driven beans (MDB), Spring, and security.

Some topics that did not seem to be addressed: SOAP over JMS, REST-like access to JMS providers, persistence mechanisms (database or file based).

Messaging solutions are still the core backbone for many ESB's and integration solutions. The JMS API remains the standard abstraction layer for both Java (ActiveMQ, SonicMQ, OpenMQ, Fiorano) and non-Java based messaging (Tibco, WebSphereMQ, SoftwareAG WebMethods, Oracle AQ) solutions.

Simple SOAP definition

SOAP is the HTML for machine-to-machine communication.

Monday, July 13, 2009

Cloud Application Architectures

Holidays in beautiful Umbria (Italy) give the opportunity to do some reading. With a strong interest in cloud computing, I read Cloud Application Architectures by George Reese this summer. Around the same time last year (2008), I read Programming Amazon Web Services by James Murty.

The book "Programming Amazon Web Services" was really good in 2008. It describes the different Amazon offerings and how to invoke the API's using Ruby. But Amazon is extending its offering at a rapid pace, e.g. with fixed IP addresses and block storage (like NAS). So James Murty's book is in need of a 2nd edition.

"Cloud Application Architecture" goes up the stack to a higher abstraction level and explains how to deploy ("architect") application on the Amazon cloud. Georges Reese has gained practical experience while deploying the Valtira (Web Marketing) application on Amazon.

Reese covers some very interesting topics:
  • Load balancing with a software load balancer in the cloud vs. a HW load balancer on premise
  • Cost comparison with a sample calculation: comparing operating an application on your own hardware or in the cloud
  • (High) availability with some sample calculations
  • Use of stateless application servers
  • (Virtual) machine images: weighing generic vs. specific machine images; the use of startup scripts with user-data
  • Privacy: example of how to separate private information and encrypt it with a key generated for each customer/partner/...
  • Database management: weighing clustering vs. replication, whereby replication is usually considered the better option; the slave(s) can be used for read operations and backups; solutions for primary key generation and optimistic locking
  • Data security: e.g. through file system encryption
  • Network security: security groups as an alternative to firewalls, the fact that network intrusion detection cannot be used in the Amazon context, why network level encryption still makes sense even if machines cannot see each other's traffic at Amazon, system hardening (Bastille), host intrusion detection (OSSEC), anti-virus
  • Disaster recovery, backups, recovery, redundancy
  • Scaling & capacity planning, the nonsense of auto-scaling
A real joy to read, but sometimes I would have loved the author to go into some more depth. One thing definitely became clear to me: deploying applications on the (Amazon) cloud requires specific approaches and skills, with obviously a sound and well-thought-out architecture. Also specific tools will be helpful and needed: Rightscale and enStratus are mentioned in the book. That's probably the reason why Reese is also the CTO of enStratus.

We may expect many more cloud books in the coming months but "Cloud Application Architectures" brings quality content well ahead of the pack.

PS: podcast with interview of George Reese available here, same quality and content

Wednesday, May 6, 2009

Encryption - automatic key renewal

When doing message level encryption, the public key of the recipient is used to encrypt the source message. But how to obtain the encryption key of the recipient? Is there some directory (X500?) containing all these keys? Nope. Encryption keys are usually exchanged via out-of-band mechanisms.

For message level signing, things are much easier: a sender attaches its certificate to the signed message. The receiver checks the certificate first and next uses the public key contained in the certificate to verify the signatures. If the sender switches to a new private key, a new certificate containing the new public key is sent along with each message.

But what if a receiver wants to switch to a new encryption key? How to inform all senders that they should start using a new encryption key? What I've seen happening is that a company informs its business partners that they should all switch to this new key at exactly the same date and time. Clumsy solution. This could easily be avoided if ESB's and B2B tools supported the use of both the old and new encryption key for a while (try to decrypt with the new key, next try to decrypt with the old key). But products don't support this simple feature.

Note: switching to new encryption key is typical when the same keys are used for signing and encryption; the certificate needs to be renewed and this often implies a new keypair and thus new encryption key.
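The "try the new key, then the old key" behaviour described above, written out as an added example (not code from any ESB or B2B product). A keyed toy cipher (HMAC-SHA256 keystream plus an authentication tag) stands in for the RSA/S/MIME envelope a real product would use, because what matters here is the keyring logic and the fact that decrypting with the wrong key fails loudly instead of returning garbage. The key ids, partner names and messages are constructed.

```python
"""Receiver that accepts both its old and its new decryption key during a rollover."""
import hashlib
import hmac
import os
from collections import Counter


def _keystream(key, nonce, length):
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce. Output: nonce || ciphertext || tag.
    Stand-in for 'encrypt with the recipient's public key'."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag first; a wrong key raises instead of yielding garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered message")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Receiver:
    """Holds the current decryption key and, during a rollover, the previous one."""

    def __init__(self, key_id, key):
        self.ring = [(key_id, key)]      # newest first
        self.usage = Counter()           # which key each incoming message needed

    def announce_new_key(self, key_id, key):
        # Partners keep sending with the old key until they have switched;
        # both keys stay valid, and the newest one is tried first.
        self.ring.insert(0, (key_id, key))

    def receive(self, blob):
        for key_id, key in self.ring:
            try:
                plaintext = open_sealed(key, blob)
            except ValueError:
                continue                 # not this key, try the older one
            self.usage[key_id] += 1
            return key_id, plaintext
        raise ValueError("no key in the ring decrypts this message")

    def retire(self, key_id):
        """Drop a key; safe once usage[key_id] has stayed at zero for a while."""
        self.ring = [(kid, k) for kid, k in self.ring if kid != key_id]


def rollover_demo():
    """Two partners, one of which switches to the new key later than the other.
    Returns the key id used per message, in arrival order, and a count per key."""
    old_key, new_key = os.urandom(32), os.urandom(32)
    receiver = Receiver("2008-key", old_key)
    receiver.announce_new_key("2009-key", new_key)

    arrivals = [                               # constructed inbound messages
        seal(old_key, b"ORDERS from partner A (not yet switched)"),
        seal(new_key, b"ORDERS from partner B (switched)"),
        seal(old_key, b"INVOIC from partner A"),
    ]
    used = [receiver.receive(blob)[0] for blob in arrivals]
    return used, dict(receiver.usage)


if __name__ == "__main__":
    used, counts = rollover_demo()
    print("key used per message:", used)      # ['2008-key', '2009-key', '2008-key']
    print("usage per key:", counts)           # {'2008-key': 2, '2009-key': 1}
```

The usage counter is the operational part: once no incoming message has needed the old key for the agreed grace period, the receiver retires it, and no partner ever had to switch at an exact date and time.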

EDIINT/AS2 is a popular protocol for B2B communication. AS2 uses message level security extensively, both for signing and encryption. So AS2 users are confronted with this challenge of key renewal. Now AS2 has an optional profile called "Certificate Exchange Messaging" that allows the automated exchange of new encryption keys! And it requires the parallel use of an old and a new key.

This optional CEM profile has existed for a while already, but support is still limited: Axway, Cleo Communications Inc., GXS Inc., Inovis, and SEEBURGER.

Sunday, May 3, 2009

Microsoft DCS & BizTalk adapter pack

Just as the BizTalk services evolved into the Azure cloud offering, Microsoft seems to be brewing something else as well. As part of their Customer Care Framework, Microsoft delivers the Distributed Connectivity Services (DCS). This underlying layer seems pretty fundamental. If I understand well, (web) services are discovered and invoked dynamically. No UDDI, but WS-MetadataExchange. Don't have the full picture yet, but looks very interesting...

Something else I learned on the Microsoft side is the BizTalk adapter pack. The new BizTalk adapters are WCF enabled and can be invoked as WCF services. So from a .Net program perspective, everything looks like standard services. Makes me think a bit of WSIF in the Java/open-source world. Biztalk adapters will gradually migrate to this new architecture. This allows these adapters to be used both with and without the BizTalk server.

Wednesday, April 29, 2009

Fiber optic sabotage

At the start of Javaposse podcast #244, Dick et al explain how they got digitally disconnected from the outside world... Saboteurs dug 2 holes and cut a crucial fiber cable at 2 different locations. Hacking with a shovel!

Anyway, this is a new type of cyber attack, or is it warfare? Fiber optic cables are usually deployed as rings. So if the cable gets cut at one point, the other part of the ring still works fine and can handle all the traffic. But if you cut it at 2 points, end of story. Not only the Internet connections were down for 50.000+ people, but cell phones were dead as well.

Wednesday, April 15, 2009

Connecting back from the Azure cloud

Invoking services within the Intranet was in the design of Azure from the start. The .Net Services Bus of Azure allows local services to be called from the cloud.

A connection is set up from within the corporate firewall to the Azure servers in the cloud. This bidirectional connection is used to invoke services on the Intranet. The Services Bus is much more advanced than the Secure Data Connector from Google.

Azure is not limited to .Net, there are also Ruby and Java SDKs for .Net Services available! To learn a bit, I downloaded and installed the Java chat sample. Encountered the error "The subscription cannot be created" during my first experiments. But waiting a while resolved the issue: probably the service didn't unregister correctly during my first runs and the service bus needed to detect that the service was no longer present.

In the Chat example, client and service are running in the same application (multi-threaded). No need to deploy the service implementation in an application server. Also nice to see how the JAX-WS API is leveraged to create the service.

Connecting from Azure to Amazon (or the other way around) should be trivial. But integrating Azure with AppEngine (or is a different story. Both clouds have their own version and solution for integration and interoperability. An ESB hosted in the cloud or behind the corporate firewall will bring that interoperability.

Saturday, April 11, 2009

Connecting back from the Google cloud

Big news this week, the rumor finally became true: Google App Engine supports Java, next to Python. So Google AppEngine is now a big Servlet Engine in the cloud.

Along with the Java on Google App Engine announcement, I noticed another component: the Secure Data Connector. This SDC allows applications running in the Google cloud to interoperate with Intranet applications. Through the Secure Data Connector, Intranet applications can be accessed.

  • The Secure Data Connector is installed on a Linux server within the Enterprise.
  • An administrator configures the SDC to access certain resources within the Intranet.
  • The SDC is started and runs continuously as a background process.
  • The SDC connects to Google ( on port 443 (HTTPS). The connection is made from the enterprise to Google, so no need to configure the firewall at Enterprise side to allow inbound connections (from Google into the Enterprise).
  • The SDC authenticates itself using username and password.
  • Once the SSL connection is established, the connection remains open.
  • An application running in the Google cloud (AppEngine, Google Spreadsheet, ...) needs to access data from the Intranet or send data to the Intranet.
  • In AppEngine, this is done using the URLFetchService. To specify that an Intranet resource should be accessed, add the HTTP header use_intranet=true in the request.
  • From the Google AppEngine, a call is made to the SDC deployed in the Enterprise. Remember, TCP connections are bidirectional!
  • The SDC verifies whether access to the local resource is allowed, e.g. using the local DNS from within the Enterprise.
  • The SDC accesses the local resource or web service and returns the data back to the application running in the Google cloud. The size of request and response messages is limited to 1 MB.
Access to protected data within the enterprise is somewhat of a challenge. The only mechanism by which the SDC can provide credentials to an Intranet application/service/resource is OpenSocial and OAuth signatures. And

One of the evolutions that I envision is that ESB's or B2B services will embed the SDC logic as an adapter. The ESB is able to transform the requests coming from Google into other protocols or formats and add the necessary credentials.

Some more thoughts and remarks I made while going through the Secure Data Connector docs:
  • How is the configuration file of the SDC protected? In particular the username and password contained therein.
  • Support is limited to Linux. What prevents this open source code from being ported to other platforms?
  • How about load balancing or failover?
  • How about interoperability between clouds: anyone already tried to deploy the SDC on EC2?
  • Where is the SOAP support? How to invoke SOAP web services using the URLFetchService?
  • How about identity services and mapping the identity of a Google user to an internal Enterprise user account?
  • The SDC is not comparable to the .Net Services Bus of Windows Azure.
  • Can the SDC access the Internet through a proxy?
  • To deploy the Secure Data Connector in a large enterprise, you might have a hard time convincing the security department.

Thursday, April 9, 2009

Talking with Talis - great podcast

Another podcast that I can strongly recommend: Talking with Talis. Interviews with some very knowledgeable people and good sound quality. Lately, the focus was on Cloud Computing: Appistry, RightScale, the Eucalyptus project, HP, SalesForce, Windows Azure, ...

Tuesday, March 17, 2009

Can't remember the exact date when I started listening to podcasts in my car, but that must be at least 5 years ago. It was ITConversations that triggered me into buying a small 256KB MP3 player (which ended up in the washing machine). Doug Kaye, the founder of ITConversations, has started a new initiative: this site is a directory that helps you find spoken-word recordings.

When I did a search on some of my favourite topics - SOA and Cloud Computing - I immediately found a few new podcasts: OnSOA and The Cloud Computing Show.

Friday, March 6, 2009

Oracle Essentials - Oracle is old

Enjoying 2 days off in the Ardennes in the woods around Saint-Hubert, I took along a book that had already been on my bookshelf for a couple of months: Oracle Essentials 4th Edition. Also triggered by a customer looking into Oracle Advanced Queueing (AQ).

Nice book, giving a good overview of all the features available in and around the Oracle database. Obviously the book doesn't go into every detail, but it does give a good overview or "refresh".

While reading the book, I came to realize that the Oracle database is 28 years old! I still remember starting my career in September 1987, developing with the Informix database and 4GL on NCR Unix servers. Informix, together with Progress, was a major competitor of Oracle at that time.

Only in 1995 I really worked with Oracle. Oracle 7 with ESQL/C (embedded SQL) in C on Sun Solaris.

At that time, I learned about the distinguishing feature of Oracle: multiversion read consistency. Oracle will not fail when reading a row updated by another transaction. Instead, Oracle retrieves the row as it looked when the transaction started, from its transaction logs. This avoids locking all the rows being read, as opposed to all the other databases at the time, including Informix. Obviously, an update of such a row will fail as it was already updated by another transaction.
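The behaviour described above, modelled as an added example (not Oracle's code): readers see a row as it was when their transaction started, nobody takes a read lock, and an update of a row that another transaction changed in the meantime is rejected instead of silently overwriting it. The store, the timestamps and the "balance" row are constructed; the model keeps the transaction-level snapshot the post describes.

```python
"""Minimal multiversion store: old row images are kept, readers never block."""


class WriteConflict(Exception):
    pass


class MvccStore:
    def __init__(self):
        self._clock = 0
        self._versions = {}     # row key -> [(commit_ts, value), ...], oldest first

    def begin(self):
        self._clock += 1
        return Transaction(self, self._clock)

    def snapshot_read(self, key, as_of_ts):
        """Newest version committed at or before as_of_ts: the 'old' row image
        Oracle reconstructs from its logs instead of blocking the reader."""
        for commit_ts, value in reversed(self._versions.get(key, [])):
            if commit_ts <= as_of_ts:
                return value
        return None

    def latest_commit_ts(self, key):
        versions = self._versions.get(key)
        return versions[-1][0] if versions else 0

    def commit(self, txn):
        for key in txn.writes:                  # re-check at commit time
            if self.latest_commit_ts(key) > txn.start_ts:
                raise WriteConflict(f"{key} was updated by another transaction")
        self._clock += 1
        for key, value in txn.writes.items():
            self._versions.setdefault(key, []).append((self._clock, value))
        return self._clock


class Transaction:
    def __init__(self, store, start_ts):
        self.store, self.start_ts, self.writes = store, start_ts, {}

    def read(self, key):
        if key in self.writes:                  # a transaction sees its own writes
            return self.writes[key]
        return self.store.snapshot_read(key, self.start_ts)

    def write(self, key, value):
        if self.store.latest_commit_ts(key) > self.start_ts:
            raise WriteConflict(f"{key} was updated after this transaction started")
        self.writes[key] = value

    def commit(self):
        return self.store.commit(self)


def demo():
    """Returns (t1's two reads, whether t1's update was rejected, final value)."""
    store = MvccStore()
    setup = store.begin()
    setup.write("balance", 100)
    setup.commit()

    t1 = store.begin()
    first = t1.read("balance")                  # 100

    t2 = store.begin()                          # concurrent writer
    t2.write("balance", 150)
    t2.commit()

    second = t1.read("balance")                 # still 100: t1's snapshot predates t2
    try:
        t1.write("balance", 120)                # would be a lost update
        t1.commit()
        rejected = False
    except WriteConflict:
        rejected = True
    return (first, second), rejected, store.begin().read("balance")


if __name__ == "__main__":
    print(demo())                               # ((100, 100), True, 150)
```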

Monday, March 2, 2009


EDIINT AS2 is a very popular B2B protocol. Apart from file transfer, I think this is currently the most popular B2B protocol. Although EDIINT was initially meant to replace EDI over VAN connections by EDI over the INTernet (EDIINT), the AS2 protocol can transport any data in an asynchronous manner.

AS2 provides:
  • Firewall friendly as it uses HTTP(S) underneath
  • Straightforward: adds a number of HTTP header fields and MIME based message structure
  • Reliable: send message until you get a 200, duplicates are filtered based on message-id
  • Signing: based on S/MIME message structure and PKCS7 signing (self signed certificates are often used in practice)
  • Encryption: also leveraging the S/MIME message structure
  • Non-repudiation: signed acknowledgement or message receipt, called the Message Disposition Notification
  • Any payload: EDI, XML, binary, text
  • Many implementations: commercial versions available at low prices and one or two open source implementations
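The "reliable" bullet in practice, as an added example (not code from any AS2 product): the sender repeats a message until it gets an HTTP 200, and the receiver filters duplicates on the AS2 Message-ID header, so a lost response does not turn into a twice-processed order. The partner names, the payload and the scripted fault sequence (one lost request, then one lost response) are constructed; the AS2-From, AS2-To and Message-ID headers are the protocol's own.

```python
"""Sender retry and receiver de-duplication on the AS2 Message-ID."""
import uuid


class As2Receiver:
    """Processes each Message-ID once; a repeat is acknowledged but not re-run."""

    def __init__(self):
        self.seen_ids = set()      # a real product persists this set
        self.processed = []        # payloads handed to the back-end

    def handle(self, headers, payload):
        message_id = headers["Message-ID"]
        if message_id not in self.seen_ids:
            self.processed.append(payload)
            self.seen_ids.add(message_id)
        return 200                 # same answer for first delivery and duplicates


class As2Sender:
    def __init__(self, transport, max_attempts=5):
        self.transport = transport   # callable(headers, payload) -> status or None
        self.max_attempts = max_attempts

    def send(self, payload, from_id, to_id):
        headers = {
            "AS2-From": from_id,
            "AS2-To": to_id,
            "Message-ID": f"<{uuid.uuid4()}@{from_id.lower()}.example>",  # constructed host part
        }
        for attempt in range(1, self.max_attempts + 1):
            status = self.transport(headers, payload)   # same Message-ID every time
            if status == 200:
                return attempt
        raise RuntimeError(f"no 200 after {self.max_attempts} attempts")


class FlakyHttp:
    """The wire between sender and receiver, with a scripted list of faults."""

    def __init__(self, receiver, faults):
        self.receiver = receiver
        self.faults = list(faults)   # "lost-request", "lost-response" or "ok"

    def __call__(self, headers, payload):
        fault = self.faults.pop(0) if self.faults else "ok"
        if fault == "lost-request":
            return None                        # the receiver never saw it
        status = self.receiver.handle(headers, payload)
        return None if fault == "lost-response" else status


PAYLOAD = b"UNB+UNOA:1+PARTNER-A+PARTNER-B"     # constructed EDIFACT-style fragment


def demo():
    """Returns (attempts needed, payloads the back-end processed)."""
    receiver = As2Receiver()
    wire = FlakyHttp(receiver, ["lost-request", "lost-response", "ok"])
    sender = As2Sender(wire)
    attempts = sender.send(PAYLOAD, "PARTNER-A", "PARTNER-B")
    return attempts, receiver.processed


if __name__ == "__main__":
    print(demo())     # (3, [b'UNB+UNOA:1+PARTNER-A+PARTNER-B'])
```

The second attempt is the interesting one: the receiver did process the message but its 200 never made it back, so the sender cannot tell a lost request from a lost response and simply retries; only the receiver's Message-ID memory keeps the order from being booked twice.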

As is typical in B2B scenarios, AS2 servers are mostly located behind firewalls that only allow inbound connections from well-known IP addresses.

AS2 and its family
AS2 has some family: AS1, which goes over SMTP. And a younger brother AS3 which uses FTP as its transport. And now a 4th child joins the family: AS4! AS4 uses ebXML messaging v3 as its transport. But what the heck is ebXML?

ebXML was an initiative to define *the* new B2B standard for the 21st century: new transport layer, new message definitions, XML schema building blocks, process layer, protocol profiles and so on. ebXML didn't really take off, mostly because it was considered some sort of threat to the Web Services story. A pity that the WS-* world and ebXML world weren't able to come together in 2001. ebXML gained a bit of popularity in some European countries like the Netherlands and Denmark, where it is used on a limited scale.

Work continued very quietly and a new version of the transport layer was released in 2007: ebXML Messaging v3. ebXML Messaging v2 and v3 are actually SOAP over HTTP(s) with some extra bells and whistles.

The most important feature of AS4 is pulling or polling. Polling is one of the reasons why file transfer is so popular: it is "asymmetric" and allows one side to stay behind a closed firewall. ebMS 3.0 supports polling and AS4 does as well. Well done! WS-Polling was a similar initiative in the WS-* world to introduce polling.

AS4 will not become that popular in my opinion. The spec is rather "heavy" and ebMS 3.0 has very little traction. I'm not aware of any implementation. I would have preferred an extension of AS2 with support for polling, completely independent of the ebMS and WS-* specs. And so we'll simply continue using file transfer (SFTP, FTPS) as our most popular polling mechanism.

- Brik, thanks for pointing me to AS4
- Pictures are from a talk I gave on AS2
- Interesting link for those speaking Dutch: ebXML en ebMS: veilig en betrouwbaar berichten uitwisselen

Tuesday, February 10, 2009

REST article

Gave a hand to Paul Hermans writing an article on REST and SOAP. Got published in the January issue of the Dutch magazine Software Release Magazine. In Dutch and not yet available online.

Sunday, January 25, 2009

Dream machine: laptop with hypervisor?

Podcasts are an interesting way of staying up-to-date, especially when spending a lot of time in your car like I do. A podcast that I recently discovered is DABBC. DABBC focuses mainly on virtualization and tracks vendors such as Citrix, VMWare, Microsoft, Parallels and others.

Episode 67 of DABBC Radio is an interview with Ian Pratt, a Brit who co-founded XenSource (acquired by Citrix). Interesting to learn about paravirtualization, whereby the OS on top of the hypervisor is aware of the hypervisor underneath and behaves somewhat differently than when it had full access to the hardware. I also learned that more and more vendors are shipping machines with virtualization support in the hardware. E.g. HP and Dell seem to ship servers that contain Xen in the hardware.

Most customers I work for don't allow me to connect to their corporate network with my own laptop. They provide me with a laptop configured according to their corporate guidelines (typically XP). As a consequence, I'm always on the road with 2 or 3 laptops. Wouldn't it be great if they provided me with a machine image that I could run on top of the hypervisor of my own laptop?

Thursday, January 1, 2009

MD5 broken - Rogue CA certificate created

The ACM TechNews contained a pointer to an interesting article. The MD5 hash algorithm is broken. Based on this weakness, researchers have succeeded in creating their own intermediary CA certificate. And this in turn allows them to sign whatever SSL certificate they want!

The presentation by the researchers is quite clear and very interesting. The researchers used 200 PS3 game consoles, but Amazon EC2 could have been used just as well. They also leveraged some weaknesses in the CA they attacked (RapidSSL): use of MD5 (obviously), prediction of the serial number (sequential) and of the validity period (a fixed amount of time to generate the cert).

Their conclusion:
  • No need to panic, the Internet is not completely broken
  • The affected CAs are switching to SHA-1
  • Making the theoretical possible is sometimes the only way you can effect change and secure the Internet
Anyway, it's getting time to move to something stronger than SHA-1 as well.