
Product Architecture

Scalable, Enterprise-class SOA Governance, Security, Mediation, and Management Infrastructure

SOA Software, Inc. 12100 Wilshire Blvd, Suite 1800 Los Angeles, CA 90025 866-SOA-9876 www.soa.com info@soa.com
Copyright 2007 by SOA Software, Inc.

Disclaimer: The information provided in this document is provided "AS IS" WITHOUT ANY WARRANTIES OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF INTELLECTUAL PROPERTY. SOA Software may make changes to this document at any time without notice. All comparisons, functionalities and measures as related to similar products and services offered by other vendors are based on SOA Software's internal assessment and/or publicly available information of SOA Software and other vendor product features, unless otherwise specifically stated. Reliance by you on these assessments / comparative assessments are to be made solely on your own discretion and at your own risk. The content of this document may be out of date, and SOA Software makes no commitment to update this content. This document may refer to products, programs or services that are not available in your country. Consult your local SOA Software business contact for information regarding the products, programs and services that may be available to you. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.

Table of Contents
1 Introduction
2 Architecture Overview
3 Workbench
3.1 Central Database
3.2 Registry/Repository
3.3 Policy Manager
3.4 Management Application
3.5 Security Application
3.6 Web UI Console
4 Service Manager
4.1 Network Director
4.2 Agent
4.3 Delegate
About SOA Software

www.soa.com

Copyright by SOA Software, Inc. 2005. All rights reserved.

1 Introduction
SOA Infrastructure is the set of tools and technologies that an organization deploys to secure and manage services and service-oriented business applications. SOA Infrastructure has two main goals: to facilitate and promote reuse for enterprise agility and cost efficiency, and to provide visibility into, and ensure the security and reliability of, the services and applications it deploys using the principles and concepts of service-oriented architecture. SOA Software's Workbench and Service Manager implement a comprehensive SOA Infrastructure solution that follows the reference model defined below.

As the market-leading provider of SOA Infrastructure software products, SOA Software has published the SOA Infrastructure Reference Model into the public domain. It provides a product and vendor agnostic view of the architectural concepts, components and standards that make up a successful SOA Infrastructure Reference Model.

The Reference Model focuses on the architectural concepts, components and standards that are required to build effective SOA Infrastructure. It provides a conceptual breakdown of the realization of an enterprise SOA environment into two fundamental layers: an application and messaging services layer, and an infrastructure services layer. In reality these two layers are deeply integrated, although their focus and role are considerably different.

The application and messaging services layer is where process services, applications, and messaging platforms such as Application Servers, Enterprise Service Bus(es), and Business Process Management engines reside. In this layer, business applications and services expose interfaces that other business applications and services consume, focusing only on the business logic and business interface specifications.

The infrastructure layer provides security, mediation, monitoring, policy management, and governance services to the application and messaging layer. It ensures that appropriate policies are enforced by services as they receive messages, and that applications send messages that comply with the policies that will be enforced by the receiving service. The separation between these layers is critical to ensure the true loose coupling of services and applications that is required to achieve the efficiency and agility benefits of SOA. The infrastructure layer provides agents, proxies, and delegates to ensure that the application and messaging layer can access and use the services it delivers.

This document describes how SOA Software's Workbench and Service Manager implement a comprehensive closed-loop SOA infrastructure according to the published reference model described above.


2 Common Architecture Considerations


Common architecture considerations are those capabilities required in a comprehensive SOA governance system that are not specific to any one element. These considerations are intentionally expressed in RFC 2119 form to show how they shape the core product architecture.

1. The Governance System MUST include Registry, Repository, Management, Security, and Intermediary elements.
2. The Governance System elements MUST be deeply integrated to drive a closed loop as described in the introduction, using published standards to ensure loose coupling where possible.
   2.1. The Governance System MUST support the WS-Policy framework and any defined assertions where appropriate.
   2.2. The Governance System MUST support the use of a REST-based model for the distribution of metadata artifacts.
   2.3. The Governance System SHOULD support the use of WS-MetadataExchange for the interchange of metadata artifacts.
   2.4. The Governance System MUST support the UDDIv3.02 specification as a model for categorizing, tagging and classifying services and their related artifacts. This helps ensure the interoperability and loose coupling of the Governance System with other SOA Infrastructure elements.
3. The Governance System MUST offer WSDL-based interfaces for management, control and admin functions.
4. The policy-based run-time management system's control, management and administration Web Service (WSDL) interfaces SHOULD consistently leverage and uniformly apply the governance system's lifecycle management, validation and conformance, policy and audit compliance capabilities.
5. The Governance system's control, management and administration Web Service (WSDL) interfaces SHOULD consistently leverage and uniformly apply the policy-based run-time management system's security, mediation, reliability, enforcement, management, SLA and compliance capabilities.
6. The Governance, Management and Security systems' control, management and administration Web Service (WSDL) interfaces SHOULD be designed to provide support for common grammars (verbs and nouns) with consistent, intuitive, predictable and uniform semantics.


3 Architecture Overview
SOA Software's governance infrastructure solution consists of 2 products:

Workbench provides a centralized set of high-performance, reliable, scalable infrastructure applications.

Service Manager provides a set of distributed intermediaries for policy enforcement, implementation, metric collection and audit.

The combination of the Workbench and Service Manager delivers a closed-loop SOA governance solution: it defines and governs policies that are implemented and enforced at runtime, and these enforcement and implementation actions are audited by the governance platform.

The interfaces between the distributed and centralized components use industry standards where available (UDDI, WS-MEX, WS-Policy, WS-Management, WS-Trust, etc.). All of the central Workbench applications are implemented as standalone, stateless Java applications that leverage a central database for state management and as a core data repository. This delegates reliability and performance management to the underlying database tier, a well understood discipline in most large enterprises.


4 Workbench
Workbench provides the central subsystems that make up the infrastructure layer. It delivers a set of high-performance, scalable, stateless applications that expose standard protocols where available. The applications communicate with one another and with the underlying database to provide a comprehensive SOA infrastructure solution.

Each of these applications can be deployed in a cluster using standard network load-balancing technologies for exceptional scaling and performance. They are highly optimized and provide excellent standalone performance characteristics.

4.1 Central Database
Service Manager and Workbench delegate scalability and state management to an underlying database layer. Most large enterprises, especially those that have a significant investment in information technology, have a well-established, high-performance, reliable, managed database infrastructure. SOA Software's products are designed, implemented and tested to work with common database infrastructure solutions including Oracle, SQL Server, and DB2. The deployment model for the products typically reflects the database deployment chosen. The products support active/active and active/passive modes.


4.2 Registry/Repository
The registry/repository application provides the cornerstone of Workbench. The other Workbench and Service Manager applications and components rely on it to find and communicate with their peers, and to discover, enforce, and implement policies for governed services.

The registry/repository application provides multiple different interfaces into the same core set of data. Each of the interfaces will show a different subset of the data in different ways. The core interfaces are the UDDIv3 Inquiry, Publish, and Subscription APIs, WS-MetadataExchange, and REST. The UDDI APIs present and manage a structured view of the data defining and categorizing services. WS-MEX provides a standardized mechanism for retrieving WSDL, Policy, and other metadata, and the REST API provides an overarching mechanism for managing the complete data set. The flexibility of this registry/repository model is shown in the multiple ways different applications and platforms can and will consume the stored and managed data. The Workbench console application described below offers a powerful user interface combining advanced UI technologies and design techniques to deliver an exceptionally powerful and easy to use SOA Governance portal.


4.3 Policy Manager
The Workbench policy manager application extends the metadata repository described above with advanced policy authoring, governance, and distribution capabilities. It creates and manages WS-Policy documents that describe the expected and required behavior of the services and service operations with which the policies are associated. It also creates and manages lifecycle compliance policies that validate the static and dynamic metadata for a service. These policies include things like WS-I Basic Profile validation, service categorization checking, runtime policy presence validation, WSDL conformance, schema conformance and others. The set of policies delivered with the product can be readily extended using the XQuery language, or by adding custom modules created using a published and documented API.

In addition to its role managing policies, the policy manager is used to define, negotiate, govern, and publish contracts. Contracts define the relationship between a service or group of services and a consumer or group of consumers. They are XML documents that define the access rights, capacity requirements, performance requirements, and other key contractual terms. Contracts are enforced dynamically by the Service Manager intermediaries.

4.4 Management Application
The Workbench management application monitors the performance, throughput, and usage of services and applications, and consolidates this information to provide valuable services such as SLA reporting, performance charting and trend analysis, and alert and exception management. The distributed intermediaries collect alert, performance, usage and message data according to the defined policies for each operation they manage; they then use SOAP and REST interfaces to push this data to the management application. The management application processes this captured data to calculate SLA performance, determine if any actions need to be taken, distribute alerts, and present real-time and historic charts.

The Workbench management application is based on the WS-Distributed Management specification, and will adopt whichever specifications emerge from the HP, Microsoft, and IBM sponsored harmonization initiative. It also supports SNMP and EIF for integrating with 3rd party management systems like HP OpenView, IBM Tivoli Enterprise Console, and CA Unicenter. It exposes a set of published, documented Web services APIs for easy integration with enterprise management portals.

4.5 Security Application
In this reference model, the security service serves three purposes. It is a token server, an authorization server, and a PKI certificate authority.


As a security token server, it provides both authentication and token exchange services. It can consume a credential and return a token of some description, most likely a SAML assertion in a Web services environment. A common use case for both authentication and token exchange in Web services is for the security token server to work in conjunction with a portal to request a username and password from a Web browser user, and provide the browser with an HTTP session cookie. When the portal needs to request access to a Web service, it should then contact the security token service and exchange the cookie for a SAML assertion.

The Workbench security application supports a wide range of token types and protocols including WS-Trust for requesting tokens, and SAML, Kerberos, WS-Security, HTTP basic, HTTPS certificates, X.509, and others as token formats. It can delegate authentication decisions to external systems like Microsoft Active Directory, CA SiteMinder, and IBM TAM.

The Workbench security application provides an XACML compliant authorization server with a service for making decisions about whether a particular request is authorized or not based on a number of factors including user, role, or other sender identifying characteristics, request content, request destination, and environmental factors such as destination real-time performance. Most authorization servers still implement proprietary APIs, although XACML remains the most commonly discussed and implemented authorization standard. It can use external group information from systems like Microsoft Active Directory and LDAP servers, and can delegate authorization decisions to external systems like CA SiteMinder and IBM TAM.

The Workbench security application also provides a built-in PKI solution with the ability to generate and manage public/private key pairs and certificates, import externally generated keys and certificates, and distribute these keys and certificates to the processes and applications that need them in real-time. It supports certificate revocation list checking and uses an XKMS-based model for certificate and key distribution.

4.6 Web UI Console
Workbench provides a powerful web-based UI. It is a JSR-168 compliant portlet-based application implemented in HTML, AJAX, and Flash.

The Workbench console delivers a comprehensive integrated user interface for SOA registry/repository, policy management, governance, security, management, and monitoring. It is a stateless Java Web application that deploys by default into its own self-contained container. It can also be deployed into Tomcat, IBM WAS, or BEA WebLogic.

The console provides a powerful workflow solution with customizable workflows for service lifecycle management and contract management and negotiation. The workflows allow for multi-level approvals and offer extensive features around notification and policy compliance checking.
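
The authorization decision described under 4.5 Security Application can be illustrated with the following added example, which is not SOA Software's code or API. It evaluates rules over sender role, request content, request destination and destination performance, and combines them with the XACML 2.0 deny-overrides algorithm; the rule names, attribute names, service URN and thresholds are constructed for illustration.

```python
# Added example (not SOA Software code): an XACML 2.0 style deny-overrides
# decision over the factor groups named in section 4.5. Rule names, attribute
# names, the service URN and the thresholds are all constructed.
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
ORDERS = "urn:example:svc:orders"  # hypothetical destination service


@dataclass
class Rule:
    name: str
    effect: str                        # PERMIT or DENY
    target: Callable[[dict], bool]     # does this rule apply to the request?
    condition: Callable[[dict], bool]  # must hold for the effect to fire

    def evaluate(self, req: dict) -> str:
        try:
            if self.target(req) and self.condition(req):
                return self.effect
            return NOT_APPLICABLE
        except KeyError:               # a required attribute was not supplied
            return INDETERMINATE


RULES = [
    # Environmental factor: refuse traffic to a destination that is degraded.
    Rule("deny-degraded-destination", DENY,
         lambda r: r["destination"] == ORDERS,
         lambda r: r["environment"]["latency_ms"] > 2000),
    # Sender role plus request content: traders may place orders up to a cap.
    Rule("permit-trader-orders", PERMIT,
         lambda r: r["destination"] == ORDERS
         and r["content"]["operation"] == "placeOrder",
         lambda r: "trader" in r["subject"]["roles"]
         and r["content"]["amount"] <= 10_000),
]


def decide(rules: list, req: dict) -> str:
    """Deny-overrides rule combining, following the XACML 2.0 algorithm."""
    potential_deny = permit_seen = error_seen = False
    for rule in rules:
        result = rule.evaluate(req)
        if result == DENY:
            return DENY
        if result == PERMIT:
            permit_seen = True
        elif result == INDETERMINATE:
            error_seen = True
            potential_deny = potential_deny or rule.effect == DENY
    if potential_deny:
        return INDETERMINATE           # a Deny rule could not be evaluated
    if permit_seen:
        return PERMIT
    return INDETERMINATE if error_seen else NOT_APPLICABLE


def enforce(decision: str) -> bool:
    """Deny-biased enforcement point: only an explicit Permit passes."""
    return decision == PERMIT


def request(roles, amount, env, destination=ORDERS):
    """Build a constructed sample request."""
    return {"subject": {"user": "alice", "roles": roles},
            "content": {"operation": "placeOrder", "amount": amount},
            "destination": destination, "environment": env}
```

A missing latency reading makes the Deny rule Indeterminate, so the combined decision is Indeterminate and the enforcement point refuses the request rather than falling through to the Permit rule.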


5 Service Manager
Service Manager provides the distributed intermediaries that implement and enforce policy for, and provide metrics and audit data back to, Workbench.

Service Manager includes 3 distinct intermediary types: agents for most common service platforms and containers, a router-based (stand-alone) intermediary, and a client-side delegate. All the intermediaries provide exceptional performance and scalability with centralized deployment and policy management to ensure true enterprise readiness. They cover the widest possible surface area of applications and offer the broadest and deepest functionality of any SOA intermediaries on the market.

5.1 Network Director
The Network Director is a stand-alone smart service router that deploys into the network, supporting a wide range of intermediary patterns for routing, service virtualization, high-availability/load-balancing and others. It is fully stateless, offering exceptional performance and scalability combined with unique capabilities for mediation, routing, and policy enforcement.


5.2 Agent
The Agents deploy into the container to ensure last-mile security and policy enforcement for services. SOA Software offers agents for most common Java application servers, .NET, several ESB products and several business process management tools. The agents are fully functional, platform-native, and noninvasive, offering complete last-mile policy enforcement, including on-board cryptographic operations, without having to change any deployed applications or services.

5.3 Delegate
The Delegate is a client-side intermediary that deploys seamlessly into consumer applications to abstract the application from the location, transport, and policies required by the services it will consume. SOA Software offers delegates for Java applications and .NET, and packages the delegate in a wide range of forms with simple, non-invasive deployment options for most common service platforms and containers, including ESBs and business process management tools.


6 About SOA Software


SOA Software is a leading provider of comprehensive, enterprise-class SOA Governance, security, mediation, and management. SOA Software products provide a comprehensive closed-loop SOA governance solution (Workbench), a high-performance, scalable SOA management and security solution (Service Manager), and a mainframe Web services solution for CICS applications (SOLA). SOA Software products process over 500 million mission critical transactions a month and are used by the largest Fortune 1000 corporations, including Merrill Lynch, Verizon, and Pfizer. For more information, please visit http://www.soa.com. SOA Software, Workbench, Service Manager, SOLA, and Network Director are trademarks of SOA Software, Inc. All other product and company names herein may be trademarks and/or registered trademarks of their registered owners.
