Advanced Services - Beyond the Basics Case Studies II Lawrence Wilkes

Advanced Services - Advanced Services - Beyond the BasicsBeyond the BasicsAdvanced Services - Advanced Services - Beyond the BasicsBeyond the Basics

Case Studies IICase Studies II

Lawrence WilkesLawrence Wilkes

Tesco.com ChallengesTesco.com ChallengesLargest on-line grocery retailer in the worldLargest on-line grocery retailer in the world

UK, Republic of Ireland, South Korea and Groceryworks, a UK, Republic of Ireland, South Korea and Groceryworks, a joint venture with Safeway Inc. in the USAjoint venture with Safeway Inc. in the USA

$1b+ turnover in UK (2003)$1b+ turnover in UK (2003)

120,000+ deliveries every week in the UK (2003)120,000+ deliveries every week in the UK (2003)

Part of one of the largest bricks and mortar Part of one of the largest bricks and mortar retailers in the worldretailers in the world

Expand on-line grocery to non-food markets with Expand on-line grocery to non-food markets with the objectives:the objectives:

Diversify product range, with many virtual storesDiversify product range, with many virtual stores

Maintain customer managementMaintain customer management

Expansion must not disrupt current systemsExpansion must not disrupt current systems

Time to market is crucialTime to market is crucial

Support multiple devices for end customerSupport multiple devices for end customer

Improve delivery processImprove delivery process

Tesco.comTesco.com

3rd Party Fulfilment

3rd Party Information

Own StoresDeliveries

Diverse Shopping

Clients

Web ServicesWeb Services PromotionsPromotions Product fileProduct file Home pageHome page Product searchProduct search FavouritesFavourites Log-in serviceLog-in service Basket serviceBasket service CheckoutCheckout

http://www.euro.dell.com/countries/uk/enu/dhs/products/model_dimen_dimen_8300.htm

Tesco.com ArchitectureTesco.com Architecture

ADO.NET

CommonCheckout

SQL Server

CommonBasket

CommonCustomer

Store #Broker

CommonStore

InterfacesASP.NET Store #Store #

#1 #2 #n

Presentation Business Logic Data

ExternalWeb

Services

Approx 2000 Tesco Stores 3rd Party Suppliers

Tesco Back End Systems

BizTalk Server

Some BenefitsSome BenefitsBusinessBusinessImproved Customer SatisfactionImproved Customer SatisfactionReduced errorsReduced errorsStaff and Process EfficiencyStaff and Process Efficiency

““10,000 personal shoppers and 3,000 drivers… If 10,000 personal shoppers and 3,000 drivers… If you can cut just 15 minutes out of their weekly you can cut just 15 minutes out of their weekly schedule the scale effect is enormous”schedule the scale effect is enormous”

In-store stock control process improved 40% by In-store stock control process improved 40% by equipping 10,000 stock controllers with PocketPC using equipping 10,000 stock controllers with PocketPC using Web Services to communicate stock information to Web Services to communicate stock information to back end mainframesback end mainframesITITHigh developer productivityHigh developer productivity

Truck Routing and delivery system built by one Truck Routing and delivery system built by one developer in 6 weeksdeveloper in 6 weeks1st new virtual store added in 8 weeks1st new virtual store added in 8 weeks

Easy transfer of skills from desktop to mobile device Easy transfer of skills from desktop to mobile device developmentdevelopment

Other

Excel

WS

E

Win2K

PolitikenPortal

Danske BankDanske Bank

Danske Bank Web Danske Bank Web ServicesServices

Stock quotesStock quotes Bond quotesBond quotes Currency tradingCurrency trading

InstitutionalPartners

Web Service

Politiken Readers

ERP

Mainframe

XML

Cache

15min RefreshRouting Based on User

Real Time

Danske Bank - FactsDanske Bank - Facts

SecureSecureSupports latest Web services security standardsSupports latest Web services security standards

Cost Efficient Cost Efficient Using routing feature in .NET the cost savings Using routing feature in .NET the cost savings for mainframe use for stock quotes alone is for mainframe use for stock quotes alone is $1M per year$1M per year

Rock Solid PlatformRock Solid PlatformBillions of dollars to be traded annuallyBillions of dollars to be traded annually

New Revenue StreamsNew Revenue Streams(.NET) and Web services enables possible new (.NET) and Web services enables possible new customer segmentscustomer segments

ERGO - FactsERGO - FactsERGO Insurance Group – 2ERGO Insurance Group – 2ndnd largest in Germany largest in Germany

29m customers across Europe29m customers across Europe

ERGO needed toERGO needed to

lower IT costslower IT costs

developing new channels of distribution to developing new channels of distribution to reach customers in innovative ways.reach customers in innovative ways.

Benefits Benefits

Single platform that meets a diverse set of Single platform that meets a diverse set of needs needs

Faster time-to-market Faster time-to-market

Lower development costs Lower development costs

Increased sales force productivity Increased sales force productivity

Connected business partnersConnected business partners

ISABizTalkServer

CommerceServer

W2K W2K W2KW2K

ERGO - Intodo Solution ERGO - Intodo Solution Architecture Architecture

WebTier

Web Service

BusinessLogic

SAPHTTP MSMQ DCOM

SQL 2000

1. Customer Places Insurance Products in Shopping Basket

2. Details sent to Intodo

3. Insurance Policye-mailed to Customer

CIC

ST

ran

sa

ctio

nG

ate

wa

y

ERGO HLPA.NET ArchitectureERGO HLPA.NET Architecture

(HLPA - High Level Protocol Adaptor)

IBM CICSMainframe

ApplicationsIIS

W2K

WebService

Ho

st

Integ

ratio

nS

erve

r

LU6.2

ABV usingWeb Forms

Name

Ticker

CCY

Exch

Win Forms

Call Centre

Name

Ticker

CCY

Exch

Siebel

Clear2Pay - VisaClear2Pay - VisaA new system was A new system was required by the banks to required by the banks to automate the processing automate the processing of VISA Purchasing Card of VISA Purchasing Card transactionstransactions

New VAT requirements New VAT requirements and Euro complianceand Euro compliancePrevious solution was a Previous solution was a CD-Rom that had to be CD-Rom that had to be installed on merchant installed on merchant PCPCHad to meet the needs Had to meet the needs of wide variety of of wide variety of merchantsmerchants

Tectrade Tectrade (acquired by (acquired by Clear2Pay)Clear2Pay) were chosen were chosen because they because they demonstrated an Web demonstrated an Web Services approach Services approach

Developer BenefitsDeveloper Benefits

Ease of integrationEase of integration

time-to-market of three time-to-market of three monthsmonths

Flexibility to accommodate Flexibility to accommodate customers needscustomers needs

Customer BenefitsCustomer Benefits

Supports Multiple Channels Supports Multiple Channels

Continuous Real Time Continuous Real Time AuthorisationAuthorisation

direct links to the credit card direct links to the credit card networks improves security, networks improves security, increases speed and lowers increases speed and lowers the transaction cost the transaction cost

one solution for small and one solution for small and large merchantslarge merchants

easy integration with existing easy integration with existing applications applications

ClearPark SystemClearPark System

Advanced Web ServicesAdvanced Web ServicesAdvanced Web ServicesAdvanced Web Services

Nigel WatlingNigel [email protected]@microsoft.comMicrosoft EMEAMicrosoft EMEA

AgendaAgenda

Web Services ArchitectureWeb Services Architecture

SecuritySecurity

ReliabilityReliability

TransactionsTransactions

Web Services EnhancementsWeb Services Enhancements

Architectural FrameworksArchitectural Frameworks

Web Services ArchitectureWeb Services ArchitectureObjectives

Build on basic Web servicesBuild on basic Web services

Add capabilities necessary for Add capabilities necessary for enterprise-level computingenterprise-level computing

Secure, reliable and transacted Web Secure, reliable and transacted Web servicesservices

Preserve benefits that have led to Preserve benefits that have led to success of basic Web servicessuccess of basic Web services

InteroperabilityInteroperability

Ability to be implementedAbility to be implemented

Add no more complexity than neededAdd no more complexity than needed

Web Services ArchitectureWeb Services ArchitectureSpecifications

Open standards processOpen standards processSpecification proposed by industry leadersSpecification proposed by industry leaders

Microsoft, IBM, BEA, et al.Microsoft, IBM, BEA, et al.

Initial implementations of proposed Initial implementations of proposed specificationsspecifications

Feedback and interoperability workshopsFeedback and interoperability workshops

Proposed specification submitted to Proposed specification submitted to standards bodiesstandards bodies

W3C, IETF, OASISW3C, IETF, OASIS

WS-I promotes interoperabilityWS-I promotes interoperabilityProfiles interoperable use of specificationsProfiles interoperable use of specifications

Web Services ArchitectureWeb Services ArchitectureRoadmapRoadmap

Security ReliableMessaging

Transactions

Messaging

XML

Meta

data

TransportsTransports

Connected ApplicationsConnected Applications

Web Services Architecture Web Services Architecture Design PrinciplesDesign Principles

ComposableComposable

ModularModular

FederatedFederated

ReliableReliable

Decentralized and autonomousDecentralized and autonomous

Transport independentTransport independent

Web Services ArchitectureWeb Services ArchitectureComposabilityComposability

The cornerstone of WSAThe cornerstone of WSAEach specification solves an immediate Each specification solves an immediate need and is valuable in its own rightneed and is valuable in its own right

Combine independent specifications to Combine independent specifications to provide more powerful capabilitiesprovide more powerful capabilities

Enables incremental consumption and Enables incremental consumption and progressive discovery of new concepts, progressive discovery of new concepts, tools, servicestools, services

Allows development of core functionality, Allows development of core functionality, then supports additional capabilities then supports additional capabilities

Only pay for technology actually usedOnly pay for technology actually used

Web Services ArchitectureWeb Services ArchitectureMessagingMessaging

SOAPSOAPLanguage of Web service messagesLanguage of Web service messagesSOAP 1.1 is current standardSOAP 1.1 is current standardSOAP 1.2 is emerging standardSOAP 1.2 is emerging standard

WS-AddressingWS-AddressingMechanisms to address Web services and Mechanisms to address Web services and messagesmessagesEnables message exchange patterns beyond Enables message exchange patterns beyond HTTP request-responseHTTP request-responseDefines a resource modelDefines a resource model

Organization of resources behind a service is opaque Organization of resources behind a service is opaque to the clientto the clientKey abstraction is EndpointReferenceKey abstraction is EndpointReference

Supersedes WS-Routing and WS-ReferralSupersedes WS-Routing and WS-Referral

SecuritySecurity ReliableMessagingReliable

Messaging TransactionsTransactions

Messaging Messaging Meta

data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureMessagingMessaging

WS-EventingWS-EventingEvent-oriented message exchange Event-oriented message exchange pattern; publisher-subscriber protocolpattern; publisher-subscriber protocol

MTOMMTOMSOAP Message Transmission SOAP Message Transmission Optimization Mechanism (MTOM)Optimization Mechanism (MTOM)

Optimize transmission or wire format of Optimize transmission or wire format of SOAP messageSOAP message

Selective re-encoding of portions of the Selective re-encoding of portions of the message message

Supersedes WS-Attachments and DIME Supersedes WS-Attachments and DIME for attaching binary datafor attaching binary data




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureMetadata OverviewMetadata Overview

Interface DescriptionInterface DescriptionWSDL and XSDWSDL and XSD

PolicyPolicyFramework for making assertions about a Framework for making assertions about a service’s requirements, capabilities and service’s requirements, capabilities and preferencespreferences

Specific policy assertionsSpecific policy assertions

DiscoveryDiscoveryQuerying a central directory for resources (UDDI)Querying a central directory for resources (UDDI)

Inspecting a resource for metadata Inspecting a resource for metadata

(WS-MetadataExchange)(WS-MetadataExchange)

Dynamic announcement and discovery of Dynamic announcement and discovery of resources (WS-Discovery)resources (WS-Discovery)




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureMetadata – PolicyMetadata – Policy

WS-PolicyWS-Policy

Policy assertion represents an individual requirement, Policy assertion represents an individual requirement, capability or preferencecapability or preference

Extensible to other characteristicsExtensible to other characteristics

A policy is a collection of policy assertionsA policy is a collection of policy assertions

A policy assertion is represented by an XML element (a A policy assertion is represented by an XML element (a policy expression)policy expression)

A policy expression has a well-known name and A policy expression has a well-known name and meaning (i.e., published in a specification)meaning (i.e., published in a specification)

Assertion usage: required, rejected, optional, Assertion usage: required, rejected, optional, observed, ignoredobserved, ignored

Preference can be expressed when there are multiple Preference can be expressed when there are multiple choices for a capability or requirementchoices for a capability or requirement

Policy expression bound to policy subject, the resource it Policy expression bound to policy subject, the resource it describes (e.g., WS endpoint, object, resourcedescribes (e.g., WS endpoint, object, resource

Web Services ArchitectureWeb Services ArchitectureMetadata – PolicyMetadata – Policy

WS-PolicyAttachmentWS-PolicyAttachmentDefines a mechanism for attaching Defines a mechanism for attaching policy expressions to XML elements, policy expressions to XML elements, WSDL definitions, UDDI entriesWSDL definitions, UDDI entries

WS-PolicyAssertions WS-PolicyAssertions Defines general message assertionsDefines general message assertions

WS-SecurityPolicyWS-SecurityPolicyDefines common security assertionsDefines common security assertions




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureMetadata – DiscoveryMetadata – Discovery

UDDIUDDIUniversal Description, Discovery, and Universal Description, Discovery, and Integration Integration

Version 3.0 published July 2002Version 3.0 published July 2002Registry mechanism for Web servicesRegistry mechanism for Web services

WS-DiscoveryWS-DiscoveryMulticast discovery protocol to dynamically Multicast discovery protocol to dynamically locate Web serviceslocate Web services

WS-MetadataExchangeWS-MetadataExchangeRequest policy, contract, and schema from an Request policy, contract, and schema from an endpointendpointDefines messages to retrieve specific types of Defines messages to retrieve specific types of metadata associated with an endpointmetadata associated with an endpointBootstrap communication with a Web serviceBootstrap communication with a Web service

Efficient, incremental retrieval of WS Efficient, incremental retrieval of WS metadatametadata




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureSecurity OverviewSecurity Overview

Security is critical for cross-organizational Web Security is critical for cross-organizational Web servicesservicesWe need:We need:

Authentication, message integrity, confidentiality, trust Authentication, message integrity, confidentiality, trust and privacyand privacyFederation of security between organizationsFederation of security between organizations

Web services securityWeb services securitySecuring the messageSecuring the messageSupports various cryptographic technologiesSupports various cryptographic technologies

Secure conversationSecure conversationSecuring an ongoing exchange of messagesSecuring an ongoing exchange of messages

TrustTrustExtending trust relationships across distributed servicesExtending trust relationships across distributed services

FederationFederationJoining services into a single security domainJoining services into a single security domain




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureSecuritySecurity

WS-SecurityWS-SecuritySecuring the messageSecuring the message

Signed, encrypted security tokensSigned, encrypted security tokens

Sign message or selected elementsSign message or selected elements

Seal message or selected elementsSeal message or selected elements

Security token profilesSecurity token profilesWS-Security UsernameToken ProfileWS-Security UsernameToken Profile

WS-Security X.509 Certificate Token ProfileWS-Security X.509 Certificate Token Profile

Security using KerberosSecurity using KerberosWeb Services Security Kerberos BindingWeb Services Security Kerberos Binding




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data


WS-SecureConversationWS-SecureConversation

WS-Security not optimal for long duration, multi-message WS-Security not optimal for long duration, multi-message conversationsconversations

Initiating a secure conversationInitiating a secure conversation

Start conversation with WS-SecurityStart conversation with WS-Security

Then use WS-SecureConversation to agree on Then use WS-SecureConversation to agree on conversation-specific keysconversation-specific keys

Similar concept to initiating a session in SSLSimilar concept to initiating a session in SSL

WS-TrustWS-Trust

All security depends on trust relationshipsAll security depends on trust relationships

WS-Trust delegates trust relationships across distributed WS-Trust delegates trust relationships across distributed servicesservices

Key concept: Security Token ServiceKey concept: Security Token Service

Type of Web service that issues, exchanges and validates Type of Web service that issues, exchanges and validates security tokenssecurity tokens




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data


WS-FederationWS-Federation

Allow a set of organizations to establish a Allow a set of organizations to establish a virtual security domainvirtual security domain

Agent logged into any member of the Agent logged into any member of the federation is effectively logged into all federation is effectively logged into all federated membersfederated members

Several models for providing federated securitySeveral models for providing federated security

Federated property spaceFederated property space

Each participant has secure, controlled Each participant has secure, controlled access to each member’s property access to each member’s property information about usersinformation about users

End-user identity protected by pseudonym End-user identity protected by pseudonym modelmodel

Protects user information and properties from Protects user information and properties from other federated membersother federated members




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data


Federation requestor profilesFederation requestor profilesWS-Federation Active Requestor ProfileWS-Federation Active Requestor Profile

How WS-Federation is used by active How WS-Federation is used by active requestorsrequestors

E.g. connected applicationsE.g. connected applications

WS-Federation Passive Requestor ProfileWS-Federation Passive Requestor ProfileHow WS-Federation is used by passive How WS-Federation is used by passive requestorsrequestors

E.g. browsersE.g. browsers

Limited to HTTPLimited to HTTP




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Security ChoicesSecurity ChoicesPoint-to-point vs End-to-endPoint-to-point vs End-to-end

SSL/TLS/IPSecSSL/TLS/IPSecPoint to pointPoint to point

More performantMore performant

WS-SecurityWS-SecurityEnd-to-endEnd-to-end

Message levelMessage level

XML signing and encryption costly: XML signing and encryption costly: canonicalizationcanonicalization

WSE 1.0 and 2.0WSE 1.0 and 2.0

RecommendationRecommendationWS-Security preferredWS-Security preferred

HTTPS/IPSec for higher perf scenariosHTTPS/IPSec for higher perf scenarios

Web Services ArchitectureWeb Services ArchitectureReliable MessagingReliable Messaging

Reliability:Reliability:Essential for mission critical applicationsEssential for mission critical applicationsMust ensure messages are delivered and Must ensure messages are delivered and processed in orderprocessed in order

WS-ReliableMessagingWS-ReliableMessagingErrors can interrupt message exchangeErrors can interrupt message exchange

Messages may be lost, delayed, duplicated or Messages may be lost, delayed, duplicated or reorderedreorderedServer failures cause loss of volatile stateServer failures cause loss of volatile stateConnectivity may be intermittentConnectivity may be intermittent

Identify, track and acknowledge successful Identify, track and acknowledge successful transfertransfer

Unique identifiers for messages; sequence numbersUnique identifiers for messages; sequence numbersAcknowledgement of range in sequenceAcknowledgement of range in sequenceRetransmit lost messagesRetransmit lost messages

Assure end-to-end reliability; transport Assure end-to-end reliability; transport independenceindependenceReliability enhances securityReliability enhances security




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Reliable MessagingReliable MessagingChoicesChoices

MSMQMSMQPart of WindowsPart of WindowsReliable, proven, high performance traditional queuing Reliable, proven, high performance traditional queuing infrastructure and APIinfrastructure and APIThe next version of MSMQ will interoperate with IndigoThe next version of MSMQ will interoperate with IndigoMSMQ 3.0 (XP, CE and 2003) can use HTTP and SOAPMSMQ 3.0 (XP, CE and 2003) can use HTTP and SOAPSystem.Messaging is the managed APISystem.Messaging is the managed API

BizTalk Server 2004 Messaging QueuingBizTalk Server 2004 Messaging QueuingHigh performance adapter for MSMQ (“MSMQ-T”)High performance adapter for MSMQ (“MSMQ-T”)Used to integrate an MSMQ application with Biztalk Used to integrate an MSMQ application with Biztalk Server 2004Server 2004

SQL Server 2005 Service BrokerSQL Server 2005 Service BrokerEnables database developers to build (internal) queuing Enables database developers to build (internal) queuing semantics into Microsoft SQL Server 2005 applicationssemantics into Microsoft SQL Server 2005 applicationsE.g. E.g. A database app Stores & Forwards records to A database app Stores & Forwards records to another Yukon Server for processinganother Yukon Server for processing




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureTransactionsTransactions

TransactionsTransactionsNeed to protect investment in existing transaction Need to protect investment in existing transaction infrastructureinfrastructureExtend to various kinds of distributed activitiesExtend to various kinds of distributed activities

WS-Coordination WS-Coordination Defines base protocols to establish coordinated activities Defines base protocols to establish coordinated activities among servicesamong servicesOnce established, an activity may be governed by an Once established, an activity may be governed by an agreed on coordination protocolagreed on coordination protocol

E.g. protocol to agree on outcome of the activityE.g. protocol to agree on outcome of the activity

WS-AtomicTransactionWS-AtomicTransactionCoordination protocols for distributed atomic transactionsCoordination protocols for distributed atomic transactionsLocal 2PC transactions can participate in larger, Local 2PC transactions can participate in larger, distributed transactiondistributed transaction

WS-BusinessActivityWS-BusinessActivityCoordination protocols for long-running, compensation-Coordination protocols for long-running, compensation-based transactionsbased transactions




data

Meta

data

XMLXML




data

Meta

data

XMLXML


Transactions

Messaging

XML

Meta

data

Web Services ArchitectureWeb Services ArchitectureTransactionsTransactions

Web ServicesActivities

WS-CoordinationCoordinated Activities

WS-BusinessActivityCoordinated outcome

short-lived activities within a

domain of trust

handling system-generated exceptions

activities transcend one domain of trust

tentative operations, intermediate results visible to third-parties

handling application-generated exceptions

WS-AtomicTransactionAll-or-nothing coordination

TransactionsTransactionsChoicesChoices

ACID TransactionsACID TransactionsSystem.EnterpriseServicesSystem.EnterpriseServicesDeclarative attributesDeclarative attributesSqlTransactionSqlTransaction

Business ActivitiesBusiness ActivitiesBizTalk Server 2004BizTalk Server 2004

But what about the WS-Tx protocols?But what about the WS-Tx protocols?We need a transaction manager (i.e. MSDTC) that We need a transaction manager (i.e. MSDTC) that can:can:

Understand WS-AtomicTransaction and WS-Understand WS-AtomicTransaction and WS-BusinessActivityBusinessActivityBridge the gap to Resource Managers like SQL ServerBridge the gap to Resource Managers like SQL Server

Note: System.Transactions will ship as part of Note: System.Transactions will ship as part of Visual Studio 2005Visual Studio 2005

Evolve and Extend

Secure, Reliable, Transacted

Fundamentals

Web Services ArchitectureWeb Services ArchitectureTimelineTimeline

20032000 2001 2002 2004 2005

WS-ReliableMessagingWS-ReliableMessaging

Relia

bility

Relia

bility

WS-I formedWS-I formed

Inte

rop

era

bility

Inte

rop

era

bility

WS-I BP 1.0WS-I BP 1.0

Security RoadmapSecurity Roadmap

Wh

itep

ap

ers

Wh

itep

ap

ers

Reliable Messaging RoadmapReliable Messaging RoadmapSRT Web Services WhitepaperSRT Web Services Whitepaper

WS-SecurityWS-Security

WS-TrustWS-Trust

Secu

rityS

ecu

rity

WS-Security AddendumWS-Security Profile for Tokens

WS-Security AddendumWS-Security Profile for Tokens

WS-FederationWS-Federation Active Requestor Profile

WS-FederationWS-Federation Active Requestor Profile

WS-Security SOAP Message SecurityWS-Security Username Token ProfileWS-Security X.509 Certificate Token Profile

WS-Security SOAP Message SecurityWS-Security Username Token ProfileWS-Security X.509 Certificate Token Profile

WS-Security Kerberos BindingWS-Security Kerberos Binding

WS-CoordinationWS-Transaction

WS-CoordinationWS-Transaction

Tra

nsa

ction

sTra

nsa

ction

s

WS-AtomicTransactionWS-AtomicTransaction

WS-BusinessActivityWS-BusinessActivity

SOAP 1.1SOAP 1.1

Messa

gin

gM

essa

gin

g

SOAP Messages with Attachments

SOAP Messages with Attachments

WS-ReferralWS-Routing

WS-ReferralWS-Routing

DIMEDIME WS-AttachmentsWS-Attachments

WS-AddressingWS-AddressingSOAP 1.2SOAP 1.2

MTOMMTOMWS-EventingWS-Eventing

WS-Policy 1.1WS-PolicyAttachments 1.1WS-PolicyAssertions 1.1

WS-Policy 1.1WS-PolicyAttachments 1.1WS-PolicyAssertions 1.1

WS-PolicyWS-PolicyAttachmentsWS-PolicyAssertionsWS-SecurityPolicy

WS-PolicyWS-PolicyAttachmentsWS-PolicyAssertionsWS-SecurityPolicy

Meta

data

Meta

data

UDDI 1.0UDDI 1.0

WSDLWSDLUDDI 2.0UDDI 2.0

WS-InspectionWS-InspectionUDDI 3.0UDDI 3.0

WS-DiscoveryWS-MetadataExchange

WS-DiscoveryWS-MetadataExchange

As of 2/2004

Web Services ArchitectureWeb Services ArchitectureProcessProcess

Specification Specification PublishedPublished

Customer and Customer and Industry Industry

FeedbackFeedbackGatheredGathered

Publish Publish Addendum(s),Addendum(s),

Deliver Dev Deliver Dev ProductProduct

StandardizationStandardization WS-IWS-IInteroperability Interoperability

ProfileProfile

Web Services ArchitectureWeb Services Architecture

Example:Example: WS-Security WS-Security

Specification Specification PublishedPublished

Customer and Customer and Industry Industry

FeedbackFeedbackGatheredGathered

Publish Publish Addendum,Addendum,Deliver Dev Deliver Dev

ProductProduct

OASIS OASIS StandardizationStandardization

April April 20022002

April - August April - August

20022002

August August 20022002

September September 20022002

WS-IWS-IInteroperability Interoperability

ProfileProfile

April April 20032003

ThreeThreePartnersPartners

Over 30 Over 30 PartnersPartners

Over 100 Over 100 PartnersPartners

Feedback WorkshopsFeedback Workshops

March 2003

WS-Policy and

WS-Trust

2002

February 2004

WS-EventingJuly 2003WS-

ReliableMessaging

February 2003

WS-Policy and WS-Trust November

2003WS-Federation

March 2004WS-

Transaction

Q2 2004WS-

SecureConversationWS-Trust

WS-FederationWS-Discovery

Open to everyone (feedback agreement)Open to everyone (feedback agreement)

Specification revised based on feedbackSpecification revised based on feedback

Yield well-engineered technologyYield well-engineered technology

Provide fastest time to marketProvide fastest time to market

Interoperability Events & Interoperability Events & WorkshopsWorkshops

August 2002XML Web Services

One

September 2003 Bill Gates (Microsoft)

Steve Mills (IBM)

October 2003WS-

ReliableMessaging

Nov 2003WS-Trust

WS-SecureConversation

September 2003 OASISWS-Security

December 2002

CDBi - EMEA

July 2003Catalyst(Burton

conference)

SOAPBuilders

2002

March 2004WS-Federation Passive Profile

H2 2004WS-

SecureConversationWS-Trust

WS-ReliableMessaging

WS-PolicyWS-

AtomicTransactionWS-BusinessActivity

WS-Discovery

Specification revised based on interoperability Specification revised based on interoperability feedbackfeedback

Helps refine the important scenariosHelps refine the important scenarios

Grounds the development effortsGrounds the development efforts

Web Services Enhancements Web Services Enhancements WSEWSE

Supported Add-on to VS.NET and the .NET Supported Add-on to VS.NET and the .NET Framework providing the latest advanced Web Framework providing the latest advanced Web service capabilities service capabilities

Greatly simplifies development of secure Web services Greatly simplifies development of secure Web services across multiple intermediaries and trust domainsacross multiple intermediaries and trust domainsAdditional features include support for multiple hosting Additional features include support for multiple hosting environments, alternative transports, and message environments, alternative transports, and message routingroutingRevs more quickly than VS.NET to provide early Revs more quickly than VS.NET to provide early implementations of the latest WS-* specifications implementations of the latest WS-* specifications published by Microsoft and industry partnerspublished by Microsoft and industry partners2 years mainstream + 1 year extended support2 years mainstream + 1 year extended support

Deployed and in production in numerous Deployed and in production in numerous enterprise accounts todayenterprise accounts todayDownload from Download from http://msdn.microsoft.com/webserviceshttp://msdn.microsoft.com/webservices

http://msdn.microsoft.com/webservices

Web Services Enhancements Web Services Enhancements

WSE is for early adoptersWSE is for early adoptersUse where functionality is needed Use where functionality is needed todaytoday

WSE provides needed functionalityWSE provides needed functionality

Implements proposed standardsImplements proposed standards

Avoids creating and implementing Avoids creating and implementing proprietary solutionsproprietary solutions

When the architecture changes, the When the architecture changes, the product changesproduct changes

Rooted in open standards Rooted in open standards

Underlying specifications are maturingUnderlying specifications are maturing

Effort to keep changes smallEffort to keep changes small

Web Services Enhancements Web Services Enhancements

RoadmapRoadmap

WS

-IS

up

port

ASP.NET

Basic Web services

WSE 1.0

Adds certain proposed specifica-tions

WSE 2.0

Adds more proposed specifica-tions

Whidbey

…

BP 1.0 capable

BP 1.0 capable

BP 1.0 capable

BP 1.0 compliant

Indigo

…

BP 1.0 compliant

…

WSE 1.0WSE 1.0Features OverviewFeatures Overview

WS-SecurityWS-Security

X509 certificates, digital signatures, X509 certificates, digital signatures, XML encryption, and custom binary XML encryption, and custom binary security tokenssecurity tokens

Content based routingContent based routing

Attachments with DIMEAttachments with DIME

Custom filtering modelCustom filtering model

WSE 2.0 WSE 2.0 New FeaturesNew Features

Multiple transportsMultiple transportsHTTP, TCP, in-processHTTP, TCP, in-process

Hosting environment independenceHosting environment independenceMessagingMessaging

WS-AddressingWS-Addressing

MetadataMetadataPolicyPolicy

SecuritySecurityImproved authentication and authorization Improved authentication and authorization OASIS WS-Security supportOASIS WS-Security supportTrust, secure conversation, security policiesTrust, secure conversation, security policiesKerberos, XML security token supportKerberos, XML security token support

WSE 2.0WSE 2.0Comparing WSE 1.0 and 2.0Comparing WSE 1.0 and 2.0

WSE 1.0 and 2.0 WSE 1.0 and 2.0 SecuritySecurity

AuthenticationAuthenticationSupport for common typesSupport for common types

IntegrityIntegrityNonrepudiation: verify the senderNonrepudiation: verify the sender

Verify message contentsVerify message contents

ConfidentialityConfidentialityPrivacyPrivacy

Symmetric and asymmetric Symmetric and asymmetric cryptographycryptography

XML

WSE 2.0WSE 2.0SecuritySecurity

Trust Issuing Framework (WS-Trust)Trust Issuing Framework (WS-Trust)

Secure Conversation (WS-Secure Conversation (WS-SecureConversation) SecureConversation)

Roles based authorization Roles based authorization

Security Policy (WS-SecurityPolicy)Security Policy (WS-SecurityPolicy)

WSE 2.0WSE 2.0TrustTrust

Relationships and identity: signed Relationships and identity: signed security tokenssecurity tokens

How do I prove who I am?How do I prove who I am?

Who can vouch for me?Who can vouch for me?

How do you know you can trust them?How do you know you can trust them?

WS-Trust defines a protocol for WS-Trust defines a protocol for issuing and obtaining security tokensissuing and obtaining security tokens

WSE 2.0WSE 2.0TrustTrustSeveral models for Several models for

issuing tokensissuing tokensClient obtains token Client obtains token from a well known from a well known sourcesource

Service obtains token Service obtains token for clientfor client

Etc…Etc…

Client

Token Issuer

Service

Client Service

TokenIssuer 2

TokenIssuer 1

Client

TokenIssuer

Service

WSE 2.0WSE 2.0Secure ConversationSecure Conversation

WS-SecureConversation details how to WS-SecureConversation details how to issue a SecurityContextToken (SCT)issue a SecurityContextToken (SCT)

In WSE, this lightweight token takes the In WSE, this lightweight token takes the place of a more processing intensive tokenplace of a more processing intensive token

Services can issue their own SCTs:Services can issue their own SCTs: <autoIssueSCT enabled=true /><autoIssueSCT enabled=true />

Client

ServiceAnd

TokenIssuer

Request for SCT

SCT Issued to client

Series of messages

signed with issued SCT

WSE 2.0WSE 2.0Policy Driven ArchitecturePolicy Driven Architecture

Beyond WSDL, what else is needed to Beyond WSDL, what else is needed to describe a Web service?describe a Web service?

Security requirementsSecurity requirements

Reliable messaging assurancesReliable messaging assurances

Protocol versioningProtocol versioning

Etc…Etc…

These other attributes of a service can be These other attributes of a service can be described with WS-Policydescribed with WS-Policy

XML-based languageXML-based language

Complex: <Or>, <ExactlyOne>, etc…Complex: <Or>, <ExactlyOne>, etc…

WSE provides a Policy Framework with WSE provides a Policy Framework with send-side and receive-side policy supportsend-side and receive-side policy support

WSE 2.0WSE 2.0Policy MappingPolicy Mapping

Policy file contains policies and Policy file contains policies and mappingsmappings

A policy is mapped to a particular A policy is mapped to a particular message at runtimemessage at runtime

Mapping section scopes based on:Mapping section scopes based on:Endpoint URLEndpoint URL

ActionAction

Request vs. Response vs. FaultRequest vs. Response vs. Fault

WSE 2.0WSE 2.0Role-based Authorization with Role-based Authorization with PolicyPolicy

IPrincipal is the .NET interface for IPrincipal is the .NET interface for role-based authorizationrole-based authorizationbool IsInRole(String str)bool IsInRole(String str)

SecurityToken.PrincipalSecurityToken.PrincipalImplementation of IPrincipalImplementation of IPrincipal

Automatically set for UsernameToken Automatically set for UsernameToken and KerberosSecurityTokenand KerberosSecurityToken

Call method explicitly or use PolicyCall method explicitly or use Policy<wse:Role value=“role” /><wse:Role value=“role” />

WSE 2.0WSE 2.0Multiple Hosting EnvironmentsMultiple Hosting Environments

Applications can be hosted in Applications can be hosted in multiple environments: multiple environments: ASP.NET, .exe, NT Service, WinForms, ASP.NET, .exe, NT Service, WinForms, etc.etc.

Support for multiple transportsSupport for multiple transportsin-process communication (for testing)in-process communication (for testing)

Raw TCPRaw TCP

HTTPHTTP

Long running operationsLong running operations

WSE 2.0WSE 2.0SOAP Messaging APISOAP Messaging API

WSE offers four classes for messagingWSE offers four classes for messaging

SoapSenderSoapSender and and SoapReceiverSoapReceiverOne way messagesOne way messages

Low-levelLow-level

SoapClientSoapClient and and SoapServiceSoapServiceOne-way and two-wayOne-way and two-way

Uses SoapSender/SoapReceiverUses SoapSender/SoapReceiver

Offers XML Serialization support Offers XML Serialization support

Operation dispatchingOperation dispatching

WSE 2.0 WSE 2.0 AttachmentsAttachments

Data that is hard to serializeData that is hard to serializeBinary dataBinary data

Encoded dataEncoded data

Large XML documentsLarge XML documents

DIMEDIMEPayload appended after SOAP envelopePayload appended after SOAP envelope

SOAP envelope availabilitySOAP envelope availability

WS-Attachments and DIME will be WS-Attachments and DIME will be superseded by MTOMsuperseded by MTOM

Addresses concerns such as securing Addresses concerns such as securing attachmentsattachments

Additional WSE FeaturesAdditional WSE Features

New SamplesNew Samples

Security Settings WizardSecurity Settings Wizard

Standalone Config EditorStandalone Config Editor

X509 Certificate Wizard for managing X509 Certificate Wizard for managing your certificatesyour certificates

How do I build a SOA How do I build a SOA with .NET?with .NET?ShadowfaxShadowfaxShadowfax is a reference solution for Shadowfax is a reference solution for

building service oriented architecture with building service oriented architecture with the .NET Framework. It includes 3 main the .NET Framework. It includes 3 main pieces: pieces:

Enterprise Development Reference Architecture Enterprise Development Reference Architecture

Global Bank – Service Orientation Reference Global Bank – Service Orientation Reference ApplicationApplication

Architecture guide defining the key elements of Architecture guide defining the key elements of SOASOA

Releases:Releases:.NET 1.1 release: Summer 2004.NET 1.1 release: Summer 2004

Full implementation: Visual Studio 2005 Full implementation: Visual Studio 2005

More details:More details:http://www.gotdotnet.com/team/rojacobs/http://www.gotdotnet.com/team/rojacobs/

http://www.gotdotnet.com/team/rojacobs/

The ApproachThe Approach

Reference Architecture

Reference Implementation

• Integration of application blocks and services

• Use of .NET framework to expose service interfaces

• Multiple channels • …

• Small set of use case implementing believable user scenario

• Illustration of the use of key features of the architecture

Documentation

Recurring Architecture Recurring Architecture

Biz Component

Channels

Intercepting Filtersand Dispatching

Biz Operation Invocation

Shadowfax ArchitectureShadowfax Architecture

Proxy AdapPipelineSpecification

Proxy Adap

Proxy Adap

Proxy Adap

WebServ

MSMQ

Remoting

…

PipelineSpecification

Biz ActionComponent

ServiceInterfacePipeline

ServiceImplementation

Pipeline

ChannelsService Interface

ServiceInvocation Service Implementation

DCOMIn-procASMXMSMQ

ServiceAgent

Target ResultTarget Result

Guidance on how to consistently Guidance on how to consistently handle requests incoming over handle requests incoming over multiple channelsmultiple channels

Guidance on how to separate Guidance on how to separate business logic implementation from business logic implementation from addressing other requirements addressing other requirements

Guidance on how to handle different Guidance on how to handle different kinds of request payloads (from a kinds of request payloads (from a blob to strongly typed structures) blob to strongly typed structures)

Demonstration of end-to-end Demonstration of end-to-end integration of building blocks integration of building blocks

FABRIQFABRIQFABRIQFABRIQ

Q.NET + ES + WSE + SOA + HPC + Q.NET + ES + WSE + SOA + HPC + AgentAgent

FABRIQFABRIQ

Who?Who?Arvindra Sehmi, MS EMEA, DPE – Project LeadArvindra Sehmi, MS EMEA, DPE – Project Lead

[email protected]@microsoft.com

Clemens Vasters, newtelligence AG – Architect LeadClemens Vasters, newtelligence AG – Architect LeadEugenio Pace, MS Argentina, MCS – Development LeadEugenio Pace, MS Argentina, MCS – Development Lead

What?What?High performance, industrial strength architecture High performance, industrial strength architecture for .NET service oriented applications built on a fabric of for .NET service oriented applications built on a fabric of message-oriented, interconnected, distributed queuing message-oriented, interconnected, distributed queuing networksnetworksWSE best practices applicationWSE best practices applicationAgile Machine frameworkAgile Machine framework

Why?Why?Enable easier adoption of asynchronous computing Enable easier adoption of asynchronous computing models by a wider architect and developer communitymodels by a wider architect and developer communityBridge the cognitive gap on the road to Longhorn IndigoBridge the cognitive gap on the road to Longhorn Indigo

mailto:[email protected]

FABRIQFABRIQ

When?When?Summer 2004Summer 2004

How?How?High quality framework, documented design and High quality framework, documented design and architecturearchitectureBenchmarked using real-world scenarioBenchmarked using real-world scenarioMS EMEA Industrial Strength .NET SOA workshopsMS EMEA Industrial Strength .NET SOA workshopsnewtelligence AG Tornado Camp workshopsnewtelligence AG Tornado Camp workshops

ReferenceReferenceSlides: Slides: http://www.thearchitectexchange.comhttp://www.thearchitectexchange.comDemo: Demo: http://www.dotnetmaailma.com/dotnetmaailma/seminaarhttp://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EMEA+Architects+Tour.htmit/online/EMEA+Architects+Tour.htm Code: Code: http://staff.newtelligence.net/clemensvhttp://staff.newtelligence.net/clemensv Presentation: Presentation: http://www.dotnetmaailma.com/dotnetmaailma/seminaarhttp://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EmeaArchitectForum2004.htmit/online/EmeaArchitectForum2004.htm

DisclaimerDisclaimerFABRIQ IS FABRIQ IS NOTNOT A MICROSOFT PRODUCT A MICROSOFT PRODUCT

http://www.thearchitectexchange.com/

http://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EMEA+Architects+Tour.htm

http://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EMEA+Architects+Tour.htm

http://staff.newtelligence.net/clemensv

http://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EmeaArchitectForum2004.htm

http://www.dotnetmaailma.com/dotnetmaailma/seminaarit/online/EmeaArchitectForum2004.htm

© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Documents

Advanced Services - Beyond the Basics Case Studies II Lawrence Wilkes