
Services Monitoring and Management at runtime

Skill Level: Intermediate

Yu Chang Jiao ([email protected]), Software Engineer, IBM

21 Jan 2010

Services monitoring and management enables you to monitor your services, provides management and governance methods, lets you gain control over deployed services, and gives you flexibility in service deployment and interactions to meet the needs of the business.

Overview

Services monitoring and management, which lets you monitor your services and provides management and governance methods, is becoming more and more important throughout the SOA lifecycle. It allows organizations to gain control over their deployed services and gives them flexibility in service deployment and interactions to meet the needs of the business. Effective management of this lifecycle is the key goal of SOA governance. This article describes a services monitoring and management framework, IBM Services Monitoring and Management (ISMM for short), built on IBM products. It also demonstrates new features of those products, including IBM® WebSphere® Service Registry and Repository V6.2, IBM® Tivoli® Composite Application Manager for SOA V7.1.1, WebSphere® Application Server V7.0, Tivoli® Security Policy Manager V7.0 and WebSphere DataPower V3.7.3. More importantly, it shows how ISMM addresses service security problems, which are becoming more pressing every day.

Problems encountered in our SOA lifecycle and our ISMM solution architecture

With the widespread adoption of Service Oriented Architecture (SOA for short), businesses are becoming more flexible, business processes more dynamic, integrations easier and costs lower. Meanwhile, new problems have arisen, and enterprises are not receiving all the benefit they expected from SOA.

The first problem is how to manage and control services like any other resource. Services are valuable assets inside the enterprise and must be managed as such. Today, however, monitoring and managing services is difficult. Almost nobody knows how many services are in place, where they are or what they do. The IT organization has no information on the usage and state of services, and no way to visualize which services are running, so services are often duplicated twice or more. These duplicated Web services must be identified, which means service usage statistics must be collected and analyzed. Only then can the promise of reduced maintenance costs with SOA be realized.

The second kind of problem is how to monitor and use Quality of Service (QoS for short). The services used in a business process cannot be static: in certain situations a service must be selected at runtime from a set of candidates based on QoS. Only available Web services should be used, and calls to offline Web services must not even be attempted. Sometimes poorly performing service endpoints must be discovered and taken out of rotation based on configured thresholds, so that service calls can be routed based on QoS.

The third kind of problem is how to report service health and alerts dynamically. Clients need to monitor service health metrics at the business level to help identify Service Level Agreement (SLA for short) violations and service outages, and they need a way to visualize these metrics. Furthermore, alerts must be sent automatically when violations are detected so that administrators can take action.

The fourth kind of problem is security. Enterprises find that services are not used internally because they cannot be trusted, and there are many security threats from external access. They cannot open up services to customers, partners and suppliers for lack of security. Service usage is cumbersome because multiple authentication and authorization systems are needed to give partners access. Service security is therefore also an important issue that must be solved.

To solve these problems, an IBM Services Monitoring and Management framework based on IBM products and solutions has been developed. Figure 1 shows the architecture of the ISMM solution.

Figure 1. Architecture of ISMM solution


Figure 1 is the design architecture of the ISMM solution, which we divide into three layers. The first is the client layer, through which services are provided to clients and business partners. Service requests must be authenticated and authorized, so a DMZ (demilitarized zone) forms the second layer and hosts the components that perform authentication and authorization.

Inside the enterprise is the enterprise layer, the most important one. The Directory Server stores user profiles and provides a trusted identity data infrastructure for authentication. The Process Server is a high-performance business process automation engine that helps you build processes that meet your business goals. The Enterprise Service Bus (ESB for short) enables fast and flexible application integration at reduced cost and bridges to next-generation interconnectivity. The Process Server and ESB deployed here can also dynamically determine which service to use based on QoS.

The Service Registry & Repository provides visibility and governance for SOA services, policies and associated metadata. Security Policy helps strengthen application access, facilitates compliance and supports operational governance across the IT infrastructure. All of these components rest on IT Service Management (ITSM), which monitors your SOA lifecycle to ensure high availability and performance and offers integrated management tools that speed up and simplify the identification and resolution of SOA problems.

Figure 2. Product mapping of ISMM solution


Figure 2 is the product mapping of the ISMM solution; each product in Figure 2 corresponds to a component in Figure 1. The WebSphere® DataPower SOA Appliance is the security gateway that authenticates and authorizes service requests. Tivoli® Directory Server is the Directory Server that stores user profiles. WebSphere® ESB is the ESB that implements service selection and routing based on QoS. WebSphere® Service Registry and Repository is the Service Registry and Repository component that implements service registration and management. Tivoli® Security Policy Manager is the Security Policy component that manages security policy. Tivoli® Composite Application Manager for SOA is the ITSM component that monitors and manages QoS data.

The ISMM solution can be implemented with these IBM products, which let you monitor your services and provide management and governance methods throughout the SOA lifecycle.

Controlling and eliminating "rogue services"

Figure 3. Monitoring and Analysis of Rogue services


Services must be managed like any other resource; only then can they be monitored and issues mediated. The ITCAM for SOA platform can monitor only services that are actually invoked, and collects usage, performance and availability metadata for them. WSRR is the central registry and repository of services, and services should be registered there. To transfer this metadata, ISMM uses Discovery Library Adapters (DLA for short): a DLA is a program that extracts data from a source application and generates an XML file, called a discovery library adapter book, in the Identity Markup Language (IdML) XML format. A DLA book describes the relationships between services, service ports, operations, business processes, and the application servers and computer systems on which they are deployed. Users load these files into TCORE and display the result on the Tivoli® Enterprise Portal. ISMM uses two sources: ITCAM for SOA, which contributes information on running services, and WSRR, which contributes information on registered services. Refer to the ITCAM for SOA information center for details.

After the DLA books are loaded successfully, service-to-service relationships and the topology are built automatically in ITCAM for SOA. Service usage, registry status, flows and relationships are also displayed on the Tivoli® Enterprise Portal.

As you can see in Figure 4, rogue services are those marked with a red rectangle: services observed by ITSM but not registered in the Service Registry and Repository. You can also identify services that have been registered in WSRR but never invoked at all; these are marked with a yellow rectangle in Figure 4 and are called shelf-ware services. The fewer shelf-ware services, the better the SOA implementation. There is a further kind of service that is only observed and never registered, which you can call a rigid service. Rigid services are out of control and undermine service management, so you must eliminate them.

Figure 4. Services Overview in TEP

By means of the above process, duplicated Web services can be identified and unused services reported to limit shelf-ware. The IT organization gains information on the usage of deployed services and a way to visualize which services are running. Only then can the promise of reduced maintenance costs with SOA be realized.
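The reconciliation that the DLA books make possible can be expressed directly: take the observed inventory from the monitor and the registered inventory from the registry and diff them by service identity. The following is an added example written for this article, not IBM code; its inventory XML is a constructed, simplified format rather than the real DLA book schema, and all service names and endpoints are made up. Beyond the two categories in the figure it also flags duplicated operations, since the article asks for those to be identified.

```python
"""Reconcile services observed at runtime against services in the registry.

Added example for this article; it is not IBM code. The XML below is a
constructed, simplified inventory listing and is NOT the IdML schema that
real DLA books use; service names and endpoints are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: services the monitoring side (ITCAM for SOA) saw invoked.
OBSERVED_XML = """<inventory source="itcam">
  <service namespace="http://example.com/credit" port="VerifyCreditPort"
           operation="verifyCredit" endpoint="http://app1.example.com:9080/credit"/>
  <service namespace="http://example.com/credit" port="VerifyCreditPort"
           operation="verifyCredit" endpoint="http://app2.example.com:9080/credit"/>
  <service namespace="http://example.com/hr" port="SalaryPort"
           operation="updateEmployeeSalary" endpoint="http://hr.example.com:9080/hr"/>
</inventory>"""

# Constructed sample: services registered in WSRR.
REGISTERED_XML = """<inventory source="wsrr">
  <service namespace="http://example.com/credit" port="VerifyCreditPort"
           operation="verifyCredit" endpoint="http://app1.example.com:9080/credit"/>
  <service namespace="http://example.com/billing" port="InvoicePort"
           operation="createInvoice" endpoint="http://bill.example.com:9080/invoice"/>
</inventory>"""


def parse_inventory(xml_text):
    """Return {(namespace, port, operation): set(endpoint)} for one inventory."""
    services = defaultdict(set)
    for s in ET.fromstring(xml_text).iter("service"):
        key = (s.get("namespace"), s.get("port"), s.get("operation"))
        services[key].add(s.get("endpoint"))
    return services


def reconcile(observed_xml, registered_xml):
    """Classify services the way the TEP overview colours them.

    rogue      : (operation, endpoint) pairs seen at runtime but not registered,
                 i.e. deployments nobody governs
    shelf_ware : operations registered in WSRR but never invoked
    duplicated : one operation served from more than one observed endpoint;
                 a human still has to decide whether these are true duplicates
    """
    observed = parse_inventory(observed_xml)
    registered = parse_inventory(registered_xml)
    rogue = sorted((key, ep) for key, eps in observed.items()
                   for ep in eps if ep not in registered.get(key, set()))
    shelf_ware = sorted(key for key in registered if key not in observed)
    duplicated = sorted(key for key, eps in observed.items() if len(eps) > 1)
    return {"rogue": rogue, "shelf_ware": shelf_ware, "duplicated": duplicated}


if __name__ == "__main__":
    for kind, items in reconcile(OBSERVED_XML, REGISTERED_XML).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Rogue detection is done per endpoint rather than per operation on purpose: an unregistered host serving an operation that is itself registered is exactly the ungoverned deployment the article warns about, and an operation-level diff would hide it.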

Monitor and utilize the QoS of services

Qualities of service (QoS for short) such as performance and availability can be collected and used for dynamic service endpoint resolution. As our businesses become more dynamic, the Web services used in business processes cannot be static; they must be selected at runtime from a set of services defined in an external service registry. We also need service availability management: only available Web services should be used, and calls to offline Web services must not even be attempted. Poorly performing service endpoints must therefore be discovered and made unavailable based on configured thresholds.

In the ISMM solution, using WSRR, the ITCAM for SOA platform and an Enterprise Service Bus, the ESB can use a mediation to dynamically retrieve service health information from WSRR and route service requests so that adequate quality of service is maintained. The ITCAM for SOA platform monitors the running services and updates their metadata in WSRR to reflect current runtime status for performance, availability and so on.

Figure 5. Services Overview in TEP

Figure 5 shows the retrieval of candidate service statistics and the dynamic selection of, and late binding to, a service endpoint. As you can see from Figure 5, the ITCAM for SOA platform, WebSphere® Enterprise Service Bus and WebSphere® Service Registry and Repository are used in this scenario. The provider service is selected dynamically based on the client's request. The whole procedure is:

1. The ITCAM for SOA platform collects QoS data for services, such as their availability and performance.

2. All collected QoS data is synchronized to WSRR by the ITCAM for SOA Integration Module to update the corresponding service metadata. Refer to ftp://ftp.software.ibm.com/software/integration/support/supportpacs/individual/sa04_UserGuide_6.0.2.pdf for details of the ITCAM for SOA Integration Module.

3. WESB receives the client's service request. The client identity token and other related information are encapsulated in the request message.

4. When a message is received, the ESB reads the policy information and attributes from WSRR, runs a matching algorithm, and selects the appropriate service based on the observed quality of service in the environment. To do this, add a Custom Mediation primitive immediately after the Endpoint Lookup primitive in WESB. The Java™ code in the Custom Mediation sorts the WSRR Endpoint Lookup results in ascending order of the WSRR "ResponseTime" property and sets the routing target (destination URL) to the URL with the lowest "ResponseTime". The primitive also has a promotable property, "ResponseLimit": any endpoint whose "ResponseTime" is greater than "ResponseLimit" is rejected, so the "fastest" endpoint chosen is always one within the configured limit.

5. The requester is bound to the selected service endpoint and then invokes it.

6. Routing can also take the client's priority into account: a client with low priority is routed to the first service endpoint, while a client with high priority is routed to the second service endpoint.
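The selection logic of step 4, with the availability requirement from the problem statement folded in, as an added example written for this article. It is not the article's Custom Mediation code and uses no WESB or WSRR API; the candidate list is constructed to stand in for the Endpoint Lookup results. "ResponseTime" and "ResponseLimit" are the property names the article uses, while the Available flag, the LastUpdated timestamp, the millisecond unit and the freshness check on stale monitoring data are assumptions added here.

```python
"""Choose the routing target from WSRR Endpoint Lookup results by QoS.

Added example for this article; it is not the Custom Mediation Java code and
uses no WESB or WSRR API. The candidate records are constructed dicts standing
in for the lookup results. "ResponseTime" and "ResponseLimit" are the
property names the article uses; "Available", "LastUpdated", the millisecond
unit and the max_age freshness check are assumptions added here.
"""


class NoHealthyEndpoint(Exception):
    """Raised so the mediation fails the request instead of calling a bad endpoint."""


NOW = 1_000_000  # constructed 'current time' in epoch seconds

# Constructed lookup results: ResponseTime in ms, LastUpdated = when the
# monitor last pushed this endpoint's metadata into the registry.
CANDIDATES = [
    {"url": "http://app1.example.com:9080/credit", "ResponseTime": 420,
     "Available": True, "LastUpdated": NOW - 60},
    {"url": "http://app2.example.com:9080/credit", "ResponseTime": 95,
     "Available": True, "LastUpdated": NOW - 400},
    {"url": "http://app3.example.com:9080/credit", "ResponseTime": 30,
     "Available": False, "LastUpdated": NOW - 10},
    {"url": "http://app4.example.com:9080/credit", "ResponseTime": 1800,
     "Available": True, "LastUpdated": NOW - 20},
]


def select_endpoint(candidates, response_limit, now=NOW, max_age=300):
    """Return the URL with the lowest ResponseTime among usable endpoints.

    An endpoint is usable only if it is marked available (offline services are
    never even attempted), its health data is no older than max_age seconds
    (stale data from the monitor is treated as unknown, not as healthy), and
    its ResponseTime does not exceed response_limit (the promotable
    ResponseLimit property). With no usable endpoint the request is failed
    explicitly rather than routed to the least bad choice.
    """
    usable = []
    for c in candidates:
        if not c.get("Available", False):
            continue                      # offline: do not route here
        if now - c["LastUpdated"] > max_age:
            continue                      # metrics too old to trust
        if c["ResponseTime"] > response_limit:
            continue                      # slower than the configured limit
        usable.append(c)
    if not usable:
        raise NoHealthyEndpoint("no available endpoint within %d ms" % response_limit)
    # Ascending by ResponseTime; the URL breaks ties so the choice is deterministic.
    return min(usable, key=lambda c: (c["ResponseTime"], c["url"]))["url"]


if __name__ == "__main__":
    print(select_endpoint(CANDIDATES, response_limit=1000))
```

The freshness check matters because step 2 only pushes metrics into the registry periodically: an endpoint whose last known ResponseTime is excellent but whose record has not been refreshed may already be down, and without a cut-off the mediation would keep sending traffic to it.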

Dynamic reporting of service health and alerts

A service-level agreement (SLA for short) is a formal contract between a service provider and a client guaranteeing quantifiable network performance at defined levels. Poor performance of service endpoints usually leads to SLAs not being respected, so services in production must be monitored and managed to ensure they meet their service level agreements.

In ISMM, the IBM Tivoli® Composite Application Manager for SOA (ITCAM for SOA for short) platform also lets operators monitor service groups at the business level to help prioritize SLA violations and service outages. You can use the Tivoli® Enterprise Portal (TEP for short) to view the information supplied by ITCAM for SOA and determine the root cause of service runtime problems.

First, service groups are created, as shown in Figure 6. A service group is a set of related service operations that collectively represent or encompass a business function or application in your enterprise. It might consist of a service flow, a subset of a flow, or any collection of operation aggregates that represent something meaningful to you in your monitored environment.

Figure 6. Customer view of Service Health

The default status of a service group is healthy, meaning there are no issues with any service in the group; it is marked with a green check symbol. The service group object conveys health indicators such as Performance (response time, in seconds) and Volume (message counts), which are calculated every 2.5 minutes by default and displayed in the service group views. If these indicators exceed the thresholds defined by operators, the corresponding situation fires and alerts are activated.

The unavailability of a service group is based on situations associated with the front-end services of the group. These customized situations typically use the service unavailability attributes and metrics provided by ITCAM for SOA.
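The interval-based health calculation can be sketched as follows, as an added example written for this article rather than ITCAM for SOA or TEP code. The invocation records, the service group, the thresholds and the attribute names are constructed; only the 2.5 minute (150 s) default interval and the Performance/Volume indicators come from the article.

```python
"""Evaluate service-group health from raw invocation records.

Added example for this article, not ITCAM for SOA or TEP code. The records,
group definition, thresholds and field names are constructed; the 150 s
interval is the article's 2.5 minute default.
"""
from collections import defaultdict

INTERVAL = 150  # seconds; the article's default 2.5 minute calculation period

# Constructed service group: the front-end operations of one business function.
SERVICE_GROUPS = {
    "VerifyCreditServiceGroup": {"verifyCredit", "scoreApplicant"},
}

# Constructed operator thresholds for the situation.
THRESHOLDS = {"max_avg_response_s": 2.0, "max_fault_ratio": 0.1}

# Constructed invocation records: (timestamp, operation, response_s, faulted).
RECORDS = [
    (1000, "verifyCredit", 0.4, False),
    (1010, "scoreApplicant", 0.9, False),
    (1100, "verifyCredit", 0.5, False),
    (1200, "verifyCredit", 3.8, False),   # degraded: third interval
    (1210, "verifyCredit", 4.1, True),
    (1220, "scoreApplicant", 0.7, False),
]


def aggregate(records, groups, interval=INTERVAL):
    """Roll records up into per-group, per-interval Performance and Volume.

    Returns {(group, interval_start): {"volume", "avg_response_s", "fault_ratio"}}.
    """
    buckets = defaultdict(list)
    for ts, op, resp, faulted in records:
        for group, ops in groups.items():
            if op in ops:
                buckets[(group, ts - ts % interval)].append((resp, faulted))
    metrics = {}
    for key, samples in buckets.items():
        n = len(samples)
        metrics[key] = {
            "volume": n,
            "avg_response_s": sum(r for r, _ in samples) / n,
            "fault_ratio": sum(1 for _, f in samples if f) / n,
        }
    return metrics


def evaluate(metrics, thresholds):
    """Return the situations that fire: a list of (group, interval_start, reason)."""
    fired = []
    for (group, start), m in sorted(metrics.items()):
        if m["avg_response_s"] > thresholds["max_avg_response_s"]:
            fired.append((group, start,
                          "avg response %.2fs over limit" % m["avg_response_s"]))
        if m["fault_ratio"] > thresholds["max_fault_ratio"]:
            fired.append((group, start,
                          "fault ratio %.2f over limit" % m["fault_ratio"]))
    return fired


def group_status(fired, groups):
    """Map each group to the colour the portal would show: healthy or critical."""
    critical = {group for group, _, _ in fired}
    return {g: ("critical" if g in critical else "healthy") for g in groups}


if __name__ == "__main__":
    fired = evaluate(aggregate(RECORDS, SERVICE_GROUPS), THRESHOLDS)
    for group, start, reason in fired:
        print(group, start, reason)
    print(group_status(fired, SERVICE_GROUPS))
```

Aggregating per interval rather than per message is what keeps a single slow call from flapping the group between healthy and critical; the trade-off is that a situation can only fire once the interval closes, which is why the default period is short.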

Figure 7. Alert for Unhealthy Service Group


Once service groups are defined, performance and volume data for all their services can be displayed in this view. When something abnormal happens to a monitored service group, alerts fire and are displayed here. As shown in Figure 7, the service group named VerifyCreditServiceGroup has been marked with a big red cross: some services in this group are performing badly, and a critical situation has fired. You can drill down (by double-clicking the node with the red cross) into the Interaction Detail view to check the status of every service in the group and find out what happened.

ISMM provides proactive monitoring of service level agreements, alerting administrators to potential issues before an SLA is breached. ISMM also makes the runtime metrics available for later use in service selection, as in the advanced scenario described above.


Policy based service security management

During SOA implementation, security problems arise everywhere, all the time. Services are not used internally because they cannot be trusted. Security threats from external access lead to loss of investment and cause great damage to the business. You cannot open up services to customers, partners and suppliers for lack of security, and if you solve these problems in the traditional way, service usage becomes cumbersome because multiple authentication and authorization systems are needed to give partners access. To leverage so many services for maximum business value across many different business contexts, security policy management must be considered carefully. ISMM addresses these issues.

Figure 8. Policy based service security management

In ISMM, policy is created and managed to control authentication and message-level protection of Web services, and secure, policy-based access control for services is provided. A typical process of policy-based service security management can be divided into six steps:

1. The SOA architect defines services and registers them in WSRR.


2. The security architect authors security policy in Tivoli® Security Policy Manager (TSPM for short), an IBM product that helps strengthen application access, facilitates compliance, and supports operational governance across the IT infrastructure. TSPM acts as the Policy Administration Point (PAP for short). The security architect retrieves the service definition from WSRR and binds the policy to that service.

3. The security architect can then distribute these services and their attached policies to WSRR, which acts as a Policy Distribution Target (PDT for short).

4. The security architect can also distribute the services and attached policies directly to DataPower, in which case DataPower is the PDT.

5. Whichever component acts as PDT, DataPower must ultimately subscribe to the services and attached policies, because DataPower is the Policy Enforcement Point (PEP for short). A Web Service Proxy for these services is created in DataPower, and the WS-Policy configuration parameters and WS-Proxy settings are set up there.

6. Clients submit requests to the organization's services. Each request is routed to the Web Service Proxy first, where it must pass authentication and satisfy the policy defined by the security architect; the predefined policy is enforced in DataPower at this point.

Three kinds of security policy are inspected and verified in ISMM: message-level protection, role-based authorization and rule-based authorization.

First, message-level protection: the SOA architect wants to enforce message-level protection on specific messages flowing within the enterprise. The security architect logs into the TSPM UI and authors a policy requiring that messages be encrypted and authenticated with a SAML assertion, attaches this policy to the provided service, configures the security policy in TSPM and distributes it from TSPM to WSRR. DataPower is configured with a WSRR subscription so that it retrieves the WSDL with the attached policy from WSRR, and the security architect creates a simple Web Service Proxy in DataPower. Client requests are routed to the Web Service Proxy, which enforces the message protection required by the security policy during the service call. Consumers of this service must therefore send an encrypted request message carrying a SAML token in order to reach the service provider. In this scenario the IBM WebSphere® DataPower device acts as both the Policy Decision Point (PDP for short) and the Policy Enforcement Point (PEP for short).

Second, role-based authorization: the security architect discovers and imports services from the registry, maps the role to the existing identity system (IBM Tivoli® Directory Server), and then authors, configures and distributes security policies from TSPM to DataPower. A client's request to a service is denied if the client is not a member of the required role; the security architect can modify the role membership to grant the role to a client, and only then can that client access the service. For example, UpdateEmployeeSalary is a service that updates employees' base salary and can only be accessed by people granted the Manager role. Jack is an employee of the company; he cannot access the UpdateEmployeeSalary service because he is not a "Manager". In this scenario too, the IBM WebSphere® DataPower device acts as both the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP).

Third, rule-based authorization: the rule requires specific entitlements. The security architect authors a rule with condition expressions and the specific entitlement needed to access the provided services.
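The three policy kinds above can be checked at one enforcement point, as in the following added example written for this article. It is not DataPower, TSPM or WSRR code and implements neither WS-Policy nor XACML; the SOAP request, the directory entries and the policy table are constructed, and only the UpdateEmployeeSalary, Manager and Jack names are taken from the article. Signature verification of the SAML assertion and decryption of the body are assumed to have happened before this check, so "encrypted" and "authenticated" are verified structurally here.

```python
"""Enforce the three policy kinds from the article at a single enforcement point.

Added example for this article; it is not DataPower, TSPM or WSRR code and
implements neither WS-Policy nor XACML. The SOAP request, the directory
entries and the policies are constructed. Signature verification of the SAML
assertion and decryption of the body are assumed to have happened already;
here "encrypted" and "authenticated" are checked structurally.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed identity store standing in for Tivoli Directory Server.
DIRECTORY = {
    "jack": {"roles": {"Employee"}, "department": "Sales"},
    "mary": {"roles": {"Employee", "Manager"}, "department": "Sales"},
}

# Constructed policies keyed by service. 'rule' stands in for a TSPM condition
# expression; it sees the caller's directory entry and the request attributes.
POLICIES = {
    "UpdateEmployeeSalary": {
        "message_protection": True,          # encrypted body + SAML assertion
        "required_role": "Manager",          # role based authorization
        "rule": lambda caller, attrs: (      # rule based authorization
            caller["department"] == attrs.get("employee_department")
            and attrs.get("amount", 0) <= 10_000),
    },
}


def make_request(subject=None, encrypted=True):
    """Build a constructed SOAP request; subject=None omits the SAML assertion."""
    header = ""
    if subject is not None:
        header = ("<wsse:Security><saml:Assertion><saml:Subject>"
                  f"<saml:NameID>{subject}</saml:NameID></saml:Subject>"
                  "</saml:Assertion></wsse:Security>")
    if encrypted:
        body = ("<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>AAAA"
                "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>")
    else:
        body = "<updateEmployeeSalary><employee>bob</employee></updateEmployeeSalary>"
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:saml="{NS["saml"]}" xmlns:xenc="{NS["xenc"]}">'
            f"<soap:Header>{header}</soap:Header>"
            f"<soap:Body>{body}</soap:Body></soap:Envelope>")


def authorize(service, message_xml, attrs):
    """Return (allowed, reason). Everything not explicitly permitted is denied."""
    policy = POLICIES.get(service)
    if policy is None:
        return False, "no policy attached to service"
    root = ET.fromstring(message_xml)
    name = root.find("soap:Header/wsse:Security/saml:Assertion/"
                     "saml:Subject/saml:NameID", NS)
    subject = name.text.strip() if name is not None and name.text else None
    if policy["message_protection"]:
        if subject is None:
            return False, "missing SAML assertion"
        if root.find("soap:Body/xenc:EncryptedData", NS) is None:
            return False, "body not encrypted"
    caller = DIRECTORY.get(subject)
    if caller is None:
        return False, "unknown subject"
    role = policy.get("required_role")
    if role and role not in caller["roles"]:
        return False, f"subject lacks role {role}"
    rule = policy.get("rule")
    if rule and not rule(caller, attrs):
        return False, "rule condition not satisfied"
    return True, "permit"


if __name__ == "__main__":
    attrs = {"employee_department": "Sales", "amount": 500}
    for who in ("jack", "mary"):
        print(who, authorize("UpdateEmployeeSalary", make_request(who), attrs))
```

The order of checks is deliberate: a service with no attached policy is denied rather than passed through, the message-protection requirements are checked before any identity lookup, and the role check runs before the finer-grained rule so that the cheaper, coarser decision rejects most unauthorized callers first.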

Conclusion

The services monitoring and management implemented by ISMM demonstrates governance decisions in the context of the lifecycle of service components, services and business processes. ISMM helps us understand key aspects of SOA governance, security and management, and shows how the IBM SOA Foundation products provide an integrated solution for service governance at runtime. You can see how several governance aspects can be enforced at runtime using ISMM. ISMM lets you monitor your services and provides management and governance methods throughout the SOA lifecycle.


Resources

Learn

• "Use SLAs in a Web services context, Part 1: Guarantee your Web service with a SLA" (developerWorks, Oct 2004) is a guide to what should be included in an SLA, and gives examples of testing a Web service for SOAP interoperability before launching it into production as an exposed Web service covered by an SLA.

• Learn more about WebSphere Process Server.

• Learn more about WebSphere Enterprise Service Bus.

• Learn more about WebSphere Service Registry and Repository.

• Learn more about Tivoli Security Policy Manager.

• Learn more about Tivoli Composite Application Manager for SOA.

• Check out the information center for Tivoli Composite Application Manager for SOA.

• In the SOA and Web services area on developerWorks, get the resources you need to advance your skills in the architecture arena.

• Browse the technology bookstore for books on these and other technical topics.

Get products and technologies

• Download IBM product evaluation versions or explore the online trials in the IBM SOA Sandbox and get your hands on application development tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.

Discuss

• Check out developerWorks blogs and get involved in the developerWorks community.

About the author

Yu Chang Jiao is a software engineer in the China SOA Design Center. He specializes in SOA application development and works with the worldwide SOA Technical Sales team to provide cross-brand SOA solutions and proofs of technology (PoT). Before that he was a senior developer in SOADEE.


© Copyright IBM Corporation 2010. All rights reserved.