SOA services deployment: Putting theory into practice

Rigorous testing is the name of the game, complemented by policies that nail down what service consumers can and cannot do

Services deployment is all about testing and early management. This is the phase during which you determine whether services work properly -- and which tools you use to diagnose problems. Next, you need to start getting serious about SOA governance.

Testing services requires that you think through service autonomy, integration, granularity, stability, and performance.

Checking for autonomy means determining how a service functions on its own, plus any other services it may depend on to function.

Integration testing ascertains how a service works when leveraged by other systems, some of which may be unknown at development time. You may think that building in Web services standards ensures interoperability, but those who have deployed services know that nothing is certain unless you test it. Different interpretations of standards among different vendors still occur -- and stop integration in its tracks.

Granularity testing determines whether a service is too coarse, too fine, or just right. This can be crucial to performance. For instance, if a service is too fine-grained, it can cause performance problems as a gaggle of fine-grained services yak back and forth across the network. Services that are too coarse, on the other hand, may have little use beyond a couple of closely related applications.

Stability testing subjects a service to worst-case scenarios to see which event combinations result in failure. This is usually simple regression testing, with some integration testing thrown in. Performance testing is just what you would expect: the ability to determine whether a service can handle many simultaneous requests, and any special architecture that may be required to ensure good performance, such as load balancing with transactions.

The testing arsenal

Several services testing tools do a fine job. Parasoft SOAtest is an automated Web services testing product that allows users to verify all aspects of a Web service, from WSDL validation, to unit and functional testing of the client and server, to performance testing. SOAtest addresses key Web service issues such as interoperability, security, change management, and scalability.

Another testing tool is SOAPSonar from Crosscheck Networks. This product ensures that the Web services function as advertised, with reliable performance and availability. It also checks for application vulnerabilities before they are exploited through Web Services APIs -- and will even alert compliance officers when business transactions violate corporate policies.

Governance groundwork

Start hammering out governance policies before you deploy in a production environment and add to them as you gain experience. The proliferation of moving parts that must be maintained by different organizations makes governance a challenging endeavor.

The core notion of run-time governance is to control the use of the services, stipulating which party can consume which service for what purposes. Service access logs may also be maintained, in some cases to comply with such regulations as Sarbanes-Oxley, HIPAA, and so on.

Solutions that cover design-time governance include Mindreef Coral, which enables the capturing of corporate best practices and policies as executable rules for analyzing WSDL contracts, XML Schemas, and SOAP messages. Codify that stuff early in the development lifecycle, and you’ll be more likely to produce reusable, interoperable Web services.

For run-time governance, Layer 7 Technologies provides an environment for enforcing SOA policies across loosely coupled Web services. This includes a facility for establishing PKI-based trust between a Web services client and provider, including the ability to build WS-Policy-compliant statements and execution instructions. Policy statements can be assembled from fine-grained policy assertions, including preferences for identity, credentials, security, SLA, data translation, and routing.

Successful service deployment is an iterative process. Although software development always requires testing and formalized control, the recombinant nature of services raises complexity by a magnitude. Test, test, and test again. If you update design-time and run-time policies as you go, you’ll be equipped to refine the testing process and ensure your SOA scales, even as you add services and build apps you never thought of before.