Building SOA your way

Every enterprise needs to find its own balance between complete, scalable architecture and simply building a service-oriented architecture that works

1 2 Page 2
Page 2 of 2

Providence Health Systems deploys what’s becoming a typical two-tiered SOA to support its clinical and business applications and its physician and patient portals. A set of coarse-grained services, which map closely to business processes, are woven from another set of more elemental services. Although some advanced standards are in use, such as WS-Security, Providence doesn’t deal with them directly. “We rely on our vendor’s implementation of the security stuff,” says Mike Reagin, vice president of development at Providence. The vendor in this case is Infravio, whose Web services management system provides the framework within which Providence deploys and manages its services.

Infravio implements UDDI, but Reagin says that, with relatively few services in play, directory lookup isn’t a big deal. Declaring and enforcing policies that control the use of those services, however, is a very big deal, as is monitoring service activity.

In Infravio’s model, services are provisioned as producer/consumer pairs, each of which is governed by a contract. The master patient index, for example, is a common service used by both the physician and patient portals but in slightly different ways. The patient’s health-plan member number, which appears in the patient portal, must be stripped from the physician portal. By creating separate WSDL interfaces for separate consumers, Infravio enables the common service to be reused rather than duplicated. This variation is achieved in a declarative way, rather than by writing code.

37FEsoaevolve_in1.gif
Click for larger view.

Providence’s SOA deployment is, for now, largely internal. Services feed its outward-facing portals but are not yet directly exposed to partners. That day will come, Reagin feels sure, and when it does, he expects that his use of the core standards, SOAP and WSDL, will enable more advanced scenarios: orchestration, reliable messaging, policy-governed security, and auditing. Which pieces of the WS-* stack will enable those scenarios? Reagin doesn’t lose sleep over the question. When the time comes, he’ll buy -- rather than build -- the needed infrastructure.

Pfizer: Trusting the Fabric

Security and reliable messaging are key requirements for the Pfizer Global Pharmaceuticals (PGP) group. The pharma giant’s SOA deployment meets those requirements with the help of Blue Titan’s Network Director, which manages PGP’s Web services traffic across the enterprise.

On the security front, Blue Titan’s “fabric” enforces a policy that routes requests through a DataPower intermediary for compliance auditing and through an Oblix system for authentication. Martin Brodbeck, PGP’s application architecture director, sees WS-Security as the integration framework for these activities. Although he doesn’t deal directly with related standards, such as WS-Policy or WS-Trust, Blue Titan does in fact support them.

It’s worth noting that a number of standards said to be “vendor-driven” are primarily of interest to vendors. For example, another architect interviewed for this story was hands-on with WS-Security but unaware that WS-Trust plays a role in his implementation. Why? The WS-Trust protocol is spoken only between his security broker, VordelDirector, and his identity provider, Entrust. The messages exchanged between his company and its Web services partner have nothing to do with WS-Trust, says Mark O’Neill, CTO of Vordel. “We and Entrust chose to use it because it’s a spec that we don’t have to work out ourselves,” he says. The WS-Security protocol used by the service end points and the WS-Trust protocol used by infrastructure components are “solving completely different problems -- it just so happens that both involve specs that begin with WS."

Along with security, reliable messaging is a key PGP concern. With various flavors of message-oriented middleware in play, along with multiple versions of some of these (such as JMS), the company values the Network Director RM’s capability of hiding the differences. Although that product’s support for WS-ReliableMessaging is not immediately relevant, PGP is evaluating Indigo, which natively supports the standard. “Blue Titan in concert with Indigo will make RM [reliable messaging] really, really easy to do,” Brodbeck says.

To the short list of important standards such as WS-Security and WS-ReliableMessaging, Brodbeck adds RSS, the wildly popular format for Weblog syndication. That PGP would regard this variant of WS-Lite as strategic may surprise you, but if you think about how collaboration and knowledge management drive the top line in an organization such as Pfizer, it shouldn’t. What PGP envisions, however, is not your garden-variety blogging software. “We have to recontextualize RSS for the enterprise,” says Richard Lynn, PGP’s vice president of global applications and architecture.

PGP’s requirements include virtualizing RSS feeds so that they’re independent of hard-coded addresses, aggregating them for specific business functions and securing them using the same kinds of declarative policies that govern existing Web services. According to Frank Martinez, founder and CEO of Blue Titan, a forthcoming release of Network Director will address these requirements, building on the product’s capability of wrapping WS-Heavy infrastructure around WS-Lite protocols.

Heavy, Lite, or Just Right?

When you regard the WS-* stack as a whole, you have to conclude that the critics are right: It really is a monster. Taming it will require, in part, a unifying conceptual framework. That’s a point that Gannon, Khan, and Subramaniam each make in different ways. Gannon points to a series of blueprints and reference models published by OASIS. These documents aim to help architects understand how the various WS-* specs, which are designed as modular building blocks, combine to solve specific problems. For Ohio State’s Khan, it’s not just about blueprints. He needs a toolkit that tames the complexity and thinks Indigo will be that toolkit.

RouteOne’s Subramaniam hopes that a recent initiative called JBI (Java Business Integration) will be a unifying force in the Java world. What’s hard about Web services, he says, “is that you have to see the whole picture -- WSDL, and then SOAP, and relevant parts of WS-Security, and BPEL.” He’s anxious for vendors such as SeeBeyond, which was recently bought by Sun Microsystems, and webMethods to embrace JBI. “When you can see how it all fits together in the big picture of JBI, a very nice infrastructure emerges,” he says.

Of course, toolkits and frameworks are double-edged swords. Even when wire protocols are standard and open, you can get locked in to proprietary abstractions layered on top of those protocols. That’s why pragmatic architects and developers who don’t yet need advanced WS-* features tend to focus on the basics: SOAP and WSDL. “If you need some kind of envelope, why wouldn’t you use SOAP?” Subramaniam asks. “And if you need to describe your interfaces precisely, why wouldn’t you use WSDL?” Frank Grossman, co-founder of Mindreef, says that most of the customers who use his company’s SOAPscope diagnostic suite have adopted this strategy, which he adroitly labels “WS-JustRight."

For Grossman and others, WS-JustRight means using SOAP and WSDL to strike a balance between formal contracts and agile interoperability, while laying a foundation for future use of more advanced SOA features. PGP’s Brodbeck agrees that WSDL is the key enabler of reusable business transactions and processes.  He also extends the definition of WS-JustRight, however, to include enterprise-enabled RSS as the key enabler of reusable content.

For many practitioners, WS-JustRight now includes aspects of WS-Security, too. For a few, it includes reliable messaging, transactions, routing, and policies related to these features. The definition will evolve over time, but the only one that really matters now is the one that’s just right for you.

Copyright © 2005 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2