Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

10 Teps to SOA


Published on

Published in: Technology, Business
  • Be the first to comment

10 Teps to SOA

  1. 1. TEST CENTER EXCLUSIVE JON UDELLSystinet’s Next-Generation Here at Last: SQL Server 2005 Innovation ToolkitsServices Registry p56 and Visual Studio 2005 p14 for the Masses p55 ®November 7, 2005 b Issue 45 GET TECHNOLOGY RIGHT ® Creating a service-oriented architecture that drives true business agility demands a plan. Here’s where to start p23 i INFOWORLD.COM
  2. 2. Service-oriented architecture begins and ends with business process, marshaling a sprawling set of technologies along the way. Don’t know where to start? Try Step 1.SOA is an idea, not a technology. INFOWORLD SOA EXECUTIVE FORUM SPECIAL ISSUE True, SOA (service-oriented architecture) builds on the stack 24 Step 1: Think Big, Start Smallof protocols that define Web services, but it is hardly limited 25 Step 2: Go to the Whiteboardto that stack and draws as much on time-honored notions of 25 Step 3: Survey Your Surroundingsbusiness “re-engineering” as it does on XML, SOAP, and 28 Step 4: Connect Your First ServicesWSDL. Simply put, SOA is a broad, standards-based frame- 32 Step 5: Choose and Deploy a Registry or Repositorywork in which services are built, deployed, managed, and 32 Step 6: Start Tackling Governanceorchestrated in pursuit of new and much more agile IT infra- 34 Step 7: Lay Your Security Plansstructures that respond swiftly to shifting business demands. 36 Step 8: Build Out Your Messaging Infrastructure The breadth of that vision is what makes SOA seem so mad- 38 Step 9: Deploy Service Managementdeningly vague. Nonetheless, the potential benefits of 40 Step 10: Consider Orchestrationreduced IT costs and greater business agility have spurred PLUS:many organizations to start down the path to SOA, to the 45 Making SOA Workpoint where most large enterprises now have some sort of 46 BAT Builds SOA One Step at a TimeSOA initiative under way. One reason for that extraordinary 48 Sabre Answers to Customer Demandstraction: SOA may ultimately have a transformative effect on 50 Thompson Prometric Rethinks Business Processesthe entire enterprise, but in contrast to other “big bang” 51 Verizon Goes Back to the Workbenchendeavors, most of the applications and infrastructure you’vealready deployed can remain in place. BY ERIC KNORR AND OLIVER RIST Throughout the past two years, InfoWorld has interviewed ILLUSTRATIONS BY RON CHAN INFOWORLD.COM 11.07.05 23
  3. 3. countless enterprise architects, developers, and officers who already have a close relationship, or should you mix and are guiding their organizations toward SOA deployment — match best-of-breed solutions? And, as with any standards- and who are learning hard lessons, gaining insight, and based initiative, what do you do when many of the standards encountering infuriating technology gaps along the way. necessary to achieve the real benefits aren’t fully cooked yet? Many are already enjoying SOA’s early benefits of easy inte- Such questions lack easy answers, and missing pieces of gration and code reusability. Based on their experiences, and technology, industry disagreements, and vendor lock-in all the advice of industry technologists and analysts, we offer this threaten to dampen SOA’s much-ballyhooed benefit of hyper- step-by-step guide to planning, building, deploying, and man- agility. Nonetheless, you’ll find most of the key concepts aging an SOA. underlying SOA, a number of which may be familiar, right As you’ll see, SOA provokes many of the same questions here — although not necessarily in exactly the right order for that dog most grand IT schemes. Should you buy and deploy you. Just as with SOA itself, how you put it all together SOA-related technology from a single vendor with which you depends on what you’ve got and where you want to go.1 Think Big, Start Small SOA starts with a business promise: to enable enterprises to re-engineer themselves on the fly. From the outset, look for opportunities for agility. The more dynamic the business, the more it will benefit from a well-implemented SOA. And the more allies you have who share the SOA vision, the better. In particular, it helps to have powerful part- ners in your company’s business management who understand the critical legacy applications as services, providing access to important data and functionality to other applications for the first time. Or they use shared services to eliminate redun- dancy among several difficult-to-maintain stovepipe applica- tions that overlap in functionality. Such projects may yield significant benefits, but SOA deliv- ers the most value — and will scale far better in the future — when you begin by drawing a box around a set of related ultimate payoffs of cost reduction business processes that need streamlining, rather and accelerated response to than attacking technology problems first. Scott change across the organization. Thompson, senior architect at H&R Block, “We’re actually kind of fortu- puts it this way: “We had to switch our nate in that we don’t have to sell mentality from just rendering data and SOA,” says Ben Moreland, assistant just making a service out of it because director of foundation services at The we could, to asking: What’s the busi- Hartford, which got its SOA initiative ness problem that we’re trying to rolling a few years ago. “Our senior solve, and what applicability does that vice president, John Chu, recog- business problem have to other nized the benefits and the areas of the organization?” value of SOA.” Jean-Michel Van Lippevelde, This shared vision may be vast, but it pays business architect at Accelior Consulting, has to start small. “Don’t try to do ‘boil-the-ocean’-type reached the same conclusion. “Take a top-down approach projects,” advises Ed Horst, vice president of marketing at from a business-process perspective,” he advises. The results AmberPoint, who has watched overly ambitious initiatives can be highly visible, as they were in Accelior’s engagement falter. “I think the most successful initial projects we’ve seen with ING Lease Belgium, which targeted a request-for-quote are those that are small in size — about six to 10 services that process that included automatically generating contracts. integrate two or three things and take around six months to Before, the process typically took days. But after streamlin- complete.” ing the process, provisioning services, and automating for- Many organizations start by provisioning a few mission- merly manual steps, the wait time was reduced to minutes.24 INFOWORLD.COM 11.07.05
  4. 4. “I think the most successful initial projects we’ve seen [involve] about six to 10 services that integrate two or three things.” — Ed Horst, AmberPoint2Go to the WhiteboardYou can’t expect to dissect business processes and see whatmakes them tick all by yourself. In collaboration with busi-ness stakeholders, review and rationalize the processes in thedomain you’ve identified. Often, much of the heavy lifting willbe done by the business guys, as theyscratch their heads and figureout how to restructure process-es — and you determine the in line for our attention.” Timothy Vibbert, senior systems engineer at Lockheed Martin, takes a like-minded approach. In providing profes- sional services to government agencies, he’s logged an impres- sive amount of whiteboard time. “We go through full domain decomposition before we even think about services,” he says. At the same time, “you also start looking at what is out there that you might be able to reuse. And then you go into missionbreakdown collaboratively and or process identification, getting down to a spe-decide where new automation cific thing you want to tackle.”can make a difference. After the scope is defined, Vibbert says, “We started our process map- it’s important to determine who the par-ping by meeting with each agency ticipants will be. “And once you define those,individually,” says Dan Thomas, direc- you start building use cases. Then you starttor of the DC Stat program at the Office of decomposing the use cases. And then you getthe Chief Technology Officer in the District into resource allocation and data allocation,of Columbia. Thomas’ ambitious program start naming your services at a high level,is tying together the data repositories of and also talk about the data that65 separate D.C. government agen- flows,” he says, emphasizing thatcies to give senior officials trans- these steps are iterative, withparent, up-to-the-minute informa- multiple passes required to cre-tion with which to make policy ate the right plan of attack.decisions. Every SOA initiative is unique, so the duration of Thomas’ team met with each agency to map out its the planning process varies wildly, but Vibbert provides a hintdata-gathering policies and to find out how that data was dis- of how long you’ll be sniffing dry-erase marker: “If youtilled for presentation. “It’s a time-consuming process,” he already have some pieces of an SOA in place, you can trimsays, “but we didn’t try for all 65 agencies out of the gate. We down the time frame relatively quickly. An SOA from scratchpared it down to a manageable number. Now they’re getting … it could take months if not longer.”3Survey Your SurroundingsHere’s where all that process work starts to meet technologi-cal reality. Before you implement, look carefully at what youhave in place to leverage. A basic tenet of SOA, particularlyin its early phase, is to work with what you’ve got when pos-sible but to avoid locking yourself into practices or technolo-gies that will stymie future interoperability or expansion. Taking inventory is a multistage process. First, you need todocument the data sources and existing applications that will be involved in your initial deployment — remembering to identify partner services outside the firewall that you may need to connect with and to catalog those services as careful- ly as you do internal ones. Second, take stock of technology you have on hand that will play a role in your SOA. Yes, this is a big job, and no, it’s not necessary to complete it before mov- ing toward an initial project. But neither can it be ignored if SOA, rather than a limited project, is your goal. INFOWORLD.COM 11.07.05 25
  5. 5. “Take a top-down approach from a business-process perspective.” — Jean-Michel Van Lippevelde, Accelior Consulting An SOA involves a sprawling set of technologies. The short If you’re not an SOA expert and are leery of hiring a con- list: tools to build or provision those services; a registry in sultant, don’t despair. There’s no need to run to the Learning which to expose them; a messaging infrastructure over which Annex for a crash course. Get as far as you can. If your enter- services and applications will communicate; a means of prise consists of little custom code and mostly off-the-shelf orchestrating services; and some sort of services management software, contact your software vendors one at a time. Ask involving intermediaries. Application-layer net- about their SOA plans and capabilities. Often, you’ll be working may also play a role, and down the road, pleasantly surprised by their direction — and you may so may BPM (business process management) obtain valuable information that will affect project and BAM (business activity monitoring) scheduling and future applications. You’ll also want to take platform choices. a hard look at the Web services “We moved our interfaces of your commercial product portfolio enterprise apps. towards SOA specifi- That’s quite a stack of stuff, cally because our cus- but you don’t need to make tomers asked us to,” sweat-inducing technology deci- says Dwain Kinghorn, sions about what you’ll change, add, or CTO of Altiris, a large manufacturer of keep quite yet. You’ll be busy enough figur- asset, network, and security management ing out how to map and normalize data among platforms. “It allows our customers to free the systems involved. As Timothy Vibbert of Lockheed notes, themselves from our management consoles. They can now data among various systems can be “defined 15 different ways, grab specific pieces of management data and incorporate 15 different times for the same data element.” Reconciling that those into any SOA-based management dashboards they may metadata is hard, tedious work. have developed on their own.”4 Connect Your First Services Time to get your feet wet. Take that whiteboard map and focus on one area as a pilot project. Identify a key point of redundancy in your set of related applications, spec out your first service, decide who will build it with what tools, and start provisioning. After testing, you can start modifying apps to call your new, shared service. What basic characteristics should a service have? Timothy Vibbert of Lockheed lists them: “They’re reusable, they have and so the reusability of those wasn’t quite as high as what we had liked it to be,” he says. “So we’ve gone back and redesigned a lot of our services to be more reusable, not only to a specific project but really more in tune with the business purpose that they were designed to serve.” Several stovepipe applications, for example, may have their own way of opening a customer account. Create a single coarse-grained service that each application can call on to a contract, they’re loosely coupled, they’re stateless, and open an account, and you eliminate redundancy and reduce they’re discoverable.” Most SOA practitioners would add that application maintenance. Along the way, you may be able to a service should also be “coarse-grained” — that is, it should glean other benefits: better compliance information, more map to a business process step or function rather than, say, security across a single repository rather than multiple data an application component. This helps ensure reusability and dumps, and better Web site management. avoids overlap with other functionality. Typically, services are published as Web services — which Scott Thompson of H&R Block learned the value of the promises the greatest potential for reuse because the stan- coarse-grained approach the hard way. “I think in our early dard protocols that define Web services are designed to tran- design, we tended to develop services that were more in tune scend platforms and programming languages. In practice, with our object layer than they were true business services, however, SOAs typically expose other types of services, such as28 INFOWORLD.COM 11.07.05
  6. 6. “We moved our product portfolio towards SOA specifically because our customers asked us to.” — Dwain Kinghorn, Altiristhose accessible via JMS (Java Message Service). cation servers, on Windows Server, or provisioned on How do you decide what type of service to use? “One thing legacy systems themselves — and thanks to Web ser-it depends on is the payload,” Lockheed’s Vibbert says. vices interoperability, your developers can generally“If the messages you have going back and forth have choose their favorite tools and platforms forrelatively small data sizes, Web services are fine. provisioning. “One of the things that a service-Or if it’s not time-critical, Web services are probably oriented architecture gives you is the benefitthe best choice. But if you’ve got things that of rendering that decision secondary,” saysinvolve large amounts of data going Charles Stack, CEO of open source reg-back and forth or are time- istry provider Flashline. “You cancritical, you might not change deployment platformsgo with a Web service” at the service level withoutand instead build affecting your service-ori-a service accessible ented architecture. Ser-through JMS or some other vices abstract that verybinary protocol. infrastructure level. It’s much less of a Services can be deployed on Java appli- strategic decision than that sort of thing used to be.”
  7. 7. 5 Choose and Deploy a Registry or Repository Many organizations mark the beginning of their SOA initia- tive at the point when they deployed a registry as a mechanism for service discovery. At a minimum, a registry prevents duplicative effort, a place where developers can determine whether a service has already been created. As Timothy Vibbert of Lockheed notes, “It could just be a Web site that lists [services]. It may be manual dis- mainly to have a more structured way to store and manage service metadata. To complicate matters, the distinction between “registry” and “repository” is rather slip- pery. The common definition is that a registry contains data about services — where they’re located, XML schemas, and so on — whereas a repository contains the services themselves. In truth, services still covery, but they’re discoverable.” run on their deployment platform, But as the number of services and the so repositories actually contain what applications that use them grow, you’ll amounts to a deeper level of meta- need a real registry. “We selected a UDDI data — plus, registries generally registry in 2003 and put it in production offer repository capabilities. They in 2004,” says Ben Moreland of The Hart- just don’t call them that. ford. “We use it for the dynamic bind- Choosing a registry may ing capabilities to give us the well be the first SOA-specific loose coupling between the client buying decision you’ll face. and the producer of the service.” And it may also be the first time Most SOA deployments employ you encounter the fundamental choice between some sort of commercial registry or repository that offers a single vendor’s offering and best-of-breed SOA solutions. deeper functionality than that defined by the UDDI spec, All the big platform players, including BEA Systems, IBM,6 Start Tackling Governance Registries are more than just containers in which services can be described by metadata and discovered by clients and other services. They are also centers of SOA governance, where IT can list human service owners, manage versioning, ensure compliance with enterprise requirements, and more. The sooner you start thinking about how governance will work, the better. Governance is best defined as a combination of workflow your business,” says Randy Heffner, vice president at Forrester Research. “They deserve attention and governance as much as the design of your business does.” SOA is fundamentally a new paradigm of IT, according to a technology exec at a major financial conglomerate who asked not to be named. “When you increase dependency and complexity, it presents a whole new set of problems,” the tech exec says. rules — who is responsible for what services, what happens “The more SOA is successful, the when quality assurance uncovers problems, and so on — plus more management becomes a management of service interface definitions. Those defini- problem.” This exec believes that tions become an analogue of an IT org chart gradually trans- governance should be distrib- formed by the disruptive effect of SOA. “The strongest way to uted rather than centralized, look at your service interfaces is that they are the design of in a manner similar to the32 INFOWORLD.COM 11.07.05
  8. 8. Microsoft, Oracle, and Sun have their own registries or repos-itories. But pure-play vendors abound — including Above AllSoftware, Flashline, Infravio, SOA Software, and Systinet —all of which boast a unique mix of capabilities. Depending onthe product, you may discover a wealth of stuff — graphic rep-resentations of the relationships between WSDL and services,identity-based security that limits access to certain services, arules engine to help manage service policies, and more. When it comes to registries or repositories, David Aubreytakes the single-vendor view. “If you’re using any kind offramework, they’ll push a repository,” says Aubrey, seniorarchitect at KomatiSoft, a New York-based financial applica-tion startup. “That’s one area, I wouldn’t try and force a third-party alternative unless I absolutely had to. At least not today.The key is interoperability with the framework and its rulesengine, and that’s what they’re guaranteeing. Bring in a third-party solution, and you’re putting that whole synergy at risk.” Not surprisingly, Flashline’s Stack takes the opposite view-point. “If you’re building your infrastructure for a service-ori-ented architecture on a proprietary vendor platform, I thinkyou’re making an enormous mistake,” he says. “We caution allof our customers from the infrastructure standpoint to put apremium on openness, because otherwise you’ll have theworst case of vendor lock-in you’ll ever see.”relationships among federal, state, and local government ina democracy. And he means that literally: He is currentlystudying The Federalist Papers for insight. In 2004, The Hartford formed an enterprise architecturegroup to put a “governance process around projects,” accord-ing to Moreland. In the beginning, he says, the governance process was all about communication. “We had architects talking together for the first time that were really solving the same problems, but in different lines of business. Now we’re to the point where we will actually stop a project if it does not conform to the reference architec- ture or the line-of-business blueprint. And we have the authority from upper man- agement to be able to do that.” Moreland provides a specific exam- ple of the types of problems good gov-
  9. 9. “If you’ve got things that involve large amounts of data going back and forth or are time-critical, you might not go with a Web service.” — Timothy Vibbert, Lockheed Martin ernance can avoid. Recently, one business unit of The Hart- ‘I don’t have the funding or the budget or the resources to do ford published a useful service in the proper SOAP format. A that. I’m tied up with other stuff,’ “ Moreland recalls. In such different area of the business applied to use that service but a case, he says, good governance stipulates that the service in also requested that the service return two additional data val- question should be owned by a group with a dedicated team ues within the XML. “The owner of that first service … said, that can maintain and modify it for the entire enterprise.7 Lay Your Security Plans Years ago, when the industry began promoting Web services, the first objection raised was: What about security? That’s because, back then, the emphasis was on XML integration across enterprise boundaries. By contrast, SOA tends to focus on the architecture of a single enterprise — or closely related enterprises — where the underlying assumption is that every- thing occurs within one, big trusted zone. “Many people have this sense of, ‘When I’m doing this kind for securing XML messages beyond the time when they’re in flight: WS-Security, which is perhaps the most often used Web services specification after SOAP and WSDL. Today, many enterprises combine WS-Security with SAML tokens to assert user identity through every stage of a multipart transaction — an especially useful solution for financial ser- vices organizations. Several other security specifications are in various stages of of stuff inside the firewall, based on restricted network seg- development. WS-Trust is an extension to WS-Security that ments or whatever else, I’m OK without a deeper sort of use ensures the service requestor is properly authenticated before of security in my services environment’,” Forrester’s Heffner security tokens are issued. WS-SecureConversation extends says. “But the time when everybody says, ‘I have to do some- the trust derived from positive authentication to groups of thing with security,’ is an external connection.” messages. And WS-SecurityPolicy enables services to Although SOA shifts the emphasis toward exchange security policies and to negotiate authentication internal architecture, B-to-B integration with and authorization without user inter- partners is a natural extension — and in many vention. None of these three specs, cases a core benefit. Across firewalls, the solu- which will be fairly essential in a tion can be as simple as a two-way SSL con- world where XML messages nection. But before you jump to any tech- routinely cross domains, has yet nology conclusions, Heffner advises that seen widespread use. you first decide whether your enterprise is a “For us, this is another area “hub” or a “spoke.” where we’re struggling through as Hubs, says Heffner, can simply lay best we can until new standards down the law. “If you’re a Wal- and practices emerge to make Mart, then as a hub, you just say the job easier,” says Bob Laird, what the architecture is going to be … because IT chief architect at MCI. Mean- everybody’s got to do what you say.” For the rest of while, Laird is focusing on solid external defense us spokes, “you’ve got to look at what your partners, the peo- systems, an effort that includes making his existing infra- ple you’re going to connect to, what sort of security architec- structure security managers aware of new traffic flows and tures they are doing. And then decide on the strategy of just transactions, and purchasing dedicated SOA defense hard- pure edge security, so you’ve got an XML security gateway ware such as XML firewalls from Sarvega. and can do authentication/authorization at that level,” or a “Something bad has to happen before SOA security tools deeper level of security, where authentication travels along really start happening,” Laird says. “We’ll see XML-based with XML documents as they move within the enterprise. attacks, maybe even viruses, hitting someone publicly — and Fortunately, the industry has agreed on a simple framework that’s what it’ll take to galvanize the industry.”34 INFOWORLD.COM 11.07.05
  10. 10. 8 Build Out Your Messaging InfrastructureYour next crucial technology choice: how messages will besent or received among services and applications. With small-scale SOA implementations, you can often get away withdirect, synchronous XML (most often, SOAP) connectionsthat essentially assume services will be available 24/7. Asdeployments grow larger and more complex, however, asyn-chronous, reliable messaging may be required — and becausedifferent messaging schemes support this in different ways,the danger of lock-in increases. ESBs (enterprise service buses), EAI middleware from suchstalwarts as Tibco or webMethods, and application serversfrom BEA, IBM, and Oracle enhanced with integration add-ons all provide asynchronous, reliable messaging functional-ity. All support a range of messaging protocols, includingSOAP, JMS (Java Message Service), and MQ (Message Queu-ing), and offer application adaptors for legacy systems. Today,however, each solution has its own way of ensuring the arrivalof messages, a situation that is unlikely to change even withbroad adoption of standards such as WS-ReliableMessaging. ESBs occupy a particularly confusing area. As Ben More-land of The Hartford says, "if you get 10 architects together,youre going to get probably 11 different definitions of an ESB.Some are going to say that its an architecture pattern; oth-ers are going to say its a single product. Others are going tosay its a suite of products." Even among ESB products, the
  11. 11. “The strongest way to look at your service interfaces is that they are the design of your business.” — Randy Heffner, Forrester Research InfoWorld Test Center encountered surprising diversity cost, and grow his SOA as IBM’s product set evolves. “And ( please don’t think we’re closing our eyes to ragged-edge tools,” Most people have a natural tendency to stick with what he says. Laird indicates that MCI actually encourages its they’ve got. Bob Laird at MCI provides a case in point. “We developers to try non-IBM tools as they emerge. Those that wound up using WebSphere because we already had IBM become popular are purchased in small quantities first and MQ installed,” he says. “It just made the most sense. Plus, it are integrated into specific projects. If they pass that test, allows our developers to be eased into SOA concepts through they’re rolled out in larger numbers. “This way, we keep our tools with which they’re already familiar.” options open while avoiding large-scale compatibility Lockheed’s Vibbert says he encounters this tendency all headaches,” he says. the time. Although he likes the lightweight, standards-based “Most companies that have a message-oriented middleware messaging solution offered by the JMS-based Sonic ESB, he system in place are more likely than not to leverage what they doesn’t try to convince clients to switch if they already have already have because it makes little sense not to use the robust a deep relationship with another vendor providing similar messaging topologies that many of these companies have in functionality. place,” Flashine’s Stack says. “So unless you don’t have one of But some folks, especially smaller shops, take a dimmer those, it seems to me that the MOM [message-oriented mid- view of the single-vendor default. “To us, flexibility is every- dleware] solutions are going to be the reliable messaging ser- thing,” says Paul Lindo, a 13-year veteran of development at vice — and most have announced their intent to support the the Federal Reserve and now CIO of a small New York-based reliable messaging protocols.” development company. “What you get with a messaging sys- A technology exec at a major financial conglomerate offers tem like MQ is a rehash of older proprietary technology with corroboration of this perspective. His company’s asynchronous a new SOA spin. For us, sticking to straight Web services stan- messaging solution is a well-established EAI product, which dards makes much more sense.” among other benefits provides the binary throughput neces- MCI’s Laird concedes that relying on IBM may limit his sary for high-volume transactions. When asked his opinion on choices in the long term, but he is willing to make that trade ESBs, he replies with a question: “Why should I go for a light- in order to start with SOA today, enjoy a low initial platform weight JMS solution when I already have a heavy-duty one?”9 Deploy Service Management If more than a handful of services are up and running, and if any are mission-critical, you need to manage them the way you would any network resource. Several vendors offer dash- boardlike solutions that monitor the health of services, maintain service levels, scale performance, set up fail- overs, handle exceptions, and so on. between the network layer and the application layer. Among other benefits, intermediaries virtualize services, creating proxies that hide the details of a service’s implementation from clients and thereby add security. They may also throw in XML firewall or acceleration features, as well as the abil- ity to modify large groups of services from a single control panel — to This is made possible by the wonder respond to changes in regulatory of XML messaging, which allows statutes, for example, or to meet new intermediaries — services in security requirements. themselves, sometimes pack- Services management is slowly aged in appliances — to tap moving toward standardization with into message streams. OASIS’s approval of WSDM (Web Services Dis- Intermediaries establish a new slice of functionality tributed Management) last March. A second specification,38 INFOWORLD.COM 11.07.05
  12. 12. “We’re to the point where we will actually stop a project if it does not conform to the reference architecture.” — Ben Moreland, The Hartford WS-Management, which overlaps a bit with WSDM but “We use AmberPoint,” says Scott Thompson of H&R Block, focuses on managing network hardware rather than on appli- although he admits he has rolled out that vendor’s solution cation-level messaging, was submitted to the Distributed in a limited fashion. “We’re taking baby steps,” he says, “start- Management Task Force by Intel, Microsoft, and Sun ing out with basic service-level management monitoring. Microsystems last June. But today, for all practical purposes, Then we played with exception monitoring, but we really you need to use the same Web services management solution want to mature the model into managing encryption, decryp- across your SOA deployment if you really want centralized tion, authentication, and authorization types of functions.” control. As Bob Laird of MCI puts it, “It’s a big mess right Ben Moreland of The Hartford cites “the ability to be noti- now, and we just have to muddle through.” fied when there’s an SLA failure or there is a failure in the ser- Interestingly, the pure-plays — including Actional, Amber- vice [and] the ability to enforce policies” as reasons his orga- Point, Blue Titan, and SOA Software — lead the way in Web nization deployed a Web service management tool. services management. But the big network management Some see centralized policy management as the most players are catching up: BMC, Computer Associates, Hewlett- important promise of all. It’s relatively easy to check the Packard, IBM, and Novell are all sponsors of WSDM and are health of Web services running locally, but to reconfigure in various stages of incorporating Web services management thousands of Web services across an organization, you need a into their offerings. In addition, Cisco’s AON (Application- standard that works across platforms. The WS-Policy stan- Oriented Networking) initiative should soon result in net- dard is designed to address this, but implementation in prod- working equipment with service management capabilities. ucts remains at an early phase.10 Consider Orchestration Every platform includes some method for orchestrating ser- vices. Whether it works well is another question. Ultimately, service orchestration will be vital for whipping up new, process-based composite applications in the dynamic man- ner promoted by the SOA vision. Few are implementing it today, however, because it’s complex to pull off and because the relatively modest SOA rollouts that generally inhabit the real world don’t really require it. tainly not going to be able to have an orchestration happen in a quarter of the second. You may not even be able to get it to happen in 5 seconds.” Today, BPEL (Business Process Execution Language) pro- vides the only standardized means of orchestration, although BPM (business process manage- ment) solutions have provided proprietary orchestration schemes for years. “Orches- Randy Heffner of Forrester Reasearch offers some guide- tration is trying to codify BPM,” says lines. “One easy entry point for thinking about orchestration Lindo, who works at a New York-based is: I have one request coming. … development firm. “And that’s just unbe- How should I do a full and com- lievably complex. If you point it at certain plete business unit of work?” he industries like manufacturing, you can asks. “If the answer to that ques- focus enough to make the concept man- tion is, ‘Well, I’ve got to make sev- ageable. But for general business man- eral things happen in a sequence agement, the relationships are so across multiple underlying complicated that tackling such a pro- applications,’ then you’ve got ject from a coding or interface per- a scenario for orchestra- spective is a massive bear.” tion.” Heffner adds that orchestration also demands some Forrester’s Heffner draws a clearer distinction between ser- tolerance for latency. “Depending on how many things you vice orchestration and BPM, which has its roots in end-to- need to have happen in lower-level applications, you’re cer- end workflow modeling. “The two are not well-connected,”40 INFOWORLD.COM 11.07.05
  13. 13. “Orchestration is trying to codify BPM...and that’s just unbelievably complex.” — Paul Lindo, New York-based development firm he says. “In the modeling languages, … there’s no way to have SAP. “Down the road, we have BPEL4People, which is a stan- a full view of the complete process where I just say, ‘OK, push dard that a couple of the large vendors are now pushing these steps down into BPEL.’ I really can’t get that.” because they recognize that efficiency of workflow within the In the opinion of Flashline’s Stack, the failure to accom- BPEL specification,” he explains. “I think that those two lay- modate human interaction is a fatal weakness of BPEL. ers, the BPEL orchestration and the BPM workflow, are going “When the industry was debating BPEL last year, I think the to consolidate.” decision to go with the machine-to-machine-only orchestra- Meanwhile, it won’t hurt to explore proprietary BPM solu- tion protocol was a big mistake,” Stack says. “We don’t have tions, as Scott Thompson of H&R Block has discovered. Iron- any customers that are using BPEL in anything but a trivial, ically, working with Tibco’s BPM tool has helped SOA gain experimental sense,” he adds, including sophisticated Web traction in his company. “Until we started to orchestrate var- services customers such as Sabre and Countrywide. ious services together to form a business process, we didn’t Ben Moreland of The Hartford, however, sees potential in have outright adoption of our SOA,” he says. “It was more of an extension to the BPEL spec jointly proposed by IBM and a low-level IT type of project.” Stepping Into the Future Everyone has heard the clichés about “aligning business and business services, but a lot of them are application-level ser- IT,” as if technologists needed to be corralled into serving vices that aren’t really modeling the business per se but open- business needs. The problem, though, isn’t the will, it’s the ing integration paths to applications that people couldn’t get way. SOA provides the framework necessary for a new level to before.” That assessment may pale in comparison to big of IT responsiveness, even if some technology components promises about hyperagility, but for IT on the ground, it’s a have yet to mature. pretty big deal. Hooking up BPM (business process management) to large Meanwhile, those who attack the whiteboard in earnest portions of SOA infrastructure will represent one big step may be doing more to prepare for an SOA future than early toward the new era. Another will be wide deployment of inte- adopters who push orchestration to its current limits. Accord- grated BAM (business activity monitoring) solutions, which ing to Ben Moreland of The Hartford, “from an organiza- will tap into SOA message streams to help determine that tional perspective, the biggest issue we have is really SOA processes and composite applications are providing the best education and getting people to understand roles and respon- possible business value. Beyond those technologies, industry sibilities that are a little different than they were historically. SOA boosters set their sites rather high, prophesizing a self- There’s more of a shared responsibility. Now, you focus on optimizing IT nirvana in which applications and network your business area, leveraging services and infrastructure infrastructures monitor and reconfigure themselves based on from other [areas] where you may not have any control.” In easily adjusted business rules. other words, cultural change to meet the challenge of SOA If self-optimizing SOAs ever arrive on a grand scale, it won’t can begin any time you like. be in this decade. With the most advanced of today’s enter- As Bruce Richardson, chief research officer at AMR prises barely achieving orchestration, SOA clearly needs to Research, says, “SOA is a journey, not a destination.” Early fill a few gaps — in security, reliable messaging, semantics, SOA efforts are already establishing new lines of communi- process management, and so on — and work its way through cation between IT and business — and in some cases, begin- important governance issues. ning to affect the organization of business itself, as people What’s just as clear, however, is that SOA is delivering real grow to understand how service orientation can eliminate value now. “The thing that I see most folks doing across the duplicative effort and shorten development time. In these breadth of the industry is just getting services, of any kind, in instances, the future is already beginning to arrive. i place,” says Randy Heffner of Forrester. “Some of them are — Paul Krill contributed to this article.42 INFOWORLD.COM 11.07.05
  14. 14. implementing SOA (service-oriented architecture) isone of the most daunting projects that an enterprise IT orga- Four companies explainnization can undertake. Service orientation represents awhole new way of thinking and doing, one that changes the how service-orientedway developers operate and interact with the business. I spoke with IT managers from four companies about architecture has transformedtheir experiences implementing SOA, and each story wasdifferent. For British American Tobacco, developing a mea- their businesses and howsured, step-by-step approach was crucial. For Sabre Hold- their IT departments metings, the unique nature of its IT environment presented thekey challenge. Thomson Prometric learned that personnel the challengeand training were essential to success, whereas Verizon’sefforts took off only after it developed incentives for busi-ness units to adopt SOA. Industry best practices are beginning to emerge (see“10 Steps to SOA,” page 23), so there’s still no easy recipefor SOA success. But as these stories show, success is with-in reach, provided companies remain focused on theirunique business needs. BY LEON ERLANGER INFOWORLD.COM 11.07.05 45
  15. 15. “You really need the right human resources and skills deployed.” — Gavin Targonski, British American Tobacco BAT Builds SOA One Step at a Time governance and service management tools. Rounding out BAT’s SOA infra- For British American Tobacco (BAT), SOA success came early. The structure are an application router from Cast Iron Systems, which provides the challenge now lies in determining how quickly SOA should be standards-based back-end integration scaled across the enterprise, and for which functions. platform, and Network Director switches and servers from Blue Titan, The company’s SOA journey began with a pilot project to build a which provide Web service routing, Web services-based dashboard that to develop and consume Web services mediation, and management. could extract real-time metrics informa- as, and when, they needed to,” Tar- Early successes have demonstrated tion from legacy systems. The success of gonski says. the value of SOA to BAT’s business. that pilot convinced those involved that The right toolset came in the form of Now SOA’s proponents within the com- SOA could be the catalyst to move BAT’s Skyway Software’s Integrated Service pany are in the process of getting the IT away from siloed implementations to Management platform — now known news out to the development teams and an agile, supply-and-demand organiza- as Skyway SOA Platform. Its Builder business units, including providing a tion, says Gavin Targonski, global sys- module provided developers with a reference implementation to make SOA tems architect at BAT. model-driven, codeless development development an accepted practice in For a company like BAT, however, environment that could automatically the organization. According to Targon- ski, that can’t happen fast enough. Scaling Across the Enterprise “We need to get better at getting the BAT’s SOA abstracts legacy system functions and data as a set of core Web services consumed good news out more quickly. It’s easy by its dashboard and finance applications. to forget the value we’re adding because of the speed in which we’re developing applications, providing XML/SOAP Blue Titan Director Fabric prototypes, and approaching new (Web services routing, mediation, and management) business requirements with a different Finance app perspective,” Targonski says. Targonski also points out that with Cast Iron Application Router XML/SOAP (back-end integration) such quick development cycles it’s important to get a handle on how far SOA should go — and how quickly. “Do Dashboard app SERV we charge on or make sure the opera- SERV WEB IC WEB IC tional aspects are in line first? We ES ES decided we have to be certain that what Legacy system Legacy system we create is supportable and maintain- able and that we can manage services with more than 300 products in 180 generate standard J2EE Web services. from birth to death. It’s easy to forget markets and 90,000 employees world- “Skyway embeds an SOA approach in the guys who have to support this stuff wide, such a transformation would be the core of their tools,” Targonski says. and make the datacenter work,” he says. a tough challenge. For one thing, BAT “The ways in which objects are exposed One side effect of scaling SOA has had more than 1,000 IBM Lotus and externalized to the runtime are been that BAT’s IT organization has Domino applications, and many of its already SOA-enabled, so developers can had to start reinventing itself. “All of a developers were more versed in Domi- build SOA apps without having to think sudden, you don’t have a database guy, a no than Web services, .Net, or J2EE. about all those issues, such as what network guy, and a mainframe guy all GARY STRENG “We needed a way to make our exist- SOA means and how to do it. It makes working on their own,” Targonski says. ing development teams productive in SOA a no-brainer.” “All their skill sets have to be pulled SOA from the word go, allowing them Skyway’s product also provides SOA together because a Web service has so46 INFOWORLD.COM 11.07.05
  16. 16. “We’d go out and validate our ideas in customer meetings.” — Todd Richmond, Sabre Holdings many different touch points to make it and building a new finance application Some of those customers became work. You really need the right human with a Web services-based UI. beta testers, migrating from Sabre’s resources and skills deployed.” Targonski says that it has also been desktop products or their own screen- For all these reasons, BAT has been important to make sure BAT’s SOA scraping desktop applications to prod- developing additional services carefully, approach is moving in step with that of ucts that could consume Web services. targeting key projects to drive SOA and its largest technology suppliers, such as Meanwhile, Sabre started analyzing its forcing developers to deliver on ROI SAP, and vice versa. “You’ve got to be customer usage metrics. statements. Some of these initiatives cognizant that if you leave existing “We have a lot of data that helped us have included transitioning BAT’s glob- implementations behind, you’re not determine what might be interesting as a al messaging backbone from IBM necessarily delivering real value,” he Web service. Then, we’d go out and vali- MQSeries to SOA messaging standards advises. “Evolution, not revolution.” date our ideas in customer meetings and take their feedback,” Richmond says. Sabre Answers to Customer Demand As it turns out, Sabre’s customers were divided into major camps. “Some How does a technology-driven company with massive performance and said, ‘Just expose each individual host command as a Web service, and I’ll scalability requirements — and incredibly varied customer and supplier build the apps to aggregate them.’ Oth- bases — transition to SOA? For Sabre Holdings, the answer was a lot of ers said, ‘I don’t want to know about the host and the back end. Just show me in-house development and a complex interweaving of the old and new. the flights, select the flight, price it, sell Sabre’s three companies include the 2002, largely in response to requests it, and ticket it in high-level Web ser- Travelocity online travel service; the from its larger customers. “We were vices,’ ” Richmond explains. Sabre Travel Network, whose GDS pushing Web services to lower our So Sabre had to build both capabili- (Global Distribution System) connects costs, but [customers] were major dri- ties. According to Richmond, the com- travel agents and suppliers with travel- vers on what functions would be first on pany’s first release had 30 or 40 Web ers; and Sabre Airline Solutions, which the list and how we’d work out security services at the low level and another 30 supplies reservations and other services and business issues,” says Todd Rich- or 40 at the high level. “Now all those to major airlines. mond, Sabre’s vice president of strate- who asked for the low level are losing Sabre launched its SOA initiative in gic architecture. interest as they see what the high level can do,” he says. The architecture is complex. Rich- Sabre’s SOA Takes Flight mond’s team defined very terse XML Sabre’s SOA abstracts in-house IBM TPF and NonStop reservation systems and data and presents them as Web services based on the OTA’s XML standard. It also consumes and presents XML content from descriptions that are passed to services suppliers. Orchestration, management, and integration functions were all developed in-house. over an IBM MQSeries message queue or within a CORBA message. Sitting on In-house session manager top of the system are a set of services and aggregator that manage session, state, and transac- - Session management SERV - State management tion flow as data moves from Sabre’s WEB IC Internet ES Sabre customer - Transaction flow management IBM TPF (Transaction Processing Facil- - Rules engine ity) mainframes to open systems and - Service orchestration Third-party service then back out to the customer. So far, Sabre has done most of its SERV SERV back-end integration in-house, although WEB WEB IC IC Sabre customer it is looking to transition to tools from ES ES GARY STRENG Legacy TPF SeeBeyond — now a division of Sun system Microsystems. Sabre engineers have Legacy NonStop system also developed an aggregator that takes48 INFOWORLD.COM 11.07.05
  17. 17. an incoming request, parcels it out to “We sent our TPF and assembly lan- problems. Still, many challenges still liethe appropriate servers and applica- guage programmers to C++ school ahead in Sabre’s ongoing SOA efforts.tions, and uses a rules engine to tailor a because we thought that object-orient- “We have substantial transactionsresponse based on the particular cus- ed methodologies wouldn’t be difficult through our Web services gateway,”tomer’s contractual agreement. for people so experienced in the appli- Richmond says. “Do we push all the Many customers receive messages cation,” Richmond says. “The result is way off TPF or continue investing infrom Sabre as standard XML based on that we made some of the common TPF for the parts that run effectivelythe Open Travel Alliance (OTA) stan- errors that novice object-oriented pro- there? What we do with SOA is verydard ( Others still grammers make and did some other much tied to that decision. We also haveconnect over the same private links they stupid things. Now, we’ve had to go a lot of mom-and-pop travel agenciesused in the past, including teletype, X.25 back over it all and do a better job.” that are not necessarily interested inconnections, and an old UN/EDIFACT Richmond says Sabre also learned Web services and airlines with interna-(United Nations Electronic Data Inter- over time that someone has to have an tional locations [that are] still usingchange for Administration, Commerce, end-to-end view of transactions in 386 systems over 2400-baud lines. Ourand Transport) standard. This mix of order to ensure that infrastructure and strategic vision is there, but the rate atnew technologies and legacy systems application developers will work which we get there is in flux based onhas proved challenging in many ways. together to troubleshoot customer these business realities.”
  18. 18. “We had to do a lot of retraining and evangelism about SOA principles.” — Christopher Crowhurst, Thomson Learning Thomson Prometric Rethinks Processes services necessary to support them. Eventually, Crowhurst and his staff came “The biggest challenge we’ve faced in creating an SOA has been up with five services, which he calls Who, What, Where, When, and How. identifying exactly what a service is,” says Christopher Crowhurst, “Who is the customer; What exams vice president and chief architect at Thomson Learning. “Under- will they take; Where and When will they take them; and How will we collect standing what the business is doing, converting that to a set of ser- the fee — all our registration systems vices, and working out how to expose applications, when suddenly there was performed those functions in one way those services in a granular, extensible a eureka moment in which we realized or another,” Crowhurst says. way so that you’re not constantly break- we could create an abstraction between The next step was to define an XSD ing consumers’ interfaces — we learned all the different applications using (XML Schema Definition) that that many people just can’t do it.” XML. This triggered a whole process to described those processes and to build Thomson Prometric, a division of complete the design and was the gene- a set of SOAP interfaces. But, accord- Thomson Learning, is a leading sis for thinking about a whole SOA ing to Crowhurst, it was also tough to provider of technology-based testing environment,” Crowhurst says. get everyone’s hands around REST and assessment services, including At first, Crowhurst presented the idea (Representational State Transfer). GRE, TOEFL, GMAT, and Cisco certi- to Thomson Prometric CEO Michael “It requires a very different skill set fications. In total, it administers Brannick as a way to save money, but than what programmers are used to,” approximately 4,000 tests to 8 million Brannick had different goals. “He under- Crowhurst says. “People kept coming up people in 120 countries worldwide. stood the power of what we were doing with fine-grained RPC-style interfaces The company grew via acquisitions of and kept challenging us to do more,” that were no more extensible than what many smaller testing companies, each Crowhurst says. “He said, ‘I don’t want they were doing back in the CORBA, of which came with its own test centers you to save me money. I want you to COM+, object-oriented world. We had and test scheduling and registration make me money.’ It was very challeng- to do a lot of retraining and evangelism systems. Radical change was needed. ing, but a great time to be involved.” about SOA principles.” “I was sitting in a meeting with a As the SOA project got under way, The orchestration tier was built in number of project managers talking Crowhurst’s team spent many painful Microsoft BizTalk Server 2004, using about how to enable cross selling and months analyzing core business its BPEL (Business Process Execution reduce the number of contact center processes and attempting to identify the Language) tools. Tools from Actional provide SOA management, while secu- Integrating Disparate Systems Through Services rity is handled by XML gateway appli- Thompson Prometric’s SOA abstracts five core functions from its numerous test scheduling registration ances from Reactivity. systems and presents them to the user as a single registration interface. “At that time, all the WS-* standards were young, so we decided to abstract security, management, and orchestra- Actional SOA management framework tion to the three platforms [Reactivity, Customer SERV Actional, and Biztalk] and let the ven- Microsoft BizTalk Server WEB IC Internet dors keep up with the latest standards. ES 2004 Orchestration Now if someone says, ‘I want to use a Reactivity XML Security Gateway SERV Who, What, When, SERV new security standard,’ or ‘I want to use Where, How surname instead of last name as a WEB WEB IC IC ES ES descriptor in this field,’ we can just Customer make a configuration change instead of GARY STRENG doing a lot of recoding,” Crowhurst says. Test scheduling and reservation The next step will be further consoli- system dation. “We can view the business as50 INFOWORLD.COM 11.07.05
  19. 19. one, but there are still multiple systems behind us,” Crowhurst says. “We need to Verizon Goes Back to the Workbench collapse all those systems, migrate all To overcome its SOA roadblocks, Verizon had to build an entire SOA those legacy dependences into new ser- vices, and end-of-life the old registration operational infrastructure virtually from scratch — and it has the systems. We’ve done that successfully patents to prove it. “As a technology, Web services are great, but today’s with one, and we have three more to go.” For shops that are just getting start- standards don’t have nearly enough operational infrastructure ed with SOA, however, Crowhurst around them,” says Shadman Zafar, is that SOA risks simply becoming a stresses the importance of acquiring, Verizon’s senior vice president of toy for the developer.” training, and developing the right peo- architecture and e-services. “You can As have many other SOA implemen- ple to get the job done. end up with a plethora of Web services tations, Verizon’s started after a merger “Get a core group of architects and but no awareness of which of them are — in this case, the GTE/Bell Atlantic senior developers to understand, where and provide what function — merger that created Verizon. embrace, and buy into the strategy,” he and most important — which have the “I was tasked to integrate the two IT says. “And train. SOA requires a com- right kind of capacity and SLA to be departments to achieve strong synergy plete change in process and thinking.” usable by what and whom. The result targets,” Zafar says. “During our initialADVER
  20. 20. “We picked out 500 business functions and targeted them.” — Shadman Zafar, Verizon research, we found that many of our approval before they were started. If but also adds management capabilities. core business functions were imple- any of the functions were one of those For example, if one development team mented anywhere from five to 30 times 500 core business functions we had built an address-validation service that across different applications.” identified, or we found another suitable it wanted to expose to other applica- Verizon set out to use SOA to reduce business object, the team would have to tions, it could download a lightweight support costs by consolidating these implement it as a Web service. Once the agent onto its server that would regis- core functions from 20 or 30 imple- project was completed, it would go ter the Web service and its capacity and mentations to one or three, in each case. through a tactical architectural assess- define an SLA inside IT Workbench. The first step was to spend months ment session that would verify the Web After services have been registered, identifying roughly 500 key business services were built before giving clear- developers can go to the central directo- functions that were used over and over ance to go into production,” Zafar says. ry to find ones with their specific require- again for many applications. But as developers began building ments. For example, they can search for “We didn’t go through 10 million Web services, the operational road- a service with the capacity to support lines of code. We picked out 500 busi- blocks became clear. “There was a lot of 100,000 transactions per day with less than a two-second response time and a A One-Stop Shop for IT Services commitment to be available 99.8 percent Verizon’s IT Workbench system allows developers to locate services and register their own, complete of the time from 8 a.m. to 12 p.m. with service-level agreements that establish charge-back fees for service usage. Accounting and billing are also in place, Plug-in so the service provider can charge for Portals SOAP IT WORKBENCH services usage — another incentive to use SOA. (intranet, - Security extranet) Distributed runtime brokers - Orchestration “It started with onesies and twosies,” - Logging Zafar says. “But when it hit 10,000 - Performance SOAP - Usage transactions per month, [SOA] sud- B-to-b (apps, SOAP SOAP - Notification denly took off with exponential growth. interfaces) - Configuration Now it’s used in almost 10 million Service consumers Verizon apps Packaged apps transactions per day.” Service consumers SERV What’s more, any reluctance to SERV expose code has virtually disappeared. WEB IC WEB IC ES ES According to Zafar, developers are now competing to get others to use .Net, J2EE ERP, financials, others their services, as a way of gaining recognition within the company. The ness functions and targeted them,” resistance to using the services because most-used services are listed on the IT Zafar says, citing examples such as the of the lack of standards around four Workbench portal with the author’s credit check service, the telephone essential operational pieces: SLAs, name and photo. number engine that provides new cus- accounting, billing, and capacity man- “Before, people would say, ‘This is my tomers with telephone numbers, and agement. People weren’t willing to code, use your own,’ ” Zafar says. “Now the address validation service. “An entrust their mission-critical applica- they’re reaching out to each other over ordering system might go through four tions to each other,” Zafar says. the weekends, saying, ‘Why don’t you or five of these key components.” Developers were also very reluctant to use this service I built,’ so they can be Getting these 500 Web services built expose the code they had worked so hard more popular on the IT Workbench required deploying SOA not just as a to produce. In many cases, one develop- portal. In fact,” he adds, “developers are methodology, but as an IT governance er wouldn’t even know what infrastruc- trying to push applications as Web ser- principle. “We implemented a process ture the other Web services were using. vices that are not suitable because they GARY STRENG whereby all development projects To address these issues, Verizon built have few or no logical consumers. It’s an would have to go through a strategic IT Workbench, an infrastructure layer interesting social phenomenon that I architectural assessment session to get that houses the Web services directory never anticipated.”52 INFOWORLD.COM 11.07.05