Open standards in a Web services world

14/12/2005 09:43:48

Historically, IT systems have been plagued with interoperability problems that have forced manual business processes to be employed across multiple different technologies in order to manage them, but standardisation and interoperability are nothing new. The Industrial Revolution introduced standards, and manufacturing processes benefited from interchangeable, standardised parts and systems.

To quote Karl Kruszelnicki in a recent article on the ABC Science Web site [1]: "...In the Industrial Revolution, it soon became obvious that threaded fasteners made it easier to assemble products, and they also meant more reliable products. But the next big step came in 1801, with Eli Whitney, the inventor of the cotton gin. The lathe had been recently improved. Batches of bolts could now be cut on different lathes, and they would all fit the same nut...The next invention was by Henry Maudsley, an English inventor. He built a lathe that could cut screws of any diameter...Between 1800 and 1810, his invention dragged the art of making threads into modern engineering practice. In 1841, Joseph Whitworth delivered his paper A Uniform System of Screw-Threads to the Institution of Civil Engineers. In 1964, the International Organisation for Standardisation adopted two thread systems for the whole world -- the ISO Inch Screw Thread System, and the ISO Metric Screw Thread System..."

More recently, the Internet itself can be seen as a standardised delivery platform for content, data and media across "standard" protocols such as the Hypertext Transfer Protocol (HTTP), even though the Web servers running the services come from a plethora of different vendors, both open source and proprietary in origin.

There are many ways to achieve interoperability, including (1) designing products with intrinsic interoperability-enhancing functionality, (2) implementing industry standards (open standards and/or proprietary standards) in products and services, (3) licensing an organisation's intellectual property to other parties that wish to interoperate, and (4) industry collaborations.

This paper aims to discuss open standards, and particularly emerging Web services standards, as an enabler of business and government success, together with industry adoption of two particular standards: WS-Federation and WS-Management.

Web services background

In many cases, interoperability between existing and new IT systems is accomplished through custom development and/or solutions built for particular organisations and particular legacy systems. Often vendors themselves struggle to offer products and solutions because of the prevalence of proprietary interfaces and, in some cases, workarounds must be developed to address the needs of the customer while at the same time attempting to comply with the technical requirements of the product or technology that must be interoperated with.

Of course, the need to create such individualised solutions for each interoperability issue results in ever-increasing complexity. Businesses and government agencies - even large companies - face significant cost and resource limitations as they struggle to keep up with the documentation, testing, and minute technical details required by this approach.

Services Oriented Architecture (SOA) [2] was born out of the need for a more modular enterprise architecture, one that allows a service to be coupled to or decoupled from the architecture or solution without necessarily affecting existing working components. This style of architecture gives businesses tremendous flexibility to choose the best services for their needs and to integrate or remove them as necessary. To explain this better, think of a leave request as a business process, where the manual paper leave request form is a standard message with a standard schema exchanged between an HR "service" and an employee "service". Suppose the HR service is replaced and moves to an outsourced model: provided the new outsourced HR service accepts and correctly processes the standard form from the employee service, without changing anything else, we have essentially achieved a modular service architecture.

While this is a nice thought, in reality there are a few major hurdles preventing it -- namely the lack of standardised interfaces, protocols and schemas that would allow this interoperability to occur.

To address these system complexity and cost issues, the IT industry has been developing and deploying a new generation of software that actually builds interoperability-enhancing functionality based on eXtensible Markup Language (XML) directly into the software.

This "interoperability by design", in turn, enables the more direct and efficient sharing of information across many different kinds of software. For example, when two systems exchange a standard document such as a purchase order (assuming a standard schema), if the attributes of that document are described in XML, then any receiving XML-based system can use that description to translate and use the enclosed information in a seamless fashion. Note, however, that in some scenarios direct exchange between different applications is not possible using XML alone.

XML as the standard data language is also serving as the foundation for "Web services", on which dozens of companies in the industry, including IBM, Sun, Microsoft, Oracle and BEA, are collaborating in order to provide an Internet-based set of protocols for distributed computing. As part of this collaborative effort, numerous IT companies have invested significant resources to ensure that Web services implementations from different companies really are interoperable.

This has involved industry workshops, extensive testing, revision of specifications in the face of experience, and even setting up an industry body known as WS-I to help ensure interoperability.

Web services themselves have been in the marketplace for around two years now, so the benefits are obvious. Loosely coupled, platform- and language-independent services running across "internet standard" protocols supported by nearly every vendor make interoperability a reality -- and a promise that sounds too good to believe.

Many would say that standardised communications and interoperability need to happen in order for businesses to transform their business processes and to encourage adoption of business-enabling architectures such as SOA, which treats applications as services that can leverage information from other application services in order to reduce manual data duplication and streamline business activities.

Why can't this occur today? Because many products and solutions use proprietary interfaces and protocols that limit the ability for this to occur -- and Identity Management and Service Management are no different.

Identity management: a look at WS-Federation

Nearly every business and government agency has an Identity and Access Management problem. We have all seen it before on many occasions: multiple passwords to access multiple different systems and applications. In some cases employees are unable to remember them all and write them down, breaching security guidelines, and businesses are faced with a huge help desk cost from constantly resetting passwords for employees.

A NetworkWorld [3] article written in 2002 estimated that the percentage of help desk calls attributed to password resets was as high as 35 per cent -- though most agree that, depending on the organisation, between 20 and 40 per cent of all calls are password related. There's also the cost of initial account provisioning, of subsequent changes as the person moves roles within the organisation, and of eventual de-provisioning as the employee leaves -- and it should be noted that mature solutions do exist to perform this "lifecycle" component of identity management.

Requests for Tender (RFTs) are consistently released by organisations seeking a solution to the problem. Often companies and agencies seek to solve the full user pain (and subsequent cost) by asking for a Single Sign On solution, with the goal of a single username and password: after signing on to the workstation, all the applications "know" who the user is and allow access.

Another wonderful idea, but technically very difficult to achieve because proprietary standards and authentication protocols prevent federated interoperability. There are tools today that partially achieve this goal by assisting with the business process of provisioning and de-provisioning accounts and by allowing automated password resets to occur; however, the issues surrounding Single Sign On or "pass through" authentication still remain.

WS-Federation is a Web services standard that aims to address the customer frustration and pain of maintaining multiple different repositories of identity data, while allowing customers to keep using whatever protocols they need to use today. It is definitely not a "rip and replace" identity framework but allows for harmonious coexistence with the applications and operating systems in use today.

It's based on the premise of token-based authentication and a federated trust between authentication realms. An authentication realm is simply a security boundary for authentication, and the "federation trust" is a mutually acceptable set of user claims and an Access Control List (ACL) mapping, backed by authorities that verify the user's authentication and create tokens for access to the resource in the destination realm.

To make it easier to understand, let's use a scenario: Company "Adatum" is a very large global mining company. It wants to form a joint venture partnership with Company "Contoso", an engineering company that it is contracting to provide services around its mining contracts. The civil engineers of the two companies need some shared services in order to collaborate effectively on the projects, so they build an extranet with its own authentication, separate from both companies.

Without identity federation, each of these engineers would be required to log on explicitly to the extranet-based resources, causing additional administrative overhead and subsequent business cost. With identity federation, all that's required is to provision the user's account in their respective authentication realm and add them to the group within that realm that gives them access to the resources.

In Figure 1, users still log on to their own authentication realm (represented by the Account Partner Organisation) but need to access services in a second realm (the Resource Partner Organisation). The Resource Partner realm trusts user access from the Account Partner realm, and provided that users authenticated successfully there (and have appropriate access) they are allowed access to services and resources in the Resource Partner realm. The actual WS-Federation [4] standard is composed of several other Web services standards, such as WS-Security [5], WS-Trust [6] and WS-Policy [7], each of which is required to make the overall function work. For example, WS-Security is responsible for token issuance to the requesting client and the cross-check by the resource, WS-Trust is used to form the trust between the two (or more) federation servers, and WS-Policy is used for authorisation.
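As an added illustration (not from the article, the WS-Federation specification or any vendor implementation), the following Python sketch models the federation trust just described: the Account Partner's federation server issues a signed token carrying the user's claims, and the Resource Partner's federation server accepts it only if the issuing realm is one it trusts, the signature and expiry check out, the token was issued for this realm, and the claims map onto its ACL. Realm names, keys, the HMAC-over-JSON token format and the "groups" claim are assumptions made for illustration; real deployments exchange WS-Security signed tokens (typically SAML).

```python
# Added example, not from the article: a minimal model of the federation trust.
# Realm names, keys, the HMAC-over-JSON token format and the "groups" claim are
# constructed for illustration; real WS-Federation deployments use signed SAML tokens.
import base64, hashlib, hmac, json, time

def _sign(key, payload):
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()

class FederationServer:
    """Federation server for one authentication realm (one security boundary)."""
    def __init__(self, realm, key):
        self.realm, self.key = realm, key
        self.trusted = {}   # partner realm -> key used to verify tokens it issues
        self.acl = {}       # resource -> {(partner realm, group claim)} that may access it

    def trust(self, realm, key, resource, group):
        """Record the mutually agreed claim-to-ACL mapping for a partner realm."""
        self.trusted[realm] = key
        self.acl.setdefault(resource, set()).add((realm, group))

    def issue_token(self, user, groups, audience, ttl=300):
        """Account Partner side: after local logon, issue a token for the Resource Partner."""
        claims = {"iss": self.realm, "aud": audience, "sub": user,
                  "groups": list(groups), "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.b64encode(body).decode() + "." + _sign(self.key, body)

    def authorize(self, token, resource, now=None):
        """Resource Partner side: verify the token against the trust, then the ACL."""
        now = int(time.time()) if now is None else now
        try:
            b64body, sig = token.split(".", 1)
            body = base64.b64decode(b64body, validate=True)
            claims = json.loads(body)
        except ValueError:
            return False                       # malformed token
        if not isinstance(claims, dict):
            return False
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return False                       # no federation trust with the issuing realm
        if not hmac.compare_digest(sig, _sign(key, body)):
            return False                       # forged or altered token
        if claims.get("aud") != self.realm or claims.get("exp", 0) <= now:
            return False                       # issued for another realm, or expired
        allowed = self.acl.get(resource, set())
        return any((claims["iss"], g) in allowed for g in claims.get("groups", []))

def demo():
    """The Adatum extranet scenario: an Adatum engineer reaches the extranet's projects."""
    adatum = FederationServer("adatum.example", b"adatum-signing-key")
    extranet = FederationServer("extranet.example", b"extranet-signing-key")
    extranet.trust("adatum.example", adatum.key, "/projects", "civil-engineers")
    token = adatum.issue_token("alice", ["civil-engineers"], audience="extranet.example")
    return extranet.authorize(token, "/projects")
```

The checks in authorize are the ones that matter operationally: a token from a realm with no trust, a token altered in transit, a token replayed into a different realm, or an expired token is rejected before the ACL is consulted.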

Microsoft implements the WS-Federation passive requestor profile [8] in Windows Server 2003 R2, which allows browser-based applications to access resources in other authentication realms. Figure 2 highlights the process that occurs when a client needs to access a resource in another authentication realm, across its own security boundary. In this example the client requestor attempts to access the resource; because its identity has not been verified by that resource, it is redirected to its own Federation Server to authenticate and obtain an access token (1), which can then be verified by the resource's Federation Server (2), which in turn generates the appropriate token in order to prove identity (3) to the resource. Because each of the Federation servers has established trust based on a mutual agreement, the access is allowed.

Infrastructure management: a look at WS-Management

Just as with identity management, businesses have multiple different applications, operating systems and hardware. As service level management becomes important to the business, demands are placed on IT departments to ensure that services experience minimal disruption. Often technologies are sought to monitor these services; however, since nearly every product on the marketplace uses Application Programming Interfaces (APIs) that are often proprietary in nature, there is no one product that can effectively perform best practice management on every platform and technology.

It should be mentioned that the Simple Network Management Protocol (SNMP) is also an open standard that assists in providing service information. The two main problems with SNMP are that it is limited as a management interface and that in many companies it is seen as a security risk and disabled.

WS-Management [9], first released in June 2005, provides a scriptable interface and, like WS-Federation, is a conglomeration of standards such as HTTPS, SOAP over HTTP (WS-I profile), SOAP 1.2, WS-Addressing, WS-Transfer, WS-Enumeration and WS-Eventing. It is supported by major vendors such as AMD, Dell, Intel, Microsoft, Sun and others.

It provides a standard interface and a single Web transport protocol with which to query management interfaces, and allows a central management and alerting product to be used to manage the infrastructure and applications. While it is in draft form today, it will eventually be handed over to standards bodies for ratification.

Dave Mendlin, Director of web services at Microsoft Corporation, discussed WS-Management in a recent Microsoft PressPass interview [10]. "...With WS-Eventing, the Web services eventing protocol, you can connect it to a Web service that's running your ERP system because they are speaking the same language.

"Then you can, for example, have a printer automatically reorder toner or parts when needed. A projector that's bolted to the ceiling of a conference room can communicate with the ERP system to order a new lamp, using the same protocol it uses to file a trouble ticket in another system. It's all about having this common language for management events. While that has many benefits by itself, it also means you'll be able to connect your management systems with all the other Web services-based systems in your enterprise..."

To date, only Microsoft and Sun have implemented this: Microsoft in Windows Server 2003 R2, due at the end of calendar year 2005, and Sun in the recently released Solaris 10. To convey an understanding of the WS-Management web service, it's best to show an implementation rather than a reference specification. Microsoft actually implements WS-Management (see Figure 3) as a wrapper around existing instrumentation and management interfaces. It's a smart idea: nearly every product and platform in the marketplace already has some form of management interface, proprietary or otherwise, so wrapping a standards-based front end around it makes sense. The benefit is a standard interface, with both a common protocol and a common model for access, that allows full standards-based scripting as per the WS-Management standard, together with the ability to integrate and interoperate with anything that can query and work with the standard.
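As an added illustration (not from the article, the WS-Management specification or Microsoft's implementation), the following Python sketch shows the wrapper idea in miniature: the client builds a WS-Transfer Get request carrying WS-Addressing headers plus a WS-Management ResourceURI and SelectorSet, and a small wrapper on the managed host validates the request and maps it onto a local instrumentation lookup that stands in for an existing proprietary interface. The namespace URIs are the ones I understand the published WS-Management draft and its component specifications to use, and should be treated as this example's assumption; the resource URI, selector and instrumentation data are constructed.

```python
# Added example, not from the article: a WS-Transfer Get over WS-Management, and a
# wrapper that maps it onto an existing (here, constructed) instrumentation source.
# Namespace URIs are assumed from the published specs; resource data is made up.
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",            # SOAP 1.2
    "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",  # WS-Addressing
    "w": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd",    # WS-Management
}
GET_ACTION = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get"  # WS-Transfer Get
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_get(to, resource_uri, selectors, message_id):
    """Client side: one WS-Transfer Get addressed to a single management resource."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("a", "To")).text = to
    ET.SubElement(hdr, q("a", "Action")).text = GET_ACTION
    ET.SubElement(hdr, q("a", "MessageID")).text = message_id
    ET.SubElement(hdr, q("w", "ResourceURI")).text = resource_uri
    sel = ET.SubElement(hdr, q("w", "SelectorSet"))
    for name, value in selectors.items():
        ET.SubElement(sel, q("w", "Selector"), Name=name).text = value
    ET.SubElement(env, q("s", "Body"))          # a Get carries an empty body
    return ET.tostring(env, encoding="unicode")

# Constructed stand-in for a host's existing, proprietary instrumentation.
LOCAL_INSTRUMENTATION = {
    ("urn:example:printer/Consumables", "toner"): {"Name": "toner", "Level": "12"},
}

def handle(envelope_xml):
    """Wrapper side: check action and resource, then query local instrumentation.
    Transport security (HTTPS, caller authentication) and a hardened XML parser
    belong in front of this function in any real deployment."""
    root = ET.fromstring(envelope_xml)
    action = root.findtext("s:Header/a:Action", namespaces=NS)
    resource = root.findtext("s:Header/w:ResourceURI", namespaces=NS)
    selectors = {s.get("Name"): s.text for s in
                 root.findall("s:Header/w:SelectorSet/w:Selector", namespaces=NS)}
    if action != GET_ACTION:
        return None                              # only Get is wrapped here
    item = LOCAL_INSTRUMENTATION.get((resource, selectors.get("Name")))
    if item is None:
        return None                              # unknown resource: fault, expose nothing
    return item                                  # would be serialised as the GetResponse body
```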

Conclusion

The benefits are obvious. Web services enable a comprehensive set of standard interfaces through which disparate systems and applications can work together to provide leveraged access and interoperability between other systems and applications. They allow multiple concurrent scenarios to occur, in Business to Business (B2B) via direct application-to-application communication, in Business to Consumer (B2C) via rich clients accessing aggregated services, and in others. It's this standard mechanism for interoperability across standard transports and protocols that's important to businesses and to government.

True business value is derived by leveraging information and data to make clever business decisions that either create or save money. Through Web services, a Services Oriented Architecture can be established that leverages data from other services, reduces information islands and streamlines business activities that were previously manual processes because of the lack of standardisation within the products or technologies used.

References

(1) Kruszelnicki - http://www.abc.net.au/science/k2/trek/4wd/nuts1.htm
(2) Sessions (2003) SOA Understanding - http://www.objectwatch.com/newsletters/issue_45.htm
(3) Bort (2002) - http://www.networkworld.com/supp/security2/password.html. Statistic referenced was an estimate of one company's finding only.
(4) Microsoft Corporation, IBM Corporation et al (2003) WS-Federation Whitepaper - http://msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation.asp
(5) OASIS WS-Security v1.0 specification (2004) - http://www.oasis-open.org/specs/index.php#wssv1.0
(6) Microsoft Corporation, IBM Corporation, BEA et al WS-Trust specification (2005) - http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf
(7) Microsoft Corporation, IBM Corporation, BEA et al WS-Policy specification (2004) - http://specs.xmlsoap.org/ws/2004/09/policy/ws-policy.pdf
(8) Microsoft Corporation, IBM Corporation et al WS-Federation Passive Requestor Profile (2003) - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/passive-client-profile.asp
(9) Microsoft Corporation, IBM Corporation WS-Management Specification (2005) (PDF document) - http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-management.pdf
(10) Microsoft Corporation (2004) WS-Management Specification Press Release Article - http://www.microsoft.com/presspass/features/2004/oct04/10-08WSManagement.mspx

Michael Kleef is an IT Pro Evangelist working for Microsoft in Perth. He previously worked for a national systems integrator, focusing on Microsoft and Novell products.
