
SOA Implementation:

HP IDM Case Study

May 24th, 2005


Ranil Dassanayaka, Client/Solutions Principal, HP
Anjali Anagol-Subbarao, Chief Architect, IDM, ebusiness,
HP
© 2004 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Agenda

• Challenges for HP IT’s Identity Management System
• Solution/Benefits through SOA
• SOA Architecture
• Lessons Learned

February 13, 2009 2


Challenges

Challenges for HP’s IT IDM system
• HP-IT's identity management system hosts 21 million users and is growing at a rate of 700K users a month.
• Many ways to do registration, which increased the cost of implementation
• Non-standard protocols
• Tight coupling between client and server
• Only web access management
• Access through different web sites, which caused security issues



Custom pipes to provide IDM functionality

[Diagram. Labels: End-User Web Browser; External Firewall; DMZ; Registration Web site, API Web services Site and HP Passport Site, each with an auth plugin; HP Passport Components; Registration Server; Internal Firewall; Web Services; Validator; App Server Cluster; Database.]



SOA Solution

How did we resolve the challenges
• To address the HP identity and access
management challenges
− HP-IT is implementing identity services through an SOA
model.
− Implemented registration, authentication, authorization
and federation services
− The identity services were hosted centrally and all
external facing web sites could consume these common
services
• Loosely coupled
• Interoperable across many OS/app/web servers
• Uses standard protocols



SOA-based Architecture

[Diagram. Labels: End-User (Web Browser); Device; Rich Client; Enterprise Customers Web Service; External Firewall; DMZ; Registration Web Services; Authentication / Federation Services-1; Authorization Services-2; HP Passport Components; Registration Server; Internal Firewall; Web Services; Validator; App Server Cluster; Database.]



Benefits
• Enabled new business opportunities
− Cross selling, up selling between SMB and enterprise storefronts
• Enabled extended enterprise
− Identity services gave partners/outsourcers more seamless access to HP
− Extended functionality beyond web access management
• Achieved a Cost Reduction of 50%
− Leveraged IDM to reduce business costs through identity services
− Used standard protocols and loose coupling
• Risk Mitigation
− Security breaches avoided, as one registration, authentication service is used throughout the company
− Federation helped in maintaining regulatory compliance



SOA Architecture

HP-IT Reference SOA

[Diagram: layered reference architecture. Layers, top to bottom: Service Consumer/Presentation (Web Portal, Rich Client, Desktop Rich Client, Mobile Device, Email, Voice); Business Process Management (process automation, service orchestration, rules engine); Business Services; Component Services (Application / SOI / Data / Utility Services); Business Resources (ERP, CRM, Custom, Packaged Apps & Legacy); Enterprise Information Stores (Transactional, Content, Referential, Analytical, Operational); Infrastructure (virtualized infrastructure and provisioning). Side labels: Identity Service; Management and Governance (Web Services Management; Gov of Services & Gov of Usage: Policy, Classification, Compliance throughout lifecycle; Policy, Meta Data, and QoS); Service Registry & Repository; Integration Principles; Enterprise Semantics; Management Service; Monitoring Service; Security Service; Infrastructure Service.]



Identity Access Layer provides abstraction in SOA – Burton Group

[Diagram. Consumers of Identity Operations: Federated domains; Applications; Identity and policy administration. Services: Federation; Authentication & Authorization; Query & Update; Personalization & Visualization; Security. Bottom layer: Underlying Identity Components.]



HP-IT Identity Services Overlaid

[Diagram: the Burton Group identity access layer with HP-IT services overlaid. Consumers of Identity Operations: Federated domains; Applications; Identity and policy administration. Services: Federation; Authentication & Authorization; Query & Update; Personalization & Visualization; Security. HP-IT services shown: Federation; Login; EditProfile; getUser; Password Management; Web services Validate; UpdateCredentials. Bottom layer: Underlying Identity Components.]


Lessons Learned

HP Best Practices Established for SOA

• Designing for interoperability
• Follow standards – SOAP, WSDL
• Follow WS-I Basic Profile – to ensure interoperability between J2EE and .NET
− Avoid <wsdl:arrayType> in WSDL
− Use one message mapped to one operation
− Use one part in a message



HP Best Practices Established for SOA

• Publishing enduring Web services contracts
− Design the contract (the WSDL) first, as it is the contract between you and the customer, like all other contracts
− Version your contracts – once you have a contract, you need the ability to version it in order to add functionality or conform to a new specification
− Loosely couple the web services producer to the web service consumer



HP Best Practices Established for SOA

Establish the Infrastructure to support SOA ecosystem to provide Scalability, Security, Manageability

[Diagram. Labels: Business Process Management; Dynamic Rerouting and transformations; Web Services Management; Lifecycle Management; Security; Business Logic; Enterprise Systems.]



Use Frameworks to support SOA

• Dealing with complexity

− Standards do not specify how to deal with the complexities of
designing and implementing modular, reliable, scalable and high
performance services

• Frameworks
− “Productize” best practices and provide a foundation to
developers for creating services
− Repeatability and consistency
− E-Biz SSA framework for designing and implementing services
− E-Biz WPA framework for UIs that consume services



Call to action

• Look at http://openview.hp.com for the OpenView Products
• Access DRC portal at http://devresource.hp.com for Web services, SOA, life cycle development tips
• Look at http://www.oasis-open.org/home/index.php for OASIS sp
• Refer to J2EE Web Services on BEA WebLogic by Anjali Anagol-Subbarao at http://www.amazon.com



For More Info…
J2EE Web Services on BEA WebLogic, by Anjali Anagol-Subbarao



Backup Slides

Interoperability

Problem Statement for Interoperability
• Needs to be integrated with applications accessible to customers
• Integrate with disparate applications based on J2EE, .NET and Visual Basic, Siebel, BEA WebLogic, Axis SOAP Engine, etc.
• Issues with interoperability
− Using <wsdl:arrayType> in WSDL
− Using many messages mapped to one operation
− Using many parts in a message



WS-I Basic Profile considerations
• Avoid <wsdl:arrayType> in WSDL
− Instead use minOccurs and maxOccurs
    <complexType name="eProfileHeader">
      <sequence>
        <element maxOccurs="1" minOccurs="1" name="ApplicationID" type="xsd:string"/>
        <element maxOccurs="1" minOccurs="0" name="LanguageCode" type="xsd:string"/>
        <element maxOccurs="1" minOccurs="0" name="HPPID" type="xsd:string"/>
        <element maxOccurs="1" minOccurs="0" name="SiteMinderSID" type="xsd:string"/>
        <element maxOccurs="1" minOccurs="1" name="TemplateID" type="xsd:string"/>
      </sequence>
    </complexType>

• Need to specify order of parts
− When there are many parts in a message, an optional parameterOrder element cannot be null – this results in a warning in WS-I



WS-I Basic Profile considerations (2)
• Keep one-to-one relation between message and operations
− Many messages going to one operation results in a warning in WS-I Basic Profile
    <operation name="createProfile">
      <documentation>
        Creates the user profile based on the user profile attributes
        received in the request.
      </documentation>
      <input
          message="eprofile:createProfileRequestMessage"
          name="createProfileRequestMessage"/>
      <output
          message="eprofile:createProfileResponseMessage"
          name="createProfileResponseMessage"/>
    </operation>

• Avoid xsd:anyType as it causes interoperability issues
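
The checks from the two WS-I slides above, as an added example (not HP's tooling and not the WS-I test tool): a small lint that flags wsdl:arrayType, messages with more than one part, xsd:anyType, and a message referenced by more than one operation. The function name, the rule labels and the sample WSDL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
W = "{http://schemas.xmlsoap.org/wsdl/}"  # WSDL 1.1 namespace in ElementTree form

def lint_wsdl(text):
    """Return sorted (rule, name) findings for the issues listed on the slides."""
    root = ET.fromstring(text)
    findings = set()
    for el in root.iter():
        if W + "arrayType" in el.attrib:                    # SOAP-encoded array
            findings.add(("arrayType", el.attrib[W + "arrayType"]))
        if el.get("type", "").split(":")[-1] == "anyType":  # textual match on the QName
            findings.add(("anyType", el.get("name", "?")))
    for msg in root.iter(W + "message"):
        if len(msg.findall(W + "part")) > 1:                # many parts in a message
            findings.add(("multi-part", msg.get("name")))
    users = defaultdict(set)                                # message -> operations using it
    for op in root.iter(W + "operation"):
        for io in op.findall(W + "input") + op.findall(W + "output"):
            if io.get("message"):                           # binding operations carry none
                users[io.get("message").split(":")[-1]].add(op.get("name"))
    findings.update(("shared-message", m) for m, ops in users.items() if len(ops) > 1)
    return sorted(findings)

# Constructed WSDL fragment with one instance of each issue (not HP's contract).
SAMPLE = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="urn:example">
 <types><xsd:schema>
  <xsd:attribute ref="soapenc:arrayType" wsdl:arrayType="xsd:string[]"/>
  <xsd:element name="blob" type="xsd:anyType"/>
 </xsd:schema></types>
 <message name="createReq">
  <part name="hdr" element="tns:h"/><part name="body" element="tns:b"/>
 </message>
 <message name="createResp"><part name="out" element="tns:o"/></message>
 <portType name="eProfile">
  <operation name="createProfile">
   <input message="tns:createReq"/><output message="tns:createResp"/>
  </operation>
  <operation name="editProfile">
   <input message="tns:createReq"/><output message="tns:editResp"/>
  </operation>
 </portType>
</definitions>"""

if __name__ == "__main__":
    for rule, name in lint_wsdl(SAMPLE):
        print(rule, name)
```

Running such a lint when the contract is published catches these issues before any consumer binds to the WSDL.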



Easier and quicker integration with applications
1. Interoperable with Siebel PRM with no run time issues, after certifying Web service with WS-I tool
2. Testing decreased with new applications because troubleshooting issues was easier
3. Decreased time to integrate and improved confidence in applications being integrated
4. Configuration testing was eliminated. As the WSDL was WS-I compliant, there was no need to test with clients like .Net, VB, J2EE - BEA WebLogic, Siebel, Axis.
5. Eliminated the development time for creating these clients



Designing WSDL

First design the interface
• Use WSDL editors (XMLSpy) to create WSDL (for the validateConfig service)
• Three abstract definitions - types, messages and port type
• Two concrete definitions - binding and service



Versioning

Design considerations for Versioning
• Leverage XML Schemas

• Patterns to facilitate Versioning

• Naming Convention

• Deployment Strategy



Details of versioning
• Using date stamp as part of the target namespace of your XML Schema.
    <SOAP-ENV:Body>
      <m:inValidateConfigv1_2
          xmlns:m="http://production.psg.hp.com/types/2004/02/04">
      …..
    </SOAP-ENV:Body>

• Use different end points in WSDL

• Use different operations



Versioning Lifecycle
1. Build transition plan
2. Make Changes to Service.
3. Test new Service version
4. Implement new Service version.
5. Add/publish new Service version to WSDL descriptions,
UDDI registries, etc.
6. Notify known Consumers of new Service version and
transition plan
7. Run Service versions in Parallel
8. Set Date for Retirement of older Service version
9. Notify known Consumers of retirement
10. Remove old Service version from descriptions, registries
etc. to stop new consumers discovering and using.
11. Remove functional behavior of old Service. Only return
appropriate error message
12. Retire old Service. Physically remove old Service
version.
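
The date-stamped namespace from "Details of versioning" combined with steps 7 and 11 of the lifecycle above, as an added example (not HP's code): a dispatcher that routes on the namespace of the SOAP body element, answers a retired version with a fault only, and rejects unknown namespaces instead of falling through to a default handler. The 2005/03/01 namespace, the state table and all function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Namespace -> lifecycle state. The 2004/02/04 namespace is the one on the slide;
# the 2005/03/01 namespace is constructed to stand for a newer contract version.
VERSIONS = {
    "http://production.psg.hp.com/types/2004/02/04": "retired",
    "http://production.psg.hp.com/types/2005/03/01": "active",
}

def fault(text):
    # Fixed strings only: nothing from the request is reflected into the response.
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s"><SOAP-ENV:Body><SOAP-ENV:Fault>'
            '<faultcode>SOAP-ENV:Client</faultcode><faultstring>%s</faultstring>'
            '</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>' % (SOAP_ENV, text))

def route(envelope):
    """Return ('ok', namespace) for an active version, otherwise ('fault', xml)."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return "fault", fault("malformed envelope")
    body = root.find("{%s}Body" % SOAP_ENV)
    payload = list(body) if body is not None else []
    if len(payload) != 1 or not payload[0].tag.startswith("{"):
        return "fault", fault("expected one namespaced body element")
    ns = payload[0].tag[1:].split("}")[0]
    state = VERSIONS.get(ns)
    if state == "active":
        return "ok", ns                      # hand off to that version's handler
    if state == "retired":                   # lifecycle step 11: error message only
        return "fault", fault("service version retired")
    return "fault", fault("unknown service version")   # fail closed

def sample_request(ns):
    # Constructed request shaped like the SOAP body on the versioning slide.
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s"><SOAP-ENV:Body>'
            '<m:inValidateConfigv1_2 xmlns:m="%s"/>'
            '</SOAP-ENV:Body></SOAP-ENV:Envelope>' % (SOAP_ENV, ns))

if __name__ == "__main__":
    for ns in list(VERSIONS) + ["urn:example:unlisted"]:
        print(ns, route(sample_request(ns))[0])
```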
Security

Key Security Elements
• Secured the Web services using Transport Level Security – 2 way SSL
− Creates performance issues
• Now Web services can be secured using message level security - WS-Security



Performance/Security and Web services
• Performance numbers without SSL
• Performance numbers with SSL -- degradation of approx 30%

Transaction Name      Minimum  Average  Maximum  Std    90 Percent  Pass
AB_request            0.578    2.168    34.75    2.9    3.928       1,449
placeOrder_request    3.688    6.367    29.344   2.931  9.53        193
VC_request            0.719    2.172    24.078   2.252  3.804       10,080



Performance

Enhancing the performance
• Making XML more efficient
− Use StAX parser
− XML Beans for XML to Java Binding (now part of Apache open source)
− XML accelerators from HP
• Making SOAP more efficient
− SOAP parsers
• Measurements showed the BEA SOAP engine 72% faster than Apache Axis
− SOAP with attachments
