6.2 Web Services Networks

6.2.1 Definition

A Web services network (WSN) makes the deployment of Web services practical. Web services networks provide the infrastructure and services that the requesters and providers of Web services require in order to conduct business. These business-class services include non-repudiation of messages, guaranteed delivery, once-and-once-only delivery of messages, encryption of messages, and authentication of requesters and providers. In addition, Web services networks facilitate the connection of requesters and providers of Web services to each other and provide the ability to manage, control, and monitor the machine-to-machine (or application-to-application) interactions that are part of the Web services protocol.

The creators of Web services, using tools and platforms from companies such as IBM, Hewlett-Packard, BEA, and Sun, use the Web services network as a seamless part of their infrastructure, similar to how businesses today use telephone networks. Ideally, a WSN should not require any rework of code written to service-enable applications.

Table 6.1. Web Services Infrastructure

The following are infrastructure components of Web services:

  • Service Provision An application that provides services that are useful to business entities both within and outside an enterprise.

  • Service Toolkit A toolkit that exposes the useful business service in a standardized, Internet-accessible format.

  • Application Server A server that enables communication to the application and provides a run-time environment for the Web services aspect of the application.

If we look at the infrastructure components of Web services in detail (an overview can be found in Table 6.1), we can see three major components that need to be available in every case: a service provision, a toolkit, and an application server. An example of a service provision (as defined in the table) might be an application that tracks the inventory level of parts within an enterprise. This can provide a useful service that answers queries about the inventory level. These applications usually already exist within an enterprise (in the form of legacy applications) or may be developed from scratch using a Web services toolkit.

Web services toolkits are available from many companies. IBM [1] provides the Web services development environment, and Microsoft [2] provides its Visual Studio .NET toolkit. These toolkits can be used to expose the inventory-level query service as a Web service that can be accessed over the Internet by any other program. While IBM, Sun, and most of the others use Java for the development of Web services, Microsoft is using Visual Basic and C#. The toolkit also ensures that the service provides a standard set of interfaces, which are accepted by all the applications that want to use it.

[1] http://www.ibm.com/

[2] http://www.microsoft.com/

As for application servers, there are many different types available. Most of them are built on Java technology, except for Microsoft's. You can choose among the Tomcat [3] server from Apache [4], WebSphere from IBM, and WebLogic from BEA [5], just to name a few.

[3] http://jakarta.apache.org/tomcat/

[4] http://www.apache.org/

[5] http://www.bea.com/

6.2.2 Advantages

So far, no vendor of toolkits or Web services platforms has supplied solutions for providing the full spectrum of business-class Web services. Indeed, they can't supply these solutions because their model is to sell platforms at a customer's site that then connect to another platform (paid for by the second customer) on another site. The connection itself is point-to-point, and the quality of service provided is negotiated and provided by each platform at each end of the point-to-point connection. However, we live in a networked world; we want to connect to dozens, if not hundreds, thousands, or tens of thousands of such platforms. The "edge," or the platform at one end of the connection, cannot supply the solution that is valid across the entire network of connections. [6] Platform providers are tied to the so-called hub-and-spoke model [7], which is by necessity a proprietary solution.

[6] Grid computing is the solution for this set of problems. It is a largely non-proprietary approach to connecting vast numbers of computers into a pool of shared resources. Arising out of scientific research communities, Grid computing portends a flattening of the computational resources hierarchy, not unlike the flattening in organizational communications hierarchy caused by wide adoption of email.

[7] The hub-and-spoke model consists of the hub being a central or regional service center and the spokes being the services that could be integrated in such a center.

In a many-to-many world, platform providers have a difficult time scaling to meet the needs of the new Web services ecosystem. The cost of creating a hub and then connecting the spokes is much higher than the cost of plugging into a network like a Web services network. The ease of use both in deployment and in the operation of the Web services network is unmatched by platforms.

Web services are cross-departmental and cross-enterprise. They pose unique challenges in deployment, since the monitoring, tracking, and reporting of Web services interactions are not within the domain of a single department or enterprise. There is a need for an entity that is able to see the interactions at both ends of a Web services connection, both at the Web service provider's end and at the Web service requester's end. The functionality needed has been detailed in the section above. A Web services network meets all these needs.

As the use of Web services grows, enterprises require the ability to manage how their Web services are consumed, and the users of these Web services require the ability to manage and orchestrate their interactions with Web services. A Web services network that has visibility into both sides and can manage interactions is the best solution for an enterprise's needs.

6.2.3 Quality of Service

A successful infrastructure makes it quick and easy for authorized users to access the appropriate information and services while it remains well protected from intruders or unauthorized personnel. Businesses that fail to bolster their infrastructure to handle rising IP traffic can count on big problems, such as frustrated customers and business partners. Building an IT infrastructure that can handle current and future e-business demands has become a strategic initiative.

Building a stable infrastructure, however, is one of the greatest challenges IT managers face. Reconstructing the enterprise to meet demands of e-business will also be important over the next few years. Investments will go toward building combined voice/data networks that use high-bandwidth technologies such as Gigabit Ethernet, and integrating network management platforms, storage area networking, and wireless communications. Once these high-bandwidth networks are in place, businesses will focus on finding ways to make them perform better.

To ensure that the most critical applications receive the infrastructure services they need, companies increasingly are looking to two emerging technologies: Quality of Service (QoS) and policy management. These tools are designed to work around the "best-effort" performance that is an inherent quality of IP networks such as the Internet.

Without QoS, all services on the Internet are treated as equal; there is no way to allocate bandwidth or guarantee high performance for specific applications. This results in unpredictable and unreliable performance for all services, which could severely limit its growth and use, not to mention the development of future networked applications.

Web services networks can provide QoS guarantees and make the use of Web services (which may extend out to thousands of users) manageable. These QoS guarantees can be provided in security, reliability and manageability.

When a network and an application both incorporate QoS protocols, the application is able to request and receive predictable bandwidth or priority service. Policy management describes the use of rules, or policies, set by the enterprise to establish the level of service that will be granted to particular users or types of traffic. Companies that offer policy management technology include Lucent [8], Cisco [9], and Orchestream [10].

[8] http://www.lucent.com/

[9] http://www.cisco.com/

[10] http://www.orchestream.com/

These infrastructure technologies use different methods to meet the same goal: getting the best-possible performance out of an increasingly crowded Internet. And while content management, an additional technology, doesn't directly affect network performance, it is being integrated with caching, load balancing, and policy management systems with increasing frequency because it is a critical piece of the e-business infrastructure puzzle.

Delivering rich media content such as live presentations or video broadcasts further stresses the network infrastructure. These kinds of media especially require high levels of QoS to avoid breaking the visual or auditory experience, i.e., to prevent "stuttering."

6.2.4 Security

One of the biggest concerns with Web services is security. Many people fear that these personalized and automated services can create privacy issues by releasing information to the wrong people and services and without the consent of the user. Microsoft and its Passport service are probably best known for this situation. Microsoft offers the ability to store personal information, such as addresses and credit card information, on its servers, which can be pulled from online shops to reduce the need for retyping the information each time. While in theory a good idea, it means that Microsoft controls the information flow of these vital pieces of information. Many consumer advocates and service providers have balked at this prospect.

Communication via the Internet is, by default, open and uncontrolled. This conflicts with the needs of businesses and customers, which require privacy, confidentiality, and integrity in their transactions. The growing demand raises the awareness of security issues and concerns about conducting secure business via the Internet. News reports on Internet security are hypercritical and increase the fear that business on the Internet is dangerous. Network-based fraud is growing dramatically and has made Internet security a business issue, not just a technical issue, to be resolved in the IT departments of companies considering an Internet business strategy. Not surprisingly, as society becomes more dependent on network systems, information security will become even more of an issue.

A major problem is the identification of the users. In a real shop, a customer is identified by his or her appearance, but on the Internet everyone looks the same. Although it is possible to pretend to be someone else in real life, it is even simpler online. Nobody can be sure about the identity of the other person without deploying additional technologies. Neither is it possible to identify a single person or a company reliably. To make me-centric computing successful, it is necessary to automate many things, among them the identification of the communication partner. Only if this can be established does it make sense to create Web services that exchange information automatically.

To enforce information security, unauthorized access to electronic data on the business-critical systems of a company or the private systems at home must be prevented. Unauthorized access can result in the disclosure of information and the alteration, substitution, or destruction of content. Individuals and organizations that use computers can describe their needs for information security and trust in terms of five major requirements: confidentiality, integrity, availability, legitimate use, and non-repudiation.

Confidentiality is necessary to control who gets to read the information and to conceal the information from all others. Integrity assures that information and programs are changed only in a specified and authorized manner, and that the data presented is genuine and was not altered or deleted during transit. Availability ensures that authorized users have continued access to information and resources. Legitimate use means that resources cannot be used by non-authorized persons or in a non-authorized way. Repudiation is defined as "the rejection or refusal of a duty, relation, right, or privilege." If an electronic transaction is viewed as a binding contract between two parties, a repudiation of the transaction means that one of the parties refuses to honor its obligation to the other as dictated by the contract. Thus, non-repudiation can be defined as the ability to deny a false rejection or refusal of an obligation with irrefutable evidence.

These five requirements may be weighted differently depending on the particular application. In some cases, integrity is more important than legitimate use; in other cases, confidentiality is very important, while the availability of the system is not a problem. A risk assessment must be performed to determine the appropriate mix of requirements. A number of different technologies can be used to ensure information security. These technologies exist, but need to be implemented in a wider security strategy, as the processes around security are probably even more important than the technology itself.

6.2.5 Reliability

Reliability refers to the fact that a Web service works in the way that it is intended to work for a business in all reasonable circumstances. The messages passed back and forth during a Web service life cycle should be delivered to the right receiver(s), in the right amount of time, in the right order, and the right number of times under all reasonable circumstances. If for some reason any message is not reliably delivered, then the sender, receiver, or manager of the Web service should be alerted to the fact. The Internet does not even try to guarantee this reliability.

Web services networks have to guarantee reliability building on top of standard Internet protocols. They should impose no special requirements on applications while doing so. The most important aspects of reliability are guaranteed delivery, non-repudiation, and once-and-once-only delivery.

A Web services network should provide the guarantee that once a message is sent over the Internet as part of a Web services interaction, it reaches the intended recipient. Time-outs and resends should be handled automatically and transparently. The capability to queue messages to be delivered when the receiver is able to accept them should be provided. Guaranteed delivery implies that an application can make a request to send a message and not have to write state-keeping routines that check whether a message has reached its intended destination with the intended results.

Once a Web services network is able to implement guaranteed delivery, in conjunction with its authentication capabilities and the keeping of records within the network, it can guarantee that a recipient cannot repudiate a message that the recipient received and also that a sender cannot repudiate a sent message. The customer order information can be kept within the network, in the scenario above, so that even if the customer's systems do not record the sending of an order via the Web service at the manufacturer's site, the network will be able to prove that was indeed the case.

A Web services network has to guarantee that a message that is intended to be delivered once should be delivered (guaranteed delivery) and should not be delivered more than once. If a message is delivered more than once, it could have a major impact on the reliability of the service. Imagine a bank that would execute a money transfer five times instead of once or an online shop that would send you seven books instead of one.
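The three reliability properties above (queued guaranteed delivery, once-and-once-only delivery, and records kept in the network for non-repudiation) can be seen together in a small relay. This is an added example, not code from the book: `Relay`, `sign`, the shared-key HMAC scheme, and the hash-chained log format are all hypothetical choices, and it assumes the receiver returns True only after it has actually processed a message.

```python
import hashlib, hmac, json

def sign(key, msg_id, body):
    # Sender authentication tag over message id and body (shared-key HMAC).
    return hmac.new(key, msg_id.encode() + b"\x00" + body, hashlib.sha256).digest()

class Relay:
    def __init__(self, sender_keys, receiver):
        self.sender_keys = sender_keys  # sender -> key (constructed sample values)
        self.receiver = receiver        # callable(body) -> True once it has accepted
        self.seen = set()               # (sender, msg_id) already taken in
        self.pending = []               # queued until the receiver accepts
        self.log = []                   # hash-chained records kept in the network

    def _record(self, event, sender, msg_id, body):
        entry = {"event": event, "sender": sender, "msg_id": msg_id,
                 "body_sha256": hashlib.sha256(body).hexdigest(),
                 "prev": self.log[-1]["digest"] if self.log else "0" * 64}
        entry["digest"] = self._digest(entry)
        self.log.append(entry)

    @staticmethod
    def _digest(entry):
        core = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(core, sort_keys=True).encode()).hexdigest()

    def submit(self, sender, msg_id, body, tag):
        key = self.sender_keys.get(sender)
        if key is None or not hmac.compare_digest(sign(key, msg_id, body), tag):
            return "rejected"           # unauthenticated: never recorded or queued
        if (sender, msg_id) in self.seen:
            return "duplicate"          # a resend is acknowledged, not re-delivered
        self.seen.add((sender, msg_id))
        self._record("accepted", sender, msg_id, body)
        self.pending.append((sender, msg_id, body))
        self.flush()
        return "accepted"

    def flush(self):
        # Retry everything queued; keep what the receiver still cannot take.
        waiting = []
        for sender, msg_id, body in self.pending:
            if self.receiver(body):
                self._record("delivered", sender, msg_id, body)
            else:
                waiting.append((sender, msg_id, body))
        self.pending = waiting

    def verify_log(self):
        # Any edited or removed record breaks the chain of digests.
        prev = "0" * 64
        for entry in self.log:
            if entry["prev"] != prev or entry["digest"] != self._digest(entry):
                return False
            prev = entry["digest"]
        return True
```

A shared-key HMAC only authenticates the sender to the network, so the evidence here is the network's own record, as the text describes. Evidence that a third party can check without trusting the network requires the sender's digital signature instead.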

6.2.6 Manageability

Once Web services are deployed throughout an enterprise, managing access to them, tracking their usage, logging the services performed, and potentially billing the users for the service all become problems that need a solution. Web services networks provide a network solution that manages all the Web services and the connections between Web services and requesters of those services. This is a very important function that can have a huge impact on the ROI of Web services deployment.

If these deployments can be managed at low cost and low risk, then the ROI will be as intended. Cost overruns will inevitably hit projects that do not plan for these management tasks while deploying their Web services. Web services networks provide low-cost, seamless, low-risk solutions to this management problem.

First of all, it is important to make sure that everything is logged. This means that every event happening at the user end, the service provider end, and in between while invoking a Web service has to be logged and easily visible to the managers of the Web service. Web services networks need to provide the logging facilities and the reporting facilities over the logs; otherwise, it is almost impossible to find out if something went wrong.

To make sure that all anomalies are found, it is necessary to introduce monitoring services. Web services need continuous visibility into the performance metrics of Web services requests/replies, endpoint states, and message delays. Web services networks should provide this functionality, again without altering the standards-based Web services interactions in any way. In this way, it is easy to identify problems and make sure that they can be followed up.

In case something goes wrong, it is very important to be able to track down the problem. Real-time knowledge of the state of a user request and the reply from a Web service is required. The importance of tracking increases when messages are queued asynchronously for delivery. Web services networks should provide tracking functionality that is easy to use and does not interfere with the normal functioning of a Web service.

From a security point of view, it is very important to implement access management on the Web services network level. While deploying Web services, categories of users are allowed various access levels to different Web services. This setup and the management of the access given need to be implemented by a Web services network. A new user being allowed to enter orders would need to be allowed to access the Web service; this should happen transparently through the actions of the Web services network without affecting the functioning of the Web services in any way.



Radical Simplicity: Transforming Computers Into Me-centric Appliances (Hewlett-Packard Press Strategic Books)
ISBN: 0131002910
EAN: 2147483647
Year: 2002
Pages: 88
