Introduction to TIBCO ActiveMatrix Governance

DeeDee Kato, Senior Product Manager, TIBCO
Chris Martha, Senior Product Manager, TIBCO

Upload: satish-raju

Post on 22-Oct-2015


Agenda

• Governance Overview
• Operational Governance
• Integrated Services View
• Policy Manager
• Service Performance Manager
• Q&A

Simply Put

[Diagram labels: Provision, Customer, Order, Manufacture; .NET/J2EE application; SOA application]

Your IT Infrastructure

• Is varied - third party apps, trading commerce, legacy apps, web commerce infrastructure...
• Grows organically over time
• Is heterogeneous - Java, .net, Perl/Ruby, …
• Has complex dependencies
• Is ever changing

Challenges in IT

Enterprise Architect

• How do I promote reuse through visibility and trust?
• Are there rules to change / validate / approve services?
• How can I make sure the services comply with design-time policies such as the WS-I Basic Profile?
• How do I implement heterogeneous Enterprise Level Governance?

IT Developer

• Where does all of the service reference information reside?
• How is this information searched and accessed?
• How is access to the information controlled?
• How can I be notified of any changes?

Challenges in SOA

Operations & Administration

• Which services are available?
• Are all required services up and running?
• Are the right consumers accessing the right services?
• Are my services secured from unauthorized access?
• If a service is changed, who and which other services will be affected?
• How can things be fixed when something goes wrong?
• Is the required Quality of Service (QoS) provided?

Overall Business

• No SLA Violations
• Ensure security and auditing requirements are met
• Regulatory compliance requirements (e.g. HIPAA, SOX)
• Ensure time to market
• Cut costs

What is SOA Governance?

SOA Governance is about Accountability (clear roles and responsibilities), Visibility (of assets and their access control), and Auditability (who did what) through the entire lifecycle.

1. Decide what services to expose
2. Register the services
3. Monitor environment
4. Secure services
5. Manage Service Level Agreements for operational assurance
6. Virtualize the services for location transparency and high availability
7. Integrate/Mediate Services

“Ensuring and validating that assets and artifacts within the architecture are acting as expected and maintaining a certain level of quality.” Gartner, Magic Quadrant for SOA Governance, 2007

TIBCO’s Governance Layer

[Diagram labels: Developers/Producers; Administrators; Deploy; Policy; services: Integration, Warehouse, Accounting, Sales, Supplier, Distributor; ecosystems: TIBCO, C/C++, COBOL, Java EE, .NET, ???; Service Consumers: Core Business Process, Web 2.0, Composite and AJAX Rich Internet Applications]

TIBCO’s Governance Layer

[Diagram labels: Developers/Producers; Administrators; ActiveMatrix Admin Console; Deploy; services: Integration, Warehouse, Accounting, Sales, Supplier, Distributor; ecosystems: TIBCO, C/C++, COBOL, Java EE, .NET, ???; Service Consumers: Core Business Process; Service Virtualization; SOA Governance (Service Registry, Integrated Services View, Policy Management, Service Performance Mgmt); Composite Mappings; Operational Dashboard; Security Policy; Governance Rules; SLA Commitments; Orchestrations]

ActiveMatrix Administration Console

• Ability to deploy heterogeneous technologies in same node
• Integrated, unified deployment of
  • .NET
  • Java
  • BusinessWorks
  • Mediations
  • Adapters, etc.
• Embedded service monitoring and tracking
  • OOTB statistics include counts, average, min, max, etc.
• Common logging environment
• Hot deployment of additional instances to dynamically adjust to spikes or outages in environment
• Configure and apply policies
• Automatic corrective actions with predictive service management

Service Insight and Visibility

Hot deployment of additional instances

• Add more nodes and Redeploy with zero downtime

Hot deployment of Policies through Policy Manager Console

• ActiveMatrix Administrator integration
• Leverages ActiveMatrix facilities such as the Common Logging Framework

Agenda

• Governance Overview
• Operational Governance
• Integrated Services View
• Policy Manager
• Service Performance Management
• Q&A

Service Design without a Governance Layer

[Diagram labels: Service 1 returns all data; Service 2 returns non-sensitive data; Process returns all data; Process returns subset of data; All data; Subset of data]

When the developer implements security…

• Developers MUST understand security standards and how to implement them across all technologies and packages:
  • .NET, J2EE…
• Policy definitions are not globally defined, applied, and managed
• Policies are atomically applied to services by the developer
• Policy changes typically require the developer to modify all the affected projects
• Changes require re-deployment of the application code

Policy Management & Service Implementation

Introducing a Governance Layer

[Diagram: Service & Policy Lifecycle. Labels: Policy and Service Implementation done by Developer; Service Lifecycle: Design Service, Implement Service, Stage, Deploy, Manage; Policy Definition; Policy Configuration; Security, Auditing, Routing; roles: Business Analyst, Developer, Admin, Ops, Auditor, Security Officer, Line Manager]

Policy Management & Service Implementation with a Governance Layer

[Diagram labels: Service Lifecycle: Design Service, Implement Service, Stage, Deploy, Manage; Policy Lifecycle: Policy Definition, Policy Configuration, Deploy, Enforce; roles: Business Analyst, Developer, Auditor]

• Advantages of declarative, run-time defined policies over hard-coding policies into functional components:
  • Division of Effort, Leverage, Concise Specification, Comprehension, Flexibility

Policy Manager Components

[Diagram labels: Policy Manager Console; Create Policy; Apply Policy; User specified settings and Policy assertions (x4); Agent (x4); OrderService, WarehouseService, ShippingService, CreditService]

Policy Management 1-2-3

• Step 1: Integrating with Infrastructure Components
  • LDAP
  • UDDI
• Step 2: Registering a Service
  • Manually
  • Automatically
    - UDDI Sync
    - Registration Utilities
• Step 3: Applying & Defining Policies
  • Logging
  • Authentication
  • Credential Mapping
  • Censor Response

Types of Policies

• Authentication
  • Add a digital signature to outbound messages.
  • Validate the digital signature on inbound messages.
• Authorization
  • Check that the requestor has valid credentials and appropriate access permissions
• Encryption / Decryption
  • Encrypt messages as they exit an endpoint
  • Decrypt messages as they enter an endpoint.
• Credential Mapping
  • Automatically attach appropriate credentials to request messages before they arrive at services.
• Censor Mapping
  • To modify response messages to censor sensitive information based on the role of the requestor.
• Log Faults
  • When a request results in a fault message, log the details for later analysis by an administrator.
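
The deck's argument for declarative, run-time policies can be seen in a small agent that enforces authorization, censor-by-role and fault logging in front of a service that itself returns all data. This is an added illustration, not TIBCO Policy Manager code or its policy format; the service, roles, field names and `PolicyAgent` class are hypothetical.

```python
import logging

log = logging.getLogger("policy-agent")

# Constructed policy set, held as data apart from the service code.
POLICIES = {
    "CreditService": {
        "authorize": {"teller", "auditor"},            # roles allowed to call
        "censor": {"teller": {"ssn", "card_number"}},  # fields hidden per role
        "log_faults": True,
    },
}

def credit_service(request):
    """Stand-in service: returns all data and knows nothing about policy."""
    if request.get("customer_id") != 42:
        raise LookupError("unknown customer")
    return {"name": "A. Example", "ssn": "000-00-0000",
            "card_number": "0000111122223333", "limit": 5000}

class PolicyAgent:
    """Sits in front of a service and enforces whatever the policy data says."""
    def __init__(self, name, service, policies):
        self.name, self.service, self.policies = name, service, policies
        self.faults = []  # records kept for later analysis by an administrator

    def call(self, role, request):
        policy = self.policies.get(self.name)
        # Fail closed: no registered policy, or an unlisted role, means no access.
        if policy is None or role not in policy["authorize"]:
            raise PermissionError(f"{role!r} may not call {self.name}")
        try:
            response = self.service(request)
        except Exception as exc:
            if policy.get("log_faults"):
                self.faults.append((self.name, role, repr(exc)))
                log.warning("fault in %s for role %s: %r", self.name, role, exc)
            raise
        # Censor the response according to the requestor's role.
        hidden = policy.get("censor", {}).get(role, set())
        return {k: v for k, v in response.items() if k not in hidden}

agent = PolicyAgent("CreditService", credit_service, POLICIES)
```

Editing `POLICIES` changes what each role sees on the next call, with no change to or redeployment of `credit_service`.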

Policy Enforcement Options

• Proxy Agent Approach
• Embedded Agent Approach deployed natively in ActiveMatrix (comes free with ActiveMatrix Service Grid, ActiveMatrix BusinessWorks, ActiveMatrix Service Bus)
• NEW! Embedded Agent for JAX-RPC and JAX-WS services hosted in J2EE - Solves last-mile security issues extending out to heterogeneous environments!

[Diagram: three numbered options (1., 2., 3.). Labels: BW Consumer (x3); Client-side proxy; Provider-side proxy; BW Provider; Embedded Mgmt Agent, AMX; Embedded Mgmt Agent for WAS, J2EE Provider]

Agenda

• Governance Overview
• Operational Governance
• Integrated Services View
• Policy Manager
• Service Performance Management
• Q&A

Service Performance Management Workflow

[Diagram labels: Discover Services (Individual & Grouped); Measure Observables (Throughput & Latency, Availability, Client Usage, Faults, Custom Metrics in the Business Payload); Analyze & Predict Behavior; Apply Rules; Assure & Mitigate (Alert, Incident Management, Workflow, Billing); Based on Rules (Application built on BusinessEvents); Monitor & Initiate Changes; Take Action!]

Example Use Cases

• Warn me in advance (predictive) if my performance levels are trending to failure.
• Provision new resources to maintain service performance guarantees to my Gold customers (autonomic computing).
• Borrow resources from standard users and give them to premium users during a volume spike
  • Then release them back to the shared pool as things calm down (“Undo”)
• Tell me why my order processing service slowed down.
• Do I have enough computing capacity to handle a sales promotion on December 1st?

SLA Dashboard with Alerts & Triggers

Detailed Rule Summary Report

Building a Rule – Step 3 – Create Conditions

Building a Rule – Step 4 – Set Custom Actions

What is Service Performance Management (SPM)?

• SPM is an enterprise software platform that monitors and proactively manages the health and performance of both IT and Business services based on Service Level Agreements (SLAs)
• SPM predicts and solves customer issues before customers become aware of them. It enables your organization to meet Quality of Service objectives
• SPM provides Autonomic Computing (Self-Healing) for your SOA environment
• SPM - Managing your SLAs for your SOA.

In Summary

• Governance spans across heterogeneous environments and should not be integrated into any one vendor integration stack
• Governance starts with defining the Business issues and the Organization and Roles participating to address these issues
• Lifecycle Governance is about reuse, dependency and impact analysis, and governance processes to provide consistency
• Operational Governance is critical to ensure service level agreements are met through security policies and enforcement, audit and logging requirements, performance, and high availability of the environment
• You Should be Implementing Governance Now!

Questions…

SOA Resource Center

• http://soa.tibco.com
• Whitepapers
• Whiteboards
• Webinars
• Podcasts
• Case studies
• Articles
• Reports

Thank You!

Introduction to TIBCO ActiveMatrix Governance

April 29, 2008


Policy Manager Platform Support

Platforms

• Microsoft Windows (x86)
  - Windows XP Professional
  - Windows 2003 Server
• HP-UX 11.31 (IA-64)
• Linux 2.6 kernel (x86, 32-bit) with glibc 2.3
• Solaris 10 (SPARC 32-bit and 64-bit)
• Solaris 9 (SPARC)

Database

• Oracle 9i Release 2 (9.2)
• Oracle 10g Release 1 (10.1)
• Oracle 10g Release 2 (10.2)
• Microsoft SQL Server 2005

Identity Management Systems

• Microsoft Active Directory Server
• Open LDAP
• LDAP SSL support
• Sun Java System Directory
• CA Siteminder

WS-Standards

• WS-Security 1.0
  • SAML 1.0 with 1.1 Assertions
  • Username Token Profile 1.0
  • X.509 Token Profile 1.0
  • No Kerberos support
• SOAP 1.1 and SOAP 1.2 with Attachments
• XML-Digital Signature
• XML-Encryption
• HTTP, HTTPS
• JMS - 2 way
• UDDI 3.0 - Universal Description, Discovery, and Integration
• WSDL 1.1
• XSLT, XPATH

What types of security policies can be implemented?

• Authentication
  • Identity and Trust Management Systems (LDAP, CA Siteminder)
  • SAML authentication
  • To authenticate each request using X.509 signatures and certificates
• Authorization
  • Authenticated users
  • Classification by role
  • Operations by role
• Crypto
  • Forwarding by classification
  • Forwarding by operation
  • Receiving by classification
  • Receiving by operation
  • Encrypt Request Element
• Censor Response by Role
• Credential Mapping
  • Basic
  • By Role
  • SAML
• Logging
  • Full message, including SOAP requests, responses and faults
  • Faults only
  • Messages that Satisfy XPath Query
  • All Operations
  • Selected Operations
• Routing
  • Failover Only
  • Load Balancing with Failover
  • Smart Routing
  • Versioning

Policies NOT supported in Embedded Agent (AMX or WAS)

1. Crypto Forwarding by Operation/Classification (Client side agent enforces this policy)

2. Routing

3. Credential Mapping

4. Encrypt Request Element

5. SAML based Authentication is only supported at the external endpoint of the service (SOAP endpoint)

Differentiators

• TIBCO provides BOTH Lifecycle Governance and Operational Governance
• All integrated into one User Interface for end-to-end visibility
• Policy Manager is fully certified with both BusinessWorks and ActiveMatrix
• Superior SOAP/JMS/EMS performance
• One-stop shop for Governance and Integration offering for both Sales and Support

End Backup Slides
