
Introduction to TIBCO ActiveMatrix Governance

DeeDee Kato
Senior Product Manager, TIBCO

Chris Martha
Senior Product Manager, TIBCO

Agenda

- Governance Overview
- Operational Governance
  - Integrated Services View
  - Policy Manager
  - Service Performance Manager
- Q&A

Simply Put

[Diagram labels: SOA application; .NET/J2EE application; Provision; Customer Order; FF; Manufacture]

Your IT Infrastructure
- Is varied: third-party apps, trading commerce, legacy apps, web commerce infrastructure, ...
- Grows organically over time
- Is heterogeneous: Java, .NET, Perl/Ruby, ...
- Has complex dependencies
- Is ever changing

Challenges in IT

Enterprise Architect
- How do I promote reuse through service visibility and trust?
- Are there rules to change / validate / approve services?
- How can I make sure the services comply to design time policies such as WS-I basic profile?

IT Developer
- Where does all of the reference information reside?
- How is this information searched and accessed?
- How is access to the information controlled?
- How can I be notified of any changes?

How do I implement heterogeneous Enterprise Level Governance?

Challenges in SOA
Operations & Administration
- Which services are available?
- Are all required services up and running?
- Are the right consumers accessing the right services?
- Are my services secured from unauthorized access?
- If a service is changed, who and which other services will be affected?
- How can things be fixed when something goes wrong?
- Is the required Quality of Service (QoS) provided?

Overall Business
- No SLA Violations
- Ensure security and auditing requirements are met
- Regulatory compliance requirements (e.g. HIPAA, SOX)
- Ensure time to market
- Cut costs

What is SOA Governance?

SOA Governance is about Accountability (clear roles and responsibilities), Visibility (of assets and their access control), and Auditability (who did what) through the entire lifecycle.

1. Decide what services to expose
2. Register the services
3. Monitor environment
4. Secure services
5. Manage Service Level Agreements for operational assurance
6. Virtualize the services for location transparency and high availability
7. Integrate/Mediate Services

Ensuring and validating that assets and artifacts within the architecture are acting as expected and maintaining a certain level of quality. Gartner, Magic Quadrant for SOA Governance, 2007

TIBCO's Governance Layer

[Diagram labels: Service Consumers; Web 2.0 Composite and AJAX Rich Internet Applications; Core Business Process; Administrators; Developers/Producers; Deploy; Policy; TIBCO, C/C++, COBOL, Java EE, .NET and ??? Ecosystems; Integration; Warehouse; Accounting; Sales; Supplier; Distributor]

TIBCO's Governance Layer

[Diagram labels: ActiveMatrix Admin Console; Service Consumers; Core Business Process; SOA Governance (Service Registry, Integrated Services View, Policy Management, Service Performance Mgmt); Administrators; Developers/Producers; Deploy; SLA Commitments; Service Virtualization; Security Policy; Governance Rules; Composite Mappings; Operational Dashboard; Orchestrations; TIBCO, C/C++, COBOL, Java EE, .NET and ??? Ecosystems; Integration; Warehouse; Accounting; Sales; Supplier; Distributor]

ActiveMatrix Administration Console


- Ability to deploy heterogeneous technologies in same node
- Integrated, unified deployment of .NET, Java, BusinessWorks, Mediations, Adapters, etc.
- Embedded service monitoring and tracking
  - OOTB statistics include counts, average, min, max, etc.
- Common logging environment
- Hot deployment of additional instances to dynamically adjust to spikes or outages in environment
- Configure and apply policies
- Automatic corrective actions with predictive service management

Service Insight and Visibility

- Hot deployment of additional instances: add more nodes and redeploy with zero downtime
- Hot deployment of Policies through Policy Manager Console
- ActiveMatrix Administrator integration: leverages ActiveMatrix facilities such as the Common Logging Framework

Agenda

- Governance Overview
- Operational Governance
  - Integrated Services View
  - Policy Manager
  - Service Performance Management
- Q&A

Service Design without a Governance Layer


- Service 1: returns all data (process returns all data)
- Service 2: returns non-sensitive subset of data (process returns subset of data)

When the developer implements security:
- Developers MUST understand security standards and how to implement them across all technologies and packages: .NET, J2EE
- Policy definitions are not globally defined, applied, and managed
- Policies are atomically applied to services by the developer
- Policy changes typically require the developer to modify all the affected projects
- Changes require re-deployment of the application code

Policy Management & Service Implementation: Introducing a Governance Layer

[Diagram: Service Lifecycle & Policy Lifecycle. Stage labels: Service Design, Service Implementation, Service Stage, Policy Definition, Policy Configuration, Deploy, Manage. Role labels: Security Officer, Line Manager, Business Analyst, Developer, Admin, Ops, Auditor. Caption: Policy and Service Implementation done by Developer.]

Policy Management & Service Implementation with a Governance Layer

Advantages of declarative, run-time defined policies over hardcoding policies into functional components: Division of Effort, Leverage, Concise Specification, Comprehension, Flexibility

[Diagram: Service Lifecycle and Policy Lifecycle. Stage labels: Service Design, Service Implementation, Service Stage, Policy Definition, Policy Configuration, Deploy, Manage, Enforce (Security, Auditing, Routing). Role labels: Business Analyst, Developer, Auditor, Admin, Line Manager, Ops, Security Officer.]

Policy Manager Components


[Diagram labels: Policy Manager Console (Create Policy, Apply Policy); Agents for Order Service, Warehouse Service, Shipping Service and Credit Service, each with user specified settings and policy assertions]

Policy Management 1-2-3


Step 1: Integrating with Infrastructure Components
- LDAP
- UDDI

Step 2: Registering a Service
- Manually
- Automatically
  - UDDI Sync
  - Registration Utilities

Step 3: Applying & Defining Policies
- Logging
- Authentication
- Credential Mapping
- Censor Response

Types of Policies
- Authentication: Add a digital signature to outbound messages. Validate the digital signature on inbound messages.
- Authorization: Check that the requestor has valid credentials and appropriate access permissions.
- Encryption / Decryption: Encrypt messages as they exit an endpoint. Decrypt messages as they enter an endpoint.
- Credential Mapping: Automatically attach appropriate credentials to request messages before they arrive at services.
- Censor Mapping: Modify response messages to censor sensitive information based on the role of the requestor.
- Log Faults: When a request results in a fault message, log the details for later analysis by an administrator.

Policy Enforcement Options


1. BW Consumer, Client-side proxy, Provider-side proxy, BW Provider
2. BW Consumer, Client-side proxy, Embedded Mgmt Agent, AMX
3. BW Consumer, Client-side proxy, Embedded Mgmt Agent for WAS, J2EE Provider

- Proxy Agent Approach
- Embedded Agent Approach deployed natively in ActiveMatrix (comes free with ActiveMatrix Service Grid, ActiveMatrix BusinessWorks, ActiveMatrix Service Bus)
- NEW! Embedded Agent for JAX-RPC and JAX-WS services hosted in J2EE
- Solves last-mile security issues extending out to heterogeneous environments!

Agenda

- Governance Overview
- Operational Governance
  - Integrated Services View
  - Policy Manager
  - Service Performance Management
- Q&A

Service Performance Management Workflow

- Discover Services: Individual & Grouped
- Measure Observables: Throughput & Latency; Availability; Client Usage; Faults; Custom Metrics in the Business Payload
- Analyze & Predict Behavior
- Apply Rules
- Monitor & Initiate Changes
- Take Action! Based on Rules (Application built on BusinessEvents)

Incident Management, Workflow, Billing, Alert, Assure & Mitigate

Example Use Cases


- Warn me in advance (predictive) if my performance levels are trending to failure.
- Provision new resources to maintain service performance guarantees to my Gold customers (autonomic computing).
- Borrow resources from standard users and give them to premium users during a volume spike, then release them back to the shared pool as things calm down (Undo).
- Tell me: why did my order processing service slow down?
- Do I have enough computing capacity to handle a sales promotion on December 1st?

SLA Dashboard with Alerts & Triggers

Detailed Rule Summary Report

Building a Rule, Step 3: Create Conditions

Building a Rule, Step 4: Set Custom Actions

What is Service Performance Management (SPM)?

- SPM is an enterprise software platform that monitors and proactively manages the health and performance of both IT and Business services based on Service Level Agreements (SLAs).
- SPM predicts and solves customer issues before customers become aware of them.
- It enables your organization to meet Quality of Service objectives.
- SPM provides Autonomic Computing (Self-Healing) for your SOA environment.
- SPM: Managing your SLAs for your SOA.

In Summary

- Governance spans across heterogeneous environments and should not be integrated into any one vendor integration stack.
- Governance starts with defining the Business issues and the Organizational and Roles participating to address these issues.
- Lifecycle Governance is about reuse, dependency and impact analysis, and governance processes to provide consistency.
- Operational Governance is critical to ensure service level agreements are met through security policies and enforcement, audit and logging requirements, performance, and high availability of the environment.
- You Should be Implementing Governance Now!

Questions

SOA Resource Center: http://soa.tibco.com
- Whitepapers
- Whiteboards
- Webinars
- Podcasts
- Case studies
- Articles
- Reports

Thank You!
Introduction to TIBCO ActiveMatrix Governance
April 29, 2008 soa@TIBCO.com

Policy Manager Platform Support


Platforms
- Microsoft Windows (x86)
  - Windows XP Professional
  - Windows 2003 Server
- HP-UX 11.31 (IA-64)
- Linux 2.6 kernel (x86, 32-bit) with glibc 2.3
- Solaris 10 (SPARC 32-bit and 64-bit)
- Solaris 9 (SPARC)

Database
- Oracle 9i Release 2 (9.2)
- Oracle 10g Release 1 (10.1)
- Oracle 10g Release 2 (10.2)
- Microsoft SQL Server 2005

Identity Management Systems
- Microsoft Active Directory Server
- Open LDAP
- LDAP SSL support
- Sun Java System Directory
- CA Siteminder

WS-Standards
- WS-Security 1.0
  - SAML 1.0 with 1.1 Assertions
  - Username Token Profile 1.0
  - X.509 Token Profile 1.0
  - No Kerberos support
- SOAP 1.1 and SOAP 1.2 with Attachments
- XML-Digital Signature
- XML-Encryption
- HTTP, HTTPS
- JMS - 2 way
- UDDI 3.0 - Universal Description, Discovery, and Integration
- WSDL 1.1
- XSLT, XPATH

What types of security policies can be implemented?


Authentication
- Identity and Trust Management Systems (LDAP, CA Siteminder)
- SAML authentication
- To authenticate each request using X.509 signatures and certificates

Credential Mapping
- Basic
- By Role
- SAML

Logging
- Full message, including SOAP requests, responses and faults
- Faults only
- Messages that Satisfy XPath Query
- All Operations
- Selected Operations

Authorization
- Authenticated users
- Classification by role
- Operations by role

Crypto
- Forwarding by classification
- Forwarding by operation
- Receiving by classification
- Receiving by operation
- Encrypt Request Element

Routing
- Failover Only
- Load Balancing with Failover
- Smart Routing
- Versioning

Censor Response by Role

Policies NOT supported in Embedded Agent (AMX or WAS)

1. Crypto Forwarding by Operation/Classification (Client side agent enforces this policy)
2. Routing
3. Credential Mapping
4. Encrypt Request Element
5. SAML based Authentication is only supported at the external endpoint of the service (SOAP endpoint)

Differentiators

- TIBCO provides BOTH Lifecycle Governance and Operational Governance
- All integrated into one User Interface for end-to-end visibility
- Policy Manager is fully certified with both BusinessWorks and ActiveMatrix
- Superior SOAP/JMS/EMS performance
- One-stop shop for Governance and Integration offering for both Sales and Support

End Backup Slides

