27.02.2008

Security and SOA

In an service oriented architecture the deployments of webservices and bpels have become more and more complex. This creates additional challenges for securing applications or message exchange.
You can use an old, mature standard to address these challenges:
transport-level security. With SSL it is very easy to secure the data . But this solution gets a little bit difficult, if you want to implement message routers, which should look into the payload. You have to distribute certificates to all routers. This is not feasible for large installations involving many department or many contractors...

Is this all? No! There are some new options like the WS-* specifications...
Now you will say: "Ok, these WS-* things are very helpful. I like the WS-makeitfast and WS-generateitwithoutwork..."
You can find a diagram which shows all this WS-* specifications here (from www.innoq.com)
Yes there are many WS-* specifications and here the attempt to explain WS-Security. To achieve this goal we have to start with two other specifications:

1.) XML Encryption can encrypt the whole element (example from www.w3.org):
  <?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<CreditCard Limit='5,000' Currency='USD'>
<Number>4019 2445 0277 5567</Number>
<Issuer>Example Bank</Issuer>
<Expiration>04/02</Expiration>
</CreditCard>
</PaymentInfo>

or just the content:
  <?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>


2.) XML Signature can add a signing entity (example from www.w3.org):
<Signature Id="MyFirstSignature"  
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference
URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/
REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
<P>...</P><Q>...</Q><G>...</G><Y>...</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>


WS-Security is using XML Encryption to provide confidentiality and XML Signature to provide data integrity. The SOAP headers of WS-Security can be enhanced for authentication purposes with X.509 certificates, kerberos tickets, SAML or some others....

Oracle support WS-Security and there was a very nice article at Oracle magazine where Mike Lehmann explained how to use WS-Security with JDeveloper.

So with Oracle AS 10g and JDeveloper you can easily secure your SOA and the webservices with SSL or WS-Security....

24.02.2008

UMPC: Elonex ONE


There is another new competitor for Asus' EEE. A british company named Elonex announced a umpc for less than 130 Euro (without tax). Here the link to the homepage of the Elonex ONE.
The laptop should contain
integrated WiFi, flash-based memory (undisclosed amount), "tough" outer shell, a wireless music server, and a three-hour battery life.

(cited from http://www.mobilemag.com) and it should run on Linux. Further details will be provided on the Education Show 2008 at 28th february:

So here a short summary of all the UMPCs described further on this blog:

Noahpad (touchpad, no keyboard)
Belinea s.book 1 (touchscreen)
FIC CE260 (integrated bluetooth phone)
Asus EEE ....

20.02.2008

10 years XML

On w3.org they celebrate 10 years XML and they have created a batch for everyone, who want to celebrate with them:

w3.org provides a page, where they try to explain XML in ten points.
Nice icons illustrate the points like this one adding structure into data by using XML
...XML is a set of rules for designing text formats that let you structure your data. XML is not a programming language, and you don't have to be a programmer to use it or learn it. XML makes it easy for a computer to generate data, read data, and ensure that the data structure is unambiguous. XML avoids common pitfalls in language design: it is extensible, platform-independent, and it supports internationalization and localization...

It is a really nice introduction for all, who are not so familiar with programming. I think, they should add an eleventh point:
XML is today the key point for data exchange in the world of service orientation and it is the base for WSDL, BPEL and other languages, which will influence the evolution of IT for the next ten years.

Oracle has integrated native XML handling into their Application Server 10g. There is an XML developement kit with the following key features available:
XML 1.0 (Second Edition)
DOM Level 2.0 Specification
DOM Level 3.0 Specification
SAX 2.0 & SAX Extensions
XSLT/XPath 1.0 Specifications
XSLT/XPath 2.0 Specifications
XML Schema Specifications

If you download the XDK, there are many demos included. I liked the XSLSample.java which you can invoke with two command line arguments. First one is the XSLT, the second one is the XML. With this example you can easily verify XSLTs and on the other hand you can learn how to write Java code to do it...
The SOA Suite uses this XDK for all XML processing. For all details take a look at this page. Examples are provided here.
I think everyone should be familiar with details of SAX/DOM (or XSLT or XPATH or...) and should know how it could be coded in Java or C.
Ten years after the specifiation of XML it is very well supported on all platforms and programming languages. Many generators are provided to help the programmers for their daily work with XML.
Let's see where we going in the next ten years....

18.02.2008

Review at amazon: Soa Approach to Integration

Last week i read the book "Soa Approach to Integration" (www.packtpub.com).


This book is really excellent. It covers in nearly 360 pages all things you should know about SOA and it will provide you with examples, guidelines and historical backgrounds.
If you are not familiar with XML, XSD, WSDL and BPEL you will get a tight introduction with many best practices. The authors came up with a very good balance of going in to details and coverage of different technical infrastructures like Java or .NET.
If you are interested (and if you understand german), read my review at amazon.de.
If you are not able to read german, you can read the reviews on www.amazon.com.
In my opinion, everyone who is talking about SOA should know the content of this book!

PS: The BPEL-chapter is based on Oracle BPEL PM and one of the reviewers of this book was Clemens Utschig, the SOA guru from Oracle!

15.02.2008

Oracle Lifetimes

On the web it is very difficult to find the lifetimes or end of life dates for Oracle products. So here the attempt make this easier:
The lifetimes for all Oracle product can be found in this PDF including Siebel, Peoplesoft, etc.
Here a screenshot of this PDF for the most important software pieces:


If you do not know what is meant with premier support, extended support or sustaining support, take a look here.

09.02.2008

Oracle Support...

A few days ago i spent an evening to become an Oracle Technology Support Champion. Why does Oracle offer such certificates? I think there are many people, who have no glue where to start for getting support and informations about the lifecycle of Oracle products.

For this certificate i had to answer many questions about end of life, premier support, extended support, etc...
Here a short summary:

A very important thing is a metalink account (metalink.oracle.com). It is not for free, you have to purchase support for your Oracle databases, application servers, ...

Oracle provides five years support for their main product from their general availability date (Database, Fusion Middleware, Oracle Applications). This is calles Premier support.
You can extend this support for another three years. (Extended Support)
After that you can buy Sustaining Support (For the details look at the tabular below)

For the details of the Premier Support follow this link.
Oracle says about its support:
more than 14,000 application and technology developers and 7,500 support professionals worldwide
24x7 real-time support with MetaLink—over 1.3 million registered users
Global Support Center Hubs offer proactive support anytime, anywhere, from 18 major hubs on 5 continents
Extensive global reach with support in any of 27 languages
Faster problem resolution with our integrated case-resolution and escalation processes
Knowledgebase of over 400,000 solutions on over 650 products

05.02.2008

InfoWorld 2008 Technology of the Year Award: Oracle SOA Suite

Sometimes people award prices just on marketing flyers and never take a deeper look into the software...
InfoWorld has given one of their Technology of the Year Award to the Oracle SOA Suite. Yes the SOA Suite is a very good piece of software especially the Oracle BPEL PM is the best BPEL engine on the market. But in their article about the SOA Suite they are talking most of the time about the Oracle ESB and the Rule Engine.
Ok, i am on Oracle Certified Professional and i am glad when Oracle wins some prices. In my opinion the ESB is a well done piece of software but it was released two years ago. Noone believes that such a newbie is better than Websphere MQ or Tibco?
Here the link to InfoWorld.

If they want to award a price to Oracle SOA Suite, they should give it because of the Oracle BPEL PM which is really the best BPEL engine around and this is the major building block of the Oracle SOA Suite....