vordelfeeds

Live from 36000 Feet - How to deploy the Vordel Gateway in Multiple Environments

Josh Bregman — Wed, 24 Aug 2011 06:56:00 +0000

First of all, a quick acknowledgement of my lack of blogging. Life at Vordel has been really fast paced, and I've been traveling the country working on a lot of interesting use cases with some really great customers. I'm flying from San Diego to San Francisco, and this flight has WiFi, so I guess I'm out of excuses.

A quick note on feature that was added in 6.0.3 - envSettings.properties. This is the ability to externalize attribute values in the gateway's per environment. The file can be found in the $VINSTDIR\conf directory. The text below, from the file explains how to use it.

# This file is read when the server starts up. If a server configuratio

n contains a value in the format

# ${env.X}, where X is any string (for example, MyCustomSetting), this file MUST contain an equivalent

# name-value pair of env.MyCustomSetting=MyCustomValue.

# When the server starts up, every occurrence of env.MyCustomSetting is expanded to the value of MyCustomValue.

# For example, if a port in the server configuration is set to ${env.LISTENER_PORT}, specifying a name-value

# pair of env.LISTENER_PORT=8080 results in the server opening up port 8080 at start up.

env.LISTENER_PORT=8080

Here we see the corresponding configuration in the Policy Studio

This is a very simple. but powerful approach for configuring the gateway to work across environments. It also aligns nicely with most enterprises existing approach for moving configurations among environments.

Looks like I forgot to charge my battery, and no AC power on the flight, so this is going to have to be a short post :)

Finalized Agenda for First Meeting of the Boston Chapter of CSA - NOTE: NEW LOCATION

Josh Bregman — Fri, 22 Apr 2011 09:14:00 +0000

I've got the agenda for the first meeting of the Boston Chapter of the Cloud Security Alliance.

When: Wednesday April 27, 2011 - 6:00 PM - 7:30 PM
Where: CA Offices in Framingham, MA

Agenda: Two presentations, each with their own unique and insightful perspectives on the topic of cloud security.

Presentation #1: Cloud Computing Risks

Speaker Bio:

Bhargav Shah is a Director within KPMG Advisory practice. He has over 12 years of experience as a trusted advisor to C-level and Senior IT leadership having led multiple engagements in Outsourcing, Cloud Computing, IT Solution Delivery/Application Development, Process Engineering, and IT Services Management. Mr. Shah regularly speaks at conferences and IT leadership forums on various topics related to Outsourcing and Cloud Computing. He also leads KPMG’s solution development initiatives related to IT implications of cloud computing.

Abstract:

As the paradigms of technology consumption change, cloud computing is at the forefront of an IT transformation providing infrastructure, platforms, and software as services to the business. While some call it a technology fad, the pervasive buzz around cloud computing is here to stay. Cloud computing provides many benefits but introduces just as many risks. Successful organizations must understand and mitigate these risks to get more out of their cloud computing initiatives.

In this session, Bhargav Shah will share his insights on the types of risk you need to be aware of while utilizing cloud computing, how they vary by cloud model you use (Public vs. Private) and what controls you can consider to mitigate some of these risks associated with cloud computing.

Presentation #2: Cloud Computing and it’s impact of Identity & Access Management (IAM) Infrastructure

Speaker Bio:

Robert Levine brings more than 25 years of technology management experience to SENA Systems that includes significant customer and vendor side enterprise software and knowledge. Robert has served as SENA’s President & CEO since 2001 and with the SENA management team has overseen its growth in the US, Europe, Asia and the India operations center as well as its merger in March of 2008 with aurionPro Solutions LTD. Robert presently holds the position of President of aurionPro Solutions Inc as well as the head of the SENA Systems business unit. Prior to joining SENA Systems, Robert worked for Venture Consulting Group, Inc. a provider of management services to early stage and restructuring companies, as a strategic business advisor to both public and private companies.

Robert previously served as the VP of Business Development for Transindigo, a startup e-infrastructure company providing mission critical solutions for securely managing transactional entitlements and authorizations that was sold to RSA. Robert also served as the co-concept originator, interim CEO and technical advisor to Transindigo prior to its launch in January 2000. Prior to Transindigo, Robert served as Managing Director, Deutsche Bank Strategic Ventures and as Managing Director in Bankers Trust's Technology and Operations Group where he was a member of the management team responsible for Global Technology Infrastructure. Robert served on the board of IQ Financial, a global software supplier of front, middle and back-office financial services technology selling to global financial firms that was later sold to Misys. He also served as the technical advisory board of mFormation a wireless network management products and services company. Robert was a founding member and Vice President of SIMC, a nonprofit organization, that focused on advancing the capabilities of middleware in the financial services industry. Robert is a strong believer of community service and currently serves in a Line Officer capacity as Sergeant of his local community EMS Rescue Squad

Abstract:

No conference, seminar or a CXO level technology roadmap meeting today is complete withouta discussion on Cloud Computing. Every organization is asking the question – how could, would and should cloud computing impact or influence their plans related to IAM.

In SENA’ talk on Cloud Computing we will discuss the following considerations:

· Two Fold impact of Cloud Computing on IAM Services

o Protecting cloud based applications with should IAM Services.

o Providing IAM Services over a Cloud infrastructure.

· IAM Infrastructure

o Considerations related to Software as a Service, Platform as a Service and Infrastructure as a Service including SENA’s plans regarding such offerings.

o Differentiating the advantages and challenges related to

§ Identity Management

§ Access Management

· A frank assessment of where the security industry is with regards to Cloud offerings.

Call for Speakers - First Meeting of the Boston CSA Chapter - April 27 6:00 @ Oracle Offices in Burlignton

Josh Bregman — Mon, 21 Mar 2011 07:03:00 +0000

I'm happy to announce that we're going to have our first meeting of the Boston Chapter of the Cloud Security Alliance on Wednesday, April 27th at 6:00 at the Oracle office in Burlington, MA.

The topic for this meeting is Cloud Security Architecture. We wanted to cover both the conceptual (NIST, CSA Reference Architecture, etc) and the practical - real world examples of what people are using/deploying in their environments. The agenda will be something like this:

6:00 - 6:15 Introductions
6:15 - 6:45 Presentation 1 - Cloud Security Architecture - Conceptual
6:45 - 7:15 Break/Networking Session
7:15 - 7:45 Presentation 2 - Cloud Security Architecture - Practical/Use Case
7:45 - 8:00 Closing

We're looking for speakers on both the abstract notion of "What is Cloud Security Architecture?" and a more practical hands on use-case driven view of the topic. If you are interested in speaking or participating in a round-table type discussion, please send me which topic you're interested in presenting, and speaker's BIO (linkedin profile). Please send this to me (josh.bregman@vordel.com) by Thursday, March 31st.

Looking forward to a great first session.

Minutes from the Boston Chapter of the CSA's first Board Meeting

Josh Bregman — Fri, 04 Mar 2011 15:41:00 +0000

After many scheduling challenges, we had our first CSA Boston Chapter Board Meeting. The "Board" consists of me (Vordel), Prateek Mishra (Oracle),Matthew Gardiner (CA), and Kevin Fox (Cisco). A really good session for planning out the year. Here's the basic thinking:

- Divide the CSA guidance into 4 units and have 1 meeting focused around each unit
- The events will be about 2 hours - 1 hour on high-level information contained in the CSA guidance and 1 hour on a lower level details of someone who is actually living/implementing the scenario
- We'll rotate the location among CA, Oracle and Cisco locations - basically 128/495

The next steps are to have Matt, since it was his idea, to group the domains into the four meeting "buckets", and for us to meet again in two weeks to start the planning of the 1st meeting - targeted for some time in April.

Once we get the meeting "themes" worked out, we'll be publishing them with some tentative dates, and we'll be issuing a pseudo "call for speakers". Ultimately we're looking to have some really interesting speakers and presentations that are worth the trip - but for that to happen we'll need everyone's help. Ping any of the board members if you have a topic to suggest (aligned with the CSA Guidance) or a speaker that you think would be good.

We're also open to any other suggestions/guidance that people may have, so don't hesitate to speak up.

How to turn an XML Gateway into a Maven Repository

Josh Bregman — Wed, 02 Mar 2011 18:36:00 +0000

I've made some real progress on the Maven integration with the Vordel XML Gateway. I've updated the incubator with the latest set of policies. These policies provide two main features:

The ability to download the Gateway libraries as dependencies directly from the gateway
The ability to deploy Maven artifacts to the gateway

Exposing the libraries of the Gateway as POMs

One of the main challenges in getting a technology like the gateway that isn't built using Maven into the Maven world is the mapping of jars to POMs. As I showed previously, you can do this, but its a manual process. You could automate it with ANT tasks, but its still tricky. I encountered this problem before when I was trying a similar exercise with Oracle Entitlements Server. For that I wrote a bunch of custom code and deployed it as a WAR to the OES Admin Server. Not bad, but with the gateway it was even simpler.

Basically I used the static content service to point to the directories on gateway, and then used a policy to handle a view of the subtleties - we only have MD5 checksums, POMs need to get generated since we don't have them, some of the mappings for the org.eclipse libraries are irregular. For the main case, retrieving the jar, I'm just manipulating the http.request.uri property and passing it to the static content service. Magically, it returns the POM, the JAR, and the MD5 checksum of the JAR. I also used a cool feature new to 6.0.3 - the ${env.xxx} capabilities. You can use this namespace from inside of a policy, and the gateway will resolve the value based on the envSettings.props file. I used this to specify the values of the location of the gateway in my environment


env.maven.gateway.path=c:\\Users\\jbregman\\Documents\\products\\xml gateway\\vordelgateway\\system\\lib
env.maven.policystudio.path=c:\\Users\\jbregman\\Documents\\products\\xml gateway\\policystudio\\plugins
env.maven.repo2.path=c:\\Users\\jbregman\\repo2

In order to take advantage of my gateway as a repository, I modified the parent POM of the sample-filter, to include:


<repositories>
    <repository>
       <id>vordelgateway</id>
        <url>http://localhost:9090/repo</url>
    </repository>
</repositories>

This means that when its looking for the dependencies, it will check the gateway, and they will be downloaded to your local repository so you can compile. Maven supports SSL and Basic Authentication, so these things could easily be added to both the Maven configuration as well as applied to the Maven policies running on the gateway.

Deploying Maven Artifacts to the Gateway

The first question is "Why would you want to do that?". One use case that I'm working on is for custom filters. Once the jar is built, it needs to be copied to the gateway's lib directory, so this is the foundation for that. I'm not there yet - need to do something with the file once its there, but I like the simplicity of using the mvn deploy task to push the artifact to the gateway for me. Ultimately my goal is to package up all of the dependent artifacts and push/deploy them to the gateway.

The policies for this one were a little more complicated because the static content service only gets me so far - it doesn't handle HTTP PUT requests- which is what Maven uses to push the files to the server. No problem - I simply used the Save to File filter - to store the file on disk. Again, I used the ${env.xxx} to define the location on disk for the repository.

In order for projects to take advantage of this capability, I again modified the parent POM:


<distributionManagement>
  <repository>
    <id>dev-integration-gateway</id>
    <name>Dev Integration Gateway</name>
    <url>http://localhost:9090/repo2</url>
  </repository>
  <snapshotRepository>
    <id>dev-integration-snapshot-gateway</id>
    <name>Dev Integration Gateway</name>
    <url>http://localhost:9090/repo2</url>
  </snapshotRepository>
</distributionManagement>

This means than when you run mvn deploy the artifact can be pushed and stored on the gateway. Presumably, in addition to just deploying the file, other actions could be taken - synchronously or asynchronously.

Implications for the SDLC

Notice that in the parent POM, there is the same server (localhost) referenced both times. I put the two separate repositories on different relative paths to simplify the implementation, but in practice these repositories are likely to be on separate instances. The idea is that a developer working on a sandbox instance can download the libraries to their local repository, develop the component and then deploy it to the dev-integration-gateway. The thinking here is that this gateway is the first managed gateway. The gateway's configuration is then pushed using the policy directory from the dev-integration gateway to QA. Getting all of this to work end-to-end using Maven is the goal of Maven Integration project on the incubator.

If you like where this is headed, get involved, join the incubator at cloudservicebroker.googlecode.com.

REST API for message level and system level metrics for the XML Gateway

Josh Bregman — Thu, 24 Feb 2011 18:32:00 +0000

In my first few weeks at Vordel, I've been spending a lot of time on the "cool" part of the product - building circuits and policies. As a developer, I really enjoy (am amazed) at how quickly you can know things out. But this is a job after all, so I also have to spend time coming up to speed on some of the less "glamorous" yet really important and valuable features of the product.

I've started to look at the various administrative interfaces in the product and see what makes them tick. One really powerful feature of the Vordel XML Gateway is its out-of-the-box real time monitoring capabilities. The application itself is a Flash app that displays all of the details of the usage of the gateway - successful messages, blocked messages, failed messages - traffic to various remote hosts.

One thing that it also has is the system utilization - memory and CPU. This is really nice because you can get both the message (application level) and system-level information from a single source. This makes the task of integrating this information into an enterprise operations system much simpler. But how do you get at the information. Simple, http://gateway:8090/metrics

Notice that I'm just accessing the URL form a browser and you can see both the system information, as well as all of the statistics for the messages.

This is the same URL that the flash application accesses to retrieve the information in the real time monitor. The URL is protected with HTTP Basic authentication (all of the admin services are out of the box) so access is restricted as well as audited. Now that you know that the REST API is available, you can integrate this information into your environment.

How to Use an XML Gateway with an Asynchronous Web Service using WS-Addressing

Josh Bregman — Tue, 22 Feb 2011 20:40:00 +0000

In general synchronous web-services are simpler and more common than asynchronous web services. I like them, because for 99% of cases, the security can be done at the transport level using 2-way SSL. Asynchronous web-services introduce additional security challenges - mainly that messages are likely to be in memory or on disk where the transport is not there to keep the contents of the message secure. The purpose of this post is not to explore the security challenges of using asynchronous web-services, but another complexity - proper handling of web-services callbacks through an intermediary.

One of the main uses of an XML gateway is to encapsulate the end-point of the actual service from the caller. This approach is aligned with SOA best practices, but from a security perspective not letting people know where your service actual lives is a really good idea. This principal can also apply in the callback use case - we may want to hide the location of callback URL from the actual service - let's for the sake of this discussion consider it need to know. The end service can just callback to the gateway, and the gateway will deliver the message back to its appropriate destination.

Now assuming that we're not passing the location of the callback - in WS-Addressing this is called the wsa:ReplyTo address - then when the gateway finally receives the response, how does it know where to send the message? To solve this problem, the gateway needs to create a cache of replyTo URLs keyed off of the messageId. Each request has a wsa:MessageId. When the server sends its reply, the original message id is reference in the wsa:RelatesTo header. This way the gateway can correlate the request with the response.

Understanding the Example

I've created an example project that demonstrates how the gateway works in the above scenario. I'm using the gateway to play the role of 3 different use case actors - client, gateway, and server.

Client - SOAPBox is sending the initial request to the service. I created an HTTP service listening on port 11000 to serve as the destination of the final wsa:ReplyTo.
Gateway - When the service gets invoked, the gateway stores the wsa:ReplyTo in a cache (keyed by the wsa:MessageId) and modifies the wsa:ReplyTo and wsa:To fields accordingly. In the callback service, the gateway retrieves the original wsa:ReplyTo from the cache (pulling the key from the wsa:RelatedTo) field, and sends the request to the original wsa:ReplyTo
Server - This is just using the gateway to simulate the back end server. When it receives the message, it simply sticks the file on disk. The gateway has a directory scanner configured. Directory Scanner is the ability for the gateway to process files sitting on the file system. When the Directory Scanner finds a file, it modifies the response (read: appends "Hello" to the message) and then sends it to the address in the wsa:ReplyTo which is the gateway.

You can see what an end-to-end flow looks like in the Real Time Monitor

The Gateway Policy Details

The example contains policies for all three roles.

I wanted to spend some time here to review in a little more detail the gateway and what it does when it processes the request, and handles the callback. When the request arrives, the original message looks something like this:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
 <wsa:MessageID>uuid:6B29FC40-CA47-1067-B31D-00DD010662DA</wsa:MessageID>
 <wsa:ReplyTo>
     <wsa:Address>http://localhost:11000/callback</wsa:Address>
 </wsa:ReplyTo>
 <wsa:To>http://localhost:12000/SoapContext/SoapGreeterPort</wsa:To>
 <wsa:Action>Greet</wsa:Action>
</soap:Header>
<soap:Body>
 <x1:greetMeOneWay xmlns:x1="http://apache.org/hello_world_soap_http/types">
     <!-- Element must appear exactly once -->
     <x1:requestType>Asynch Client using WS-Addressing</x1:requestType>
 </x1:greetMeOneWay>
</soap:Body>
</soap:Envelope>

The message gets picked up and processed by the following policy:

I'm using policy shortcuts to encapsulate all of the details, but you get the basic idea. The message leaving the gateway has been transformed to have the gateway address in the wsa:ReplyTo and the server's address in the wsa:To. This is the resulting message sent to the server.


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
   <wsa:MessageID>uuid:6B29FC40-CA47-1067-B31D-00DD010662DA</wsa:MessageID>


   <wsa:Action>Greet</wsa:Action>
<wsa:ReplyTo>
<wsa:Address>http://localhost:12000/SoapContext/GreetCallbackSoapPort</wsa:Address>
</wsa:ReplyTo><wsa:To>http://localhost:13000/SoapContext/SoapGreeterPort</wsa:To></soap:Header>
<soap:Body>
   <x1:greetMeOneWay xmlns:x1="http://apache.org/hello_world_soap_http/types">
       <!-- Element must appear exactly once -->
       <x1:requestType>Asynch Client using WS-Addressing</x1:requestType>
   </x1:greetMeOneWay>
</soap:Body>
</soap:Envelope>

So when the reply comes back from the server, and arrives back at the gateway, it has a new wsa:messageId, but the original messageId is available in the wsa:RelatesTo header.


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
   <wsa:Action
       xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
   <wsa:MessageID
       xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
       uuid:Id-0000012e5303f409-0000000000a96fd2-2
   </wsa:MessageID>
   <wsa:RelatesTo
       xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
       uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
   </wsa:RelatesTo>
   <wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
       http://localhost:12000/SoapContext/GreetCallbackSoapPort
   </wsa:To>
</soap:Header>
<soap:Body>
   <x1:greetMeResponse
       xmlns:x1="http://apache.org/hello_world_soap_http/types">
       <!-- Element must appear exactly once -->
       <x1:responseType>
           Hello Asynch Client using WS-Addressing
       </x1:responseType>
   </x1:greetMeResponse>
</soap:Body>
</soap:Envelope>

The callback policy then picks this message up and applies the following filters:

This is the basic caching pattern used by the gateway. The cache's key is the wsa:messageId set by the incoming request. This can then be retrieved from the cache by pulling the wsa:RealtesTo messageId. The resulting URL is then set as the destination (wsa:To) of the response, and the reply is sent. The final message looks like this:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
      <wsa:Action
          xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <wsa:MessageID
          xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
          uuid:Id-0000012e53675a57-0000000001f76db2-18
      </wsa:MessageID>
      <wsa:RelatesTo
          xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
          uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
      </wsa:RelatesTo>
      <wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
          http://localhost:11000/callback
      </wsa:To>
  </soap:Header>
  <soap:Body>
      <x1:greetMeResponse
          xmlns:x1="http://apache.org/hello_world_soap_http/types">
          <!-- Element must appear exactly once -->
          <x1:responseType>
              Hello Asynch Client using WS-Addressing
          </x1:responseType>
      </x1:greetMeResponse>
  </soap:Body>
</soap:Envelope>

I've exported this project and added it to the Vordel Incubator. You can download the config here. Let me know what you think.

Architectural Pattern for XML Gateway - Service Bus Sandwich

Josh Bregman — Fri, 18 Feb 2011 06:05:00 +0000

I was in a discussion yesterday with a customer and the question of "Do I need an internal gateway in addition to my ESB?" came up. In general, people thing about XML gateways as the security appliance that you stick in the DMZ to prevent unauthorized access to services (i.e. the Super PEP). So, why do I need another one in my internal network?

Service Bus Sandwich

I think the most basic reason is that the system that does security processing at the front of the bus should be the same system that does security processing at the back of the bus. This promotes a consistent approach - same policies, same certificates, same administrative interfaces. This also optimizes the capabilities of each component in the architecture - XML Gateway off loads the security processing from the ESB - SSL Termination, XML threat checking, authentication, authorization, message encryption/signing etc. - and the ESB does what it does best - routing, transformation, service virtualization, protocol translation etc.

So, with all of the security processing off loaded to the XML Gateway, how should the ESB and the XML Gateway work together to pass security context. I think the simplest way is to simply use 2-way SSL between the front XML Gateway and the 2-way SSL between the back XML Gateway. This ensures that the ESB is receiving valid messages from the XML Gateway and that it can continue processing the message. Likewise for the back XML Gateway - since it trusts that the request is from the ESB, it can send the message off to its next destination. This makes the sole security interface between the XML Gateways and the ESBs a common trusted Certificate Authority.

If more information needs to be passed form the XML Gateway to the ESB - like the identity of the calling service/user, then you can simply use SAML bearer profile. This profile basically means "trust this assertion if you want.". Since we know the request is over 2-way SSL, bearer seems fine. You could optionally have the XML Gateway or STS sign the assertion, but its probably not necessary. If you're inclined to add the additional control of the signed assertion, you're only adding a public key/CA to the ESB - still a pretty minimal binding.

Looking at the back XML gateway, this is basically the Cloud Service Broker - mediating out access to services in the cloud - but what if you're not using any cloud services yet. Do I still need have the 2nd XML Gateway? Besides the benefits of centralization and consistency, lets look at another real world use case. Information arriving at the front gateway was secured in transmission using 2-way SSL, but contains PII that needs to be masked from the ESB while being processed - it can't be exposed in the clear, in logs, etc. - but the target service requires that information for processing. In this case the front XML Gateway can encrypt/mask the contents of the message and the back gateway can decrypt/unmask the message prior to being sent to the back end service.

In summary, in architectures that contain an ESB, having both a front XML Gateway to secure incoming traffic and a back XML Gateway to secure the outbound traffic provides real benefit. This may or may not represent two physically separate deployments - it just depends if the out bound traffic is allowed to be sent back out through the DMZ. The trust among the components can be done via transport - typically 2-way SSL. This greatly simplifies the administration of security policies, and optimizes the utilization of both the ESB and the XML Gateway.

It Takes A Village....Announcing the Vordel Incubator

Josh Bregman — Tue, 15 Feb 2011 20:22:00 +0000

After much debate, I'm pleased to announce the Vordel Incubator. I'm modelling after the wildly successful Oracle Coherence Incubator. The idea is to work as a community - company, customers, partners - on building solutions to real-world problems.

I've started the project off very modestly with a publishing of the full Maven project that I discussed earlier. As people know, I'm very interested in Maven and believe it is a really good tool for integrating a product into an enterprise SDLC. We'll be using it for the incubator. As such, there is some work to do in short order to extend the existing Maven support through out the fuller lifecycle - automated testing, deployment etc. I eager to work on these topics.

Additionally, as my team works with customers, there a common requests for solutions or examples that everyone would benefit from. Its my intention to grow a library of such solutions in the incubator as well.

Ultimately what I want is to try to harness the enthusiasm of the customers/partners that I've met over my first 6 weeks at Vordel - and channel into building things together that benefit everyone. But to do that, I need people's help and participation. If you are interested in participating in any way, please let me or anyone at Vordel know, and we'll get you looped into what we're doing. I've created a public google group to host discussions, so you can express your views/interests there.

I look forward to working with all of you on this.

How to extend the Vordel XML Gateway with Maven

Josh Bregman — Mon, 14 Feb 2011 18:30:00 +0000

One of the strengths of the Vordel XML Gateway is the ability of the product to be extended using Java. You can do this in two ways: JavaScript and through writing custom Filters. The really clever part about how the XML Gateway is engineered is that the underlying XML layers are written in native code so the product is really fast even when you have to use Java to customize it.

Recently, I had a customer ask "How do I build filters using Maven?". This is obviously a person after my own heart. I had spent a lot of time last year working with Maven, in particular for the OES/Spring/JBOSS/AOP integration I did. So, these are the steps for building the Example Filter using Maven.

Step 1 - Load the Dependencies into the Local File System

This for me is always the trickiest part. For things that are "non-Maven" you need to get them loaded as dependencies - but how? In order to get the XML Gateway APIs loaded into the local repository, you need to use the install:install-file goal to load some of the jars. As I continue to invest in this solution, look for other more elegant approaches, but for now this is what I'm going with.

This is the commands I ran, in my linux environment:


mvn install:install-file  -Dfile=/opt/vordel/vordelgateway/system/lib/circuit.jar  -DgroupId=com.vordel.vordelgateway -DartifactId=circuit -Dversion=6.0.3  -Dpackaging=jar

mvn install:install-file  -Dfile=/opt/vordel/vordelgateway/system/lib/server.jar  -DgroupId=com.vordel.vordelgateway -DartifactId=server -Dversion=6.0.3  -Dpackaging=jar

mvn install:install-file  -Dfile=/opt/vordel/vordelgateway/system/lib/entityStore.jar  -DgroupId=com.vordel.vordelgateway -DartifactId=entityStore  -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/manager.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=manager -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/common.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=common -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/client.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=client -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file   -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.gef_3.2.101.v20070814.jar  -DartifactId=gef -DgroupId=org.eclipse -Dversion=3.2.101  -Dpackaging=jar

mvn install:install-file  -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.jface_3.3.1.M20070910-0800b.jar  -DgroupId=org.eclipse -DartifactId=jface -Dversion=3.3.1  -Dpackaging=jar

mvn install:install-file  -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.swt.gtk.linux.x86_3.3.2.v3347.jar  -DgroupId=org.eclipse -DartifactId=swt -Dversion=3.3.2 -Dpackaging=jar

Step 2 - Create a Parent POM

The parent POM references all of the dependencies, as well as simplifies the rest of the building process:


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.vordel.vordelgateway</groupId>
 <artifactId>parent</artifactId>
 <version>6.0.3</version>
 <packaging>pom</packaging>
 <build>
  <plugins>
   <plugin>
    <version>2.3.1</version>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jar-plugin</artifactId>
    <configuration>
     <archive>
      <manifestFile>src/main/resources/META-INF/MANIFEST.MF</manifestFile>
     </archive>
    </configuration>
   </plugin>
  </plugins>
 </build>
 <dependencies>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>circuit</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>server</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>entityStore</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>manager</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>client</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>com.vordel.vordelgateway</groupId>
   <artifactId>common</artifactId>
   <version>6.0.3</version>
  </dependency>
  <dependency>
   <groupId>org.eclipse</groupId>
   <artifactId>jface</artifactId>
   <version>3.3.1</version>
  </dependency>
  <dependency>
   <groupId>org.eclipse</groupId>
   <artifactId>gef</artifactId>
   <version>3.2.101</version>
  </dependency>
  <dependency>
   <groupId>org.eclipse</groupId>
   <artifactId>swt</artifactId>
   <version>3.3.2</version>
  </dependency>
 </dependencies>
</project>

With the POM created, run mvn install to load the POM into your local repository

Step 3 - Create the Example Filter Project

I used eclipse and the Eclipse Maven Plugin. I created a new Maven project that referenced the Parent POM


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <parent>
  <artifactId>parent</artifactId>
  <groupId>com.vordel.vordelgateway</groupId>
  <version>6.0.3</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.vordel.vordelgateway</groupId>
 <artifactId>example-filter</artifactId>
 <version>0.0.1-SNAPSHOT</version>
 <build>
  <plugins>
   <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-compiler-plugin</artifactId>
    <version>2.0.2</version>
    <configuration>
     <source>1.6</source>
     <target>1.6</target>
    </configuration>
   </plugin>
  </plugins>
 </build>
</project>

I then moved some files from the original example to conform with the Maven structure. I moved the simple.gif and resource files to their proper Maven place under resources. I also moved the MANIFEST.MF file to src/main/resources/META-INF so it is included in the jar.

You should be able to build the project. All that's left to do is copy the jar to the /opt/vordel/vordelgateway/ext/lib and the /opt/policystudio/plugins directories, and your plugin should be good to go.

How to retrieve an OAuth token from a WS-Trust based Security Token Service (STS)

Josh Bregman — Fri, 11 Feb 2011 19:01:00 +0000

I'm finally back home after 4 straights days in airports. During the week I delivered a really interesting use case that I wanted to share. This was in support of a demo where the customer wanted to understand how OAuth works with the XML Gateway. Given the natures of POCs, I had already built much of the demo around the customer's other requirement - retrieving a SAML assertion via a WS-Trust based STS. I had to come up with a way to add the OAuth functionality to the existing scenario. I think the approach that I came up with is novel and so I wanted to share it on the blog.

If you look at a WS-Trust RST (Request for Security Token) message, the initiator can request a token type, so the call to the STS can reasonably start with a request for an OAuth token, but the real question is "What to return and how to return it?". One thing that I liked about this particular scenario was that it gave me a change to dig a little more deeply into OAuth 1.0. I think I understand it much better. There have been many places where OAuth has been explained, so I won't cover everything, but basically for the Gateway scenario calling a service protected with OAuth, you need an access token and a corresponding access token secret. For the purposes of this scenario, I assumed that the access token and access token secret were already available to the STS - let's just say this happens when the user elects to allow the gateway application access to its information.

So, then how should we return this information. Both the access token and access token secret are just strings. The solution I used was to return them as Attribute Statements inside of a SAML assertion. One of the great things about SAML is its ability to include attributes related to the subject. The eliminated the need to come up with a custom token or simply pass them pack in the transport. The transport is OK, but I like the elegance of using SAML and quite frankly how easy it was to implement using the gateway.

On the caller side, I needed to modify the request to the STS to have the right token type

and then retrieve the assertion from the response.

The XML Gateway has a single filter that retrieves attribute assertions...couldn't have been easier.

On the STS side, this was also really simple. I just added a branch in the STS policy to handle the case where an OAUTH token has requested and the call the policy to add the SAML Attribute Assertion.

A quick re-deploy of the policy and I was in business. For the purposes of this demo, I used the LinkedIn API which is protected by OAuth, and made a simple call to get my network updates for the day.

I did all of this in about 1 hour very late at night - another strong testimony for the tool. The fact that I could get and set the SAML assertions so easily, really made the whole thing "just work".

I know that OAuth 2.0 has a binding for passing a SAML assertion to retrieve an access token, but the convergence between SAML and OAuth is definitely underspecified.

The scenario I'm showing here is the binding of an OAuth access token to a SAML assertion. From a specification perspective, I think all you would need to formalize are the constants for requesting the token from the STS (token type) and the attribute names (OAuth access token) themselves. I'll get Mark on it after he gets back from RSA :)

How to Secure the Cloud?

Josh Bregman — Tue, 01 Feb 2011 08:56:00 +0000

I'm in the process of getting the Boston chapter of the Cloud Security Alliance started. I'm just waiting for the "paperwork" to go through, but I'm really excited about what I'm hearing from customers about the cloud. Coming from Oracle, you get a bit of the "Larry Hates the Cloud" mindset, but in my limited time here at Vordel, I can see the deep interest from customers.

Mark O'Neill has published a few articles recently on a few topics within cloud security (SSO to Google Mail and Security Checklist for Cloud Security) but there is single "Cloud Security" solution. Probably the only term less well defined than "Cloud" is "Security". CSA is starting a whole new focus are on "Security as a Service" - again we could have/and will continue to have a debate over what is a "Service".

Unlike SOA, IT people are being asked by the business "What are we doing about the cloud?". This is because the "cloud" model continues to drive real cost savings. So, given the state of security in the cloud....what should you do?

From my perspective, the technical alignment between the traditional XML Gateway use cases and the Cloud Service Broker use cases suggests that though the space and the standards are evolving, an investment in an XML Gateway will provide significant value moving up into the cloud. What do you think?

Architectural Patterns for XML Gateways

Josh Bregman — Fri, 28 Jan 2011 18:53:00 +0000

What a week! I didn't get stuck anywhere - except for snowed in at home - but it was really busy. I did have the pleasure of ending the week briefing a group of really smart architects and pre-sales people on the Vordel Gateway.

When talking about the gateway, it is easy to get into the weeds of does it support this crypto accelerator or this version of the WS-SecureConversation spec, or this version of some 3rd party I&AM product. For this particular audience I was trying to get to the essence of how customers deploy this technology. Here's my architectural taxonomy for XML Gateways.

Super PEP - The super/uber policy enforcement point. This is the way that XML Gateways are traditionally deployed. The idea here is that it can enforce any type of policy you can image - WS-Security, Authorization (XACML), SLA Policy, Routing Policy, XML Threat Policy... This is of course a very solid model for the gateway, and the way that most people think of it.
Security Services Platform - There has been a lot of talk about reusable security services for a long time. It was how we originally sold WLES/ALES/OES. The Oracle Platform Security Services - OPSS - has picked up some of that same flavor - and the concept is a good one. Let's have a set of security services that can be called from a central location. There are standard interfaces like SAML, XACML, WS-Trust, SPML etc, but how do you actually go build that into an enterprise? XML Gateway to the rescue. I think of this model as turning the gateway on its "side". Basically, the gateway has the ability to expose these WSDLs, and it has integration with all of these 3rd party I+AM vendors like Oracle/Sun, CA, Tivoli, RSA - as well as various LDAPs - that constructing these services is very straight forward. The gateway today has the ability to be an WS-Trust end-point, CRL endpoint as well as exposing an XML Encryption/Decryption and XML Signing/Validation service. Its a simple exercise to extend this model to any API - standard or otherwise. Furthermore, since the Vordel XML Gateway has very fast XML and crypto processing, the services will perform and scale.
Cloud Service Broker - This is like you take the XML Gateway and flip it around. Mark O'Neill talked about this convergence between XML Gateways and Cloud Services on his blog. I like the architectural symmetry. By flipping it over, you mediate access to services in the cloud. The Vordel XML Gateway is really good at protecting things like API keys - to avoid the issue of having everyone in the enterprise have unfettered access to the company's storage cloud. The distributed caching capabilities of the Gateway can help in cloud scenarios in two way. First of all, caching boosts performance - no need to go to the cloud to get that file, if the gateway has a recent cached copy. The second is that it can save firms money by optimizing calls to cloud services. In the storage example, this eliminates unnecessary GETs. In a transactional example, some provides give better rates for bulk operations, so the requests can be queued in the cache, and then sent en masse, again saving money.

These three architectures provide a simple way of summarizing the capabilities of the Vordel XML Gateway. Like any pattern, they can be used in conjunction with each other. For example, you could put the Super PEP in-front of the Security Services Platform or have the Security Services Platform call the Cloud Service Broker (off site authentication via cloud). As I continue to work with customers, and learn more about how they are using the gateway, I'll be sharing more of these patterns.

How to Securely Integrate Web Services in an Enterprise Environment

Josh Bregman — Wed, 26 Jan 2011 15:00:00 +0000

I spent the bulk of today updating the technical sales presentations for some upcoming training that we're giving in Boston. While brainstorming about the key messages to deliver to customers, I came across this cartoon.

It's admittedly a little silly, but I really like the core concept of the story. The idea is that the quality of the XML Gateway solution is not strictly about speeds and feeds, but the ability of the product to work across teams to deliver real value. This is not some slight of hand - look over here at this other stuff - the performance of the Vordel Gateway is "unbelievably good" - but simply an observation about the challenges that customers face in deploying a solution like this. I drew inspiration from this presentation, so if and when you see the technical presentation, you may recognize some of the themes. As for the presentation in its raw form, I think its more "appropriate" as a web video. Enjoy!

How to Integrate Web SSO with REST web-services using Oracle Access Manager

Josh Bregman — Fri, 21 Jan 2011 03:54:00 +0000

Nothing inspires me to blog like being stuck in an airport. I'm stuck in DC on a return from my first Vordel customer trip. We saw customers in San Diego, Los Angeles, Bay Area, and Seattle. Some of them there were very interested in the integration between Oracle Access Manager and Vordel. Once again, Mark O'Neill, CTO of Vordel to the rescue.

The video demonstrates a few on the interesting scenarios combining a Web Access Management product with an XML gateway

Authentication - By simply selecting Oracle Access Manager as a repository, usernames and passwords are authenticated against OAM - encapsulating the directory specifics and optimizing connections
Identity Propagation - Once authenticated, the OBSSO cookie is available to down stream applications
Single Sign On - By adding another filter - Validate Oracle Access Manager Token - the token is validated by the ASDK and the identity available to the service.

The thing that impresses me about this demo is how easy it is to do. I'm still a relatively new to the Vordel product, but the UI metaphor on building the policies using filters and wiring them together is really simple and easy to grasp. Also, the way that you can pull the output of one filter into the input of another is really useful. The UI will also mark filters as RED is you're missing an upstream input.

Having seen experts like Mark and some of the long time Solutions Architects work with the product, you can get very productive with the tool and build super complicated security scenarios with amazing ease. The biggest challenge is that the 6.0 product ships with over 140 filters. This is not a bad thing...it means that the product provides tremendous value out of the box....its not just a framework. But as some one trying to come up to speed, you realize that there is a 99% chance that there is a filter (or set of filters) that will allow you to do the job.

The other really amazing thing about the filters, is that when you're trying to debug a policy, you can use the real-time monitoring, and see the success/failures of each of the individual filters. This is super useful in diagnosing problems in any environment.

Well, they're calling my flight. Wish me luck getting home. Time stuck on the tarmac is just more time to get up to speed on the product :)

How to Enforce Fine Grained Authorization to REST Services with Vordel and Oracle Entitlements Server

Josh Bregman — Thu, 13 Jan 2011 17:51:00 +0000

Hello from Dublin,

I'm nearly at the end of a very long week for Vordel Company kick-off, but I wanted to take the time get the new blog headed in the right direction. I know that my blogging activity tailed off over the last few months, but one of my 2011 New Year's resolutions is to blog once a week - and lose 15 lbs.

Not surprisingly, my first post of the new year is on Vordel's integration with Oracle Entitlements Server. Mark O'Neill, the Vordel CTO, has posted a video demo of the integration. It follows the same basic use case as the Oracle Entitlements Server-Oracle Web Services Manager integration that I did last year, except through the magic of the gateway, its protecting a REST service.

A little background on this integration. This was an integration that the A-Team helped Vordel with a while back. What's really nice about it is that it uses the Java SM. This means that all of the calls are made inside of the Gateway. So if we take the real world scenario described in the demo of the trader making a call to get a price, then performance is super critical. A more naive approach would be to call out using XACML. The problem here is that the additional over head of creating an XML request, sending in, parsing in inside of the WS-SM, packing up the response, sending it back, and parsing again is > 100 ms. Did you even know a trader that could wait 100 ms? Also there is the additional operational complexity of having to stand up two instance of the WS-SM so that there is no single point of failure.

Ultimately, I think the best solution would be OpenAz...then you get a standard and likely an in-process implementation. Now, if you have a XACML endpoint and want to call out - Vordel does this OOTB. If you want this approach, my recommendation would be to run the XACML PDP from Oracle or other XACML vendors co-located on the Gateway (you can run the gateway as a software appliance), and then leverage the XML processing power of Vordel.

The point here is that the quality of the integration and the quality of the platform does matter. A good tight integration, like the one between Oracle Entitlements Server and Vordel has real benefits (lower latency, operational efficiency) to customers.

Why Vordel?

Josh Bregman — Thu, 30 Dec 2010 19:07:00 +0000

This is my inagural post in this blog - in my new job - as Chief Solutions Architect at Vordel. In my time at Oracle, I had the opportunity to work with Vordel at a number of customers, and two things really stood out - the quality of the products and the quality of the people. It's a really good small company that reminds me very much of the early days of Netegrity. They have been the thought leaders in XML Gateways - a key element in SOA Security - for over a decade. Their push into the Cloud Service Broker/Web 2.0/REST Security area is very exciting to me as it represents the next generation of security solutions.

For people who are familiar with the Fusion Security Blog, you'll see that I'm quite shamelessly copying the layout. Its also my intention to replicate its basic approach - no manifestos, just good technical information on solving real world problems. The focus here will obviously be on Vordel and its primary product the Vordel Gateway, but I'll also cover some of the broader SOA Security/WS-* use cases and approaches that we did on the Fusion Security Blog.

For people who know me, they know that I was fairly reluctant to start blogging. Quite to my surprise, I have found it really useful in being able to connect quickly with customers. So, once again proving that old dogs can be taught new tricks, I've also created a twitter account @xmlgatewayguru . I'll be honest - I'm not really sure what I'm doing with the "twitter-machine" yet, but I'll figure it out.

Wishing you a happy and healthy new year and a successful FY 11,

Josh

Sorry for beeing late ..

Axel Grosse — Wed, 27 Jul 2011 07:05:00 +0000

Hallo Zusammen,
nachdem mich eine netter Ex Kollege darauf aufmerksam gemacht das mein Blog sehr verwaist wirkt (Danke Wolfgang) ...

Es gibt hier grade so viel zu tun, das ich es einfach nicht schaffe das hier regemässig zu pflegen .. also sein mir nicht Böse ...

Soald ich Luft habe gibt es auch die ersten Infos ... mal in Deutsch mal in Englisch ... je nachdem wieviel Zeit ich habe

ciao Axel

Version 6.0.3 ist verfügbar !

Axel Grosse — Tue, 01 Feb 2011 18:27:00 +0000

Die Version 6.0.3 ist heute veröffentlicht worden und über das Extranet von Vordel verfügbar.

Die Release Notes sind hier verfügbar.

Axel

Warum Vordel ?

Axel Grosse — Mon, 17 Jan 2011 08:47:00 +0000

Das ist mein erster Post in diesem Blog ... und in meinem neuen Job ... als Solution Architekt bei Vordel.
In meinen vorherigen Job bei Oracle, habe ich mich ausgiebig mit SOA- und WebService Architekturen auseinandersetzten dürfen. Dabei bin ich einerseits über eine Mangel an Sicherheitsbewusstsein im Umfeld von SOA und andererseits über Vordel gestolpert. Bei Vordel haben mich 2 Dinge überzeugt, ein gestandenes und ausnehmend gutes Produkt und eine Spirit wie ich ihn in meinen Anfangstagen bei Oracle im letzten Jahrtausend erlebt habe.
Vordel ist seit über 10 Jahren führend mit ihrem Produkt - XML Gateway - in der SOA Security unterwegs und ihr neues Produkt - der Cloud Service Broker - ist der nächste Schritt in der Absicherung von großen SOA Netzwerken.

Dieser Blog wird sich sicherlich hauptsächlich um Vordel drehen, aber ich habe vor auch abstraktere Themen rundum die Absicherung von Web Services und Cloud Services zu betrachten. Die Basis werden echte Fallbeispiele sein ... also keine Werbeplakate, sonder technische Informationen um echte Probleme zu Lösen.

Wer mich kennt, weiss das das mein erster Start in die Welt der Blogs ist .... Alte Hunde, neue Tricks ... geht doch.

viel Spass bei lesen und verfolgen
Axel

Throttling – A Variation

Tue, 23 Aug 2011 11:42:56 +0000

In my last post I showed how simple request rate based throttling could be adapted to provide a more proactive approach to managing service consumption limits; applicable to a range of scenarios like capacity management, service metering and critical service protection. I also emphasized the difference between request throttling and concurrent connection throttling. Over the course of the past few weeks I have had cause to think a little harder about how to control and restrict the number of “in-flight” transactions for a particular service.

The obvious point to note here is that the number of requests processed per second does not necessarily relate to the load on the target system (whatever that may be);for example a search request with broad parameters that returns a huge amount of data will consume more resources on the service provider system than an update that contains a unique identifier for a record and a couple of values. The ability to restrict the number of concurrently processing, high cost requests should be considered as important as controlling the rate of incoming requests. Failing to provide this type of protection for mission critical services has seriously undesirable side-effects.

In this post I’ll give an example of how a gateway can be used to provide protection from system overload (at an operation level) and discuss the various approaches to managing this in an HA (High Availability) and dual site configuration.

First off let’s be clear about in-flight requests and concurrent transactions….

Assuming the target service is exposed to external consumers in the classic service virtualisation pattern above, an “in-flight” request is considered to have a lifetime that begins as soon as the request leaves the gateway (forwarded to the service) and that ends once the response from the service is received by the gateway. For longer running requests (in the order of 2 to 5 seconds or more) the effect of concurrent processing is exaggerated. To clarify, the requests do not need to be concurrent – it is the overlap of the lifetime of in-flight requests that constitutes a “concurrent transaction” in the context of MCT (Maximum Concurrent Transaction) throttling.

In the diagram above, (green dots representing requests) if a limit of 2 MCT had been applied to the service, then subsequent requests would be rejected until such time as one of the requests currently being processed completes and returns.

Clearly the objective here is to manage a count, applying a one-in one-out restriction when the maximum number of allowed transactions currently being processed by the target server is reached… sounds pretty easy, and in a single gateway in-line configuration it is.

Using either the service name, operation name (or a combination of both) or even the URI of the incoming request to provide the key for the increment allows the restriction of the number of concurrently executing requests on the target server.

The challenge here is how to scale, simply dividing the maximum limit by the number of gateways behind a load balancer is notoriously unreliable and could easily result in a loss of transaction capacity if the load balancer has any bias at all. The only real solution is to maintain an atomic transaction count across 1..n gateways.

I spent some time looking at the different options for achieving this, and whilst there are a few that are satisfactory from a functionality point of view, they all came with a cost (usually a performance hit).

The silver bullet was actually handed to me on plate by David Cooke at Oracle (thanks David), who introduced me to Oracle Coherence, a very cool piece of tech. The key to it all is providing a non-blocking lock on the count – allowing multiple gateways to read, increment and decrement the count for a given service/operation. The simple policy shown below is all that is required to implement service level MCT throttling (in its most basic form)

If the gateway fails to acquire a lock on a transaction a custom error message is returned back to the client. The fault handler (in blue) for this circuit also releases the lock – to prevent orphaned transactions. In this example the connection to the target service is also load balanced (by the gateways) to multiple hosts.

As a solution this is highly scalable (multiple gateways, 300+ services/operations) and also self healing; one or more gateways can be removed from the architecture without impacting the availability or the transaction count, as long as there is one gateway up and running. Orphaned transaction locks from a terminated gateway are automatically cleaned up and freed for use by the remaining gateways.

The load balancing performed by the gateway will also mitigate downstream server failure – by removing an unresponsive host from the available pool and adding it back in when it becomes operational and available again.

If that wasn’t enough, the transaction restrictions can be applied even in a dual / multi site (DR) scenario – although performance may vary depending on the inter-site connectivity.

The MCT throttling limits can be implemented as “hard” and “soft” limits with alerting (as described in the previous request throttling – and the concurrency can be tracked against almost any facet of the interaction service/operation/user/client IP address etc… Limits can be stored externally (abstracted to a directory/database / IdM solution) allowing the administration.

Request throttling – a proactive approach

Thu, 04 Aug 2011 16:55:53 +0000

I recently saw this great article by Mark O’Neill, CTO at Vordel about throttling. Take a look here http://www.soatothecloud.com/2011/07/how-to-configure-throttling-on-vordel.html.

Mark assumes you have a degree of familiarity with either the Vordel Gateway or Oracle Enterprise Gateway, if you don’t then take a look at my earlier “hello world” entries

What I’d like to do in this post is focus a little deeper on request throttling, and show how the gateway can help avoid partners and service consumers from overloading your services not just by blocking requests that exceed a certain threshold, but by giving advanced warning of erroneous excessive service consumption.

It is worth taking a few paragraphs to explain the very real value of request throttling, and perhaps to make a brief comparison with SLA management, quota management, traffic shaping and concurrent transaction processing limits.

In the context of gateways being used to virtualise services for external consumption, throttling is primarily concerned with the number of requests made by consumers to the target services. Restrictions take the form of a message count that is incremented and measured over a specific time period. The Vordel gateway provides both coarse and fine grained control of request counts and perhaps more importantly can track the request count based on virtually any index.

The throttling filter provides a variety of options for measuring and tracking request counts – the time period unit ranges from seconds, minute, hour, day, and week meaning that it can used to implement quota management as part of a pay-per-use solution.

The number of messages, period and period unit can also specified by parameter substitution – enabling complete decoupling of the throttling limits which could be managed in an external provisioning system or database.

Key to the successful implementation of a request throttling solution of enterprise scale is the ability to maintain a consistent count across multiple gateways in an HA / HA-DR deployment – achieved quite simply here by the use of the gateway’s caching mechanism.

Pay special attention to the “Track per key” setting that allows the request count to be applied to different contexts. In the screen shot above, the wildcard attribute of ${http.request.clientaddr} is being used – fairly obviously this will apply the request count restrictions based on unique IP address value of the calling client. The ability to control the “key” with attributes gives enormous flexibility, and because multiple throttling filters can be linked together in a policy (or circuit) limits can be applied to an incredibly low level. You could for example apply a global request rate limit across all services (good practice for mitigating DoS attacks). Legacy applications that have been “service enabled” may be a little fragile (having never been designed for web volumes) – it would make sense to apply a service wide limit in addition to the global restriction, but independent of the calling client – you could even be operation specific. Most of us are also familiar with the pattern that allows restricted service usage for “free”, and a tiered allowance for those signing up to the “pro” version – a good example of metered service consumption by role. Then there is the hard core application – of quota management by identity (which could be at individual user level or partner organisation).

For the record, throttling should not be confused with SLA (Service Level Agreement) monitoring and management. It may be sensible to offer an SLA within restricted bounds (of request volume) but SLA is more concerned with response times, number of failures (typically non 2xx response codes) etc…

The value here is pretty obvious, by implementing a well considered throttling strategy (which incidentally can be designed once and applied globally) you get the following

Protection from request volume based DoS attacks
Shielding of vulnerable servers, services (and even specific operations)
Service Consumption Metering (billable pay per use services)
Optional and conditional routing of excess traffic (maybe expanding into the cloud at peek times
Pro-active non-blocking alerting that allows action to be taken before critical limits are reached with built in alert storm protection
boundary volumes for tightening SLA agreements

Using externally set parameters means that limits can be changed an applied dynamically (or in extreme cases even scripted!!) you could for example automate the increase of a limit on receipt of payment for a particular partner / customer.

The wealth of functionality in just one filter component is impressive in its own right, and… there’s more… Mark’s blog describes a relatively simple design…. once you reach the throttling limit for the service then future requests are “rejected” until such time as the rate calculation falls below the specified threshold. By introducing a soft limit we have the capability to provide non-blocking alerts that give prior warning of an impending breech .

Working through an example….

1. Basic service throttling

The figure above shows rudimentary service throttling (at 100 requests per second is used as an example only). If the number of requests to the service exceed this, then a soap fault will be returned by the gateway and the request is not sent to the target service (blocking).

If we introduce another throttling filter (different key for tracking!) with a lower limit, we can provide an alert to an appropriate party (operations / partner administration contact / account manager or all)

2. Setting a “soft” limit

In this example I’ve chosen to set the warning level at 80 requests per second – and changed the key to track by to avoid a double increment with the hard limit filter.

At first glance, it looks a little odd – basically we don’t change the policy execution path when we exceed the SOFT limit. This will however show in trace files, real time monitoring and the new Traffic Monitor

3. Take some action on exceeding the SOFT limit

a) For demonstration purposes I’ll use a syslog alert, but it should be obvious at this point that the conditional processing that occurs as a result of a SOFT limit breach is not restricted to syslog alerting – or alerting at all! – setting up an alert

Having set up an alert target, it can now be used to flag a soft limit breach… n.b. the alert filter is found in the Monitoring category

The actual alert configuration is outside the scope of what I want to discuss here, I’ll perhaps cover it in greater detail in a different post

So from the top down …..

If the request being processed causes the 80/s count to be exceeded we follow the failure path (the red line) to the “Alert” filter – my alert is configured to send a message to syslog with details of the service soft limit breech.

In the above policy I have chosen not to put the alert on the critical path, in real terms this means that even if the alert fails then message processing will continue. Then the policy checks the HARD limit which is where we started at step 1… meaning that if the request is over the soft limit but below the hard limit then the alert is sent and the request is processed as desired, only when the hard limit is exceeded are requests blocked.

** The brighter readers of this might observe that this means you could have 20 alerts in a second for each request that is >79 but less than 100 ** essentially an alert storm. Fortunately the alerting filter provides the ability to prevent this by configuring a limit for the number of alerts that can be sent in a given time period…. the clever guys at Vordel think of almost everything

Hello Joe

Mon, 27 Jun 2011 12:54:43 +0000

Hopefully you’ve been able to set up your new and shiny gateway and go through the simple hello world policy. In this post we are going to extend the HelloWorld policy to introduce some authentication and gateway attributes.

So far we have used the set message filter to set the message value to some arbitrary text, and then used the reflect filter to bounce this back to the requestor with an http response code of 200.

To add some simple authentication, the first thing we will need is a User.

1. Creating the user

Select the users section on the configuration navigation panel on the left hand side.

Then click on the Users node of the User Store

Click Add – and enter some details for your user (I have used ‘joe’ with a password of ‘joe’)

Note the option to assign an X509 cert here – this can be used for crypto operations and mutual SSL – which are topics for a later post.

Notice also the attributes tab, click this and add an attribute

I’m going to set an age attribute with a value of 30

Add a couple more if you feel like experimenting – just the one will serve for the purpose of this post – remember – pretty much everything is CASE SENSITIVE by default.

Click OK and now you have your user “joe” in the built in user store

2. Adding authentication to the policy

Now we have a user to work with, lets put some authentication requirements on our Hello World policy – starting with http basic. Navigate to the Hello world policy (select the policies section on the left hand navigation panel and click on the policy in the tree node, or if it is already there select it from the list of tabs in the design panel (central panel by default).

Type “authentication” into the filter text box at the top of the pallet – you should be getting used to where things are by now… and expand the Authentication category.

In the authentication category you will see many options for providing authentication to services – some of which enable out of the box integration with third party IdM products – we won’t be looking at these in the blog but feel free to submit a comment if you need assistance with something specific like Tivoli, RSA, CA, ADFS etc…

Remember that each of the filters here will have a context based dialogue that allows you to enter the parameters required to integrate – NO CODE REQUIRED.

For those of you not familiar with how Mutual SSL authentication (or Client certificate authentication) don’t expect to be able to use this just yet, as we haven’t set up an https interface … so it’s not possible just yet …. have patience

Anyone wanting to play with kerberos – feel free but I’m not a big fan so won’t be covering it here unless someone forces me too

Left click, hold and drag the filter onto the design canvas – it is best to drop it on to an “empty” part of the canvas – dropping filters on top of each other or directly on to connectors has a different effect which we will cover later.

Configure the filter with the following settings:

and click Finish – you should have something like this.

Remember any filter that is not the start filter, and is not connected to it by a downstream path is not part of the policy.

Obviously it makes sense here for http basic authentication to be the first step we perform in the policy – it may seem trivial right now, but we don’t want to waste processing power performing tasks for an un-authenticated user!

There are a couple of ways of achieving this, and it’s basically down to personal preference – either set the filter as the start filter (right click – set as start) and then join the others, or use the to link the http basic filter to the set message filter… then set it as start – I typically do the later.

There are no RED warnings – so all attribute requirements are satisfied – all that remains to be done is deploy the update policy to the gateway

to deploy the configuration hit the F6 function key, or click the deploy icon – changes to policy do not affect the running [active] gateway until they are deployed.

In a browser of your choice – load up your hello world uri

http://localhost:8080/blog/tutorial01/helloworld

– you should be challenged for a user name and password

Enter the credentials for the user you added in the first step of this tutorial – in my case – ‘joe’ and ‘joe’

and you should be granted access to the hello world page

** There are a couple of things to keep in mind when it comes to using browsers as a test client; they tend to cache authorisation headers – so if you got your username and password wrong here then to try again you may have to shut down ALL browser sessions before you can try again – or even clear your browsing history – ultimately it is better to use a testing tool like Vordel SOAP Box that will all0w you to send a variety of requests at the gateway (including http GETs) without the browser functionality getting in the way of you testing – we’ll take a look at SOAP Box in the next couple of blogs – and its a free download with no “pro-version” limitations **

So we have layered http basic authentication over the hello world service – now that we have a user identity established as part of the policy we can add some personalisation – let’s start by changing the welcome message.

Go back to the hello world policy and double click on the set message filter –

edit the text to say Hello $

Notice that as soon as you press the ‘$’ key a scrollable list of attributes is presented for auto insertion – continue to type “authentication” and then select the “authentication.subject.id” attribute and hit enter. Your message text should now look like this.

Hello ${authentication.subject.id}

Click finish.

This is the general syntax for attribute insertion (or substitution) – the authentication.subject.id attribute is populated by way of the http basic authentication filter we inserted earlier. You can see what attributes are generated, required and consumed by right clicking on the design canvas and selecting the “show all attributes” menu item.

There are other attributes available (populated by default as part of handling an http request – http.request.uri and http.client.addr for example that are not shown in this list – all the attributes are documented in detail in the gateway documentation. available at http://localhost:8090/docs/

Deploy [F6 function key, or click the deploy] your updated policy and browse to the url http://localhost:8080/blog/tutorial01/helloworld

for fun you could then try setting your message to something like this.

Hello ${authentication.subject.id}
You are on ip address ${http.request.clientaddr}
and accessing the relative path ${http.request.uri}
via the HTTP method: ${http.request.verb}

Next we will look at retrieving joe’s age from the user store.

In the filter textbox on the pallet – type attributes and expand the attributes section

Again there is a wealth of functionality that deals with attributes of all kinds, shapes and sizes – scrolling down you will find the filter we need for this example

Remember you can customise the filters that are shown or hidden, and add your most frequently used filters to the Favourites (Favorites for you folks in the US) category.

If you fancy a change and don’t want to drag and drop then you could right click on the canvas and select add filter, then select the retrieve from user store filter.

Configure the filter to use the authentication.subject.id as the User ID, – the authentication.subject.id will be used to uniquely identify the user whose attributes we wish to retrieve. – you can add individual attributes to selectively retrieve, or leave the attribute list empty to return ALL attributes for the user from the built in store

Now wire in the retrieve from user store filter. Logically it would not make sense to retrieve attributes before we have identified the user – so you should be able to figure out where this one should go – again there are different ways to rewire the policy – by preference I connect the filter I have just added using the success connector to the filter that should follow it, then move the end of the path that should connect above it like this.

Connect the retrieve from user store filter to the set message filter

click the success path joining the http basic filter and the set message filter then drag the arrow end to the retrieve from user store filter

click the arrow head and drag it onto the retrieve from user store filter and release

Now we have a nice visual representation of the flow –
1. authenticate
2. get attributes from user store
3. set the personalised message
4. return the message to the requestor

we just need to update the message to include our ‘age’ attribute

change the message text in the set message filter to

Hello ${authentication.subject.id} you are ${user.age} years old

Notice that the age attribute is prefixed with “user.” this is because the attribute belongs to the user, and NOT the message – distinguishing between user attributes and message attributes becomes more important later when inserting SAML assertions amongst other things.

Deploy the updated policy and check it out….

You can change “joe’s age” by modifying the age attribute value for joe in the user store – remember to re-deploy before you test again.

Notice that the Set Message filter is now RED – warning that one or more required attributes may not be available at run-time – this is because we used the retrieve filter to return ALL the values – therefore the GUI cannot confirm with any certainty that the “age” attribute will ALWAYS be available. If you show all attributes you will see it is the user.age attribute that is the cause for concern.

What you should have learnt

How to add a user (with attributes) to the local user repository
How to configure http basic authentication against the local user repository
How to insert a filter (rather than just add) into an existing circuit
How to retrieve user attributes from the local user repository
How to substitute retrieved attributes using the wildcard syntax into the set message filter
Where to access the list of available attributes (in the product docs!!)
How to detect attribute dependencies in policies
How to navigate between the different configuration sections – policies, services, users

Fundamentals

User attributes are prefixed with “user.”
selecting a success or failure “arrow” allows the arrow head to be dragged and reconnected to change the flow of the policy
ALL changes need to be deployed – even updating user attributes
Changing the starting filter affects the whole policy – there is more than one way to achieve the desired flow through the policy / filter circuit

Up next….

Fault handling and policy shortcuts… a short introduction on how to create re-usable policies that can be invoked from multiple “parent” policies, and how this helps to keep a clean and clear visual representation of gateway policies; and how to create policies that handle errors and failures.

Hello World

Tue, 07 Jun 2011 18:59:56 +0000

I find it easier to get to grips with products when I use them, tool tips and “tip of the day” splash screens bug me, I actually prefer meaningful error messages when I mess things up. With that in mind I’m not going to go through each and every facet of what you can see in the design tool you just fired up I’m just going to walk through a simple example… which will educate as well as stimulate some questions…..

Having said that, it is helpful to know which end of the proverbial oar to use before starting to paddle so here is the express tour of the main Policy Studio design window.

The main policy studio window has two sections – the section on the left is for configuration navigation and is split into 5 separate viewing perspectives

Services – For configuring inbound channels e.g. http listeners, jms and pop3 consumers
Policies – Viewing and managing policies – we will explore this in more detail later
External Connections – external databases and repositories, AuthN and AuthZ / IdM Provider integration, SMTP, JMS etc…
Users – A built in user repository that can be used to apply AuthN and AuthZ without requiring a 3rd Party User Repository or IdM product
Certificates – self explanatory – contains functionality for managing certificates and keys

Selecting the different sections on the bottom left hand container changes the explorer tree node view.

left clicking on any of the node items changes the contents of the tabbed central panel to a context sensitive display

If you are anything like me then you’ll probably have tried clicking, double clicking and right clicking on just about everything that looks clickable by now (I’m every IT trainers worst nightmare). Hopefully you managed to cancel out out of everything you weren’t sure of and tried deleting anything you thought you understood to get back to ground zero…. if you didn’t then don’t worry about it simply close the top level gateway configuration tab, choose to discard your changes and then click “edit active configuration again” and phew…you’re back!…

First things first check you have the gateway running on port 8080 (this can be changed no problem but will be covered in a separate post) **TODO** link to changing ports post

Next fire up your browser and navigate to http://localhost:8080/healthcheck – you should get a little message back saying “OK” – depending on your browser it may or may not be rendered as XML

Use your browsers view source facility to take a look at what is actually sent back by the gateway

the gateway URIs are case sensative http://localhost:8080/HealthCheck will give you a totally different result (again this can be overridden but is out of the scope of this post)

If you haven’t already fired it up and had a look around already then check out the traffic monitor and real time monitoring tools at http://localhost:8090/

the traffic monitor is a really useful tool for development and diagnostics…. and shows policy execution, trace and payload information, we will take a look as part of the first policy exercise.

So now we have the basics in place, and we can navigate the different configuration sections we can go right ahead and develop our first policy.

The gateway is often used in the context of a reverse proxy for web, xml and ReST services, in the case of Web Services we can use an import wizard to load up a WSDL and auto-generate a policy framework that virtualises the service. Ironically this makes more sense when you know more about how the gateway actually works. So instead of plumping for the standard StockQuote Service (which I promise to cover in a later post) I’m going to take a step back and work through setting up an “echo” style service on the gateway – no SOAP, no WSDL, no XSD just an http request and response.

Start by creating a new Policy Container under the Policies node in the node tree on the left hand configuration explorer pane

You can also add a sub container if you like, containers are essentially just folders that help you keep your policies organised – this is particularly important for separation of concerns and for re-usable “utility policies”.

Once you have the containers configured as you want them then add a policy to the appropriate container.

Policies appear in alpha numeric order (so as a tip – start with at least one leading zero :-) – you can rename them later if you need to.

When you click ‘OK’ the blank design canvas will load up into the central tabbed panel along with the filter pallet on the right hand side

Remember to use the text lookup box at the top to help you find the filter components you need to build the policy – You can also customize the pallet to show and hide individual filters and categories

Under the “Conversion” section you will see the “Set Message” filter – we are going to use it to build our “Hello World” message that will be sent to the calling client.

The “Conversion” category contains a whole bunch of filters that are used to manipulate messages; XML, SOAP, Attachments, text, binary, pretty much anything.

The “Set Message” filter can be used to create a template message of a particular mime-type which can then be populated with information drawn from other sources – SAML Assertions, LDAP repositories, Databases, message headers or protocol information.

Learning what each of the filters does, and how to combine them is the essence of good policy design – if you are resorting to using the scripting and extensibility features of the design environment then the chances are you haven’t thoroughly explored what’s available or not thought through what exactly is involved in achieving the desired result; as with all “development” there is no real substitute for a good design document and a few flow / sequence diagrams to help you get it right.

I would start by adding the “set message” filter to my favourites though.

Left click on the filter in the categories list and DRAG it onto the design canvas for your hello world policy – then let go. You will be prompted with a dialogue to configure the set message filter …. do something like this…

Notice that the content-type has been set to text/plain – this means we don’t have to go writing html or xml and the message will render ok in a browser without issue – if you want to put some XML or HTML then feel free to give it a go, just be sure to use the appropriate content type (text/xml or text/html as appropriate)

Notice the “Next” button at the bottom – pretty much every configuration dialogue has one of these and it opens up the logging options for each filter – again feel free to take a look, but I’ll cover this off in a different post.

Click finish

Now you have a “greyed” out set message filter on your canvas.

Every policy must have at least ONE filter and ONE START; A Policy MAY have just ONE filter that IS the START

As it is our policy doesn’t have a start point, we just dragged on a filter and configured it. To set our set message filter to be the start filter we need to

Right click on the filter on the design canvas and chose “set as start”.

The filter now shows as both Start and End

So far so good…. but we need to “bounce” or “reflect” this back to the calling client – for http/https requests we use the “reflect” filter from the utilities section to do this.

type reflect in the pallet lookup text box and expand the “Utility” Section

Click and drag the filter onto the canvas and click Finish

You will see that the reflect message filter is not joined to the set message filter which is our starting filter – and so at the moment it is inactive to make it part of the policy we need to connect it with one of the connectors.

Almost every filter in the pallet has two possible outcomes SUCCESS and obviously

Policies are constructed by building logical trees (Binary decision trees) of filter execution – so in “pseudo-speak”… when the message has been set successfully we want to reflect the result.

To link our Set Message filter to the newly added reflect filter click on the in the pallet on the right hand side – this puts the mouse into “success connector mode”

Left click *and release* on the set message filter – then left click on the Reflect filter

Note: success and failure paths are not dragged from the pallet.

To exit “Connector” mode either hit the escape key or click on the component in the pallet.

The reflect message filter SHOULD turn RED this is to warn us that the filter may not have enough information to execute properly – to see what the problem is hover over the filter

To execute properly the reflect filter needs http headers (i.e. it needs to be part of an http request response pair – the http headers will be provided by an incoming request to the gateway that invokes our hello world policy – So all that is left for us to do is wire the policy up to a suitable URI to expose our hello world service.

Select the services category on the left hand configuration explorer panel and expand the nodes down to the “default services” node.

Right clicking on the Defualt Services node gives us an option to add a “relative path” – or you can do this by selecting the “Default Services” node and using the link in the design panel

Chose a meaningful path – /blog/tutorial01/helloworld

and then select the hello world policy as the “Path Specific Policy”

Again, the audit settings aren’t what this post is about, but feel free to have a look around -

click Ok and navigate back to your hello world policy (use the tab at the top of the central pane or the “browser back” button from the toolbar menu at the top left.

The reflect message filter now has the required http.headers attribute (that will be populated by the http request) so there are no “red” warnings.

To deploy your configuration (as we haven’t actually made any changes to our gateway yet) hit the F6 (function key) or click the Deploy icon in the toolbar menu at the top.

** Notice the status bar at the bottom **

Now we can test our policy using the browser –

The default http listener that we added our relative path to was on port 8080 – so to test our policy we combine the protocol (http) the host name (localhost) the port number (8080) and the relative path (/blog/turorial01/helloworld) to give us our uri.

http://localhost:8080/blog/tutorial01/helloworld

What you should have learnt ….

How to start up the gateway and connect policy studio
How to navigate the primary sections of policy studio
How to create containers to organise your policies
How to use the filter lookup text box to search for the filters you need
How to create a basic policy using the drag and drop filter components
How to link filters with the success connector
How to add a relative path to a service node and map it to a policy
How to deploy your configuration to your gateway
How to detect when a filter doesn’t have enough information available to execute

Fundamentals

A policy must have at least one filter, and at least one of the filters must be set as the start point for the policy.

A policy that has only one filter which is set as the start filter can be valid

Any filter not linked directly or indirectly downstream of the start filter will be inactive – inactive filters are shown greyed out

Up Next

Hello Joe – the hello world policy gets a little more personal as we explore some basic authentication, failure paths and using “attributes”.

Starting at the beginning

Wed, 01 Jun 2011 14:35:28 +0000

When we are sure that we are on the right road there is no need to plan our journey too far ahead. No need to burden ourselves with doubts and fears as to the obstacles that may bar our progress. We cannot take more than one step at a time.

Orison Swett Marden (1850-1924)

What you will need:

Apart from coffee, and a machine (Win/Linux/Solaris … oh and Mac too if you can run a VM), you will need

Vordel Gateway – available for OS as above and Virtual Image
Vordel Policy Studio – design tool for the gateway
Vordel SOAPBox – neat service testing tool – all the usual stuff supported (http/s SOAP XML attachments encryption etc…)
Probably a good idea to have a browser with the latest flash plugin installed

Later I might dip into centralised management for distributed gateways provided by Vordel Director and the various reports, and stats that can be extracted with Vordel Reporter… so you may as well get those while you’re at it…

If you can’t download and install then it is possible you’d be better suited to a career in sales… but seriously….contact me via this blog or the guys at vordel … sales@vordel.com, and just tell them I sent you

Once you’ve installed, then your good to go … you could even design your first policy on the train…

So let’s start at the very beginning, and the first thing to do is get everything fired up and connected. For the purposes of this blog I’ll be using the Windows 7 version of the Vordel Gateway and Policy Studio if you need info or assistance with different a different OS then either contact me directly or post a comment on the blog.

I could just say RTM, but if you’re anything like me that will be one of the last things you want to do…. far easier if someone just showed you right? My gravestone will probably read “Here lies Ian…. who should have read the manual”. So if you can’t find the manual, or the dog ate it, this is how we get started … assuming you managed to run the installer (or extract the tar.gz) and that you have a valid licence …. if you don’t have a licence or aren’t sure what to do with the one you have STOP and see this separate post on getting a licence

Step 1: Start the Vordel Gateway

Open a command prompt (no really you can do this without a picture)

Change to the bin directory cd C:\gateway_install\Win32\bin

run the command vordelgateway.bat

n.b. if you have installed as a windows service – you can use the program files menu to start / stop the gateway. the advantage of running in a command or terminal window is that you can see the gateway trace without having to tail or open the trace file. You can just double click the .bat file in an explorer window, but if there is a problem (like you forgot to get and install a licence key) the window will terminate without giving you any clue as to what happened.

Notice that the gateway by default starts up using 2 different ports – 8080 and 8090. You can browse to http://localhost:8080/healthcheck to see if your gateway is behaving as it should.

You should also open up http://localhost:8090/ and login to see the gateway “home page” that gives you access to trace files, real-time monitoring and other cool stuff that we will play with later. The user name and password defaults are admin and changeme

Step 2: Starting Vordel Policy Studio

For windows users this is easy – either use the start menu, programs, vordel, policy studio link or

double click the policystudio.exe in the installation folder (you could of course do this from the command line too if you like)… either way you should see something like this

Assuming you haven’t messed with anything you should be able to go right ahead and click on the link to “Gateway – localhost”

The user name and password defaults again are admin and changeme and you’re in

Hit the shortcut to edit active configuration or double click on the Vordel Gateway in the process list and you can take a look at the gateway configuration as it comes out of the box.

When you are prompted for a “passphrase” just click ok.

Introduction

Mon, 24 Jan 2011 16:14:16 +0000

One question that I am often asked is

“So what does a gateway do anyway?”

Many think of it just as a piece of security infrastructure that “secures web services and XML traffic”, and yes it does that (too). Others perceive it as a transformation engine converting between disparate data formats and protocols, they too would be correct. There are a few SOA fanatics that recognise a gateway as providing a point of enterprise wide control, monitoring and reporting – and as a key architectural component for both design time and runtime governance. In fact the Vordel Gateway provides all of these features and more.

I have been involved in countless gateway implementations across all market verticals and whilst I have seen similarities in designs and some common requirements for gateway functionality, I can honestly say that no two implementations are the same. One of the greatest strengths of the gateway is flexibility. It could and often is considered a network Swiss Army knife, the real challenge being to know which blades to use for what.

The purpose of this and future posts is to share a little of what I know the gateway can do, and perhaps draw attention to some of those that require a little lateral thinking, a few “How Tos” and “Why Tos” and hopefully comments from readers that will prompt a little health debate.

I’ve listed a few topics that I intend to cover below, but I’m happy to go ‘off road’ and take a steer on what ground to cover from any comments that are posted.

Pop3 to SOAP/ReST API
Controlling services at runtime
Selective Tracing (runtime debugging)
Service throttling – in-line and abstracted
ReST [style] Façade for Services – no code required!
Why SSL May Not Be Enough – data at rest and message level encryption
Detecting Client Certificate Expiry [before the event]
Using Active Directory Group membership for Authorisation
Service/Operation based User, Rate and Quota Provisioning – with database integration.

In addition to the above list I’ll be covering high availability and gateway scaling in general. If what is here isn’t enough, there is a whole host of valuable information, tips and tricks, videos and more from CEO Mark O’Neill http://www.soatothecloud.com/ and also various contributions from the Vordel Solution Architecture Team at http://xmlgateway.blogspot.com

The Unbundling of Banking - Will banks be "Twilio-ed" ?

noreply@blogger.com (Mark O'Neill) — Tue, 22 Sep 2015 08:42:00 +0000

This week is API Days Open Banking and Fintech, appropriately taking place in London which is fast establishing itself as the financial technology capital of the world.

I'm privileged to be speaking on the keynote on Weds 23 on the topic of "Innovating at the Speed of Customer Expectation – Laying the Digital Foundation for Financial Services", and then taking part in a panel with Lloyds, Erste Bank, and BBVA about Banking API Strategies.

One thing I'm sure which will be discussed at the conference is the so-called “unbundling of banking”. Banks are now competing with specialized fintech companies who generally do one thing, and do it well - e.g. rick analysis, or bitcoin blockchain services. Often they have an API into that service and operate as an "API First" company.

Where has this happened before? The answer is telecoms. In the telecoms world, there is the example of Twilio, a classic "API First" company whose SMS API is very widely used. Just look at apps created at any hackathon, and you'll see how popular the Twilio API is (you'll often also see someone from Twilio there, which shows their investment in the API community). Telecoms operators have thus been disrupted by Twilio, and indeed some have launched their own SMS APIs in response.

Is there a danger that banks will also be "Twilio-ed"? Or is this a opportunity for banks to move, in the words of an architect I spoke to at a US bank recently, from a “Banking Products and Assets focus” to being a “Micro-service aggregator and networked value creator”. Can banks embrace these pure-play fintech services by aggregating and using them in their own "full-stack banking"? We see some brand new banks doing this - e.g. how Fidor includes now Bitcoin support through using the Kraken API.

In TheFinancialBrand.com, Ron Shevlin argues for this, suggesting that the real value for banks is to create a “full stack”, which can include this aggregation of “single-stack” API-First fintech services. He makes the point that aggregating these services into a full-stack is easier than before:

Consumers need a full stack solution. But up until now, the only way to deliver that full stack was with proprietary service offerings and formal relationships between firms that determined who was or wasn’t in the service stack. Revenue-share agreements will make it easier for fintech startups to participate in full stack banks’ solutions, enabling a more open banking environment.
http://thefinancialbrand.com/53975/full-stack-banking-how-fintech-will-fuel-api-based-competition/

This echoes the Harvard Business Review piece by Bala Iyer and Mohan Subramaniam that "Corporate Alliances Matter Less Thanks to APIs", that APIs make it much more easy for these types of business relationships to happen (and indeed the HBR piece uses Twilio as a key example).

With banks bringing dedicated fintech services into their "full stack", through APIs, it leads to the question: Is the value in the aggregation, or in the service? Are banks at risk of becoming just “dumb pipes” (echoing what Martin Fowler describes in his Microservices vision: the real “smarts” are in the services). Are banks at risk of being Twilio-ed? Will there be specialists (e.g. for payments) and then aggregators can create a “virtual bank” by aggregating these specialists? Is Fidor leading the way?

I look forward to discussing all of these questions, and more, at API Days Banking and Fintech this week.

Solving the Digital Business Puzzle Using APIs and Microservices - Axway and Forrester

noreply@blogger.com (Mark O'Neill) — Thu, 17 Sep 2015 17:07:00 +0000

When organizations make the choice to put a digital platform in place, a discussion on MicroServices is never far behind. By putting a MicroServices layer in place, an organization creates the springboard to launch into the digital future, whether that involves apps, rich Web clients, or IoT devices such as in-store beacons. Individual MicroServices, or orchestrated groups of MicroServices, serve as the foundation for this innovation. The data being passed to and from MicroServices also serves as the basis for behavioral analytics and Big Data, allowing organizations to tailor their digital services based on their users. But what are MicroServices and how are they used?

To answer this question, I'm pleased to say that next week we're running a webinar with Randy Heffner from Forrester, who is an expert on how APIs and MicroServices are used to deliver digital business.

Randy Heffner is VP & Principal Analyst at Forrester Research. He's a leading expert on designing business applications and software architectures that are secure and resilient in the face of continuous business and technology change, Randy has for the past 30-plus years, and across multiple industry sectors, led solution architects in using technology to delight customers and to continuously improve business outcomes. He is the author of some excellent papers on API Design and usage.

You can catch the webinar next Tuesday, September 22, at 11am Pacific, 2pm Eastern by registering here. We already have a large number of people signed up, and it promises to be a lively session with a lot of Q&A.

For people in Europe and the Asia-Pacific region, we're re-running the session on Thursday October 8 at 9am UK/Ireland, 10am Paris/Madrid/Berlin, 4pm Singapore & Chinese Standard Time. You can sign up for this October 8 session here.

What's old is new again

In many ways, MicroServices are not new, since they bring established principles to bear on integration. Martin Fowler has written extensively on Microservices, including componentization and services – topics which will be familiar to any architect deploying infrastructure over the last 15+ years. He writes about the centrality of events in a Microservices architecture, where MicroServices can subscribe to events from other Microservices. This event model brings to mind established best practice integration patterns. At Axway, we’ve also seen this trend with our customers, who leverage the inbuilt message queue in our API Gateway for such a publish/subscribe pattern between their services.

MicroServices also borrow from the worlds of SOA, DevOps, and Operations. Martin Fowler famously speculated that MicroServices may be “service orientation done right”. We see how MicroServices leverage SOA principles of separation of concerns, encapsulation, and loose coupling. From the world of DevOps they bring agility advantages including distributed development, automated testing, and continuous delivery. From the Operations world they bring the advantages of independently deployable components, load distribution, and parallel processing.

MicroService Aggregation

One way in which MicroServices diverge from SOA is in their implementation technologies. SOA was associated with a raft of WS-* standards. There was also, in the words of Martin Fowler, “the tendency to hide complexity away in ESB's”. Digital platforms are designed to avoid these pitfalls, by using REST and MicroService aggregation instead of an ESB. This is often described as "smart endpoints and dumb pipes"

Another aspect of MicroServices management is Operational Intelligence. The data flowing to MicrosSrvices, and being produced and consumed by their event model, can provide valuable behavioral analytics. This Operational Intelligence allows organizations to anticipate future trends and be agile to their customers’ needs. The data also allows bottlenecks to be detected and addressed.

I look forward to some great insight from Randy Heffner on the webinar - sign up and see you then!

Taking API Firewalling to the Next Level

noreply@blogger.com (Mark O'Neill) — Thu, 17 Sep 2015 02:09:00 +0000

One of the chief functions of an API Gateway is to act as an API Firewall. Many people are familiar with a Web Application Firewall (WAF), but may not be familiar with the concept of the API Firewall. You can think of an API Firewall as a "WAF++", because as well as blocking Web Application attacks such as SQL Injection, it must also block API-level attacks such as API Key replay attacks, or (for older style XML Web Services) the infamous XML Bomb. When I wrote my Web Services Security book back in the early 2000s, I didn't now that, today, attacks such as the XML Bomb would still be a concern.

In 2015, API Security is vital because APIs are the foundation of so much of the digital world. Randy Westergren has shown how APIs can be a weak link in Internet of Things (home automation systems in that case). Troy Hunt has shown that APIs also are often the point of security weakness for mobile apps. Because API Security is an important topic, it's vital to drive awareness. With noted expert Gunnar Peterson, we've been publicizing API Security: you can view the Top 10 API Security Issues video, and read the associated White Paper on API Security here. We're also pleased to announce new API Firewalling features in our API Gateway. We had a major announcement about these features this week. The new API Firewalling features include:

Built-in rules to implement best practices for protecting against common threats such as the OWASP Top 10 Attacks.
Support for ModSecurity-based rule sets to allow companies to leverage all free or commercial rules sets built by one of the largest communities of threat protection experts in the world. Companies can also implement their own ModSecurity-based rule sets.
Black- and white-listing rules to combine the best of both types of threat protection.

Adding support for ModSecurity is a big deal because it means that Axway customers can leverage the ecosystem of existing ModSecurity rules. As Alexei Balaganski of the analyst firm Kuppinger Cole notes in the release announcement, "By adding API Firewalling capabilities that can leverage existing rulesets from the Open Source ModSecurity project, Axway has further expanded the scope of API security and threat protection of their offering."

To further highlight the importance of API Firewalling, last week we did a joint webinar with Smartbear where we demonstrated API Firewalling in action (showing a vulnerable API being protected). You can view the recording of the webinar here.

We're also proud that Axway earned the distinction of “Leader” in KuppingerCole’s “Leadership Compass for API Security Management” analysis report (you can download a free copy of the report from the Axway Website). The report examined various vendors’ capabilities within the API security management market and Axway was positioned among the Leaders within all four API security management leadership categories.

There have been many API Security issues recently (including Buffer and the IRS). An API Firewall protects against these threats, which is so important in the new Digital age, when mobile apps and IoT depend on APIs. I look forward to more and more awareness of API Firewalling in the future.

Mobile + IoT Summit next Thursday, with Oracle, Appian, Red Hat, Axway, and Cisco

noreply@blogger.com (Mark O'Neill) — Thu, 17 Sep 2015 00:31:00 +0000

Next Thursday, 24 September, I'm taking part in the online Mobile + IoT Summit with Oracle, Appian, Red Hat, and Cisco. I'll be talking about where mobile and IoT fit in a digital platform, combining digital engagement with a digital foundation. These events always have great question-and-answer sessions - hope to see you there!

Axway API Management expert required by Cognizant

noreply@blogger.com (Mark O'Neill) — Thu, 03 Sep 2015 12:55:00 +0000

Readers of this blog might be interested in this full-time position with Cognizant in Bridgewater, New Jersey, which lists hands-on experience with the Axway API Gateway as required.

As well as the Axway API Gateway, the skills required include:

Candidates will be integral part of API Management practice. You will have an opportunity to develop intellectual property, white papers, internal and external webinars, business development education materials and much more.

Sounds like a great position for Axway API Management experts interested in working on exciting API projects. Good luck!

Test and Protect your APIs - Smartbear and Axway webinar on Sept 10

noreply@blogger.com (Mark O'Neill) — Fri, 28 Aug 2015 14:06:00 +0000

This week, Axway released our plug-in for the Smartbear Ready!API testing tool. The plug-in provides integration between Ready!API and Axway's API Management solution.

As part of the launch, we're also running a joint webinar on September 10th, where we will discuss the two sides of API Security - testing and protection. The webinar includes a demonstration of API Security in action: both the testing (Smartbear Ready!API Secure) and the protection (Axway API Gateway). We'rerunning the webinar twice on the day, to accommodate different timezones.

Here are some of my thoughts before the webinar:

Is API Security new?

The API Economy has taken off in recent years, and it is tempting to think that API Security is a new thing. But it has a long history. Security of SOAP APIs has, of course, an infamous history involving many WS-* standards (some of us wrote whole books on these :) ). SOAP/XML attacks like the XML Bomb keep coming back to haunt developers. However, REST has a longer history than people realize. Way back in 2003, Jeff Barr in Amazon, famously pointed out that only 15% of Amazon Web Services traffic is SOAP based, and [here comes the pun] the rest is REST. Both types of APIs had to be secured.

At the RSA Conference in 2006 (almost 10 years ago, yikes!), I gave a talk on REST Security, when much of the discussion was about "pure" versus "practical" REST. Mobile then became a driving factor in how APIs are used, creating facts-on-the-ground that moved us on from much of the theoretical discussion.

How important is API Security?

API Security is very important. Everyday users may think "I never call APIs, only developers do that", but the reality is that mobile apps and IoT devices call APIs regularly. And this is where API security issues manifest. Let's look at what two researchers have found with API Security for mobile and IoT:

On the mobile front, Troy Hunt's influential "Hack Your API First" article and training makes it clear that much of mobile security is actually really API Security. As Troy explains, if you want to probe an app's vulnerabilities, a good way to start is to see how it calls APIs. If you have your app use a proxy (simply by changing your phone's connection settings), and then by running a tool like Fiddler, you can often see very obvious security vulnerabilities.

On the IoT front, Randy Westergren has shown how IoT devices can call APIs in insecure ways. These APIs calls become the vulnerability. In this case, a security layer was needed in front of the APIs to protect them. An API Gateway fits the bill. My colleague Rob Meyer has talked about how Just-In-Time principles can be applied to DevOps testing, remarking that "Testing is the Andon cord of DevOps" (don't know what "Andon cord" is? I highly recommend checking the article).

So, on the API Security webinar on September 10, I'm looking forward to a great discussion about the two sides of API Security - testing and probing for vulnerabilities (the "sword") and protection (the "shield"). See you there!

Is an API Portal a Wiki of APIs?

noreply@blogger.com (Mark O'Neill) — Tue, 25 Aug 2015 13:29:00 +0000

Last week I spoke at the Integration Developer News SOA & API Summit on the topic of "How APIs are Driving Digital Transformation". You can still view the recording (as well as the talks by IBM, Oracle, Red Hat, and Neuron ESB) on the SOA & API Summit event page.

One of the questions which came up, from a view at a large system integrator, asked is an API Portal "more of Wiki of all the APIs?". This is one of the questions where the answer is "Yes, and....". So, let me answer it in this blog post.

An API Portal is the place where developers go in order to get all the information they need to use an API. Developers using the API can contribute to the content (usually through a wiki or forum or blog), as can the developers of the API itself. The actual API itself is shown at the API Portal using what is often called "active documentation", where developers can drill into the API definition in a Swagger interface, and perform "Test in place" testing to ensure they are using the API correctly.

To show this in action, here's some screenshots of the Axway API Portal. Of course, when customers deploy the API Portal, it is re-skinned (think "Acme API Portal"), but here is it in its Axway-branded incarnation. In the screenshot below, we see active documentation of a SOAP API (yes! the Axway API Portal can be used for SOAP as well as REST).

Here's a REST API below, shown in the API Portal. Notice the "Try it out!" button at the bottom, to try out the API. You can also see all the information needed to call the API (the model schema on the right):

For those who prefer it, API documentation is also a provided at the API Portal in PDF format, including SDK information and info on how to access the API from Android or iOS:

Finally, many APIs have a monetization model, as explained by this seminal presentation by John Musser. As well as learning how an API is used, it's important that the developer using the API also understands the costs of the API. This monetization is supported by the API Portal as pricing plans. We see some of these shown below.

So, in answer to the question from the SOA & API Summit, an API Portal is more than just a wiki for an API. It includes active documentation, forums and blogs, in-place testing, and monetization info.

Thanks for the question - and keep them coming!

SOA & API Summit online this Thursday - with Axway, IBM, Oracle, Red Hat, Neuron ESB

noreply@blogger.com (Mark O'Neill) — Tue, 18 Aug 2015 13:41:00 +0000

This Thursday, August 20, I'm participating in the SOA & API Summit which is a online event run by Integration Developer News. I'm talking about how APIs are driving digital transformation. I always recommend this event because it mixes a lot of viewpoints, with speakers coming from the new API world, mixed with speakers coming from the older ESB world. It also features a lot of Q&A related to digital themes, driven by Vance McCarthy who always has insightful comments and questions, as well as questions from attendees. You can still register online - hope to see you there!

Identity Bridge - How to use an API Gateway to bridge between X.509 Certificates, SAML, JWT, and OAuth Access Tokens

noreply@blogger.com (Mark O'Neill) — Fri, 14 Aug 2015 11:23:00 +0000

When integrating systems together, identity mediation can be just as vital as protocol mediation. Consider a situation where a user is authenticating with an X.509 certificate. The X.509 certificate could be an iOS certificate stored on an iPhone, or could come from a CAC/PIV card issued to a US Government employee. When the user is accessing a system that requires a SAML Assertion, how can that X.509 certificate be converted to a SAML Assertion?

The answer is an Identity Bridge. This term, originally coined by Mark Diodati who is now a Gartner analyst, is used to describe a service which converts identity tokens between domains, enabling seamless access. An API Gateway such as Axway's is an ideal tool to use as an Identity Bridge, because of the fact that it supports a wide variety of identity tokens.

With my colleague Daniel Wille, I've put together a video which shows the Identity Bridge scenario whereby a user is authenticated via one token type (in this case an X.509 Certificate) and then the API Gateway bridges to other tokens, specifically:

How to convert to an OAuth JWT
How to convert to an OAuth Access Token Token
How to convert to a SAML Assertion (containing attribute statements)

A REST API at the API Gateway is used to do the identity bridging (e.g. requesting an OAuth Token based on the initial X.509 token).

For more information, and to get a copy of the API Gateway to perform your own Identity Bridging, check out the Axway site.

Return of the XML Bomb

noreply@blogger.com (Mark O'Neill) — Wed, 05 Aug 2015 07:51:00 +0000

The XML Bomb is an attack which has a long history, which I've documented back in 2009. Today in 2015 it continues to be a cause of concern. As with many security vulnerabilities, perhaps the evocative name helps. I'm happy to say that our API Gateway blocks the attack, and has done for many years.

So how does the XML Bomb work? It's a clever attack and well worth examining:

Older types of APIs use XML, which can be defined using a Document Type Declaration (DTD). DTDs are an old technology now (actually originating in SGML) and largely superseded by newer technologies (XML Schema, JSON Schema).

The issue is that DTD implementations can be vulnerable to recursion attacks. The SOAP specification states “A SOAP message MUST NOT contain a Document Type Declaration” (http://www.w3.org/TR/SOAP/ Section 3). However, some XML applications process DTDs, and therefore products which protect XML applications must block DTDs.
The following DTD contains a recursively defined entity “&x100;” which would be expanded into the huge amount (2^100) repetitions of the string “hello” by any XML 1.0 standard compliant parser. This would cause excessive memory usage and/or excessive CPU usage:

<!DOCTYPE foobar [
<!ENTITY x0 “hello”>
<!ENTITY x1 “&x0;&x0;”>
<!ENTITY x2 “&x1;&x1;”>
<!ENTITY x3 “&x2;&x2;”>
<!ENTITY x4 “&x3;&x3;”>
...
<!ENTITY x98 “&x97;&x97;”>
<!ENTITY x99 “&x98;&x98;”>
<!ENTITY x100 “&x99;&x99;”>
]>
<foobar>&x100;</foobar>

It's important to ensure that your APIs are not vulnerable to this attack. An API Gateway is a great way to achieve this.

"Beyond the OWASP Top Ten" - watch the session recording by Smartbear and Axway

noreply@blogger.com (Mark O'Neill) — Tue, 04 Aug 2015 06:18:00 +0000

The recording of the "Beyond the OWASP Top Ten" session at API Craft Boston with Smartbear and Axway is up on LiveStream. Fast forward to minute 42 for Lorinda Brandon of Smartbear kicking off proceedings. Mike Giller gives a lot of examples such as the XML Bomb, and other clever attacks on APIs.

We got some great questions also - lots of interest in the topic of API Security.

Axway (Vordel) API Gateway skills required in Raleigh, North Carolina

noreply@blogger.com (Mark O'Neill) — Wed, 01 Jul 2015 13:20:00 +0000

Readers of this blog might be interested in this position in Raleigh, North Carolina, for a Network Security Engineer (API Gateway). Responsibilities include to "Manage and Design highly complex firewall and network environments for security of Fidelity's critical resources and enablement of revenue producing services". API Gateway skills are required, with Vordel (Vordel was acquired by Axway in 2012) specifically mentioned.

Good luck!

API First, beyond "portal first", for Electronic Health Records

noreply@blogger.com (Mark O'Neill) — Tue, 30 Jun 2015 19:42:00 +0000

This week, ProgrammableWeb has a very interesting article by Martin Brennan about how Electronic Health Record (EHR) portals are moving to use APIs. He quotes a Health Data Management story which says that:

"If the proposed Stage 3 Meaningful Use rule is finalized in its current form, application programming interfaces (APIs) could supplant portals as the preferred method adopted by providers to enable patients to “view, download and transmit” their health information."
http://www.itnews.com.au/CXOChallenge/404377,apis-rivets-for-the-composable-enterprise.aspx/0

This can be seen as part of the overall movement to an "API First" orientation. EHR began by being "Portal First". But, as Martin Brennan explains, an API First approach enables more innovation by empowering developers to use the patient data.

Of course, security and privacy are never far from mind in this discussion. Once EHR data is enabled via APIs, it's important to ensure that only authorized clients can see their own data. Sophisticated "dynamic authorization" rules can be applied, such as "only the patient can access their own data, unless they are under 18 in which case their parents or guardians can also access the data". An API Gateway is ideally suited to enforcing these types of dynamic authorization policies.

In APAC for example, the Axway API Gateway technology has been deployed as part of a personally-controlled EHR architecture. This is smart since it allows security to be applied at the API layer. Brant DeBow at Mobile Surge explains the security benefits of "API First" well:

"...focusing on APIs bring additional security benefits. With an API, you are separating different layers of your app. There’s a whole host of security issues that can sneak in when the UI is directly coupled back to core functionality."
http://themobilesurge.com/post/102891669120/why-ctos-need-to-think-about-apis-before-websites

So it is with EHR portals. By focusing on the API, you not only enable innovation, but you also have a point to apply security. I look forward to EHR moving more and more to being truly "API First".

APIs - the weak security link in IoT / Home Automation - How an API Gateway can help

noreply@blogger.com (Mark O'Neill) — Fri, 19 Jun 2015 14:56:00 +0000

ProgrammableWeb recently had a story about how Randy Westergren detected that the API into his home controller system was insecure. As he mentions, the response was "No, there is no authentication, your local network is supposed to be safe environment and protected from outside world using Wi-Fi passwords and firewalls" and a recommendation to use a proxy for security.

So this is obviously a bad thing, right? But wait... From a security point of view, it can often be a good thing to deploy a proxy to enforce security. A proxy, or Gateway, acts as a security enforcement point and means that the developers of the API can focus on building the API itself. The API Gateway is specifically designed for security. Last night at the Boston API Craft meetup, I used this slide which explains the API Gateway pattern (adapting a slide from my colleague Daniel Wille - thanks Dan!):

An API Gateway like Axway's API Gateway implements standards such as OAuth and OpenID Connect. This saves the developers from this trouble. It also implements API threat detection, checking for attacks like SQL Injection or (for older style APIs) XML based attacks like the XML Bomb. An API Gateway also does quota management and API usage throttling, plus orchestration of APIs.

Product APIs

You can think of APIs into home automation systems as an example of "Product APIs". Randy Heffner of Forrester often talks about the important of Product APIs as a class of APIs, which are sometimes overlooked. In his recent report "A Developer’s Guide To Strategies For API Success", Randy says:

"...you must start by understanding the four major categories of APIs: open Web, B2B, internal, and product APIs. The first three of these are commonly discussed in the industry, sometimes using the monikers public, partner, and private APIs. The fourth category, product APIs, is not often discussed, but is critical as an alternate perspective into brainstorming possible APIs and business ecosystems."
https://www.forrester.com/A+Developers+Guide+To+Forresters+Strategies+For+API+Success/fulltext/-/E-res122957

Product APIs can be too fine-grained for external consumption, and indeed they may just "do what they need to do" from a functional standpoint, purposefully leaving security up to a proxy or Gateway. It sounds like this was true in the case of the home automation APIs which Randy Westergren mentions. As well as security, the Gateway provides more value for Product APIs, by orchestrating them into more high-level APIs which are more suitable to high-level consumption.

So next time you hear of a Product API like a home automation API not having security built in, think of how an API Gateway can help.

API Security - protecting yourself from being the next breach - Boston API Craft Meetup

noreply@blogger.com (Mark O'Neill) — Fri, 12 Jun 2015 14:31:00 +0000

Over on ProgrammableWeb, Jennifer Wiggins has written a great round-up of discussion about the Buffer API security breach. Although it happened back in 2013, it continues to be a widely-cited API security issue. As Jennifer mentions, one of the recommendations is to use standards, such as OAuth. Ironically, the implementation of those standards themselves has to be secure.

Another good practice is to take advantage of two essential approaches: (a) API Security Testing to proactively probe for vulnerabilities, and (b) an API Gateway to provide protection.

API Security testing is an emerging category, and it's one which I'd argue is distinct from its cousin, Web Application Security. API Security testing has been a big interest of mine for a long time - I recall presenting about REST security at OWASP back in (yikes) 2005. Fast forward to today, and Smartbear is a vendor which provides API Security testing products (see this great blog post on the topic from them: API Security Testing: Think like a bad guy). This, alongside the fact that they are spread between Boston and Ireland, means they are a vendor after my own heart :). API Security testing complements API Gateways very well, as the yin and yang of security - testing and protection.

Next Thursday, June 18, I'm speaking alongside Mike Giller from Smartbear on the topic of "Beyond the OWASP Top Ten – protecting your API from new threats". It's at the Boston API Craft meetup, at 6.30pm at the Smartbear offices in Somerville. Come along if you're interested in API Security (and in not being the next big API Security publicized breach...)

Linking B2B with APIs

noreply@blogger.com (Mark O'Neill) — Tue, 26 May 2015 22:39:00 +0000

Bill Doerrfeld at Nordic APIs has written today about how APIs are evolving the B2B landscape. This is a particularly interesting article for me, because my personal background is working for an EDI provider, where I linked EDI processes from the private network to the Internet, over 15 years ago. Vordel was founded to allow new Web Services APIs to be used for B2B. Axway, a B2B software company, acquired Vordel in 2012 to link B2B with Web APIs. This caused a domino effect, with other API Management vendors being acquired shortly afterwards. However, none of the acquirers of the other startups had the B2B depth of Axway.

And since the acquisition we have been executing on that plan. In last month's Gartner MQ for Application Services Governance, in which Axway is classed as a "leader", Gartner reports that: “Axway acquired Vordel in November 2012 to mix integration, governance and cloud functions in a B2B infrastructure offering with API management capabilities, and it has been executing that plan since.”

APIs compliment B2B in many ways. In this white paper by Mark Boyd, I list some of them:

Often there are clear interfaces that make sense with APIs: price catalogs, order status lookups and shipment lookups, for example. B2B will require ways to go in and look at these interfaces, so they are good candidates to have available to partners as an API.
http://nordicapis.com/developing-the-api-mindset-private-partner-and-public-apis/

It's very exciting to see the ongoing usage of APIs for B2B, and for Axway to be at the center of this.

Service Control Gateway

noreply@blogger.com (Mark O'Neill) — Tue, 26 May 2015 00:14:00 +0000

I'm back from a week in London, where one of the highlights was Gartner AADI. This year, I had the privilege of presenting alongside Oliver Cronk from Three UK, and our talk was entitled "How APIs are driving Digital Transformation at Three". A key part of that digital transformation is the role of the Service Control Gateway pattern.

In the morning before our talk, Gartner's Anne Thomas explained how the "Service Control Gateway" pattern applies SDA (Software Defined Architecture) to Application Services, creating SDAS (Software-Defined Application Services). Anne's session was full to capacity, indicating the level of interest in this area. In the photo below, we see the role of the Service Control Gateway, in between consumers and application services. On the right of the photo, you can see the capabilities provided by the Service Control Gateway. Coming from an API Management vendor, I could not help noticing that these closely align to an API Gateway.

In our session, Oliver Cronk showed this pattern in action at Three. Here you can see the Service Control Gateway in between consumers (including, for example, ATMs for mobile topups) and underlying infrastructure such as an ESB.

Overall, this was a great conference. The highlight was the recognition of the role of the Service Control Gateway, and it was fantastic to be a part of telling the story of how an innovative organization such as Three UK has been at the forefront of taking advantage of this new pattern.

OpenID Connect (OIDC) on the Axway API Gateway

noreply@blogger.com (Mark O'Neill) — Fri, 22 May 2015 06:22:00 +0000

One of the great features on the latest release of the Axway API Gateway, and our API Management solution in general, is fully support for OpenID Connect (OIDC). OpenID Connect is a new specification which builds on top of OAuth 2.0, and it enables important "Social Login" use cases, among others. The OpenID Connect process follows the OAuth 2.0 three-legged authorization code flow, but with the additional concepts of an ID token and a UserInfo endpoint.

You can see in Policy Studio, there is the ability now to create an OpenID Connect Token, and associate it with claims:

We include prebuilt support for Google's OIDC implmentation, in an example flow documented below. You can see, at the bottom of the flow, that the "user_info" endpoint is called, to get info about the user (e.g. attributes). The "user_info" endpoint is one of the new features which OIDC builds on top of OAuth 2.0 itself:

Here's an example of the output from this user_info endpoint:

{ "kind": "APIManagementOpenIdConnect", "gender": "female", "sub": "sampleuser", "name": "Sample User", "given_name": "Sample", "family_name": "${User}", "picture": "https://URL.TO.IMAGE/", "email": "sampleuser@axway", "email_verified": "true", "locale": "en" }

This is all implemented in prebuilt samples, so you can see it in action in the API Gateway. See below "Use OpenID Connect" to sign in with Google (where Google is the IpD - Identity Provider) or sign in with the Axway API Gateway.

The fact that the Axway solution allows our customersto act as your their IdP is important, since it enables many so-called "Identity as a Service" (IDaaS) use cases. It means you yourself can implement "Sign in with My Company" of your own.

You can get your copy of the API Gateway, part of our API Management solution as a whole, over at www.axway.com

API Workshop tomorrow May 15 at Nordic APIs Seattle

noreply@blogger.com (Mark O'Neill) — Thu, 14 May 2015 14:46:00 +0000

First, that's not a typo. Nordic APIs is indeed in Seattle this year. Perhaps next year we'll see "Pacific Northwest APIs" in Stockholm :-).

The Seattle line-up for Nordic APIs looks great, with Microsoft, APIMetrics, and Splunk speaking [I'm giving a talk about the "API First" approach]. The event kicks off at 11.30am. But, you can warm up for the event at the API Workshop taking place that morning at the same venue (Seattle's South Lake Union Discovery Center). At the API workshop, we get down and dirty with APIs, including:

* Building a mobile app consuming APIs, with REST and API Keys
- What are the security considerations?
* Understanding REST API Security with OAuth and OpenID Connect
- How to secure REST APIs: Where do OAuth 2.0 and API Keys fit in?
* How to enable Single Sign-On with Cloud Identity Providers (IdPs) like Google?
- Mapping Cloud identity to enterprise identity
* Beyond REST: HTML5 WebSockets for API access
- Full duplex streaming of data, for next-generation Web APIs
* SalesForce API Access: Session management, caching, orchestration
* Cloud-to-Ground interoperability in a hybrid world
- How to safely connect Cloud services like Office 365 or Google Apps to your organization
* How to on-board and enable a partner developer community
- API Developer Portal tips and tricks

It's free to register for the API Workshop, and we do provide coffee and giveaways. Come along to get in the API mood for NordicAPIs!

A tale of two electric car smartwatch API strategies

noreply@blogger.com (Mark O'Neill) — Fri, 08 May 2015 14:03:00 +0000

Nikki Gordon-Bloomfield has written a piece in Transport Evolved this week about some third-party smartwatch apps developed using Tesla's unofficial API. These follow on from the original unofficial Tesla Apple Watch app developed by Elek. While it's definitely possible to see merit in "letting a thousand flowers bloom" of unofficial apps, it is understandably worrying for security people to think about car apps calling an unofficial reverse-engineered API.

Another approach is what BMW has done for smartwatch (and smartphone) apps for their BMWi electric cars. These apps make use of the ConnectedDrive API. In this Axway video about the BMWi apps, with our implementation partner IC-Consult, you can learn about how this API makes use of OAuth and other security technologies, through an Axway API Gateway.This ensures security of the API itself, as well as enabling end-users to choose which aspects of the car they want the app to control (mapped via OAuth scopes, as explained in the video).

Here is a still from the video which shows the various apps, including a smartwatch app:

The API Gateway layer applies security, between the apps and the ConnectedDrive infrastruture:

And here's a double-click down on the architecture, showing the smartwatch and smartphone iRemote apps (on the left), with the API Gateway implementing OAuth (in the center), in front of the ConnectedDrive infrastructure (on the right). Click on the image to see the full video, including the OAuth flow (this piece is approx minute 17 onwards):

The era of smartwatch apps connecting to cars is upon us. API security has a key role to play.

May is global API-palooza at Axway - 11 great API-related events in one month

noreply@blogger.com (Mark O'Neill) — Fri, 01 May 2015 16:40:00 +0000

With all of the API-related conferences today, I'm surprised there is not one called API-palooza. Maybe we're all waiting for Perry Farrell to organize it. But, here at Axway, our May schedule is like an API-palooza all of its own: a worldwide tour of API evangelism. Come along to any of the events and you can pick up one of our sought-after "API First" t-shirts, and hear all about API strategy best practices.

Here's the May calendar in full:

May 5: Innovation Forum Philadelphia - with Accenture and Bristol Myers Squibb

First up, next Tuesday, is the Innovation Forum in Philadelphia: a free event organized by Axway where you can hear experts from Accenture and Bristol Myers Squibb share API best practice. I will be speaking about Digital Transformation in the morning. Kevin Kohut from Accenture will be speaking about "API First", while Janette Bubinak and Ron Zhang from Bristol-Myers Squibb will be speaking about self-service API access. We also are running an API Workshop in the afternoon of the event, where we will walk you throught the soup-to-nuts process of creating a mobile app based on open APIs - think of it like a mini-hackathon. Sign-up for free for the Innovation Forum in Philadelphia here, there is still time.

May 6-7: API Days Mediterranea - Barcelona

Fresh from sponsoring API Days Berlin last month, and API Days Sydney back in January, Axway is once again a sponsor of API Days - this time it's API Days Mediterranea in Barcelona.

I recommend catching Axway's Ross Garrett speaking on the Hypermedia track at 10.30am on May 6. Hypermedia talk titles can never be accused of not being obtuse, and Ross's talk title doesn't disappoint: "A Babel fish from the swamp of POX". Here's Ross's talk abstract:

One of the foundational aspects of the Web is the concept that, even if the client (browser) and the server have 'never met’ they should be able to understand each other. They should be able to interact successfully. This was one of key problems Tim Berners-Lee and Robert Cailliau wanted to solve when they proposed hypertext to "link and access information of various kinds as a web of nodes in which the user can browse at will”. Today’s programmable Web has perhaps started to move away from this universal and browsable foundation, and in this session we’ll think about the language of Web APIs and how developers and clients must learn to understand them.

May 11: Nordic APIs Spring Tour - Denmark

This year Nordic APIs is going global. In fact the only spring Nordic APIs event which is actually in the Nordics is the first one: Nordic APIs Denmark, taking place in Copenhagen on May 11.

Axway's Philipp Schöne is speaking at 1pm on "Delivering API First: Is your API a first class citizen?".

Here is the abstract for Philipp's talk:

What does it mean to be “API First”? In this session, we answer that question using case studies where organizations have treated their API as a first-class citizen of their enterprise architecture. By treating their API as a first-class citizen, they avoid the temptation of simply creating ad-hoc APIs simply as “plumbing” for mobile apps. By taking the API First approach, these organizations also design their API security up-front, including the usage of OAuth, API Firewalling, and securely managed API Keys. We also examine the alternatives to API First, such as “Mobile first” development. Using an API First approach, we’ll see how enterprises with legacy applications, complex SOA environments and strict governance structures can embrace the API wave and architect for the future.

http://nordicapis.com/?post_type=sessions&p=3244

May 12: Nordic APIs Spring Tour - Germany

In Munich on May 12, there is another chance to hear Philippe Schöne speak on "Delivering API First: Is your API a first class citizen?", at 1pm. This looks like a fantastic event, with Stefan Weiss from Fidor TecS speaking later that afternoon on "Distripting Banking with an API" - a very hot topic for many Axway API Management customers in the financial services area.

May 12: Innovation Forum Chicago - with Accenture and Dun & Bradstreet

While Philipp is speaking at Nordic APIs Germany, I'm in Chicago speaking at the Innovation Forum Chicago event organized by Axway.

I'll be speaking on digital transformation, and we also have Accenture and Dun & Bradstreet speaking about APIs. Kevin Kohut from Accenture will be speaking on "API First" (can you see an "API First" theme here? :-) ). Dun and Bradstreet will be speaking about their very successful "D&B Direct" API, in a talk entitled "Liberating & Modernizing Data Delivery with API’s: The D&B Direct Story"

Registration for Innovation Forum Chicago is free, and a great opporunity to meet and mingle with some leading API practitioners.

May 13: Nordic APIs Spring Tour - London

The Nordic APIs tour rolls into London on May 13, and once again Philipp Schöne from Axway is speaking, this time at 12.40pm, on "Delivering API First: Is your API a first class citizen?". Catch Philipp, as well as the Axway UK team, there.

May 15: API Workshop, Seattle (co-located with Nordic APIs Seattle)

On the morning of May 15, just before Nordic APIs Seattle kicks off, I'm leading an API Workshop where we cover API security, mobile API usage, WebSockets, and other API-related topics in a hands-on environment. It's at the same location as Nordic APIs Seattle, the South Lake Union Discovery Center, from 8.30am to 11am. Coffee will be provided :-). Sign up is free for this API Workshop (and, indeed, Nordic APIs Seattle is also free - so there is no excuse to not go to both events!)

May 15: Nordic APIs Spring Tour - Seattle

Nordic APIs comes stateside for the first time, sponsored by Axway and Microsoft. I'm speaking at 12.40pm on the topic of (you guessed it!) API First. I'm particularly looking forward to this event, which includes, as well as Microsoft and Axway, APIMetrics, Splunk, and Pearson Media in the lineup. Arrive at 8.30am and you can catch the free API Workshop before the event kicks off at 11am.

May 18-19: Gartner AADI, London - with Three

Axway is again a Platinum Sponsor for Gartner AADI. I'm speaking at the event alongside Oliver Cronk, Enterprise Architect at Three (a large UK mobile telco). Our talk is entitled "How APIs are driving Digital Transformation at Three". We're looking forward to a great session, discussing the "Service Control Gateway" pattern, and how APIs drive new services.

Axway will also have a booth at Gartner AADI London, so come along and say Hi if you're at the event.

May 19: Innovation Forum San Francisco - with Accenture, Dun & Bradstreet, and Roche

The Innovation Forum tour rolls into San Francisco on May 19, and we have some great speakers lined up from Accenture, Dun & Bradstreet, and Roche. Roche are presenting on "Mobile and Cloud Integration to Serve a Global Community". Accenture are presenting on API First strategy, and Dun and Bradstreet are speaking about Data-as-a-Service (DaaS) to liberate data via APIs. This is a great opportunity to meet with some top API practitioners in what is probably the home of APIs - San Francisco. As with all the Innovation Forums, registration is free.

May 20: API Workshop - Sweden

Finally, rounding out the month (and giving time for a week of rest before June!), there is the Axway API Workshop event in Stockholm, Sweden. Like the API Workshop the previous week in Seattle, this is an opportunity to get hands-on with APIs and walk through scenarios like connecting to the SalesForce API, learn about API Keys and OAuth, and about APIs in general.

---

And that wraps up the API-palooza that is May! Come along to any of the events, and grab your API First shirt :-)

Catch Philipp Schöne at API Days / APIStrat Berlin this Friday

noreply@blogger.com (Mark O'Neill) — Mon, 20 Apr 2015 20:40:00 +0000

Unfortunately I won't be at API Days / APIStrat Berlin 2015 later this week. But if you're there, check out my colleague Philipp Schöne's talk on the "APIs, Data & Intelligence" track. Details are:

LOCATION: Room: Caroline & Wilhelm v. Humboldt
DATE: April 24, 2015
TIME: 10:50 am - 12:30 pm

I know Philipp has a great presentation lined up, and the format of the event ensures a lot of great discussion. Sad to miss it (and to miss the opportunity for some great German beer afterwards too!)

Accenture and Bristol Myers Squibb speaking about APIs at Axway Innovation Forum - Philadelphia May 5

noreply@blogger.com (Mark O'Neill) — Mon, 20 Apr 2015 20:27:00 +0000

On May 5 in Philadephia, Axway is running an "Innovation Forum" focusing on integration technologies including APIs. It's a free event which you can sign up for online, and we've some great speakers lined up. I'll be down in Philly for the event, and I'm really looking forward to it.

So what is an Innovation Forum? It's a way to get practitioners together to share best practices, network, and discuss the latest technologies. Expect to hear much discussion on microservices, on the latest API security breaches (and how to avoid them), and on Internet of Things.

On the API front, we have some great speakers lined up:

Bristol Myers Squibb:

Janette Bubinak and Ron Zhang of Bristol Myers Squibb (BMS) will be speaking on "API Management: Bridging to the Business". BMS have done some very innovative things around API management, especially relating to enabling self-service for business users, so I highly recommend this session.

Accenture:

Anyone who has seen Accenture's Kevin Kohut speak about "API First" knows that he is the leading expert in the field. And I really mean "in the field", because Kevin has assisted organizations as far away as Australia in architecting and deploying their APIs. We're very privileged in having Kevin speak at the Innovation Forum in Philadelphia, and I'm very much looking forward to his session.

Sign-up is free - see you there!

The API First Manifesto

noreply@blogger.com (Mark O'Neill) — Mon, 13 Apr 2015 18:11:00 +0000

With the UK elections coming up, and the US 2016 election gaining momentum, manifestos are in the news. In the API world, we also see the API First approach similarly gathering momentum. I recently had a good discussion with Alex Sword of CBR about what "API First" means. It's part of a larger article about security and devices. Here are the three recommendations I picked out in the article about API First:

1. Treat your API like a first-class citizen of your architecture
This is something which Accenture's Kevin Kohut has spoken about at Axway's API Workshop events and at our US Connections customer event. Kevin recommended treating an API like a product, with a name, a roadmap, and a designated product manager. Having someone whose responsibility it is to manage the API is important, because it reduces the risks that the API will be changed in a way which breaks existing client usage.

2. Build the API first, not as an afterthought as part of a mobile app project
API First means literally building the API first. All too often, ad hoc APIs are built just to get data to and from a mobile app, which is built first ("mobile first"). These ad hoc APIs can multiply and become a nightmare to manage. If you built the API first, and manage it as a product (see Recommendation 1 above), then when your mobile app developers need to access data then they can be directed to use the API.

3. Don't tie your API only to mobile
Another way API First is different from "mobile first" is that when you design your API first, you can design it in a client-neutral manner. This means that it's not only for mobile clients. APIs have traditionally been associated with mobile, but now we're seeing other types of clients, such sensors and wearable devices, come to the fore. By all means, you can design "Experience APIs" in front of the core API layer, to tailor the API UX to specific types of clients (e.g. adding pagination for mobile clients). But, the underlying API is designed first: another example of "API First".

Check out the whole article here:
http://www.cbronline.com/news/cybersecurity/physical/device-makers-put-your-faith-in-architecture-4528932

And contact Axway if you'd like an API First shirt :-)

Top 10 API Security Considerations - Gunnar Peterson White Paper now available

noreply@blogger.com (Mark O'Neill) — Mon, 06 Apr 2015 12:56:00 +0000

Last year I co-presented a webinar with Gunnar Peterson on the Top Ten API Security Considerations (you can view the API Security webinar recording here). Gunnar has now written a follow-up API Security White Paper which you can now download from the Axway website.

Gunnar has written a blog post about the API Security White Paper in which he notes "I see a lot of people rolling out APIs without a ton of thought given to the security fundamentals", and I agree. He explains that: "This paper is designed to help you build a model that works to protect your APIs." Click the image below to get the White Paper (short registration required):