Friday, December 19, 2008

Viewing XML Gateway traffic in Real-Time

From the Tips-and-Tricks Department:

You might already know that you can view XML messages traveling through the Vordel XML Gateway in real-time using the Adobe Flash-based Real-time Monitoring facility of the XML Gateway:

But did you know that you can also point the Vordel Monitoring Console at the XML Gateway in order to view XML message content in real-time? To enable this, first enable "Logging to remote console":

Then run the Monitoring Console (from /win32/bin/vordelmonitorconsole under Windows, /posix/bin/vordelmonitorconsole under Linux and Solaris). Choose "Socket Connect" and connect it to the XML Gateway, entering the credentials to authenticate to the XML Gateway. You'll then see the XML traffic in real-time.

Note that the Monitoring Console can also be used as a log viewer, by opening up the logs which are written by the XML Gateway. If you want to view historical trends in service usage, plus information about which clients are using which services, then VordelReporter is the tool for that job.

Wednesday, December 10, 2008

Automotive supply chain management

Some good news from the auto industry:

Vordel XML Gateway is being used to secure and manage the exchange of business sensitive information across the Mazda dealer network. Mazda Australia sought to improve the integration of its B2B communication channels, predominantly with its dealers, but also various business partners. The key objective was to improve overall business process efficiency at the regional dealerships and head office via accelerated data exchanges relating to vehicle sales; reservations; model and pricing information to ensure that Mazda's and the dealers' systems are always complete and up to date. It also planned to aggregate data from multiple systems within Mazda and provide a single interface to detailed information on the most up to date vehicle warranty, service and customer information.

Tim Ballingall, National Information Systems Manager, Mazda Australia said "Following a comprehensive review of the market offerings, we selected Vordel's XML Gateway solution as providing the optimum levels of deployment flexibility combined with the most mature product set on the market to address our requirements. Throughout the pre and post-sales implementation process, the experienced Vordel team has proved to be very attentive and appreciative of our requirements, making the entire SOA experience relatively pain free.
We have found Vordel's products to be second to none in their abilities to deliver on our requirements and they have become an integral part of the Mazda Australia architecture."

Tuesday, December 9, 2008

XML in Practice 2008

I'm at XML in Practice in Washington DC yesterday and today. Today I'm chairing a number of sessions, including "SOA for the Intelligence Community" which looks very interesting.

"XML in Practice" used to be the "XML 200X" conference, but this year the name change reflects the fact that it is more focused on real-life case studies.

Tuesday, December 2, 2008

An onramp to the Cloud

It is clear that organizations wish to use Cloud Computing. The reasons include saving money, deploying new services quickly, and, of course, the desire to take advantage of the latest technology trend.

What is less clear is how an organization can connect its internal systems up to a Cloud-based infrastructure in a secure, managed manner. If an organization connects its internal applications up to Cloud-based services, there is the danger that private information leaves its network and travels up to the service provider. Additionally, any network outages between the internal application and the Cloud result in latency for the user, and potential lost data.

Therefore, there is a place for application gateways to act as "onramps" from the local network up to the Cloud. They can scan data sent up to the Cloud for private information which should not be leaving the local network. And, by caching data and by hosting local functionality, they also mitigate against network outages which can negate the value of using the Cloud within an application infrastructure.

Monday, December 1, 2008

How to configure XKMS in an XML Gateway policy

XKMS (XML Key Management Services) provides a way to perform certificate validation using Web Services standards such as SOAP and XML. It gets around the problem that OCSP is often not used. For example, it is an interesting fact that many browsers support OCSP and CRLs, but do not actually enable them, because they may add latency to page loads. XKMS could be an answer for that problem. However, it has to be said that XKMS never really took off. The difficulties around certificate management continue to be about issuing and managing the certificates themselves, not the protocols to validate them.

Here we see a sample policy before we add XKMS. You can see that the policy, configured in Policy Studio, is performing WS-Security X.509 Authentication and then is running a shortcut to a sub-policy (think of it like a subroutine) to examine the incoming XML for threats. Then, it is performing dynamic routing.

We now drag in an XKMS filter, so that we will validate the client's certificate after we perform WS-Security X.509 Certificate Authentication. This is dragged from the Certificate "drawer" on the right of Policy Studio, and dragged into the policy canvas itself.

It is important that the XKMS responder does not become a bottleneck for the whole policy. To that end, we set up a group of XKMS responders which will be cycled through. If one is down, the other will be used. If both are down, a "Fatal" condition is raised which can then be managed at the policy level. This is an important technique to use for any identity management connector.

Next we see the XKMS filter added to the policy. Notice that we've also dropped in an alert filter, and we raise an alert if the client's certificate fails XKMS validation. We also promptly block the message in that situation. You could also customize a message back to the client in the event of XKMS validation failing (such as "Please check your certificate validity").
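The responder group and the alert-and-block step described above can be sketched as follows. This is an added example, not Vordel's code or configuration; the class names, the stub responders and the "routed"/"blocked"/"fatal" labels are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    VALID = "valid"      # a responder answered: certificate is good
    INVALID = "invalid"  # a responder answered: certificate is not valid
    FATAL = "fatal"      # no responder in the group could be reached

class ResponderDown(Exception):
    """Raised by a stub responder to simulate a connection failure."""

class StubResponder:
    """Constructed stand-in for one XKMS responder (no network access)."""
    def __init__(self, name, revoked):
        self.name, self.revoked, self.up, self.hits = name, revoked, True, 0

    def __call__(self, cert_subject):
        if not self.up:
            raise ResponderDown(self.name)
        self.hits += 1
        return cert_subject not in self.revoked

class ResponderGroup:
    def __init__(self, responders):
        self.responders = list(responders)
        self.next_index = 0  # round-robin cursor

    def validate(self, cert_subject):
        n = len(self.responders)
        for attempt in range(n):
            idx = (self.next_index + attempt) % n
            try:
                ok = self.responders[idx](cert_subject)
            except ResponderDown:
                continue  # this member is down, try the next one
            self.next_index = (idx + 1) % n  # cycle through the group
            return Outcome.VALID if ok else Outcome.INVALID
        # Fail closed: an unreachable group is never treated as "valid".
        return Outcome.FATAL

def run_policy(group, cert_subject, alerts):
    """XKMS step of the policy: alert and block on failure, else route."""
    outcome = group.validate(cert_subject)
    if outcome is Outcome.INVALID:
        alerts.append(f"XKMS validation failed for {cert_subject}")
        return "blocked"
    if outcome is Outcome.FATAL:
        return "fatal"  # left to the policy's own fatal-condition handling
    return "routed"
```

Keeping "certificate invalid" and "no responder reachable" as separate outcomes lets the policy alert on the first and handle the second as an availability problem, without ever passing a message whose certificate was not checked.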

XML Gateway performing double-duty as an XKMS responder

Notice how Policy Studio's certificate "drawer" also contains filters which implement OCSP, CRLs, and other certificate trust checks. It is easy to imagine how you can create an actual XKMS responder using the XML Gateway. In that case, the XML Gateway would receive the XKMS SOAP message, and then would validate the certificate using "traditional" non-XKMS methods, and then return an XKMS response. In that case, the XML Gateway is the XKMS responder. That cuts out the requirement for a separate XKMS responder as part of the architecture, since it's something which the XML Gateway can perform.
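The message flow of such a responder, as an added example that is not the XML Gateway's own implementation: it takes an XKMS 2.0 ValidateRequest, checks the certificate with a local method, and returns a ValidateResult. The SOAP envelope is omitted, and the SHA-256 fingerprint deny-list standing in for the CRL/OCSP filters, the identifiers and the service URL are all assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"   # XKMS 2.0 namespace
DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace
NS = {"x": XKMS, "ds": DS}
CERT_PATH = "x:QueryKeyBinding/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def handle_validate_request(request_xml, revoked_fingerprints):
    """Answer a ValidateRequest using a local (non-XKMS) revocation check."""
    # Untrusted input: production code should use a hardened XML parser.
    req = ET.fromstring(request_xml)
    if req.tag != f"{{{XKMS}}}ValidateRequest":
        raise ValueError("not an XKMS ValidateRequest")
    result = ET.Element(f"{{{XKMS}}}ValidateResult", {
        "Id": "result-1",                   # constructed identifier
        "RequestId": req.get("Id", ""),     # ties the answer to the request
        "Service": req.get("Service", ""),
    })
    cert_b64 = req.findtext(CERT_PATH, namespaces=NS)
    try:
        der = base64.b64decode("".join((cert_b64 or "").split()), validate=True)
    except ValueError:
        der = b""
    if not der:
        result.set("ResultMajor", XKMS + "Sender")  # request was malformed
        return ET.tostring(result, encoding="unicode")
    # Assumed stand-in for the CRL/OCSP filters: fingerprint deny-list.
    revoked = hashlib.sha256(der).hexdigest() in revoked_fingerprints
    result.set("ResultMajor", XKMS + "Success")
    binding = ET.SubElement(result, f"{{{XKMS}}}KeyBinding", {"Id": "kb-1"})
    ET.SubElement(binding, f"{{{XKMS}}}Status",
                  {"StatusValue": XKMS + ("Invalid" if revoked else "Valid")})
    return ET.tostring(result, encoding="unicode")

def build_request(der, request_id="req-1"):
    """Constructed sample ValidateRequest carrying one certificate."""
    b64 = base64.b64encode(der).decode()
    return (f'<ValidateRequest xmlns="{XKMS}" xmlns:ds="{DS}" Id="{request_id}" '
            f'Service="http://gateway.example/xkms"><QueryKeyBinding><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></QueryKeyBinding></ValidateRequest>')

def status_of(result_xml):
    """Return (ResultMajor, StatusValue) local names from a ValidateResult."""
    res = ET.fromstring(result_xml)
    status = res.find("x:KeyBinding/x:Status", NS)
    value = status.get("StatusValue").split("#")[1] if status is not None else None
    return res.get("ResultMajor").split("#")[1], value
```

A revoked certificate still yields a `Success` ResultMajor, because the request itself was processed; the verdict is carried in the `StatusValue` of the returned KeyBinding.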

CA World Presentation now live

My talk on "Secure SOA - Challenges and Opportunities", at CA World in Las Vegas last week, is now live. It can be downloaded from here:

The session discussed how control can be applied to SOA and Web Services.

[ Vordel is CA's OEM partner for the delivery of the SOA Security Gateway as part of CA SOA Security Manager ]