Stop press, WS-Security works!
by CBDi Forum
Despite two years of talk, the technology required for enterprise-scale Web services is only now falling into place, and much of it still only runs in PowerPoint. Top of the priority list is security.
SSL and Web-server-enforced security are generally not considered sufficient when deploying mission-critical Web services on the Internet. To address this, IBM and Microsoft delivered the WS-Security specification and have recently made implementations of it available. Microsoft commissioned us as an independent third party to demonstrate how they can talk to each other. With alpha product from IBM and early product from Microsoft, we set about getting the new SOAP signing and encryption implementations to interoperate.
By using signed messages, in our case using X509 certificates, the applications at both ends of the conversation can have confidence that the sender is authentic and the message has not been tampered with. Encryption can also be used to ensure that the conversation is private. Signing and encryption using X509, compliant with the WS-Security specification, are implemented in Microsoft's WSE (Web Services Enhancements) release and in the WSTK (Web Services Toolkit) released on IBM's AlphaWorks. So we set about seeing just how easy it would be to get the new software releases to talk to each other.
Not being familiar with IBM's WSTK, we found that there was a significant learning curve to get through just to install it and get the demos to run. WSTK is a module that adds itself to a Java Servlet server such as Apache Tomcat or IBM WebSphere. We struggled with the Tomcat option and gave up. With the IBM WebSphere toolkit we had more luck and, apart from a glitch with a security 'class not found' error which plagued two completely independent installations, one on a virgin XP machine, we were up and running. It must be remembered that AlphaWorks releases are not production product, more an evaluation demo. This means that sometimes the important parts are black box and/or undocumented. For example, the X509 signing and verification code is supplied as a .jar file, which means you can't poke about inside the code, and the handlers are set up using undocumented XML configuration files. The good news, however, is that they can be inserted into the SOAP handling chain for any service, so in principle IBM has shipped a really useful capability - if the license would only allow you to use it in production!
If our challenge with the IBM WSTK was that we had to reverse engineer the way the handlers are configured, our grumble with Microsoft is that you have to write it all in code. The good news is that in comparison to the WSTK it is easy to do and well documented.
In the dying days of 2002 we demonstrated the results to an audience of Microsoft partners and customers. There was one small snag - it didn't work. So while we could show exactly how it should work, we faced the challenge of all demonstrators - we didn't get the round of applause, or at least not for the successful completion of the demo. Of course everyone said that the exercise was incredibly useful and instructive, and of course it's going to work soon!
Stop press -- it's now working!
To cut a long story short, we have since got the demonstration working. We are now older and wiser, and thanks to lots of help from the developers at both software giants we can, as of today, demonstrate a .NET form signing a SOAP request and then getting a response back from IBM's Web service with the signed answer. We understand that neither IBM nor Microsoft has yet completed this interoperability exercise, and that our demonstration looks like a world first!
The WS-Security SOAP enhancement is just one aspect of interoperability, but we believe it to be the really important one for serious Web services implementation. If you would like to know more, and to benefit from our experience with these toolkits and WS-Security implementations, we have a workshop for architects and lead developers where we will do our best to flatten your learning curve.
CBDi WS-Security Interop Workshop
The WS-Security Interop Workshop is an opportunity to gain a deeper understanding of the extended SOAP stack and to walk through the various Microsoft and IBM releases that support the new WS-Security specification. The day starts with a session where we build a development environment, examine the tools and get the basic interoperation working. From there we look at the signing and encryption offered by IBM and Microsoft and build a .NET client to access the secured services on the WebSphere server. The day is a mixture of practical work, presentations and discussion.
09:30 Building the environment
11:30 SOAP Standards
13:15 WS-Security Workshop
15:00 Web services Architecture
For more information contact:
Phone: +353 28 38071 or 73
Related report from CBDi
Platform vendors move in on Web services management
At CBDi we have discussed the extended SOAP stack in depth and reviewed many products that build on the foundation of SOAP and WSDL to provide security and management capabilities. In many of our reports we have hinted that the direction for the main players such as IBM, Sun and BEA will be to build the extra layers of functionality needed for enterprise Web services into application servers. In the case of Microsoft the 'application server' is woven into the fabric of XP and .NET. The last months have seen the release of previews for the extended SOAP stack from IBM and Microsoft, called WSTK and WSE respectively. As they are partly based on agreed protocols, we might expect them to be boringly similar. However, the kits are notable for their differences in content, philosophy and target audience; we will start with the simpler, Microsoft, then try to scratch the surface of the IBM offering, and finally make some inspired guesses as to where the technology in these toolkits is going.
Copyright CBDi Forum Limited 2002. The CBDi Forum is an analysis firm and think tank, providing insight on component and web service technologies, processes and practices for the software industry and its customers.