2010/12/29

Oracle SOA Foundation Practioner exam

The Oracle Middleware Fusion 11g stack has a certification path for SOA:
1Z0-451 Oracle SOA Foundation Practitioner.
When you pass this exam you may call yourself: Oracle Service Oriented Architecture Infrastructure Implementation Certified Expert.

Today I passed the exam with 81% but I must say the questions were pretty detailed.
So you really must have practical experience with the Oracle SOA Suite 11g, but this is a good thing because that is where Certification is for.

Suggested preparation:
* Follow a SOA Suite 11g Bootcamp (or follow the book: Getting Started with Oracle SOA Suite 11gR1)
* Play with the product at home
* Follow the recommended learning path as mentioned here (for this you must be a registered Partner)

The questions are of high level and detailed level, with Choose Applicable, True/False, and Select Correct type of questions.

A CIBER colleague of mine also passed this exam: Michel Christianen

2010/11/28

Do not use generated database webservices in Cordys

Introduction

Cordys BOP4 has the great option (just like all other respected EAI tool) to generate webservices on top of your databases.
In fact you can even generate a GUI on top of it, so that you can adapt data within your database through a GUI.
Sounds great or not !?

Watch out, because there can be a catch and this all has to do with a good SOA design!

Using webservices

In a project I work in, there has been decided to use generated webservices within the BPM processes.
This can easily be done by generating the MetaData of the database and then generate webservices for it, or even customized webservices by
using you own SQL statements.
This all works fine, but ..
1) You have to catch exceptions within all the BPM processes that use these webservices
2) The data within the databases can change (types, extra data elements, data elements removed, partitioning of data, primary key changes)
3) This will impact all the BPM processes that use these generated webservices

Define Data Services

The advise I want to give is to encapsulate the generated database webservices in Data Services (sub processes).
This way:
* Define the interface of the Data Service within a WSDL and use Contract By Design
* Call the generated database webservices within the Data Service
* Handle all technical errors within the Data Service, or expose when needed
* Use this Data Service within the other BPM processes

This way the changes of the database are encapsulated within the Data Service.

Conclusion

By using Service Oriented Principles within the Cordys BOP4 product it will increase the maintainability and usability.

Principles:
* Abstraction (by using Contract By Design pattern and Data Service)
* Loose Coupling (by adding just an extra layer on top of your generated database services, so that database changes can be handled better)

So actually use the generate webservices feature of Cordys !
But use it with care and keep the SOA principles in mind!

2010/10/28

Cordys: Sharing Message Maps

Cordys has a handy feature and that is of sharing Message Maps. A main process can share its message map with child processes.

The way to do this:

1) Select the sub process within your main process and select Properties


2) Check the Share Message Map


The Message Map is automatically copied to the subprocess. However sometimes this is not the case and the easiest way to do this is to copy
the message.

3) Goto the Mesage Map of the main process and select a Message and right click Show XML


4) Copy the XML
5) Goto subprocess and select Paste XML as Element

This feature is handy when you want to use a generic Message within your process

2010/10/22

Exception handling in Cordys BPM

A couple of days ago I was discussing the handling of all kinds of errors within your BPM.
In this case within the Cordys BOP4 product.
To handle technical errors (like a webservice can not be reached due to system crash) and functional errors the "normal" BPM flow gets blurred with all these exceptions.

We discussed ways to handle this:
1) Using different Views on your BPM (this is not (yet?) a feature in Cordys), so viewing your BPM with/without error handling)
2) Using different colors in your BPM
3) Using Embedded Subprocess


 
Example of option 2




Example of option 3

2010/10/21

Cordys BOP External Services Configurator

Introduction

For external webservices within the UDDI connector you have the possibility to configure the endpoints of the webservice.
This way in each environment (Development, Test, Acceptance, Production) you have a way to configure the endpoint differently.
You can use the External Service Configuration. However when I did this i ran into a problem.

Import WSDL

To use an external webservice you can import the WSDL.
  • Goto Workspace Folder where you want to create the webservice (probably a Web Services Folder somewhere).
  • Right-click New > Other > Web Service
  • Select Import WSDL as the source, give it a name and description
  • Next you have to give up the URL where the WSDL is located
    Note: This can be ackward but for the moment not the issue i got

Give logical endpoint to the service

When you look at the properties of the imported webservice by double click on it you will see:




I advise to change the <serviceuri> into a more logical endpoint name instead of the one filled in after importing the WSDL.
This way you will be aware that the correct endpoint still has to be filled in within the External Services Configuration tool.

  • Goto External Services Configuration
  • There you will see the logical service uri and the physical endpoint

Problem when test webservice

However when i tested the webservice I got the following error:


So it appears that the logical endpoint is taken instead of the Service URL as defined within the External Services Configuration.

Solution

When you restart the UDDI connector it takes the correct endpoint.

Conclusions

  • Use logical names within the webservice properties
  • Define the real endpoint with External Services Configuration
  • Restart UDDI connector when the endpoint is changed

2010/10/12

What to put in BPM?

Introduction

When implementing a BPM or using a BPM tool I see a lot of functionality that (in my opinion) does not belong into that layer, but within a SOA Service.
But are there some general rules or guidelines that you use to decide what to put in BPM and what to put in a Service?
This blog item is a first try.

Put in a Service

This is a list of items/functionality that I would put in a Service:
  • Static calculations not dependant on business data (example: Fahrenheit to Celcius calculations)
  • High performance / complex calculations on data (example: complex calculations over series of data)
  • Technical orchestrations (example: Getting data out of several different databases)
  • Sending messages (in a particular format) to another department or even another organization (B2B)
    (example: ebXML messages, HL7 messages)
  • Adapters (example: database-, file-, mailadapters)
    These are always implementation specific in most cases and the implementation should be abstracted with a service.
    However in most cases you will see these adapters used within the BPM tools.

Put in a BPM

This is a list items/functionality that I would put in a BPM:

  • A step in a business process implemented in a Service operation or sub process.
  • Scheduled triggers to execute a business process (example: every day execute a particular business process)
    You can put the schedule in a business rule to make it flexible
  • Steps / Activities that mean something to the business
    Remark: Discuss in depth because even business people dive into technical details.

You are invited to increase the list !

Conclusion

I think there will remain discussions where to put which functionality. With the BPM tools nowadays you can use integration software that you do not want in the BPM layer, like
a database adapter or file adapter. This should be put in a Service and abstracted. However time-to-market and ease of implementation is often a (maybe valid) argument to
do it like this. But hope you take a step back and think about it when you use a BPM tool because also with this tool you can make spaghetti !
And last but not least: Do not use a BPM tool as just another visual programming tool

2010/10/03

SOASchool: Module3

Friday I had my 3rd exam SOA Design & Architecture.
In this exam you also get 50 questions and you need to have 80% right.
This exam is about understanding the 8 principles of Service Orientation.
It has strong resemblance with the first module, but this exam was more detailed.

Up to module 8 of my SOA Architect Certification.

2010/09/27

Service Orientation: Exception handling pattern

Introduction

I am a great fan of the service orientation principles described by Thomas Erl: http://www.soaprinciples.com/
And also of its patterns: http://www.soapatterns.org/
This will not be a sucking up story about Thomas, but the need for a pattern on error handling.

Layering

One of the patterns is that of Service Layering, in which the Services can be categorized in the following layers:


The Utility Service Layer consists of Services that are of agnostic functional nature and are not functional related to a business entity or business process.
The Entity Service Layer contains Services that are related to business entities and are usually also agnostic.
The Task Service Layer is more related to Services that are specific to a particular task or process.
Usually you also have a Orchestrated Task Service layer contains Services that orchestrates Services to fulfill a business process.

My question is how to deal with errors in the separate layers?

Error Types

Let me first describe the type of errors we can have:
  • Technical Errors
    Those are errors of technical nature, like database can not be reached, wrong message format. Mostly internal service errors that occur.
  • Capability Errors
    Those are the errors due to the fact that a capability of a service can not be executed. These errors are more of a functional nature.
  • Business Process Errors
    Those are errors that occur within the logic of a business process.

The next item you have to think about, is which errors you want to expose.

Expose errors?

The first option that comes to mind is that all errors remain internal, using the Abstraction Principle.
However if you think deeper then:
  • Technical errors may kick off other processes that will deal with service errors, by sending mails to maintenance for example. Then technical errors are part of the service contract.
  • A composite controller may handle a capability error by trying it again or using an alternative path.
    A service does (generally) does not know in which activity it participates, so the service can not decide what to do when something happens. Then the error is also part of the service contract.

How to expose errors?

When you decided to expose errors then you have to think about how to expose the errors.
When looking at webservice services you have several options:
  1. Return an error within the output message
  2. Generate a soap fault
  3. Generate a business event that something happend
I am more in favorite of the last two, because the first option always blurs your goodweather logic and this way the maintenance of your code can be more complex.

Conclusion

Hope this gives you some stuff to think about when designing your service contract.
Other suggestions are welcome !

2010/09/20

Cordys: Connectors open source

Taken from Cordys Wiki:


Cordys has always had two types of connectors. The first group of connectors are developed and supported by the Cordys platform engineers. Examples include the E-mail and the FTP connector. The second group of the connectors are developed and supported by the former Cordys professional services group (a.k.a. COE). Examples include the JMS connector and Command Connector.

Some time ago the professional services group moved to CSC, leaving the status of the professional services connectors a bit unclear. People were still maintaining professional services connectors, but it became more difficult because they needed to focus on CSC projects. Not on maintaining the connectors.


Another development is the creation of alternatives for platform connectors. The development of platform alternative takes a lot of time and blocks the possibility of including the enhancements into the product since they were on a different code base. So Cordys had to revise its strategy. One particular idea that kept showing up, both within as outside of Cordys: make the platform and professional services connectors open source. External developers will then be able to customize and enhance a connector instead of rebuilding it from scratch and Cordys will have the option to include a snapshot of the open source connector into the platform. Connectors shipped with Cordys will have support, which makes the customers happy.

The last two weeks this idea was validated with customers, partners and colleagues. All parties were positive about the overall idea. Thus Cordys decided to go forward with it.

The next step is creating a concrete proposal which includes details like timing, a definition of what Cordys support means, the location sources and a list of connectors to start with. 


This is a good idea and will hopefully increase the number of connectors and also the quality. Looking forward to it.



2010/09/16

Cordial 2010

Introduction

The 14th and 15th September I visited the Cordial 2010 event with 5 of my CIBER colleagues. This is a small overview of the event and my findings.

Overview

The subtitle of the event was Accelerate Time To Value.
The whole message of the event was that the Cordys offerings will shorten your time to value, a promise of all BPM vendors, but I think Cordys can actually achieve it.

The majority of the presentations were about Cloud computing, so the terms IaaS, SaaS, PaaS and  BPaaS were mentioned a lot.
Cordys also has launched a new product in 2009 called Cordys Process Factory (CPF).
This new product was built on top of BOP4 and will nicely integrate with BOP4. The product is meant to build dynamic MashUps in the Cloud with little effort.
It abstracts the more complex features of BOP4, to make it simple to use. Cordys now can offer services on premise, in the cloud and both.
 


Per Jonsson was presenting on his first month as the new CEO of Cordys. Quiet, calm, smart Scandinavian gentleman, something different as oppose to the more energetic Jan Baan.
Jan Baan launched his book on BPM.
Theodoor van Donge, the CTO of Cordys, gave us a nice preview of the most important new features in Cordys FP1.

Product Update

Cordys Process Factory

  • New: MashApps on Mobile
  • New: Connection On-Premise
  • SSO
  • SAML2.0 to access On-Premise services
  • OAuth to access Cloud services

BOP4

  • Multi Browser support in CWS (Chrome, Safari, IE, Firefox)
  • Improved Internationalization
  • Context based help in modeling (showing the next possible steps possible)
  • BAM further aligned
  • Advanced task management features to handle a case
  • MDM modeller included in BOP4
  • Change tracking of Models
  • KPI in Processes in Activities
  • Less navigation needed during modelling

Cloud Provisioning

The Cordys Business Operations Platform complements the Business Operations Platform with automated provisioning and metering of applications for the Cloud.
  • New: Admins can maintain environments of customers and their applications offerings
  • New: External application can be partitioned over different clusters
  • New: Multi Browser support

Collaborative Engineering



Strategic Update

The mission of Cordys was mentioned by Hans de Visser (CMO):
We help our customers to improve their business operations with world-class, process oriented software which allows them to change and innovate the way they do business with greater speed and flexibility.

So What's Cordys?
  1. Cordys is one single platform
  2. Two propositions: 1-Business Operating Platform 2-Cordys Process Factory
  3. Three domains: 1-Integration 2-BPM 3-Composite Application Development
  4. Cloud
  5. Focus on vertical markets: Communications & Media, Banking, Financial Services & Insurance, Energy & Utilities, Manufacturing & Logistics, Government

Produkt Oriented --> Marketing Oriented
Development of the platform but implementations are done by Partners (like CIBER).

Multiple Deployment Models
On-Premise (BOP4)
Cloud (CPF)
Hybrid (BOP4/CPF)

Social Contextual Collaboration
Integration with Google Wave to collaborate
Integration with other social network tools (Facebook, Twitter, ..)

Certification

It is now possible to certify yourself in Cordys. First you need Fundamentals and then you have the option to specialize in BPMS Developer, UI Developer and Backend Developer.
In case you have all, you can name yourself Solution/Product architect.

Conclusion

Not all presentations were useful, but the time of the parallel sessions was also very limited (only 30 min for a presentation). This makes it difficult to tell the story.
Hopefully next year these sessions take more time.

I am very excited on the number of people that visited the event and met a lot of interesting people.
I am curious to see if the Process Factory product will gain momentum and I can't wait to use it for customers.
For the moment a SOA and use of BPM is already a big step for most customers, but BOP4 is a very good solution.
Its now time for Cordys to harvest after almost 10 years of development.



More can be read on http://cordial.cordys.com

2010/09/10

Cordys BOP4 and SSL be aware

Introduction

In one of my previous Blog item about Cordys BOP4, I described how Apache WebServer and Cordys BOP must be configured for using secure two-way-SSL.
I discovered some behavior of this set-up which i want to share in this blog.


Behavior

When you configure two-way-SSL in Apache Webserver, the client certificate is used by the Apache WebServer to check whether this client may access the WebServer.
However this certificate is also used by Cordys BOP4 for the identification of the User within BOP4.
For this you have to configure a User that has the client certificate attached to it.

* Goto User Manager > Users Roles
* Select a User, Right click Edit
* Select as Authentication Type: Certificate
* Click Use Certificate and import the public certificate of the client (X.501 compliant)


When you sent a soap message to the platform you must NOT use wsse:Security tags in the soap header anymore
  

      
         
            Roger
            Password
         
      
   

When you do this you will get the following error:

   
   
   
      
         ns0:Client
         Not a valid user.
         
            
               
                  Cordys.ESBServer.Messages.invalidUser
               
            
            com.eibus.security.identity.InvalidIdentityException: Failed to determine identity: Could not determine identity, found multiple identities in the SOAP message
    at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:80)
    at com.eibus.soap.Processor._determineIdentity(Processor.java:1608)
    at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:312)
    at com.eibus.soap.SOAPTransaction.<init>(SOAPTransaction.java:175)
    at com.eibus.soap.Processor.onReceive(Processor.java:956)
    at com.eibus.soap.Processor.onReceive(Processor.java:929)
    at com.eibus.connector.nom.Connector.onReceive(Connector.java:417)
    at com.eibus.transport.Middleware$NonTransactionalWorkerThreadBody.run(Middleware.java:1722)
    at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:64)
Caused by: com.eibus.security.identity.IdentityCreationException: Could not determine identity, found multiple identities in the SOAP message
    at com.eibus.security.identity.UserIdentityFactory.determineIdentity(UserIdentityFactory.java:66)
    ... 8 more
         
      
   


Conclusion

A client certificate with two-way-SSL is also used by Cordys for identifying the logical User within BOP4.
This means that if you want a client server to have several different users, with different roles, use Cordys, the server must also have different client certificates.

I would expect that the client certificate was only used for server authentication and that the WS-Security tags were used to authenticate the logical user.

2010/09/09

Cordys in the Cloud

Introduction

Cloud is one of the buzzwords today and Cordys also has a Cloud platform: The Cordys Process Factory (CPF).

So what is it?
It is a webbased integrated cloud environment for rapid Cloud Application Development. You can build forms, business processes, integration with other webservices and reporting.

How does it work?
A CPF Composer is used to design forms, business processes, business rules, using external webservices, reports and charts (PDF, HTML, MS Word, or MS Excel).

SaaS
There is a CPF marketplace where you can sell your cloud application as a SaaS product and where you can buy other products as well.

A Simple example

When you fill in you credentials the Cordys Explorer or MashupComposer is shown.










* Select "Create a new application" and fill in the application information, click Save and go to Composer

* The Composer is shown

* Select Build Forms > New Form and fill in the following details

* The Forms composer is shown. Drag-and-Drop a Number field and fill in the properties

* Add Another Number2 field

* Add another Sum (Number field) with the following properties:

* Click Save
* Click Check In. This way other users can use it.

Create Application Tab and Add Form to it


* Click Configure Application > Application Tabs
* Click Check Out (in order to make changes to it)


* Click New Tab and fill in Properties and click OK

The Tab is added to the existing Tabs


* Click Save and click Check In

Publish the Application

Now we are ready to Publish the application

* Click Publish Applications on the Composer Assistant

Use the Calculator Application

Now we can use the calculator application
* Click Change Application and you can select the Calculator App

* Click the Calculator Tab and fill in some numbers

Notice that the numbers are automatically added.

Conclusion


This blog item showed the possibilities of the Cordys Process Factory Cloud Platform with which you can develop Cloud Mashup Applications.
More information can be found here and you can register here to start developing cloud applications.

2010/09/06

Book review: SOA: An Integration Blueprint

Introduction

This describes a review of the book: Service-Oriented Architecture: An Integration Blueprint. The book is written by Guido Schmutz, Daniel Liebhart and Peter Welkenbach.
The book is about successfully implementing your own enterprise integration architecture using the Trivadis Integration Architecture Blueprint (TIAB). The authors try to set a standard for integration problems that organisation face.

Chapters

The book contains 5 chapters, but unfortunately the subchapters are not numbered and sometimes it is difficult to see what belongs to what.
Chapter 1: Basic Principles
Chapter 2: Base Technologies
Chapter 3: Integration Architecture Blueprint
Chapter 4: Implementation scenarios
Chapter 5: Vendor Products for Implementing the Trivadis Blueprint
I will dive deeper into the chapters later on, but first some general remarks about the book.

General remarks

  • As sais before I missed the subchapter numbering.
  • The book describes an integration blueprint, so the term Service-Oriented Architecture as title is misleading. The book does not even mention Thomas Erl's books.
  • I miss the description of the WS-* standards, commonly used within integration- and service oriented architectures.
  • I miss the description of XML, XML Schema, XSLT, XQuery, commonly used within integration- and service oriented architectures.
  • The layering described within the book, of the integration solution is clear, but not totally new. There are a lot books already describing the 5-layering model used within a SOA.
  • On a scal of 1-5 stars, I would rate the book as 2.

Ch1 - Basic Principles

This chapter describes the basic principles of EAI, SOA, Grid Computing and XTP. Because of the missing subchapter numbering, this chapter looks chaotic.
All common terms are described like ESB, Hub-and-Spoke, Middleware, Communication methods, SOA, Broker, Router, EDA.
Some of the concepts are used within the blueprint, but most are not.

Ch2 - Base Technologies

This chapter describes a selection of the base solutions related to the implementation of solutions based on the Blueprint.
It covers OGSi, JCA, JBI, ESB, SCA and SDO.
Most of the technologies are not further described within the Blueprint exampels, so this chapters is a little bit confusing and misses a lot of other common technologies like XML Schema, XSLT, XQuery, WSDL, SOAP, etc.
At least the technologies could be mentioned.

Ch3 - Integration Architecture Blueprint

This chapter covers the Blueprint and is actually well worth reading. The authors make a distinction between the Applications and Data View and the Integration View.
The Integration View is divided in three levels: Application, Integration Domain and Transport level.
Within the integration there are 5 layers: Communication-, Collection-, Mediation- and Distribution layer. Each layer has its reponsibilities. In the next chapters all the layers are described in more detail.

The nice thing about the Blueprint is that it gives you a "standard" way to describe, design and implement a integration solution. It comes with a small set of notation elements too.

Ch4 - Implementation scenarios

This chapter describes some integration scenarios using the Blueprint. There is also an example that claims to be SOA but that remains to be seen. The approach taken is just the "old" integration using new technology.

Ch5 - Vendor Products for Implementing the Trivadis Blueprint

This chapter maps some product lines to the Blueprint. It covers: Oracle Fusion Middleware, IBM WebSphere, Microsoft Biztalk and Spring Framework.

Conclusion

I liked the layering approach of the Integration Blueprint but I miss the WS-* and XML standards in the book. Furthermore I think the Blueprint can get very complex when you also want to describe handling errors and other bad weather scenarios.
I missed the purpose of chapter2 mainly because it is not addressed further in the next chapters and how it is used within the Blueprint.

2010/08/03

Cordys BOP4: Database connector

Introduction

Just like any other Enterprise Service Bus, Cordys BOP4 also has connectors like file, ftp, mail and database.
This blog item shows how a database connector is configured within the product.

Note:
Within a Service Oriented Architecture that must be flexible and product independant I would advise not to use product specific
database connectors. I would recommend to implement an abstraction layer around the database with for instance Hibernate and expose it as a webservice.

Ws-AppServer

Within the Cordys BOP4 platform a database connector is implemented with a so-called Ws-AppServer. This is a java layer between the database and can be used to implement some business logic
and/or the place to react on database events.

For this example I have used a MySql database instance (Test) with an Employee table.

DROP TABLE IF EXISTS test.Employee;

CREATE TABLE test.Employee (
  EmployeeNumber varchar(255) NOT NULL DEFAULT '',
  FirstName varchar(255) NOT NULL DEFAULT '',
  LastName varchar(255),
  BirthDate date NOT NULL,
  PRIMARY KEY (EmployeeNumber)
); 

INSERT INTO `test`.`Employee` (EmployeeNumber, FirstName, LastName, BirthDate) VALUES (1,'Roger', 'van de Kimmenade', '1971-12-04');

Database Configuration

First we will create a database configuration which contains the database connection properties.
  1. Goto System Resource Manager

  2. Select Manage Database Configurations

  3. Select Insert Button

  1. Select MySql and fill database properties. Select green button to test the connection.
    Select Save to save this configuration.


Service Group

Next we will create a Service Group (WS-AppServer) that is the connection pool to the database.
  1. In the System Resource Manager goto Show all service groups

  2. Select Plus sign

  3. Select WS-AppServer as application connector and click Next

  1. Fill in Name and Select all Web Service Interfaces and click Next

  1. Fill in Name and select Automatic as Startup Type. Click Next.

  1. Check Configure Database and select the database configuration created above (Employee database). Click Next.
Notes:
  • The Initializer Class Name is the name of the class that implements theiOnBsfConnectorinterface. This helps you implement custom logic that will run whenever WS-AppServer starts or stops. 

  1. Leave defaults and click Finish.

Database Metadata

Now we can generate a Database MetaData object that represents the structure of a database. It uses the metadata service to connect to the database and get the details.

  1. Create a Metadata Folder in you workspace

  2. Right click on the Folder and select Database Metadata document

  1. Select the Ws-AppServer service and click Save

  1. Fill in Name and Description and click Save

  1. The database tables are loaded and shown. You can click on a table to view the columns. You can Save and close the window.

Generating webservice operations

Now we are ready to generate webservice operations on the database tables.
There are three ways to do that, but i will only describe the first in this blog item.
  1. Generate Web Service Operations directly on the database
  2. Generate Java Code (WS-AppServer package)

  1. Generate Custom Web Service Operation

To generate webservice operations on the tables you have to do the following:
  1. Create a Web Services Folder

  2. Right click on the Employee Database Metadata and select Generate Web Service Operations

  1. Select the table on which the operations must be generated. In this case only one table (employee) is present. And click Finish.


  1. When you look in the Web Services Folder you can see the generated data and webservice operations

This concludes this blog about generating webservices on your database.

2010/07/28

Hermes ebXML SSL Configuration

Introduction

This blog item describes how I setup End-2-End security ebXML communication using the Hermes2 framework.
The ebMS client is on a Tomcat installation and it communicates with an Apache WebServer (running on Linux and redirecting ebms communication to Tomcat instance on the same server).


Prerequisite:
  • Hermes2 (client) and Tomcat installed
  • Hermes2 (server) and Tomcat installed
  • Server certificates generated (self signed)

Configuring Hermes2 (corvus webbapplication within Tomcat)


When you change the partner agreement to use the https:// protocol towards the receiver you will get the following error (look in the ebms.log of the ebMS sender).
hk.hku.cecid.ebms.spa.task.DeliveryException: Cannot send the message
    by hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
    by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:578)
    at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:440)
    at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
    at java.lang.Thread.run(Unknown Source)

  1. You need to edit the <CorvusWebApp>/WEB-INF/classes/hk/hku/cecid/piazza/corvus/core/conf/corvus.module.xml
    <module id="piazza.corvus" name="Piazza Corvus" version="1.0">

        <component id="logger" name="System Logger">
            <class>hk.hku.cecid.piazza.commons.util.LoggerLog4j</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.log.properties.xml" />      
            <parameter name="category" value="hk.hku.cecid.piazza" />
        </component>

        <component id="properties" name="System Properties">
            <class>hk.hku.cecid.piazza.commons.util.PropertyTree</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.properties.xml" />
        </component>

        <component id="messages" name="System Messages">
            <class>hk.hku.cecid.piazza.commons.util.MessagesTree</class>
            <parameter name="config" value="hk/hku/cecid/piazza/corvus/core/conf/corvus.messages.xml" />
        </component>

        <!-- Set up a SSL Trust Manager for SSL connection -->
        <component id="ssl-trust-manager" name="SSL Trust Manager">
            <class>hk.hku.cecid.piazza.commons.security.KeyStoreTrustManager</class>
            <parameter name="keystore-location" value="c:/program files/java/jre1.5.0_22/lib/security/cacerts" />
            <parameter name="keystore-password" value="changeit" />
        </component>

        <!-- Set up a SSL Key Manager for SSL connection, it is configured in application server most case (e.g. Tomcat server.xml) -->
        <component id="ssl-key-manager" name="SSL Key Manager">
            <class>hk.hku.cecid.piazza.commons.security.KeyStoreKeyManager</class>
            <parameter name="keystore-location" value="d:/local/programs/hermes2/plugins/hk.hku.cecid.ebms/security/corvus.p12" />
            <parameter name="keystore-password" value="password" />
            <parameter name="key-alias" value="corvus2" />
            <parameter name="key-password" value="password" />
            <parameter name="keystore-type" value="PKCS12" />
            <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider" />
        </component>

    </module>

  2. Edit the <CorvusWebApp>/WEB-INF/classes/hk/hku/cecid/piazza/corvus/core/conf/corvus.properties.xml
    <?xml version="1.0" encoding="UTF-8"?><corvus>

        <!-- Home Directory -->
        <home>d:\local\programs\hermes2/</home>

        <!-- Plugin Registry -->
        <plugin>
            <registry>d:/local/programs/hermes2/plugins</registry>
            <descriptor>plugin.xml</descriptor>
        </plugin>

        <!-- Encoding settings -->
        <encoding>
            <servlet-request>UTF-8</servlet-request>
            <servlet-response>text/html;UTF-8</servlet-response>
        </encoding>
      
        <!-- Environment settings -->
        <environment>
            <properties>
                <http.proxyHost/>
                <http.proxyPort/>
                <https.proxyHost/>
                <https.proxyPort/>
                <sun.net.client.defaultConnectTimeout>30000</sun.net.client.defaultConnectTimeout>
                <sun.net.client.defaultReadTimeout>300000</sun.net.client.defaultReadTimeout>
                <file.encoding>UTF-8</file.encoding>
                <javax.net.ssl.keystore>d:/local/programs/hermes2/plugins/hk.hku.cecid.ebms/security/corvus.p12</javax.net.ssl.keystore>
                <javax.net.ssl.keyStorePassword>password</javax.net.ssl.keyStorePassword>
                <javax.net.ssl.keyStoreType>PKCS12</javax.net.ssl.keyStoreType>
                <javax.net.ssl.trustStore>c:/program files/java/jre1.5.0_22/lib/security/cacerts</javax.net.ssl.trustStore>
                <javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>
                <javax.net.ssl.trustStoreType>PKCS12</javax.net.ssl.trustStoreType>
            </properties>
        </environment>
      
    </corvus>

    Notes:
    * Be sure to use absolute paths for the keystore locations
    * The Keymanager store is used to store the Certificate for this ebMS instance
    * The Trust Manager is used to upload the Certificates this ebMS instance can trust. When sender ebMS try to establish a secure connection, the receiver ebMS will provide a public certificate to sender ebMS to identify its identity. If this certificate is self-signed, it should be added to the truststore defined on the sender side.


When you send a message again now to the https endpoint I got the error:
hk.hku.cecid.ebms.spa.task.DeliveryException: Cannot send the message
    by hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
    by javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate chain not trusted
    by java.security.cert.CertificateException: Certificate chain not trusted
    at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:578)
    at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:440)
    at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
    at java.lang.Thread.run(Unknown Source)

This is because I did not import the certificate of the Receiver yet into the Java TrustStore as defined above (In this case the server certificate was self signed).
  1. Import the server certificate in the trust store (be sure the certificate is X.501):
    keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

When I imported the server.crt and ca.crt (both generated on the Linux server with OpenSSL).

SSL: Tomcat and Apache some handy links

Introduction

I know there has been written a lot already about SSL configuration on Tomcat and Apache, but for my own registration I store some links I used to setup SSL.
It also contains some handy commands I used to generate certificates.

Links

Client Certificate Authentication with Apache
Apache webserver and SSL configuration

Nice overview of SSL and OpenSSL

OpenSSL and PKCS#12 FQA

Description of Java keytool
Most common keytool commands

Configuration of Hermes2 (ebXML framework) with SSL

Configuration of SSL in Tomcat

Terms

X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

PKCS#12
PKCS#12 is a standard for storing private keys and certificates securely. It defines a file format commonly used to store X.509 private keys with accompanying public key certificates, protected with a password-based symmetric key, and is the successor to PFX from Microsoft. PFX has received heavy criticism of being one of the most complex cryptographic protocols, but nevertheless remains the only standard way today to store private keys and certificates in a single encrypted file.
Note: There are other PKCS standards described here.

OpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions.

RSA
In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

2010/07/27

How to explain Cordys BPM?

Today I got a question from Anita one of my Twitter followers:

"Most people just dont get the whole application, BPM, layered language, how do you explain Cordys to people?"

So to get a discussion going i post this question to my Blog so that we can discuss here !

A few questions come to me:
  • What do people don't get? The layering? The BPM language? Or the step towards Cordys?

The whole thing about BPM is that you get a flexible business architecture that is abstracting the business processes from the technical implementation.
This way you get technical flexibility as well as business flexibility. BPM brings business and IT together !

Cordys BOP4 is a platform that supports this notion of layering and processes with a service oriented architecture.
It follows the principles as set by Thomas Erl's SOA Principles.
Within the SOA patterns there is also the layering pattern:



This is about layering your Services into three abstraction layers. Thomas talks about
  • Task Services - A business service with a functional boundary directly associated with a specific parent business task or process.
  • Entity Services - A service centric service that bases its functional context and boundary one a related business entity.
  • Utility Services - Services that provide cross-cutting functionality, also known as application services or technology services.

When we talk about SOA layering you also see the 5-layering architecture. In those layering the presentation layer and application/data layer is added.
Example:

Within the Cordys BOP4 platform this is mapped to:
  • Visual Layer - XForms, WebBased GUI
  • Business Process Layer - BPM processes modelled with BPMN and exposed as WebServices
  • Business Service Layer - Entity Services modelled with BPMN and exposed as WebServices
  • Technical Service Layer - Application Connectors, like FTP, File and Database connectors, exposed as WebServices.
  • External Systems - These are the external systems that are used within the SOA/BPM architecture.

The WebServices is the Standardized Service Contract SOA Principle used within Cordys.

Can't wait to here your comments !


2010/07/26

Cordys: Authenticator is not instantiated via the properties

I was testing Basic Authentication with soapUI and got the following error:

"Authenticator is not instantiated via the properties".

<soapenv:Envelope xmlns:def="http://schemas.cordys.com/default" xmlns:mes="http://www.cvz.nl/csp/message" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

   <soapenv:Body>
      <soapenv:Fault>
         <faultcode xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">ns0:Client</faultcode>
         <faultstring xml:lang="en-US">User validation failed for: '5517'.</faultstring>
         <detail>
            <cordys:FaultDetails xmlns:cordys="http://schemas.cordys.com/General/1.0/">
               <cordys:LocalizableMessage>
                  <cordys:MessageCode>Cordys.ESBServer.Messages.userValidationFailed</cordys:MessageCode>
                  <cordys:Insertion>5517</cordys:Insertion>
               </cordys:LocalizableMessage>
            </cordys:FaultDetails>
            <cordys:FaultRelatedException xmlns:cordys="http://schemas.cordys.com/General/1.0/">com.eibus.security.identity.IdentityValidationException: Could not authenticate username '5517': Authenticator is not instantiated via the properties constructor
    at com.eibus.security.identity.WSSecurityUsernameTokenIdentityType.validate(WSSecurityUsernameTokenIdentityType.java:71)
    at com.eibus.soap.SOAPTransaction.&lt;init>(SOAPTransaction.java:349)
    at com.eibus.soap.SOAPTransaction.&lt;init>(SOAPTransaction.java:175)
    at com.eibus.soap.Processor.onReceive(Processor.java:956)
    at com.eibus.soap.Processor.onReceive(Processor.java:929)
    at com.eibus.connector.nom.Connector.onReceive(Connector.java:417)
    at com.eibus.transport.Middleware$NonTransactionalWorkerThreadBody.run(Middleware.java:1722)
    at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:64)
Caused by: com.eibus.security.authentication.InvalidAuthenticatorException: Authenticator is not instantiated via the properties constructor
    at com.eibus.security.authentication.AuthenticatorFactory.getAuthenticator(AuthenticatorFactory.java:76)
    at com.eibus.security.identity.WSSecurityUsernameTokenIdentityType.validate(WSSecurityUsernameTokenIdentityType.java:63)
    ... 7 more</cordys:FaultRelatedException>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

The first thing that came to mind was that the Service Group was not configured yet for CARS authentication, so i did:

  1. Open LDAP Explorer --> Expand the Organization where the service is deployed --> Expand 'soap nodes' --> Open the properties of the Service Group of that WebService Container
  2. Select ... (button) behind  'bussoapnodeconfiguration' to open the XML Editor with the Service Group configuration.
  3. Add the next line underneath <configuration>:  <authenticator implementation="com.eibus.security.authentication.CARSAuthenticator" />

I restarted the Service Container and the problem was solved.

2010/07/24

Cordys: Contract First design

Introduction

One of the principles of Service Design is Contract First. With this principle you first design the service contract of the service and then implement it. This blog item will show a small example within Cordys BOP4.

Contract First

First I will create a simple HRM Employee service first. The WSDL can be found here



Before you can use this WSDL you have to import the WSDL.
  1. Create a Project with com/examples Folders

  1. Create new Web Service document in com/examples Folder

  1. Select Import WSDL and name the service, click Next

  1. Now you have to fill in the URL of the WSDL. I have installed Cordys on my Windows machine and put my EmployeeService within the <CordysInstallDir>/Web directory. This way the WSDL is accessable through a URL. Select Show Services to view the service defined within the WSDL. Check Interface WSDL, because it is just the interface and not the implementation we are importing.
  1. Now you are able to use this as a basis to define a Contract Based Business Process Model. Create a new Business Process Model within the same Folder with the following Properties. You must check Contract and select the Interface just imported in the previous step.

  1. When you press OK, a skeleton Process is generated for you with Process messages.



Regards, Roger