Integrated Systems & Solutions
Some Performance and Security Findings Relative to a SOA Ground Implementation
March 28, 2007
John Hohwald

Ground SOA Implementation Issues
SOA Benchmarking
- Benchmarked a variety of vendors
  - IBM Websphere Process Server 6.0.1; IBM Advanced Websphere (Message Broker) 6.0.0 (on AIX 5.3)
  - DataPower XS40 (HW appliance: XML Accelerator and SAML 2.0 Tokens)
  - BEA Aqualogic 2.5 (on SUSE Linux)
  - Oracle ESB Suite 10.1.3.1 (on Windows 2003)
- Prototyped multi-vendor ESB interaction and cross-platform operations
- Enabled legacy C/C++ code with gSOAP 2.7
- .NET and J2EE Interoperability
- Performance with large messages
- Security (Multi-Domain)

Prototype SOA Infrastructure
[Diagram: Client, Service Proxy, Routing, Service A, Service B, Service C; layers labelled Test Harness, ESB / Application Server, Service Endpoint]
Constructed web services
“Test Harness” to generate both sequential and concurrent service invocations
What additional overhead does an ESB carry compared to direct service invocation? What are the performance limiting factors in using web services?

Implementing a Ground SOA
Comparison of Performance of ESB Products for Concurrent Requests
[Chart: Time in Seconds vs. Sample Number; series: Direct, IBM WebSphere, IBM Advanced, BEA, Oracle]
All major ESB products handle concurrent requests relatively well – some variability due to dynamic “garbage collection”
50 Concurrent Service Invocations

Implementing a Ground SOA
Comparison of Performance of ESB Products for Single Messages
[Chart: Seconds vs. Size in KB; series: direct, IBM advanced, oracle, WebSphere, BEA]
ESB products show small but increasing overhead as message size increases, compared to direct service invocation

Web Services Performance and Large Messages
IBM Advanced ESB and DataPower tested with large messages
- 3MB (335 hrs Eph Data) response:
  - 30 seconds
- 6MB (675 hrs Eph Data) response:
  - 75 seconds
- 8.7MB (1080 hrs Eph Data) response:
  - 125 seconds
Real Performance Bottleneck is in SOAP Processing for large messages
- XML Serialization in client + XML De-serialization in server
  - CPU time and memory intensive
- Message Size/Complexity dependent
Additional ESB overhead can handle these size messages…
- But heap size and timeout must be increased
[Chart: Performance (Msg Size); Time (Secs) vs. Size (MB); points at 3, 6 and 8.7 MB]

Addressing Large Messages in Web Services
Message Transfer Options
- SOAP
  - Ordinary XML encoded payload document in SOAP envelope
- SOAP with Attachments (SwA)
  - Compound Document Structure
  - MIME Encoding (De-facto usage standard) of attachment information
  - DIME Encoding (Direct Internet Message Encapsulation) largely obsolete
- MTOM (Message Transmission Optimization Mechanism, W3C), XOP (XML-binary Optimized Packaging, W3C)
  - Relatively new standards
- Out-of-Band Transfer
  - E.g., pass URI and use other transfer mechanism (FTP)
  - Places burden of decoding message payload back to the application
PREVIOUS DATA RESULTS
Alternatives exist to mitigate performance bottlenecks of XML Serialization/De-serialization with large messages
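
Added example, not from the original slides: the ordinary SOAP and SwA options from the list above, built and received in Python to show how much XML the receiver's envelope parse has to walk in each case. The ephemeris payload, the `EphemerisRef` element and the Content-ID values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def ephemeris(hours):
    """Constructed stand-in for an ephemeris response: one element per hour."""
    root = ET.Element("Ephemeris")
    for h in range(hours):
        ET.SubElement(root, "Point", hour=str(h)).text = "0.0 0.0 0.0"
    return root

def envelope(body_child):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body_child)
    return env

def inline_message(hours):
    """Ordinary SOAP: the whole payload sits inside the envelope."""
    return ET.tostring(envelope(ephemeris(hours)))

def swa_message(hours, cid="ephemeris-1"):
    """SwA: the envelope holds a cid: reference, the payload is a MIME part."""
    ref = ET.Element("EphemerisRef", href=f"cid:{cid}")  # hypothetical element
    msg = MIMEMultipart("related", type="text/xml", start="<envelope>")
    root = MIMEText(ET.tostring(envelope(ref), encoding="unicode"), "xml")
    root["Content-ID"] = "<envelope>"
    att = MIMEApplication(ET.tostring(ephemeris(hours)), "xml")
    att["Content-ID"] = f"<{cid}>"
    msg.attach(root)
    msg.attach(att)
    return msg.as_bytes()

def elements_parsed_inline(wire):
    return sum(1 for _ in ET.fromstring(wire).iter())

def receive_swa(wire):
    """Parse only the root envelope; return (elements parsed, attachment bytes)."""
    parts = {p["Content-ID"].strip("<>"): p.get_payload(decode=True)
             for p in message_from_bytes(wire).get_payload()}
    env = ET.fromstring(parts["envelope"])
    href = env.find(f"{{{SOAP}}}Body/EphemerisRef").get("href")
    return sum(1 for _ in env.iter()), parts[href[len("cid:"):]]
```

The receiver's envelope parse stays at three elements whatever the payload size; the attachment arrives as opaque bytes that the application must decode and validate itself.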

Web Services Performance Findings
Additional Performance Considerations
- SOAP Encoding Styles
  - RPC/Encoded (Worst Performance)
    o Deprecated and not WS-I compliant
  - RPC/Literal (Middle)
  - Document/Literal Wrapped (Best Performance)
    o Greater user control of parsing
    o Namespace element tagging allows complex datatype validation
Performance Conclusions
- True performance bottlenecks due to XML Serialization and De-serialization of large messages; mitigate via:
  - Alternative transfer mechanisms (e.g. SwA) for XML payload messages > ~ 10 MB
  - SOAP encoding style (Document/Literal)
  - H/W appliance XML Accelerators
- ESB products add modest overhead which increases as message size grows

Web Services and SOA Security
Multi-Domain SOA Security
- Do not confuse Multi-Domain Security with Multi-Level Security (MLS)
- Multi-Level Security implies a single domain with electronic access by one or more individuals not briefed at all security levels (or compartments) for data within the system
  - Typically requires DCID 6/3 PL-4 protection
- Multi-Domain Security implies there are multiple infrastructure domains, managed by different organizations, that may have different requirements and standards
  - Data in each domain may in fact have same set of Classification Level(s), Compartments
  - Key issue is trust: you must trust that your partner’s security implementation is reliable
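
Added example, not from the original slides: the checks a receiving domain can apply to a partner-issued SAML 2.0 assertion before honouring it, which is where the trust point above becomes concrete for the SAML tokens exchanged across domains in this deck. The issuer and audience URLs, the sample assertion and the `signature_ok` input (the gateway's XML signature verification result) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TRUSTED_ISSUERS = {"https://idp.domain-a.example"}  # hypothetical partner IdP
OUR_AUDIENCE = "https://esb.domain-b.example"       # hypothetical local audience

def parse_instant(value):  # whole-second UTC only; other forms fail closed
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, signature_ok):
    """Return (accepted, subject_or_reason) for a partner-issued assertion."""
    if not signature_ok:  # gateway's XML signature result (assumed input)
        return False, "signature not verified"
    if "<!DOCTYPE" in xml_text:
        return False, "DTD not allowed"
    try:
        a = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if a.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 2.0 assertion"
    if a.findtext("saml:Issuer", "", NS).strip() not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    cond = a.find("saml:Conditions", NS)
    try:  # local policy: both bounds must be present
        start = parse_instant(cond.get("NotBefore", ""))
        end = parse_instant(cond.get("NotOnOrAfter", ""))
    except (AttributeError, ValueError):
        return False, "missing or bad validity window"
    if not start <= now < end:
        return False, "outside validity window"
    audiences = {(e.text or "").strip() for e in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if OUR_AUDIENCE not in audiences:
        return False, "audience mismatch"
    subject = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    return (True, subject) if subject else (False, "no subject")

def sample(issuer="https://idp.domain-a.example", audience=OUR_AUDIENCE,
           not_after="2007-03-28T12:05:00Z"):
    """Constructed assertion, trimmed to the fields checked above."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>'
            f'<saml:NameID>jdoe</saml:NameID></saml:Subject><saml:Conditions '
            f'NotBefore="2007-03-28T11:55:00Z" NotOnOrAfter="{not_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion>')
```

Every failure path rejects: a token from an issuer outside the trust list, one minted for another audience, or one presented after `NotOnOrAfter` is refused even when its signature is valid.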

Web Services and SOA Security: Logical Architecture
[Diagram labels: Service; WS Gateway / XML Firewall (two); WS-Trust Service (two); Identity Provider (LDAP, AD, etc) (two); Internal Service Bus; External Service Bus; User; UID / Password; Portal; DOMAIN A; flow steps numbered 1 to 9]

Web Services and SOA Security: Configuration 1
- Complex and fragile architecture but acceptable performance
- Componentized architecture permits flexibility
- TFIM implementation of WS-Trust and WSSM is still maturing
- Enforcement via WS ESB is proprietary; no security on response
[Diagram, CONFIGURATION 1: Security Domain 1 and Security Domain 2; LDAP (Windows); Service Client (Horizon) (Windows); WS-Trust (Windows); Service Provider (Windows 2003); Websphere Product Server ESB (Windows 2003); WSSM/Tivoli Access Manager (AIX); DataPower XML Gateway; SAML Token Exchange across security domains]

Web Services and SOA Security: Configuration 2
- Simplified and easy to configure; very fast
- Can transform and route messages based on content & policy
- Can sign and encrypt responses
- XML gateway product is proprietary
[Diagram, CONFIGURATION 2: Security Domain 1 and Security Domain 2; Service Client (Horizon) (Windows); Service Provider (Windows 2003); Websphere Product Server ESB (Windows 2003); Tivoli Access Manager (AIX); DataPower XML Gateway; SAML Token Exchange across security domains]

Performance Overhead – Dynamic Routing & Security
The two tests are identical (1-72 hours of Ephemeris Generation/Retrieval)
Adding security (DataPower appliance, SAML 2.0 token generation, trust chain, etc.) and dynamic routing did not significantly degrade performance
[Chart: Secure ESB with Systinet Registry Overhead; Runtime vs. Sequential Eph Hours; series: Secured ESB Invocation, Unsecured ESB Invocation]
Adding security and dynamic routing to service invocation did not dramatically alter performance

Summary and Conclusions
SOAP/XML based web service performance is largely a factor of serialization and de-serialization of XML messages at mediation
- Size of response is the critical factor in performance analysis: large size (MB range) results in rapid performance degradation
- Alternative approaches for transferring large messages/files via web services required and available
  - Impacts how you should structure your services
Additional ESB overhead is small compared to message size effect
- ESB products handle consistent, moderate loads dramatically better than sudden, heavy loads
SOAP encoding style has an impact: prefer document/literal wrapped
Practical message size is not changed with the addition of cross-domain security
- Additional network hops, but small data size exchanges in each