Wednesday, December 27, 2006

NuSOAP: An easy to use SOAP Stack for PHP

If you need your PHP-based application to make SOAP calls into an application with a WSDL-based interface, consider using NuSOAP. It is simple to use and will get you up and running within minutes. The best part is that you don't have to install any new PHP extensions. All you have to do is download and unzip the NuSOAP files on your PHP-enabled web server and you are ready to go.

A couple of good resources for getting started with NuSOAP are:

1. NuSOAP Home.
2. Introduction to NuSOAP.

Thursday, December 21, 2006

JavaWorld: Naked Web services

JavaWorld published a piece titled "Are your Web Services Naked or Covered?" I co-authored this article to highlight the impact of exception handling techniques on web services-based SOA. You will learn exception handling constructs that ensure your web services do not leak sensitive information to the consumer.

"Bottom line: For externally facing web services exposed to a large number of public consumers, only recoverable exceptions should be communicated. All other exceptions should be controlled, cleansed, or suppressed."
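The "controlled, cleansed, or suppressed" rule in working form, as an added example that is not from the JavaWorld article: a small Python service boundary that lets only recoverable (caller-fixable) exceptions through as SOAP 1.1 faults and replaces everything else with a generic fault plus a correlation id, logging the real detail server-side. The exception classes, the operations and the backend error message are constructed for the illustration; the SOAP 1.1 envelope namespace and fault layout are the standard ones.

```python
import logging
import uuid
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace; the "soap" prefix is registered so that the
# faultcode values "soap:Client" / "soap:Server" resolve in the serialized XML.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)

log = logging.getLogger("ws.faults")


class ValidationError(Exception):
    """Hypothetical recoverable error: the caller can fix its request, so the text is safe to return."""


class BackendError(Exception):
    """Hypothetical internal failure; its message may carry hostnames, paths or credentials."""


# Only these exception types are communicated to the consumer as they are.
RECOVERABLE = (ValidationError,)


def classify(exc):
    """Return (faultcode, faultstring, correlation_id) for an exception.

    Recoverable exceptions keep their own message. Everything else is suppressed:
    the consumer gets a generic text plus a correlation id, and the real detail
    goes to the server log where an operator can look it up by that id.
    """
    cid = uuid.uuid4().hex
    if isinstance(exc, RECOVERABLE):
        return "soap:Client", str(exc), cid
    # Cleanse: log the real exception, never echo str(exc) or a traceback.
    log.error("fault %s: %r", cid, exc)
    return "soap:Server", "Internal error; reference " + cid, cid


def fault_envelope(exc):
    """Serialize a SOAP 1.1 Fault for exc using the classification above."""
    code, text, _ = classify(exc)
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_ENV)
    ET.SubElement(fault, "faultcode").text = code  # unqualified, per SOAP 1.1
    ET.SubElement(fault, "faultstring").text = text
    return ET.tostring(env, encoding="unicode")


def invoke(operation, *args):
    """Run a service operation; on any exception return a cleansed fault envelope."""
    try:
        result = operation(*args)
    except Exception as exc:  # the service boundary must catch everything
        return fault_envelope(exc)
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    ET.SubElement(body, "{urn:example}Result").text = str(result)
    return ET.tostring(env, encoding="unicode")


# --- constructed sample operations ---------------------------------------

def add(a, b):
    """Operation that validates its input (recoverable) before doing work."""
    if not isinstance(a, int) or not isinstance(b, int):
        raise ValidationError("operands must be integers")
    return a + b


def lookup_balance(account):
    """Simulates a backend failure whose message must not reach the consumer."""
    raise BackendError("ODBC connect failed: host=db01.corp.internal user=svc pwd=hunter2")


if __name__ == "__main__":
    print(invoke(add, 2, 3))
    print(invoke(add, "2", 3))
    print(invoke(lookup_balance, "ACC-1"))
```

The correlation id is what makes suppression workable in operations: the consumer can quote it on a support call, and the full exception is found in the server log under the same id, so nothing about the backend has to travel in the fault.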

Sunday, December 10, 2006

Building & Testing your first Web Service using .NET

Alright - if this takes more than ten minutes for you to do, then I will change the instructions and try to simplify things so that you can build & test your first web service in less than 10 minutes. The overall steps are as follows:

1. Download and install .NET WebMatrix.

2. Go to: Start > All Programs > Microsoft ASP .NET Web Matrix > ASP .NET Web Matrix.

3. You will be prompted with the screen shown below. Fill in the information as shown: select "Web Services" in the left panel and the "Simple" template in the right panel. I created a C:\WebServices folder to store the .asmx file and picked C#. This will auto-generate a web service for you with the following code:

4. Hit the play button in the IDE and it will prompt you to start the web application on port 9090. Make sure your local firewall is turned off.

5. A web browser showing the Add operation will appear. You can click it and start playing with your first web service.

Within 5 simple steps, you should have successfully set up a web service.

Note: Web Matrix cannot be accessed remotely so all your testing has to be local. For remote accessibility you can deploy your web services file (MathWS.asmx) on an IIS server.

SOA testing and building is as easy as 1,2,3 -- and 4, 5 :-)

Wednesday, November 22, 2006

Oracle BPEL Process Manager

The following article, published in SOA Web Services Journal, provides a good glimpse into interoperability issues between Microsoft .NET WCF and Oracle BPEL Process Manager. It highlights a couple of interesting items:

1. WS-Addressing is required for endpoint representation, especially for long-running transactions where the server invokes a callback to the client to send the response once processing is complete. Oracle BPEL Process Manager supports a different version of WS-Addressing than Microsoft .NET WCF, so out of the box WS-Addressing will not work. Luckily, Oracle BPEL Process Manager supports WS-BPEL extensions (bpelx:headerVariable) that give the BPEL process access to header information sent by the client. With a handle on the header information, the BPEL process can manipulate the WS-Addressing data and ensure that the process executes and that the callback is compliant with what the .NET WCF client is expecting.

2. When a server is WS-Security enabled and expects a Username Token, an X.509 token, or a SAML assertion in the SOAP Header, the BPEL Process Manager can again use WS-BPEL extensions such as bpelx:inputHeaderVariable to populate SOAP Headers with tokens before invoking an endpoint that expects this information.

Really Cool Stuff!

Web Services and SOA
— People sometimes ask what a service-oriented architecture enables today that could not have been done with the older, proprietary integration stacks of the past 5 to 15 years, such as those from Tibco, IBM, or Vitria. One such ability is the greater degree of interoperability between heterogeneous technology stacks that is made possible by the standards SOA is built on, such as Web services and BPEL. Although interoperability is only one facet of the SOA value proposition, it is one that has become increasingly more important, due in large part to the evolving IT environment, merger and acquisition activity, and increased partner connectivity.

Wednesday, November 08, 2006

CSI 33 Orlando

I like the fact that Orlando Airport offers a free wireless connection and that I am able to make this blog entry in front of Terminal 73 while I wait for my flight back to Boston.

CSI 33 is a computer security conference where security professionals gather to stay current with IT security related issues. This is my second CSI and, just by the attendance at my talk, I can see the rapidly increasing interest amongst security professionals in testing, discovering and remediating SOA security related issues. CSI 33 had an entire Web Service track with four sessions around SOA security and threat related issues. I chose to present under the Attacks and Countermeasures track and was pleasantly surprised that the room was almost packed for an early morning session. I was also impressed by the level of questions coming in from the audience. One individual from was focused on security issues for the web services based AppExchange interface with over 400 third party applications developed against their API.

More so than ever, I believe that Web Services & SOA security is something security professionals are not just aware of, but now see as their responsibility. Security Professionals are making great strides in understanding the nuances of web services security and how it is a logical extension of their domain given that they are already dealing with application security issues within HTTP(S), HTML, Cookies and the HTTP header in general. Now they have to go deeper in the SOAP packets and make sure that the back end systems are tested and secured for SOAP-borne vulnerabilities.

Wednesday, November 01, 2006

BEA WebLogic 9.2: Testing SOAP Encryption

One of the most powerful capabilities of application servers such as BEA's new WebLogic 9.2 is message-level security. Such features make WebLogic a natural component for a SOA deployment.

In the article, posted on BEA's website, the message-level encryption capabilities of WebLogic are explored and a step-by-step guide is provided, from downloading the server to setting up your first policy.

Give WLS 9.2 a spin; it's simple, easy and powerful.

Sunday, October 29, 2006

Load Testing Web Services

SYS-CON's September edition of SOA Web Services Journal has a number of good pieces on web services testing. I found "Load Testing Web Services" interesting, especially in its description of the important parameters in load testing web services.

Load Testing Metrics and Parameters
The results obtained by load testing Web Services can potentially be reflected in terms of the following parameters.

  • Response time: It's the most important parameter to reflect the quality of a Web Service. Response time is the total time it takes after the client sends a request till it gets a response. This includes the time the message remains in transit on the network, which can't be measured exclusively by any load-testing tool. So we're restricted to testing Web Services deployed on a local machine. The result will be a graph measuring the average response time against the number of virtual users.
  • Number of transactions passed/failed: This parameter simply shows the total number of transactions passed or failed.
  • Throughput: It's measured in bytes and represents the amount of data that the virtual users receive from the server at any given second. We can compare this graph to the response-time graph to see how the throughput affects transaction performance.
  • Load size: The number of concurrent virtual users trying to access the Web Service at any particular instance in an interval of time.
  • CPU utilization: The amount of CPU time used by the Web Service while processing the request.
  • Memory utilization: The amount of memory used by the Web Service while processing the request.
  • Wait Time (Average Latency): The time it takes from when a request is sent until the first byte is received.
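The metrics listed above computed from raw timing records, as an added Python example that is not part of the journal article: each record is what a load tool captures for one virtual-user request (send time, time to first byte, completion time, bytes received, pass/fail), and the functions derive response time, wait time, pass/fail counts, throughput, load size as in-flight requests, and the points of the "average response time against number of virtual users" graph. The records are constructed; the `Sample` record type and all function names are this example's own.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    """One virtual-user request as a load tool would record it (times in seconds)."""
    user: int            # virtual user id
    start: float         # request sent
    first_byte: float    # first byte of the response received
    end: float           # last byte of the response received
    bytes_received: int  # response payload size
    ok: bool             # transaction passed?


def response_time(s):
    """Total time from sending the request to receiving the full response."""
    return s.end - s.start


def wait_time(s):
    """Average latency in the article's terms: time to first byte."""
    return s.first_byte - s.start


def concurrency_at(samples, t):
    """Load size at instant t: requests in flight (started, not yet finished)."""
    return sum(1 for s in samples if s.start <= t < s.end)


def summarize(samples):
    """Compute the load-testing parameters from a set of samples."""
    if not samples:
        raise ValueError("no samples")
    passed = sum(1 for s in samples if s.ok)
    window = max(s.end for s in samples) - min(s.start for s in samples)
    return {
        "passed": passed,
        "failed": len(samples) - passed,
        "avg_response_time": mean(response_time(s) for s in samples),
        "avg_wait_time": mean(wait_time(s) for s in samples),
        # throughput: bytes the virtual users received per second over the run
        "throughput_bytes_per_s": sum(s.bytes_received for s in samples) / max(window, 1e-9),
        # peak load: the most requests in flight at any request's start instant
        "peak_load": max(concurrency_at(samples, s.start) for s in samples),
    }


def response_time_by_load(samples):
    """Points for the 'avg response time vs. virtual users' graph: each sample is
    bucketed by the concurrency it ran under; returns [(load, avg_response_time)]."""
    buckets = {}
    for s in samples:
        buckets.setdefault(concurrency_at(samples, s.start), []).append(response_time(s))
    return [(load, mean(times)) for load, times in sorted(buckets.items())]


# Constructed samples: two virtual users in two rounds (one failed transaction
# with an empty response), then a third round with a single user.
SAMPLES = [
    Sample(user=1, start=0.0, first_byte=0.05, end=0.20, bytes_received=1024, ok=True),
    Sample(user=2, start=0.0, first_byte=0.10, end=0.40, bytes_received=2048, ok=True),
    Sample(user=1, start=0.5, first_byte=0.60, end=0.90, bytes_received=1024, ok=True),
    Sample(user=2, start=0.5, first_byte=0.55, end=1.00, bytes_received=0, ok=False),
    Sample(user=1, start=1.5, first_byte=1.55, end=1.65, bytes_received=1024, ok=True),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print("%-24s %s" % (key, value))
    print(response_time_by_load(SAMPLES))
```

Deriving load size from in-flight requests rather than from a configured user count is what lets the same records answer the article's question about response time versus load: the graph's x-axis comes from the data, not from the tool's settings.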

We have deployed WS-SOA Gateways at many locations worldwide, and most of the deployments are 1U appliances with dual CPUs and crypto accelerators. Most of the load requirements center around message sizes. I have yet to see a deployment that comes close to harnessing the 1000-2000 TPS capacity of appliances when small to mid size documents are involved, ranging from 1K-100K. Where things get interesting is in the > 2G range of SOAP Attachments. In such deployments we typically see the back end application server croak on such documents once the gateway has processed it and given it a clean bill of health. And by the way, at only one deployment did the number of concurrent users even matter. Web Services are typically used for application-to-application communication where thousands of concurrent connections are unnecessary, unlike in B-to-C deployments.

What's even more interesting is the lack of SOA Testing Tools that can handle such large documents without choking. Of course you can always write your own testing scripts or propose to do so if you are in the consulting business ;-)

Thursday, October 19, 2006

ChoicePay: Rising above the SOA Testing Challenge

Recently, Salman Akhtar, CEO Techlogix, published a good case study regarding SOA Testing Challenges and how ChoicePay, an electronic billing company, overcame these challenges "without throwing more bodies at the problem."

The article, published by SOA /WS Journal, is a good read for anyone concerned about SOA Testing:

Monday, October 16, 2006

Web Services Testing NetWeaver Application Server, Java EE 5 Edition

SAP has recently released one of the first Java EE 5 compliant application servers. I tested this server's web services capabilities and found it to be easy to use. SAP NetWeaver Application Server, Java EE 5 Edition install contains the application server, the NetWeaver DeveloperStudio and MaxDB database. My biggest challenge was installation, but SAP Developer Network (SDN) came to the rescue and after my installation was complete, I was off to the races.

Details of the evaluation are published on

You can also see details of the installation and test process at:

Give NetWeaver Application Server a spin - you'll be publishing web services in no time.

Monday, October 02, 2006

How to use Amazon EC2 WSDL

If you are interested in testing the Amazon EC2 WSDL API as well as the S3 WSDL interface, you can go to the URL below for details on how to set up SOAPSonar, a web services testing tool by Crosscheck Networks.

Loading up X.509 certificates in SOAP headers for authentication to Amazon EC2 is the most interesting part of this article.

Friday, September 22, 2006

Amazon EC2 and S3 SOAP API

For the SOAP/WSDL-types out there thinking of building mashups, you can use SOAPSonar Enterprise Edition from Crosscheck Networks for using and testing the EC2 and S3 WSDL APIs simultaneously. SOAPSonar handles X.509 Certificates and easily communicates with both S3 and EC2.

I used SOAPSonar for cleaning up my buckets that were populated with image files from EC2.

Thursday, September 21, 2006

Floating through the Amazon Elastic Compute Cloud

I have been at it again - OCD. My friend "lent" me his AWS account and I have been obsessively experimenting with Amazon's Elastic Compute Cloud, or EC2. You can provision a Linux instance in a few minutes by choosing from Amazon's default image menu -- which I see growing, or you can build your own private image by either modifying a default image or building a brand new image on your Linux machine.

I love the fact that I can organize a bunch of different images on Amazon Simple Storage Service (S3) and provision a machine whenever I need to.

My QA team is responsible for testing our SOA/WebServices Gateway with a number of integration points such as Identity Server (LDAP, AD, SiteMinder, ClearTrust, TAM) for Web Service Authentication and Authorization, Database Servers (MySQL, Oracle, DB2, etc.) for Archiving and a number of App/Web Servers (Apache, WebLogic, WebSphere, etc.). And all of this across different versions.

Needless to say, our testing infrastructure is large, complex and expensive. It is going to save us a "crap" load of time & money by storing images on S3 and provisioning the "required" images when needed. I can hear the silence of all those server fans in our labs now. The noise reduction itself is worth a premium.

And when my Field Engineers have to demonstrate how well our product (Forum Sentry) integrates with the IT assets in a corporate ecosystem, all they have to do is instantiate the clean, tuned, tested components imaged on S3. No more running around the day before trying to install WebSphere, or TAM. I will pay to see someone install some of these components on their demo laptops within a day.

Next steps -- using EC2 WSDL API along with the S3 WSDL API.

Stay tuned, my OCD stems from the thrill of being able to start 10 instances of MySQL with one command (ec2-run-instances).

Sunday, September 10, 2006

Amazon S3 - Penetrating Enterprise Backup Market

Amazon S3 (Simple Storage Service) is a virtual vault where one can store personal or corporate information. It is doing well with developers focused on building storage applications for personal use. I have a hard time backing up stuff and have had problems with my USB storage devices, so browser-based applications like S3Fox seem really attractive.

I think S3 is great for enterprise backup. However, Amazon will have to figure out an SLA that gives enterprises the same comfort that the Iron Mountain folks give Fortune 500 companies. Fortune 500 companies readily turn in their backup tapes to Iron Mountain, but hesitate when you talk about data backup using S3.

Amazon should look into building a physical offering (software or appliance) that acts as a staging area and is deployed within the enterprise with an option of asynchronously uploading information to S3. The SLA boundary would then be around the appliance and the S3 service.

Or perhaps Amazon should partner with IBM and build a plug-in for their backup tapes, which now include encryption.

Saturday, September 02, 2006

Why is SOA Testing Crucial?

After spending over 7 years working with XML-based messaging, I am really pleased to see that large vendors such as SAP, IBM, Oracle, BEA and Microsoft all expose their interfaces via WSDLs. This makes it easy for IT assets such as application servers, databases, ESBs, proxy servers, and enterprise applications to work seamlessly within a Service Oriented Architecture.

I have been on the road lately visiting my customers and reviewing their SOA deployments. SOAP-based messaging is getting deployed everywhere. WSDLs are being exchanged between trading partners and integrating with other systems is now easier than ever. One customer in particular has over 40 WSDLs with dozens of operations per WSDL. Their architecture is elegant, with a SOA Gateway from Forum Systems and a BPEL engine from Active Endpoints. However, their SOA testing models are rudimentary, using pre-SOA tools such as Mercury Interactive's QTP.

The ease of integration in a distributed and heterogeneous infrastructure puts tremendous burdens on the SOA Tester. Within a SOA, operations are heavily dependent on other operations that may be hosted by a services provider such as Amazon AWS. A SOA Tester has to build complex regression suites that test base operations as well as operations dependent on base operations. Such regression suites can get complex and need specialized techniques that keep SOA interoperability, security and reliability in mind.

I am happy to see larger commercial and public entities using web services to develop modern SOA. Now I hope that as web service deployments mature, SOA Testing techniques are shared and formalized to give modern system-to-system integration the necessary reliability, scalability and interoperability.