PowerCenter Real-Time Development
Brian Bunn, Project Manager, Serco
Jay Moles, Sr. Informatica Designer, Serco
Tom Bennett, Sr. Consultant, Informatica

Agenda
• Overview of PowerCenter Web Services
• Error Handling
• Performance Tuning
• Web Services Security
• Implementation – Case Study
  • SERCO

Overview of Informatica PowerCenter Web Services

PowerCenter Web Services Hub
• Application Service
  • Client application gateway to PowerCenter Domain
• Batch Web Services
  • Integration Service Access
  • Repository Metadata Access
• Real-Time Web Services
  • Exposes Workflows as Web Services
  • PowerCenter Web Services Provider

Informatica PowerCenter Web Services Provider
• Architecture

Informatica PowerCenter Web Service Consumer
• Allow Integration with Web Services
  • 3rd Party
  • Provider
• Integration Sources
  • URL to Web Service
  • WSDL File
  • UDDI

Error Handling

SOAP Fault Messages
• FaultCode
• FaultString
  • Describes the error
• FaultActor (Optional)
  • URI of the host generating the error
• Detail (Optional)
  • Describes the cause of the error

Error Handling
• No SOAP Faults: Capture Source

Performance Tuning/Scalability

Performance Tuning
• Parameters to tune at the Workflow

Web Services Performance Tuning
• Parameters to tune at the Session level
  • Idle Time
  • Message Count
  • Reader Time Limit

Web Services Scalability
• Associate multiple repositories with a Web Services Hub
• Associate a repository with multiple Web Services Hubs
• Run multiple instances of a web service workflow
• Run web service sessions or workflows on a grid
• Load Balancer

Web Services Security

Security Use Cases
• Protect a web service from unauthorized usage (by requiring username and password)
• Manage web services as part of overall security policies and integrate with LDAP
• Protect a web service from DoS attacks or authentication attacks
• Allow a secured web service to be load balanced across multiple WSHs for performance and scalability

Web Service Hub Security
• Encryption
  • Encrypts repository information in the configuration file and in responses to Web service clients for login requests
• Authentication
  • Authenticates Web service clients’ user name and password
• Authorization
  • Checks that the Web service client has execute permission on a folder to run the service

Informatica WS-Security
• Support for Standard
  • OASIS WS-Security UsernameToken Profile 1.1
  • Single-pass authentication – user specifies the appropriate security headers in the actual request to the service
• Supports multiple-WSH load-balancing scenario
  • Username Tokens are associated with a repository within a specific domain and should be applicable to all WSHs associated with that repository
• Advanced support for encoded passwords
  • Hashed Passwords
  • Digested Passwords
• Prevent repeated DoS/login attacks
  • Support for NONCE values

WS-Security Feature Details (Part 1)
• UsernameToken Format:

WS-Security Feature Details (Part 2)
• Password Format Supported
  • Clear Text
  • Hashed – Same as clear text, but the password is encoded into a base64 20 bit hash value. Two hash algorithms supported: SHA-1 or MD5
  • Digested – A generated password that is of the following formula:
    • BASE64( SHA1_HASH (USERNAME + NONCE + CREATED) )
    • NONCE – randomly generated value that’s valid only once for that specific username token; it’s provided to allow someone to specify a one-time-only authentication token
    • CREATED – timestamp of when the UsernameToken was made, in UTC timezone format
      • Example: 2008/08/11T18:06:32.425Z (yyyy/MM/dd’T’HH:mm:ss.SSS’Z’)

WS-Security Feature Details (Part 3)
• Custom Property for NONCE and CREATED
  • NonceExpirationTime – custom property that can be set at the WSH to determine how long the hub should hold on to a specific NONCE value of a UsernameToken. By default this value is set to 300 seconds (5 minutes)
    • If a request is made containing the same NONCE value outside of this timeframe, the request will fail.
  • CreatedFreshnessPeriod – custom property that determines how long a user has between the time the first request is made using the CREATED value and the next. By default this value is set to 300 seconds (5 minutes)
    • If a request is made before this timestamp or after the expiration time following the timestamp, the request will fail.
  • These two custom properties can be used independently of each other or together to ensure greater security.
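A sketch of how the NONCE and CREATED checks described in Part 3 can be enforced, added here as an illustration and not taken from the slides or from the Web Services Hub itself. The class and function names are hypothetical, and it assumes a nonce is refused while the hub still holds it and that CREATED is compared against the hub's UTC clock.

```python
from datetime import datetime, timedelta, timezone

# CREATED layout from the slide: yyyy/MM/dd'T'HH:mm:ss.SSS'Z' (UTC)
CREATED_FORMAT = "%Y/%m/%dT%H:%M:%S.%fZ"


class TokenGate:
    """Hypothetical hub-side check of a UsernameToken's NONCE and CREATED."""

    def __init__(self, nonce_expiration_time=300, created_freshness_period=300):
        # Both defaults are the 300 seconds stated on the slide.
        self.nonce_ttl = timedelta(seconds=nonce_expiration_time)
        self.fresh = timedelta(seconds=created_freshness_period)
        self._held = {}  # (username, nonce) -> time the hub stops holding it

    def check(self, username, nonce, created, now=None):
        """Return (accepted, reason) for one request."""
        now = now or datetime.now(timezone.utc)
        try:
            ts = datetime.strptime(created, CREATED_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad-created"
        if now < ts:
            return False, "created-in-future"
        if now > ts + self.fresh:
            return False, "created-expired"
        # Forget nonces whose hold time has passed, then test for a replay.
        for key in [k for k, until in self._held.items() if until <= now]:
            del self._held[key]
        if (username, nonce) in self._held:
            return False, "nonce-replayed"
        self._held[(username, nonce)] = now + self.nonce_ttl
        return True, "ok"


def replay_outcomes(nonce_expiration_time, replay_after_seconds):
    """Send one constructed token twice; return the two check() results."""
    gate = TokenGate(nonce_expiration_time=nonce_expiration_time)
    created = "2008/08/11T18:06:32.425Z"  # the slide's example timestamp
    t0 = datetime(2008, 8, 11, 18, 6, 33, tzinfo=timezone.utc)
    first = gate.check("svc_user", "constructed-nonce-1", created, now=t0)
    again = gate.check("svc_user", "constructed-nonce-1", created,
                       now=t0 + timedelta(seconds=replay_after_seconds))
    return first, again


if __name__ == "__main__":
    print(replay_outcomes(300, 120))  # replay refused while the nonce is held
    print(replay_outcomes(60, 120))   # shorter hold than freshness: replay accepted
```

In this model, a nonce hold time shorter than the freshness period leaves a window in which a captured token is accepted a second time, so the two values are best set with the hold time at least as long as the freshness period.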
Case Study: Implementation Architecture

Case Study: Architecture

Web Services Throughput (examples)
• Production Environment (Multiple Servers)
  • RowsPerSecond – Overall numbers range between 100 and 1000 rps
    • If a request results in >10K rows, some customers have timed out.
  • RequestsPerMinute – Overall numbers range between 10 and 100.
    • If a request takes over 20 minutes, some customers have timed out.

The ETL Behind-the-Scene
• Production Web-Service – ‘Broadcast’ing Data
  • ‘Filtered’ Data – SOAP request has ‘parameters’ for result set
  • ‘SQL’ Transformation – the data source can be ‘dynamic’ [access/name]
  • ‘Sequence Generator’ Transformation – XML output has multiple rows!

Web Services Latency (examples)
• Single Server Web-Service
  • Initialization – it takes the WSH from 3 to 11 seconds to prepare the ETL.
  • Processing – it then takes the WSH about 1 second to start processing the ETL. At this point, the response time depends on the processing.
• Multiple Server Web-Service
  • Initialization – it takes the WSH from 3 to 11 seconds to prepare the ETL.
  • Invocation – it takes the WSH about 3 seconds to prepare the SOAP Request and invoke the internal web-service.
  • Processing – it then takes the internal WSH from 3 to 11 seconds to prepare the ETL, then the response time will depend on the internal processing.

Timeout/Fault Handling (examples)
• Input – Web-Services Source
  • Validation – ETL tests/verifies content of the request
• Output – Web-Services Target
  • Response – ETL always sends same formatted output, either a ‘status message’ or a pre-determined value
• Processing – depends on WSConsumer
  • Application Connection ‘Timeout’ – property set for internal WSH call
    • Will wait for a connection to internal WSH indefinitely.
    • Will wait for a response from internal WSH indefinitely.
  • These two properties prevent a forced timeout from the WSH.

Example – Our ‘Hello!’
• Simple Web-Service
  • No ‘input’ fields in SOAP Request, static text in SOAP response
  • Validates customer’s connection via SSL – ‘Hello!’

Example – Our ‘Addition’
• Two-Step Web-Service
  • Two ‘input’ fields in SOAP Request, ‘sum’ returned in SOAP response
  • Validates customer’s request will invoke internal web-service(s)

SSL Configuration

SSL Configuration – Setting Up SSL
• Keystore for Web Services Hub
  • Use the ‘keytool’ utility. You generate a keystore, generate a ‘signature request’ from it, have it signed by an authority, then install the signed file into your keystore.
  • Default keystore generated by the PowerCenter ‘installation’ process can be used for WSH, but be aware it is self-signed.
• Truststore for Web Services Hub
  • Add customers’ certificates to the ‘ca-bundle.crt’ files.
  • Use ‘openssl’ utilities to convert format if necessary. PEM format is required to add a certificate to the ‘ca-bundle.crt’ files.

SSL Configuration (examples)
• Creating the Keystore for Web Services Hub
  • Example of the ‘keytool’ utility. Prompts in black text, inputs in red.

SSL Configuration (examples)
• Creating the ‘Signature Request File’
  • Example of the ‘keytool’ utility using the created keystore.
• Have request ‘signed’ by your Authority
  • Independent firms: VeriSign.
• Install the ‘Signed Response File’
  • Example of the ‘keytool’ utility for the keystore and response.

SSL Configuration (examples)
• Installing the Customer Certificate
  • Customer certificates need to be in ‘PEM’ format.
    • If certificate is not PEM, convert it using ‘openssl’ utility. If customer’s certificate file is in a binary format, DER for example, convert it.
  • Add customer certificate text to the end of the ‘ca-bundle.crt’ files.
    • Add “PEM Data:” line before certificate text. Entry will look like this:
    • File in PowerCenter Installation Directory, sub-folders ‘server/bin’ and ‘services/shared/bin’ – both!
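One way to script the customer-certificate step above, with Python's standard `ssl` module standing in for the ‘openssl’ utility the slide names (an added example, not part of the original deck). The function names and the install-directory argument are hypothetical; the “PEM Data:” line and the two sub-folders are the ones given on the slide.

```python
import ssl
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
# Sub-folders of the PowerCenter installation directory named on the slide.
BUNDLE_DIRS = ("server/bin", "services/shared/bin")


def to_pem(cert_bytes):
    """Return one certificate as normalised PEM text, converting DER if needed."""
    text = cert_bytes.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        pem = text[text.index(PEM_HEADER):].strip()
        cert_bytes = ssl.PEM_cert_to_DER_cert(pem)  # ValueError if malformed
    if cert_bytes[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("input is neither PEM nor DER certificate data")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)


def install_customer_cert(install_dir, cert_bytes):
    """Append the certificate to both ca-bundle.crt files; return the sub-folders changed."""
    pem = to_pem(cert_bytes)
    changed = []
    for sub in BUNDLE_DIRS:
        bundle = Path(install_dir) / sub / "ca-bundle.crt"
        current = bundle.read_text() if bundle.exists() else ""
        if pem.strip() in current:
            continue  # already present in this bundle
        lead = "" if current == "" or current.endswith("\n") else "\n"
        with bundle.open("a") as fh:
            fh.write(lead + "PEM Data:\n" + pem)
        changed.append(sub)
    return changed


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())  # stand-in for the installation directory
    for sub in BUNDLE_DIRS:
        (root / sub).mkdir(parents=True)
    sample_der = b"\x30\x82\x00\x10" + bytes(16)  # constructed bytes, not a real certificate
    print(install_customer_cert(root, sample_der))  # both bundles updated
    print(install_customer_cert(root, sample_der))  # second run changes nothing
```

The conversion only re-encodes the bytes and does not establish who issued the certificate, so the customer's certificate still needs to be confirmed out of band before it is added to the truststore.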
SSL Configuration (examples)
• Using the Keystore in the Web Services Hub
  • Define the WSH service to use your signed-keystore.
  • URLScheme must be set to either ‘HTTPS’ or ‘HTTPandHTTPS’ for the Web Services Hub to utilize SSL and access the keystore.
  • Enter the keystore name and password used to create your keystore.

Tips, Best-Practices, etc.
• SOAP Request/Response: WSDL or Manual?
  • Inputs – XML of the in-bound request: one or multiple rows?
  • Outputs – XML of the out-bound response: one or multiple rows?
  • Processing – Initially, set up a ‘pass-thru’ with an ‘exp’ transformation and just the fields coming in and going out of the web-service. Basic ‘static’ test version. Then, add bits and pieces.
• TESTING your Web-Services
  • WSH and ‘TryIt!’ – ability to ‘run’ web-service, but limited.
  • soapUI – open-source tool (FREE!) that expands testing capabilities. Basically a ‘SOAP Client’ GUI.

Informatica Velocity Methodology
Velocity is the blueprint for delivering efficient and successful Informatica solutions that solve business problems.
• New Website
  • New search capability
  • Filtering/viewing content by
    • project type
    • project phase
    • or other tags
  • New accelerator tools
  • Hot links between the articles
• Access at: mysupport.informatica.com
• Visit the Informatica Pavilion at the Technology and Solutions Fair for more details. Check out more than 100 new articles!

Questions?

Stay In Touch!
• LinkedIn
  • Informatica Power Center Real-Time

Thank You