Transcription
VA Service Oriented Architecture (SOA)Technical Framework v0.3.1DraftApril 16, 2011Department of Veterans AffairsOffice of Information and Technology (OIT) Product Development (PD)VA Service Oriented Architecture (SOA)Technical FrameworkDRAFTV 0.3.1April 16, 20121
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Abstract: VA has recognized that a Service-Oriented Architecture (SOA) is the most effectivemechanism to allow VA agencies to share information and to implement business processes that spanorganizations. It also sees the use of an SOA as the most appropriate mechanism for allowingmultiple VA organizations to share interfaces with external entities. This document describes theframework within which VA expects to implement its SOA. This document discusses the technicalaspects of Service-Oriented Architectures and is intended to provide technical guidance for VAtechnology infrastructure needed to instantiate the SOA and to allow services to be developed. Thisdocument does not deal with the business process reengineering or other changes to VA policies orprocesses that may accompany a move to an architecture such as SOA. As used in the VA SOA, theterm service is distinct from the term “Web service.” While the SOA supports and recommends theuse of Web services where appropriate, it recognizes the need for services other than Web servicesand allows such non-Web services where necessary to meet VA or agency mission requirements.This document assumes that the reader is familiar with large-scale application systems and themethodologies used to support their design and development.2
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Document ApprovalLorraine LandfriedDateExecutive DirectorOIT, Office of Product DevelopmentAdditional Signatures (please print name and title below signature):DateDateDateDate3
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Document ControlAmendment RecordIssueDateAuthorComments0.1 (Draft)12/1/2011JeffreyMohrInitial Draft0.2 (Draft)12/15/2011 JeffreyMohrTechnical Edit and Content Update0.3.(Draft)1/9/2012JeffreyMohrUpdates to reconcile with EnterpriseApplication Architecture0.3.1 (Draft)4/16/2012JeffreyMohrMinor updates for consistencyThe latest version of this document supersedes all other previous issues.Distribution RecordIssueDateRecipients0.112/1/2011Selected Reviewers0.212/15/2011ASD and PD Management and Technical Review0.31/9/2012ASD and PD Management and Technical Review0.3.14/16/2012ASD and PD Management and Technical Review4
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Index of Acronyms and AbbreviationsACLAccess Control ListASCIIAmerican Standard Code for Information InterchangeAPIApplication Program InterfaceARMApplication-Capability Reference ModelACIDAtomic, Consistent, Isolated, and DurableATOAuthority to OperateBAMBusiness Activity MonitoringBPELBusiness Process Execution LanguageBPMNBusiness Processing Markup NotationBRMBusiness Reference ModelB2BBusiness-to BusinessCPICCapital Planning and Investment ControlCOECenter of ExcellenceCACertificate AuthorityCRLCertificate Revocation ListC&ACertification & AccreditationCCBChange Control BoardCIOChief Information OfficerCOTSCommercial Off the ShelfCOICommunity of InterestCCBSCore Common Business ServicesCCISCore Common Infrastructure ServicesDASData Access ServicesDISData Interchange ServicesDCOMDistributed Component Object ModelDRMData Reference ModelDBMSDatabase Management SystemDoDDepartment of DefenseDAADesignated Approving AuthorityDRDisaster Recovery5
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011DNSDomain Name ServiceDLLDynamic Link LibraryEDIElectronic Data InterchangeEDIFACTElectronic Data Interchange For Administration, Commerce andTransportEAIEnterprise Application IntegrationEAEnterprise ArchitectureELDMEnterprise Logical Data ModelERAMEnterprise Release Allocation MatrixESBEnterprise Service BusXMLExtensible Markup LanguageXSLTExtensible Stylesheet Language TransformationsETLExtract, Transform, and LoadSRMFEA -- Service Component Reference ModelFBCAFederal Bridge Certificate AuthorityFEAFederal Enterprise ArchitectureFEAFederal Enterprise ArchitectureFIPSFederal Information Processing StandardFismaFederal Information Security Management Act of 2002FPKIPAFederal Public Key Infrastructure Policy AuthorityFTPFile Transfer ProtocolFOCFull Operational CapabilityGUIDGlobal User IdentificationGAOGovernment Accountability OfficeGUIGraphical User InterfaceHL7Health level SevenHSPDHomeland Security Presidential DirectiveHTTPHypertext Transfer ProtocolHTTPSHypertext Transfer Protocol Secured SocketMQIBM WebSphere MQ SeriesIV&VIndependent Verification and ValidationIOCInitial Operational Capability6
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftISAInterconnection Security AgreementICDInterface Control DocumentIATOInterim Authority to OperateIAInternal AffairsJ2EEJava 2 Platform, Enterprise EditionJDBCJava Database ConnectivityJMSJava Message ServiceLDAPLightweight Directory Access ProtocolLANLocal Area NetworkMHSMilitary Health SystemMIMajor InitiativeMTBTMean Time Between FailureMTTRMean Time To RecoverMOAMemorandum of AgreementMOUMemorandum of UnderstandingMOMMessage Oriented MiddlewareMOMMessage Oriented MiddlewareNARANational Archive and Records AdministrationNIEMNational Information Exchange ModelNISTNational Institute of Standards and TechnologyOLAPOn-line Analytical ProcessingOLTPOn-line Transaction ProcessingODBCOpen Data Base ConnectivityODMSOperational Data Management SystemPRMPerformance Reference ModelPRMPerformance Reference ModelPEDPersonal Electronic DevicePIIPersonal Identifiable InformationPIVPersonal Identity VerificationPOCPoint of ContactPIAPrivacy Impact AnalysisPTAPrivacy Threshold Assessment7April 16, 2011
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011PHIPrivate Health InformationPMASProject Management Accountability SystemPKIPublic Key InfrastructurePUBPublicationRFIDRadio Frequency IDRARegistration AuthorityRMIRemote Method InvocationRPCRemote Procedure CallRoot CARoot Certificate AuthorityRESTRepresentation State TransferSSLSecure Socket LayerSAMLSecurity Assertion Markup LanguageSRASecurity Risk AssessmentST&ESecurity Test and EvaluationSBUSensitive But UnclassifiedSQLSequel Query LaneSCBAService Based Component ArchitectureSCRMService Component Reference ModelSIPService Insertion PackageSLAService Level AgreementSRMService Reference ModelSOService-OrientedSOAService-Oriented ArchitectureSOxService-Oriented Architecture or Service-Oriented IntegrationsSOIService-Oriented IntegrationSOAPSimple Object Access ProtocolSLSSingle Level SecuritySDLCSoftware Development Reference ModelSPSpecial PublicationSORNSystem of Record NoticeSDLCSystems Development Life CycleTRMTechnical Reference Model8
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011TRMTechnical Reference ModelTLSTransport Layer SecurityUDDIUniversal Description, Discovery, and IntegrationUIDUser IdentityUTCCoordinated Universal TimeVAVeterans AdministrationVistAVeterans Health Information Systems and Technology ArchitectureVPNVirtual Private NetworkWSDLWeb Service Definition LanguageWSILWS-InspectionXSDXML Schema Definition9
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Table of Contents1.Service-Oriented Architecture151.1. Introduction . 151.2. SOA Services vs. Web Services . 151.3. Role of Services . 171.4. Goals of the VA SOA Effort . 171.5. Purpose of this Document. 181.6. Scope . 182.Basis for VA Service-Oriented Architecture192.1. Relationship of this SOA to the OneVA EA and other Architecture Documents and Guidelines202.2. Relationship of Services to the VA Systems Development Life Cycle . 212.3. Service Support for Business Process Management . 212.4. Service Centricity . 222.5. Types of Services . 293.SOA Implementation Considerations293.1. Use of Standard, Syntactically, and Semantically Harmonized Data Definitions. 293.2. Extensible Markup Language (XML) as a Wire Format . 313.3. Need for Services to be Independent of Legacy Systems . 333.4. Need to Tie SOA to Technology-Based Architectures . 333.5. Nature of Services to be Provided. 343.6. Architecture Tiers / Service Layers / Service Types. 353.7. Enterprise Service Bus . 424.ESB Conceptual Model534.1. Interface Layers . 554.2. Functional Services Layer . 554.3. Utility Services Layer . 564.4. COTS Messaging Layer . 564.5. VA SOA Management and Governance Tower . 574.6. VA SOA Security and Privacy Tower . 575.ESB Logical Model5810
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 20115.1. Interface Level Services . 585.2. Web Services / Services . 605.3. Services Management . 625.4. Logical Model Component Descriptions . 635.5. Operational Overview . 706.Governance726.1. Use of the OneVA EA as the Basis for SOA Governance . 746.2. Portfolio Management . 756.3. Development, Specification, and Modification of Services . 756.4. Systems vs. Services. 786.5. The Effect of the SOA on Cross-Project Dependencies . 796.6. Project Responsibilities . 806.7. Sources for Services . 816.8. Service Contracts . 836.9. Service Level Agreements . 846.10.Managing SLAs . 866.11.Repositories, Directories, and Registries . 866.12.Service Discovery and Service Registries . 886.13.Publishing Services . 896.14.Quality Control for Services Published at the Enterprise Level . 897.Data Architecture907.1. Data Ownership and Stewardship . 907.2. Data Services . 917.3. Data Sharing . 948.SOA Security1038.1. Domain Model . 1068.2. Token or Credential Based Security. 1088.3. Security Implementation for Services . 1118.4. Identity Management Services . 1148.5.9.Services Logging . 115SOA Services Programming11811
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 20119.1. Services Programming Model . 1189.2. Publishing Services . 1199.3. Exposing Web Services . 1199.4. Service Contracts . 1229.5. Programming Synchronous vs. Asynchronous Services. 1229.6. Atomic Services . 1229.7. Orchestration . 1239.8. Compensating Services . 1239.9. Correlation . 12312
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011List of FiguresFigure 1 - Data Adapter to Translate from a Native Application Format . 30Figure 2 - Placement of XML Adapters . 32Figure 3 - Architectural Layers . 36Figure 4 - SOA Stack in the Enterprise Application Architecture . 43Figure 5 Point to Point vs. Standard Messages with Hub . 44Figure 6 - ESB Capabilities . 46Figure 7 -- Exception Processing for Orchestrated Services . 50Figure 8 - ESB Conceptual Model . 54Figure 9 - ESB Logical Model. 65Figure 10 - Data Access and Data Interchange Services . 92Figure 11 - Possible Locations for Data Transformation Adapters . 93Figure 12 - Data Reference Characteristics . 100Figure 13 - Recommended and Allowed Data Transfer Mechanisms vs. Organizations to which theData is Transferred . 102Figure 14 -- Digital Signature Process Flow . 110Figure 15 - Service Providing Multiple Functions and Multiple Interfaces . 118Figure 16 - Orchestration of a Service . 12013
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011List of TablesTable 1. Data Transfer Mechanism . 97Table 2. Data Sharing Relationships . 99Table 3. Data Reference Recommendations. 102Table 4. Key Security Capabilities . 11414
VA Service Oriented ArchitectureTechnical Framework v0.3.11.1.1.DraftApril 16, 2011Service-Oriented ArchitectureIntroductionA Service-Oriented Architecture (SOA) is an architecture in which business functionality is providedby a set of discrete, communicating “services” rather than by monolithic applications1. VA hasdetermined that using an SOA to provide internal and external applications access to data owned byand processing performed by VA is the best approach to sharing data within VA, acquiring data fromexternal sources, providing data to external users, and reducing redundancies across the VA businessareas. The SOA is also viewed as the best approach for both sharing data and assuringinteroperability across VA applications as well as supporting cross functional integration and datasharing across functional silos within a single business area and across business areas. Each of theseuses of an SOA is viewed as equally important aspects of this SOA.The use of an SOA is intended to provide many operational benefits, including improving reuse ofcode, providing more current views of data to all who need it, improving business functionality; allwhile lowering costs and improving overall operational effectiveness. High levels of code reuse comefrom having a single service to perform any given function, rather than the more traditional use ofcode from a code library.Some consider an SOA to be an abstraction layer that provides agile business services to the userwhile hiding the underlying complexity of the technology. However, an SOA is much more than justan abstraction layer. It provides a very different approach to architecting solutions than has been usedpreviously and requires a mind shift from designing monolithic (and ever growing) stovepipes todesigning reusable components that can be combined in multiple ways to perform different functions.One issue with SOA is that there are many definitions of SOA and many organizations haveimplemented something that they call an SOA, but each of which is markedly different. Therefore,lacking a standard definition of SOA, the definition of SOA as used in this Technical Framework isas defined in this Technical Framework, and should not be confused with alternative definitions thatmay be used elsewhere.1.2.SOA Services vs. Web ServicesThere is general agreement in the literature that the term service as used in SOA is distinct from theterm service as used in “Web services,” which are services specified by and provided based on aspecific set of standards – usually with a name in the form WS-XXXX. As used in this paper, theterm “Web services” specifically refers to services provided in compliance with that set of standards.1Architecture normally includes much more than just technology. An architecture normally includes businessfunctionality, people, and process as well as technology. However, the SOA described in this document is atechnology architecture. This document does not describe changes to the VA business or process architecturethat result from implementation of the SOA. This SOA is a technology / application architecture and not abusiness architecture. Aspects of the VA architecture including descriptions of business functionality, people,and processes are included in other portions of the OneVA EA.15
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011As used in this paper, services is a more general term that includes Web services, but also includesservices that are not compliant with those standards.“Web services” as that term is most often used are very coarse grained services and will be usedprimarily for interactions with users and systems external to VA. The term Service-OrientedIntegration (SOI) has been used to refer to the use of services to expose functionality of legacysystems and thus foster the integration of functionality of those systems into a modern enterprise.Some writers have used to acronym SOx to refer to both SOA and SOI. Initially at least, a major useof services implemented as part of this SOA will be to expose functionality of legacy systems and toserve as a basis for the modernization of VA systems and thus, more properly fall under the rubric ofSOI. In this paper, the term SOA is used to cover the full range of service related concepts includingboth SOA and SOI, but decidedly not limited to Web services2. This SOA covers providing servicesboth to provide interoperability between VA systems as well as to support integration of thosesystems whether they are in the same business area or MI or whether they are in different businessareas or MIs.The use of services is an architectural style and paradigm for how applications are accessed and usedsubstantially predates the “Web” or “Web services.” A Service-Oriented Architecture could bedeveloped entirely for internal use and without regard to any of the Web services standards andprotocols etc.3 Web services includes a number of standards that allow services developed bydifferent organizations to interact in a standard manner and to develop levels of trust between theservice provider and the consumer. An organization could implement an SOA and support no Webservices or Web services standards. An organization could also implement a set of Web serviceswhile still supporting its business through a set of monolithic mainframe services. In fact, thisapproach is a very common approach to SOA implementation. The approach taken in this SOA is topublish a set of fine grained services that can be orchestrated into large complex systems.One goal of this SOA is to change the orientation of VA systems from being large monolithic systemsthat grow ever more complex as new requirements are added over time. The issue with thesecomplex monolithic systems is that they grow ever more costly to support and maintain in partbecause any change to the system may require regression testing of the full system. By buildingsystems through the orchestration of fine grained services new requirements can be met by building asmall number of new services and orchestrating those new services with existing services – allowingeach orchestration to be tested independently, thus decoupling the changes from each other andlimiting the growth in the complexity of the systems.2This SOA involves layering what may be termed a conventional SOA over a traditional n-tier application architecturethereby obviating the possibility of implementing traditional Web services that provide external service consumers withaccess to internal functionality. Services in the presentation layer may provide “Web services” to external users orsystems and may make service requests (typically by means of MQ Series messages) to business logic tier services. It isthe services at the business logic tier that are the primary focus of this effort.3Although the use of “services” as the basis for an architecture substantially predates the development of “Web services”,SOAs did become highly popular until the advent of “Web services” based on open protocols developed.16
VA Service Oriented ArchitectureTechnical Framework v0.3.1DraftApril 16, 2011Externally exposed services should conform to applicable Web services or other required “nonservice” standards. These services will be relatively coarse grained and will provide relatively majorfunctional capabilities. Services that are only exposed within an application will likely be much finergrained and are less likely to conform to Web services standards. The notion is that services exposedexternal to VA will be relatively coarse-grained services – services that perform a reasonable amountof work. These services may be composed of a number of fine-grained services. Since services arealso viewed as a mechanism to simplify applications and to speed application development, servicesmay need to be very lightweight and to be used where there is a very high degree of trust between theservice provider and service consumer – a much higher degree of trust than typically exists betweenWeb service consumers and Web service providers who are typically unknown to each other.Each VA business area or MI may also internally publish a relatively much larger number of servicesdesigned exclusively for use within that business area or MI that will not be published externally 4 andwhich will not be directly accessible external to the business area or MI, but which may be called oraccessed by business area or MI services that are externally published. These internal services may,or may not, conform to some or all Web services standards. Further, individual projects may developand publish services exclusively for use within their internal application that may not be compliantwith Web services standards. These internal services will be relatively fine-grained and will performdiscrete functions.1.3.Role of ServicesThis SOA draws a distinction between SOA services and Web services or even large coarse grainedservices. This SOA requires the use of services for the full development of applications specificallyto include all data access logic, business logic, presentation logic, and interface logic. This meansthat this SOA must define the full range of services required to support all aspects of systemoperation. Therefore, this SOA will define a far wider range of services and the infrastructurerequired to support them then might be typical in many SOA descriptions.1.4.Goals of the VA SOA EffortMajor goals of the implementation of the SOA described in this document include: To provide information sharing across VA and between VA and DoD Reduce the implementation of duplicative interfaces with external organizations and theimplementation of the same capabilities in multiple VA systems Foster greater reuse of existing services that reduce cost and maximize applicationefficiencies4While the statement that many services may not be exposed externally to a business area, MI, or system may seemed tocontradict the goal of this SOA which is intended to promote interoperability and integration across systems, businessareas, and MIs, the use of very fine grained services makes exposing all services across the enterprise impossible as manyfine grained services will necessarily be built on the assumption that certain work has been performed (e.g., inputs havebeen validated, data has been converted to an internal format, users have been authenticated etc.)17
VA Service Oriented ArchitectureTechnical Framework v0.3.11.5.DraftApril 16, 2011 Implement all modernized applications completely as collections of services and that servicesare not just used to share information between applications or between agencies, but as thecore of the system Allow projects to rationalize and modernize those systems without impacting users of theinformation Allow systems and databases to be updated, merged, and / or rationalized Provide for the development of syntactically and semantically harmonized messages acrossVAPurpose of this DocumentThis document is intended to serve as a framework to guide the instantiation of an SOA andassociated technologies throughout VA to promote the sharing of information between VA and DoD,across portfolios of Major Initiatives (MIs) and business areas within VA, and with organizationsoutside of VA. These uses of an SOA would be considered to be the typical use of an SOA andapplication of services. However, this framework is also intended to provide the basis for theimplementation of applications using finer grained services than would be used to share informationacross business areas or MIs. The use of an SOA for these purposes embodies a significantlydifferent application development philosophy than is commonly used and which has resulted in thecomplex, monolithic applications that are common today. Because a change to applicationarchitecture philosophy is included, it is necessary
A Service-Oriented Architecture (SOA) is an architecture in which business functionality is provided by a set of discrete, communicating “services” rather than by monolithic applications1. VA h
