| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| WSRR policy enforcement in IIB |
« View previous topic :: View next topic » |
| Author |
Message
|
| touchofcrypticthunder |
 Posted: Fri Oct 04, 2013 6:31 am Post subject: WSRR policy enforcement in IIB |
 |
|
Apprentice
Joined: 08 Jul 2009
Posts: 30
|
I am working on project where client is using Datapower XI52, IIB V9 and WSRR as Enterprise Service Layer.
They would like to govern participating services. We suggested Datapower as policy enforcement point at the front and back side. Client is asking us what is the reason to introduce Datapower for the backend services, why can't policy enforcement be done in IIB? Client concern is, if we introduce Datapower for backend as well, it will be another hop in the service call which will impact the SLA. We infact told them that, processing of XML messages is very fast in Datapower and it is optimized for policy enforcements. Moreover Datapower is in the same datacenter as IIB. Still they are looking for some more justification points.
I do know in IIB, we can query serivce endpoints (EndPoint Lookup node) and documents (Registry Lookup node). But the requirement here is to enforce the WSRR policies AUTOMATICALLY in IIB similar to what Datapower does. I am not sure if this can be done in IIB. For ex. in WSRR a policy is defined with SLA < 3 sec. If the policy violation occurs, Datapower takes automatic action defined in policy say notifying business about the breach and so on.
Can such automatic policy enforcement be done in IIB?
Please provide your comments so that it will be easy for us to come to a decision. |
|
| Back to top |
|
 |
| lancelotlinc |
| Posted: Fri Oct 04, 2013 6:38 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
You've really touched on all the right points.
Yes, it can be done in IIB with the SecurityPEP (or other additional processing) node, but you are correct in saying that Datapower is the more optimized place to do it.
If your SLA is three seconds, you have loads of time to play with. Three seconds is an eternity so if you hosted in IIB, you will have plenty of time, even in light of the fact that it is not the optimized place to do it.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| touchofcrypticthunder |
| Posted: Fri Oct 04, 2013 8:49 am Post subject: |
|
|
Apprentice
Joined: 08 Jul 2009
Posts: 30
|
Thanks for the quick reply.
Security PEP node is used to enforce security policies like SAML assertion, LTPA and so on and this is not integrated with WSRR. Correct me if I am wrong.
Can we enforce Service level policies defined in WSRR like SLA using this node? |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Oct 04, 2013 9:14 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| touchofcrypticthunder wrote: |
Thanks for the quick reply.
Security PEP node is used to enforce security policies like SAML assertion, LTPA and so on and this is not integrated with WSRR. Correct me if I am wrong.
Can we enforce Service level policies defined in WSRR like SLA using this node? |
No, but that's why i said 'or other additional processing'. Using the architecture as designed, of course you would put this at the DataPower device. Since someone in management who has never developed any such architecture is overriding you, you'll have to reinvent the wheel in Compute nodes or other processing nodes to perform the task that should be done at the DataPower device. Its sad when a person in the management chain who has no practical experience orders things that do not make sense.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| touchofcrypticthunder |
| Posted: Fri Oct 04, 2013 9:37 am Post subject: |
|
|
Apprentice
Joined: 08 Jul 2009
Posts: 30
|
| Thanks for clarification and this will help us a lot to come to decision. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Oct 04, 2013 9:41 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| touchofcrypticthunder wrote: |
| Thanks for clarification and this will help us a lot to come to decision. |
Good luck ! I hope the concept of technical merit wins out over management 'intelligence'.
At an insurance company, the Manager who was all thumbs when it came to SOA, ordered that all payloads flow through a canonical message queue even when a Web Services interface was available. What he did not understand was that when 1 million messages were being processed, the response time for the 1 million + 1 message was several hours. Therefore, those messages that needed an SLA of 90 seconds timed out. No matter what I explained to him, he was adamant about his canonical queue requirement. AFAIK, his transactions are still timing out today. When Asst VP queried him about it, he said he never knew about the timeout.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| touchofcrypticthunder |
| Posted: Fri Oct 04, 2013 1:37 pm Post subject: |
|
|
Apprentice
Joined: 08 Jul 2009
Posts: 30
|
Sometimes we have no choice but to implement solutions that makes no sense.
I hope we will be able to convince the client to have the right solution. I will give you the updates. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
