The Battle to Transport XML Business Documents
OASIS / CEFACT JMT
David RR Webber, XML Business Development, SmartDraw VisualScripts
Focus: Today’s medium to large enterprises face a bewildering array of interchange format and mechanism choices.
Agenda
• Looking at the business problem
• Messaging Solutions
• Evaluation of capabilities
Fusion of EDI and XML – roadmap to attain this?
[Diagram labels: XML, Agents, Templates, Web Implementation, Foundation Processing Methods, Logic Fusion Repository, EDI, Global Reference Dictionary, Business Methods]
• Today, we can effectively manage and transfer business information for our enterprise and with partners.
• Leverage the experience and capabilities of EDI and XML.
Business Goals
• Since everyone’s business needs vary depending on their own circumstances, the focus here is on providing the means to understand the technology capabilities and then giving guidelines on how those relate to solving typical business needs.
• Obviously the optimum business solution is to purchase just the right amount of technology to solve the given business requirements.
It’s All About Business…
• Top-down or bottom-up, global B2B standards, interoperability efforts or web services…
• The success of all standards, current and evolving, is dependent on the capability to satisfy business needs.
• It’s all about business – understanding the business needs, objectives, processes and their execution within or outside of your enterprise.
• Knowledge is power…use it effectively.
• Secure and tamper-proof delivery mechanisms
• Verification that my order or invoice was received
• Capability to understand whom I am transacting with
• Confidence that the message received is what my trading partner sent
• Lower maintenance costs due to adequate error handling
• More control over deployment costs with certified interoperable software components
Messaging Technologies Summary
Selection of common solutions
• FAX
• IVR
• EDI/VAN
• AS2/EDIINT
• Email
• Dial-in modem (BBS)
• Web Pages
• SOAP
• ebMS
TCP/IP Common Protocols
Nomenclature for TCP/IP messaging protocols:
Robust Delivery Feature Set
• Delivery failure recovery
• Packaging control
• Message structure validation
• Envelope validation
• Signature support
• Encryption support on envelope
• Encryption support on payload
• Payload structure validation
• Routing support
• Receipt confirmation
• Backend application control
• Activity tracking
FTP Basics
• FTP (File Transfer Protocol) is a standard transport protocol used for file transfer.
• An FTP client initiates a conversation with an FTP server, and file transfer can occur in both directions.
• A very common way to exchange files over the internet or a network.
• Files can be of any type and do not necessarily need a browser to view.
• FTP can be performed via a client or from the command prompt.
• You can also update (delete, rename, move, and copy) files at a server.
SMTP Model
[Diagram labels: User, Sender-SMTP, Receiver-SMTP, SMTP Commands/Replies and Mail, File System]
Connection established between sender (client) and receiver (server):
• Port 25 connection / receiver acknowledgment
• Announcement of recipient and sender
• Delivery of message
MIME Basics
• MIME (Multi-Purpose Internet Mail Extensions) is the magic behind associations between file types and their appropriate “player”.
• Extension of the original email protocol.
• Some players are built into the browser.
• MIME headers are inserted at the beginning of a web transmission.
• Defines the standard representation for "complex" message bodies.
• It offers a simple standardized way to represent and encode a wide variety of media types for transmission via the Internet.
Example: On a website that has a URL ending in .pdf, when you click on this link your browser knows to open up Adobe Acrobat.
MIME Types
The 7 Content-types defined in MIME are:
IT Security
• Authentication
  • Proves the identity of a user -- Are you who you say you are?
  • Basis of all security enforcement
  • Digital Signature -- the receiver can be sure of the sender's identity and that the message arrived intact without being changed
• Authorization
  • Proves the access rights of a user -- Do you have the proper security clearance?
  • Usually handled at application level
  • Apartment Building example / Secure Id example
S/MIME
• S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending encrypted data over the internet.
• S/MIME describes how encryption information and a digital certificate can be included as part of the message body.
• S/MIME envelopes HTTP and encrypts data.
• S/MIME is the standard means of enveloping and transporting virtually all eMail on the Internet.
• Can be used as a security mechanism for AS2.
S/FTP
What is S/FTP?
• S/FTP can be used to securely transfer files to internal and hosted applications over the Internet.
• It meets the growing need for applications that require the client and server to authenticate one another and exchange sensitive information confidentially and securely.
• S/FTP meets this requirement by providing a secure communication mechanism between an FTP client and server.
S/FTP
• Client and server authenticate one another and exchange sensitive information confidentially and securely.
• S/FTP is the same protocol as FTP but uses “certificates” for authentication of sender and receiver.
• Encryption is used to ensure that data is protected from interception and modification during transmission.
• Securing the data is via Secure Sockets Layer.
S/FTP - Proxy
What is a Proxy?
• Standard Internet security term that refers to a program that receives requests on behalf of another application and passes them along.
• A proxy is used as an intermediary that passes a client’s requests to the internet (multiple NIC cards).
• Neither the requestor nor the sender realizes that they are dealing with a third party (proxy) when passing data back and forth.
• Can be used in many ways, such as filtering content and other security purposes.
S/FTP Proxy Functions
[Diagram: Internet – Firewall 1 – DMZ (S/FTP Proxy) – Firewall 2 – Intranet (Enterprise FTP Server); hosts A, B, C]
The S/FTP Proxy determines the Enterprise Host from the configuration or from values sent by the client (e.g. myuser@mymachine.com:12345).
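As an added illustration of the routing decision just described (not part of the original deck or any proxy product), the function below parses the user@host:port value a client might send and relays only to hosts and ports the proxy is configured for; the allowlist entries other than the slide's own myuser@mymachine.com:12345 are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: the enterprise hosts (behind Firewall 2) this DMZ proxy may
# forward to, and the ports allowed on each. A real proxy reads this from its
# configuration (assumption). The first entry mirrors the slide's example value.
ALLOWED_HOSTS = {
    "mymachine.com": {21, 12345},
    "erp-ftp.example.com": {990},
}

# user@host[:port] as shown on the slide; host and user character sets are kept narrow
# so that nothing but a plain hostname can reach the connect step.
_TOKEN = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]{1,64})@(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$"
)


@dataclass(frozen=True)
class Route:
    user: str
    host: str
    port: int


def parse_login_token(token: str, default_port: int = 21) -> Route:
    """Split 'user@host:port' into its parts; reject anything that does not fit the shape."""
    m = _TOKEN.match(token)
    if not m:
        raise ValueError("malformed routing token")
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return Route(m.group("user"), m.group("host").lower(), port)


def select_backend(token: str, allowed=ALLOWED_HOSTS) -> Route:
    """Return the enterprise host/port to connect to, or refuse if the client named
    a destination the proxy is not configured for (the proxy must not become an open relay)."""
    route = parse_login_token(token)
    ports = allowed.get(route.host)
    if ports is None or route.port not in ports:
        raise PermissionError(f"refusing to relay to {route.host}:{route.port}")
    return route


if __name__ == "__main__":
    print(select_backend("myuser@mymachine.com:12345"))
```

The allowlist check is the point: the client-supplied value chooses among configured hosts, it never introduces a new one.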
AS2 Background
• AS2 (Applicability Statement 2) is the standard by which vendor applications transport EDI, XML, or UDF via the internet using HTTP.
• 2nd generation standard built upon AS1, which uses SMTP.
• Secure document transport.
• Specifies means to connect, deliver, validate, and reply to data -- it does not validate data structure.
• The Drummond Group works with software vendors and the standards community and facilitates interoperability conformance testing.
• GE Global eXchange Services is one of 8 companies (as at August 2001) to have successfully passed Drummond Group AS2 interoperability tests.
The AS2 specification supports EDI or any other data transmittals over the Internet using HTTPS.
AS2 Benefits
• The AS1/AS2 standards benefit the user by significantly reducing traditional communications costs associated with EDI.
• AS2 supports the use of HTTPS (SSL) for secure channel connections, S/MIME, and PGP/MIME.
• Reduction in VAN costs by using the internet.
• A side benefit has also been the decrease in turn-around time for business transactions.
• Since ROI is tied to transaction volume or savings per transaction, higher volumes will show higher payback more quickly.
AS1 & AS2 are transport mechanisms.
AS1 and AS2 Tech Specs
• The AS1/2 Sender determines the security options for the ‘Session’.
• When sending data, the AS1/2 Sender can:
  • Digitally sign the message
  • Encrypt the data
  • Both sign and encrypt
• The AS1/2 Sender can request that receipts are signed.
• AS1/2 will support 1024-bit keys for public key encryption and 128-bit keys for symmetric encryption.
• SHA1 and MD5 for hashing and Triple-DES (3DES) for encryption.
• Security dependent on transport protocol:
  • AS2: HTTP - SSL3/TLS 1.0, S/MIME, or PGP/MIME
  • AS1: SMTP - S/MIME or PGP/MIME
Example: Receiving AS2 Message
[Diagram: Internet → HTTP Proxy (DMZ) → Web server → AS2 System (AS2 Inbound / AS2 Outbound) → Receiver’s System (Intranet); data flows inbound, receipt flows back outbound]
Deployment Flows / Components
[Diagram labels, numbered steps 1–5: Collaboration Partner Profiles, Collaboration Partner Agreements, To/From Partner, Registry, Events, Adaptors, Rules, Messages, Transform, BP engine, Verbs, Nouns, Content Payload, Process, Secure Content Delivery, Messaging, Roles, Templates, ebXML / WS]
Registry Server Runtime Stack Components
[Diagram labels: CPP/A, BP Rules, BPEE, ebXML Message Content, BPSS, ebXML MHS, URL config, Port Security, I/O, App Server, Payload(s), O/S]
ebXML Message Structure
• Communication Protocol Envelope (HTTP, SMTP, etc.)
  • SOAP Messages with Attachments MIME Envelope (Message Package)
    • MIME Part: Header Container
      • SOAP-ENV:Envelope
        • SOAP-ENV:Header – ebXML Header Information: eb:MessageHeader, eb:TraceHeaderList, Other:etc…
        • SOAP-ENV:Body – ebXML Message Service Handler control data: eb:Manifest, eb:etc…, Other:etc…
    • MIME Part: Payload Container(s)
      • Payload
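The package layout above, and the MIME basics slide earlier, as a worked example added here rather than taken from the deck or from any ebXML implementation: it builds a SOAP-ENV:Envelope carrying eb:MessageHeader in the Header and eb:Manifest in the Body, wraps it with a payload container in a multipart/related MIME message package, and on unpacking refuses any package whose manifest references a part that is not present. The eb: namespace URI, party ids, message ids and Content-IDs are constructed placeholders, not the real ebMS schema values.

```python
import xml.etree.ElementTree as ET
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Placeholder namespace for the eb: elements (assumption, not the real ebMS schema URI).
EB_NS = "urn:example:ebxml-msg-header"
HEADER_CID = "ebxml-header"  # constructed Content-ID for the header container


def build_soap_envelope(message_id: str, from_party: str, to_party: str, payload_cids: list) -> bytes:
    """SOAP-ENV:Envelope with eb:MessageHeader in the Header and eb:Manifest in the Body."""
    ET.register_namespace("SOAP-ENV", SOAP_NS)
    ET.register_namespace("eb", EB_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    mh = ET.SubElement(header, f"{{{EB_NS}}}MessageHeader")
    ET.SubElement(ET.SubElement(mh, f"{{{EB_NS}}}From"), f"{{{EB_NS}}}PartyId").text = from_party
    ET.SubElement(ET.SubElement(mh, f"{{{EB_NS}}}To"), f"{{{EB_NS}}}PartyId").text = to_party
    ET.SubElement(ET.SubElement(mh, f"{{{EB_NS}}}MessageData"), f"{{{EB_NS}}}MessageId").text = message_id
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    manifest = ET.SubElement(body, f"{{{EB_NS}}}Manifest")
    for cid in payload_cids:
        # each Reference points at a payload container by its Content-ID
        ET.SubElement(manifest, f"{{{EB_NS}}}Reference", {"href": f"cid:{cid}"})
    return ET.tostring(env, xml_declaration=True, encoding="utf-8")


def package(envelope: bytes, payloads: dict) -> bytes:
    """Wrap the header container and payload containers in a multipart/related message package."""
    pkg = MIMEMultipart("related", type="text/xml")
    head = MIMEText(envelope.decode("utf-8"), "xml", "utf-8")
    head["Content-ID"] = f"<{HEADER_CID}>"
    pkg.attach(head)
    for cid, data in payloads.items():
        part = MIMEApplication(data, "xml")  # payload container, base64-encoded
        part["Content-ID"] = f"<{cid}>"
        pkg.attach(part)
    return pkg.as_bytes()


def unpack(raw: bytes) -> dict:
    """Parse a package back; reject it if the manifest references a part that is not there."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not a SOAP-with-attachments package")
    parts = {(p.get("Content-ID") or "").strip("<>"): p for p in msg.get_payload()}
    if HEADER_CID not in parts:
        raise ValueError("header container missing")
    env = ET.fromstring(parts[HEADER_CID].get_payload(decode=True))
    mh = env.find(f"{{{SOAP_NS}}}Header/{{{EB_NS}}}MessageHeader")
    if mh is None:
        raise ValueError("eb:MessageHeader missing")
    payloads = {}
    for ref in env.iterfind(f"{{{SOAP_NS}}}Body/{{{EB_NS}}}Manifest/{{{EB_NS}}}Reference"):
        href = ref.get("href", "")
        if not href.startswith("cid:") or href[4:] not in parts:
            raise ValueError(f"manifest reference {href!r} does not resolve to a MIME part")
        payloads[href[4:]] = parts[href[4:]].get_payload(decode=True)
    return {
        "message_id": mh.findtext(f"{{{EB_NS}}}MessageData/{{{EB_NS}}}MessageId"),
        "from": mh.findtext(f"{{{EB_NS}}}From/{{{EB_NS}}}PartyId"),
        "to": mh.findtext(f"{{{EB_NS}}}To/{{{EB_NS}}}PartyId"),
        "payloads": payloads,
    }


if __name__ == "__main__":
    order = b'<?xml version="1.0"?><Order id="PO-42"/>'  # constructed payload
    raw = package(build_soap_envelope("msg-1", "PartyA", "PartyB", ["payload-1"]), {"payload-1": order})
    print(unpack(raw))
```

The manifest is the receiver's packaging check: a payload that the manifest does not name, or a reference with no matching part, is an error rather than something to guess around.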
Interchange sequence detail
• A complete interchange consists of successfully:
  • passed authentication/access control
  • sent the bits to the other end
  • checked the packaging
  • checked the header structure
  • checked the header data
  • checked the signature on a header (*)
  • decrypted the payload (*)
  • verified the signature on a payload (*)
  • checked the structure of a payload (*)
  • passed the translated payload to a backend system/application for processing
  • backend application successfully processed the payload
  • receipt confirmation (*)
Note: Items denoted (*) are optional
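The checklist above as an added, runnable example (not from the deck or from any AS2/ebMS product): each step is a function that raises with its step name, so a failed interchange produces a receipt that says exactly where it stopped, which is what the earlier "adequate error handling" point asks for. The partner table, shared keys and document ids are constructed assumptions; the header names follow AS2 (AS2-From, AS2-To, Message-ID) and the receipt carries a Received-Content-MIC computed with SHA1 as the tech-specs slide lists, but the HMAC stands in for the S/MIME certificate signature, and the optional decryption step is left out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

OUR_ID = "Enterprise"
OUR_KEY = b"demo-enterprise-receipt-key"  # constructed; used to sign receipts
# Constructed partner table (assumption). The HMAC key stands in for the partner's
# certificate: real AS2/ebMS verify an S/MIME or XML signature instead.
PARTNERS = {
    "PartnerA": {"key": b"demo-shared-key-for-PartnerA", "roots": {"Order", "Invoice"}},
}
REQUIRED_HEADERS = ("AS2-From", "AS2-To", "Message-ID", "Content-Type")


class InterchangeError(Exception):
    """Raised by a check; .step names the failed step for the log and the receipt."""
    def __init__(self, step: str, reason: str):
        super().__init__(f"{step}: {reason}")
        self.step, self.reason = step, reason


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(sender: str, payload: bytes, key: bytes, msg_id: str = "msg-0001") -> dict:
    """Constructed inbound message: AS2-style headers plus a signed payload."""
    return {"AS2-From": sender, "AS2-To": OUR_ID, "Message-ID": msg_id,
            "Content-Type": "application/xml", "payload": payload, "signature": sign(key, payload)}


def check_packaging(msg: dict) -> None:
    missing = [h for h in REQUIRED_HEADERS if not msg.get(h)]
    if missing:
        raise InterchangeError("packaging", f"missing headers {missing}")
    if msg["Content-Type"] != "application/xml":
        raise InterchangeError("packaging", "unexpected content type")


def check_header_data(msg: dict) -> None:
    if msg["AS2-To"] != OUR_ID:
        raise InterchangeError("header-data", "message not addressed to us")
    if msg["AS2-From"] not in PARTNERS:
        raise InterchangeError("header-data", "unknown trading partner")


def verify_signature(msg: dict) -> None:
    expected = sign(PARTNERS[msg["AS2-From"]]["key"], msg["payload"])
    if not hmac.compare_digest(expected, msg.get("signature", "")):
        raise InterchangeError("signature", "payload signature does not verify")


def check_payload_structure(msg: dict) -> ET.Element:
    try:
        root = ET.fromstring(msg["payload"])
    except ET.ParseError as exc:
        raise InterchangeError("payload-structure", f"not well-formed XML: {exc}")
    if root.tag not in PARTNERS[msg["AS2-From"]]["roots"]:
        raise InterchangeError("payload-structure", f"unexpected document type {root.tag}")
    return root


def backend_process(root: ET.Element) -> str:
    doc_id = root.get("id")
    if not doc_id:
        raise InterchangeError("backend", "document carries no id")
    return doc_id  # a real backend hands this to the order/invoice system


def receive(msg: dict) -> dict:
    """Run the checks in the slide's order and return a receipt (MDN-like) for the sender."""
    mic = base64.b64encode(hashlib.sha1(msg.get("payload", b"")).digest()).decode()
    receipt = {"Original-Message-ID": msg.get("Message-ID"), "Received-Content-MIC": f"{mic}, sha1"}
    try:
        check_packaging(msg)
        check_header_data(msg)
        verify_signature(msg)
        receipt["Processed-Document"] = backend_process(check_payload_structure(msg))
        receipt["Disposition"] = "processed"
    except InterchangeError as err:
        receipt["Disposition"] = f"failed/{err.step}"
        receipt["Reason"] = err.reason
    # signed receipt, as the sender may request (stand-in for a signed MDN)
    receipt["Signature"] = sign(OUR_KEY, (receipt["Disposition"] + mic).encode())
    return receipt


if __name__ == "__main__":
    good = make_message("PartnerA", b'<Order id="PO-42"/>', PARTNERS["PartnerA"]["key"])
    print(receive(good))
```

Because the signature is verified before the payload is parsed, a tampered document is rejected at the "signature" step without the XML parser ever seeing attacker-controlled content.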
Web service – brief history
• Trigger point – weakness of the HTML model for e-commerce solutions.
• Emergence of XML and SOAP messaging.
• Bowstreet early market definition and mission.
• Formation of the UDDI cartel – to facilitate and exploit automation of e-commerce.
Acronym Soup
• XML – Standard language for denoting information content and process control
• SOAP - (Simple Object Access Protocol) XML-based messaging protocol
• UDDI - (Universal Description, Discovery and Integration) Yellow Pages for Web Services
• WSDL - (Web Services Description Language)
Comparative Matrix (fragment)

| Capability | FAX | Dial-in IVR | EDI VAN (sftp) | AS2 EDIINT | Email | Dial-in modem | Web Pages | SOAP | ebMS |
|---|---|---|---|---|---|---|---|---|---|
| Authentication / access control | Dialer's # printed on FAX | PIN required from user | Account passwords and access ports | Account passwords and access ports | Limited ability to trace sender | PIN / account validation, dialer's # | PIN / account validation | Access port address | Account passwords and access ports |
| score | 6 | 5 | 8 | 8 | 4 | 6 | 6 | 5 | 8 |
| Robust delivery protocol | FAX-3 checks delivery | Directed menu, call restarts if not complete | Dedicated transmission lines | Internet delivery via TCP/IP | SMTP and TCP/IP | Modem protocols | TCP/IP | TCP/IP | TCP/IP or SMTP |
| score | 7 | 8 | 9 | 8 | 8 | 8 | 8 | 8 | 8 |
| Delivery failure recovery | Re-dial, re-send | Re-dial | Re-send | Real-time delivery | Manual diagnostic required | Manual post-check required | Manual post-check required | Real-time delivery | Reliable messaging |
| score | 7 | 5 | 9 | 5 | 3 | 3 | 3 | 5 | 9 |
| Packaging control | None | Menus | EDI segments | EDI segments | Attachments | Limited | Pages | XML based | XML, MIME + attachments |
| score | 0 | 5 | 8 | 8 | 6 | 6 | 6 | 8 | 9 |
| Message structure | Pre-printed forms | Menus | EDI structure, and XML | EDI structure, and XML | XML or similar payload | Limited | XML server-side output | XML + DTD / Schema | XML + business templates, and EDI |
| score | 5 | 5 | 8 | 8 | 5 | 5 | 9 | 8 | 9 |
Availability and Suitability Matrix (fragment)

| Capability | FAX | Dial-in IVR | EDI VAN (sftp) | AS2 EDIINT | Email | Dial-in modem | Web Pages | SOAP | ebMS |
|---|---|---|---|---|---|---|---|---|---|
| Robust delivery with proven / independently certified interoperable solutions | Yes, FAX group 3, but delivery controls weak | Can create XML formats; telephone interfaces error prone | Yes | Yes, but real-time model limits robustness | Yes, but error recovery weak and delivery unspecific | Can deliver text and XML formats, proprietary connections / delivery | Yes (W3C test suite) | Single source through Apache project, weak error recovery | Yes (IIC test suite and conformance tests available)[1] |
| score | 7 | 5 | 9 | 8 | 4 | 6 | 6 | 6 | 9 |
| Open source and very low cost tools available | Yes | Low cost tools | Some limited open source | No open source, some low cost tools | Yes | Yes | Yes | Apache project | Yes |
| score | 9 | 8 | 8 | 6 | 9 | 9 | 9 | 9 | 9 |
| Completeness of information gathered | Weak validation and format checking | Menu driven limits data content | Post validation supported | Post validation supported | Supports text content but weak error support | Supports text content but weak error support | Yes, but form edits may restrict options for entry | XML validation but weak post validation support | XML validation and post validation supported |
| score | 3 | 5 | 8 | 8 | 6 | 6 | 8 | 7 | 8 |

[1] ebXML IIC Test Framework (Conformance and Interoperability) and Basic Interoperability Profile for ebMS (Interoperability only). The OAG-NIST Test Bed, focused on interoperability, is using the IIC framework. KorBIT/Asian ITG, focused on interoperability, will also use the IIC framework, and this may lead to formalized certification testing there too.
Relative Suitability to Task
Full report available from http://www.ebxml.org
OASIS / CEFACT JMT – http://www.ebxml.org/
Thank You
• www.oasis-open.org
• xml.coverpages.org
• www.xml.org
• www.ebxml.org