Sunday, November 15, 2009

Digital/SSL Certificates

SSL Certificates
First time into the world of SSL certificates and need simple, practical, usable tips and explanations to implement one? Alright then, let’s get started. A few concepts:
SSL, also known as Secure Sockets Layer, is a secure protocol which makes HTTP traffic secure, i.e. makes it HTTPS. It is a transport-level protocol, meaning end-to-end traffic [e.g. from your browser to IIS] is encrypted using public/private key pairs. This is as opposed to message-level encryption, where each individual message [SOAP packet] is encrypted.

What is a Public/Private Key Pair?
This question could be asked in a number of ways: what is PKI infrastructure, or what is asymmetric encryption? The answer is as follows:
Symmetric encryption (e.g. DES) uses the same key at both ends of the traffic flow to encrypt and decrypt, whereas asymmetric encryption uses a private key at the server end. A private key is secret and sits only on the server; consider it the identity of the server. The public key is at the other end of the traffic to decrypt and encrypt. Although there are a number of algorithms available, SHA1-RSA seems to be a popular cocktail for asymmetric encryption.

What is a CA?
This could also be asked as: what is a root authority? Or what is your root? This is really guys like Verisign, Thawte, Geocert, Digicert etc. – Clarification: when I say ‘guys’, I mean the ‘Digital Certificates’ of these companies. Think of these as the ‘Parent’ or ‘Master’ certificates. These are able to ‘issue’ SSL certificates which you would install on your server. Sometimes these issued certificates are themselves able to issue more certificates. This is referred to as a ‘Chain’ of certificates. By default, our machine contains a number of these pre-installed ‘Root’ and ‘Intermediary’ certificates.
To get to these pre-installed certificates, go to Internet Explorer-->Tools-->Internet Options-->Content-->Certificates.


Here is a screenshot of Trusted Root CAs – i.e. your browser inherently trusts any certificate issued by these CAs. Remember these are Certificates of CAs themselves, i.e. these are certificates which ‘issue’ other certificates.





Here is another screenshot of the actual certificates installed on your machine. For example, in the following screenshot there is a certificate I issued to myself:




You can also look at certificates using the Microsoft Management Console. Go to Start-->Run-->type mmc-->File-->Add/Remove Snap-in-->double click Certificates-->select ‘Computer Account’ on the ensuing pop-up-->Next-->Finish-->OK. This will show you the following view:



What is a Digital Certificate?
This question could also be asked as – what does an SSL certificate do? Or what does a server certificate do? Answers follow:

1. It secures all traffic from one end [browser/server] to the other [IIS server] and is installed on a server, e.g. a web server like IIS. It also contains a Private Key.

2. It is usually issued by a public CA [Certification Authority] like Verisign, Thawte etc., but it can also be issued by an inbuilt CA on our local machine – a web server or even an XP/Vista machine.

3. A digital certificate can be used for:
A) Transport Level: End-to-end authentication whereby the browser establishes a session key with the web server and the encrypted session key is used for the duration of the session; all data passed between client and server is encrypted. E.g. eBay, PayPal and your bank’s net banking services.

B) Authentication: If the server has an SSL certificate installed, then the client browser connects to the server and, as the server responds to the client, it authenticates itself to the client, confirming it is who it claims to be, e.g. Company A. There are 2 levels of authentication provided by the SSL certificate:
i) Domain Authentication: Just the domain name is verified, i.e. if someone connects to your server, the browser is guaranteed it is connecting to “www.yoursite.com”. The guarantee is provided by the issuer (e.g. Verisign).

ii) Organisation Authentication: The fact that Company A owns “www.yoursite.com” is verified. This is the true SSL certificate and this is what you would want for your web server.

C) Mutual Authentication: This is a special case of Authentication. Imagine there are 2 web servers and both of them are required to authenticate/identify themselves to each other, e.g. when Company A’s Server A initiates a traffic flow with Company B’s Server B, the SSL certificate is requested from Server B, and when Server B responds it asks Server A for its certificate.
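As an added example (not code from the original post), here is C# that walks a server certificate’s chain the way the browser does before trusting it, reports the host name and subject it vouches for, and checks that the chain’s root really sits in the machine’s Trusted Root CAs store; the certificate file path is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: inspect a server certificate's chain of trust and confirm
// its root is one of the pre-installed Trusted Root CAs. Path is a placeholder.
class CertChainCheck
{
    static void Main()
    {
        var cert = new X509Certificate2(@"C:\certs\server.cer"); // placeholder path

        // Domain authentication: the host name the cert vouches for (SAN or CN).
        // Organisation authentication: an "O=" component in the subject names
        // the verified company; a domain-only cert carries no meaningful O.
        Console.WriteLine("Host name : " + cert.GetNameInfo(X509NameType.DnsName, false));
        Console.WriteLine("Subject   : " + cert.Subject);
        Console.WriteLine("Issuer    : " + cert.Issuer);
        Console.WriteLine("Valid     : " + cert.NotBefore + " to " + cert.NotAfter);

        // Build the chain as the browser does: follow issuers up to a root,
        // checking signatures, validity dates and (online) revocation status.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        bool trusted = chain.Build(cert);
        Console.WriteLine("Chain builds to a trusted root: " + trusted);

        // Element 0 is the server cert, the last element is the root CA, and
        // anything in between is an intermediary CA certificate.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("  " + element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("    problem: " + status.Status + " "
                                  + status.StatusInformation.Trim());
        }

        // Confirm the root is in the Trusted Root CAs store, the same list the
        // browser shows under Internet Options --> Content --> Certificates.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        bool rootInStore = store.Certificates.Find(
            X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0;
        store.Close();
        Console.WriteLine("Root present in Trusted Root CAs: " + rootInStore);

        // A certificate you issued to yourself reports UntrustedRoot here until
        // you deliberately place its issuer in that store.
    }
}
```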

In the next article in this series, I will discuss how to create and install SSL certificates in development and production environments. Any suggestions, corrections or comments are welcome.

Thursday, August 13, 2009

The Release Vocab

I was looking at Windows 7 and how to upgrade from Vista to Windows 7: if I get Windows 7 RC, can I upgrade to the Windows final version? What if I had to reinstall? After some intensive googling, I came up with the following, courtesy of Eric Jarvis' post here:

CTP - community technology preview - this is just a point in time release to get more bits into hands of customers between beta releases, for those hard core people who want to be as close to the action as possible.
Beta - these releases get special attention from the QA Team, we plan for them, treat as a milestone, etc.
RC - release candidate, this is the one we hope will become an RTM. Testing additional RC candidates can get to be like a baseball game in extra innings. When we finally say "ship it" everyone celebrates.
RTM - release to manufacture, this is the RC that gets shrink wrapped.

Cheers.

Monday, April 13, 2009

MVC - Model View Controller

Recently while working on a Project I came across Navitaire Flight booking system and realised they used a fairly interwoven system of MVC and a WCF services layer.

Here are my 2 cents worth on MVC pattern.

MVC is an architectural pattern used in software engineering. Successful use of the pattern isolates business logic from user interface considerations, resulting in an application where it is easier to modify either the visual appearance of the application or the underlying business rules without affecting the other.



MVC Pattern
The whole Navitaire application is based on the MVC or Model View Controller Pattern; also known as MVP or Model View Presenter design pattern.

Model
The Model is responsible for managing application data and state, and communicating with a server. When an operation is performed on a model that changes the data or state of an application, the model notifies all of its consumers.

View
The View represents the presentation layer of an application. A view does not necessarily refer to a Windows form or a Web page and may not be visual at all. For example, a Web service or voice interface can be different views of the application that present the application data to the user.

Controller
The Controller provides validation, security enforcement and application workflow logic. For each user operation defined in an application there should be a controller method that is invoked that validates the data and security before invoking method calls on a model object. Logic related to application workflow can also be contained in the controller and may be dependent upon the active view.

As usual don't forget to leave comments. Thanks.

Wednesday, April 8, 2009

How To Program WCF

There is so much to understand and so many classes for WCF, but fortunately programming for WCF is streamlined.

1. Object Oriented vs Service Oriented
Before we get into some programming syntax, let us look at what will be different for us as traditional OO (Object Oriented) programmers to get into the SO (Service Oriented) mode.

Object Oriented - Classes and Interfaces are the norm. Two libraries dependent on each other communicate via distributed object calls. Hence OO is a tightly coupled way to develop applications.

Service Oriented - Classes and Interfaces are still in use, but WCF classes are decorated with attributes like ServiceContract and OperationContract. Since the application components and services are connected via a messaging mechanism (passing messages) across different platforms, it is called loosely coupled.

e.g. a School Service:

using System.ServiceModel;

// ServiceContract marks the class as a WCF service; OperationContract
// marks each method that is exposed as a service operation.
[ServiceContract]
public class SchoolService
{
    [OperationContract]
    public double CalculateStudentFee()
    {
        // ... (body elided in the original)
    }
}

2. Understanding Service Model in WCF


Most of the functionality is provided by System.ServiceModel Namespace. A WCF Service Provides functionality/operations to other services or applications and consists of one or more End Points. Each End Point, in turn, consists of Address, Bindings and Contracts.


Address --> Where the service resides.

Binding --> How the service communicates, Protocols etc.

Contracts --> What the Service does, What it provides.


e.g. of System.ServiceModel Classes

NetTcpBinding, BasicHttpBinding, ChannelFactory, Identity (For Identification as messages are exchanged between End Points), ServiceHost (To Provide a Host).


e.g. of System.ServiceModel.Channels

These classes are used in communication between EndPoints. Some of the examples are as follows:

AddressHeader, MessageHeader, Binding (Collection of BindingElements used for specifying communications for each End Point), BindingElement, BindingContext.
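As an added example (not code from the original post), here is a self-hosted version of the School Service that wires the three endpoint parts together: ServiceHost supplies the addresses, two bindings expose one contract, and ServiceMetadataBehavior publishes the metadata that svcutil consumes. The ports and the fee formula are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Contract: WHAT the service does. Declared on an interface so clients can
// share it without the implementation.
[ServiceContract]
public interface ISchoolService
{
    [OperationContract]
    double CalculateStudentFee(int creditHours);
}

public class SchoolService : ISchoolService
{
    public double CalculateStudentFee(int creditHours)
    {
        // Assumed flat rate per credit hour; the original post elides the body.
        return creditHours * 250.0;
    }
}

class Program
{
    static void Main()
    {
        // Address: WHERE the service resides. One base address per transport
        // (host names and ports are assumptions for this example).
        var host = new ServiceHost(typeof(SchoolService),
            new Uri("http://localhost:8000/School"),
            new Uri("net.tcp://localhost:8001/School"));

        // Binding: HOW it communicates. Same contract, two wire protocols.
        // BasicHttpBinding defaults to no security, so messages travel in the
        // clear; in production use BasicHttpSecurityMode.Transport behind an
        // https base address. NetTcpBinding defaults to transport security
        // with Windows credentials.
        host.AddServiceEndpoint(typeof(ISchoolService), new BasicHttpBinding(), "basic");
        host.AddServiceEndpoint(typeof(ISchoolService), new NetTcpBinding(), "tcp");

        // Publish WSDL at http://localhost:8000/School?wsdl so that
        // "svcutil http://localhost:8000/School?wsdl" can generate a client
        // proxy. Turn this off on endpoints that face untrusted networks.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });

        host.Open();
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
            Console.WriteLine("{0} over {1} at {2}", ep.Contract.Name, ep.Binding.Name, ep.Address);
        Console.WriteLine("Service running; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```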


Transactions

As with any other context, ACID properties define a transaction, i.e. Atomicity, Consistency, Isolation and Durability. There is a namespace called System.Transactions which has a couple of classes in it:

--> Lightweight Transaction Manager (LM)

--> OLETx Transaction Manager


As a final note, WCF allows passing transactions from Client to server.

Let's look at a code example and some explanation to understand the basic constructs of WCF programming:


[CODE EXAMPLE]


3. svcutil.exe


This is a utility which will be used a fair bit in our strides into WCF programming. It generates service code from metadata documents and metadata from service code. Many switches/options for metadata generation, code generation, serialization etc. are available. In general the svcutil syntax is as follows:


svcutil [options][metadatapath|assemblypath|metadataurl]


4. WCF Programming Methods


There are several ways to do WCF Programming. One or a combination of them could be used. In the next series of articles, Let's have a look at them one by one.


Sunday, April 5, 2009

Blog Away

After almost a year of hibernation, I decided to venture back into the blog arena and sure enough, instead of concentrating on the real purpose of my blog, I went into 'Make Blog Popular' mode...

Increase your Blog Views - Register with Technorati
Increase even more - Register With Blog explosion
Blog views Stats - StarCounter
Monetize - Google AdSense (Don't click on it yourself mate ;)

Anyway I am guilty of Blog philia this weekend. I will be back to my usual ramblings soon. Reading a book on WCF by Michelle Bustamante and some MS Architecture guidelines.

Catch you later.

Friday, February 29, 2008

SOA - An Overview

SOA - Service Oriented Architecture

What is SOA?
1. SOA is an approach to organize distributed IT resources into an integrated solution breaking down information silos and maximizing Business Agility.
2. SOA modularizes IT resources, creating loosely coupled business processes that integrate information across business systems.

Definition
SOA uses standard protocols and interfaces - usually web services - to facilitate access to business logic and information among diverse services. Because each process is exposed through a standardized interface, the underlying implementation of individual service providers can change without affecting the consumers.

Why SOA
Service orientation makes systems more responsive to business needs, simpler to develop, and easier to maintain and manage. Implementing a solution architecture based upon service orientation helps organizations plan ahead for change, rather than responding reactively.

Who does SOA?
SOA is 'done' by developers and solution architects. However, stakeholders in a service-oriented solution span a range of roles, and it is critical that their interests not only be taken into account but that they actively drive the design of the SOA solution. e.g. IT Managers, CIO, CTO, Business Analysts and last but not the least - Developers and Solution Architects.

What SOA isn’t
There are numerous misconceptions about what SOA is—that it is a product that can be purchased (it is not, it is a design philosophy that informs how the solution should be built).
SOA is also a term used interchangeably with web services. SOA is made easier through broad adoption of web-services standard but web-services is an implementation methodology to implement a SOA solution.

SOA Approaches
Top-down and Bottom-up. Both approaches can have possible pitfalls that can prevent success. Many organizations that have attempted to roll out SOA infrastructure through a top-down approach have discovered that when the infrastructure is finally delivered it is out of sync with the needs of the business. Likewise, a bottom-up approach can fail as well, because it can lead to a chaotic implementation of services created with disregard to organizational goals.

The “middle-out” approach is a successful hybrid of the two other approaches. Business drivers and strategic vision are first employed to set clear direction and priorities.

SOA Lifecycle
Expose - The expose phase of the SOA approach focuses on which services to create from the underlying applications and data.

Compose - Once services are created, they can be combined into more complex services, applications, or cross-functional business processes.

Consume - Once a new application or business process has been created, that functionality must be made available for access (consumption) by either other IT systems or by end users. The goal of the consumption process is to deliver new, dynamic applications.

Getting Started
1. Don't “do SOA” rather than address a business need.
2. Organizations that are successful with SOA often adopt a middle-out approach — they start with clear business challenges and focus on creating business value.
3. Demonstrate value in rapid iterations. Time-to-value is a critical, healthy metric.

Cheers! and any feedback and/or comments welcome.

Thursday, August 16, 2007

WCF Concepts and Constructs

We will look at the main concepts, the main constituent components of what forms SOA, and specifically we will discuss Messages, Channels, Services and Behaviours.

1. Messages

When we talk about messages, the first thing we need to know is its structure - it consists of a SOAP Envelope, SOAP Header and a SOAP Body.

SOAP Envelope

This is the outermost element and container for Header, Body, Name and Namespace.

SOAP Header

This contains important information not directly related to the message but optional information e.g. School Name for packets containing Student Info. This SOAP Header can also have Child elements called 'Header Blocks' - optional header info.

SOAP Body

This is the crux of the message, i.e. basically a collection of data items to be used by the SOAP receiver.

A basic XML sample of a message

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <env:Header>
    <o:order xmlns:o="http://www.MySite.com/order" env:mustUnderstand="true">
      <o:orderreference>591aef96-0c0d-4534-a1d2-4253b910b0b6</o:orderreference>
      <o:orderdate>05/15/2006</o:orderdate>
    </o:order>
    <p:purchaser xmlns:p="http://www.MySite.com/purchaser" env:mustUnderstand="true">
      <p:name>Peter Spano</p:name>
      <p:creditcardnum>1234-5678-9012-3456</p:creditcardnum>
    </p:purchaser>
  </env:Header>
  <env:Body>
    <c:price xmlns:c="http://www.MySite.com/bookcost">
      <c:cost>
        <c:retailcost>$49.99</c:retailcost>
        <c:salecost>$39.99</c:salecost>
      </c:cost>
    </c:price>
    <q:quantity xmlns:q="http://www.MySite.com/quantity">
      <q:orderquantity>1</q:orderquantity>
    </q:quantity>
    <t:title xmlns:t="http://www.MySite.com/title">
      <t:booktitle>WCF - The Book</t:booktitle>
    </t:title>
  </env:Body>
</env:Envelope>


Figure: SOAP Envelope

Messaging Programs

In the previous post I talked about SOAP receivers, what they are and what the other messaging programs are besides them. Let's have a look:

Client --> This is the program which initiates message communication with a service.

Service --> This provides a service to the client and can also 'chain on' to another service.

Further, 2 Clients can call the same 'End Point' of the same Service and the sessions are isolated from each other by the service. Cool eh!

Communication patterns are either Simplex, i.e. one-way transmission; Duplex, i.e. both Client and Service can send simultaneously (two-way); and finally Request-Reply, where the Client sends a request and waits for an answer.

2. Channels


This is the medium through which messages are exchanged. The process is somewhat like this:


--> Client Establishes a channel.


--> Service accepts the channel request.


--> Client Sends message/s.


--> Service sends a reply back to the client.



Channel Stack - When each channel performs a specific function during message communication, a number of such channels layered together is called a channel stack. Examples of such specific functions include:


Security - Transport Security (https) and Message Security (SOAP)


Interop - WS, .NET, MSMQ


Message Pattern - Simplex, Duplex etc.


Transport - http: Communication Info is not important, tcp: Communication info is important, Named pipes: Single Machine comms between processes, MSMQ: Reliable Delivery.


3. Services


Really, WCF is made up of 'Services' and 'End Points' that communicate with clients. The Services are hence composed of:


A) Service Description: How to access this service and what functionality this service provides.


B) End Points: Each Service must have at least one End Point and further each End Point must have a unique Address e.g. "http://MyService/MyFunctionality..."


Each End Point is composed of a Binding, Contract and Implementation. Binding refers to http, basic http, WShttp, Nettcp etc. Contract is a definition of actions for this end point.


Contracts


The structure and format of a WCF message and the behaviour of the message is called a contract. It is in the shape of a well-formed XML document like WSDL. There are several kinds of contracts:


A) Service Contract: Tells the Clients of the service, what operations this service will perform, the message data types and where this service is located.


B) Message Contract: Allows customization of the format/structure of the message sent and received by WCF. Also allows formatting the parameters of the message.


C) Data Contract: This is the data being exchanged between Client and the server. The two need to agree upon the format for the data exchange to take place. XML Serialization facilitates this exchange; however there is a new serialization in WCF called Data Contract Serialization.
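The three contract kinds applied to the order message shown earlier, as an added example that is not from the original post: data contracts describe the order and price data, a message contract decides which parts become header blocks (with mustUnderstand and a protection level) and which go in the body, and a service contract exposes the operation. The header and data namespaces come from the sample XML; the service namespace and operation name are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Runtime.Serialization;
using System.ServiceModel;

// Data contracts: the shape of the data both sides agree on, handled by the
// Data Contract Serializer. Namespaces match the sample XML above.
[DataContract(Namespace = "http://www.MySite.com/order")]
public class OrderReference
{
    [DataMember] public Guid Reference { get; set; }
    [DataMember] public DateTime OrderDate { get; set; }
}

[DataContract(Namespace = "http://www.MySite.com/bookcost")]
public class Price
{
    [DataMember] public decimal RetailCost { get; set; }
    [DataMember] public decimal SaleCost { get; set; }
}

// Message contract: lays out the SOAP message itself, header blocks and body.
[MessageContract]
public class BookOrderRequest
{
    // MustUnderstand = true is env:mustUnderstand="true" from the XML: a
    // receiver that cannot process this header faults instead of ignoring it.
    [MessageHeader(MustUnderstand = true)]
    public OrderReference Order { get; set; }

    // The card number is sensitive, so demand signing and encryption from the
    // binding; the host refuses to open if the binding cannot provide it.
    [MessageHeader(MustUnderstand = true, ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string CreditCardNum { get; set; }

    [MessageBodyMember] public Price Cost { get; set; }
    [MessageBodyMember] public int OrderQuantity { get; set; }
    [MessageBodyMember] public string BookTitle { get; set; }
}

[MessageContract]
public class BookOrderResponse
{
    [MessageBodyMember] public bool Accepted { get; set; }
}

// Service contract: the operation clients can call. Namespace is a placeholder.
[ServiceContract(Namespace = "http://www.MySite.com/bookstore")]
public interface IBookStore
{
    [OperationContract]
    BookOrderResponse PlaceOrder(BookOrderRequest request);
}
```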


4. Behaviours


The Service Behaviour basically controls the runtime behaviour of the service and/or the End Point. For example:


--> Throttling - Number of threads per process, concurrency processing.


--> Security


--> Instancing - Per call, Per session, Single.


--> Transactions etc.
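An added example (not from the original post) showing instancing, concurrency and throttling set as behaviours on a small self-hosted service rather than in its contract; the contract, port and limit values are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Minimal contract so the example runs stand-alone (an assumption).
[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string text);
}

// Instancing and concurrency are behaviours declared on the class:
// PerCall gives every request a fresh instance (no state leaks between
// callers), Single concurrency lets one thread into an instance at a time.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Single)]
public class PingService : IPing
{
    public string Ping(string text) { return "pong: " + text; }
}

class Program
{
    static void Main()
    {
        // Address and port are assumptions for this example.
        var host = new ServiceHost(typeof(PingService),
            new Uri("net.tcp://localhost:8002/Ping"));
        host.AddServiceEndpoint(typeof(IPing), new NetTcpBinding(), "");

        // Throttling caps how much work one host accepts at once. Without a
        // cap, a flood of sessions or calls can exhaust threads and memory,
        // so these limits are a denial-of-service mitigation as much as tuning.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 16;      // requests in flight
        throttle.MaxConcurrentSessions = 100;  // open NetTcp sessions
        throttle.MaxConcurrentInstances = 116; // service objects alive

        host.Open();
        Console.WriteLine("Ping service running; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```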



Hope you enjoyed the heavy reading. Till next post, signing off...


PV