Cisco on Cisco
Business Applications IT Deployment in Progress: How Cisco IT Improves Commerce User Experience by Securely Sharing Business Services with Partners
Offloading XML processing to the ACE XML Gateway improves service performance and simplifies application development.
Cisco’s Commerce Transformation initiative is redefining the company’s processes and systems to make it easier for customers and partners to conduct business with Cisco. “By adopting a Services Oriented Architecture approach, we are creating a solid architectural and technology foundation that will deliver scalable solutions, enhance the customer experience, and provide our entire ecosystem with secure access to the services they need,” says Guillermo Diaz Jr., vice president of commerce IT.
To support the cross-company Commerce Transformation initiative, Cisco IT needed a secure way to share certain internal business services with partners and customers. Examples include pricing promotions and a configuration service for Cisco® network devices, services, software, and solutions. These business services reside within Cisco’s network, where partners cannot access them. Therefore, partners have no option other than calling Cisco employees, which creates additional work and prolongs deal cycle times.
“We realized that we could save time for customers, partners, and Cisco by developing a set of reusable application services with appropriate controls,” says Harvinder Kalsi, IT architect, Cisco. Examples of network services, which are common to multiple Cisco business services, include security and XML processing. “We would also need a secure, scalable, and manageable way to expose business services,” says Steve Adachi, IT manager, Cisco. “Reusability was very important because customizing and maintaining the same business services for different partner and application requirements would take too much time to be practical.”
Cisco IT first identified common network services in the business services that the company wants to expose to customers and partners. Examples include security, XML processing, virtualizing the physical service endpoints so that they are not visible to partners, and monitoring message traffic. “It’s much more efficient to manage network services like these independent of the business service logic,” says Kalsi. “This is easy to do when you place the services in the network and use the network as a platform for delivery.”
Next came selecting a platform to manage the network services. Cisco IT tried out third-party SOA management solutions, but these software-based solutions failed to meet the business requirements. They did not provide the flexibility to work with the different middleware used within Cisco, so Cisco IT would need to write separate code for each type of middleware. The solutions lacked support for IBM WebSphere and Java Message Services (JMS), Cisco’s biggest development environments. And, like all software solutions, they imposed overhead that detracted from overall service performance.
Cisco IT decided to use a network-based web services platform. The team selected Cisco’s own Application Content Engine (ACE) XML Gateway, a web services gateway designed specifically to manage web services security, XML processing, and encryption. “The Cisco ACE XML Gateway provides a robust SOA platform that provides essential functions common to many of our business services,” says Ravi Akireddy, IT architect, Cisco. “Offloading XML processing to the network improves service performance and simplifies application development.” The application delivery services that the Cisco ACE XML Gateway provides are a core network service as part of the Service Oriented Network Architecture framework.
With support for industry standards, the Cisco ACE XML Gateway integrates with third-party products in Cisco’s infrastructure, including middleware. It maps partner requests to the appropriate middleware, such as Tibco BusinessWorks or IBM WebSphere, over JMS or HTTP transports that the application developer has exposed. The gateway does not host application-specific code. Instead, Cisco application developers use an intuitive web-based administrative interface to configure policies that provide services for their business applications.
Beginning in July 2007, Cisco IT conducted a proof of concept using the Cisco ACE XML Gateway to expose current promotions to partners so that they can find the discounts for which they qualify (Figure 1). The gateway delivers the following services:
- Authenticates users with username and password, tokens, or certificates
- Offloads XML processing to improve application performance
- Performs schema validation
- Encrypts and decrypting messages
- Performs fast XML transformations
- Signs XML payload
- Performs protocol translations, such as HTTP to JMS
- Enforces web services policies such as service versioning
- Performs XML firewall screening
- Prevents denial-of-service (DoS) attacks against application servers by throttling XML traffic
- Virtualizes the physical service endpoints and provides content-based routing
Cisco IT established a secure channel between the internal gateway and the gateway between the Internet and firewall, using HTTP with bidirectional Secure Sockets Layer (SSL) encryption (Figure 2). “We were able to segregate internal and external traffic and provide a secure
Figure 1. Architecture for Secure Delivery of Web Services to Partners Using ACE XML Gateway
After the successful proof of concept, in September 2007, the IT team began the pilot, which included load testing. Cisco IT deployed 24 ACE XML Gateways in the San Jose, California data center as well as the Research Triangle Park, North Carolina data center used for disaster recovery. Each gateway occupies only one rack unit, which reduces data center space, energy, and cooling requirements. The manager gateway collects metrics and produces reports summarizing performance, number of hits, and errors.
In March 2008, Cisco IT rolled out the web services to all worldwide Cisco partners as part of the Partner Deal Registration application.
As of June 26, 2008, 13,074 Cisco partners had signed up for the Partner Deal Registration application, demonstrating strong interest and acceptance. These partners have used the web service for more than 58,000 deals, with benefits that include:
- 7500 hours saved for Cisco sales teams because of partner self-service
- Reduction in average deal cycle time from 10.5 days to 6 days
- Reduction in discounts and nonstandard pricing, for estimated savings of US$17 million to date
Figure 2. Service Oriented Architecture Implementation
The Partner Deal Registration application is using only a tiny fraction of the gateway’s capacity of 30,000 XML transactions per second. “This level of scalability would be difficult to achieve with a software-based solution,” Kalsi says. “As we expose more and more services, the scalability and load-balancing capabilities in the Cisco ACE XML Gateway will become more critical. We might receive hundreds of thousands of hits daily.”
The ACE XML Gateway offloads XML processing from the application, accelerating application performance. Average response time for the “Get Price” feature is 500 milliseconds, which seems almost immediate to the consumer. The response time includes back-end business logic.
Traditionally, schema validation and other XML processing are performed in software, which degrades application performance and scalability. “Offloading schema validation to the gateway not only improves performance, it also frees up application development teams to focus on core business logic, which increases their productivity,” says Amit Srivastava, IT program manager. Cisco IT can expose the business services rapidly, as well. In just two months in mid-2008, the team securely exposed the following internal business services to partners:
- Next-generation configuration
- Cisco Service Contract Center install-base search
- Order orchestration
The Cisco ACE XML Gateway lets the IT team add capabilities that were not possible previously. One is to perform deep packet inspection of any XML traffic entering the network, an important capability because the XML payload can carry different types of attacks. “Stopping bad requests at the gateway offloads the application from having to perform packet inspection, which improves performance,” says Srivastava.
Cisco IT plans to use the Cisco ACE XML Gateway for the following business services by March 2009:
- Opportunity collaboration and integration with salesforce.com
- Customer Registry Address Services
- Customer Service Address Services
- Human Resources IT Champion program, which recognizes and rewards Cisco employee behaviors that foster success
- Partner Deal Promotion, which provides information about incentive programs, promotions, and offerings
- Manufacturing IT Arvato Integration
- Integrated Commerce Workspace, which provides information about sales, orders, and pricing
- Integration with Scientific Atlanta
- Customer Services: Worldwide Reverse Logistics, responsible for redeploying returned products to bring the best value to Cisco
- Cisco Capital Finance
- Manufacturing IT
- Real estate leasing
- HireRight Integration
Cisco IT plans to let individual project teams make their own policy changes, including specifying the partners authorized to use the services and the dates they can use them. “The goal is to maintain centralized control of web services while delegating policy configuration management,” says Kalsi.
Cisco IT plans to use the Cisco ACE XML Gateway in conjunction with the Cisco ACE module to simplify the delivery of web services. The Cisco ACE module will provide the same functions as the Cisco Content Switching Module and also support multiple virtual gateways, each mapped to a distinct set of web services. The ACE XML Gateway will segregate services to particular gateways based on payload and protocol. “Using the ACE XML Gateway as a shared platform rather than dedicating a separate physical gateway to each set of web services will increase return on investment and reduce our support cost,” says Srivastava.
As the deployment expands, Cisco IT will automate the process of deploying new policies to the gateways. When this occurs, application teams will be able to use the Cisco ACE XML Gateway as a service for the applications they develop. The Cisco Application Networking Services business unit is aware of the need for management APIs and is committed to providing them in upcoming releases.
An end-to-end security solution requires securing messages to the final endpoint. Cisco IT is currently using HTTP over SSL for last-mile security. Later it might use Security Assertion Markup Language (SAML)/federation and a secure transport layer.