WSDL and Reverse Invoke

Hi,

Sorry if this is answered previously…

Is there any changes do I need to make to the WSDL file generated by IS, if I want to invoke the same WSDL using Reverse Invoke concept?

I know for normal IS services i.e to invoke the following the service
http://your_internal_server:5555/invoke/wm.tn/receive
we can use
http://your_ri_server:80/invoke/wm.tn/receive
even through wm.tn:receive does not exist on your RI server.

Does the same principle holds good for Web Service calls? Apart from changing the Internal Server IP and port info with Reverse Invoke IP and Port info are there any changes do we need to do before providing the WSDL to the Partner.

Thanks in advance

Kevin

Same principal would apply, but the directive should be /soap/default or /soap/rpc or soap/custom_processor_directive instead of anything having to do with TN.

WSDL’s generated by the Developer’s Generate Code wizard have several limiations including only being able to describe a single IS service (little “S”) rather than describing all operations for a Web Serice (big “S”).

You should use a web services testing tool such as CrossCheck Network’s SOAP Sonar to run WS-Interoperability tests on any WSDL that you produce to increase the probability that the consumers of your service will be able to successfully invoke operations described in your WSDL.

Mark

Thanx Mark, TN service is just an example used to represent an IS service.

If I understand clearly

I just need to change the following info in WSDL generated?

<wsdl:definitions name=“DocLiteralWebServiceExample” targetNamespace=“http://Reverse_Invoke_ServerIP/”

<xsd:schema xmlns:xsd=“XML Schema” targetNamespace=“http://Reverse_Invoke_ServerIP/DocLiteralWebServiceExample/Hello” xmlns:tns=“http://Reverse_Invoke_ServerIP/DocLiteralWebServiceExample/Hello” xmlns:nsp=“hello.com”>

<soap:address location=“http://Reverse_Invoke_ServerIP:Reverse_Invoke_ServerPort/soap/default”/>

Thanks
Kevin

Yes, that should do it. Same thing applies if you want to have the endpoint in the WSDL point to a hardware load balancer or third-party proxy server in the DMZ.

BTW, an approach discussed WS-I is to break your WSDL into multiple physical files according to the level of abstraction in each section. This allows the more concrete portion that contains the protocal binding and the soap endpoint address to be maintained in a separate file from the more abstract types, messages and port type sections. At this time, WSDL’s generated by Developer do not support this “authoring style”.

Thanks again Mark,

Since we are planning to use a LB → Reverse Invoke IS → Internal IS

I will go with the following

<wsdl:definitions name=“DocLiteralWebServiceExample” targetNamespace=“http://LoadBalancerIP/

I do have a question related to security? i.e by default we have SOAP/HTTP and I am sure this is not a secure way to do it and there is always an option of SOAP/HTTPS, given the fact that IS still don’t support WS-Security standards what are the alternative options?

Well, since setting up an HTTPS port is very simple, you should do that unless all of your service consumers are internal and trusted (given your specification of a Reverse Invoke server I assume that is not the case).

IS does support WS-Security because it supports XML and WS-Security is just XML after all. You just need to write the code to process the security tokens and deploy it in a custom soap processor which is simply a Flow or java service registered to listen on a specific IS directive (e.g. /soap/secure or /soap/mysoapprocessor).

Also, why are you using both a hardware load balancer and Reverse Invoke? Doesn’t that mean you need two Reverse Invoke servers in your DMZ pointed at two or more IS server’s inside your DMZ?

If your firewalls are configured to only allow inbound connections from your load balancer, content switch or secure proxy I’m not sure you gain much from Reverse Invoke.

Mark

Mark,

I am sorry for being lazy…I should have read the following about WS-Security

[url]http://conneva.com/blog/archives/2005/07/adding_web_serv.htm[/url]

Coming to Hardware LB, we don’t want to expose our RI box to the external users. Arch should be as given below

ExternalUsers → LB → RI → Internal IS1
→ Internal IS2

Note: Both Internal IS1 and Internal IS2 are clustered.
Note: We will do the HTTPS configuration also

Any thoughts on this particular arch?

Why not? The primary function of a Reverse Invoke server is to provide enhanced security over the out-of-the-box IS configuration using a proprietary protocol that involves internal IS servers creating outbound connections through the firewall to the RI server. In this manner the firewall can be configured to block all inbound connections.

However, I usually recommend leveraging an enterprise’s existing web server security components in the DMZ rather than adding an IS-only proprietary solution. Why re-invent the wheel for securing the HTTP/S portion of IS when your organization has most likely already done this for its existing web servers or other HTTP-accessible components.

If your organization has no other HTTP security approach (how could this be?) I still suggest acquiring a third-party secure proxy, load balancing or edge server that could be used for non-IS products (such as webMethods Portal for example).

Reverse Invoke was a critical component in the early days of B2B, but unless you are absolutely determined to have an IS-only HTTP security solution, I do not recommend it.

Mark