Sample – IT Integration Framework
February 7, 2013

Integration Framework
The Integration Framework consists of five different layers that provide a distinct set of services as given below:
Vendor Connectivity Framework – Provides a consistent abstraction to expose Corporate Business Services. Functional specifications include:
- Service Directory – List of all the business services.
- Service Locator – Provides an abstraction that searches for services based upon different criteria.
- Service Activation – Provides an abstraction that enables the execution of an identified service.
- Protocol – Defines the protocol to be used for accessing a service.
- Format – Defines the format to be used in accessing a service.
Security Framework – Provides a consistent abstraction for exposing the Unified Security Services. Functional specifications include:
- Access Control – Provides an abstraction for access control.
- Identity Management – Provides an abstraction that manages and maps the different profiles of an individual in Unified Back Office systems.
- Entitlement Management – Provides an abstraction that manages and maps the different authorizations of an individual in Unified Back Office services.
- Provisioning – Defines the procedures and tools for provisioning of users.
Business Integration Framework – Provides a consistent abstraction of the common services used by business functions. Functional specifications include:
- Interfaces – Provides an abstraction that enforces common interfaces and standards.
- Data Schemas – Provides an abstraction that enforces consistent data schemas for inputs as well as outputs.
- Migration Tools – Provides an abstraction that enables migration of current applications to the new paradigm.
Utility Framework – Provides a consistent abstraction for exposing the utility services. Functional specifications include:
- System Management – Provides an abstraction for application instrumentation.
- Session Management – Provides an abstraction for managing application state.
- Audit – Provides an abstraction for application logging for service level commitments.
- Transformation – Provides an abstraction that enables the necessary transformation from the vendor format to the Unified format.
Back End Connectivity Framework – Provides an abstraction that enables applications to connect to various backend data sources in a consistent and efficient manner. Functional specifications include:
- Host Access – Abstracts data access from host data sources and transactions.
- 3270 Access – Abstracts applications from 3270 transactions.
- Database Access – Abstracts database access services.
- External Access – Abstracts external access mechanisms (e.g. HTTP) for non-Corporate data.
Integration Framework Services
Vendor Connectivity Services
Provides connectivity services to the framework that will enable application services to be exposed to vendors. Components are defined as:
- List of Services – List of all the business services, classification, documentation etc.
- Service Locator – Provides the ability to search services based upon different criteria.
- Service Activation – Provides the ability to execute an identified service.
- Protocol – Provides the protocol to be used for accessing a service.
- Format – Provides the data format to be used in accessing a service.
Security Services
Provides security services to the framework that enable applications to enforce Unified authorization and access policies. Components are defined as:
- Access Control – Provides services for the access control framework. Provides distributed security services for Integration Framework that include authentication, authorization, policy enforcement.
- Authentication is based upon a set of credentials associated with the user. Upon successful authentication, a secure token/ticket is granted that enables single sign-on (SSO) to all the other sites that subscribe to the same security authority. Multi-factor authentication is used for securing sensitive/high-value transactions. An affiliate services model is also supported wherein SSO to/from trusted partner sites can be achieved.
- Authorization to access protected resources is based on Policies. These policies are based on Group memberships as well as role specific rules as defined by the resource the user is attempting to access. Applications can also utilize contextual role data for further enforcement of entitlements. The separation of Authentication and Authorization functions results in a more secure and flexible solution.
- Role Based Access Control (RBAC) functions provide enforcement of authorization rules utilizing a declarative security model. Based on a given functional role, contextual information is derived from the authenticated session and used to enforce functional, data and transactional access. The implementation allows for coarse-grain to fine-grain protection of resources and data.
- Auditing and Accounting functions are provided in conjunction with the services provided by the Utility Framework.
- Identity Management – Provides services that manage and map the different identities of an entity back to Corporate Back Office systems. Identity Management provides identity integration focused on creating a unified view of the identity information scattered in disjoint systems throughout the enterprise. The implementation also establishes identity ownership roles of individual systems and establishes business rules for how identity data is maintained across the enterprise.
- The goal of identity integration is to provide a consistent, accurate representation of identities and relationships across heterogeneous systems. There are three components of identity integration: connection, brokerage, and ownership. Connection focuses on promoting communication between systems. Brokerage involves translating and interchanging identity information between systems. Ownership includes identifying the authoritative roles of individual systems across the organization with regard to managing identity information.
- Entitlement Management – Provides services that manage and map the different entitlements of an entity in Corporate Back Office services.
- Provides entitlement aggregation focused on creating a holistic view of the entitlement information across multiple systems throughout the enterprise. Provides role mapping, role hierarchy, and specific entitlements to enable Role Based Access Control Functions.
- Entitlements can be defined and enforced at multiple levels to facilitate fine-grain and coarse-grain protection of resources. Specific entitlements can be associated with a user, a role, or an account that can be used to make access control decisions at run-time.
- Provisioning – Provides the services for provisioning of entities into various systems. Provides a set of services to allow the combination and orchestration of complex repetitive administrative tasks that are primary to provisioning. These services comprise a scalable and extensible environment for these administrative tasks associated with provisioning and consider multiple categories of actors like Self Service, Assisted Service and Systematic.
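The run-time entitlement check described under Access Control and Entitlement Management, as an added example that is not part of the original document: entitlements attached to a user, a role (with role hierarchy) or an account are aggregated for an already-authenticated session and matched against the requested resource, action and account context. All role names, resources and data values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entitlement:
    resource: str       # e.g. "account:balance"
    action: str         # e.g. "read", "approve"
    scope: str = "*"    # contextual constraint: a specific account, or "*" for any

# Constructed role hierarchy: a role inherits the entitlements of its parents
ROLE_PARENTS = {"employee": [], "teller": ["employee"], "supervisor": ["teller"]}

# Constructed role-level entitlements (coarse-grain protection)
ROLE_ENTITLEMENTS = {
    "employee": {Entitlement("directory", "read")},
    "teller": {Entitlement("account:balance", "read")},
    "supervisor": {Entitlement("account:transfer", "approve")},
}

def expand_roles(roles):
    """Return the given roles plus every ancestor role in the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, []))
    return seen

@dataclass
class Session:
    """Context established by the (separate) authentication step."""
    user: str
    roles: set
    user_entitlements: set = field(default_factory=set)
    account_entitlements: dict = field(default_factory=dict)  # account -> set

def is_authorized(session, resource, action, account=None):
    """Aggregate user, role and account entitlements, then decide at run-time."""
    granted = set(session.user_entitlements)
    for role in expand_roles(session.roles):
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    if account is not None:
        # fine-grain: entitlements attached to the specific account in context
        granted |= session.account_entitlements.get(account, set())
    return any(e.resource == resource and e.action == action
               and e.scope in ("*", account) for e in granted)
```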
Utility Services
Provides the listed utility services to the Utility framework. Components are defined as:
- System Management – Provides system management services to the utility framework. These services provide capability to acquire, store, classify, and distribute application and infrastructure events such as errors and warnings. Provides an abstraction for application instrumentation. This includes event logging and performance counting. Properly instrumented applications would provide:
- Adequate advance notice, such that an anomalous condition is reported before it results in a system failure.
- Sufficient forensic detail, such that a failure can be easily traced back to its root cause during post-mortem analysis.
- The System Management system must be cross-platform and distributed. It shall support both implicit and explicit Event Correlation. Explicit event correlation is accomplished programmatically; implicit correlation requires the System Management component to provide statistical deterministic post-processing. Finally, System Management must provide a user interface where all events across the enterprise can be consolidated into a single view on a console.
- These services also include Error Management and Tracing. Tracing provides information for monitoring a component for debugging purposes. Tracing is disabled during normal operation of a component but can be enabled or disabled administratively.
- Session Management – Provides session management services to the utility framework. These services provide intra-application state management and inter-application context management functions.
- The session management will provide contextual storage keyed by a unique session identifier. This identifier could be the session key provided by Security. There are no restrictions on the type or amount of information that can be stored in a session variable. The variable itself is defined programmatically. The Session Management Service should be aware of which application has ownership of a variable. The owner can write to the variable and anyone can read it. If another application attempts to write to a variable, the Session Management component should log an error event (and allow the write to take place). The Session Management system should allow this restriction to be overridden in order to prevent the intentional sharing of ownership from generating spurious events.
- Audit – Provides auditing services to the utility framework that can be leveraged by all other Integration Framework components. Provides an abstraction for application logging for service level commitments.
- The audit system is a critical component that should have minimal system impact. We recommend a guaranteed-delivery, fire-and-forget mechanism where the storage of the logged event is guaranteed but the application does not have to wait while the system stores the message. More importantly, the system must guarantee that the message is stored even when the audit log store goes down. This implies some type of queuing system.
- Transformation – Performs the necessary transformation from the requester’s format to the provider’s format and vice versa.
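The session variable ownership rule under Session Management, as an added example that is not from the original document: the first application to write a variable owns it, anyone may read it, a write by another application is allowed but raises an error event for System Management, and the owner can mark a variable as shared so that intentional co-ownership stays silent. Application names and the session id are constructed; the session id would normally be the key issued by Security.

```python
import secrets

class SessionStore:
    """Contextual storage for one session, with per-variable ownership."""

    def __init__(self, session_id=None):
        # Assumption: when Security has not supplied a key, generate a random one
        self.session_id = session_id or secrets.token_hex(16)
        self._values = {}     # variable name -> value (any type, any size)
        self._owner = {}      # variable name -> owning application
        self._shared = set()  # variables whose ownership was deliberately shared
        self.events = []      # error events that System Management would receive

    def put(self, app, name, value):
        """Write a variable; the first writer becomes its owner."""
        owner = self._owner.setdefault(name, app)
        if owner != app and name not in self._shared:
            # Log an error event, but still allow the write, as specified
            self.events.append({"session": self.session_id, "level": "error",
                                "msg": f"{app} wrote '{name}' owned by {owner}"})
        self._values[name] = value

    def get(self, name, default=None):
        """Any application may read any variable."""
        return self._values.get(name, default)

    def share(self, app, name):
        """Owner opts into shared ownership so legitimate writes by others stay silent."""
        if self._owner.get(name) != app:
            raise PermissionError(f"{app} does not own '{name}'")
        self._shared.add(name)

    def owner_of(self, name):
        return self._owner.get(name)
```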
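The guaranteed-delivery, fire-and-forget audit mechanism recommended under Audit, as an added example that is not from the original document: the caller returns as soon as the event is queued, and a background worker keeps retrying the store until it accepts the event, so an outage of the audit log store delays but never loses a record. The `AuditStore` class is a constructed in-memory stand-in whose `down` flag simulates an outage; a production deployment would back the in-process queue with a durable queue so events also survive a crash of the logging process.

```python
import queue
import threading
import time

class AuditStore:
    """Constructed stand-in for the audit log store; `down` simulates an outage."""
    def __init__(self):
        self.records = []
        self.down = False

    def write(self, event):
        if self.down:
            raise ConnectionError("audit store unavailable")
        self.records.append(event)

class AuditLogger:
    def __init__(self, store, retry_delay=0.01):
        self.store = store
        self.retry_delay = retry_delay
        self._q = queue.Queue()
        # Daemon worker drains the queue independently of the calling application
        self._worker = threading.Thread(target=self._drain, daemon=True)
        self._worker.start()

    def log(self, event):
        """Fire and forget: returns immediately once the event is queued."""
        self._q.put(event)

    def pending(self):
        """Number of events queued but not yet stored."""
        return self._q.unfinished_tasks

    def _drain(self):
        while True:
            event = self._q.get()
            while True:  # hold the event until the store accepts it
                try:
                    self.store.write(event)
                    break
                except ConnectionError:
                    time.sleep(self.retry_delay)
            self._q.task_done()

    def flush(self):
        """Block until every queued event has been stored (shutdown or tests)."""
        self._q.join()
```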
Back End Connectivity Services
Provides the listed connectivity services to the backend connectivity framework. Components are defined as:
- Host Access – Provides host access services to the framework. These services enable programmatic access to host-based transactions. The details and semantics of the physical connectivity to the host are abstracted and exposed in a consistent fashion.
- 3270 Access – Provides 3270 transaction access to the framework. This set of services enables terminal-mode access to host-based transactions. It provides terminal setup and teardown functions and manages the screen-scraping functions. The complexity of the underlying gateways and protocols is hidden from the service requester.
- Database Access – Provides data access services to the framework. This set of services enables access to data stored in different databases, directories, file systems, cache stores, etc. The connection details and query semantics of the specific data stores are abstracted and exposed in a consistent fashion.
- External Access – Provides external data source access services (e.g. HTTP) to the framework. These services enable access to data feeds like Research, Market Data, etc. that could be hosted externally. The data source locations and connectivity details are abstracted from the service requester.
Business Services
Provides services to the business integration framework that expose the set of Unified Back Office business functions in a consistent manner. Components are defined as:
- Interfaces – Enforces common interfaces and standards.
- Data Schemas – Enforces consistent data schemas for inputs as well as outputs.
- Validations – Provides a declarative approach to validating inputs and outputs.
- Process Flow – Provides a means of controlling process flow.