This article was published in the November 2002 issue of the IBM developerWorks journal .
The previous version of UDDI added significant support to help fuel the growth of Web services, primarily through its introduction of business relationships and external taxonomy validation, more powerful inquiry and internationalization features, and others. Unfortunately, significant gaps still exist in UDDI, which have confined its adoption primarily to use in private registry settings on company intranets, typically within a single business. Both UDDI adopters and implementation providers alike have identified various areas that require further development, resulting in a number of focus areas for the UDDI V3 specification development effort:
- Support for multi-registry environments.
- Separation of policy from implementation.
- Security features.
- Enhanced inquiry.
The July 2002 release of the V3 specification addresses each of these areas. This article discusses each area, covers key features in V3, and illustrates how to use these features.
The UDDI documentation also received a major facelift in V3 as well. In V2, there were several specification documents: APIs, Data Structures, Replication, and Operators. The V3 specification presents a unified, organized document that eliminates redundancy and conflicts that were present in the prior documentation. The new documentation also has significant explanatory and descriptive information in a set of appendices that covers the use of key features. With the addition of many new features, the document clearly differentiates between normative features, requiring implementation by registries, and non-normative features, which specify required registry behavior if implemented.
That said, the unified V3 specification is a somewhat daunting document; this article summarizes the capabilities of V3 and assumes some familiarity with prior versions of UDDI (see Resources).
Generally, Web services environments are not homogeneous. Sometimes it is appropriate for Web services to be visible to all, limitations on their general use notwithstanding. A public registry is best for these cases. In other situations, certain Web services may be proprietary or otherwise restricted, limiting the ability to discover their existence or to obtain information on how to invoke them to be used by certain groups, such as within a company or an organization specific to an industry segment. These cases are best served by the use of private registries. Private registries enable their owners to exert control over their visibility, content, and use.
The UDDI Business Registry (UBR), often termed the public registry, is jointly operated by IBM, Microsoft, NTT Communications, and SAP, serving the needs of those who are interested in publicly visible Web services. Support for UDDI in products is available from various companies, including IBM. You can configure products and use them to fill the role of private and semi-private registries.
So what's been missing? For starters, there has not been a good solution for use cases, such as when a private service needs to go public. Transferring registry information on existing businesses and their services from one isolated registry to another, in a way that fully preserves the keys used to uniquely identify these entities, has not been possible. This was because saving new entities required generating a new and unique key by the registry itself. Prior to V3, UDDI registry implementations had no relationship to one another. Identical entities having the exact same keys could not be saved into multiple registries.
In recognition of the reality of multi-registry environments, V3 introduces the concepts of root and affiliate registries to provide guidance on interregistry associations. A root registry acts as the authority for key spaces. Such registries are used to delegate key partitions so that other registries can rely upon the root registry to verify and maintain the uniqueness of such key partitions. The UBR is a good example of a root registry, which Figure 1 illustrates (adopted from the UDDI V3 specifications).
Affiliate registries interact with a root registry. These affiliates rely upon the root registry for delegating unique key partitions. Afterwards, data can be shared between and among the root and affiliate registries with the assurance that each given key partition is unique. Do not confuse the affiliation of multiple registries with the concept of replication, which UDDI has always supported for sharing entities identically between two or more node implementations that compose a particular registry.
Figure 1. Root and affiliate registries
V3 enables registry affiliation by providing two features: publisher-specified keys and subscription. Prior to V3, the formatted Universally Unique Identifier (uuid) keys uniquely identified the core UDDI data types (
tModel). Specification of keys associated with such entities was limited to the registry itself. Publishers creating new entities would simply leave out the value for the key in their
save_xx API request and the registry would automatically generate one. Supplying a key value implied an update to existing data in the registry. An error occurs if the registry finds no match during the
In V3, it is now possible for publishers to specify their own key values when they create new entities. This provides the ability to save the same entity with the same key value in more than one registry. Entities in a private registry, for instance, can now be copied into another affiliated private registry for broader exposure or into a root registry, such as the UBR, for public consumption. The reverse also is true.
Depending upon the policy of the particular registry, V3 also enables the use of vanity keys. The uuid-based keys are an essentially random hexadecimal string in a defined format that serves no purpose beyond that of ensuring uniqueness. One of the drawbacks of such a scheme is that these long, meaningless strings are difficult to manage, remember, and use. While tooling generally hides most of the pain associated with this, a more flexible and useful solution often has been requested. Vanity keys allow publishers to specify a meaningful name for a key as an alternative to having a uuid-based key assigned automatically by the registry.
The V3 specification establishes some rules on how this is done. While it is a registry policy decision, the V3 specification recommends an appropriate keying policy. First, keys are now Universal Resource Identifiers (URI) instead of simple
uuids. Each key in V3 is now known as a
uddiKey. A uddiKey can be either a
domainKey, or a
derivedKey. A uuidKey is essentially the V3 equivalent of a uuid-based key, in the form "uddi:" uuid. A domainKey takes the form "uddi:" domain, where the domain is based upon an established DNS record. A derivedKey has the form uddiKey ":" KSS, where the key specific string (KSS) is composed of upper and lowercase characters, numbers, and other symbols permitted in a URI. Given the number of
is in this clinical explanation, a few uddiKey examples might help:
- Here is an example of a typical
uddi:2AB7E4BF-887B-923A-9936-443EAAC8AE23. Essentially, this is the familiar and sometimes despised pre-V3 uuid entity key, converted into a uuidKey by prefixing "uddi:" to it.
- Here are some
uddi:yourdomain.com. In each case, mydomain.com and yourdomain.com are the respective domains.
- Finally, a few
derivedKeyexamples are useful:
uddi:mydomain.com:my Product:browsingService. The
myProduct:browsingServiceare the KSS part of the derivedKey.
For registries that use the V3 recommended key policy, there are also some rules for using keys that are derived from a
domainKey. You must acquire a license to publish such keys. This entails creating a special
tModel known as a domain
tModels establish a key partition from which
uddiKeys can be derived and used in other entities, which are created and controlled by the publisher. The
tModelKey for these
tModels must be in the form of a domain_key and must end with the term
keyGenerator. The publisher must categorize the
tModel using a value of
keyGenerator from the uddi-org:types value set. Depending upon registry policy, the publisher may need to sign these
tModels. Publishers may then create derived keys based upon the domain identified by a
tModel that they own.
The subscription feature in V3 enables you to track changes in the content of a UDDI registry through either synchronous requests for this information or through asynchronous notifications made by a registry node to the requestor, as illustrated in Figure 2.
Figure 2. Types of subscriptions
While subscription is a non-normative part of the V3 specification, it fills a key role in enabling registry affiliation. In scenarios where one or more affiliated registries rely upon a root registry to manage key spaces, an affiliated registry may want to be aware of changes of interest in the root registry and then reflect copies of those entries into the affiliate.
As an example, a pharmaceutical industry segment has an affiliate registry that manages the Web services that its member companies offer to each other, covering everything from the acquisition and distribution of raw materials and supplies to product distribution and business process management. Some services of general interest used by these companies also are public in nature and are registered in the UBR, which is the root registry for the pharmaceutical affiliate. For the convenience of its members, the affiliate wants to include copies of such entries in its registry. Subscription provides a simple means by which the affiliate can identify the types of entries in which it has an interest and request notification when such entries are added, changed, or deleted by the owning publisher(s). In this way, the affiliate can easily keep up-to-date.
There are, of course, many other examples of where subscription is useful, such as the business that wants to be kept aware of when its list of potential suppliers changes. Another example might be of a business that issues certifications or organizational memberships. It could use subscription to determine when others are attempting to assert such a relationship by tracking when a
publisherAssertion of this nature is created against its
The subscription API set provides a great deal of flexibility on how information of interest is identified and communicated back to the subscriber. Subscribers define the filter criteria for a subscription, which determines which registry changes will be tracked for the subscriber. Subscribers establish a subscription by issuing a
save_subscription request. This is essentially a compound API, because the filter criteria, known as a
subscriptionFilter, is essentially a compound request. A
subscriptionFilter must contain one of the UDDI inquiry API requests, such as
get_BusinessService. The subscriber may establish multiple subscriptions, if additional criteria need to be used.
Subscribers also register a number of other preferences when saving a subscription request, such as how they want to receive the results of activity matching their subscription criteria. You can opt to have the registry provide notifications through either e-mail or Simple Object Access Protocol (SOAP) messages to a service that the subscriber supplies and on a schedule that the subscriber defines (although this and numerous other aspects of subscription are subject to individual registry, node policies, or both). A
bindingKey corresponding to a
bindingTemplate with a valid endpoint is required in the subscription to use this feature.
To take advantage of the SOAP message option, subscribers are required to support a SOAP (subscription listener) service endpoint that processes
notify_subscriptionListener messages from the registry containing their subscription results. Large result sets can be chunked into multiple groups to facilitate a subscription listener's needs. Subscribers can elect to receive results in detail (which takes the form of the standard results provided from the particular inquiry API used as part of the filter criteria in their
subscriptionFilter), or in brief, for which only a list of the affected entity keys is provided.
Here is a simple example of how this works, along with some XML code showing some of the new V3 SOAP messages. The Association of Micro-Brewed Beer Producers (AMBP) offers membership in its organization to beer producers who meet their strict criteria for quality and who pay the annual dues. Membership in the AMBP is desirable to producers because it indicates to customers the high quality standards they have met. Dues include both a monetary payment and a substantial product-based donation made directly to the organization board members -- apparently judging quality requires extensive testing. With membership comes access to many Web services tailored to their industry for everything from equipment and supply ordering to more generalized services, such as invoicing. The AMBP operates a semi-private UDDI registry whose use is restricted to its membership. This is an affiliate registry of the UBR. The AMBP populates its affiliate registry with copies of Web services of interest from the UBR.
To monitor UBR activity related to its areas of interest, the AMBP establishes a subscription with one of the UBR node operators. This subscription requests daily notifications through SOAP messages on activities of interest. It will operate a Web service to respond to the messages provided and process the entries returned for inclusion in its own affiliate registry. To set this up, it first needs to register a service in their AMBP
businessEntity with a
bindingTemplate that indicates its desire to receive such notifications, as shown in Listing 1.
<save_binding xmlns="urn:uddi-org:api_v3"> <authInfo>AMBP_AuthCode</authInfo> <bindingTemplate bindingKey="uddi:AMBP.org: subscriptionListenerService:binding" serviceKey="uddi:AMBP.org: subscriptionListenerService"> <description>notify_subscriptionListener service binding for AMBP subscription to UBR. </description> <accessPoint URLType="https"> https://AMBP.org/services/ notify_subscriptionListener </accessPoint> <tModelInstanceDetails> <tModelInstanceInfo tModelKey="uddi:uddi.org: v3_subscriptionListener"/> </tModelInstanceDetails> </bindingTemplate> </save_binding>
<save_subscription xmlns="urn:uddi-org:sub_v3"> <authInfo>AMBP_AuthCode</authInfo> <subscriptions> <subscription brief="true"> <subscriptionFilter> <find_service xmlns= "urn:uddi-org:api_v3" > <categoryBag> <keyedReference tModeKey="uddi:ubr.uddi.org: taxonomy:unspsc" keyName="Beer" keyValue="50.20.20.02.00"/> </categoryBag> </find_service> </subscriptionFilter> <bindingKey>uddi:AMBP.org: subscriptionListenerService:binding </bindingKey> <notificationInterval>P1D </notificationInterval> <maxEntities>1000</maxEntities> </subscription> </subscriptions> </save_subscription>
Next, it registers its subscription request for daily notification, as shown in Listing 2. The simple filter criteria chosen seeks services , based on UNSPSC classification, that are classified as beer producers.
In reality, such a subscription request would include many more classifications to establish a complete list of the types of services to be retrieved. The node would now use the SOAP access point to invoke the Web service identified by the
bindingTemplate of the subscription. This would entail use of the API
notify_subscriptionListener. The node would issue this call, as illustrated in the code sample in Listing 3.
<notify_subscriptionListener> <subscriptionResultsList> <coveragePeriod> <startPoint>20020727T00:00:00 </startPoint> <endPoint>20020728T00:00:00</endPoint> </coveragePeriod> <subscriptionbrief="true"> <subscriptionFilter> <find_servicexmlns= "urn:uddi-org:api_v3" > <categoryBag> <keyedReference tModeKey="uddi:ubr.uddi.org: taxonomy:unspsc" keyName="Beer" keyValue="50.20.20.02.00"/> </categoryBag> </find_service> </subscriptionFilter> <bindingKey> bindingKeyOfTheClients NotifySubscriptionListenerService </bindingKey> <notificationInterval>P1D </notificationInterval> <maxEntities>1000</maxEntities> <expiresAfter>20030101T00:00:00 </expiresAfter> </subscription> <keyBag> <deleted>false</deleted> <serviceKey>uddi:BeerSupplies.com: maltSelectionService</serviceKey> <serviceKey>uddi:Containers.com:kegs: orderingService</serviceKey> ... </keyBag> </subscriptionResultsList> </notify_subscriptionListener>
Use of the brief attribute caused only the
serviceKey values to be returned in the
keyBag in Listing 3. Next, the AMBP subscription listener service can make requests to the UBR to retrieve the full business entities corresponding to these serviceKey values and integrate them into its own affiliate registry.
Policies describe the specific behavior of a registry or of a node within a registry, insofar as the UDDI specification permits such variances. In earlier versions, the UDDI specification mixed policy issues with UBR implementation concerns. V3 separates these and expands the role of policy by prescribing a set of policies that registries must address. The UDDI specification addresses issues of policy using several terms:
- Policy abstractions. Describes various types of high-level policies and provides broad definitions of high-level information management policies.
- Policy rule. The basic building block of any policy-based system. It defines the metrics of a set of actions mapped against a set of conditions.
- Policy decision. Involves the evaluation of a policy rule's conditions.
- Policy decision point (PDP). The logical entity where policies are decided. In UDDI, this will be either the registry or the nodes within the registry.
- Policy enforcement point (PEP). The point at which policies are enforced. In UDDI, this will be at either the registry or node level.
Figure 3. Hierarchical policy relationships in UDDI
Registries may delegate certain PDPs and PEPs to their constituent nodes. Figure 3 illustrates these relationships. The specification groups policies into several categories, including:
- Policy delegation. Covers policies for determining which sets of polices may be delegated to nodes.
- Keying. Defines policies on key format, generation, and so on.
- Information access and control. Defines policies on registration and authorization of users, privacy, and more.
- APIs. Defines policies on data confidentiality for each API set (Inquiry, Publication, Subscription, Custody, and others).
- User policies. Describes policies on user publication limits and ownership transfer.
- Data custody. Determines whether custody transfer is permitted.
- Replication. Determines whether replication is supported.
- Subscription. Determines whether subscription is supported and other related policies affecting the behavior and capabilities provided in subscription, such as the duration of a subscription.
- Value sets. Defines policies dealing with management of external validation and related caching behavior.
The UDDI security model is defined by the set of registry and node policies and their implementations. From a security features perspective, the capability most lacking in UDDI has been the ability to determine the veracity of data in a registry. Use of registries in completely private environments ameliorated this to some extent by allowing managed control over access to registry data and over who is in the user set, but the general problem of trust remained. V3 adds support for digital signing of all core data types to address issues of data integrity and authenticity not previously available in UDDI.
By digitally signing data in the registry, publishers can now ensure that no one can spoof their data with imitations that are easily mistaken by inquirers. Furthermore, once the data is signed by a publisher, altering it in any way breaks the signature, providing confidence in the data's integrity. By verifying the signature, inquirers using the registry can also be assured that a signed entity is valid and that the publisher represented by the signature created it. They can now also issue inquiries that only return results pertaining to signed data.
Given the multi-registry environment enabled in V3, the reliability of data becomes even more important. When signed data is copied between registries, you can guarantee its integrity by simply validating the signature.
To support digital signatures, both publishers and registry implementations must support normalization and canonicalization. In normalization, the registry must reduce each of the characters that make up the SOAP message to a single standard representation. This is necessary because in UTF-8, it is often possible to represent the same character with multiple encodings.
Canonicalization creates a standard representation of XML, addressing issues like the tag representation, attribute ordering, namespace declaration, expansion and ordering, and white space handling. Ensuring consistent behavior is critical. Registries must save and retrieve data in a well-defined way so that a digital signature is not broken. This also places a burden on the publisher, who must similarly process the data before signing it so that the registry will not modify it further during these steps so that the signature is not broken.
The use of digital signatures improves both the quality of data in UDDI and provides users with the trust and protection needed for Web services used in e-business and other applications.
Each version of UDDI provides significant new enhancements to the Inquiry API in response to user requests. V3 adds support for:
- new find qualifiers
- find qualifier extensibility
- compound queries
- management of large result sets.
Here is a quick tour of what has changed.
Recall that find qualifiers are essentially flags that alter the behavior of searching in UDDI, such as how results are sorted or matching is performed. The new find qualifiers provide enhanced selection options in the area of internationalization, but also formalize and expand some older capabilities as well. Those related to internationalization include:
- case Insensitive Match. Matches without regard to case.
- case Insensitive Sort. Sorts without regard to case.
- case Sensitive Sort. Sorts with consideration of case.
- diacritic Insensitive Match. Matches without regard to diacritic markings (for example, accents).
- diacritic Sensitive Match. Matches with consideration of diacritic markings.
- UTS-10. Sorts based on the Unicode Collation Algorithm on elements normalized, according to Unicode Normalization Form C.
Other new find qualifiers include:
- approximate Match. UDDI now has standardized wildcard matching based on an SQL LIKE syntax.
- binary Sort. Causes a binary sort by name.
- exact Match. Matches based on exact criteria supplied. This is the new default.
- signature Present. Returns only results that contain a signature.
The set of defined find qualifiers may be more easily extended by registries because now they may be either tModelKeys or can be represented by their short names. Compound queries were added to several of the inquiry APIs to facilitate common tooling idioms. In particular:
find_binding.Permits the discovery of binding Templates across
businessServiceelements, as well as the embedded use of the
tModelresults of this inner
find_tModelAPI are added to any that were supplied in the
tModelBagprovided with the
find_business.Permits the embedded use of the
find_tModelAPIs. When an inquirer includes the
find_relatedBusinessesAPI here, this causes the results returned by
find_businessto be an intersection of the businesses returned by the
find_relatedBusinessesquery and those returned based upon the other criteria supplied in the
find_businessquery. Use of
find_tModelbehaves similarly to that described previously.
find_service.Permits the embedded use of the
find_tModelAPI, with similar behavior as described previously.
Finally, V3 now supports large result sets, enabling inquirers to retrieve results in a quasi-chunked fashion. This is not a true cursor-like behavior because, while the registry allows chunked retrieval of results, these results do not represent a frozen snapshot in time. Data in the registry could change during the retrieval process (adds or deletes), which could affect the overall results.
This article focused on the key differentiators for V3 that create a more robust infrastructure for the Web services environment. There also are many other new features in V3, although they are too numerous to describe fully here. A few other areas worth mentioning include:
- Enhancements to the custody and ownership transfer APIs.
- Simplifications for external validation.
- Replication enhancements.
- More useful access point content and behavior.
- Improved WSDL support.
- Much tighter schema definition.
- Complex categorization (allowing categorization information to be logically grouped -- for example, latitude and longitude).
With the completion of V3, the uddi.org effort has ended, and the specification and related IP have been transferred to the OASIS group for further development. With OASIS, UDDI will continue to evolve to meet the registry needs of Web services.
- Read the "Understanding UDDI: Tracking the evolving specification" article which appeared in the May 2002 issue of the developerWorks journal for more information on UDDI V2.
- Take a quick look through the features of UDDI version 3 or read the full UDDI version 3 specification document from UDDI.org.
- For more information on UDDI version 3 schemas and WSDL interfaces, read the additional documentation from UDDI.org.
Tom Bellwood is a Senior Technical Staff Member with IBM and is an engineering professional with many years of experience in the technology sector, ranging from the world of semiconductor design and design automation to systems and application development. He is an expert on UDDI and how it supports the growing world of Web services. He is the technical lead for the IBM UDDI Business Registry, is a principal author of the UDDI V3 specification, is the OASIS UDDI specification Technical Committee cochair, and has spoken at many technical conferences. You can reach Tom at firstname.lastname@example.org.