Jeff Bounds Systems Engineer Sun Microsystems, Inc.
Agenda
• Sun ONE™ Overview
• Sun ONE Architecture
• Sun ONE Studio – Java IDE
• Sun ONE Application Framework
• Sun ONE Application Server
• Sun ONE Portal Server
• Sun ONE Identity Server
• Java vs .NET
The IT Advantage for ROA: Do More with Less
A New Role for IT
• Transform the business
• Optimize the value chain
• Move closer to customers
(Diagram labels: Customers, Partners, Employees; Services On Demand; Evolution Not Revolution; D.A.R.T.)
Sun ONE Architecture
• Service Creation, Assembly and Deployment: Tools
• Service Integration: Access to Data, Applications and Other Services
• Service Container: Runtime Environment (Persistence, State Management, High Availability)
• Service Delivery: Connection, Location, Aggregation, Formatting, Content Delivery, Syndication, Personalization, Caching, Synchronization, Application Management, Provisioning
• Applications / Core Web Services / Web Services
• Identity and Policy: Roles, Security, Privacy, Management, Monitoring, QoS
• Platform: Operating System, Hardware, Storage, Network
Sun ONE Standards
• Service Creation, Assembly and Deployment: UML, BPSS, WSDL, NetBeans
• Service Integration: UDDI, ebXML, JMS, Java Connectors, SQL, JDBC, CORBA, JavaMail, FTP, BPSS, EDI
• Service Container: J2EE
• Service Delivery: WebDAV, SyncML, RDF, RSS, WML, cHTML, J2ME, MIDP, JavaCard, VoiceXML
• Applications / Core Web Services: ESMTP, IMAP, POP, S/MIME, SMS, iCal, SIP, SIMPLE
• Web Services: (see right column)
• Identity and Policy: Liberty, LDAP, vLIP, SP-DAN, DSML, UDDI, ebXML, SASL, SAML, XACML, X.509, PKCS, PKIX, OCSP, CM, CIM-SOAP, WBEM, Kerberos, IKE, JAAS, J2SE Policy/Perms, JCA/JCE, P3P, XKMS, XML DSIG, XML Encrypt
• Platform: POSIX, NFS, FTP, Bind, Sendmail, DHCP, TCP, IPv6, Mobile IPv4, IPSec, GSS-API, PPP, Fibre Channel, SCSI, Infiniband
• Throughout: HTML, XHTML, HTTP(S), SSL/TLS, Java, J2SE, J2EE (EJB, JSP, Servlets, JNDI, JMS, ...), JAX* (JAXM, JAXR, JAX-RPC, JAXB, JAXP), SOAP, WSDL, XML, XSLT, XML Schema, SAX, DOM
(Italic in the original slide = Emerging/Future Standard)
Evolution of Networked Computing
Scope of Sun ONE
Services on Demand
Services on Demand
Services on Demand is an umbrella concept for delivering services any time, anywhere, on any kind of client device. The concept comprises:
– Internet Web Application delivery platform today
– Emerging infrastructure for basic Web Services
– A roadmap for enhancing Web Services for Federated Commerce with identity services and contextual awareness
– Specifications for access by current and future deployment environments: J2EE, J2ME, Jini, JXTA, Grid Computing, etc.
Sun ONE Architecture: Integrated, Integratable
(Diagram: Integrated Stack and Integratable Stack, each comprising the layers Service Creation, Assembly, and Deployment; Applications / Core Web Services; Service Delivery; Service Container; Service Integration; Web Services; Identity and Policy; Platform)
Two Audiences for the Architecture
– Enterprises and Service Developers
– Software Vendors: Gap Fillers, Competitors
Sun ONE Studio 4, Enterprise Edition
Sun ONE Studio 4 editions: SOS EE, SOS CE, SOS ME (new)
www.sun.com/software/sundev/jde
Sun ONE Studio today (April 2002)
• Quantitative feedback, March 2001: Forte for Java vs. Oracle JDeveloper
– 4/5 Stars
– Over 1,977,000 downloads
– 4/5 Stars
– Over 4.1 million distributions
– Rave reviews and awards (JavaWorld, PC Magazine, Software Development Online, InfoWorld)
"We evaluated every Java IDE available and none offered the flexibility and freedom of the Forte for Java product." Tim Ferrell, IT Director, McGee Corporation
InfoWorld Review, April 2001; 2001 Innovator Award, April 2001
Sun ONE Studio – based on an Open Tools Platform
● Sun ONE Studio is based on the NetBeans framework, an open tools platform that can be extended by the developer community
● Open source ensures APIs are not controlled by any one vendor
● The IDE is a platform:
– Provides feature-rich functionality
– ISV partners provide value-added plug-ins that easily integrate into the IDE
– ISVs can use NetBeans to develop their own tools and solutions
www.siemens-mobile.com
www.gentleware.com
www.refactorit.com
Developer Resources Portal: http://forte.sun.com
● Product Support: FAQs, Knowledge Base, Newsgroups, Bug Fixes, Docs, Fee-Based Support, Web-Based Training
● Community Participation: Newsgroups, Early Access Program, Chats, Contribute Content, Advisory Council, Newsletter
● Java programming support
● Submit and review bugs
● Download patches and modules
JSP Debugging – HTTP Monitor
• Source-level debugging
• Integrated with Web Containers (Tomcat/iWS)
• HTTP Monitor records / plays back web requests
Sun ONE Studio Update Service
● Powerful Web-based Service for Developers
– Wizard in the IDE
– Patches
– Module Updates
– New Modules
Join the Early Access Program at http://forte.sun.com/eap/
Sun ONE Studio
● Sun ONE Studio, Mobile Edition
– Development of CLDC/MIDP Applications
– UEI Support for Integration of Emulators
● One IDE Toolset for Java and C/C++/Fortran
– Debugging across Java and C/C++ Applications
– Native Connector Tool: Automatic Generation of Java Classes accessing C/C++/Fortran Functions
● Sun ONE Support
– XSLT Plug-In Module for Sun ONE Integration Server
– Plug-In Module of Sun ONE Application Framework
– Plug-In Module for Connector Builder and Portlet Builder
Sun ONE Studio 4, Enterprise Edition
• Full J2EE 1.3 Support
– EJB 2.0 (MDB)
– JSP 1.2, Servlets 2.3
– Java Connector Architecture (JCA)
• Web Services Support
• J2EE 1.3 Application Server Support
• Windows NT, 2000 and XP; Solaris 8 and 9; Red Hat Linux 7.2a
Application Server Integration
● Plug-in Modules for:
– J2EE Reference Implementation 1.3.1
– Sun ONE Application Server 7
– Tomcat 4.0
– Oracle 9i Application Server
– BEA WebLogic 6.1 & 7
● Open source Application Server Integration API
Sun ONE Studio 4, Enterprise Edition
Sun ONE Application Framework
S1AF – Key Features
• Pure J2EE Java
• Evolving graphical tools
• Enterprise-strength Web Application Development
• Powerful Component usage methodology
• Well-defined Models (and Custom models)
• Multiple Rendering (same business logic)
• Events (application level, page level and field level)
• Web Services using JAX-RPC (requiring no developer code)
S1AF Architecture
S1AF – Architecture
• VIEWS – Provides developers a client-agnostic, hierarchical representation of the model data, enabling multiple rendering specifications to reuse common presentation logic and ensuring great structure and flexibility.
• COMPONENTS – "Out of the box" visual components such as Button, Check Box, Combo Box, etc. are available, as well as 3rd-party add-on components.
• MODELS – Common interface for using any Enterprise resource:
– Web Service resources
– Database resources
– UIF (Enterprise Connectors) resources
– J2EE Connector Architecture resources
Sun ONE Studio and S1AF
Useful URLs
• www.sun.com/software/sundev
• www.netbeans.org
• forte.sun.com
• java.sun.com
• wireless.java.sun.com
• wwws.sun.com
Sun ONE Portal Server
Portal Computing Is the Solution
(Diagram: Data No Matter Where It Resides – Enterprise, Legacy & Business Intelligence; 3rd Party Data and Information Feeds; Communication & Collaboration; Web Pages & Links; Process Automation Services – Securely Aggregated and Personalized for Targeted Communities: Employee, Supplier, Partner, Customer)
Identity Enabled Portal Platform
(Diagram: the same data sources, Securely Aggregated and Personalized, Targeted to the same Communities on Any Device; Identity: Identity Attributes, Functions, Authentication Mechanism)
Sun ONE Portal Server & Identity Management
Sun ONE Portal Server
● Increases Security
– Central control decreases inconsistencies
– Finer-grained policy enforcement
● Personalization
● Reduces Costs
– Less duplication; common infrastructure
– Integrated, one product
– IT efficiencies
Sun ONE Identity Server
● Delegated Administration
● Directory: Identity, Credentials, Roles & Groups, Preferences, Policies & Profiles
● Web Single Sign-On
● Flexible Usage & Deployment
● Centralized Access Control
● Single sign-on; delegated administration
● Portal installation includes Identity Server
● Multiple portals and applications leverage common infrastructure
Sun ONE Portal Server Product Line
● Secure Remote Access – Secure Access to: Intranet File Servers, Legacy Apps, Internal Web Apps, User Desktops
● Mobile Access – Any Device Access (Q2CY03): Groupware Connectivity; VoiceXML, WAP 2.0/WAP Push; J2ME Device & Sync Support
● Sun ONE Portal Server: Identity & Policy Management, Development Tools, Web Services and Personalization, Aggregation & Presentation, Search, Security
● Sun ONE Identity Server, Sun ONE Directory Server, Sun ONE Web/Application Server
Portal Server Architecture
● Sun ONE Portal Server – Portal Server Services: Desktop (JSP and Template), Providers, Display Profiles, Rewriter, Template Manager, NetMail, Search & Indexing
● Sun ONE Identity Server: Policy Services, Admin Services
● Java Development Kit, JAXP, JSS
● Sun ONE Web Server, Installer
● Sun ONE Directory Server
Use of Multi-Roles and Groups: AXA Financial – BtoC and BtoB Portals
Challenge
● Improve customer and partner interactions while gaining efficiencies and cost savings
Solution
● Sun ONE Portal Server (Business to Business and Consumer Portals)
Benefits
● Platform reusability reduces time-to-market, lowers deployment costs
● Lower transaction costs
A Single Portal Infrastructure Serving Multiple Communities: State of New Jersey – Government Portal
Challenge
● Address the demands of citizens, employees, other government agencies and NJ-based businesses
Solution
● Create multiple portals using Sun ONE Portal Server as common infrastructure
Benefits
● The State of NJ realizes efficiencies and cost savings while creating happy portal users, enabling them to live and work better in the state of New Jersey
Aggregation & Presentation
Delivers integrated content, applications, and services through customizable portlets.
(Screenshot: aggregated content & services)
Personalization
● Tab-based grouping of content specified by portal users
● User-defined personalization and preferences capability
● User context and personalization via standards-based identity for unified profiles and policy management
● Administrators control the customization options, down to portlet level
Security
● Support for multiple authentication types
● Single Sign-On
● Access control
● Policy enforcement
● Identity management
Authentication Methods (Sun ONE Portal Server): Windows NT domains, UNIX login, X.509 certificates, LDAP, RADIUS, SafeWord, CryptoCard, Java Card, SmartCard
Secure Web-Based Access: VPN-on-Demand
● Secure B2B and B2E Web-based access solution
● Same authentication and authorization as on the Intranet
● End-user ease of use and familiarity without additional training
● Integrated identity management
● Leverage existing corporate resources via the portal
● Low-cost solution with increased ROI
● Ease of administration and maintenance
Benefits of Secure Web-Based Access
● Easy and cost-effective
– Simplifies IT administration and maintenance overhead
– Zero client footprint and zero 'leave behind'
● Pre-packaged, embedded components
– Installs as a complete environment (i.e., Directory, Admin, Policy, ...)
– No integration required!
● Standards-based solution without compromise
– Open Java API for channel, authentication, session, policy, profile, logging
– Commitment to Industry Standards
● Universal access
– Delivers on the promise of the Internet for anytime, anywhere access to key applications and services
How Does It Work?
● Gateway – Delivers encrypted access to data, applications and files securely using the policy-based authentication and access control mechanism of the Sun ONE Portal Server
● Netlet (Patented technology!) – Provides Web, NT, Unix and Mainframe Applications that are either pushed to the client as HTML Web pages or presented as Java applets that are downloaded dynamically
● Netfile – File access client provides access to most popular file systems, NT and Unix
● Rewriter – Enables intranet access to HTML, XML, WML, JavaScript and CSS content for remote client devices (i.e., similar to a Proxy Server)
Sun ONE Identity Server
Sun ONE Identity Server “A comprehensive solution for managing identity and enforcing access to services. It tightly integrates the Sun ONE Directory Server with policy and user management to simplify the administration of users and to provide a single identity across a range of web and application servers.”
Identity Server Benefits
● Provides consistent security policies across the network
● Supports centralized authentication and authorization
● Provides complete identity lifecycle management
(Diagram: Customers, Suppliers, Employees, Partners; Identity Management; Communication Applications, E-business Applications, Enterprise Applications, Vertical Applications)
Solution: Identity Management
Sun ONE Identity Management Framework
● Identity Server – Access Management / User Management: Web SSO, Authentication, Audit/Logging; Delegated Admin, User Self-Reg/Self-Mgmt; Federated Identity (Liberty)
● Directory Server – LDAP Repository: Performance, Scalability, High Availability, Replication; UDDI Private Registry
● Directory Proxy – LDAP Proxy: Fail Over, Load Balancing, Schema Mapping, Client Routing
● Certificate Server – PKCS standards compliance, Registration/Certification Authority, Bulk Enrollment, FIPS compliance
● Meta Directory – Synchronization, Consolidation, Join, Identity Provisioning
Identity Management Framework Deployment
(Diagram components: Identity Server, Web Proxy, Firewall, Web/App Servers, Firewall, LDAP Proxy, Certificate Server, Directory Server, Meta-Directory, HR/Database/NOS; labelled Sun ONE Identity Framework)
Identity Management Framework Benefits
● Increases Security
– Centralized policy allows a single point of access enforcement
– All access is logged to a single point for use with audit or intrusion detection tools
– Enables stronger security by allowing the use of digital certificates, token cards, smart cards, etc. for all protected applications and resources
● Reduces costs
– Web single sign-on (SSO) enables major IT cost savings and user efficiencies
– User self-service and delegated account administration reduce IT help desk costs
– Centralized admin of users, policies, and services
● Increases operational efficiencies
– One-button account management can create, maintain, and delete accounts from a single point across all services
– Keeps information synchronized across multiple data sources (e.g. Windows accounts, mail accounts, HR systems)
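The two security benefits above (one point of access enforcement, one audit trail that audit and intrusion-detection tools can consume, stronger authentication methods gating sensitive resources) describe an architectural pattern rather than any particular product API. The following is an added illustration of that pattern in plain Python; it is not Sun ONE Identity Server code, and the policy table, the authentication assurance levels, the role names and the sample sessions are all constructed for the example.

```python
"""Added illustration (not Sun ONE code) of a single policy enforcement point
with a single audit trail. All policy data and sessions below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import json

# Constructed policy: resource prefix -> role -> permitted actions.
# "*" stands for any authenticated session.
POLICY: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "/hr/":      {"hr-admin": ("read", "write"), "employee": ("read",)},
    "/finance/": {"finance": ("read", "write"), "auditor": ("read",)},
    "/public/":  {"*": ("read",)},
}

# Constructed assurance ordering of authentication methods; sensitive
# prefixes demand a stronger method (the slide's certificates / token cards).
AUTH_LEVEL = {"password": 1, "token": 2, "certificate": 3}
MIN_LEVEL = {"/hr/": 2, "/finance/": 2, "/public/": 1}


@dataclass(frozen=True)
class Session:
    user: str
    roles: Tuple[str, ...]
    auth_method: str


@dataclass
class PolicyEnforcementPoint:
    """Every protected application asks decide(); nothing else grants access."""
    audit: List[dict] = field(default_factory=list)  # the single audit log

    def decide(self, session: Session, resource: str, action: str) -> bool:
        prefix = next((p for p in POLICY if resource.startswith(p)), None)
        if prefix is None:  # unknown resource: deny by default, still logged
            return self._record(session, resource, action, False, "no-policy")
        if AUTH_LEVEL.get(session.auth_method, 0) < MIN_LEVEL[prefix]:
            return self._record(session, resource, action, False, "auth-too-weak")
        for role in session.roles + ("*",):
            if action in POLICY[prefix].get(role, ()):
                return self._record(session, resource, action, True, f"role:{role}")
        return self._record(session, resource, action, False, "no-matching-role")

    def _record(self, session, resource, action, allowed, reason) -> bool:
        # Every decision, allowed or denied, lands in the one log.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "auth": session.auth_method,
            "resource": resource, "action": action,
            "decision": "ALLOW" if allowed else "DENY", "reason": reason,
        })
        return allowed

    def denials(self, user: Optional[str] = None) -> List[dict]:
        """What an auditor or IDS would pull: denied events, optionally per user."""
        return [e for e in self.audit
                if e["decision"] == "DENY" and (user is None or e["user"] == user)]

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape most log collectors ingest."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    alice = Session("alice", ("employee",), "token")
    bob = Session("bob", ("finance",), "password")
    pep.decide(alice, "/hr/handbook", "read")       # allowed via role:employee
    pep.decide(alice, "/hr/handbook", "write")      # denied, no matching role
    pep.decide(bob, "/finance/ledger", "read")      # denied, password too weak
    print(pep.export_jsonl())
```

The point of the example is the shape, not the toy policy: because every application routes through `decide()`, a weak-authentication denial on a finance resource and a role denial on an HR resource show up in the same stream with the same fields, which is what makes a single audit or intrusion-detection feed possible.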
Identity Management ROI
● Average user spends 16 minutes/day being authenticated. At a 10,000-user company, this costs 2,666 employee hours per day. Any time savings will produce productivity gains.
● On average, user management takes 63% longer than necessary. This delay results in lost revenue, reduced communications, and lost productivity.
● Respondents predicted that time savings from the centralization and consolidation of user database management would be more than 1,200 hours a year.
● Managing users, user databases, authentication, and access control would result in an estimated 54,180 hours per year. Even a 25% improvement in efficiency in this case would result in a savings of more than 13,500 hours.
● Security is improved by offering a more exact match between the accounts and rights assigned to individuals and the rights needed by the business.
Survey by META Group, Oct 2002
Identity Server Positioning
● Identity Management solution for Intranets & Extranets
● Component of S1 Portal Server; will be a component of Messaging, Calendar, and other Sun ONE products in 2003
● Public APIs for easy integration by ISVs, OEMs, and customers
● Provides Federated Identity (via Liberty)
● Provides Access Management (AAA): Web SSO, Authentication, Authorization, Audit/Logging
● Provides common Admin GUI for Users, Access Management, Services: Centralized/Delegated Admin, User Self-Registration, User Self-Management
Project Liberty Organization
● The Liberty Project is a business alliance formed to deliver and support a Federated Identity solution for the Internet
– Open: specifications created by its members
– Universal SSO
– Affiliated services and programs
● Liberty membership includes: financial, banking, travel, airlines, telecom carriers, ISPs, wireless/mobile operators, device manufacturers, technology vendors
– 17 founders, 26 sponsors, over 2 billion identities represented
– Membership is open to affiliates: non-profit, government, public, or standards groups
Secure Network Identity: Project Liberty
Your choice: (1) Trust Microsoft with everything, or (2) Choose who you trust, when you trust them, and what you trust them to know: Project Liberty
Project Liberty: Partnership of 100+ companies, representing more than one billion online identities, driving open, federated identity standards.
(Diagram: Financial Svcs Customer Community, Online Community, Telecommunications Community, Wireless Community, Retail Community, Payment Community)
More on the Liberty Alliance: www.projectliberty.org
Liberty Specification
● 1.0 (July 15, 2002)
– Identity Federation / Federation Termination
– Name Registration – way to implement Federation that may speed performance (2-way index)
– Single Sign-On, Single Sign-Off (Global Logout)
● 2.0 (Summer 2003)
– Attribute exchange (profile data exchange)
– Services Framework – way to find where a user has services available when there is a centralized Identity Provider and multiple Service Providers
Java vs .NET
The purpose of this debate
Question: Why are we having this debate?
Sun's purpose
• We want to help you build open systems
• We want to demonstrate how the Java™ Community and J2EE™ technology give you choice
• We want to show you how to build services deployable today on any server platform, available from any client or device
Opposing Strategies
• Sun's strategy: Define open standards for Java™, XML, and Internet protocols with community, then compete on implementation
– Maximizes your choice in development tools and deployment environments
– Choice reduces your technical and business risk
• Microsoft's strategy: Corrupt standards with proprietary .NET lock-ins, bombard the market with tools supporting their lock-ins, then call .NET "open" because some (but not all) of its components are based upon standards
Microsoft's Notion of Choice
Which version of Windows and Internet Explorer will you choose?
(Screenshot: .NET Framework download using Windows Update)
What you should do
• Listen carefully to the debate, and to your "gut".
• Don't wait for MS to lock you in when .NET server finally ships someday.
• Choose to use the Java™ Platform and widely deployed J2EE™ technology today to build scalable, secure, cost-effective systems.
What is the Java™ Platform?
• The Java Platform includes:
– Java Virtual Machine, core APIs, and related technologies defined by the Java Community in J2EE™, J2SE™, and J2ME™ specs
– Related API and technology specifications defined via the Java Community Process (JCP)
• Focus on Java™ APIs as well as implementations and tools from Sun, partners, and the Java Community
What is the Java™ Community?
• More than 650 individuals and companies from around the world constitute the Java Community (http://jcp.org/participation/members/)
• They use the Java Community Process (JCP) to define new Java technology standards
– 200+ Java Specification Requests (JSRs) to date, and counting (http://jcp.org/jsr/all/)
– Majority of JSRs (55%) aren't led by Sun
• Apache, JCP, and Sun coordination ensures that the open source community can implement JSRs (http://jcp.org/procedures/jcp2 and http://jakarta.apache.org/site/jspa-agreement.html)
The Java™ Community: Strength in Numbers
Java programmers:
● 2.5 million, as of 2001 (source: Gartner)
● Prediction of 4 million by 2003 (source: IDC)
Java in universities:
● 78% teach Java, 50% require it (source: TMC)
Java usage is expected to grow 29.4% in 2003 alone (source: IDC Worldwide Developer Model, via http://www.devx.com/judgingjava/articles/skills/)
The Java™ Community: J2EE™ & J2SE™ Executive Committee
● Apache (ASF)
● Apple
● BEA Systems
● Borland
● Caldera Systems
● Cisco Systems
● Fujitsu Limited
● Hewlett Packard
● IBM
● IONA Technologies
● Doug Lea
● Macromedia
● Nokia
● Oracle
● Sun Microsystems
* Term, representatives, and other details from: http://jcp.org/participation/committee
J2EE™ Technology: Available Everywhere You Need It
• OSes with J2EE implementations include: Solaris, Linux, Win32, zOS, OS/390, MacOS, HP-UX, Compaq Tru64, Compaq OpenVMS, AIX (source: http://java.sun.com/jdc/technicalArticles/J2EE/deployathon3)
• 38 J2EE licensees with 16 J2EE 1.3 and 21 J2EE 1.2 implementations tested compliant (sources: http://java.sun.com/j2ee/compatibility.html and http://java.sun.com/j2ee/licensees.html)
• J2EE app server market share: >90% (source: "Server showdown between J2EE and .NET", Wireless Week, 15 April 2002)
.NET Products: Definitely .NOT Standards Based
• .NET is a set of Microsoft products.
• CLI and C# may be ECMA standards, but:
– Other, major parts of .NET have not been standardized (ASP.NET, ADO.NET, Winforms/Webforms, Managed services of CLR, etc.)
• Microsoft guarantees no real competition is possible, and your risks are maximized.
The Java™ Platform Enables Choice, and Choice is Good!
• If Sun™ ONE products meet your needs, great.
• If not, mix and match our products with others' J2EE™ implementations as needed
– We even link to others' implementations (see: http://java.sun.com/j2ee/licensees.html)
• If your needs change, change the bits to meet them!
• Learn more: http://java.sun.com/j2ee and http://www.sun.com/sunone
Sun™ ONE and Standards
• The Sun™ ONE stack is based upon open standards at every level:
– Programming model: The Java™ Platform (J2EE™, J2SE™, J2ME™)
– Business class Web services: Enabled via ebXML
– Simple Web services: WSDL/UDDI/SOAP
– Unix operating system and Internet networking technologies
– Project Liberty network identity and SSO
The Microsoft .NET Trap
"Microsoft's offering, for example, in each they said 'When you pick this product, you also have to pick our operating system.'"
"The fact that we were locked in, if we made a Microsoft solution, to an all-Microsoft environment – not only now but in the future – was scary."
Larry Singer, CIO of the State of Georgia, interviewed by eWeek in "Sun's the ONE for Georgia Portal", 26 March 2002, www.eweek.com
Web Services Adoption Phases
● 1st Phase – Simple Web Services (Now)
– Consumer-focused, stateless, SOAP over HTTP/S
● 2nd Phase – EAI Web Services (Begun)
– Deployed within organization boundaries to enable internal integration
● 3rd Phase – Business Web Services (2004?)
– Deployed on extranets to enable business transactions with trading partners, suppliers, and customers; ebXML & UBL
Sun's Focus is on Business Web Services
● J2EE™
– Service implementation platform standard
● ebXML and UBL
– Business web services standards
– More than 16 vendors and several open source projects support ebXML
– e.g. Australian gas industry uses ebXML NOW!
● Liberty Project
– Identity system standard
Our Approach to Web Services Standards
● We believe any standard should be developed
– Through an open and inclusive process
● And must be
– Under a Royalty-Free (RF) license
● Agree on Standards and compete in Implementation
– This is what JCP is all about
The Security Problem
• Exponential growth of the Internet has led to an exponential increase in security incidents (now thousands yearly)
• Attacks by worms and viruses cost $17.1 billion USD worldwide in 2000
• Code Red, a Windows IIS worm, caused $2.62 billion USD damage in 2001
• Latest FBI/CSI Computer Crime Survey: $455.8 billion USD lost in the last year, up 367% over the last four years
Sources: Investor's Business Daily (10 December 2001) and www.gocsi.com
Sun's Security Principles
• Security must be addressed in all of your systems and services, with mutually reinforcing, independent, layered security controls
• Security must be integral with system design, not an afterthought
• Security must be built in, not bolted on
Sun Security in Practice: Designed in from the Beginning
• Sun holds secure computing as a core competency
• We design for security in depth, from hardware to OS to container to client
– Trusted Solaris; Solaris at EAL3 since 1995 and EAL4 as of Solaris 8 in 2000; fundamental Java security baked in
• Sun security resources: http://www.sun.com/security and http://java.sun.com/security
Microsoft: 24 Years to Realize Security is Important
"We didn't just fall off the turnip truck a year ago and realize we needed to do this... We started thinking about this three years ago."
Craig Mundie, Chief Technical Officer, Senior Vice President, and head of Microsoft's "Trusted Computing" initiative, on why Microsoft waited 24 years to care about security, 13 November 2002, http://www.wired.com/news/technology/0,1282,56381,00.html
Microsoft's Security Record
• IIS so bad, Gartner urges switching from Microsoft IIS to Sun™ ONE Web Server or Apache (details, and how to switch: developer.chilisoft.com/whitepapers/SCASP_wp_iisswap.pdf)
• 52,000 viruses afflicting Microsoft DOS/Windows, as opposed to 5 for Unix/Linux (as of 22 May 2000, source: www.oreillynet.com/pub/a/network/2000/05/22/security.html)
• Microsoft shipped NIMDA worm on their Visual Studio.NET CDs! (source: www.newsfactor.com/perl/story/18242.html)
Microsoft's Security Record
• .NET isn't even released yet, and ASP.NET is already broken (MS Security Bulletin "Unchecked buffer in ASP.NET": www.microsoft.com/technet/security/bulletin/MS02-026.asp)
• C# permits "unsafe" operations (labeled as such), sacrificing all language-based safety
• .NET permits a mixture of managed and unmanaged code
– Imagine the damage unmanaged code can do
"Microsoft" and "Security", in the same sentence?
• Security is about consistent behavior
• .NET hasn't been around long enough to have a record in the real world (internal development does not count), but so far things don't look good
• Microsoft's security record (or lack thereof) speaks for itself: Why expect anything different from .NET?
Microsoft: Breaking Your Software to Fix Their Mistakes
"We're going to tell people that even if (it) means we're going to break some of your apps, we're going to make these things more secure. You're just going to have to go back and fix it."
Craig Mundie, Chief Technical Officer, Senior Vice President, and head of Microsoft's "Trusted Computing" initiative, on why Microsoft's years of ignoring security issues in their products are your problem, 13 November 2002, http://www.wired.com/news/technology/0,1282,56381,00.html
"Microsoft" and "Security", in the same sentence?
"I can't tell if the Gates memo represents a real change in Microsoft, or just another marketing tactic. Microsoft has made so many empty claims about their security processes – and the security of their processes – that when I hear another one I can't help believing it's more of the same flim-flam."
Bruce Schneier, Founder and CTO of Counterpane Internet Security, world-renowned security expert, and author of the best-selling "Applied Cryptography", commenting on Bill Gates' infamous January 2002 memo, http://www.counterpane.com/crypto-gram-0202.html#1
Palladium: DRM By Any Other Name...
"Large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you," he wrote. "Proprietary programs have included malicious features before, but this plan would make it universal."
Richard Stallman, founder of FSF and co-founder of the GNU project, on Microsoft's plans for Trusted Computing and Palladium, which he refers to as "treacherous computing", http://news.com.com/2102-1001-964628.html
.NET Wireless Strategy: Everywhere Windows
• Microsoft doesn't understand heterogeneity: "The strategy behind the compact framework is to deliver XML-based Web Services to next-generation, 'smart' mobile devices running on... Microsoft's Pocket PC and the upcoming Smartphone 2002." ("Microsoft Launches .NET Mobile Platform", by Jay Wrolstad, Wireless NewsFactor, 17 April 2002, www.wirelessnewsfactor.com)
• Worse still, industry support is non-existent
• Their biggest supporter, Sendo, abandoned Smartphone for Nokia/J2ME instead: http://www.theregister.co.uk/content/54/28000.html
J2ME™ Executive Committee
• BEA Systems
• Cisco Systems
• Ericsson
• IBM
• Insignia
• Matsushita (Panasonic)
• Motorola
• Nokia
• Palm
• Philips
• Research In Motion
• Siemens
• Sony
• Sun Microsystems
• Texas Instruments
• Zucotto Wireless
* Term, representatives, and other details from: http://jcp.org/participation/committee
The J2ME™ Platform: By the Numbers
• More than 50 Java-enabled handset models (JavaOne, March 2002)
• 22 to 25 million Java technology enabled phones deployed as of May 2002
• 60% of all data-phones will be Java-enabled by 2003 (Arc Group, October 2001)
• 120+ commercial J2ME licensees
Develop: Price Flexibility
● Low Cost Tools: NetBeans
– Sun
– Toshiba
– Mercury Interactive
– Compuware
– Siemens
– Sitraka
● Other Tools: Eclipse, JDeveloper, JBuilder
● Valuable Infrastructure: Ant, Struts, Xerces, Apache SOAP
● Choose the price of your tools based upon needs!
Deploy: Price Flexibility
• Low cost servers: JBoss, JRun, Oracle9iAS, Sun ONE Application Server:
– General Electric (see below)
– Boeing
– Dow Jones
• Apache/Tomcat: too many to count!
Consider how General Electric is really driving down development and deployment costs! http://servlet.java.sun.com/javaone/sf2002/conf/sessions/display-1078.en-96938.jsp
Cost to Deploy
● Choose OS and Hardware
– Solaris, Linux, Windows
● Infrastructure costs falling
– Oracle9i Application Server
– Sun ONE Application Server
– JBoss is significant
Cost to Maintain
● Portable language and platform
– http://developer.java.sun.com/developer/technicalArticles/J2EE/deployathon3
– Consider SAP savings
● Productivity of Java™/J2EE™
● Training / Porting
– Significant reduction in (re)training costs
Cost – Risk
● .NET is fully shipping when?
– What bugs will happen in CLR?
– Security?
● J2EE™ is stable, proven and mature
– JDK: 1.1, 1.2, 1.3, 1.4, 1.4.1
– J2EE: 1.2, 1.3, 1.4
– IBM WebSphere: 3.0, 3.5, 3.51, 4.0
– BEA: 3.0, 4.0, 5.x, 6.x, 7.x
.NET: Deploy/Maintain
● Hidden costs
– Microsoft funding lots (most) activity in enterprise, so it is hard to tell what development costs are so far
– Server sprawl: 1 app, one server => lots of machines to manage
– Support contracts are very often independently negotiated
Deploy: Hidden Costs
Coolest Thing
True innovation! (from SmartCard to Mainframe and beyond)
Innovation
● JavaCard
– Secure Identity
– Ubiquitous network access
– Smart Card configures the "service" on behalf of the user
– 260+ Million cards already shipped
– Smart Card is 5 years old
Innovation: Networking
● Jini™
– Spontaneous Networking
– Network Plug and Work
– Services on Demand
– Self Healing Networks
● JXTA™
– Collaboration
– Messaging on steroids!
Innovation: Participation!
● Anyone can learn Java™/J2EE™
● Anyone can:
– Examine Java/J2EE
– Influence Java/J2EE
– Implement Java/J2EE
– Make money from Java/J2EE
● Millions have learned Java
– Google keyword java = 33,400,000 hits
– Google keyword J2EE = 945,000 hits
Innovation: Participation!
● With Java™/J2EE™ you can:
– Program smartcards to supercomputers
– Copy and share with minimal restriction
Freedom: Right to innovate
Java™/J2EE™ allows companies other than Microsoft the right and the ability to innovate! Quick examples:
● Apache Software Foundation
● JBoss
● BEA
Truth about Mixed Language Environment of .NET
• You have to use Microsoft-specific extensions, or cannot use certain features of the language, in order to run it in .NET
– It is not ANSI standard C++ or COBOL, for example
• Mixed code could be hard to maintain
• Mixed code could be hard to share and communicate best practices
• Steep learning curve from VB to VB.NET and C#: Why not try the Java programming language instead?
Java PetStore: the real story!
● Sun creates Java Pet Store as an example of multi-tier Java/J2EE™ design
● Microsoft creates a brand new application
– Stored procedures => SQL Server only
– Built from the ground up (no portability here)
– Designed for a purpose
● Oracle tinkers with SQL in Java Pet Store and runs much faster than the Microsoft client-server app
Java PetStore: the real story!
Examples of the 21 things Oracle changed in Java Pet Store 1.1.2 to blow away M$'s client-server app:
● InventoryEJB modified to eliminate unnecessary ejbStore() operations
● InventoryEJB modified to eliminate unnecessary calls to dao.load()
● CatalogDAOImpl.java
● Some debugging in String handling
J2EE scales 400% better than .NET
The latest chapter in the fairy tale
• Microsoft (significantly) funds TMC company to run an exercise again with Java PetStore tutorial code (the old version)
• Can you guess what it showed?...
Spot the problems
● TMC have apologized for a flawed exercise: http://www.middlewarecompany.com/j2eedotnetbench/message.shtml
● Testing or marketing?
● JPS is not a benchmark!
● No run rules
● No peer review
● Hard to see any customer benefit
● Very little disclosure (compare with SPECjAppServer)
● No expert tuning for J2EE (but ...)
Spot the problems
Some more technical insights:
● LOC comparison just wrong; worse, it is misleading: http://www.ejbsig.de/docs/PetShopArchitecture.html
● .NET code not even object oriented!
● Pricing is wrong and extremely limited
● JDK version? 1.4 much faster than 1.3
● Database tuning – no details?
● Dubious hardware selection
● No detailed disclosure
● No vendors gave permission to use their software
● ... I could continue.
Still there was some value
This exercise shows just how portable J2EE applications are, as TMC company tested JPS across 2 application servers apparently without code change!
Java PetStore: conclusion
● Use industry standard benchmarks
● Beware: Microsoft will use lots of influence to slow down the rate of adoption of Java and J2EE or anything else they don't like.
Jeff Bounds
[email protected]
Systems Engineer, Sun Microsystems, Inc.