JPMorgan uses Web-services technology to create a single-sign-on security platform for its credit-risk-management group.
Over the past couple of years, JP Morgan, and now JPMorgan Chase, has been working internally to rewrite some of its legacy applications that perform credit-risk-management functions in enterprise-Java technology. This year, JPMorgan has taken its drive toward Web services to the next level by launching a platform-independent, single-sign-on package for internal use across the credit-risk group.
This sort of "pilot program" to put Web services into action brought together the functionality of four different sites in the risk area, which were typically accessed separately by internal users and did not share information. With the Web-services concept in place, users can now enter one of the sites and have access to all four with a single sign-on. The four Web servers where the applications sit are now connected through this standard Java-based framework.
"The problem at JPMorgan was that each of the sites had different log-in protocols," explains B.J. Fesq, an independent enterprise architect consulting with JPMorgan's credit-risk-management group. "They wanted to simplify access to all of their sites with a single-sign-on security mechanism. Now, users can log into any one of the sites and, in doing so, be logged into all the sites to which they have access. Behind the scenes, user-authentication credentials and authorization rights are transparently shared across all of the servers using Web-services technologies."
JPMorgan was looking to allow its MS and J2EE applications, as well as any others, to use this single-sign-on functionality. The Web-services approach was appealing both as a central log-in mechanism and as an efficient way to exchange authentication and authorization data, says Fesq.
JPMorgan is mainly relying on Simple Object Access Protocol (SOAP) to connect its applications. SOAP wraps the information in XML and transmits it, while Web Services Description Language (WSDL) is used to describe the XML-based Web service. "The whole idea of using Web services here is that we can take these applications that are Java, .NET, Excel and connect them all together," says Fesq.
A key reason for using Web services in the risk-management area is "reuse of applications," says Fesq. "There is a push to build service-oriented applications with functionality that is generic enough so that they can be reused by other applications," he says. "Additionally, where proven solutions already exist, teams are investigating the value of Web service enabling those best-of-breed applications."
Fesq explains that while the different business lines have different roles and therefore require access to different areas, JPMorgan's Global Enterprise Services Group (GES) handles all requests for access centrally. "GES receives all access-control requests and is responsible for obtaining confirmation from the appropriate business sponsors before actioning any requests. GES can then grant or revoke those permissions with a Web-based administration tool that notifies all of the impacted Web servers, which stay in sync using a common Web-services interface," says Fesq.
In addition, the databases can be updated automatically with any changes made by the end user or the GES group. Previously, the servers would have to be restarted or the changes would be made through overnight processing. "We're using Web services primarily as a means of achieving cross-platform communication. Each Web server registers itself with the authentication server, in essence subscribing to receive notifications of any access-control changes," says Fesq.
He explains that there is a central repository of security information that includes authentication and authorization information. On top of that repository, which is stored in a Sybase database, is the Java package responsible for the Web-services aspect that pulls the necessary data out of the database.
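The register-and-notify arrangement described above can be sketched as follows. This is an added example, not JPMorgan's code: every class, method and field name is hypothetical, the event versioning is an assumption, and plain method calls stand in for the SOAP transport. It shows what happens to a revocation when one subscribed server misses a notification.

```python
# Added illustration: all class, method and field names are hypothetical.
class AuthServer:
    """Central repository of grants; pushes each change to registered servers."""
    def __init__(self):
        self.grants, self.version, self.subscribers = {}, 0, []

    def register(self, server):
        self.subscribers.append(server)
        server.resync(self)                      # full snapshot on registration

    def change(self, action, user, site):
        sites = self.grants.setdefault(user, set())
        sites.add(site) if action == "grant" else sites.discard(site)
        self.version += 1
        event = {"version": self.version, "action": action, "user": user, "site": site}
        for server in self.subscribers:
            try:
                server.notify(event, self)
            except ConnectionError:
                pass                             # missed event; the server must catch up later

class WebServer:
    def __init__(self, site):
        self.site, self.allowed, self.version, self.online = site, set(), 0, True

    def resync(self, auth):
        self.allowed = {u for u, s in auth.grants.items() if self.site in s}
        self.version = auth.version

    def notify(self, event, auth):
        if not self.online:
            raise ConnectionError(self.site)
        if event["version"] != self.version + 1:
            return self.resync(auth)             # gap in sequence: rebuild from the repository
        if event["site"] == self.site:
            op = self.allowed.add if event["action"] == "grant" else self.allowed.discard
            op(event["user"])
        self.version = event["version"]

def demo():
    auth, crm, desi = AuthServer(), WebServer("CRM"), WebServer("DESI")
    auth.register(crm); auth.register(desi)
    auth.change("grant", "alice", "CRM")
    auth.change("grant", "alice", "DESI")
    desi.online = False                          # constructed outage
    auth.change("revoke", "alice", "DESI")
    stale = "alice" in desi.allowed              # revocation not yet applied
    desi.online = True
    auth.change("grant", "bob", "CRM")           # next event exposes the gap
    return stale, "alice" in desi.allowed, "alice" in crm.allowed
```

In this sketch the stale grant on the server that missed the revocation persists until the next event arrives, so a push-only design also needs a periodic resync or version check to bound that window.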
Work is also under way in JPMorgan's market-risk group to expose certain market-data areas through Web services. "Single sign-on is nothing new, but there are very few applications out there using Web services to achieve it," says Fesq. "One of the challenges is that the security protocols and transactional support are still being standardized." In this area, Fesq says that the group is building a proprietary format for sending security information back and forth.
Following the risk group's successful use of Web services, the concept is now spreading to other areas within JPMorgan. "We see Web services as a very significant technology," says John O'Hara, global architect for institutional equities at JPMorgan Chase. "Opening up and standardizing the technical aspect across both public and private networks is very important."
"The biggest opportunity for Web services is in linking our front-end applications, which are predominantly Microsoft-platform based, with our back-end applications, which are mainly J2EE and Java based," says O'Hara. "The only bridge that we have to link those two islands together is Web services and that's the bet that we're making."
Mark Etherington, global head of infrastructure and architecture for institutional equities at JPMorgan Chase, adds that his group is using Web services as an important enabler between two technologies, allowing integration and communication between different systems.
More specifically, Web services are being used to allow Investment Bank Portal users to access multiple products in the same fashion. "Web services are being used as the glue between the IB Portal to get some consistency and uniformity for the client experience," says Etherington. The information that clients can access through this format ranges from standard-benchmark data to underlying instruments and key contact information, as well as links to JPMorgan research and other research sites. "It's a simple paradigm of product tabs and keys and consistent layouts across product lines," he adds.
O'Hara also points out that the Web-services architecture leverages existing Web infrastructure within the firm, which drives down the total cost of ownership. The Web-services interfaces also have a significantly lighter footprint and are more easily managed.
He describes the Web-services concept as similar to a Web page that is used for an application. "The technology a browser uses to read a Web page is the same technology an application can use to access another application's services," he says. "So the same types of technology we've been using can be retargeted to Web services."
These Web services technologies are predominantly used in the pre-trade area and are replacing "very arcane technologies done before - mainly CORBA, DCE and COMM," says O'Hara. "Web services makes it much easier - people can understand how to link together using XML and http." In the future, O'Hara sees the Web-services model being extended into the post-trade area. "We'd be looking into the transactional systems and repositories and enabling access across multiple areas," he says.
The Sites Served Up
- The Credit-Risk-Management Web site (CRM) - contains mostly static-content information about the credit-risk group, its systems, and inter-system workflow. This site uses SSO for access to some of the more interactive features, like its shared-document repository (users can upload/catalog documents to a browser-based shared drive).
- The DCEM / EDG Shared Interface (DESI) - provides workflow and reporting around the credit-charge process, allowing EDG (Equity-Derivatives-Group) users in the middle office to collaborate electronically with DCEM (the group responsible for monitoring the upload of initial credit charges). Credit-charge calculations are performed downstream in a strategic system called Sampras (used by other businesses too, not just equities).
- Pay As You Go (PAYG) - With some short-lived deals, or deals based on exotic instruments, it is sometimes more advantageous to calculate the credit charge using a customized calculation methodology, rather than feeding the deals downstream to Sampras, which cannot handle certain exotics.