
Federated CCM Management

Overview

The CloudCenter platform supports a Federated CCM Management infrastructure.

A Federated CCM Management infrastructure refers to a collection of CCM servers that are connected as a federation of networks to enable information sharing, reduce complexity, and improve management flexibility within a private cloud infrastructure.

Concepts

Term | Description

Parent Manager (or CCM)

The CCM that centrally manages all its registered child CCMs.

A Parent CCM can in turn become a child of another Parent CCM, resulting in a Federated CCM Management architecture that can be N levels deep.

Subordinate Manager (Subordinate CCM or Child CCM)

The child CCM that is currently being managed by the Parent CCM.
Linked Manager (or Linked CCM)

Once a Parent CCM and a child CCM establish a trust relationship using TLS-encrypted TCP Port 8443, the linked child CCMs are displayed in the parent CCM UI's Linked Manager tab.

The linked CCMs are only displayed to users with View or Manage permissions for a linked CCM.

Federated user

A common user in both the Parent CCM and a linked Subordinate CCM.

Benefits

Federated CCM management has the following benefits:

  • Allows you to use an on-premise, private CCM (Parent CCM) to configure, launch, and monitor applications locally within a Datacenter or Private Cloud infrastructure, and if required, within a Public Cloud deployment (Subordinate CCM) using a hosted service deployment.
  • Enables the Parent CCM to delegate existing Roles, Permission Control (Federated CCM Management), Application Profile, Financial Control, and other management functionalities to the Subordinate CCMs.
  • Ensures that each linked Subordinate CCM reports the CloudCenter Cost and Fees and the metrics collected from Policy Management APIs to its Parent CCM.
  • Ensures that the cost incurred by the use of public cloud deployments is billed to the appropriate Subordinate CCM's account.

Firewall Communication

Each CCM in a federated architecture is an isolated CCM and does not allow browser access outside the firewall.

In the example depicted above:

  • Each CCM manages its own set of public, private, or hybrid clouds.
  • The application running cost and the deployment summary is reported to the Parent CCM by the Subordinate CCMs.

The Parent CCM can:

  • Integrate using SSO – the tenant admin establishes the link relationship and tracks costs.
  • Communicate with linked Subordinate CCMs and vice versa.
  • Selectively (just the user's Parent Manager operations or all usage, including remote operations) enforce Usage Plans and Fees for a user if created from the Parent CCM UI.
  • Aggregate cost reports from Subordinate CCMs.
  • Monitor basic application deployment summary on Subordinate CCMs.
  • Enforce usage plans (including remote operations) for the same user.

User interaction:

  • Users in Subordinate CCMs: Must be manually created and can have different passwords.
  • Users can perform remote operations on a Subordinate CCM from outside the firewall as long as they connect to the Parent CCM UI.
  • Users are restricted to operations based on:
    • The Permission Control (Federated CCM Permissions) level assigned to them on the Subordinate CCM.
    • Operations allowed by the Parent CCM on the Subordinate CCM.
  • Federated users see an additional dropdown list of Managed CCMs next to their login name.

Process Behind the Firewall

To set up federated managers behind a firewall, follow this procedure (as applicable for your use case).

  1. Create a DNS entry for the external IP of the Parent CCM.
  2. When you Configure and Set Up the CCM VM using the wizard, enter the DNS name in the Public DNS field and the CloudCenter External URL (outface DNS) in the Server_Info field. See CloudCenter External URL for additional context.
  3. Add a line to the CCO server's /etc/hosts file with the internal IP of the Parent CCM. This allows the CCO to communicate internally with the CCM.
  4. Add a line to the AMQP server's /etc/hosts file with the internal IP of the Parent CCM. This allows the AMQP to communicate internally with the CCM.
  5. When linking the Federated Managers, enter the DNS name in the link request. A subordinate CCM residing behind a firewall does not automatically require a DNS name of its own.
    • If your setup includes Network Address Translation, the public IP of the parent CCM is used in the link request.
    • If the subordinate CCM also acts as the parent of another federated CCM, then it needs a DNS name of its own.

User Management

User management differs based on the use of SSO.

SSO Used? | CCM Password Storage | User Management Details

Yes | The password is NOT stored in the CCM database. | SAML SSO is used at the tenant or system level (see SSO AD for additional details).
  • Shared User Directory: If both the Parent CCM and the Subordinate CCM share the same IDP and user directory, this integration continues to work in the Federated CCM architecture.
  • Restricted User Directory: If the user directory cannot be shared in your Federated CCM model, then tenant administrators for the federated CCMs must collaborate to identify and share a set of common users who are allowed to perform remote operations and resource propagation.

No | The user password is stored as a one-way salted hash in the CCM database. | The same user must exist in both the Parent CCM and the Subordinate CCM tenants.
  • This user can have different passwords.
  • The tenant administrators for the federated CCMs must collaborate to map this user in the required CCM.

Sometimes | SSO: the password is NOT stored in the CCM database. Without SSO: the user password is stored as a one-way salted hash in the CCM database. | If your federated model uses SSO selectively (only some CCMs use SSO):
  • The tenant administrators for the federated CCMs must collaborate to identify and share a set of common users who are allowed to perform remote operations and resource propagation.
  • The user can have different passwords.

Identity Management and User Authentication

CloudCenter CCM supports SAML-based SSO at the tenant level or the system level. See SAML SSO for additional details.

In a clustered CCM environment, you must enable SSO on both the Parent and Subordinate CCMs.


Establishing a Trust Relationship

All communication between federated CCMs is based on the HTTPS protocol, defaulting to Port 8443. The Parent CCM can only communicate with mutually authenticated Subordinate CCMs. See Phase 2: Configure Firewall Rules > CCM for precise port information.

To allow a parent CCM to manage the subordinate CCM, the subordinate CCM tenant administrator must be registered with the parent CCM tenant. Admins can link:

  • One Subordinate CCM tenant to only one Parent CCM tenant
  • Multiple tenants within one Subordinate CCM to one Parent CCM tenant

Parent CCM Link Initiation

During the federated registration process, the tenant admin for the Parent CCM initiates the request to link to a Subordinate CCM by providing the Subordinate CCM's URL and Tenant Name along with the tenant admin's credentials (email and password).

See Sub-Tenants for additional context on Tenant ID and Tenant name dependencies.

CCMs must be linked and have certificates issued by the same root Certificate Authority (CA). See Certificate Authentication for additional context.

At this point, the tenant admin for the Subordinate CCM receives a request and can decide the permissions to provide to the Parent CCM. The available options are:

You can change these permissions even after the link exchange is established. Other than these permission options, all other information is visible and accessible by the Parent CCM and can be invoked on the Subordinate CCM.

Once the tenant admin for the Subordinate CCM approves the link request, the federated registration is established.

Subordinate CCM Link Handling

When the Parent CCM sends a new link request, the information for this link is displayed in the Subordinate CCM's Linked Subordinate Managers page. The Child CCM tenant admin receives an email and a system notification on the first login after the request is sent.

The tenant administrator can view link requests from the Parent CCM in the CCM UI and use the provided icons to perform the following tasks:

  • Obtain more information on each linked server
  • Reject a link request (once approved, the Subordinate CCM cannot delete the link to the Parent CCM)
  • Approve or decline a link request

Federated Handshake

Once a link request is approved between the parent and the subordinate, the Subordinate CCM admin must import the parent certificate into its trust store and send its own certificate back to the parent.

The Parent CCM admin can review and decide to accept or reject the certificate.

If this handshake using each other's certificate is mutually authenticated, the link is successfully established. Otherwise, CloudCenter displays an error message.

Status

The following table identifies the states displayed in the Status column for Federated CCMs:

Status | Description

PENDING | The request is still pending; this status displays on the Parent CCM UI.

Approved | The link was successfully established; this status displays on the Parent CCM UI.

Rejected | The request was declined by the Subordinate CCM's admin; this status displays on the Parent CCM UI (see the previous image).

Pending ACK | The request was approved but the link is not yet mutually authenticated; this status displays on the Parent CCM UI.
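The link lifecycle described in the Federated Handshake and Status sections, modelled as a small state machine. This is an added example, not CloudCenter code; the status strings follow the table above, and the root-CA identifiers, method names and permission values are hypothetical. It makes two rules explicit: Approved requires both sides to trust each other's certificate (otherwise the link stays in Pending ACK), and once a link is approved only the Parent CCM can disable it, while permissions remain editable at any time.

```python
"""Federated link state machine (added example; not CloudCenter's own code)."""
from dataclasses import dataclass, field

# Status values as shown in the Parent CCM UI (from the page's Status table).
PENDING = "PENDING"          # request sent, subordinate admin has not decided yet
REJECTED = "Rejected"        # subordinate admin declined the request
PENDING_ACK = "Pending ACK"  # approved, but certificates not yet mutually accepted
APPROVED = "Approved"        # mutually authenticated; link established


@dataclass
class FederatedLink:
    parent_root_ca: str         # hypothetical identifier of the parent's root CA
    subordinate_root_ca: str    # hypothetical identifier of the subordinate's root CA
    status: str = PENDING
    subordinate_trusts_parent: bool = False   # parent cert imported into subordinate trust store
    parent_trusts_subordinate: bool = False   # parent admin accepted the subordinate cert
    permissions: set = field(default_factory=set)
    disabled: bool = False

    def _require(self, expected):
        if self.status != expected:
            raise ValueError(f"expected status {expected!r}, link is {self.status!r}")

    def subordinate_decide(self, approve, permissions=()):
        """Subordinate admin approves (choosing parent permissions) or rejects."""
        self._require(PENDING)
        if not approve:
            self.status = REJECTED
            return self.status
        self.permissions = set(permissions)
        self.status = PENDING_ACK
        return self.status

    def subordinate_import_parent_cert(self):
        """Subordinate admin imports the parent certificate into its trust store."""
        self._require(PENDING_ACK)
        self.subordinate_trusts_parent = True
        return self._try_establish()

    def parent_review_subordinate_cert(self, accept):
        """Parent admin reviews the certificate sent back by the subordinate."""
        self._require(PENDING_ACK)
        if not accept:
            return self.status          # stays Pending ACK; UI shows an error
        if self.parent_root_ca != self.subordinate_root_ca:
            # Both CCMs must hold certificates from the same root CA.
            raise ValueError("certificates do not chain to the same root CA")
        self.parent_trusts_subordinate = True
        return self._try_establish()

    def _try_establish(self):
        # The link is established only when authentication is mutual.
        if self.subordinate_trusts_parent and self.parent_trusts_subordinate:
            self.status = APPROVED
        return self.status

    def update_permissions(self, permissions):
        """Permissions can be changed even after the link is established."""
        self.permissions = set(permissions)
        return self.permissions

    def subordinate_delete(self):
        """A subordinate may reject a pending request but not delete an approved link."""
        if self.status == APPROVED:
            raise PermissionError("only the Parent CCM can disable an established link")
        self.status = REJECTED
        return self.status

    def parent_disable(self):
        """Parent admin disables the link (Permissions dropdown > Disable)."""
        self._require(APPROVED)
        self.disabled = True
        return self.disabled


def establish_example():
    """Walk one link through approval and a mutual handshake."""
    link = FederatedLink(parent_root_ca="root-ca-A", subordinate_root_ca="root-ca-A")
    link.subordinate_decide(True, permissions={"view", "manage"})
    link.subordinate_import_parent_cert()     # still Pending ACK: parent has not accepted
    link.parent_review_subordinate_cert(True)  # now Approved
    return link
```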

Parent CCM Link Handling

The Parent CCM tenant administrator can perform the following tasks:

  • Obtain link details (click Details).
  • Set up/edit user permissions for a linked CCM (click Permissions).
  • Edit the link name (click Permissions dropdown arrow > Edit).
  • Disable a linked CCM (click Permissions dropdown arrow > Disable).

    If you disable a link, you will no longer have access to the established Child CCM.

  • Access each linked CCM (navigate/edit/manage within each linked CCM UI).

Cost Metering and Reporting

After the federated handshake, a common user for both the Subordinate CCM and the Parent CCM will share the SAME Usage Plan as the Parent CCM. When this user deploys an application (local to the Parent CCM, local to the Subordinate CCM, or remote to either CCM), CloudCenter meters and reports the application cost accordingly.

For example, if Tenant User A has the following plans as a federated user:

  • Parent CCM = Usage Plan 1
  • Subordinate CCM = Usage Plan 2

After the federated handshake, the following rules apply:

  • To enable federated billing, add the following line to the /usr/local/osmosix/etc/profile.properties file on both the Parent and Subordinate CCMs and restart the CCM service on each:
    echo "billing_type=federated_billing" >> /usr/local/osmosix/etc/profile.properties
  • The UI displays the local plan assigned to a user. When the user submits a job, if the same user also exists on the parent CCM, the plan on the parent CCM is displayed and used to verify the quota.
    The UI for the parent CCM displays the usage from linked deployments. For example, if the parent has a VM hour subscription plan, you see the hours used increase based on the jobs launched by the linked CCM. See Usage Summary Report for additional context.
  • Tenant User A is forced to have Usage Plan 1 on the Subordinate CCM as well. When this user performs local or remote operations, the usage is counted towards this user's usage plan on the Parent CCM. For example:
    • If Tenant User A's plan is a 100-VM plan (with an additional hourly overage rate) on the Parent CCM that already has 80 VMs running on its clouds, and the user has permission to deploy Hadoop remotely,
    • When Tenant User A remotely launches a 50-VM Hadoop cluster on the Subordinate CCM, then:
      • The 50 VMs are aggregated with the existing 80 VMs on the Parent CCM.
      • Tenant User A is charged the overage fees for the additional 30 VMs (80 + 50 = 130; 130 - 100 = 30) at the hourly overage rate specified by the 100-VM plan.
  • When Tenant User A deploys an application from the Parent CCM, it is metered, reported, and billed to the Parent CCM according to Usage Plan 1.
  • When Tenant User A remotely launches an application from the Subordinate CCM, it is:
    • Reported to both the federated CCMs.
    • Metered and Billed to the Subordinate CCM according to Usage Plan 1.
  • When Tenant User A directly logs into the Subordinate CCM and deploys an application that is local to the Subordinate CCM, it is metered and billed to the Subordinate CCM according to Usage Plan 1.
  • With the required permissions in place, Tenant User A can generate Global Reports from the Parent CCM:
    • To include the following information: Deployment Name, Application Name, User Launching the Application, Cloud Name, Start Time, End Time, Tags, and Cost.
    • The listed deployments include both locally and remotely launched application deployments
    • If Tenant User A is also its tenant admin, the report includes both the admin's deployments and all tenant user deployments.
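The metering and billing rules above, written out as code so the three documented cases (local to the parent, remote launch via the parent UI, local to the subordinate after a direct login) and the quota arithmetic can be checked. This is an added example, not CloudCenter code; the plan, deployment and record types are hypothetical, and combinations the page does not describe are rejected rather than guessed at.

```python
"""Federated cost metering rules (added example; not CloudCenter's own code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsagePlan:
    name: str
    vm_limit: int                 # VMs included in the plan (e.g. a 100-VM plan)
    overage_rate_per_hour: float  # hypothetical hourly rate per VM above the limit


@dataclass(frozen=True)
class Deployment:
    vm_count: int
    launched_from: str   # "parent" or "subordinate": the CCM UI the user used
    runs_on: str         # "parent" or "subordinate": the CCM whose clouds host it


@dataclass(frozen=True)
class MeteringRecord:
    plan: str            # usage plan applied
    billed_to: str       # CCM whose account is billed
    reported_to: tuple   # CCMs that see the deployment in their reports


def effective_plan(parent_plan, subordinate_plan, is_federated_user):
    """After the handshake a federated user is forced onto the parent's plan on both CCMs."""
    return parent_plan if is_federated_user else subordinate_plan


def meter(dep: Deployment, plan: UsagePlan) -> MeteringRecord:
    """Apply the page's three documented cases; anything else is not specified."""
    if dep.launched_from == "parent" and dep.runs_on == "parent":
        return MeteringRecord(plan.name, billed_to="parent", reported_to=("parent",))
    if dep.launched_from == "parent" and dep.runs_on == "subordinate":
        # Remote operation via the Parent CCM UI: reported to both, billed to the subordinate.
        return MeteringRecord(plan.name, billed_to="subordinate",
                              reported_to=("parent", "subordinate"))
    if dep.launched_from == "subordinate" and dep.runs_on == "subordinate":
        # Direct login to the Subordinate CCM, local deployment.
        return MeteringRecord(plan.name, billed_to="subordinate", reported_to=("subordinate",))
    raise ValueError(f"case not documented: {dep.launched_from} -> {dep.runs_on}")


def quota_check(plan: UsagePlan, running_vms: int, new_vms: int):
    """Aggregate usage against the parent plan; return (total, overage_vms, overage_per_hour).

    Usage from linked deployments counts toward the user's plan on the Parent CCM,
    so the parent's running total is what the new deployment is added to.
    """
    total = running_vms + new_vms
    overage_vms = max(0, total - plan.vm_limit)
    return total, overage_vms, overage_vms * plan.overage_rate_per_hour


def hadoop_example():
    """The page's worked case: 100-VM parent plan, 80 VMs running, 50-VM remote Hadoop cluster."""
    plan_1 = UsagePlan("Usage Plan 1", vm_limit=100, overage_rate_per_hour=0.25)  # rate is constructed
    plan_2 = UsagePlan("Usage Plan 2", vm_limit=20, overage_rate_per_hour=0.40)   # constructed
    plan = effective_plan(plan_1, plan_2, is_federated_user=True)
    cluster = Deployment(vm_count=50, launched_from="parent", runs_on="subordinate")
    record = meter(cluster, plan)
    total, over, cost_per_hour = quota_check(plan, running_vms=80, new_vms=cluster.vm_count)
    return record, total, over, cost_per_hour
```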

End-to-End Federated Management Configuration

The following use case depicts the flow to set up federated CCM management in both CloudCenter deployments and establish a link from the Parent CCM to the Subordinate CCM.

  1. Enable your CloudCenter deployment for the federated environment.

     Specific to Your Environment
    1. Review the concepts provided earlier in this section and apply them as applicable to your deployment requirements.
    2. Download the certificates ZIP file to each CloudCenter component to be linked in federated mode. The downloaded file for your federated environment is saved to your default download location. See Federated Certificate Management for additional details. 

    3. Repeat this process for each CCM server for each CloudCenter installation in your federated environment.
      1. Stop the server to update the downloaded certificate.

      2. Import the downloaded certificate file to the server.

        cd /usr/local/osmosix/
        jar xf /tmp/certs.zip ccm
        jar xf /tmp/certs.zip cco
        jar xf /tmp/certs.zip gua
      3. Enable federated billing on the server by adding the following line to the /usr/local/osmosix/etc/profile.properties file:

        echo "billing_type=federated_billing" >> /usr/local/osmosix/etc/profile.properties

      4. Change the permissions of the /usr/local/osmosix folder to cliqruser.

        chown -R cliqruser:cliqruser /usr/local/osmosix
      5. Restart the server.

    4. Configure the CCM server(s) in each CloudCenter installation to accept multiple CAs. See Federated Certificate Management for additional details. 

    5. Repeat this process for each CCO and Guacamole server for each CloudCenter installation in your federated environment.

      1. Stop the server to update the downloaded certificate.

      2. Import the downloaded certificate file to each server.

        cd /usr/local/osmosix/
        jar xf /tmp/certs.zip ccm
        jar xf /tmp/certs.zip cco
        jar xf /tmp/certs.zip gua
      3. Restart the server.

    6. Identify the tenant to be linked in each CCM.

    7. Login to the Parent CCM.

    8. Login to the Child CCM.

  2. Initiate a federated link.

     Parent CCM - Initiate Link
    1. From the Parent CCM navigate to Admin > Linked Managers > Linked Subordinate Managers and click Send a Request. The Request a Linkage window pops up.
    2. Provide a name and Server Location Address (IP Address) for the Subordinate CCM and click Send.
    3. The Linked Subordinate Managers page refreshes to list the link request status. The following image displays the Pending Approval status that is displayed in the Parent CCM once the link request is sent.

      You have just initiated a federated link request from the Parent CCM.
  3. Approve the link request.

     Child CCM - Approve Link Request
    1. In the Child CCM, click Admin > Linked Managers > Linked Subordinate Managers to view the request from the Parent CCM. As this request is from the Parent CCM, you will see it listed in the Parent Managers section.
    2. Click Details in the Actions column. The Link Details page displays the Parent CCM link request information.
    3. In the Parent Manager Permissions section, select the permissions to allow the parent CCM's tenant admin. You can check one or more of the options provided in this section.

      After you approve the link request initiated by the Parent CCM, you cannot delete the link from the Child CCM. Only Parent CCMs can revoke linked CCMs.

      However, you can update the options provided in the Parent Manager Permissions section at any time after the link is established.

    4. Click Approve in the Child CCM's Link Request page to accept this link request from the Parent CCM. The Approve Parent Manager window pops up to confirm your action.
    5. Click OK in the Approve Parent Manager popup. At this point two status updates occur:
      1. The Child CCM's Linked Managers page displays the Pending Confirmation status in the Parent Managers section.
      2. The Parent CCM's Linked Managers page displays the Pending Confirmation status in the Linked Subordinate Managers section.
      This state in both CCMs indicates that the Child CCM has approved the link request from the Parent CCM. However, the link is not established until the Parent Manager tenant admin confirms the link that has been approved by the Child CCM tenant admin.
  4. Accept the link confirmation.

     Parent CCM - Establish Link Confirmation
    1. From the Parent CCM navigate to Admin > Linked Managers > Linked Subordinate Managers and click Details in the row that displays the Pending Confirmation status for the recently approved Child CCM link request. The Link Details window pops up.
    2. Review the permissions granted by the Child CCM and click Confirm to establish the link. The Approve Subordinate Manager popup displays to confirm your action.
    3. Click OK in the Approve Subordinate Manager popup. At this point, multiple events occur:
      1. On the Parent CCM:
        • The Linked Managers page displays the success status message at the top of the Linked Subordinate Managers section and the Status column displays Approved to indicate that the link is now established.
        • The managed CCMs listed in an additional field located right next to the login name now includes the Child CCM. This dropdown field displays all available managed CCMs and you can toggle from one managed CCM to another.
      2. On the Child CCM:
        • The Linked Managers page displays the Approved status in the Parent Managers section's Status column.
        • The managed CCMs listed in an additional field located right next to the login name now includes the Parent CCM. This dropdown field displays all available managed CCMs and you can toggle from one managed CCM to another.
        You have now established the link confirmation!
  5. Set up/edit user permissions for the linked CCM(s).

     Parent CCM - User Permissions
    1. Access the Parent CCM's Linked Subordinate Managers page.
    2. Click Permissions to configure the user permissions. The Permissions popup displays.
  6. Test your federated CCM setup.

     Parent CCM - Test Setup
    1. Access an application from the Parent CCM.
    2. Make a simple change to the application – for example, adding a logo or changing the description.
    3. Save your changes.
      Your changes are immediately effective on the Child CCM, even though you are accessing it from the Parent CCM.
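The Process Behind the Firewall steps (adding Parent CCM entries to /etc/hosts on the CCO and AMQP servers) and the billing step above (appending billing_type=federated_billing to profile.properties) both edit a text file that may already contain the line, and the procedure is repeated once per server. This added helper (not CloudCenter code) makes both edits idempotent: an existing billing_type value or a stale hosts entry for the same name is replaced rather than duplicated, and the file is written atomically. Paths are taken as parameters; the demo runs against constructed files in a temporary directory, and the IP and hostname values in it are constructed.

```python
"""Idempotent edits for /etc/hosts and profile.properties (added example)."""
import os
import re
import tempfile


def ensure_line(path, line, key_pattern=None):
    """Ensure `line` is present in `path` exactly once.

    If key_pattern (a regex) is given and an existing line matches it, that line is
    replaced; otherwise the line is appended. Returns True when the file changed.
    """
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []
    if line in lines:
        return False                       # already present: nothing to do
    if key_pattern is not None:
        rx = re.compile(key_pattern)
        for i, existing in enumerate(lines):
            if rx.match(existing):
                lines[i] = line            # replace the stale value in place
                break
        else:
            lines.append(line)
    else:
        lines.append(line)
    tmp = path + ".tmp"                    # write-then-rename so a crash never truncates the file
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)
    return True


def set_property(path, key, value):
    """Set key=value in a Java-style properties file (commented-out keys are not matched)."""
    return ensure_line(path, f"{key}={value}", key_pattern=rf"^\s*{re.escape(key)}\s*=")


def add_hosts_entry(path, ip, hostname):
    """Map hostname to ip in an /etc/hosts-style file, replacing an earlier entry for that name."""
    return ensure_line(path, f"{ip}\t{hostname}",
                       key_pattern=rf"^\s*\S+\s+{re.escape(hostname)}(\s|$)")


def read_property(path, key):
    with open(path) as fh:
        for raw in fh:
            k, sep, v = raw.partition("=")
            if sep and k.strip() == key:
                return v.strip()
    return None


def demo():
    """Run both edits twice against constructed files and report what happened."""
    workdir = tempfile.mkdtemp()
    props = os.path.join(workdir, "profile.properties")
    hosts = os.path.join(workdir, "hosts")
    with open(props, "w") as fh:
        fh.write("# constructed sample\nbilling_type=standalone\n")   # stale value to be replaced
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1\tlocalhost\n192.0.2.10\tparent-ccm.example.internal\n")  # constructed
    first = set_property(props, "billing_type", "federated_billing")
    second = set_property(props, "billing_type", "federated_billing")
    changed = add_hosts_entry(hosts, "192.0.2.20", "parent-ccm.example.internal")  # internal IP moved
    unchanged = add_hosts_entry(hosts, "192.0.2.20", "parent-ccm.example.internal")
    with open(props) as fh:
        props_text = fh.read()
    with open(hosts) as fh:
        hosts_text = fh.read()
    return {
        "first": first, "second": second,
        "billing_type": read_property(props, "billing_type"),
        "billing_lines": props_text.count("billing_type="),
        "hosts_changed": changed, "hosts_unchanged": unchanged,
        "host_lines": hosts_text.count("parent-ccm.example.internal"),
        "new_ip_present": "192.0.2.20" in hosts_text,
        "old_ip_present": "192.0.2.10" in hosts_text,
    }
```

Running the same step on a server twice is the normal case when the procedure is repeated per CCM, CCO and Guacamole host; the return value tells a wrapper script whether a restart is actually needed.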


Troubleshooting

  • When a Parent CCM initiates a request from the UI to create a Federated link to a subordinate CCM for a root tenant, the request fails if the root tenant is ALSO assigned a tenant short name in the same session. To work around this issue, log out from the UI on the parent CCM and log back in; the initial link request from the parent CCM then succeeds.

  • If you change the vendor short name, you must log in to the UI again. See Sub-Tenants > Tenant ID and Tenant Name Dependency for additional context.

  • Users cannot propagate a suspension policy or an aging policy from the parent CCM to a subordinate CCM for a tenant in Federated mode.

© 2017-2019 Cisco Systems, Inc. All rights reserved