Cloud platforms and cloud-based solutions are a reality. More and more businesses are taking advantage of hosted software, solutions and services, outsourcing non-core competencies to lower costs and increase productivity.
For businesses looking to accelerate time to value, it is easier to build upon existing assets rather than start from scratch. In a cloud environment, asset sharing and reuse becomes imperative. A new asset, for example, a specialized application for a small number of users, can easily be created by importing an existing asset (perhaps another existing application) and tweaking it for a specialized purpose.
Software as a Service (SaaS) applications such as IBM® Blueworks Live that allow business users to collaborate, create and share assets, are considered to be asset-centric. In the case of Blueworks Live these are business process management (BPM) assets that can be shared with others in the team.
For such asset-centric SaaS applications, it is important to provide the right amount of isolation and sharing features. Certain assets may be shared with the entire cloud community, while others may be confidential and available only within a tenant boundary. While securing assets within a tenant's boundary is imperative, asset-centric collaboration between tenants is also desirable. We call this collaborative multi-tenancy, wherein users across tenant boundaries can work together to develop and share artifacts, if they so choose.
In the course of building out several SaaS applications, we have used the IBM Rational Asset Manager as a shared component in the IBM Cloud to satisfy many requirements around asset-centric collaboration. IBM Rational Asset Manager is a collaborative software development tool that organizations can use to identify, manage, and govern the design, development, and consumption of software assets and services. Think of it as a repository of assets coupled with a rich set of asset-centric functions such as upload, download, search, reporting, governance, to name a few. It handles any kind of asset, including applications, components, patterns, software that runs systems and products, services, frameworks, and templates.
This article shows an approach that enables collaborative multi-tenancy using Rational Asset Manager and describes the crucial role that RAM plays in supporting collaboration, while maintaining the desired levels of asset isolation and privacy for multi-tenant applications. Find practical information on how to provision, configure and manage RAM in the IBM Cloud.
Asset isolation and sharing in a multi-tenant environment
Asset isolation and sharing is the ability to support the scenario where an asset that belongs to one tenant is not visible to another tenant, unless that behavior is explicitly requested. This behavior can be achieved easily utilizing the "asset communities" concept that is provided by RAM.
Rational Asset Manager defines asset communities as collections of assets that are grouped by a common use and purpose. A community is an environment in which users interact with a group of related assets. Community administrators assign roles and permissions to users and user groups to set different levels of access to the community. This scoping can be utilized to implement asset isolation as follows:
- For every tenant, create an asset community in Rational Asset Manager with the tenant administrator as the community administrator. This asset community is private. Assets in this community are visible only within the tenant boundary.
- All the registered users of the tenant become registered members of this asset community with the ability to publish and download assets.
- When publishing an asset, users can publish to the community by default.
- Optionally, allow each community administrator to set up additional roles for the users in their organization, for example, to support an asset review or governance process.
Public asset communities
To promote collaboration across tenant boundaries and enable new patterns of partnerships between tenants, thereby driving greater value for the overall cloud community, a SaaS provider might want to create some public asset communities, and prime them with some assets that can be reused by all the tenants. Tenants wanting to seek feedback on an asset, or collaboratively develop an asset with another tenant may also want to leverage a public asset community:
- Create one or more public asset communities in Rational Asset Manager.
- Create implicit membership for public communities, where every user registered in your cloud solution is automatically a member of these public communities.
- Allow any registered user to publish and download assets from the public communities.
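The private and public community rules above can be stated as a small authorization model. This is an added example, not Rational Asset Manager code or its API; the class, method, tenant and user names are hypothetical and serve only to show the visibility decision.

```python
# Added illustration of the community scheme; names are hypothetical and this
# is not the Rational Asset Manager API.
from dataclasses import dataclass, field


@dataclass
class Community:
    name: str
    public: bool = False
    admin: str = ""
    members: set = field(default_factory=set)
    assets: set = field(default_factory=set)


class AssetRepository:
    def __init__(self):
        self.communities = {}
        self.registered = set()   # every user registered in the cloud solution
        self.home = {}            # user -> their tenant's private community

    def add_public_community(self, name):
        self.communities[name] = Community(name, public=True)

    def add_tenant(self, tenant, admin):
        # One private community per tenant, administered by the tenant admin.
        self.communities[tenant] = Community(tenant, admin=admin)
        self.register_user(tenant, admin)

    def register_user(self, tenant, user):
        self.communities[tenant].members.add(user)
        self.registered.add(user)
        self.home[user] = tenant

    def is_member(self, user, community):
        c = self.communities[community]
        # Public communities have implicit membership for all registered users.
        return user in self.registered if c.public else user in c.members

    def publish(self, user, asset, community=None):
        # The default target is the publisher's own tenant community.
        target = community or self.home.get(user)
        if target is None or not self.is_member(user, target):
            raise PermissionError(f"{user} may not publish to {target}")
        self.communities[target].assets.add(asset)

    def visible_assets(self, user):
        # A user sees only assets in communities they belong to.
        return {a for name, c in self.communities.items()
                if self.is_member(user, name) for a in c.assets}
```

An asset crosses a tenant boundary only when a member explicitly publishes it to a public community; nothing in a private community is reachable by membership in another tenant.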
Figure 1 shows the architecture for asset sharing and isolation.
Figure 1: Asset isolation and sharing between cloud tenants
Provisioning Rational Asset Manager in the IBM Cloud
The IBM Cloud offers an image of Rational Asset Manager, currently version 126.96.36.199. Use the Add Instance wizard, as shown in Figure 2, to provision a VM that has Rational Asset Manager installed on it. This Rational Asset Manager instance is running on embedded IBM WebSphere Application Server. It is useful for development and testing purposes.
Figure 2: RAM single instance image in IBM Cloud
However for a production environment, you need to install a Rational Asset Manager cluster for workload balancing and failover capabilities. At this time the IBM Cloud does not provide such a production image so you have to set it up yourself. In the following section, we share our experiences.
Configuring a Rational Asset Manager Cluster in the IBM Cloud
The basic idea is to start from the base Red Hat Enterprise Linux (RHEL) image and then build up the Rational Asset Manager cluster. Figure 3 shows the overall topology. Each rounded rectangle represents a VM running in the IBM Cloud. Specifically:
- RAM Node 1 and RAM Node 2: A 2 node Rational Asset Manager cluster, each node running two Rational Asset Manager servers. It is possible to scale by adding more nodes and/or more Rational Asset Manager servers within a node.
- RAM Deployment Manager and License Server: The Rational Asset Manager setup application, which orchestrates the installation and configuration of Rational Asset Manager on a cluster, must be installed on the deployment manager node. The Rational License Server must be installed with sufficient license keys to allow the anticipated level of concurrent user access to Rational Asset Manager.
- Rational Asset Manager Load Balancer: A VM that distributes the load across the Rational Asset Manager servers. This VM is the entry point for any client that wants to use the Rational Asset Manager cluster.
- Storage Mount VM: A VM attached to the IBM Cloud storage which is used to store the assets.
- Database: A shared VM in the system for a database server.
- LDAP: A shared VM in the system for a user directory.
Figure 3: Rational Asset Manager running in production environment on the IBM Cloud
Configuring the RAM Nodes and Deployment Manager is a multi-step process that is well explained in the product documentation. The following sections describe the additional configurations that are necessary to make the cluster work in the IBM Cloud.
Shared storage for assets
Rational Asset Manager uses the file system to store the artifacts. When you configure Rational Asset Manager, you must specify a folder location for persisting files and indexes. In a cluster environment, the folder must be on a shared drive so that all Rational Asset Manager servers can access the folder.
On the IBM Cloud, the equivalent capability can be realized using IBM Cloud Storage. As discussed in Best practices to architect applications in the IBM Cloud, the IBM Cloud Storage allows you to persist and share files between multiple VMs. Figure 3 shows the Storage Mount VM that is attached to the IBM Cloud Storage that was provisioned.
A Network File System (NFS) server is already available on the Storage Mount VM RHEL image and just needs to be configured and started. The NFS client is also started on each RAM Node to attach to the Storage Mount VM. With this setup, Rational Asset Manager can store the user artifacts on the IBM Cloud Storage, as depicted in Figure 3.
Rational Asset Manager uses Rational Common Licensing for license enforcement. You need to provide a permanent license key or set up a Rational License Server with the required FLEXlm license keys, and configure Rational Asset Manager to connect to the License Server.
To generate FLEXlm-based license keys, you need the host ID of the machine on which the Rational License Server is installed. The host ID is used to identify the hardware to which you are registering your key. Host IDs can be disk serial numbers or MAC addresses. License key files run only on the License Server that was specified when they were generated.
The license keys that are served by the Rational License Server depend on the MAC address or disk serial number. In a cloud environment where VMs can be deleted and re-provisioned, for example to recover from failure, this can pose a new challenge. This is because the MAC address of a re-provisioned VM on the IBM Cloud is not the same as the MAC address of the previously de-provisioned VM even though they can have the same static IP.
So, in the event that the host ID of your Rational License Server changes, you must reissue licenses for the new host and register them with the License Server. Alternatively, having a permanent license lets you bypass the License Server altogether.
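The host ID drift described above can be caught before users hit license errors by comparing the host ID in the license file with the MAC addresses of the running VM. This is an added example, not IBM tooling; it assumes the usual FLEXlm `SERVER <host> <hostid> [port]` line and a Linux host, and the host name and MAC values in the sample are constructed.

```python
# Added illustration, not IBM tooling: detect that a re-provisioned License
# Server VM no longer matches the host ID in its FLEXlm license file.
import glob
import re


def license_host_ids(license_text):
    """Return the host IDs from SERVER lines (SERVER <host> <hostid> [port])."""
    ids = []
    for line in license_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "SERVER":
            ids.append(parts[2])
    return ids


def normalize_mac(value):
    """Reduce a MAC to 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[:\-.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def local_macs(pattern="/sys/class/net/*/address"):
    """MAC addresses of this Linux host's interfaces (loopback excluded)."""
    macs = set()
    for path in glob.glob(pattern):
        with open(path) as fh:
            mac = normalize_mac(fh.read().strip())
        if mac and mac != "0" * 12:
            macs.add(mac)
    return macs


def check_license(license_text, macs):
    """Classify each host ID: 'ok', 'mismatch' (reissue needed) or 'not-mac'."""
    result = {}
    for host_id in license_host_ids(license_text):
        mac = normalize_mac(host_id)
        if mac is None:
            result[host_id] = "not-mac"  # e.g. a disk serial; check separately
        else:
            result[host_id] = "ok" if mac in macs else "mismatch"
    return result


# Constructed sample license header; host name and MAC are made up.
SAMPLE = "# constructed sample\nSERVER licsrv01 00163e5a1b2c 27000\n"
```

Calling `check_license(license_text, local_macs())` from the License Server VM's activation or monitoring step flags a `mismatch` as soon as the VM is re-provisioned with a new MAC address.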
On ramp to enterprise
If a tenant wants to on ramp assets from the cloud environment into their enterprise environment that sits behind the corporate firewall, they can also authenticate via the Rational Asset Manager Eclipse Asset Management perspective, and then browse or import their assets. This is shown in Figure 4.
Figure 4: Using Eclipse Rational Asset Manager client to import assets into Enterprise
The deployment configuration to support accessing Rational Asset Manager from both a browser environment and an Eclipse environment turns out to be a bit tricky, depending on how it is accessed. RAM uses both form-based authentication (using a browser) and basic access authentication (using Eclipse). Hence, you must configure your platform access to support both basic and form-based authentication to enable both cloud access and on-premise access scenarios. This solution deploys a cluster of WebSEAL instances that are configured for both basic authentication and form-based authentication. Traffic is routed to the appropriate WebSEAL instance based on the HTTP header in the incoming request. The role of WebSEAL in the overall solution will be explained in more detail in future articles.
Managing and monitoring Rational Asset Manager in the cloud
For each VM in Figure 3, activation scripts describe the sequence of actions that are required to start up the servers and services on that particular VM. For example, an activation script may include steps like starting up the NFS client, starting the WebSphere® Application Servers, and mounting the required shared storage. This ensures that if a VM is rebooted, it will come back up with all the services started up and accessible automatically.
IBM Tivoli® Monitoring is deployed in the IBM Cloud to monitor the performance and the availability of all our cloud VMs. By creating a number of agents to monitor URLs, logs and network connectivity, we were able to detect problems and, in many cases, recover from them automatically without human intervention. In the case of the Rational Asset Manager sub-system, the failures that we detect and attempt to recover from include:
- Inaccessible shared storage.
- One or more RAM servers are down or not responding.
- Errors in logs (e.g. ramDebug.log, SystemOut.log) such as license errors, connectivity issues, hung threads.
- Unavailable shared database server.
Future articles will describe how IBM Tivoli Monitoring can be deployed and configured to automate the monitoring and recovery of your cloud solutions.
Asset governance and security
In addition to getting your Rational Asset Manager production cluster up and running reliably in the IBM Cloud, you should also think through how you want to define the taxonomy and governance processes for your assets.
While there is no one answer here, and the best fit for your cloud solution might be different from someone else's solution, here are a few tips that may be useful to consider:
- What is the list of asset types that make sense for your cloud solution? For example, you might have high-level architectures and design assets, implementation assets, and even marketing and demos assets.
- Consider defining additional classification attributes on your asset types so that they can be used to facilitate search. For example, classification based on industry (such as retail or health care), domain within an industry, maturity level (such as level 1, 2, 3), adoption pattern, customization characteristics (for example, as-is vs. configurable).
- What are the semantic considerations for fine-grained access control on your assets? For example:
  - Who can create an asset?
  - Who can delete an asset?
  - Can a user view or modify another user's assets?
  - Can a user share an asset with another user?
  - Is re-sharing of an asset allowed?
Although these considerations may not be specific to cloud deployment, the intrinsic sharing nature of the cloud makes it more important to consider these standard practices up front, and minimize changes after the solution is deployed, which can then affect many tenants.
This article described how asset-centric collaboration can bring together like-minded organizations to build applications at a fraction of the cost of traditional methods. Such a cloud solution lets users leverage popular social networking technologies to interact more with each other; yet still preserve the level of security, governance and integrity that are necessary for enterprise assets. This article also demonstrated how to unleash the power of asset-centric collaboration by deploying a cloud solution that is built on Rational Asset Manager.