Technical white paper

HP CloudSystem Enterprise
Creating a multi-tenancy solution with HP Matrix Operating Environment and HP Cloud Service Automation

Table of contents
Executive summary
Multi-tenancy overview
Multi-tenancy in CloudSystem Enterprise
  HP 3PAR Storage
  HP BladeSystem c-class
  HP Virtual Connect
  HP Matrix Operating Environment
  HP Cloud Service Automation
How to implement multi-tenancy in HP CloudSystem Enterprise
Reference implementation
  Overview
  Test configuration
  Active Directory
  Matrix OE organizations
  Add organizations, providers, offerings, and blueprints in CSA
  Create and publish service offerings
  Deployment
Summary
For more information

Executive summary

As part of HP's Converged Cloud, HP CloudSystem enables enterprise and service providers to build and manage services across private, public and hybrid cloud environments on a simplified, integrated architecture. Based on proven, market leading HP Cloud Service Automation and Converged Infrastructure, HP CloudSystem is tailored for the requirements of enterprises and service providers at various stages of cloud maturity with three offerings:

- Entry configuration for infrastructure-as-a-service (IaaS) with HP CloudSystem Matrix that lets customers provision infrastructure and applications in minutes.
- Full-scale deployment of private and hybrid cloud environments with HP CloudSystem Enterprise, which lets customers unify management across private, public and hybrid clouds and adds advanced infrastructure-to-application lifecycle management.
- Advanced capabilities for service providers with HP CloudSystem Service Provider, facilitating deployment of public and hosted private clouds that deliver complete service aggregation and management.

HP CloudSystem Enterprise helps customers deploy the full service models delivered directly to the line of business teams that are highly flexible, scalable and customizable. This offering provides an integrated catalog of easy-to-order services and applications, while automating service provisioning by matching workloads to server, storage and networking resources. Line-of-business users can manage the full lifecycle from discovery to provisioning, patching to configuration management, and script execution to compliance assurance.

While HP CloudSystem Enterprise is optimized to work in an HP environment, customers can extend and protect their investment by integrating legacy infrastructure and software into CloudSystem's hybrid cloud environment. For further information about HP CloudSystem Enterprise, refer to the solution brief.

This document describes multi-tenancy features in HP CloudSystem Enterprise.
It covers the integration between the different components of CloudSystem Enterprise to create a multi-tenancy solution. A sample reference implementation is used to describe and illustrate the integration.

Target audience: The intended audiences of this white paper are system integrators, installers, and administrators of CloudSystem Enterprise. One should be familiar with CloudSystem Enterprise, HP Matrix Operating Environment (Matrix OE), HP Matrix OE Infrastructure Orchestration (HPIO), and Cloud Service Automation (CSA).

Multi-tenancy overview

Multi-tenancy in cloud computing allows for the dynamic and secure allocation of computing resources among organizations. Idle or under-utilized resources are no longer tied to a particular organization but instead can be available for other organizations to use. In an environment without multi-tenancy, each organization's resources are isolated in their respective silos. Each organization has their own set of dedicated servers, storage, and network resources.

Figure 1 shows how multi-tenancy breaks down computing barriers and makes all resources available to all organizations. Organizations often require network separation at some level. It is also possible to have all networks available to all organizations using Matrix OE multi-tenancy. In the sample diagram below, each organization has one network connection (solid line) but each could also be connected to other networks (dashed line).

Figure 1: Matrix OE multi-tenancy overview

Multi-tenancy in CloudSystem Enterprise

CloudSystem Enterprise uses a variety of resources to enable a full multi-tenancy solution. For hardware, these include HP 3PAR disk arrays for storage and HP BladeSystem c-class server blades with HP Virtual Connect for the networking. For software, these include the Matrix Operating Environment and HP Cloud Service Automation. Let's take a closer look at each component shown in Figure 2 and their multi-tenancy capabilities.

Figure 2: CloudSystem Enterprise multi-tenancy hardware and software components stack

HP 3PAR Storage

Multi-tenancy at the storage level can be implemented by using HP 3PAR Storage. HP 3PAR Virtual Domains Software delivers up to 1,024 Virtual Private Arrays with secure isolation of array management access to separate disk pools and hosts. By providing secure, administrative segregation of users and hosts within a shared storage infrastructure, HP 3PAR Virtual Domains allow individual user organization groups and applications to achieve multi-tenancy security as well as lower TCO management cost with greater flexibility. This functionality is highly leveraged by hosting providers to deliver virtual private array services and enterprise IT organizations to deliver self-service storage that is both secure and capable of high quality-of-service levels.

Each virtual domain shown in Figure 3 represents an organization. Multiple organizations can be grouped in a virtual domain set.

Figure 3: Virtual domain and virtual domain sets

HP BladeSystem c-class

HP BladeSystem server blades reduce data center sprawl, simplify management, and can be fully integrated with HP 3PAR storage through HP Virtual Connect. HP BladeSystem is the cornerstone of HP's Converged Infrastructure initiative and continues to lead the market in technology and innovation. In a multi-tenant configuration, blade servers can be dynamically allocated from one organization to the next. Under-utilized and unused servers can be allocated to other organizations that require more resources.

HP Virtual Connect

HP Virtual Connect provides the world's first wire-once interconnect solution for virtualized and cloud-ready environments. LAN or SAN connections are virtualized at the server edge for simplicity, flexibility, and mobility. A variety of Virtual Connect modules are available to enable this important piece of the multi-tenancy technology. Virtual Connect reduces configuration complexity, provides fast provisioning, lowers infrastructure cost, and reduces latency.

In a traditional LAN or SAN, the connection options could become large, complex, and difficult to manage. Changes in the server environment can place administrative burdens on LAN and SAN administrators. HP Virtual Connect reduces management complexity by introducing an abstraction layer between servers and external networks. The abstraction layer pools and shares LAN and SAN connections for servers. A server administrator uses Virtual Connect management software to create an I/O connection profile for each server. More than one connection profile can exist for a server but only one can be active on a server at a time. Any changes in the server environment are transparent to the LAN or SAN environments.

HP Matrix Operating Environment

HP Matrix Operating Environment (Matrix OE) is the common platform that manages and orchestrates converged infrastructure configurations and operations. Matrix OE is the glue that ties together all the components of a multi-tenancy configuration. Matrix OE can dynamically allocate servers, service offering templates, storage, and network connections to different organizations.

Matrix OE first introduced multi-tenancy features with version 7.0, which allows the dynamic and secure allocation of data center resources that are managed by Matrix OE among different user groups or organizations. Matrix OE can dynamically allocate specific servers, templates and network connections to an organization. This set of resources is then dedicated to the assigned organization and other organizations cannot access it.

Figure 4 shows a sample implementation of three organizations (Finance, Marketing, and Sales) sharing resources and how each organization's resources remain isolated. For example, the Finance organization, color-coded in blue, has a set of six compute servers, four HPIO templates, and two networks allocated to it. A different set of resources is allocated for the Marketing organization and a different set for the Sales organization. The storage resources are defined based on the type of template used. Storage resources are defined as a storage pool entry (SPE) in Matrix OE. SPEs specific to an organization can be given a tag name that can be specified on a template.

Figure 4: Matrix OE multi-tenancy overview

Organizational resources can be configured with finer granularity. Users can have different levels of security and access. Certain users are granted access to specific applications that are configured for a particular server. An organization's administrative user can create server pools and grant access to specific users in the organization to implement this level of security. Servers can only be allocated to a single pool at a time.

To illustrate, Figure 4 earlier shows the six servers allocated to the Finance organization. These servers can be grouped into different server pools. Figure 5 shows four servers configured in a server pool while the other two servers are in a different server pool. Server access is restricted to specific organization users per server pool. For example, user finance1 has access only to Server Pool 1, user finance2 to both server pools, and user finance3 only to Server Pool 2.

Figure 5: Resource allocation granularity

HP Cloud Service Automation

HP Cloud Service Automation (CSA) is the industry's most comprehensive, unified solution for brokering and managing application and infrastructure services in private and hybrid cloud environments.

HP Cloud Service Automation (CSA) sits on top of Matrix OE. CSA has its own implementation of multi-tenancy, which is independent of Matrix OE. In CSA, the isolation of resources is limited to the service offerings assigned in the organization's catalog, whereas Matrix OE resources for multi-tenancy are isolated at the hardware level and to the templates that use the hardware.

CSA service offerings are similar to HPIO templates in Matrix OE. A template could be assigned to all organizations, or it can be isolated to just one or a few. Similarly, a CSA service offering could be assigned to a global catalog to make it visible to all organizations, or it can be isolated to a specific organization or sets of organizations.

In Figure 6 below, two service offerings are visible in each organization's catalog. The Finance organization catalog has LAMP and Amazon web services. The Marketing organization catalog has LAMP and Simple Compute Linux. The Sales organization catalog has Simple Compute Windows and Amazon web services. The Global catalog has the HP SiteScope service offering assigned to it. Any service offering in the Global catalog is available to the Finance, Marketing, and Sales organizations.

Figure 6: CSA Multi-Tenancy overview

How to implement multi-tenancy in HP CloudSystem Enterprise

Multi-tenancy for HP CloudSystem Enterprise integrates the Matrix OE multi-tenancy implementation with CSA. Multi-tenancy is first configured in Matrix OE. After the organizations are created and set up in Matrix OE, the same organizations are created in CSA. The names of the organizations defined in CSA must match those in Matrix OE, such as Finance, Marketing, or Sales.

Service offerings (SO) can be configured for each organization using various resource offerings (RO) with the sample Matrix OE multi-tenancy blueprint or service design. The service offerings are created based on the organization restrictions that are defined in Matrix OE; for example, some templates defined in Matrix OE may only apply to a specific organization.

The service offerings configured in CSA can be deployed to the organization's Consumer Service Portal. Service offerings deployed from each Customer Service Portal will interact with its organization counterpart in Matrix OE. Matrix OE will in turn process the request based on the type of HPIO template that is defined in the service offerings and allocate the appropriate resources configured for the organization. Figure 7 shows the integration between CSA and Matrix OE.

Figure 7: CSA and Matrix OE integration

Reference implementation

Overview

This document describes the hardware and software used to demonstrate HP CloudSystem Enterprise multi-tenancy. The following are the steps required to complete the reference implementation:

- Set up the organization groups in Active Directory
- Configure the multi-tenancy organizations in Matrix OE
- Configure the multi-tenancy organizations in CSA
- Deploy the organization service offerings from the Customer Service Portal

Test configuration

The configuration used to test the multi-tenancy integration between CSA 3.0 and Matrix OE 7.1 included a minimum of one BladeSystem c7000 enclosure populated with a mix of HP ProLiant BL460c G7 and Gen8 server blades. The c7000 enclosure was attached to the HP 3PAR F-Series storage in a boot-from-SAN configuration. The software components tested in this reference implementation are outlined in Table 1.

Figure 8: Multi-tenancy integration test hardware configuration

Table 1: Software Versions

Type               Software                                 Version
System Software    Cloud Service Automation                 3.00
                   Operations Orchestration                 9.03.0001
                   Operations Orchestration Content Pack    OO CP8 and OO-SA CP 9.00.07
                   Server Automation                        9.13
                   Matrix OE                                7.1
                   VMware vCenter                           5.0
CSA Database       Microsoft SQL Server                     2008 R2 SP1
Applications       Apache                                   2.x (as shipped with RHEL 5.x)
                   MariaDB                                  5.x (as shipped with RHEL 5.x)
                   WordPress                                3.2.1
                   PHP                                      5.2.4
Operating Systems  VMware ESX/ESXi                          5.0
                   Red Hat Enterprise Linux (RHEL)          5.8 x86 and x64
                   Windows Server 2008                      R2 x64

Active Directory

CSA 3.0 uses Lightweight Directory Access Protocol (LDAP) as the security mechanism for authenticating user access. Active Directory is a database system that provides authentication and access policies in a Windows environment. LDAP is one of the protocols used to communicate with AD.

In this reference implementation, three organizations configured in Active Directory are named Finance, Marketing and Sales. Figure 9 shows a Groups folder that contains the three organizations. An optional fourth group named CSA Admins is also created in the same folder. This group contains select users other than the default admin user that will have administrative access to configure CSA.

Figure 9: Active Directory configuration of the organizations

For each group, test administrator and standard users are configured as shown in Table 2.

Table 2: Organization test users

Finance          Marketing          Sales
finance-admin    marketing-admin    sales-admin
finance1         marketing1         sales1
finance2         marketing2         sales2
finance3         marketing3         sales3

Matrix OE organizations

When the organizations have been configured in Active Directory, you can set up and configure the organizations in Matrix OE. This section describes the steps to configure the Finance, Marketing, and Sales Active Directory groups as multi-tenancy organizations in Matrix OE. For further details on the rules and restrictions in setting up a Matrix OE organization, refer to Multi-Tenancy in HP Matrix Operating Environment Infrastructure Orchestration 7.0, which can be found at http://h20195.www2.hp.com/v2/getdocument.aspx?docname=4aa3-9202enw.

Create the organization in Matrix OE

To set up the organization in Matrix OE, complete the following steps:

1. Open the HP Matrix Operating Environment Console.
2. Launch Infrastructure orchestration from the Tools dropdown list.
3. Select the Organization tab.
4. Click Create.

Figure 10: Create the Matrix OE organization

5. For each organization, follow these steps to assign networks, templates, and compute servers:
   a. Select the organization.
   b. Select a network, template, or compute server and click >> to assign it to the organization. Templates can be assigned to multiple organizations. Compute servers can only be assigned to one organization. Only unassigned servers can be assigned.
   c. Click Save.
6. On the Organization tab, select the organization.
7. Click Details/Edit.
8. For each organization, assign the administrator and users as they are configured in Active Directory. Enter them in the format: <DOMAIN>\<username>.

Set up organization server pools

To set up server pools for the organization, complete the following steps for each organization:

1. Open the organization's portal at https://<cms>:51443/oap/<organization_name>.
2. Log in as the administrator for the Organization, such as MOE_DOMAIN\finance-admin. You will notice that the server pool and users are not defined.
3. Click Create Pool to create a server pool for the organization.
4. Select compute resources from the Unassigned pool.
5. Enter a name for Destination pool.
6. Click Modify Users to assign users to the server pool.
7. Select the users and click >> to add them to the Assigned Users group.
8. Click Save. When you return to the Home tab, the current status should be all green, as shown in Figure 11.

Figure 11: Verify organization status

9. Select the Organization tab and enter the Organization Title.
10. Click Change.
11. Log out. You should see the change on the login screen, as shown in Figure 12.

Figure 12: Verify organization customizations

Test the organization

To test the organization, complete the following steps:

1. Open the organization's Self Service Portal at https://<cms>:51443/ssp/<organization_name>.
2. Log in as an end user. The user name should be something like MOE_DOMAIN\finance1.
3. Deploy one of the assigned templates. In this example, a physical IO template is deployed.
   a. Select the Templates tab.
   b. Select the template.
   c. Click Create Service.

The request will pause until the organization administrator approves the request. Log in to the organization administrator portal page and approve the pending request. You can monitor the progress from the Matrix OE Infrastructure Orchestration Requests tab, from the organization's Administrator Portal, or from the organization's Self Service Portal.

Once you have confirmed that your multi-tenancy organizations are working in Matrix OE, you can integrate the organizations into CSA.

Add organizations, providers, offerings, and blueprints in CSA

Create organizations

The following steps are used to configure the multi-tenancy organizations from Matrix OE in CSA. To create organizations in CSA, complete the following steps:

1. Log on to the Cloud Service Management Console as an administrator.
2. Select the Administration tab.
3. Click Create Organization near the bottom of the panel on the left. The Create Organization dialog will open.
4. Enter a name for the organization. The organization names you create now must match the organizations you created in Matrix OE.
5. Click Create.

Repeat these steps to create the same groups you created in Matrix OE. In our example, we created Finance, Marketing, and Sales, as shown in Figure 13.

Figure 13: Groups in CSA

Refer to the online help for detailed steps to set up the properties for each organization, particularly the LDAP authentication and their respective Cloud Service Portal (CSP) access pages.

Add a provider

To add a resource provider, complete the following steps:

1. Log on to the Cloud Service Management Console as an administrator.
2. Select the Resource Management tab.
3. Select HP Matrix Operating Environment in the panel on the left.
4. Click Create New Provider in the toolbar on the Providers tab in the central panel.
5. Complete the steps to create a new provider.

After you have created the resource provider, you should see it on the Providers tab as shown in Figure 14.

Figure 14: The HP Matrix OE provider has been created

Import the service blueprint

You must import the service blueprint into HP Cloud Service Automation. This file is included in the out-of-the-box content of the HP Cloud Service Automation installer:

MOE_SCL_MT.xml

Importing this blueprint will create a service design for HP Matrix OE. To import the service blueprint, complete the following steps:

1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Design tab.
3. Click Import Service Design.
4. Browse to select MOE_SCL_MT.xml from the distribution files.
5. Click Save to import the blueprint.
6. Copy the imported service design and rename it to MOE_SCL_MT_<organizationName>.

Figure 15: Copying the Matrix OE MT blueprint

7. Edit the service design MOE_SCL_MT_<organizationName>.
8. Change the TEMPLATENAME properties to point to an HPIO template assigned to the organization, as shown in Figure 16.
9. Repeat steps 6 through 8 to create and configure another copy.

Figure 16: Editing the service design
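
The isolation rules stated up to this point (organization names in CSA must match Matrix OE, a compute server belongs to one organization and one server pool, pool users belong to the organization, and TEMPLATENAME must point to a template assigned to that organization) can be checked on a planned configuration before anything is deployed. The Python sketch below is an added example, not HP code and not part of the original paper; the dictionary layout, the blade and template names, "Pool A", and the case-sensitive name comparison are assumptions, and the data is constructed with deliberate flaws.

```python
"""Pre-deployment audit of a multi-tenancy plan (added example, constructed data)."""
from collections import defaultdict

# Constructed inventory with deliberate flaws. The layout and the blade, template
# and "Pool A" names are assumptions, not a Matrix OE or CSA export format.
PLAN = {
    "matrix_oe_orgs": {
        "Finance": {
            "servers": ["blade01", "blade02", "blade03"],
            "templates": ["tmpl-physical", "tmpl-lamp"],
            "users": ["finance-admin", "finance1", "finance2", "finance3"],
            "pools": {
                "Server Pool 1": {"servers": ["blade01", "blade02"], "users": ["finance1", "finance2"]},
                "Server Pool 2": {"servers": ["blade03"], "users": ["finance2", "finance3"]},
            },
        },
        "Marketing": {
            "servers": ["blade03", "blade04"],  # flaw: blade03 belongs to Finance
            "templates": ["tmpl-lamp"],
            "users": ["marketing-admin", "marketing1"],
            # flaw: finance1 is not a Marketing user
            "pools": {"Pool A": {"servers": ["blade04"], "users": ["marketing1", "finance1"]}},
        },
        "Sales": {"servers": ["blade05"], "templates": ["tmpl-lamp"],
                  "users": ["sales-admin", "sales1"], "pools": {}},
    },
    "csa_orgs": ["Finance", "Marketing", "sales"],  # flaw: differs from "Sales"
    "csa_service_designs": {
        "MOE_SCL_MT_Finance": {"org": "Finance", "TEMPLATENAME": "tmpl-physical"},
        # flaw: tmpl-physical is not assigned to Marketing
        "MOE_SCL_MT_Marketing": {"org": "Marketing", "TEMPLATENAME": "tmpl-physical"},
    },
}


def audit(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    moe = plan["matrix_oe_orgs"]

    # CSA names must match Matrix OE (case-sensitive compare is this sketch's assumption).
    for name in sorted(set(moe) ^ set(plan["csa_orgs"])):
        side = "Matrix OE" if name in moe else "CSA"
        findings.append(f"org-name-mismatch: '{name}' exists only in {side}")

    # A compute server can be assigned to only one organization.
    owners = defaultdict(set)
    for org, cfg in moe.items():
        for server in cfg["servers"]:
            owners[server].add(org)
    for server, orgs in sorted(owners.items()):
        if len(orgs) > 1:
            findings.append(f"server-shared: {server} assigned to {', '.join(sorted(orgs))}")

    # Pools hold only the organization's own servers and users; one pool per server.
    for org, cfg in sorted(moe.items()):
        placed = {}
        for pool, members in sorted(cfg["pools"].items()):
            for server in members["servers"]:
                if server not in cfg["servers"]:
                    findings.append(f"pool-foreign-server: {org}/{pool} contains {server}")
                if server in placed:
                    findings.append(f"server-in-two-pools: {org}/{server} in {placed[server]} and {pool}")
                placed.setdefault(server, pool)
            for user in members["users"]:
                if user not in cfg["users"]:
                    findings.append(f"pool-foreign-user: {org}/{pool} grants {user}")

    # TEMPLATENAME must point to a template assigned to the design's organization.
    for design, props in sorted(plan["csa_service_designs"].items()):
        allowed = moe.get(props["org"], {}).get("templates", [])
        if props["TEMPLATENAME"] not in allowed:
            findings.append(f"template-not-assigned: {design} -> {props['TEMPLATENAME']}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(PLAN)))
```

Run as a script, it prints one finding per flaw in the constructed plan; a plan that satisfies all of the rules produces no output.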

Create and publish service offerings

A service offering must be created in HP Cloud Service Automation before subscribers can request services based on this service design. To create service offerings, complete the following steps:

1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Offerings tab to display all available service offerings.
3. Click Create Offering in the left panel. The Create New Service Offering dialog will open.
4. Enter a name for the new service offering. This is the name of the offering that will be visible to the subscribers of this service.
5. Select the MOE_SCL_MT blueprint.
6. Click Create.
7. After the offering is created, you can modify the pricing information, associate documents, or modify the subscriber options.
8. Repeat these steps to publish service offerings for the two copies of MOE_SCL_MT that you made.

After you create the service offerings, you must assign them to a catalog, as shown in Figure 17.

Figure 17: Assigning the service offering to the organization's catalog

Deployment

To deploy the multi-tenancy organization's service offering in CSP, complete the following steps:

1. Log on to the organization's HP CSA Customer Service Portal.
2. Select the Catalog tab.
3. Select the service offering, as shown in Figure 18.

Figure 18: Deploying the service offering

4. Select the Requests tab and verify that the request gets approved.
5. Once approved, select the Subscriptions tab to monitor the deployment.
6. Log on to the organization's SSP page at https://<cms>:51443/ssp/<organization_name>. You should log on as a regular organization user, such as sales1.

Figure 19: Verifying deployment progress in SSP

7. If you see a pending request, log on to the Organization Administration Portal: https://<cms>:51443/oap/<organization_name> and approve the request.

Figure 20: Verify deployment progress in OAP

8. Verify that the request goes through in the organization's SSP page.

Figure 21: Verifying deployment progress in SSP after approval

9. Verify in the main Matrix OE page that the correct organization is also referenced by the subscription request.

Figure 22: Verifying deployment progress in Matrix OE main page

10. After you have verified a successful deployment in CSA and Matrix OE, cancel the subscription in CSA. Verify in Matrix OE that the subscription service was deleted and the resources are returned to the available (Unassigned) pool for the organization.

Summary

HP CloudSystem Enterprise allows customers to deploy the full service models delivered directly to the line of business that are highly flexible, scalable and customizable. The multi-tenancy feature of HP CloudSystem Enterprise provides secure and dynamic allocation of data center resources to different customer organizations. HP Matrix Operating Environment's (Matrix OE) multi-tenancy offers allocation of compute servers, HPIO (service design) templates, and network configuration to different organizations. HP Cloud Service Automation (CSA) multi-tenancy offers a higher level of isolation between organizations where service design offerings are assigned.

This document provides a brief overview of the multi-tenancy reference implementation in HP CloudSystem Enterprise. HP CSA and Matrix OE work together with HP's Converged Infrastructure to provide a complete multi-tenancy solution for HP CloudSystem Enterprise.

For more information

To read more about CloudSystem Enterprise go to http://www8.hp.com/us/en/business-solutions/solution.html?compuri=1145331
Understanding the HP CloudSystem Reference Architecture http://h20195.www2.hp.com/v2/getdocument.aspx?docname=4aa3-4548enw
Multi-Tenancy in HP Matrix Operating Environment Infrastructure Orchestration 7.0 http://h20195.www2.hp.com/v2/getdocument.aspx?docname=4aa3-9202enw
HP BladeSystem servers http://www.hp.com/go/bladesystem
HP 3PAR and Virtual Connect solution brief http://h20195.www2.hp.com/v2/getdocument.aspx?docname=4aa4-1557enw
HP Virtual Connect http://www.hp.com/go/virtualconnect

To help us improve our documents, please provide feedback at hp.com/solutions/feedback.

Get connected: hp.com/go/getconnected
Current HP driver, support, and security alerts delivered directly to your desktop

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

4AA4-3697ENW, Created September 2012