Have an account?
  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Prime Service Catalog 11.0 Administration and Operation Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Prime Service Catalog 11.0 Administration and Operation Guide

Chapter Title

Providing Infrastructure as a Service (IaaS)

Results

Updated:
October 12, 2016

Chapter: Providing Infrastructure as a Service (IaaS)

Providing Infrastructure as a Service (IaaS)

This chapter consist of the following topics:

Providing Infrastructure as a Service (IaaS) using Prime Service Catalog

Cisco Prime Service Catalog integrated with UCS Director and Intercloud Fabric for Business (ICFB) provides single self-service ITaaS catalog for the self-service provisioning and lifecycle management of VMs in the private and hybrid cloud workloads. You can provide services such as provisioning virtual machines on a hybrid cloud using ICFB or on a private cloud using UCS Director and perform the lifecycle operations on these public and private VMs. This section covers the infrastructure services such as virtual machines, fenced containers, Virtual Application Container Services (VACS), and APIC Container Catalog on UCS Director and virtual machines on Intercloud Fabric for Business.


Note

  • VACS containers are verified and certified only on UCSD 5.2 platform.

  • The public cloud operations are verified and certified on Amazon Web Services (AWS).

Prime Service Catalog also supports Advanced Catalogs from UCS Director. These advanced catalogs are a wrapper around workflows defined in the UCS Director. Prime Service Catalog creates services for these advance catalogs during the UCS Director discovery process. Out of box, these Advanced Catalog-based services can only create requests or objects in UCS Director and do not have any service item dictionary associated with them. However, these generated services can be customized to manage life cycle of objects created through Advanced Catalogs. These services can be customized by adding a service item dictionary, and populating the dictionary with conditional rules. Then, lifecycle operations for the service item can be added via associated services for the service item.

Note

Prime Service Catalog currently does not support the popup table input type for UCSD advance catalog workflow.

Using Prime Service Catalog for Cloud IaaS, you can:

Generating Orderable Services for UCSD and ICFB Entities

For creating orderable services for provisioning VMs in cloud, you must perform the following steps:

Steps

Topics

Step 1

Integrate UCS Director and/or Intercloud Fabric for Business with Prime Service Catalog.

Integrating UCS Director or Intercloud Fabric for Business with Prime Service Catalog

Step 2

Discover the IaaS entities from UCSD and ICFB.

Step 3

Set up automatic or manual synchronization with UCSD and ICFB.

Managing UCSD or ICFB Synchronization

Step 4

  • Configure search facets, permissions, and presentation for hybrid cloud provisioning services in Prime Service Catalog.
  • Set up the display category for these cloud services.

Based on the permissions, end users can now order the hybrid cloud services and perform lifecycle operations on the provisioned containers and virtual machines. For more information on ordering these services, and on the available lifecycle operations for the UCSD and ICFB entities, see Cisco Prime Service Catalog 11.0 User Guide.

Integrating UCS Director (UCSD) or Intercloud Fabric for Business (ICFB) with Prime Service Catalog

Prime Service Catalog allows you to provide infrastructure and application stack as a service by integrating with UCS Director application. You can provide services such as virtual machines, fenced containers, VACS, APIC container catalog and use Service Catalog for lifecycle management of these UCS Director entities. You can manage VMs in hybrid cloud using a unified web interface in Prime Service Catalog after integrating with UCSD and ICFB.

Note
Prime Service Catalog allows you to integrate with only one instance of UCSD in the Managed Service Provider (MSP) mode. In a non-MSP mode, you can connect to multiple UCSD instance or connect to only one UCSD and one instance of ICFB.
Prerequisites
  • To establish an SSL connection with UCSD or ICFB, you must add an SSL certificate to the UCSD or ICFB. You can use:
    • A self-signed certificate that matches the hostname or IP address of the UCSD or ICFB server.
    • (Recommended) An SSL certificate that matches the Fully Qualified Domain Name (FQDN) of the UCSD server or ICFB, signed by a trusted certificate authority.
  • If LDAP is integrated, Prime Service Catalog and UCSD and ICFB must be integrated with the same LDAP to support single sign-on.
    Step 1   Choose Administration > Manage Connections > UCSD Integration or Intercloud Fabric For Business.
    Step 2   Click + icon and enter the details to connect to the server where UCSD or ICFB is installed. For https connections, import the root CA certificate of the ICFB or UCSD server. Copy the content of the root CA certificate of the server and paste it in the text area. If the root certificate is a chain of certificates, paste the content one below the other. The connection would fail, in case the SSL certificate of the server becomes invalid or untrusted. To prevent connection failure when SSL certificate of the server becomes invalid or untrusted, select the option - Allow Untrusted SSL Certificate on the Server.
    Step 3   Check Enable Background Sync if you want to configure automatic polling for the subsequent connections with UCSD or ICFB connections.
    Note   

    This option is disabled for UCSD connection that is in Managed Service Provider mode. Manual synchronization is recommended in the UCSD Managed Service Provider mode.

    Step 4   Click Save and click Test Connection to authenticate the credentials.
    Step 5   After the connection is successful, click Connect & Import. The system starts to discover the data from UCSD or ICFB. For more information on data discovered from UCSD or ICFB, see Cisco Prime Service Catalog 11.0 Designer Guide.
    Note   

    The UCSD scheduler in the Prime Service Catalog automatically polls UCSD or ICFB entities. You can also manually discover these entities using the web interface in Prime Service Catalog. For more information on discovering UCSD and ICFB entities in Prime Service Catalog, see Managing UCSD or ICFB Synchronization.

    Step 6   On UCS Director or Intercloud Fabric for Business tab, you can:

    • View all the discovered entities in the Discovered Objects tab.

    • View the services created for the imported catalog and container entities in the Discovered Services tab.

    • Select a service and configure the category, presentation, facets, and permissions for these services. For more information, see Configuring Permissions and Presentation for Private and Hybrid Cloud Services.

    Managing UCS Director or ICFB Synchronization

    Scheduling UCS Director or ICFB Synchronization

    You can automatically discover UCS Director or ICFB instances at scheduled intervals using the scheduler. Use the below procedure to configure the scheduler.

      Step 1   Optionally edit the following properties files. These files can be located in the RequestCenter.ear/config directory.
      • In the newscale.properties file, change the interval of polling, as shown in the example below: 
        ###########################################
#Data Poller
###########################################
#Cron Expression wakes up poller every 10 minutes of an hour
ucsddata.poller.cron=0 0/10 * * * ?
#Cron Expression wakes up health check for 3rd min and 5 mins thereafter of the hour ex: 03,08,13 minutes
uscddata.poller.health.check.cron=0 3/5 * * * ?
#High Availability Health checks threshold, this should be greater than Poller cron time specified in minutes
ucsddata.healthCheck.threshold=15
      • In the support.properties file, set the poller value as “true”, as shown below: 
        ###### Data Poller Settings ###################
# In non-cluster mode: this should be enabled for the Requisitions Data script to be run from the Poller
# In clustered mode: this can be either enabled on all nodes in the cluster OR on a specific node in the cluster
# - only 1 node in the cluster will run at any given time, even if this is enabled on multiple nodes in a cluster (which ever node starts it first)
ucsdData.poller.enable=true
###########################################
      Step 2  
      Note   

      • The following step is critical for automatic synchronization

      • All entities except Users will be automatically synchronized if you have enabled the Scheduler. Any change in User on UCS Director or ICFB should be manually synchronized in Prime Service Catalog. For more information on manual synchronization, see Manually Importing UCSD or ICFB Synchronization.

      In Administration > Settings page, select the UCSD Scheduler option.
      Manually Importing UCSD or ICFB Synchronization

      If Prime Service Catalog and UCSD or ICFB are integrated with LDAP, it is recommended to manually poll users information using the web interface whenever the user roles are changed in UCSD or ICFB. This is to ensure synchronization of the user’s RBAC permission to Prime Service Catalog services with the changes made in UCSD or ICFB.

      You can manually import UCSD or ICFB instances using the UCSD or ICFB Integration page. When you perform this process, all entities including users and roles are synchronized.

      This process is used in the following scenarios:

      • If you do not want to use a Scheduler.
      • If you are using a Scheduler and UCSD or ICFB and Prime Service Catalog are integrated with LDAP. To improve the performance, the Scheduler does not synchronize users and roles. Because of this behavior, if an administrator makes changes to users and roles in UCSD or ICFB, these changes are not communicated to Prime Service Catalog. To synchronize these changes with Prime Service Catalog, you must manually import UCSD or ICFB instances, which in turn synchronizes the users and roles.
        Step 1   Choose Administration > UCS Director or Intercloud Fabric Director Integration (Connection Manager) page.
        Step 2   Select the UCSD or ICFB instance, and click Connect & Import.

        Configuring Permissions and Presentation for Private and Hybrid Cloud Services

        Based on the permissions granted to an end user, the discovered services from UCSD and ICFB becomes orderable in the Service Catalog module.

        To understand the UCSD, ICFB groups and roles mapping to Prime Service Catalog groups and roles, see Prime Service Catalog Roles Mapping with UCSD and ICFB Roles and Users and User Groups Imported from UCSD and ICFB.


        Note

        Prime Service Catalog creates catalog services only for standard catalogs in ICFB.

        Depending on the UCSD or ICFB integration, you can discover standard catalogs, container catalogs, and container templates services for end-user provisioning and maintenance of VMs on private and public cloud. Using these services, end users can:

        • Order and self-service provision virtual machines (VMs) using predefined parameters such as the cloud name and group name to which a VM is bound through ICFB.
        • Order services created based on service container catalog, standard catalog, advanced catalog, and fenced container templates from UCS Director.
        Before You Begin

        Discover the Services from UCSD or ICFB by integrating with the UCS D or ICFB instance. For more information on integrating UCSD or ICFB, see Integrating UCSD or ICFB with Prime Service Catalog.

          Step 1   On UCS Director or Intercloud Fabric for Business tab, select a service from the Discovered Services tab
          Step 2   Select the Presentation tab, click Attach, to select an image to be associated with the service or select Image URL to enter the URL of the image. Default option selected is Image File.
          Step 3   Select an image from the list of Select Image window and click Add. Cisco provides a number of images out-of-box that you can assign to the service. You can also upload an image to be used for the service.
          Step 4   Enter a description for the service by selecting the Overview or Service Form options, and click Save.
          Step 5   Select the Facets tab.
          Step 6   Select the Permissions tab to do the following:
          • Select the roles from the list and click Remove Selected to remove the permission.
          • Select from the Add Permissions drop-down list to add or select the roles from the list.
          • For catalog services created in Prime Service Catalog for ICFB:
            • If a catalog is associated to a group in ICFB, users in the corresponding group in Prime Service Catalog can only order services that the group has access to.
            • If a catalog is associated to All Groups in ICFB, users in the corresponding group in Prime Service Catalog can order the services that All Groups have access to.If a catalog is associated to All Groups in ICFB, the users imported from ICFB to Prime Service Catalog can order the services accessible by all the groups.
          • For container templates, container catalogs, standard catalogs, and advance catalogs services created in Prime Service Catalog for UCS Director:
            • If these services are associated to a group in UCS Director, users in the corresponding group in Prime Service Catalogs can only order services that the group has access to.
            • If the services are associated to All Groups in UCS Director, users in the corresponding group in Prime Service Catalog can order the services that All Groups have access to.
          Step 7   Click Save. The new service will be displayed in the Service Catalog module based on the category you have selected.

          Users and User Groups Imported from UCS Director or Intercloud Fabric for Business


          Note

          In a single pane of glass, where PSC, UCSD, and ICFB are connected to LDAP:

          • The Home OU of a user is always determined by LDAP mapping .
          • The User gets group membership of both ICFB and UCSD if the user belongs to any of the (UCSD/ICFB) imported groups.
          • If the User data that is imported (discovered) does not exist in PSC, the same is created in PSC and the normal flow for OU, Group and Role is executed.
          • A User who has a certain role in UCSD should have the same role in ICFB. Additionally the Enterprise vDC created in both these systems should be same.

          When Prime Service Catalog connects to a UCSD or ICFB for the first time, Prime Service Catalog creates a:

          • UCSD or ICFD::<ID>::All Groups:

          Where <ID> is the 3-letter identifier of the UCSD or ICFB server. This group will be the parent group for all groups imported from this UCSD or ICFB server.

          • UCSD or ICFD::<ID>::<Group Name>:

          Where <ID> is the 3-letter identifier of the UCSD or ICFB server. There will be group for each group in the UCSD or ICFB. All such groups are grouped under the parent group. Users belonging to various groups in the UCSD or ICFB are imported to the respective groups in Prime Service Catalog.

          • Default group. The default group is grouped under the parent group. Users without a group in the UCSD or ICFB are imported to this group.

          All the imported users from the UCSD or ICFB are assigned an Organizational Unit (OU) in Prime Service Catalog.

          During the subsequent connections, Prime Service Catalog checks for group membership changes and updates the records accordingly.


          Note
          For catalog services created in Prime Service Catalog for ICFB:
          • If a catalog is associated to a group in ICFB, users in the corresponding group in Prime Service Catalog can only order services that the group has access to.
          • If a catalog is associated to All Groups in ICFB, users in the corresponding group in Prime Service Catalog can order the services that All Groups have access to. If a catalog is associated to All Groups in ICFB, the users imported from ICFB to Prime Service Catalog can order the services accessible by all the groups.

          Note

          For container templates, container catalogs, standard catalogs, and advance catalogs services created in Prime Service Catalog for UCS Director:

          • If these services are associated to a group in UCS Director, users in the corresponding group in Prime Service Catalogs can only order services that the group has access to.
          • If the services are associated to All Groups in UCS Director, users in the corresponding group in Prime Service Catalog can order the services that All Groups have access to.

          Prime Service Catalog System Defined Roles for UCS Director or Intercloud Fabric for Business Integration

          Prime Service Catalog creates the following system-defined roles for the UCSD and ICFB roles it discovers. The following table lists the mapping of the UCSD and ICFB to Prime Service Catalog system-defined roles.

          Table 1 Prime Service Catalog Roles Mapping with UCSD and ICFB Roles

          UCS Director Roles

          ICFB Roles

          Prime Service Catalog System Defined Roles

          Description

          System Admin

          System Admin

          UCSD Sys Admin

          UCSD or ICFB Sys Admin user can view the details of Containers, vDC's and VM's as service items in My Stuff based on the Group permissions assigned to each of the UCSD or ICFB Service Item in Service Item Manager.

          Only users with this role can order Container Template Services.

          All Policy Admin

          Computing Admin

          Service End-User, Group Admin, Operation roles

          Service End User, Group Admin

          UCSD End User

          UCSD or ICFB End User can view the details of Containers, vDC's and VM's as service items in My Stuff based on the Group permissions assigned to each of the UCSD or ICFB Service Item in Service Item Manager.

          Users with this role can order services based on the group to which user belongs and catalogs which are assigned to a group in UCSD or ICFB.

          All other roles

          -

          UCSD Operator

          Users with this role can only view and use the self-service portal but cannot order the services.


          Note

          In a single pane of glass, where PSC, UCSD, and ICFB are connected to LDAP:

          • The Home OU of a user is always determined by LDAP mapping .
          • The User gets group membership of both ICFB and UCSD if the user belongs to any of the (UCSD/ICFB) imported groups.
          • If the User data that is imported (discovered) does not exist in PSC, the same is created in PSC and the normal flow for OU, Group and Role is executed.
          • A User who has a certain role in UCSD should have the same role in ICFB. Additionally the Enterprise vDC created in both these systems should be same.

          Configuring Display Categories for Private and Hybrid Cloud Services

          The new service will be displayed in the Service Catalog module based on the category you have selected.

          Before You Begin

          Discover the Services from UCSD or ICFB by integrating with the UCSD or ICFB instance. For more information, see Integrating UCSD or ICFB with Prime Service Catalog.

            Step 1   On UCS Director or Intercloud Fabric for Business tab, select a service from the Discovered Services tab .
            Step 2   In the General tab, do the following:
            1. Enter a service name and description for the selected service.
            2. Select an existing category or create a new category by clicking on the New option.
            Step 3   Click Save.

            Providing Multi-Tenant IaaS

            This feature enables service providers to use Cisco ONE Enterprise Cloud Suite to provide multi-tenant Infrastructure as a Service (IaaS) on ACI. The components required for this functionality are: Prime Service Catalog, UCS Director (in Managed Service Providermode), and ACI.

            The Tenant Managementmodule in Prime Service Catalog provides infrastructure services to multiple tenants quickly and efficiently. Using this module, tenants can manage their own set of services, and offer these infrastructure services to their end users. A tenant can contain several organizations and each organization can contain several users.

            Using Tenant Managementmodule:
            • A tenant administrator can manage tenant users, define quotas on computing resources and virtual machines for a tenant user, and delegate management of firewalls and load balancers.
            • An end user can self-service provision and manage VMs.

            The tenant workflow (for example: create, update, and delete tenants), VDC, and VM operations are executed through Advanced and Service Container Catalog workflow in UCS Director. Prime Service Catalog creates services for these advance and service container catalog workflows during the UCSD discovery process. For this feature to work seamlessly, a site administrator must map these UCS Director discovered services to the Tenant Management workflow in Prime Service Catalog. For more information, see Setting Up Tenant Management Module and Mapping Tenant and VDC Workflows from UCSD.

            Tenant Workflow Configurations in UCSD for Multi-Tenant IaaS

            For seamless multi-tenant IaaS operations, an administrator must ensure that multi-tenant IaaS-related objects are created and configured in UCS Director. An administrator need to configure only 3 of these multi-tenant IaaS workflows. Remaining workflow are pre-defined and configured during the installation process.

            This section covers the list of fields or attributes that must be configured for these workflows in the UCSD. For more information, on how to create these advance and container catalog workflow, see Cisco UCS Director Administration Guide, Release 5.3.

            Table 2 Configurations for Multi-Tenant IaaS Workflows on UCSD

            UCSD Workflow

            UCSD Advance or Service Container Catalog Fields

            VNX Tenant Onboarding

            • CPU Reservation (MHz) - (Sample Value - 10000): Value for this attribute must be derived by an Analyst or an Administrator.

            • Capacity (EMCSizeUnit) (Sample Value - GB)

            • Tenant Profile : Application caters to only one profile.

            • Service offering : Application caters to only one offering.

            • Service Profile : It is a mandatory value. Map this to an existing profile in the system.

            • Physical Server Reserved Space

            • Datastore Size Limit (GB)

            • VM Over Subscription

            • L2 VLan ID

            • L2 IP Subnet

            Update Tenant

            • Tenant Profile Name: Application caters to only one profile. This field should be same as specified in VNX Tenant Onboarding workflow.

            • Service Offering: Application caters to only one service offering. This field should be same as specified in VNX Tenant Onboarding workflow

            • CPU Reservation (MHz): Value for this attribute must be derived by an Analyst or an Administrator.

            • Service Profile Identity: It is a mandatory value. Map this to an existing profile in the system.

            • Capacity (GB)

            • Datastore Limit

            APIC Service Container catalog

            No specific fields to configure for APIC Service Container catalog. Make sure an APIC Service Container catalog is available in UCSD for VDC workflows.

            Setting Up Tenant Management Module

            A site administrator must perform the following steps for seamless multi-tenant IaaS operations.

            Before You Begin
            • Connect to a UCSD instance that is in the Service Provider mode.
            • In Prime Service Catalog, Service Link module, verify that UCSD Agent is up and running.
            • Verify that tenant management-related objects are created and configured in UCS Director. For information on the advance and container catalog workflow inputs that are configured on the UCSD, see Tenant Workflow Configurations in UCSD for Multi-Tenant IaaS.
              Step 1   Integrate Prime Service Catalog with UCS Director and discover the infrastructure entities from UCS Director. For instructions, see Integrating UCS Director with Prime Service Catalog.
              Step 2   Map the Advanced Catalog/Container Catalog services from UCS Director to the Prime Service Catalog workflow. For more information, see Mapping Tenant and VDC Workflows from UCSD.
              Step 3   Invoke workflow for creating tenants in Prime Service Catalog. For more information, see Onboarding a Tenant.

              Mapping Tenant and VDC Workflows from UCSD

              When Prime Service Catalog is integrated with UCSD, the discovery process creates services based on UCSD Advanced Catalogs and APIC service container catalog. The advance and the APIC service container catalogs in UCSD are used for publishing workflow for creating, managing a tenant and creating a VDC respectively.

              For a seamless multi-tenant IaaS operations, a site administrator must map these services with the UCSD workflows.

              Note
              Only three of the Prime Service Catalog tenant management workflows need mapping from an administrator. The remaining workflows are pre-defined and are configured during the installation process. For information on the workflows that needs mapping in Prime Service Catalog, see the table below .
              Before You Begin

              Integrate Prime Service Catalog with UCSD instance that is in the Service Provider mode. For more information, see Integrating UCSD with Prime Service Catalog.

                Step 1   Discover the UCS Director entities in Prime Service Catalog.
                Step 2   On the discovery page in Prime Service Catalog, select a workflow from the Manage Workflows option, and select an advance or a service container catalog service from the Services drop down on the right-hand side. For information on which services to select in this drop down, see the table below.
                Step 3   Based on the type of advance or service container catalog service selected in the previous step, select the values for the remaining workflow attributes and click Save.
                Note    Most of the attribute mappings are self explanatory except Organizational Unit. Organizational Unit should be mapped to GroupName.
                Step 4   Navigate to Tenant Management module and invoke workflow for creating tenants. The status of the service request is displayed as Completed, if the operation on UCS Director is successful.
                Note    If the attributes are not mapped properly, requisition is not created and an error is displayed.

                Prime Service Catalog Workflow

                		UCSD Advance/Service Container Catalogs

                Create Tenant

                Advance Catalog based on VNX Tenant Onboarding workflow

                Manage Tenant

                Advance Catalog based on Update Tenant workflow

                Create VDC

                Any APIC Service Container Catalog

                Onboarding a Tenant

                As a site administrator, you can create a tenant administrator. A Tenant administrator can create and manage users, Organization Units (OUs), and VDCs. In addition, the tenant administrator can specify which tasks the users can perform on their virtual machines and services, and can place quotas on computing resources and virtual machines.

                When you create a Tenant Admin, the Organization and Tenant User dashlets are automatically created and associated for that Tenant.

                The following prerequisites must be met before the site administrator creates a tenant:

                Note

                These prerequisites are also applicable for creating a VDC.

                Before You Begin

                • Add a UCSD connection that is in the Manage Service Provider (MSP) mode. You can connect to a UCSD instance in Administration > Manage Connections.

                • Map the advance/service container catalog services with the Prime Service Catalog workflows. For more information, see Mapping Tenant and VDC Workflows from UCSD.

                • UCSD Agent must be up and running in the Service Link module.

                  Step 1   Log in as Site Administrator.
                  Step 2   Go to Tenant Management.
                  Step 3   Click Add Tenant from the Tenant Management Dashboard.
                  Step 4   Enter the necessary details in the Tenant Information tab.
                  Step 5   Specify the reservation details for vDC in the Quota Management tab (based on the vDC template).

                  UCSD uses this information for resource allocation and to provision that tenant. The Tenant Administrator can then create and manage OUs, vDC, and users for each of the associated Tenant.

                  When the Tenant is in the Being provisioned status, the Tenant Admin icon will be disabled on Tenant Dashboard restricting the user (site admin) to view the User Management. An information icon 'i' is displayed in Status in the Tenant Dashboard and when clicked, displays an overlay of requisition, provisioning workflow summary, comments with date and timestamp.

                  You can also search and edit only the quota/capacity details (and not any other details associated to a VDC) by navigating to Tenant Management > Find a Tenant. The Tenant Administrator can navigate to Organization, Users, and VDCs from the User Dashboard.


                  Note

                  • You can delete a tenant from the Tenant Management dashboard. Deletion of a tenant takes place only if the tenant is not associated with a VDC, Organization, or any service item.

                  • You only provide a Display Name for the Tenant, and this is different than that of the logical Name which is created by the system.

                  • The Tenant Admin icon (next to Status column) is enabled or disabled based on the Status of the Tenant: If the Tenant is Active, you can navigate to User Management by clicking the Tenant Admin icon, for performing necessary tasks.

                  Was this Document Helpful?

                  FeedbackFeedback

                  Contact Cisco

                  Related Support Community Discussions

                  ABOUT US
                  CONTACT US
                  WORK WITH US