Tuesday May 21, 2013

Use Ops Center Cloud Infrastructure APIs to Manage Solaris Zones - A Quick Start




The Oracle Enterprise Manager Ops Center Cloud Infrastructure API offers a set of Web Service interfaces to manage virtual datacenter (vDC) resources. It enables access to a subset of vDC functionality, so cloud users now have a way to programmatically manage the virtual resources allocated to a vDC account. It is simple to use: calling the Web Service interface is simply a matter of assembling a URL. The basic format of the URL is: https://HOST/iaas/?REQUEST_IAAS_DATA&SIGNATURE_BLOCK

Where: 



  1. "HOST" is the host name or IP address of the Ops Center Enterprise Controller

  2. "iaas" is the base URL of the web service

  3. "REQUEST_IAAS_DATA" is the request data

  4. "SIGNATURE_BLOCK" is the signature of the request; this information is what assures the security of the API invocation



An example:



https://10.1.2.24/iaas/?Action=DescribeVservers&Version=1&Timestamp=1320105338731&Expires=1820105638731&AccessKeyId=AK_101&Signature=[Signature of the Web Service Request Action]&SignatureMethod=SHA512withRSA&SignatureVersion=1


The Ops Center Enterprise Controller will respond to the above request with a result that looks like the following:



<result xsi:type="DescribeVserversResult" requestId="102">
  <items>
    <id>VSRV-de74d7ee-5001-4e58-9bc1-b91c2bc396a5</id>
    <name>vSvr1</name>
    <status>RUNNING</status>
    <vnets>VNET-489f7190-3ba7-4b5a-a012-48437d12b927</vnets>
    <ipAddresses>10.1.2.97</ipAddresses>
    <serverTemplateId>TMPL-545c9dde-3838-43ac-a991-610c86825e0d</serverTemplateId>
    <keyName/>
    <vserverType>5929</vserverType>
    <ha>true</ha>
  </items>
</result>



The above example shows how to retrieve the list of virtual servers (actually Solaris Zones) from a virtual datacenter. The part of the query string from Action= through AccessKeyId= is the "REQUEST_IAAS_DATA", and the part from Signature= onward is the "SIGNATURE_BLOCK". The "REQUEST_IAAS_DATA" consists of five key-value pairs:




  1. Action:             the management action you want to perform on the target virtual datacenter; in our example, DescribeVservers means to get vServer attributes.

    • Some actions need additional parameters, "StartVservers" for example. You simply insert more key-value pairs into the query string, like "vserverIds" in the case of action "StartVservers".

    • By the way, this action is wrongly documented as "DescribeVserversRequest" in the product documentation of Ops Center v12.1.3.0.0.



  2. Version:            the version of the IaaS cloud infrastructure API; use 1 for Ops Center 12c R1.

  3. Timestamp:          the request time in milliseconds; using the system time is common practice.

  4. Expires:            the time at which the request becomes invalid.

  5. AccessKeyId:        used to identify who is invoking the request.


Here's an example that shows how to get the "AccessKeyId" for user "vdcuser101" (this is a one-off effort):




  1. Send an HTTP request: https://vdcuser101:password@10.1.2.24/akm/?Action=DescribeAccounts&Version=1&Timestamp=1330954619299&Expires=1390954919299

    • The HTTP response will be something like this:




      • <result xsi:type="DescribeAccountsResult" requestId="107">
          <items>
            <account>ACC-f6d2855f-84ab-445b-a214-bee989193366</account>
            <name>vDC-user101</name>
          </items>
          <forUser>vdcuser101</forUser>
        </result>




    • We will use the retrieved account ID (the value of the <account> element) in the next step.



  2. Get the "accessKeyId" and register it with Ops Center by sending an HTTP request:  https://vdcuser101:password@10.1.2.24/akm/?Action=RegisterAccessKey&Version=1&Timestamp=1330975344&Expires=1333975344&account=ACC-0162da5a-5d25-4096-af59-3dd1de27cfad&publicKey=[CONTENTS OF FILE publickey.pem]

    • The HTTP response will be something like this:




      • <result xsi:type="RegisterAccessKeyResult" requestId="1113">
          <accessKeyId>AK_101</accessKeyId>
        </result>







In the second step, we used [CONTENTS OF FILE publickey.pem] as the value of parameter "publicKey". To generate a public key file for user "vdcuser101", we need to do the following (this is also a one-off effort; the sample shows how to do it under Solaris OS):




  1. $ openssl genrsa -out privatekey.pem 2048

  2. $ openssl rsa -in privatekey.pem -pubout -out publickey.pem


Next, we'll prepare "SIGNATURE_BLOCK". There are three key-value pairs:




  1. Signature:            the signed REQUEST_IAAS_DATA, in Base64 encoding.

  2. SignatureMethod:      the signing method used to sign the REQUEST_IAAS_DATA, "SHA512withRSA" in our example.

  3. SignatureVersion:     use 1 for Ops Center 12cR1.



To generate "Signature", we do the following:



  1. openssl pkcs8 -topk8 -inform PEM -outform DER -in privatekey.pem -nocrypt > privatekey.DER // one-off action to get the DER-encoded private key file for user "vdcuser101"

  2. java WebUtil signature ./privatekey.DER "POST" "10.1.2.24" "Action=DescribeVservers&Version=1&accessKeyId=AK_101" ./DescribeVservers.signed

    • "Signature" = the contents of the file "DescribeVservers.signed"





"WebUtil" is a utility bundled with the Ops Center product. We can find it here: <http://docs.oracle.com/cd/E27363_01/doc.121/e25150/appendix.htm#BABBDBIG>. Here's a brief explanation of its arguments:



  • java WebUtil \





    1. signature \              // Subcommand of WebUtil for signing Web Service API requests

    2. privatekey.DER \         // The DER-encoded private key file of the user who will submit the Web Service request

    3. HTTP_TYPE \              // "POST", the HTTP request type defined by the Web Service API specification

    4. HOST_IP \                // IP address of the Ops Center Enterprise Controller

    5. DATA_TO_SIGN \           // The REQUEST_IAAS_DATA without Timestamp and Expires

    6. signatureData            // The output filename of the signed Web Service request
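The signing steps above and the WebUtil arguments they explain, as an added shell example that is not code from the original post or from Ops Center's WebUtil: it runs the post's openssl key steps, signs the same DATA_TO_SIGN with SHA512withRSA, Base64- and URL-encodes the result, assembles the request URL with a Timestamp/Expires window, and verifies the signature with the registered public key as the Enterprise Controller would. It assumes, since the post does not show it, that HTTP_TYPE, HOST_IP and DATA_TO_SIGN are joined with newlines before signing (WebUtil's real canonical form may differ) and that query parameter order is not significant.

```shell
#!/bin/sh
# Added example, not code from the original post or from Ops Center's WebUtil.
# ASSUMPTION: the post does not show how WebUtil combines HTTP_TYPE, HOST_IP and
# DATA_TO_SIGN before signing; this stand-in joins them with newlines.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_keys() {   # the one-off key steps from the post (-out instead of a shell redirect)
    openssl genrsa -out "$WORK/privatekey.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/privatekey.pem" -pubout -out "$WORK/publickey.pem" 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$WORK/privatekey.pem" -out "$WORK/privatekey.DER"
}

canonical() {   # $1=HTTP_TYPE $2=HOST_IP $3=DATA_TO_SIGN (no Timestamp/Expires, as in the post)
    printf '%s\n%s\n%s' "$1" "$2" "$3"
}

sign_request() {   # SHA512withRSA (PKCS#1 v1.5 over SHA-512), Base64 on a single line
    canonical "$1" "$2" "$3" \
        | openssl dgst -sha512 -sign "$WORK/privatekey.pem" -binary \
        | openssl base64 -A
}

verify_request() {   # the check the Enterprise Controller makes with the registered public key
    printf '%s' "$4" | openssl base64 -d -A > "$WORK/sig.bin"
    canonical "$1" "$2" "$3" \
        | openssl dgst -sha512 -verify "$WORK/publickey.pem" -signature "$WORK/sig.bin" >/dev/null
}

urlencode_b64() {   # '+', '/' and '=' from Base64 are not safe inside a query string
    printf '%s' "$1" | sed 's/%/%25/g; s/+/%2B/g; s,/,%2F,g; s/=/%3D/g'
}

build_url() {   # $1=HOST_IP $2=DATA_TO_SIGN $3=Base64 signature; adds a 5-minute validity window
    now_ms=$(( $(date +%s) * 1000 ))
    printf 'https://%s/iaas/?%s&Timestamp=%s&Expires=%s&Signature=%s&SignatureMethod=SHA512withRSA&SignatureVersion=1\n' \
        "$1" "$2" "$now_ms" "$(( now_ms + 300000 ))" "$(urlencode_b64 "$3")"
}

# Constructed sample input matching the post's DescribeVservers request
make_keys
DATA="Action=DescribeVservers&Version=1&accessKeyId=AK_101"
SIG=$(sign_request POST 10.1.2.24 "$DATA")
build_url 10.1.2.24 "$DATA" "$SIG"
```

Any change to the request data after signing (a different Action, another AccessKeyId) fails verify_request, and Timestamp/Expires bound how long a captured URL stays valid, so keep that window short.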





By now, we have gone through a complete process of using the Ops Center Cloud Infrastructure API. As we can see, it is not necessary to install any particular software on the client side to use the API; all we need is a browser. This makes the development process very flexible and easy to conduct. In practice, developers can assemble, sign and send request URLs from their own application, and since the Java source code for signing a request is provided by Ops Center, it is convenient for developers to do so.


Finally, the current version of the API also has some limitations, which include:






  • It only accesses resources in virtual datacenters (vDC), not arbitrary assets managed by Ops Center.

  • For the current version of Ops Center, the supported virtualization technologies include Oracle Solaris Zones and Oracle VM Server for x86. Oracle VM Server for SPARC support will be added in a future release, I suppose.

  • Not all vDC functionality is supported. Again, I think a fully supported version is a matter of time.



Acknowledgements


Thanks Amir Javanshir for his valuable suggestions and comments!








Thursday Jan 28, 2010

Cloud computing, a beneficiary of open source software



One nature of open source software (OSS) is that anyone can have a copy of the source code as long as he or she agrees to the license of the OSS. For countries that want to expedite the development of their own information technologies, OSS provides a precious learning opportunity and is a wonderful starting point. Governments of these countries also tend to believe that, compared to commercial software, OSS is less risky in terms of being controlled by vendors. In other words, the usage of OSS is examined from a strategic point of view by some governments: it is linked to the security of the national information system infrastructure. Therefore, in some countries, governments encourage the adoption of OSS. For example, the Chinese government has been showing its intention publicly for years, and a preference for OSS is commonly witnessed during government procurement.


The good news is that cloud service providers, who apply open source software extensively, look to me like a beneficiary of governments' preferential policies.


OSS is already used pervasively in the cloud computing world. Vendors build their cloud computing data centers on top of mainstream OSS, like Linux, Xen, Hadoop, MySQL and so on. Apart from government support, OSS is likely to hold an economic advantage over commercial software. Typically, license models of commercial software charge by user count or by processor / core count. However, cloud computing systems are designed to serve a high volume of users, so charging by user count is not a good deal in this case. Cloud systems also run software on virtual machines. One physical machine usually runs multiple virtual machines, which means all the virtual processors of each virtual machine may be counted in the commercial license models. Such license models are financially unfavorable in the cloud computing realm. In contrast, most open source licenses are cloud computing friendly and place far fewer limitations on cloud-based deployment.



Monday Jan 25, 2010

Security, a disadvantage of cloud computing?


Indeed, for those companies that have strong IT expertise and sufficient resources to build their own data center, security may be a disadvantage of public clouds. However, the vast majority of organizations are not capable of setting up a sophisticated IT infrastructure on their own, because they lack one of the necessary conditions mentioned above. In most cases, organizations focus on functional requirements and are not able to pay adequate attention to security issues when building IT infrastructure. The consequence is that many IT systems run without the necessary security control procedures, and thus sit in a dangerous environment. This is especially true for small and medium size enterprises (SME). For such organizations, cloud computing, even public clouds, actually becomes the more secure option. Cloud computing providers pervasively build network security and system security into the cloud infrastructure. They have well-equipped and professionalized staff to protect the cloud system from network threats and viruses. Security of cloud systems is one of the basic offerings of any mainstream cloud service and normally carries no extra service fee. Thus, when facing a government's requirements on system security, enterprises can effectively increase the security of their information systems by leveraging cloud computing if they do not want to spend resources on this task. Here is an example of such a security requirement from a government:



On November 24, 2009, the State Council of China required companies in the network media industry to take responsibility for maintaining the network security of their own information systems. One background to this requirement is that, presently, most Chinese media companies are not specialized in network security. Most of their information systems have potential security problems and are vulnerable to network attacks. Media companies are obligated to take action in response to this requirement from the government. In traditional on-premise computing, the most common reaction is to allocate dedicated resources to take charge of network security. This normally implies more investment in computer hardware, software and human resources. Since this is not a one-off investment, it has to be integrated into the cost structure of the company as a constant operating cost. In addition, network security does not belong to the core competence of a media organization. Hence, such investment may harm the profitability of the organization.

About

Jie Shen
