CEPM Capacity Planning Guide V3.3.1.0
Centralized Architecture Deployment
Download this chapter
Centralized Architecture DeploymentCentralized Architecture Deployment
Download the complete book
CEPM Capacity Planning GuideCEPM Capacity Planning Guide (PDF - 260 KB)
 Feedback

Table Of Contents

Scenario 2: Centralized Architecture Deployment

Shared-PAP and PDP

Component Guidelines


Scenario 2: Centralized Architecture Deployment

The shared PAP and shared entitlement-repository option discussed in Chapter 1, "Scenario 1: Distributed Architecture Deployment" may be considered a "centralized" deployment that allows multiple applications to share a common administration and entitlement repository infrastructure.

A shared infrastructure that eliminates the need even to host the PDPs in different geographies is also supported with CEPM via the Shared-PAP and PDP model described in this chapter.

Note The sizing estimates for this type of deployment are composed of the following elements:

Users: System designed to support 1,000,000 to 2,000,000 users with 5000 concurrent queries.

Resources: 1000 hierarchical resources each with multiple actions.

Latency required: User-level queries of less than 0.2 second per query response time for role- and rule-based decisions.

Distribution: One central enterprise infrastructure covering all geographies.

Shared-PAP and PDP

With the PAP, entitlement repository, and PDP all located in the same data center, which can be fully replicated for high availability and disaster recovery purposes, the PDP can directly work against the database. The Policy Enforcement Points (PEPs) can be set to automatically failover across two instances of the shared PAP and PDP.

Because the PEPs are remote, they need to communicate with the PDPs via a secured communication channel.Using CEPM, you can configure PEPs to choose the protocol for communication with the PDPs over (HTTPS and RMI). Policy decisions are communicated on the wire.

Figure 2-1 Shared PAP and PDP

Because of the diversity of business and organizational needs that change over time, a hybrid approach of PDP deployments is the most effective. In such an approach, some shared PDP deployments can be used by some applications for testing and production purposes. Some distributed PDPs are deployed closer to the applications but they still share the centralized PAP instances using delegated access.

In all of these scenarios, additional requirements may be imposed to restrict sharing of entitlement repositories or PDPs across different applications, which can be handled in one of two ways:

Delegated administration of PAP so that all actions are scoped within administration domains.

Delegated administration with entitlement domains. In this approach, entitlement domains can be created where there is no sharing of the entitlement data between entitlement domains. Multiple entitlement domains can be managed from the same instance of the administrative console.

Figure 2-2 shows a deployment with no sharing of entitlement repository data in the context of a shared PAP and PDP:

Figure 2-2 Deployment of Shared PAP and PDP Model

For all workloads, such things as the number of applications, depth of resource, group, and role hierarchy, besides the complexity of rules, affect sizing estimates. For workload 2, the variance may be higher. However, eight servers in New York and four each for the other two geographies should be enough, which totals 16 servers running PDPs for all geographies. With the administrative workload expected to be higher because of increased users, PAP must be deployed in a load-balanced cluster of four servers. Database sizing depends on the actual number of users.

All of the scenarios described in this guide easily coexist with reporting tools, such as Actuate and Microstrategy, via the PAP entitlement review APIs and supported database schemas for logs. Table 2-1 details the requirements for CPUs and memory.

Component Guidelines

Cisco Enterprise Policy Manager is agnostic to server platforms and versions for CEPM components such as the PAP and PDP servers.

Tip All the product components and dependent software components, including the number of instances of each type, should be listed out and evaluated against the product license and maintenance contract to ensure all license restrictions are understood.

Table 2-1 Policy Cache Memory Requirements

No. of Users
No. of Roles
No. of Resources
Size of DAT File (approx.)
Memory Required for Policy Cache

100,000

1000

20,000

400 MB

250 MB 1

1 When the heap size for the application server is set to 2-3 GB.


Table 2-2 Software Component Specifications (Scenario 1) 

Type of Software 1
Version
No. of Instances

Oracle

10g or 11g

2

JDK

1.6

Number of PDP and PAP instances

PAP

-

2 server instances

PDP

-

8 server instances

PEP

-

Varies

1 CEPM has been tested with and supports the component scenario listed in this table.


Table 2-3 Software Component Specifications (Scenario 2) 

Type of Software 1
Version
No. of Instances

Oracle

10g or 11g

4

JDK

1.6

Number of PDP and PAP instances

PAP

-

4 server instances

PDP

-

16 server instances

PEP

-

Varies

1 CEPM has been tested with and supports the component scenario listed in this table.


Table 2-4 Volumetric Analysis for Database (Sizing) 

Scenario
No. of Application Group
No. of Application
No. of Resource
No. of Roles
No. of Users
No. of Groups
No. of Requests (Per Month)
Diskspace Required when PDP Logs Enabled
Diskspace Required when PDP Logs Disabled
User Tablespace
Temporary Tablespace
User Tablespace
Temporary Tablespace

1

5

10

1000

600

10000

75

50000

2 GB

512 MB

1 GB

512 MB

2

5

10

1000

600

25000

75

100000

4 GB

512 MB

1 GB

512 MB

3

5

10

1000

600

50000

75

200000

8 GB

512 MB

2 GB

512 MB

4

5

10

1000

600

100000

75

400000

10 GB

1 GB

3 GB

512 MB

5

5

10

1000

600

500000

75

1000000

20 GB

2 GB

5 GB

512 MB