Running Axiomatics Policy Server in the Cloud

Joffry Ferrater   ·   Tuesday, March 28th, 2017

Part 1: How to Containerize

Containerization is a trend we’ve seen at the enterprise level and among the federal government for some time now. If the term is new to you, here is a simple metaphor that explains why organizations are shifting towards this IT practice:

Imagine the struggle of early importers and exporters, shipping multiple pieces of cargo, all different sizes, shapes and weights, across various water channels. The need for a safe, consistently viable shipping option led to the creation of the standardized shipping container you now see on docks. There is a standard size for objects, a standard place for where the doors go, for how the locks work, and where the mount points are to pick it up, so that they all fit on ships and they can get them on and off efficiently and there’s weight restrictions. The shipping company doesn’t need to know what’s inside, only that it hits all of the specs and adheres to all of the standards.

That’s what a container does. It takes all your services, your apps, or other people’s apps and it bundles them up in a standard way where you can now have orchestration at the software level and deploy them to different machines.
In addition to that, containers are driving the microservices architecture. This is the concept of having a dedicated service that does only one specific task. Inside the container there might be several components deployed but the container only exposes one service that other applications or API’s can make use of. Let’s look at how the Axiomatics Policy Server fits into this model.
There are two main applications within what we call the Axiomatics Policy Server (APS): the management system, Axiomatics Services Manager (ASM) and the Policy Decision Point (PDP).
ASM is used across all of our runtime authorization solutions and provides the web based policy editor and management capabilities for further configuring the runtime authorization environment.
The PDP is the actual authorization engine that is called by an API gateway, an application or some other entity that is requesting access.
It is fully possible to for example deploy both ASM and PDP into the same system. Our APS Express Edition package does just that and comes with an installer that guides through the installation process and deploys the two applications into a tomcat application container. Express Edition is great to get a deployment up and running very quickly as it guides through the tasks of configuring the system such as setting endpoint URL’s, generating self-signed certificates and setting up the needed user accounts.
We frequently get the question if it’s possible to deploy APS in a Docker container. The short answer is yes, it is absolutely possible. Especially the PDP is well suited for this deployment model as the Docker container running the PDP will run as its own micro-(authorization)-service.
It is also possible to deploy ASM in a Docker but here we also need to configure a database that ASM uses to persist its configuration data (policies authored, authorization domain configurations, attribute connectors, etc.). The database could actually run in its own Docker container, however it should be noted that if that container stops running the data could be lost and actions would have to be take to persist the data in the container itself.
There are a couple of specific prerequisites for installing both ASM and PDP regardless of what underlying architecture is used. Oracle Java is one example and an application container is another for example. To help with the creation of an ASM and/or PDP Docker container we have prepared a basic image that the ASM and/or PDP Docker image can be built upon.
You can get this base image by running
docker pull axiomatics/axiomatics_base
This obviously assumes that you have Docker installed on your system. Follow instructions from Docker on how to get started with that.
When you have the base image downloaded you can start creating your own Docker image by building your own Docker file. Here’s a simple example of what that could look like.
FROM axiomatics/axiomatics_base:latest
MAINTAINER jonas.iggbom@axiomatics.com
ENV CATALINA_HOME /usr/share/tomcat
#add files to container
ADD asm-pdp.war $CATALINA_HOME/webapps
ADD setenv.sh $CATALINA_HOME/bin
ADD tomcat-users.xml $CATALINA_HOME/conf
ADD postgresql-9.4.1212.jar /tmp
ADD server.xml $CATALINA_HOME/conf
ADD pdp_init.sh $CATALINA_HOME
#switch to tomcat user
USER tomcat
#expose ports needed
EXPOSE 9090
EXPOSE 9443
As you can see in the first line we are building this image based on the previously downloaded Axiomatics base image. The base image contains the needed prerequisites such as Oracle Java, Apache Tomcat, Metro Web Services Stack.
Note that this is a very simple example of what a deployment like this could look like. The Axiomatics Customer Relation (CR) team has more detailed configuration examples available upon request.
Contact us at support@axiomatics.com if you have further questions or specific Docker related deployment considerations you’d like to discuss.