Who has a "huge" TM1/PA installation ?

Post Reply
BobMilli
Posts: 5
Joined: Thu Feb 28, 2013 9:45 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Who has a "huge" TM1/PA installation ?

Post by BobMilli » Thu Jan 03, 2019 12:51 pm

Hello all,
It has been quite a while since I've been to this TM1 Forum and I'm quite happy to see that it's still alive and active :D

We're about to migrate this year our whole TM1 10.2.2 / TM1Web / EV platform toward TM1 11 / PAW / PAX and as we're building a brand new architecture, we're trying to find the best of breed to have something reliable and scalable.

We plan to have 5 kind of "boxes":
  1. Some Database servers: hosting only pure Business TM1 data. We'll have one Windows Server per "big" databases and "small" databases will be put together on a dedicated Windows server
  2. Authentication server: a specific TM1 Database used as a repository for all our TM1 instances (around 40) and users (around 800). It will be used to authenticate people accessing PAW. This instance will also, through REST API queries, check, on a daily basis, that there are no users declared direcly on the business databases and if so delete them as we want users to be declared in the central repository and deployed to the target databases through REST API queries
  3. Adminhost servers: hosting only adminhost software, named in a business way (Finance, Marketing....). Each Business TM1 Database will registered itself against one or more adminservers.
  4. PAW Servers: at least one per Business topic (Finance, Marketing...) but we may need to have mixed PAW servers (one for Finance and Marketing). Our issue here is how could we synchronize PAW views between PAW servers
  5. Remote App servers: It's the way we're already using it for version 10.2.2. We don't deploy anymore the client software on the user laptop but we give them access to a remote app (Perspectives, PAX) which runs on the server but from a user point of view seems to be installed on their laptop.
I'm not pretending it's a really huge architecture but it's hard to get some real life community user feedback, either from the company we're working with for TM1 topics as from IBM themselves.

We had some trouble implementing our own security certificates and we felt quite alone to solve them all...
Are we the only one who don't rely on the default IBM certificates ?

We plan to put load balancing for remote desktop servers as well as for PAW servers. Does anybody do such a thing ?

We searching TM1/PAW customers with many TM1 servers and many TM1 users worldwide in order to see what was the choices you've made.

Feel free to ask if you've got questions about the above message, I'll be more than happy to answer.
Regards,
Bob

User avatar
ykud
Posts: 37
Joined: Sat Jan 10, 2009 10:52 am
Contact:

Re: Who has a "huge" TM1/PA installation ?

Post by ykud » Thu Jan 03, 2019 10:59 pm

Hi Bob,

I did a couple largish deployments (>1k users), but they are still on 10.2.2 with the goals to migrate this year, so the stuff below is more of my thinking on the topic before we upgrade rather than real experience. disclosure: I work for a consultancy, not on client-side.

Re your boxes:
a. good approach, are you hosting on premise or cloud? if on cloud, I'd try to see if you can automate deployment of additional boxes via creating standard image (AMIs in AWS terminology, for example) and updating the configuration for each server post initialization (setting up the required TM1 servers, etc). Depending on how many servers you have it might be useful to automate the whole process so that you can do upgrades by 'redeploying' the new AMI
b. this is something I haven't seen so far. I'd suggest using Cognos BI for authentication (CAM / IntegratedSecurityMode = 5) as it will give you SSO with AD (if you use it) and will work with PAW / PaX / TM1Web. Maintaining users / passwords in TM1 is something I try to avoid due to security exposure, better push out to AD :)
c. why multiple adminhosts? you want to limit the number of servers people see on connection?
d. PAW is built for multi-tenancy / scaling, so I'd build a central multi-server load-balanced setup for PAW and connect all servers to it rather than building 'business area' specific instances. Would make everything faster and you'd require less servers in the footprint.
e. It's fine, although PAX is really optimised for WAN and should be deployed as a local excel plugin (as opposed to Perspectives that is only viable via Citrix/TSC on WAN)


Security certs are possible for sure, we did this for PA 2.0.4, 2.0.5, there's a bit of dancing around as you need different formats for TM1Web / PAW / Cognos BI / TM1 itself. I'd suggest leaving the builtin certs for internal communication (adminhost - TM1 database) and using custom certs on client facing apps (TM1Web / PAW / PAX).

Load-balancing on remote servers : are you using Windows Terminal Services or Citrix? I saw both in cluster configurations, but mostly Citrix. It's a bit of a choice between license cost for remote desktop licenses and hassle of deploying / maintaining PaX locally, I'd weight it again. We've recently been deploying local PaX and disabling CItrix as a part of PA upgrades.

Cheers,
Yuri

Bakkone
Posts: 70
Joined: Mon Oct 27, 2014 10:50 am
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2013

Re: Who has a "huge" TM1/PA installation ?

Post by Bakkone » Sat Jan 05, 2019 1:43 pm

Hi,

I have to agree with Yuri on trying to limit the custom certs to client facing, and much easier to implement, systems. Using custom certs could also affect the ease of upgrading your TM1 environment. But this will all depend on what kind of solution you have for creating certificates etc.

BobMilli
Posts: 5
Joined: Thu Feb 28, 2013 9:45 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: Who has a "huge" TM1/PA installation ?

Post by BobMilli » Sun Jan 06, 2019 1:42 pm

Hello Yuri, hello Bakkone,

Thanks for your answers.
Here are some additional informations about our target infra for TM1 11 and PA.

First of all, everything is on premise regarding our TM1/PA installation.
For the TM1 databases servers, we should have between 10 and 15 servers as for small TM1 databases, we'll put them on the same Windows server.
Regarding authentication, I've never been a big fan about CAM but we've made a test in order to see if it can do the job or not for us. The answer was no and here are the main reasons. Finance don't want SSO. We're already validating the passwords against our AD. We have created a widget for our portal product which relies on a specific security model. Using CAM would have drive us to develop a specific Java plugin in order to connect our specific portal security model to CAM. Using the "impersonate" REST API feature is much more easy and reliable. Our centralized security server will also be used in order to monitor our licence comsumption and check that we're aligned with our licence contract.
For the multiple adminhosts, you get the main idea, it'll make it easy for business users accessing TM1.
We're already registering each TM1 instance on multiple adminhosts for our current 10.2.2 version as it is the only way to publish a websheet mixing data coming from different server with a single connection involved ;-)
Your remark about the fact that PAW is multi-tenancy is quite interesting. Do you know if it applies for on premise installation too ? I would be pleased to get more information about it !
The remote app server (TS technology, no Citrix) was sold to business users as a "performance enhancer" but the Infra idea was more to ease the patching/maintenance of the client software. As said before, we've got around 800 users all around the world so we don't want to patch each single laptop every time the version of the client is updated. Another good point for the remote app is the fact that when you unplug your laptop from its docking station, you don't loose you connection or you just to have to reconnect to the remote app to get back where you've left (no TM1 disconnection).

For the certs, I get your point but it was a request of our security department and our Infra team manage to get it work perfectly now :-)

When I initiate this thread, my main goal was to see if there was customers with a huge TM1 infra and to get their advices. Prior to the company I'm working for since 3 years, I've been working as a consultant/expert on OLAP technologies and for the last 10/15 years on TM1. The majority of the customers were just having a very few servers and sometimes a single one !

We've got an appointment with IBM and our consultancy company so I hope we'll get some advices from them :-)

Regards,
Bob

Post Reply