Technical SaaS Overview
Introduction
Redwood offers cloud-based Enterprise Process Automation Software as a Service (SaaS) that enables you to improve the consistency and quality of all your business and IT processes. With this SaaS offering you can connect and coordinate your process activities between all of your strategic business and IT applications - across all platforms, silos and technologies.
Redwood SaaS Architecture
With the Redwood SaaS offering there is no need to maintain and manage all aspects of the central automation platform. This allows you to focus on configuring automation tasks for your business-critical processes, without having to worry about managing the underlying infrastructure.
Upgrades to the server environment, operating system and database maintenance and monitoring of the infrastructure are all taken care of by Redwood, as part of the service.
Figure 1: Redwood SaaS Architecture
As shown in Figure 1 the Redwood SaaS architecture consists of a customer specific area based in the cloud; this is connected to managed systems and applications at the customer location via secure networking across the internet. The mechanism used will depend on your type of target system. Operating system-level tasks are managed by a Redwood platform agent, downloadable from the Redwood Control Center and installed on the relevant server. Applications such as SAP® Oracle E-Business Suite, PeopleSoft, BusinessObjects and Services such as Web Services, SQL are connected via the Redwood platform agent acting as a 'Secure Gateway'. Users access their environment using a supported web browser via the Internet.
Security
Redwood deploys a 'defense in depth' approach to security; it applies multiple layers of security to prevent unauthorized access. The following paragraphs provide an overview of security. For more detail, please contact your local Redwood representative or partner.
Secure Internet Connection
The Redwood SaaS architecture is designed so that no specific knowledge of, or access to, the underlying infrastructure is required. Each customer operates in a dedicated zone within the Redwood cloud. Users connect to their SaaS environment via a web browser, accessing their own environment using the URL provided by Redwood (<region>.###.cloud for example dublin.runmyfinance.cloud). Because the Redwood cloud is running in the Amazon Web Services infrastructure it will benefit from all built in security measures provided by this service (https://aws.amazon.com/compliance/ and https://aws.amazon.com/security/).
All communications between the user and the environment, and the connections to the remote servers and applications on which processes are being automated, are secured with HTTPS / TLS 1.2+ and a SSL certificate.
User Access and Roles
Customers can only access their environment through the Redwood provided SaaS portal. Specific users at the customer location are designated as account administrators. These individuals can create and modify additional users for the account, depending on the level of service purchased. Protection against unauthorized user access is provided by: the built-in access control
- Browser authorization. You cannot access the SaaS portal and solution from an unknown browser on an unknown desktop.
- User ID and password combination. There are built-in rules that enforce the use of complex passwords.
- User lockout after a pre-determined number of failed login attempts.
or SSO can be configured using SAML to authenticate against your local Identity Provider. Protections like 2-factor authentication, password rules or lockout will then be controlled by the customer's configuration. Further protection is provided by role-based access. This allows account administrators to control the level of access (Administrator, Operator, Business, Viewer, Login only, No Access) each user has to each environment (Production, Test, Development). You can also create custom roles to provide more granular control over access to specific objects in the environment. See Managing Users and Roles document and the SSO Guide for full details.
Managed Servers
Managed systems are the servers on which Redwood manages process tasks. To automate tasks on a managed server in your environment, Redwood connects to a 'platform agent'. You download the necessary agents from the Redwood Control Center, each agent is unique to your own environment.
The agent initiates the installation process by contacting the Redwood cloud server from inside your network. If the server can access the internet the agent will set up the connection. This avoids the need to make changes to the inbound protection provided by your firewall. This is also shown in Figure 1. Redwood supports internet access via an HTTPS proxy server.
See the Install Platform Agents for full details.
Secure Gateway
The Secure Gateway is a technology invented by Redwood that allows a single, secure channel for all application connections that are not platform agent dependent.
The Secure Gateway capability is a characteristic of the platform agent and can be enabled for designated agents as required. One agent will act as the active gateway by the system at start-up.
Once the agent-initiated connection to Redwood has been established, applications such as SAP, Oracle E-Business Suite, PeopleSoft and BusinessObjects communicate directly with the cloud through the Secure Gateway.
Secure Gateway implements the following security measures to protect the connection:
- TCP connection is always initiated from customer site to the Redwood cloud
- Single conduit for all traffic irrespective of the number of managed systems
- Connection is TLS encrypted using a Redwood certificate
- Hostname verification
- 'Man in the Middle' tampering detection
- Highly available connection to Redwood for managed entities
- Military grade encryption through TLS 1.2+ and the most secure industry standard ciphers.
The Secure Gateway is fault tolerant. If the designated Secure Gateway host happens to fail, the agent running on another system will automatically take over ensuring that processes continue to run.
See the Configure the Secure Gateway for full details.
Connection to ERP Systems
Connection to for example SAP or Oracle EBS systems is managed through the Secure Gateway and established using standard ERP system connect string protocols. To authenticate the Redwood server to ERP Systems normally locations and username and password are required.
ERP spool data is managed by the Spool Host component. This reduces the level of network traffic and improves data security by retaining customer ERP spool data on the customer site.
See the Configure the Spool Host, Connect to SAP and Connect to Oracle EBS for more information.
High Availability
The Redwood SaaS environment uses industry standard container solutions running in a cloud environment; this is built for high availability and scalability. There is no dependence on specific server hardware or physical storage components, and there is no single point of failure.
We monitor the service around the clock so that any issues with the environment are immediately detected and corrective action can be taken, so that it will not impact customers' business.
The customer can configure Alerts Rules so that individual connections are monitored. If a managed system goes into a 'connecting' status something could be wrong, so an alert can automatically be raised and sent to a designated recipient at the customer.
Data Backup and Disaster Recovery
Technical product and Job logs of customer environments are backed up daily, whereas the client databases are constantly streamed to all availability zones allowing near zero data-loss continuous backups and point in time recoveries. This continues backup is there for 'Disasters' such as Host, Database and Datacenter issues, not for object specific backup and restore purpose.
Redwood environments run on Amazon Web Services (AWS) hardware with dedicated storage and networking to ensure full isolation of the environment. An overview of the AWS infrastructure can be found here: https://aws.amazon.com/about-aws/global-infrastructure/.
The customer is responsible for Object backups inside the Redwood solution. These built-in extracts (and archives) should be scheduled, copied to the customer environment, and removed from the Redwood cloud. Redwood is not responsible for backing up and restoring specific objects.
Upgrades
Redwood strives for optimum reliability and security of its SaaS environments; to this effect, upgrades are mandatory, patch-level upgrades (for example from 9.2.8.5 to 9.2.8.6) are optional for Finance Automation environments. Upgrades are announced via Message Of The Day in the SaaS dashboard; General – Notifications/Reports contacts (Security > Contacts) will be informed via email. For RunMyJobs, all three environments must be upgraded following a precise calendar, based on the day of the release.
Finance Automation automatic upgrades are suspended, for the time being.
Service Packs
Service Packs consist of new features, new supported systems and security, stability enhancements. They can be scheduled as the customer desires within certain boundaries described below.
Environment | Scheduled (from day of release) | Re-schedule |
---|---|---|
Development | 1 week | 1 week |
Test | 2 weeks | 1 week |
Production | 4 weeks | 2 weeks |
Figure 2: Service Pack windows
This means that the Development environment must be upgraded in the fortnight following a release, Test environment within three weeks of a release, and Production within six weeks of a release.
Example: a new version was released on June 1st.
- Development upgrade was scheduled for June 7th and could be rescheduled to, at the latest, June 14th.
- Test upgrade was scheduled for June 14th, and could be rescheduled to, at the latest, June 21st.
- Production upgrade was scheduled for June 28th and could be rescheduled to, at the latest, July 12th.
Once an upgrade is scheduled for one of your environments, you can initiate the upgrade or reschedule once in Environments > Upgrades. You can easily add update schedules to your calendar by clicking the "Add to calendar" button. The "Upgrade now" button will schedule the upgrade immediately.
Patches
Patches consist of only bug fixes and/or security updates and are crucial to ensure the security and stability of the Redwood SaaS platform.
Environment administrators can set a patch window (day + time) for non-production and production which will be used for each patch. Non-production will automatically roll out during the 1st week after release and production the 2nd week. This way production patches will always be applied after the non-production environment.
Figure 3: Patch window
The desired day/time for patches can be configured under Environments > Patches and will apply for all future Patches.
Hotfixes
A hotfix is a version of the software to fix a customer's specific issue that is provided at Redwood's discretion. If you have requested a hotfix and the request has been accepted, Redwood will arrange a time frame for installation. Just like for patches, non-production systems will receive the hotfix first, production will get the hotfix once testing has successfully been done.
Unlimited Connections and Platform Agents
Redwood SaaS is a subscription service with consumption-based pricing. This means there are no restrictions on the number of systems that can be connected and managed. Costs are based on a monthly subscription fee, plus a fixed price per automation process run.
From a technical perspective, this gives administrators the freedom to add and remove connections or install platform agents on as many target systems as desired without having to worry about licensing implications.
This makes complex system development and QA testing easy to plan and implement and makes it practical to configure connections to rarely used systems that run very few processes, but which would still benefit for automation.
The Supported Platforms documents in the Help section in the Redwood cloud portal provides an overview of supported agents and platforms.
Redwood SaaS Dashboard
Users log in to the Redwood environment through an authorized web browser. Once logged in, they have access to the Redwood cloud dashboard with access to features based on the type of user.
The dashboard allows authorized users to create other users, edit environment settings. All users have access to several documents in the Help section, to aid with the configuration and management of the Redwood environment. From the dashboard users connect to any one of the Redwood automation environments. These are notionally called 'Development', 'Test' and 'Production', but can be renamed as required (see 6.1.3 below). This changes the display name, but the endpoints will remain the same.
The dashboard provides information on key areas to help management of the Redwood environment. It is broken down into several areas which are described in this chapter.
Messages
Your account Messages on the dashboard home page contains messages informing you of upcoming system maintenance and news relating to your Redwood account.
Figure 4: Portal Dashboard
User Settings
If you want to change information about your account, such as the company address or your email address, click on your username in the top left-hand corner of the screen to access the 'Settings' menu. Settings might be limited in case SSO is configured.
Figure 5: User Settings
Environments
Authorized users can access the environments area to access more detailed information and perform various tasks. In the Dashboard shown on Figure 6 you can switch between environments
By clicking on Environments you are allowed to change the Description shown on the Dashboard, select which Redwood Support region will get (limited) access which allows them to help you in case of issues and you see Users and Activity
Patch and Upgrade configuration, as explained in an earlier section, are also managed from here.
Figure 6: Environments view
Security
The 'Security' area shows an overview of all users, including their access level to each environment and the type of user they are. Add a new user and select which level of access the user is to have to each environment from the 'pencil' icon on the top. Available roles are:
- Administrator - create objects, schedule tasks, run processes and monitor activities
- Operator - schedule tasks, run processes and monitor activities
- View - monitor activities
- Login - can connect but can only perform tasks granted via custom roles
- No Access - cannot access the environment
Different access levels can be assigned to a user for the different environments. User allowance and usage is indicated when using the 'Create User' tab. In the 'Security' area custom roles can also be created and the user activity log viewed.
Portal specific privileges can be given for people who do not need access to the Redwood system itself, only the portal. Besides having environment Access/Administrator you can also give users access as:
- Security Administrator - Allows a user to manage Security settings
- SSO Administrator - Allows a user to configure SSO for your SaaS environments
- Finance Administrator - Allows user to see Financial data in the portal
Figure 7: Portal Privileges
Consumption
The 'Consumption' area allows you to see near real time process consumption for each environment. The default view shows the consumption over all environments in the current year, listed per month. Clicking allows a drilldown to days or even hour specific consumption in total and per environment
Figure 8: Consumption overview
See Also
cloudTopic