Introduction[edit]

This playbook covers topics required for establishing and sizing your environments for Pega Customer Decision Hub™ (CDH) (Pega Cloud Services or your premise). Configuring and providing access to and from those environments should begin in advance of project kick-off. This also includes understanding and planning the ongoing monitoring and managing the environments as well as the process and procedures to package and deploy Pega rules to the various environments.

The following figure provides a conceptual overview of the major components of Pega Customer Decision Hub:

Identifying, sizing, and configuring your Pega Customer Decision Hub environments and infrastructure covers four major areas:

• Identify, plan, and execute the activities, work efforts, and deliverables to size and provide the network, storage, and computing infrastructure for installing Pega Customer Decision Hub.
• Identify, plan, and execute the activities, work efforts, and deliverables to securely connect Pega Customer Decision Hub to other systems, applications, and data repositories including user access, data connections, and service APIs.
• Identify, develop, and deploy the business-as-usual (BAU) and IT operations processes and procedures to monitor, manage, and maintain the infrastructure to ensure the solution operates within the required availability and performance envelopes.
• Identify, develop, and deploy the Project and BAU processes and procedures (manual and automated) to package, save, and promote rulesets from one environment to another and to validate that the promoted rulesets properly function in the environment to which they were promoted.

Pega Support Contact Administrator[edit]

Appoint Pega Support Contact Administrators to be responsible for ensuring that designated individuals in your organization have appropriate role-based access to the Pega support and self-service resources. This includes activities related to:

• Opening and managing Product Support and Cloud Service SRs
• Initiating authorized self-service Pega Cloud Services operations

You can appoint Pega Support Contact Administrators as soon as you execute any license agreement with Pega. For more information related to the role of the Pega Support Contact Administrator, see the Support Contact Administrator Guide.

If your organization is already a Pega client, you can establish your Pega Support Contact Administrator immediately.

As a best practice and for contingency, you should have at least three Pega Support Contact Administrators for your Pega Customer Decision Hub application.

For Pega Cloud Services environment provisioning, designate one of the Pega Support Contact Administrators as the requestor for new Pega environments. You can rotate that responsibility among your administrators.

The Pega Support Contact Administrator is also responsible for keeping your designated support contacts up to date and for ensuring that your support contacts are assigned the appropriate roles for opening and managing Pega SRs and Pega Cloud Services requests.

Pega Customer Decision Hub environments[edit]

The standard Pega Cloud Services for Pega Customer Decision Hub architecture includes four environments:

•       Development for IT and Business Developers

•       Testing for QA and UAT testing

•       Simulation for Simulation processing as well as performance testing and staging.

•       Production

You can request additional environments for additional cost.

The sizing for production is determined through the Pega Hardware Estimation process which uses information from the following template. Sizing for non-production environments is provided based on the number of users, developers, and testers and the work that is anticipated in each of the lower environments. In addition, a PostGres relational database is provisioned to support Pega Rules, Pega Data, and Client data.

The following figure shows the typical Pega Cloud Services production infrastructure deployment:

Connectivity to Pega Customer Decision Hub[edit]

Connectivity to Pega Customer Decision Hub includes establishing the physical connections and the related configuration and security of your system and Pega's in the following three areas:

• User access including:
  • Business and technical developers who configure and test the rules, campaigns, actions, and other components of the Pega application.
  • End users who use the Pega application for their work (for example, member services representatives).
  • IT and business resources who manage and monitor the Pega application as well as review execution and results.
• Data import and export including:
  • Direct connection to your existing data sources
  • Batch processing
  • Data ingestion from and extraction to external services
  • Stream processing of external data sources
• Exposing or consuming services including:
  • Services exposed within Pega Customer Decision Hub to support Next-Best-Action requests and returned Responses to and from your channel applications and other data such as page Tag views
  • Services exposed by your other applications that must be consumed by the Pega Customer Decision Hub application for processing

To support connectivity, Pega Cloud Services configures load balancers to meet the standard Pega Customer Decision Hub guidelines. Typically, load balancer configurations include:

• User access to the Pega Customer Decision Hub application via the web / application tier nodes.
• Decision Hub tier nodes for “Make Decision” / Container requests, typically configured as “sticky sessions.”
• Stream tier nodes for “Capture Response,” page “Tags,” email opens (impressions), clicks, and click-throughs.

User Access[edit]

User access requires review, design, and configuration in three areas:

1. Network access: to ensure users can gain physical access to the application.
2. Authentication: to ensure users have the ability to sign in to the application.
3. Authorization: to ensure users have been granted rights to perform an action within the application.

Network Access[edit]

You need to review and agree on the network authentication approach across the 4 Network Security Layers for users, data transfers, and end customers.

The options available include:

• Internet-based security only
• Internet-based security plus private connection
• Private connection only

As part of the initial implementation, your Pega Lead System Architect works with your network administration team and Pega Cloud services to identify the details of the network configurations required to support the network authentication approach and ensure that the required network change requests for policy updates and certificates are opened in advance of project kickoff.

Note: If you require network-based authentication that limits access to the Pega Customer Decision Hub application to users who are accessing the application through your secure internal networks (private connection only), this requires additional planning and establishing the following resources:

• IP firewall rules and certificates to ensure that the user devices (desktops, laptops, and so on) accessing the servers which host the Pega Customer Decision Hub application and DB are limited to known and agreed origination IP address blocks.
• VPN remote access for all remote workers, for example, Pega and other contractors, to your network.

To support a common Network Access Transport Security, calls initiated to and from Pega Customer Decision Hub which include Browser Sessions and Web Service Requests (SOAP/REST) are expected to be encrypted via industry standard protections such as https/TLS1.2 (128 bit).

In addition, TLS encryption is a mandate and not optional when crossing network boundaries.

Certificates can be stored in trusted enterprise key stores and used to decrypt messages.

The Authentication process can use basic Pega internal credentials (User Name and Password manually configured for each user by a system administrator) or a variety of SSO providers including SAML, OpenID Connect, Kerberos, or "Client" customized authentication.

The authentication method will be designed by the Pega LSA working with your Pega Customer Decision Hub development and SSO enablement teams. In addition to establishing the authentication for Pega Customer Decision Hub users (for example, IT and Business developers), the authentication methods for both Inbound and Outbound services and related access should be planned and designed at the same time.

When a Pega Cloud Services environment is provisioned, Pega provides the initial “System Administrator” User ID and Password to the Pega Support Contact Administrator who has requested the environment.

• These credentials should be provided to your designated Pega Customer Decision Hub System Administrator who should work with the Pega LSA to ensure initial access and then change the provided password.
• Additional User IDs should not be set up until the Pega LSA and your Pega Customer Decision Hub application development lead establish the initial application, user authentication matrix and authentication method.

Authorization[edit]

You can manage authorization in Pega through access groups and permissions. You can also administer authorization through external APIs and customize it for integration with other providers.

• Access groups identify the Pega roles and permissions that you grant to operators:
  • Operators are the identified users of the application, both human and system users.
  • Permissions are the identified actions (such as view, read, write, create, delete) that are assigned to a role. Because there can be several thousand individual permissions identified for a Pega application, permissions are assigned to roles.
  • During the initial setup of the Pega application, the Pega LSA working with your Pega Customer Decision Hub application management and process management security team to review the application needs, establish an initial set of application access groups, and assign roles and permissions.)

• As operators are established, they are assigned to access groups.
• Pega Customer Decision Hub provides out-of-the-box access groups for the primary capabilities within the product. As a best practice, establish project-specific access groups by using the out-of-the-box groups as a starting point. For example:

Authorization also varies by environment (for example, a developer may be granted broad access and permissions in the development environment and have no access to higher-level environments).

As a best practice, implement the authorization process across all environments before you assign user IDs.

There are a number of caveats specific to Pega Cloud provisioning which you should review prior to establishing your Pega Customer Decision Hub project access groups and permissions. For more information, see Client access to Pega Cloud Services environments.

Data import and export using SFTP[edit]

Pega Customer Decision Hub applications may import customer-related data (customer, product, behavior, and so on) and export interaction-related data (Interaction History detail and summaries) using the batch file import and export processes, or processing via direct connection, services (REST) or stream processing, depending on data volatility.

Batch file transfer to and from Pega Cloud Services for Pega Customer Decision Hub applications uses SFTP.

The Pega Cloud Services SFTP Service provides you with simple, secure file transfers to and from your premise to your Pega Customer Decision Hub application providing the following features:

• Secure service for file uploads and downloads to and / or from your Pega Customer Decision Hub application.
• Static IP addresses that do not change for the life of the service, eliminating the need for you to whitelist a broad range of IP addresses for the service.
• Separate SFTP server with a unique URL, user credential, and folder for each environment.
• Bulk data processing through file listeners in your Pega Customer Decision Hub application with integration to your own configured file extracts or with Pega Business Intelligence Exchange (BIX) data extracts.
• Secure repository data storage until removal.

The following figure shows a typical SFTP transfer to Pega Customer Decision Hub:

The following figure shows a typical SFTP transfer of Pega Interaction History to your premise:

Monitoring your Pega Customer Decision Hub application in Pega Cloud[edit]

Monitoring your Pega Customer Decision Hub application in Pega Cloud Services is a shared responsibility between Pega and you.

The Pega Cloud Service reliability team monitors the health of your Pega Customer Decision Hub environments on a 24x7x365 basis from strategically located Service Reliability Centers around the world. The team, a collection of Pega application experts, database administrators, and service reliability engineers, delivers Pega-specific expertise to manage your Pega Customer Decision Hub environments. To ensure service reliability, the team manages client communications, performs routine maintenance, and responds to automatically generated alerts, routine maintenance activity, and service requests tracked within the Pega Global Customer Service (GCS) ticketing system.

The Pega Cloud Services reliability team will monitor the infrastructure components of your Pega Customer Decision Hub application in your environment using a variety of tools.

• Server responsiveness – Proactive, regular ping to verify server responsiveness
• CPU utilization – Proactive monitoring with alert when utilization exceeds threshold
• Memory utilization (buffered and cached) – Proactive monitoring with alert when utilization exceeds threshold
• Disk utilization – Proactive monitoring with alert when utilization exceeds threshold
• Application server accessibility – WGET/Curl, alert if no response
• Application server – WGET/Curl and JMX, alert if no response
• Application server Heap utilization – WGET/Curl, alert when utilization exceeds threshold
• Database query – Proactive, regular database query; alert if no response
• Database table space utilization – Proactive, regular database query; alert when utilization exceeds threshold
• Database errors – Proactive, regular database query; alert if error returned

It is your responsibility to also monitor your Pega Customer Decision Hub application's health using Pega Predictive Diagnostic Cloud (PDC).

• PDC is an intelligent agent that predicts, prioritizes, and notifies administrators about the health of your Pega applications.
• PDC leverages artificial intelligence to provide operations teams with a prioritized list of action plans that ensure your system’s reliability.
• PDC provides application insights across four dimensions:
  1. Responsiveness
  2. Throughput
  3. Stability
  4. Availability

Pega PDC supports infrastructure and operations management and development teams. In addition to establishing appropriate alert emails, your infrastructure and operations management teams must review and monitor your application performance and system health on a regular basis. It is also important for your development teams to review the alert summaries provided through the PDC “Stability and Improvement Plan” reports to identify and correct these issues to minimize their impact on your business.

For additional details, see Monitoring your Pega Cloud Service environments.

Pega DevOps[edit]

The Pega DevOps practices cover continuous integration and continuous delivery to quickly move application changes from development through testing to deployment on your production system.

Pega DevOps uses a combination of tools within Pega Platform™ and common third-party tools such as Jenkins to implement:

• Release pipelines
• Automated testing
• Integration and delivery
• Development workflow
• Deployment Manager
• Version control
• Pega Unit Testing

As a note, a Pega Cloud Services DevOps Environment will be provided as a support utility for your DevOps development.

For additional details, see DevOps Documentation and Pega Customer Decision Hub Implementation Guide.