Ramesh Krishnamurthy, PhD

• Distributed System:  CWM is built  using Spring Cloud Framework, this provided standard patterns for developing Distributed Systems. We used the following in the application -

  • Externalized Configuration Management - Using Spring Cloud Config Server​

  • Service Discovery - Eureka Service Discovery which is a Netflix provided Open Source Software (OSS)

  • API Gateway - Zuul API Gateway - An abstraction layer and single interface for all external systems to interface.

  • Client Side Load-balancing - Using Ribbon to provide client-side load-balancing, and 'Feign' which provided declarative web-service client

  • Circuit-Breaker Pattern - Using Hysterix for circuit breaker pattern for increased fault tolerance.

​

​

• Security:​ Confidentiality, Identity and Authorization (CIA) together form the core of securing any application. For CWM security was achieved by using industry standard tools and technique -

  • TLS : Transport Layer Security (TLS) provides privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers. TLS Provides : Encryption, Authentication, and Integrity.

    • Encryption: hides the data being transferred from third parties.

    • Authentication: ensures that the parties exchanging information are who they claim to be.

    • Integrity: verifies that the data has not been forged or tampered with.​

For all the Microservices​ in the application, TLS v1.2 was enabled. All communication between the Microservices was also performed using TLS.

​​

• oAuth: oAuth 2.0 described in RFC 6749, is used between Microservices in our application to access data from each other after checking for authorization. The oAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. oAuth protocol defines four roles : 

  • Resource Owner​

  • Resource Server

  • Client

  • Authorization Server

For our application, Resource owner​ delegated ability to grant access to Authorization Server. Auth Server generated tokens based on JSON Web Token (JWT) is provided to the Client before the client can request a resource from Resource Server. The Client includes the token provided by Auth Server in the HTTP header. When the resource server receives the HTTP request with the token, it will send a request to Auth server to validate the token. Once the token has been validated, the Resource server will handle the request.

• SAML: Security Assertion Markup Language (SAML) was used in our application to provide Single-Sign On to users. SAML again has three main roles defined in the communication:

  • End-User​

  • Service Provider

  • Identity Provider (IdP)

In our application a Single Sign-On button was provided to end-users to authenticate agains​t the IdP. Once the user is authenticated by the IdP, a signed SAML response is sent to the Service provider ( our application in this case), the application then grants access to the End-user.

• RBAC: Role-Based Access Control (RBAC) was used in the application to provide tiered access, based-on User role. Each user is grouped in Roles and each Role had a set of permissions. Roles specified what operations any user can perform, when users login into the application. The SAML token includes the group the user is associated with, application uses that to apply RBAC rules.

• PAM: Pluggable Authentication Module (PAM) provides dynamic authentication support for applications and services. Since our application runs on a Linux system, we were able to leverage Linux provided mechanism to support PAM. The main reason for implementing this was to remove default login/password that usually gets built into an application.

• HSM : Hardware Security Module (HSM):  CWM application supports encryption/decryption of sensitive data stored within the application using keys generated by external HSM. There are specific logic in place to handle backup/restore of data with HSM generated keys. The HSM keys are rotated on a periodic basis, this is handled as well.

• Security SDL: For the development of CWM application the best practices of Secure Development LifeCycle (SDL) process was followed. The goal of this process is to reduce security risks, mitigate key vulnerabilities, and better meet customer demands for a more-secure product. The process followed include the following steps:

  • Secure Design - ​Threat Modeling and Security design review.

  • Secure Coding - Ranging from input validation, code-reviews etc.

  • Static and Dynamic analysis - Using tools such as SonarCube

  • 3rd Party Software - Identify and Register 3rd Party software

  • Penetration testing - Run scans against the software with standard tools 

​

​

• Message Broker:  RabbitMQ was used in a clustered mode with CWM. I have documented in detail the process I went through in deciding which Message Queue will work best is documented in my blog here​ .

​

​

• Multi-node :  CWM application supported Multi-Node using the following Architectural Components -

  • Spring Cloud Framework Components -​

    • API Gateway (Zuul)​

    • Service Discovery and Registry (Eureka)

    • Client-Side load-balancer (Ribbon)

  • ​Quartz Scheduler (Scheduler Library) – Clustered Mode

  • Rabbit MQ (Message Queuing  Library) -  Clustered Mode

  • Database Mirroring Across Nodes (Database As a Service)

​

​​

• Micro-FrontEnds - Angular 7/8 and Clarity Design Framework by VmWare -

  • The User Interface was built using Angular 7 and Clarity Design framework.​

  • A micro frontends approach  was used to split the front end code into multiple independent web applications. These were split along vertical feature boundaries and developed as library that gets built in to the base UI App.

  • Project Clarity provides UX guidelines, HTML/CSS framework, and Angular components working together to craft the UI.