TalentLink Architecture V2.0x - Index of

idiotcanvas, Security. Uploaded 17 Nov 2013.

Technical Services Briefing Document

TalentLink Architecture

John Wilson (Head of Technical Services)

Version 2.0



idiotcanvas_7cb5ba01-2b99-4f14-8950-85a433f43653.docx, 10/05/2011, Page 2

Contents

Introduction ... 3
Client Side Requirements ... 4
Physical Architecture ... 5
Key to Architecture Overview Diagram ... 7
Software Architecture ... 9
Firewalls ... 10
SSL termination and load balancing ... 10
Email Anti-virus/Anti-spam appliance ... 10
Apache web server ... 10
Web services ... 10
Secured-ftp directories ... 10
Mail server ... 10
SMTP gateway ... 11
JBoss ... 11
Search Engine ... 11
Data eXchange HR-XML ... 11
TalentHub ... 12
Data Tier ... 13
Shared directories ... 14
Single Sign On ... 14







Introduction

Purpose

The purpose of this document is to describe the current architecture of TalentLink. TalentLink is a web application designed to run in SaaS (Software as a Service) mode; the application is hosted in a data centre and customers connect to the software over the Internet via a browser. This document describes:

- Client-side requirements
- Physical architecture
- Software architecture

Scope

This is a high level document showing the architecture of the TalentLink application and its underlying infrastructure; it is not intended to provide the reader with a detailed explanation of these components and their architecture.






Client Side Requirements

The different components required to use TalentLink are listed below:

Browser

The main component required is the Internet browser, which sends and receives HTTPS requests. TalentLink is compliant with most current browsers (a list of currently supported browsers can be found in the Technical Requirements document). Browsers should be configured to accept cookies and JavaScript execution. No plug-ins are required to run TalentLink.

Mail Client

Many features in TalentLink use electronic mail; TalentLink users should have an e-mail client running on their PC.

Secured FTP

As an option, a secured-ftp client can be used to get or put files for the Interface module. Secure-ftp directories are hosted on the same platform as TalentLink and are only accessible with public key authentication.

Microsoft Word

The TalentLink CRM and Contract management features require the use of MS Word.

Local Network Requirement

Customer firewalls should be configured to accept requests going to and coming from TalentLink URLs. Access is over HTTPS and SSH; a complete list of IP addresses and URLs is available on request.

Where customers deploy a local proxy server, this should be configured not to cache TalentLink pages.





Physical Architecture

The infrastructure used to deliver TalentLink is listed below:

Internet Feed

Diversely routed, high capacity internet feeds are provided by our data centre partner, configured as an Active/Passive pair into separate switching infrastructures.

Firewall

Dual Checkpoint firewalls configured as an Active/Passive pair provide routing and access controls between networks within the data centre area.

IPS/IDS

Dual Checkpoint IPS blades configured as an Active/Passive pair.

Load Balancing

Dual BIGIP F5 LTM load balancers configured as an Active/Passive pair provide load balancing functions across the web tier as well as SSL termination.

Web Tier

HP DL380G7 servers configured as a VMware vSphere High Availability (HA) cluster provide the base infrastructure for multiple front and back end Web servers to run as virtual machines.

Application Tier

HP DL380G7 servers configured as a VMware vSphere HA cluster provide the base infrastructure for multiple supporting Application servers to run as virtual machines.

Database Tier

Dual HP DL380G7 servers configured as an Active/Standby pair running Oracle Database provide the database tier. The servers are configured to have no single point of failure by using redundant components where necessary.

Storage

A highly available Storage Area Network provides storage for the TalentLink application. The SAN is designed to have redundant components where necessary to ensure it has no single point of failure. This includes, but is not limited to, dual Cisco Fabric switches, dual Compellent controllers, dual Power Supply Units (PSU), RAID disk configurations and dual Host Bus Adaptors (HBA).



Access to individual storage Logical Unit Numbers (LUN) is controlled by access controls on the SAN controllers and both hard and soft zoning on the Fabric switches.

Network

A highly available Network infrastructure is provided by multiple Cisco 4500 chassis; each connection to the network is multi-homed with automatic failover. Network segregation is achieved using Virtual Local Area Networks (VLAN).

Network flows

The diagram below contains components and flows which are described in the following table:

[Figure 1 diagram: components AA, CA, Internet, SG, LB, IDS, WS, AS, FS, RB, DB and DR, linked by flows F1 to F12]

Figure 1: TalentLink Physical Architecture Overview




Key to Architecture Overview Diagram

Key: Components

SG: The Security gateway of TalentLink is a system consisting of hardware based components for connecting IP based networks in a secure way. In this case secure means that only traffic which is explicitly allowed can pass the gateway and all other traffic is dropped. The name security gateway is used to point out that TalentLink uses not only a standard firewall system but a group of nested systems with different tasks, such as traffic monitoring, intrusion detection, packet filtering, or antivirus and anti-spam scanning, to secure the network.

IDS: Dual Checkpoint IPS blades configured as an Active/Passive pair.

LB: Load balancers are responsible for balancing the traffic coming to the web servers. Hardware SSL acceleration modules accelerate HTTPS (TLS or SSLv3) traffic.

WS: TalentLink web servers can be accessed through the HTTPS protocol only. The communication to the application servers is managed by the load balancers, which also provide the load balancing for the application servers.

The TalentLink Mail server sends and receives e-mails and uses different security technologies such as SPF, DNS checks, and SSL and TLS encryption. This mail server is only used by the application.

AS: The applications are deployed on different virtual machines.

FS: File servers are in charge of storing uploaded documents and keeping local backups.

DB: Database servers are based on the Oracle relational database. The RDBMS acts as the database for the application servers and ensures that users can access their data efficiently and under centralized control.

RB: All relevant files and databases are backed up to the remote backup location.

DR: The disaster recovery centre is located in Milton Keynes (UK). Data is synchronized daily using encrypted transfer from the Primary data centre to the Disaster recovery centre.

CA: Client access, e.g. from an applicant with an SSL3.0/TLS1.0 compliant internet browser. Connection attempts with less secure encryption formats are refused.

AA: Administrators access the service through an encrypted connection with VPN.

Key: Flows

F1: Communication between TalentLink and a user (CA) through the internet.

F2: Communication with an administrator (AA) using a VPN client for opening an encrypted tunnel.

F3: Communication between the internet and TalentLink (SG).

F4: Dual Checkpoint IPS blades configured as an Active/Passive pair.

F5: Requests accepted by the security gateway (SG) are forwarded to the load balancers, which decrypt HTTPS requests and send unencrypted data to the web servers (WS).

F6: Replies from the web server (WS) are sent through the load balancers (LB), encrypted, and then through the security gateway (SG) back to the sender.

F7: The web server (WS) forwards the request to an application server (AS). The application server checks the incoming request and refuses illegal requests. Replies of the application server are sent back to the web server (WS) and get translated to web pages.

F8: The application servers (AS) communicate with the database (DB) by using the JDBC protocol.

F9: Uploaded documents, mails and logs from applications (AS) are stored on fully redundant storage.

F10: The database (DB) is backed up at runtime (hot backup) using i365 EVault technology.

F11: All backups are transferred to the RB server.

F12: Data is transferred from the Primary data centre to the Disaster recovery centre.






Software Architecture

The diagram below shows a logical view of the software architecture and the data flows between components. The main layers are:

- Security Tier
- Web Tier
- Application Tier
- Data Tier

Figure 2: TalentLink Application Architecture




Security Tier

Firewalls

Redundant firewalls filter all requests coming into the TalentLink platform. A deny by default policy is used.

SSL termination and load balancing

SSL termination is provided by the F5 LTM load balancer devices; these provide decryption of incoming requests as well as encryption of outgoing flows. Load balancing ensures that requests are dispatched to multiple web servers and keeps track of connections for session persistence. Rules are created for manipulating the traffic flow as necessary.

Email Anti-virus/Anti-spam appliance

McAfee Secure Internet Gateway appliances are employed to check all incoming mails, blocking them if any viruses are detected or if they are identified as spam. All mail items found to be safe are forwarded through a secure encrypted tunnel to the TalentLink mail server. New virus fixes and anti-spam rules are automatically downloaded hourly.
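The diagram key states that the TalentLink mail server applies SPF and DNS checks, and the appliance section above describes mail being blocked before it reaches that server. The following Python example, added here and not code from the document or from McAfee's or TalentLink's software, shows what an SPF check actually decides: it evaluates the sending domain's SPF record against the connecting IP address, following include: references, and maps the result to a gateway action. The DNS answers are a constructed in-memory table (a real evaluator would query TXT, MX and A records); the domains, addresses and the action mapping are assumptions for the example.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (assumption: a real
# evaluator queries TXT, MX and A records). Reserved documentation addresses only.
FAKE_DNS = {
    "txt": {
        "example-customer.test": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.test -all",
        "_spf.mailhost.test": "v=spf1 ip4:198.51.100.10 ~all",
    },
    "mx": {"example-customer.test": ["mx1.example-customer.test"]},
    "a": {
        "mx1.example-customer.test": ["203.0.113.25"],
        "example-customer.test": ["203.0.113.1"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms per check


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Handles the all, ip4, ip6, a, mx and include mechanisms; prefix lengths on
    a/mx, the exists/ptr mechanisms and redirect=/exp= modifiers are not implemented.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns["txt"].get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            host = (arg or domain).lower()
            hosts = dns["mx"].get(host, []) if mech == "mx" else [host]
            matched = any(str(addr) == a for h in hosts for a in dns["a"].get(h, []))
        elif mech == "include":
            # include: matches only when the referenced record yields "pass".
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism or modifier this evaluator does not support
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no explicit "all"


def policy_action(spf_result):
    """Map an SPF result to the gateway's action on the message (constructed policy)."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "permerror"):
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.10", "198.51.100.11"):
        result = check_spf(ip, "example-customer.test")
        print(ip, result, policy_action(result))
```

The third sample address is listed by neither the customer's record nor the included mail host, so the trailing "-all" yields "fail" and the message is rejected; the included host's own record ends in "~all", so mail from an unlisted address claiming that domain only softfails and is quarantined for review rather than dropped.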

Web Tier

Apache web server

TalentLink uses multiple Apache web servers running on the Debian Operating System (OS): a pool of web servers for the Back-office and a separate pool of web servers for the Front-Office (TalentLink components called within customer pages):

- Apache caches all static resources, for example images and JavaScript files
- Apache requests the JBoss application server to generate any pages (ColdFusion, JSP)

Web services

TalentLink connects to external world services using web services; as an example, web services are used to connect to SMS providers for SMS delivery, or to integrate with job boards.

Secured-ftp directories

For Interface purposes, customers can request their own secured ftp directories to put files for the incoming interface and to get files for the outgoing interface. An SSH connection is required to access these “secure ftp directories”. User access is granted using PKI infrastructure, public keys being stored on the server.
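Since access to the secure ftp directories depends on the public keys stored on the server, the keys file for each customer's interface account is what an operator has to keep correct. The following Python script is an added example, not TalentLink's or OpenSSH's own tooling, of auditing an OpenSSH authorized_keys file for an SFTP-only account: it parses each line (options, key type, base64 blob, comment), checks that the blob really encodes the declared key type, flags the deprecated ssh-dss type, and reports keys that lack a forced command or the restrict / no-* options that keep a file-transfer key from being used for a shell or port forwarding. The sample file is constructed inline with filler key material; the requirement of a forced "internal-sftp" command is an assumption about how such accounts should be set up.

```python
import base64
import shlex
import struct

KNOWN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-dss"}
# Either "restrict" or this full set of no-* options confines a key to its forced command.
NO_OPTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, key_material: bytes) -> str:
    """Base64 public-key blob in the OpenSSH layout (type string first, then key fields).

    Constructed for the sample lines below; key_material is filler, not a real key.
    """
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(key_material)).decode()


def parse_authorized_key(line):
    """Split one line into (options, key_type, blob, comment); None for blank/comment lines."""
    tokens = shlex.split(line, comments=True)  # keeps command="..." together as one token
    if not tokens:
        return None
    if tokens[0] in KNOWN_KEY_TYPES:
        options, rest = [], tokens
    else:
        options, rest = tokens[0].split(","), tokens[1:]
    if len(rest) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return options, rest[0], rest[1], " ".join(rest[2:])


def audit_authorized_key(line):
    """Return the findings for one line (an empty list means acceptable for an SFTP-only account)."""
    parsed = parse_authorized_key(line)
    if parsed is None:
        return []
    options, key_type, blob, _comment = parsed
    findings = []
    if key_type == "ssh-dss":
        findings.append("weak key type ssh-dss")
    elif key_type not in KNOWN_KEY_TYPES:
        findings.append("unknown key type " + key_type)
    try:
        raw = base64.b64decode(blob, validate=True)
        (type_len,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + type_len].decode() != key_type:
            findings.append("declared key type does not match the key blob")
    except (ValueError, struct.error):
        findings.append("key blob is not valid base64 / SSH wire format")
    option_names = {opt.split("=", 1)[0] for opt in options}
    if "restrict" not in option_names and not NO_OPTIONS <= option_names:
        findings.append("forwarding/pty not disabled (add restrict or the no-* options)")
    if "command" not in option_names:
        findings.append("no forced command (expected internal-sftp)")
    return findings


def audit_authorized_keys(text):
    """Audit a whole file; returns {line_number: findings} for the lines that have findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_authorized_key(line)
        if findings:
            report[number] = findings
    return report


# Constructed sample file: three keys on one customer's interface account.
ED25519_BLOB = make_key_blob("ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, not real keys\n"
    'restrict,command="internal-sftp" ssh-ed25519 ' + ED25519_BLOB + " interface@example-customer.test\n"
    "ssh-ed25519 " + ED25519_BLOB + " unrestricted@example-customer.test\n"
    "ssh-rsa " + ED25519_BLOB + " mismatch@example-customer.test\n"
)

if __name__ == "__main__":
    for number, findings in sorted(audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items()):
        print("line %d: %s" % (number, "; ".join(findings)))
```

Run against the sample, line 2 passes, line 3 is a plain key that would give the interface account a shell and forwarding, and line 4 is reported both for its missing restrictions and because its blob encodes a different key type than the line declares, which is the kind of inconsistency that shows up when keys are pasted by hand.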

Mail server

An Exim mail server is deployed to store the mailboxes related to the Mailgateway interface, providing:

- Ability for candidates to apply to a job via mail (Mailgateway Application)
- Ability for a TalentLink user to integrate candidates in TalentLink, forwarding candidate mails received to the TalentLink Mailgateway (Mailgateway Redirection)

Two mailboxes are defined per TalentLink “account”: one to store the Mailgateway Redirection mails and one to store the Mailgateway Application mails.

This mail server provides POP3 services to a batch program that extracts the mails from the mailboxes and populates the TalentLink database. Each day, about 3,000 mails are received in TalentLink.
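The batch program described above takes mail that arrives from the outside world, including candidate attachments, and loads it into the database and document storage, so the parsing step is where an uploaded file gets its first check. The following Python example is added here and is not TalentLink's batch program: it parses raw messages with the standard library, works out which account and which of the two mailboxes (Application or Redirection) a message belongs to, keeps only attachments of the document types the application expects, neutralises attachment file names before they are used, and drops mail addressed to an unknown mailbox. The mailbox naming convention, the allowed document types, the size limit and the sample messages are all constructed for the example.

```python
import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed mailbox naming (assumption, not documented on the page):
#   apply-<account>@...    -> Mailgateway Application mailbox
#   redirect-<account>@... -> Mailgateway Redirection mailbox
MAILBOX_RE = re.compile(r"^(apply|redirect)-([a-z0-9]+)@mailgw\.example\.test$")
MAILBOX_KIND = {"apply": "application", "redirect": "redirection"}

# Only document types the application expects are kept; anything else is recorded and dropped.
ALLOWED_DOCUMENT_TYPES = {
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
MAX_DOCUMENT_BYTES = 5 * 1024 * 1024  # assumed limit


def classify_recipient(to_header):
    """Map the delivery address to (mailbox kind, account); ValueError if it is not a Mailgateway mailbox."""
    _name, addr = email.utils.parseaddr(str(to_header))
    match = MAILBOX_RE.match(addr.lower())
    if not match:
        raise ValueError("not a Mailgateway mailbox: " + addr)
    return MAILBOX_KIND[match.group(1)], match.group(2)


def safe_filename(name):
    """Drop any path component and any character outside a conservative set."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "unnamed"


def process_message(raw_bytes):
    """Turn one raw message into the record the batch would load into the database."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    kind, account = classify_recipient(msg["To"])
    record = {
        "account": account, "mailbox": kind,
        "from": email.utils.parseaddr(str(msg["From"]))[1],
        "subject": str(msg["Subject"] or ""),
        "body": "", "documents": [], "rejected": [],
    }
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        record["body"] = body.get_content().strip()
    for part in msg.iter_attachments():
        name = safe_filename(part.get_filename() or "unnamed")
        content_type = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if content_type not in ALLOWED_DOCUMENT_TYPES or len(payload) > MAX_DOCUMENT_BYTES:
            record["rejected"].append((name, content_type))
            continue
        # The content hash identifies the stored file; the sender's name is never used as a path.
        record["documents"].append({"name": name, "type": content_type, "size": len(payload),
                                    "sha256": hashlib.sha256(payload).hexdigest()})
    return record


def run_batch(raw_messages):
    """Process one batch fetched over POP3; returns (records, number of messages dropped)."""
    records, dropped = [], 0
    for raw in raw_messages:
        try:
            records.append(process_message(raw))
        except ValueError:
            dropped += 1  # mail to an unknown mailbox is not loaded
    return records, dropped


def build_sample(to_addr, with_executable):
    """Constructed candidate e-mail with a PDF CV and, optionally, an executable attachment."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@example.test>"
    msg["To"] = to_addr
    msg["Subject"] = "Application for Job Opening 1234"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="cv.pdf")
    if with_executable:
        msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream",
                           filename="../cv.exe")
    return msg.as_bytes()


SAMPLE_BATCH = [
    build_sample("apply-acme@mailgw.example.test", with_executable=True),
    build_sample("someone@mailgw.example.test", with_executable=False),
]

if __name__ == "__main__":
    records, dropped = run_batch(SAMPLE_BATCH)
    print(records, "dropped:", dropped)
```

For the first sample the PDF is kept and the executable with a path-traversal file name is recorded under its sanitised name and rejected; the second sample is addressed to no Mailgateway mailbox and is counted as dropped rather than loaded.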

SMTP gateway

The mail server above provides SMTP service for outgoing mails. Each day, about 30,000 mails are sent from TalentLink.

Application Server Tier

JBoss

JBoss is the application server serving the dynamically generated pages. TalentLink uses both JSP and ColdFusion technologies to generate dynamic pages. Several JBoss instances run on each physical server. Separate instances are configured to service TalentLink Back-Office or Front-Office activity. This separation provides better security and scalability: there is no noticeable impact of Front-Office load on Back-Office performance and vice versa. Additionally, this makes it possible to stop only one part (Back-Office or Front-Office) during maintenance work.

Search Engine

TalentLink uses Autonomy K2 Catalog 5.5.0 services to provide various search capabilities on Candidates or Job Openings. The end-user is able to set various types of searches, from basic full text search to advanced, highly configurable searches based on candidate questionnaires.

Two sets of collections exist:

- Candidate collection: this contains the entire candidate folder including the candidate's attached documents (CV, letter of intent, etc.).
- Job collection: this contains the entire Job Opening folder.

The collections are populated “on the fly” to enable almost immediate pertinent search on objects created/modified. This is done by the “Indexation process”, which retrieves data from Oracle tables and from attached documents stored on disk. Search requests are sent from ColdFusion MX pages to the Autonomy K2 engine using a Java API. The Autonomy K2 engines handling the searches are redundant processes running on top of the collections. At execution time, if one search engine is not available, the request is automatically handled by another one.

Data eXchange HR-XML

TalentLink contains a standard Interface module based on XML schemas for extracting Job and Candidate information from the TalentLink database and also for uploading Job and Candidate information into the TalentLink database. This module, called DXC (Data eXchange), is based on HR-XML SEP 1.1.

The following diagram illustrates the different layers that make up DXC and the relationships that exist among them, as well as the technology used to implement each of them:


Figure 3: Data eXchange Module

TalentHub

TalentHub is the name for the connectivity layer of TalentLink. It consists of a set of functional and technical touch points, designed to support integrations to any 3rd party technology, and cater for the needs of all integrations. Through a framework of APIs exposing the business layer of TalentLink, this One Stop Shop for integrations supports interactions with:

- ERP and HRIS systems
- Multiposting engines and job boards
- Vendor management, and payroll systems
- External search engines
- Sourcing and CRM solutions
- Online testing and background checking vendors
- Social networks

Figure 4: TalentHub

Data Tier

Relational Database Management System

TalentLink is a “data processing” application. The heart of such an application is the database engine. Oracle 10g R2 is used as the RDBMS engine. The TalentLink database runs a separate schema per Client.

All client schemas have the same Oracle objects. The table below gives the number of existing Oracle objects of each type:

Object type    Count
FUNCTION       15
INDEX          1315
LOB            23
PACKAGE        16
PROCEDURE      20
SEQUENCE       277
SYNONYM        3
TABLE          344
TRIGGER        52
VIEW           15

Data inside Oracle is usually accessed from a dedicated layer using Hibernate, which is an open source Java persistence framework.


Shared directories

NFS v4 is used to share directories containing client documents (candidate files, template documents, reports) among the different servers.

Single Sign On

A Single Sign On solution greatly increases TalentLink adoption by eliminating numerous credential requests. Additionally, it increases the security of the application, as phishing success is considerably reduced.

The proposed Single Sign On infrastructure is based on OpenAM (formerly known as Sun OpenSSO), using the SAML 2.0 standard as the authentication protocol between the Service Provider (TalentLink) and the Identity Provider.
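In the SAML 2.0 exchange described above, the Service Provider side (TalentLink) receives an assertion from the customer's Identity Provider and has to decide whether to log the user in on the strength of it. The following Python example is added here and is not OpenAM's or TalentLink's code: it shows the checks an SP performs on an assertion after the XML signature has been verified (signature verification itself needs an XML-DSig library and is assumed to have happened before this step): the issuer must be the configured IdP, the assertion must carry a signature element, the NotBefore/NotOnOrAfter window must contain the current time within a small clock skew, the AudienceRestriction must name this SP, and an assertion ID must not be consumed twice. The assertion, entity IDs and timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Entity IDs are assumptions for the example, not TalentLink's real values.
SP_ENTITY_ID = "https://talentlink.example.test/sp"
IDP_ENTITY_ID = "https://idp.example-customer.test/openam"

# Constructed assertion containing the elements the checks look at. The Signature
# element is a placeholder; verifying it is assumed to happen before these checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"
    ID="_constructed-0001" IssueInstant="2011-05-10T09:00:00Z">
  <saml:Issuer>https://idp.example-customer.test/openam</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example-customer.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-05-10T09:00:00Z" NotOnOrAfter="2011-05-10T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://talentlink.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, sp_entity_id=SP_ENTITY_ID,
                       idp_entity_id=IDP_ENTITY_ID, seen_ids=None,
                       clock_skew=timedelta(seconds=60)):
    """Check issuer, signature presence, validity window, audience and replay.

    `now` is a timezone-aware datetime or a SAML timestamp string. Returns
    (subject NameID or None, list of reasons); an empty list means accepted.
    """
    if isinstance(now, str):
        now = parse_saml_time(now)
    reasons = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, ["root element is not saml:Assertion"]
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        reasons.append("issuer is not the configured Identity Provider")
    if root.find("ds:Signature", NS) is None:
        reasons.append("assertion carries no signature")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        reasons.append("assertion has no Conditions")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < parse_saml_time(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
            reasons.append("assertion expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            reasons.append("audience restriction does not name this Service Provider")
    if seen_ids is not None:
        # Replay protection: an assertion ID may be consumed once within its validity window.
        assertion_id = root.get("ID")
        if assertion_id in seen_ids:
            reasons.append("assertion ID already consumed (replay)")
        else:
            seen_ids.add(assertion_id)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        reasons.append("no subject NameID")
    return name_id, reasons


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "2011-05-10T09:02:00Z", seen_ids=set()))
```

The audience check is the one that matters most in a multi-tenant SaaS deployment: an assertion a customer's IdP issued for some other service must not log anyone into TalentLink, even when it is correctly signed and still within its validity window.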