Technical Services Briefing Document
TalentLink Architecture
John Wilson (Head of Technical Services)
Version 2.0
idiotcanvas_7cb5ba01-2b99-4f14-8950-85a433f43653.docx
10/05/2011
Contents

Introduction
Client Side Requirements
Physical Architecture
Key to Architecture Overview Diagram
Software Architecture
  Firewalls
  SSL termination and load balancing
  Email Anti-virus/Anti-spam appliance
  Apache web server
  Web services
  Secured-ftp directories
  Mail server
  SMTP gateway
  JBoss
  Search Engine
  Data eXchange HR-XML
  TalentHub
  Data Tier
  Shared directories
  Single Sign On
Introduction

Purpose

The purpose of this document is to describe the current architecture of TalentLink. TalentLink is a web application designed to run in SaaS (Software as a Service) mode: the application is hosted in a data centre and customers connect to it over the Internet using a browser. This document describes:

- Client-side requirements
- Physical architecture
- Software architecture

Scope

This is a high-level document showing the architecture of the TalentLink application and its underlying infrastructure; it is not intended to provide the reader with a detailed explanation of these components and their architecture.
Client Side Requirements

The different components required to use TalentLink are listed below.

Browser

The main component required is the Internet browser, which sends and receives HTTPS requests. TalentLink is compliant with most current browsers (a list of currently supported browsers can be found in the Technical Requirements document). Browsers should be configured to accept cookies and JavaScript execution. No plug-ins are required to run TalentLink.

Mail Client

Many features in TalentLink use electronic mail; TalentLink users should have an e-mail client running on their PC.

Secured FTP

As an option, a secured-ftp client can be used to get or put files for the Interface module. Secure-ftp directories are hosted on the same platform as TalentLink and are only accessible with public key authentication.

Microsoft Word

The TalentLink CRM and Contract management features require the use of MS Word.

Local Network Requirement

Customer firewalls should be configured to accept requests going to and coming from TalentLink URLs. Access is over HTTPS and SSH; a complete list of IP addresses and URLs is available on request. Where customers deploy a local proxy server, it should be configured not to cache TalentLink pages.
Physical Architecture

The infrastructure used to deliver TalentLink is listed below.

Internet Feed

Diversely routed, high capacity Internet feeds are provided by our data centre partner, configured as an Active/Passive pair into separate switching infrastructures.

Firewall

Dual Checkpoint firewalls configured as an Active/Passive pair provide routing and access controls between networks within the data centre area.

IPS/IDS

Dual Checkpoint IPS blades configured as an Active/Passive pair.

Load Balancing

Dual BIGIP F5 LTM load balancers configured as an Active/Passive pair provide load balancing functions across the web tier as well as SSL termination.

Web Tier

HP DL380G7 servers configured as a VMware vSphere High Availability (HA) cluster provide the base infrastructure for multiple front end and back end Web servers to run as virtual machines.

Application Tier

HP DL380G7 servers configured as a VMware vSphere HA cluster provide the base infrastructure for multiple supporting Application servers to run as virtual machines.

Database Tier

Dual HP DL380G7 servers configured as an Active/Standby pair running Oracle Database provide the database tier. The servers are configured to have no single point of failure by using redundant components where necessary.

Storage

A highly available Storage Area Network provides storage for the TalentLink application. The SAN is designed to have redundant components where necessary to ensure it has no single point of failure. This includes, but is not limited to, dual Cisco Fabric switches, dual Compellent controllers, dual Power Supply Units (PSU), RAID disk configurations and dual Host Bus Adaptors (HBA).
Access to individual storage Logical Unit Numbers (LUN) is controlled by access controls on the SAN controllers and by both hard and soft zoning on the Fabric switches.

Network

A highly available network infrastructure is provided by multiple Cisco 4500 chassis; each connection to the network is multi-homed with automatic failover. Network segregation is achieved using Virtual Local Area Networks (VLAN).

Network flows

The diagram below contains components and flows which are described in the following table:
[Figure 1: TalentLink Physical Architecture Overview. Components shown: AA, CA, Internet, SG, LB, IDS, WS, AS, FS, RB, DB, DR; flows F1 to F12.]
Key to Architecture Overview Diagram

Components

SG
The Security Gateway of TalentLink is a system consisting of hardware-based components for connecting IP-based networks in a secure way. In this case "secure" means that only traffic which is explicitly allowed can pass the gateway and all other traffic is dropped. The name security gateway is used to point out that TalentLink uses not only a standard firewall system, but a group of nested systems with different tasks, such as traffic monitoring, intrusion detection, packet filtering, and antivirus and anti-spam scanning, to secure the network.

IDS
Dual Checkpoint IPS blades configured as an Active/Passive pair.

LB
The load balancers are responsible for balancing the traffic coming to the web servers. Hardware SSL acceleration modules offload the HTTPS (TLS or SSLv3) protocol.

WS
TalentLink web servers can be accessed through the HTTPS protocol only. Communication to the application servers is managed by the load balancers, which also provide load balancing for the application servers.

The TalentLink mail server sends and receives e-mails and uses different security technologies such as SPF, DNS checks, and SSL/TLS encryption. This mail server is only used by the application.

AS
The applications are deployed on different virtual machines.

FS
File servers are in charge of storing uploaded documents and keeping local backups.

DB
Database servers are based on the Oracle relational database. The RDBMS acts as the database for the application servers and ensures that users can access their data efficiently and under centralized control.

RB
All relevant files and databases are backed up to the remote backup location.

DR
The disaster recovery centre is located in Milton Keynes (UK). Data is synchronized daily using encrypted transfer from the primary data centre to the disaster recovery centre.

CA
Client access, e.g. from an applicant with an SSL 3.0/TLS 1.0 compliant Internet browser. Connection attempts with less secure encryption formats are refused.

AA
Administrators access the service through an encrypted VPN connection.

Flows

F1
Communication between TalentLink and a user (CA) through the Internet.

F2
Communication with an administrator (AA) using a VPN client to open an encrypted tunnel.

F3
Communication between the Internet and TalentLink (SG).

F4
Traffic inspection by the dual Checkpoint IPS blades (IDS), configured as an Active/Passive pair.

F5
Requests accepted by the security gateway (SG) are forwarded to the load balancers, which decrypt the HTTPS requests and send the unencrypted data to the web servers (WS); from this hop onwards the traffic is in clear inside the data centre network.

F6
Replies from the web server (WS) are sent through the load balancers (LB), where they are encrypted, and then through the security gateway (SG) back to the sender.
F7
The web server (WS) forwards the request to an application server (AS). The application server checks the incoming request and refuses illegal requests. Replies from the application server are sent back to the web server (WS) and translated into web pages.
F8
The application servers (AS) communicate with the database (DB) using the JDBC protocol.

F9
Uploaded documents, mails and logs from the applications (AS) are stored on fully redundant storage.

F10
The database (DB) is backed up at runtime (hot backup) using i365 EVault technology.

F11
All backups are transferred to the RB server.

F12
Data is transferred from the primary data centre to the disaster recovery centre.
Software Architecture

The diagram below shows a logical view of the software architecture and the data flows between components. The main layers are:

- Security Tier
- Web Tier
- Application Tier
- Data Tier

[Figure 2: TalentLink Application Architecture]
Security Tier

Firewalls

Redundant firewalls filter all requests coming into the TalentLink platform. A "deny by default" policy is used.

SSL termination and load balancing

SSL termination is provided by the F5 LTM load balancer devices; these provide decryption of incoming requests as well as encryption of outgoing flows. Load balancing ensures that requests are dispatched to multiple web servers and keeps track of connections for session persistence. Rules are created for manipulating the traffic flow as necessary.

Email Anti-virus/Anti-spam appliance

McAfee Secure Internet Gateway appliances are employed to check all incoming mails, blocking them if any viruses are detected or if they are identified as spam. All mail items found to be safe are forwarded through a secure encrypted tunnel to the TalentLink mail server. New virus fixes and anti-spam rules are automatically downloaded hourly.
Web Tier

Apache web server

TalentLink uses multiple Apache web servers running on the Debian Operating System (OS): a pool of web servers for the Back-Office and a separate pool of web servers for the Front-Office (TalentLink components called within customer pages).

- Apache caches all static resources, for example images and JavaScript files.
- Apache requests the JBoss application server to generate any dynamic pages (ColdFusion, JSP).
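An added example of how the Apache-in-front-of-JBoss split described above can be configured. It is not the TalentLink configuration: it assumes mod_proxy_http (the document does not say which Apache-to-JBoss connector is used), mod_headers, Apache 2.4 syntax, a JBoss instance on 127.0.0.1:8080, a static tree under /var/www/talentlink/static and the JBoss AS management console path /jmx-console; all of these are assumptions. The virtual host listens on port 80 because, as the document states, SSL is terminated on the F5 load balancers in front of it.

```apache
# Added example, not TalentLink's configuration. Hostnames, ports, paths and
# the management-console path are assumptions.
<VirtualHost *:80>
    ServerName backoffice.example.invalid
    DocumentRoot /var/www/talentlink

    # Static resources are served and cached by Apache; JBoss never sees them.
    <Directory /var/www/talentlink/static>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.(css|js|png|jpg|gif)$">
        Header set Cache-Control "public, max-age=3600"
    </FilesMatch>

    # Everything else is handed to JBoss. ProxyRequests Off keeps Apache from
    # acting as an open forward proxy; the ProxyPass rules are the only routes.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /static/ !
    ProxyPass        /        http://127.0.0.1:8080/
    ProxyPassReverse /        http://127.0.0.1:8080/

    # Dynamic pages carry client data. The document asks customers not to
    # cache TalentLink pages on their proxies; this enforces it server-side.
    <LocationMatch "\.(jsp|cfm)$">
        Header set Cache-Control "no-store, no-cache, must-revalidate"
        Header set Pragma "no-cache"
    </LocationMatch>

    # The application server's own management console (assumed path) must not
    # be reachable through the public web tier.
    <Location /jmx-console>
        Require all denied
    </Location>
</VirtualHost>
```

The order of the ProxyPass lines matters: the `/static/ !` exclusion has to come before the catch-all `/` rule or static requests are proxied too. `apachectl configtest` checks the syntax, and a request for `/jmx-console/` through the web tier should return 403.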
Web services

TalentLink connects to external services using web services; for example, web services are used to connect to SMS providers for SMS delivery, or to integrate with job boards.
Secured-ftp directories

For Interface purposes, customers can request their own secured-ftp directories to put files for the incoming interface and to get files for the outgoing interface. An SSH connection is required to access these "secure ftp directories". User access is granted with public key authentication, the customer's public keys being stored on the server.
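An added example, serving both the client-side "Secured FTP" note earlier and this section, of how per-customer SFTP directories reachable by public key only can be enforced on the server. It is not TalentLink's configuration: the document only says SSH with public keys stored on the server, so OpenSSH sshd, the `sftponly` group, the `/srv/sftp/<user>` layout and the out-of-tree authorized_keys location are assumptions.

```text
# Added example (not the TalentLink configuration): an OpenSSH sshd_config
# fragment for per-customer SFTP directories. Group name, paths and the
# authorized_keys location are assumptions.

# Keys only: no passwords, no keyboard-interactive, no host-based trust.
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes

# Keep customer public keys out of the customer-writable tree so a file
# dropped through the interface can never add a new key.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Interface accounts belong to a dedicated group and only see their own tree.
Match Group sftponly
    # /srv/sftp/<user> must be owned by root and not writable by the user;
    # the writable in/ and out/ directories sit beneath it.
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -u 0027
    # No shells, tunnels or forwarding: this account is a file drop, not a login.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
```

`sshd -t` validates the file before a reload. Two checks worth running after the change: a password login attempt (`ssh -o PubkeyAuthentication=no customer@host`) must fail with "Permission denied (publickey)", and an `sftp` session as a customer must not be able to `cd ..` above its own chroot.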
Mail server

An Exim mail server is deployed to store the mailboxes related to the Mailgateway interface, providing:

- the ability for candidates to apply to a job via mail (Mailgateway Application);
- the ability for a TalentLink user to integrate candidates into TalentLink by forwarding candidate mails received to the TalentLink Mailgateway (Mailgateway Redirection).

Two mailboxes are defined per TalentLink "account": one to store the Mailgateway Redirection mails and one to store the Mailgateway Application mails.

This mail server provides POP3 services to a batch program that extracts the mails from the mailboxes and populates the TalentLink database. Each day, about 3,000 mails are received in TalentLink.
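An added example, not TalentLink's batch program, of the extraction side of a Mailgateway-style POP3 job together with the input checks a mail-fed application needs: a mail body and its attachments are attacker-controlled, so the attachment filename is reduced to a single safe path component and filtered by extension and size before anything is written to the candidate's folder. The mailbox naming, the `[JOB-nnnn]` subject convention and the attachment policy are assumptions; SPF and DNS checks happen on the mail server and the anti-virus appliance before a message reaches this code. The sample messages are constructed for the example.

```python
"""Added example, not TalentLink's batch program: POP3 extraction of
Mailgateway-style application mails with input checks. Mailbox naming, the
[JOB-nnnn] subject convention and the attachment policy are assumptions."""
import email
import email.policy
import email.utils
import poplib
import re
from typing import Dict, List, Optional

ALLOWED_EXT = {".pdf", ".doc", ".docx", ".rtf", ".txt"}   # assumed attachment policy
MAX_ATTACHMENT = 5 * 1024 * 1024                          # assumed 5 MiB cap
JOB_REF = re.compile(r"\[JOB-(\d{3,8})\]")                 # assumed subject convention


def safe_filename(name: Optional[str]) -> Optional[str]:
    """Reduce an attacker-chosen attachment name to one safe path component.
    Separators and NUL are removed so a CV named '../../etc/cron.d/x' cannot
    escape the candidate's folder; unexpected extensions are rejected."""
    name = (name or "").replace("\x00", "").replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name.strip()).lstrip(".")
    if not name or "." not in name:
        return None
    return name if "." + name.rsplit(".", 1)[-1].lower() in ALLOWED_EXT else None


def process_message(raw: bytes) -> Dict:
    """Turn one raw message into a candidate record. Bad mail yields
    accepted=False rather than an exception so one message cannot stop the batch."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    ref = JOB_REF.search(msg.get("Subject", ""))
    if not ref:
        return {"accepted": False, "reason": "no job reference in subject"}
    # Header values are untrusted input: keep only the address, bound its length.
    sender = email.utils.parseaddr(msg.get("From", ""))[1][:254]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    attachments, rejected = [], []
    for part in msg.iter_attachments():
        fname = safe_filename(part.get_filename())
        payload = part.get_payload(decode=True) or b""
        if fname is None or len(payload) > MAX_ATTACHMENT:
            rejected.append(part.get_filename())
            continue
        attachments.append((fname, payload))
    return {"accepted": True, "job": int(ref.group(1)), "from": sender,
            "text": text.strip(), "attachments": attachments, "rejected": rejected}


def fetch_and_process(host: str, user: str, password: str) -> List[Dict]:
    """Drain one mailbox over POP3S. A message is deleted only after it was
    processed; an exception leaves it on the server for the next run. Needs a
    live server, so it is not exercised by the offline sample below."""
    conn = poplib.POP3_SSL(host, timeout=30)
    records: List[Dict] = []
    try:
        conn.user(user)
        conn.pass_(password)
        for i in range(1, len(conn.list()[1]) + 1):
            records.append(process_message(b"\r\n".join(conn.retr(i)[1])))
            conn.dele(i)
    finally:
        conn.quit()
    return records


# Constructed sample messages for the example; not real mailbox traffic.
APPLICATION_MAIL = b"""From: Jane Doe <jane@example.com>
To: apply-acme@mailgateway.example.invalid
Subject: Application [JOB-1042] Java developer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please find my CV attached.
--b1
Content-Type: application/pdf; name="cv.pdf"
Content-Disposition: attachment; filename="../../etc/cv.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cv.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

NO_REF_MAIL = b"""From: someone@example.org
Subject: hello

no job reference here
"""
```

Running `process_message(APPLICATION_MAIL)` accepts the mail for job 1042, keeps the PDF under the name `cv.pdf` (the `../../etc/` prefix is discarded) and lists `cv.exe` as rejected; `NO_REF_MAIL` is returned as not accepted. The record is what the batch program would then write to the database through its persistence layer.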
SMTP gateway

The mail server above provides SMTP service for outgoing mails. Each day, about 30,000 mails are sent from TalentLink.
Application Server Tier

JBoss

JBoss is the application server serving the dynamically generated pages. TalentLink uses both JSP and ColdFusion technologies to generate dynamic pages. Several JBoss instances run on each physical server. Separate instances are configured to service TalentLink Back-Office or Front-Office activity. This separation provides better security and scalability: there is no noticeable impact of Front-Office load on Back-Office performance and vice versa. Additionally, it enables the ability to stop only one part (Back-Office or Front-Office) during maintenance work.
Search Engine

TalentLink uses Autonomy K2 Catalog 5.5.0 services to provide various search capabilities on Candidates or Job Openings. The end-user is able to set various types of searches, from basic full-text search to advanced, highly configurable searches based on candidate questionnaires.

Two sets of collections exist:

- Candidate collection: this contains the entire candidate folder, including the candidate's attached documents (CV, letter of intent, etc.).
- Job collection: this contains the entire Job Opening folder.

The collections are populated "on the fly" to enable almost immediate pertinent search on objects created or modified. This is done by the "Indexation process", which retrieves data from Oracle tables and from attached documents stored on disk. Search requests are sent from ColdFusion MX pages to the Autonomy K2 engine using a Java API. The Autonomy K2 engines handling the searches are redundant processes running on top of the collections. At execution time, if one search engine is not available, the request is automatically handled by another one.
Data eXchange HR-XML

TalentLink contains a standard Interface module based on XML schemas for extracting Job and Candidate information from the TalentLink database and also for uploading Job and Candidate information into the TalentLink database. This module, called DXC (Data eXchange), is based on HR-XML SEP 1.1. The following diagram illustrates the different layers that make up DXC and the relationships that exist among them, as well as the technology used to implement each of them:
TalentHub

TalentHub is the name for the connectivity layer of TalentLink. It consists of a set of functional and technical touch points, designed to support integrations with any 3rd party technology and to cater for the needs of all integrations. Through a framework of APIs exposing the business layer of TalentLink, this "One Stop Shop" for integrations supports interactions with:

- ERP and HRIS systems
- Multiposting engines and job boards
- Vendor management and payroll systems
- External search engines
- Sourcing and CRM solutions
- Online testing and background checking vendors
- Social networks
[Figure 3: Data eXchange Module]

[Figure 4: TalentHub]
Data Tier

Relational Database Management System

TalentLink is a "data processing" application; the heart of such an application is the database engine. Oracle 10g R2 is used as the RDBMS engine. The TalentLink database runs a separate schema per client. All client schemas have the same Oracle objects. The table below gives the number of existing Oracle objects of each type:

Object type   Count
FUNCTION      15
INDEX         1315
LOB           23
PACKAGE       16
PROCEDURE     20
SEQUENCE      277
SYNONYM       3
TABLE         344
TRIGGER       52
VIEW          15

Data inside Oracle is usually accessed from a dedicated layer using Hibernate, which is an open source Java persistence framework.
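An added example, not TalentLink code, of the server-side step that a schema-per-client design depends on: which schema a session uses must be resolved from the authenticated client, never from request data, and because `ALTER SESSION SET CURRENT_SCHEMA` cannot take a bind variable, the name must be validated as an identifier before it is interpolated. SQLite's `ATTACH` stands in for Oracle schemas so the example runs offline; the registry contents and the identifier rule are assumptions.

```python
"""Added example, not TalentLink code: server-side resolution of the per-client
schema. SQLite ATTACH stands in for Oracle schemas; the client registry and the
identifier rule are assumptions."""
import re
import sqlite3
from typing import Dict, List

# Unquoted Oracle identifier: a letter, then letters, digits, _, $ or #, at most
# 30 characters on 10g. The registry stores names already upper-cased.
ORACLE_IDENT = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")

# Assumed registry: authenticated client id -> schema owning that client's objects.
# In production this is configuration, not something a request can choose.
CLIENT_SCHEMAS: Dict[str, str] = {"acme": "TL_ACME", "globex": "TL_GLOBEX"}


def schema_for_client(client_id: str) -> str:
    """Fail closed: unknown clients and malformed registry entries both refuse."""
    schema = CLIENT_SCHEMAS.get(client_id)
    if schema is None:
        raise PermissionError(f"unknown client {client_id!r}")
    if not ORACLE_IDENT.match(schema):
        raise ValueError(f"schema name {schema!r} is not a safe identifier")
    return schema


def current_schema_statement(client_id: str) -> str:
    """The Oracle statement a connection runs after authentication. The
    validation in schema_for_client is what makes this string-building safe."""
    return f"ALTER SESSION SET CURRENT_SCHEMA = {schema_for_client(client_id)}"


class ClientConnection:
    """A connection scoped to one client. With SQLite each 'schema' is an
    attached database; with Oracle it is CURRENT_SCHEMA plus grants limited to
    that schema, so a query cannot reach another client's tables."""

    def __init__(self, client_id: str) -> None:
        self.schema = schema_for_client(client_id)
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(f"ATTACH DATABASE ':memory:' AS {self.schema}")
        # Every client schema carries the same objects; one table stands for the set.
        self.conn.execute(f"CREATE TABLE {self.schema}.candidate (name TEXT NOT NULL)")

    def add_candidate(self, name: str) -> None:
        # Data is always a bind variable; only the validated schema is an identifier.
        self.conn.execute(f"INSERT INTO {self.schema}.candidate (name) VALUES (?)", (name,))

    def candidates(self) -> List[str]:
        rows = self.conn.execute(f"SELECT name FROM {self.schema}.candidate ORDER BY name")
        return [r[0] for r in rows]


def demo() -> Dict[str, List[str]]:
    """Two clients with the same object layout and disjoint data."""
    acme, globex = ClientConnection("acme"), ClientConnection("globex")
    for n in ("Bob", "Ann"):
        acme.add_candidate(n)
    globex.add_candidate("Zed")
    return {"acme": acme.candidates(), "globex": globex.candidates()}
```

`demo()` returns `{"acme": ["Ann", "Bob"], "globex": ["Zed"]}`, and a client id such as `acme; DROP TABLE candidate` never reaches the SQL because it is not in the registry. The same pattern applies when the schema is selected through Hibernate rather than a raw statement: the tenant-to-schema mapping is the trust boundary, not the query.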
Shared directories
NFS v4 is used to share directories containing client documents (candidate files, template documents, reports)
among the different servers.
Single Sign On

A Single Sign On solution greatly increases TalentLink adoption by eliminating numerous credential requests. Additionally, it increases the security of the application, as the success of phishing is considerably reduced. The proposed Single Sign On infrastructure is based on OpenAM (formerly known as Sun OpenSSO), using the SAML 2.0 standard as the authentication protocol between the Service Provider (TalentLink) and the Identity Provider.
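An added example, not TalentLink's or OpenAM's code, of the checks a SAML 2.0 Service Provider has to make on an Identity Provider's Response after its XML signature has been verified. Signature verification needs an XML-DSig library and is out of scope here; the code assumes it has already passed on the same Assertion element and only refuses assertions that carry no Signature at all. Each remaining check closes a real bypass when omitted: issuer (any IdP could log users in), audience (an assertion minted for another SP replayed here), InResponseTo (an unsolicited response injected into a session), Recipient (an assertion stolen from another ACS), validity window and assertion ID replay. The entity IDs, URLs, request ID and sample Response are constructed for the example.

```python
"""Added example, not TalentLink's or OpenAM's code: post-signature checks a
SAML 2.0 SP performs on an IdP Response. Entity IDs, URLs and the sample
Response are constructed for the example."""
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion)
from datetime import datetime, timedelta, timezone
from typing import Dict, Set

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAMPLE_NOW = datetime(2011, 5, 10, 9, 1, tzinfo=timezone.utc)  # assumed clock


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml: bytes, sp_entity_id: str, acs_url: str, idp_entity_id: str,
                      expected_request_id: str, seen_assertion_ids: Set[str],
                      now: datetime, skew: timedelta = timedelta(minutes=3)) -> str:
    """Return the authenticated NameID or raise ValueError. Assumes the XML
    signature over the single Assertion was already verified."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:          # none, several or EncryptedAssertion: reject
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    if a.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + skew < _ts(nb)) or not na or now - skew >= _ts(na):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                 "/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise ValueError("no bearer SubjectConfirmation")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match this ACS/request")
    if not scd.get("NotOnOrAfter") or now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    aid = a.get("ID")
    if not aid or aid in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(aid)       # a real cache keeps IDs until their NotOnOrAfter
    return a.findtext("saml:Subject/saml:NameID", "", NS).strip()


# Constructed sample (signature value is a placeholder; verification is out of scope).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2011-05-10T09:00:00Z" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.invalid/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-05-10T09:00:00Z">
    <saml:Issuer>https://idp.example.invalid/openam</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://talentlink.example.invalid/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2011-05-10T09:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2011-05-10T08:59:00Z" NotOnOrAfter="2011-05-10T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://talentlink.example.invalid</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo() -> Dict[str, str]:
    """The sample through the happy path, then tampered or replayed variants."""
    sp, acs, idp = ("https://talentlink.example.invalid",
                    "https://talentlink.example.invalid/saml/acs",
                    "https://idp.example.invalid/openam")
    seen: Set[str] = set()
    out = {"name_id": validate_response(SAMPLE_RESPONSE, sp, acs, idp, "_req42", seen, SAMPLE_NOW)}
    trials = {"replay": (sp, acs, idp, "_req42", seen, SAMPLE_NOW),
              "wrong_audience": ("https://other-sp.example.invalid", acs, idp, "_req42", set(), SAMPLE_NOW),
              "unsolicited": (sp, acs, idp, "_req99", set(), SAMPLE_NOW),
              "expired": (sp, acs, idp, "_req42", set(), SAMPLE_NOW + timedelta(hours=1)),
              "rogue_idp": (sp, acs, "https://evil.example.invalid", "_req42", set(), SAMPLE_NOW)}
    for label, args in trials.items():
        try:
            validate_response(SAMPLE_RESPONSE, *args)
            out[label] = "ACCEPTED"
        except ValueError as e:
            out[label] = str(e)
    return out
```

`demo()` yields the NameID `jane.doe@example.com` for the genuine exchange and a distinct refusal reason for each variant. Two design points: the function refuses anything other than exactly one plain Assertion, because signature-wrapping attacks rely on a verifier and a consumer picking different elements, and the replay cache is keyed on the assertion ID, which OpenAM and other IdPs generate uniquely per assertion.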