\documentclass[a4paper]{jpconf}
\usepackage{graphicx}
\usepackage{hyperref}
\begin{document}

\title{The INFN Information System}

\author{
  S. Bovina$^1$,
  M. Canaparo$^1$,
  E. Capannini$^1$,
  F. Capannini$^1$,
  C. Galli$^1$,
  G. Guizzunti$^1$,
  B. Demin$^1$
}
\address{$^1$ INFN-CNAF, Bologna, IT}

\ead{
  stefano.bovina@cnaf.infn.it,
  marco.canaparo@cnaf.infn.it,
  enrico.capannini@cnaf.infn.it,
  fabio.capannini@cnaf.infn.it,
  claudio.galli@cnaf.infn.it,
  guido.guizzunti@cnaf.infn.it,
  barbara.demin@cnaf.infn.it
}

\begin{abstract}
The mission of the Information System Service is the implementation, management and optimization of all the infrastructural and application components of the administrative services of the Institute. In order to guarantee high reliability and redundancy, the same systems are replicated in an analogous infrastructure at the National Laboratories of Frascati (LNF).
The Information System's team manages all the administrative services of the Institute, 
both from the hardware and the software point of view, and it is in charge of carrying out several software projects.
The core of the Information System is made up of the salary and HR systems.
Connected to the core, there are several other systems reachable from a unique web portal: 
firstly, the organizational chart system (GODiVA); secondly, the accounting, the time and attendance, 
the trip and purchase order and the business intelligence systems. 
Finally, there are other systems which manage the training of the employees, their subsidies, their timesheet, the official documents, 
the computer protocol, the recruitment, the user support etc.
\end{abstract}


\section{Introduction}
The INFN Information System project was set up in 2001 with the purpose of digitizing and managing all the administrative and accounting processes of the INFN Institute, 
and of carrying out a gradual dematerialization of documents.\\
In 2010, INFN decided to transfer the accounting system, based on the Oracle Business Suite (EBS) and the SUN Solaris operating system, 
from the National Laboratories of Frascati (LNF) to CNAF, where the SUN Solaris platform was migrated to a RedHat Linux Cluster and implemented on commodity hardware.\\
The Service ``Information System'' was officially established at CNAF in 2013 with the aim of developing, maintaining and coordinating many IT services which are critical
for INFN. Together with the corresponding office at the National Laboratories of Frascati, it is actively involved in fields related to INFN management and administration, developing tools for business intelligence and research quality assurance; it is also involved in the dematerialization process and in the provisioning of interfaces between users and INFN administration.\\
Over the years, other services have been added, leading to a complex infrastructure that covers all aspects of the working life of people at INFN.

In 2018, the Information System service team at CNAF was composed of 8 people, both developers and system engineers.\\


\section{Infrastructure}
In 2018, the infrastructure-related activity was composed of various tasks that can be summarized as follows: 
firstly, the consolidation of the Disaster Recovery site in Bari and the restore of CNAF as primary site; 
secondly, the finalization of Puppet 3 phase out and related Foreman upgrades; 
thirdly, the improvement of our ELK (Elasticsearch/Logstash/Kibana) and monitoring infrastructure; and finally, several ``Misure Minime'' AgID and GDPR compliance adjustments.
\newline

After the complete review and upgrade of the ELK stack to version 5 last year, 
many activities have been carried out to enhance system and application monitoring using this set of tools. 
To improve the discovery and resolution of problems, several views and dashboards (see Figure~\ref{fig:presenze_kibana}) have been created on Kibana, 
and application logs have been analysed in depth and customized to include useful information.

\begin{figure}[htbp]
    \begin{center}
        \includegraphics[scale=0.5]{presenze_kibana.png}
    \end{center}
    \caption{\label{fig:presenze_kibana} Time and attendance system manual squaring statistics on Kibana (ELK).}
\end{figure}


With the aim of improving the management and monitoring of our cronjobs, avoiding cronjob overlap and identifying ``dead-man-switches'', 
a new cronjob management tool has been adopted.
Cronjob executions are available both on Kibana and on Grafana (as annotations), 
so they can be correlated with system events (see Figure~\ref{fig:cronjob_annotation}); in the same way, software releases are also displayed on Grafana.


\begin{figure}[htbp]
    \begin{center}
        \includegraphics[scale=0.5]{cronjob_annotation.png}
    \end{center}
    \caption{\label{fig:cronjob_annotation} Annotations for cronjobs on Grafana.}
\end{figure}

\newpage


Because of the regulations that recently came into force (``Misure Minime'' AgID and GDPR), many audits and related adjustments were made, relying both on the official Center for Internet Security (CIS) guides and on OpenSCAP scans using the Payment Card Industry - Data Security Standard (PCI-DSS) profile.

Afterwards, we introduced a proactive security model on some pilot projects, adopting tools for static code analysis and dependency scanning (see Figure~\ref{fig:deps_scan}).

\begin{figure}[htbp]
    \begin{center}
        \includegraphics[width=1.0\textwidth]{deps_scan.png}
    \end{center}
    \caption{\label{fig:deps_scan} Dependencies scan tool in action on Gitlab-CI.}
\end{figure}


In addition to this, the Platform as a Service (PaaS) infrastructure based on RedHat Openshift Origin (3.x) was upgraded to release 3.11 
and a signature/scan service was deployed at the container registry level for all container-based projects (see Figure~\ref{fig:container_ci}).

\begin{figure}[htbp]
    \begin{center}
        \includegraphics[width=1.0\textwidth]{container_ci.png}
    \end{center}
    \caption{\label{fig:container_ci} Container registry details and related Gitlab-CI pipeline.}
\end{figure}

\newpage


In 2018, the activities related to the Oracle databases concerned their maintenance, 
an initial analysis of the activities necessary to upgrade to later versions, and a study of how to achieve real-time replication 
between the Oracle databases of the Accounting application. Periodic recovery tests were also conducted on the Bari Disaster Recovery site.


\section{Time and attendance system improvements}
The time and attendance system allows employees to clock in and out electronically via swipe card. 
The data is instantly transferred into a database and shown in a web-based application. 
This system tracks the working hours and offers employees self-service that allows them to handle many time-tracking tasks on their own, 
all subject to customizable approval workflows, which include reviewing the hours they have worked, the current and future schedule and requests for paid or unpaid leave.
In 2018, the Time and Attendance system related activities concerned both the introduction of new features and the modification of existing ones. Furthermore, developers focused on improving the performance of the system through the optimization of some common procedures.
The Time and Attendance system was enabled to ``read'' codes introduced together with the clock in/out: through this mechanism, employees can specify the reasons for their leave of absence without using the web-based application.
Some modifications have been carried out to implement changes that occurred in the national collective agreement. This activity included two new leaves of absence and an extension from three to four months of the period for the check of the average weekly working hours.
As concerns performance, the developers' team has optimized the procedure that manages the clock in/out by web portal, and the report that shows the paid overtime aggregated by sector, employee and month. 


\section{Oracle EBS improvements}
In 2018, a new Electronic Payments and Receipts (EPR) Framework was introduced, 
in compliance with the standard set by the Agency for Digital Italy (Agenzia per l'Italia Digitale, AgID) and transmitted through SIOPE+.

SIOPE+ is the new infrastructure that enables general government entities and banks that provide treasury services
to exchange information, with the aim of improving the quality of the data used for monitoring government expenditure and tracking the payment times to firms that supply general government entities.

SIOPE+ responds to the following needs:
\begin{itemize}
\item availability of detailed information on payments made by general government bodies without burdening the entities involved in the flow of outlays and collections. This will make it easier to obtain information on the payments of trade receivables and, more broadly, to monitor public sector financial flows in real time.
\item standardization of information exchange between government bodies and treasury service providers by adopting a single digital standard OPI (Ordinativo di Pagamento e Incasso) in place of the previous local standard OIL (Ordinativo Informatico Locale), with the aim of raising the quality of treasury services, facilitating further integration between the accounting systems of the entities and between payment processes, and supporting the development of electronic payments services.
\end{itemize}


\section{Business Intelligence improvements}
In 2018, the main task was investigating alternative technical solutions to the current Business Intelligence installation, 
with the aim of reducing licensing costs, while remaining on an open source solution and preserving functionalities and compatibility with other INFN tools and platforms.
At the end of this activity, the current solution, based on the TIBCO platform, was confirmed as the best one.
%At present, we are converting reports that are using deprecated features. Once all reports are converted, the Business Intelligence infrastructure will be upgraded to the last version.


\section{Contratti}
Contratti (previously named Repertorio Contratti) is a new Java application (in test phase) for long term preservation of contracts made between INFN and an external supplier, based on Alfresco and mDM protocol.
Each contract is enriched with a full set of metadata which describe the contract in its relevant parts, and suppliers are extracted automatically from the central supplier registry, together with details of the contract signer.

Last year, several bug fixes and improvements have been made in order to meet our customers' requirements. Improvements can be summarized as follows:
\begin{enumerate}
\item integration with mDM protocol:
\begin{itemize}
\item it is now possible to manage a set of folders in which to store the contract file, as if it were a complete folder explorer;
\item before the contract file is stored in mDM, a protocol signature is written onto the document, without invalidating the PAdES signature of the issuer.
\end{itemize}
\item complete refactoring of the ACLs mechanism used to manage document and app permissions;
\item added email notification in order to send a contract link to a set of recipients, extracted automatically from GODiVA;
\item it is now possible to print a label containing the relevant characteristics of the contract;
\item complete UI restyling in order to improve both readability and usability of the product.
\end{enumerate}


\end{document}