The Information System Service's mission is the implementation, management and optimization of all the infrastructural and application components of the administrative services of the Institute. In order to guarantee high reliability and redundancy, the same systems are replicated in an analogous infrastructure at the National Laboratories of Frascati (LNF).
The Information System team manages all the administrative services of the Institute, from both the hardware and the software point of view, and is in charge of carrying out several software projects.
The core of the Information System is made up of the salary and HR systems.
Connected to the core there are several other systems reachable from a single web portal: firstly, the organizational chart system (GODiVA); secondly, the accounting, the time and attendance, the trip and purchase order and the business intelligence systems. Finally, there are other systems which manage the training of the employees, their subsidies, their timesheets, the official documents, the computer protocol, the recruitment, the user support, etc.
\end{abstract}
\section{Introduction}
The INFN Information System project was set up in 2001 with the purpose of digitizing and managing all the administrative and accounting processes of the INFN Institute, and of carrying out a gradual dematerialization of documents.\\
In 2010, INFN decided to transfer the accounting system, based on the Oracle Business Suite (EBS) and the SUN Solaris operating system, from the National Laboratories of Frascati (LNF) to CNAF, where the SUN Solaris platform was migrated to a RedHat Linux Cluster and implemented on commodity hardware.\\
The Service “Information System” was officially established at CNAF in 2013 with the aim of developing, maintaining and coordinating many IT services which are critical for INFN. Together with the corresponding office in the National Laboratories of Frascati, it is actively involved in fields related to INFN management and administration, developing tools for business intelligence and research quality assurance; it is also involved in the dematerialization process and in the provisioning of interfaces between users and INFN administration.\\
The Information System service team at CNAF is currently composed of 8 people, both developers and system engineers.\\
Over the years, other services have been added, leading to a complex infrastructure that covers all aspects of the working life of people at INFN.
\section{Infrastructure}
In 2016 the infrastructure-related activity consisted of several tasks, which can be summarized as follows: first, the migration to a new hardware infrastructure; second, the setup of some new services to improve our development process and software release workflow; third, the setup of a "Yum" and "Maven" repository (using Artifactory); and finally, the setup of a playbook to automate and standardize common tasks using Rundeck.
\newline
In more detail, we worked on:
\begin{itemize}
\item The consolidation of the monitoring system, obtained by the creation of specific dashboards with a focus on Java applications and databases;
\item The putting into production of a new enclosure based on DELL m1000e;
\item The storage system reorganization;
\item The migration of production applications to the new hardware infrastructure.
\end{itemize}
\section{Time and attendance system improvements}
Most of 2016 was dedicated to porting the application to the new infrastructure. This required considerable effort, spent on tasks such as the adaptation of the code to the new environment (new Apache-Tomcat, JDK, operating system version), the testing of all the functionalities as used by the administrative staff, the removal of the software packages no longer used, the new installation of the Oracle DB, moving from version 10g to 11.2, and so on.
In addition to the migration, some software development activities were conducted in 2016.
We added to the system the possibility for all employees to declare that they have worked from home (teleworking). This new feature became necessary because of the new regulations affecting the Italian Public Administration.
Furthermore, some regulations concerning the use of parental leave changed, so the system was modified to comply with the new legislation. In particular, employees can now specify parental leave lasting half a workday, which makes its use more flexible.
\subsection{Migration}
In 2016 our effort was mostly spent in porting the whole application, including the database, from the old to the new infrastructure.
\newline
The migration has been divided into 2 steps:
\begin{itemize}
\item Upgrade of the Oracle DB from 10g version (on RedHat 5 operating system) to 11.2 (on Oracle Linux 6 operating system);
\item Porting of application from Java 6 (on RedHat 5 operating system) to Java 7 (on CentOS 6 operating system).
\end{itemize}
The migration task was particularly challenging, mainly because the old installation was managed by an external vendor and did not follow any best practices or standard rules.
In addition to that, we had to deal with a complex application composed of several interdependent projects, as shown in Table~\ref{tab:presnumbers}.
\begin{table}[htbp]
\caption{Attendance system numbers}
\centering
\begin{tabular}{r|p{3cm}}
\br
\textbf{Resource}&\textbf{Amount}\\
\hline
\textbf{Project}& 77 (29 unused) \\
\textbf{Jar}& 42 \\
\textbf{War}& 6 \\
\textbf{Applet}& 1 \\
\textbf{Repository}& 1\\
\end{tabular}
\label{tab:presnumbers}
\end{table}
\newpage
From a careful analysis we have identified the following weaknesses in the system:
\begin{itemize}
\item Application not designed for parallelization;
\item Hard-coded configuration parameters;
\item Wrong FQDN of the application (sysinfo-12 instead of presenze.infn.it);
\item "Home made" SSL verification and incorrect certificate management;
\item No automated tests;
\item Poor knowledge of the server setup (made by an external vendor several years ago);
\item No use of a system management tool (e.g. Puppet);
\item No dependencies management system, and no Jar repository;
\item Non-standardized deployment workflow;
\item Mandatory configuration changes after software releases;
\item Confused organization of applet Jars;
\item Missing version number in jar files;
\item Monolithic repository and build process entrusted to the developers' PCs;
\item Public application managed with the same ACL as the backoffice application.
\end{itemize}
\bigskip
Once the new server was installed, we decided to put it into production following a smooth procedure: we set up two application servers in parallel, working on the same database; by exploiting ACLs, we gradually opened the access to the new server to the INFN branches. This way, we had the chance to have the application tested initially by a small sample of administrative staff and we managed to fix the various problems encountered without affecting all the INFN branches.\newline
In order to succeed with this process we had to solve some issues: we had to introduce a "lock" system to manage concurrent processes; we had to move all the hard-coded parameters from the Java code to configuration files; and finally, we had to change the FQDN of the application to presenze.infn.it.
The migration of the system also involved the introduction or upgrade of some of the technologies employed:
\begin{itemize}
\item Recompilation of the attendance system with Java 7;
\item Migration from one monolithic SVN project, to several git projects;
\item Creation of a build script, used by all projects;
\item Activation of Continuous Integration (CI) on every project, automation of build and package processes (on Docker);
\item Migration of the build system from Ant to Gradle;
\item Addition of a dependency management system and Jar repo using Artifactory;
\item Modification of the type of release artifacts from war to rpm;
\item Complete revision of the setup of the application and its configuration with Puppet;
\item Separation of the backoffice and frontoffice context with different ACL sets;
\item Implementation of a release workflow through Rundeck, Puppet and Gitlab-CI;
\item Introduction of a load balancer.
\end{itemize}
\section{Vamweb upgrade and access management system}
In 2016, the INFN's access management system, consisting of a proprietary PHP application called "VAMWeb" that is centrally installed at CNAF, Bologna, was updated to the latest release, called "Vam4". This update, given the level of criticality, required several days of testing on a pre-production server. All the Entrance-Point configurations have been migrated to the new system and the Oracle Database, used by the system to read and write information, was updated from version 10g to 11gR2 and patched to be suitable for the new version of the Vam software.
The update of the access management system required a new installation of the software on a new virtual machine server, which was installed with a new operating system version and libraries.
In 2016, two new INFN locations have been configured in the access management system:
\begin{itemize}
\item One at CNAF, which has purchased and installed various hardware devices (Entrance Points) for access control, in particular to control the meeting rooms, the CED room and the Tier1 Computing Centre;
\item One at Legnaro National Laboratories (LNL), which has installed numerous Entrance Points for the access control to the dining hall, the internal library and the accelerator.
\end{itemize}
\section{Protocol system migration}
In 2016, we introduced the new INFN protocol system, which is better aligned with the current laws and developed with modern technology. Furthermore, it was necessary to save and make available all the data processed and stored by the old protocol system (Webrainbow), so we exported from it all the data, metadata and attachments to Excel files. All these files have been stored on the Alfresco document management system. The Alfresco configuration management guarantees that access to the data files depends on the role of the user, in order to ensure data confidentiality.
\section{Oracle EBS improvements}
\subsection{Oracle EBS developments}
In 2016, several developments were carried out to improve the usability and functionality of the INFN ERP system. In particular, we:
\begin{itemize}
\item Modified the procedure of communication with the bank, following the introduction of the new "Piano dei conti integrato";
\item Re-designed the system for creating and sending regularization movement (REG) flows;
\item Created the new form "Gestione Impegni/Accertamenti" (under menu: "Finanziaria Nativa");
\item Implemented a procedure to import receipt and provisional data from the MIF logs;
\item Created an ad-hoc Oracle report for the calculation of invoice payment indices;
\item Introduced several improvements to the "Anagrafica Fornitori" form and Oracle invoice registration system.
\end{itemize}
\subsection{Oracle EBS Monitoring}
Besides the standard EBS tools for monitoring, in 2016 some other PL/SQL tools were developed, registered and scheduled in the database to send notifications via email in case of error.
\subsection{HR improvements}
In 2016, we worked on some improvements and bug fixes for the import mechanism implemented in 2015.
\section{Disaster Recovery}
For some kinds of personal data, a retention policy of 5 years has been established instead of the usual one of 30 days. The backup files are verified by scripts that restore the data, both locally and remotely, on a dedicated partition; the final result is compared with the original data.
Both the data and database backups are periodically checked by restoring the service at the remote site.