Introduction
PC is a software solution to confirm or digitally sign transactions in digital banking and/or electronic document management (e-docflow) systems.
The primary purpose of PC is to create a better customer experience and increase the security level compared to SMS, one-time password (OTP) solutions, scratch cards, MAC tokens, etc.
PC can be used to confirm declarations of intention in digital banking transactions, authentication, the creation and execution of documents, and the fact of receiving and/or reading a certain document.
Component parts
PC consists of the following parts:
Component | Part | Description |
---|---|---|
Server | PC Server | PC Server is a pre-configured server or an application for an existing application server. PC functions can be accessed by the application system with calls to PC web services via REST API. This enables integration with any application platform. The server part must be installed within the security perimeter of the application system. This component is integrated with the server part of the digital banking or e-docflow system and performs the following functions: |
Server | PC External | PC External Server is a pre-configured server or an application for an existing application server. PC External functions are not accessed by the application system. It interacts with PC Server on one end and with the client app on the other. Includes such functions as: |
Server | PC Pusher | PC Pusher is a pre-configured server or an application for an existing application server. PC Pusher functions are not accessed by the application system. It only communicates with the PC Server. Sends transaction confirmation push notifications to the mobile app. |
Client | | Implemented as a mobile application for iOS 10.0 (and above) and Android 4.4 (and above) with the following functions: |
See Figure 1 for the component interaction diagram.
Server component supply options
PC server components can be supplied as:
- Java applications (WAR files) containing PC Server modules that run on the WildFly application server;
- Pre-configured virtual machines (CentOS Linux + PostgreSQL only).
The recommended option is to install Java applications on virtual machines (or containers) provisioned by the customer according to the organization's internal needs. Virtual infrastructure also offers a better option for scaling, backup and restore in case of system failures.
Typical machine components
A typical machine (or a container) consists of the following installed components:
Component | Description |
---|---|
Operating system | Linux-based |
Application server | WildFly |
Application server operation environment | Java 8/11 |
DBMS | PostgreSQL |
All PC components are launched automatically with the operating system. No manual start/shutdown configuration is required.
If neither physical nor virtual servers are supplied, the OS preparation is carried out by the customer. Preparation includes:
- Installation of the operating system;
- Proper configuration of DNS records;
- Installation of the Java Runtime Environment;
- Preparing TLS certificates (if necessary).
The following alternative components can be used:
Component | Description |
---|---|
Operating system | Microsoft Windows |
Application server operation environment | Java 8/11 |
DBMS | Microsoft SQL Server 2012/2014/2016, Oracle DB 11g/12c/18c |
OS and DBMS licenses and the DBMS (one of the options) are provided by the customer.
The DBMS must provide DB scaling and fail-safe features. If a non-PostgreSQL DBMS is used, the connection options and the DBMS type must be set accordingly and must be consistent with each other.
PC server components
The PC Server component is logically separated into the following three parts:
- PC Server is used to communicate with the application system within the controlled security zone;
- PC Pusher is used to send push notifications to Google and Apple servers over the Internet (it initiates outbound HTTPS connections);
- PC External is used to communicate with the client component over the Internet (it accepts incoming HTTPS connections);
- Conflict resolution workstation is a web server which supports PHP code and provides access to its functions over the web interface. The conflict resolution workstation uses an HTTP(S) connection to the PC Server and a PC Server DB connection to access the requested data.
Each part of the PC server component can be installed either individually or in combination with any other component. See Figure 2 for the component interaction diagram and the recommended logical configuration.
Push notifications addresses
PC Pusher Server requires network access to the following addresses to send push notifications:
- https://api.push.apple.com
- https://fcm.googleapis.com
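The component boundaries described above can be checked against a firewall or flow inventory. The following is an added example, not part of the product or its documentation: the component labels, the "internet" and "app_system" zones and the flow tuple format are assumptions, and the sample flows are constructed.

```python
# Added example: audit flows against the component boundaries described on this page.
# Component labels, the "internet"/"app_system" zones and the tuple format are assumptions.
PUSH_HOSTS = {"api.push.apple.com", "fcm.googleapis.com"}  # addresses listed on the page
COMPONENTS = {"app_system", "pc_server", "pc_server_db", "pc_pusher",
              "pc_external", "workstation"}

# Internal pairs the text allows. Which side initiates between PC components is
# defined by the diagrams, not the text, so both directions are accepted here.
INTERNAL = {
    ("app_system", "pc_server"),
    ("pc_server", "pc_server_db"),
    ("pc_server", "pc_pusher"), ("pc_pusher", "pc_server"),
    ("pc_server", "pc_external"), ("pc_external", "pc_server"),
    ("workstation", "pc_server"), ("workstation", "pc_server_db"),
}

def audit(flows):
    """Return (flow, reason) for every flow the documented layout does not allow."""
    findings = []
    for flow in flows:
        src, dst, scheme = flow
        if dst not in COMPONENTS:  # destination lies outside the perimeter
            if src != "pc_pusher":
                findings.append((flow, "only PC Pusher may connect out to the Internet"))
            elif dst not in PUSH_HOSTS:
                findings.append((flow, "PC Pusher destination is not a push endpoint"))
            elif scheme != "https":
                findings.append((flow, "push endpoints must be reached over HTTPS"))
        elif src == "internet":
            if dst != "pc_external":
                findings.append((flow, "only PC External may accept Internet connections"))
            elif scheme != "https":
                findings.append((flow, "Internet-facing traffic must be HTTPS"))
        elif (src, dst) not in INTERNAL:
            findings.append((flow, "flow is not part of the documented layout"))
    return findings

# Constructed sample flows: (source, destination, scheme)
SAMPLE_FLOWS = [
    ("app_system", "pc_server", "http"),
    ("internet", "pc_external", "https"),
    ("pc_pusher", "fcm.googleapis.com", "https"),
    ("internet", "pc_server", "https"),            # PC Server must stay inside the perimeter
    ("app_system", "pc_pusher", "http"),           # Pusher is not accessed by the application
    ("pc_server", "api.push.apple.com", "https"),  # outbound belongs to PC Pusher
    ("pc_pusher", "fcm.googleapis.com", "http"),   # plaintext to a push endpoint
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```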
Integration options
Connections specified as HTTP in the diagrams can be replaced with HTTPS as required.
Default incoming TCP ports are specified in the diagrams. They can be changed if necessary.
The callback address can be specified in the PC settings or can be generated by the Application for each transaction when the transaction is created. You can contact the manufacturer or the Application support organization for the up-to-date parameter values.
Separated
See Figure 2 for the recommended integration diagram of completely separated components into the infrastructure.
Combined
PC Server and PC Pusher on the same machine
If, in accordance with the company’s internal rules, the infrastructure configuration does not block access to certain Internet resources from the server segment of the network, then the PC Server and the PC Pusher can be deployed on the same machine within the perimeter. In this case, the component diagram will be as shown in Figure 3.
Principal requirement: servers that send push notifications must have access to the push servers (Apple Push Notification Services and Google Firebase).
PC Pusher and PC External on the same machine
PC Pusher and PC External can be deployed on the same server if the customer installs and configures a URL filter for incoming requests (including TLS) in front of them on the Internet-facing side (Figure 4).
Test installation
For testing purposes, when only simulated (test) data are used, all three server components and the conflict resolution workstation can be deployed on the same machine (Figure 5).
Interaction with application systems
Application systems interact with PC by calling PC Server web services over HTTP. The default port is 8080.
If HTTPS is used, the default port is 8443.
Customization options
Either an internal database deployed on the same machine as the PC Server or a remote database can be used to store information.
Resiliency and scaling
Application Server redundancy
Resiliency
If an external database with its own resiliency mechanism is used, redundancy is only required for the application server which runs the functional web services of the PC component. Requests to functional web services can be handled by one or several machines.
See Figure 6 for the redundancy diagram.
The DBMS itself is to provide DBMS availability and redundancy.
Scaling
Two ways of scaling can be used in this configuration:
- By increasing the computing power of the virtual or physical machine of the PC server component;
- By increasing the number of virtual or physical machines that handle requests for functional web services.
A customer-provided and customer-configured balancing component must carry out load balancing between the machines and monitor the availability of each machine.
Complete redundancy
Resiliency
If an internal DBMS is used, redundancy must be achieved via hot or cold backup of the entire virtual or physical machine of the PC component. In this case, requests to functional web services must be handled by a single machine at any specific time.
Regular replication is required for the backup copy to be up-to-date at all times.
See Figure 7 for the redundancy diagram.
Scaling
In this case, scaling is achieved by increasing the computing power of the virtual or physical machine.