Docstoc

Digital Archive

Document Sample
Digital Archive Powered By Docstoc
					Digital Archive

Technical Infrastructure (P370S)

Version: Issued: Status: Approved:

2.0 21 January 2010 Draft No

The current version of this document is held electronically on the project LAN and is uncontrolled when printed.

AMENDMENT HISTORY BLOCK
Version Number 1.0 1.1 1.2 1.3 Final Version Added comments from Paul Ricketts Minor modifications Updated Centera rack diagram Added naming standard Updated logging section 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 2.0 Added estimates for total monthly Bytes transferred over Internet Link Reworked network topology to use new IP addresses and separate development from production. Add solution for NAS remote LAN connectivity Rework of Archives One integration Updates to Documentum implementation after design review Updates to NAS configuration Updates to software installed on servers Updated with comments by NL and GH. Updated with OPSWAT details and JDK versions Updated SMTP services Added scalability scenarios, security domain diagram Further amendments to the architectural views Updated with production hardware details Updated with production hardware/network details Further amendments to the architectural views Updated according to Production configuration, including review recommendations Updated to include recent changes to environments David Fanning Sarah McKay Sarah McKay 08/11/04 25/10/04 22/12/04 Neil Penman Neil Penman Neil Penman David Fanning David Fanning Neil Penman David Fanning Neil Penman David Fanning David Fanning Neil Penman David Fanning Ian Richards 04/06/04 25/06/04 29/06/04 07/07/04 27/07/04 2/08/04 6/8/04 9/8/04 10/8/04 23/8/04 30/08/04 20/09/04 22/10/04 Description of Change Person Making Change Neil Penman Neil Penman Neil Penman Neil Penman Date

06/04/04 13/04/04 30/04/04 05/05/04

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 2 of 49 21/01/2010

DISTRIBUTION LIST
Name Title

Howard Quenault Lucy Hastewell Nicholas Leask Ian Richards Graeme Hairsine All

VERS Program Director Digital Archive Project Manager Technical Manager Fujitsu Project Manager PROV System Administrator Project Team Members

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 3 of 49 21/01/2010

TABLE OF CONTENTS
1 2
2.1 2.2 2.3 2.3.1 2.3.2 2.3.3 2.4 2.5 2.6

GLOSSARY ......................................................................................................... 7 OVERVIEW .......................................................................................................... 8
Production Infrastructure .................................................................................... 8 Development Infrastructure ................................................................................ 8 Test Infrastructure ............................................................................................... 9 Unit Testing............................................................................................................ 9 System Testing ...................................................................................................... 9 UAT and Performance Testing ............................................................................... 9 Maintenance Infrastructure ................................................................................. 9 Training Infrastructure......................................................................................... 9 UPS ....................................................................................................................... 9

3
3.1 3.2

ARCHITECTURAL VIEWS ................................................................................ 10
Archives One Integration ...................................................................................10 Transfer Accession to the Digital Archive (BP 2.0) ..........................................13 Requirements .......................................................................................................13 Integration Technology..........................................................................................13 Security ...............................................................................................................14 Virus Checking ......................................................................................................14 Network Security ...................................................................................................14 Authentication and Authorisation ...........................................................................14 Public or agency users accessing the external application ............................16 Public users logging into the external application ..........................................17 Agency users logging into the external application ........................................18 PROV users logging into the external application ..........................................19 PROV users logging into the internal application ...........................................20 Agency users logging into the external inbox.................................................20

3.2.1 3.2.2 3.3 3.3.1 3.3.2 3.3.3

3.3.3.1 3.3.3.2 3.3.3.3 3.3.3.4 3.3.3.5 3.3.3.6 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8

Logging .................................................................................................................20 Intrusion Detection ................................................................................................21 Encryption .............................................................................................................21 Server Hardening ..................................................................................................21 Security Domains ..................................................................................................22
Digital Archive Page 4 of 49 21/01/2010

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

3.4 3.5 3.6 3.7

PROV Website Integration ..................................................................................23 Performance Monitoring .....................................................................................23 Storage Replication to the Secondary Site .......................................................23 Email ....................................................................................................................24

4
4.1

TECHNOLOGY INFRASTRUCTURE CONFIGURATIONS ............................... 25
Production ...........................................................................................................25 Performance, Availability Capacity ........................................................................25 Requirements ................................................................................................25 Scalability ......................................................................................................25 Availability .....................................................................................................26 Disk Capacity ................................................................................................27 Network Capacity ..........................................................................................27 Performance Tuning ......................................................................................29 4.1.1.1 4.1.1.2 4.1.1.3 4.1.1.4 4.1.1.5 4.1.1.6 4.1.2

4.1.1

Operations ............................................................................................................29 Development .......................................................................................................29 Programming Model ..............................................................................................29 Version Control .............................................................................................29 Configuration Management ...........................................................................29 Release Management ...................................................................................30 Unit Test........................................................................................................30

4.2 4.2.1

4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.3 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.5 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.5.6

Test ......................................................................................................................30 Rack Layout ........................................................................................................31 Centera Rack – North Melbourne ..........................................................................31 Celerra Rack – North Melbourne ...........................................................................31 Compaq Rack – North Melbourne .........................................................................32 Sun Rack – North Melbourne ................................................................................33 Communications Infrastructure .........................................................................33 Requirements .......................................................................................................33 Network Services ..................................................................................................33 Network and Server Topology ...............................................................................34 Radware Configuration .........................................................................................35 Network Address Translation ................................................................................35 Firewall .................................................................................................................36 Filter Rules ....................................................................................................36
Digital Archive Page 5 of 49 21/01/2010

4.5.6.1

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

4.5.7

Hardware Summary ..............................................................................................36

5 6
6.1

APPENDIX 1 – HARDWARE NAMING CONVENTION ..................................... 38 APPENDIX 2 – SUPPLEMENTARY BANDWIDTH CALCULATIONS .............. 39
Internet Usage (Bytes / Month) ..........................................................................39 Internet Usage Scenario 1 ....................................................................................39 Internet Usage Scenario 2 ....................................................................................39 Internet Usage Scenario 3 ....................................................................................39

6.1.1 6.1.2 6.1.3

7
7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9

APPENDIX 3 – PRODUCTION HARDWARE / SOFTWARE CONFIG .............. 40
dap1-s – Content Server .....................................................................................40 dap2-s – Database Server ..................................................................................40 dap1-i, dap7-i – Internal Application Server ......................................................41 dap2-i – External Inbox .......................................................................................41 dap3-i, dap4-i – Internet Application Servers ....................................................41 dap5-i – Docservices ..........................................................................................42 dap6-i – Administration Server ..........................................................................43 dap1-c – Primary CAS.........................................................................................43 dap1-n – Primary NAS ........................................................................................43

8
8.1 8.2 8.3 8.4 8.5

APPENDIX 4 – DEVT HARDWARE / SOFTWARE CONFIG ............................ 45
Developer Workstations .....................................................................................45 dad2-i – Development Application Server .........................................................46 dad1-i – Development Inbox...............................................................................47 dad3-i – Development Docservices, Code Repository .....................................48 dad1-s – Development Docbase Server ............................................................48

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 6 of 49 21/01/2010

1 Glossary
Term CAS Description Content Addressable Storage Disk storage that uses a unique key to find files. The location of the file on disk is hidden from the user. Concurrent Versioning System Stores current and prior versions of files (primarily program source code). Digital Archive Digital Data Storage A magnetic tape technology. Documentum Foundation Classes Java classes from Documentum that can be incorporated into an application. Documentum Query Language File Transfer Protocol Protocol for copying files between computers. Java Development Kit Java Runtime Environment Linear Tape Open A magnetic tape technology. LTO generation 1 (LTO 1) each tape will hold 100GB. With generation 2 each tape will hold 200GB. Network Attached Storage Disk storage not connected to a server but accessible over a TCP/IP network. Oracle Transparent Gateway Provides access to tables in remote non Oracle databases as if they were local Oracle tables. Passive An option in the FTP protocol which allows the client to initiate the transfer. The original default required the server to contact to the client for each file transferred. This causes problems for firewalls. Web Services Director A product from Radware that performs load balancing and bandwidth management of network traffic.

CVS DA DDS DFC DQL FTP JDK JRE LTO 1, LTO 2

NAS OTG

PASV

WSD

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 7 of 49 21/01/2010

2 Overview
2.1 Production Infrastructure
PROV Data Room – North Melbourne Prov A1 RDBMS SQL Server Dap1-f Firewall Only a single physical firewall is required Radware WSD Internet Fujitsu - Clayton Drp1-c CAS Drp1-n NAS Drp1-i

LTO Library

Dap1-I Internal Web App 1 CPU, 2 GB RAM Apache, Tomcat

Dap7-I Internal Web App 1 CPU, 2 GB RAM Apache, Tomcat

Dap2-I WebDav In Box 1 CPU, 2 GB RAM Apache Server, WebDav

Dap3-i External Web App 2 CPU, 4 GB RAM Apache, Tomcat

Dap4-i External Web App 2 CPU,4 GB RAM Apache, Tomcat

Dap1-f Firewall Dad1-S Standby Server (Devt machine) 2 CPU, 2 GB RAM Content or Database

Dap1-c CAS

Dap1-s Content Server V240, 2 CPU

Dap6-i Administration Server (Firewall access) 1 CPU, 2 GB RAM

LTO

Dap2-s Database Server V480, 2 CPU

Dap5-i Docservices Virus Scanner 1 CPU, 2 GB RAM

DDS

DVD/ CD

Dap1-n Network Attached Storage

Figure 1 - Logical Production Configuration Note: 1. Refer to section 4.5.2 for a description of the physical network topology.

2.2 Development Infrastructure

PROV Network

Development and Test PCs

Firewall

Dad1-I WebDav In Box

Dad2-i Devt App Server HTTP Server, Tomcat 1 CPU, 2 GB RAM

a1d1-i A1 Dev and test SQL Server 1 CPU, 2 GB RAM

1 CPU, 2 GB RAM

Dap1-c CAS

Dad1-s Content Server Database Server V240, 2 CPU

Dad3-I DocServices, Virus Scanner, CVS 1 CPU, 2 GB RAM

Dap1-n Network Attached Storage

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 8 of 49 21/01/2010

Figure 2 Development Configuration

2.3 Test Infrastructure
2.3.1 Unit Testing
Unit testing will occur on a combination of the developer workstations and the development environment. The external and internal web applications will run on local Tomcat instances on the developer workstations, which will utilise both the DAD1_S Content Server and A1D1_I Archives One server for all data services. Unit testing will comprise a combination of manual test scripts and automated test scripts based on the Apache JUnit framework. The development team will document (informally) the results for both testing types.

2.3.2 System Testing
System testing will be performed entirely in the development environment except for the test clients. The development configuration described in Figure 2 will be used to provide application services for the internal and external applications, along with data services to Documentum and Archives One. The data for system test will be physically separate to the unit testing environment by means of separate Oracle instances to host the development, system test and user acceptance test Documentum Docbases. The Archives One data will be physically separate by the means of virtual hosting of the development, system test and UAT environments with VMWare. The detailed description of the Archives One test environments is beyond the scope of this document. The Oracles instances for each environment are: DOCBASE (for DEV), DAST1 (for ST) and DAPRD1 (for UAT and Prod) Once the production environment goes live, User Acceptance Testing will then move back to Development and a DAUAT1 instance will be created on test Oracle server, dad1-s. „Snapshots‟ of system testing data maybe requested by the system test team on an ad-hoc basis in order to support the base lining of testing data. The Oracle database tables for the DA_ST1 instance will be backed up appropriately to support system test. Regular backups will be at the discretion of the system testing and development teams.

2.3.3 UAT and Performance Testing
User Acceptance Testing and Performance testing will occur on the production environment prior to deployment. This will be the case for both phases. The testing clients will be the same configuration as those used for system testing, with the development A1 environment being used for all testing (via the VMWare hosting mechanism as mentioned above).

2.4 Maintenance Infrastructure
At the end of the development phase the Digital Archive will move into maintenance. The existing development environment will be used for this new environment with the following exceptions: 1. The maintenance Documentum Docbase will be configured to store VEOs accepted into permanent storage on the NAS. This will eliminate the risk of writing and deleting VEOs onto a production component. If the CAS interface must be tested then the VEOs should be set for immediate expiry so they can be deleted. 2. Separate volumes will be created on the NAS to isolate maintenance data from the production systems.

2.5 Training Infrastructure
Training will occur on the system test / development environment. Refer Figure 2.

2.6 UPS
A Powerware 9305 Series UPS has been installed across the entire DA infrastructure. This provides between 20 and 40 minutes battery backup in the event of building power failure, depending on power use of the DA equipment. The system as installed provides an alerting capability through the Onlinet software that has been installed on the dap6-i server. Orderly shutdown capabilities can be built with this software via a batch process, but a batch file needs to be created for the purpose. This is yet to be done. More sophisticated capabilities could be provided to enable orderly shutdown to occur through connection of the UPS to the DA network. This capability has not been provided in the purchased equipment. The UPS has been linked via cable to the dap6-i server to enable monitoring to occur.
f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd Digital Archive Page 9 of 49 21/01/2010

3 Architectural Views
3.1 Archives One Integration
Design Principles: 1. Minimise (or no) changes to Archives One code base 2. Utilise the existing database components of the Archives One system 3. Avoid calling Archives One business components (COM/DLL) from within the Java code unless the business logic is high value 4. Minimise the use of data abstraction layers within the Digital Archive application. 5. Move common administrative functions from A1 to the Digital Archive 6. Maintain a loose coupling between the Digital Archive and A1 systems by ensuring each element of data is only maintained by one system. 7. Minimise fragmentation of the user experience caused by the use of two systems to complete business processes. Note: the A1 database is approximately 5GB. The following diagram shows the resultant integration model:

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 10 of 49 21/01/2010

Archival Control Mgmt

Accessioning

Archives One Business Objects

Ordering



Registration of Stds and Guides

Picking and Issuing

User Registration

Job Management




Searching and Browsing




A@V Business Objects

Archives One
User Regn, User Mgmt Browsing/Searching, Ordering

Overnight replication

A1 Search DB

Documentum Synch

Remote A1 View

DA Docbase

LDAP Server
User Regn User Mgmt

Full-Text Searching

Content Server

DMCL DFC DA Data Services

LDAP JNDI LDAP Data Services DA Business Services JDBC A1 Data Services

User Mgmt

User Regn

Internal/External Application Layer Web Development Kit JSP Servlets XML HTML CSS Oracle Transparent Gateway DCTM Products/Components Archives One Components Sun/Java Components Digital Archive Components

PROV/Agency/Public User Access to Digital Archive

1.) Interfacing to Archives One data through the Oracle Transparent Gateway (OTG):
f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd Digital Archive Page 11 of 49 21/01/2010

Full-Text Searching

Ordering

Browsing







The OTG provides a seamless mechanism for accessing Archives One data from the Digital Archive. The OTG is based on an ODBC connection between Oracle and SQL Server and provides a fully functional, two phase commit interaction between the databases. The tables within Archives One appear as a homogenous data source to Oracle client applications such as Documentum. The presentation of the homogeneous data sources within Oracle allows the SQL Server tables to be registered within Documentum to facilitate „cross database‟ queries via DQL between the Digital Archive entities are their related Archival Control Entities within Archives One. The OTG provides the Digital Archive will „real-time‟ access to the Archives One data in support of functions required by the internal and external applications.

2.) Ordering  The replacement of the existing Archives@Victoria website will require the new DA external interface to contain a fully functional ordering facility.  The new ordering facility will contain all of the functionality offered by the current Archives One and Archives@Victoria systems, in addition to enhancements designed for the DA system, resulting in the deprecation of ordering from both existing systems.  The „master‟ copy of the ordering data will remain in the Archives One database to support the existing „Picking and Issuing‟ functions.  To ensure the „master‟ copy is accurate and up to date, the DA ordering facility will update the Archives One database using DQL via the OTG.  All new ordering functions will query the „master‟ copy in the Archives One database implementing all of the existing business rules as required (including holds, items already on order, limits, etc.) 3.) Searching  Full text searching of Archival Control Entities within Archives One will be provided by the existing Archives One Search database. The database contains a replicated copy of several Archives One tables with the additional of full text index catalogs against several fields in each table.  Due to a limitation of the DQL parser within Documentum it will be necessary to interface directory to the Archives One Search Database using an appropriate data service layer connected to the Microsoft SQL Server 2000 JDBC Type 4 driver.  The searching logic within the external interface will utilise the full text indexing capabilities of SQL Turbo to provide searching of paper records and Archival Control entities in Archives One.  Searching of any Digital Archive Docbase content, including full text searching will be provided by the default searching capabilities of Documentum Content Server via application based DQL statements. 4.) User Management  All public, agency and PROV Digital Archive and Archives One users will be maintained in a master directory and accessed via a Lightweight Directory Access Protocol service. The users will be stored under one class for which the attributes will contain those necessary for Documentum replication and Archives One. See detailed design document: \\DVC10\LGVCI\PROV\obiwan\VERS\Vers Coe\Technology & Telecommunications\Implementation\DA Development\Documentum Solution Design v1.9 JW-20041028.doc  The DA internal interface will have the functionality to create, update and inactivate (logical delete) all users. The external interface will have the ability for a public or agency user to register and maintain their details, including their password.  All PROV, public and agency user maintenance actions will be synchronised with Archives One „on the fly‟ using the Oracle OTG via DQL statements. The Archives One user maintenance screens will have the „create user‟ and „update user details‟ functions disabled. User details will be available as read-only information. The implications of the proposed integration model are: 1. A de-commissioning of the ordering functionality within Archives One, 2. A de-commissioning of a sub/superset of user management functionality within Archives One, 3. A clear separation of data ownership by the Archives One and Digital Archive systems, 4. The use of Archives One to update all data currently maintained by Archives One with the exception of ordering, user creation/deletion updates to user details. 5. The use of the Digital Archive internal and external interfaces to update all digital record meta data, including the data pertaining to transfer management and repository management 6. The need for existing business processes to utilise both the Archives One and Digital Archive interfaces as required.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 12 of 49 21/01/2010

3.2 Transfer Accession to the Digital Archive (BP 2.0)
3.2.1 Requirements
1. Provide physically separate (R38) inbox and quarantine area as per following diagram from B3.3.1.

2. 3.

Files are in quarantine for 4 weeks to be checked for viruses. (B3.3.1) In-box is separated from the DA and Internet by a firewall (R44).

3.2.2 Integration Technology
PROV Staff Inbox Agencies Workflow Messaging Quarantine Processing

Content Server

WebDav

WebDav VEO Transfer

CD, DVD, LTO, DDS

PROV Staff Dap5-i (HP) Doc Services (Virus Check) Dap1-s (Sun) Content Server

Firewall

Agency Equipment

Servers

In-Box

Staging Area / Quarantine / Internal Inbox / Non VEO etc Local Disk

Staging Workshop (Internal Inbox/Quarantine/ Docbase Area Processing) DA Docbase NAS

Digital Repos CAS

Storage

Figure 3 Integration Technology Notes: 1. 2. Objects being transferred electronically to PROV will be initially stored on the external inbox. Objects arriving in the external inbox will be moved to the „staging area‟, located on the NAS by a scheduled Documentum Job. 3. Objects being transferred on physical media to PROV will be copied directly to the „staging area‟, prior to being „ingested‟ into the internal inbox. 4. The internal inbox, quarantine, non VEO or VERS Compliance Support (VCS), processing and digital repository storage areas will be implemented as Documentum Docbases. 5. The only entry point for objects entering Documentum will be via the staging area. 6. Objects being moved from the staging area into Documentum will undergo virus and validation checks and be segregated into VEO or VCS compliance system, where appropriate. 7. All objects will be verified whenever the content is physically moved to ensure the content has not been corrupted. 8. The only file transfer protocol provided for electronic transfer of objects from agencies, in the initial release, will be WebDav. 9. The WebDav protocol will be used to move objects from the external inbox to the staging area. 10. The following security measures should be applied to the WebDav server

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 13 of 49 21/01/2010

Transfer via removable media
Agencies can provide PROV with VEOs on any of the following media types: 1. CD a. CD-R, (63, 74 minute) b. ISO 9660, Joliet file extensions 2. DVD a. DVD-R, DVD-5 3. LTO a. LTO-1, LTO-2 4. DDS a. DDS-1, DDS-2, DDS-3, DDS4 The tapes may have PAX and/or TAR files. A PROV staff member will load the contents of these media directly on to the staging area of disk from within the data room. The external inbox should be bypassed for media transfers as this eliminates a potential disk space bottleneck.

3.3 Security
3.3.1 Virus Checking
All VEOs will be checked for viruses in two stages. An initial scan will be performed in the staging area prior to the VEOs being stored in Documentum. If the VEOs fail the initial scan they will be loaded into the VCS Docbase (Workshop). VEOs passing the initial scan and the validation rules will be placed into the Internal Inbox (DA Docbase). Once the objects are moved to Quarantine (DA Docbase), another virus scan will be performed before moving from quarantine to processing. Any virus infected VEOs detected in quarantine will be moved to the VCS (Workshop) Docbase. Virus scanning will be performed as follows: 1. File objects identified as VEOs will have the encoding extracted and decoded from base-64. 2. Each encoding will be scanned by the virus engine 3. Control of the virus scanning process, including explicit control of the virus engine, will be performed by the digital archive application. Virus scanning will take place on the dap5-I server initially using the CA eTrust AntiVirus product 4. The appropriate business rules will be applied if a virus is detected. Control of the virus scanning engine will be performed via the OPSWAT API. The API is an ultra thin program layer that allows vendor independent, fine grain control of the virus engine. The API will allow the CA eTrust AntiVirus engine to be replaced or used in conjunction with an additional virus engine/s without changing the application logic. The digital archive will utilise the „in-memory‟ scanning capability of the OPSWAT API to optimise the scanning of base-64 encoded content within the VEO objects. All Windows based servers will have the CA eTrust AntiVirus engine installed and configured for scanning of local disks. The virus scanning engine on the external inbox server, dap2-I, will be configured to exclude scanning of the document root where sets are transferred from agencies. The PROV workstations used to access content in the VCS Docbase (via the Documentum Webtop application) should in addition, have their virus scanning engines suitably configured to protect objects in the VCS Docbase that have been marked as infected.

3.3.2 Network Security
Refer to section 4.5.4, Firewall.

3.3.3 Authentication and Authorisation
All Digital Archive users will be maintained in an LDAP directory located on the content server. The Digital Archive users fall into two broad categories: Documentum and Non-Documentum. The principle difference between the two categories equate to the use of purchased Documentum licences. The Digital Archive project has licences for 100 full access and 370 read only users. These licences have been allocated to PROV staff and agencies accordingly. In order to support public access of 50,000+ users, all public users will be classified as Non-Documentum user accounts and will utilise a generic Documentum licence when accessing the Digital Repository.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 14 of 49 21/01/2010

Therefore the use of Documentum licensing across the applications can be summarised as: Application Internal Web Application External Web Application Documentum Access Individual PROV staff accounts Generic read-only account + Generic read-only agency accounts External Inbox Agency Not required Refer to section 3.1 for details on how these user details are shared with the A1 system. Users PROV Staff only Public/ Agency

Internet / Reading Room Agency User General Public

PROV User Prov Network

DA Firewall Internal Web Application Inbox DA Firewall Account

DA Firewall External Web Application

Authorise (Role Based) Authenticate Authorise The Individual Staff member

Authenticate Individual or Anonymous

Documentum Users 100 Licenses Content Server

LDAP Users
Unlimited Logons

External Role Public Agency 1 Agency 2 ….

Figure 4 - Authentication and Authorisation Model Notes: 1. All user credentials will be transferred using the HTTPS protocol 2. Passwords will be stored in encrypted format in the LDAP directory. 3. Account information for agency transfers will be set up on the external inbox using Apache Http Server‟s native authentication realm and subsequently removed after the transfer is completed. The authentication model for the Digital Archive has three domains; internal application, external application and external inbox. The authentication mechanism is unique for each domain and is described by the scenarios below.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 15 of 49 21/01/2010

3.3.3.1 Public or agency users accessing the external application

Public/Agency User

External Web Application

LDAP Directory

DCTM Content Server

Access Website()

Check login status()

Get Generic DCTM Account()

User has not authenticated

Connect/Login()

Authenticate()

Cache Connection()

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 16 of 49 21/01/2010

3.3.3.2 Public users logging into the external application

Public User

External Web Application

LDAP Directory

DCTM Content Server

Access Website()

Check login status()

Get Generic DCTM Account()

User has not authenticated

Connect/Login()

Authenticate()

Cache Connection() Login()

Authenticate()

Authenticate against LDAP

Get user details()

Check user type()

Get cached connection() Connect to generic user Connect()

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 17 of 49 21/01/2010

3.3.3.3 Agency users logging into the external application

Agency User

External Web Application

LDAP Directory

DCTM Content Server

Access Website()

Check login status()

Get Generic DCTM Account()

User has not authenticated

Connect/Login()

Authenticate()

Cache Connection() Login()

Authenticate()

Get user details() Authenticate against LDAP Check user type()

Connect/Login()

Authenticate() Connect to DCTM as agency user Cache Connection()

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 18 of 49 21/01/2010

3.3.3.4 PROV users logging into the external application

PROV User

External Web Application

LDAP Directory

DCTM Content Server

Access Website()

Check login status()

Get Generic DCTM Account()

User has not authenticated

Connect/Login()

Authenticate()

Cache Connection() Login()

Authenticate()

Authenticate against LDAP

Get user details()

Check user type() Deny Authorisation()

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 19 of 49 21/01/2010

3.3.3.5 PROV users logging into the internal application

PROV User

Internal Web Application

LDAP Directory

DCTM Content Server

Access Website()

Login Challenge()

Login()

Connect/Login()

Authenticate()

Cache Connection()

3.3.3.6 Agency users logging into the external inbox

Agency User

External Inbox

Access Inbox()

Login Challenge()

Login()

Authenticate()

3.3.4 Logging
Logs will be written to a Syslog Server. 1. Documentum  The WDK applications generate logs using Log4j (Apache). The applications will be configured to write to the syslog server.  Documentum Content Server/Docbroker will write logs to the local file system in temp/logs.  The output from scheduled Jobs is classified into reports and logs. Standard Documentum jobs will produce output in report format which are stored within the Docbase for which they are running. The Digital Archive application jobs will, in addition to the reports, produce application logging to the syslog server.
f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd Digital Archive Page 20 of 49 21/01/2010

2.

3.

Java / Web Applications  Will use Log4j (Apache) for logging.  All logs will be written to the syslog server. Infrastructure components.  Components include the Firewall and Radware WSD  All logs written to the syslog server.

3.3.5 Intrusion Detection
Not in scope.

3.3.6 Encryption
1. 2. 3. HTTPS will be used to encrypt user credentials during login. VEOs will not be encrypted in the Centera CAS. The CAS has the highest integrity of any part of the system. However a decryption key will need to be stored outside of the CAS. If lost the VEOs would also be lost. Data transmitted entirely within the DA data room will not be encrypted.

3.3.7 Server Hardening
Please refer to \\DVC10\LGVCI\PROV\obiwan\VERS\Vers Coe\Technology & Telecommunications\Implementation\Server Hardening.doc

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 21 of 49 21/01/2010

3.3.8 Security Domains
This section describes the Digital Archive Security domains. Each domain has a different level of trust and the transition of data from a lower to a higher trust level is controlled. The following diagram shows the security domains, their level of trust and the transitions between them.

Trust Level 1 PROV Network 14 Internet 1 2 Agency Inbox 3 Staging 5 4 Int Inbox 6 Quarantine 8 7

Key
Non DA Domain DA Domain Transition

2

Development

3

PROV Application 12 Servers

Web Application Servers 9 Processing 11

Non VEO

12
4 5
Domain Internet Trust Level 1 PROV Network Agency Inbox Staging Area Internal Inbox Quarantine 2 2 2 3 3 Web Application Servers PROV Application Servers Processing Digital Repository DR Domain 3 3 4 5 5

10

NAS Control Station, Repository
Storage None Services1 None

12 Disaster 14Recovery
Transition To 1) Web Application Servers 2) Agency Inbox 14) PROV Application Servers 3) Staging Area 4) Internal Inbox 5) VCS 6) Quarantine 7) Processing 8) VCS 9) Processing

Figure 5 Security Domains

None Local: /inbox/set # NAS: staging NAS: Internal Inbox (Docbase) NAS: Quarantine (Docbase)

None dap2-i:WebDav Server – read, write, delete dap5-i:inbox get – read, write dap5-i:ingest – read, delete dap1-i:IntranetApp dap7-i:IntranetApp dap5-i:ingest – read dap1-i:Intranet App dap7-i:IntranetApp dap3-i:InternetApp – none dap4-i:InternetApp – none dap1-i:Intranet App dap7-i:Intranet App dap1-s:Content Server – read, write, delete dap1-s:Content Server – read, write None dap5-i:ingest – Write dap1-i:IntranetApp – Write dap7-i:IntranetApp – Write dap1-i:Webtop – Read, Write, Delete dap7-i:Webtop – Read, Write, Delete Developer workstations – read, write None

None

None

10) Processing

NAS: Processing (Docbase) CAS NAS CAS NAS: VCS

11) Digital Repository 14) Disaster Recovery 12) Digital Repository, Processing (Disaster Only) None

VCS

2

Development Production

3 5

Concurrent Versioning System (CVS) NAS, Local Disks

13) Production 14) Disaster Recovery

Notes: 1. The format of the data under services is “Hardware Name:Software Module – Permissions in the domain”. 2. Server connections are made; a. Within a domain
f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd Digital Archive Page 22 of 49 21/01/2010

3. 4. # 1 2

b. From a higher trusted domain to a lower trusted domain only It is assumed that virus‟ are dormant whilst Base64 encoded within a VEO Virus infected Non VEO objects Transition Internet – Web Application Servers Internet – Agency Inbox Agency Inbox – Staging Area Staging Area – Internal Inbox Staging Area – VCS Internal Inbox – Quarantine Quarantine – Processing Quarantine – VCS Web App Servers – Processing PROV App Servers – Processing Processing – Digital Repository DR Domain – Processing Development – Production PROV Network – PROV Application Servers Control Firewall – HTTP, HTTPS only Firewall – WebDav protocol over HTTPS only User name / Password set up for a single set and revoked afterwards. Restricted access to IP ranges used by agencies. Firewall – WebDav protocol over HTTPS only Files are scanned for viruses and XML syntax verified. It is assumed that unknown viruses encapsulated within valid VEO objects are benign. DMCL protocol used to transfer file contents to Documentum. None – Transition to same level of trust. Documents are only placed here if they have a virus or do not conform to the VERS specification. DMCL protocol used to transfer file contents to Documentum. None – Same level of trust. File content is only logically moved by privileged code. Virus check completed. File content is only logically moved by privileged code. None – Lower level of trust Firewall – Limited protocols Firewall – Limited protocols. Centera Security – Only Content Server can transfer the VEOs Refer to Disaster Recovery Plan Deployment will be implemented by a script under version control and can be rolled back if required. Firewall, protocols restricted to HTTP. Restricted range of IP addresses allowed through.

3 4

5

6 7 8 9 10 11 12 13 14

3.4 PROV Website Integration
The new Digital Archive external application will be „integrated‟ with the existing website using the following techniques: 1. The external interface will be constructed using the existing website‟s „look and feel‟ including the same header, footer and „left hand side‟ navigation menu. 2. A URL will be added to the PROV website to link users to the Digital Archive external interface, which will be „served‟ from the DA public web application servers. Therefore public and agency users will be able to navigate seamlessly between the websites.

3.5 Performance Monitoring
The web application servers will write performance logs using log4J. These can be used to provide detailed information on the performance of the system. However they will not show end to end performance or availability. To measure this would require robots running at remote sites, which is not included in the scope.

3.6 Storage Replication to the Secondary Site
VEOs stored in the digital repository will be kept under a „permanent storage‟ regime which will ensure that VEO objects are never lost. The permanent storage is based on EMC‟s Content Addressable Storage (CAS) and includes a secondary CAS stored at the Digital Archive secondary site at Noble Park. The primary CAS will replicate all changes to the secondary site. A VEO object will only be considered to be in permanent storage when the object has been

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 23 of 49 21/01/2010

replicated to the secondary CAS unit. A Documentum job will be used to verify the existence of VEO objects on the secondary CAS. The Digital Archive will also contain a primary and secondary NAS located at PROV and Noble Park respectively. The NAS will contain all of the non-Digital Repository content and all of the metadata for VEOs in the Digital Repository. The NAS will also contain additional storage areas for the staging, scratch and maintenance. Only those storage areas requiring back-up will be replicated to the secondary site. The partitions to be replicated are shown below.
Remaining disk spare to be kept spare and allocated as required Size Partition 10GB Staging 400GB Prod_DocBase 50 GB 100 GB 50 GB 100GB 50GB 80GB Primary

Workshop Prod_Dctm, LDAP

Prod_DB Scratch (Oracle)

Maint_Ora DABackup

Replicate

Replicate

Replicate

Replicate

Dad1-s Mount on Demand

Partition Size

Prod_DocBase (DA Docbase) 400GB

Workshop (Docbase) 50 GB

Prod_Dctm, LDAP 100 GB

Prod_DB (Oracle) 50 GB

Restore 100GB

Secondary

1.5 Terabyte

Figure 6 NAS Configuration Notes: 1. 2. 3. Network capacity to secondary site is 2 Mbits/second The network impact of changes to the database, and production Documentum partitions will be low. VEOs, of average size 1 MB, will be transferred to the secondary CAS at a minimum rate of 6 per minute.  Approximately 1 Mbit of network capacity.  This assumption is not directly related to NAS but affects the network usage of the link to the secondary site.  If VEOs are transferred from the Docbase to the primary CAS faster than 6 per minute then the replication queue could become lengthy. This should not be a problem as the requirement to store to permanent storage at 6 VEOs per minute would still be met. The system administrator should monitor this CAS replication queue to ensure it is operating correctly. VEOs, of average size 1MB, will be transferred from staging area to production and work docbases no faster than 6 per minute.  Approximately 1 Mbit of network capacity.  This assumption is required in order that the replication of the docbases can keep up with disk changes. Having a substantial queue of NAS changes would be considered a problem as the time at which a consistent replica would be written to the secondary site could not be pre-determined and may be substantially longer than 15 minutes.  Hence the application code will need capability of throttling the rate of transfer.

4.

3.7 Email
The EMC equipment uses email to notify first level support at EMC of potential problems. These emails will be sent directly via the Internet connection. Email may be used for other purposes which will be determined during detailed design. These potential uses include:  Alerting the system administrator about issues

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 24 of 49 21/01/2010

4 Technology Infrastructure Configurations
4.1 Production
4.1.1 Performance, Availability Capacity
4.1.1.1 Requirements
Requirement R276, 278 – External Users R275 – External Availability Specification Users: 20,000 scalable to 50,000 Concurrent: 500 scalable to 5,000 8am – 10pm: 99% (2 hour max downtime) Other Times: 95% (8 hour max downtime) Simple: 80% in 2 seconds 100% in 5 seconds Complex: 80% in 3 seconds 100% in 6 seconds Read only: 100 Update: 100 Reporting: 50 Concurrent: 50 8am – 10pm: 99.9% (2 hour max downtime) Other Times: 95% (8 hour max downtime) Simple: 80% in 2 seconds 100% in 3 seconds Complex: 80% in 2 seconds 100% in 4 seconds 6 VEOs per minute 4 Weeks Notes

R274 – External Response Times

R406, R408 – Internal Users

Scalable to twice these figures

R405 – Internal Availability

R274 – Internal Response Times

R66 – VEO Import Rate 3.3.1 – Quarantine Duration

4.1.1.2 Scalability
The configuration of the solution has been sized to meet initial the capacity requirements. A sizing spreadsheet from Documentum was used to identify the size of the Documentum server. Other components were sized by comparing the requirements and solution architecture to other systems. The architecture should be scalable to support the requirements for 5 years and beyond. The following scenarios illustrate how the configuration can be modified to meet increasing demand:  Scenario 1 – Increasing number of concurrent external users, or an increase in the load per external user. o Add additional external web application servers, each with up to two processors. Use the Radware WSD to balance the load across the application servers. (refer to Radware o Add additional small Sun boxes to cope with increase in load on the document management server (dap1-s). This approach has the advantage of increasing availability. Alternatively the document management server can be replaced it with a larger machine having more processors. Note: the v240 specified for dap1-s can only support 2 processors. o Increase the number of processors on the database server (dap2-s). We have initially specified two, however up to four can be accommodated in the box. After that either a second machine can be added and Oracle‟s clustering used, or the V480 can be replaced with a larger multiprocessor box.  Scenario 2 – Increase in the number of concurrent internal users, or an increase in the load per internal user. o The approach is the same as in scenario 1, except the number of internal web servers is increased.  Scenario 3 – Increase in VEOs to be stored beyond 1 TB.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 25 of 49 21/01/2010



5.7 Terabytes of disk has been installed, however only 1 Terabyte is charged for. As the usage increases past 1 TB, an additional charge will be made for the extra disk used but there will be no change in the deployed hardware. o Additional NAS storage can be added if the total space used for indexes, database, quarantine etc, exceeds 1 TB. This is considered unlikely. Scenario 4 – Increase in VEOs to be stored beyond 5.7 TB. o Additional Centera modules can be installed. Maximum current capacity is 1 petabyte; however this maximum is increasing as technology improves.

o

4.1.1.3 Availability
High Availability / Failover 1. External Web and Application Server  The external web application will run in Tomcat application servers, on dap3-i and dap4-i.  Both dap3-i and dap4-i are 2 CPU Intel machines will each run an instance of the Apache HTTP server and at least 2 instances of Tomcat. The Radware WSD will load balance across the two HTTP servers, which will be configured to load balance across the 4+ Tomcat application servers.  Session affinity will ensure that an individual user is always connected to the same Tomcat instance that holds their session details.

Radware Web Services Director

Apache HTTP Server

Apache HTTP Server

Tomcat App Server

Tomcat App Server

Tomcat App Server

Tomcat App Server

Internal Web and Application Server  The internal web application will (like the external web application) run in the Tomcat application servers, on dap1-i and dap7-i.  Both dap1-i and dap7-i will run one instance of the Apache HTTP and Tomcat server. The Radware WSD will load balance across the two HTTP servers. 3. NAS (Celerra)  The NAS is a highly available component.  The NAS will be configured with a redundant data mover. If the primary fails then the secondary will take over the IP address and continue processing.  A second NAS is available for disaster recovery. However this will not be configured for availability. 4. CAS (Centera)  The CAS is a highly available component.  The CAS has been configured with 4 IP addresses on the same subnet. To improve availability the Documentum content server should be configured to use all of these addresses.  A second CAS is available for disaster recovery. However this will not be configured for availability. Standby (Manual Intervention) 1) Core Switch  Affects all production services  The development switch can be swapped over with the core in the event of an outage. Alternatively a spare switch could be added to the rack. 2) Content Server  The Documentum application will be stored on the NAS. If dap1-s fails the development machine can be utilised as the content server. 3) Database Server  Oracle will be installed on the NAS. If dap2-s fails the development machine can be booted as the database server. Single Points of Failure The following are single points of failure, however they are considered sufficiently highly available that the expense of automatic failover is not justified and that they will not negatively impact the achievement of the availability target.
f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd Digital Archive Page 26 of 49 21/01/2010

2.

1. 2. 3. 4.

NAS CAS DA Firewall  A second PIX 515E could be provided and connected in standby mode if required. Radware WSD  Affects Internet access  This could be replaced by a switch or a hub during an unplanned outage  A second Radware WSD could be provided and connected in standby mode if required.

4.1.1.4 Disk Capacity
The following assumptions and calculations are used to estimate disk usage for initial sizing purposes. They may not be relevant for other aspects of the design. For example the assumption that the maximum VEO size is 50 MB should not be used elsewhere in the design without additional justification. In practice the disk allocation will not restrict the maximum VEO size to only 50MB. Assumptions 1. The inbox disk will not be located on the NAS as it will be on a separate DMZ. 2. The maximum job size accepted from an agency into the In-box will be 10GB. Two simultaneous transfers at this size will be accepted. Disk quotas will be used on the Windows 2000 inbox server to enforce this requirement. This implies that we guarantee to support only 2 agencies simultaneously performing an electronic transfer. There is no assumption about how long these transfers will take. 3. The quarantine area will not be used as a buffer for incoming VEOs. Hence sufficient disk needs to be allocated only to support the target throughput of 6 VEOs per minute. Further assume 6 / minute is peak and average is 3 per minute. 4. Average VEO size is 1 MB 5. Target capacity 1 Million VEOs (1 Tera Byte on Centera) 6. Max VEO size < 50 MB. Allocate enough disk space to store 10 VEOs of maximum size. 7. VEOs imported only during normal business hours 8am – 10pm, 5 days per week 8. Maintenance will use a separate Oracle Instance 9. An average of 1 thumbnail per VEO, each thumbnail is 40K In-Box Requirements 2 * 10GB Inbox 20 Gigabyte (Local Disk) Quarantine disk requirements, to support the target throughput rate minimum allocation: Throughput per day * working days in Quarantine * Average VEO size (3*60*14) * (20) * 1MB Minimum quarantine disk allocation is 50 GB (which is greater than 10 * Max VEO size). Add further disk to use Quarantine as a buffer. Documentum flat files - Full Text Indexing, Thumbnails Full Text Indexing: 5GB (From Paul Ricketts) Thumb Nails: 40GB (40K * 1 Million) Documentum Application: 10GB (Guess) Documentum Flat Files: 55GB Database (Include Oracle files) Meta Data (1 Million VEOs): 10GB (From Paul Ricketts) Oracle Installation files: 5GB (Guess) Database: 20 GB Maintenance Oracle: 10GB (Guess) Documentum: 10GB (Guess) Scratch Area: 10GB (Guess) Maintenance: 30GB This NAS configuration is illustrated in section 3.6. NAS File System Types It is proposed to only use NFS for all file system types including connections from the Windows Servers. Microsoft‟s Windows Services for UNIX (SFU) will be used to mount the NFS file systems.

4.1.1.5 Network Capacity
Assumptions: 1. Concurrent Internet users will on average:
Digital Archive Page 27 of 49 21/01/2010

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd



2.

3. 4. 5. 6. 7. 8. 9.

10.

Retrieve 1 significant page of HTML per minute (Generating a transaction against Content Server)  Download 1 VEO per 15 minutes Concurrent PROV users will on average:  Perform 2 significant transactions per minute (Each generating a transaction against the Content Server) Average VEO size is 1MB Average page size is 100KB (Including thumbnails) VEO downloads will receive lower priority than search and browse All concurrent users are active (Probably aren‟t) Network must be capable of delivering the average page size in 2 seconds Network must be capable of delivering an average VEO in 60 seconds A single agency doing uploads at any moment in time must be able to transfer 10 GB in 8 hours. Note this is an entirely arbitrary assumption which would allow an agency to complete an upload to the maximum allocation of 10GB in a working day. VEOs placed into permanent storage on the primary CAS will be transferred to secondary storage at a rate of 6 per minute.

Content Server Transaction Rates Internet + Intranet (500*1) + (50*2) Content Server (Database) Transaction Rate: 600 TPM Browse / Read Access for Internet Users Non download: Number of users * average # Bytes / Second * Bits / byte 500 * (1*100KB/60) * 10 = 8 Mbits Downloads: Number of users * average # Bytes / Second * Bits / byte 500 * (1MB/15/60) * 10 = 0.5 Mbits Latency for Non Download: 2 seconds for 1 page At least 0.5 Mbit must be available Latency for download: 1 minute for 1 VEO At least 166 Kbit must be available Required Internet Bandwidth is 10 Mbit Notes: 1. The capacity required for VEO download appears relatively low, however bandwidth management is required as this could peak at a much higher level and should not affect interactive use of the system. Agency Upload Bandwidth (Only includes VEO uploads, interactive usage included in Browse allocation) Uploads: Bytes / Second * bits per byte (10GB/3600/8) * 10 = 14 Mbits Required Agency Upload Bandwidth is 3.5 Mbit Monthly usage (bytes transferred) over the Internet and uploads from Agencies Section 6.1 describes three scenarios which calculate a total monthly usage of 152, 285 and 670 GB. The average of these estimates is 369 GB. Hence: Expected monthly usage is 369 Gigabytes Disaster Recovery Bandwidth VEOs entering permanent storage #of VEOs per minute * average size / 60 * Bits / byte 6 * 1 MB / 60 * 10 1 Mbit must be available for the CAS Database This will be substantially smaller than the CAS replication Work in Progress Double the rate to allow for work in progress 1 Mbit will be made available for WIP The DR link should be 2 Mbit.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 28 of 49 21/01/2010

4.1.1.6 Performance Tuning
Web Application Servers 1. Configure optimum number of Tomcat instances 2. Implement Tomcat and Apache tuning recommendations Database 1. Standard Oracle tuning, Oracle Transaction Gateway tuning and implementation of Indexes. 2. Follow recommendations of Documentum Hardware and Networking: 1. Ensure Production Sun Ethernet cards connected to NAS are in 66MHz PCI bus. 2. Use dedicated crossed network links with Jumbo frames from db server to NAS

4.1.2 Operations
The system administrator will be provided with VNC to administer the machines in the data room. Other system management tools will run on a server in the data room and can be accessed via VNC. This approach means that the administration can be performed from any PROV PC and the firewall will not need to be opened to allow SNMP and other protocols into the PROV network. Tools to be installed include: 1. Centera Admin Tools 2. NAS Tools – To Be Completed 3. Radware Console System Administrator Workstation Operating System: Windows 2000 Number of machines: 1 Service VNC viewer Vendor Realvnc.com Ver 4.0.0 Comment Remote administration tool to manage servers.

4.2 Development
4.2.1 Programming Model
4.2.1.1 Version Control
All digital archive application components, including code, images, database DDL scripts, ANT scripts, html files and the like will be under version control using CVS. The development team will utilise the concurrent versioning and merging facilities of CVS to allow concurrent development of application components. The version schema to be used by the digital archive team will be major.minor.patch.build where: major – Represents a release of major functional changes and enhancements in addition to bug fixes minor – Represents a release of minor functional changes and enhancements in addition to big fixes patch – Represents a release of bug fixes and very minor functional changes and or enhancements build – Represents a build number for a digital archives release prior to being migrated to the production environment. The build number will serve as a unique identifier for tracking changes and incidents through the system test and user acceptance test environments. The first release of the digital archive to production will be 1.0.0. The build number will be incremented for every build of the digital archive that is released to either the system test or user acceptance test environments prior to the production release. The specific versions of application components used for a build will be „tagged‟ in CVS with the full version number. The digital archive application will include updates to the Archives One application

4.2.1.2 Configuration Management
Configuration management of application code will be script based. ANT scripts will be constructed to extract specific versions of the digital archive components and build a release. In addition to specific versions, the ANT scripts will

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 29 of 49 21/01/2010

contain a number of deployment targets for various components of the application, such as Java Method Server, the internal and external applications. All ANT scripts will be stored in CVS. The combination of CVS „tagging‟ and build scripting with ANT will allow the development team to easily maintain multiple deployment targets for each testing environment with a full rollback/rebuild capability.

4.2.1.3 Release Management
Releases will be constructed using the appropriate ANT script with all release components being „tagged‟ in CVS as per 4.2.1.1. A release will be implemented in the target environment and will undergo a „bedding down‟ period prior to handover to the appropriate testing team. A release, under normal circumstances, will undergo a migration from System Test (ST) to User Acceptance Test (UAT) with appropriate environment specific configuration changes being included by the ANT build scripts. The digital archive will be tested using a series of releases that will not migrate beyond the UAT environment. In the event that a critical bug fix must be migrated to the UAT environment, an individual release may be implemented directly into UAT without prior testing in ST. Scripted using ANT. Refer 4.2.1.2.

4.2.1.4 Unit Test
Unit testing will be performed by the application developers on the development workstations. The workstations will host the application server (Tomcat), development tools and the application components. The majority of unit test cases will be constructed and executed using the JUnit framework. The framework allows the developers to programmatically script detailed unit test cases which can be subsequently regressed at regular periods.

4.3 Test
Type System Test User Acceptance Test Performance Test and Stress Test Availability Comments Uses the application version deployed to the development servers by the lead developer. Uses the application version deployed to the production environment As for UAT 1. 2. 3. 4. Turn off 1 application server and ensure service continues. Turn off Radware and replace with a hub or switch Replace production content server with development Sun Replace production database server with development Sun

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 30 of 49 21/01/2010

4.4 Rack Layout
4.4.1 Centera Rack – North Melbourne

Figure 7 – Centera Rack North - Melbourne

4.4.2 Celerra Rack – North Melbourne

Figure 8 - Celerra Rack – North Melbourne

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 31 of 49 21/01/2010

4.4.3 Compaq Rack – North Melbourne

Figure 9 – Compaq Rack – North Melbourne

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 32 of 49 21/01/2010

4.4.4 Sun Rack – North Melbourne

Figure 10 – Sun Rack North Melbourne

4.5 Communications Infrastructure
4.5.1 Requirements
1. 2. Production on separate subnet to development for security reasons. Ability to manage traffic between  Uploads of VEOs and browsing (Prime Requirement)  General public and agency users  Victorian users and others

4.5.2 Network Services
Service DNS Description Not used. Host files, containing IP addresses and host names, are used on the DA servers. Note: An external DNS will have host entries for both the External Inbox and the External Application servers (210.8.122.122 and 210.8.122.121 respectively) for the External users of the application. Sun One LDAP on dap1-s. This is used only to store DA user details. NFS. Windows 2000 servers have Microsoft‟s Services For Unix (SFU) which includes an NFS client Network Time Protocol (NTP). This will run on dad1-s.

Directory Services Network File Services Time

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 33 of 49 21/01/2010

4.5.3 Network and Server Topology
PROV network Firewall Nokia IP40 192.168.240.97 (Gateway) Switch Catalyst 2590-48 Development Workstations 192.168.240.100-126 192.168.240.99 192.168.240.98 dap1-f (Firewall - PIX 515 E) DA Data Room 192.168.240.128/25 Sandpit 192.168.240.96/27

Figure 11 – PROV Network
PROV (PROV Internal Network) dap1-f (Firewall – PIX 515 E) 192.168.240.193/27 (DOI) Switch 192.168.240.200 192.168.240.201 dap5-i dad1-s dap6-i dap1-s dap2-s 172.16.0.1 172.16.0.2 192.168.240.130 dad1-i dad2-i 192.168.240.132 dad3-i 192.168.240.133 dap1-ndm2 dap1-ndm3 (NAS) (NAS) 192.168.240.199 dap1-ncs (Control 192.168.240.198 Station) 192.168.240.194 192.168.240.195 192.168.240.196 192.168.240.197 a1d1-i 192.168.240.129/27 (DOI) Switch External (Internet)

DR Site 172.17.0.1/16 (Private)


172.18.0.1/16 (Private) Radware WSD 172.18.0.2 dap3-i 172.18.0.21 dap4-i 172.18.0.22 dap2-i 172.18.0.30 Internal 172.18.0.11 Services dap7-i 172.18.0.12 Application Services Key dap1-i



External Services

192.168.240.202 192.168.240.203

192.168.240.131

172.16.0.2

172.16.0.1



192.168.240.134-138 Development

dap1-c (CAS) Core

Network Equipment Servers Installed for Development Production Servers

Figure 12- Data Room Network Topology
Notes: 1. Crossed Gigabit Ethernet. Jumbo Frames (9,000 Bytes per frame). Class B private network addresses are used. 2. The development Inbox has been located in the development environment. Hence during normal development the use of a firewall will not be tested. 3. Network Address Translation will be used to allow the Internet servers to be accessed from the Internet and the PROV servers to be accessed from the PROV network. 4. The Archives One development machine, a1d1-i, has multiple IP addresses to support the virtual machines running under VMware.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 34 of 49 21/01/2010

Via Router and WAN link to Primary site

Switch 172.17.0.7 drp1-i

172.17.0.8

172.17.0.6

drp1-ndm4 drp1-ndm5 drp1-ncs (Control Station)

172.17.0.2 172.17.0.3 172.17.0.4 172.17.0.5

drp1-c (CAS) Key Network Equipment Servers Installed for Development Production Servers

Core

Figure 13- Disaster Room Network Topology
(dap1-f PIX 515 E)
172.18.0.1/27(Private)

Radware

WSD
dap3-i

Radware Farms: External Services 172.18.0.10

dap4-i

dap2-i

External Inbox Internal Services

dap1-i

172.18.0.20

dap7-i

Figure 14- Application Services

4.5.4 Radware Configuration
There are two Farms configured for the Application Services Servers. 172.18.0.10 and 172.18.0.20, both currently contain two servers. Radware load-balances the services for theses farms by forwarding the traffic onto one or the other service configured under each farm. Multiple servers can be added to each of the farms, therefore to cater for future extension; we have left 8 IP addresses between each farm (Note however this doesn‟t limit the servers in the farms to these addresses). Servers are connected via an ethernet switch and not directly to the Radware switch. ie. Internal Traffic comes through to the farm address 172.18.0.10 and is then currently forwarded on by Radware to either 172.18.0.11 or 172.18.0.12. Refer to Figure 14 above, and Table 15 below.

4.5.5 Network Address Translation
The Application Services servers IP Addresses have been translated for both the External (Internet) Interface and for the Internal (PROV) Interface. To both protect the private address range and to allow DOI network traffic to route correct through to the Digital Archive Environment.

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 35 of 49 21/01/2010

The following table shows the actual IP Addresses, what address are forwarded by Radware and the NAT addresses for both the internal and external interfaces: (users will communicate using one of the bolded addresses, depending on whether they are internal or external users) ie. Internal users will contact 192.168.240.170, which is translated (using NAT), to 172.18.0.10 and then in turn routed by Radware to either 172.18.0.11 or 172.18.0.12.
Server Name Functions/Applications DAP2-I DAP1-I DAP7-I DAP3-I DAP4-I External Inbox Internal Application, Webtop Internal Application, Webtop External Application External Application IP Address 172.18.0.30 172.18.0.11 172.18.0.12 172.18.0.21 172.18.0.22 Radware IP address NAT address for Radware External NAT Internal NAT address address 192.168.240.162 172.18.0.10 172.18.0.10 192.168.240.170 192.168.240.161 192.168.240.167 192.168.240.163 192.168.240.164 210.8.122.121 210.8.122.121 210.8.122.122

192.168.240.170 172.18.0.20 192.168.240.180 (required for testing) 172.18.0.20 192.168.240.180 (required for testing)

Table 155- IP Addresses (Real and Virtual, including NAT)

4.5.6 Firewall
The DA machines will be protected by a firewall with the following isolated Ethernet interfaces: 0. PROV – Connection to PROV network 1. Core – The core production servers and storage systems 2. Development 3. Application Services - Web, Application and File Transfer servers for PROV, external and agency users 4. Internet – External network connection to agencies, Internet. 5. Disaster Recovery Interface Internet PROV Disaster Recovery Development Application Services Core Security Level 1 10 10 89 95 99

4.5.6.1 Filter Rules
For more detailed documentation on the Firewall Rules please refer to \\Dvc10\LGVCI\PROV\obiwan\VERS\Vers Coe\Technology & Telecommunications\Operations\DA Configuration Management\Firewall\. Notes on the firewall rules: 1. Default rule: From Higher to Lower level of security is “Deny”. 2. Default rule: From Lower to Higher level of security is “Allow”. 3. These rules can be tightened further. This should be done prior to production release. 4. Where the source is marked as (developers) then the source can be restricted to those IP addresses used by Digital Archive developers. 5. The assumption has been made that the administration machine(s) is (are) on the PROV interface. 6. Direct access to the core network from the PROV and external networks should be minimised. 7. The development interface may be completely isolated from the core interface after the digital archive goes into production. Development will then use local disk rather than the NAS and CAS.

4.5.7 Hardware Summary
Archite cture Compo nent

Name

IP Address

Function

Type

Sub Type

Qty

Loc 1

As Bid

Notes

Core Servers / Storage
dap1-f dap5-i dap6-i dap1-s 192.168.240.193 192.168.240.200 192.168.240.201 192.168.240.202

DOI Address Range - 192.168.240.192/27 (193-222)
IP Address Only Virus Scanner Administration Server Content Server Server Server Server Content Content Content Digital Archive HP HP Sun 1 1 1 P P P Y Y Y Page 36 of 49 21/01/2010

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

V240 dap2-s dap1-c dap1-ncs dap1-ndm2 192.168.240.203 Server 192.168.240.194-197 192.168.240.198 192.168.240.199 Database Server Primary Centerra Primary NAS Primary NAS DVD LTO DAT/DDS Disk Disk Disk Peripheral Peripheral Peripheral Storage Storage Storage Storage Backup Backup Backup Sun V480 CAS NAS NAS NA NA NA 1 1 1 1 1 1 1 P P P P P P P Y Y Y Y Y Y Y Viper 200 (For HP) DDS4 (For HP) IP Address Only Devt Docbase Server Devt In Box Devt Application Server Devt Docservices, Development Administration A1 development and test machine UAT A1 virtual machine Server Server Server Server Content Interface Interface Content Sun V240 HP HP HP 1 1 1 1 P P P P Y Y Y Y Devt Virus Scanner, CVS Includes multiple virtual machines Installed on a1d1-i NAS Control Station NAS Data Mover 2

Development
dap1-f dad1-s dad1-i dad2-i dad3-i 192.168.240.129 192.168.240.130 192.168.240.131 192.168.240.132 192.168.240.133

DOI Address Range - 192.168.240.128/27 (129-158)

a1d1-i a1d2-i a1d3-i a1d4-i

192.168.240.134

HP

1

192.168.240.137

Application Services
dap1-f dap1-r dap2-i dap3-i 172.18.0.1 172.18.0.2 172.18.0.30 210.8.122.122 Internet 172.18.0.21 192.168.240.163 NAT 192.168.240.170 Radware 172.18.0.22 192.168.240.164 NAT 192.168.240.170 Radware 172.18.0.11 192.168.240.161 NAT 210.8.122.121 Internet 172.18.0.12 192.168.240.167 NAT 210.8.122.121 Internet

ISP Address Range/DOI Address Range - 192.168.240.160/27 (161-190)
IP Address Only Radware Switch External Inbox Internet Application Server Internet Application Server Internal Application Server Server Server Interface Interface HP HP 1 1 P P Y N Dual processor

dap4-i

Server

Interface

HP

1

P

N

Dual processor

dap1-i

Server

Interface

HP

1

P

Y

60 users

dap7-i

HP Internal Application Server

1

P

N

Disaster Recovery
172.17.0.1 drp1-i drp1-c drp1-ncs drp1-ndm2 172.17.0.8 172.17.0.2-5 172.17.0.6 172.17.0.7 Router

Fujitsu Address Range
Server Server Disk Disk Disk Peripheral Comms Comms Comms Comms Comms Facility Facility Facility Backup Backup Storage Storage Storage Backup Comms Comms Comms Comms Comms Facility Facility Facility HP CAS NAS NAS NA Netgear NA Netgear Radware Cisco PIX NA NA NA OSD KVM Switch 16 channel KVM Switch 8 channel 1 S 1 1 1 1 1 1 1 1 1 1 1 1 1 1 S S S S S P P S P P P P S P Y Y Y Y Y Y Y Y Y N Y Y Y Y Netgear GS524T Netgear GS524T Packeteer bid PIX 515 E NAS Control Station NAS Data Mover 2 Backup Manager Secondary Centerra Secondary NAS Secondary NAS LTO Tape Library

Miscellaneous Equipment
Switch Router Switch Traffic Management dap1-f 6 IP addresses Firewall Rack UPS Rack

1.

“P” – Primary Site, PROV, “S” – Secondary Site, Fujitsu

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 37 of 49 21/01/2010

5 Appendix 1 – Hardware Naming Convention
System: Prod / Dev: Machine Number: Interface: Dash: Hardware type: da | a1 ; digital archive or archives 1 p|d ; If used for both then 'P', Test or any non prod should be 'D' 1-999 ; Unique number in class a|b|c.. ; Optional code to differentiate interfaces ; Required to separate optional port identifier from hardware identifier [s]un | [i]ntel | [c]as | [n]as | [f]irewall | [r]outer | [ncs]nas control station

For example hardware being used for development would be: dad1-s ; The development Sun240 a1d1-i ; A1 host server a1d2-i ; A1 virtual machine a1d3-i ; A1 virtual machine dad1-i ; Development in box dad2-i ; Development application server dad3-i ; Development Documentum Services, CVS and general administration. dap1-n ; NAS (May need to be extended to support multiple data movers) dap1-ncs ; NAS control station dap1-c ; CAS

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 38 of 49 21/01/2010

6 Appendix 2 – Supplementary bandwidth Calculations
6.1 Internet Usage (Bytes / Month)
6.1.1 Internet Usage Scenario 1
This calculation is based on the peak transfer rate estimated previously, adjusted to get an average transfer rate across the day. An estimate is also included for agency uploads. Peak Transfer rate (Internet Users) 10 Sustained rate over peak hour 20% Percentage of daily transfer in peak hour 8.79% Mega Bytes in Peak Hour 720 Megabytes per day 8191 Giga bytes per month for interent users 246

Maximum Agency Upload Average percentage of maximum upload per transfer Number of transfers / month Giga bytes / month for agency upload

10 0.5 8 40

6.1.2 Internet Usage Scenario 2
This calculation is based on the number of registered users, the percentage that use the system each day and their usage pattern in terms of number of pages visited and number of VEOs downloaded. Number of registered Users: 15,000 Percentage of resgistered users accessing the system / day 20% Major Pages / Visit 20 K Bytes / Page 100 VEO's transferred per visit 5 K Bytes / VEO 1000 Total Giga Bytes per day 21 Giga Bytes per Month 630
Maximum Agency Upload Average percentage of maximum upload per transfer Number of transfers / month Giga bytes / month for agency upload 10 0.5 8 40

6.1.3 Internet Usage Scenario 3
This calculation is based on the current number of bytes transferred from the PROV web site, the increase in number of visits we can expect after implementation of the Digital Archive and an increase in the number of bytes per visit. Current Bytes Transferred per Month (April 2004) 7.50 Percentage change in number of visits after DA implemented 300% Percentage increase in data volumes after DA implemented 500% Giga Bytes per Month 112.5
Maximum Agency Upload Average percentage of maximum upload per transfer Number of transfers / month Giga bytes / month for agency upload 10 0.5 8 40

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 39 of 49 21/01/2010

7 Appendix 3 – Production Hardware / Software Config
7.1 dap1-s – Content Server
Software services: Service Content Server Solaris JRE Vendor Documentum Sun Sun Version 5.2.5 9 1.4.2_03 To be confirmed. Concept is to keep the JDK/JRE uniform across all platforms (Content Server + App Server + Dev Workstation) Comment Requires JRE 1.4.1

LDAP SMTP Server

Sun Sun The Sun will act as the SMTP server for outbound email messages. No email will be allowed inbound through the firewall. 4.1.30 Java Method Server is user to run all of the Documentum Methods (normally triggered by scheduled DCTM Jobs)

Java Method (Tomcat)

Server

DCTM

Hardware:
Com ponent Docbase Server Sun Fire V240 2x 1Ghz Ultrasparc IIIi, 4x 512MB Dimms, 2x 36GB drives, 4x 10/1000/1000 ethernet, redundant pow er 2 x Pow er cords Dual fibre channel interface X-option internal DVD rom drive Installation Gold support Part No Qty

N32-XUB2-9S-204AV2 X386L X6768A X7410A EIS-WGS W9D-N32-3G

1 1 1 1 1 1

.

7.2 dap2-s – Database Server
Software services: Service RDBMS Hardware:
Component Docbase Server Sun Fire V480, 2 X CPU 2 x Power cords Dual fibre channel interface X-option internal DVD rom drive Installation Gold support Part No N32-XUB2-9S-204AV2 X386L X6768A X7410A EIS-WGS W9D-N32-3G Qty 1 1 1 1 1 1

Vendor Oracle

Version 9i R2

Comment

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 40 of 49 21/01/2010

7.3 dap1-i, dap7-i – Internal Application Server
Software services: Service Webtop Tomcat HTTP Server Mod_jk JDK/JRE JDBC Vendor Documentum Apache SF Apache SF Apache SF Sun Microsoft Version 5.25 4.1.30 2.0.48 2.0.43 1.4.2_03 2.0 Tomcat module for Apache. Any servlet or JSP requests will be passed to Tomcat. Sun JDK (As per Documentum Compatibility) Type 4 JDBC driver for connection to the Archives One search database – see section 3.1 Comment Documentum Webtop As certified by Documentum for WDK.

Windows 2000 eTrust Antivirus

Microsoft CA

SP4 7.1 Configured to only scan of local storage

Hardware: Application Server DL380G3 Xeon 3.06GHz Server 2048Mb (2x1024Mb) 36GB 10K U320 Universal Drive IEC-to-IEC Power Cable (10ft) Redundant Hot Plug Power Supply Option Kit - DL380 G3 Prol Series ML370 and DL380 3yr 4hr 24x7 onsite response

310587-371 300679-B21 286713-B22 142257-003 313054-B21 U4545E

1 1 2 1 1 1

7.4 dap2-i – External Inbox
Software services: Service HTTP Server ActivePerl Mod_dav SFU JDK/JRE Windows 2000 eTrust Antivirus Hardware: Refer to 7.3. Sun Microsoft CA 1.4.2_03 SP4 7.1 Configured to only scan of local storage Sun JDK (As per Documentum Compatibility) Vendor Apache SF ActiveState Apache SF Version 2.0.48 5.8.4 Apache plug-in module for WebDAV protocol Comment

7.5 dap3-i, dap4-i – Internet Application Servers
These are dual processor servers. To meet performance targets it may be necessary to add SSL accelerators to these machines. This should be determined after load testing. Software services: Service Vendor Version Comment HTTP Server Apache SF 2.0.48
Digital Archive Page 41 of 49 21/01/2010

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Service Mod_jk

Vendor Apache SF

Version 2.0.43

Comment Tomcat module for Apache HTTP Server. Any servlet or JSP requests will be passed to Tomcat. As certified by Documentum for WDK.

Tomcat DFC JDK/JRE JDBC

Apache SF Documentum Sun Microsoft

4.1.30 5.2.5 SP2 1.4.2_03 2.0

Sun JDK (As per Documentum Compatibility) Type 4 JDBC driver for connection to the Archives One search database – see section 3.1 Configured to only scan of local storage

eTrust Antivirus Windows 2000

CA Microsoft

7.1 SP4

Hardware: Internet Application Server DL380G3 Xeon 3.06GHz Server Intel Xeon 3.06Ghz-512KBMB/533Mhz Processor Option Kit 4096Mb (4x1024Mb) 36GB 10K U320 Universal Drive IEC-to-IEC Power Cable (10ft) Redundant Hot Plug Power Supply Option Kit - DL380 G3 Prol Series ML370 and DL380 3yr 4hr 24x7 onsite response

310587-371 257916-B21 300679-B21 286713-B22 142257-003 313054-B21 U4545E

1 1 1 2 1 1 1

7.6 dap5-i – Docservices
Software services: Service Tomcat Vendor Apache SF Version 4.1.30 Comment Will be used to host the ‘Docservices’ web application will contain functionality to: 1. Synchronise objects between the external inbox and the staging area 2. Create folders on the external inbox 3. Perform a virus scan of an object on demand 4. Ingest objects into the internal inbox The functionality will be invoked by the Java Method Server using HTTP post requests. JDK/JRE OPSWAT SDK eTrust Antivirus DFC WebDrive Sun OPSWAT CA Documentum 1.4.2_03 1.6.x 7.1 5.2.5 SP2 Virus Scanning API Configured to only scan of local storage Required for Docservices Lightweight component to expose the external inbox as a drive mapping utilising WebDAV and/or FTP. Microsoft SP4

Windows 2000

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 42 of 49 21/01/2010

Hardware: Refer to 7.3.

7.7 dap6-i – Administration Server
Software services: Service Tomcat JDK/JRE Documentum Administrator Application Builder/Installer eTrust Antivirus Windows 2000 Hardware: Refer to 7.3. Vendor Apache SF Sun Documentum Documentum CA Microsoft Version 4.1.30 1.4.2_03 5.2.5 SP2 5.2.5 SP2 7.1 SP4 Configured to only scan of local storage Comment As certified by Documentum for WDK.

7.8 dap1-c – Primary CAS
Software services: Service Centrastar Hardware:
Com ponent Centera cab w /8TB raw capacity Centera 8TB raw capacity (Factory install) 2 CAT 5 LAN cables 25F Dual 40U rack w /pw r-Australia Modem Australia CentraStar Basic CPM RTU lic per 8 nodes CentraStar general public lic CentraStar RTU lic for replication for 8 nodes Part No CNRRK8TB CNR8TB CAT5CBL25 PW40U-ASTL SYMMOD-AUL CNR8NODEMSW CNRGPLLIC CNRREPSW Qty 1 1 2 1 1 2 1 2

Vendor EMC

Version 2.0-146

Comment Certified with Content Server 5.2.5

7.9 dap1-n – Primary NAS
Software services: Service DART Vendor EMC Version 5.1.18.5 Comment

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 43 of 49 21/01/2010

Hardware:
Component NS600 NAS FRONT-END W/2 DATAMOVERS EMPTY 40U CABINET NS600 DAE, OS, 5 10k/146GB drives NS600 STORAGE BACK-END NS600 CONTROL STATION ASSEMBLY CHV 146GB 10K 520BPS 12V 2Gb (RAID-5 (8+1)) CHV 146GB 10K 520BPS 12V 2Gb Hot Spare 40U RACK POWER CORDS-ASTL Modem Australia CELERRA NS600 DOCS & CD MONITOR FOR CELERRA NS600 SERIES NS600 CNM L Software CELERRA NS600 ENT LIC NS600 REP L Software Celerra NS602 Service Custom Remote Replication Service Part No NS602 RACK-40U NSDAE10146OS NS600-AUX NS600-CS CX-2G10-146 NS2G10-146-HS CX-PW40U-ASTL SYMMOD-AUL NS600-DCD NS600-CM-L NS600-CNM-L NS600-ENT-L NS600-REP-L PS-BAS-NS6 PS-CUS-RMTREP Qty 1 1 1 1 1 9 1 1 2 1 1 1 1 1 1 1 1

HSSDC TO FIBRE CONVERTER FOR TAPE CONNECT NS-MIA

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 44 of 49 21/01/2010

8 Appendix 4 – Devt Hardware / Software Config
8.1 Developer Workstations
The following workstation configurations are required:  Java / Documentum Developer (Includes Senior Developer and XML developer)  VB Developer  Tester Application Developer Operating System: Windows 2000 Number of machines: 4 Service NetBeans HTTP Server Vendor NetBeans.org Apache SF Ver 3.6 2.0.48 Comment J2EE Integrated Development Environment. Local HTTP Server to emulate development, testing and production environments HTTP Server plug-in for Tomcat Application Server Use for load testing Build scripting tool to automate test and production releases. 5.2.5 5.2.5 5.2.5 1.4.2_0 3 5.2.5 Browser based access to Documentum DocBases Windows Explorer based access to Documentum Docbases Web Development Kit for the public access and WebTop customisation Used by NetBeans IDE Documentum foundation class framework for manipulating DocBases (includes the DMCL for native RPC functionality) Remote access tool to manage development servers. General Purpose Editor General Purpose File Differential Viewer

Mod_jk Tomcat Jmeter Ant WebTop Desktop WDK JDK/JRE DFC

Apache SF Apache SF Apache SF Apache SF Documentum Documentum Documentum Sun Microsystems Documentum

2.0.43 4.1.30

VNC Viewer UltraEdit UltraCompare Web Developer Operating System: Number of machines: Service Dreamweaver MX

Realvnc.com IDM IDM

3.3.7 10.10 1.00a

Windows 2000 2 Vendor Macromedia Ver MX 2004 Comment HTML/JSP/Javascript Editor

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 45 of 49 21/01/2010

Documentum Developer Operating System: Number of machines: Service Application Builder Application Installer Desktop

Windows 2000 2 Vendor Documentum Documentum Documentum Ver 5.2.5 5.2.5 5.2.5 Comment DocApp development tool Deployment tool for DocApps Windows Explorer based access to Documentum DocBases

VB Developer Operating System: Number of machines: Service Visual Basic

Windows 2000 1 Vendor Microsoft Ver 6.0 SP5 Comment Visual Basic Integrated Development Environment for Archives One development (2 Licenses Maximum)

Crystal Reports

Business Objects

9.0 Dev

This is the Developer edition of the Crystal reports reporting tool/framework. Version previously used in A1 was 6.0. Single developer license Deploys on single production processor 3 concurrent users (AD supports queuing and caching for higher throughputs) Exports reports to PDF No ad hoc modification of reports by users

Sheridan Designer Widgets, Class Assist Tools, Data Grid 2.0c First Impressions Graph

Infragistics

-

Refer Archives One Development Environment Refer Archives One Development Environment

?

2.0

Windows Tester Operating System: Number of machines: Service Desktop Internet Explorer Internet Explorer Mozilla

Windows 2000 1 Vendor Documentum Microsoft Microsoft Mozilla.org Ver 5.2.5 6.28 sp1 5.0 1.6 Install on 1 PC Browser (Install on 1 PC) Alternatively test against Firefox also from mozilla.org Comment Windows Explorer based access to Documentum DocBases

8.2 dad2-i – Development Application Server
Software services: Service Webtop Vendor Documentum Version 5.2.5 Comment Customised by project. (Web Application)

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 46 of 49 21/01/2010

Service WDK Tomcat

Vendor Documentum Apache SF

Version 5.2.5 4.1.30

Comment Web Development Kit As certified by Documentum for WDK. Will host the internal and external web applications. If we need to test load balancing then Tomcat will also have to be installed on one of the other servers. Should actively look to upgrade Tomcat to 5.0.18+ prior to production deployment. Alternatively 4.1.30 which is latest 4.x. In order to get JSP 2 support we would need Tomcat 5+. Tomcat 4 supports JSP 1.2 and Servlet 2.3.

Documentum Administrator HTTP Server Mod_jk JDBC

Documentum Apache SF Apache SF Microsoft

5.2.5 2.0.48 2.0.43 2.0 Tomcat module for Apache. Any servlet or JSP requests will be passed to Tomcat. Type 4 JDBC driver for connection to the Archives One search database – see section 3.1 Sun JDK (As per Documentum Compatibility) Configured to only scan certain areas of local storage

JDK/JRE CA eTrust AntiVirus Windows 2000 Hardware:

Sun

1.4.2_03

Microsoft

SP4

Component Devt Application Server DL380G3 Xeon 2.8GHz Server 2048Mb (2x1024Mb) 36GB 10K U320 Universal Drive IEC-to-IEC Power Cable (10ft) Redundant Hot Plug Power Supply Option Kit - DL380 G3 Prol Series ML370 and DL380 3yr 4hr 24x7 onsite response

Part No 301111-371 300680-B21 286713-B22 142257-003 313054-B21 376912-371

Qty 1 1 2 1 1 1

8.3 dad1-i – Development Inbox
dad1-i will (sometimes) be located in a DMZ for testing purposes. This makes it unsuitable for use as the CVS code repository. Software services: Service Vendor Version Comment HTTP Server Mod_dav Windows 2000 CA eTrust AntiVirus Apache SF Apache SF Microsoft SP4 Configured to only scan certain areas of local storage 2.0.48 Apache plug-in module for WebDAV protocol

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 47 of 49 21/01/2010

Hardware: (Refer 8.2)

8.4 dad3-i – Development Docservices, Code Repository
Software services: Service Media Services Virus Scanner CVS Code Repository Tomcat Vendor Documentum CA eTrust AntiVirus Cvshome.org Version 5.2.5 Latest Latest 4.1.30 Will be used to host the ‘Docservices’ web application will contain functionality to: 5. Synchronise objects between the external inbox and the staging area 6. Create folders on the external inbox 7. Perform a virus scan of an object on demand 8. Ingest objects into the internal inbox The functionality will be invoked by the Java Method Server using HTTP post requests. JDK/JRE Sun Microsystems 1.4.2_03 To be confirmed. Concept is to keep the JDK/JRE uniform across all platforms (Content Server + App Server + Dev Workstation) Lightweight component to expose the external inbox as a drive mapping utilising WebDAV and/or FTP. Microsoft SP4 Configured to only scan certain areas of local storage Comment Installs Java SDK 1.3.1_04 Ensure version is compatible with OPSWAT

WebDrive

Windows 2000 CA eTrust AntiVirus

Hardware: (Refer 8.2)

8.5 dad1-s – Development Docbase Server
The purpose of the Docbase server is to host the Documentum Content server and RDBMS. The Docbase server will act as the gateway to all permanent storage (hosted on the CAS) and non-permanent Documentum Docbases. Software services: Service Vendor Version Comment Content Server RDBMS Solaris JRE Documentum Oracle Sun Sun 5.2.5 9i R2 9 1.4.2_03 To be confirmed. Concept is to keep the JDK/JRE uniform across all platforms (Content Server + App Server + Dev Workstation) Requires JRE 1.4.1 20 named user license

LDAP

Sun

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 48 of 49 21/01/2010

Service SMTP Server Sun

Vendor

Version

Comment Not used for production email. May not be required after the production server has been installed and configured to act as the email gateway.

Java Method (Tomcat)

Server

DCTM

4.1.30

Java Method Server is user to run all of the Documentum Methods (normally triggered by scheduled DCTM Jobs)

Hardware:
Com ponent Docbase Server Sun Fire V240 2x 1Ghz Ultrasparc IIIi, 4x 512MB Dimms, 2x 36GB drives, 4x 10/1000/1000 ethernet, redundant pow er 2 x Pow er cords Dual fibre channel interface X-option internal DVD rom drive Installation Gold support Part No Qty

N32-XUB2-9S-204AV2 X386L X6768A X7410A EIS-WGS W9D-N32-3G

1 1 1 1 1 1

f629d194-da7e-41e7-b655-8d89d01ba6f2.doc Fujitsu Australia Ltd

Digital Archive

Page 49 of 49 21/01/2010


				
DOCUMENT INFO