KPNQwest Appendix
The following were some of the specific tasks I undertook during my 10 months working as a contractor for KPNQwest. For background information click here.
Migration and Development of the Web Interface
One of my primary tasks in the project was to migrate, repair and develop both the Web Server and the Oracle database behind it. Apart from giving an overview of the application and displaying access points, the web service was used by customers to view their usage and invoices, change their personal password and log into the mailserver. There was also an administrator section that was used for adding customers, troubleshooting and updating user data.
On the original Traveller system the Web server, Merit Radius Server and Oracle 8.0.4 database resided on a single Sun Sparc 10. In the new architecture the Web server was on one Sun 220R and it communicated remotely with an Oracle 8.1.5 database residing on another 220R. The migration was done from first principles, meaning that the two 220Rs were unboxed, installed in their racks and Solaris 2.8 installed on them. I then had to install all relevant 3rd party software on them. This included gcc, emacs, ssh 2.0, perl 5.6, apache 1.3 with SSL and Oracle. It also included optional CPAN perl packages such as the DBI, DBD::Oracle, Date and Credit Card modules.
When the platform was ready to receive the application, I had to update the web-based Perl CGI scripts to support both remote database communication via DBI and remote configuration of the Radius Proxy/Authentication servers using ssh. This involved solving several technical issues, as the web, database and radius servers all coexisted on the same machine in the old system. The large differences in version between 3rd party software on the old and new systems were also a source of problems.
During the script migration process I made several enhancements to existing functionality and implemented new provisioning business rules from Product Management. These included more control of customers over their own accounts, better realm selection by Traveller administrators and immediate propagation of relevant web based changes to the Radius server configurations. The latter changes meant that when new users were added via the web, they could instantly login using their new account. Likewise when they changed their login password via the web, this change was instantly picked up during the login authentication process.
After the new web service was fully functional, the data had to be migrated from the old to the new database. There was a period of time where both databases were being used in parallel and I wrote a Perl/SQL program which I used to help merge these. I also had to add new columns to tables and a new table to the database. Finally the data itself needed to be changed to reflect company rebranding, and I wrote and used a generic script to make global string changes within an Oracle database table. All of this involved appropriate communication to customers in the form of emails being sent out and a suitable web redirect being put in place.
Web and General Security
On the new web server I installed openssl and modified the web pages so that https and ssl were used where appropriate. I created a certificate request for the new site which was signed by a certificate authority and installed. Whenever there was communication needed between the web server and other servers such as radius I installed ssh and used its hostkey based authentication method. This avoided the use of passwords for remote communication yet it had the benefit of a secure encryption process.
On the old web site I found several places in the traveller application where password and credit card information could be obtained by URL tampering. I made a complete audit of the Perl code and rewrote all modules where tampering could reveal customer information. The credit card verification was offline but I tightened the validation procedures to perform both first and last digit checks. I looked at data entry in the application and improved data integrity checking and associated error messages.
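The two fixes in the paragraph above, an authorization check that stops URL tampering and an offline card check on the first and last digits, are illustrated in the following Perl. This is an added example and not the Traveller code; the customer and invoice data are constructed stand-ins for the Oracle tables, and the accepted issuer prefixes are an assumption.

```perl
#!/usr/bin/perl
# Added example (not KPNQwest/Traveller code): closing a URL-tampering hole
# in a CGI handler and tightening an offline credit-card check.
use strict;
use warnings;

# Constructed sample data standing in for the Oracle tables.
my %INVOICES = (
    1001 => 'Invoice 1001: 42.00 EUR',
    1002 => 'Invoice 1002: 17.50 EUR',
);
my %CUSTOMER_INVOICES = (
    alice => [1001],
    bob   => [1002],
);

# Vulnerable pattern: the invoice id comes straight from the query string and
# is looked up directly, so any logged-in user can read any invoice by
# editing the URL.
sub show_invoice_vulnerable {
    my ($session_user, $params) = @_;
    my $id = $params->{invoice_id};
    return defined $id ? $INVOICES{$id} : undef;
}

# Hardened pattern: the session identifies the customer, the id is validated,
# and the invoice is served only if it belongs to that customer.
sub show_invoice_checked {
    my ($session_user, $params) = @_;
    my $id = defined $params->{invoice_id} ? $params->{invoice_id} : '';
    return undef unless $id =~ /^\d+$/;          # reject non-numeric ids
    my %mine = map { ($_ => 1) } @{ $CUSTOMER_INVOICES{$session_user} || [] };
    return undef unless $mine{$id};               # not this customer's invoice
    return $INVOICES{$id};
}

# Offline card check: the leading digits identify the issuer, the last digit
# is the Luhn check digit.  Accepted prefixes here are an assumption.
sub card_number_plausible {
    my ($number) = @_;
    $number =~ s/[\s-]//g;
    return 0 unless $number =~ /^\d{13,19}$/;
    return 0 unless $number =~ /^(?:4|5[1-5]|3[47])/;   # Visa, Mastercard, Amex
    return luhn_ok($number);
}

# Luhn: double every second digit from the right, subtract 9 if over 9,
# and the total must be a multiple of 10.
sub luhn_ok {
    my ($digits) = @_;
    my @d = reverse split //, $digits;
    my $sum = 0;
    for my $i (0 .. $#d) {
        my $v = $d[$i];
        if ($i % 2 == 1) {
            $v *= 2;
            $v -= 9 if $v > 9;
        }
        $sum += $v;
    }
    return $sum % 10 == 0 ? 1 : 0;
}

# Usage: bob's session requesting alice's invoice via a tampered URL.
my %query = (invoice_id => 1001);
my $v = show_invoice_vulnerable('bob', \%query);
my $c = show_invoice_checked('bob', \%query);
print "vulnerable: ", (defined $v ? $v : 'denied'), "\n";   # invoice leaks
print "checked:    ", (defined $c ? $c : 'denied'), "\n";   # denied
print "4111 1111 1111 1111 plausible: ", card_number_plausible('4111 1111 1111 1111'), "\n";
print "4111 1111 1111 1112 plausible: ", card_number_plausible('4111 1111 1111 1112'), "\n";
```

The hardened handler never trusts the identifier in the URL on its own: ownership is derived from the authenticated session, which is the check that was missing wherever customer data could be reached by editing a query parameter.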
Web Look and Feel
One of the marketing requirements during the migration of Traveller was that the new web system have a new look and feel. In the old web system, all html pages and perl scripts which produced html had the look and feel hard coded. I completely restructured the system so that all html pages and all html output from Perl scripts were written on top of a chosen template. A new template was then designed by a web agency and once it conformed to some simple specifications a single configuration change was all that was necessary to start using this template throughout the system.
Nokia Interface
One of the main features in Traveller was a facility for users of the Nokia 9110 Communicator to be able to subscribe to the service without having any existing Internet connection. On a 9110 there was a web option called Internet Setup which allowed the user to select an access point based on the country they were in. These access points were all Points Of Presence (POPs) either directly owned by KPNQwest or by a partner of it. When the user selected the required POP, a hard-coded configuration on the communicator was used for that POP. This specified the access number along with a special user account and password. It also specified the address and port of a web proxy server to be used during the session. When the user connected using the access number, this special account was authenticated by the Traveller Radius authentication server and a filter id was returned to the Network Access Server (NAS). The filter applied restricted session access to the port and IP address on which the web proxy server was listening. This squid server was configured with access control lists so that only the Traveller web site and a site owned by Nokia could be visited.
After the user had connected using the configured POP, the second part of the Internet Setup procedure allowed them to go to the Traveller Nokia web pages. From these pages they could subscribe to the Traveller service using their credit card and they were allocated their own personal login and password. A mailbox was created for them and they could use the Traveller mail relay. The subscription process gave them the option of automatically configuring their communicator using the SMART Messaging specification to send/receive mail and use their new Internet access point (IAP). Using their chosen IAP and new login they could instantly access the Internet and use the mail facility. If they wished, they could also automatically configure their communicator to use different access points in other countries.
In the migration of the Traveller service from Amsterdam to The Hague, I had to completely rebuild the Nokia Interface and redesign its modules. I installed the Squid web proxy server on a Sun 220R and configured it to use a cache, a redirector program and restrict access to the Traveller web service. I changed the Radius configuration so that the new Radius proxy and authentication servers in The Hague were being used. As the IP address and port number of the proxy server were hardcoded in the communicator and could not be changed, I configured this /30 subnet as a virtual network interface on the new machine running squid and got the Network Operations Center to redirect traffic for this subnet to the new machine. With the Nokia web application itself I rewrote several of the Perl CGI scripts to support later versions of Oracle/Perl/DBI and give improved usability and security.
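The captive setup session described in the Nokia Interface section, and the squid rebuild described in the migration paragraph above, can be expressed as a squid.conf fragment of the following shape. This is an added illustration, not the Traveller configuration; the listen address, domain names and paths are placeholders, and the access rules are the point: the proxy answers only for the two permitted destinations and refuses everything else.

```conf
# Added example (not the Traveller squid.conf): a proxy that only lets the
# Internet Setup session reach the subscription site and the Nokia site.
# All addresses, hostnames and paths below are placeholders.

# Listen on the address/port that is hard-coded in the communicator.
http_port 192.0.2.2:8080

# Local disk cache: 100 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/squid/cache 100 16 256

# Redirector program that rewrites requests (placeholder path).
redirect_program /usr/local/squid/bin/redirector

# Access control lists.
acl all        src 0.0.0.0/0.0.0.0
acl safe_ports port 80 443
acl setup_sites dstdomain .traveller.example.net .nokia.example.com

# Order matters: squid stops at the first matching http_access line.
http_access deny !safe_ports
http_access allow setup_sites
http_access deny all
```

Because the NAS filter already confines the special account to the proxy's address and port, the `http_access deny all` line is what turns the session into a closed path to the two sites rather than general Internet access.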