Information technology application innovation (hereinafter referred to as "Xinchuang") is the foundation of information security and network security, and is of great significance to our country's digital economy and information security. Finance is an important industry tied to the lifeline of the national economy, and independent control of its core technology is both a strategic requirement for national security and an inevitable trend of the times. As the main force of Shaanxi's local financial industry, Shaanxi Rural Credit Cooperatives adopts a "bottom-up platform" work strategy (unified planning from the infrastructure layer, and unified deployment of the platform-based technology stack throughout the bank), and has taken the lead in building a Xinchuang cloud platform supported by Xinchuang software and hardware products such as servers, networks, storage, operating systems, distributed databases, and middleware. On this basis, information systems are transformed or newly built in batches, and independent-control capabilities are gradually enhanced. As one of the first batch of information systems in our company to support Xinchuang technology across the full technology stack, the office system (OA) has effectively improved its level of independent control and accumulated experience for the subsequent transformation and construction of Xinchuang information systems.
The construction of the Shaanxi Rural Credit Cooperatives office system is divided into three stages, with the following goals. The first stage is independent research and development on the Spring Cloud + K8s + DevOps cloud native architecture, bringing the full-featured office system into production. The second stage is to replace the entire technology stack with Xinchuang products, improving the level of independent control and putting the office system into dual-track operation. The third stage is to replace the plug-ins and streaming software used on the desktop with Xinchuang products and to run the system on a single track in a mode compatible with non-Xinchuang terminals, without reducing system performance or user experience, so that users across the province get the same service experience in their daily office work.
This project builds on basic software such as the Xinchuang cloud platform and database, and on application software such as streaming software, layout software, and electronic signatures. The construction work is carried out on the bank's unified development platform and cloud native architecture. During implementation, the "middle platform" concept from our company's digital transformation is applied, and a document middle platform is introduced to solve the problem of the office system having to be compatible with multiple PC operating systems when running on a single track.
The Shaanxi Rural Credit Cooperatives Office System runs on the Xinchuang cloud platform, achieving full Xinchuang replacement of chips, servers, cloud computing software, network equipment, and operating systems. The IaaS layer uses Xinchuang-chip servers, network equipment, and Xinchuang operating systems throughout to achieve unified integration and orchestration of computing, storage, and network resources; the PaaS layer deploys containers and distributed databases to provide basic PaaS services for application systems. The cloud management platform uniformly manages the ARM architecture resource pool and the x86 architecture resource pool, realizing a "one cloud, multiple cores" infrastructure and full-stack domestic independent control.
This project uses Tongxin Browser and Sequoia Database as its Xinchuang replacement products. During the transformation, on the one hand, the front-end display components and JS in the application were reworked for compatibility with Tongxin Browser; on the other hand, SQL syntax, execution efficiency, and foreign keys were reworked to suit the native distributed kernel of Sequoia Database.
The layout software is replaced with a Xinchuang version that supports the OFD standard. The main modifications are as follows. First, the server-side electronic signature and online reading components are upgraded so that they can be installed and deployed on Xinchuang servers and provide official document signature and document format conversion services. Second, the reader on the PC is upgraded so that OFD format documents can be read on both Xinchuang servers and ordinary PCs.
When the office system first went into production, a third-party online editing plug-in called the streaming software (WPS/Word) installed on the PC to provide online editing of official documents. However, this plug-in had poor compatibility with some old streaming software versions and had to be installed manually by users, which resulted in a poor user experience. This project abandons third-party plug-ins and instead directly calls the online editing service of the document middle platform deployed on the server side. The integrated document middle platform provides online editing, redlining, and draft cleaning services, so that documents can be modified online and review comments and redlining can be viewed, along with other official document processing functions.
Since the operating platform has been replaced with the Xinchuang cloud, the middleware used by web services and application services must also be replaced with corresponding Xinchuang products. In this transformation, the Tomcat middleware built into the office system's Spring Cloud stack was replaced with Puyuan Appserver so that it can be installed and deployed on the Xinchuang operating system. At the same time, the web service middleware Nginx was replaced with BES WebServer to provide load balancing and reverse proxy services.
The Shaanxi Rural Credit Office System mainly includes seven modules: portal, official document management, personal office, information management, knowledge management and system management.
The Shaanxi Rural Credit Cooperatives Office System is deployed based on the bank's in-house cloud platform.
The office system is deployed with the front end and back end separated. The front-end application provides users with the operation interface and specific functions, and is deployed on BES WebServer middleware. Business microservices implement the complex processing logic, and are deployed on Puyuan Appserver and Dongfangtong TongWeb middleware. The database is the domestic Jushan (Sequoia) distributed database, with data spread across distributed nodes to ensure high availability. The front-end application, business microservices, and database are all deployed as clusters and support horizontal expansion: when physical resource usage approaches a bottleneck, system service capability can be improved by expanding capacity.
The Shaanxi Rural Credit Cooperatives Office System is independently designed and developed based on the bank's unified development platform and technical standards. The system functions can continue to evolve with business development and deeply match the actual and development requirements of Shaanxi Rural Credit Cooperatives. Compared with purchasing mature office system products in the industry, the independently developed office system can be fully adapted and transformed according to the overall technical route selected by our company, effectively avoiding the problem of passively binding the technical route when selecting mature products.
The introduction of the document middle platform solves the problem that the Xinchuang and ordinary versions of streaming software are independent of each other, which affected rollout efficiency and customer experience. First, it completely solves the poor compatibility with old streaming software versions, and users no longer need to install plug-ins, which improves the user experience. Second, the document middle platform is compatible with ordinary PCs and Xinchuang PCs at the same time, which suits the gradual adoption of Xinchuang terminals.
This project is our company's first attempt at a full-stack Xinchuang transformation of the cloud native architecture. During the transformation, many of the middleware components, basic class libraries, configuration files, and the JDK in the Spring Cloud open source code were upgraded or replaced to suit the Xinchuang operating system and middleware, so that the architecture can run stably on our company's Xinchuang cloud. In addition, the Xinchuang cloud platform has carried out the Xinchuang transformation of the underlying chips, network equipment, and computing resource pool at the IaaS and PaaS layers, completing a full-stack localization of the cloud native architecture, which has strong reference value for the industry.
This project is developed with Spring Cloud + K8s + DevOps, and has the following features. First, the project uses DevOps tools for version building and automated deployment, reducing manual involvement and improving R&D efficiency. Second, the office system is split into multiple microservices, so that service resources can be allocated according to the business complexity and importance of each microservice to improve resource utilization. Third, a private cloud deployment model is adopted, and the K8s management platform on the cloud dynamically monitors the running microservices and automatically creates application instances to ensure high availability of services.
This project adopts several measures to prevent documents from being illegally obtained. First, documents are stored on the document middle platform server and previewed without being written to the client, which removes the risk that data cached on a user's PC or mobile device is stolen; second, it connects to the bank's data leakage prevention platform and adds protections such as encryption of downloaded files and document watermarks, so that files are viewed in a safe environment; third, it connects to the bank's cryptography platform and unified authentication platform, uses national cryptographic algorithms to encrypt messages and passwords, and applies multiple authentication protections during login to improve account security.
This project has gone through several stages, including feasibility analysis, overall scheme design, implementation, dual-track operation, and single-track operation. The main work contents of each stage are as follows:
Feasibility analysis: Initiate technical feasibility studies, build a test environment, and verify the feasibility of the products and technical routes.
Overall scheme design: Based on the technical verification results and the current status of the system, determine the project construction goals, clarify the scope of adaptation and transformation, confirm the technical route, and complete the overall scheme design.
Implementation: Adapt, develop, and transform the system, and after the transformation is completed, test the system's compatibility, stability, usability, functionality, performance, etc.
Dual-track operation: Clarify the launch plan and emergency measures, bring the Xinchuang version into production, and run it in parallel with the existing non-Xinchuang version. At this stage, Xinchuang terminals access the Xinchuang version and ordinary terminals access the non-Xinchuang version, and the two versions share the Xinchuang database.
Single-track operation: Introduce the document middle platform to solve the problem of dual-track operation, completing the office system transformation and achieving single-track, full-stack Xinchuang operation of the office system.
In line with Xinchuang requirements and the results of the technical pre-research, the scope of transformation and the Xinchuang replacement products for the office system were determined, and the transformation and launch of the entire Xinchuang technology stack, including applications, middleware, databases, and browsers, was completed in August 2022. So far, the system has recorded a total of 1.2 million logged-in users and more than 300,000 transactions; the interface response time is within 300 ms, the service success rate is 99.99%, application server CPU utilization is between 7% and 15%, database server CPU utilization is about 10%, and system resources are in good use.
In the course of the full-stack Xinchuang transformation of the office system, we gained a deep understanding of the performance and interfaces of the Xinchuang database, middleware, and cloud platform and of how they differ from comparable non-Xinchuang products, accumulated valuable experience for the development and operation and maintenance teams, and achieved independent control of key infrastructure. After the Xinchuang transformation was completed, all data runs on domestic servers, middleware, and network equipment, effectively ensuring information security.
After the database, middleware, operating system, layout software, and streaming software of the office system were replaced with the corresponding Xinchuang products, rigorous performance testing was carried out. No performance indicator decreased compared with the non-Xinchuang versions, and some improved. When dual-track operation ends, the switch to single track is completed simply by adjusting the user's login address; there is no difference in function or page layout, so users do not notice the switch and the transition is as smooth as possible.
The office system solves the compatibility issues between Xinchuang and non-Xinchuang terminals through the document middle platform. On the one hand, users can use all the functions of the Xinchuang office system without installing plug-ins or office software, and without redundant operating steps; on the other hand, it removes the one-way binding between the terminal and the system, accelerates the adoption of Xinchuang office computers, and effectively eases rollout cost pressure and user experience issues.
The full-stack OA project based on cloud-native architecture was transformed in accordance with the principle of "autonomy, controllability, safety and efficiency". The project is based on open source technology, domestic software and hardware facilities, and relies on Shaanxi Rural Credit's own development platform, distributed technology and cloud-native architecture. It adopts a variety of new technologies and processes to achieve autonomy and control of the office system, effectively improving user experience and performance indicators.
This full-stack Xinchuang transformation of the office system (OA) has yielded the following lessons for subsequent Xinchuang projects. First, the Xinchuang cloud platform should be compatible with multiple technical routes and shield upper-level applications from the differences between them, so that those applications can focus on their own transformation. Second, pay attention to user experience, and do not let the Xinchuang transformation cause significant differences in business functions that affect the operating experience. Third, pay attention to the syntax differences between databases to avoid functional anomalies or reduced execution efficiency.
