ITVR - Automation of applicant income check with CRA

[jdon-zev]

Problem Description In order to ensure the required level of data security, the ITVR system needs to exchange applicant information with the CRA via their FTP system without manual intervention by EMLI staff.

Solution Needs

• The solution must enable the reliable exchange of applicant data, on a daily basis, with CRA via an FTP service.
• Any errors or problem in the automated process must be instantly identified so they can be addressed quickly.

Timebox

• Max 2 days

Outcome Details describing the outcome of the research

• What is the status of the work previously done by Vihbi on this issue, including the code developed and use of the dedicated windows server.
• What more work is required to implement a reliable solution, including notifications when the process has failed.

Additional Context

• If I remember correctly, Vibhi's solution involved using powershell to automate the Entrust program's encryption/decryption functionalities, and also relied on S3 object storage to relay the files between ITVR and the Windows server.
• Maybe look into whether Entrust has an API that can perform this encryption/decryption (https://www.entrust.com/resources/certificate-solutions/tools/developer-apis)

[airinggov]

I removed some of the description of this card for privacy reasons. Contact me if you need any additional info.

[AlexZorkin]

Here is our design of the Income Test Verification Rebate (ITVR) application verification process. Below is the current sequence of events:

Data Collection (Openshift/Django): The Openshift Django application runs a task every 24 hours that collects new rebate applications, filtering for a "verified" status and those needing an income level added. These applications are bundled into a file.

Monitoring Point: We should monitor the task to ensure it is running successfully and filtering the applications correctly.

Data Upload (Openshift/Django): The file containing the bundle of applications is uploaded to an S3 bucket.

Monitoring Point: We need to monitor the upload process to ensure no interruptions or errors occur.

Data Retrieval and Encryption (Windows/Entrust): A Windows server with Entrust encryption software checks the S3 bucket for new files (every hour, possibly via Windows Task Scheduler). When a new file is detected, it is downloaded to the Windows server.

Data Encryption (Windows/Entrust): The downloaded file is encrypted using the Entrust software.

Monitoring Point: We need to ensure the encryption process is successful.

Data Transfer (Windows/Entrust to CRA Server): The encrypted file is transferred to a directory on the CRA FTP server, awaiting processing.

Data Processing (CRA Server): The CRA server decrypts the incoming file, adds income levels to the applications, re-encrypts the file, and places the file back to a designated location. The processed files have different names in a specific format. The sequence number maintained in the database using django-sequences could be used to track new files.

Data Retrieval and Decryption (Windows/Entrust): The Windows server retrieves the processed file, decrypts it, and uploads the decrypted file back to an S3 bucket.

Monitoring Point: We need to monitor the process to ensure successful decryption and upload.

Processed Data Detection and Download (Openshift/Django): The Openshift Django application checks the S3 bucket for processed files. When a processed file is found, it is downloaded.

Data Update (Openshift/Django): The Django application updates its database with the rebate amounts determined by the income levels from the processed file.

Monitoring Point: We need to ensure the update process is successful and data integrity is maintained.

Data Transmission (Openshift/Django to NCDA): The Django application sends the updated applications with the new rebate amounts to the NCDA and sends an email to the applicant notifying them of their application's approval.

Monitoring Point: Ensure the data transmission to NCDA and email delivery is successful.

Data Integration (NCDA): The NCDA takes the received data and updates a SharePoint server. This file can then be accessed by car dealers to verify if a buyer qualifies for a rebate.

Given the complexity of this process, especially the integration between Django, Windows/Entrust, and CRA server, I estimate this as a high complexity task. Our current understanding is mostly based on inference and some direct knowledge, and it would be advisable to engage with the middle-tier team to ensure nothing is overlooked.

In addition to the specific monitoring points identified, I recommend a holistic monitoring and alerting mechanism to provide end-to-end visibility into the process. As the workflow involves multiple environments (Openshift, Windows/Entrust, CRA server), a unified approach will be critical. Potential issues such as service disruptions, security vulnerabilities, and performance degradation can be proactively identified and remedied with such a system.

In terms of tools, Openshift supports integration with popular monitoring and analytics platforms. One such tool is Prometheus, an open-source system monitoring and alerting toolkit that can handle multi-dimensional data collection. Coupled with Grafana for visual analytics, it can provide a robust solution for real-time monitoring and data visualization. By configuring Prometheus to scrape metrics from Openshift, we can collect relevant application and system metrics. This data can then be visualized using Grafana dashboards to provide a clear view of the health of our services.

Finally, I think we should explore the potential to modernize the encryption process, if possible. While the current setup uses an older piece of proprietary software, it's possible there could be an API or a more recent encryption library that we could use. We should assess the feasibility of this approach while considering the security and compliance aspects.