REALME REPLATFORMING FREQUENTLY ASKED QUESTIONS - VERSION 1.1 (FINAL) MARCH 2021 - REALME FOR DEVELOPERS

Page created by Regina Hudson
 
RealMe® Replatforming
Frequently Asked Questions

                             Version 1.1 (FINAL)
                                    March 2021

Revision History
Version   Date               Description of changes
0.1       9 March 2020       Initial draft
0.2       19 March 2020      Refinement based on DIA feedback
0.3       24 April 2020      New RSA Token and Data Centre locations questions.
0.4       18 May 2020        Revised Data Centre response.
0.5       14 October 2020    Minor updates to reflect changes to RSA Token solution and the new EIT environment.
0.6       17 February 2021   Updates to browser information (3.2 and 3.3).
1.0       23 March 2021      Final version for go-live.
1.1       31 March 2021      Minor update to include supported Browser versions.


Table of Contents
1.   REPLATFORMING PROCESS
     1.1.      What do I need to do to integrate with the replatformed RealMe®?
     1.2.      Is there a reason for the single cutover in Production? Would it be possible for the existing and replatformed RealMe to run in parallel for a period of time?
     1.3.      Would it be possible to perform a ‘dry run’ and test application connectivity to Production before go live?
2.   DATA MIGRATION
     2.1.      Will data be migrated for all environments?
     2.2.      Why are you only migrating three years of audit data?
     2.3.      Will the format and content of the FLT remain the same?
     2.4.      How will the migrated data be validated?
3.   TECHNICAL
     3.1.      Where are the Data Centres located?
     3.2.      What Browsers will the replatformed RealMe® support?
     3.3.      What Browsers will the replatformed HelpDesk Web Application support?
     3.4.      Will the ‘SMS Watcher’ functionality be available in the replatformed ITE environment?
     3.5.      What functionality will the replatformed MTS environment provide?
     3.6.      Will the replatformed RealMe support Artifact Binding?
     3.7.      We are using Artifact Binding and want to amend our firewall rules to allow access to the new endpoints. Is there a reason that you’re not providing the IP Addresses for the new endpoints?
     3.8.      Will you continue to support RSA Tokens for applications other than the RealMe Help Desk?
     3.9.      What is the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
     3.10.     Will there be two separate DNS names for the primary / secondary Data Centres?
     3.11.     Will you be synchronising DNS data?
4.   TIMELINE
     4.1.      What is the expected outage period?
     4.2.      Has the timeline been communicated to the executive level of each agency?
5.   DOCUMENTATION
     5.1.      What is covered by the Certification and Accreditation process and what information will we receive?
     5.2.      Will the existing ITE environment remain available at the same time as the replatformed environment?
     5.3.      What other information is available?


1. Replatforming Process
1.1. What do I need to do to integrate with the replatformed RealMe®?
     For most agencies the process for application replatforming will be a simple configuration
     change to use a new Identity Provider (IdP) metadata file. This file will contain a new
     certificate and new endpoints for RealMe services. Depending on your network configuration,
     some agencies may also require amended firewall rules to allow their application to access
     the new endpoints.
     There will be no requirement to supply new Service Provider metadata files and/or certificates
     as these will be migrated as part of the replatforming exercise.
     For further information regarding the requirements for replatforming your application, please
     refer to the Agency Onboarding Pack available on the Developer’s website.
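
An added example, not part of the RealMe documentation: one way to compare the current and the new IdP metadata before cutover, listing the endpoints that changed, the hostnames a firewall rule would need to allow, and the SHA-256 fingerprint of the new signing certificate. It assumes SAML 2.0 metadata with an `EntityDescriptor` root; the hostnames, paths and certificate bytes in `sample_metadata` are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sample_metadata(host, cert_bytes):
    """Constructed IdP metadata; cert_bytes stands in for a real DER certificate."""
    cert = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://{host}/saml2/entity">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
   Location="https://{host}/saml2/artifact"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://{host}/saml2/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarise_idp_metadata(xml_text):
    """Extract entityID, endpoints and signing-cert fingerprints (no signature check)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = set()
    for tag in ("SingleSignOnService", "ArtifactResolutionService"):
        for el in idp.findall(f"md:{tag}", NS):
            endpoints.add((tag, el.get("Binding"), el.get("Location")))
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.add(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "certs": certs}

def diff_idp_metadata(old_xml, new_xml):
    """Report what a Service Provider must change when swapping IdP metadata."""
    old, new = summarise_idp_metadata(old_xml), summarise_idp_metadata(new_xml)
    added = new["endpoints"] - old["endpoints"]
    return {
        "entity_id_changed": old["entity_id"] != new["entity_id"],
        "added_endpoints": sorted(added),
        "firewall_hosts": sorted({urlsplit(loc).hostname for _, _, loc in added}),
        "non_https": sorted(loc for _, _, loc in added if urlsplit(loc).scheme != "https"),
        "new_cert_sha256": sorted(new["certs"] - old["certs"]),
    }
```

Compare the reported fingerprint with one obtained from the IdP operator through a separate channel before trusting the new file.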

1.2. Is there a reason for the single cutover in Production? Would it be possible
     for the existing and replatformed RealMe to run in parallel for a period of
     time?
     The single cutover is required because it is technically complex and very costly to develop and
     support synchronisation of data between two incompatible database structures. This is
     exacerbated by the sheer volume of data which must be migrated, meaning that it will not be
     possible to run the two RealMe instances in parallel. Several data migration approaches were
     considered, and a single cutover was assessed as the lowest risk option.
     A Proof of Concept has been run to validate this approach and we will continue to assess, test
     and validate every step of the way. For further information regarding data migration refer to
     section 2.4 (below).

1.3. Would it be possible to perform a ‘dry run’ and test application connectivity
     to Production before go live?
     The Production endpoints will be available prior to go live to allow agencies to ensure the
     endpoints are accessible; however, it will not be possible for agencies to integrate their
     applications to the Production environment until go live. The Message Testing Site (MTS) and
     Integrated Testing Environment (ITE) should be used to test application integration.
     The new Early Integration Test (EIT) environment will also be available to agencies who utilise
     the Assert then Login flow and/or run their own RealMe Help Desks. As per our previous
     correspondence, if you’re not in the aforementioned group and would like to participate in
     early integration testing, please let us know and we will endeavour to accommodate you.

2. Data Migration
2.1. Will data be migrated for all environments?
     Yes, RealMe® user data and three years of associated audit data will be migrated from the
     MTS, ITE and Production environments to the replatformed RealMe. Note that data held by
     the Identity Verification Service (IVS) and Address Verification Service (AVS) will continue to be
     hosted onshore by Datacom and NZ Post respectively and will not be migrated to MS Azure
     B2C.

2.2. Why are you only migrating three years of audit data?
     RealMe is technically only required to hold three years of audit data. However, all audit data
     will be archived should it need to be retrieved for any reason.


2.3. Will the format and content of the FLT remain the same?
     Existing Federated Login Tags (FLT) will be migrated and will not change.
     New FLT will be the same length, i.e. a maximum of 35 characters; however, the first three
     characters of newly issued FLTs will change to AZU from the current WLG and AKL prefixes.

2.4. How will the migrated data be validated?
     A robust data migration process has been designed to ensure the integrity of both the user
     and log data. A Data Migration Briefing Note which provides further information regarding
     the data migration approach is available on the RealMe Developers website.

3. Technical
3.1. Where are the Data Centres located?
     Microsoft have advised that their new Australian data centre will not be available by our
     expected go-live date. The RealMe Programme Governance Board has therefore approved the
     use of Microsoft’s United States data centre for the replatforming of RealMe. When the
     Australian data centre becomes available (or the New Zealand data centre, as indicated
     recently via media by Microsoft), then this decision may be revisited.
     This change has been subject to a Privacy Impact Assessment and a Security Review, the
     outcomes of which were reviewed by the GCDO Working Group and the DIA Privacy Advisor,
     who subsequently endorsed the decision.

3.2. What Browsers will the replatformed RealMe® support?
     The replatformed RealMe will support the following Browsers:
      •    Chrome version 53 and above
      •    Edge HTML16 and above
      •    Firefox 52 and above
      •    Safari 14.0.3 and above

     The replatformed RealMe will no longer support Internet Explorer as Microsoft are
     deprecating support for this browser. For further information refer to
     https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666.

3.3. What Browsers will the replatformed HelpDesk Web Application support?
     The replatformed HelpDesk Web Application will support the following Browsers:
       • Chrome version 89.0.4389.90 and above
       • Edge version 89.0.774.57 and above
       • Firefox version 78.8.0 and above

3.4. Will the ‘SMS Watcher’ functionality be available in the replatformed ITE
     environment?
     No, the ‘SMS Watcher’ functionality has been deprecated. Test users can be set up with a
     Test Mobile Account and/or email as follows:
     a. Mobile/Text MFA. We have enabled a series of test mobile numbers as follows:
         - Enter a mobile in the format +64 11 N where N is a unique number of your choice. It
             must be at least 4 digits and no more than 16.
         - The code is: 2bada985-5493-4edd-8aba-d3cfef7e4b31

     b. Email. We have enabled a test email address as follows:
        - Email: test@testing.com
        - The code is: 4ec1e939-1cf5-4b64-9686-519f96ce9b60

3.5. What functionality will the replatformed MTS environment provide?
     MTS will mirror the functionality available in the replatformed ITE and Production
     environments and will provide a range of test tools to allow integrators to develop and test
     their initial application integration to the replatformed RealMe.

3.6. Will the replatformed RealMe support Artifact Binding?
     Yes, the replatformed RealMe will continue to support Artifact Binding until all agencies move
     to POST binding.

3.7. We are using Artifact Binding and want to amend our firewall rules to allow
     access to the new endpoints. Is there a reason that you’re not providing the
     IP Addresses for the new endpoints?
     This is not the preferred option as Microsoft cannot guarantee that the IP Address ranges will
     remain fixed. If you wish to discuss this option, please contact us via
     integrations@realme.govt.nz.

3.8. Will you continue to support RSA Tokens for applications other than the
     RealMe Help Desk?
     DIA has re-assessed the use of RSA Tokens and the decision has been made to integrate the
     replatformed RealMe with the existing RSA Token Server. Agencies who currently use RSA
     Tokens for applications other than the RealMe Help Desk will not need to take any further
     action.

3.9. What is the Recovery Time Objective (RTO) and Recovery Point Objective
     (RPO)?
     The non-functional requirements for the replatformed RealMe state an RTO of 60 minutes and
     an RPO of 5 minutes.
     MS Azure B2C maintains zero RTO for token issuance and directory reads and in the order of
     minutes (approx. 5 mins) RTO for directory writes. B2C maintains zero RPO and will not lose
     data on failovers.
     For further information refer to
     https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-architecture.

3.10. Will there be two separate DNS names for the primary / secondary Data
      Centres?
     There will be a single DNS name for both Data Centres.

3.11. Will you be synchronising DNS data?
     Yes, we will be performing DNS synchronisation of zone data and root hint data.


4. Timeline
4.1. What is the expected outage period?
     The outage period has now been confirmed as follows:
      - At 9pm on Friday 9 April 2021 the login and assertion services will be taken down.
      - The team will perform the final data migrations and configure the new services from
        9pm on Friday night until 6am Sunday. The team will advise agencies by 6am Sunday
        that their integrations can start from 9am.
      - Agencies will be able to integrate to the new platform from 9am Sunday 11 April.
        Services will be unavailable to the agency's users until the agency completes its
        integration on Sunday.
     The process has been designed to streamline data migration as it ensures that the bulk of the
     user and audit data will be migrated prior to go live.

4.2. Has the timeline been communicated to the executive level of each agency?
     We expect agencies to communicate details of the RealMe replatforming internally. We will
     also brief the new Digital Public Service (DPS) branch of DIA who lead development and
     implementation of ICT Common Capabilities across government.

5. Documentation
5.1. What is covered by the Certification and Accreditation process and what
     information will we receive?
     The Certification and Accreditation process will cover all aspects of the replatforming of
     RealMe®, including data migration. The following artefacts have been commissioned and
     relevant excerpts will be released to agencies upon completion:
      - Privacy Impact Assessment (completed, recommendations under review)
      - Security Design Review
      - Security Risk Assessment
      - Controls Validation Plan and Audit
      - Code and Configuration Review
      - Penetration Testing
      - Audit Report
      - System Security Certificate
     In the meantime, we would be very interested to know what you will require to assist you with
     your internal C&A processes.

5.2. Will the existing ITE environment remain available at the same time as the
     replatformed environment?
     Yes, the existing MTS and ITE environments will run in parallel with the replatformed
     environments until go live for support purposes. They will be taken offline as part of the go
     live process and all future testing will be against the replatformed environments.

5.3. What other information is available?
     Further information and documentation related to the replatforming of RealMe can be found
     on the developer’s website. If you have a question which is not covered by the
     documentation, please email us via integrations@realme.govt.nz.
