# Architecture

SmartCMS is implemented as a **multi‑tier web application** built entirely on open standards, designed for flexibility, security, performance, and seamless integration into complex enterprise environments. The system architecture consists of five main components: **Client**, **Web Server**, **Application Server**, **Database Server**, and **CA Service Gateway**.

SmartCMS was designed with two primary goals in mind:

- **Simplicity and flexibility of deployment**
- **High scalability at all architectural levels**

# 1. Overview of the Multi‑Tier Architecture

The SmartCMS architecture follows a clean separation of concerns between front‑end visualization, business logic, persistence, and cryptographic backend systems. The design offers:

- Strong modularity
- A stateless core application
- DB‑driven session and state persistence
- Transparent scaling of each architectural layer
- Support for multiple CA backends (via the gateway)

The five major components are:

1. **Client (UKC – Universal KeyChain)**
2. **Web Server**
3. **Application Server**
4. **DBMS (Database Server)**
5. **CA Service Gateway**

Each is described in depth below.

# 2. Client (Universal KeyChain – UKC)

The SmartCMS client consists of:

- A **web application** built using modern standards (HTML5, CSS, JavaScript)
- A local desktop component, the **Universal KeyChain (UKC)**, developed by Bit4id

The client interacts with the Web Server over **HTTPS** and supports the following browsers:

- Internet Explorer
- Microsoft Edge
- Mozilla Firefox
- Google Chrome
- Apple Safari

### Client Capabilities

- Reading/writing smart cards and USB tokens
- Interacting with webcams, card readers, and biometric devices
- Handling digital signatures and cryptographic operations
- Smart card logon
- Zero‑configuration proxy handling (reads the browser/system proxy settings automatically)

UKC exposes all cryptographic functionality required by the user and the CMS, replacing the need for multiple vendor‑specific client tools. Because UKC bridges the browser to the user's local cryptographic hardware, the channel between the web application and UKC is part of the trust boundary and should be treated as such when deploying the client.
# 3. Web Server

SmartCMS uses **NGINX**, a widely deployed, high‑performance open‑source web server and reverse proxy. It is responsible for:

- Accepting HTTPS client requests
- Serving static assets (HTML, CSS, JS, images)
- Routing dynamic requests to the Application Server
- Enabling load balancing and failover mechanisms
- Running lightweight master/worker processes with a minimal memory footprint

NGINX supports:

- HTTP/1.1
- SSL/TLS termination
- SNI
- TLSv1.1 / TLSv1.2
- FastCGI
- Reverse proxying
- Load balancing across multiple Application Server nodes

The protocol list above describes what the web server can speak, not what should be enabled: TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so the NGINX instance in front of SmartCMS should be configured to offer only TLS 1.2 and, where the NGINX/OpenSSL build allows it, TLS 1.3 (`ssl_protocols TLSv1.2 TLSv1.3;`).

SmartCMS is platform‑independent and supports NGINX on:

- UNIX
- Linux
- BSD
- macOS
- Solaris
- Windows

# 4. Application Server

The Application Server is built on top of a **WSGI‑compliant Python environment** and contains all core SmartCMS business logic. It is fully modular, plug‑in‑based, and abstracted from:

- Databases
- CA backends
- External identity sources
- Hardware components

### Key Features

- **Stateless architecture**: the application retains no in‑memory state; all session and state information is stored in the DBMS, which enables horizontal scaling. Since the database is then the only place a session exists, the session identifier handed to the client is the sole secret binding a request to a user; it must come from a cryptographically secure random source and travel only over HTTPS.
- **DB adapters** for full compatibility with:
  - PostgreSQL
  - MySQL
  - Oracle
  - MariaDB
  - and other relational databases
- **Hot‑swap upgrades without downtime**: new versions are deployed to a parallel environment and swapped live
- **High‑granularity logging** with customizable output destinations
- **Monitoring interfaces** for performance and diagnostics

The server uses an **Inversion of Control (IoC)** container, allowing external modules to be injected without modifying the application code.
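The stateless design described for the Application Server (and relied on again in the scalability model, where any node may serve any request), as an added example that is not SmartCMS or Bit4id code: two WSGI nodes share one relational session store, so a session opened on node A is accepted by node B and a logout on A is seen by B on its very next request. An in-memory sqlite3 database stands in for the PostgreSQL/MySQL/Oracle/MariaDB backends named above; the `sessions` table layout, the cookie name `sid`, the 900-second TTL and the node names are assumptions made for this example. It also shows the two controls a reviewer would look for around DB-backed sessions: tokens drawn from the OS CSPRNG, and only a digest of the token persisted, so that reading the sessions table yields nothing replayable.

```python
"""Added example, not SmartCMS code: two stateless WSGI nodes sharing one
relational session store. sqlite3 in memory stands in for the production DBMS;
the table layout, cookie name "sid", TTL and node names are assumptions."""
import hashlib
import io
import secrets
import sqlite3
import time
from wsgiref.util import setup_testing_defaults

SESSION_TTL = 900  # seconds a session stays valid; assumed value


class DbSessionStore:
    """Server-side sessions; only a SHA-256 digest of the token is stored."""

    def __init__(self, conn=None):
        self.conn = sqlite3.connect(":memory:") if conn is None else conn
        with self.conn:
            self.conn.execute("CREATE TABLE IF NOT EXISTS sessions (token_hash TEXT PRIMARY KEY,"
                              " user_id TEXT NOT NULL, expires_at INTEGER NOT NULL)")

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        with self.conn:
            self.conn.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                              (self._digest(token), user_id, int(now) + SESSION_TTL))
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        row = self.conn.execute("SELECT user_id, expires_at FROM sessions WHERE token_hash = ?",
                                (self._digest(token),)).fetchone()
        if row is None or row[1] <= now:
            return None  # unknown and expired look the same to the caller
        return row[0]

    def destroy(self, token):
        with self.conn:
            self.conn.execute("DELETE FROM sessions WHERE token_hash = ?", (self._digest(token),))


def make_node(name, store):
    """One application-server node: every request is authenticated against the shared store."""

    def app(environ, start_response):
        cookies = dict(c.strip().split("=", 1)
                       for c in environ.get("HTTP_COOKIE", "").split(";") if "=" in c)
        token, path = cookies.get("sid"), environ["PATH_INFO"]
        plain = [("Content-Type", "text/plain")]
        if path == "/login":
            user = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode()
            token = store.create(user)
            start_response("200 OK", plain + [
                ("Set-Cookie", f"sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/")])
            return [f"{name}: session created for {user}".encode()]
        user = store.lookup(token) if token else None
        if user is None:
            start_response("401 Unauthorized", plain)
            return [f"{name}: no valid session".encode()]
        if path == "/logout":
            store.destroy(token)  # visible to every node on its next lookup
            start_response("200 OK", plain)
            return [f"{name}: session destroyed".encode()]
        start_response("200 OK", plain)
        return [f"{name}: hello {user}".encode()]

    return app


def call(app, path, method="GET", body=b"", cookie=""):
    """Drive a WSGI app in-process; returns (status, headers dict, body text)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body_out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body_out.decode()


def demo():
    """Log in on node A, use the session on node B, log out on A, retry on B."""
    store = DbSessionStore()
    node_a, node_b = make_node("node-a", store), make_node("node-b", store)
    _, headers, _ = call(node_a, "/login", "POST", b"alice")
    sid = headers["Set-Cookie"].split(";", 1)[0]  # "sid=<token>"
    return [call(node_b, "/profile", cookie=sid)[2],
            call(node_a, "/logout", cookie=sid)[2],
            call(node_b, "/profile", cookie=sid)[2]]
```

Because the nodes hold nothing in memory, the third request fails on node B even though the logout happened on node A; that is exactly the property that lets a load balancer send consecutive requests to different nodes and lets a node be taken out of rotation for a rolling upgrade without invalidating anyone's session.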
# 5. Database Server (DBMS)

The DBMS stores:

- All SmartCMS persistent data
- User session information
- Device lifecycle status
- Certificate metadata
- Organizational hierarchy
- Audit logs (stored in a separate auditing DB)

Keeping the audit trail in its own database allows it to be given its own credentials, so that an application account with write access to the main schema does not automatically gain the ability to alter or delete audit records.

Supported deployment configurations:

- **Clustering**
- **Replication**
- **Sharding**
- **Failover secondary nodes**
- **High availability setups**

### Schema Migrations

SmartCMS provides a fully automated **data migration system**:

- Forward and backward migrations
- Transactional safety
- Automatic transformation of data
- Safe schema evolution during module installation/upgrades

This keeps schema and data consistent across upgrades in production environments.

# 6. CA Service Gateway

The **CA Gateway** abstracts communication between SmartCMS and Certification Authorities (CAs). It acts as a **broker**, enabling SmartCMS to operate with multiple CA backends simultaneously.

Supported operations:

- Certificate issuance
- Batch issuance (when supported by the CA)
- Suspension
- Reactivation
- Revocation
- Renewal

Of these lifecycle operations only suspension is reversible: it corresponds to the X.509 revocation reason `certificateHold` (RFC 5280), which a subsequent reactivation lifts, whereas a permanent revocation cannot be undone and must not be masked by renewing the certificate.

Each CA may expose a different API (SOAP, REST, proprietary), and the Gateway contains a specific connector for each. This ensures that **no changes** are required in the core system when adding or switching CA providers.
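The broker role of the CA Gateway, as an added example that is not SmartCMS or Bit4id code: a gateway that routes issuance, suspension, reactivation, revocation and renewal to whichever connector issued the certificate, validates each state transition before calling the CA, and records an audit entry for every successful operation. The connector names (`rest-ca`, `soap-ca`), the serial-number format and the in-memory CA standing in for a real SOAP/REST connector are assumptions made for this illustration. The transition table encodes the RFC 5280 rule that `certificateHold` is the only revocation state that can be lifted; once a certificate is permanently revoked, reactivation, a second revocation and renewal are all refused rather than silently accepted.

```python
"""Added example, not SmartCMS/Bit4id code: a CA Service Gateway brokering
lifecycle operations across CA connectors under the RFC 5280 rule that
suspension (certificateHold) is reversible and revocation is not. Connector
names, serial formats and the in-memory CA are assumptions for this example."""
import itertools


class LifecycleError(Exception):
    """The requested operation is not valid in the certificate's current state."""


TRANSITIONS = {  # operation -> (states it may be applied from, resulting state)
    "suspend": ({"active"}, "suspended"),
    "reactivate": ({"suspended"}, "active"),
    "revoke": ({"active", "suspended"}, "revoked"),
}


class InMemoryCa:
    """Stand-in connector; a real one wraps the CA's SOAP/REST/proprietary API."""

    def __init__(self, name):
        self.name = name
        self._serials = itertools.count(1)
        self._certs = {}  # serial -> {"subject", "template", "status", "reason"}

    def issue(self, subject, template):
        serial = f"{self.name}:{next(self._serials):06x}"
        self._certs[serial] = {"subject": subject, "template": template,
                               "status": "active", "reason": None}
        return serial

    def describe(self, serial):
        return dict(self._certs[serial])

    def set_status(self, serial, status, reason):
        self._certs[serial].update(status=status, reason=reason)


class CaGateway:
    """Routes each call to the issuing connector after validating the transition."""

    def __init__(self, *connectors):
        self.connectors = {ca.name: ca for ca in connectors}
        self._owner = {}  # serial -> connector name
        self.audit = []   # (operation, serial, ca, from_state, to_state, detail)

    def _connector_for(self, serial):
        return self.connectors[self._owner[serial]]

    def issue(self, ca_name, subject, template):
        serial = self.connectors[ca_name].issue(subject, template)
        self._owner[serial] = ca_name
        self.audit.append(("issue", serial, ca_name, None, "active", template))
        return serial

    def _transition(self, op, serial, reason):
        ca = self._connector_for(serial)
        allowed, target = TRANSITIONS[op]
        current = ca.describe(serial)["status"]
        if current not in allowed:
            raise LifecycleError(f"{op} not allowed while {serial} is {current}")
        ca.set_status(serial, target, reason)
        self.audit.append((op, serial, ca.name, current, target, reason))
        return target

    def suspend(self, serial):
        return self._transition("suspend", serial, "certificateHold")

    def reactivate(self, serial):
        return self._transition("reactivate", serial, None)

    def revoke(self, serial, reason="keyCompromise"):
        return self._transition("revoke", serial, reason)

    def renew(self, serial):
        """Issue a fresh certificate for the same subject/template on the same CA.
        A revoked certificate is never renewed: that would quietly undo the revocation."""
        ca = self._connector_for(serial)
        cert = ca.describe(serial)
        if cert["status"] == "revoked":
            raise LifecycleError(f"cannot renew revoked certificate {serial}")
        return self.issue(ca.name, cert["subject"], cert["template"])


def demo():
    """Walk one certificate through its lifecycle on one of two registered CAs."""
    gw = CaGateway(InMemoryCa("rest-ca"), InMemoryCa("soap-ca"))
    serial = gw.issue("rest-ca", "CN=alice", "employee-auth")
    results = {"suspend": gw.suspend(serial),        # active -> suspended
               "reactivate": gw.reactivate(serial),  # suspended -> active
               "renewed_on": gw.renew(serial).split(":")[0],  # stays on rest-ca
               "revoke": gw.revoke(serial)}          # active -> revoked
    for op in (gw.reactivate, gw.revoke, gw.renew):  # nothing is allowed after revocation
        try:
            op(serial)
            results["after_revoke_" + op.__name__] = "allowed"
        except LifecycleError:
            results["after_revoke_" + op.__name__] = "refused"
    results["audit_ops"] = [entry[0] for entry in gw.audit]
    return results
```

Adding a new CA provider means registering another connector with the same three methods; the transition checks and the audit trail live in the gateway, so they apply uniformly regardless of which backend API the connector speaks.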
# 7. Scalability Model

SmartCMS was designed from inception for **horizontal scalability**, both in the frontend and in the backend. Key scalability features include:

### Stateless Application Servers

All user session data is stored in the database. Any request can be handled by any node, enabling:

- Load balancing
- Horizontal scaling by adding Application Server nodes, bounded in practice only by the capacity of the shared database tier
- Rolling upgrades with zero service interruption

### Scalable Web Server Layer

NGINX supports:

- Multi‑worker processing
- Load distribution across multiple App Server nodes
- Graceful degradation
- Failover handling

### Database Scalability

Using replication, sharding, and clustering strategies, the DBMS can scale for both:

- Read‑heavy workloads
- Write‑intensive workflows (e.g., large‑scale issuance campaigns)

# 8. Modularity

SmartCMS utilizes a **modular architecture** with:

- Clear API boundaries
- Replaceable modules
- IoC-driven dependency injection
- No need for system-wide recompilation when replacing components

This design supports:

- Custom workflows
- Customer-specific integrations
- Additional identity verification steps
- New device types
- New certificate templates
- Custom data models (extended personal data attributes)

# 9. Summary

The SmartCMS architecture is:

- **Modular**
- **Scalable**
- **Secure**
- **Enterprise-ready**
- **CA‑agnostic**
- **Flexible and extensible**

It supports deployments ranging from small organizational setups to national-scale digital identity infrastructures.