ČSOB Stavební needed to modernize its Identity Server, which, after years of running on OpenAM 13, had become limiting in terms of further development and increasingly demanding to maintain. To ensure service continuity for more than 1 million clients, nearly 1,500 sales representatives, and 19 connected applications, we designed and delivered a migration to Wren:AM. The goal was to eliminate technical debt, preserve the seamless operation of integrated systems, and prepare the solution for future development.
Initial situation
Since 2017, ČSOB Stavební had been operating an Identity Server based on a customized version of OpenAM 13 and OpenDJ storage.
A number of systems were connected to the solution, including the Client Zone, Nová eLiška, and Salesforce. The Identity Server (IDS) authenticates ČSOB Stavební clients (OIDC), ČSOB Stavební sales representatives (OIDC), ČSOB Stavební employees (Kerberos), ČSOB clients (authentication transfer), and ČSOB employees (RADIUS).
Over the years, the robustness of the solution built on commercially supported open-source software and its ability to respond flexibly to new requirements had proven themselves. However, after six years of operation, OpenAM 13 had naturally become outdated, and the original vendor had also discontinued open-source development. This led to increasing maintenance demands and the need either to upgrade the core of the solution or move to a new system.
“The original application had limited options for further development. At the same time, we needed to introduce a system for user authorization and authentication for frontend applications such as NEL, KZ, SB, and others.”
— Pavel Jiránek, Head of IT Operations, ČSOB Stavební
Given the complexity of the entire system and the investment already made in building it, together with GEM System as the system integrator, we proposed an option to address the accumulated technical debt without requiring ČSOB to invest in a transition to a completely different system.
Core solution: migration from OpenAM to Wren:AM
After evaluating the alternatives, ČSOB Stavební decided to migrate to Wren:AM, the direct open-source successor to OpenAM, with support available in the Czech Republic. This solution was the most feasible and the most advantageous in terms of total cost of ownership (TCO).
Challenges and issues addressed
The migration required building a new environment and introducing a different deployment and operating model.
The biggest challenge was that the Identity Server (AM) remained a live production system throughout the migration, integrated with 19 applications, and these applications had to continue functioning after the transition without major revisions to their integrations. During the migration, it was also necessary to:
- preserve the original realm configuration and the continuity of ESB services such as SMS Service and Mail Service;
- ensure uninterrupted operation of registered technical accounts for integrated systems;
- preserve the audit log format, including compatibility with storage in CEF format;
- ensure migration repeatability, including the possibility of switching back from the new solution to the old one if any integrated applications showed issues.
Our approach to the solution
To manage the transition, a comprehensive migration plan was developed based on task automation and the Infrastructure as Code (IaC) approach.
The entire process was validated in the DEV environment to ensure correct functionality. During the process, performance tests were updated, and assistance was provided for upgrades in higher environments (TEST, PREP, and PROD).
The implementation also included performance and penetration testing in accordance with ČSOB Stavební standards.
“The supplier’s staff were always available by phone, willing to work outside standard business hours, and their technical expertise was very high. They proactively proposed new solutions and were very willing to share the necessary know-how with the client’s staff, including in other IT areas.”
— Pavel Jiránek, Head of IT Operations, ČSOB Stavební
Results
- The migration to a supported system was successfully completed, ensuring service continuity for both applications and audit processes.
- Costs and workload were significantly reduced thanks to automation and the ability to repeat the migration process easily.
- Service availability was practically unaffected by the migration, and the integrated applications required no modifications.
- Both the security and throughput of the system increased.
- The introduced Infrastructure as Code (IaC) and Configuration as Code (CaC) approaches proved successful and prepared the solution for future operation in a containerized environment.
Following the successful migration, the old environment was decommissioned.
“We created an additional security layer for access to target systems that meets the highest security standards and can be extended to a wide range of other IT systems. The project also included the addition of 2FA authentication.”
— Pavel Jiránek, Head of IT Operations, ČSOB Stavební
ČSOB Stavební Identity Server supports:
- more than 1 million clients
- nearly 1,500 sales representatives
- 19 integrated systems and applications
System load
- 1,000 AM requests per minute
- 1,000 active concurrent sessions
- 10,000 active concurrent tokens (CTS)
