# Government/Travel Enterprise Agent

The government/travel enterprise agent is a system that allows an organization to connect to users, verify health credentials and travel information, and issue travel credentials. It is comprised of three main components:

* ACA-Py
* Controller
* UI

## Aries Cloud Agent Python (ACA-Py)

As the name states, ACA-Py is the Aries agent that implements the Indy and Aries standards. Cardea/Indicio code interacts with ACA-Py, but we almost never have to work directly with the Python code. The Indicio Python team and the Aries community make upgrades and updates to ACA-Py that we can take advantage of. Because of our close involvement with the community, we have been able to regularly make feature requests and prioritize our development needs.

## Controller (API)

The controller is the API for the system. It communicates with ACA-Py using HTTP API calls and webhooks, and with the UI using a WebSocket connection (and a few HTTP APIs). We will be developing the controller's HTTP API further in the future.

**The controller code is written using Node.js and Express.js running behind an Nginx server. PostgreSQL is used for the database.**

Some notable npm packages include:

* Axios for HTTP calls
* bcryptjs for password hashing
* db-migrate for database migrations
* sequelize as a database ORM
* nodemailer for some simple account emails
* passport for managing logins
* ws for WebSockets

Most of the interaction between the controller and the UI uses WebSockets: the interface is relatively chatty, and a persistent connection eliminates the overhead of reconnecting for every exchange.

## UI

The UI is responsible for presenting the information and the actions available on the system in a user-friendly way. Presently the UI allows the user to manage invitations, contacts, credentials, users, and settings.

**The UI is written using React.js and interacts with the controller via WebSockets (and a handful of HTTP API calls).**

Some notable npm packages include:

* Axios for HTTP calls
* React Router
* Styled Components

## Enterprise Agent / ACA-Py Flow

In the diagram below, the UI is off to the left, the controller is the four columns in the middle, and ACA-Py is off to the right.

```plantuml
participant "UI/App.js" as UI
participant websockets.js
participant agentLogic
participant adminAPI
participant agentWebhooks.js
participant "ACA-Py" as Agent

UI -> websockets.js: via WebSocket connection\n(controllerSocket)
websockets.js -> agentLogic
agentLogic -> adminAPI
adminAPI -> Agent: via standard HTTP API calls
note over Agent: ACAPY uses its local database\nand DIDComm to issue\ncredentials, verify\npresentations, etc.
Agent -> agentWebhooks.js: via standard HTTP API calls
agentWebhooks.js -> agentLogic: via adminMessage calls,\nusually at the end of\neach route
agentLogic -> UI: via WebSocket connection\nsendMessage or sendMessageToAll
```

## Security

The Government/Travel Enterprise Agent includes some basic but important security features.

### API Integration

* OAuth
* Client certificates
* IP whitelisting (for API)

### HTTPS

We utilize TLS 1.2 for connections between the controller and UI. The relevant Nginx directives are:

```nginx
ssl_protocols TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
```

Note that the `!RC4` entry later in the string permanently removes the RC4 suites, so the earlier `EECDH+aRSA+RC4` group does not end up in the negotiated cipher list; `openssl ciphers -v '<string>'` shows the effective list.

### DIDComm

DIDComm is used by ACA-Py for communicating with the controller and with mobile/holder agents. DIDComm messages are encrypted end to end, so they remain protected even if the connection they travel over is not.