Table of Contents

System Architecture

You are here:

Polonious Architecture (AWS hosting)

All our AWS hosting option for Polonious are based on the following minimal setup. Based on client needs, additional components can be included (see Knox-grade security below).


The Polonious web application is running inside a dedicated J2EE Apache-Tomcat application container on an Amazon EC2 instance in a public subnet within a dedicated VPC. Access to the instance is secured via Amazon security groups to only allow external access on ports 443 (HTTPS) and 22 (SSH-RSA). Additional security is provided by strict IPTables and DenyHost rules. Those rules and general Linux hardening rules are controlled and updated via Puppet.

A separate RDS EC2 instance is hosting the client database and is running in a private subnet which is not directly accessible from the internet. Security groups ensure that only the application server can access the database to make queries or update data. We utilize the Amazon RDS service to power our database. PostgreSQL is our database of choice. The RDS instance is managed and auto-patched by AWS.

RDS can be configured in Multi-Availability-Zone mode at an additional cost. Multi-AZ means that all data is replicated to a secondary RDS instance within the same region. RDS automatically fails over to the replicate in case of an outage or the primary instance.

Documents which are uploaded via the Polonious user interface are transferred to a dedicated S3 bucket. Only the client’s EC2 instance has access to this client bucket (configured via security groups). Recently accessed files are cached in the local filesystem of the EC2 instance for faster access and anti-virus scanning and are removed from cache if they are not accessed within a configured time.

Core components


ComponentRecommended versionNotes

OpenJDK 8

Oracle JDK 8

Polonious is a J2EE application and requires a Java environment to be installed on the server which hosts the J2EE application server. 
Apache TomcatTomcat 8.5.xApache Tomcat is a free and open-source J2EE application container used to run the Polonious application.
pims19.2 and laterThe core Polonious applications is a WAR file. A WAR file is a Web Application Archive which is a JAR file containing all the application logic defining the Polonious web application. The WAR file is deployed to and run in the J2EE application container Tomcat.
pims-ng19.2 and laterWith 18.2, we have begun the process of creating more re-usable, robust microservices in anticipation with client sizes of 1,000+. This architecture uses Spring Boot along with the eventual use of zuul, hystrix and other Spring Cloud components. We expect a number of other microservices and capability in 19.1, we have our best engineers working on it.
Polonious Front-End19.2 and laterWith 18.2, we have begun splitting out the new User Experience into it’s own package for deployment to tomcat. This allows the MVC Javascript application to secure itself with OAuth and then use REST calls to pims-ng to get and update data.
postgresql rdbms9.6

Postgresql has been an extremely reliable database that supports Polonious Investigation Management Systems. 

It is also the standard database when deploying to RDS on Amazon Web Services.

libreoffice (as a service)4.x / 5.xLibreOffice is a free open source software which is used by the Polonious Application to generate case reports in various file formats (e.g. PDF, DOC, XLS, ODT files). Polonious has been tested with version OpenOffice 3 and 4 as well as LibreOffice 3 and 4. It is recommended to run LibreOffice as a daemon on the application server, otherwise network has to be configured to allow access to LibreOffice.
Postfix3.x and laterPolonious requires an SMTP service. We usually configure Postfix if the customer does not have an alternative requirement such as Exchange server.
IMAP ServicePolonious has a feature to parse incoming emails and load the content of those emails including attachments into the system. It analyses the sender email and email subject and if it finds a matching case record in the system, the email is attached to that case. This feature requires the application server to access an IMAP account which can be set up by Polonious for this purpose. We can also configure to load such emails from an existing email account such as exchange server given that the IMAP protocol is supported. This component is included by default.

Optional System Components & Services


Polonious Online User HelpPolonious has user help system which explains certain UI elements within the application of the software in the various screens. The help texts are stored in our Polonious User Help System. In order to use the context help from within the Polonious application, the application server needs to be able to access via HTTPS. This component is enabled by default.
Polonious User ManualOn top of the context help system, Polonious also allows user to generate the full user manual as a PDF document. This user manual generator is hosted on server so the network needs to be configured to allow HTTP access from the application server to the remote service. This component is enabled by default.
Virus Scanning (optional paid service)Polonious can be configured to perform a virus scan on any file which is stored in the document repository via the Polonious application. Kaspersky Anti­Virus for File Server and McAfee VirusScan® for UNIX Version 6.0 are currently the only supported virus scanners that integrates with Polonious. This component is not included by default. It can be selected from the order book. 
Geo-coding (optional paid service)If the mapping module is required, Polonious uses a third-party service to provide geo-coding of addresses attached to cases, updates and persons. To access the service the network needs to be configured to allow HTTP/HTTPS access to the third-party service. This feature works in combination with the Mapping module mentioned below. This component is not enabled by default.
Mapping (optional paid service)

Polonious can be configured to display case locations, person locations and other locations on a map and e.g. assign investigators from the map view. Polonious uses third-party services to download tiles and provide the mapping framework. 

If the mapping module in Polonious is enabled the network needs to be configured to allow HTTP/HTTPS access to the selected service provider. This feature works in combination with the Geo-coding module mentioned above. This component is not included by default.

Social Searches (optional paid service)Polonious provides several plugins to integrate with social media search engines to perform background checks on persons of interest. Those features require configuration of access keys provided by the third-parties per client. Also network rules need to be defined to allow access to those external services. This component is not included by default.
Single sign-on (optional)Polonious provides integration with SAML2 compliant SSO providers. This feature requires exchanging security details between the provider and polonious and network rules to be configured. 
Previous Knox-grade security
SIU Insights report 2021How do you compare to other SIUs?

Check out some interesting results from our SIU management survey. Submit below form to receive the download link and related updates going forward.

GICOP changes 2021Download the GICOP whitepaper and stay compliant.

Our whitepaper covers all aspects you need to know to stay compliant with the latest GICOP changes coming into effect in 2021. Submit below form to receive the download link and related updates going forward.