XTM Composer architecture

Overview

XTM Composer is a micro-orchestration tool that manages connectors/collectors/injectors for Filigran platforms (OpenCTI and OpenAEV). Written in Rust for performance and reliability, it acts as a bridge between the platforms and container orchestration systems.

Global mechanism

Core architecture flow

┌─────────────┐     REST/GraphQL     ┌──────────────┐
│   OpenCTI   │◄────────────────────►│              │
│   Platform  │                      │  XTM         │     Container API
└─────────────┘                      │  Composer    │◄─────────────────────►┌─────────────┐
                                     │              │                       │ Orchestrator│
┌─────────────┐                      │              │                       │ (K8s/Docker)│
│   OpenAEV   │◄────────────────────►│              │                       └─────────────┘
│   Platform  │     REST/GraphQL     └──────────────┘
└─────────────┘

Main components

1. Engine Module (src/engine/)
2. Manages lifecycle of orchestration and health monitoring
3. Creates separate async tasks for each platform (OpenCTI/OpenAEV)

4. Handles graceful shutdown via system signals

5. API Module (src/api/)

6. Abstracts platform communication through ComposerApi trait
7. Handles GraphQL queries/mutations for OpenCTI

8. Manages container configuration retrieval and status updates

9. Orchestrator Module (src/orchestrator/)

10. Implements Orchestrator trait for different container systems
11. Supports Kubernetes, Docker, and Portainer

12. Handles container lifecycle operations

13. Config Module (src/config/)

14. Manages application settings from YAML files
15. Supports environment-specific configurations
16. Handles credentials and encryption keys

Terminology

XTM Composer orchestrates different types of containerized components depending on the platform:

• OpenCTI: Deploys Connectors as containers (import, export, stream)
• OpenAEV: Deploys Collectors and Injectors as containers

Each component is deployed and managed as a container:

Platform	Component Types	Deployed As
OpenCTI	Connectors	Container
OpenAEV	Collectors/Injectors	Container

This abstraction allows the composer to use the same orchestration logic regardless of the platform-specific terminology.

Execution flow

1. Initialization
2. Load configuration from config/default.yaml and environment
3. Initialize RSA private key for configuration decryption

4. Set up logging system

5. Platform Registration

6. Connect to platform (OpenCTI/OpenAEV)
7. Register composer instance with unique manager ID

8. Verify API compatibility

9. Main Orchestration Loop

10. Execute every execute_schedule seconds (default: 30s)
11. Pull connector configurations
12. Reconcile desired vs actual state
13. Apply necessary changes

Pull mechanism

Configuration retrieval (Connectors/Collectors/Injectors)

The composer periodically pulls container configurations from the platform:

// Executed every 30 seconds by default
async fn orchestrate() {
    // 1. Fetch all container configurations from platform
    // (connectors for OpenCTI, collectors/injectors for OpenAEV)
    let connectors = api.connectors().await; // Generic method name

    // 2. For each container configuration
    for connector in connectors {
        // 3. Check if container exists in orchestrator
        let container = orchestrator.get(connector).await;

        // 4. Reconcile state
        match container {
            Some(c) => orchestrate_existing(c, connector),
            None => orchestrate_missing(connector)
        }
    }
}

Container configuration structure

Each container configuration (running a connector/collector/injector) contains: - ID: Unique identifier - Name: Human-readable name - Image: Docker image to deploy - Contract Hash: Version identifier for configuration - Status: Current and requested states - Configuration: Key-value pairs (potentially encrypted)

State synchronization

The composer maintains two-way synchronization:

1. Platform → Composer (Pull)
2. Fetch latest component definitions (connectors/collectors/injectors)
3. Retrieve requested status changes

4. Get configuration updates

5. Composer → Platform (Push)

6. Report actual container status
7. Send container logs
8. Update health metrics

Update mechanism

Container lifecycle management

The update mechanism handles several scenarios:

1. Deployment (Missing Container)

// Container doesn't exist but component is defined in platform
// (connector for OpenCTI, collector/injector for OpenAEV)
async fn orchestrate_missing(connector) {
    orchestrator.deploy(connector).await;
    api.patch_status(connector.id, ConnectorStatus::Stopped).await;
}

2. Status Alignment

// Align requested status with actual state
match (requested_status, current_status) {
    (RequestedStatus::Starting, ConnectorStatus::Stopped) => {
        orchestrator.start(container).await;
    }
    (RequestedStatus::Stopping, ConnectorStatus::Started) => {
        orchestrator.stop(container).await;
    }
}

3. Configuration Updates

// Check if configuration hash changed
if requested_hash != current_hash {
    orchestrator.refresh(connector).await;  // Recreate with new config
}

4. Health Monitoring

• Tracks container restart count
• Detects reboot loops (>3 restarts in <5 minutes)
• Reports health metrics every 30 seconds for running containers

5. Log Collection

• Collects container logs every logs_schedule minutes
• Sends logs to platform for centralized monitoring
• Maintains log history for debugging

Cleanup process

The composer automatically removes orphaned containers:

// Remove containers not defined in platform
// (connectors for OpenCTI, collectors/injectors for OpenAEV)
for container in orchestrator.list().await {
    if !platform_connectors.contains(container.id) {
        orchestrator.remove(container).await;
    }
}

Configuration encryption

Hybrid encryption scheme

XTM Composer uses RSA/AES hybrid encryption for sensitive configuration:

Platform                    Composer
────────                    ────────
1. Generate AES key
2. Encrypt config with AES
3. Encrypt AES key with RSA public key
4. Send: [Version|Encrypted AES Key|Encrypted Data]
                            │
                            ▼
                    5. Decrypt AES key with RSA private key
                    6. Decrypt config with AES key
                    7. Use plaintext configuration

Encryption format

Encrypted values are Base64-encoded with structure:

[1 byte: Version][512 bytes: RSA-encrypted AES key+IV][N bytes: AES-encrypted data]

Key management

1. RSA Private Key
2. Loaded at startup from file or environment variable
3. PKCS#8 PEM format required

4. Used to decrypt AES keys

5. AES Encryption

6. AES-256-GCM for data encryption
7. Random key and IV per configuration value
8. Provides authenticated encryption

Security properties

• Confidentiality: Sensitive data encrypted at rest and in transit
• Key Isolation: Each configuration value has unique AES key
• Forward Secrecy: Compromised AES key doesn't affect other values
• Authentication: GCM mode provides data integrity

Performance considerations

1. Async/Await: All I/O operations are asynchronous
2. Periodic Execution: Configurable intervals prevent API flooding
3. Batch Processing: Multiple connectors processed in single cycle
4. Resource Efficiency: Rust's zero-cost abstractions minimize overhead
5. Error Recovery: Graceful handling of failures with retry logic

Fault tolerance

• Health Checks: Regular ping to platform ensures connectivity
• Version Detection: Re-registers on platform upgrade
• Reboot Loop Detection: Prevents infinite restart cycles
• Graceful Shutdown: Handles system signals properly
• State Persistence: Platform maintains desired state