Mathieu CARBONNEAUX OSUAGWU
Senior Infrastructure Solutions Architect

Introduction and evolution of large-scale monitoring tools

I introduced Zabbix at SFR to replace Cacti for SNMP monitoring of network equipment. In this context, I collaborated with Zabbix publisher to develop major features that were integrated into version 2.3: Low Level Discovery (LLD), provisioning API, and JMX proxy.

In 2017, I participated in migrating monitoring tools to a modern Prometheus/Thanos/Grafana stack for metrics.

In parallel, I implemented massive use of ELK (Elasticsearch/Logstash/Kibana) for storing and analyzing hosting infrastructure logs.

In 2020, I designed and deployed a data lake based on ClickHouse (much more efficient than ELK for our volume), coupled with Kafka for real-time ingestion and Grafana for visualization. This platform currently stores all production logs, over 300 TB of data (compressed to 35 TB), enabling historical and real-time analysis of the entire SI.

• Introduction of Zabbix and contribution to v2.3 development
• Migration Cacti → Zabbix → Prometheus/Thanos → ClickHouse
• Implementation of 300+ TB data lake on ClickHouse/Kafka
• Complete observability stack (metrics, logs, traces)

SI standardization and architectural guidance

Standardization and guidance for SOA (Service Oriented Architecture): definition of SOAP and REST standards, API governance.

Architect of the Web hosting platform: design of complete architecture (load balancing, reverse proxy, WAF, high availability).

Participation in defining network standards for implementing our new Datacenters (BGP, ECMP, multi-tier architecture).

Refactoring of major SFR projects: V&S (Sales & Services), BIOS (Back office), SIGC (Commercial Management Information System).

Standardization of programming language usage and evangelization of Open Source for production monitoring.

Evangelization of key technologies: SNMP for network monitoring, Linux instead of proprietary Unix (Solaris/AIX/HP-UX), virtualization (2006), then containerization and Kubernetes (2020).

Major infrastructure projects

2020: implementation of a security data lake centralizing all SFR SI security logs (Firewalls, Routers, Switches, Reverse Proxy, VPN) on a ClickHouse cluster fed by Kafka.

2021: design of a new hosting architecture based on Kubernetes (Talos/Cilium), HAProxy, and an internal operator to manage SFR hosting industrially, including a multi-tier load balancer with DSR based on eBPF/Cilium and Maglev consistent hashing.

2023: implementation of SFR Landing Zone on Google Cloud Platform, including dedicated connection to GCP and SSO integration with our Keycloak. Team support in Landing Zone design, particularly on MLOps platform design aspects.

In parallel: connection of Salesforce to Keycloak SSO for centralized authentication.

Research and innovation

Currently, I am training in artificial intelligence to implement anti-DDoS mechanisms on our web hosting infrastructure based on Machine Learning. The 300+ TB security data lake was designed in anticipation of this research work.

• SOA/API Architect and SI standardization
• 300+ TB Security Data Lake (ClickHouse/Kafka)
• Multi-tier Load Balancer (eBPF/Cilium/Maglev)
• GCP Landing Zone with MLOps
• Evangelization of Open Source, Linux, Virtualization, Kubernetes
• Major projects refactoring
• R&D anti-DDoS with ML/AI

Design and evolution of SFR API Gateway

I designed and developed SFR's API Gateway (and participated in SOA evangelization at SFR), initially based on IBM DataPower.

2014: Complete redevelopment of SOAP API Gateway on open source solution (Apache/mod_perl) with in-house development to meet SFR's specific needs and reduce licensing costs.

2015: Major evolution of API Gateway to also support REST, enabling progressive transition from SOAP to REST services.

2017: Complete redesign of API Gateway on event-driven technology (Zeus Traffic Manager / Ivanti vTM), bringing better performance and scalability.

This API Gateway today manages all integration flows between SFR SI systems, with several thousand exposed services and more than 110 billion requests per year.

• Initial SFR API Gateway design (2006)
• 15+ years of continuous evolution
• Migration IBM DataPower → Open Source
• SOAP and REST support
• Event-driven architecture
• Management of thousands of services

LDAP directory management and SSO/IAM solutions evolution

I took charge of SFR's LDAP directory engineering with successive evolutions: Netscape Directory Server → iPlanet → Oracle Directory Server → Fedora Directory Server (389 DS).

2010: Implementation of first SFR SSO based on CA SiteMinder.

2012-2019: Development of proprietary SSO solution replacing SiteMinder, using certificates on workstations as second authentication factor (Arcot WebFort / CA Advanced Authentication).

2020: Migration to modern architecture based on SAML2 and OpenID Connect standards, with Keycloak as central Identity Provider. This solution unifies authentication for all SFR applications (web, mobile, partners) and supports multi-factor authentication (MFA) with different methods: TOTP, HOTP, WebAuthn, FIDO keys (YubiKey), Passkeys.

2023: SSO integration with Google Cloud Platform and Salesforce.

Today, this SSO/IAM platform authenticates several thousand users (employees, customers, partners) and manages hundreds of applications and over 110 billion requests per years.

• LDAP directory management (Netscape → 389 DS)
• SSO SiteMinder → Proprietary solution → Keycloak
• SAML2 / OpenID Connect
• MFA: TOTP, WebAuthn, FIDO, Passkeys
• GCP and Salesforce integration
• Several tens of thousands of users

Architecture and evolution of web hosting infrastructure

I managed SFR's web hosting infrastructure, first on iPlanet Web Server under Solaris, then I designed the first Apache Linux stack at SFR, marking the beginning of migration to Open Source.

I then participated in implementing reverse proxy and load balancer infrastructures in front of web servers: Deny All (rWeb), Zeus ZXTM (Ivanti vTM), F5 BIG-IP, Alteon, HAProxy.

On this occasion, I started working with network teams on Switch, Firewall, Router (BGP), VPN, and Proxy equipment of SFR SI, acquiring deep expertise in carrier-grade network architecture.

2021: Design of a new hosting architecture based on Kubernetes (Talos/Cilium), HAProxy, and a custom Kubernetes operator to manage SFR hosting industrially. This architecture includes a multi-tier load balancer using:

• ECMP routing with BGP for router-level distribution
• L4 load balancing with DSR (Direct Server Return) based on eBPF/XDP (Cilium) and Maglev consistent hashing
• L7 load balancing with HAProxy for TLS termination and application routing

This solution protects access to our applications from Internet and our VPN/Leased Lines interconnections with partners, offering high availability, scalability, and robustness to infrastructure changes.

• Design of first Apache Linux stack at SFR
• High availability hosting architecture
• Multi-tier Load Balancer (BGP/ECMP/eBPF/Cilium/HAProxy)
• DSR with Maglev consistent hashing
• Custom Kubernetes operator
• Carrier-grade network expertise (BGP, VPN, Firewall)
• Technologies: Talos, Cilium, F5, Zeus vTM, Deny All, Alteon

System engineering and industrialization

I ensured engineering of Unix AIX and Linux systems, including industrialization, building installation masters, and software packaging. I introduced Linux in SFR SI, progressively enabling replacement of proprietary Unix (Solaris, AIX, HP-UX) with Open Source solutions.

I collaborated with colleagues on Solaris and HP-UX to standardize software packaging across different Unix platforms (RPM, LPP, SD, pkg).

Technologies used:

• Packaging: RPM (Linux), LPP (AIX), SD (HP-UX), pkg (Solaris)
• Automated installation: Kickstart (Red Hat/CentOS), AutoYaST (SUSE Linux), NIM (AIX), VMware Templating, Foreman
• Infrastructure: TFTP/DHCP/Bootp/PXE for automated deployment

2006: Participation in evangelization of virtualization and generalization of Linux usage (instead of Unix Solaris/AIX/HP-UX) and virtualized Windows within SFR SI.

2020: Participation in evangelization of containers (Docker) and Kubernetes, marking a new major transformation of SFR infrastructure.

• Introduction of Linux at SFR (2004)
• Virtualization evangelization (2006)
• Containers/Kubernetes evangelization (2020)
• Multi-platform industrialization and packaging
• Deployment automation (Kickstart, AutoYaST, NIM, Foreman)
• Proprietary Unix → Open Source Linux migration

Expertise in transactional systems and message-oriented middleware

I worked as a transactional systems expert, ensuring engineering, administration, and L3/L4 support of SFR's transactional platforms (Tuxedo and IBM TXSeries/Encina).

I also worked closely with database administrators (Informix, Oracle) and on IBM MQSeries, due to the strong link between:

• Transactional databases
• MQSeries (which is transactional)
• OLTP (XA two-phase commit protocol)

This expertise in distributed transactions and XA protocols allowed me to deeply understand critical transactional architectures that are at the heart of billing and customer management systems for telecom operators.

2017: Participation in building our Kafka infrastructure to progressively replace MQSeries on new projects, bringing modern Pub/Sub model and better horizontal scalability.

• L3/L4 support Tuxedo and TXSeries/Encina
• Distributed transactions expertise (XA, 2PC)
• MQSeries administration
• Close collaboration with DBAs (Informix, Oracle)
• MQSeries → Kafka migration
• Critical billing systems

Support and Technical Expertise Mission for DCE/Encina within CEGETEL's Technical Direction

• Technical support for development, integration teams, and LEVEL 3 and 4 production support on products: DCE, TXSeries/Encina
• Also support for products associated with DCE and ENCINA usage: MQSeries 5.x, BBA, UNIX Sun Solaris 2.5/2.6/2.7/2.8, UNIX HP-UX 10.2 and 11, UNIX AIX 4.2 and 4.3, Windows NT, Oracle 7/8/8i, Informix 7.23, CFT 2.2.x
• Operation of DCE and TXSeries/Encina environment in development, integration and production: approximately 30 Encina cells distributed across 40 machines
• Installation and configuration, packaging of new platforms
• Attended official IBM training on IBM TXSeries/Encina and IBM DCE (2 weeks)

Technical Environment: DCE IBM 2.1/2.2/3.1 on AIX 4.x Solaris 2.x and Windows NT, DCE Transarc 1.1 on Solaris 2.x, DCE Gradient 2.0.6a on Windows NT, DCE 1.5 on HP-UX, Encina 2.5 Transarc on AIX/Solaris/HP-UX, TXSeries/Encina v4.3 on AIX and Solaris, BBA, CFT 2.2.x on AIX/Solaris/HP-UX, Oracle v7/v8/v8i on Solaris/AIX/HP-UX, Informix v7.23 on AIX, MQSeries v5.x on AIX/Solaris/HP-UX/OS390, Windows NT 4.0, C/C++, Java, HTML, Perl, PHP, KSH, TCL, Apache, Samba.

• L3/L4 support DCE and TXSeries/Encina
• Operation of 30 Encina cells across 40 machines
• Official IBM training (2 weeks)
• Multi-platform: AIX, Solaris, HP-UX, Windows NT
• Expertise MQSeries, Oracle, Informix

Outsourcing of 6ème sens project development (Bouygues Télécom's multi-service WAP/WEB portal at ATOS Origin)

• Organization of platform outsourcing
• Hardware selection and purchase to set up platform at ATOS
• Platform installation and configuration

Technical Environment: Microsoft Windows 2000, Visual Studio, COM/DCOM, MSMQ, SQL Server.

• Outsourcing Bouygues 6ème sens WAP portal
• COM/DCOM and MSMQ architecture
• Complete infrastructure setup

Technical study on SIMP (Payment Methods Information System)

• Technical study to improve SIMP performance
• AIX, Encina, Oracle and Informix administration
• Development in C/C++, Unix Shell
• Migration study from Encina 2.5/Informix and AIX 4.2 to TXSeries v4.3/Oracle 8i and AIX v4.3

Technical Environment: AMC Designer, Informix, Visual C++, C++ Builder, Encina, ESQL/C, AIX, BBA, MQSeries, CM2, VADQR, CHPN, SCCS, TITAN and BBA FT.

• SIMP performance optimization
• Migration Encina/Informix → TXSeries/Oracle
• Multi-platform administration
• Payment system architecture

Development of CEGETEL's SRPP Dual SLOT evolution (recharge management via IVR by Bank Card and Voucher)

• Study to improve project's n-tier architecture
• AIX, Informix and MQSeries administration for development platform
• Development in C/C++, Unix Shell
• Development in ESQL/C
• Multi-user SCCS setup

Technical Environment: Informix, ESQL/C, AIX, BBA, MQSeries, CM2, SCCS, TITAN and BBA FT.

• N-tier recharge system architecture
• C/C++ and ESQL/C development
• SCCS setup
• Real-time payment system

Redesign of CEGETEL's payment methods system (management of control and payment by Bank Card, Voucher and Check Control)

• Design of project's n-tier architecture
• Data modeling in Merise
• AIX, Encina, Informix and MQSeries administration for development platform
• Development in C/C++, Unix Shell
• Development in ESQL/C
• Migration of file flows from TITAN FT to BBA FT
• BBA FT flows setup
• Study of GUI migration from Visual C++ to C++ Builder

Technical Environment: AMC Designer, Informix, Visual C++, C++ Builder, Encina, ESQL/C, AIX, BBA, MQSeries, CM2, VADQR, CHPN, SCCS, TITAN and BBA FT.

• Complete n-tier architecture design
• Merise modeling
• Migration TITAN FT → BBA FT
• Multi-payment method system

Studies and Expertise for CSP code migration on OS/390 (non-Y2K compliant to Cobol generated with Visual Age Generator)

• Feasibility study for 2-tier Client/Server with DB2 on OS/390, and RAD tools (C++ Builder and PowerBuilder)
• Windows NT 4.0 server setup for DRDA/SNA gateways
• DRDA DB2 client installation on Windows NT

Technical Environment: Windows NT, C++ Builder, PowerBuilder, TSO MVS, DB2 Connect, Visual Age For Smalltalk, Visual Age Generator.

• Y2K CSP/MVS migration
• Client/Server DB2 architecture
• DRDA/SNA gateways
• RAD C++ Builder and PowerBuilder

Design and management of KART Project (2-tier client/server architecture - distributed management of GSM network technical acceptance documents)

• Project management
• General project specification
• Technical assistance on all technical aspects of the project
• Data modeling in Merise
• UNIX and Oracle administration for development platform

Technical Environment: MS Project, AMC Designer, Oracle, Access, HP-UX, ProC, SQLNET, C++ Builder, OLE AUTOMATION Word, TITAN, BBA FT.

• KART project manager
• Distributed Client/Server architecture
• Merise modeling
• GSM technical document management

Design and Evolution of GSM ticket counting chain (interconnection of SFR GSM network with company PABXs)

• HP-UX and Oracle administration for development platform
• Oracle 7.2/7.3 server migration
• Windows 3.11 / NT GUI migration
• Y2K compliance

Technical Environment: AMC Designer, C and ProC Oracle, HP-UX, PowerBuilder, SQLNET, TITAN, SCCS.

• GSM/PABX ticket counting
• Oracle and Windows migration
• Y2K compliance
• Client/Server architecture

Development for SFR SIM card production management (MRP) project

• Object modeling in UML
• Data modeling in Merise
• Evolution development in C++ under Unix and Windows
• Development in SQL Windows

Technical Environment: Paradigm+, AMC Designer, AIX, C++, SQL Windows, Oracle, OCI Oracle, RPC Sun, Borland C++.

• SIM card MRP
• UML modeling
• Multi-platform C++ development
• RPC Sun and OCI Oracle

Evolution development of GSM ticket counting chain (SFR GSM network interconnection with company PABXs)

• HP-UX and Oracle administration for development platform
• Evolution development in C and Pro*C
• Data modeling in Merise
• PowerBuilder development

Technical Environment: AMC Designer, C and ProC Oracle, HP-UX, PowerBuilder, SQLNET, TITAN, SCCS.

• Ticket counting evolutions
• C and Pro*C development
• PowerBuilder and Oracle
• Merise modeling

Development for SFR distributor management project (N-tier architecture)

• C++ development
• ESQL/C development
• OTS development with Encina TP Monitor
• Object modeling in OMT
• SCCS setup

Technical Environment: Paradigm+, AMC Designer, C/C++, Encina, DCE, ESQL/C, Informix, AIX, Visual C++, SCCS.

• N-tier architecture with Encina
• OTS development
• OMT modeling
• First contact with DCE/Encina

System engineer for Training Center

• Administration of training center's network and machines
• Software testing and technology watch
• Development for companies working with training center in C/C++ under Unix with Oracle database access (Pro*C and PL/SQL)
• Administration shell development

Technical Environment: C, C++, AIX, SCO, Linux, SQL, Oracle, Access, Unix Shell, Delphi, C++ Builder, Borland C++, TCP/IP, Novell, Windows NT, Silverun CASE tool.

• Training center network administration
• C/C++ and Oracle development
• Technology watch
• Multi-platform Unix