Securing a hybrid cloud App Connect application
This blog demonstrates how to connect IBM App Connect on IBM Cloud and IBM App Connect Enterprise (ACE) using callable flows.
OVERVIEW
In a hybrid cloud environment, a logical integration application is divided between ACE (on-prem) and IBM App Connect on IBM Cloud. Your integration flows communicate by using a Switch server and a connectivity agent. The Switch server is a purpose-built integration server that routes data. It is managed by IBM App Connect on IBM Cloud. The connectivity agent contains the certificates that your integration flows require to communicate securely with the Switch server. A connectivity agent must be running in the IBM App Connect Enterprise integration server where you have deployed your on-premises message flows.
The Switch server is already created in IBM App Connect on IBM Cloud. You must download an agent configuration file from the cloud and use it to configure the on-premises connectivity agent. Your callable flows use this agent to communicate with each other securely, through the Switch server.
HYBRID CLOUD SCENARIOS
We are going to demonstrate two hybrid cloud deployment scenarios.
- Scenario 1: a message flow in IBM App Connect on IBM Cloud calls a message flow in ACE on-prem.
- Scenario 2: a message flow in ACE on-prem calls a message flow in IBM App Connect on IBM Cloud.
PREREQUISITES
If you are planning to follow the instructions in this blog, make sure you have completed the prerequisites described below.
- IBM Cloud account with IBM App Connect service
- IBM App Connect Enterprise (ACE) on-premises installation
- Create an integration server on the on-prem ACE installation
Option 1 – Independent integration server: the work directory is created in the workspace from which you created the integration server.
Option 2 – Node-managed integration server: the work directory is created under the work path of the parent node.
- A Salesforce business or Developer Edition account
CONFIGURE APP CONNECT ON IBM CLOUD FOR ACE CALLABLE FLOWS
If you have already configured callable flows between App Connect on IBM Cloud and the integration server in your on-premises App Connect Enterprise, you can skip this step. It is a one-time configuration.
Select Callable Flows on IBM App Connect and click Connect Callable flows.
In the “Set up an agent” dialog box, click on the Download the configuration button to get the agentx.json file.
Below is an example of the downloaded agentx.json.
Follow instructions on the “Set up an agent” dialog box for installing the agent into your on-premises ACE work directory: workdirectory/config/iibswitch/agentx.
Once this agentx.json file is in place in the work directory of your on-prem integration server, it enables secure network connectivity.
Now, on your on-premises ACE software, start the integration server with the --work-dir parameter:
`IntegrationServer --name myIntegrationServer --work-dir c:\mywrk\myaceworkdir`
Click the “Test your agent” button on the “Set up an agent” dialog box. It should show at least one agent connected.
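A pre-start check for the agent file, added here as an example and not part of the original post or of IBM's tooling: it confirms that agentx.json sits at the path given above, parses as JSON, and on POSIX hosts is not accessible to group or other users. The scan for PEM markers assumes that any key material is embedded as PEM text, and the sample file content is constructed.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Location given in the post, relative to the integration server work directory.
AGENT_REL = Path("config") / "iibswitch" / "agentx" / "agentx.json"

def _strings(node):
    """Yield every string value found anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def check_agent_config(work_dir):
    """Return a list of findings; an empty list means the file passed."""
    path = Path(work_dir) / AGENT_REL
    if not path.is_file():
        return [f"missing: {path}"]
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    # Assumption: key material, if embedded, appears as PEM text in string values.
    has_key = any("PRIVATE KEY-----" in s for s in _strings(doc))
    findings = []
    if os.name == "posix":  # mode bits are only meaningful on POSIX hosts
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            what = "holds a private key and is" if has_key else "is"
            findings.append(f"{path.name} {what} accessible to group/other (mode {mode:o})")
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway work directory and a placeholder agentx.json.
    pem = "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----"
    with tempfile.TemporaryDirectory() as wd:
        target = Path(wd) / AGENT_REL
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps({"sample": {"key": pem}}), encoding="utf-8")
        target.chmod(0o644)
        print(check_agent_config(wd))  # one finding on POSIX
        target.chmod(0o600)
        print(check_agent_config(wd))  # no findings
```

On Windows the mode-bit test is skipped, so review the file's ACL separately there.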
SCENARIO 1 – SECURELY INVOKE AN ON-PREMISES ACE FLOW FROM APP CONNECT ON IBM CLOUD
CREATE AND DEPLOY AN ACE CALLABLE FLOW
Use the App Connect Enterprise Toolkit (Enterprise Toolkit) to develop and deploy a simple callable flow into an on-premises ACE integration server so that the flow is visible in App Connect on IBM Cloud.
After deploying the flow, switch back to App Connect Designer, and in the “Callable flows” view, you should now see the new flow. Note the name should match the Endpoint name specified when creating the flow.
CONFIGURE THE FLOW IN APP CONNECT ON IBM CLOUD
Create a new flow from the App Connect dashboard by selecting “Flows for an API”.
Add a sample model “ACEBridge” with two properties as below.
Add a Get operation which can be invoked from a test client. Here the request URI is ../ACEBridge/callable?aName=SampleString&aMessage=SampleString
Click on View flow and configure the on-cloud flow as below. Select the appropriate Application name and Endpoint details from the previous step.
Start the flow from the App Connect dashboard.
From the Manage tab, copy the endpoint URL for your API and append that with the request URI. Use this URL to invoke the API from a test client.
Sample URL: https://ced00368.us-south.apigw.appdomain.cloud/cnON1P/ACEBridge/callable?aName=CallableFlow&aMessage=Logging
TEST THE HYBRID INTEGRATION FLOW
1. Test the happy path, success response.
2. Disable local internet, test failure (network outage)
3. Enable internet, test recovery – reconnected
Stale connection test successful
4. Test the happy path, success response
5. Restart on-premise node
6. Test the happy path, success response
7. Restart on-premise integration server
8. Test the happy path, success response
SCENARIO 2 – SECURELY INVOKE AN APP CONNECT FLOW ON IBM CLOUD FROM AN ON-PREMISES ACE FLOW
DEPLOY THE ACE FLOW PROVIDED
Rather than create the integration project from scratch, we import the project interchange file used to develop this tutorial.
The ACE flow implements a REST API and uses a CallableFlowInvoke node to call the event-driven flow that is running in App Connect on IBM Cloud.
The downloaded project contains a BAR file called LeadXML2ACoIC.bar, which contains the callable flow, ready to be deployed. Deploy the BAR file to your on-prem integration server.
Use the deployed URL to call the REST API, for example http://localhost:7800/leadsxml/v2/leads
CONFIGURE THE CALLABLE FLOW
On the App Connect dashboard create a new Event-driven flow.
Add an action to update or create a Salesforce lead. You will need a Salesforce developer account to create/update leads.
The flow name “Call to update-create SF lead” needs to match the application name that the on-prem ACE flow uses to be able to invoke this callable flow.
Start the flow from the App Connect dashboard.
Switch to the “Callable flows” view; you should now see the new callable flow provided by App Connect on IBM Cloud. Note the Application name should match the name specified when creating the flow.
TEST THE INTEGRATION SOLUTION
We can test the integration solution using an HTTP client such as cURL or Postman. Call the REST API to add a new lead and to update Salesforce. The REST API invokes the ACE flow to interact with the on-premises application and to call the flow in App Connect on IBM Cloud to interact with Salesforce.
When testing using cURL, the command on Windows needs to escape the double quotes.
For example:
`curl -X POST http://localhost:7800/leadsxml/v2/leads -d "{\"FirstName\" : \"John\",\"LastName\" : \"Smith\",\"Email\" : \"j.smith@email.com\",\"Company\": \"jsmith.com\"}" -H "Content-Type: application/json" -vvv`
Here’s what the success response looks like, with field populated by Salesforce.
If you view the on-premises application (C:\temp\leadsxml.txt) you should see the new lead entry appended.
Also, on the App Connect dashboard, if you look at the tile for the flow, you can see when the flow last ran successfully.
TEST THE HYBRID INTEGRATION FLOW
1. Test the happy path, success response
2. Disable internet, test failure (network outage)
3. Enable internet, test recovery – reconnected
Stale connection test successful
4. Test the happy path, success response
5. Restart on-prem node
6. Test the happy path, success response
7. Restart on-premise integration server
8. Test the happy path, success response
CONCLUSION
The callable flows technique can be used between IBM App Connect Enterprise and IBM App Connect on IBM Cloud, and between integration servers in IBM App Connect Enterprise configured to use the on-cloud Switch server.
FURTHER READING
- Configuring Secure Connectivity Cloud And On-Premises
- Callable message flows
- Sharing Processing cloud and on-premises
- Secure connectivity cloud and on-premises systems
- Preparing the environment to split processing
Anuja Patil is a Senior Integration Specialist with Syntegrity Solutions with a wide range of experience in integration, microservices, automation and hybrid cloud.