Hybrid Integration

Access your on-premises applications securely using the webMethods.io Integration platform.
You can now pass data easily from a Workflow or FlowService to an on-premises application and get processed data back to the Workflow or FlowService.

Overview

Hybrid connectivity allows you to establish a secure connection between webMethods.io Integration and your server behind the firewall. As a result, you can consume data from your on-premises applications and use those applications in your Workflow or FlowService.

This section describes how to configure Integration Server as an on-premises server for use with webMethods.io Integration. It contains information for administrators who configure and manage on-premises Integration Servers and for application developers who want to create services that will be accessed through webMethods.io Integration.

On-Premises Integration Server

An on-premises Integration Server is any Integration Server that is configured to share service metadata and enables the execution of those services by integrations defined in webMethods.io Integration. The service metadata uploaded from an on-premises Integration Server provides the accounts and applications required to create integrations in webMethods.io Integration.

webMethods.io Integration has environments and each environment has a different endpoint. You can configure one on-premises Integration Server to an environment. On-premises Integration Server version 9.12 or later with the latest fix will work with webMethods.io Integration for hybrid connectivity.

Note: The maximum size limit for hybrid messages that can be transported between on-premises webMethods Integration Server and webMethods.io Integration is 20 MB (20971520 bytes).

Integration Server Administrator

The Integration Server Administrator is an HTML-based utility to administer the webMethods Integration Server. It allows you to monitor server activity, manage user accounts, make performance adjustments, and set operating parameters. You can run the Integration Server Administrator from any browser-equipped workstation on your network. The Integration Server Administrator is a browser-based application that uses services to accomplish its work.

webMethods Cloud Settings

The Settings page under webMethods Cloud in Integration Server Administrator allows you to specify the login and location details of webMethods.io Integration.

Under Settings, specify the user name for the user account on webMethods.io Integration, the password identified in the user account for the user name, and the URL of webMethods.io Integration with which to share accounts and applications created on the on-premises Integration Server.
The URL is of the following format: https://sub-domain.domain-name, for example, https://sample.prod-int-aws-us.webmethods.io.

If you click Update Settings, Integration Server connects to webMethods.io Integration specified in the webMethods Cloud URL and downloads the configuration information that is required to receive any incoming requests.

Note: If you are using hybrid connectivity and when you update the on-premises settings for the first time after the webMethods.io Integration v3.0 upgrade, restart the on-premises webMethods Integration Server. After restart, upload the on-premises account to resume hybrid connectivity. This is applicable for all the on-premises Integration Servers connecting to webMethods.io Integration.
If you have allowed the Cloud Universal Messaging (UM) hostname in the firewall, you have to also allow the new UM hostname along with the old one. Click here for information on the IP addresses.

webMethods Cloud Accounts

When you create an on-premises account on the on-premises Integration Server, you specify the connection parameters that the on-premises Integration Server uses to access webMethods.io Integration for which you defined the settings. You enable accounts on the on-premises Integration Server to allow them to serve any requests that originate from webMethods.io Integration.

If an account is disabled on the on-premises Integration Server, any requests sent from webMethods.io Integration will time out depending on the time specified in the Request Timeout field in Account Settings.

You can upload accounts in two ways, as part of an application, or individually, separate from applications. In order to upload an account as part of an application, you must first create the account and then associate it with the application when you upload it to webMethods.io Integration.

Upload accounts separately from applications in the event when you need to override the settings of a previously uploaded account. You might do this if you associate an account while uploading an application to webMethods.io Integration and later change the account details. This way, you can change the account details without having to upload the entire application.

To create an account on an on-premises Integration Server, in the webMethods Cloud menu in Integration Server Administrator, click Accounts > Create On-Premise Account.

Complete the following fields:

Uploading on-premises accounts to webMethods.io Integration

After an account is created, you upload it to webMethods.io Integration so that it can be used to execute services on the on-premises Integration Server. If you change or edit the account after it is uploaded to webMethods.io Integration, you must upload it again for the changes to become effective. If you want to upload the account as part of an application, use the procedure described in the Uploading Applications section.
To upload accounts to webMethods.io Integration, in the webMethods Cloud menu in Integration Server Administrator, click Accounts.


Click one of the following icons in the Upload column for the account you want to upload.

: New or has been edited since the last time it was uploaded to webMethods.io Integration. For a new account, this icon indicates that the account has not been uploaded to webMethods.io Integration. For an account that already exists on webMethods.io Integration, this icon indicates that the account on the on-premises Integration Server is not synchronized with the one on webMethods.io Integration.
: Synchronized with the account that has already been uploaded to webMethods.io Integration.

When you upload the account, Integration Server Administrator displays a status line that indicates whether the account has been uploaded successfully. The status line is displayed at the top of the screen. Integration Server Administrator also updates the Last Uploaded Time field to indicate the time that the account was uploaded and displays the icon to indicate that the account on webMethods.io Integration is synchronized with the one on the on-premises Integration Server.

If an account gets disabled during an upload, Integration Server uploads the account successfully and notifies you to enable the account to serve any requests originating from webMethods.io Integration. When accounts are disabled, webMethods.io Integration cannot execute services on the on-premises Integration Server. After the account is enabled, Integration Server automatically establishes connectivity with webMethods.io Integration at start up and is ready to serve any requests originating from webMethods.io Integration. If you have not enabled an account while creating it, you can enable the account by going to Accounts and clicking No to enable the account under the Enabled column.

When you no longer need an account, you can delete it. Deleting an account from the on-premises Integration Server also deletes the account from webMethods.io Integration. If the account is in use by any of the integrations in webMethods.io Integration, the delete operation fails. To delete an on-premises account, click Accounts and then click the delete icon.

Monitoring on-premises listeners for accounts

Each enabled account has an active listener on the on-premises Integration Server. The listener listens for requests from webMethods.io Integration to execute services on the on-premises Integration Server. To ensure that each enabled account has an active listener, Integration Server uses a monitoring thread that executes at a specified interval. If the monitoring thread finds a listener that is not running, the monitoring thread attempts to start the listener.

Additionally, the monitoring thread looks for listeners that have not processed any requests in a specified period of time and recreates the listeners that have been idle for too long. Integration Server stops and restarts all the on-premises account listeners when you click Update Settings on the webMethods Cloud > Settings page. The monitoring thread exists only if the on-premises Integration Server has at least one enabled account.

webMethods Cloud Applications

A group of services that you share with webMethods.io Integration is called an application. On-premises applications are created on the on-premises Integration Server and uploaded to webMethods.io Integration. webMethods.io Integration executes any service hosted by an on-premises Integration Server.

When you share services in an application, you are sharing the metadata for the service. For Integration Server services, the metadata you share is the service name, service signature, display name, and service comments. You can then create integrations in webMethods.io Integration that invoke services defined in the applications. When webMethods.io Integration executes a service, the on-premises Integration Server returns all the results to webMethods.io Integration. You can batch the results to limit the number of results returned to webMethods.io Integration.

After you create applications, you upload them to webMethods.io Integration. If the application changes on the on-premises Integration Server, you must upload the application again for the changes to be replicated on webMethods.io Integration.

When you upload applications to webMethods.io Integration, you associate one or more accounts that the application can use to access services on the on-premises Integration Server. If the account associated with an application changes, you can upload the account to webMethods.io Integration without having to upload the application.

Defining on-premises applications to share with webMethods.io Integration

To define an on-premises application to share with webMethods.io Integration, in the webMethods Cloud menu, click Applications > Define webMethods Cloud Application and under webMethods Cloud Application, complete the following fields.

Uploading on-premises applications

After you define an on-premises application, you must upload the application to webMethods.io Integration before using it. To upload an application, open the Integration Server Administrator and in the webMethods Cloud menu, click Applications.

Click one of the following icons in the row that corresponds to the application you want to upload in the Upload column.

: New or has been edited since the last time it was uploaded to webMethods.io Integration. For a new application, this icon indicates that the application has not been uploaded to webMethods.io Integration. For an application that already exists on webMethods.io Integration, this icon indicates that the application on the on-premises Integration Server is not synchronized with the one on webMethods.io Integration.
: Synchronized with the application that has already been uploaded to webMethods.io Integration.

When the Upload Application screen appears, in the Select Accounts area, select one or more accounts to associate with the application and then click Upload.

When you upload the on-premises application, the on-premises Integration Server uploads the application to webMethods.io Integration, replacing the existing on-premises connector. It updates the Last Uploaded Time column of the webMethods Cloud Applications screen to indicate that the on-premises connector on webMethods.io Integration is synchronized with the one on the on-premises Integration Server. It also shares the service name, service signature, display name, and service comments with webMethods.io Integration.

If the application has been uploaded earlier, uploading the application again overwrites the existing on-premises connector. Further, if any account associated with an application is disabled during an upload, Integration Server uploads the application successfully and notifies you to enable the account to serve any requests.

Note: Applications uploaded from the on-premises Integration Server are listed in the Connectors > On-Premises Connectors page in webMethods.io Integration.



When you no longer want to share on-premises applications with webMethods.io Integration, you can delete them. Deleting an application from the on-premises Integration Server also deletes the application and its corresponding operations from webMethods.io Integration.

After creating an application, you can edit the application details. If you edit an application, you must upload the application for the changes to take effect on webMethods.io Integration. The updated application is not available for use until you upload it.

Sharing metadata on an on-premises Integration Server

You can create on-premises applications on the on-premises Integration Server to share services with webMethods.io Integration.

Points to note while sharing services through an application

Connecting to webMethods.io Integration through a Proxy

If your on-premises Integration Server is to connect to webMethods.io Integration through an Internet proxy, you may need to perform additional configurations which fall into the following categories:

  1. Creating a proxy server alias.
  2. Adding proxy-related Java system properties to the Java Virtual Machine in which the on-premises Integration Server runs.
  3. Configuring the Internet proxy for use with the on-premises Integration Server and webMethods.io Integration.

Creating a Proxy Server Alias

If your company requires the use of a proxy server to establish outbound connections to applications located in the cloud, you need to configure a proxy server alias for your on-premises Integration Server. A proxy server alias identifies the proxy server and the port on the proxy server through which you want to route requests and any credentials needed to access the proxy server.

Configure a proxy server alias using the Settings > Proxy Servers page in Integration Server Administrator.

When creating a proxy server alias for use for connection to webMethods.io Integration, do the following:

Updating JVM Configuration Settings for Proxies

Depending on your networking and security requirements, you may need to set Java system properties related to proxy servers. As the connection between the on-premises Integration Server and webMethods.io Integration is over HTTPS, you need to set some or all of the following:

As the proxy property values need to be set for the Java Virtual Machine (JVM) in which Integration Server runs, you update the custom_wrapper.conf file to ensure the proxy parameter values are supplied when the JVM launches.

Specifically, you add a wrapper.java.additional.n property that specifies the property name and value that you want to pass to Integration Server, where n is a unique sequence number. The property name must be preceded by -D.

For example, the wrapper.java.additional properties in the custom_wrapper.conf file might look similar to the following:

wrapper.java.additional.204=-Dhttps.proxyHost=YOUR_PROXY_HOST
wrapper.java.additional.205=-Dhttps.proxyPort=YOUR_PROXY_PORT
wrapper.java.additional.206=-Dhttps.proxyUser=YOUR_PROXY_USER
wrapper.java.additional.207=-Dhttps.proxyPassword=YOUR_PROXY_PASSWORD
wrapper.java.additional.208=-Dhttp.nonProxyHosts=localhost|127.0.0.1
wrapper.java.additional.209=-DHPROXY=YOUR_PROXY_HOST:YOUR_PROXY_PORT
wrapper.java.additional.210=-DHAUTH=YOUR_PROXY_USER:YOUR_PROXY_PASSWORD

For instructions about passing the Java system properties to Integration Server and the JVM used by Integration Server, see the webMethods Integration Server Administrator’s Guide.

To pass system properties to Microservices Runtime, you must update the JAVA_CUSTOM_OPTS property in Integration Server_directory /bin/server.bat(sh).

For more information about passing system properties to Microservices Runtime, see the Developing Microservices with webMethods Microservices Runtime document.

If Integration Server uses Java SE Development Kit 8, Update 111 or later and the Internet proxy is configured to enforce HTTPS Basic authentication, you may need to add the following system properties to custom_wrapper.conf:

Configuring the Internet Proxy

When using a proxy server for outbound requests from the on-premises Integration Server to webMethods.io Integration, you may need to configure the following on the proxy server:

Allowed IP addresses and troubleshooting tips

The webMethods.io Integration platform is available on two Cloud Vendors - Amazon Web Services (AWS) and Microsoft Azure. Based on the vendor and the associated region selected by you at the time of creating your webMethods.io Integration tenant, you need to allow relevant IP addresses to establish the connectivity between webMethods.io Integration and your on-premises Integration Servers.

The following table describes the IP categories to be allowed and the ports to open for cloud connectivity. Locate the region your tenant belongs to and allow the relevant IP addresses.

Note: Go to the Software AG Cloud Regions website and click the Show IP option for information on the list of IP addresses. Once you add these addresses to your firewall, you should be able to connect to your resources from webMethods.io Integration. If not, contact Software AG Global Support and the Software AG Cloud Operations teams with the required details.

IP address categories Description and ports to open Use cases
NAT Gateway IPs If there is a direct communication from the cloud system to your on-premises server and if you are using a REST Application to connect to your system, allow the NAT Gateway IPs. Open the port number of your on-premises servers, if your on-premises environment has exposed any server to the cloud or outside world for cloud to on-premises direct connectivity.
For example, if you are running JBoss server on port 443, expose port 443 on your data center and also allow the traffic from the NAT Gateway IPs.
  • Applicable only for direct cloud to on-premises connectivity
  • Not required for Hybrid connectivity
UM IPs and UM Load Balancer IPs Allow outbound traffic from on-premises to the cloud by allowing the cloud Universal Messaging (UM) IPs and Load Balancer (LB) IPs and also open the ports 443, 8443, 7443. Note that port 7443 is applicable for Microsoft Azure data centers only.
  • Applicable for only Hybrid connectivity where on-premises Integration Server connects to the LBs and the cloud UM servers.
Load Balancer IPs Applicable for connectivity between on-premises to cloud systems, that is, outbound traffic from on-premises to the cloud. Allow the Load balancer IPs and also open the ports 443, 8443, 7443. Note that port 7443 is applicable for Microsoft Azure data centers only.
  • Hybrid connectivity
  • Web application
  • REST API or SOAP API invocation or FlowService invocation over HTTPs
  • On-premises to cloud connectivity
Custom Domain Load Balancer IPs If you are using custom domains, allow the custom domain Load Balancer IPs and also open the ports 443, 8443, 7443. Note that port 7443 is applicable for Microsoft Azure data centers only.
  • Hybrid connectivity
  • Web application
  • REST API or SOAP API invocation or FlowService invocation over HTTPs
  • On-premises to cloud connectivity

Troubleshooting tips for hybrid connectivity

Do the following checks to troubleshoot hybrid connectivity issues:

Example

The following high-level steps explain how to upload an application and use it in a workflow:

  1. Log in to Integration Server instance.

  2. Create an account on the on-premises Integration Server.

  3. Create the application you want to run on webMethods.io Integration.

  4. Upload the application on webMethods.io Integration.

  5. Use the uploaded application in a workflow.

Login to the Integration Server instance

Login to your Integration Server instance, click the webMethods Cloud option listed on the left-side panel, and then click Settings. Enter the following details on the Settings screen. Once this is done, click Update Settings to save the settings.

Create an account on the on-premises Integration Server

An account on the on-premises Integration Server acts as a two-way communication channel for data transfer between the on-premises Integration Server and webMethods.io Integration. So, when you execute the application uploaded on webmethods.io Integration, it in turn invokes the application instance deployed on the on-premises Integration Server where the actual execution takes place. The output/response of this execution is then sent back to webMethods.io Integration.

To create a new account, go to webMethods Cloud > Accounts, and click Create On-Premise Account.

On the Create Account configuration screen, enter the following details:

Once this is done, click Test Account Settings. This will verify whether the details entered by you are valid or not. If the entered details are valid, you will get a notification message stating so. You can then click on Save Changes to save the account settings.

Create the application you want to run on webMethods.io Integration

You need to create the applications you want to execute using webMethods.io Integration on the Integration Server. Once created, these applications can then be uploaded to webMethods.io Integration where they can be used in the workflows and FlowServices.

To create an application, go to webMethods Cloud > Applications and click Define webMethods Cloud Application.

In the Define Application configuration window, enter the following details:

Once this is done, click Save Changes. This will create the specified application.

Upload the application on webMethods.io Integration

Once you have created the application, you need to upload it to webMethods.io integration in order to use it in your workflow or FlowService. When you upload an application to webMethods.io integration, the metadata of its services such as name, description, and Input/Output signature is also uploaded to the said application.

To upload the application, go to webMethods Cloud > Applications, locate the application you want to upload in the webMethods Cloud Applications list, and click on the Upload icon.

With this, you have successfully created the application in your webMethods Integration Server, which you can use in your webMethods.io integration workflows and FlowServices.

Use the uploaded application in a Workflow

Let us see how to use this application in a workflow.
Log in to webMethods.io Integration. You will find the uploaded application (onPremise_app) in the Connectors panel on the right-side of the canvas.

You can use this application like any other connector in your workflow.

When you double-click on the application icon (onPremise_app), you can see that the configuration window is same as that of any other connector available in webMethods.io Integration.
Select the action (myService) and click Next.

You will be redirected to the action configuration screen, where you can add the relevant details to execute the action.

You can optionally test the action, and then click Done. This will take you back to the canvas. Once you have configured the rest of the workflow, save it.

Whenever you execute the workflow, webMethods.io Integration sends the request to Integration Server to execute the added application and Integration Server in turn sends back the execution response to webMethods.io Integration. This data can then be used to execute the rest of the workflow.

Note: A workflow, which contains an on-premises connector, cannot be cloned.

Invoke FlowServices for on-premises connectors

Click here to see an example on how to invoke FlowServices for on-premises connectors.

Dedicated infrastructure support for hybrid integration scenarios

Performance, scalability, and availability of on-premises connectivity for hybrid integration scenarios have been enhanced by having dedicated Software AG Universal Messaging (UM) nodes for each tenant.
A tenant can be configured with dedicated UMs based on the license. Contact Software AG Global Support for assistance in setting up the dedicated hybrid infrastructure.

Two-way SSL communication for hybrid integrations

webMethods Integration Server 10.7 and later versions support two-way SSL communication between the on-premises Integration Server and webMethods.io Integration. Integration Server, by default, supports one-way SSL communication in which the on-premises Integration Server acts as a client and validates the certificate issued by webMethods.io Integration that acts as a server.

In two-way SSL communication, both the on-premises Integration Server and webMethods.io Integration validate each other’s certificate using private keys. If you want more secure communication between two business applications, you can set up two-way SSL communication.

How to set up two-way SSL communication

Let us see how to set up two-way SSL communication between the on-premises Integration Server and webMethods.io Integration.

Note: Before you set up a two-way SSL communication, you need to download the webMethods.io Integration signed certificate and generate a keystore file. Then use the keystore file to generate a keystore alias on the on-premises Integration Server. When you set up a connection to webMethods.io Integration, you need to use these keystore details so that webMethods.io Integration can validate the certificate. Ensure that you have Integration Server 10.7 or any later version installed for two-way SSL communication.

  1. Go to webMethods.io Integration and click Profile > Settings > Client Certificate > Tenant Certificate. Download the webMethods signed certificate file in jks or pkcs12 format, which contains the private key and the certificate. You can also upload your own CA signed certificate. You can either directly generate the jks or pkcs12 file, or if you have generated a text file, use the JKS tools or utilities to generate the JKS file.

    Note: webMethods.io Integration does not support uploading self signed certificates.

  2. Go to Integration Server, add the certificate file, and specify the keystore properties in the Security > Keystore > Create Keystore Alias page. Provide the file path in the Location field and specify the keystore password. Click Submit.

    Note: The default password is changeit. You should update the password for enhanced security.

  3. In Integration Server Administrator, click webMethods Cloud > Settings and specify the details.

    Field Description
    User Name User name for an account on webMethods.io Integration.
    Password Password identified in the user account for User Name.
    webMethods Cloud URL The URL of webMethods.io Integration with which to share accounts and applications created on the on-premises Integration Server. The URL format is: https://sub-domain.domain-name, for example, https://sample.int-aws-us.webmethods.io:8443. For two-way SSL communication, add port 8443 in the URL, for example, https://sub-domain.domain-name:8443.

    Under Certificate Settings (optional), complete the fields if you want to set up a two-way SSL communication with webMethods.io Integration. If you do not configure these settings, Integration Server uses one-way SSL communication with webMethods.io Integration.

    Field Description
    Keystore Alias A user-specified, text identifier for the Integration Server keystore. This is the alias for the keystore that contains the client certificates that you want Integration Server to use when connecting to webMethods.io Integration.
    Select the same keystore alias that you have created in Integration Server.
    Key Alias The alias for the private key, which must be stored in the keystore specified by the above keystore alias. This value is automatically selected.
    Truststore Alias The alias for the truststore that contains the trusted root certificate for the CA that signed the Integration Server certificate associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship.
    Select Default_JVM_Truststore.
  4. Click Update Settings. Integration Server connects to webMethods.io Integration specified in the webMethods Cloud URL field and downloads the configuration information that is required to receive any incoming requests.

  5. Create an account in Integration Server.

  6. Create the application in Integration Server.

  7. Select the account and upload the application to webMethods.io Integration.

  8. The application is listed on the On-Premises Connectors page in webMethods.io Integration.