How to Configure the Secure Gateway
Introduction
This document explains how to configure a Platform Agent to be the Redwood secure gateway which enables connections to applications and environments that are not directly managed by a Platform Agent. The secure gateway is only available to Redwood SaaS customers.
Secure gateway is a function performed by a Platform Agent.
Secure Gateway Overview
The secure gateway is a function performed by a Redwood Platform Agent that has been configured to act as a proxy for communications between a managed application and a customer's Redwood SaaS environment. The secure gateway communicates with the customer's Redwood SaaS environment through a dedicated, encrypted connection via exchange of credentials known only to the customer specific environment. Figure 1 shows the Redwood SaaS architecture when secure gateway is deployed.
Figure 1: Redwood SaaS Architecture with secure gateway
Examples of where the secure gateway will be used include automation for:
- SAP systems
- Oracle EBS applications
- IBM iSeries (AS400)
- Web Services call
- BusinessObjects
- PeopleSoft
- Database connection via JDBC
- SMTP connection (E-Mail)
If connections to other environments are required, please contact Redwood for advice. As can be seen in the diagram, connections from other OS platform agents are independent from the secure gateway and each other. This provides flexibility and contributes to fault tolerance (see section 3.1 below). The secure gateway connection is initiated from the platform agent that is configured to act as the communication proxy instance. This connection is an established HTTPS secured TCP connection. This way no open incoming ports in the customer firewall are required to setup the connections directly from Redwood Cloud to the required applications.
The general process for configuring the secure gateway is as follows:
- Decide where to host the secure gateway
- Download and Install the Platform Agent
- Configure Process Server(s) for secure gateway
- Restart the preferred secure gateway Process Server candidate
- Configure application connections
The following sections describe these steps in more detail.
Decide Where to Host the Secure Gateway
The secure gateway establishes secure communication between managed applications and customer's dedicated Redwood SaaS environments. This includes passing instructions to the managed applications on which processes are to execute, as well as passing progress and completion status data from the applications back to the Redwood Central Server. It is, therefore, important to locate any Platform Agent that is a secure gateway candidate on a server that is:
- Located inside the corporate firewall
- Able to communicate through the internal network with the applications to be managed
- Able to connect to your Redwood *.cloud environment (verify your URL after connecting to an environment)
- Reliable fast network (low latency)
It is highly advised to have 2 dedicated agents, without other roles, who can act as secure gateway.
Fault Tolerance Considerations
The secure gateway is designed to be highly available. At any time only one Platform Agent acts as the secure gateway, but if it becomes unavailable any other Platform Agent designated a secure gateway candidate will automatically take over the role seamlessly. For this reason, it is recommended that at least two Platform Agents are deployed onto suitable servers to ensure fault tolerance during operations. Note also that you do not need to dedicate an agent for secure gateway purposes. All existing Platform Agents can be configured to perform the role of the secure gateway as long as the earlier mentioned points are taken into account.
DMZ Setup
Secure gateways in a DMZ need to be able to connect to the central Redwood server on port 443
and to all remote systems (ERP, REST/SOAP, JDBC, IBM i, SMTP...) on the configured ports. See the remote-system specific documentation for the default ports.
Download and Install the Platform Agent
Installing the Platform Agent(s) for secure gateway purposes is done in exactly the same way as when installing agents for general use. Detailed instructions on how to do this can be found in the 'Supported platforms' and 'Install Platform Agents' guides available in the Help section of the Redwood Cloud portal. These documents provide information on the permissions required on the local server and pre-requisites for connecting Platform Agents across the Internet to the Redwood cloud.
note
The secure gateway is only supported to run on Platform Agents on Linux x86 and Windows.
Redwood recommends using Linux x86 64-bit for hosting the secure gateway, as a best practice. Follow the instructions in the Install Platform Agents guide to set up each agent that you wish to be a candidate secure gateway. Once installed each Platform Agent will be registered with a 'Process Server' in the customer specific Redwood Cloud environment. The Process Server name will be the same as the hostname on which the agent is installed to make identification easy, and it is the Process Server name that is used when referring to secure gateway connections in the Redwood user interface.
Configuring Process Servers for the Secure Gateway
To configure the secure gateway, you need at least one Platform Agent Process Server and the user must have been assigned to the Cloud Administrator role. Go to Environment > Process Servers and Edit the Process Server you want to use. Then check Secure Gateway Candidate as seen in Figure 2, then save and restart the Process Server by choosing Restart from the context-menu.
Figure 2: Checking Secure Gateway Candidate while editing a Process Server
- At least one Process Server designated for secure gateway use needs to be restarted before any can be selected for use by the Redwood system as the secure gateway.
- If multiple secure gateway candidate process servers, then the first to be restarted will become the secure gateway.
- If only one Process Server has been designated as a secure gateway candidate, it will only become the secure gateway after being restarted.
- If more than one process server has been designated as a secure gateway candidate then only the one to be the primary candidate needs to be restarted, after which it will become the secure gateway. Fault tolerance will be achieved automatically if the primary Process Server enters any state other than "running" (the other Process Servers do not need to be restarted).
- Cloud Administrator role is required to set this checkbox. This role can be configured per environment in the cloud portal and allows separation between product administrators and cloud administrators (same rights as normal administrators + ability to change cloud related settings). This role has already been described in the Managing Users and Roles document.
Identifying the Current Secure Gateway
At any time only one secure gateway candidate Process Server will be used as the secure gateway. By adding the Secure Gateway Candidate and secure gateway tabs in the Process Server view you can see which Process Server(s) are secure gateway candidates and which Process Server is the active secure gateway. Only 1 can be active. See Figure 3 for an example. Another way to confirm this is by looking at the 'System Information' for the relevant Process Servers as follows:
- Select the 'Environment' navigation bar group then select 'Process Servers'.
- Select the first Process Server you want to check.
- Expand 'System Information'.
- The IPForwarderURL highlighted below will only exist on the Process Server selected by the Redwood Central Server as the secure gateway. See the example at the bottom of Figure 3.
Figure 3: Process Server list view with secure gateway and candidates. Bottom shows IPForwardURL
When IP forwarding has been acknowledged as successfully configured from secure gateway (based in the customer environment) to the Process Server (in the Redwood Cloud) an operator message will confirm this, with the 'Sender Object' being the Process Server defined as the secure gateway:
Figure 4: Operator Message confirming successful IP forwarding
Configure Application Connections
Once the secure gateway has been configured you can set up connections to the various applications and environments that you will manage through it by creating the appropriate type of 'Process Server'. The methods used to connect to the different environments to be managed via the secure gateway are application specific and are described in other documents. Please refer to the Redwood portal Help section, follow a training or contact Redwood support for detailed instructions. In general Process Server creation happens via the Wizard when you create one from the Process Server screen:
Figure 5: New Process Server - Application selection
Redwood will automatically determine if it a direct connection can be used (Platform Agent) or if the secure gateway needs to be used (any other Process Server).
Secure Gateway Alerting
When the secure gateway connection between the proxy-processor
in the central Redwood server and the current platform agent running as the client side of the secure websocket fails, then the server tries to start another proxy-processor
.
However this is only possible if we have another secure gateway candidate that is regarded as configured, meaning that there is a connection available.
If however the proxy-processor
fails to establish a secure connection with this candidate after 4 minutes, then the proxy-processor
exits and another secure gateway candidate is tried.
If there are no further configured secure gateway candidates to try, then the following occurs:
- The System_Secure_Gateway event is raised. This is an internal event only for use by the secure gateway. This event is raised provided that secure gateway alerts are configured.
- An alert message is sent to a pre-configured URL informing SaaS that the secure gateway is down. The header and body that should be in the message are configurable.
Once the situation is resolved and the secure gateway connection is operational again:
- The System_Secure_Gateway event is cleared.
- An alert message is sent to a pre-configured URL informing SaaS that the secure gateway is up.
Configuration
The following Redwood registry entries:
/configuration/jcs/Security/gateway/alert
alertapitoken
- token stringalerturl
- URL stringenabled
booleaninformondown
- booleaninformonup
- boolean
See Also
cloudTopic