Customer
For up-to-date internal documentation, see: Loop: Bridge Guide
Hard- and Software Requirements
Bridge

| Category | Item | Requirement |
|---|---|---|
| Hardware | | Highly dependent on the expected load |
| Software | Operating System | Windows or Linux |
| Software | Software | Java 11 (up-to-date version, preferably https://adoptium.net/de/temurin/releases/?os=any&arch=any&version=11) |
| Network | Inbound Ports | None |
| Network | Outbound Ports | 443 (Lobster Data Platform, API Server), 8444 (Bridge Gateway Server) |

Gateway

| Category | Item | Requirement |
|---|---|---|
| Hardware | | Highly dependent on the expected load |
| Software | Operating System | Windows or Linux |
| Software | Software | Java 11 (up-to-date version, preferably https://adoptium.net/de/temurin/releases/?os=any&arch=any&version=11) |
| Network | Inbound Ports | 443 (Lobster Data Platform), 8444 (Bridge) |
| Network | Outbound Ports | 443 (API Server), * (Lobster Data Platform) |
Introduction
Lobster Bridge is engineered to securely transmit data from on-premises installations and databases to cloud environments.
It enables organisations to use cloud capabilities without exposing internal resources to external security risks.
encrypted and used for AS2 and MFT and ETL/ELT in case of callback URLs. This kind of traffic runs directly from Lobster Bridge to the external system, not through the tunnel.
Terms:
Bridge
The software that runs on a remote system. The Bridge creates a secure tunnel to the Bridge Gateway and provides the following features:
access to databases: the Platform can use remote databases that the Bridge can access
file transfers via AS2
ETL/ELT pipelines like on the Platform
No Bridge endpoint is publicly exposed or declared, effectively minimizing external attack surfaces. Every request undergoes strict authentication, validation, and encryption using TLS protocols, guaranteeing the confidentiality and integrity of all data exchanges. No inbound connections are needed on the Bridge system, all communication from external to the Bridge flows through the tunnel.
Bridge Gateway
The Gateway is the server that both a Bridge and a Platform can reach. Bridge and Gateway communicate over a tunnel connection. Depending on the use case, the communication from the Bridge to the Platform runs through the tunnel or directly from the Bridge to the Platform. The Bridge itself can only be reached through the tunnel.
There is an official Lobster Bridge Gateway, which is used by default. If that is not wanted, Private Gateways within the customer's network can also be used. A private Bridge Gateway is a standard Lobster DMZ server that can be configured to run as a Gateway in addition to its normal function.
Lobster Data Platform
The Lobster Data Platform.
Request Handling and Secure Data Flow
The secure communication process within Lobster Bridge follows a clearly defined request-response pattern:
Bridge initiates tunnel connection to Bridge Gateway Server
Request Initiation: Cloud environment securely initiates HTTPS requests via tunnel
Secure Reception: On-premises Lobster Bridge securely receives and authenticates these HTTPS requests.
Local Data Query Execution: Queries against databases or services are securely executed locally within the protected on-premises environment.
Encrypted Response: Responses are securely transmitted back to the cloud environment using encrypted HTTPS communication channels, completing the secure data exchange loop.
Bridge Registry
The bridge registry is considered the part of the API server where bridge configurations are stored.
Certificates:
Both platform and bridge have their own public certificate and private key. The private key never leaves the system on which it was created; the certificate is uploaded to the bridge registry. To avoid misunderstandings, terms like "local" and "remote" are avoided because they depend on the point of view. Instead, the two are called bridge certificate and platform certificate.
If you configure AS2, the partner certificate is always the public certificate of the respective remote system. So in the case of the platform it would be the bridge certificate, and vice versa.
Configuration and Installation
Creating a bridge configuration in the platform
technical
Platform (Cloud)
registers a new bridge configuration at the registry with id and secret
creates its own certificate and private key in the process and uploads the public certificate part to the registry; both are also stored locally
can download the bridge certificate from the registry
Bridge (Customer)
user enters the bridge id and secret; these credentials are used to get access to the bridge configuration on the API server
checks if the bridge exists on the registry and reads the gateway host address (for later use, when it could be possible to provide more than one gateway for specific customers, load balancing purposes, ...)
reads the platform public certificate from the bridge registry
creates the bridge certificate and private key and uploads the public certificate part to the registry; both are also stored locally
starts the tunnel to the gateway host
For every bridge the specific bridge configuration must be created in the corresponding platform.
user
Navigate to Configuration → Connections → Bridge Connections.
Add a new Bridge (choose any Partner).
Make a note of the password; it cannot be changed and will not be shown again.
Download the bridge package with the button in the upper right corner or from the Update Center.
Installing Lobster Bridge
On your local system:
Unzip the Lobster Bridge Installation package (e.g. “Lobster_bridge_2025_05_05.zip”) at the desired location.
Edit environment variables HUB_HOME and JAVA_HOME in the corresponding configuration XML file, example below
Windows: $INSTALLATION_DIRECTORY$\bin\hubenv.bat
Linux: $INSTALLATION_DIRECTORY$/bin/hub.sh
rem Please insert LobsterBridge directory path
set HUB_HOME=D:\lobster_bridge
rem Please insert java home path
set JAVA_HOME=D:\openjdk\jdk-11.0.26+4
Starting Lobster Bridge
Windows:
$INSTALLATION_DIRECTORY$\bin\hub.bat
Linux:
$INSTALLATION_DIRECTORY$/bin/hub.sh
When the bridge has started, open the URL https://localhost/bridge in a browser to start the configuration wizard.
The initial login credentials are user: "admin" and password: "admin"
Now follow the steps by clicking the "Next" button in the lower right corner.
Creating the bridge admin user
Enter the bridge id and password from the platform
You can copy the bridge ID from the context menu of the bridge configuration in the platform. The password is the one you submitted while creating the bridge configuration.
Handling the tunnel certificates
Create the bridge certificate and upload the public key to the bridge registry
Download the public key of the platform certificate from the registry.
Configuring AS2 if needed
"Local AS2-ID": this has to match the "Partner Id" on the platform side
"Partner ID": this has to match the "Own Id" on the platform side
"Partner Address": Enter the platform endpoint address for AS2 (no bridge uuid here), e.g. https://platform.lobster.cloud.com/partner/AS2Retrieve
Finishing the installation
Finish the initial configuration and log in with the created bridge user.
If you change anything in "Bridge Credentials" or "Certificate Management", restart the tunnel to the gateway server.
Gateway Tunnel connection status icon:
"red": if there is no connection to the gateway
"blue": if the connection to the gateway is established, but the platform did not initiate a tunnel connection.
"green": The gateway is connected and the platform has used the tunnel connection (JDBCTunnel, ETL, AS2 or the "Bridge connection" view is updated)
Platform
Update the bridge information on the platform
Now that the bridge configuration is created and the bridge setup is complete, you can go back to the platform.
Navigate to “Bridge connection”, then click on “Fetch data from Bridge Registry” in the context menu of the bridge entry.
The bridge icon should turn green after some time.
The bridge setup is now complete. The tunnel can now be used for JDBC, ETL or AS2.
Platform AS2 Configuration
To configure an AS2 channel on the platform side, enter the following parameters in the channel settings:
"Own Id (Me towards partner)": this has to match the "Partner Id" on the bridge side
"Partner Id (Partner towards me)": this has to match the "Local AS2-ID" on the bridge side
"Partner Address": Enter the gateway tunnel endpoint address for the bridge: https://<GATEWAY>/bridge/<bridge-uuid>/<AS2Endpoint>, for example "https://bridge.lobster-cloud.com/bridge/8cd11114-a05b-4950-a7ac-a5be60692830/BusinessConnector/AS2Retrieve"
"Local certificate (encryption)": Choose the local platform certificate for the configured bridge
"Partner certificate (encryption)" and "Partner certificate (TLS ClientAuth)": Choose the imported bridge certificate (in "Bridge connections": context menu "Fetch data from Bridge Registry")
"Further AS2 Settings": enable "send signed", "send encrypted", "receive signed" and "send signed"
Platform: JDBC Tunnel setup
Configure a database connection
Configure a JDBC database connection on the platform that uses the tunnel to connect to a database on the bridge side. In the platform, navigate to “Configuration - Databases/Connectors”. Add a new entry and choose “Create DB Connection on Lobster Bridge”. Choose the bridge and enter the database parameters for your local database.
This creates a database entry on the bridge. The connection can be tested with the context menu “Connection test”: