Private Bridge Gateway


It is possible to run your own private Bridge Gateway. A DMZ Server can be used for this with some additional configuration in startup_dmz.xml:

gatewayBaseEndpoint: the URL to which the platform sends its requests for bridges. It must be reachable from the platform instance and must be served over SSL.

gatewayHost: the host and port the Bridge connects to in order to establish a tunnel.


startup_dmz.xml
<Call name="addApplication">
  <Arg>
    <New class="de.lobster.scm.dmz.bridge.BridgeGatewayServerApp">
      <Set name="logLevel">ALL</Set>
      <Set name="tunnelServer">
        <New class="de.lobster.scm.dmz.transport.NioTunnelServer">
          <Set name="tunnelBindAddress">0.0.0.0</Set>
          <Set name="tunnelPort">8444</Set>
        </New>
      </Set>

      <!-- Endpoint must match the http server to be accessible from the platform instance -->
      <!-- SSL must be configured and enabled in etc/admin.xml -->
      <Set name="httpServerName">Administrative Server</Set>
      <Set name="gatewayBaseEndpoint">https://dmz.fancy-customer.de:9000/bridge/</Set>
      <Set name="gatewayHost">dmz.fancy-customer.de:8444</Set>

    </New>
  </Arg>
</Call>
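The two comments in the snippet state requirements that are easy to get wrong when the file is edited by hand: the endpoint has to be served over SSL and the gatewayHost has to point at the port the tunnel server actually listens on. The following checker is an added example and not part of the Lobster product; it parses the Jetty-style <Call>/<New>/<Set> XML above (wrapped in a root element so it is well-formed on its own) and reports inconsistencies. It assumes the tunnel is reached directly, without port translation in front of the DMZ server; if a NAT maps a different external port, the port check below is a warning rather than an error.

```python
"""Consistency check for a startup_dmz.xml Bridge Gateway configuration.

Added example, not Lobster code. Checks the properties the comments in
the configuration snippet require: an https gatewayBaseEndpoint and a
gatewayHost whose port matches the tunnel server's tunnelPort (assumes
no port translation between Bridge and DMZ server).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the snippet from the page, wrapped in a root element.
SAMPLE_CONFIG = """<Configure>
<Call name="addApplication">
  <Arg>
    <New class="de.lobster.scm.dmz.bridge.BridgeGatewayServerApp">
      <Set name="logLevel">ALL</Set>
      <Set name="tunnelServer">
        <New class="de.lobster.scm.dmz.transport.NioTunnelServer">
          <Set name="tunnelBindAddress">0.0.0.0</Set>
          <Set name="tunnelPort">8444</Set>
        </New>
      </Set>
      <Set name="httpServerName">Administrative Server</Set>
      <Set name="gatewayBaseEndpoint">https://dmz.fancy-customer.de:9000/bridge/</Set>
      <Set name="gatewayHost">dmz.fancy-customer.de:8444</Set>
    </New>
  </Arg>
</Call>
</Configure>"""

APP_CLASS = "de.lobster.scm.dmz.bridge.BridgeGatewayServerApp"


def extract_settings(xml_text: str) -> dict:
    """Collect the <Set name=...> values of the BridgeGatewayServerApp block,
    flattening the nested tunnelServer settings into the same dict."""
    root = ET.fromstring(xml_text)
    app = root.find(f".//New[@class='{APP_CLASS}']")
    if app is None:
        raise ValueError("no BridgeGatewayServerApp application in config")
    settings = {}
    for s in app.findall("Set"):
        nested = s.find("New")
        if nested is not None:
            for inner in nested.findall("Set"):
                settings[inner.get("name")] = (inner.text or "").strip()
        else:
            settings[s.get("name")] = (s.text or "").strip()
    return settings


def check_gateway_config(settings: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    url = urlsplit(settings.get("gatewayBaseEndpoint", ""))
    if url.scheme != "https":
        problems.append("gatewayBaseEndpoint must use https (SSL is required)")
    if not url.path.endswith("/"):
        problems.append("gatewayBaseEndpoint should end with a trailing slash")
    host = settings.get("gatewayHost", "")
    if ":" not in host:
        problems.append("gatewayHost must be given as host:port")
    else:
        _, _, gw_port = host.rpartition(":")
        tunnel_port = settings.get("tunnelPort")
        if gw_port != tunnel_port:
            # Assumes no port translation in front of the DMZ server.
            problems.append(f"gatewayHost port {gw_port} does not match tunnelPort {tunnel_port}")
    return problems


if __name__ == "__main__":
    found = check_gateway_config(extract_settings(SAMPLE_CONFIG))
    print("OK" if not found else "\n".join(found))
```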

  1. DMZ Server shall be used as Bridge Gateway

    1. Configure startup_dmz.xml with gatewayHost and gatewayBaseEndpoint.

    2. When the DMZ server starts:

      • It looks up the gateway registry on the API server, using its installation id as the reference.

      • If a gateway registry entry exists, it checks whether the host configuration has changed and updates the entry if needed.

      • If no gateway registry entry exists, a new entry is created with a newly generated uuid as the gateway id. The entry holds:

        • the gateway URL (from the DMZ configuration)

        • the gateway UUID (generated automatically)

        • the InstId, taken from the DMZ license (1:1 DMZ to gateway)

      • The uuid is kept as a runtime variable inside the DMZ/gateway server (whether it is also persisted is left open here).

  2. Creating a new Bridge Registry entry on the platform

    1. The (inner) platform checks whether its own DMZ server(s) are configured as Bridge Gateways: it queries every DMZ server via the message service and collects the gateway information (uuid, host info, etc.) of each gateway server.

    2. If no own gateway server is found, only the public Bridge Gateway is presented.

    3. If own gateways are found as well, they are presented for selection (for example in a combobox, including the hostname) and one gateway must be selected. When the bridge registry entry is created, the id of the selected gateway is stored as the reference; no gateway hostnames or gateway URLs are stored inside the bridge registry entry. All gateway information is, however, still stored in the platform database, to avoid unnecessary requests to the API server.

  3. Bridge connects to the Gateway server

    1. The Bridge requests permission with its bridge id and bridge secret. The Gateway server checks with the API server that the credentials are valid AND that the gateway id stored in the bridge registry entry is its own id. Both checks must pass; a bridge with valid credentials that is registered for a different gateway is rejected.

  4. Platform connects to the Gateway server

    1. The tunnel and the other mechanisms remain unchanged (configuration data is either stored anyway or read in real time from the bridge configuration entry).

  • Customer Gateway/DMZ Server: the bridge endpoints should use the http server "Administrative Server" (only reachable from the inner platform).

  • Bridge registration:

    • The platform must query the Bridge Gateway id via message from its DMZ server(s).

    • Offer a combobox of gateways if more than the public gateway is available (the public gateway has a unique id).

    • The selected gateway id must be part of the register request.

  • The Gateway should have a "status" endpoint that returns HTTP 200 to show that it is healthy.


Bridge registry: stores the gateway id. The gateway endpoint and tunnel data are read from the gateway registry. If no gateway id exists, the endpoint URL and tunnel data are taken from the bridge gateway record (fallback).
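The following is an added example, not Lobster code, that models three pieces of the design described on this page in one place: the DMZ server's registration in the gateway registry on every start (step 1, keyed by installation id, reusing the existing gateway uuid and updating changed host data), the gateway's admission check for a connecting Bridge (step 3, credentials valid AND the bridge's registered gateway id equals the gateway's own id), and the platform's resolution of a bridge's gateway endpoint with the fallback described in the paragraph above. The registries are in-memory dicts standing in for the API server and the platform database; record field names and the class names are assumptions of this example.

```python
"""Gateway registry, bridge admission and endpoint resolution, simulated.

Added example, not part of the Lobster product. In-memory dicts stand in
for the gateway registry on the API server and the bridge registry in the
platform database; all field and class names are this example's own.
"""
import hmac
import uuid


class GatewayRegistry:
    """API-server side: installation id -> gateway record (1:1 DMZ to gateway)."""

    def __init__(self):
        self.by_inst_id = {}

    def register_on_start(self, inst_id: str, gateway_url: str, gateway_host: str) -> str:
        """Idempotent registration run on every DMZ start: creates the entry
        with a fresh uuid on first start, otherwise keeps the uuid and updates
        the host data if it changed. Returns the gateway id."""
        entry = self.by_inst_id.get(inst_id)
        if entry is None:
            entry = {"gateway_id": str(uuid.uuid4()), "inst_id": inst_id,
                     "gateway_url": gateway_url, "gateway_host": gateway_host}
            self.by_inst_id[inst_id] = entry
        elif (entry["gateway_url"], entry["gateway_host"]) != (gateway_url, gateway_host):
            entry["gateway_url"] = gateway_url
            entry["gateway_host"] = gateway_host
        return entry["gateway_id"]

    def by_gateway_id(self, gateway_id: str):
        for entry in self.by_inst_id.values():
            if entry["gateway_id"] == gateway_id:
                return entry
        return None


class BridgeRegistry:
    """Platform side: bridge id -> secret and gateway reference. Only the
    gateway id is stored, never its host or URL. The fallback fields stand
    in for the 'bridge gateway record' used when no gateway id is set."""

    def __init__(self):
        self.bridges = {}

    def create(self, bridge_id, secret, gateway_id=None, fallback_url=None, fallback_host=None):
        self.bridges[bridge_id] = {"secret": secret, "gateway_id": gateway_id,
                                   "fallback_url": fallback_url, "fallback_host": fallback_host}

    def credentials_valid(self, bridge_id: str, secret: str) -> bool:
        entry = self.bridges.get(bridge_id)
        if entry is None:
            return False
        return hmac.compare_digest(entry["secret"], secret)  # constant-time compare


def gateway_admits_bridge(own_gateway_id: str, bridges: BridgeRegistry,
                          bridge_id: str, secret: str) -> bool:
    """Step 3.1: valid credentials AND the bridge is registered for this gateway."""
    if not bridges.credentials_valid(bridge_id, secret):
        return False
    return bridges.bridges[bridge_id]["gateway_id"] == own_gateway_id


def resolve_gateway(bridges: BridgeRegistry, gateways: GatewayRegistry, bridge_id: str):
    """Endpoint URL and tunnel host come from the gateway registry when the
    bridge references a gateway id, otherwise from the fallback record."""
    entry = bridges.bridges[bridge_id]
    if entry["gateway_id"] is not None:
        gw = gateways.by_gateway_id(entry["gateway_id"])
        if gw is None:
            raise LookupError("bridge references an unknown gateway id")
        return gw["gateway_url"], gw["gateway_host"]
    return entry["fallback_url"], entry["fallback_host"]
```

A bridge whose credentials are correct but whose registry entry names a different gateway is refused by gateway_admits_bridge; this is the property that keeps a private gateway from tunnelling bridges that belong to another installation.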