Professional Documents
Culture Documents
Overview
Cloud Application Integration
June 2019
ABOUT INFORMATICA
A
Digital transformation changes
B our expectations: better service, faster delivery, greater
convenience, with less cost. Businesses must transform to stay relevant. The good
news? Data holds the answers.
As the world’s leader in enterprise cloud data management, we’re prepared to help you
intelligently lead—in any sector, category or niche. To provide you with the foresight to
become more agile, realize new growth opportunities or even invent new things. With
100% focus on everything data, we offer the versatility you need to succeed.
We invite you to explore all that Informatica has to offer—and unleash the power of
data to drive your next intelligent disruption. Not just once, but again and again.
2
Table of Contents
Overview ..............................................................................................................4
Connectivity ........................................................................................................16
3
Overview
The Cloud Application Integration (CAI) Service, a component of Informatica Intelligent Cloud Services
(IICS), an iPaaS, provides the means for customers to:
Functional Capabilities
The CAI service carries out a number of business functions using orchestration as the primary means to
implement request/response interactions between service consumers and providers that interact with it
in a synchronous and asynchronous manner to carry out a number of functions. These functions are
summarized as: application integration services, service implementation and management services,
and process automation services.
• Integrate applications in real time • Create business, composite and data • Implement and run business process
using orchestration, APIs and services applications
messaging to propagate data • Expose these services as REST, SOAP • Externalize process logic and business
from one data source to another or OData APIs to applications, lines of rules outside of application code
• Supplement bulk data set businesses and partners • Support business processes that span
processing with interactive API- • Make APIs discoverable applications
based data propagation
• Monitor API execution • Provide users with automated guided
• Manage and control API usage workflows with contextual and
interactive access to data
4
Application Integration Services
Application integration services are used to perform two primary functions
• Data Propagation – the propagation of data in real time that arrives via API or as data feeds of
events over messaging topic or queues
• Event Processing – the processing of event data from sources such as file arrivals
• Integrate partners - Expose APIs to partners and internal lines of business share data
• Support applications - Expose backend APIs to support a Web portal service for membership
management and payment processing
• Data services - Expose data as a service via OData allowing 3rd party system access without
having to replicate it
5
ownership within IT and for business users, made faster changes to business logic,
accelerated development and lowered the cost of the introduction of new products.
Success stories are available on the CAI community site at this location.
Informatica’s cloud application integration capabilities are ideally suited for service-oriented integration
when you need:
• Screenflow for user task automation, workflow and interactive access to data
• The ability to perform content-based routing, transformations to or from XML and non-XML
types, and decryption/encryption, signature validation and authorization amongst other
capabilities
6
The platform’s architecture makes it ideally suited for hybrid, event-driven integration such as depicted
here. This depicts the deployment of services
SOAP, REST,
JSON, XML,
OData Cloud Process
API Gateway Service
Cloud
Applications
SOAP, REST,
JSON, XML,
OData Agent Process
Server
Once deployed to the Cloud, on premises or both, requests flow via one or more processes based on
the business process application’s design and deployment definitions of the processes and
connections.
Data Services
REST APIs
Queues / Topics
API
Gateway
Data and OData Business Processes
APIs
Data
Gateway, REST, SOAP, Processes can
Manager, OData APIs be composed Data Hub
Portal,
Registry
3rd-party and
customer-facing APIs
Provide: Synchronous and Async Services
Consumes: Synchronous and Async Services
Processes consume and are consumable
The business process application, defined by a set of orchestrated business services, composite
services (themselves processes or of other implementation types), or application services carry out as a
whole the means of performing order processing as depicted here.
7
Components of the Service
IICS’s Cloud Application Integration (CAI) services lets customers expose business services at Cloud or
on-premises service endpoints that are accessible via REST (XML/JSON – the server receives either
formats, and the content-type HTTP header is used to control what the server responds with or sends),
JSON/RPC and SOAP, and as message-oriented services and consumers. This section describes the
components of CAI’s service-oriented architecture, including the Cloud Process Server, the Cloud
Secure Agent’s embedded Process Server, and the technologies and capabilities of this platform.
Process Server
Process Server is a runtime and process management engine that scales to meet the needs of the
cloud and enterprises of any size. Execution is carried out by Process Server. Process Server provides
several sophisticated features to ensure business continuity and can be deployed as a cluster in failover
mode to ensure high availability.
When deployed within the Cloud Application Integration Service, Process Server is used to securely
partition users into discrete tenants, or IICS Organizations. With this multi-tenant architecture, each
IICS Organization (or tenant) shares hardware and software resources but has its own private and
secure access to CAI’s Process Server.
Process Server has been built to support non-stop operation of composite business applications. You
can:
Process Console is used carry out these functions and configure Process Server.
Process Console
The Process Console provides a central location from which to manage and configure Process Server
instances and its deployed resources whether in the Cloud or embedded within the Secure Agent.
Process Console provides means to schedule processes and deploy new or updated processes.
Process Console provides tenants the means to perform root cause analysis if a process exception
occurs and take corrective actions. Process rewind – a process exception management feature -- offers
the ability to visually rewind a process to a specific activity and redo the work without having to invoke
any of the built-in compensation logic, giving organizations unprecedented flexibility in managing and
running in-flight processes.
Process Designer
Cloud users demand an easy to use web interface for creating their integrations and automating
processes. Process Designer provides unparalleled ease of use for citizen developers to create and
deploy processes to the Cloud’s and Secure Agent’s Process Server. Process Designer is intended to
be used by a technical power user – an automation designer - who may or may not be a developer but
knows the business processes and services used to accomplish them. This designer is designed to be
easy to use yet powerful and expressive to create any business process. The core design tenet: simple
things should be simple, hard things possible.
A key guiding principle behind the Process Designer is ease of use. This is exemplified by feature that
frees the user from the tedium of having to lay out process activities by hand. Instead, steps are
automatically linked together for the user. Users can select from a variety of step types such as
Decisions, Service steps, Parallel Paths and iteration constructs to accomplish their process. If a user,
for example, creates a Decision step with multiple possibilities, branches will then automatically be
created for those possibilities. The same is true of Parallel Path steps, which creates parallel branches
on the canvas that correlate with the desired parallel activities to be performed. When done, the user
simply saves and publishes the process definition, and the service is automatically created, deployed
and ready to be invoked as a REST (XML/JSON), a JSON/RPC and a SOAP service. No other vendor
has this type of capability or can claim this level of ease of use.
Creating a Service Definition to invoke from a process is as simple as using a form to specify
input/output parameters, endpoint information, test connection information, and then saving and
publishing the service connection. Once saved, the service definition is automatically incorporated as
part of the services that can be used in the process and others that want to consume this definition.
Swagger, WSDL/XML Schema and OData introspection documents are automatically created for users.
9
To satisfy data integration orchestration needs, a specialized version of Process Designer is offered
that provides the means to orchestrate Data Synchronization, Mapping Configuration Templates and
others. Customers benefits from the ability not only to serialize and handle errors in a resilient manner
but also to process for example data ingestion in parallel or conditionally.
Process Developer
Development teams must often work on multiple projects including Java, service-based development
and orchestration. They shouldn’t have to necessarily adopt a new development tool each time they
switch between projects. For this purpose, Informatica also offers Process Developer, a rich Eclipse-
based IDE intended for developers that incorporates the BPMN and BPEL standards. Its optimized and
easy-to-use features make it easy for developers to create business process applications quickly. And
because these applications are based on industry standards, enterprises' business logic is freed from
proprietary orchestration engines. Process Developer can help you in the following ways:
• Makes it easy for architects and developers to work collaboratively with business analysts. It
achieves this by offering as a notation BPMN for modeling and implementing business
processes. Process Designer makes use of BPMN notation also.
• Exposes the full power of BPMN, enabling designers to control every aspect of the diagram.
Process Developer promotes modeling best practices while being significantly easier to use.
Structured activities can be dragged and dropped from a palette onto the canvas, significantly
reducing the amount of time required to model a BPEL process.
• It allows users to perform service discovery and provides the ability to manage service
references to help users deal with changes of service definitions.
• It orchestrates services defined using WSDL interfaces. Or, it allows designers to start with
XML schema or XML fragments if this is all that is available to start with.
• It incorporates non-web service-based assets through a Web Services Definition Language
(WSDL) interface façade, enabling designers to leverage existing JMS, REST (XML/JSON),
JSON/RPC and Java-based assets. As such, these are used as if they were services, each
having a distinctive binding.
• It simulates processes locally or by using remote debugging, allowing designer to save
simulations and test data, which can then be used to generate unit tests and test suites to
perform scenario testing.
• It uses wizard-based deployment to execute new orchestrations and updates to the Cloud
Process Server or the Secure Agent’s Embedded Process Server.
10
Communication between the Secure Agent and IICS is carried out through a Secure Channel that the
agent initiates. This is depicted here as an example of how the Secure Agent facilitates data integration
between a local database and Salesforce CRM and Force.com.
The Secure Agent that is used for data integration is the same as the one used for service and
application integration. When licensed, Process Server is automatically installed on the Secure Agent.
The Process Server deployed to the Secure Agent is built on the same technology that runs in the cloud
service in multi-tenant mode. This provides customers the ability to deploy process contributions to the
cloud or Secure Agents.
Communication between the Secure Agent and IICS is carried out through the Secure Channel that the
agent initiates. This is depicted here as an example of how the SA facilitates data integration between a
local database and Salesforce CRM and/or Force.com.
11
Customer that license the Cloud Application Integration Service are provided with the ability to deploy
processes to CAI in the Cloud and on Premise to a Secure Agent’s Embedded Process Server. The
Secure Agent is the same used for data integration than that used for service integration. The only
difference is the addition of the “Process Server” package that gets downloaded automatically by the
secure agent when CAI is licensed as depicted here.
The Secure Agent can be installed in different configurations. For data integration payloads, a Cloud
Runtime Environment is offered to process data integration payloads by infrastructure managed by
Informatica. When hosted by customers, agents can be grouped as Agent Groups to process in round-
robin manner data and application integration workloads across agents of a group. Customers can also
12
cluster Process Server instances of an Agent Group to provide a high-availability and fault-tolerant
configuration. Clustering should be considered when processing long-running processes. This typically
calls for automatically failing over process instance to another node in the event of a failure of a node.
Deployment
Process and connections definitions are deployed to Process Server on Cloud and on premises on the
Secure Agent. When deployed to an agent, they are deployed to all agents that are members of an
“Agent Group” or these definitions are deployed to specific agents. Certain definitions intended to be
global get deployed to Cloud and Secure Agent instances.
The following screenshots depicts the selection of where definitions are deployed and run on, thus the
use of the term “Run On”.
13
“Run On” simply implies where something is deployed and will execute. The CAI service uses this
deployment information to communicate to the agent.
Calls from the CAI service to the Process Server on the Secure Agent can only be carried out via the
Cloud Process Server through a mutually authenticated session to ensure fully-secured access to on
premise systems. A mutual authenticated session is established using mutual TLS for securing the
channel. This provides a means of ensuring that subprocess/process/service calls are initiated within
Informatica’s trusted domain of services.
When a process or a connection on the agent needs to be accessed by a Cloud Process Server
process instance the communication is carried out on behalf of a Cloud process via a mutually
authenticated server-to-server session. The caller is impersonated such that it can be authenticated on
the services being called.
14
Cloud Process Server Connectivity:
• Web Services: REST, SOAP, OData
SOAP (XML)
REST (JSON, XML)
OData Cloud Process
API
Gateway Service
Cloud
Multi-tenant Applications
Service
Cloud-based Design,
Deployment and
Management
API and Application
Integration
Single-tenant
Service Applications
SOAP (XML) Agent Process Server Connectivity:
REST (JSON, XML) • Web Services: REST, SOAP, OData
OData Agent Process
• Database: JDBC and the Data Access Service
Server • Messaging: AMQP, JMS, Kafka, RabbitMQ, AWS
Data SNS/ SQS, Azure Service Bus / Event Hub,
Salesforce Platform Events
• Content Listeners: File, FTP, AWS S3
• Java Pojo Invocation
• Shell Service
• SAP BAPI and other connectors
Services and
Microservices
Invoking Cloud-based SaaS services (for example, Salesforce or NetSuite) employs the security
mechanism offered by that service such as a HTTP Basic Authentication, JWT (JSON Web Token)-
based authentication, OAuth v2, or SOAP endpoint’s WS-Security username token (among others). The
Service Connector framework is open and can be used to authenticate to proprietary schemes (e.g.
AWS authentication). Invoking services on premises is performed via a secure channel between a
process instance running in IICS’s CAI Process Server and an agent-based Process Server. Calls from
IICS to the Secure Agent can only be carried out via the Cloud Process Server through a mutually
authenticated session to ensure fully-secured access to on premise systems.
REST (XML/JSON) or JSON/RPC services exposed by customers are secured using HTTPS Basic-
Auth or handled by third party OAuth providers. As is the case for Cloud-based deployments, the
Service Connector framework is open and can be used to authenticate to proprietary schemes (e.g.
AWS authentication). SOAP services exposed by customers are secured using Basic-Auth at the
HTTPS layer. Additional forms of authentication are available via WS-Security in the form of WS-
Security tokens. The Username, X.509, and SAML token formats are supported.
Based on its process definition, the Cloud Process Server receives and invokes service consumers and
providers deployed to the Cloud. It also processes requests destined to on-premises service providers
and responds synchronously to these using the HTTPS over TLS connection established by the service
consumer.
Cloud to Secure Agent communication is performed using a Secure Channel created by the Secure
Agent’s Channel Service. Calls from IICS to the Secure Agent can only be carried out by IICS through a
mutually authenticated session.
Customers deploy process definitions and manage process instances from the Cloud Application
Integration Process Console. Process administrators log in as a tenant and are granted access to
tenant-specific data and configuration information. The same console used to access process
definitions running in the cloud is used to access process definitions running on Secure Agents.
15
Access to the Process Console provides customers access to transient data flowing through IICS. This
provides customers access to variable data (for example, inputs and outputs to the process and
services calls) of running process instances and completed or faulted process instances.
Process Console access to deploy process definitions or access to process instances are secured by
an Informatica Intelligent Cloud Services (IICS) username and password that customers manage in the
IICS user and group store. SAML support is also offered.
• Synchronous request/reply
• One-way fire and forget
• Asynchronous request/reply
• Publish and subscribe
• Reliable SOAP message delivery with WS-Reliable Messaging
Connectivity
Customers making use of Process Designer benefit from rich connectivity options ranging from:
Service Connectors
• Allowing customers to build REST (XML/JSON, JSON/RPC or SOAP service integration using
a simple form. If the service offers a WSDL or Swagger interface document, the Service
Connector can be created by importing the interface document.
• Allowing customers to import and configure a pre-built business and data service definitions as
reusable assets.
• We make available over 250 samples on GitHub for customers to get started with
• Provides customers with JDBC, OData, SAP BAPI, Workday and NetSuite capable of a variety
of CRUD operations. Most customers employ Service Connectors for use with Workday and
NetSuite for added flexibility.
Messaging Services
• Built-in JMS, AMQP, AWS SNS/SQS messaging services for queue and topic processing,
Salesforce Outbound Messaging/Platform Events/Push Topic, Azure Service Bus, Azure Event
Hub, Kafka
16
• File listeners that contain data sets or discrete events that arrive on the file system, AWS S3,
FTP/s, and the ability to generate and transfer file content to these targets.
• Built with Process Developer by developers, Service Steps (also known as Automated Steps)
create reusable services directly consumable by Process Designer. These make it possible to
expose native Java integration amongst others uses.
Built-in Services
OData Provider
• A built-in OData Provider depicted here that enables OData access to internal data sources
such as those available via JDBC and Salesforce. This makes it possible for OData clients
such as Salesforce Lightning Connect and OData clients to access OData streams over the
Web and on premises.
17
Transport Level Security
The following ciphers are currently enabled exclusively for TLS usage. SSL is not allowed.
Within the repository, a BPEL process encrypts the field values subject to encryption using a Tenant
key before the field is persisted to the DB.
When publishing artifacts to agents, the connection information is sent down to the agent. To do this,
the publish process first reads connection information (stored as XML) from the DB. For any field
marked as encrypted, the publish process decrypts the field using a Tenant key and sends the
decrypted xml information to the Agent over TLS 1.2. When received by the Agent, the field is re-
encrypted (applying same procedure) before it is persisted to local storage. The ICS (Agent) crypto
components are used for this purpose.
When exporting connections, any encrypted data is removed from the exported documents. After
importing the connection artifact, the customer will need to provide credentials.
Cloud-based Crypto
Symmetric encryption / decryption is employed in using a configurable server-side secret as the key.
There is a primary server key for use by the server for server-based encryption, and tenant-specific
keys for use with tenant data. Both utilized the same algorithm and ciphers, but the secret used to
create the key is different.
Server Secret: At the server level, the secret is based on a system property or originates from a
database-resident value.
Tenant Secrets: For each tenant the secret is generated when the tenant is created. It is a random
UUID. This tenant’s secret is then encrypted using the server key and stored in the database within the
tenant’s context (i.e. this is tenant data). On startup, this value is read by the server from the DB, it is
18
decrypted, and kept in memory to be used tenant data encryption/decryption. Tenant keys are managed
by the IICS KMS microservice.
Agent-based Crypto
For Process Server on the agent, data such as connection passwords are stored in the same manner
as it performed within the Cloud – it is the same implementation with the exception that tenant based
keys are provided by IICS.
Authentication of users is carried out by Salesforce and an SSO session is established and maintained
using Salesforce session tokens. CAI does not offer the means for a customer to authenticate to it,
rather authentication and authorization is performed by Salesforce. The session tokens obtained from
Salesforce are used in SOAP API calls. SSO and SOAP API calls depicted below are secured via
certificate-based mutual authentication (client & server) over an HTTPS session using TLS between
Salesforce and the Cloud Application Integration Service. This is a form of multi-factor authentication.
CAI integrates with Salesforce via Salesforce’s Enterprise WSDL-based service as depicted here.
19
CAI is comprised of Salesforce objects, pages and corresponding supporting classes and components.
Salesforce sections within Salesforce objects (created by end user admins) are used to contain pages
served up by CAI’s Process Server via iFrame integration with Salesforce. Screenflows managed by
Process Server are shown to the user. Web service calls that result from user interaction create and
update Salesforce record using the identity of the user running the screenflow. This is achieved via
impersonation.
CAI uses a combination of the Salesforce Session ID and a SSO token that is submitted from a
Salesforce page component. The security token is generated in Salesforce using an Apex class. The
class implements the generation of a security token that can be used to sign in to Process Server
shown above.
This class:
1. Generates an encrypted security token using the OrganizationId, UserId and current date. The
encrypted token is submitted by a Sales Guide section component. SSO is handled by posting
to the Process Server Custom SSO Provider URL with the security token appended as a URL
parameter.
2. The Custom SSO Provider service will use the token and make a call back in to SFDC and
decrypt the token using the AeVerifySalesforceUser class. If the token is valid the isValid field
is set to true and the userName and displayName fields are set.
20
Handling of Customer Data
The Cloud Application Integration service retains and destroys customer data and metadata for a
period. The CAI service holds transient data that has been provided by the customer in memory and on
disk (where it is encrypted) for process instances that are in Running or are in Completed or Faulted
state (and has not yet been purged). The CAI service purges completed instances on an hourly basis.
The retention for Completed (processes that have completed successfully) and Faulted (processes that
have completed either with an uncaught fault) processes are 24 and 72 hours respectively for Cloud-
hosted processes. Customers have the ability to control retention periods on the agent-based Process
Server.
The Cloud service’s file systems that hold transient data in databases are encrypted. These encrypted
file systems reside on management, databases servers, and the file system volumes used to host
backups.
Running instances are maintained running until they reach Completed state or are terminated by a
customer. The customer is responsible for terminating Running or Suspended processes instances as a
means of removing transient data. He/she can then delete all running process instances. Otherwise,
these will be purged on an hourly basis when Completed process instances at the end of the 24-hour
retention period.
Worldwide Headquarters 2100 Seaport Blvd., Redwood City, CA 94063, USA Phone: 650.385.5000, Toll-free in the US: 1.800.653.3871
IN09_1217_3407 www.informatica.com linkedin.com/company/informatica twitter.com/Informatica
© Copyright Informatica LLC 2019. Informatica and the Informatica logo and are trademarks or registered trademarks of Informatica LLC in the United
States and many jurisdictions throughout the world. A current list of Informatica trademarks is available on the web at
https://www.informatica.com/trademarks.html. Other company and product names may be trade names or trademarks of their respective owners. The
information in this documentation is subject to change without notice and provided “AS IS” without warranty of any kind, express or implied.
21