Connectware Technical Overview

Jari Krützfeldt 2018-09-21

Prerequisites

This lesson requires basic knowledge of

Introduction

The Cybus Connectware is a general and extensible on-premise data gateway that connects different devices, provides data for local systems and cloud based back-ends and makes data exchange transparent and secure. The components of the Connectware include a data broker, a device mapper for shopfloor connectivity, a management and security layer, as well as a runtime environment for microservices which allows the integration into IT environments, running local preprocessing (e.g. anonymization, filtering, reasonability and signatures) and implementing a buffering strategy in case of cloud connection loss.

Connectware Overview

The Connectware connects to the different devices by dedicated connectors (e.g. OPC UA, Modbus-TCP) that run as part of the Device Mapper in the Connectware. By its microservice and API architecture the Connectware supports the option of adding connectors to other devices as well. And being a modern enterprise-grade IT solution based on Docker, the Connectware is suitable to run on either a data center infrastructure or standalone computers.

Connectware Overview

Let's get started with an overview of the Connectware architecture and its components. The Connectware has a microservice architecture in which the single modules work together to form a microservice cluster - creating the Cybus Connectware. The microservice architecture based on Docker containers uses these integrated modules instead of one large application. Using the microservice approach has several benefits, including the ability to easily scale individual modules and/or the entire application. It also allows the possibility to use third party applications, different databases and even different programming languages in one application. Furthermore the microservice architecture makes the extension of the Connectware functionality a straightforward task by simply integrating additional dockerized modules, so called Services, either from a Service vendor or by developing own Services based on individual needs.

Connectware Architecture

In the following we will explore the Connectware architecture more closely by following an example in which we will add the needed software components to the Connectware one by one. We will start with a shopfloor full of data and a cloud to which we want to forward our data to - but no means of a connection between them. So the question is how are we transferring our data out of the factory, into the cloud, in a controllable, extendible and secure way?

Architecture 1

Establishing a connection

First of all we need to start by establishing a connection between our shopfloor and the cloud application. See the following image to get an overview over the components that we will add in this section to archive this goal.

Architecture 2

Data Broker

In order to manage and use any of our data, we need to add one central place to the Connectware in which we can easily access the data - we could call it a data focal point. This single data hub gives us easy access as well as easy control over all data since all data needs to pass through this central hub. Of course this also means we need to have a Data Broker that is stable, maintainable, scalable, reliable and secure. Further we need to choose a transmission protocol that is widely used and accepted and able to handle large data flows.

The solution is to use MQTT, a standard, lightweight publish-subscribe messaging protocol on top of TCP/IP that is widely used in IoT and industrial applications. The Connectware uses a high-performance, distributed MQTT broker which scales horizontally and vertically to support a high number of concurrent publishers and consumers while maintaining low latency and fault tolerance.

So the MQTT Data Broker is the central data hub through which all data passes. Let's now start connecting our shopfloor to the Data Broker!

Device Mapper

How do we get our data from different machines talking different protocols to the Connectware Data Broker? That’s where the Device Mapper comes into play. The Device Mapper uses a mapping scheme that translates various protocols to a unified MQTT/JSON API and handles the device connection management. Each device represents a specific connection to the shopfloor which maps datapoints from various protocols to MQTT. Data mappings are defined in a text-based, human and machine readable YAML file called Device Commissioning File. To learn more about the configuration and usage of devices see the Device Basics Lesson lesson.

Now the MQTT Data Broker is fed directly by our devices from the shopfloor via the Device Mapper. The next step is to forward the data to our application.

Single Entry Point

The Connectware, which is run on-premise, needs to forward data to local as well as cloud applications. Therefore we need to have an access point through which the Connectware can talk to the outside. Here again, it is a good practice to have one place that all the data needs to pass instead of multiple open connections that all need to be monitored. The Connectware makes use of a Single Entry Point (or more technical Reverse Proxy) which bundles all incoming and outgoing connections to one point and forwards data to whom ever they need to be routed. Thus, to the outside the Entry Point abstracts the different microservices to one single access point. The same applies to the microservices from inside the Connectware that only need to know one point to talk to when wanting to connect to the outside and forward data. Using a dedicated and high performance Reverse Proxy one can easily control all connections at this point, making a secure internet access easily possible.

Adding Logic - The Services Cluster

At this point we are collecting data from our shopfloor and are able to forward this data to applications outside of the Connectware. The Connectware itself however is very well capable of applying logic to the data before forwarding it. Preprocessing the data directly on-premise and for example leaving sensitive data out from being forwarded to the cloud is just one use-case of many. This preprocessing logic is were Services are used.

Architecture 3

What is a Service?

While the Connectware allows to individually perform all settings (like managing grantees, setting permissions, starting containerized applications, etc.) the idea of Services is to bundle all these activities into a single point of configuration and execution. Services are usually built for a specific task and context. They bundle required Docker containers with user/permission management in a easy to handle and shareable package.

How are they configured?

The Service configuration is done via a Service Commissioning File - a YAML based text file similar to the Device Commissioning File. The installation process is simply done by feeding the Commissioning File to the Connectware, upon this action the Connectware will review and display all the configurations that the specific Service wants to create or consume and one can decide whether or not to grant this permission to the Service (think Google Maps wants to know your location) . If all permissions are agreed to then the Service will be deployed. This practice puts you in charge of your data and keeps sensitive data from leaving the factory borders.

How are they deployed?

The Connectware deploys a Service within the Connectware to a Service Cluster an encapsulated Docker based runtime for external applications orchestrated by the Connectware's Service Management. It downloads the required Docker containers, ensures that the applications are integrated into the Connectware, that the applications have suitable data access, that the applications have the right permissions for accessing required data, and of course ensures that applications cannot access data unless specifically allowed.

Service Uses

Services can have a wide variety of different uses on the Connectware, from data storage, preprocessing and applying logic to data on-premise prior to e.g. forwarding it to external applications. Services can also serve front-ends (visualizations, dashboards, etc) that can be used to access and control Services from the outside.

To learn more about the configuration and usage of Services see the Service Basics lesson.

Adding Control - The Management Cluster

We are now very far in our journey of getting data out of our shopfloor. We have a Data Broker which is able to receive and forward shopfloor data and we have a runtime in which we can individually process the data. Now let's add management and security to it!

Architecture 4

What does the Management Cluster do?

The Management Cluster is concerned with managing the Connectware by providing the following:

  • Data overview
  • Supervising orchestration of services and devices
  • Managing access control and identities
  • Providing logging capabilities.

How does it do it?

Managing the Connectware is done through a modern web application through which the entire software can be configured. Here you can manage users, manage active services, manage active devices through a graphical user interface. All features of web interface can also be accessed through a REST API.

Once an client is ready to read or write data tasks like client authentication (through tokens, certificates and pre-shared passwords) and access control (who is allowed to read and write to what) are handled here. Access control is established via a simple, yet powerful control layer that handles read and write access on API endpoints and on the MQTT data broker. If required Identity management can also be coupled here to directory services like Active Directory.

The Connectware also has a dedicated log database for all system components and Service applications events. The logs can be viewed and queried via the web application. The log messages can also easily be integrated into external log management systems like ElasticSearch or Splunk.

Summary

We started out with an overview over what the Cybus Connectware is and how it's microservice architecture is beneficial. Then we tried to answer the question of how we can actually use the Connectware to connect our shopfloor to various applications. We could transform our initial connection problem into a sustainable and extensible solution.

Architecture 5

Now we know why the Connectware is such an easy to use and secure tool to connect any device to any application and maintaining full data sovereignty.

Going further

This lesson gave overview over the basic Connectware architecture and functionality. In the following lessons we will dive way deeper into the Connectware and it's components, explaining how to connect devices, how to use and build Services yourself, how to manage the Connectware and much more! Lessons, beside the ones mentioned in this lesson, are: