External automation services security considerations

You can use business automations (automations) that are external to Cloud Pak for Business Automation. Before you create and call these external automations, review the following security considerations.

There are two phases to be aware of when you think about external automation services in relation to security. There’s a development or authoring phase, where you discover an external automation service, connect to the external endpoint, and add that service from an automation or business application (application) that you’re authoring. Then, there’s the runtime or production phase, where the automation or application that you authored is deployed and running in a staging or production environment, calling that external automation service to provide some sort of automation capability.

Authoring phase

  • The external automation service, which is created outside Cloud Pak for Business Automation, uses a separate user registry.
  • When you publish your external automation service in Business Automation Studio, which is the step that allows you to add that automation service to your application, for example, you create a connection to the server where the external automation is running. The connection requires the credentials that are specific to that external server.
    Note: By default, these credentials are shared by everyone within Cloud Pak for Business Automation who needs to access the specific external automation service. Consider creating a unique client user in the external system to manage this shared access.
  • Here’s a basic example. You are authoring your application in Cloud Pak for Business Automation. Your app calls an external automation service from IBM Business Automation Workflow. It is the automation service engine that calls the external system. The call is made with the shared credentials that were provided when you published the external automation service in Business Automation Studio.

Production phase

  • To use your automations or application in a production environment, you deploy them to IBM Business Automation Navigator. IBM Business Automation Navigator is part of Cloud Pak for Business Automation.
  • In the basic example, your application is deployed to an application engine, and that application engine is communicating with an automation service engine. The automation service engine is responsible for automations that are created in Cloud Pak for Business Automation and connections to external automation services.
  • During authoring, you configured an application that calls an external service, which would use the shared credentials for the external automation service.
  • If the shared credentials change on the external system, you must update those credentials in Business Automation Navigator. Otherwise, you might encounter connection errors. This also applies when you update the endpoint and credentials for staging or production environments. For more information, see Managing external automation services.