Introduction
The STREAM Connect Agent is an add-on product for STREAM Cloud that enables customers to securely connect locally operated on-premise systems such as SAP, ERP, or other line-of-business systems to STREAM Cloud without complex network configuration. Setup and management are handled through STREAM Cloud. Runtime operation in the customer environment is intentionally kept as simple as possible.
Core Principles
The STREAM Connect Agent is built around three core principles:
- Security: End-to-end encryption with centralized key management. Sensitive configurations are stored encrypted in the database and transmitted only through the encrypted tunnel.
- Reliability: A persistently authenticated tunnel to the cloud with automatic reconnection. Configuration changes are buffered so they are not lost even during network interruptions.
- Simplicity: The agent runs with minimal configuration in the customer environment. Management is centralized through STREAM Cloud without manual network setup.
Enrollment & Identity
The enrollment process is designed to be simple and secure:
- Create agent: You create an agent in the STREAM Cloud UI and generate an enrollment token.
- Register agent: The agent is deployed in your environment and receives the enrollment token.
- Generate key pair: The agent generates a key pair locally. The private key is never stored locally in plaintext.
- Establish trust: The agent sends its public key to the cloud. A trust relationship is established once via the token.
- Ready for operation: After successful enrollment, the agent can communicate with external systems and the cloud.
The private key is stored centrally in the cloud and used only when needed for encryption operations. This protects your identity even if the agent environment is compromised.
Secure Communication
The agent uses a persistent encrypted tunnel to the cloud with the following properties:
- Encrypted connection: All data is transmitted in encrypted form, with unique keys per connection session for additional security.
- Automatic reconnection: If the network connection is interrupted, the agent automatically restores the connection. State is buffered persistently.
- Bidirectional data flows:
  - Cloud → Agent: Configuration changes and instructions are actively transmitted from the cloud to the agent.
  - Agent → Cloud: The agent can retrieve or receive data from your local systems and send it to the cloud.
- Message buffering: Configuration changes are buffered. If the agent is offline, they are delivered automatically as soon as it reconnects.
This architecture ensures that no data is lost even during connectivity issues or cloud maintenance, and that the agent comes back online on its own.
Configuration & Plugin Management
External systems are configured through plugins. Plugin configurations are handled as follows:
- Encrypted storage: Plugin configurations, such as connection details and credentials, are stored end-to-end encrypted in the cloud database.
- Secure distribution: Configuration changes are transmitted in encrypted form through the tunnel to the agent. The agent decrypts and applies them.
- Signature verification: The agent verifies the signature of all received configurations to ensure they have not been tampered with.
- No local plaintext: Sensitive data such as passwords or access keys are not stored in plaintext on the agent or the local system.
This makes it possible to manage integrations securely without requiring IT administrators to have direct access to sensitive credentials.
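As an added illustration of the signature check described above (this is not STREAM's own code; the envelope layout, field names and the use of Ed25519 are assumptions, and the agent-binding and monotonic-version checks go a step beyond what the page states), this is the verification an agent would run on a received configuration before decrypting or applying it:

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// SignedConfig is a hypothetical envelope for one plugin configuration update.
// Payload is the already-encrypted configuration; the cloud signs the whole
// envelope so the agent can reject tampering before decrypting or applying it.
type SignedConfig struct {
	AgentID   string
	Version   uint64
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("configuration signature invalid")
var ErrWrongAgent = errors.New("configuration addressed to another agent")
var ErrStaleVersion = errors.New("configuration version not newer than last applied")

// signingInput builds the bytes covered by the signature. Length prefixes keep
// field boundaries unambiguous, so no two distinct envelopes sign the same bytes.
func signingInput(c SignedConfig) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%d:%s", len(c.AgentID), c.AgentID, c.Version, len(c.Payload), c.Payload))
}

// SignConfig is the cloud side: sign the envelope with the cloud's signing key.
func SignConfig(priv ed25519.PrivateKey, agentID string, version uint64, payload []byte) SignedConfig {
	c := SignedConfig{AgentID: agentID, Version: version, Payload: payload}
	c.Signature = ed25519.Sign(priv, signingInput(c))
	return c
}

// VerifyConfig is the agent side: check the signature before trusting any field,
// then require the envelope to be for this agent and to move the version forward
// (a genuinely signed but older configuration must not be replayed).
func VerifyConfig(pub ed25519.PublicKey, c SignedConfig, myID string, lastApplied uint64) error {
	if !ed25519.Verify(pub, signingInput(c), c.Signature) {
		return ErrBadSignature
	}
	if c.AgentID != myID {
		return ErrWrongAgent
	}
	if c.Version <= lastApplied {
		return ErrStaleVersion
	}
	return nil
}
```

The agent only needs the cloud's public verification key, which it receives during enrollment; a configuration whose signature does not verify is dropped before any decryption is attempted.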
Monitoring & Operations
STREAM Cloud provides comprehensive monitoring and operational control:
- Connection status: You can see the current status of the agent connection, including online or offline state, IP address, availability, and latency.
- Authentication failures: The system logs authentication attempts and warns about suspicious activity.
- Identity management: You can manage agents, review their enrollment method, and revoke their identity if necessary.
- Automatic recovery: The agent monitors itself and automatically restores the connection when a temporary issue occurs.
With these tools, you can operate your agents securely and efficiently without having to access the local environment directly.