Manage outbound connections

Use the Certificates app to create, edit, and delete outbound connections. You can:

  • Use up to 3 unique AWS PrivateLink endpoint services for each star system.

  • Create up to 20 connections using TCP, HTTPS, or HTTPS over mTLS protocols for each planet.

Note:

Access to this application is managed by Guidewire Hub. For details, see Access Cloud Platform apps and services.

To manage outbound connections:

  1. Select a star system.

  2. From Apps, select Certificates or select it from your pinned apps.

[Figure: List of outbound PrivateLink connections in the Outbound Connections tab.]

Upload certificate bundles

To upload a certificate bundle:

  1. Go to the Certificate bundles tab.

  2. Select New certificate bundle.

  3. Provide a name and type of the bundle.

    You can select Client KeyStore or Server TrustStore types.

  4. Upload files.

    For Client KeyStore, provide client certificate and client private key.

    For Server TrustStore, provide a server CA certificate created by a trusted certificate authority (CA).

    You can upload .pem or .crt files.

    You can't upload certificate chains for either Client KeyStore or Server TrustStore bundles.

  5. Select Save.

Tip:

You can check the expiration date of certificate bundles in the Certificate bundles tab.
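
The upload rules above can be checked locally before the files go into the app. The following Python sketch is an added example, not Guidewire code: it inspects the PEM framing of each file and reports a wrong file extension, a certificate chain, or a missing certificate or key for the selected bundle type. The function names and the placeholder PEM blocks are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_labels(text):
    """Return the label of every PEM block; raise ValueError on a corrupt body."""
    labels = []
    for label, body in PEM_RE.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def check_bundle(bundle_type, files):
    """files maps file name -> PEM text. Returns a list of problems; empty means OK."""
    problems, certs, keys = [], 0, 0
    for name, text in files.items():
        if not name.lower().endswith((".pem", ".crt")):
            problems.append(f"{name}: only .pem or .crt files can be uploaded")
        try:
            labels = pem_labels(text)
        except ValueError:
            problems.append(f"{name}: PEM body is not valid base64")
            continue
        count = labels.count("CERTIFICATE")
        if count > 1:
            problems.append(f"{name}: {count} certificates; chains can't be uploaded")
        certs += count
        keys += sum(label in KEY_LABELS for label in labels)
    if bundle_type == "Client KeyStore":
        if certs < 1 or keys < 1:
            problems.append("Client KeyStore needs a client certificate and its private key")
    elif bundle_type == "Server TrustStore":
        if certs < 1:
            problems.append("Server TrustStore needs a server CA certificate")
        if keys:  # added hygiene check, not a rule stated on the page
            problems.append("private key found in a Server TrustStore upload")
    else:
        problems.append(f"unknown bundle type: {bundle_type}")
    return problems

def sample_pem(label):
    """Constructed placeholder block: well-formed PEM framing, not a real cert or key."""
    body = base64.b64encode(b"constructed placeholder").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(check_bundle("Server TrustStore", {"ca.pem": sample_pem("CERTIFICATE") * 2}))
```

This checks structure only. Whether a certificate is expired, or whether the private key matches the client certificate, needs an X.509 parser.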

Edit a certificate bundle

To edit a certificate bundle:

  1. In the table, find the certificate bundle that you want to edit.

  2. Select Edit.

  3. Edit the certificate bundle as needed.

    You can't change the type of the bundle.

  4. Select Save.

Check infrastructure information

Before you create an outbound connection, you need to make your endpoint services accessible to Guidewire.

In the Outbound connections tab, select Infrastructure information to check the following details:

  • AWS Principal

    AWS principals can discover your VPC endpoint service and request a PrivateLink connection from the VPC endpoint in Guidewire Cloud. Depending on the VPC endpoint service settings, the PrivateLink connection might be automatically approved or require manual approval in your AWS account.

  • Availability zones

    PrivateLink connections can be created when your network and the Guidewire network are in the same AWS region and the Availability Zones of the VPCs are the same.

  • Guidewire subnet CIDRs

    PrivateLink connections can be used when your network accepts requests from Guidewire subnet CIDRs.

  • Endpoint service names already used in the star system.

    The same Endpoint Service Name can be used in multiple outbound connections.

  • The number of endpoint service names used for the star system and how many more you can use.

    Up to 3 Endpoint Service Names can be used in each star system.

Create an outbound connection

In Certificates, you can configure access to your applications through a private connection using AWS PrivateLink. For each planet, you can create up to 20 connections.

To create an outbound connection:

  1. Select Create.

  2. Provide an alias for your connection.

    An alias starts with the oc- prefix.

    An alias must be unique. Use lower case letters, digits, and hyphens (-).

    Use the configured alias when connecting to an outbound service to route the requests over PrivateLink. Otherwise, these requests will use default routing over the public Internet.

  3. Select the planets with applications for which you want to configure the connection.

  4. In Network, provide Endpoint Service Name.

    You can use the same Endpoint Service Name in multiple outbound connections.

  5. Select Protocol.

  6. Depending on the selected protocol, provide the following information:

    • Hostname

      The hostname has to be a valid domain name and contain at least one period.

    • Port

    • Server TrustStore certificates

    • Client KeyStore certificates

Use an outbound connection

To use an outbound connection, you need an HTTP client such as curl or Java RestTemplate.

When making calls to the outbound service, client apps like InsuranceSuite and Integration Apps must use the alias that was set up during the creation of the outbound connection. For example, for a PrivateLink outbound connection with the oc-my-alias alias and HTTPS protocol, client apps must use the http://oc-my-alias URL.

HTTPS and mTLS outbound connections

To make an HTTP call, use the default port (80) and the alias as the host. For example, if an outbound connection is configured with the oc-foo alias, you can send the request as:

curl http://oc-foo
curl http://oc-foo:80

These requests are automatically caught and changed to HTTPS or mTLS, based on the connection settings.

For the HTTP request, you can't specify a port number other than 80. To use a different port, provide a port number when you create an outbound connection. For details, see Create an outbound connection.

TCP outbound connections

For TCP-based protocols, use the alias as the host and specify the port number. For example:

| Request | Description |
|---|---|
| oc-tcp-client tcp://oc-foo | Makes a TCP call. |
| oc-kafka-client kafka://oc-foo:2001 | Makes a Kafka call on port 2001. |

Note that the port can't be set when you create an outbound connection. To use a port different than the default one, specify the port number directly in the request.
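
Because a request that doesn't use the configured alias falls back to default routing over the public Internet, it is worth auditing the target URLs in client app configuration against the alias list. The following Python sketch is an added example, not Guidewire code: it applies the alias, scheme, and port rules from this page, and the alias-to-protocol map, sample URLs, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Alias rule from the page: "oc-" prefix, then lower case letters, digits, hyphens.
# Requiring at least one character after the prefix is an assumption.
ALIAS_RE = re.compile(r"oc-[a-z0-9-]+")

def bad_aliases(aliases):
    """Return configured aliases that break the naming rule."""
    return sorted(a for a in aliases if not ALIAS_RE.fullmatch(a))

def check_target(url, aliases):
    """Classify one target URL. aliases maps alias -> connection protocol
    ("TCP", "HTTPS" or "HTTPS over mTLS"). Returns (verdict, reason)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:
        return "error", "port is not a valid number"
    if host not in aliases:
        if host.startswith("oc-"):
            return "error", f"{host} looks like an alias but is not configured"
        return "public", f"{host} is not an alias: default routing over the public Internet"
    if aliases[host] == "TCP":
        return "ok", "TCP connection: the port comes from the request"
    if parts.scheme != "http":
        return "error", "the page documents http://<alias> for HTTPS and mTLS connections"
    if port not in (None, 80):
        return "error", "only port 80 is accepted; set the target port on the connection"
    return "ok", f"sent over PrivateLink and changed to {aliases[host]}"

def audit(urls, aliases):
    """Return {url: (verdict, reason)} for every URL that is not 'ok'."""
    results = {u: check_target(u, aliases) for u in urls}
    return {u: r for u, r in results.items() if r[0] != "ok"}

# Constructed sample data: aliases as configured in the app, URLs from client config.
ALIASES = {"oc-foo": "HTTPS over mTLS", "oc-kafka": "TCP"}
URLS = ["http://oc-foo", "http://oc-foo:8443", "https://oc-foo",
        "kafka://oc-kafka:2001", "https://api.partner.example/v1", "http://oc-fo"]

if __name__ == "__main__":
    for url, (verdict, reason) in audit(URLS, ALIASES).items():
        print(f"{verdict:6} {url}: {reason}")
```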

Check an outbound connection status

As soon as you assign an outbound connection to planets in your star system, the process of applying that connection begins in the background. You can check the status of applying the connection in the Outbound connections table. The status of an outbound connection depends on the status for all the assigned planets.

An outbound connection can have one of the following statuses:

  • Inactive

    An outbound connection isn't assigned to any planet.

    You can assign planets when you create a connection or edit it later.

  • In progress

    An outbound connection is still being applied to at least one planet. No planet has the Failed status.

    The connection status updates as the configuration progresses.

  • Active

    All the planets are successfully configured.

    The connection is active and ready to use.

  • Partially failed

    An outbound connection can't be applied to at least one planet due to an error. For at least one planet, the configuration is still in progress or already active.

  • Failed

    An outbound connection can't be applied to all the assigned planets due to an error.

Check an outbound connection status for a planet

To check the outbound connection status for each assigned planet:

  1. Go to the Outbound connections tab.

  2. In the table, find the connection that you want to check.

  3. Select View details.

  4. In General information, select Status.

An outbound connection can have one of the following statuses for each planet:

  • In progress

    An outbound connection is still being applied.

    If your configuration is in the In progress state for more than 5 minutes, edit the outbound connection and save it without changes.

    If the issue persists, contact Guidewire for support.

  • Active

    The connection for this planet is active and ready to use.

  • Failed

    An outbound connection can't be applied due to an error.

Troubleshooting

The Failed status next to an outbound connection indicates that the connection can't be created due to an error.

Here are the most common issues related to PrivateLink connections:

| Issue | Solution |
|---|---|
| The provided Endpoint Service Name isn't found. | Configure Endpoint Service Name in your VPC or include Guidewire subnet CIDRs in your IP allowlist. For details, see Prerequisites. |
| The provided Endpoint Service Name is incorrect. | Check the Endpoint Service Name of your VPC and edit the connection to correct it. |
| The VPC endpoint connection request is waiting for acceptance. | Accept the endpoint in your AWS account. |
| The VPC endpoint connection request expired or is rejected. | If the error persists, remove all outbound connections associated with this Endpoint Service Name in a given star system and recreate them if necessary. |
| Your VPC is in a different region than the Guidewire VPC. | PrivateLink connections can only be created when your network and the Guidewire network are in the same AWS region. |
| The used certificate bundle is invalid. | Verify the certificates before uploading them. For details, see Validate certificates. |
| The used certificate bundle is expired. | Upload valid certificates. You can check the expiration date of certificate bundles in the Certificate bundles tab. |
| The configuration has the Active status but the connection doesn't work. | Check the alias used for InsuranceSuite and Integration Apps. |
| The limit of created endpoint services is reached. | Reduce the number of unique endpoint services by using a gateway. For details, see Recommendations. |
| The limit of created connections is reached for a planet. | To create another connection, either delete the planet from an existing connection or remove the entire connection. |
| Internal error. | Contact Guidewire for support. |

Edit an outbound connection

To edit an outbound connection:

  1. In the table, find the outbound connection that you want to edit.

  2. Select Edit.

  3. Edit the settings as needed.

    You can't change the alias.

  4. Select Save.

Delete an outbound connection

To delete an outbound connection:

  1. Hover over the configuration that you want to delete.

  2. Select Delete.

Delete a certificate bundle

To delete a certificate bundle:

  1. In the table, find the bundle that you want to delete.

  2. Select Delete.