Tips for the configuration of SDKs

After working through a few different scenarios, I though to share a learning … which I believe is covered … but maybe not in a simple format that makes it easy to understand.

@TheLumberjack … it would be great if you can clarify the following… as its something that I have found through comparing different examples… across different SDKs


When you need to use an intercept, you need to use a tunneller. This is because the tunneller is what is used to intercept the traffic.

Intercepts are required for integration in situations where app integration is not possible.

If you run the SDK examples on your desktop, this is already catered for. You will have already enrolled the user using the Desktop Edge, which acts as a tunneller.

If you want to run the SDK on a remote server, you need to use a different tunnelling application. The recommended app is ziti-edge-tunnel, which is a newer version of the ziti-tunnel app that is bundled with the ziti binaries.

I won’t go through all of the steps to install it, but running it is very simple.

./ziti-edge-tunnel run -i /mnt/v/temp/httpbin-identity.json


In case where you have the SDKs embedded at the application level, you no longer need an intercept. Instead, you can simply call a service.

One example of this is the golang curlz. In the example below private-httpbin is the name of the service. In such cases, as an intercept is not required, it does not need to be configured.

./curlz http://private-httpbin:2000/json

Database connections

A great example to work through is the JDBC postgres example below. This is a bit different because of how the intercept works. Rather than being an http end point… it is a database host.

In this case, you don’t need to use a tunneller… even though it requires an intercept. This is because of zitified JDBC driver.

what I understand is that you can make a native call in Java without the JDBC driver using sockets. I think you can work it out if you just follow through the code, but its a bit out of my expertise

PS… my next challenge is to replicate the zitified JDBC example in Python… I have realised that you can simply load up the JDBC driver in Python… and run it that way… though I like to make things more complex… and want to see how far I can get with using sockets. There is already half of it done with the existing Python samples… and will be working through this over the next few days.

Socket connections

This is something I am really yet to explore… and will be starting off with the Python socket db connection as mentioned above

all further comments are welcome :slight_smile:


I would not quite agree with the way you worded things around “intercepts”. If you change that word to “tunneling apps” - then I’d agree. Tunneling apps are required in situations when SDK integration is not possible. That’s correct.

The SDK examples have nothing to do with running on your desktop, they are not ‘catered for’. The desktop edge’s don’t come into play whatsoever.

The ziti-edge-tunnel has nothing to do with “SDK on a remote server” either. It’s more like, “if you want to run a tunneling app on a linux machine, you should use ziti-edge-tunnel”.


This is pretty much true but SDK’s and intercepts don’t really have a relationship like that. SDKs take “intercept.v1” configurations and then decide ‘what’ to do with them. Tunneling apps will take these intercept.v1 configs and then add ‘intercepts’ to your machine so that the tunneling app can intercept traffic, but that’s a special application of configurations by an SDK in a tunneling app. In some SDKs (like python, and java) there are “seamless” modes where you can use a hostname from within the program using the OpenZiti SDK and then that SDK can “intercept” the hostname but only from within that application. So, I guess in a way it’s more about the scope of the intercept. Also not every SDK works this way.

“Simply call a service” - is always available to SDK users. This is a common thing we expect people would use OpenZiti. It’s basically a replacement for standard, insecure underlay sockets.

Database connections

The postgres example you reference uses the “seamless” mode I referred to above. It’s not different at all. The java sdk is finding the intercept.v1 configs from the services it has access to and then using the hostname to find/dial the proper service.

You never need to use a tunneller with an SDK app but it’s not because of a zitified JDBC driver - in this case it’s how the java sdk works. You shouldn’t have any issues using the python sdk in the same way.

Socket connections

good luck. nearly all our examples other than python/java will be ‘socket style’ examples.

1 Like