Reaching enterprise backend with Bluemix Secure Gateway via console

Share this post:

Cloud based applications often need access to backend enterprise data or services, for example, a system of records. On Bluemix, it is simplified with the Secure Gateway service where a secured tunnel can be established between a Bluemix organization and the enterprise backend network, allowing applications on Bluemix access to the backend network’s data and services. This article explains how to do this using the console user interface; Erick Griffin’s article Reaching Enterprise Backend with Bluemix Secure Gateway via SDK API explains how to do it programmatically.

For this blog, we will set up a hypothetical company, ACME, who wants to expose some data from their System of Records (SoR) into Bluemix to enable their cloud-based applications to access it. For simplicity, in this scenario, we will expose the entire instance of a MySQL server from ACME’s backend.

Secure Gateway scenario

To follow along, you will need access to a backend service such as MySQL, DB2, or a Web API. The key is that the service will return some data so that we can verify that the Secure Gateway can access it. You also need to install Docker on a machine that has access to the backend service.

We begin by adding the Secure Gateway service to our space without binding it to an application. This can be done by clicking on CATALOG in Bluemix and searching for “Secure Gateway”. Click on the Secure Gateway icon and create an instance of it in our space. We will see the configuration panel shown below:

Add Gateway

This is where we will create a gateway to our backend system of records. Click on Add Gateway and fill out the name, then click on Connect It. We’ll have to install Docker and run the Docker command given in the next screen. This is done on ACME’s backend side. Since we are using Ubuntu 14.04, Docker is pre-installed (most recent versions of Linux have Docker already, or one may install it from Docker Hub), so we only need to run the Docker command.

bnvm1:~$ sudo docker run -it bluemix/secure-gateway-client Ko3dVF94AqY_prod_ng 
Unable to find image 'bluemix/secure-gateway-client' locally 
Pulling repository bluemix/secure-gateway-client 05263bc39e4c: 
Download complete 511136ea3c5a: 
Download complete ef6633cb7347: 
Download complete 85db2b4c7f72: 
Download complete e138216143ae: 
Download complete 4f5104d1e5c8: 
Download complete a1175a4f6e2d: 
Download complete IBM Bluemix Secure Gateway Client version 1.0

The Docker command automatically downloads the Bluemix Secure Gateway Client from Docker Hub and runs it.


When the Docker command has run successfully, we’ll see the status on the gateway show as connected:


Now we have a secure tunnel from Bluemix to our ACME backend network where Docker is running. The next step is to create a destination to expose our MySQL instance.

Click on Add Destination (the third step), and fill out the destination name, IP address or fully qualified domain name(FQDN), and port to our ACME MySQL instance. Select No TLS for this destination:

Add Destination

Once the destination is added, the cloud host and port are given. These represent the Bluemix endpoint of the secured tunnel to our MySQL destination on the ACME network.

Create Destination

The host is, and the port is 15011. Cloud-based applications using this destination will be able to access the ACME MySQL server like a direct connection using this host and port. For example, we can set up a DbVisualizer connection:

Database Connection

We have three options for destination security: No TLS, TLS: Server Side, and TLS: Mutual Auth. What we select here will affect how applications connect to the destination on Bluemix. No TLS will allow the application to connect to the destination without using the TLS protocol. In production, we should consider TLS Mutual Auth so that no one else can connect to the destination without the key and certificate.

In the next blog entry Securing Destinations with TLS in Bluemix Secure Gateway, we will change the security to TLS: Mutual Auth and show how to code up an application to connect with MySQL through the Secure Gateway.

Add Comment

Leave a Reply

Your email address will not be published.Required fields are marked *


Should the MySQL instance be running inside of a docker on prem or it could be running locally on some VM and then just type the docker command in the command line to create the security connection?


Messaoud Benantar

This article is supposed to be a step by step description but its steps seem disconnected. You need to always state what side of the Gateway you are executing something. Need to be methodic and don’t lose what side the reader is standing.


James Yu

I got the following error after key in the docker command as follows, any idea ?

[root@localhost ~]# docker run -it bluemix/secure-gateway-client o4aPEW4hnuG_prod_ng
IBM Bluemix Secure Gateway Client version 1.0.3

[2016-11-27 23:40:43.890] [ERROR] The response code is: 401. The configuration ID was either not recognized or is incorrect


Arun Alla

How to get the IPs of the bluemix secure gateway servers?

We have our datapower device is in DMZ and we need to open a firewall.

More How-tos Stories

Setting Access Control Policies for IBM Cloud Object Storage

As your organization explores more digital initiatives, including cloud and mobile, the importance of identity and access management (IAM) is paramount. Nearly all IT decision makers we talk with agree that IAM is essential to the success of their company’s cloud adoption and it is seen as a key enabler for mobility, analytics and IoT initiatives.

Continue reading

Home automation powered by Cloud Functions, Raspberry Pi, Twilio and Watson

Over the past few years, we’ve seen a significant rise in popularity for intelligent personal assistants, such as Apple’s Siri, Amazon Alexa, and Google Assistant. Though they initially appeared to be little more than a novelty, they’ve evolved to become rather useful as a convenient interface to interact with service APIs and IoT connected devices.

Continue reading

New tutorials to get you started with the IBM Cloud

Looking to build your next project on the IBM Cloud and not sure where to start?

Continue reading