Reaching enterprise backend with Bluemix Secure Gateway via console

Share this post:

Cloud based applications often need access to backend enterprise data or services, for example, a system of records. On Bluemix, it is simplified with the Secure Gateway service where a secured tunnel can be established between a Bluemix organization and the enterprise backend network, allowing applications on Bluemix access to the backend network’s data and services. This article explains how to do this using the console user interface; Erick Griffin’s article Reaching Enterprise Backend with Bluemix Secure Gateway via SDK API explains how to do it programmatically.

For this blog, we will set up a hypothetical company, ACME, who wants to expose some data from their System of Records (SoR) into Bluemix to enable their cloud-based applications to access it. For simplicity, in this scenario, we will expose the entire instance of a MySQL server from ACME’s backend.

Secure Gateway scenario

To follow along, you will need access to a backend service such as MySQL, DB2, or a Web API. The key is that the service will return some data so that we can verify that the Secure Gateway can access it. You also need to install Docker on a machine that has access to the backend service.

We begin by adding the Secure Gateway service to our space without binding it to an application. This can be done by clicking on CATALOG in Bluemix and searching for “Secure Gateway”. Click on the Secure Gateway icon and create an instance of it in our space. We will see the configuration panel shown below:

Add Gateway

This is where we will create a gateway to our backend system of records. Click on Add Gateway and fill out the name, then click on Connect It. We’ll have to install Docker and run the Docker command given in the next screen. This is done on ACME’s backend side. Since we are using Ubuntu 14.04, Docker is pre-installed (most recent versions of Linux have Docker already, or one may install it from Docker Hub), so we only need to run the Docker command.

bnvm1:~$ sudo docker run -it bluemix/secure-gateway-client Ko3dVF94AqY_prod_ng 
Unable to find image 'bluemix/secure-gateway-client' locally 
Pulling repository bluemix/secure-gateway-client 05263bc39e4c: 
Download complete 511136ea3c5a: 
Download complete ef6633cb7347: 
Download complete 85db2b4c7f72: 
Download complete e138216143ae: 
Download complete 4f5104d1e5c8: 
Download complete a1175a4f6e2d: 
Download complete IBM Bluemix Secure Gateway Client version 1.0

The Docker command automatically downloads the Bluemix Secure Gateway Client from Docker Hub and runs it.


When the Docker command has run successfully, we’ll see the status on the gateway show as connected:


Now we have a secure tunnel from Bluemix to our ACME backend network where Docker is running. The next step is to create a destination to expose our MySQL instance.

Click on Add Destination (the third step), and fill out the destination name, IP address or fully qualified domain name(FQDN), and port to our ACME MySQL instance. Select No TLS for this destination:

Add Destination

Once the destination is added, the cloud host and port are given. These represent the Bluemix endpoint of the secured tunnel to our MySQL destination on the ACME network.

Create Destination

The host is, and the port is 15011. Cloud-based applications using this destination will be able to access the ACME MySQL server like a direct connection using this host and port. For example, we can set up a DbVisualizer connection:

Database Connection

We have three options for destination security: No TLS, TLS: Server Side, and TLS: Mutual Auth. What we select here will affect how applications connect to the destination on Bluemix. No TLS will allow the application to connect to the destination without using the TLS protocol. In production, we should consider TLS Mutual Auth so that no one else can connect to the destination without the key and certificate.

In the next blog entry Securing Destinations with TLS in Bluemix Secure Gateway, we will change the security to TLS: Mutual Auth and show how to code up an application to connect with MySQL through the Secure Gateway.

Add Comment

Leave a Reply

Your email address will not be published.Required fields are marked *


Should the MySQL instance be running inside of a docker on prem or it could be running locally on some VM and then just type the docker command in the command line to create the security connection?


Messaoud Benantar

This article is supposed to be a step by step description but its steps seem disconnected. You need to always state what side of the Gateway you are executing something. Need to be methodic and don’t lose what side the reader is standing.


James Yu

I got the following error after key in the docker command as follows, any idea ?

[root@localhost ~]# docker run -it bluemix/secure-gateway-client o4aPEW4hnuG_prod_ng
IBM Bluemix Secure Gateway Client version 1.0.3

[2016-11-27 23:40:43.890] [ERROR] The response code is: 401. The configuration ID was either not recognized or is incorrect

More How-tos Stories

Geospatial developer tools, global maps, and data. Getting Started with Esri ArcGIS

Late last year, Esri announced a new partnership with IBM to bring our geospatial developer tools, global maps, and data capabilities to Bluemix, making it easy to build and deploy geo-spatially enabled and extended IoT, Web, and Mobile apps. This blog post shows you how to get started with Esri’s ArcGIS Developer Plans on the Bluemix platform.

Continue reading

Getting started with AT&T IoT Data Plans on Bluemix

Last year we announced our IoT partnership with IBM to bring our IoT Platform capabilities to Bluemix, IBM’s cloud development platform. Our goal is to make it easy to launch IoT apps quickly, reliably, and at scale. We have previously introduced the AT&T M2X Data Service and the AT&T Flow Designer tool to Bluemix, and now we are launching IoT Data Plans: enterprise-grade SIMs that share a pool of prepaid data at low rates. This blog post shows you how to get started with AT&T’s IoT Data Plans on the Bluemix platform.

Continue reading

Performance and scalability case study of an Online Banking Application

This post summarizes the performance and scalability characteristics of an online banking (OLB) application deployed on IBM Bluemix cloud platform. The performance case study was conducted on both Bluemix Dedicated and Local platforms. The main focus of this work is to understand the capabilities of the Bluemix platform and demonstrate that it can meet the performance and scalability requirements of an OLB application at peak load.

Continue reading