Reaching enterprise backend with Bluemix Secure Gateway via console

Cloud based applications often need access to backend enterprise data or services, for example, a system of records. On Bluemix, it is simplified with the Secure Gateway service where a secured tunnel can be established between a Bluemix organization and the enterprise backend network, allowing applications on Bluemix access to the backend network’s data and services. This article explains how to do this using the console user interface; Erick Griffin’s article Reaching Enterprise Backend with Bluemix Secure Gateway via SDK API explains how to do it programmatically.

For this blog, we will set up a hypothetical company, ACME, who wants to expose some data from their System of Records (SoR) into Bluemix to enable their cloud-based applications to access it. For simplicity, in this scenario, we will expose the entire instance of a MySQL server from ACME’s backend.

Secure Gateway scenario

To follow along, you will need access to a backend service such as MySQL, DB2, or a Web API. The key is that the service will return some data so that we can verify that the Secure Gateway can access it. You also need to install Docker on a machine that has access to the backend service.

We begin by adding the Secure Gateway service to our space without binding it to an application. This can be done by clicking on CATALOG in Bluemix and searching for “Secure Gateway”. Click on the Secure Gateway icon and create an instance of it in our space. We will see the configuration panel shown below:

Add Gateway

This is where we will create a gateway to our backend system of records. Click on Add Gateway and fill out the name, then click on Connect It. We’ll have to install Docker and run the Docker command given in the next screen. This is done on ACME’s backend side. Since we are using Ubuntu 14.04, Docker is pre-installed (most recent versions of Linux have Docker already, or one may install it from Docker Hub), so we only need to run the Docker command.

bnvm1:~$ sudo docker run -it bluemix/secure-gateway-client Ko3dVF94AqY_prod_ng 
Unable to find image 'bluemix/secure-gateway-client' locally 
Pulling repository bluemix/secure-gateway-client 05263bc39e4c: 
Download complete 511136ea3c5a: 
Download complete ef6633cb7347: 
Download complete 85db2b4c7f72: 
Download complete e138216143ae: 
Download complete 4f5104d1e5c8: 
Download complete a1175a4f6e2d: 
Download complete IBM Bluemix Secure Gateway Client version 1.0

The Docker command automatically downloads the Bluemix Secure Gateway Client from Docker Hub and runs it.


When the Docker command has run successfully, we’ll see the status on the gateway show as connected:


Now we have a secure tunnel from Bluemix to our ACME backend network where Docker is running. The next step is to create a destination to expose our MySQL instance.

Click on Add Destination (the third step), and fill out the destination name, IP address or fully qualified domain name(FQDN), and port to our ACME MySQL instance. Select No TLS for this destination:

Add Destination

Once the destination is added, the cloud host and port are given. These represent the Bluemix endpoint of the secured tunnel to our MySQL destination on the ACME network.

Create Destination

The host is, and the port is 15011. Cloud-based applications using this destination will be able to access the ACME MySQL server like a direct connection using this host and port. For example, we can set up a DbVisualizer connection:

Database Connection

We have three options for destination security: No TLS, TLS: Server Side, and TLS: Mutual Auth. What we select here will affect how applications connect to the destination on Bluemix. No TLS will allow the application to connect to the destination without using the TLS protocol. In production, we should consider TLS Mutual Auth so that no one else can connect to the destination without the key and certificate.

In the next blog entry Securing Destinations with TLS in Bluemix Secure Gateway, we will change the security to TLS: Mutual Auth and show how to code up an application to connect with MySQL through the Secure Gateway.

Share this post:

Share on LinkedIn

Add Comment

Leave a Reply

Your email address will not be published.Required fields are marked *


Should the MySQL instance be running inside of a docker on prem or it could be running locally on some VM and then just type the docker command in the command line to create the security connection?


Messaoud Benantar

This article is supposed to be a step by step description but its steps seem disconnected. You need to always state what side of the Gateway you are executing something. Need to be methodic and don’t lose what side the reader is standing.


James Yu

I got the following error after key in the docker command as follows, any idea ?

[root@localhost ~]# docker run -it bluemix/secure-gateway-client o4aPEW4hnuG_prod_ng
IBM Bluemix Secure Gateway Client version 1.0.3

[2016-11-27 23:40:43.890] [ERROR] The response code is: 401. The configuration ID was either not recognized or is incorrect

More How-tos Stories

A complete guide on getting started with RabbitMQ

What is Message Queueing and RabbitMQ? How can you use the RabbitMQ web based management interface? What different message patterns do RabbitMQ support? What are queues, exchanges and bindings? This free RabbitMQ e-book is a complete guide on how to get started with RabbitMQ.

Mobile Apps Offline and Online – Part 3

In the dynamic and ever-changing realm of mobile, context is critical to the success of your applications. Users may be at home sitting on the couch, or they could be on top of a mountain with very limited connectivity. There’s no way to predict where someone will be when they’re using your app, and as many of us painfully know already, there is never a case when you are always online on your mobile devices. Well, this doesn’t always have to be a problem. Regardless of whether your app is online or offline, it is important that your app does what it needs to do – solve a problem and provide value. This three-part tutorial will walk through the creation of a sample application called GeoPix, which leverages IBM MobileFirst on IBM Bluemix to capture data and image attachments locally (even offline) and replicate those changes to an online data store so that the user experience is never compromised.

Getting Started with PubNub on IBM Bluemix

Earlier this year, PubNub announced a new partnership with IBM to bring their realtime data streaming and messaging capabilities to Bluemix, IBM’s cloud development platform, making it easy to launch IoT, Web, and Mobile apps built on real-time communication that scale globally. This blog post shows you how to get started with the IBM Bluemix platform.