April 1, 2015 | Written by: Binh Nguyen
Cloud based applications often need access to backend enterprise data or services, for example, a system of records. On Bluemix, this is simplified by the Secure Gateway service, which establishes a secured tunnel between a Bluemix organization and the enterprise backend network, allowing applications on Bluemix to access the backend network’s data and services. This article explains how to do this using the console user interface; Erick Griffin’s article Reaching Enterprise Backend with Bluemix Secure Gateway via SDK API explains how to do it programmatically.
For this blog, we will set up a hypothetical company, ACME, that wants to expose some data from its System of Records (SoR) to Bluemix so that its cloud-based applications can access it. For simplicity, in this scenario we will expose the entire instance of a MySQL server from ACME’s backend.
To follow along, you will need access to a backend service such as MySQL, DB2, or a Web API. The key is that the service will return some data so that we can verify that the Secure Gateway can access it. You also need to install Docker on a machine that has access to the backend service.
We begin by adding the Secure Gateway service to our space without binding it to an application. This can be done by clicking on CATALOG in Bluemix and searching for “Secure Gateway”. Click on the Secure Gateway icon and create an instance of it in our space. We will see the configuration panel shown below:
This is where we will create a gateway to our backend system of records. Click on Add Gateway and fill out the name, then click on Connect It. We’ll have to install Docker and run the Docker command given in the next screen. This is done on ACME’s backend side. Since we are using Ubuntu 14.04, Docker is pre-installed (most recent versions of Linux have Docker already, or one may install it from Docker Hub), so we only need to run the Docker command.
bnvm1:~$ sudo docker run -it bluemix/secure-gateway-client Ko3dVF94AqY_prod_ng
Unable to find image 'bluemix/secure-gateway-client' locally
Pulling repository bluemix/secure-gateway-client
05263bc39e4c: Download complete
511136ea3c5a: Download complete
ef6633cb7347: Download complete
85db2b4c7f72: Download complete
e138216143ae: Download complete
4f5104d1e5c8: Download complete
a1175a4f6e2d: Download complete
IBM Bluemix Secure Gateway Client version 1.0
The Docker command automatically downloads the Bluemix Secure Gateway Client from Docker Hub and runs it.
When the Docker command has run successfully, we’ll see the status on the gateway show as connected:
Now we have a secure tunnel from Bluemix to our ACME backend network where Docker is running. The next step is to create a destination to expose our MySQL instance.
Click on Add Destination (the third step), and fill out the destination name, the IP address or fully qualified domain name (FQDN), and the port of our ACME MySQL instance. Select No TLS for this destination:
Once the destination is added, the cloud host and port are given. These represent the Bluemix endpoint of the secured tunnel to our MySQL destination on the ACME network.
The host is cap-sg-prod-5.integration.ibmcloud.com, and the port is 15011. Cloud-based applications using this destination will be able to access the ACME MySQL server as if it were a direct connection, using this host and port. For example, we can set up a DbVisualizer connection:
We have three options for destination security: No TLS, TLS: Server Side, and TLS: Mutual Auth. What we select here affects how applications connect to the destination on Bluemix. No TLS allows the application to connect to the destination without using the TLS protocol. In production, we should consider TLS: Mutual Auth so that no one else can connect to the destination without the key and certificate.
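To verify that the destination really reaches MySQL through the tunnel, and to see whether the MySQL server itself offers TLS now that the gateway destination is No TLS, here is an added Python check that is not part of the original article or of the Secure Gateway product. It connects to the cloud host and port above, reads the MySQL server's initial handshake packet without sending any credentials, and parses the server version and capability flags; the host, port and protocol layout are the only assumptions.

```python
import socket
import struct

# Cloud endpoint given for the MySQL destination in this article.
GATEWAY_HOST = "cap-sg-prod-5.integration.ibmcloud.com"
GATEWAY_PORT = 15011
CLIENT_SSL = 0x0800  # MySQL capability flag: server accepts TLS on the connection


def parse_mysql_greeting(packet):
    """Parse a MySQL protocol-v10 initial handshake packet, which the server
    sends right after the TCP connection is accepted, into a small dict."""
    if len(packet) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(packet[0:3], "little")   # 3-byte payload length
    payload = packet[4:4 + length]                   # byte 3 is the sequence id
    if len(payload) < length:
        raise ValueError("truncated payload")
    if payload[0] != 10:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)                  # NUL-terminated version
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1        # connection id, auth-plugin-data part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2        # capability flags (low), charset, status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    caps = cap_lower | (cap_upper << 16)
    return {"version": version, "connection_id": conn_id,
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL)}


def probe_destination(host=GATEWAY_HOST, port=GATEWAY_PORT, timeout=10):
    """Connect to the cloud host/port and read one full greeting packet.
    Nothing is sent, so no credentials travel over the No TLS destination."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < 4 or len(data) < 4 + int.from_bytes(data[0:3], "little"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_mysql_greeting(data)


if __name__ == "__main__":
    info = probe_destination()
    print("MySQL %(version)s is reachable through the gateway" % info)
    if not info["tls_offered"]:
        print("note: No TLS destination and the server offers no TLS either")
```

If the server does not set CLIENT_SSL, traffic between the Bluemix application and the cloud endpoint is in cleartext until the destination is switched to a TLS mode.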
In the next blog entry Securing Destinations with TLS in Bluemix Secure Gateway, we will change the security to TLS: Mutual Auth and show how to code up an application to connect with MySQL through the Secure Gateway.