Configuring a private network for IBM App Connect on IBM Cloud
Learn how to configure a connection between IBM App Connect on IBM Cloud and a private network, through either the IBM Secure Gateway or an IBM App Connect Agent, to reach your apps on a private network (for example, your company network or a private cloud).
- To interact with other on-premises applications and systems, such as IBM MQ, Db2 databases, SAP (via OData), or SFTP, you need to set up an App Connect Secure Gateway connection in IBM App Connect. App Connect Secure Gateway connections are created and managed from the Private network connections page. The instructions to set up an App Connect Secure Gateway connection are given below:
Setting up the secure gateway isn't hard, but to complete the task, you might need help from an administrator who has authority to configure security for the private network and can provide some connection details for the on-premises applications and systems.
You can install the IBM Secure Gateway Client from a number of places in App Connect, as outlined below.
For example, in C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client\securegw_service.config add the values provided for a new network:
#Enter the gateway ids separated by single spaces
GATEWAY_ID=existing_id new_appconnect_id
#Config file for Secure Gateway Client, to start as a Windows Service.
#PLEASE AVOID ANY RESIDUAL WHITE SPACES
#Enter the security tokens separated by --
SECTOKEN=existing_token--new_appconnect_token
#Enter the ACL files separated by --
ACL_FILE=prodacl.txt
In this example, both connections/networks use the same ACL, prodacl.txt, but you could configure a separate ACL file for each connection/network.
After you restart the Secure Gateway client, you should see the new Network connected in App Connect (for example, click Test+Connect on the Connect your network page or refresh the Private network connections page).
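A mismatch between the number of gateway IDs and security tokens, or a stray space at the end of a value, is easy to introduce when appending a second network to this file. The following lint check is an added example, not part of the IBM documentation or the Secure Gateway Client; it applies the separator rules stated in the file's own comments, and its acceptance of either one shared ACL file or one per gateway is an assumption based on the example above.

```python
# Added example, not IBM code. Rules come from the comments in the file above;
# accepting 1 or N ACL files is an assumption based on the shared-ACL example.

def parse_config(text):
    """Return {KEY: raw value} for KEY=VALUE lines, skipping # comments."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value  # raw value kept so stray spaces show up
    return settings

def lint_config(text):
    """Return a list of problems; an empty list means the entries line up."""
    cfg = parse_config(text)
    problems = []
    for key in ("GATEWAY_ID", "SECTOKEN", "ACL_FILE"):
        value = cfg.get(key, "")
        if not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing white space")
    if any(p.endswith("missing or empty") for p in problems):
        return problems  # counts below are meaningless without all three keys
    ids = cfg["GATEWAY_ID"].strip().split(" ")
    tokens = cfg["SECTOKEN"].strip().split("--")
    acls = cfg["ACL_FILE"].strip().split("--")
    if "" in ids:
        problems.append("GATEWAY_ID: separate ids with single spaces")
    if "" in tokens or any(" " in t for t in tokens):
        problems.append("SECTOKEN: separate tokens with -- and no spaces")
    if len(ids) != len(tokens):
        problems.append(f"{len(ids)} gateway ids but {len(tokens)} security tokens")
    if len(acls) not in (1, len(ids)):
        problems.append(f"{len(acls)} ACL files for {len(ids)} gateways")
    return problems

# Constructed samples using the placeholder values from the page.
GOOD = ("#Enter the gateway ids separated by single spaces\n"
        "GATEWAY_ID=existing_id new_appconnect_id\n"
        "SECTOKEN=existing_token--new_appconnect_token\n"
        "ACL_FILE=prodacl.txt\n")
BAD = ("GATEWAY_ID=existing_id new_appconnect_id \n"   # trailing space
       "SECTOKEN=existing_token\n"                      # second token missing
       "ACL_FILE=prodacl.txt\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_config(sample) or "ok")
```

Because the file holds the security tokens in clear text, run a check like this on the gateway host itself rather than copying the file elsewhere.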
First, find or create everything you need:
- A computer (personal computer or server) on which you can install the IBM Secure Gateway Client. In this tutorial, the steps assume that you are installing on a Windows computer.
Note:
- Flows that connect to applications on the private network will work only when the Secure Gateway Client is running. If you shut down the Secure Gateway Client (or the computer on which the Secure Gateway Client is running), applications on the private network cannot be reached by App Connect. For a persistent connection (for example, in production environments), it's recommended that you install the Secure Gateway Client on a server that is permanently available rather than on a personal computer.
- You cannot install the Secure Gateway Client on a mobile phone or tablet.
- When configuring a private network to use the IBM Secure Gateway, you must set an access control list before you can connect to applications. For more information about Access Control List (ACL) support in the Secure Gateway client, see IBM Secure Gateway - Access control list.
- If there is a firewall between the IBM Secure Gateway Client and the internet, make sure it is configured to allow connections on the ports that you want App Connect to use (for example, port 50000 for connection to Db2). Sometimes, when the rules for a firewall are updated, it can take a while for the changes to become effective, so you might need to wait a while after creating a new connection in App Connect.
- Currently, App Connect supports only TLS connectivity between App Connect and the Secure Gateway Client, and supports only TCP between the Secure Gateway Client and on-premises applications and systems. As a workaround, you can use an external secure gateway service where you can use TLS configurations for the Secure Gateway Client to communicate with the on-premises endpoint. However, you then have to use TCP between App Connect and your external secure gateway instance.
Then, download and install the Secure Gateway Client:
- From the computer where you want to install the Secure Gateway Client, log in to App Connect. You can download and install the Secure Gateway Client before you create a flow or while creating an account for an application that is on a private network.
- Complete either of the following steps:
  - Before you create a flow:
    - To open the Private network connections page, click the Private networks connections icon.
    - From the Private network connections page, click .
  - While you are creating an account for an application that is on a private network:
    - From the Applications tab on the App Connect Catalog page, locate the application you want to connect to.
    - If this is your first account for that app, click the Connect button. If you've previously created an account for the app, select Add a new account from the Account drop-down list. You'll see a set of fields for connecting to the account, including a Network name field.
    - From the Network name field, select the Create a new network option.
Tip: You can also create an account and new network while creating a flow. Select the application that you want to connect, and the event or action you want to use, and then add an account for that app.
The Connect your network page opens, from where you can download and configure the Secure Gateway Client. The operating system of your computer should be automatically detected, but you can change the operating system if it is incorrect.
- Follow the instructions to download the Secure Gateway Client installer.
- Enter a name for the private network, for example MyComputer, and then click Submit. Values for the Gateway ID and Security Token are generated and displayed on the screen.
- Double-click the Secure Gateway Client installer and follow the installation instructions. Use the following notes as guidance:
- For this tutorial, don't select the option to run the Secure Gateway Client as a service.
Note: You might want to run the Secure Gateway Client as a service when you are installing for a production deployment.
- Complete the Gateway Id and Security token fields by copying and pasting the values from the App Connect network connection page.
- Leave all other fields as default.
Figure 1. Example of configuration page for Secure Gateway Client
By default, the Secure Gateway Client files are installed to the C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client directory. You can choose to install the files to a different directory.
Finally, start and configure the Secure Gateway Client:
- Start the Secure Gateway Client as follows:
  - Run the following command from the directory to which you installed the Secure Gateway Client files:
    secgw.cmd
    Note: On Windows, the default location of the secgw.cmd file is C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client. You can also start the Secure Gateway Client from the Windows Start menu by clicking Start > All Programs > IBM > Secure Gateway Client > Secure Gateway Client.
  - In the command window that opens, type y to launch the Client.
    Figure 2. Secure Gateway Client command window
    You'll see messages in the command window indicating the Secure Gateway Client is running. The Secure Gateway Client dashboard is also launched in your default browser, and you can browse the access control list (ACL), the logs, and other connection information. (If necessary, refresh your browser tab to view the dashboard.)
    Figure 3. Secure Gateway Client dashboard
- From the dashboard, configure the Secure Gateway Client to enable access to defined hosts and ports. In this tutorial, we are going to set the Access Control List to All:
  - Click the Access Control List button on the Secure Gateway Client dashboard.
    Figure 4. Access Control List button on the Secure Gateway Client dashboard
  - Type All into the first box under Allow access and then click the + icon.
    Figure 5. Allow access section of Access Control List Management
    Note:
    - You might be presented with some warning messages at this point. Setting ACL to All enables App Connect to connect to any host (on any port) that is accessible from the computer that is running the Secure Gateway Client, and this might not be appropriate for your production environment. See the examples in the SampleACLFile.txt file in the Secure Gateway Client installation directory for methods of restricting the access to specific hosts and port numbers.
    - You can verify your ACL setting by typing show acl in the Secure Gateway Client command window. For an ACL setting of All, you should see the following details:
      Figure 6. Secure Gateway Client - show ACL
- On the App Connect Private network connections page, click Refresh. The page is displayed with your new Secure Gateway network listed.
Figure 7. Private network connections page showing Secure Gateway networks
- You've configured a Secure Gateway connection (Network) to a private network so that App Connect can connect to applications that are running on the network. When you create a flow, you can select this connection from the Network option when you configure the account details for an application that is on the private network; for example, an on-premises application such as SAP (via OData). For more information about the IBM Secure Gateway, see IBM Secure Gateway.