Secure Tunnel

A Secure Tunnel provides endpoint-to-endpoint connections across a hybrid network without opening firewall rules in an enterprise network. It allows access between different networks through TCP over HTTPS technology.

It can be applied in many use scenarios, such as MCMP, RBA, Infrastructure automation, Slack Connection for AIOps, Instana, and Turbonomic.

The traffic through these connections is encrypted with HTTPS. A Secure Tunnel can control access to resources between different networks, with more granular control, and collect all the operations and traffic logins in audit records.

It is not necessary to modify any access rules and firewall configuration between existing infrastructure if you use a Secure Tunnel. It is like a traditional VPN, bridging two networks between the Secure Tunnel server and the Secure Tunnel Connector.

To learn more about Secure Tunnel, see the following sections:


To manage a connection, you need to understand the following concepts:


High-level design


High-Level Design


The following security measures make Secure Tunnel a safe tool to use.

  1. Authentication

    • IBM Cloud Pak for Watson AIOps console accesses the Tunnel Connection worker with JWT authentication token.
  2. The Connector is authenticated with Mutual Transport Layer Security (mTLS).

  3. Access control

Only IBM Cloud Pak for Watson AIOps console users with the Automation Adminstrator or Administrator role can use Secure Tunnel.

For more information about users and roles, see Managing user access control.

  1. Data encryption in communication

    • All traffic from out-cluster (Connector or console) is transported by HTTPS.
    • All application mapping traffics are encrypted by TCP over HTTPS.
  2. Auditing

    • All configuration changes (tunnel connection or application mapping) are stored in the log system for auditing. For more information, see Configuring tunnel audit logs.
    • All connections are stored in the log system for usage metrics and auditing.

How to use Secure Tunnel

  1. To create a Secure Tunnel for an integration, see Creating Secure Tunnel Connections.

  2. To copy the application mapping URL that can be accessed by an integration, or view the configuration details and status of all tunnel connections and application mappings, see Viewing Secure Tunnel.

  3. To modify configurations for a Secure Tunnel, see Modifying Secure Tunnel.

  4. To audit Secure Tunnel operations and connections, see Auditing Secure Tunnel.