Secure Tunnel

A Secure Tunnel provides endpoint-to-endpoint connections across a hybrid network without opening firewall rules in an enterprise network. It allows access between different networks through TCP over HTTPS technology.

It can be applied in many use scenarios, such as MCMP, Runbooks, Infrastructure Automation, Slack Connection for AIOps, Instana, and Turbonomic.

The traffic through these connections is encrypted with HTTPS. A Secure Tunnel controls access to resources between the networks with finer granularity than a VPN, and collects all operations and traffic logs in audit records.

If you use a Secure Tunnel, you do not need to modify any access rules or firewall configuration in the existing infrastructure. Like a traditional VPN, it bridges two networks: the one where the Secure Tunnel server runs and the one where the Secure Tunnel Connector runs.

To learn more about Secure Tunnel, see the following sections:

Terminology

To manage a connection, you need to understand the following concepts:

  • Secure Tunnel: a group of microservices that includes the following services:

    • UI Server
      • Used to provide the static resources of the Secure Tunnel console and to handle some UI logic.
    • API Server
      • Verifies and processes user operation requests that come from the Secure Tunnel console, then operates on the Secure Tunnel Custom Resources (CRs) according to the request.
    • Controller
      • Monitors updates to the Secure Tunnel Custom Resources (CRs) and takes actions according to the CR updates.
    • Tunnel Connection
      • The configuration data for bridging two networks.
    • Application mapping
      • The configuration data used to control:
        • which applications on the network of the Secure Tunnel side can be accessed by the Secure Tunnel Connector side.
        • which applications on the network of the Secure Tunnel Connector side can be accessed by the Secure Tunnel side.
      • The Tunnel Connection worker and the Secure Tunnel Connector use the application mapping to control access to applications.
    • Tunnel Connection worker
      • An instance of a Tunnel Connection. One Tunnel Connection is created on one or more Tunnel Connection worker pods. The worker is also the server side of a TCP-over-HTTPS tunnel. Based on the OSS project.
    • Secure Tunnel Connector
      • The other side of the TCP-over-HTTPS tunnel. It is installed on the peer network to bridge that network with the network where the Secure Tunnel is installed. It is based on the OSS project.

Architecture

Figure. High-level design

Features

  • Like a traditional VPN, Secure Tunnel can bridge two or more networks. Unlike a VPN, it provides more fine-grained resource control.

  • Lightweight, easy to install and use, and can be used anywhere.

  • Authentication and authorization with the IBM Cloud Pak Automation console or Red Hat OpenShift Container Platform OAuth and RBAC system.

  • Provides two user interfaces

    • Secure Tunnel console: A customer can configure a Secure Tunnel Connection and control which applications can be accessed by the peer network from the console UI.
    • Command line: An automation script can configure a Secure Tunnel Connection and control which applications can be accessed by the peer network by using the kubectl or oc command line tools to operate on the CRs of the Secure Tunnel.
  • The connection is encrypted with mTLS.

  • Based on an OSS project.

High-Level Design

  • Secure Tunnel can be installed on a Red Hat OpenShift Container Platform cluster from the Operator Hub of the Red Hat OpenShift Container Platform console.
  • Secure Tunnel Connector can be installed on OCP, Kubernetes (such as IBM Kubernetes Service), or a host machine (VM or physical machine).
  • It bridges the network on the Secure Tunnel side and the network on the Secure Tunnel Connector side through a WebSocket connection between the Secure Tunnel and the Secure Tunnel Connector, authenticated with mTLS.

Then, you can use the Secure Tunnel console or command line tools to control:

  • which applications on the network of the Secure Tunnel side can be accessed by the Secure Tunnel Connector side.
  • which applications on the network of the Secure Tunnel Connector side can be accessed by the Secure Tunnel side.

Security

The following security measures make Secure Tunnel a safe tool to use.

  • Authentication

    • The IBM Cloud Pak for Watson AIOps console accesses the Tunnel Connection worker with a JWT authentication token.
    • The Connector is authenticated with Mutual Transport Layer Security (mTLS).
  • Access control

    • Only IBM Cloud Pak for Watson AIOps console users with the Automation Administrator or Administrator role can use Secure Tunnel.
    • For more information about users and roles, see Managing user access control.
  • Data encryption in communication

    • All traffic from outside the cluster (Connector or console) is transported over HTTPS.
    • All application mapping traffic is encrypted as TCP over HTTPS.
  • Auditing

    • All configuration changes (tunnel connection or application mapping) are stored in the log system for auditing. For more information, see Configuring tunnel audit logs.
    • All connections are stored in the log system for usage metrics and auditing.
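The application mapping described under Terminology and High-Level Design, together with the per-connection audit records listed above, as an added illustrative model (not Secure Tunnel's own code; the field names and the side labels "tunnel" and "connector" are assumptions):

```python
"""Model of Secure Tunnel application-mapping enforcement with audit records.

Added illustration, not Secure Tunnel product code. The mapping fields and
the side names "tunnel" / "connector" are assumptions for this example.
"""
from dataclasses import dataclass, field
import time

SIDES = ("tunnel", "connector")  # the two networks the tunnel bridges


@dataclass(frozen=True)
class ApplicationMapping:
    """One application that one side exposes to the peer side."""
    name: str
    exposed_by: str   # side whose network hosts the application
    host: str
    port: int


@dataclass
class TunnelConnection:
    """Bridges two networks; only mapped applications are reachable."""
    name: str
    mappings: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # one record per attempt

    def authorize(self, requested_by: str, host: str, port: int) -> bool:
        """Allow a connection only if the peer side has mapped host:port.

        A side never reaches its own network through the tunnel, and an
        unmapped host or port is denied even if the host is mapped on a
        different port: deny by default, as fine-grained control requires.
        """
        if requested_by not in SIDES:
            raise ValueError(f"unknown side: {requested_by}")
        peer = "connector" if requested_by == "tunnel" else "tunnel"
        allowed = any(
            m.exposed_by == peer and m.host == host and m.port == port
            for m in self.mappings
        )
        # Every attempt is recorded, allowed or not (constructed field names).
        self.audit.append({
            "ts": time.time(), "tunnel": self.name, "from": requested_by,
            "dest": f"{host}:{port}", "decision": "allow" if allowed else "deny",
        })
        return allowed


def sample_connection() -> TunnelConnection:
    """Constructed sample: a DB on the Connector side, an API on the Tunnel side."""
    return TunnelConnection("aiops-to-datacenter", [
        ApplicationMapping("postgres", "connector", "db.dc.internal", 5432),
        ApplicationMapping("aiops-api", "tunnel", "api.aiops.svc", 443),
    ])
```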

Certificate expiration and renewal

If you renew the Secure Tunnel TLS certificate, or it expires and IBM Certificate Manager renews it, the Secure Tunnel worker server automatically reloads the renewed certificate. However, the Secure Tunnel Connector does not automatically reload the renewed certificate. You must download a new Secure Tunnel Connector installation script, and then uninstall and reinstall the Secure Tunnel Connector. For more information, see the instructions in Install the Secure Tunnel Connector.

How to use Secure Tunnel