To connect to an IBM Sterling Order Management System environment, such as to manage an
application or to deploy changes, you must first connect to a jump host. You cannot access any
IBM Sterling Order Management System environment directly. After you connect to the jump host,
you can connect to the environment application servers. You can also use this tunnel to transfer
decrypted traffic over a network through an encrypted channel. The jump host connection process
provides you with the ability to bypass firewalls that can prohibit or filter some internet
services.
Note: If you do not connect to the jump host for 90 days, the password expires. Therefore, ensure
that you connect to the jump host periodically.
A jump host is an IBM® SoftLayer® Secure Shell (SSH) server and virtual private network (VPN)
landing point for an environment. Jump hosts are an alternative to SSH tunneling through a gateway
to directly access a server. An SSH tunnel is used to connect to the jump host and then from the
jump host to the IBM Sterling Order Management System environment application virtual local area
network (VLAN) and application server. This process consists of an encrypted tunnel that is
created through an SSH protocol connection.
Note: Connecting to your jump host can impact your ability to run a development machine test
server or other application that uses the same port number as your jump host connection. The web
request ports that your test server or other applications require can be used for connecting to
the jump host. After you connect to your jump host, all of your localhost requests can route to
the IBM Sterling Order Management System servers and become unavailable for your test server or
other application. To use your test server or another application that requires a port that is
used for your jump host connection, you must first disconnect from the jump host.
You can configure and use the Cygwin interface to establish connections to your IBM Sterling
Order Management System environments to access files, application consoles and tools, databases,
and the IBM UrbanCode® Deploy Selfserv tool.
Before you begin
Ensure that you complete the following tasks:
- Create an account with IBM Cloud® DevOps Services.
- Register your IP address with IBM to have your IP address added to the allowlist for accessing
the environment that you need to access.
- Download and install the Cygwin utility. You can use this utility to connect to the jump host
  and configure the SSH tunnels for accessing IBM Sterling Order Management System environments
  and the IBM UrbanCode Deploy Selfserv tool. For more information about installing Cygwin, go to
  the Cygwin URL. When you are installing the tool, ensure that you select to download and install
  the OpenSSH package within the Net category.
- Create your public and private SSH keys and provide the public key to IBM for any environment
  for which you need to configure a connection.
  The process to connect to a jump host requires the use of SSH public and private keys. SSH keys
  provide you with the ability to identify yourself to an SSH server by using public-key
  cryptography and challenge-response authentication. SSH keys are a way to identify trusted
  computers, without the need to involve passwords. If you use an SSH agent, you can use SSH keys
  to connect to one or more servers, without needing to enter your password for each server.
- Request the jump host connection and application server access and connection details from IBM
through a service request ticket. To configure the port forwarding, you require the following
application server details for each environment application server:
  - Server name
  - Destination port number
  - Server host name IP address
Procedure
- Configure the SSH tunnels.
  As part of your onboarding process, you are provided with a template configuration file to set
  up your SSH tunnel connections. Update this template file to use your user ID.
  The following code snippets show the structure of the configuration file. Each section within
  the file defines the configuration for a target environment host. The following section defines
  the global variables that are applied to every environment. Update the value for the
  IdentityFile property to specify your private SSH key file location.
    Host *
      ServerAliveInterval 60
      StrictHostKeyChecking no
      IdentityFile ~/.ssh/<private key>
  The next section in the file configures your jump host connection. Update the values, such as
  the HostName IP address, to be the values for the jump host that you were provided by IBM.
    Host myhost
      HostName xxx.xx.xxx.xxx
      Port 20220
      ForwardAgent yes
  The following section configures the connection settings for each environment. Update the values
  for each property, such as Host and HostName, for your environments. Replace any instance of
  <userID> with your user ID.
    Host <clientID>environment
      HostName <clientID>-environmentcoc.ibmcloud.com
      LocalForward 80
      LocalForward 443
      ProxyCommand ssh <userID> nc %h %p 2> /dev/null
  Note: For your development environment, you can change the local port for your Db2 database.
  The remote port is always 50000, but the local port value is made unique. To avoid potential
  local port conflicts, you can change the value to any port that is not in use.
- Configure the SSH Agent so that you need to enter your passphrase only once during each session.
  - Go to the cygwin_installdir/home/userID directory, where cygwin_installdir is the directory
    where you installed the utility.
  - Open the .bashrc file for editing.
  - Append the following code to the file.
    This code is used to detect whether the agent is running. If the agent is not running, the
    code causes the agent to start.
    # If no SSH agent is already running, start one now. Re-use sockets so we never
    # have to start more than one session.
    export SSH_AUTH_SOCK=/home/userID/.ssh-socket
    # ssh-add -l exits with status 2 when it cannot contact an agent
    ssh-add -l >/dev/null 2>&1
    if [ $? = 2 ]; then
      # No ssh-agent running; remove any stale socket before starting one
      rm -rf "$SSH_AUTH_SOCK"
      # >| allows output redirection to overwrite files if noclobber is set
      ssh-agent -a "$SSH_AUTH_SOCK" >| /tmp/.ssh-script
      # Load the SSH_AUTH_SOCK and SSH_AGENT_PID settings that ssh-agent printed
      source /tmp/.ssh-script
      echo "$SSH_AGENT_PID" >| ~/.ssh-agent-pid
      rm /tmp/.ssh-script
    fi
- Run the SSH Agent.
  - Open the Cygwin Terminal utility.
  - Run the following command, where <path_to_private_key_file> is the fully qualified path to
    your private key file.
    $ ssh-add <path_to_private_key_file>
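
The following check is an added example, not part of the IBM template or tooling. It scans a tunnel configuration file like the one in the "Configure the SSH tunnels" step for sections that set StrictHostKeyChecking to no, which makes ssh accept unknown host keys without confirmation, and for local ports that more than one LocalForward line claims. The Host names, addresses, and complete LocalForward values in the sample are constructed, and the parser assumes whitespace-separated keywords.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM template): lint an OpenSSH client config
# that defines jump-host tunnels. Assumes "Keyword value" (whitespace) syntax.

# Prints one line per finding:
#   WEAK     - a Host section sets StrictHostKeyChecking to no/off
#   CONFLICT - a local port is claimed by more than one LocalForward line
lint_tunnel_config() {
  awk '
    { kw = tolower($1) }
    kw == "host" { host = $2; next }
    kw == "stricthostkeychecking" && tolower($2) ~ /^(no|off)$/ {
      printf "WEAK host=%s StrictHostKeyChecking=%s\n", host, $2
    }
    kw == "localforward" {
      # Local side is "port" or "bind_address:port"; keep only the port.
      n = split($2, part, ":"); port = part[n]
      if (port in owner)
        printf "CONFLICT port=%s hosts=%s,%s\n", port, owner[port], host
      else
        owner[port] = host
    }
  ' "$1"
}

# Constructed sample: addresses, Host names and forwards are hypothetical.
# Both environments map the Db2 remote port 50000 to local port 50000.
write_sample_config() {
  cat > "$1" <<'EOF'
Host *
  ServerAliveInterval 60
  StrictHostKeyChecking no
Host dev
  LocalForward 50000 192.0.2.10:50000
Host qa
  LocalForward 50000 192.0.2.20:50000
  LocalForward 8443 192.0.2.20:443
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
lint_tunnel_config "$cfg"
rm -f "$cfg"
```

To check your own file, run lint_tunnel_config with the path to your configuration file; a CONFLICT line names the two Host sections whose local port must be made unique.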