Configuring environment connections

To connect to an IBM Sterling Order Management System environment, such as to manage an application or to deploy changes, you must first connect to a jump host.

You cannot access any IBM Sterling Order Management System environment directly. After you connect to the jump host, you can connect to the environment application servers. You can also use this tunnel to transfer unencrypted traffic over a network through an encrypted channel. The jump host connection process lets you bypass firewalls that can prohibit or filter some internet services.
Note: If you do not connect to the jump host for 90 days, the password expires. Therefore, ensure that you connect to the jump host periodically.

A jump host is an IBM® SoftLayer® Secure Shell (SSH) server and virtual private network (VPN) landing point for an environment. Jump hosts are an alternative to SSH tunneling through a gateway to directly access a server. An SSH tunnel is used to connect to the jump host and then from the jump host to the IBM Sterling Order Management System environment application virtual local area network (VLAN) and application server. This process consists of an encrypted tunnel that is created through an SSH protocol connection.

Note: Connecting to your jump host can impact your ability to run a development machine test server or other application that uses the same port number as your jump host connection. The web request ports that your test server or other applications require can be used for connecting to the jump host. After you connect to your jump host, all of your localhost requests can route to the IBM Sterling Order Management System servers and are unavailable for your test server or other application. To use your test server or another application that requires a port that is used for your jump host connection, you must first disconnect from the jump host.

You can configure and use the Cygwin interface to establish connections to your IBM Sterling Order Management System environments to access files, application consoles and tools, databases, and the IBM UrbanCode® Deploy Selfserv tool.

Before you begin

Ensure that you complete the following tasks:
  • Create an account with IBM Cloud® DevOps Services.
  • Register your IP address with IBM so that it is added to the allowlist for the environment that you need to access.
  • Download and install the Cygwin utility. You can use this utility to connect to the jump host and configure the SSH tunnels for accessing IBM Sterling Order Management System environments and the IBM UrbanCode Deploy Selfserv tool. For more information about installing Cygwin, go to the Cygwin URL. When you are installing the tool, ensure that you select to download and install the OpenSSH package within the Net category.
  • Create your public and private SSH keys and provide the public key to IBM for any environment for which you need to configure a connection.

    The process to connect to a jump host requires the use of SSH public and private keys. SSH keys let you identify yourself to an SSH server by using public-key cryptography and challenge-response authentication. SSH keys are a way to identify trusted computers without the need to involve passwords. If you use an SSH agent, you can use SSH keys to connect to one or more servers without needing to enter your password for each server.

  • Request the jump host connection and application server access and connection details from IBM through a service request ticket. To configure the port forwarding, you require the following application server details for each environment application server:
    • Server name
    • Destination port number
    • Server host name IP address

Procedure

  1. Configure the SSH tunnels.
    As part of your onboarding process, you are provided with a template configuration file to set up your SSH tunnel connections. Update this template file to use your user ID.
    The following code snippets show the structure of the configuration file. Each section within the file defines the configuration for a target environment host. The following section defines the global variables that are applied to every environment. Update the value for the IdentityFile property to specify your private SSH key file location.
    Host *
      ServerAliveInterval 60
      StrictHostKeyChecking no
      IdentityFile ~/.ssh/<private key>
    The next section in the file configures your jump host connection. Update the values, such as the HostName IP address, to the values for the jump host that IBM provided to you.
    Host myhost
      HostName xxx.xx.xxx.xxx
      Port 20220
      ForwardAgent yes
    The following section configures the connection settings for each environment. Update the values for each property, such as Host and HostName, for your environments. Replace any instance of <userID> with your user ID.
    
    Host <clientID>environment
      HostName <clientID>-environmentcoc.ibmcloud.com
      LocalForward 80
      LocalForward 443
      ProxyCommand ssh <userID> nc %h %p 2> /dev/null
    
    Note: For your development environment, you can change the local port for your Db2 database. The remote port is always 50000, but the local port value is made unique. To avoid potential local port conflicts, you can change the value to any port that is not in use.
  2. Configure the SSH Agent so that you need to enter your passphrase only once during each session.
    1. Go to the cygwin_installdir/home/userID directory, where cygwin_installdir is the directory where you installed the utility.
    2. Open the .bashrc file for editing.
    3. Append the following code to the file.
      This code is used to detect whether the agent is running. If the agent is not running, the code causes the agent to start.
      # If no SSH agent is already running, start one now. Re-use sockets so we never
      # have to start more than one session.
      
      export SSH_AUTH_SOCK="$HOME/.ssh-socket"
      
      ssh-add -l >/dev/null 2>&1
      # Exit status 2 means that ssh-add could not contact an agent
      if [ $? = 2 ]; then
         # No ssh-agent running; remove any stale socket from an earlier agent
         rm -f "$SSH_AUTH_SOCK"
         # Load the agent variables directly rather than sourcing a file with a
         # predictable name in /tmp
         eval "$(ssh-agent -s -a "$SSH_AUTH_SOCK")" >/dev/null
         # >| allows output redirection to over-write files if no clobber is set
         echo "$SSH_AGENT_PID" >| ~/.ssh-agent-pid
      fi
  3. Run the SSH Agent.
    1. Open the Cygwin Terminal utility.
    2. Run the following command.

      $ ssh-add <path_to_private_key_file>
      where <path_to_private_key_file> is the fully qualified path to your private key file.
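
The template in step 1 sets StrictHostKeyChecking no for every host, sets ForwardAgent yes for the jump host, and forwards local ports 80 and 443. The following script is an added example, not part of the IBM template or documentation, that reports those settings and unfilled LocalForward lines in a configuration file so that you can review them; audit_ssh_config, sample_config, and the sample host names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): flag settings worth reviewing in an OpenSSH
# client config. audit_ssh_config and sample_config are made-up names.

audit_ssh_config() {
  # Reads the file named in $1, or standard input when no file is given.
  awk '
    BEGIN { host = "(global)" }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { sub(/=/, " ")                          # "Keyword=value" is also valid
      key = tolower($1); val = tolower($2) }
    key == "host" {                          # track the current Host block
      host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next }
    key == "stricthostkeychecking" && (val == "no" || val == "off") {
      print host ": StrictHostKeyChecking " val " accepts new and changed host keys unverified" }
    key == "forwardagent" && val == "yes" {
      print host ": ForwardAgent yes exposes your agent socket on that host" }
    key == "localforward" {
      n = split($2, a, ":"); port = a[n] + 0 # first argument is [bind_address:]port
      if (NF < 3) print host ": LocalForward " $2 " has no destination host:port"
      else if (port < 1024) print host ": LocalForward claims privileged local port " port }
  ' "${1:--}"
}

sample_config() {   # constructed sample that follows the template structure
  cat <<'EOF'
Host *
  ServerAliveInterval 60
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_example
Host myhost
  HostName 192.0.2.10
  Port 20220
  ForwardAgent yes
Host exampledev
  HostName exampledev.example.invalid
  LocalForward 80 app1.example.invalid:80
  LocalForward 443
  LocalForward 50001 db1.example.invalid:50000
EOF
}

sample_config | audit_ssh_config
```

To check your own file, pass its path as the first argument, for example audit_ssh_config ~/.ssh/config. A forward such as local port 50001 is not reported because it does not occupy a port that a local web or test server is likely to need.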