Following on from Simon Stone’s excellent article Expose your integrations to your organization as REST APIs using IBM Integration Bus and IBM API Connect, I describe step-by-step how to push configurations for REST APIs from IIB to an API Connect service hosted on Bluemix and receive requests via a Secure Gateway service which is also hosted on Bluemix.

The diagram below illustrates how REST requests can be sent from a client to IBM API Connect hosted in Bluemix and forwarded to IIB via a Secure Gateway. The Secure Gateway service creates a secure tunnel between Bluemix and an on-premise installation like IIB.

Add API Connect and Secure Gateway services to your Bluemix space
I will describe the steps starting from an empty Bluemix space. Open https://console.ng.bluemix.net/ in your browser and log in.

Search for API Connect and then click on the API Connect icon. Once it opens, scroll to the bottom and click Create.

The API Connect service is now provisioned in your Bluemix space.

Now search for Secure Gateway and click on its icon. Once it opens, scroll to the bottom and click Create.

You now have a Secure Gateway service provisioned on your Bluemix space! You should see 2 services shown in your space, one for API Connect and one for Secure Gateway.

Configure Secure Gateway
Now click on Secure Gateway. You see:

Click on Add Gateway:

Enter a name for your gateway and click Connect It

Install the Secure Gateway client
Click on the download link for the Windows installer:

You should see the installer start.

On the fourth page in the install wizard, you are asked to enter values for the Gateway Id and Security tokens:

You need to copy the Gateway Id and Security tokens from the service details:

Now click Install and then click Close after it completes successfully.

Back in the Secure Gateway service, click on Add Destinations

Enter the name of your Integration Node as the Destination Name and provide your hostname and port, then click on Add Destination

The Destination is added. You can click on I’m Done.

The gateway is shown with a red cross until you have configured the client.

Configure the Secure Gateway Client
You need to configure the Secure Gateway client now so that the Secure Gateway can be used.

Create an ACL file and add the permissions for your host and port. For this demo, I have allowed all ports.
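
The ACL is what limits which on-premise hosts and ports the tunnel can reach, so an allow-all entry opens every address on the internal network to the gateway. The following is an added example, not code from the original article or from IBM: it lints a client ACL file for over-broad allow entries and checks that a chosen destination is still permitted. The line grammar is inferred from the "acl allow localhost:" and "acl allow :" forms quoted in the comments on this page; the "#" comment syntax, port 7800 and both sample files are assumptions.

```python
import re

# Grammar assumed from the two forms quoted on this page:
#   acl allow <host>:<port>   (an empty host or port means "any")
ACL_LINE = re.compile(r"^acl\s+(allow|deny)\s+([^\s:]*):(\d*)$", re.IGNORECASE)

def parse_acl(text):
    """Return (entries, errors); entries are (lineno, action, host, port)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' comments are an assumption
            continue
        m = ACL_LINE.match(line)
        if m:
            entries.append((lineno, m.group(1).lower(), m.group(2).lower(), m.group(3)))
        else:
            errors.append((lineno, line))
    return entries, errors

def audit(text):
    """List findings for allow entries broader than a single host:port."""
    entries, errors = parse_acl(text)
    findings = [f"line {n}: unparseable entry {l!r}" for n, l in errors]
    for n, action, host, port in entries:
        if action != "allow":
            continue
        if not host and not port:
            findings.append(f"line {n}: allows every host and port")
        elif not host:
            findings.append(f"line {n}: allows port {port} on every host")
        elif not port:
            findings.append(f"line {n}: allows every port on {host}")
    return findings

def is_allowed(text, host, port):
    """True if some allow entry matches host:port (deny entries are not evaluated)."""
    entries, _ = parse_acl(text)
    return any(a == "allow" and h in ("", host.lower()) and p in ("", str(port))
               for _, a, h, p in entries)

# Constructed samples: an allow-all ACL like the demo's, and a tightened one.
DEMO_ACL = "acl allow :\n"
TIGHT_ACL = "# IIB HTTP listener only (port is a constructed value)\nacl allow localhost:7800\n"

if __name__ == "__main__":
    for name, acl in (("demo", DEMO_ACL), ("tight", TIGHT_ACL)):
        print(name, audit(acl) or "no broad entries",
              "| localhost:7800 allowed:", is_allowed(acl, "localhost", 7800))
```

Run the audit against the file referenced from securegw_service.config after each change, and confirm with is_allowed that the destination host and port you added in the Secure Gateway service are still covered.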

Edit this file:

C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client\securegw_service.config

Change the ACL file setting in this file so that it points to your ACL file.

Open this folder in Windows Explorer:

C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client

Double click on secgw.cmd to run it.

Enter y to use the config file

You now see your gateway has gone green

Push REST APIs to API Connect on Bluemix
Before you push REST APIs to your API Connect service in Bluemix, you need to make a note of the cloud hostname.

Click on the gateway. Then click on the settings button for your destination.

You need to make a note of the cloud host and port.

If you open your API Connect Service, you will see a Sandbox catalog.

The hostname of your API Connect service is in the URL:

Now we can push REST APIs to the API Connect service on Bluemix and test them through the Secure Gateway. In the IIB Web UI, select your Integration Service and click on ‘Push REST APIs to IBM API Connect’.

Enter eu.apiconnect.ibmcloud.com and your user ID and password for logging on to Bluemix. Click on Connect to IBM API Connect. You should see that it connects successfully.

You should see your API Connect organization listed.

Add the name of the product that you want to create and specify Sandbox as the catalog.

Click Next.

Select the REST APIs that you want to push.

Click Next.

Enter the cloud hostname and port that you noted earlier from the Secure Gateway destination details.

Click on ‘Push to IBM API Connect’

You will see messages confirming that the Product has been created, the APIs have been added to it and the Product has been staged.

If you look at the APIs in your draft workspace now, you will see that the APIs are shown:

If you select a REST API and click on Source, you can see that the target-url in the swagger definition for the REST API has the hostname and port of the Secure Gateway. When the API is invoked, the request will be directed to that host and port and then the Secure Gateway will route it to the destination that was added. This is shown in the screenshot below:

Test the REST APIs
You can try out the REST API by clicking on it and then clicking on Assemble.

Select the Catalog and Product, click on Republish product and then click Next.

Select the Operation and invoke it.

The request is sent to IIB through the Secure Gateway and a response is sent back!

Summary
In this article I have described how to push configurations for multiple REST APIs from IIB to an API Connect service on Bluemix. I have used the Secure Gateway service and client to proxy requests that are sent to the IIB on-premise system. This seamless integration between IBM Integration Bus and IBM API Connect allows you to easily create, deploy and manage your REST APIs for your organization.

18 comments on "Pushing REST APIs to IBM API Connect provisioned on Bluemix and accessing them through a Secure Gateway service"

  1. Unable to connect to IBM API Connect at host ‘eu.apiconnect.ibmcloud.com’ port ‘443’ I get exactly what the article does. But I can not connect any API Connect using IIB.

    • @JuanGaray Hi,
      Thanks for the feedback. I’ve passed it on to the IIB Level 2 support, to see if they can help (and given them a link to your comment in IBM Developer Answers).
      Regards, Ian

  2. Sanjay

    I am facing an issue while pushing the API from the IIB Web UI to API Connect hosted on my IBM Cloud account. When I try pushing, I am getting the following error message:

    “Unable to connect to IBM API Connect at host ‘au.apiconnect.ibmcloud.com’ port ‘443’”

    I tried to check whether I am able to access the server on that port through telnet, and was able to successfully.

    I have followed the steps provided by you, but am still facing the issue.

    I would appreciate it if you could help me in this regard.

    Thanks

  3. Hi Sanjay.
    I am facing the below issue while doing the testing from API Connect. Please can you help here?

    Failed to create the destination for Secure Gateway. Unable to reach Secure Gateway service.

    • SanjayNagchowdhury September 01, 2017

      Hi,
      You should check that you have specified the correct port that IIB is listening on.

      Thanks

      Sanjay

  4. SumanGarrepalli February 14, 2017

    Hello Sanjay,

    This article was very helpful.
    I was able to deploy REST API (from IIB) onto IBM Bluemix. Tested successfully.

    Observations:
    1. After setting up Bluemix API Connect and Secure Gateway as per the article. However while deploying REST API through Integration Toolkit (v10), I have not seen any option to override host name and port with cloud host configurations. Once deployment was successful, I had to manually edit target-URL pointing to Secured Gateway.

    2. From Integration toolkit, deployment of REST API to API Connect did not happen in the first go. I had to try couple of times same steps, it was successful. I could not find any relevant logs.

    3. I saw the below in Secured Gateway logs. What’s the recommended acl command?
    2/13/2017, 11:42:35 PM [WARN] : A valid acl allow command of ‘:’ without a hostname or port has been entered, this is not recommended!
    2/13/2017, 11:42:35 PM [WARN] : The Access Control List has been disabled, the ACL Deny All flag is set to: false

    • SanjayNagchowdhury February 14, 2017

      1. After setting up Bluemix API Connect and Secure Gateway as per the article. However while deploying REST API through Integration Toolkit (v10), I have not seen any option to override host name and port with cloud host configurations. Once deployment was successful, I had to manually edit target-URL pointing to Secured Gateway.

      ANSWER: yes you are correct, there is no way to modify the target-URL when pushing an API via the toolkit. The functionality to push an API from the toolkit to API Connect is stabilised and the preferred option is to use either the WebUI or the ‘mqsipushapis’ command line utility. Note: When using the toolkit to push API’s, only API Management v4 is supported (pushing API’s to API Connect v5 is not possible using the toolkit).

      2. From Integration toolkit, deployment of REST API to API Connect did not happen in the first go. I had to try couple of times same steps, it was successful. I could not find any relevant logs.

      ANSWER: We are not aware of any issues with the push to API Connect functionality from the toolkit. If the problem persists then I would suggest that you capture service trace from AdminAgent for the broker to which the toolkit is connected and raise a PMR. (Or my preferred option would be to use the WebUI).

      3. I saw the below in Secured Gateway logs. What’s the recommended acl command?
      2/13/2017, 11:42:35 PM [WARN] : A valid acl allow command of ‘:’ without a hostname or port has been entered, this is not recommended!
      2/13/2017, 11:42:35 PM [WARN] : The Access Control List has been disabled, the ACL Deny All flag is set to: false

      ANSWER: It is difficult to recommend a set of ACL’s for your system. For the article we set a default ACL which allows access to all IP addresses and ports on your internal network which is the easiest to set up but the least secure. But for example, to allow the gateway to only allow access to the host upon which the gateway is running you could set an ACL of
      acl allow localhost:
      which means that the gateway must be running on the same host as your broker. You could restrict this even further by specifying the port number of the HTTP(S) listener of your broker if you wished. The following page explains more about how to set ACL’s and how they can be used. https://console.ng.bluemix.net/docs/services/SecureGateway/sg_010.html#sg_010

  5. When creating a destination in the Cloud Gateway how do you secure it? The URL you have highlighted in red
    caplongsgprd-2.integraton.ibmcloud.com:15104
    is open to the public, how do you secure it so only APIC can connect to that endpoint?

  6. Abhinav Priyadarshi September 22, 2016

    Sanjay,
    Thanks for the article. Very useful.
    I am able to push the REST API into API Connect on Bluemix using secure gateway. However while testing, I am finding issues.
    No response received. Causes include a lack of CORS support on the target server, the server being unavailable, or an untrusted certificate being encountered.
    Clicking the link below will open the server in a new tab. If the browser displays a certificate issue, you may choose to accept it and return here to test again.
    https://api.us.apiconnect.ibmcloud.com/pabhinavinibmcom-cognitivebuild/sb/fundtransfer/v1/fundTransfer?account2=4491661392478208&account1=2045594740719616&transferAmount=22335530729472

    When I call the request URL above I am getting the below error in web browser.
    404 Not Found
    The requested URL was not found on this server

    • SanjayNagchowdhury September 22, 2016

      Try enabling CORS:
      mqsireportproperties IB10NODE -e default -o HTTPConnector -n corsEnabled
      mqsichangeproperties IB10NODE -e default -o HTTPConnector -n corsEnabled -v true

  7. Harisankar July 01, 2016

    Hello Sanjay,

    First of all, thanks for this article.

    However, I am facing an issue while doing the testing from API Connect. Below is the error which I am getting while trying to invoke it:

    I have created the gateway service exactly as per this article and couldn’t see any issue while doing the same. Was there any step which you missed mentioning here?

    Status code:
    500 Internal Server Error
    Response time:
    1974ms
    Headers:
    content-type: application/json
    apim-debug-trans-id: 10.173.4.250-0db20512-ac11-4f6c-aa61-2bfaec5c9662
    Body:
    {
      "httpCode": "500",
      "httpMessage": "Internal Server Error",
      "moreInformation": "Failed to establish a backside connection"
    }

    • Sanjay Nagchowdhury July 04, 2016

      Hi,
      Can you check the REST API service is deployed and can be accessed? Try bringing up the IIB WebUI and see if you can get to the swagger link for the REST API.

      Thanks

      Sanjay

      • harisankar G July 06, 2016

        Hello Sanjay,

        Thanks for the reply. My solution is working fine now. The issue was with the secure gateway client connection with the host mentioned as localhost, which won’t work for Bluemix services. So I had to explicitly mention my system IP address, which made the connection start working successfully.

        Thanks
        Hari

  8. Lee Gavin June 08, 2016

    Great article Sanjay!
