Learn how to configure a private network in IBM App Connect by using the IBM Secure Gateway, so that App Connect can reach your apps on a private network (for example, your company network or a private cloud).

Setting up the secure gateway isn’t hard, but to complete the task, you might need help from an administrator who has authority to configure security for the private network.

You can install the IBM Secure Gateway Client from a number of places in App Connect, as outlined below.

First, find or create everything you need:

  • A computer (personal computer or server) on which you can install the IBM Secure Gateway Client. In this tutorial, the steps assume that you are installing on a Windows computer.


    • Flows that connect to applications on the private network will work only when the Secure Gateway Client is running. If you shut down the Secure Gateway Client (or the computer on which the Secure Gateway Client is running), applications on the private network cannot be reached by App Connect. For a persistent connection (for example, in production environments), it’s recommended that you install the Secure Gateway Client on a server that is permanently available rather than on a personal computer.
    • You cannot install the Secure Gateway Client on a mobile phone or tablet.

Then, download and install the Secure Gateway Client:

  1. From the computer where you want to install the Secure Gateway Client, log in to App Connect.

    You can download and install the Secure Gateway Client before you create a flow or while creating an account for an application that is on a private network.

  2. Complete either of the following steps:
    • Before you create a flow:
      1. From the App Connect menu, click Manage > Networks.
      2. From the Networks page, click Connect a network.
    • While you are creating an account for an application that is on a private network:
      1. From the Applications tab on the App Connect Catalog page, locate the application you want to connect to.
      2. If this is your first account for that app, click the Connect button. If you’ve previously created an account for the app, select Add a new account from the Account drop-down list.

        You’ll see a set of fields for connecting to the account, including a Network name field.

      3. From the Network name field, select the Create a new network option.

      Tip: You can also create an account and new network while creating a flow. Select the application that you want to connect, and the event or action you want to use, and then add an account for that app.

    The “Connect your network” page opens, from where you can download and configure the Secure Gateway Client. The operating system of your computer should be automatically detected, but you can change the operating system if it is incorrect.

  3. Follow the instructions to download the Secure Gateway Client installer.
  4. Enter a name for the private network, for example MyComputer, and click Submit. Values for the Gateway ID and Security Token are generated and displayed on the screen.
  5. Double-click the Secure Gateway Client installer and follow the installation instructions. Use the following notes as guidance:
    • For this tutorial, don’t select the option to run the Secure Gateway Client as a service. Note: You might want to run the Secure Gateway Client as a service when you are installing for a production deployment.
    • Complete the Gateway Id and Security token fields by copying and pasting the values from the App Connect network connection page.
    • Leave all other fields as default.


    By default, the Secure Gateway Client files are installed to the C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client directory. You can choose to install the files to a different directory.

Finally, start and configure the Secure Gateway Client:

  1. Start the Secure Gateway Client as follows:
    1. Run the secgw.cmd command from the directory to which you installed the Secure Gateway Client files.

      Tip: On Windows, the default location of the secgw.cmd file is C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client. You can also start the Secure Gateway Client from the Windows Start menu by clicking Start > All Programs > IBM > Secure Gateway Client > Secure Gateway Client.

    2. In the command window that opens, type y to launch the Client.

      You’ll see messages in the command window indicating the Secure Gateway Client is running. The Secure Gateway Client dashboard is also launched in your default browser, and you can browse the access control list (ACL), the logs, and other connection information. (If necessary, refresh your browser tab to view the dashboard.)


  2. From the dashboard, configure the Secure Gateway Client to enable access to defined hosts and ports. In this tutorial, we are going to set the Access Control List to All:
    1. Click the Access Control List button in the Secure Gateway Client dashboard.


    2. Type All into the first box under Allow access and then click the + icon.



      • You might be presented with some warning messages at this point. Setting the ACL to All enables App Connect to connect to any host (on any port) that is accessible from the computer that is running the Secure Gateway Client, and this might not be appropriate for your production environment. See the examples in the SampleACLFile.txt file in the Secure Gateway Client installation directory for methods of restricting access to specific hosts and port numbers.
      • You can verify your ACL setting by typing show acl in the Secure Gateway Client command window. For an ACL setting of All, you should see the following details:

        [Screenshot: Secure Gateway Client - show ACL]

  3. In the App Connect network connection page, click Test + Connect. The Networks page is displayed with your new network listed.
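
To follow up on the warning about an ACL of All, this added example (not part of the original tutorial and not IBM's code) lints a list of ACL rules for wildcard allow entries and compares it with the destinations your flows actually need. The `acl allow|deny host:port` line syntax, the wildcard conventions, and all host names are assumptions for illustration; check SampleACLFile.txt for the syntax your client accepts.

```python
import re

# ASSUMED rule syntax: "acl allow|deny <host>:<port>"; an empty host or port,
# or the word "All", is treated as a wildcard. Confirm against SampleACLFile.txt.
RULE = re.compile(r"^acl\s+(allow|deny)\s+(\S+)$", re.IGNORECASE)
# Constructed sample: hypothetical hosts, not taken from any real deployment.
SAMPLE_ACL = """\
acl allow sap01.corp.example:3300
acl allow db01.corp.example:
acl allow :
acl deny localhost:22
"""
REQUIRED = {("sap01.corp.example", "3300"), ("mq01.corp.example", "1414")}

def parse_acl(text):
    """Return [(action, host, port)]; '' in host or port means wildcard."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m or (m.group(2).lower() != "all" and ":" not in m.group(2)):
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        target = ":" if m.group(2).lower() == "all" else m.group(2)
        host, _, port = target.rpartition(":")
        if port and not port.isdigit():
            raise ValueError(f"line {lineno}: bad port {port!r}")
        rules.append((m.group(1).lower(), host.lower(), port))
    return rules

def lint(rules, required):
    """Flag wildcard or unneeded allow rules and required targets left uncovered."""
    findings = []
    allows = [(h, p) for action, h, p in rules if action == "allow"]
    for host, port in allows:
        if not host and not port:
            findings.append("allow-all: any host and port the client machine can reach")
        elif not host:
            findings.append(f"any-host: port {port} allowed on every host")
        elif not port:
            findings.append(f"any-port: every port allowed on {host}")
        elif (host, port) not in required:
            findings.append(f"unused: {host}:{port} is not a required destination")
    for host, port in sorted(required):
        if not any(h in ("", host) and p in ("", port) for h, p in allows):
            findings.append(f"missing: {host}:{port} has no allow rule")
    return findings
if __name__ == "__main__":
    print("\n".join(lint(parse_acl(SAMPLE_ACL), REQUIRED)))
```

Replace `REQUIRED` with the host and port pairs that your own flows use; an empty result means every allow rule maps to a needed destination and nothing is left open by wildcard.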


You’ve configured a private network so that App Connect can connect to applications that are running on the network. When you create a flow, you can select this network connection when you configure the account details for an application that is on the private network; for example, an on-premises application such as SAP. You can also select the network connection when you define a custom application. For more information about the IBM Secure Gateway, see IBM Secure Gateway.

2 comments on "Configuring a private network for IBM App Connect on IBM Cloud"

  1. When running ‘secgw.cmd’, I’m getting “UNABLE_TO_GET_ISSUER_CERT_LOCALLY”. Any ideas what went wrong?

    • Ian_Larner June 11, 2018

      Hi David,
      I just reinstalled the secure gateway, and did not see this error.

      That message seems most likely related to a nodejs issue with your proxy and an unknown CA. From “Nodejs 4 introduces UNABLE_TO_GET_ISSUER_CERT_LOCALLY error for users behind company firewalls #3742”: “The error itself just means that a TLS certificate in the chain is signed by an unknown CA, presumably the cert your proxy uses.”

      The issue report shows several workarounds like: $ export NODE_EXTRA_CA_CERTS=[your CA certificate file path]

      If you need more help with this, please open a ticket through IBM Cloud unified support; see Access IBM Support for more information.

      Regards, Ian
