Learn how to configure a private network in IBM App Connect, using the IBM Secure Gateway to reach your apps on a private network (for example, your company network or a private cloud).

Setting up the secure gateway isn’t hard, but to complete the task, you might need help from an administrator who has authority to configure security for the private network.

You can install the IBM Secure Gateway Client from a number of places in App Connect, as outlined below.

Note:

If you already have a Secure Gateway client installed and running, you do not need to install the client again for a new Network in App Connect. You can edit the config file for that client and add the Gateway ID and Security Token values provided on the App Connect “Connect your network” page.

For example, in C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client\securegw_service.config add the values provided for a new network:

#Enter the gateway ids separated by single spaces
GATEWAY_ID=existing_id new_appconnect_id

#Config file for Secure Gateway Client, to start as a Windows Service.
#PLEASE AVOID ANY RESIDUAL WHITE SPACES

#Enter the security tokens separated by --
SECTOKEN=existing_token--new_appconnect_token

#Enter the ACL files separated by --
ACL_FILE=prodacl.txt

In this example, both connections/networks use the same ACL, prodacl.txt, but you could configure a separate ACL file for each connection/network.
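The three entries above are parallel lists, so a miscount or stray space can pair a gateway with the wrong token or ACL. The following check is an added example, not part of IBM's documentation or the Secure Gateway Client; it assumes the KEY=VALUE layout shown above and that ACL_FILE holds either one shared file or one file per gateway.

```python
# SAMPLE is constructed from the values shown on this page.
SAMPLE = """\
#Enter the gateway ids separated by single spaces
GATEWAY_ID=existing_id new_appconnect_id
#Enter the security tokens separated by --
SECTOKEN=existing_token--new_appconnect_token
#Enter the ACL files separated by --
ACL_FILE=prodacl.txt
"""

def parse_config(text):
    """Return ({KEY: value}, [problems]); lines starting with '#' are comments."""
    values, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line != line.strip():
            problems.append(f"line {n}: residual white space around the entry")
        key, sep, value = line.strip().partition("=")
        if not sep:
            problems.append(f"line {n}: expected KEY=VALUE")
            continue
        values[key.strip()] = value
    return values, problems

def split_list(value, sep):
    """Split a separator-delimited value; an empty value yields an empty list."""
    return value.split(sep) if value else []

def check_config(text):
    """Return a list of problems; token values are never included in messages."""
    values, problems = parse_config(text)
    ids = split_list(values.get("GATEWAY_ID", ""), " ")
    tokens = split_list(values.get("SECTOKEN", ""), "--")
    acls = split_list(values.get("ACL_FILE", ""), "--")
    if not ids or "" in ids:
        problems.append("GATEWAY_ID: need ids separated by single spaces")
    if len(tokens) != len(ids):
        problems.append(f"SECTOKEN: {len(tokens)} tokens for {len(ids)} gateway ids")
    if any(t != t.strip() or not t for t in tokens):
        problems.append("SECTOKEN: empty entry or white space inside the list")
    # Assumption: one ACL file is shared by every gateway, or there is one per gateway.
    if len(acls) not in (1, len(ids)):
        problems.append(f"ACL_FILE: {len(acls)} files for {len(ids)} gateway ids")
    return problems

if __name__ == "__main__":
    for problem in check_config(SAMPLE) or ["no problems found"]:
        print(problem)
```

To check a real file, pass its contents to `check_config`; the messages report counts and line numbers only, so the output can be shared without exposing a security token.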

After you restart the Secure Gateway client, you should see the new Network connected in App Connect (for example, click “Test+Connect” on the “Connect your network” page or refresh the Networks page).

First, find or create everything you need:

  • A computer (personal computer or server) on which you can install the IBM Secure Gateway Client. In this tutorial, the steps assume that you are installing on a Windows computer.

    Note:

    • Flows that connect to applications on the private network will work only when the Secure Gateway Client is running. If you shut down the Secure Gateway Client (or the computer on which the Secure Gateway Client is running), applications on the private network cannot be reached by App Connect. For a persistent connection (for example, in production environments), it’s recommended that you install the Secure Gateway Client on a server that is permanently available rather than on a personal computer.
    • You cannot install the Secure Gateway Client on a mobile phone or tablet.

Then, download and install the Secure Gateway Client:

  1. From the computer where you want to install the Secure Gateway Client, log in to App Connect.

    You can download and install the Secure Gateway Client before you create a flow or while creating an account for an application that is on a private network.

  2. Complete either of the following steps:
    • Before you create a flow:
      1. From the App Connect menu, click Manage > Networks.
      2. From the Networks page, click Connect a network.
    • While you are creating an account for an application that is on a private network:
      1. From the Applications tab on the App Connect Catalog page, locate the application you want to connect to.
      2. If this is your first account for that app, click the Connect button. If you’ve previously created an account for the app, select Add a new account from the Account drop-down list.

        You’ll see a set of fields for connecting to the account, including a Network name field.

      3. From the Network name field, select the Create a new network option.

      Tip: You can also create an account and new network while creating a flow. Select the application that you want to connect, and the event or action you want to use, and then add an account for that app.

    The “Connect your network” page opens, from where you can download and configure the Secure Gateway Client. The operating system of your computer should be automatically detected, but you can change the operating system if it is incorrect.

  3. Follow the instructions to download the Secure Gateway Client installer.
  4. Enter a name for the private network, for example MyComputer, and click Submit. Values for the Gateway ID and Security Token are generated and displayed on the screen.
  5. Double-click the Secure Gateway Client installer and follow the installation instructions. Use the following notes as guidance:
    • For this tutorial, don’t select the option to run the Secure Gateway Client as a service. Note: You might want to run the Secure Gateway Client as a service when you are installing for a production deployment.
    • Complete the Gateway Id and Security token fields by copying and pasting the values from the App Connect network connection page.
    • Leave all other fields as default.

    By default, the Secure Gateway Client files are installed to C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client directory. You can choose to install the files to a different directory.

Finally, start and configure the Secure Gateway Client:

  1. Start the Secure Gateway Client as follows:
    1. Run the following command from the directory to which you installed the Secure Gateway Client files:

      secgw.cmd

      Tip: On Windows, the default location of the secgw.cmd file is C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client. You can also start the Secure Gateway Client from the Windows Start menu by clicking Start > All Programs > IBM > Secure Gateway Client > Secure Gateway Client.

    2. In the command window that opens, type y to launch the Client.

      You’ll see messages in the command window indicating the Secure Gateway Client is running. The Secure Gateway Client dashboard is also launched in your default browser, and you can browse the access control list (ACL), the logs, and other connection information. (If necessary, refresh your browser tab to view the dashboard.)

  2. From the dashboard, configure the Secure Gateway Client to enable access to defined hosts and ports. In this tutorial, we are going to set the Access Control List to All:
    1. Click the Access Control List button in the Secure Gateway Client dashboard.

    2. Type All into the first box under Allow access and then click the + icon.

      Note:

      • You might be presented with some warning messages at this point. Setting ACL to All enables App Connect to connect to any host (on any port) that is accessible from the computer that is running the Secure Gateway Client and this might not be appropriate for your production environment. See the examples in the SampleACLFile.txt file in the Secure Gateway Client installation directory for methods of restricting the access to specific hosts and port numbers.
      • You can verify your ACL setting by typing show acl in the Secure Gateway Client command window. For an ACL setting of All, you should see the following details:

        [Screenshot: Secure Gateway Client - show ACL]

  3. In the App Connect network connection page, click Test + Connect. The Networks page is displayed with your new network listed.

You’ve configured a private network so that App Connect can connect to applications that are running on the network. When you create a flow, you can select this network connection when you configure the account details for an application that is on the private network; for example, an on-premises application such as SAP. You can also select the network connection when you define a custom application. For more information about the IBM Secure Gateway, see IBM Secure Gateway.

4 comments on "Configuring a private network for IBM App Connect on IBM Cloud"

  1. Hi,

    I already have Secure Gateway client running in my on-prem server and has established a connection with the Secure Gateway server. In that case how can I reuse the same connection to create a private network – currently the gateway ID and key fields are not editable in the “Connect your network” page

    regards,
    Arun

    • Ian_Larner May 22, 2019

      @Arun Hi,
      If you already have a Secure Gateway client, you can edit the config file for that client and add the Gateway ID and Security Token values provided on the App Connect “Connect your network” page.

      I’ve added a note about this to the top of this doc page (you might need to refresh the page to see the note). After you restart the Secure Gateway client, you should see the new Network connected in App Connect (eg click “Test+Connect” on the “Connect your network” page or refresh the Networks page).

      Regards,
      Ian

  2. When running ‘secgw.cmd’, I’m getting “UNABLE_TO_GET_ISSUER_CERT_LOCALLY”. Any ideas what went wrong?

    • Ian_Larner June 11, 2018

      Hi David,
      I just reinstalled the secure gateway, and did not see this error.

      That message seems most likely related to a nodejs issue with your proxy and an unknown CA. From Nodejs 4 introduces UNABLE_TO_GET_ISSUER_CERT_LOCALLY error for users behind company firewalls #3742 “The error itself just means that a TLS certificate in the chain is signed by an unknown CA, presumably the cert your proxy uses.”

      The issue report shows several workarounds like: $ export NODE_EXTRA_CA_CERTS=[your CA certificate file path]

      If you need more help with this, please open a ticket through IBM Cloud unified support; see Access IBM Support for more information.

      Regards, Ian
