Skill Level: Intermediate

This recipe describes how to connect to on-prem DB2 and LDAP via Secure Gateway from IBM WebSphere Application Server running on IBM Cloud.


  • Secure Gateway service instance on IBM Cloud




  • IBM Cloud web console account: https://console.bluemix.net
  • IBM WebSphere Application Server instance on IBM Cloud with openVPN (Virtual Private Network)
  • IBM DB2 server
  • IBM Security Directory Server

Please refer to the links below to fulfill the prerequisites:








  1. Create Secure Gateway Service and Add Gateway

    Log in to the IBM Cloud web console.
    Click on Catalog tab and select Integration.
    On Integration page, select Secure Gateway.




    On Secure Gateway page, select Create (based on the pricing plan selected). 

    Note: Some plans may only allow 1 client to connect with 1 gateway. In this case, try one client destination at a time instead of creating the 2 destinations together as directed in the steps below.

    On the created service, select Add (‘+’) to add gateway (a gateway is used to establish the connectivity between Secure Gateway client and Secure Gateway servers).

    Enter gateway name and click on Add Gateway.

    Note: The “Require security token …” checkbox is checked, which means the security token must be included in the configuration when the Secure Gateway client is set up in a later step. Also, when the default 90-day token expiration is reached, the gateway service becomes unavailable and the token must be regenerated to re-enable the service.


    At any time, on the console, click ‘View docs‘ (from upper right corner 3-vertical dots icon) for more information on the configuration.


  2. Connect Secure Gateway Client

    After the gateway is added, the page is displayed with next action to add a Secure Gateway client (to establish the connection between the on-premises network and a gateway on the Secure Gateway servers). 
    Before proceeding with adding the client, click on the Setting icon on the gateway, record Gateway ID and Security Token for later use.




    Click on the Connect Client icon




    Next, the connect client panel titled “How would you like to connect this new gateway?” is displayed along with the installation instructions.
    Note: On this page, the Gateway ID and Security Token are re-displayed.





    Select the preferred method (for example, default ‘IBM Installer’) and operating system (for example, RHEL 6+) for the Software Installer and click on the arrow icon to download. At any time, on the console, click ‘View docs‘ (from upper right corner 3-vertical dots icon) for more information on the configuration.





    From ‘View docs’, on the ‘Adding a Client’ page, the link ‘click here to see how to install it’ provides detailed installation instructions for each operating system.








  3. Install Secure Gateway Client on the selected operating system

    As an example, if RedHat is the selected operating system from Software Installers list above, to install the security gateway client, on the VM command line, run the following ‘rpm’ command:

    rpm -ivhf ibm-securegateway-client-1.8.0fp2+client_x86_64.rpm --force

    Note: After issuing the ‘rpm’ command, several prompts are displayed requesting responses, but if a response is not entered in time, the command proceeds. It’s OK to proceed without entering the responses. The subsequent steps below cover additional configuration by editing /etc/ibm/sgenvironment.conf, which is generated by the installation.
    Edit /etc/ibm/sgenvironment.conf for further configuration on the client.

    update gateway id with the information retrieved from above Add Gateway step:  GATEWAY_ID=
    update security token with the information retrieved from above Add Gateway step:  SECTOKEN=
    update access control file location with /etc/ibm/ibm-securegateway-client.acl (which will be created next): ACL_FILE=
    Save /etc/ibm/sgenvironment.conf

    Create the ACL (Access Control List) file (/etc/ibm/ibm-securegateway-client.acl) and add the following lines, replacing the host/port with the values for the on-prem DB2 and LDAP servers, to allow the Secure Gateway client to access the on-prem resources:

    acl allow db2host.domain.name:db2instance-port
    acl allow ldaphost.domain.name:ldap-port


    Restart Secure Gateway client
    Note: The command to stop/start the client may differ slightly among operating systems. Check the output of the Secure Gateway client installation for a line similar to the following:
    [postinst] WARNING: Use the following command: /bin/sudo /bin/systemctl start securegateway_client

    /bin/sudo /bin/systemctl stop securegateway_client
    /bin/sudo /bin/systemctl start securegateway_client

    Note: Restarting the client here is to ensure the client is installed without problem.  After the destination is created in the follow-on steps, another restart will be required to sync up the actual connection.

  4. Add Destinations (Resource Definition) to DB2 and LDAP

    After the Secure Gateway client is installed and configured on the selected operating system VM, the Secure Gateway service instance page on the IBM Cloud console indicates that the client is added by displaying ‘Clients (1)’.

    Next, select the ‘Destinations‘ link and click on the ‘+‘ icon to create a destination for connecting to the on-prem resources (DB2, LDAP) with a unique public endpoint provided by Secure Gateway. Each ‘+’ icon adds one destination; to add the follow-on destination, click ‘+’ again after the first one is added.

    On Add Destination panel,

    select Advanced Setup
    select On-Premises Destination
    select TCP from drop-down
    select ‘None‘ under TLS Options -> Resource Authentication

    Enter the values to the following fields:

    Destination name       (with your preferred name, for example, DB2-destination)
    Resource Hostname   (with your db2host.domain.name)
    Resource Port            (with your db2instance-port)


    Click Add Destination after updating the panel.




    Repeat the same step above to add destination for LDAP server and replace the values with LDAP host/port.

    Enter the values to the following fields:

    Destination name       (with your preferred name, for example, LDAP-destination)
    Resource Hostname   (with your ldaphost.domain.name)
    Resource Port            (with your ldap-port)



    After the 2 destinations are added, the ‘Destination’ count is listed as 2. But note that the 2 destinations are not actively connected (‘Connections: 0’ is displayed on the console page), since the consumer side (IBM WebSphere Application Server) is not yet ready to connect to them.





    Make a note of IBM Cloud host/port from each of the 2 destinations:

    From the above IBM Cloud console, on the icon of each destination, click on the setting icon and the properties of the destination are displayed.

    Record now (or revisit the page for) the Cloud ‘Host: Port’ (e.g. #####.integration.ibmcloud.com:<number>). (The host/port will be used later in the IBM WebSphere Application Server configuration from the admin console.)

  5. Restart Secure Gateway client to sync up with the newly created destinations

    On the selected operating system VM where Secure Gateway client is installed, from command line, run the following commands

    /bin/sudo /bin/systemctl stop securegateway_client
    /bin/sudo /bin/systemctl start securegateway_client


    Check logs (for example, client_console_<date>.log) under /var/log/securegateway for the lines similar to the following, to confirm the connection is accepted:

    The ACL batch file process accepts acl allow db2host.domain.name:db2instance-port

    The ACL batch file process accepts acl allow ldaphost.domain.name:ldap-port


    From IBM Cloud console, on the gateway service page, verify that the 2-circle connected icon is green, which indicates the Secure Gateway service is enabled with 2 destinations defined.
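The log check in this step can be scripted. The following is an added example, not part of the original recipe: it reads the `acl allow` lines created in step 3, reports any entry that does not name both a host and a port, and reports any entry that has no matching “accepts” line in the client log. The ports 50000 and 389, the `[INFO]` prefix and the file names are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the recipe): cross-check the Secure Gateway client
# ACL file against the client log. Sample data in demo() is constructed.

# List the host:port target of every "acl allow" line in an ACL file.
acl_targets() {
    awk '$1 == "acl" && $2 == "allow" { print $3 }' "$1"
}

# Print targets that do not name both a host and a port.
acl_unscoped() {
    acl_targets "$1" |
        awk '{ n = split($0, p, ":"); if (n != 2 || p[1] == "" || p[2] == "") print }'
}

# Print targets with no "accepts" line in the log (exact match on last field,
# so host:389 is not satisfied by a log line for host:3890).
acl_not_accepted() {
    acl_targets "$1" | while read -r target; do
        awk -v t="$target" '
            /The ACL batch file process accepts acl allow/ && $NF == t { ok = 1 }
            END { exit !ok }' "$2" || echo "$target"
    done
}

demo() {
    dir=$(mktemp -d)
    # Constructed ACL: two scoped entries plus one entry with no host or port.
    printf '%s\n' 'acl allow db2host.domain.name:50000' \
        'acl allow ldaphost.domain.name:389' 'acl allow :' > "$dir/client.acl"
    # Constructed log: only the DB2 entry was accepted.
    printf '%s\n' '[INFO] The ACL batch file process accepts acl allow db2host.domain.name:50000' \
        > "$dir/client_console.log"
    echo "unscoped entries:"; acl_unscoped "$dir/client.acl"
    echo "not accepted in log:"; acl_not_accepted "$dir/client.acl" "$dir/client_console.log"
    rm -rf "$dir"
}
demo
```

On a real client, pass /etc/ibm/ibm-securegateway-client.acl and the current client_console_<date>.log under /var/log/securegateway to the two functions.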

  6. Open Cloud Ports with iptables command

    To allow the IBM WebSphere Application Server instance to access IBM Cloud ports, on the VM hosting the instance, run the following iptables command to open up the cloud ports:

    iptables -I OUTPUT -p tcp --dport <cloud port from DB2-destination> -j ACCEPT

    iptables -I OUTPUT -p tcp --dport <cloud port from LDAP-destination> -j ACCEPT
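The two rules above accept outbound TCP to the given port on any host. The following is an added example, not part of the original recipe: it builds rules that are also pinned to the cloud host with `-d`, from the ‘Host: Port’ values recorded in step 4. The endpoints in `demo()` are constructed placeholders, and the function prints each command for review instead of running it.

```shell
#!/bin/sh
# Added example (not from the recipe): build OUTPUT rules pinned to the cloud
# host as well as the port. Endpoints in demo() are constructed placeholders.

# Turn one recorded "host:port" value into a destination-scoped rule.
# Prints the command instead of running it, so it can be reviewed first.
scoped_rule() {
    host=${1%:*}; port=${1##*:}
    case $1 in *:*) ;; *) echo "missing port: $1" >&2; return 1 ;; esac
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host: $1" >&2; return 1 ;; esac
    # Reject empty, non-numeric, or over-long port strings before comparing.
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $1" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $1" >&2; return 1; }
    echo "iptables -I OUTPUT -p tcp -d $host --dport $port -j ACCEPT"
}

demo() {
    for ep in db2-dest.example.com:15001 ldap-dest.example.com:15002; do
        scoped_rule "$ep"
    done
}
demo
```

iptables resolves a hostname given to `-d` once, when the rule is inserted, so the rule has to be re-applied if the cloud host's address changes.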

  7. Configure DB2 Data Source with Cloud Host & Port

    Log in to the IBM WebSphere Application Server Admin Console.

    Configure Resources Data Source with the IBM Cloud host and port (retrieved from above DB2-destination):



    Save the configuration.


    Verify connection by data source ‘Test Connection’ from admin console:




    The result should be successful connection.

  8. Configure LDAP with Cloud Host & Port

    On IBM WebSphere Application Server Admin Console, configure Global security under your selected realm definition to update the LDAP setting with the IBM Cloud host and port (retrieved from above LDAP-destination):




    Save the configuration.


    Note: While the configuration is being saved, a connection to the LDAP server with the updated host and port is attempted immediately.


    The result should be successful connection.

  9. Restart IBM WebSphere Application Server to refresh the configuration update

    Restart the WebSphere Application Server and log in to the admin console as an LDAP user.

    Run your application accessing the DB2 backend.

    The result should be the same as if it were connected from an all on-prem environment.




    By Mei-hsiang Chang
