Learn how to configure a connection between IBM App Connect on IBM Cloud and a private network, through either the IBM Secure Gateway or an IBM App Connect Agent, to reach your apps on a private network (for example, your company network or a private cloud).
For instructions to set up an App Connect Agent connection for SAP RFC, see How to use IBM App Connect with SAP (via RFC).
The instructions to set up an App Connect Secure Gateway connection are given below:
Setting up the secure gateway isn’t hard, but to complete the task, you might need help from an administrator who has authority to configure security for the private network.
You can install the IBM Secure Gateway Client from a number of places in App Connect, as outlined below.
Note:
If you already have a Secure Gateway client installed and running, you do not need to install the client again for a new Network in App Connect. You can edit the config file for that client and add the Gateway ID and Security Token values provided on the App Connect “Connect your network” page.
For example, in C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client\securegw_service.config add the values provided for a new network:

    #Enter the gateway ids separated by single spaces
    GATEWAY_ID=existing_id new_appconnect_id
    #Config file for Secure Gateway Client, to start as a Windows Service.
    #PLEASE AVOID ANY RESIDUAL WHITE SPACES
    #Enter the security tokens separated by --
    SECTOKEN=existing_token--new_appconnect_token
    #Enter the ACL files separated by --
    ACL_FILE=prodacl.txt

In this example, both connections/networks use the same ACL, prodacl.txt, but you could configure a separate ACL file for each connection/network.
After you restart the Secure Gateway client, you should see the new Network connected in App Connect (for example, click “Test+Connect” on the “Connect your network” page or refresh the Networks page).
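An added example (not IBM's code): a small Python check for the multi-network securegw_service.config layout shown above, to run before restarting the client. It assumes each gateway ID needs exactly one security token in the same position and that ACL_FILE holds either one shared file or one file per gateway; the function names are hypothetical.

```python
# Added example, not IBM code. SAMPLE_CONFIG is constructed from the layout on this page.
SAMPLE_CONFIG = """\
#Config file for Secure Gateway Client, to start as a Windows Service.
#PLEASE AVOID ANY RESIDUAL WHITE SPACES
#Enter the gateway ids separated by single spaces
GATEWAY_ID=existing_id new_appconnect_id
#Enter the security tokens separated by --
SECTOKEN=existing_token--new_appconnect_token
#Enter the ACL files separated by --
ACL_FILE=prodacl.txt
"""

def parse_config(text):
    """Return ({key: raw value}, [problems]); lines starting with '#' are comments."""
    values, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {n}: not KEY=value")
            continue
        if line != line.strip():
            # The file header warns against residual white space.
            problems.append(f"line {n}: leading or trailing white space")
        key, _, value = line.strip().partition("=")
        values[key] = value
    return values, problems

def check_config(text):
    """List problems in a multi-network config; token values are never echoed."""
    values, problems = parse_config(text)
    ids = values.get("GATEWAY_ID", "").split(" ")      # single-space separated
    tokens = values.get("SECTOKEN", "").split("--")    # "--" separated
    acls = values.get("ACL_FILE", "").split("--")      # "--" separated
    if "" in ids:
        problems.append("GATEWAY_ID: empty entry (missing value or extra space)")
    if "" in tokens:
        problems.append("SECTOKEN: empty entry (missing value or stray --)")
    if len(tokens) != len(ids):  # assumption: one token per gateway id, same order
        problems.append(f"SECTOKEN: {len(tokens)} token(s) for {len(ids)} gateway id(s)")
    if len(acls) not in (1, len(ids)):  # assumption: one shared ACL or one per gateway
        problems.append(f"ACL_FILE: {len(acls)} file(s) for {len(ids)} gateway id(s)")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "config looks consistent")
```

Because the file holds security tokens, the check reports only counts and line numbers, never the values themselves.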
Note:
You can download and install the Secure Gateway Client before you create a flow or while creating an account for an application that is on a private network.
You’ll see a set of fields for connecting to the account, including a Network name field.
Tip: You can also create an account and new network while creating a flow. Select the application that you want to connect, and the event or action you want to use, and then add an account for that app.
The “Connect your network” page opens, from where you can download and configure the Secure Gateway Client. The operating system of your computer should be automatically detected, but you can change the operating system if it is incorrect.
MyComputer, and click Submit. Values for the Gateway ID and Security Token are generated and displayed on the screen.
By default, the Secure Gateway Client files are installed to the C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client directory. You can choose to install the files to a different directory.
secgw.cmd
Tip: On Windows, the default location of the secgw.cmd file is C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client. You can also start the Secure Gateway Client from the Windows Start menu by clicking Start > All Programs > IBM > Secure Gateway Client > Secure Gateway Client.
y to launch the Client.
You’ll see messages in the command window indicating the Secure Gateway Client is running. The Secure Gateway Client dashboard is also launched in your default browser, and you can browse the access control list (ACL), the logs, and other connection information. (If necessary, refresh your browser tab to view the dashboard.)
All
:All
into the first box under Allow access and then click the + icon.
Note: All enables App Connect to connect to any host (on any port) that is accessible from the computer that is running the Secure Gateway Client, and this might not be appropriate for your production environment. See the examples in the SampleACLFile.txt file in the Secure Gateway Client installation directory for methods of restricting the access to specific hosts and port numbers.
show acl in the Secure Gateway Client command window. For an ACL setting of All, you should see the following details:
You’ve configured a Secure Gateway connection (Network) to a private network so that App Connect can connect to applications that are running on the network. When you create a flow, you can select this connection from the Network option when you configure the account details for an application that is on the private network; for example, an on-premises application such as SAP (via OData). You can also select the network connection when you define a custom application. For more information about the IBM Secure Gateway, see IBM Secure Gateway.
4 comments on "Configuring a private network for IBM App Connect on IBM Cloud"
Hi,
I already have Secure Gateway client running in my on-prem server and has established a connection with the Secure gateway server. In that case how can I reuse the same connection to create a private network – currently the gateway ID and key fields are not editable in the “Connect your network” page
regards,
Arun
@Arun Hi,
If you already have a Secure Gateway client, you can edit the config file for that client and add the Gateway ID and Security Token values provided on the App Connect “Connect your network” page.
I’ve added a note about this to the top of this doc page (you might need to refresh the page to see the note).
After you restart the Secure Gateway client, you should see the new Network connected in App Connect (eg click “Test+Connect” on the “Connect your network” page or refresh the Networks page).
Regards,
Ian
When running ‘secgw.cmd’, I’m getting “UNABLE_TO_GET_ISSUER_CERT_LOCALLY”. Any ideas what went wrong?
Hi David,
I just reinstalled the secure gateway, and did not see this error.
That message seems most likely related to a nodejs issue with your proxy and an unknown CA. From Nodejs 4 introduces UNABLE_TO_GET_ISSUER_CERT_LOCALLY error for users behind company firewalls #3742 “The error itself just means that a TLS certificate in the chain is signed by an unknown CA, presumably the cert your proxy uses.”
The issue report shows several workarounds like: $ export NODE_EXTRA_CA_CERTS=[your CA certificate file path]
If you need more help with this, please open a ticket through IBM Cloud unified support; see Access IBM Support for more information.
Regards, Ian