Learn how to configure a connection between IBM App Connect on IBM Cloud and a private network, through either the IBM Secure Gateway or an IBM App Connect Agent, to reach your apps on a private network (for example, your company network or a private cloud).

• To interact with on-premises SAP ERP systems via the RFC interface, you need to set up an App Connect Agent connection in IBM App Connect on IBM Cloud. The App Connect Agent is an IBM App Connect Enterprise integration server that’s configured with an agenta.json configuration file. App Connect Agent connections are managed on the Manage > Private network connections page in IBM App Connect on IBM Cloud.

  For instructions to set up an App Connect Agent connection for SAP RFC, see How to use IBM App Connect with SAP (via RFC).

• To interact with other on-premises applications and systems, such as IBM MQ, Db2 databases, or SAP (via OData), you need to set up an App Connect Secure Gateway connection in IBM App Connect. App Connect Agent connections are created and managed from the Networks page (accessed through the Manage > Private network connections page).

  The instructions to set up an App Connect Secure Gateway connection are given below:

Setting up the secure gateway isn’t hard, but to complete the task, you might need help from an administrator who has authority to configure security for the private network.

You can install the IBM Secure Gateway Client from a number of places in App Connect, as outlined below.

#Enter the gateway ids separated by single spacesGATEWAY_ID=existing_id new_appconnect_id#Config file for Secure Gateway Client, to start as a Windows Service.#PLEASE AVOID ANY RESIDUAL WHITE SPACES#Enter the security tokens separated by --SECTOKEN=existing_token--new_appconnect_token#Enter the ACL files separated by --ACL_FILE=prodacl.txt

First, find or create everything you need:

• A computer (personal computer or server) on which you can install the IBM Secure Gateway Client. In this tutorial, the steps assume that you are installing on a Windows computer.

  Note:

  • Flows that connect to applications on the private network will work only when the Secure Gateway Client is running. If you shut down the Secure Gateway Client (or the computer on which the Secure Gateway Client is running), applications on the private network cannot be reached by App Connect. For a persistent connection (for example, in production environments), it’s recommended that you install the Secure Gateway Client on a server that is permanently available rather than on a personal computer.
  • You cannot install the Secure Gateway Client on a mobile phone or tablet.
  • Currently, App Connect supports only TLS connectivity between App Connect and the Secure Gateway Client, and supports only TCP between the Secure Gateway Client and on-premises applications and systems. As a workaround, you can use an external secure gateway service where you can use TLS configurations for the Secure Gateway Client to communicate with the on-premises endpoint. However, you then have to use TCP between App connect and your external secure gateway instance.

Then, download and install the Secure Gateway Client:

1. From the computer where you want to install the Secure Gateway Client, log in to App Connect.

   You can download and install the Secure Gateway Client before you create a flow or while creating an account for an application that is on a private network.

2. Complete either of the following steps:
   • Before you create a flow:
     1. From the App Connect menu
        
        , click Manage > Private network connections. On the Private networks connections page, click the Networks link.
     2. From the Networks page, click Connect a network.
   • While you are creating an account for an application that is on a private network:
     1. From the Applications tab on the App Connect Catalog page, locate the application you want to connect to.
     2. If this is your first account for that app, click the Connect button. If you’ve previously created an account for the app, select Add a new account from the Account drop-down list.

        You’ll see a set of fields for connecting to the account, including a Network name field.

     3. From the Network name field, select the Create a new network option.
        

     Tip: You can also create an account and new network while creating a flow. Select the application that you want to connect, and the event or action you want to use, and then add an account for that app.

   The “Connect your network” page opens, from where you can download and configure the Secure Gateway Client. The operating system of your computer should be automatically detected, but you can change the operating system if it is incorrect.

3. Follow the instructions to download the Secure Gateway Client installer.
4. Enter a name for the private network, for example MyComputer, and click Submit. Values for the Gateway ID and Security Token are generated and displayed on the screen.
5. Double-click the Secure Gateway Client installer and follow the installation instructions. Use the following notes as guidance:
   • For this tutorial, don’t select the option to run the Secure Gateway Client as a service. Note: You might want to run the Secure Gateway Client as a service when you are installing for a production deployment.
   • Complete the Gateway Id and Security token fields by copying and pasting the values from the App Connect network connection page.
   • Leave all other fields as default.
   

   By default, the Secure Gateway Client files are installed to C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client directory. You can choose to install the files to a different directory.

Finally, start and configure the Secure Gateway Client:

1. Start the Secure Gateway Client as follows:
   1. Run the following command from the directory to which you installed the Secure Gateway Client files:

      secgw.cmd

      Tip: On Windows, the default location of the secgw.cmd file is C:\Program Files (x86)\Secure Gateway Client\ibm\securegateway\client. You can also start the Secure Gateway Client from the Windows Start menu by clicking Start > All Programs > IBM > Secure Gateway Client > Secure Gateway Client.

   2. In the command window that opens, type y to launch the Client.
      

      You’ll see messages in the command window indicating the Secure Gateway Client is running. The Secure Gateway Client dashboard is also launched in your default browser, and you can browse the access control list (ACL), the logs, and other connection information. (If necessary, refresh your browser tab to view the dashboard.)

      

2. From the dashboard, configure the Secure Gateway Client to enable access to defined hosts and ports. In this tutorial, we are going to set the Access Control List to All:
   1. Click the Access Control List button in the Secure Gateway Client dashboard.
      

   2. Type All into the first box under Allow access and then click the + icon.
      

      Note:

      • You might be presented with some warning messages at this point. Setting ACL to All enables App Connect to connect to any host (on any port) that is accessible from the computer that is running the Secure Gateway Client and this might not be appropriate for your production environment. See the examples in the SampleACLFile.txt file in the Secure Gateway Client installation directory for methods of restricting the access to specific hosts and port numbers.
      • You can verify your ACL setting by typing show acl in the Secure Gateway Client command window. For an ACL setting of All, you should see the following details:
        

3. In the App Connect network connection page, click Test + Connect. The Networks page is displayed with your new network listed.
   

You’ve configured a Secure Gateway connection (Network) to a private network so that App Connect can connect to applications that are running on the network. When you create a flow, you can select this connection from the Network option when you configure the account details for an application that is on the private network; for example, an on-premises application such as SAP (via OData). You can also select the network connection when you define a custom application. For more information about the IBM Secure Gateway, see IBM Secure Gateway.