Connecting Securely to On-Premise Backends from MobileFirst on IBM Bluemix containers

Note: This procedure is no longer applicable. Use the VPN service for MobileFirst Platform Foundation 7.1 on Containers. For instructions for MobileFirst server running on Liberty buildpacks and Mobile Foundation Bluemix service (which also runs on Liberty buildpack), pl refer to this blog post


With the IBM MobileFirst Platform Foundation 7.1 release there is an option to run the MobileFirst Platform Foundation Server on the IBM Container service on IBM Bluemix. This option enables you to build docker images of your IBM MobileFirst Foundation runtimes and then run them on the IBM Container Service. The advantage here is that you do not need to roll your own infrastructure. In this blog post we will deal with the problem of connectivity with on-premise backends. This is a common use case for an enterprise to have its MFP adapters connect to backends that are hosted on-premise. We will use the Mutual Authentication feature provided by the Secure Gateway service to ensure that the traffic between the Secure Gateway client which runs on-premise and the Secure Gateway cloud endpoint is encrypted and thus safe from man in the middle attacks.


The archive file should have been downloaded and extracted into a directory say ibm-mfpf-container- Users should also be familiar with deploying their MobileFirst Platform Foundation projects on the IBM container service and have all the pre-requisites installed on the system where they are going to run the secure gateway client. If they are not, then they should read the article linked below


Connecting to On-Premise

In order to support communication over TLS from an adapter to Secure Gateway we would need to use a TLS proxy. In this post we will use stunnel an opensource TLS proxy to connect to the public endpoint exposed by the Secure Gateway service on IBM Bluemix. We will install this proxy inside the docker container and it will listen for unencrypted calls at a particular local port. The EIS connectivity driver can then make calls to this local port on the docker container which are then transmitted by stunnel over TLS to the secure gateway public endpoint. This is shown in the figure below

On-Premise Connectivity

Steps to connect to On premise with Mutual Auth

  1. Login to the IBM Bluemix PAAS Platform.
  2. Open the Bluemix Dashboard and click on the Use Services or APIs button.
  3. Go to the integration section and select secure gateway.
  4. Let the App be left unbound and select the standard plan.
  5. Click the use button and the secure gateway dashboard is opened.
  6. Click on the ‘Add Gateway’ button. This will bring up the Add Gateway screen.
  7. Enter a name for the gateway say ‘testGateway’. Leave the enforce security token on client checkbox unchecked.
  8. Click on Connect it.
  9. You will be displayed a docker run command like docker run -it ibmcom/secure-gateway-client nPtTLWKrrKC_prod_ng. Copy and paste the command exactly as its shown to you and run it on the on premise system.
  10. This will result in a docker image being downloaded from the repository and its then run. Wait until you get the following message: The Secure Gateway tunnel is connected
  11. Click on “Add Destinations” and you are shown a Create Destinations section. Enter any name as the destination name . Enter the IP address of the on premise system you want to connect to along with the port. Choose the protocol to be TLS: Mutual Auth. Eg of IP address and port can be and 3306 where the IP address is the IP address in the on-premise network and port is the port on which the EIS is listening.
  12. Click the + button to add the destination.
  13. Click on the Info icon on the destination tile and you get the cloud host and port which you need to save somewhere for future use.
  14. Click on the settings button, on the top right corner of the destination tile, and select download keys to download the keys for mutual authentication. These keys need to be extracted to a directory called certs. We will use them later.
  15. Change the dockerfile present in the ibm-mfpf-container- directory to install a tunneling proxy called stunnel. We will need this tunnel to connect to the secure gateway over TLS. Stunnel will then expose an unsecured host and port locally which we will then use to connect to the onpremise Enterprise Information System like database ldap etc. Use the docker file attached below to replace the one in your mfpf-server directory.
    FROM ubuntu:14.04
    <p>RUN apt-get update \
        && apt-get install -y wget \
    # Install stunnel
        && apt-get install stunnel -y \
        && apt-get install -y curl supervisor openssh-server \
        && rm -rf /var/lib/apt/lists/*</p>
    <p># Install JRE
    ADD dependencies/ibm-java-jre-7.1-2.10-x86_64-archive.bin /tmp/java.bin
    RUN chmod +x /tmp/java.bin
    RUN /tmp/java.bin -i silent -DUSER_INSTALL_DIR=/opt/ibm/java \
        && rm /tmp/java.bin
    ENV JAVA_HOME /opt/ibm/java
    COPY dependencies/license-check /opt/ibm/docker/</p>
    <p># Install WebSphere Liberty
    ADD dependencies/wlp-runtime- /tmp/wlp-runtime.jar
    RUN /opt/ibm/java/jre/bin/java -jar /tmp/wlp-runtime.jar --acceptLicense /opt/ibm \
        && rm /tmp/wlp-runtime.jar
    ENV PATH /opt/ibm/wlp/bin:$PATH</p>
    <p># Create 'worklight' profile
    RUN /opt/ibm/wlp/bin/server create worklight \
        && rm -rf /opt/ibm/wlp/usr/servers/.classCache \
        && rm -rf /opt/ibm/wlp/usr/servers/worklight/apps/* \
        && mkdir -p /opt/ibm/wlp/usr/extension/lib \
        && mkdir -p /opt/ibm/MobileFirst/licenses </p>
    <p># SSH
    RUN mkdir -p /var/run/sshd &&\
        mkdir -p /root/.ssh/ &&\
        mkdir -p /root/sshkey/ &&\
        touch /root/.ssh/authorized_keys &&\
        sed -i 's/session \+required \+pam_loginuid\.so/session optional' /etc/pam.d/sshd &&\
        sed -i 's/.*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config &&\
        sed -i 's/.*UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config &&\
        sed -i 's/.*ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config</p>
    <p>COPY mfpf-libs/*.war /opt/ibm/wlp/usr/servers/worklight/apps/
    COPY mfpf-libs/*.jar /opt/ibm/wlp/usr/shared/resources/lib/
    COPY mfpf-libs/oauthtai/ /opt/ibm/wlp/usr/extension/lib/
    COPY server/env /opt/ibm/wlp/usr/servers/worklight/
    COPY server/config/logs/50-default.conf /etc/rsyslog.d/
    COPY server/config/logs/rsyslog.conf /etc/supervisor/conf.d/
    COPY server/bin/liberty-run /opt/ibm/wlp/bin/
    COPY server/bin/mfp-init /opt/ibm/wlp/bin/
    COPY server/bin/ /opt/ibm/wlp/bin/
    COPY server/bin/liberty.conf /etc/supervisor/conf.d/
    COPY server/bin/sshd.conf /etc/supervisor/conf.d/
    COPY server/bin/run_supervisord /root/bin/
    COPY server/bin/supervisord.conf /etc/supervisor/
    COPY licenses/ /opt/ibm/MobileFirst/licenses</p>
    <p># Set password length and expiry for compliance with Vulnerability Advisor
    RUN sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
    RUN sed -i 's/sha512/sha512  minlen=8/' /etc/pam.d/common-password</p>
    <p>COPY usr/security /opt/ibm/wlp/usr/servers/worklight/resources/security/
    COPY usr/env /opt/ibm/wlp/usr/servers/worklight/
    COPY usr/ssh /root/sshkey/
    COPY usr/wxs /opt/ibm/wlp/</p>
    <p>RUN chmod u+x /opt/ibm/docker/license-check \
        && chmod u+x /opt/ibm/wlp/bin/liberty-run \
        && chmod u+x /opt/ibm/wlp/bin/mfp-init \
        && chmod +x /root/bin/run_supervisord \
        && mkdir /var/log/rsyslog \
        && chown syslog /var/log/rsyslog</p>
    <p>COPY usr/config/*.xml /opt/ibm/wlp/usr/servers/worklight/configDropins/overrides/</p>
    <p>ENV LICENSE accept</p>
    <p>## create a certs directory for stunnel certificates and config
    RUN mkdir /opt/ibm/certs</p>
    <p>## copy certificates and config
    COPY stunnel/certificates/ /opt/ibm/certs</p>
    <p>COPY stunnel/certificates/stunnel.conf /etc/stunnel/stunnel.conf</p>
    <p>COPY stunnel/certificates/stunnel4 /etc/default/stunnel4</p>
    <p>ENTRYPOINT ["/bin/sh", "-c" ]
    CMD ["/root/bin/run_supervisord"]
  16. Create an ibm-mfpf-container- /stunnel/certificates directory and drop the keys and certificates downloaded in step 14 inside this directory.
  17. Create an stunnel.conf file inside the same directory as #17. This file should have the following contents
        cert = /opt/ibm/certs/DBWZqgsdcui_k8t_cert.pem
        client = yes
        key = /opt/ibm/certs/DBWZqgsdcui_k8t_key.pem
        accept =
        connect =
        CApath = /opt/ibm/certs
  18. The cert and key values correspond to the path of the client certs that were generated by Secure Gateway in step 14 and will be of the format shown above i.e. ends with _cert.pem and _key.pem.
  19. The CApath points to the directory containing the server certificates namely secureGatewayCert.pem, DigiCertTrustedRoot.pem and DigiCertCA2.pem i.e. /opt/ibm/certs.
  20. The connect property should have the value that you got in step 13, i.e. the cloud host and port eg
  21. The accept property should have the unsecured host and port name to which your adapter or any other code running in the docker container will connect to. The stunnel proxy will then listen at that port for unsecured requests from the MobileFirst Platform Foundation server. The client property should be yes.
  22. Modify the mfp-init file in ibm-mfpf-container- /server/bin to contain the command to start the secure tunnel i.e. service stunnel4 start.
  23. Ensure that in the MobileFirst adapter configuration or any other artifact that you are using to connect to the on premise EIS, you use the hostname and port specified in accept property in step 17 i.e. and 4409.

You can now follow the steps to build, deploy and run your container on Bluemix as mentioned in

Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on January 31, 2017