IBM Bluemix Secure gateway / public access - ibm-cloud

Should I be able to set up secure gateway to be able to connect to my on-prem SQL server DB, using SQL Server Management Studio on my laptop from home (not on prem)?

You don't "have to" use the secure gateway in order for your application on the cloud to see your local db. You could simply give your application the public IP (and port) of the local machine and they should work fine.
It is however a good practice to use the Secure Gateway service as it can ensure the security of the local-to-cloud communication. Make sure to have a look at the documentation to learn how the service works - https://console.ng.bluemix.net/docs/services/SecureGateway/secure_gateway.html

Related

Connect to DNS names through SSL and manually specify IP of the DNS record (Local DNS poisoning/Spoofing)

I'm currently working on a script that will test the health of an ADFS service. The ADFS service uses the same domain name (split brain DNS) for both intranet access, as well as for public DNS (for internet connections through the proxy servers). If I'm logged into an intranet device and I attempt to perform an SSL connection to the ADFS service, my device will use the intranet IP of the service. If I do the same from a device that is not in the intranet, I will connect to the public facing IP.
I want my script to test the health of both the internal and external service, but I haven't found a way to perform an SSL connection to a certain hostname/FQDN and use a specific IP depending on the test I'm trying to perform (intranet vs extranet). Connecting directly to the internal/external IP address is not an option, since the IP addresses are not part of the SSL cert subject alternative names.
One option I found is to create a PS Session to a remote host that has public DNS servers configured, and execute my extranet test through that PS Session, but ideally, I would like to run both tests from one single server.
I'm trying to find an option that works in the context of my PowerShell session only. I don't want to change the DNS settings of the server or the global DNS cache, since that will result in problems on the server, because it depends on that ADFS service for other services to work.
Any help will be appreciated
I could not find a way to achieve exactly what I asked, so instead, what I did was to deploy a small REST API in Azure which calls my ADFS service. When I call that REST API, ADFS receives the query from the Internet, allowing me to test the health of my ADFS service from the internet.
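
The following PowerShell is an added example, not part of the original question or answer. It opens the TCP connection to a chosen IP address and then runs the TLS handshake against the FQDN, so SNI and certificate name validation use the hostname while DNS, the hosts file and the resolver cache are left untouched. The function name, FQDN and addresses are hypothetical, and it checks the TLS layer only (no ADFS request is sent).

```powershell
# Added example; Test-TlsEndpoint and the sample values are hypothetical.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # FQDN sent in SNI and checked against the certificate
        [Parameter(Mandatory)] [string] $IPAddress,  # address to dial for this call only
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        HostName = $HostName; IPAddress = $IPAddress; Port = $Port
        Connected = $false; CertValid = $false
        Subject = $null; NotAfter = $null; Error = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Dial the IP directly: no DNS lookup is performed for this connection.
        $async = $tcp.BeginConnect([System.Net.IPAddress]::Parse($IPAddress), $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $tcp.EndConnect($async)
        $result.Connected = $true

        # No validation callback is supplied, so the default chain and name checks apply.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # The target host name drives both SNI and the certificate name check.
            $ssl.AuthenticateAsClient($HostName)
            $result.CertValid = $true
            $result.Subject   = $ssl.RemoteCertificate.Subject
            $result.NotAfter  = $ssl.RemoteCertificate.GetExpirationDateString()
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Connect failures and certificate validation failures both end up here.
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Constructed sample values: placeholder FQDN, private and documentation-range addresses.
Test-TlsEndpoint -HostName 'adfs.example.com' -IPAddress '10.0.0.10'     # intranet listener
Test-TlsEndpoint -HostName 'adfs.example.com' -IPAddress '203.0.113.10'  # public listener
```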

Google Cloud SQL - PostgreSQL database connection from QGIS for third parties

I have a Google Cloud SQL PostgreSQL database to which I can connect by using SSL and by entering my IP address in allowed connection settings. However, I do not want to list all the IP addresses that are going to connect to this database (because I do not know all the IP addresses). I have around 15 people whom I want to log in to my database using QGIS, and they should be able to change the data as this is a research project. Security is not a big issue as this database will be online for a very short period of time. What connection method can you suggest? The users are not very proficient so I need to set up everything.
I hope you're doing fine.
I would like to suggest setting up the connections with the Cloud SQL proxy, as it will provide the security needed without using SSL or the need to authorize any network. So basically the setup is to:
Enable the API
Install the proxy client on your local machine
Determine how you will authenticate the proxy
If required by your authentication method, create a service account
Also, you can find the steps in "Connecting to Cloud SQL from external applications".
Hope this works for you. I have never used it with QGIS, but I believe that as you are using a proxy it won't be hard from there to use it with QGIS as if you connected to a local server.

Cloud Connector problem. Cloud To On-Premise

I created an OData Service in SAP Logon and registered it.
I checked it and it works well. Now, I want to create a cloud connector using the link which I got when I tested my OData Service. It looks like:
http://mylink.com:1234/sap/opu/odata/sap/***_SRV/.
In cloud connector setting I put:
Internal host:mylink.com
Internal port:1234.
But every time I try to check my connection in Cloud Connector, it shows me Not Reachable.
Can anybody advise me on that and explain the reasons for it?
Thanks a lot.
Cloud connector requires two different addresses:
Internal Host and port: this should be the real network address of your on-premise system, typically the SAP NetWeaver Gateway where the service URL is. The address must be reachable from the Cloud Connector server.
Virtual Host and port: this should be a non-real (virtual) address. It's a must that this address match the URL address of a destination configured in SAP Cloud Platform.
Moreover, apart from the on-premise configuration, you must enable which URL paths are allowed to be accessed from the cloud.
Check whether your cloud connector and SAP LogOn OData service are in the same network. Then only the SAP cloud connector can reach your on-premise system through a secure channel.

want to connect local DB2 database with IBM bluemix App

Corporate AS400 server having Application and database DB2 running. Currently there is no reporting tool for this application.
Planning to create a new application on IBM Bluemix with PHP. How can I connect a secure DB2 database with the IBM Bluemix API?
As commented by mustaccio, you have tagged your question with secure-gateway - have you seen the Bluemix secure gateway documentation?
About Secure Gateway
Last updated: 6 December 2016
The Secure Gateway service provides you with a secure way to access
your on-premises or cloud data from your Bluemix® application through
a secure passage.
How Secure Gateway works
As displayed in the following diagram, the
service works by using a client to connect to your Bluemix
organization. Next, you add the service to your Bluemix organization.
Then, by using the Secure Gateway UI or REST API you can begin
creating your gateway by connecting to your client and creating a
destination point to your on-premises or cloud data. To increase
security, you can add application-side Transport Layer Security (TLS),
which encrypts the data that travels from your app to the client. You
can extend this security with client-side TLS, which encrypts the data
from the client to the on-premises or cloud data. When you complete
your gateway configuration, you can monitor the behavior of your
gateways and destinations in the Secure Gateway Dashboard.
Source: https://console.ng.bluemix.net/docs/services/SecureGateway/sg_overview.html#sg_overview
The Secure Gateway documentation describes all the steps you need to follow to connect a Bluemix application to an internal service.

For the Bluemix Secure Gateway service, how does the data center's network need to be configured?

I am going to use Secure Gateway service in Bluemix and I have some questions about how I should make it work.
Systems in my data center's intranet access the Internet through a proxy (with no authentication). Can Secure Gateway connect to Bluemix via a proxy?
Does it connect to Bluemix via HTTPS protocol?
The network admins asked me: What are the IPs (or the IP range) of Bluemix, any idea?
Thank you very much.
A Secure Gateway instance runs in two parts, as shown in "Reaching enterprise backend with Bluemix Secure Gateway via console": the gateway and the gateway client. The gateway runs in Bluemix, the gateway client runs in the data center containing one or more systems of record to connect to. The gateway client needs network access to the Bluemix data center (typically via the Internet) and to the systems of record (via the data center's internal network). The gateway client initiates the connection, so it needs to know Bluemix's address, but Bluemix doesn't need to know the gateway client's address.
To answer your questions specifically:
A proxy isn't supported. The gateway and its client need direct access to each other.
The connection uses HTTPS for SSL encryption. The transport level security (TLS) options can be used to add authentication.
Bluemix's IP addresses aren't published.
For point 3:
The client connects outbound to the cloud services. Once the SecGW is connected, all additional Destination connects flow through that connection, no additional firewall or iptables rules are needed. If they have a rule in-place so that the on-premises machine where the SecureGateway client is installed can use the outbound port 443 (HTTPS) to make connections, that is all they need.