
I'm comfortable with the basics of Bluemix Secure Gateway, but I can't see a good way to set up what must surely be a common scenario.

My requirements are:

  • Existing internal service is provided over TLS, and must remain so. It doesn't check client certs, it's just a conventional https:// REST API.
  • External end of the Secure Gateway pipe must check client certificates, to only allow certain known clients to connect.

The second point is achieved by choosing the TLS Mutual Auth option when setting up the destination in the Secure Gateway UI. However, this creates a TLS connection from the client app (actually just a browser at this point) to the internal end of the Secure Gateway pipe. What comes out the end of that pipe, towards the internal service, is plain HTTP in the clear. The internal service rightly rejects this, as it's expecting HTTPS.

I can make a working connection by configuring the Secure Gateway with no TLS, and then I get a TLS connection from the client browser all the way to the internal server, but the problem here is that the Bluemix pipe is wide open for anybody on the Internet to throw things at the internal server, and although we all know that the "trusted internal network" ought to be a myth, the fact is that this thing was never set up to be Internet-facing. I want to block anyone except my known client at the outer end of the Bluemix pipe.

I think what I need is a way for the internal end of the pipe, running in the docker image, to start a second TLS session with the internal server. Seems like an obviously necessary feature, but I can't find any reference to it in the docs. Or is there some other way I've missed?

Pete Verdon

2 Answers


Since posting this, I've got in touch with one of the Bluemix developers (I'm an IBMer - this option may not be available to everyone :-) ). The answer is that it is not currently supported, but will be Real Soon Now.

I daresay there would be ways to hook openssl s_client or similar into the stream, but the supported version is close enough for that not to be worth the complexity, for me.

Pete Verdon
  • Please use the edit link on your question to add additional information. The Post Answer button should be used only for complete answers to the question. – Craig S. Anderson May 15 '15 at 04:54
  • Shrug; I'd argue that this *is* a complete answer to the question. The answer is "you can't do it now, you will be able to soon". – Pete Verdon May 15 '15 at 10:55

Pete's answer is correct, but since it was down voted I will reiterate and add some info.

Currently you cannot connect to a TLS backend unless you use the No TLS option as you suggested. Soon, you will be able to accomplish this with the setup you are describing, a destination configured with TLS: Mutual Auth and TLS from the client to the final destination.

If you really want to accomplish this now, you can set up a tunnel on your client side to convert the TCP connection to a TLS connection. An example of how to set up a tunnel like this in node.js is in the tutorial linked below, but you would be creating this tunnel on the client side instead. Create your destination with the host/port of your tunnel, and then have the tunnel connect to your REST API.

https://developer.ibm.com/bluemix/2015/04/17/securing-destinations-tls-bluemix-secure-gateway/

Edit: Client side TLS has now been added. The docs for this feature can be found here: https://www.ng.bluemix.net/docs/services/SecureGateway/index-gentopic3.html#sg_011

Alex Yurkowski
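The workaround Alex describes above, written out as an added example. This is not code from the linked Secure Gateway tutorial (which uses node.js) or from IBM; it is a stand-alone Go program showing the same idea: a small tunnel running next to the Secure Gateway client that accepts the plaintext TCP the gateway pipe delivers and re-originates a verified TLS session to the internal HTTPS REST API. The Secure Gateway destination would then point at the tunnel's host/port instead of the REST API. Everything concrete here is an assumption for the demo: the loopback listen address, the function names, and the httptest TLS server standing in for the internal service (its self-signed certificate is pinned into the tunnel's trust store, the way you would pin your internal CA). The one caveat the answer does not spell out is kept explicit in the code: the tunnel must verify the backend certificate, otherwise it just moves the interception problem one hop inward.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// StartTunnel binds a plaintext TCP listener on listenAddr (keep it on loopback
// or the on-prem host running the Secure Gateway client: this hop is cleartext)
// and forwards each accepted connection to backendAddr over a verified TLS
// session. serverName is the name the backend certificate must be valid for and
// roots is the CA pool it must chain to (nil means the system roots). The bound
// address is returned so callers may pass ":0" and discover the port.
func StartTunnel(listenAddr, backendAddr, serverName string, roots *x509.CertPool) (string, io.Closer, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return "", nil, err
	}
	tlsCfg := &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		// InsecureSkipVerify is deliberately left at false: a tunnel that does
		// not verify the backend only moves the interception problem one hop inward.
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go proxyOne(c, backendAddr, tlsCfg)
		}
	}()
	return ln.Addr().String(), ln, nil
}

// proxyOne opens the TLS session for one client connection and pipes bytes both
// ways. If the handshake or certificate check fails the client is dropped; there
// is no plaintext fallback.
func proxyOne(client net.Conn, backendAddr string, cfg *tls.Config) {
	defer client.Close()
	upstream, err := tls.Dial("tcp", backendAddr, cfg)
	if err != nil {
		return
	}
	defer upstream.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, client); done <- struct{}{} }()
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done // one direction finished; the deferred Closes unblock the other
}

// Demo stands up a constructed stand-in for the internal HTTPS REST API
// (httptest's TLS server with its self-signed certificate), starts the tunnel
// in front of it and issues a plain http:// request to the tunnel, as the
// Secure Gateway client would. With trustBackend=false the tunnel gets an empty
// root pool, so the handshake to the backend fails and the request fails with it.
func Demo(trustBackend bool) (string, error) {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "tls=%v path=%s", r.TLS != nil, r.URL.Path)
	}))
	defer backend.Close()

	roots := x509.NewCertPool() // empty pool: nothing is trusted yet
	if trustBackend {
		roots.AddCert(backend.Certificate()) // pin the backend's own self-signed cert
	}
	// httptest's certificate carries a SAN for 127.0.0.1, which is the name verified here.
	addr, tunnel, err := StartTunnel("127.0.0.1:0", backend.Listener.Addr().String(), "127.0.0.1", roots)
	if err != nil {
		return "", err
	}
	defer tunnel.Close()

	resp, err := http.Get("http://" + addr + "/api/status") // cleartext only as far as the tunnel
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	body, err := Demo(true)
	fmt.Println("trusted backend:", body, err)
	_, err = Demo(false)
	fmt.Println("untrusted backend:", err)
}
```

In a real deployment the tunnel would bind to the address the Secure Gateway destination points at, `backendAddr` and `serverName` would be the internal REST API's host and certificate name, and `roots` would hold the internal CA rather than a pinned leaf. Note that the client certificate check still happens only at the Bluemix end (TLS: Mutual Auth on the destination); the tunnel protects the on-prem hop, it does not replace that check.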