In this article I will demonstrate how to create a sample Hybrid app running in IBM Bluemix but getting data from behind a company firewall.
A couple of years ago the prevailing message from vendors was “move to the cloud !!!”. The thing the vendors found though, was that the companies do not necessarily want to move their “data” to the cloud. It is either too complicated, expensive, unnecessary or they just do not flat out trust their data to the cloud. All that said though they are interested in the ability to securely expose their data to the outside world without exposing any of their internal systems. This has been achieved for years using a DMZ style firewall architecture which exposes only the web server but not the database server to the outside world.
In the Cloud world this concept is called a Hybrid model – cloud app, on premises data. In this article I want to show one way which IBM has approached this in Bluemix.
I wish I had listened to Ryan Baxter, last year at MWLUG 2014. I heard him talk about this concept and I serious thought to myself – who would want to do that. Being ahead of your time, happens to the best of us. Anyway you can see how Ryan set up his environment at that time using Cast Iron here. This is an excellent video and gives a nice overview of cast iron – that said, it is not the way I am going to do it and not the way IBM wants you to do it any more. So enjoy but come back….
I found most of the information I am going to write about today in this video…https://www.youtube.com/watch?v=pY-FRwGQ_8Y&feature=youtu.be
(For more information on getting started with your first Bluemix application check out this NotesIn9 video)
Within my Bluemix application I created a simple node application (xominoKnox) and then added the “Secure Gateway” Service.
I then created a Jazz Hub Git site and then cloned the repository locally (See this post for more information on that)
Creating the secure gateway
So the way that the gateway works is this:
- Create and configure the Bluemix end of the gateway
- Install the gateway code on the machine within the firewall
- Open the connection from inside the firewall
- Configure the connection to access data behind the firewall
- Use the connection
So let’s go through those steps one by one and explain what is going on.
1. Create and configure the Bluemix end of the gateway
Click on the Secure Gateway Service from within your Dashboard app view and you will see the configuration screen to create your first Gateway
Click Add Gateway and then you will be prompted to name your Gateway connection
Click Connect it and you will then be presented with the status screen – Not Connected
2. Install the gateway code on the machine within the firewall
The computer that you install the gateway on, inside your firewall, does not have to be the destination machine, it does however have to have access to the destination machine. Currently (April 2015) you will need to install a docker container on the machine and then inside of that the bluemix-secure-gateway can be installed. For those people without docker already, go here to get it installed.
NOTE FOR WINDOWS USERS: I had serious issues getting this installed due to the Oracle Virtual Box which has to be installed along with it. If you find that the Virtual box does not install – use this regedit hack to fix it. https://www.virtualbox.org/ticket/11349
This fixed it for me. Follow these step by step:
- Uninstall Virtualbox
- Uninstall Any Virtual Box Network Adaptors from Device Manager
- Go into the registry at: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network
- Change “MaxFilters” from 8 to 20 (decimal)”
- Reboot your PC
- Install VirtualBox 4.3.X (Run as Administrator)
3. Open the connection from inside the firewall
Once you have docker installed and running (Boot2Docker for windows), copy the commend below into your docker window and run it.
You will see the Connected message appear on your Secure Gateway dashboard and the tunnel connected message in the docker window.
The gateway is set up and a secure tunnel from Bluemix to my laptop (behind my office firewall) is set up.
To be clear at this point the outside world cannot access the Copper/xomino server running on my laptop from the outside world. It is just running on my laptop as normal within my development environment.
4. Configure the connection to access data behind the firewall
Next we have to create a destination (behind the firewall). Understand that the docker window is by default bridged and therefore does not know that it is running on my local computer (127.0.0.1).The IP address I have given Bluemix is the IP address of the laptop on my network.
As you can see from the image above a Cloud Host and port has been assigned. If you do this a number of times you will see that the port changes.
You will also note that I chose not to use No TLS in the connection. This means that this is NOT PRODUCTION ready. We really need to secure this so that only my application can call that URL. More on that later – but for the sake of this article/demo I am leaving it simple.
5. Use the connection
If we connect to the URL shown in the image above we can see a Domino server !!!
If we go to a specific page on that server we see this. Not much to look at I grant you, more on that in a later article.
But if we go to the gateway path – and add the “/xomino/ainx.nsf/testForm?readform” to the end of the URL – we get the exact same thing, from the exact same server, just displayed in a cloud app.
And that is very cool! Especially as it only took about 3 hours to figure this out 🙂
As we have seen in this article, it is relatively simple to set up a secure connection from a computer behind a firewall, and Bluemix. The example show it not yet fully secure though as anyone could call the URL and get web page from my server.
In a future article we will look at securing the connection and what else we are able to do with it.