Introduction
The Secure Gateway Service brings Hybrid Integration capability to your IBM Cloud environment. It provides secure connectivity from IBM Cloud to other applications and data sources running on-premise or in other clouds. A remote client is provided to enable secure connectivity.
For more, see: Getting started with Secure Gateway.
Region | API endpoint |
---|---|
US South | sgmanager.us-south.securegateway.cloud.ibm.com |
US East | sgmanager.us-east.securegateway.cloud.ibm.com |
United Kingdom | sgmanager.eu-gb.securegateway.cloud.ibm.com |
Germany | sgmanager.eu-de.securegateway.cloud.ibm.com |
Sydney | sgmanager.au-syd.securegateway.cloud.ibm.com |
Prerequisites
- Install the IBM Cloud Command Line Client.
- Login to your org and space using the CLI.
$ ibmcloud login $ ibmcloud target --cf-api <ENDPOINT> [-o <ORG>] [-s <SPACE>]
- Find Your Org ID and Space ID
$ ibmcloud iam org <ORG> --guid $ ibmcloud iam space <SPACE> --guid
- Find your UAA token
$ ibmcloud iam oauth-tokens IAM token: Bearer XXXXXXXXXXXX UAA token: Bearer TOKEN #copy this TOKEN
- When invoke some API method to configure the Secure Gateway instance, you will need to pass your UAA token to authenticate your IBM Cloud Identity. For example:
$ curl -H "Authorization: Bearer $UAATOKEN
Authentication
Beside that UAA token, you can still use your API Key to to authenticate your IBM Cloud Identity. For example:
If you pass in an API key, use apikey
for the username and the value of the API key as the password. For example, if the API key is 0a1A2b3B4c5C6d7D8e9E
in the service credentials, include the credentials in your call like this:
$ curl -u "apikey:0a1A2b3B4c5C6d7D8e9E"
Or
$ TOKEN=`echo -n "apikey:0a1A2b3B4c5C6d7D8e9E" | base64`
$ curl -H "Authorization: Basic $TOKEN"
However, for security concern, it is recommended to use the UAA token instead of the API Key.
Error handling
This API uses standard HTTP response codes to indicate whether a method completed successfully.
HTTP Error Code | Description | Recovery |
---|---|---|
200 |
Success | The request was successful. |
400 |
Bad Request | The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request. |
401 |
Unauthorized | You are not authorized to make this request. Check whether your credentials is valid or whether it is expired. |
403 |
Forbidden | The supplied authentication is not authorized. |
404 |
Not Found | The requested resource could not be found. |
409 |
Conflict | The entity is already in the requested state. |
500 |
Internal Server Error | Your request could not be processed. Wait a few minutes and try again. |
Methods
Import Service or Gateway
Import .gateway or service.config file to recreate the gateway(s) and destination(s) they were initially created from.
PUT /v1/import
Request
Custom Headers
IBM Cloud UAA Token
Query Parameters
IBM Cloud Org ID
IBM Cloud Space ID
Form Parameters
The imported .gateway or service.config file
curl -X PUT -H 'Authorization: Bearer <UAA token>' -F 'state=@{imported_file}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/import?org_id={org_id}&space_id={space_id}'
Response
The imported gateway(s) object
- gateway
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
- destinations
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The imported destination object
- destinations
- imported
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
IBM Cloud UAA Token
Query Parameters
IBM Cloud Org ID
IBM Cloud Space ID
curl -X GET -o service.config -H 'Authorization: Bearer <UAA token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/export?org_id={org_id}&space_id={space_id}'
Response
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
- gateways
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
- destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port which Secure Gateway server listen on cloud
Example:
443
For on-premise destination only, the port which Secure Gateway client listen on
The protocol in the caller app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For on-premise destination only, whether restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trust when sending the connection to endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trust when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which Secure Gateway client provide to identify itself for connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the kry
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported service service.config
No Sample Response
Request
Custom Headers
IBM Cloud UAA Token
Query Parameters
IBM Cloud Org ID
IBM Cloud Space ID
Whether to only include enabled or disabled gateway(s). Should be a Boolean. If not specified all gateway(s) will be returned.
Allowable values: [
enabled
,disabled
]
curl -X GET -H 'Authorization: Bearer <UAA token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig?org_id={org_id}&space_id={space_id}'
Response
The list of the gateway(s)
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Access Control List of the gateway
- ACL
Array of recently disconnected clients
- recentlyDisconnected
Example:
qCTv6Onseiy_LOp
Example:
1574759677015
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Request
Custom Headers
IBM Cloud UAA Token
Query Parameters
IBM Cloud Org ID
IBM Cloud Space ID
Whether you acknowledge that creating overage gateway might incur an addtional monthly cost.
A description of this gateway
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
Whether the gateway is actived. Defaults to true
Example:
true
Number of days until the newly generated token expires. Defaults to 90. Enter 0 for a token that does not expire. Ignored if regen_token is false or not provided
Possible values: 0 ≤ value ≤ 90
Example:
44
curl -X POST -H 'Authorization: Bearer <UAA token>' -H 'Content-Type: application/json' -d '{ "desc": "My Gateway", "enf_tok_sec" : true, "token_exp" : 55 }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig?org_id={org_id}&space_id={space_id}&acknowledgeOverage=true'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Configure the activities of the gateway(s)
Configure the activities of the existing gateway(s)
PUT /v1/setActivity
Request
Custom Headers
IBM Cloud UAA Token
Query Parameters
IBM Cloud Org ID
IBM Cloud Space ID
The list of activities
The list of actived gateway id
The list of inactived gateway id
curl -X PUT -H 'Authorization: Bearer <UAA token>' -H 'Content-Type: application/json' -d '{ "setActive": [ "ZgNBtYKCG66_prod_ng" ], "setInactive": [ "qCTv6Onseiy_prod_ng" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/setActivity?org_id={org_id}&space_id={space_id}'
Response
The list of the deactivated gateway(s)
- deactivated
- gateway_id
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
The list of the activated gateway(s)
- activated
- gateway_id
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
The list of the gateway id which did not change the state
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Access Control List of the gateway
- ACL
Array of recently disconnected clients
- recentlyDisconnected
Example:
qCTv6Onseiy_LOp
Example:
1574759677015
Status Code
Request was successful
No Sample Response
Update the enabled/description properties of a gateway configuration
Update the enabled and description properties of the gateway configuration, or regenerate the security token
PUT /v1/sgconfig/{gatewayID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
New description for the gateway
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
Whether to regenerate the associated security token. Defaults to false
Example:
true
Whether enable or disable the gateway
Example:
true
Number of days until the newly generated token expires. Defaults to 90. Enter 0 for a token that does not expire. Ignored if regen_token is false or not provided
Possible values: 0 ≤ value ≤ 90
Example:
44
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "desc": "My New Gateway", "enabled": true, "enf_tok_sec": true, "regen_token": true, "token_exp": 44 }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Regenerate the legacy cert/key pair associated with this gateway
Regenerate the legacy cert/key pair associated with this gateway which used by the old Secure Gateway client
PUT /v1/sgconfig/{gatewayID}/genAuth
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X PUT -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/genAuth'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Org ID associated with this gateway
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
Space ID associated with this gateway
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
Whether the gateway is actived
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
- authorization
the name of the legacy cert
Example:
qCTv6Onseiy_prod_ng_CERT-vk05
the name of the legacy key
Example:
qCTv6Onseiy_prod_ng_KEY-tYC8
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' -o gateway_id.gateway 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/export'
Response
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
- destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port which Secure Gateway server listen on cloud
Example:
443
For on-premise destination only, the port which Secure Gateway client listen on
The protocol in the caller app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For on-premise destination only, whether restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trust when sending the connection to endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trust when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which Secure Gateway client provide to identify itself for connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the kry
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported .gateway file
No Sample Response
Configure the activities of the destination(s)
Configure the activities of the destination(s)
PUT /v1/sgconfig/{gatewayID}/setActivity
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The list of activities
The list of actived destination id
The list of inactived destination id
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "setActive": [ "<destination_id>}" ], "setInactive": [ "<destination_id>" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/setActivity'
Response
The list of the deactivated destination(s)
- deactivated
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The list of the activated destination(s)
- activated
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The list of the destination id which did not change the state
Status Code
Request was successful
No Sample Response
Delete a list of destination(s)
Delete a list of destination(s) associated with given gateway ID
DELETE /v1/sgconfig/{gatewayID}/bulkDestinations
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The list of deleted destination
The list of delated destination id
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "destinations": [ "<destination_id>", "<destination_id>" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/bulkDestinations'
Get a list of destination information
Get a list of destination(s) associated with given gateway ID
GET /v1/sgconfig/{gatewayID}/destinations
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
Whether to only include enabled or disabled destination(s). Should be a Boolean. If not specified all destination(s) will be returned.
Allowable values: [
enabled
,disabled
]
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
A description of this destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port which Secure Gateway server listen on cloud
Example:
443
The protocol in the caller app side
Allowable values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Allowable values: [
none
,mutualauth
]Example:
mutualauth
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Allowable values: [
none
,serverside
,mutualauth
]Example:
mutualauth
For on-premise destination only, the port which Secure Gateway client listen on
For on-premise destination only, whether restrict cloud access to this destination with iptable rules
IP table
- ipRules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
The server name indicator
Example:
example.com
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trust when sending the connection to endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trust when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which Secure Gateway client provide to identify itself for connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the kry
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
curl -X POST -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "desc": "My Destination", "ip": "example.com", "port": "443", "protocol": "HTTPS", "enable_client_tls": true, "client_tls": "mutualauth", "tls": "mutualauth" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Form Parameters
The imported .destination file
curl -X PUT -H 'Authorization: Bearer <security token>' -F 'state=@{imported_file}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/import'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Export the destination
Export the destination
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}/export
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X GET -H 'Authorization: Bearer <security token>' -o gateway_id.gateway 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/export'
Response
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port which Secure Gateway server listen on cloud
Example:
443
For on-premise destination only, the port which Secure Gateway client listen on
The protocol in the caller app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For on-premise destination only, whether restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trust when sending the connection to endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trust when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which Secure Gateway client provide to identify itself for connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the kry
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported .destination file
No Sample Response
Get a destination's information
Get a destination's information
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
A description of this destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port which Secure Gateway server listen on cloud
Example:
443
For on-premise destination only, the port which Secure Gateway client listen on
The protocol in the caller app side
Allowable values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For on-premise destination only, whether restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Allowable values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Allowable values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trust when sending the connection to endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trust when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which Secure Gateway client provide to identify itself for connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the kry
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Enable or disable the destination.
Example:
true
Whether auto-regenerate the cert.server_cert/key or not
Whether auto-regenerate the cert.dest_cert/key or not
curl -X PUT -H 'Authorization: Bearer <security token>' -d '{ "desc": "My Destination" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Delete a destination
Delete a destination
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X DELETE -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Download certs for the destination
Download certs for the destination
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether the result need to be packed as zip file. Default to false
curl -X GET -H 'Authorization: Bearer <security token>' -o cert.zip 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Upload a cert for the destination
Upload a cert for the destination
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Form Parameters
The CA which Secure Gateway trust when receiving the connection from the caller application. Up to one cert cloud be uploaded
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint. If uploading dest_key as well, this field is required. Up to one cert cloud be uploaded
The key for the dest_cert. If uploading dest_cert as well, this field is required. Up to one key cloud be uploaded
The CA which Secure Gateway trust when sending the connection to endpoint. Up to six certs cloud be uploaded
curl -X PUT -H 'Authorization: Bearer <security token>' -F 'cert=@{server_cert}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Delete certs for the destination
Delete certs for the destination
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
A list of names of the deleted certs
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "filename": [ "{cert_name}" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Regenerate cert and key for the destination
Regenerates cert and key for Mutual Auth protocol
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/genCerts
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
The type of the cert which will be regenerated
true
- Regenerate the cert cert.dest_cert/key- omitted - Regenerate the cert cert.server_dest_cert/key
curl -X PUT -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/genCerts'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Add an IP Table rule to a private destination.
Destination must be private to add IP Table rules Adds an IP Table ACCEPT rule to a private destination. Users accessing the destination from an IP and port described by this rule will not be rejected. The rule can contain a hostname, IP, or IP range and a port or port range. Adding the IP rule with the same app
id, the previous one will be replaced
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/ipTableRule
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
The added Ip rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "spt": "<source_port>", "src": "<source_ip>", "app": "<source_uid>" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/ipTableRule'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Remove an IP Table rule from a private destination.
Remove an IP Table ACCEPT rule from a private destination. Users accessing the destination from an IP and Port described by this rule will now be rejected. Use the describe destination call to view current IP Table Rules.
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}/ipTableRule
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether remove all IP rule
true
- Remove all IP rule- omitted - Regenerate the cert cert.server_dest_cert/key
The deleted IP rules, if the query param is defined, this field will be ignore
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "spt": "<source_port>", "src": "<source_ip>" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/ipTableRule'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which Secure Gateway server listen on for the on-prem destiantion
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which Secure Gateway server listen on for the on-prem destiantion
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port which Secure Gateway client listen on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access destination through a proxy, even the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even it is unused
- cert
The CA which Secure Gateway trust when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trust when sending the connection to endpoint.
The cert which Secure Gateway client provide to identify itself for connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange in the calling app side:
none
- The cert exchange is not enabledserverside
- Secure Gateway need to provide the certmutualauth
- Secure Gateway need to provide the cert, the calling app also need to provide the cert
Possible values: [
none
,serverside
,mutualauth
]Example:
mutualauth
The protocol in the calling app side
Possible values: [
TCP
,UDP
,TLS
,HTTP
,HTTPS
]Example:
HTTPS
For regular destination only, whether restrict cloud access to this destination with iptable rules
Whether to use SSL to connection to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
none
- The Secure Gateway doesn't not need to provide the cert to connect to the destinationmutualauth
- The Secure Gateway need to provide the cert to connect to the destination
Possible values: [
none
,mutualauth
]Example:
mutualauth
Whether Secure Gateway reject any connection to the endpoint which is not authorized with the list of supplied CAs in the fields cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [
ENABLED
,DISABLED
]Example:
ENABLED
The time when the destination is created
Example:
2019-11-27T07:04:53.149Z
The last time modify the destination configurations
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Org ID
Example:
20193766-d2dc-4a71-b2bf-134f7630d149
IBM Cloud Space ID
Example:
347e1dbc-3969-4fd8-930f-beba74b7a3ba
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Get the usage statistics for all existing gateway(s)
Get the usage statistics for all existing gateway(s)
GET /v1/stats
Get the usage statistics for the gateway
Get the usage statistics for the gateway
GET /v1/sgconfig/{gatewayID}/stats
Get list of the connected clients info
Get list of the connected clients info for a gateway
GET /v1/sgconfig/{gatewayID}/clients
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clients'
Response
The Client ID
Example:
qCTv6Onseiy_5pa
The version of the Secure Gateway client
Example:
183
The version of the Secure Gateway client include the fixpack info
Example:
183fp1
The hostname of the client env
Example:
host01
The env type of the client
Example:
ubuntu
Status Code
Request was successful
No Sample Response
Delete a single connected client
Delete a single connected client
DELETE /v1/sgconfig/{gatewayID}/clients
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The Client ID
curl -X DELETE -H 'Authorization: Bearer <security token>' -d '{ "deleteList": [ "<client_id>" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clients'
Get the client warning and error logs
Get the client warning and error logs, please note that some warnings and errors message might be missing, to get the entire client logs, please read the logs in client env
GET /v1/sgconfig/{gatewayID}/clientLogs
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
The type of the logs
Allowable values: [
warn
,error
]The Client ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clientLogs'
Get the info of the disconnected client
Get the info of the clients that disconnected from the gateway recently.
GET /v1/sgconfig/{gatewayID}/disconnectedClients
Get connection status of a client
Get connection status of a client for a gateway
GET /v1/sgconfig/{gatewayID}/clients/{clientID}
Get the list of installers we currently offer
Get the list of installers we currently offer
GET /v1/getClientList
Migrate the gateway to Satellite Connector
Migrate all destinations of this gateway to Satellite Connector
PUT /v1/sgconfig/{gatewayID}/migrate2connector
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
Whether to force to rename the destination if it cannot satisfy the Satellite Connector endpoint naming policy
The info of the Satellite Connector
The Satellite Connector ID
Example:
A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J
The IAM Token which have access to create endpoints under the Satellite Connector. Either token or apikey need to be defined
Example:
fake_iam_token
The API Key which have access to create endpoints under the Satellite Connector. Either token or apikey need to be defined
Example:
fake_api_token
curl -X PUT -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "connector_id": "A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J", "token" : "fake_iam_token" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/migrate2connector'
Response
The destination which success to be migrated
- migrated
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The new name of the endpoint if it is renamed by running the API with 'force=true' query parameter
Example:
My-Destination
The destination which fail to be migrated
- failed
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The reason of the failure
Example:
The specified name already exists
The suggested steps to resolve the failure
Example:
Endpoint name should be unique under each Connector, please rename the destination before migration
Status Code
Request was successful
No Sample Response
Migrate the destination to Satellite Connector
Migrate this destination to Satellite Connector
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/migrate2connector
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether to force to rename the destination if it cannot satisfy the Satellite Connector endpoint naming policy
The info of the Satellite Connector
The Satellite Connector ID
Example:
A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J
The IAM Token which have access to create endpoints under the Satellite Connector. Either token or apikey need to be defined
Example:
fake_iam_token
The API Key which have access to create endpoints under the Satellite Connector. Either token or apikey need to be defined
Example:
fake_api_token
curl -X PUT -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "connector_id": "A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J", "token" : "fake_iam_token" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/migrate2connector'
Response
The destination which success to be migrated
- migrated
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The new name of the endpoint if it is renamed by running the API with 'force=true' query parameter
Example:
My-Destination
The destination which fail to be migrated
- failed
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The reason of the failure
Example:
The specified name already exists
The suggested steps to resolve the failure
Example:
Endpoint name should be unique under each Connector, please rename the destination before migration
Status Code
Request was successful