Introduction
The Secure Gateway Service brings Hybrid Integration capability to your IBM Cloud environment. It provides secure connectivity from IBM Cloud to other applications and data sources running on-premise or in other clouds. A remote client is provided to enable secure connectivity.
For more, see: Getting started with Secure Gateway.
IMPORTANT: If your Secure Gateway Service has not been upgraded to version 2 and is still on version 1, please see the documentation here
Region | API endpoint |
---|---|
US South | sgmanager.us-south.securegateway.cloud.ibm.com |
US East | sgmanager.us-east.securegateway.cloud.ibm.com |
United Kingdom | sgmanager.eu-gb.securegateway.cloud.ibm.com |
Germany | sgmanager.eu-de.securegateway.cloud.ibm.com |
Sydney | sgmanager.au-syd.securegateway.cloud.ibm.com |
Prerequisites
Secure Gateway has been migrated to resource groups and is no longer based on Cloud Foundry org/space. To interact with the current Secure Gateway, an API key and a resource group are required.
- How to get an API key: An API key is required for IAM authentication. Follow these steps to obtain one:
  - Sign in to IBM Cloud and select Manage>Access (IAM)>API Keys
  - Create an API key for your own personal identity, copy the key value, and save it in a secure place. After you leave the page, you will no longer be able to access this value.
- How to get the Resource Group: The Resource Group is required in several API calls. To get your Resource Group ID, choose either method below:
  - Using the IBM Cloud UI: Sign in to IBM Cloud and select Manage>Account>Resource Group; your resource group information is displayed.
  - Using the IBM Cloud CLI:
    - List resource groups:
      ibmcloud resource groups
    - Show details of a resource group:
      ibmcloud resource group NAME [--id]
- For more information about resource groups, please refer here
Authentication
Use the API key you created with the IAM identity token API to generate an IAM token. For example:
curl -X POST 'https://iam.cloud.ibm.com/identity/token' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=<your iam api key>'
For details on the API syntax, see here.
Error handling
This API uses standard HTTP response codes to indicate whether a method completed successfully.
HTTP Error Code | Description | Recovery |
---|---|---|
200 | Success | The request was successful. |
400 | Bad Request | The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request. |
401 | Unauthorized | You are not authorized to make this request. Check whether your credentials are valid or have expired. |
403 | Forbidden | The supplied authentication is not authorized. |
404 | Not Found | The requested resource could not be found. |
409 | Conflict | The entity is already in the requested state. |
500 | Internal Server Error | Your request could not be processed. Wait a few minutes and try again. |
Methods
Import Service or Gateway
Import a .gateway or service.config file to recreate the gateway(s) and destination(s) from which the file was created.
PUT /v1/import
Request
Custom Headers
IBM Cloud IAM Token
Query Parameters
IBM Cloud Resource Group ID
Form Parameters
The imported .gateway or service.config file
curl -X PUT -H 'Authorization: Bearer <IAM token>' -F 'state=@{imported_file}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/import?resource_group={resource_group}'
Response
The imported gateway(s) object
- gateway
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
- destinations
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. Even if the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The imported destination object
- destinations
- imported
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. Even if the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
IBM Cloud IAM Token
Query Parameters
IBM Cloud Resource Group ID
curl -X GET -o service.config -H 'Authorization: Bearer <IAM token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/export?resource_group={resource_group}'
Response
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
- gateways
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
- destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port on which the Secure Gateway server listens on the cloud
Example:
443
For on-premise destination only, the port on which the Secure Gateway client listens
The protocol on the caller app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For on-premise destination only, whether to restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access the destination through a proxy. Even if the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trusts when sending the connection to the endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trusts when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which the Secure Gateway client provides to identify itself when connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the key
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported service service.config
No Sample Response
Request
Custom Headers
IBM Cloud IAM Token
Query Parameters
IBM Cloud Resource Group ID
Whether to only include enabled or disabled gateway(s). Should be a Boolean. If not specified all gateway(s) will be returned.
Allowable values: [enabled, disabled]
curl -X GET -H 'Authorization: Bearer <IAM token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig?resource_group={resource_group}'
Response
The list of the gateway(s)
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Access Control List of the gateway
- ACL
Array of recently disconnected clients
- recentlyDisconnected
Example:
qCTv6Onseiy_LOp
Example:
1574759677015
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Request
Custom Headers
IBM Cloud IAM Token
Query Parameters
IBM Cloud Resource Group ID
Whether you acknowledge that creating an overage gateway might incur an additional monthly cost.
A description of this gateway
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
Whether the gateway is active. Defaults to true
Example:
true
Number of days until the newly generated token expires. Defaults to 90. Enter 0 for a token that does not expire. Ignored if regen_token is false or not provided
Possible values: 0 ≤ value ≤ 90
Example:
44
curl -X POST -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "desc": "My Gateway", "enf_tok_sec" : true, "token_exp" : 55 }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig?resource_group={resource_group}'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Configure the activities of the gateway(s)
Configure the activities of the existing gateway(s)
PUT /v1/setActivity
Request
Custom Headers
IBM Cloud IAM Token
Query Parameters
IBM Cloud Resource Group ID
The list of activities
The list of activated gateway IDs
The list of inactivated gateway IDs
curl -X PUT -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "setActive": [ "ZgNBtYKCG66_prod_ng" ], "setInactive": [ "qCTv6Onseiy_prod_ng" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/setActivity?resource_group={resource_group}'
Response
The list of the deactivated gateway(s)
- deactivated
- gateway_id
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
The list of the activated gateway(s)
- activated
- gateway_id
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
The list of gateway IDs whose state did not change
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
Access Control List of the gateway
- ACL
Array of recently disconnected clients
- recentlyDisconnected
Example:
qCTv6Onseiy_LOp
Example:
1574759677015
Status Code
Request was successful
No Sample Response
Update the enabled/description properties of a gateway configuration
Update the enabled and description properties of the gateway configuration, or regenerate the security token
PUT /v1/sgconfig/{gatewayID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
New description for the gateway
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
Whether to regenerate the associated security token. Defaults to false
Example:
true
Whether to enable or disable the gateway
Example:
true
Number of days until the newly generated token expires. Defaults to 90. Enter 0 for a token that does not expire. Ignored if regen_token is false or not provided
Possible values: 0 ≤ value ≤ 90
Example:
44
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "desc": "My New Gateway", "enabled": true, "enf_tok_sec": true, "regen_token": true, "token_exp": 44 }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}'
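The security token in this page's response samples is a JWT whose payload carries iat and exp claims, so the effect of token_exp can be checked offline when planning a regen_token call. The Python below is an added example, not part of the Secure Gateway API or IBM's code; rotation_status, warn_days and constructed_token are hypothetical names, and treating a token without an exp claim as non-expiring (token_exp 0) is an assumption.

```python
import base64
import json
from datetime import datetime, timezone

# Example security token copied from the response samples on this page.
PAGE_EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24i"
    "OiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30."
    "DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8"
)

SECONDS_PER_DAY = 86400


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a security token.

    The signature is NOT verified: the signing key is held by the service,
    so the result is for inventory and rotation planning only, never for
    an authorization decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("security token is not a three-part JWT")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("token payload is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("token payload is not a JSON object")
    for name in ("iat", "exp"):
        if name in claims and not isinstance(claims[name], (int, float)):
            raise ValueError(name + " claim is not a number")
    return claims


def rotation_status(token, now, warn_days=14):
    """Classify a token as OK, ROTATE_SOON, EXPIRED or NON_EXPIRING.

    `now` must be a timezone-aware datetime. `warn_days` is a hypothetical
    local policy threshold, not an API parameter.
    """
    claims = decode_claims(token)
    report = {
        "gateway": claims.get("configuration_id"),
        "region": claims.get("region"),
        "lifetime_days": None,
        "days_left": None,
    }
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        # Assumption: a token created with token_exp 0 carries no exp claim.
        report["status"] = "NON_EXPIRING"
        return report
    if iat is not None:
        report["lifetime_days"] = int((exp - iat) // SECONDS_PER_DAY)
    seconds_left = exp - int(now.timestamp())
    report["days_left"] = int(seconds_left // SECONDS_PER_DAY)
    if seconds_left <= 0:
        report["status"] = "EXPIRED"
    elif report["days_left"] < warn_days:
        report["status"] = "ROTATE_SOON"
    else:
        report["status"] = "OK"
    return report


def constructed_token(claims):
    """Build an unsigned, constructed sample token for exercising the check."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), "constructed"])


if __name__ == "__main__":
    checks = [
        (PAGE_EXAMPLE_TOKEN, datetime(2020, 1, 1, tzinfo=timezone.utc)),
        (PAGE_EXAMPLE_TOKEN, datetime(2020, 2, 20, tzinfo=timezone.utc)),
        (PAGE_EXAMPLE_TOKEN, datetime(2020, 3, 1, tzinfo=timezone.utc)),
        # Constructed sample: no exp claim, as assumed for token_exp 0.
        (constructed_token({"configuration_id": "sampleGw_prod_ng",
                            "region": "us-south", "iat": 1574845647}),
         datetime(2020, 1, 1, tzinfo=timezone.utc)),
    ]
    for token, when in checks:
        print(when.date(), rotation_status(token, when))
```

The page's example token decodes to a 90-day lifetime, matching the documented token_exp default.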
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Example:
1579512466000
Status Code
Request was successful
No Sample Response
Regenerate the legacy cert/key pair associated with this gateway
Regenerate the legacy cert/key pair associated with this gateway, which is used by the old Secure Gateway client
PUT /v1/sgconfig/{gatewayID}/genAuth
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X PUT -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/genAuth'
Response
Unique identifier for this gateway
Example:
qCTv6Onseiy_prod_ng
Resource Group ID associated with this gateway
Example:
19087c5c5aea4f1f95dabaf54b1dff68
Description of the gateway
Example:
My Gateway
Secure Gateway Hostname of the gateway
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
Enabled/Disabled
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
Whether the gateway is active
Example:
true
The gateway's security token
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWd1cmF0aW9uX2lkIjoiemtrWmQ0bFhzWXdfcHJvZF9hdS1zeWQiLCJyZWdpb24iOiJhdS1zeWQiLCJpYXQiOjE1NzQ4NDU2NDcsImV4cCI6MTU4MjYyMTY0N30.DRffsC20sEqlkicrjaGREdjYSvMoDyS02H_ZqKJ8cD8
Whether the security token is being enforced on client connection
Example:
true
Timestamp of creation of gateway
Example:
2019-11-27T09:07:27.245Z
Timestamp of latest modification of gateway
Example:
2019-11-27T09:07:27.245Z
Array of currently connected clients
- authorization
the name of the legacy cert
Example:
qCTv6Onseiy_prod_ng_CERT-vk05
the name of the legacy key
Example:
qCTv6Onseiy_prod_ng_KEY-tYC8
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' -o gateway_id.gateway 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/export'
Response
A description of this gateway
Example:
My Gateway
Whether to require the security token when connecting the client. Defaults to true
Example:
true
- destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port on which the Secure Gateway server listens on the cloud
Example:
443
For on-premise destination only, the port on which the Secure Gateway client listens
The protocol on the caller app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For on-premise destination only, whether to restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access the destination through a proxy. Even if the proxy info is defined, this field can be false
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trusts when sending the connection to the endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trusts when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which the Secure Gateway client provides to identify itself when connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the key
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported .gateway file
No Sample Response
Configure the activities of the destination(s)
Configure the activities of the destination(s)
PUT /v1/sgconfig/{gatewayID}/setActivity
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The list of activities
The list of activated destination IDs
The list of inactivated destination IDs
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "setActive": [ "<destination_id>" ], "setInactive": [ "<destination_id>" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/setActivity'
Response
The list of the deactivated destination(s)
- deactivated
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. Even if the proxy info is defined, this field can be false
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The list of the activated destination(s)
- activated
- destination_id
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
The list of destination IDs whose state did not change
Status Code
Request was successful
No Sample Response
Delete a list of destination(s)
Delete a list of destination(s) associated with given gateway ID
DELETE /v1/sgconfig/{gatewayID}/bulkDestinations
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The list of deleted destinations
The list of deleted destination IDs
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "destinations": [ "<destination_id>", "<destination_id>" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/bulkDestinations'
Get a list of destination information
Get a list of destination(s) associated with given gateway ID
GET /v1/sgconfig/{gatewayID}/destinations
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
Whether to only include enabled or disabled destination(s). Should be a Boolean. If not specified all destination(s) will be returned.
Allowable values: [enabled, disabled]
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
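The ip_table_rules entries above use two compact formats: a port or port range written XXXX:XXXX, and an IP or a dash-separated IP range. The following is an added example, not code from the Secure Gateway project, that parses both formats, tests whether a source would fall inside a rule, and flags malformed or very wide rules. The dictionary keys `name`, `source_ip` and `source_port` are hypothetical (the field names are not shown on this page), and treating an absent component as unconstrained is an assumption.

```python
import ipaddress


def parse_port_spec(spec):
    """Parse '80' or '5000:5100' into an inclusive (low, high) tuple."""
    low, sep, high = str(spec).strip().partition(":")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def parse_ip_spec(spec):
    """Parse '1.2.3.4' or '192.0.0.1-192.0.0.5' into (first, last) addresses."""
    first, sep, last = spec.strip().partition("-")
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip()) if sep else start
    if start.version != end.version or start > end:
        raise ValueError(f"bad IP spec: {spec!r}")
    return start, end


def address_count(spec):
    """Number of source addresses a single IP spec admits."""
    start, end = parse_ip_spec(spec)
    return int(end) - int(start) + 1


def rule_matches(rule, src_ip, src_port):
    """True if the source falls inside the rule.

    Assumption: a component missing from the rule places no constraint.
    """
    if rule.get("source_ip"):
        start, end = parse_ip_spec(rule["source_ip"])
        addr = ipaddress.ip_address(src_ip)
        if addr.version != start.version or not start <= addr <= end:
            return False
    if rule.get("source_port"):
        lo, hi = parse_port_spec(rule["source_port"])
        if not lo <= int(src_port) <= hi:
            return False
    return True


def review(rules, max_addresses=256):
    """Return (rule name, finding) pairs for malformed or very wide rules."""
    findings = []
    for rule in rules:
        try:
            if rule.get("source_port"):
                parse_port_spec(rule["source_port"])
            if rule.get("source_ip") and address_count(rule["source_ip"]) > max_addresses:
                findings.append((rule["name"], "wide source range"))
        except ValueError as exc:
            findings.append((rule["name"], str(exc)))
    return findings


# Constructed sample rules; the values follow the formats in this reference.
SAMPLE_RULES = [
    {"name": "myRule01", "source_ip": "192.0.0.1-192.0.0.5", "source_port": "80"},
    {"name": "myRule02", "source_ip": "1.2.3.4", "source_port": "5000:5100"},
    {"name": "myRule03", "source_ip": "10.0.0.0-10.255.255.255"},
    {"name": "myRule04", "source_ip": "192.0.0.9-192.0.0.2"},
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RULES):
        print(f"{name}: {finding}")
```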
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
A description of this destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port on which the Secure Gateway server listens on the cloud
Example:
443
The protocol on the caller app side
Allowable values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Allowable values: [none, mutualauth]
Example:
mutualauth
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Allowable values: [none, serverside, mutualauth]
Example:
mutualauth
For on-premise destination only, the port on which the Secure Gateway client listens
For on-premise destination only, whether to restrict cloud access to this destination with iptable rules
IP table
- ipRules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
The server name indicator
Example:
example.com
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trusts when sending the connection to the endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trusts when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which the Secure Gateway client provides to identify itself when connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the key
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
curl -X POST -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "desc": "My Destination", "ip": "example.com", "port": "443", "protocol": "HTTPS", "enable_client_tls": true, "client_tls": "mutualauth", "tls": "mutualauth" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations'
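A pre-flight check for the request body sent above, as an added example that is not part of the Secure Gateway project. It validates the enumerated fields against the value lists in this reference and reports settings that leave a leg of the connection without TLS or certificate authentication. The mapping of `tls` to the calling app side and of `enable_client_tls` and `client_tls` to the endpoint side is an assumption drawn from the listed values; the page does not name the fields next to their descriptions.

```python
import json

# Allowable values as listed in this reference.
PROTOCOLS = ("TCP", "UDP", "TLS", "HTTP", "HTTPS")
CALLER_SIDE = ("none", "serverside", "mutualauth")   # assumed to be the "tls" field
ENDPOINT_SIDE = ("none", "mutualauth")               # assumed to be "client_tls"


def check_destination(body):
    """Return (errors, warnings) for a create-destination body given as a dict."""
    errors, warnings = [], []

    # Enumerated fields: reject anything outside the documented lists.
    for field, allowed in (("protocol", PROTOCOLS), ("tls", CALLER_SIDE),
                           ("client_tls", ENDPOINT_SIDE)):
        if field not in body:
            warnings.append(f"{field} is not set explicitly")
        elif body[field] not in allowed:
            errors.append(f"{field}={body[field]!r} is not one of {list(allowed)}")

    # The sample request sends the port as a string; accept both forms.
    port = body.get("port")
    try:
        if port is not None and not 1 <= int(port) <= 65535:
            errors.append(f"port={port!r} is outside 1-65535")
    except (TypeError, ValueError):
        errors.append(f"port={port!r} is not a number")

    enable = body.get("enable_client_tls")
    if enable is None:
        warnings.append("enable_client_tls is not set explicitly")
    elif not isinstance(enable, bool):
        errors.append("enable_client_tls must be a JSON boolean")

    # Posture: which leg of the connection is left unprotected.
    if body.get("protocol") in ("TCP", "UDP", "HTTP"):
        warnings.append("protocol carries no TLS on the calling app side")
    if body.get("tls") == "none":
        warnings.append("tls=none: cert exchange with the calling app is not enabled")
    elif body.get("tls") == "serverside":
        warnings.append("tls=serverside: the calling app does not present a cert")
    if enable is False:
        warnings.append("enable_client_tls=false: no SSL to the endpoint")
        if body.get("client_tls") == "mutualauth":
            warnings.append("client_tls=mutualauth is set while enable_client_tls is false")
    elif body.get("client_tls") == "none":
        warnings.append("client_tls=none: Secure Gateway presents no cert to the destination")
    return errors, warnings


def check_json(text):
    """Parse a JSON request body and check it."""
    return check_destination(json.loads(text))


# The body from the curl example on this page.
PAGE_BODY = ('{ "desc": "My Destination", "ip": "example.com", "port": "443", '
             '"protocol": "HTTPS", "enable_client_tls": true, '
             '"client_tls": "mutualauth", "tls": "mutualauth" }')

# Constructed samples: one syntactically valid but weak, one invalid.
WEAK_BODY = ('{ "desc": "legacy", "ip": "example.com", "port": "80", '
             '"protocol": "HTTP", "enable_client_tls": false, '
             '"client_tls": "mutualauth", "tls": "none" }')
INVALID_BODY = ('{ "protocol": "FTP", "port": "70000", "tls": "clientside", '
                '"enable_client_tls": "true" }')

if __name__ == "__main__":
    for label, text in (("page", PAGE_BODY), ("weak", WEAK_BODY),
                        ("invalid", INVALID_BODY)):
        errs, warns = check_json(text)
        print(label, "errors:", errs, "warnings:", warns)
```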
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Form Parameters
The imported .destination file
curl -X PUT -H 'Authorization: Bearer <security token>' -F 'state=@{imported_file}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/import'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Export the destination
Export the destination
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}/export
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X GET -H 'Authorization: Bearer <security token>' -o gateway_id.gateway 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/export'
Response
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port on which the Secure Gateway server listens on the cloud
Example:
443
For on-premise destination only, the port on which the Secure Gateway client listens
The protocol on the caller app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For on-premise destination only, whether to restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trusts when sending the connection to the endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trusts when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which the Secure Gateway client provides to identify itself when connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the key
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Status Code
The exported .destination file
No Sample Response
Get a destination's information
Get a destination's information
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
A description of this destination
The name of the destination
Example:
My Destination
The host of the endpoint
Example:
example.com
For cloud destination only, the port on which the Secure Gateway server listens on the cloud
Example:
443
For on-premise destination only, the port on which the Secure Gateway client listens
The protocol on the caller app side
Allowable values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For on-premise destination only, whether to restrict cloud access to this destination with iptable rules
IP table
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Allowable values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Allowable values: [none, serverside, mutualauth]
Example:
mutualauth
The server name indicator
Example:
example.com
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
The CA which Secure Gateway trusts when sending the connection to the endpoint.
- clientCerts
The name of the cert
Example:
endpointCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The CA which Secure Gateway trusts when receiving the connection from the caller application.
- serverCert
The name of the cert
Example:
callingAppCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
The cert and key which the Secure Gateway client provides to identify itself when connecting to the endpoint
- destCerts
- dest_cert
The name of the cert
Example:
SGCert.pem
content of the cert
Example:
-----BEGIN CERTIFICATE-----\r\n<the_content_of_the_cert>-----END CERTIFICATE-----\r\n
- dest_key
The name of the key
Example:
SGPrivateKey.pem
content of the key
Example:
-----BEGIN PRIVATE KEY-----\n<the_content_of_the_key>\n-----END PRIVATE KEY-----\n
Enable or disable the destination.
Example:
true
Whether to auto-regenerate the cert.server_cert/key or not
Whether to auto-regenerate the cert.dest_cert/key or not
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "desc": "My Destination" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname on which the Secure Gateway server listens for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port on which the Secure Gateway server listens for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destination only, the port on which the Secure Gateway client listens
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even when the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none: The cert exchange is not enabled
- serverside: Secure Gateway needs to provide the cert
- mutualauth: Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destination only, whether to restrict cloud access to this destination with iptable rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none: The Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth: The Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint which is not authorized with the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Delete a destination
Delete a destination
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
curl -X DELETE -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}'
Download certs for the destination
Download certs for the destination
GET /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether the result needs to be packed as a zip file. Defaults to false
curl -X GET -H 'Authorization: Bearer <security token>' -o cert.zip 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Upload a cert for the destination
Upload a cert for the destination
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Form Parameters
The CA which Secure Gateway trusts when receiving the connection from the caller application. Up to one cert can be uploaded
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint. If uploading dest_key as well, this field is required. Up to one cert can be uploaded
The key for the dest_cert. If uploading dest_cert as well, this field is required. Up to one key can be uploaded
The CA which Secure Gateway trusts when sending the connection to the endpoint. Up to six certs can be uploaded
curl -X PUT -H 'Authorization: Bearer <security token>' -F 'cert=@{server_cert}' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which the Secure Gateway server listens on for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which the Secure Gateway server listens on for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destinations only, the port which the Secure Gateway client listens on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even if the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none - The cert exchange is not enabled
- serverside - Secure Gateway needs to provide the cert
- mutualauth - Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destinations only, whether to restrict cloud access to this destination with IP table rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none - Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth - Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Delete certs for the destination
Delete certs for the destination
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}/cert
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
A list of names of the deleted certs
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "filename": [ "{cert_name}" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/cert'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which the Secure Gateway server listens on for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which the Secure Gateway server listens on for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destinations only, the port which the Secure Gateway client listens on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even if the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none - The cert exchange is not enabled
- serverside - Secure Gateway needs to provide the cert
- mutualauth - Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destinations only, whether to restrict cloud access to this destination with IP table rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none - Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth - Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Regenerate cert and key for the destination
Regenerates cert and key for Mutual Auth protocol
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/genCerts
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
The type of the cert which will be regenerated
- true - Regenerate the cert cert.dest_cert/key
- omitted - Regenerate the cert cert.server_dest_cert/key
curl -X PUT -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/genCerts'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which the Secure Gateway server listens on for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which the Secure Gateway server listens on for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destinations only, the port which the Secure Gateway client listens on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even if the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none - The cert exchange is not enabled
- serverside - Secure Gateway needs to provide the cert
- mutualauth - Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destinations only, whether to restrict cloud access to this destination with IP table rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none - Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth - Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Add an IP Table rule to a private destination.
Destination must be private to add IP Table rules. Adds an IP Table ACCEPT rule to a private destination. Users accessing the destination from an IP and port described by this rule will not be rejected. The rule can contain a hostname, IP, or IP range and a port or port range. If an IP rule is added with the same app id as an existing rule, the previous one will be replaced.
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/ipTableRule
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
The added IP rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
curl -X PUT -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "spt": "<source_port>", "src": "<source_ip>", "app": "<source_uid>" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/ipTableRule'
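A pre-flight check for the rule body sent in the request above, as an added example that is not IBM's code. It validates the `spt`, `src` and `app` fields from the curl call against the formats this page describes, and reports which existing rule the same `app` id would replace. The function names, the hostname syntax check, the acceptance of IPv6 and the `MAX_RANGE_SIZE` limit are assumptions made for this example; the service's own validation is not documented on this page.

```python
import ipaddress
import json
import re

MAX_RANGE_SIZE = 256  # assumption: local policy cap on addresses per rule
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_ports(spt):
    """Return (low, high) for 'PORT' or 'PORT:PORT'; raise ValueError otherwise."""
    parts = str(spt).split(":")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"spt must be PORT or PORT:PORT, got {spt!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"spt outside 1-65535 or reversed: {spt!r}")
    return low, high


def _ip(text):
    """Parse an IPv4/IPv6 address, returning None instead of raising."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_source(src):
    """Return (kind, address_count); kind is 'ip', 'range' or 'host'."""
    first, dash, last = src.partition("-")
    low = _ip(first)
    if dash and low is not None:
        # Text before the dash is an IP, so this must be a LOW-HIGH range.
        high = _ip(last)
        if high is None or high.version != low.version or int(high) < int(low):
            raise ValueError(f"src range must be LOW-HIGH, got {src!r}")
        return "range", int(high) - int(low) + 1
    if low is not None:
        return "ip", 1
    labels = src.split(".")
    # An all-numeric last label is a mistyped IP, not a hostname.
    if (len(src) <= 253 and not labels[-1].isdigit()
            and all(_HOST_LABEL.match(label) for label in labels)):
        return "host", None
    raise ValueError(f"src is not an IP, IP range or hostname: {src!r}")


def build_rule(spt, src, app, max_range=MAX_RANGE_SIZE):
    """Validate one rule and return the JSON-ready body for the PUT request."""
    parse_ports(spt)
    kind, count = parse_source(src)
    if kind == "range" and count > max_range:
        raise ValueError(f"src range covers {count} addresses (limit {max_range})")
    if not app or not app.strip():
        raise ValueError("app must be a non-empty rule identifier")
    return {"spt": str(spt), "src": src, "app": app}


def rule_error(spt, src, app):
    """Return None if the rule is acceptable, else the reason it was rejected."""
    try:
        build_rule(spt, src, app)
    except ValueError as exc:
        return str(exc)
    return None


def find_replaced(existing_rules, rule):
    """Return the existing rule with the same app id, which the PUT would replace."""
    for old in existing_rules:
        if old.get("app") == rule["app"]:
            return old
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from a real gateway.
    current = [{"spt": "80", "src": "1.2.3.4", "app": "myRule01"}]
    new = build_rule("8000:8080", "192.0.0.1-192.0.0.5", "myRule01")
    print("request body:", json.dumps(new))
    print("would replace:", find_replaced(current, new))
```

Running the check before the PUT catches reversed or mistyped ranges and makes an accidental overwrite of an existing ACCEPT rule visible before it happens.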
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which the Secure Gateway server listens on for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which the Secure Gateway server listens on for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destinations only, the port which the Secure Gateway client listens on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even if the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none - The cert exchange is not enabled
- serverside - Secure Gateway needs to provide the cert
- mutualauth - Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destinations only, whether to restrict cloud access to this destination with IP table rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none - Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth - Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Remove an IP Table rule from a private destination.
Remove an IP Table ACCEPT rule from a private destination. Users accessing the destination from an IP and Port described by this rule will now be rejected. Use the describe destination call to view current IP Table Rules.
DELETE /v1/sgconfig/{gatewayID}/destinations/{destinationID}/ipTableRule
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether to remove all IP rules
- true - Remove all IP rules
- omitted - Regenerate the cert cert.server_dest_cert/key
The deleted IP rules. If the query param is defined, this field will be ignored
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
curl -X DELETE -H 'Authorization: Bearer <security token>' -H 'Content-Type: application/json' -d '{ "spt": "<source_port>", "src": "<source_ip>" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/ipTableRule'
Response
Unique identifier for this destination
Example:
qCTv6Onseiy_qVuvq
The Gateway ID
Example:
qCTv6Onseiy_prod_ng
The name of the destination
Example:
My Destination
The hostname which the Secure Gateway server listens on for the on-prem destination
Example:
cap-sg-prd-1.securegateway.appdomain.cloud
The port which the Secure Gateway server listens on for the on-prem destination
Example:
15001
- connection_info
The host of the endpoint
Example:
example.com
The port of the endpoint
Example:
443
For reverse destinations only, the port which the Secure Gateway client listens on
The server name indicator
Example:
example.com
- proxy
The host of the proxy
Example:
1.2.3.4
The port of the proxy
Example:
1234
The SOCKS protocol
Example:
5
Whether to access the destination through a proxy. This field can be false even if the proxy info is defined
Example:
true
Once it is generated, this field will always be defined even if it is unused
- cert
The CA which Secure Gateway trusts when receiving the connection from the caller application.
Example:
callingAppCert.pem
The CA which Secure Gateway trusts when sending the connection to the endpoint.
The cert which the Secure Gateway client provides to identify itself when connecting to the endpoint
Example:
SGCert.pem
Once it is generated, this field will always be defined even if it is unused
- key
The key for the cert.dest_cert
Example:
SGPrivateKey.pem
The key for the cert.server_cert, defined when the cloud authentication is auto-gen
Example:
callingAppPrivateKey.pem
The cert exchange on the calling app side:
- none - The cert exchange is not enabled
- serverside - Secure Gateway needs to provide the cert
- mutualauth - Secure Gateway needs to provide the cert, and the calling app also needs to provide the cert
Possible values: [none, serverside, mutualauth]
Example:
mutualauth
The protocol on the calling app side
Possible values: [TCP, UDP, TLS, HTTP, HTTPS]
Example:
HTTPS
For regular destinations only, whether to restrict cloud access to this destination with IP table rules
Whether to use SSL to connect to the endpoint
Example:
true
Whether to use TLS:MA to connect to the destination:
- none - Secure Gateway does not need to provide the cert to connect to the destination
- mutualauth - Secure Gateway needs to provide the cert to connect to the destination
Possible values: [none, mutualauth]
Example:
mutualauth
Whether Secure Gateway rejects any connection to the endpoint that is not authorized by the list of supplied CAs in the field cert.client_cert
Example:
true
Whether the destination is active or not
Possible values: [ENABLED, DISABLED]
Example:
ENABLED
The time when the destination was created
Example:
2019-11-27T07:04:53.149Z
The last time the destination configuration was modified
Example:
2019-11-27T07:04:53.149Z
The timeout in the destination side
Possible values: 1 ≤ value ≤ 180
Example:
60
Whether the compression of the request data is enabled or not
Example:
true
IBM Cloud Resource Group ID
Example:
19087c5c5aea4f1f95dabaf54b1dff68
IP table
- ip_table_rules
a source port or source port range (range should be XXXX:XXXX)
Example:
80
a source IP
Example:
1.2.3.4
a source IP range
Example:
192.0.0.1-192.0.0.5
uniquely identifies the app and instance for ip table rule.
Example:
myRule01
Status Code
Request was successful
No Sample Response
Get the usage statistics for all existing gateway(s)
Get the usage statistics for all existing gateway(s)
GET /v1/stats
Get the usage statistics for the gateway
Get the usage statistics for the gateway
GET /v1/sgconfig/{gatewayID}/stats
Get list of the connected clients info
Get list of the connected clients info for a gateway
GET /v1/sgconfig/{gatewayID}/clients
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clients'
Response
The Client ID
Example:
qCTv6Onseiy_5pa
The version of the Secure Gateway client
Example:
183
The version of the Secure Gateway client, including the fixpack info
Example:
183fp1
The hostname of the client env
Example:
host01
The env type of the client
Example:
ubuntu
Status Code
Request was successful
No Sample Response
Delete a single connected client
Delete a single connected client
DELETE /v1/sgconfig/{gatewayID}/clients
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The Client ID
curl -X DELETE -H 'Authorization: Bearer <security token>' -d '{ "deleteList": [ "<client_id>" ] }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clients'
Get the client warning and error logs
Get the client warning and error logs. Please note that some warning and error messages might be missing; to get the entire client logs, please read the logs in the client env
GET /v1/sgconfig/{gatewayID}/clientLogs
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
The type of the logs
Allowable values: [warn, error]
The Client ID
curl -X GET -H 'Authorization: Bearer <security token>' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/clientLogs'
Get the info of the disconnected client
Get the info of the clients that disconnected from the gateway recently.
GET /v1/sgconfig/{gatewayID}/disconnectedClients
Get connection status of a client
Get connection status of a client for a gateway
GET /v1/sgconfig/{gatewayID}/clients/{clientID}
Get the list of installers we currently offer
Get the list of installers we currently offer
GET /v1/getClientList
Migrate the gateway to Satellite Connector
Migrate all destinations of this gateway to Satellite Connector
PUT /v1/sgconfig/{gatewayID}/migrate2connector
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
Query Parameters
Whether to force renaming the destination if it cannot satisfy the Satellite Connector endpoint naming policy
The info of the Satellite Connector
The Satellite Connector ID
Example:
A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J
The IAM Token which has access to create endpoints under the Satellite Connector. Either token or apikey needs to be defined
Example:
fake_iam_token
The API Key which has access to create endpoints under the Satellite Connector. Either token or apikey needs to be defined
Example:
fake_api_token
curl -X PUT -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "connector_id": "A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J", "token" : "fake_iam_token" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/migrate2connector'
Response
The destinations which were migrated successfully
- migrated
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The new name of the endpoint if it is renamed by running the API with 'force=true' query parameter
Example:
My-Destination
The destinations which failed to be migrated
- failed
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The reason of the failure
Example:
The specified name already exists
The suggested steps to resolve the failure
Example:
Endpoint name should be unique under each Connector, please rename the destination before migration
Status Code
Request was successful
No Sample Response
Migrate the destination to Satellite Connector
Migrate this destination to Satellite Connector
PUT /v1/sgconfig/{gatewayID}/destinations/{destinationID}/migrate2connector
Request
Custom Headers
Expected in form Bearer JWT, where JWT is the security token
Path Parameters
The Gateway ID
The destination ID
Query Parameters
Whether to force renaming the destination if it cannot satisfy the Satellite Connector endpoint naming policy
The info of the Satellite Connector
The Satellite Connector ID
Example:
A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J
The IAM Token which has access to create endpoints under the Satellite Connector. Either token or apikey needs to be defined
Example:
fake_iam_token
The API Key which has access to create endpoints under the Satellite Connector. Either token or apikey needs to be defined
Example:
fake_api_token
curl -X PUT -H 'Authorization: Bearer <IAM token>' -H 'Content-Type: application/json' -d '{ "connector_id": "A2FbRFtwNfatanQRLjrujBKmVmfOk7NjXYZIWAoVLNfd1PTXJ93aH3J", "token" : "fake_iam_token" }' 'https://sgmanager.us-south.securegateway.cloud.ibm.com/v1/sgconfig/{gateway_id}/destinations/{destination_id}/migrate2connector'
Response
The destinations which were migrated successfully
- migrated
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The new name of the endpoint if it is renamed by running the API with 'force=true' query parameter
Example:
My-Destination
The destinations which failed to be migrated
- failed
The destination ID
Example:
qCTv6Onseiy_qVuvq
The name of the destination
Example:
My Destination
The reason of the failure
Example:
The specified name already exists
The suggested steps to resolve the failure
Example:
Endpoint name should be unique under each Connector, please rename the destination before migration
Status Code
Request was successful