bluemix-secure-gateway
The Secure Gateway SDK for Bluemix contains a set of javascript wrapper APIs for Secure Gateway REST calls to
the Bluemix Secure Gateway service.
Usage
To be used in conjunction with the Secure Gateway for Bluemix accounts and other services.
Developing
You can develop javascript applications with this SDK, nodejs is required.
Initialization
The SDK can be initialized with the following command:
var sdk = require('bluemix-secure-gateway');
Once the SDK has been initialized, we can set the defaults for an environment. Default options that can be set include:
basepath
- The basepath of the Secure Gateway Service REST API.
Region | basepath |
---|
US South (Default) | sgmanager.ng.bluemix.net |
US East | sgmanager.us-east.bluemix.net |
United Kingdom | sgmanager.eu-gb.bluemix.net |
Germany | sgmanager.eu-de.bluemix.net |
Sydney | sgmanager.au-syd.bluemix.net |
orgID
- The Bluemix Organization ID for the Secure Gateway Service being accessed. This is only required if creating or listing gateways.spaceID
- The Bluemix Space ID for the Secure Gateway Service being accessed. This is only required if creating, describing, or listing gateways.username
- A Bluemix username which is in the Org and Space provided. This is only needed if creating, describing, or listing gateways.password
- The Bluemix password associated with the Bluemix username provided.token
- An authentication token retrieved from Bluemix SSO. This can be used in place of the username and password and must be associated with the Org and Space provided.
var env = sdk.defaults ({
'username': <Bluemix user name>,
'password': <Bluemix password>
})
Creating and Managing Gateways
Creating a Gateway
env.createGateway(options, function(error, gateway))
Options:
desc
- (Required) A description of this gateway. Must be a String.enf_tok_sec
- Whether to require the security token when connecting the client. Must be a boolean. Defaults to true.token_exp
- Number of days until the associated security token expires. Defaults to 90 (enter 0 for never expiring).
On success, a gateway object is returned. Use the destination functions on this gateway to manage the destinations under this gateway.
Describing a Gateway
env.getGateway(options, function(error, gateway))
Options:
id
- The Gateway ID, this is accessible from the Secure Gateway UI or the list callsecurityToken
- The Gateway Security Token
Returns a gateway object on success.
Listing Gateways
env.listGateways (options, function(error, array))
Options:
type
- (optional) Either enabled
or disabled
.
Returns an array of all gateways associated with the org and space on success.
Regenerating Gateway Authorization
gateway.regenAuthorization(function(error, gateway))
Returns the updated gateway object.
Updating a Gateway
gateway.updateGateway(options, function(error, gateway))
Options:
desc
- Updated description of the gatewayenabled
- Enable or disable the gateway. Should be a Booleanenf_tok_sec
- Whether to require the security token when connecting the client. Must be a boolean.regen_token
- Whether to regenerate the associated security token. Defaults to false. Must be a boolean.token_exp
- Number of days until the associated security token expires. Defaults to 90. Ignored if regen_token is false or not provided.
Deleting a Gateway
gateway.deleteGateway(function(error))
Deletes the gateway and returns an error if one occurred.
Creating and Managing Destinations
Creating and managing destinations is done by calling the functions below on the gateway object returned from the gateway functions.
Creating a Destination
gateway.createDestination(options, function(error, destination))
Options:
desc
- (Required) A description of the destination. This must a be a String.ip
- (Required) The hostname or ip of the destination.port
- (Required) The port of the destinationclientPort
- This will be a cloud destination. This is the port the client will listen on for an incoming connection.protocol
- The protocol of the destination, one of TCP, UDP, TLS, HTTP, or HTTPS. The default is TCP.TLS
- One of serverside, mutualauth, or none. Defaults to none. Is only compatible with the TLS protocol.sni
- Server name for the SNI (Server Name Indication) TLS extensions.enable_client_tls
- Enable TLS for the final outbound connection to the destination. Expected to be a Boolean. Defaults to false.client_tls
- Either mutualauth or none. Is only compatible with enable_client_tls true. Defaults to none.private
- Whether iptable rules will be enforced on the cloud host:port connection point. Not supported for cloud destinations. Must be a boolean. Defaults to false.
Updating a Destination
gateway.updateDestination(options, function(error, destination))
Options:
id
- (Required) ID of the destination to updatedesc
- A description of the destination. This must a be a String.enabled
- Enable or disable the destination. Should be a Boolean.ip
- The hostname or ip of the destination.port
- The port of the destination.clientPort
- The port the client will listen on for an incoming connection for cloud destinations. If sent to an on-premises destination, an error will be returned.protocol
- The protocol of the destination, one of TCP, UDP, TLS, HTTP, or HTTPS. The default is TCP.TLS
- One of serverside, mutualauth, or none. Defaults to none. Is only compatible with the TLS protocol.sni
- Server name for the SNI (Server Name Indication) TLS extensions.enable_client_tls
- Enable TLS between the client and the final destination. Expected to be a Boolean.client_tls
- Either mutualauth or none. Is only compatible with enable_client_tls true.private
- Whether iptable rules will be enforced on the cloud host:port connection point. Not supported for cloud destinations.
Listing Destinations
gateway.listDestinations(options, function(error, array_of_destinations))
Options:
enabled
- Whether to only include enabled or disabled destinations. Should be a Boolean. If not specified all destinations will be returned.
Returns all destinations associated with the gateway
Describing A Destination
gateway.getDestination(options, function(error, destination))
Options:
id
- ID of the destination to be retrieved
Deleting a Destination
gateway.deleteDestination(options, function(error))
Options:
id
- ID of the destination to be deleted
Uploading Destination Certificates
gateway.uploadDestinationCert(options, function(err, destination))
Options:
id
- ID of the destination these certificates belong to.server_cert_filepath
- Filepath of the server cert to be uploadedclient_cert_filepath
- Single filepath or an array of up to 6 filepaths of the client certs to be uploadeddest_cert_filepath
- Filepath of the certificate the client should use to identify itself for TLS purposesdest_key_filepath
- Filepath of the key the client should use to identify itself for TLS purposes
Downloading Destination Certs and Keys
gateway.downloadDestinationCerts(options, function(err[, array_of_objects]))
Options:
id
- ID of the destination whose certs are to be downloadedfilepath
- Filepath where the zip file should be saved. If none provided, response will be an array of objects {name, contents} instead of a zip
Downloading Specific Destination Certificates
gateway.downloadCertsByName(options, function(err[, array_of_objects]))
Options:
id
- ID of the destination these certificates belong to.filenames
- String of filenames separated by spaces or an array of filenamesfilepath
- Filepath where the zip file should be saved. If none provided, response will be an array of objects {name, contents} instead of a zip
Deleting Destination Certificates
gateway.deleteDestinationCerts(options, function(err, destination))
Options:
id
- ID of the destination these certificates belong to.filenames
- String of filenames separated by spaces or an array of filenames
Auto Generating Destination Certificate/Private Key
gateway.generateDestinationCerts(options, function(err))
Options:
id
- ID of the destination to generate cert and key forclient
- Whether the generated cert and key are for destination-side TLS Mutual Auth (determined by destination properties enable_client_tls
and client_tls
) or for server side TLS Mutual Auth (determined by destination properties protocol
and TLS
). False will generate for server side TLS Mutual Auth, true will generate for destination-side TLS Mutual Auth. Should be a boolean. Default to false.
This generates a cert and key for a TLS: Mutual Auth destination on either destination side or server side.
Adding an IP Table Rule
gateway.addIPTableRule(destination_id, options, function(err))
Destination must be set to private in order to add and enforce iptable rules. If you want to set multiple rules at once, you can send an array of options.
Options:
src
- IP to allow to connect. If no src or src_range provided, all IPs will be allowed for this rule.src_range
- Range of IPs (using the form 1.1.1.1-2.2.2.2
) to allow (src and src_range cannot be sent in the same object).spt
- Port or range of ports to allow (using the form 5000:5005
for a range). If none provided, all ports will be allowed for this rule.app
- Desired ID to associate with the rule. If used, any other rule given the same ID will overwrite this one
Removing an IP Table Rule
gateway.removeIPTableRule(destination_id, options, function(err))
Destination must be set to private in order to add and enforce iptable rules. Rules may be removed all at once or one at a time (via individual calls). If removing individually, these values should match exactly what was provided when adding them.
Options:
src
- IP to match for removal.src_range
- Range of IPs (using the form 1.1.1.1-2.2.2.2
) to allow match for removal (src and src_range cannot be sent in the same object).spt
- Port or range of ports to match for removal (using the form 5000:5005
for a range).all
- Must be a boolean. If true, will remove all iptable rules associed with the destination. Defaults to false.
Importing and Exporting
Exporting a Service
env.exportService([filepath,] function(error[, gateways]))
Exports the gateways and their destinations as a JSON object. If a filepath is provided, a <filepath>/service.config
file will be written containing the response (NOTE: this will overwrite any existing file with the same name). Otherwise, the response will be returned as the second argument of the callback. The downloaded file can be used with the env.importService
function to recreate the gateways and destinations.
Importing a Service
env.importService(filepath, function(error, array))
Filepath is the path to the service.config file from an exported service. This imports the gateways and their destinations into the org/space specified in the defaults. On success, an array of gateway objects will be returned.
Exporting a Gateway
gateway.exportGateway([filepath,] function(error[, gateway]))
Exports the gateway and its destinations as a JSON object. If a filepath is provided, a <filepath>/<gateway_id>.gateway
file will be written containing the response (NOTE: this will overwrite any existing file with the same name). Otherwise, the response will be returned as the second argument of the callback. The downloaded file can be used with the env.importGateway
function to recreate the gateway and destinations.
Importing a Gateway
env.importGateway(filepath, function(error, gateway))
Filepath is the path to the *.gateway file from an exported gateway. This imports the gateway and its destinations into the org/space specified in the defaults. On success, a gateway object will be returned.
Exporting a Destination
gateway.exportDestination(options, function(error[, destination]))
Exports the destination as a JSON object. If a filepath is provided, a <filepath>/<destiantion_id>.destination
file will be written containing the response (NOTE: this will overwrite any existing file with the same name). Otherwise, the response will be returned as the second argument of the callback. The downloaded file can be used with the gateway.importDestination
function to recreate the destination.
Options:
id
- (Required) ID of the destination to export.filepath
- Location to write the <id>.destination
file.
Importing a Destination
gateway.importDestination(filepath, function(error, destination))
Filepath is the path to the *.destination file from an exported destination. This imports the destination into the gateway. On success, the imported destination will be returned as a JSON object.
Managing Clients
Getting Connected Clients
gateway.getClientList(function(err, client_id_array))
Returns an array of objects {id, version} that are currently connected to the gateway.
Getting Client status
gateway.getClientStatus(client_id, function(err, status))
Returns Connected
or Disconnected
for the specified client ID.
Disconnecting Clients
Note: This is only supported for clients >= v1.4.2
gateway.disconnectClients(client_id_array, function(err))
Getting Recently Disconnected Clients
gateway.getDisconnectedClients(function(err, client_id_array))
Returns an array of objects {id, disconnectedAt} containing up to the last 10 clients that disconnected from the gateway.
Getting Client Logs
gateway.getClientLogs([options,] function(err, logs))
Returns an object keyed by the clientID that contains a warnings object and an errors object. Each of these objects contain log messages keyed by timestamp (e.g., {warnings: {<timestamp>:<message>}}
)
Options:
clientID
- Specific client ID to return the logs fortype
- Either warn
or error
, only that type of log will be returned
Client Installer Information
Getting Client Installer Information
env.getInstallerList(function(err, array_of_descriptions))
Returns an array of objects {description, url} for each installer we currently offer.