The Mainframe in the Age of the API Economy
17 November 2016 | IBM Client Center, Bois Colombes
Govern, Aggregate, Secure your APIs
Aymeric Affouard, Digital Transformation Specialist
API Economy Value Chain
Existing Enterprise IT Investments
Exposed as APIs
Self Service Consumed by Developers
To Develop Innovative Apps
Delivering Differentiated B2C, B2B, B2E Experiences
Consumer, Provider
API Economy Actors
API Developer
• How do I create APIs?
• How do I manage security?
• How do I test my APIs?
App Developer
• Where do I access APIs?
• How do I understand the APIs?
• How do I measure success?
API Product Manager
• How can I rapidly release & update my APIs?
• How do I publicize my API?
• How do I measure success?
API Economy Value Chain
App Developer
API Product Mgr
API Developer
What is API Connect?
An integrated creation, runtime, management, and security foundation for enterprise-grade APIs and Microservices to power modern digital applications
What does API Connect provide?
• Automated, visual and coding options for creating APIs
• Node.js and Java support for creating Microservices
• Integrated enterprise-grade clustering, management and security for Node.js and Java
• Lifecycle and governance for APIs, Products and Plans
• Access control over APIs, API Plans and API Products
• Advanced API usage analytics
• Customizable, self service developer portal for publishing APIs
• Policy enforcement, security and control
Create, Run, Manage, Secure
Simplified & Comprehensive API foundation
Consumer (Systems of Engagement)
Secure
• API Policy Enforcement
• Enterprise Security
• Traffic control & mediation
• Workload optimization
• Monitoring/Analytics Collection
Manage
• API Discovery
• API, Plan, Product, Policy Creation
• API, Plan, Product Version & Lifecycle Management
• Self-service App Developer Portal
• API Monitoring & Analytics
• Subscription & Community Management
Create & Run (Node / Java)
• Develop & Compose Microservices
• Connect Microservices to data sources
• Build, deploy, scale Microservices
• Monitor & debug Microservices
• Unified Node & Java Runtime Mgmt
z System / Legacy Apps
Cloud Service
Application Server
ESB / Middleware
Data Store
Provider (Systems of Record)
API Gateway
APIC managed Microservices Traffic
API Traffic
Deployment Options:
Bluemix Public, Bluemix Dedicated
On Premise or Customer Cloud
Where does API Connect fit?
App Developer
API Connect components
API Gateway
• Authenticate App or User
• Verify access rights
• Enforce API security flow
• Modify API interface
Developer Portal
• Create a user account
• Browse the catalog of APIs
• Test APIs
• Subscribe to API plans
• Rate/Comment on APIs
API Manager
• Define organizations
• Create Assemble flow for existing APIs
• Configure API Gateway
• Manage Subscriptions
• Monitor usage
Security or
Compute Policies
zCEE APIs
CICS
App Developer
API Gateway | Description | Recommendation
Micro Gateway | Node.js in Liberty Collective | Internal consumption of API; collocation with runtimes; inherits platform cryptography accelerations
IBM DataPower Gateway – Virtual Appliance | Virtual image running on a hypervisor | Enterprise API gateway
IBM DataPower Gateway – Physical Appliance | Physical box | API for consumption by external (e.g. mobile, web, IoT, 3rd party) or business partner apps in the DMZ
API Gateway choices
MicroGateway
API Gateway Policies
DataPower
API Connect | Essentials (Free) | Professional | Enterprise
Built For | Developer | Department; Single project | Departments & Cross-enterprise
Gateways included | MicroGateway | MicroGateway | DataPower Virtual, MicroGateway
Upgrades available | DataPower Virtual, DataPower Physical | DataPower Virtual, DataPower Physical | DataPower Physical
• All editions of API Connect provide integration with DataPower as the API Gateway
• API Connect Enterprise includes DataPower Gateway Virtual Edition to provide
comprehensive API Gateway security, traffic management, mediation & optimization
functionality for enterprise deployments
• Is the upgrade path for existing IBM API Management v4 clients
• API Connect Essentials and Professional are powered by a programmable MicroGateway that
empowers developers and supports single departmental/small projects starting their API
journey
• Option to utilize DataPower Gateway to meet advanced, enterprise-grade API Gateway
needs
API Connect offerings
Services on IMS
Systems of Record
Systems of Engagement
Management +
Runtime gateway enforcement
• Discover z/OS Connect REST APIs
• Secure access to z/OS Connect REST APIs
• Provide self-service & social experience to API consumers on a built-in developer portal
• Enforce runtime rate limits, and throttle impact to z/OS systems
• Manage API subscribers with API lifecycle & Analyze API usage
Developer portal API analytics
API Connect with z/OS Connect
Services on DB2
Services on CICS
© 2016 IBM Corporation
Demonstration 1: API Connect
Manage and Secure z/OS Connect API
z/OS Connect
CICS
z/OS
SGClient
AAA
APIGW
DataPower:
1. Secure Gateway Client
2. AAA
3. API Gateway
Demo architecture
Web App
z Systems
LDAP
1. Control access to the API (define rate limits)
2. Secure the API (authorize client applications)
3. Transform JSON messages
API Manager
Developer Portal
API Connect components
API Gateway
API Gateway
Create Assemble Flow
and Publish
1
2
Retrieve API
Swagger definition
3
[Publish]
Configure API Gateway
4
[Publish]
Make API available
zCEE APIs
From the API Manager an existing API can be
discovered, secured and managed.
CICS
App Developer
Secure and manage API
The API is designed with parameters at the API level and at the Product level.
API Design view
Product Design view
z/OS Connect response API Connect response
Change JSON object names in request message
Change JSON structure of response message
Modify API interface (Part 1 of 2)
The Assemble Flow allows us to modify the API interface. For example, the JSON structure and the names of JSON objects can be changed in JSON request and response messages.
API Connect request z/OS Connect request
API Gateway: modify API (Part 2 of 2)
1. If “Order” operation then Map JSON; otherwise proceed to next step.
2. Send modified request to z/OS Connect EE API
3. Change JSON structure of response message
Summary
API Connect components
API Gateway: DataPower Gateway
API Management Node
Developer Portal
CICS
API Gateway
DataPower
App Developer
API Management Node
Developer Portal
CICS
Collective Controller
Collective Member
Node.js
Web Router
Micro Gateway
Liberty Collective
Linux on z
API Connect components
API Gateway: Micro Gateway
App Developer
Node.js: under the cover
WebSphere Application Server Family
Light weight production runtime
for rapid web and cloud-based
application development and
deployment
• Fast and easy download
(<100MB footprint)
• 1 Minute install and deploy
• Ideal runtime for
Microservices
• Start in less than 5 seconds
Flexible, secure Java server runtime
environment for enterprise
applications, provides advanced
performance, redundancy and
programming models
• Security and support for
single, mid-sized to large scale
server deployments
• Web tier clustering over
multiple application server
instances
• IHS load balancing up to 25
servers
• Includes Java Message Service;
JDBC; Java Batch; Full EJB, and
more
Advanced runtime environment for
large-scale and mission critical
application deployments, offers
near continuous availability and
Intelligent Management
capabilities
• Unlimited server allowance for
IHS load balancing
• Centralized Management for
Massive Scalability (thousands
of servers)
• Full Integration with Open and
z/OS platforms
• Full Caching Support (Session
& Application)
• Dynamic Routing provides a service that keeps the plug-in routing information up-to-date with the routing topology
• Auto Scaling provides automated control over all participating clusters and their members
Cluster1
Member1
AppA
Member2
AppA
Web server
Intelligent
Management
enabled
WebSphere
Plug-in
Cluster2
Member3
AppB
Member4
AppB
Collective
Controller
Dynamic
Routing
Service
Liberty Collective
Auto
Scaling
Service
Liberty Collective Topology
Creating APIs and µservices with API Connect
System APIs: APIs that pass through data from a system of record unchanged
Interaction APIs: Invoke one or more System APIs or data sources, and manipulate the returned data with new logic
Promote reuse across new applications
App
ESB
System API
WebService
System API
Interaction API
System & Interaction APIs
Manage and Secure
existing or System APIs,
regardless of back end
language or technology
Create, Run, Manage and
Secure new Interaction
APIs
WebService
System API
Manage, Secure
System API
ESB
System API
IBM z
System API
Interaction API
Manage, Secure
Create Run
API Connect enables Digital Applications
Secure
IBM z
System API
API Connect
Interaction API
{
"ca_cost": "002.90",
"in_stock": 91,
"ca_description": "Ball Pens Black 24pk",
"on_order": 0,
"ca_department": 10,
"ca_item_ref": 20
}
{
"ca_cost": "002.90",
"in_stock": 91,
"ca_description": "Ball Pens Black 24pk",
"on_order": 0,
"ca_department": 10,
"ca_item_ref": 20,
"image": "iVB0Rw0KGgoAAA…"
}
{
"reference": "20",
"image": "iVB0Rw0KGgoAAA…",
"id": "561cf1fa50c9085fb3…"
}
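The three JSON documents above are the System API response, the Interaction API response, and the image document the two were merged from. The sketch below is an added example, not code from the presentation: the function names, the field allow-list and the image size cap are assumptions, and the sample data is constructed from the slide's field names.

```javascript
// Fields the Interaction API may pass through from the System API response
// (names taken from the slide's z/OS Connect sample).
const ITEM_FIELDS = ['ca_item_ref', 'ca_description', 'ca_department',
  'ca_cost', 'in_stock', 'on_order'];
const MAX_IMAGE_B64 = 64 * 1024;            // assumed cap on the merged image
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Copy only allow-listed fields so new back-end fields are not exposed by default.
function pickItemFields(systemItem) {
  const out = {};
  for (const f of ITEM_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(systemItem, f)) out[f] = systemItem[f];
  }
  return out;
}

// Find the image for an item. The image store keys on a string "reference",
// while the catalog uses a numeric "ca_item_ref".
function findImage(imageDocs, itemRef) {
  const doc = imageDocs.find((d) => d.reference === String(itemRef));
  if (!doc || typeof doc.image !== 'string') return null;
  if (doc.image.length > MAX_IMAGE_B64 || !BASE64_RE.test(doc.image)) return null;
  return doc.image;
}

// Compose the Interaction API response: System API data plus the image.
// The image store's internal "id" is never copied to the caller.
function composeItem(systemItem, imageDocs) {
  if (!Number.isInteger(systemItem.ca_item_ref)) {
    throw new TypeError('ca_item_ref must be an integer');
  }
  const result = pickItemFields(systemItem);
  const image = findImage(imageDocs, systemItem.ca_item_ref);
  if (image !== null) result.image = image;
  return result;
}

// Constructed sample data modelled on the slide (image value shortened,
// internal_flag added to show a field that must not leak).
const sampleItem = { ca_cost: '002.90', in_stock: 91,
  ca_description: 'Ball Pens Black 24pk', on_order: 0,
  ca_department: 10, ca_item_ref: 20, internal_flag: 'X' };
const sampleImages = [
  { reference: '20', image: 'iVBORw0KGgoAAAANSUhEUg==', id: 'doc-0001' },
  { reference: '30', image: '<script>', id: 'doc-0002' },
];

console.log(composeItem(sampleItem, sampleImages));
```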
API Connect components
API Gateway only
API Management Node
Developer Portal
CICS
API Gateway
SWAGGER
App Developer
API Connect components
API Gateway + Interaction API
API Management Node
Developer Portal
CICS
API Gateway Interaction API
Developer Toolkit
Connectors
App Developer
LoopBack App
Offerings: Essentials (No Charge)
Connectors:
• Basic Connectors: REST, MySQL, PostgreSQL, MongoDB, Redis, Couchbase, Cloudant, Neo4j, Kafka, z/OS Connect*, Whisk, Memory
• Advanced Connectors for Dev/Test
Offerings: Professional / Enterprise
Connectors: = Essentials +
• Advanced Connectors for dev, test or production use: SOAP, DB2, DB2 for z/OS, Oracle, MS SQL, SAP HANA
LoopBack connectors
In order to retrieve data from different sources, a LoopBack application uses connectors.
Some connectors are provided by IBM (see below) and others are provided by the open
source community.
* Statements regarding IBM future direction and intent are subject to change or withdrawal, and represent goals and objectives only.
© 2015 IBM Corporation
z/OS Connect EE connector (Part 1 of 2)
• z/OS Connect EE loopback connector facilitates the integration of
z/OS Connect EE with API Connect (LoopBack application).
• Based on the REST loopback connector:
₋ Allows discovery of z/OS Connect EE APIs
₋ Generates a REST operations template
• Installation
npm install --save loopback-connector-zosconnectee
₋ Installs the connector and a tool called apic-zosconnectee
z/OS Connect EE connector (Part 2 of 2)
Diagram: LoopBack app, z/OS Connect EE LoopBack connector
1. Install new data source: tell the connector which z/OS Connect EE instance you want to work with
2. Discover z/OS Connect EE services: discover APIs and choose the one you want to work with
3. Generate template and call API operations from LoopBack app: generate a template the REST connector will use
Demonstration 2: API Connect
Create Interaction API
Manage and Secure this Interaction API with
1. DataPower Gateway (Web Channel)
2. Micro Gateway (Mobile Channel)
z/OS Connect
CICS
Cloudant
z/OS
SGClient
AAA
APIGW
DataPower:
1. Secure Gateway Client
2. AAA
3. API Gateway
IBM CC Mop zAPI Demos
Web App
Mobile App
z Systems
Interaction API
MicroGateway
MobileFirst Server
LDAP
Security scenario flow detail
Diagram labels: Bluemix; Jean Leclerc; userID/pwd; HTTPS/JSON; SGClient; AAA; APIGW; LDAP; LoopBack app; HTTPS/JSON, identity in token; z/OS Connect; z/OS; RACF; CICS; COMMAREA + mapped identity
RACMAP ID(EMPLOY1) MAP
USERDIDFILTER(NAME('UID=JeanLeclerc,OU=employees,O=mop,C=fr'))
REGISTRY(NAME('*'))
1. User logs into Bluemix application using "distributed" user ID (“JeanLeclerc”) and password
2. IDG authenticates user in LDAP and forwards distributed ID in LTPA token to API Connect
3. API Connect checks the Bluemix application client ID
4. z/OS Connect validates LTPA token and maps distributed ID to a RACF user ID
5. RACF user ID used for authorization checking, i.e. is the user authorized to call the API
6. Audit request (distributed and RACF IDs)
7. RACF user ID passed to CICS for transaction authorization
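Steps 4 to 6 as a small model, added here as an example; it is not part of the presentation and not RACF's or z/OS Connect's implementation. It goes slightly beyond the slide by also handling a partial filter made of trailing RDNs only. The `EMPGEN` user ID, the `PERMITS` table, the operation names and the normalisation rule (attribute types case-insensitive, values case-sensitive, escaped DNs refused) are assumptions.

```javascript
// Simplified model of steps 4 to 6; not RACF's or z/OS Connect's own logic.
// First filter is the RACMAP from the slide; the second is a constructed
// partial filter (trailing RDNs only) with a hypothetical user ID.
const FILTERS = [
  { racfId: 'EMPLOY1', registry: '*',
    dn: 'UID=JeanLeclerc,OU=employees,O=mop,C=fr' },
  { racfId: 'EMPGEN', registry: '*', dn: 'OU=employees,O=mop,C=fr' },
];
// Constructed permissions: operations each mapped user ID may call.
const PERMITS = { EMPLOY1: ['POST /orders', 'GET /items'], EMPGEN: ['GET /items'] };

// Split a DN into RDNs. Assumed normalisation: attribute types are upper-cased
// and blanks trimmed; values stay case-sensitive. Escaped DNs are refused.
function parseDn(dn) {
  if (typeof dn !== 'string' || dn.includes('\\')) return null;
  const rdns = dn.split(',').map((part) => {
    const i = part.indexOf('=');
    const type = i < 0 ? '' : part.slice(0, i).trim().toUpperCase();
    const value = i < 0 ? '' : part.slice(i + 1).trim();
    return type && value ? `${type}=${value}` : null;
  });
  return rdns.includes(null) ? null : rdns;
}

// Return the user ID of the most specific filter whose RDNs equal the
// trailing RDNs of the presented DN, or null when nothing maps.
function mapIdentity(dn, registry, filters = FILTERS) {
  const user = parseDn(dn);
  if (!user) return null;
  let best = null;
  for (const f of filters) {
    const want = parseDn(f.dn);
    if (!want || want.length > user.length) continue;
    if (f.registry !== '*' && f.registry !== registry) continue;
    const tail = user.slice(user.length - want.length);
    const hit = want.every((rdn, k) => rdn === tail[k]);
    if (hit && (!best || want.length > best.len)) {
      best = { racfId: f.racfId, len: want.length };
    }
  }
  return best ? best.racfId : null;
}

// Steps 4 to 6: map, authorize with the mapped ID, audit both identities.
// An unmapped identity is denied rather than given a default user ID.
function handleRequest(dn, registry, operation) {
  const racfId = mapIdentity(dn, registry);
  const allowed = racfId !== null && (PERMITS[racfId] || []).includes(operation);
  return { distributedId: dn, registry, racfId, operation,
    decision: allowed ? 'ALLOW' : 'DENY' };
}

console.log(handleRequest('UID=JeanLeclerc,OU=employees,O=mop,C=fr',
  'ldap.example', 'POST /orders'));
```

The audit record keeps the distributed identity exactly as presented alongside the mapped user ID, so a deny caused by a value that differs only in case can be traced afterwards.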
IBM CC Mop zAPI Demos
z/OS Connect
IMS
Cloudant
z/OS
Mobile App
z Systems
Interaction API
MicroGateway
MobileFirst Server
LDAP
Strava, …
API Connect components
API Management Node
Developer Portal
Developer Toolkit
Collective Controller
API Gateway
DataPower
Collective Member
Node.js
Web Router
Interaction API
Liberty Collective
Linux on z
REST Connector
z/OS Connect EE Connector
Cloudant Connector
CICS
App Developer
API Connect components
API Management Node
Developer Portal
Developer Toolkit
Collective Controller
Collective Member
Node.js
Web Router
Interaction API
Liberty Collective
Linux on z
REST Connector
z/OS Connect EE Connector
Cloudant Connector
CICS
Collective Controller
Collective Member
Node.js
Web Router
Micro Gateway
Liberty Collective
Linux on z
App Developer
API Connect components
API Management Node
Developer Portal
Developer Toolkit
Collective Controller
Collective Member
Node.js
Web Router
Interaction API
Liberty Collective
Linux on z
REST Connector
z/OS Connect EE Connector
Cloudant Connector
CICS
Micro Gateway
App Developer
More information
— IBM API Connect: http://www.ibm.com/software/products/en/api-connect
— IBM API Connect Knowledge Center: http://www.ibm.com/support/knowledgecenter/SSMNED
— IBM API Connect Dev Center: https://developer.ibm.com/apiconnect
More information – API Connect Video
Notes and Disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.