Le Mainframe à l’heure de l’API Economy17 novembre 2016|IBM Client Center, Bois Colombes

Z

Gouverner, Agréger, Sécuriser vos APIs

Aymeric AffouardDigital Transformation Specialist

aymeric.affouard@fr.ibm.com

API Economy Value Chain

Existing Enterprise IT

Investments

Exposed

as APIs

Self Service Consumed by

Developers

To Develop Innovative Apps

Delivering

Differentiated B2C, B2B, B2E

Experiences

Consumer Provider

{ }

API Economy Actors

API Developer

• How do I create APIs?• How do I manage security?• How do I test my APIs?

App Developer

• Where do I access APIs?• How do I understand the APIs?• How do I measure success?

API Product Manager

• How can I rapidly release & update my APIs?• How do I publicize my API?• How do I measure success?

API Economy Value Chain

Existing Enterprise IT

Investments

Exposed

as APIs

Self Service Consumed by

Developers

To Develop Innovative Apps

Delivering

Differentiated B2C, B2B, B2E

Experiences

Consumer Provider

{ }

App Developer

APIProduct Mgr

APIDeveloper

What is API Connect?An integrated creation, runtime, management, and security

foundation for enterprise grade API’s and Microservices to

power modern digital applications

What does API Connect provide?• Automated, visual and coding options for creating APIs

• Node.js and Java support for creating Microservices

• Integrated enterprise grade clustering, management and security

for Node.js and Java

• Lifecycle and governance for APIs, Products and Plans

• Access control over API’s, API Plans and API Products

• Advanced API usage analytics

• Customizable, self service developer portal for publishing APIs

• Policy enforcement, security and control

Create Run

ManageSecure

Simplified & Comprehensive API foundation

Consumer (Systems of Engagement)

SecureAPI Policy Enforcement

Enterprise Security Traffic control & mediation

Workload optimizationMonitoring/Analytics Collection

ManageAPI Discovery

API, Plan, Product, Policy CreationAPI, Plan, Product Version & Lifecycle

ManagementSelf-service App Developer Portal

API Monitoring & Analytics

Subscription & Community Management

Create & Run (Node / Java)

Develop & Compose Microservices

Connect Microservices to data

sourcesBuild, deploy, scale

MicroservicesMonitor & debug MicroservicesUnified Node & Java Runtime

Mgmt

z System / Legacy Apps

Cloud Service

Application Server

ESB / Middleware

Data Store

Provider (Systems of Record)

API Gateway

AP

IC m

an

ag

ed

Mic

roserv

ices T

raff

ic

API Traffic

Deployment Options:

Bluemix Public, Bluemix Dedicated

On Premise or Customer Cloud

Where does API Connect fit?

App Developer

• Authenticate App or User

• Verify access rights

• Enforce API security flow

• Modify API interface

API ManagerDeveloper Portal

API Connect components

API Gateway

API Gateway

• Create a user account

• Browse the catalog of APIs

• Test APIs

• Subscribe to API plans

• Rate/Comment on APIs

• Define organizations

• Create Assemble flow for existing APIs

• Configure API Gateway

• Manage Subscriptions

• Monitor usage

Security or

Compute Policies

zCEE APIs

CICS

App Developer

API Gateway Description Recommendation

Micro Gateway Node.js in Liberty

Collective

Internal consumption of API

Collocation with runtimes

Inherit of platform cryptography

accelerations

IBM DataPower Gateway –

Virtual Appliance

Virtual image running

on a hypervisor

Enterprise API gateway

IBM DataPower Gateway –

Physical Appliance

Physical box API for consumption by external (e.g.

mobile, web, IoT, 3rd party) or

business partner apps in the DMZ

API Gateway choices

MicroGateway

API Gateway Policies

DataPower

API Connect Essentials (Free) Professional Enterprise

Built For Developer Department;

Single project

Departments &

Cross-enterprise

Gateways included

MicroGateway MicroGateway

DataPower Virtual

MicroGateway

Upgrades available DataPower Virtual

DataPower Physical

DataPower Virtual

DataPower Physical DataPower Physical

• All editions of API Connect provide integration with DataPower as the API Gateway

• API Connect Enterprise includes DataPower Gateway Virtual Edition to provide

comprehensive API Gateway security, traffic management, mediation & optimization

functionality for enterprise deployments

• Is the upgrade path for existing IBM API Management v4 clients

• API Connect Essentials and Professional are powered by a programmable MicroGateway that

empowers developers and supports single departmental/small projects starting their API

journey

• Option to utilize DataPower Gateway to meet advanced, enterprise-grade API Gateway

needs

API Connect offerings

Services on IMS

Systems of RecordSystems of Engagement

Management +

Runtime gateway enforcement

• Discover z/OS Connect REST APIs

• Secure access to z/OS Connect REST APIs • Provide self-service & social experience to API consumers on a built-in developer portal

• Enforce runtime rate limits, and throttle impact to z/OS systems

• Manage API subscribers with API lifecycle & Analyze API usage

Developer portal API analytics

API Connect with z/OS Connect

Services on DB2

Services on CICS

12 © 2016 IBM Corporation12 © 2016 IBM Corporation

Demonstration 1API Connect

Manage and Secure z/OS Connect API

z/OS Connect

CICSCICS

z/OS

SGClient

SGClient

AAAAAAAPIGWAPIGW

DataPower :1. Secure Gateway Client

2. AAA

3. API Gateway

Demo architecture

Web App

z Systems

LDAP1. Control access to the API (define rate limits)

2. Secure the API (authorize client applications)

3. Transform JSON messages

API ManagerDeveloper Portal

API Connect components

API Gateway

API Gateway

Create Assemble Flow

and Publish

1

2

Retrieve API

Swagger definition

3

[Publish]

Configure API Gateway

4

[Publish]

Make API available

zCEE APIs

From the API Manager an existing API can be

discovered, secured and managed.

CICS

App Developer

Secure and manage API

The API is designed with parameters at the API level and at the Product level.

API Design view

Product Design view

z/OS Connect response API Connect response

Change JSON object names in request message

Change JSON structure of response message

Modify API interface (Part 1 of 2) The Assemble Flow allows us to modify the API interface. For example the JSON structure

and names of JSON objects can be changed in JSON request and response messages.

API Connect request z/OS Connect request

API Gateway: modify API (Part 2 of 2)

1

If “Order” operation

then Map JSON;

otherwise proceed

to next step.

2

Send modified

request to z/OS

Connect EE API

3

Change JSON

structure of

response message

18 © 2016 IBM Corporation18 © 2016 IBM Corporation

Summary

API Connect componentsAPI Gateway: DataPower Gateway

API Management NodeDeveloper Portal

CICS

API GatewayDataPower

App Developer

API Management NodeDeveloper Portal

CICS

Collective Controller

Collective MemberNode.js

Web Router

Micro Gateway

Liberty Collective

Linux on z

API Connect componentsAPI Gateway: Micro Gateway

App Developer

Node.js: under the cover

22

WebSphere Application Server Family

Light weight production runtime

for rapid web and cloud-based

application development and

deployment

• Fast and easy download

(<100MB footprint)

• 1 Minute install and deploy

• Ideal runtime for

Microservices

• Start in less than 5 secondes

Flexible, secure Java server runtime

environment for enterprise

applications, provides advanced

performance, redundancy and

programming models

• Security and support for

single, mid-sized to large scale

server deployments

• Web tier clustering over

multiple applications server

instances

• IHS load balancing up to 25

servers

• Includes Java Message Service;

JDBC; Java Batch; Full EJB, and

more

Advanced runtime environment for

large-scale and mission critical

application deployments, offers

near continuous availability and

Intelligent Management

capabilities

• Unlimited server allowance for

IHS load balancing

• Centralized Management for

Massive Scalability (thousands

of servers)

• Ful Integration with Open and

z/OS platforms

• Full Caching Support (Session

& Application)

• Dynamic Routing provides a service that keeps the plug-in routing information up-to-date with the routing topology

• Auto Scaling provides automated control over all participating clusters and their members

Cluster1

Member1

AppA

Member2

AppA

Web server

Intelligent

Management

enabled

WebSphere

Plug-inCluster2

Member3

AppB

Member4

AppB

Collective

Controller

Dynamic

Routing

Service

Liberty Collective

Auto

Scaling

Service

Liberty Collective Topology

24 © 2016 IBM Corporation24 © 2016 IBM Corporation

Creating APIsand �services

with API Connect

Consumer (Systems of Engagement)

SecureAPI Policy Enforcement

Enterprise Security Traffic control & mediation

Workload optimizationMonitoring/Analytics Collection

ManageAPI Discovery

API, Plan, Product, Policy CreationAPI, Plan, Product Version & Lifecycle

ManagementSelf-service App Developer Portal

API Monitoring & Analytics

Subscription & Community Management

Create & Run (Node / Java)

Develop & Compose Microservices

Connect Microservices to data

sourcesBuild, deploy, scale

MicroservicesMonitor & debug MicroservicesUnified Node & Java Runtime

Mgmt

z System / Legacy Apps

Cloud Service

Application Server

ESB / Middleware

Data Store

Provider (Systems of Record)

API Gateway

AP

IC m

an

ag

ed

Mic

roserv

ices T

raff

ic

API Traffic

Deployment Options:

Bluemix Public, Bluemix Dedicated

On Premise or Customer Cloud

Where does API Connect fit?

App Developer

System APIs:APIs that pass through data from

a system of record unchanged

Interaction APIs:Invoke one or more System

API’s or data sources, and

manipulate the returned data

with new logic

Promote reuse across new

applications

App

ESB

System API

WebService

System API

TH GS

INwww

Interaction API

System & Interaction APIs

Manage and Secure

existing or System APIs,

regardless of back end

language or technology

Create, Run, Manage and

Secure new Interaction

APIs

WebService

System API

ManageSecure

System API

ESBSystem API

IBM z

System API

Interaction API

ManageSecure

Create Run

API Connect enables Digital Applications

Secure

IBM z

System API

AP

I Co

nn

ect

……

…

Interaction API

{

"ca_cost": "002.90",

"in_stock": 91,

"ca_description": "Ball Pens Black 24pk",

"on_order": 0,

"ca_department": 10,

"ca_item_ref": 20

}

{

"ca_cost": "002.90",

"in_stock": 91,

"ca_description": "Ball Pens Black 24pk",

"on_order": 0,

"ca_department": 10,

"ca_item_ref": 20,

"image": "iVB0Rw0KGgoAAA…"

}

{

"reference": "20",

"image": "iVB0Rw0KGgoAAA…",

"id": "561cf1fa50c9085fb3…",

}

API Connect componentsAPI Gateway only

API Management NodeDeveloper Portal

CICS

API Gateway

SWAGGER

App Developer

API Connect componentsAPI Gateway + Interaction API

API Management NodeDeveloper Portal

CICS

API Gateway Interaction API

Developer Toolkit

Connectors

App Developer

LoopBack App

Offerings Essentials (No Charge) Professional / Enterprise

Connectors

•Basic Connectors:

REST, MySQL, PostgreSQL,

MongoDB, Redis, Couchbase, Cloudant, Neo4j, Kafka, z/OS Connect*, Whisk, Memory,

Mail

• Advanced Connectors for

Dev/Test

= Essentials

+

• Advanced Connectors for dev,

test or production use:

SOAP, DB2, DB2 for z/OS,

Oracle, MS SQL, SAP HANA

LoopBack connectors

In order to retrieve data from different sources, a LoopBack application uses connectors.

Some connectors are provided by IBM (see below) and others are provided by the open

source community.

* Statements regarding IBM future direction and intent are subject to change or withdrawal, and represent goals and objectives only.

© 2015 IBM Corporation33

z/OS Connect EE connector (Part 1 of 2)

• z/OS Connect EE loopback connector facilitates the integration of

z/OS Connect EE with API Connect (LoopBack application).

• Based on the REST loopback connector:

₋ Allows discovery of z/OS Connect EE APIs

₋ Generates a REST operations template

• Installation

npm install --save loopback-connector-zosconnectee

₋ Installs the connector and a tool called apic-zosconnectee

© 2015 IBM Corporation34

Loopback app

z/OS Connect EE LoopBack connector

z/OS Connect EE connector (Part 2 of 2)

1

Install new

data source

2

Discover z/OS

Connect EE services

1

2

Tell the connector which z/OS Connect EE

instance you want to work with

Discover APIs and chose the one

you want to work with

3

Generate a template the REST

connector will use

3 Generate template and call API operations from

Loopback app

35 © 2016 IBM Corporation35 © 2016 IBM Corporation

Demonstration 2API Connect

Create Interaction APIManage and Secure this Interaction API with

1. DataPower Gateway (Web Channel)2. Micro Gateway (Mobile Channel)

z/OS Connect

CICSCICS

CloudantCloudant

z/OS

SGClient

SGClient

AAAAAAAPIGWAPIGW

DataPower :1. Secure Gateway Client

2. AAA

3. API Gateway

IBM CC Mop zAPI Demos

Web App

Mobile App

z Systems

InteractionAPI

MicroGatewayMicroGateway

MobileFirst Server

MobileFirst Server

LDAP

1. User logs into Bluemix application using "distributed" user ID (“JeanLeclerc”)and password

Security scenario flow detail

Bluemix

userID/pwdHTTPS/JSON

LDAP

HTTPS/JSONIdentity in token

z/OSConnect

z/OS

RACF

CICS

1

COMMAREA+ mapped identity

RACMAP ID(EMPLOY1) MAP

USERDIDFILTER(NAME('UID=JeanLeclerc,OU=employees,O=mop,C=fr'))

REGISTRY(NAME('*'))

SGClient

SGClient

AAAAAAAPIGWAPIGW

24 5

73

Jean Leclerc

6

LoopBackapp

2. IDG authenticates user in LDAP and forwards distributed ID in LTPA token to API Connect

3. API Connect checks the Bluemix application client ID

4. z/OS Connect validates LTPA token and maps distributed ID to a RACF user ID

5. RACF user ID used for authorization checking i.e is the user authorized to call the API

6. Audit request (distributed and RACF ids)

7. RACF user ID passed to CICS for transaction authorization

IBM CC Mop zAPI Demos

z/OS Connect

IMSIMS

CloudantCloudant

z/OSMobile App

z Systems

Interaction

API

MicroGatewayMicroGateway

MobileFirst Server

MobileFirst Server

LDAP

Strava, …

API Connect components

API Management NodeDeveloper Portal Developer Toolkit

Collective Controller

API GatewayDataPower

Collective MemberNode.js

Web Router

Interaction API

Liberty Collective

Linux on z

REST Connector

z/OS Connect EE Connector

Cloudant Connector

CICS

App Developer

API Connect components

API Management NodeDeveloper Portal Developer Toolkit

Collective Controller

Collective MemberNode.js

Web Router

Interaction API

Liberty Collective

Linux on z

REST Connector

z/OS Connect EE Connector

Cloudant Connector

CICS

Collective Controller

Collective MemberNode.js

Web Router

Micro Gateway

Liberty Collective

Linux on z

App Developer

API Connect components

API Management NodeDeveloper Portal Developer Toolkit

Collective Controller

Collective MemberNode.js

Web Router

Interaction API

Liberty Collective

Linux on z

REST Connector

z/OS Connect EE Connector

Cloudant Connector

CICS

Micro Gateway

App Developer

More information

IBM API Connect

— http://www.ibm.com/software/products/en/api-connect

— http://www.ibm.com/support/knowledgecenter/SSMNED

— https://developer.ibm.com/apiconnect

IBM API Connect Dev Center

IBM API Connect Knowledge Center

More information – API Connect Video

Aymeric Affouard

Merci.

© 2016 IBM Corporation 44

Digital Transformation Specialistaymeric.affouard@fr.ibm.com

Notes and Disclaimers

45

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has beenreviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law

Notes and Disclaimers

46

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBMtrademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.