Securely API Enable Your IBM i Applications
Take advantage of the new business opportunities and cost savings offered by API enabling your IBM i applications without compromising on security.

Session Time
62 Minutes
Overview
The business opportunities available through API enablement are growing every day. Companies are creating new revenue channels by connecting to ecommerce sites like Amazon and Shopify. They are realizing significant cost savings by automating functions like PO processing, shipment scheduling and invoice generation through direct API connections with their customers. They are rapidly expanding application features by using readily available Open Source modules. However, all that capability comes with security risks. According to the Gartner Group, by 2022 APIs will become the number one target of hackers attempting to attack IT networks. In this session, we will cover the basics of how to set your company up to take advantage of the value of APIs safely and securely.
What You’ll Learn
During this complimentary webinar, we will cover topics including:
Implementing advanced authentication with OAuth
Safely using Open Source modules
Protecting your systems from DDoS (Distributed Denial of Service) attacks
Keeping your web code safe from injection attacks
Using API provider SDKs (software development kits) to implement security so your developers don’t have to do the coding
We will also leave time at the end for our experts to answer your questions on securely API enabling your IBM i applications.
Reserve your seat today!
Presenters

Dan Magid
Chief Executive Officer & IBM Champion, Eradani
Dan has spent over thirty years leading companies that help customers implement new technologies in legacy environments. Previously, Dan led worldwide software development groups that built highly successful modernization and DevOps tools and was the CEO of Aldon, the leading provider of DevOps tools to the IBM i marketplace.

Sean Cavalieri
Security Architect, Eradani
Sean is a rising star having particular experience using modern technologies to help customers integrate IBM i applications with other modern apps. He is passionate about the opportunities customers have when they combine the investment made in their IBM apps with the amazing world of Open Source.
Video Transcript
All right. Let’s kick this off. Good morning. Good afternoon. Good evening and good night, everybody. Hello and welcome to the webinar, Secure API Enablement for Your IBM i Applications. We hope that your imagination will be opened up to a whole new world of integrating modern technologies to connect your IBM i environment today. Our speakers are Dan Magid, known in the IBM i world because of his long history in the ISP community. He’s presented at literally hundreds of webinars, dozens of conferences, and as a regular publisher, author of articles around bridging the gap between your IBM i and everything new coming from the open source world. Sean Cavalieri is a rising star at Eradani. He has particular experience using modern technologies to help customers securely integrate their IBM i applications with other modern apps. He is passionate about the opportunities customers have when they combine the investment made in their IBM i with the amazing world of open source. Now, before I hand this over to our speakers, as you can see from the big green light in the corner, this webinar is being recorded. So we will email a link to the webinar replay at the end of today’s session. To everybody who is registered, please feel free to share with your peers. Questions, keep them coming in. You can use the chat or you can use the Q&A or submit questions. There’s lots of different bells and whistles here to get those questions to us and we will address as many as we can. With that, Dan, I hand it over to you to kick things off. Great. Thanks, Mitch. And I just want to add just to Sean’s introduction, Sean is a great example of when you start using open source technology around your IBM i to extend your IBM i, you can hire lots and lots of people, young kids out of college who can start working on your IBM i application. So, Sean is a great example of that. All right, so let me go ahead and share my screen here. You can also now see the PowerPoint presentation.
And so I’m going to talk a little bit about API security.
I’m going to start out just to give you just a real fast overview of to remind everybody the value of APIs because then I’m going to scare you with some of the security threats, some of the things that APIs, the openings that they create. And I’m going to go through the basics of API security technology. I talked to a lot of IBM i users who asked me about, well, what exactly is that? What is TLS? What is the difference between TLS and SSL? What’s OAuth? What are JSON web tokens? So I’m going to go through the basics of what all these things are, what are all the components of API security. And then we’re going to go through some actual security examples and Sean’s going to actually show you some demos of creating APIs for the IBM i using some of the technologies that I’m going to be talking about. And hopefully at the end we’ll have some time for Q&A. We’re going to be going through a whole lot of stuff really fast today. So just real quickly, business is being done via APIs today. It’s accelerating, it’s growing so fast. And so if you look at these are just some quotes from different newspapers, different sources in the IT community about how quickly APIs are taking over. That’s the way business is being done today. People are using APIs to create machine to machine connections so that they can increase their responsiveness, they can do business at lower cost, and they can do business more quickly. This just shows you the growth of API collections and this is just at the Postman site which is a place where people put the APIs that they’re creating and test their APIs. You can just see that the growth of APIs is growing, but that’s not nearly as fast as the actual number of API messages. That’s growing even faster. This is the number of APIs, but the number of API messages are in the trillions. And so we want to help you enable that. And there are lots and lots of things you can do with APIs. 
So we’ve worked with IBM i customers who are using APIs to connect to new technology to create the latest user interfaces, mobile web user interfaces. They’re using it to modernize their business process, so to automate business processes and to integrate Windows applications, Unix applications, Linux applications with their IBM i applications, or even across IBM i applications. We’re seeing customers use APIs to integrate with their business partners, so their partners, their suppliers, their customers, so they can have machine to machine connections for doing that. We’re seeing automation across the supply chain, so a lot of situations we’re seeing customers replace technologies like EDI with API technology to simplify and lower the cost of communicating with their supply chain partners. We’re seeing people find new revenue channels and new cost savings by using APIs that are being created by their business partners, so being able to list things directly on sites like Amazon and Shopify, or getting information from Google Maps so you can get information to increase the value of your own applications by using APIs that are publicly available. We’re seeing people start to add function to their core IBM i applications in new languages. So you want to create dashboards for your core applications or you want to connect to machine learning engines, you can do that using APIs to talk to the languages like Python or JavaScript or PHP that are designed to do that kind of work. And then also to modernize, it’s a way of using free components from the open source community. So there are literally thousands and thousands and thousands, actually millions, of open source components that you can choose from to add to your IBM i application. So there are lots and lots of things you can do with that.
So, as you can see from this chart, people are doing this. I mean, many, many, many, many companies are adding APIs to their applications. So according to this chart, 85% of companies, it’s a strategic part of their digital transformation efforts. So that’s a little bit about why you want to do APIs. Now let’s talk a little bit about some of the threats. So the problem is, is that as we make these connections available, the potential is that malicious actors can use those connections to try to get at our back end system. So you see from Gartner by 2022, APIs will be the most frequent attack vector on systems. And over here from this SALT Security, their annual API security trends report, you can see that the number of malicious attacks are growing faster than the number of actual API calls. So the fact that there are lots and lots of people, including state actors, that are trying to get at those APIs as a way to get into your system. 91% of enterprise professionals have said they’ve had an API security incident in 2020. And this is one that’s particularly concerning, is that 70% of organizations say that they’ve experienced an attack like that from the inside, from the inside of their network. And I talked to a lot of IBM i users who feel safe because they don’t allow their IBM i to talk outside the network. But now we’re seeing that actually a lot of these attacks are coming from the inside. In fact, according to Gartner, the majority of attacks in the coming years will be coming from inside it. And it’s not that you have a malicious person inside your organization, necessarily. It’s that you have a machine that’s been compromised in your network. So somebody has compromised a machine and now there’s somebody using that person’s credentials to get into your machine. So what we want to talk about is how do you take advantage of all the value, all the things that APIs can do for you, but do it safely. 
And that’s one of the things that Eradani Connect is designed to do. We’re designed to help you create that layer around your IBM i that not only makes it easy to connect either into your IBM i from the outside or out to the open source world from your IBM i, but to also do that in a secure way. So let’s go through some of the basics of the technology. These are some of the basic terms to understand about what’s happening under the covers in a security environment. And I’m going to go through those.
So way back in the day when Tim Berners-Lee first created the Hypertext Transfer Protocol, it was really just a protocol to allow the sharing of documents over the internet and it was really sharing of documents among academics. So they would share their papers and send the information back and forth and nobody really cared who read it. So there was no real concern about the security of that because they weren’t doing anything that particularly needed security. But as the web started to grow and after we got graphical browsers and people started to use the web for many other things, including commerce, and we started to have private information and credit card information and payment information, people suddenly said, well, you know what, this doesn’t work, we need to secure this. So Netscape actually created the first version of SSL, which is the Secure Sockets Layer Security, as a way of securing the environment. And then they created HTTPS, which is HTTPS Secure, which would secure that environment so that the information you would be transferring would not be available for people to see and nobody could tamper with those messages. So it was to make that communication secure. So SSL and the idea of SSL and its follow on TLS is A, to make sure nobody reads your message. B, to make sure that no one has tampered with that message, the message hasn’t been changed. And C, for all you Avengers fans, is to make sure that they are who they say they are, that somebody is not spoofing their identity, but you know exactly who they are. So I also get this question a lot, which is, is there a difference between TLS and SSL? And yes, the answer is there is a difference. SSL was actually the original thing that was created by Netscape and they actually never released 1.0 of SSL because it was so old and it had so many bugs in it. But they did then release a couple of versions of SSL, but even at SSL 3.0, it was still very vulnerable. 
That was then replaced with TLS, with Transport Layer Security. And TLS 1.0 also had issues, mainly because TLS 1.0 supported an SSL environment where you could actually communicate as if you were communicating across SSL. So 1.0 has known vulnerabilities, just like SSL does. So if you really want to be out of the environment where you have known vulnerabilities, you want to get to TLS 1.2, which is where most organizations are. Now the latest version is TLS 1.3. The problem for IBM i users is that you need to be on 7.4 to get support for TLS 1.3, but that is the latest version. Now that actually brings up a really important point about this stuff, is that the bad people out there are actually trying to break these all the time. And you really, really, really do want to stay up to date with the latest version of this stuff. And one of the problems of relying on IBM to do that is IBM only has the mechanism of sending you new releases and PTFs and you have to wait until you upgrade to a new release to get the latest version when you really want to be using those latest versions as they come out. I’m going to talk a little bit more about this, but this is one of the reasons why you want to move that web services layer out into a technology like JavaScript, so that you always have the latest versions of these security technologies. So you want to make sure that you are always staying up to date. And that’s one of the things that Eradani Connect does. So what we do is we maintain that environment so that we ensure that you’re always using the latest version of TLS. You always have the up to date version of all the cipher suites that are part of that and you don’t have to worry about getting out of date and you don’t have to wait for the IBM i releases or until you’re actually ready to upgrade before you get that latest version of TLS. 
If you don’t have the latest version, when people try to reach you or when you try to reach out, you might get a message like this that says this is not a safe connection. And by the way, you can go to any website and you can click on the left side here and it will tell you the security status of that particular site. So you can get in a situation where you simply can’t connect to somebody’s API if you don’t have the right version of the latest version of TLS. So again, let’s get back to ensure no one has read your message, ensure no one has tampered with it, ensure they are who they say they are. Now this is an issue we’ve been dealing with with messages forever. This is how we used to do it way, way, way, way back in the day to make sure a message has not been tampered with. You’d actually put a wax seal on it and the wax seal would make sure that that message hadn’t been tampered with. And then the wax seal would have a very artistic design that was unique to the person who was sending it you know that was his signature on that. And so you knew it was coming from the king because it had his wax stamp on it. So that’s the same thing we’re trying to do. We’re trying to do exactly the same kind of thing to say, I want you to know who this is coming from and I want to make sure you know that it has not been tampered with and it has not been read by somebody else. So how do you make sure no one has read your message? Well, in the electronic world today, instead of using wax stamps we encrypt things and encryption, it can be very, very simple. And I want to differentiate a little bit between encoding and encryption. The real difference between encoding and encryption is that encryption has a secret that only the people involved in the communication know. Encoding is simply a way of transforming one thing to a different way of formatting that thing. 
So for example, in 2001 A Space Odyssey, for those of you who are old enough to remember the movie, there was a computer named HAL. Well the plain text of HAL was actually IBM, and they had an encryption algorithm that said, subtract one letter in the alphabet from each of these, and that will give you this cipher text, the encoded name, which is HAL. So if I knew the algorithm, and I knew the secret was to move one character back, so my secret here is one, if I know that that’s the secret, I can decrypt the name HAL and get it back to IBM. Now obviously that’s a really simple encryption algorithm which would be very easy to figure out to break. So there’s another one that’s been used for a long time that’s a little bit more complex. It’s called the book algorithm, and that is the algorithm is I’m going to give you a page number, I’m going to give you a word number and a letter number. And then I will give you here’s the cipher text, you know, page three, word seven, letter five. But what’s the secret here? The secret is what book is it? If you don’t know what book it is, you cannot read that code. There’s nothing you can do with it if you don’t know what the book is. So in this situation I have a secret, and the secret is, since I have a brand new grandson, it’s the Sneetches. And so here is the page of text, so that’s page three of the Sneetches. And I don’t know if you can see these underlines but I can see that the first letter is I, the second letter is B, and the third letter is M. And according to this cipher, I can then read that the plain text of this is IBM. So I’ve got an algorithm, and I have a secret and that’s really important to know that both things are required for encryption, an algorithm and then a secret that the people who are involved in the communication understand, which is different than encoding. A lot of IBM i customers say that they’re doing Base64 encoding to send their messages. Base64 encoding is not encryption.
The reason it’s not encryption is because everybody knows the algorithm. So you can send something in Base64 and it will be encoded, it will not look like the plain text, but everybody knows how to decrypt that, everybody knows how to decode it and put it back into its original state so there’s no secret. It’s encoding, it’s not encryption.
So, there are a couple of different kinds of encryption. This is private key encryption, which is sort of what we’ve been talking about, that is there’s a secret. So the sender has the plain text data, they use the secret to encrypt the data, they send the cipher data, and then the recipient uses the secret to decrypt it. Now the important thing is they both have to know the secret. So they have the shared secret that they both know, so that they can send something and then they can receive it so they can encrypt it and they can decrypt it. So that’s private key encryption that allows me to send information encrypted, where each of us has the secret key that only we know. So there’s a problem there though, and that is, how do we share the key? So when you start getting into these environments where we’re sending out lots and lots of communication with lots and lots of different people, and we need to create an encrypted environment. How do I send out the key in a way that won’t be discovered? I can’t encrypt the key because you can’t read it, so I have to be able to send it to you in some way that allows you to get that key and then we can start to have this encrypted conversation. So I’ve got this, I’ve solved the problem of encrypting the data, but I haven’t figured out how do I get you the key so you can read it? And that’s where public key or asymmetrical encryption comes into play. So this is a real world example to maybe give you a sense of what asymmetrical public key encryption is. What it means is it means that everybody has the public key. Everybody knows the public key, but only the person who’s going to read the message has what’s called the private key. So everybody can encrypt with the public key, but only the person who’s going to read the message is going to have the ability to unlock it. And so in this situation we’ve used mailboxes like this forever, which is that everybody can put letters into the mailbox. 
We can all put letters into the mailbox and they have this mechanism that won’t let you reach in and pull that message out. But the only person who can get the messages out of the mailbox is somebody who has the key. So a USPS employee is the only one who has the private key that says, okay, I can get the data out of here. And that’s really how public private key communication works. You can think of it as a situation where you have two different keys for a lock, and one of the keys can only turn from right to left, and the other one can only turn from left to right. So I’m going to encrypt some information to send to you. I want to communicate with you. So you’ve given me a public key that allows me to encrypt information. So I encrypt that information and lock it, and then you use your private key, which only can go the other direction, to unlock it. So everybody can lock it, but only you with the private key can unlock it. And this would be an example of doing that with an actual electronic communication.
So Alice has given me her public key. Alice gives Bob her public key to say, okay, here’s your key to encrypt, and everybody has it. Everybody has access to that public key. Bob encrypts it using the public key, but only Alice can decrypt it using her private key. So that’s how you then send the key. This is how you would send, this is how you would then encrypt the key, the private key that you’re going to use to have your communication. And in TLS, we’re using both. So we use both symmetrical and asymmetrical encryption. So we use asymmetrical encryption for the initial handshake, that is to get connected, and then to send the private key, and then we generate four symmetric, four private keys that we then use during that session. Now, as soon as the session ends, you’re going to have to, you lose, those keys go away, and you’re going to have to do another handshake. But you generate these four symmetric session keys. And you don’t really need to worry too much about this, but you’ve got a key that allows the client to encrypt messages, it allows the server to encrypt messages. And then this is really important. It also then allows the client and the server to write a MAC, a message authentication code. The message authentication code is a hash that’s applied to the message. So you take the message, you apply the hash to it, it creates this value, you send the message, the receiver applies that same hash to see, is this actually the message that was sent? So they can decide, it uniquely identifies that message, so they can see that that message hasn’t been tampered with at the end. The other thing you want to do in doing this, you want to stay aligned with what IBM is doing for supporting all of this new technology. And I just sat in actually at the end of July on a presentation that Steve Will gave. Steve is the, for those of you who don’t know, Steve is the chief architect of the IBM i in Rochester. 
So he basically runs all the architectural people, the whole architectural staff in Rochester for IBM i. And in his presentation, he had a slide about the attributes of next gen IBM i applications. And this is what he said about them. They’re going to be designed to quickly respond to business needs. So they’re going to encapsulate processes and data so they’re going to be more componentized, and they’re going to blend technology using the best fit for purpose. Use the right technology for each thing you want to do. And they’re going to be designed to easily allow you to incorporate new technology into what you’re doing, even if that tech is not your tech, it’s not in-house technology. So this is what he gave as an example. So on the IBM i side, we’ve got the world’s best relational database management system in DB2 for the IBM i. So you can use that for your database management system. RPG and COBOL are great languages for writing core business applications, core business transaction functions. The system itself has the lowest total cost of ownership. It’s reliable, it’s secure, it’s efficient, and you want to protect your investment that you’ve made in all those applications. Then you want to add to that all of the open source technology that IBM is creating for the IBM i. So you want to use the open source because it’s enterprise ready. The open source stuff is being used by literally thousands and thousands and thousands of companies around the world, including the biggest banks, insurance companies, the biggest companies in the world are using this to run their environments. Microservices and APIs are designed to be built in these open source technologies. In JavaScript, that’s the reason it exists. It’s designed for building API environments for building microservices. There are DevOps tools that allow you to manage everything across the entire environment.
Internet of Things, web technologies, these are just all things that open source is particularly aligned with. It’s a pathway to innovation because there are millions of developers who are building things that you can integrate into your applications, so you don’t have to build all the technology to take advantage of the latest innovations. So again, this is IBM’s strategy around this is to create this blended environment where you’re using the right tool for the job. So the idea is, what is it you’re trying to do? Make sure you’re using the right tool for the job. You don’t need to try to do everything in RPG. So why JavaScript for web services? Well, one, as I said, it’s built for web services, and JSON, which is the lingua franca of the web service environment, it’s the messaging technology that everybody is using for sending information across the Internet, is JavaScript Object Notation. So in every other language, you have to parse JSON to understand what it is. So if you get a JSON message, you have to go through a process to figure out what it is. In JavaScript, you don’t, because JSON is just a JavaScript object. It knows out of the box what it is. It knows where the fields are. It knows what information is included in it. So it understands JSON because JSON is JavaScript. And there are almost 2 million modules available and more being created every day in JavaScript. And you can just, if you’re working in a JavaScript environment with your web services, you can just plug those in. And that includes things like the latest authentication technologies, the latest API connectors, the latest in cipher suites, all that stuff can just be plugged into a JavaScript environment and you don’t have to build it. And JavaScript is also designed to run asynchronously, which is how the web runs. So you put out a web service call. If it’s not available, you don’t want to lose that call or have to wait.
You can just wait, you can have the web services call wait, and you can go on and do whatever else you need to do on your system. And then when that web service becomes available, those web service calls can run. So JavaScript is very, very easy to learn. I talk to RPG programmers and say, if you can learn RPG, if you can learn, go from OPM RPG to ILE RPG, if you can go from using logical files and physical files to using tables and views, you can learn a little bit of JavaScript to do the web services. It’s really, it’s very, very easy to do. And you know, I know the people in the IBM i world are used to using open source or use pre-built components. I mean, I’ve talked to many, many IBM i users who are doing API work and they’re using libraries that were created by Scott Klement. Scott is a great guy and created some really good stuff for the IBM i, but wouldn’t it be great to be in an environment where you have thousands and thousands of Scott Klements all creating open source modules that you can just grab, plug into your applications and use. And that’s really what the JavaScript world is about.
Okay, so now we’re going to jump into a quick demo. So I’m going to turn things over to Sean and Sean is going to actually show you how to add TLS. He’s going to show you, actually, he’s going to create a web service call. He’s going to create a web service call from scratch. So he’s going to go right from scratch and it’s going to take less than five minutes. He’s going to build the web service call from scratch. He’s going to create a JavaScript program, and he’s going to do it with one command. So it’s going to actually create the JavaScript framework. So you can see that this is just an automated process. He’s going to add all the code necessary for calling a web service, and he’s going to do that simply by downloading a module and using a module called Axios, which is a pre-built component that has all the stuff you need in order to call APIs. And then, with a little bit of magic, he’s going to show you with a single keystroke that he can add TLS support. So you can add all the TLS, all that complex stuff I talked about, the handshakes, the encryption, all of that. He’s going to show you how you can add that with just a single keystroke. So, Sean, I’m going to turn that over to you. Okay, thank you. So I’m going to go ahead and share my screen here. And if you look on the right side here, I’m going to be demonstrating making a secure HTTP call to the OpenWeather service and just get some simple weather information about where I am right now. I’m in Oakland, California. So I’m going to click API and get into some documentation, and I’m going to be making a call to this API right here on OpenWeatherMap. So then on the left side of my screen is a completely empty project, there is nothing here, and from scratch I’m going to, as Dan said, assemble a web service call program. The first thing I’m going to do is just initialize a Node project, simple as that, npm init.
This is just some default stuff here, it’s not, I don’t need to change anything there for this project. And that creates a package.json file, which just holds the main information for a Node.js JavaScript project. Now the only other thing that I’m going to need for this project is what Dan mentioned, it’s called Axios, it’s a module that’s an HTTP client and makes it very easy to make these calls out. So down in this terminal on the bottom here, I’m going to do npm install axios. Simple as that, I’m going to hit enter. You’ll see that loads. And there, there’s now a dependencies section in this package.json that lists that axios is now required. You’ll even see down at the bottom, found zero vulnerabilities. You can always run in a Node project npm audit, and you’ll be able to see if there are any known vulnerabilities in any of the packages you download and you can easily fix them. So now I’ve got this installed, and now I just need to create a file to work with. So I’m just going to create a file called index. And in this file is just going to be about two lines of code, just to make a web service call. The first thing is going to be making a variable that I can actually access Axios with. So const axios and I’m going to require what I installed, axios. And now I have access to all the functions and parameters that I installed with that package. So for the entirety of this web service call all I need to do is use the built in function axios.get. And that just makes a GET HTTP request using Axios. The first parameter is going to be the endpoint that I want to hit so it’s going to be HTTP colon slash RAS and then if you notice here on the right, this is the path I want. So there you go, that’s the endpoint. And then I just need to give some parameters. And also on this right side of the screen here, parameters, q, that’ll be the city for where I want to get, so I’ll just get information about Oakland.
I need an app ID, which just verifies who I am with OpenWeatherMap, which I’m actually going to paste in because that’s just an API key right there. And I’m also going to define my units: use imperial units, because otherwise I will get Kelvin by default, and that’s not very easy to work with.
So that’s pretty much the basis I need for making a call right there. That’s Axios. It’s making an HTTP call using those parameters; I just need to receive the response. So I’m just going to handle this with a little response here. So when this asynchronous call returns, this will be called. This is a function; it gets a response object, and I just want to log what’s in that response object. So in that response I want to get the data out of it, and I’ll get the main data, because I know the structure of what will be responded. And then down in the terminal at the bottom, I’m going to run this program: node index.js, that’s how you run JavaScript. It’ll make a call out, and this is what I get back, the temperature: 80 degrees, this is in Fahrenheit. Look outside, blue skies, that looks to be accurate. And you get all of this information nice and simple. I’m also going to add one more log, just to see what protocol we are using, about what Dan talked about earlier. So if I look at the request part of this response object, let’s go, I want the agent, and I want the protocol. And I log this and run this command again. Now at the bottom you’ll see this is an HTTP call; it’s just standard hypertext protocol, none of the security that Dan was mentioning earlier. And if I want to add that, it’s as simple as putting an s right here. Now I’m making an HTTPS call; Axios will recognize that and handle everything we need for TLS, doing the handshake, exchanging keys. And if I run this again, you can just verify that the response confirms that we are now using HTTPS. And that is everything you need to simply make a JavaScript call out to a web API. So I will hand this back to Dan.

Thanks, Sean. Let me go ahead and share again here.
Okay, yeah, so again, Sean was able to create the JavaScript program with a single command. He used Axios to do all the logging and to format the call. So all of the functions to actually call out to the API were in that Axios module, and then just by putting the s, he was able to use all the pre-built Axios functions that allow it to support HTTPS, so all the TLS stuff, all the stuff that I’ve talked about. So now we know how to get that encrypted messaging going to ensure that nobody can read our messages. So now the next thing we’ll talk a little bit about is JSON Web Tokens and OAuth. JSON Web Tokens and OAuth are ways of identifying who you are. In the sort of standard IBM i tools there’s a whole lot of stuff you need to do in order to implement this, and what we’ve tried to do in Eradani is really shorten that path and make this easier to deal with, so you don’t have to do things like deal with the Digital Certificate Manager to manage this process. So we’ve tried to make this very, very easy. The other thing I have found is a lot of IBM i users who are creating APIs are using basic authentication, because that’s sort of what the tools, the native IBM i tools, support out of the box. The problem is that basic authentication is fundamentally insecure. It requires that the credentials be saved; oftentimes they’re saved in the browser, so anybody who can get into the browser can discover those credentials. It encodes but does not encrypt the credentials out of the box. It often automatically sends the authorization, and the problem with that is that it opens you up to these cross-browser attacks, where somebody can get inside the browser session and use your credentials in order to attack the system.
And it’s often used with native IBM i credentials, so you’re actually sending an IBM i user ID and password, which is giving the user actual native access to the IBM i, which may not be what you want to do. Maybe what you want to do is authorize the user and then perform actions on their behalf, not as them, on your IBM i. This is especially true if you’re giving access to customers and partners, people who are not actually internal users in your system. So these are just some examples: almost every major organization is deprecating basic auth. Microsoft, Google, you know, all the big API providers are all deprecating basic auth because of its fundamental security problems. So people are moving to other technologies to keep things secure, and JWT is another one of the ways we’re doing that. In Eradani Connect, you can support basic authentication, but we don’t recommend it, and we make it very easy to use JSON Web Tokens and OAuth, to use the latest technologies for those communication sessions. So what is a JSON Web Token? A JSON Web Token is really just a packet; it’s a standardized container for information to identify who you are and what you can do. It’s an authentication piece, something that says that this message hasn’t been tampered with. So the JSON Web Token simply says: here’s what I am, here’s who you are, this is what you can do, and here’s some proof that this message is what I say it should be. So this is kind of JWT in the real world. I’m a student at school and I have to go out into the hallway, and so I have a pass, and in my pass it says what I can do. It has my name, so it says who I am. Here’s what I’m allowed to do. And then there’s a third-party authenticator, there’s the teacher who says yes, this is valid. And that pass is different than the hall pass, which says that I just have the right to be wandering around in the hallway, and this is again identifying who I am.
So it’s this container that says: here’s who you are, this is what you’re allowed to do, and here’s an authentication that this message hasn’t been tampered with, that this is a real message. Here’s an example of an actual JWT, so it has these three components: the header, the payload, and the signature. The header says here’s what I am: I’m a JSON Web Token. Here’s the algorithm I’m using for my encryption; this is the algorithm I’m using for my hash. Here’s the payload, and the payload is something you create. You can identify things like what is the role of this user, identifying what it is they’re allowed to do, or you can have the individual functions that they’re allowed to perform, so you can put information into the payload of the JWT. And then of course the signature for that says this message hasn’t been tampered with. And again, the process works in a browser environment. So you post, you say okay, I want to access something; the server then gives me the JWT with the secret and sends that back to the browser; the browser then sends the JWT, so now I’m communicating using that token, not using user IDs and passwords. So I’m not constantly sending user IDs and passwords up and down the lines where they can be discovered. And then I get the information back from the server, so from that time forward I’m using this JSON Web Token. And these things can be expired, so they can only last for a particular period of time and then you have to re-sign in. So then the question becomes, how do I know that you are who you say you are? And again, in the real world we have sort of an example of that with Real IDs.
So if I have TSA PreCheck when I’m traveling, I can have a boarding pass that says I have TSA PreCheck to get on the plane, but I can’t do it unless I have an ID to go along with it. Not only do I have to have an ID, but today I have to have a Real ID, which is an ID that has been verified by the federal government to say yes, I am who I say I am. And I have to provide both things: I have to have the thing that says here, this is what I’m allowed to do, here are my authorizations, and this third-party certification that I am who I say I am. And that’s something you see on the web all the time. You’ve probably seen screens like this where you can either create an account to access a particular website, or you can sign in with Facebook or sign in with Google. And what that does is it allows you to use your Google credentials or your Facebook credentials for signing on, rather than creating new credentials for this particular website. This is just an example of Trello, which uses that kind of technology. Because you go into sign in, and you don’t then sign into that site, you actually sign into Google, and Google says, okay, is this person who they say they are? Yes, they are who they say they are; they then give an access token to that client. That client then sends the access token to the server, the resource server. The server goes back to Google and says, is this a valid token? Google comes back and says yes, that’s a valid token, and then I get my data back. So I’m actually using Google as the third party to say, yes, you are who you say you are. And there are lots and lots of third-party organizations that you can use to get that sort of outside verification that you are who you say you are. And if you go to any website, you can actually go in and look and see who it is that’s attesting that this person is who they say they are.
So that helps you avoid things like where people spoof a website and pretend to be Bank of America when they’re really not Bank of America. And what’s great is the framework for doing all this, again, is all built for you, so you don’t have to write this stuff. It’s already built; you can download the OAuth 2 code, plug it right into your web service code, and you now have support for OAuth as part of this whole process of going out and getting certification that the person who’s attempting to talk to you is who they say they are. And this code is being downloaded 42,000 times a week, so this is highly vetted, highly secure, highly reliable code that you can simply plug in. If you were doing this from RPG natively, you would have to write this yourself. And even if somebody wrote it for you, you’d have to rely on them to maintain it, because this is constantly changing. What’s great is this is being maintained by literally hundreds of programmers around the world, keeping this up to date for you, so you always have the latest version, you always have the latest security patches. So you can use the code that’s built, and this is what IBM is recommending: that you work in this blended environment where you’re using technology for what it’s designed to do.
And again, that’s Eradani Connect; that’s the environment we support, the environment where you’re using the technology for what it’s designed to do. So all of your back-end code, all of your RPG code, your COBOL code, that’s all connected; you continue to maintain that and use that for your business applications, but you can easily plug into this new technology to take advantage of the latest components. And one of the things that’s important there is you can also easily import vendor-supplied software development kits. Now, why that’s important is when you want to connect to an API from a vendor, oftentimes it’s a very complex process: they have complex authentication rules and identification rules that you have to implement in your code to make that work. What’s great is that many of the vendors have already written that code for you. And if you’re doing this in a language like JavaScript or Java, an open source language, you can simply import the SDK that they’ve already created, which can be thousands of lines of code that they’ve already built for you. So for Amazon, if you want to access all the Amazon Web Services, they’ve already created that code for you. If you’re trying to do it directly from RPG, you have to write all that code; they don’t have an SDK in RPG. So if you’re doing it from RPG directly, you have to write all that code. So the idea is, if you’re doing it in an open source language, you can simply use their SDK that they’ve already created and import it. And Amazon themselves say: making REST API calls directly from your code is cumbersome; unless you have a good reason not to, you should always use our SDKs, you should always use the code we’ve created for you. So another reason why, again, IBM is pushing this idea that you use the right technology for each thing you’re trying to do.
Okay, so now Sean is going to jump on again and do a demo for you about building a web service call and using JSON Web Tokens.

Yep, so I will share my screen again. And I hope you can see this: on the left you’ve got some routes, and on the right you’ve got Postman, where we will be sending the API requests from. So I’m posting on the right first. I’m making an API request to the route, just localhost, because I’m running a server on my machine, and I’m sending to the auth route. So this is simple, very similar; Postman is like putting this in the browser, but I’m making a POST HTTP request here. And I want to authenticate myself with the server. So I’m sending a username and password, as you see here, and trying to get back one of those JSON Web Tokens, which I can then use for future requests to APIs. And if you go over to the left side of my screen, you’ll see where the Eradani Connect server is actually setting up the routes that it receives. So we’re looking at /auth. You can see that down here, and I’m actually going to jump to the file where that is defined. So inside /auth, there’s just a simple slash route that’s only /auth. There’s also another route under /auth that would be verify JSON Web Token. So the first thing that’s going to happen is I’m going to send a call to /auth. This code is going to validate that I sent a username and password. And then it’s going to run a user.login with that username and password and generate a JWT. So over here on Postman on the right, I’m going to hit... actually, first I’ve got to start the server. So now that that’s started up, over here on the right I’m going to hit send. And I’m going to get back a token. And this has all the parts that Dan mentioned earlier: it’s got my information, my role, all encoded in it and signed securely. So if I want to then verify this token works, I’m going to make a call out now to the verify JWT route under /auth. And if I put in this token...
Actually, first I’ll demonstrate what happens with no token. I send this, and I get authentication failed; it cannot verify. But if I put in this token: valid true, which you can see in my code on the left. If this require-all succeeds, it will respond with valid true. So what exactly is happening with generating that token? I’m going to go and look actually at the packages that are doing that signing. The server was generating the token for me. It uses this sign function. And if you look down here, this sign function takes in the data being encoded, which can be username, permissions, the key, and some options. This key is the important bit that makes the security.
So let’s look at this key. This is what a private key looks like; it’s a massive mess. This stays on the server perpetually; it is not accessible from outside. So when a token is signed with this key, it can again be verified by that key, but that cannot be spoofed by anyone outside, so it is guaranteed that the token that is being verified came from this IBM server. Right below there’s the verify function that does the symmetry for this: it takes a token and key and confirms. So when I got the token from the server, I was assigned a token. When I went to verify it, the server verified the token, saw that it was correct, signed by its key, and everything worked out, so it determined that this token was valid. And I can then use that token to make calls out to any other APIs; the server knows that I am authenticated. That’s demonstrating JWTs, and I’ll pass this back to Dan.

Thanks, Sean. Let me share again. Okay, great. And so the last thing we’re going to talk about: we’ve looked at getting TLS support in, we’ve looked at using JWTs, and the last thing we’re looking at is multi-factor authentication. Multi-factor authentication is simply an additional security layer to make sure that you can verify that the person is who they say they are. Multi-factor authentication basically means you have to have more than one of these factors, and the factors are something that only the user knows, something that only the user has, and something that is the user. So something the user knows might be a password or, you know, answers to secret questions; something the user has might be their mobile device; and something that is the user might be their fingerprint or their retinal scan.
So you have multiple factors that you use to identify the person, and multi-factor authentication, according to a Microsoft study, can reduce identity-based security breaches by almost 100%, by 99.9%, dramatically reducing the number of security breaches that happen because somebody was spoofing who they were. So we have a lot of MFA suppliers, people who provide the code to do this thing. And one of the objectives for Eradani is to make it really, really easy to plug into whatever your company standard is for doing multi-factor authentication and allow your IBM i to participate just like everything else, so you can do multi-factor authentication on your IBM i just as you would do for any other platform. So Sean is going to go ahead and give you a quick demo of adding multi-factor authentication to support an API call.

Yeah, so back on the screen here, this looks very similar to the last demo. If you look on the left side of the screen, you’ll notice there’s just one difference, which is this “requires MFA auth.” This is the authentication route again: when you go to authenticate and get your token, there’s an extra step where you have to verify using MFA. And in this case that is using Duo, which will send a ping to my phone in a second, which I will have to confirm on my phone, and then verify who I am by a second method, that I have my phone, before getting the token back to me that I can use later. So on the right side I’m making the exact same call as I made last time to this auth route. And when I start this server, I can make a call over here on the right. I hit send. And notice that’s still waiting; it hasn’t had a response come back yet. So if I hit approve on my phone here, I don’t know how easy it is to see; my virtual background is kind of hiding it.

You may want to turn off your background.

Yeah, I think I tricked it a little bit there, but you can see a green and red.
And if I hit approve on my phone, then the token comes through. I got a notification, I clicked on it and opened the Duo app, I clicked a checkmark, and I got this token back. This token works the same way as the token last time; it holds my information, but it just required that extra layer of security to get to it. Now I’m going to test out this token, but this time I’m actually going to use it in a route that can get some data. So again, I’m making a call, not to auth; I’m making a call to the APIs, and an SQL call to get a list of customers. So I put in this new token that I just got right there. So I have a token, I’m making a call to customers, I’m verified. Now let’s make that call. You’ll see I get through here, but even though I’m authenticated, I’ve shown my username and password, I verified with my phone, two-factor, this server knows who I am, I still haven’t actually reached the IBM i, because I didn’t send the correct data. Even though I know who I am, that server still does not trust me, nor should it, to send the correct data. And it even tells me: I didn’t provide a min balance due for the customers, nor a max balance due. So if I go and add these parameters, I’m just going to URL encode them, so I add a question mark and set min balance due equal to five. And I’ll also set max balance due equal to... let’s try hello, see what happens if I give it a little bit of interesting data. From the back: oh, it still won’t let me through; that’s still an invalid value. So try one more time. Give this the actual correct data. It wants two integers, or actually you can take floats, but it takes a min balance due, max balance due. I send that call. And boom, I get back customers where the balance is between five and eight. So that was authenticating me with the token and validating the data that I sent.
So if you look back on the left side of the screen, you’ll see how that data that I sent was validated. It looked in the query, it checked that there was a min balance due parameter, it checked that it exists (this is what failed the first time), it checked if it’s numeric (which is what failed the second time, when I sent hello), and, I didn’t test it, but it also verifies the number is of a correct length, between one and ten. And if any of that goes wrong, the log message you’ll get in the server will tell you exactly what went wrong. So this app verifies that you log in with the username and password securely, you’re verified with something you have on your phone, so even if those passwords were stolen you still need the phone to get in, and the app verifies the data you send correctly to make sure this is a completely secure API call.
Now I’ll pass that back to Dan.

Great. Thanks, Sean. Share. Okay, great. Thanks, Sean. So now, in doing all the things we’ve shown you today, it’s not our objective that you would actually learn how to write the JavaScript. What we wanted to give you a sense of is that it’s not complicated, that you can build this stuff very easily. The underlying technology is very sophisticated and can be very, very complex, but you can build the support for it very easily using the combination of Eradani Connect and JavaScript, and connect that up to your IBM i application so you can do all of these different kinds of things we talked about at the beginning, using APIs, and you can do that securely. And there are several things that we’re providing in Eradani Connect to make this work for you. One is out-of-the-box TLS support, so you’re always up to date. Out-of-the-box OAuth support, and we also support about 500 other potential frameworks for doing authorization and authentication. It’s easy to add MFA if you want to add MFA support; we make that very easy. You can plug in, using the way we set the technology up; you can grab open source modules and add them to your environment and to your IBM i applications very quickly and very easily. And you can use all the out-of-the-box SDKs that vendors are providing. And that’s in addition to a bunch of the other things that we do that we really aren’t talking about in this webinar, just other stuff that Eradani Connect is doing as part of helping support this API environment. And what’s great is it’s just simple plug-in support for all the security, so it’s stuff you can plug into your environment; you can use whatever security methodologies work for your enterprise.
And then in addition to that, you have access to Eradani expert services. We have people for whom this is all they do: they work on APIs and connecting IBM i to the API economy. That’s all we focus on, and they’re available to help you build APIs, to help you integrate APIs in your environment, to train your people in how to use APIs, so there’s lots and lots of things that we can do for you to help you set up this API environment. So that’s basically all I have to cover in today’s webinar. I’m going to turn it back over to Mitch. Mitch, do we have any questions?

We have one question, but Dan, you know, I want to point out your talk about blended technology recommendations from IBM, using open source and microservices with the i. That was terrific. Sean, your demonstration, I loved the part on Axios, but I think my favorite was your Duo MFA demonstration with your own cell phone. Great job, both of you.
We only have one question that’s come in so far, but if anybody else wants to type it in... and here comes another. Alright, so we just got another one. Who wants to answer this? I believe Dave, Dan, Sean, you can all see the text. This is about vulnerabilities. Yeah, Dave, you want to take that? And npm zero vulnerabilities.

And those are, it’s the community that finds the vulnerabilities, and they are reported, and then that gets posted to npm. And npm is the registry where you upload all the JavaScript modules. And then that npm audit command goes out and reviews all the modules that you have installed, which is typically over 1000 different modules just to do even simple things, and scans them all looking for any vulnerabilities. GitHub also does the same thing, so if you have any projects, any repositories hosted on GitHub, you can constantly scan your repositories looking for any JavaScript modules that have any known vulnerabilities. If they do, then GitHub even creates a pull request for you so that you can automatically update your repository. And one of the benefits of using a language that’s in such widespread use is that, one, vulnerabilities are found very quickly, because it’s used by so many people, and then they’re fixed very quickly, and then a lot of the other tools out there have built-in support for JavaScript and the modules.

Right. Thank you, Dave, thanks for answering that. I see another one: any issues handling the security piece in .NET or Java? I’ll give that to David.

The two big things for me there are the performance, because we’re running the JavaScript locally right on the IBM i, and also just ease of use. It’s so much easier to write code, as Sean just demoed how easy it is in JavaScript.
I think one of the main reasons for JavaScript’s wide use and its popularity right now is it’s just very easy to learn and use, and there are examples all over the web. So it’s much easier to write a quick solution in JavaScript than it would be in Java or C#, say, for example.

Fantastic. I see one last question on the list. Ron will answer yours in text. Do you provide a way to automate building APIs?

Okay. Let me see if I can do that demo on the fly. Yeah, hey, hang on for a second; let me see if I can show something around that. Okay, so you see the Eradani dashboard here, the API dashboard. What I’ve got here is a list of libraries on my IBM i. And I can go in, I can look through the list of libraries, I can find a library that I’m interested in, a table or a program or a view or something that I want to add an API around. So I’m going to hit this button that says add API, so I want to add an API that allows me to access the data in this particular table, but again, I can do that with programs, with views, whatever. So I create that API. Now, just to show you: right now, if I go to this page, this page is trying to access that API, and it’s showing me I can’t get it because the API doesn’t exist yet. So what I’m going to do now is go ahead and start the API server, which will apply that new API I just created. So let me do that. What I’m doing now is starting the API server up, and that’s going to add that API that I just created over that table. And then I’m going to run back over here and refresh this page. And now you can see it’s getting this; this is the data coming from that table in JSON format. So basically, I selected a table, said to create the API, Eradani Connect created the API, and I then accessed it from this web page.
And there’s a lot more to it, but I just wanted to give you a quick demo of that.

Oh, I’ve got to cut you off, Dan, our full hour is up. I want to thank everybody. We had dozens and dozens and dozens of people at today’s presentation. We will send out the recording afterwards. I wish you all a great afternoon and a very happy week. Thanks for participating today.