The 10 Question Framework for High Performance, Secure IBM i APIs

Session Time

60 Minutes

Overview

A recent report by Rapid concluded that 64% of small companies used up to 10 internal APIs and 40% of large companies used up to 250 or more internal APIs in 2022. And the trend is growing in 2023. The explosion of the API economy is making it increasingly difficult to compete without a robust API strategy for both providing API access to your applications and data, and for using APIs to add capabilities to your systems.

IBM i users are finding that creating, using, and protecting APIs involves much more than simply creating an HTTP endpoint for accessing programs and data. APIs as a doorway to your systems can be complex to design and implement. They must make your systems easy to access while protecting your valuable data and applications from attacks.

You’ll Learn

This webinar will focus on how to create real-world, production ready APIs that provide rich function while protecting your systems from harm. You will leave with a 10-question design framework that allows you to:

  1. Build High Performance APIs
  2. Access APIs From Your IBM i Applications
  3. Comprehensively Secure Your APIs
  4. Manage and Monitor Your APIs

Video Transcript

All right, everyone. It’s the top of the hour. Let’s get started. Thanks for joining us today. And the reason we’re here is in today’s digital age, application programming interfaces or APIs, as they’re known, have become an integral part of modern software development. APIs enable different applications to communicate with each other seamlessly and provide a standardized way for developers to access both data and services. However, building APIs can be a complex and challenging process, particularly when working with the IBM i. There are some things that you need to consider in particular when doing that. And that’s why we’ve developed a 10 question framework to guide you through the IBM i API development process. In this webinar, we’re going to walk you through the 10 questions you need to ask when developing an API for IBM i. We will touch on topics such as security, performance, scalability, and we’ll provide practical advice and real world examples to help you build robust and reliable APIs. Now, whether you’re a seasoned developer or you’re new to IBM i API development, this webinar will provide you with valuable, actionable tips to help you streamline your development process. We’ve put together an API planning worksheet that walks you through the 10 question framework. Dan’s going to go over in just a minute. And if you’re new to building modern APIs, the last page, page three of the worksheet provides links to free training videos on key technologies that you’ll need to learn as you continue in your API development journey. We’re going to send out an email about this afterwards, but you can download the worksheet now if you’d like to at eradani.com/apiworksheet. So all lowercase, all one word eradani.com/apiworksheet. Now, I encourage you to ask questions as you think of them so you don’t forget them. We are going to do a Q&A period at the end and answer those. 
If we run out of time, we will, of course, follow up on email with you and try to answer the question the best we can. You can ask questions by clicking on the Q&A button in the Zoom toolbar. I’m pointing down, but that’s where my toolbar is. Yours might be up or on the side. But if you go to the Zoom toolbar, there’s a Q&A button that lets you type in your questions at any time. And now I’d like to introduce you to Dan Magid. Many of you already know Dan. Dan is a co-founder and CEO of Eradani and has been a key figure in the IBM i landscape for many years. Many of you may know Dan as the former CEO of Aldon, the company that provided the IBM i change management software many of you have used and you might still be using today. So, Dan, let’s do a quick sound check. Are you there? I am here. Can you hear me and can you see the slide? Yes and yes. That’s great. Excellent. So, I’m now going to turn it over to you and let you go through the 10-question framework for high-performance secure IBM i APIs.

Terrific. Thanks, Mike. And for those of you who have been in webinars that I’ve done before, as Mike said, I’m going to walk you through things, probably an understatement. I’m probably going to run you through this. I have a tendency to go fast and talk fast. So, yes, indeed, we are recording this webinar. So, if you want to go back and review things, you’ll be able to go view the recording later on. We’ll also be sending you a copy of the slides that you can review. So, with that, let’s go ahead and get into it. So, why are we doing this webinar? Why do you want to invest an hour of your time in what we’re going to be talking about today? And the reason we decided to do this webinar is we’re getting a lot of questions. These are coming in to us on a daily basis because we’re involved in this whole API enablement thing. We’re getting questions from IBM i users like, gee, I want to API enable my IBM i, but how do I get started? What is it that I need to know and what is it that I need to do? Or we’ve been hearing this more and more recently. My business partner says that in order to participate in the supply chain, I have to support their API strategy and their APIs are very complicated. How do I get started with using those? Or I’m setting up APIs around my IBM i, but people are now starting to access my database tables and I can’t reorganize files. I can’t reboot the machine. I can’t do things because there are these connections going into my system that I’m not in control of. So, how do I control those? And of course, everybody is hearing about the potential dangers of putting up APIs. You’re opening a doorway to your system. How do I keep my IBM i safe? You know, there was just a couple of weeks ago, one of the major, major products that IBM i users use was found to have some vulnerabilities that had to be closed up because they were exposing IBM i users. So, how do you keep the system safe? How do I ensure I can handle the volume? 
You know, once you put an API out there and you let people know it’s available, you might find that your customers want to use it and they start to hit you with lots and lots of API calls. So, how do I manage the volume and ensure I’m providing appropriate response? Another thing we’ve been hearing from customers is I want to replace my batch-based EDI system with an online real-time API system. How do I do that? And how do I do it if I have to still translate those EDI documents? And then maybe I’m receiving very complex payloads in JSON. You know, I go out and do a Google call and from Google Maps, I get these complex JSON payloads. How do I get the data I need out of that complex JSON? And then, again, how do I make this easy? Is there a way to make this easier? Something you can do to help me make this easy? And, you know, when we talk to people about this sort of easy thing, a lot of times when people think about API creation, they think about, you know, gee, I can right-click on, you know, go into IBM i, you know, RDI, right-click on a file and say generate an API endpoint. You get an HTTP endpoint for a table or you get an HTTP endpoint for a program. And that’s something, you know, if I can show you here, if I’m in Eradani Connect, so what I’ve just done is I’ve moved over to the Eradani Connect workbench and everything you see I’m going to do here, you can actually do from the command line if you want to. But I can say, gee, I want to create an API endpoint and I’ve got a table out here. So over here, I’ve got on my IBM i and I’ve got a little table out here that’s got four records in it. It’s got, you know, some customer information, you know, their ID, amount due. So it’s a little table on my IBM i. And say, gee, I’d like to create an API to access that table. And if I go over here to my browser, I can go in and say, well, let me go out to that table. So I’ve got a, you know, a route out to that. 
So if I hit that right now, it’s going to come back and say, wait, there’s nothing there. There’s no API there. So what I’m going to do is I’m going to just create one. So I can go in here and say, OK, I want to go out and I want to create an inbound API. And an inbound API, we say inbound API, we mean an API that you’re standing up around something on your IBM i. So you’re saying I want to create access to a table or I want to create access to a program. So all I need to do is come in here and say, I want to give it an endpoint. We’ll call it customers and it’s a get and it’s going to be a query. And we’re just going to do a real simple one here to select everything from that table, from DMAGED.customers. And I’m going to just call this customers all. So that’s my the API I’m going to create. And so that’s basically all I do as I go in and I fill in the form. So here’s what I want to do. I hit generate and it’s now generating the code to call that API. So down here, I can watch it as it’s generating the code. So it’s generating all of the routing code, all the security code, everything is being generated now for me. And so now I’m going to go ahead and compile that. So it’s finished generating the code. I’m going to build the code. So over here, I can watch it. It’s actually building the code now for me. And now it’s finished building the code. Now I’m going to start up my API server. And I’m going to go back over to my browser and refresh it. And so now I get that data. So it’s pulled back the data and it’s gone out and queried the IBM i. It’s gotten data back in IBM i format and it’s turned it into JSON data. 

So I’ve gotten this JSON data structure. So basically tell it, here’s the thing I want to API enable. And it’s created that API for me automatically. But again, is that all there is to it? That seems really easy. I create that API endpoint, but there’s a whole lot more going on under the covers of things that you have to do when you create these APIs. So yeah, I’ve got the HTTP call, but I’ve also got to authenticate that person. I’ve got to make sure, is this somebody who’s allowed to use my API? And then if they’re allowed to use it, what is it that they’re authorized to do? Can they see the entire table? Or maybe I want to limit them to just certain columns and certain rows of the table. How do I transform that incoming JSON data into IBM i data structures that the IBM i can use? And on the way back, how do I transform it back? How do I handle errors? So something comes in and it’s bad data. How do I make sure that I handle that error gracefully and give messages back that actually are meaningful? How do I log things? So if I have to troubleshoot my APIs, how do I make sure that I’m logging everything so I can see what’s happening? And if I’m talking to people like Salesforce or Amazon or Google, they actually have what are called software development kits or SDKs, where they’ve actually encapsulated a whole lot of the code for calling their APIs in like JavaScript code or Python code. And you need to use that if you want to call their APIs. So how do I integrate that into my code? And then the other thing that people typically underestimate is, what is the business logic I want to add in the API layer? Think about API enablement as access to a table or access to a program. But maybe there are things that you want to do in the API, business logic you want to execute. And I’m going to talk about these topics in a little more detail. So there’s a lot of things that can go on. So the 10-question framework is really fleshing out the details of those things. 
So first, we always say, start with the use case. What is it you want to do? Because this is going to drive the value to the business. So I’ll get to the business users about, what is it you would like to connect to? Where would you find value in the business? So identify the use cases and what’s their value. And then, what is the business process? So what are the steps we’re going to actually have to go through in order to implement that use case, that business process? And then, how am I going to secure it? How do I make sure I’m going to keep my system safe? And then, what are the response time requirements? What’s the volume going to be? How do I manage that? And then, what kind of data am I going to have to deal with? Is it a SOAP service with XML data? Is it a REST service with JSON data? Is it a comma delimited files? Is it null terminated strings? How do I get that? And then, what do I have to turn it into? Am I turning it into DDS? Am I turning it into data structures on the IBM i? So how am I going to handle the data? And then, what business logic is in the API? Is there business logic I need to add to that API layer in order to make sure that the IBM i is getting what it needs? And then, do I want to take advantage of some of the advanced API technology? Most people think of APIs today as REST APIs. And REST is great. It’s very flexible. It’s very powerful. It’s easy to use. And it’s very popular. But it’s also kind of slow. And if I really need to handle high volumes, I might want to use a PubSub system like Kafka or Google PubSub or Microsoft Azure PubSub. So I might want to add in additional technologies that can make this faster and more resilient. And then, once I implement APIs, now I have a lot of people coming in and executing them on my system. How do I manage that? How do I keep track of who’s calling me and how much volume we’re getting? And are we responding in an appropriate time frame? 
And if something goes wrong, how do I troubleshoot that? So I need to manage the API operations. And then, how do I manage the development and deployment of APIs? So I’m going to start creating APIs. I want to have a test environment. I want to have a production environment. I need to be able to move those things through the appropriate stages. And maybe I’ve got JavaScript code or Python code or PHP code, as well as RPG code or COBOL code that I’m developing as part of this API process. How do I manage those things? And then, where do I go to get help? So if I’m having trouble, this API process can be complex. And there can be a lot of moving parts. How do I get help if I need help with implementing and managing my APIs? And as Mike said at the end, we’re going to give you a questionnaire that, actually, you can use as a worksheet for going through these questions. 

So let’s talk about use cases and values. So the first thing you start with is this. And it’s really interesting. I actually keyed into ChatGPT. I said, what are the 10 things you need to think about when creating APIs? And it came up with basically the same list that I have here. And the first thing it says is you need to know what are the use cases. Why are you doing this? And I had a really interesting conversation with an IT director at a transportation company. And she said to me, when I was talking to her about APIs, she said, look, we’re not just simply trying to create connections. We are trying to transform our business. We want the IBM i to play in the greater ecosystem of all the different platforms that we have and that our partners have so that we don’t look like an outlier. We want to be an active participant in that environment. We also want to be able to recruit the next generation of developers by using the latest technologies and APIs allow us to integrate new technology with our IBM i. We want to be able to change the perception of our company that we look like a leading edge modern company. We want to be able to get our enhancements, our product features out faster. And we want to be able to use things like open source to do that. We want to be able to do more of our transaction processing in the API layer because that will speed up the process and reduce the load on our IBM i. And we want to be able to connect with partner organizations so we can generate new channels for revenue. So it’s not just connecting things. It is actually transforming how we do business in our IT environment and in our general business environment. So when you look at the use case, what are you trying to do? Are you trying to generate more revenue, find new sources of revenue? Are you trying to improve customer service by being more responsive and providing a better user experience? 
Are you trying to automate business processes and reduce cost and speed transaction processing? So what are the things that you’re trying to do in creating these APIs? And this is just I’ve got a couple of examples here of real customer situations, things that customers have done. This was an API enablement project with an insurance company where they had a real estate company call them and say, hey, we’d really like to be able to give customers a real time insurance quote for a property when they’re looking at properties on our website. Can you make that happen? Is it? Well, you know, if you send us information about the property, we can send you back a quote. And so what they did is they API enabled their quoting process on the IBM i so that the real estate company could send an address. The problem was that they couldn’t generate a quote with just an address. They actually needed the latitude and longitude of that property. So they had the inbound API where they API enabled the quoting process. But then the IBM i had to go make a call out to Google Maps. So it had to make an API call to Google Maps to get the latitude and longitude. Once it got the latitude and longitude, they actually then had to make a call out to FEMA because they needed some FEMA data in order to do a quote. That information came back to the IBM i. The quoting process then ran on the IBM i. And then they returned JSON data to the web browser so that it could display the actual insurance quote. And they had to do all of that in sub two second response time. So they had to give the user very, very fast response. So people weren’t sitting there waiting for the response. So they’ve got inbound APIs and they’ve got outbound calls to API. So both things are happening in this one business process. We had another customer, they were a manufacturer and they had a bunch of retail stores that sold their products and that retail stores would call in orders. 
And they had to call into their call center, which was open from eight to five, five days a week. The problem was is the stores were open on weekends and on evenings. And so they were missing out on opportunities. So they API enabled their order entry process and they were able to take orders 24/7/365. And they called us the first morning they had brought this up. They brought it up on a Saturday morning and they said in the first couple hours that we were open, we got $10,000 in new orders that we would not have gotten had we not been up and available. They would have had to go to some other supplier to get those products. So they were able to increase their revenue immediately by API enabling their system. Then this was a customer that they had an issue. They were a manufacturer and their customer said, we need to schedule our warehouse workers to be at the loading dock when the truck arrives. Can you tell us when the truck is going to be here? And the problem they had is their customer service people didn’t know where the truck was. They would have to call the transportation provider, ask where the truck was. They’d have to wait to get a response. And the whole round trip was taking about a half a day, which wasn’t very useful to their customers. So what they did is they API enabled the order system on their IBM i so a customer could go in and inquire into their active orders, see which ones were being shipped. And then they gave them a track shipment button that allowed them to hit track shipment, which then kicked off an outbound API call from their IBM i to their transportation provider, which actually in this case, interestingly enough, the transportation provider was also an IBM i user who had API enabled their system so that they could then get back the current location of the truck. So they would get the current location of the truck, do a call out to Google Maps and give the customer an actual map of here’s where the truck is right now. And this is a GTA. 
So they would get the information back to the customer. So now the customer had instantaneous response to their question of where is my shipment? So better customer experience and they reduced the volume of calls coming into their customer support center. And then this was a customer that wanted to use open source modules with their IBM i application. They were a payroll provider and they had all these government forms that were PDF documents and they wanted to get information from their IBM i into those PDF documents. And there was an open source module that would take IBM i data and integrate it into PDF or would take data from a database table and integrate it into these kind of electronic PDF documents. So they simply API enabled that module and they were able to send it the IBM i data and it would then integrate that data into those documents and store them on their IBM i. And then we have lots of customers. This is a really common use case where customers call us and they say, I want to add text messaging into my application. I want to be able to send text messages on events. So from the IBM i. So again, you can API enable that process so the IBM i can simply do a quick call out to an API and it can send them the phone number and this will automatically then generate text messages going out to the customers. So, or you can actually have it going the other way where text messages are sent back to you and you get data that you can integrate in your IBM i. We actually have a video on our website showing how to do this.

So I’ve got the use cases figured out what it is that I want to do. I want to then say for that use case, what are the steps in the business process? What are the things that I need to do? And as you can see from those use cases, there’s typically more than simply standing up an API around a table. So for example, this was a transportation, a trucking company we were working with and they wanted to provide their customer service people with the ability to look at what are the current rates for a particular route. So if a customer called in and wanted a rate book, they had some information to help them figure out what should the rate be for this particular route. So they wanted to create that kind of an interface, but there were a lot of steps in that business process in order to make that happen. So first they had to authenticate, say, who is this person? Are they allowed to give us rate requests? And then the person who’s actually looking up the information, are they one of the authorized users because they were using an outside service to get those rate quotes and the outside service charged them for each request that they made. So they wanted to check to see, is this somebody who’s actually allowed to do this? And once it had done that, it would say, OK, you’re OK, you can do this. That person could then say, give it an order number. The system would then call to the IBM i and get the origin and destination for that order. It would then send that information to the rate system to get back the quotes. It would also then send a request out to Google Maps to get a map. And then it would display the information about the order and the information about the current rates for that route. And it would, if they hit a button, they would actually get to see the Google Map. They’d actually see the map of the route. So you can create that kind of a business process. But notice there are many steps to that process. 
So it’s not just simply API enabling a table or a program, but actually API enabling a business process. And that’s really what people typically want to do, is API enable a business process. We had another customer that wanted to automate their EDI process, and they were getting EDI files to an FTP server. And so they had a series of steps they needed to go through so that they could get that EDI document and then process it with an open source module that would map that data into the files on their IBM i. So again, multiple processes to get there, but they were able to replace their EDI software with now an open source module to do the same kind of a process. So you figured out what’s the use case, what are the steps in the business process, what are the security requirements? How do I make sure that this is going to be safe, that I’m not exposing my system? And everybody’s probably familiar with these kinds of ideas, but these are just some quotes about what’s happening. APIs are basically a doorway to your system. You’re saying, hey, I’ve got an interface to get into my system. How do you make sure that you know who’s coming through that door and what is it that they’re allowed to do? And this is not just people coming in from the outside. One of the things that people often overlook is that a lot of the attacks on systems today are coming from compromised machines that are already inside your network. So it’s not coming from the outside, but somebody who’s actually inside your network and their machine’s been compromised and the attacks are initiated from there. So you want to make sure you’re securing these doorways. And one of the places you can go to find out really good information about this is the Open Worldwide Application Security Project. And again, these links will be in the materials we’re going to send to you afterwards. But if you go out there, you can see the OWASP Foundation has all kinds of information about security for your applications. 
And if you go to the top 10 list, they’ll show you what are the current top 10 vulnerabilities that you need to be thinking about. And if you go to any of these links, they’ll tell you about that vulnerability and they’ll tell you how to remediate that vulnerability. So there’s a lot of good information here on this site to help you see what do you need to do about that. Gee, I’ve got broken access control. People are getting into my system or my cryptography is not working or somebody is trying to do a SQL injection attack on my site. So they’ll tell you how do you protect yourself from those kinds of vulnerabilities. And it is an issue for IBM i users because when we go out to the IBM i community, we often see that people are using what’s called basic authentication. And that’s because most of the tools in the IBM i typically rely on basic authentication. Basic authentication is you’re sending in an IBM i user ID and password on every API call. And because you don’t want to make the user keep re-signing on, you’re storing those credentials somewhere. So on the client machine somewhere or in the browser. So you’ve got the credentials stored and those are native IBM i credentials. So there are really three problems there. One is you’re constantly sending the credentials up and down the wire, which is a potential place they can get discovered. The other is you’re storing those credentials somewhere, maybe somewhere that’s not even under your control where they could get discovered. And the other is, is you’re giving people native access to your IBM i. So because of those vulnerabilities, a lot of people are moving away from basic authentication and doing modern authentication using things like encrypted token-based security. So using things like JWTs, so that you sign on once with a credential, but it’s not your IBM i user ID and password. Maybe it’s an email address and a password. You send that in, you get an encrypted token back. 
And from then on, all the communication is done with encrypted tokens. You’re not sending user IDs and passwords back. And by the way, support for all of these things are built into our Eradani Connect system. So when you generate an API with Eradani Connect, you can have it automatically generate the code for things like OAuth, if you want to do third party authorization or single sign on things like Active Directory or Kerberos or SAML. So you don’t have to write the code to do those things. Just for a sense on basic authentication, almost everybody is deprecating basic authentication. So Google, Microsoft, MuleSoft, Apigee, the big API vendors are all saying, we don’t support basic authentication anymore because it just has too many vulnerabilities. You can also use APIs to add multi-factor authentication. So if you want to, before somebody gets into your system, you want them to answer a message on their mobile device or through an email, you can set that up so that there’s multi-factor authentication. And you can use API to create that. And we have many customers who have done that. And the other thing for security that you want to make sure to do is check the data that’s coming in. So you’ve done all the security things you need to do, but you need to check the data because somebody can send in bad data. And if you’re not sanitizing that data, they can actually send an executable code through your website. So for example, let’s say you’ve got a field that says, do an inquiry into my inventory system so that they can get inventory information. You can say that a hacker can put executable code in there. And if you’re not looking at what’s coming in, they can actually change your SQL to their SQL and do something like delete this table or encrypt all the data in this table. So they can actually inject that into your system. So that’s a SQL injection attack. It’s a very common attack. 
So it’s something you want to look for and make sure you’re checking that data that’s coming in. And then you can also use your implementation strategy for further securing the system. So you can say, I want to implement the system right on my IBM i. So I want my API server on my IBM i, which means I’m connecting my IBM i to the internet, but I’m going to control what IP addresses can come in, or I’m going to block IP addresses, or I’m going to make sure that only certain people can get into my system. So I’m going to control at this point, who actually is coming to my IBM i. Or I can say, you know what, actually, no, I don’t want to connect my IBM i to the internet. I want to put my API server on a Windows or a Linux machine that’s outside the firewall or in the DMZ, or maybe to a whole series of machines so I can handle high traffic. In any case, you always want to make sure that those connections are being done using TLS 1.2 or later, so that you have closed all the vulnerabilities. If you’re using something before that, like SSL or something, TLS 1.1, there are known vulnerabilities. You want to make sure you’re not using those kinds of connection technologies. And by the way, if you want more information about security on our website, we have a webinar that goes deep into security for APIs. So the next thing you want to do, now I’ve got my use case, I’ve got my business process, I’ve figured out what kind of security I want to implement. What are the anticipated volumes? And you could have a lot of volumes. So we’ve got customers with very, very high volumes of transactions coming in. Or you may have just response time requirements, where it’s not a lot of volume, but you just need to make sure you’re responding very, very quickly. So we have the customer, the trucking company getting a million rate requests a day, or the retail chain, they told us on Black Friday, their transactions peaked at 80,000 transactions a second. So you can get very high volumes. 
And then we have this distributor that said, well, we’ve got 80 warehouses, and when we get an order, we want to check all 80 warehouses to see where we can fill that order from. But we need to provide that with two-second response, because our customer service people are on the phone. So we only get a few of those an hour, but they have to be very, very fast when they happen. So you want to make sure you’re meeting those response time and those volume requirements. So you take a look at what you think you’re going to be getting. So this is just some things we’ve had with some of our customers. We have with a single instance of Eradani Connect, we’re handling 120 to 150 calls a second. Now, it can horizontally scale, so you can have many of those. So we can handle even higher volumes. And we can do it that fast, because we do all the data transformations in JavaScript. So they’re basically instantaneous. We don’t have to do any kind of put it into a CLOB and read it from the CLOB and use YAJL to parse it and then search for the data. It’s just an instantaneous transformation of the data. We use connection pooling, so that if a request is using a connection, the next request can use a different connection. So you can handle multiple simultaneous requests. It can do asynchronous operations, so you can send out lots and lots of requests. You don’t have to wait for one to finish before the next one starts. And if a request fails, it can automatically retry for you. And it’s doing all the data transformations and all the data transfers using IBM in-memory data queues. So you don’t have to worry about all that writing to the database and reading from the database. It’s all very, very high speed. And if you really need to ramp up performance, you can integrate things like the Eradani Connect has its Kafka support so that you can use Kafka. And I’m going to go into more detail about Kafka in a minute. But you can use Kafka to really ramp up your performance. 
We have a customer we’re with now that on a single Kafka server is handling 8,000 calls per second. So you can get to the billions of calls per day if you need to get that kind of volume. And then high speed can be not just the number of calls you’re getting, but how big is the data load you’re getting? And this is actually something we did with IBM. Our team actually built IBM’s Cloud Connector product, their cloud storage solutions for IBM i, where we’re taking backups and actually sending backups up to AWS or the IBM cloud. And so you need to be able to take very, very large files and be able to transfer them relatively quickly. And so we have built in technology to make those sort of very large file transfers happen very fast.

So now I’ve got my performance characteristics. I’ve got my security. I’ve got my use case and my business process. What kind of data is going to be coming in? And what do I have to turn it into? So what we find is that a lot of our customers are still accessing SOAP services. So they still have to use XML data. Or they’ve got REST services and they’re using JSON data. Or they’re simply getting CSV files. They’re getting files of data that they have to process or null terminated strings. Or they’re replacing their EDI. So they’re still getting EDI documents that need to translate. So what are the documents you’re getting? And then what do you need to turn them into? So I want to take that stuff and take that very unstructured data and then turn it into structured data that the IBM i understands. So COBOL data structures, RPG data structures. So as I move things back and forth, I need to handle the differences between those things. So if I get a JSON data stream, I get a number that has five characters, but I’ve got a 10 character field. I need to know that I have to put in the leading zero. Or if I’m sending that 10 character field out, but there are only five digits in it, I need to trim off the leading zeros for the JSON data. So as I move from one technology to the other, I need to be able to do those transformations. So I need to understand what are the things that are going to be coming in. And they may be different. I may have multiple kinds of files coming in and translate those from one to the other. And then, again, this is something that we see a lot of customers underestimating, which is what additional business logic is going to be required? What else am I going to have to add to the API layer? And this is just an example of that is that we had that customer that was handling a million rate requests. They had originally was a trucking company that was getting a few hundred rate requests a day. 
But then they signed up to do business with some partners like Amazon and eBay and some other partners and some 3PLs. And so suddenly they were getting a huge number of rate requests. And what they found was 90% of those rate requests were coming from customers who were asking about cities they didn’t serve. So they didn’t serve the origin or they didn’t serve the destination. So 90% of the rate requests were things that they didn’t even want to respond to. And yet everyone was going through to their IBM i. So they added business logic to their API server to check those rate requests and say, do we serve that origin and that destination? Is that a route we serve? If not, don’t bother sending that to the IBM i. Just send it back and say, no, we don’t serve those cities. So they were able to offload all that processing from the IBM i and put it directly in the API server. And there are lots and lots of things you can do in that API layer so that you don’t have to send things to the IBM i that it doesn’t actually need to look at. And then maybe you want to connect to some of these outside providers. You want to connect to Salesforce. You want to connect to ServiceNow. You want to connect to Venmo or to Square, some of the payment processors or to government agencies or to Google Maps for traffic information or to some of these e-commerce sites. So maybe you want to connect to them. And as I mentioned before, a lot of them create these SDKs, these software development kits that you can use that do a lot of the work for you. So if you call Amazon, for example, directly, you want to call their APIs directly, you actually have to write the authentication code supporting their unique way of doing authentication. You have to create the message serialization, the sending process, the receiving process. You have to create all the error handling. You have to log all the stuff that’s going on. 
And you have to maintain it as they make changes to their API, which they’re doing pretty much on a daily basis. If you use their SDK, they have built all of this for you. So the authentication code is built for you. They do all the maintenance for you. All the message serialization is done for you. That’s all done for you. The problem we have in the IBM i world is that these SDKs are written in things like JavaScript or Python. They’re not written in RPG. So you need to have a JavaScript layer in order to use those SDKs. And again, in Eradani Connect, we create that for you so you can just drop these SDKs in and you can use them. And if you look at Amazon, it even tells you, unless you have a really good reason not to, you should always use the AWS SDKs because making REST API calls directly from your code can be cumbersome. So it’s really hard to do. So something you want to be able to do is say, if I’m going to connect to them, do they have an SDK and can I use it? And then what API scaffolding, what is the underlying technology you want to use in building your API environment? So what are some of the architectural things you want to think about in creating your API? And this is a slide some of you may have seen in other presentations I give. It’s a slide from Steve Will. Steve is the chief architect of the IBM i in the lab in Rochester. And he talks about the future of IBM development. It’s a blended environment. So it’s a blended environment of your RPG, your COBOL, your CL, your DB2 code, things that are running your core business. And you’re going to continue to maintain that and enhance that for years to come. But you’re going to mix that with these new technologies that IBM is coming out with and supporting for the IBM i so that you can work together and use the best tool for the job. 
And you see over here on the open source side, we’re talking about API development on the open source side because it’s really where all the activity in API development is going on. It’s going on in open source languages. And you can do them both on the IBM i. And this is just a chart of the languages by popularity. You can see that JavaScript by far is the most popular language it’s been for a long time. And if you look at this TypeScript line, TypeScript is actually just a version of JavaScript. It’s growing really, really fast. So the JavaScript lead is actually growing. So JavaScript becomes a really, really good technology to use if you really want to take advantage of all the power of APIs and all the performance that’s available. So why use JavaScript? Because it’s very high performance, because you can do transformations very fast. And I’m going to show you an example of this in just a second, how fast you can do transformations in JavaScript. And it’s built for web services. It’s popular, so it’s easy to find resources. As I talked about before, the SDKs are typically in JavaScript. And there’s lots and lots of pre-built components that you can use if you’re using JavaScript. In fact, there’s something like 2 and a half million components on the NPM server that are JavaScript components that you can just download and use. So let’s take a look at an example. So I’m going to create an example here where I’m going to stand up an API that’s going to allow you to call into an IBM i to get information about an order. And then we’re going to get that order back. We’re going to get that data back in JSON data. Then what I’m going to do is I’m going to say, OK, now I’m an IBM i user, and I actually want to call an API that returns a complex JSON data structure. Can you generate the code that would allow me to call that? So I want to call Google Maps, and it gives me this very complex JSON data structure. Can you generate the code for calling that API?

So what I’m going to do is I’m going to flip back over to the Eradani Connect Workbench here. So here we are at the Workbench. And I’m just going to stop the server here, and we’ll close this window and say, OK, I want to go ahead and create an API for this program. So here’s my program. And we can see this program takes a couple of inputs. It takes a customer number and an order number, and it returns a dimension data structure with the order information. And this is actually a real example. This was a customer of ours who let us use this as demo code, but it’s their real order information. And we’ve changed all the names of everything. But this is a real program that people use for getting order information. So first thing we need to do is we need to have a map of this data so that we can do that transformation between the RPG data structure that we’re going to get from running this program and the JSON data that we have to provide to the person calling this API. So somebody is calling this API, and they need to get that back as JSON data. They want to put it into a web page, or they need to integrate it into their system. So they need that mapping. And here is that mapping of that data. And I’m going to show you a little bit about how you get these mappings. But here is the mapping of the data. So I can see all the files, all the fields in it. Here’s the width is a packed decimal, 10-character length, three decimals of precision. So I can see all the information about the different fields that I’m going to be getting from this call. So what I’m going to do is I’m going to say, Eradani, I’d like to create an API around that. So I want to create an API for calling that program. So just like we saw before, same thing. I’ve got a form to fill in here. I say the route is going to be API slash demo slash orders. So I want to get orders this time. It’s a get to a program. And I’m going to create this thing called get orders. 
So I’m getting my orders, the name of my function. And I’m going to go ahead now and generate that. So again, it’s generating all the code now for that API so that I can execute that API. So now it’s finished building code. It’s finished creating the code. I’m going to now go ahead and build it. So I’m now going to compile that code. So I said, here’s the program that I want to get access to. Go ahead and generate for me an API. It generated the API. It’s now gone ahead and built the code for that API. Now I’m going to start my API server. Let’s see what happened here. Oh, hang on for one second. Let me just, looks like I created that before. Let me just. OK, so now it’s generated the code. Sorry, I guess I generated it earlier today and forgot to delete it. So it said it already existed. So now I’m going to go ahead and create that and build the code. And now I’m going to start my API server. OK, so now it’s started the API server. OK, so now I’m going to go in and actually execute that. So we’re going to go out to that location. And instead of customers, this time I’m going to go to that endpoint orders. And I’m not going to put in any data with it yet this time. So notice it comes back. This is that data sanitization I talked about. It comes back and it says, you gave me bad data. You didn’t give me customer ID, which is a required field. And you didn’t give me order ID, which is a required field. So that’s part of the code that’s being generated. It’s getting that for you automatically. So now what I’m going to do is I’m actually going to give it those parameters. And notice what I get back is this very complex JSON structure. So it went out, it did a query out to that orders API that I created. And then it took the RPG data structure, turned it into JSON. Here’s the JSON that I got back. So now I’ve got the JSON code. So if I’m a user of it, I can use that. 
But now I want to show you, you know, I said I’d show you how easy it is to deal with JSON data in JavaScript. I’m going to copy all that JSON data. And because JavaScript is so popular, every one of your browsers actually has a little JavaScript environment included. So I’m going to just take that and I’m going to copy it right here into my JavaScript environment. And that just did it. So it just took all that JSON and separated it out into fields. So it extracted all the fields. So if I go in here and look at this, I can actually see I’ve got that structure here of that load that I got back from the IBM i. And you can see there are arrays within arrays within arrays. And I can drill down through that and I can see all the fields and I can go into any one of those fields and I can see the actual data here that I’m getting back. So all of that was done. There was no parsing. There was, you know, no sort of YAJL stuff, none of that. All the fields here are available for me to use. So if I’m a user of this API, I can just go and get the fields that I want. It’s all right here for me and I can simply add them to my processing. So it’s very, very easy to get the stuff if you’re using JavaScript for your JSON data. Now, let’s say, so now I’m going to take this data. So I’m going to take this JSON data. So what we just did was we created an API around an IBM i program that gave us back this complex JSON data structure that I could use if I’m somebody who’s actually accessing your IBM i. Now let’s say I’m the IBM i user and I want to access an API that sends me back a complex JSON data string like this. So I’ve got this JSON data load. So I’m going to start with the JSON and say, okay, well, here’s the JSON I get back. Can you generate code that will call this API for me? So what I’m going to do is I’m going to take that same JSON and I’m going to go back over here to my generator. You know, let me just close these. 
So we’ve got some space here and I’m going to create a new file and I’m going to call that getorders.json. And I’m going to paste in that JSON payload. So I just, I just pasted in all of that JSON code and I’m going to save that. And then I’m going to go to this and I’m going to go back to, to Eradani. I’m going to say, Eradani, will you generate an interface for me to that JSON payload? 

So now it’s done that. Remember we talked about that mapping of the thing. So it did now, it’s created this getorders. It’s created that YAML file that describes the data. So here I can see, here’s what the data is. So I can see all my data mapping. So I can see all the information from that JSON payload of what I’m getting. And now I can generate the RPG code and the JavaScript code necessary to call this API. Now you notice here, it’s got some field names here that I can fill in. I can create whatever names I want for some of these things, but I’ve already done that here. So I’m going to go ahead now and say, go ahead now and generate an outbound call. So generate something that will call this API with this JSON payload. And I’m going to say the command name is, we’ll call it demo.orders.get. And the function name, which is the, the, the JavaScript is going to be get, I’m going to call that getorders. And then I’m going to call the RPG program get ORDRPG. And then I’m going to say, okay, now go ahead. Let’s generate that. So now it’s actually generating the, the RPG code and the JavaScript code necessary to call that, that the API. And so, so that information then comes, if I go over here, I can now see all the code that was generated. So I can see the RPG codes and see all code that was generated. And then a bunch of JavaScript code that was generated. And if I go in here and look at it, I can look at the program that was generated. And here’s the program that was generated by the system. So this is an RPG code that was RPG program that was generated for me. And the important part of this is down here where it says, okay, call Eradani Connect send request to send out the data that I need to send to call that API. And then the Eradani receive result, which is give me the data that comes back. Again, this can be an asynchronous process where I can send out tons and tons of requests and then just read the data as it comes back. 
But it’s generated all that code for me. And I can, if I want to simply include this as a slash copy member into an existing RPG program. So if I need to do this call as part of an RPG program, I can just include this code. And I now have the code to call that API. And this is the JavaScript code. This is the JavaScript code that it created in order to call the API. So again, it’s generated that code for you. So what I did is I started with the JSON payload, I automatically generated a data map of that. From that, I generated the RPG code and the JavaScript code to call that API. That’s just an example of being able to do that kind of calling. So where I can call in, get information from the IBM i and get it back as JSON data or create an IBM i outbound call using Eradani Connect. So with Eradani Connect, you don’t have to write all the code to do all these things. It builds the authentication code, the authorization code. It builds the transformation code, the error handling code, the data sanitization code, the logging, the monitoring. You can drop in SDK. So all of that’s built for you. And you can reuse it. Once you create these APIs, they can be used for multiple purposes. You can use the same API for a modern user interface or for connecting to your partners or for connecting to your end users. You can use those same API over and over and over again. So they’re reusable. And as you make changes to them, you can simply regenerate the API calls. And then you can, of course, add your own business logic if you want to. And then you can add some additional advanced technology options if you want to. So you can say, you know what, I actually do want to add instead of making these procedural APIs where I go through a business process and then say, OK, now call an API. I instead want an event driven thing. So when an FTP file hits my FTP server, go ahead and execute my API. So wait for that to happen. But as soon as it happens, execute the API. 
Or when a customer hits a certain volume of orders, send me a request. Or if inventory isn’t available, send something out to me. So I can publish messages. And then everybody who subscribes to those messages will see those messages, which means I don’t have to write a whole bunch of custom interfaces. So for example, if I’ve got an e-commerce site where I’m showing my items and people are entering orders through that e-commerce site, if I want to check inventory, I might have to write a custom integration to my inventory system, and then another integration to my pricing system, and another integration to credit availability, and another integration to my shipping partner to get shipping information. So I’m writing a bunch of individual integrations with this PubSub kind of event driven environment. Instead, what you do is you simply post a message to what’s called the broker. The broker then sends the message to everybody who subscribes to it. So it sends it to the inventory system, to the pricing system, to the credit system, to the shipping partner. So I don’t have to write individual integrations. They simply subscribe to the messages. And every time I post a message to the broker, everybody who subscribes gets that message. So any authorized user who has subscribed will get that message and can process that message. So I don’t have to write a bunch of individual integrations. And if you want more about sort of how Kafka works, we’re actually doing a session at the RPG & DB2 Summit. I think it’s on March 16th. We’re doing a session on Kafka and the IBM i. And so we’re going to go into some real detail about this PubSub environment. So if you want to see that, you can go to System i Developer and actually sign up for our session on Kafka and the IBM i. And this is just a real world example of a company. They’re a logistics company and they have a yard where they have all of their trailers and all their containers. 
And the problem they had is truckers were coming to the yard and didn’t know where their containers were or where their trailers were. So they had to drive up and down the aisles to try to find things. And so what they did is they put RFID tags on all the containers and trailers, which simply post messages to the Amazon Simple Notification Service. The yard system subscribes to those messages. So every time those messages get updates, it gets an update. And then truckers subscribe to the Simple Queue Service where the yard system is posting current locations of the trailers. And so the truckers always know exactly where their container is so they no longer have to look around for it. They actually have the current location when they arrived at the yard. So just one real world example of using that kind of pub sub environment. Now, once I stand up these APIs, I need to be able to manage them and track the activity. 

So one of the things that Eradani provides is a dashboard where you can see all the requests coming in. What’s the response time you’re giving? How much CPU is being used? If there have been any errors, you can drill in and see what the errors are. So you can manage all the stuff that’s happening with your APIs and the activity that’s coming in. And you can do things like rate limiting. So you can say, you know what, if somebody is giving me 100 requests a minute and suddenly it goes to 10,000 requests a minute, slow them down or throttle them. Or I only want to allow this user to have this many API calls. Or same thing on outbound. I don’t want a whole lot of outbound API calls going out, so throttle that. So I can limit how many API calls are coming in and how many are going out. And I can do that by user, by endpoint, by a lot of different criteria. I can also block IP addresses or enable IP addresses to come into the system. So I can stop people from getting to my system before they ever get to the IBM i. And then I can also do health checks where I can go out and say, you know, tell me, is the API up and running? Is it providing the kind of response time I’ve promised? So make sure that my APIs are all healthy and running. I don’t want to have to wait until somebody tells me the API is broken to know that it’s not working. And then you get detailed logs and say, here’s everything that happens. So here you can see in the log, you know, I got an API request. I read some records from the database. I executed a bunch of RPG program calls. I executed an API call to an outside API. So I can see everything that’s happening. And if something breaks, I can see exactly where it breaks and I’ll get meaningful error messages. I can also see the timing. So I can see if something, if there’s a slowdown, if something is not going fast, I can see where the slowdown is occurring. 
So that’s kind of managing the operations of it, but you also need to manage the development and deployment of the APIs. So again, you’re in this blended environment where I’ve got, you know, some JavaScript code, or I’ve got some Python code, or I’ve got some PHP code, and I’ve got my RPG code. How do I manage them together? And again, if we go back to Steve Will’s slide, we’re talking about DevOps being something you want to use open source tools for. And so you can manage that kind of blended environment where you’ve got your RPG code and then all of your other kinds of code, and you want to be able to manage them together. So you can do that, and you can do that using the latest tools. So you can manage everything using Git, if you want to do that, which can manage both your open source code and your IBM i code. And you can use tools like Jenkins and Azure DevOps for doing your builds and doing your deployment. So you can move things from development to test, to QA, to production with your APIs, and make sure that the changes on both sides of the house are moving in sync. So you don’t have to worry about getting out of sync between the two sides of the house. And just to give you a kind of an example of that, here is a, you know, here is a GitHub environment that has RPG code in it. So you can see a lot of things look like RPG source files, and it has non-RPG code. So it has a bunch of JavaScript code, and they’re all managed together in GitHub. So you can manage all those things together.

Dan, just jumping in here, we have about four minutes left in the session.

Yeah, I just got a couple of slides left, and we will be done.

Great, and then we’ll have a couple-

So basically, the idea is Eradani Connect gives you this central API layer around your IBM i with APIs that are secure, that are high performance, and that you can manage. And you can reuse those APIs for lots and lots of different purposes. 
So once you create those APIs, they become this universal reusable connector to your IBM i back end. And if you need help on any of this stuff, you’re going to get a bunch of these links for, you know, this is kind of a cool one. The SSL Labs will actually go out and hit your APIs, and they’ll tell you if you have security issues. So you can actually go out there and get a grade on how secure your API environment is. So there are lots and lots of things you can do, and there will be links in the materials we give you to go to these sites. And finally, if you need some help, we have, Eradani has people that this is all they do all day long, is they work on API enablement for the IBM i. We have tons and tons of experience doing this, and we can help you with this. So feel free to reach out to us. And Mike, that’s basically it. So, you know, the kind of the run through, very fast run through the 10 questions it asks. And again, we’re going to give you some materials to help you when you want to get back to this, or you can come back to the recording.

Great. Just packed full of great information. So you’ll have, like Dan said, you’ll have the recording, you’ll have the slide deck, and you’ll have access to the worksheet. So we’ll get that all sent out to everyone. Dan, there’s a couple of questions I think we can use the last few minutes to hit those. I think they’re good questions. Yeah, yeah, yeah. So the, so yeah, Eradani does have an API, so our Eradani Connect is an, does have embedded within an API server. So, so it is an API server that you can use for it. But there, there are lots of things it can connect to. So it can connect to a whole lot of IBM i things, but it has its own, its own server. And it’s a very lightweight, very fast server. So we don’t require things like Apache, which can be very heavyweight and it has a lot of Java code in it. So it can, it can be, it can create performance issues. So yes, it does have its own API server. We can handle, you know, any, any size JSON payloads. We have, we have multi gigabyte JSON payloads that we, we’ve had to deal with with customers so we can handle very, very, very large JSON payload. And Mike Corbo, yes, that was that. Exactly. That was your app, the, the yard management system. So I know we have some, we have some Eradani customers on the call today. I would, I would guess a few of them recognize their apps here today. And then, and yeah, and I think Josh posted to the chat, the, the Kafka session where you can go to register if you want to go see the Kafka session at the DB2 Summit. Let’s see, it looks like maybe a couple other questions have arrived since I look. Yep. So, so yes, we, so DevOps is, is not included in Eradani because we actually have customers who have lots and lots of different ways of doing change management so we can integrate with your existing change management. But we do have a DevOps module if that’s something that you’re interested in that, that Eradani provides, but it is a separate thing. 
And Node.js can actually, we can run, the Node.js server can run on the IBM i. It runs in the PASE environment on the IBM i, or it can run on a Windows, attached Windows or Linux or Unix server. We actually have people who are running it in the cloud because Eradani Connect is actually a Node.js application. It can be put into a Docker container and deployed as in a Kubernetes cloud. So you have a lot of choices of how to deploy it and it’s kind of up to you and you can mix and match. You can have some things on your IBM i and some things on other platforms.

Fantastic. Dan, you are right on the hour, right on the mark. Perfect. Great job. Thank you everyone for attending. As we said before, everything will be sent out to you, links to all the content. If you have any questions, we’re easy to get a hold of. Dan is Dan@eradani.com. You can send it to Mike@eradani.com and I’ll get your questions to the right place. Thank you everybody for attending and have a great rest of your day.