You can open your IBM i (AS/400) applications to new channels — without sacrificing security.
So, you finally decided to pull the trigger (or convinced your bosses to) and your digital transformation is underway. Now you’ll be able to open your IBM i applications and deliver the modern digital services your staff and customers are demanding. These demands may include access to data when away from the office, mobile applications to allow customers to use your services directly, or better ways to connect to cloud based partner applications. The promise of “access from anywhere” is like a dream come true!
But, what about security?
The more you think about it, the more you may start to worry that “access
from anywhere” could actually be a nightmare. But it doesn’t have to be.
You just have to think it through during implementation – you may even find that your current processes and procedures are already a solid foundation.
For example, IBM i applications are traditionally secure because they force users to log in for each session. Some companies might have added web services with XML strong typing. The issue is many companies want to complete digital transformation with modern JSON based APIs. If the solution chosen is designed right, you can keep your current login procedure but add some modern security built for the web. Also, if the implementation of the JSON API is Java based, then strong type checking is included.
Security starts with the login and authorization, so managing user registration and identities is critical. A service like Users Account and Authorization (UAA) Server, the identity management service for Cloud Foundry, is an OAuth2 provider that issues tokens for client apps to use when they act on behalf of Cloud Foundry users, to authenticate their credentials.
The open oAuth protocol is a proven winner, purpose-built to allow secure
authorization in a standard method from web, mobile and desktop
applications. UAA is powered by OAuth 2.0, the next evolution of the protocol
What makes OAuth 2.0 such a good fit is that it focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. OpenLegacy REST API projects provide active OAuth 2.0 support out of the box. Registration of clients is possible from the management console or optionally open for public client registration.
Now without getting too technical, UAA’s architecture intercepts requests at the gateway level and separates logic into different microservices. From a security standpoint, the benefit is that each request only pulls a small amount of data that the specific microservice needs. So, in the case of any compromise, the requester doesn’t get access to the whole system – only to the specific data that microservice requests.
The system of record remains your IBM i system, and a UAA service job would then become the central repository for all your microservice authentication needs. So, attacks would have to go through two levels of authentication.
For our clients, the microservice-based OpenLegacy platform offers SSO (Single Sign-On) on the gateway to query the UAA about requests and relays tokens downstream to all other microservices. This is a critical difference from other solutions, in that OpenLegacy calls the client’s system directly from the API. This allows the authentication to go through our clients’ currently-used systems.
In terms of timing, implementation is straightforward, and the service is ready to go right out of the box, so you should see minimal downtime to your existing system. In addition to the ease of use of SSO, there are a number of other benefits you’ll see almost immediately:
- Safer user authentication with centralized identity management
- The ability to delegate access to services
- Simpler user account management
- Easier token management through client application registration
As you see, you can open your IBM i applications to new channels and keep your systems secure. With just a little bit of foresight and planning, you can rest easy when it comes to “access from anywhere.” OpenLegacy offers a default implementation to manage clients and users and easily plug and play the solution in a microservice or any other location.