Two Peas in a Pod — Endevor and the Zowe API Mediation Layer
{Ecosystem} On April 27, 2022, Open Mainframe Project’s Zowe V2 LTS was officially welcomed into the world. As well as being a significant milestone in the continuing evolution of the Zowe project, it was also an opportunity for all those Zowe V1 vendors and community extenders to restate their commitment to Zowe by confirming Zowe V2 conformance.
One of the first vendor solutions to gain their Zowe V2 conformance badge for both the Zowe CLI plugin and REST API was Endevor. Of course, with over 75 conformant extensions for Zowe V1, plus 42 and counting for Zowe V2, Endevor is just one of many vendor solutions to recognize the importance of Zowe. However, as the leading mainframe software change management tool, the Endevor extensions for Zowe have significant reach, bringing new value to a large portion of the mainframe development community. In this blog post, I want to explore why you should integrate with the Zowe API Mediation Layer, as a DevOps Engineer looking to modernize your Endevor experience.
Rose Sakach wrote a blog post on the Endevor Zowe CLI plugin and the innovative automation, pipeline, code scanning and testing opportunities it enables. Vaughn Marshall, in his blog post Setting up Endevor for Zowe CLI, wrote about how to get started with the Endevor Zowe CLI plugin and also recommended integration with the Zowe API Mediation Layer. Both these articles are well worth checking out if you haven’t already.
Let’s recap the general benefits of the Zowe API Mediation Layer. Gregory MacKinnon wrote a blog post on how the Zowe API Mediation Layer “provides a scalable, highly-available single access point for clients to find and consume system-oriented REST APIs in a controlled, secure, and easy-to-use way.” APIs that allow CLIs and other client applications access to infrastructure services on the mainframe are at the heart of Zowe. The Zowe API Mediation Layer’s role is to manage infrastructure APIs originating from z/OS. In the same way that Kubernetes or AWS is tightly coupled with a mediation layer to manage the APIs they offer for operational purposes, so too the Zowe API Mediation Layer is intended to provide gated, performant access to z/OS services, such as the Zowe-conformant Endevor REST API.
It achieves this in a number of ways. Firstly, by acting as a single point of access. It exposes only one port, acting as a reverse proxy which minimizes the attack surface on z/OS. Secondly, it enables Zowe Single Sign On (SSO) use cases and scenarios. An API user logs in once, and can use the returned token to access multiple REST services behind the Zowe API Mediation Layer gateway.
Thirdly, it provides enterprise grade security by supporting basic authentication, certificates and tokens, in addition to multi-factor authentication. Finally, it includes an API Catalog that provides an interface to view all onboarded APIs, including Swagger documentation and code snippets, in a user-friendly manner.
It’s also worth noting that the Zowe API Mediation Layer is not just geared towards exploiting the available Zowe-conformant APIs built by Broadcom, IBM and others. It can also be used to mediate home grown, internally-developed infrastructure APIs.
Now that we understand the benefits, let’s look at some actual scenarios where Endevor and the Zowe API Mediation Layer work hand in glove. There are a number of Endevor tools that are built on the Zowe-conformant Endevor REST API, such as the Endevor Plug-in for Zowe CLI, Endevor Bridge for Git and the Explorer for Endevor VS Code Extension. Having the Endevor REST API onboarded to the Zowe API Mediation Layer makes your REST API details such as availability status and reference documentation available through the API Catalog.
If you choose to run multiple instances of the Endevor REST API to ensure high availability, the API ML can provide workload balancing and increased API throughput. This also helps from a maintenance perspective, in that you can also achieve zero downtime when deploying a new version of the Endevor REST API.
If you’re keen on seeing usage data for the Endevor REST API then you’ll want the API Audit Log for Zowe API Mediation Layer. This is a Brightside exclusive extension to Zowe API Mediation Layer that provides unified auditing logs. Once installed, you can use a log analytics utility to view request data and authentication information for the Endevor REST API. It’s optimized for use with the Elasticsearch, Kibana and Logstash (ELK) stack as the means for displaying data. As such, you can use ready-to-use dashboard templates for data visualization with either a new or existing ELK stack.
When it comes to security, the Zowe API Mediation Layer has different authentication options for onboarded services. As an Endevor Bridge for Git administrator this gives you additional flexibility in securing your configuration, in particular if you need to adhere to a certain authentication method required by your internal security policy. For example, using x509 client certificates that remove the need for storing mainframe credentials in Bridge for Git. Or using personal access tokens where the Bridge for Git administrator does not want to generate and manage client certificates for each user. These tokens offer access to specific services for a specific time. Just like client certificates, these tokens enable access to Bridge for Git without needing the mainframe credentials of a user.
Client certificates via the Zowe API Mediation Layer also come into play where Endevor tooling is part of a CI/CD pipeline. As an example, let’s imagine that you are using the Zowe CLI to drive interaction with z/OS in order to have build, deploy and test automation for your mainframe application. Your goal is to include this automation in a continuous integration pipeline so that you can be sure your tests pass after each code change.
In order for the pipeline to run, mainframe credentials are required for access to various services, including Endevor via the CLI plugin. CI orchestration tools can help with the handling of sensitive data. Alternatively, the Zowe CLI supports the use of certificates for logging into the Zowe API Mediation Layer. If your pipeline includes a Zowe CLI that is integrated with the Zowe API Mediation Layer, you can simply replace user names and passwords with client certificates, thereby ensuring this highly sensitive information is not at risk of compromise. As David Janda points out in his blog post, certificates are far more secure than passwords and are typically longer living, removing the need to manually update credentials on a regular basis in your pipeline.
All the examples above show how onboarding the Endevor REST API with the Zowe API Mediation Layer will make your Endevor environment:
- More resilient with high availability, load balancing and increased API throughput
- More closely monitored thanks to the API Audit Log extension
- More secure with token and certificate based authentication
All Zowe releases are available at zowe.org/download. The Zowe API Mediation Layer can be found in the ‘Server Side Component Installer’ and can be installed as SMP/E, convenience build, Portable Software Instance (PSWI) or a container image for running unix components under k8s orchestration.
You’ll find the Broadcom distribution of Zowe at support.broadcom.com in the ‘My Downloads’ area if you are an Endevor customer. Alternatively, if you’re not an Endevor or Brightside customer, you can also access a Broadcom distribution of Zowe here.
If you enjoyed this blog check out more Zowe blogs here. Or, ask a question and join the conversation on the Open Mainframe Project Slack Channel #zowe-apiml, #zowe-cli, #zowe-dev, #zowe-user, or #zowe-onboarding.
Zowe is owned and managed by the Open Mainframe Project, which is a Linux Foundation project.
Thanks to Vaughn Marshall for his invaluable input to this blog.
