CVE-2021-4314: GitHub - zowe/api-layer: The API Mediation Layer provides a single point of access for mainframe service REST APIs.

It is possible to manipulate the JWT token without knowledge of the JWT secret and to authenticate as any user without a valid JWT token. This happens only when z/OSMF does not have APAR PH12143 applied. This issue affects versions 1.16 to 1.19. Services that query through the ZAAS client or the API ML API are deceived into believing the information in the JWT token is valid when it is not. This can be used to persuade the southbound service that a different user is authenticated.
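The defect described above is a token being trusted without its signature being tied to the secret. The following verifier, an added example that is not code from the Zowe project, shows the checks a consumer of an HS256 JWT must perform before trusting the user in its claims: pin the algorithm, recompute the MAC over the received header and payload with a constant-time comparison, and enforce expiry. The `sign_hs256` helper and the secret are constructed for the example only.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    # Constructed helper used only to mint a test token; not API ML code.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims only if the token is well-formed, HS256-signed with
    `secret` and unexpired; any failure returns None (reject, never 'trust')."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Pin the algorithm: a header-chosen "none" or a different alg is not honoured.
    if header.get("alg") != "HS256":
        return None
    # Recompute the MAC over the bytes actually received; this is what binds the
    # claims (e.g. the user in "sub") to the secret. Compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if "exp" not in claims or int(claims["exp"]) <= now:
        return None
    return claims
```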


API Mediation Layer


The API Mediation Layer (API ML) provides a single point of access for mainframe service REST APIs. The API ML offers enterprise, cloud-like features such as high-availability, scalability, dynamic API discovery, consistent security, a single sign-on experience, and documentation. The API ML consists of three components: the Gateway, the Discovery Service, and the API Catalog. The API ML facilitates secure communication across loosely coupled microservices through the API Gateway. The Discovery Service enables you to determine the location and status of service instances running inside the API ML ecosystem. The API Catalog provides a user-friendly, easy-to-use interface to view all discovered services, their associated APIs, and Swagger documentation.

Notes:

  • For more general information for end-users, see the API ML Overview.
  • To learn more about changes to the API ML, consult the CHANGELOG.
  • For developers, review the developer documentation and the Contributor guidelines.

Contents

  • Run API Mediation Layer locally
    • Prerequisites
    • Quick start
  • Security
  • Run integration tests
  • Certificates
  • Contributor guidelines
  • Local configuration of services
  • Onboarding Services
  • More Information
  • Contact Us

Run API Mediation Layer locally

Prerequisites

The following platform is required to run the API Mediation Layer:

  • Java SE Development Kit 8
    • https://jdk.java.net/java-se-ri/8-MR3
    • http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
    • https://www.ibm.com/developerworks/java/jdk/

The following tools are required to build and develop the API Mediation Layer:

  • Node.js version 10.23.3 and npm must be installed globally to run npm commands in the project root folder.

    • https://nodejs.org/dist/

    • During the build, the correct Node.js version is downloaded automatically and used for the build.

Quick start

Follow these steps:

  1. Build all modules:

  2. Install concurrently globally:

npm install -g concurrently

  3. Run all services on your local machine:

Alternatively, to use Docker to run the API ML, consult the Docker README.

Security

The API Mediation Layer can use dummy credentials for development purposes. For development, log in with the default credentials: user as the username and user as the password.

For more information, see API Mediation Layer Security.

Run integration tests

To run integration tests, follow the instructions in Integration Tests.

Certificates

For more information about how the certificates between API ML services are set up for localhost, see TLS Certificates for localhost.

Contributor guidelines

To add new functionality, follow the guidelines in Contributing.

Local configuration of services

To set local environment properties for testing on your local machine including HTTPS setup, follow the guidelines in Local Configuration.

Review IDE setup to see how to configure popular IDEs for API ML development.

Onboarding Services

For guidelines to onboard services, see Zowe Docs#Onboarding Overview.

More Information

To learn about a component, refer to the listed source:

  • Core Service - API Catalog: Zowe Docs
  • Core Service - API Catalog UI: README
  • Core Service - Discovery Service: Zowe Docs
  • Core Service - Gateway Service: Zowe Docs
  • Core Service - Metrics Service: README
  • Core Service - Metrics Service UI: README
  • APIML SDK - Java Enabler: Zowe Docs
  • APIML SDK - Micronaut Enabler: Zowe Docs
  • APIML SDK - Node.js Enabler: Zowe Docs
  • APIML SDK - Spring Enabler: Zowe Docs
  • APIML SDK - ZAAS Client: Zowe Docs
  • Sample Service - Java Enabler: README
  • Sample Service - Spring Enabler: README
  • Sample Service - Micronaut Enabler: README
  • Sample Service - NodeJS Enabler: README

Contact Us

Get in touch using Zowe Communication Channels. You can find us in the #zowe-api channel on Slack.
