Headline
CVE-2021-4314: GitHub - zowe/api-layer: The API Mediation Layer provides a single point of access for mainframe service REST APIs.
It is possible to manipulate a JWT without knowledge of the JWT secret and to authenticate as any user without a valid JWT. This happens only when z/OSMF does not have APAR PH12143 applied. This issue affects versions 1.16 to 1.19. Services that use the ZAAS client or query the API ML API are deceived into believing the information in the JWT is valid when it is not, which can be used to persuade the southbound service that a different user is authenticated.
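The advisory's core point is that a consumer acted on JWT claims it had not actually verified. The following is an added example, not zowe/api-layer code, and it does not reproduce the specific defect behind CVE-2021-4314 or the z/OSMF behaviour fixed by APAR PH12143; it models the failure mode in general terms with the Python standard library: an attacker who does not hold the signing secret rewrites the subject claim (or emits an unsigned `alg: none` token), an unsafe consumer that decodes the payload without checking the signature accepts the forged identity, and a verifier that pins the algorithm, checks the HMAC in constant time and enforces expiry rejects it. `DEMO_SECRET`, the claim values and the fixed clock are constructed for the demo.

```python
"""Verified vs unverified JWT consumption (added example, not project code)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for the demo


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (what a legitimate issuer does)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker without the secret rewrites the payload and leaves the stale signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def forge_unsigned(claims: dict) -> str:
    """Attacker without the secret emits an 'alg: none' token with an empty signature."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


def claims_without_verification(token: str) -> dict:
    """Unsafe consumer: decodes the payload and trusts it; the signature is never checked."""
    _header, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Safe consumer: returns the claims only if algorithm, signature and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: 'none' and anything other than what we issue is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch cannot be located byte by byte via timing.
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    # Design choice for the demo: a token without an integer 'exp' is treated as invalid.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    genuine = sign_hs256({"sub": "user", "exp": now + 3600}, DEMO_SECRET)
    forged = forge_subject(genuine, "admin")
    print(claims_without_verification(forged)["sub"])  # admin: the unsafe consumer is fooled
    print(verify_hs256(forged, DEMO_SECRET, now))       # None: the safe consumer rejects it
```

The check a practitioner wants from any JWT consumer is the one in `verify_hs256`: never derive identity from the payload until the algorithm is pinned and the signature has been recomputed over the exact header and payload bytes received, and never let a token with an empty or `none` signature through.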
API Mediation Layer
The API Mediation Layer (API ML) provides a single point of access for mainframe service REST APIs. The API ML offers enterprise, cloud-like features such as high-availability, scalability, dynamic API discovery, consistent security, a single sign-on experience, and documentation. The API ML consists of three components: the Gateway, the Discovery Service, and the API Catalog. The API ML facilitates secure communication across loosely coupled microservices through the API Gateway. The Discovery Service enables you to determine the location and status of service instances running inside the API ML ecosystem. The API Catalog provides a user-friendly, easy-to-use interface to view all discovered services, their associated APIs, and Swagger documentation.
Notes:
- For more general information for end-users, see the API ML Overview.
- To learn more about changes to the API ML, consult the CHANGELOG.
- For developers, review the developer documentation and the Contributor guidelines.
Contents
- Run API Mediation Layer locally
- Prerequisites
- Quick start
- Security
- Run integration tests
- Certificates
- Contributor guidelines
- Local configuration of services
- Onboarding Services
- More Information
- Contact Us
Run API Mediation Layer locally
Prerequisites
The following platform is required to run the API Mediation Layer:
- Java SE Development Kit 8
- https://jdk.java.net/java-se-ri/8-MR3
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
- https://www.ibm.com/developerworks/java/jdk/
The following tools are required to build and develop the API Mediation Layer:
Node.js version 10.23.3 and npm must be installed globally to run npm commands in the project root folder.
https://nodejs.org/dist/
During the build, the correct Node version is downloaded automatically and used for the build.
Quick start
Follow these steps:
Build all modules:
Install concurrently globally:
npm install -g concurrently
- Run all services on your local machine:
Alternatively, to use Docker to run the API ML, consult the Docker README.
Security
The API Mediation Layer can use dummy credentials for development purposes. For local development, log in with the default credentials: user as the username and user as the password. These dummy credentials are for development only and must not be used in a production deployment.
For more information, see API Mediation Layer Security.
Run integration tests
To run integration tests, follow the instructions in Integration Tests.
Certificates
For more information about how the certificates between API ML services are set up for localhost, see TLS Certificates for localhost.
Contributor guidelines
To add new functionality, follow the guidelines in Contributing.
Local configuration of services
To set local environment properties for testing on your local machine including HTTPS setup, follow the guidelines in Local Configuration.
Review IDE setup to see how to configure popular IDEs for API ML development.
Onboarding Services
For guidelines to onboard services, see Zowe Docs#Onboarding Overview.
More Information
| To learn about | Refer to |
|---|---|
| Core Service - API Catalog | Zowe Docs |
| Core Service - API Catalog UI | README |
| Core Service - Discovery Service | Zowe Docs |
| Core Service - Gateway Service | Zowe Docs |
| Core Service - Metrics Service | README |
| Core Service - Metrics Service UI | README |
| APIML SDK - Java Enabler | Zowe Docs |
| APIML SDK - Micronaut Enabler | Zowe Docs |
| APIML SDK - Node.js Enabler | Zowe Docs |
| APIML SDK - Spring Enabler | Zowe Docs |
| APIML SDK - ZAAS Client | Zowe Docs |
| Sample Service - Java Enabler | README |
| Sample Service - Spring Enabler | README |
| Sample Service - Micronaut Enabler | README |
| Sample Service - NodeJS Enabler | README |
Contact Us
Get in touch using Zowe Communication Channels. You can find us in the #zowe-api channel on Slack.