API landscape overview

API Landscape Overview

This section describe general overview of API landscape (API Platform). First, it describes a simplified picture then drills down into details. The idea is to describe what elements the API Platform consists of, where they are located, how the trafic goes and what is the purpose of all elements. As Iptor os focusing on cloud solutions, this article is only describing the API Platform for Cloud customers. To see differences between cloud and on-prem solution read article “Two API Streams”.

General overview of API Landscape in Cloud

The picture above describes a general overveiw of API landscape in Cloud. To expose API, Iptor uses the following elements:

  • Backend The IBM i server with installed DC1 and RPG programs which acts as API
  • API Bridge The middle layer which converts HTTP requests into RPG program calls
  • API Documentation (The documentation server which serves OpenAPI documentation files. These files can be read/injected to API Bridge and API Gateway. Additionally, API documentation may be shared with end users/developers from Developer portal).
  • API Gateway (The service layer which controls access and usage of API, counts requests, redirrect traffic etc)
  • Developer portal (The Web Portal where developers can discover API delivered by Iptor)
  • Security layer which contains: Reverse proxies, Firewalls, Keycloak authentication

Additional elements in API landscape are:

  • Aperio Client which plays role of publishing simple Mobile application
  • API Mock server which can be used by developers to explore and test APIs

Backend

Backend

By Backend we mean IBM i with installed DC1 software where RPG programs act as API. To write RPG API programs developers need to use the toolset from Aperio Backend library (IAF100AP). Aperio Backend library plays also a role in communication between API Bridge and IBM i.

Middle Layer

Middle Layer

The middle layer consists of a number of elements installed on OpenShift. The central point of API labdscape is API Bridge. This element is responsible for communication between “internet” and IBM i. API Bridge “translates” HTTP requests to RPG calls on IBM i, then the data returned by RPG program is converted back to HTTP response. All API RPG programs located on the backend must be documented in API documentation using industry standard format (OpenAPI). This documentation is injected into API Bridge. By this, API Bridge knows how to translate HTTP to RPG and RPG to HTTP. To work correctly, API Bridge requires OpenAPI specification with description of all API RPG programs. To help developers discover or test API programs we deliver API mock server. This Server pretend to be IBM i and produces fake responses. More information You can find here. Very important role in API Landscape plays Keycloak. Keycloak is an authentication server. All API requests comming to API Bridge are verified in Keycloak. Evey API must contain HTTP header “Authorization”. This value must contain word “Bearer " followed by token issued by an authentication server. In our case it is Keycloak. This value is checked by API Bridge and verified by Keyclok. More information about Keycloak you can find here.

Authorization = "Bearer {token fronm keycloak}"

There can be more security elements like Firewall or reverse proxy which limit access to API Bridge. The access to API Bridge is limited only to API Gateway. So, the trafic from API consumer goes trough API Gateway then trough security layer then through API Bridge to Backend.

API Management (Gateway + Developer Portal)

The first element which is exposed/shown to the end user is API Gateway. Its role is to measure and monitor API traffic and redirect API calls to correct API Bridges. It exposes the description of APIs to the developers and gives developers possibility to play with APIs by providing Mock server or allow to run API requests dirrectly from a web page. API Gateway secures the traffic by blocking unauthorized calls. Requests are authorized by Keycloak (for now). API Gateway can provide subscription keys which must be send together with each API call, etc… More information you can find here.