Advanced IBM i JT400 - Part 1. (WebProxy)

NOTE: This is a continuation of Advanced IBM i JT400 networking.

In this chapter we will write about advanced JT400 Proxy usage with the help of Green Screens Server.

If you are not familiar with the Green Screens Server for IBM i product, one of its core concepts is to act as an isolation layer between online end users and the IBM i server in the background, especially if the IBM i server is used in the cloud.

Green Screens Server can run inside the DMZ while the IBM i server stays behind the firewall. In case of an attack, the attack will happen only at the Green Screens Server, without affecting the IBM i.

For Green Screens Server to fully operate as an isolation layer, having an ultra fast web based 5250 terminal is only part of the story. Other commonly used services, quite often used in separate client software, rely on JT400, including AS400JDBCDatabaseDriver, AS400JDBCDataSource and many more. To use them in a safe manner, different channels were required.

Not any more. Green Screens Server V6 brings an embedded proxy tunnel directly into the web server, without the need to use JT400Proxy Server, utilizing modern +JEE9 Jakarta based servlets with ASYNC support.

To achieve that, we needed to update the JT400 library to expose an internal class. A few small changes were also added to support custom URL paths, which in the original code are fixed values that are not always practical in a custom environment.

Why is this so important?
Green Screens Server supports API token based access per installed service, used to control access based on IP address. Additionally, service credentials for accessing the IBM i server are supported, without sharing the credentials with the external service or user.

JT400 can use that feature with absolutely minimal code changes. But, before digging into examples...

The Green Screens embedded Proxy Service has 2 URL endpoints (tunnel and token).

The tunnel endpoint is the URL the JT400 library uses to connect to the background IBM i system, with access controlled by an API key (controlled by IP address). Internally, full web server based TLS/SSL encryption is supported, along with "asynchronous" thread safe +JEE9 servlet processing.

Let's look at a simple example that connects to the IBM i behind the DMZ and Green Screens Server.

final String proxy = "https://gsserver.greenscreens.ltd/service.proxy/tunnel?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868";

final AS400 as400 = new AS400("ibmserver");
as400.setProxyServer(proxy);
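
The tunnel URL above carries the API key in its query string, so the key ends up wherever the URL does (source control, logs, exception messages). The following is an added example, not part of the Green Screens or JT400 code, that reads the key from the environment, accepts only an HTTPS endpoint and masks the key before logging. The class name TunnelConfig and the environment variable names are assumptions, and it presumes the patched JT400 library described in this article, which accepts a URL in setProxyServer.

```java
import com.ibm.as400.access.AS400;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example: builds the tunnel URL from configuration instead of a literal in source.
public final class TunnelConfig {

    // Assumed environment variable names (not defined by Green Screens Server or JT400).
    static final String ENV_BASE = "GS_PROXY_BASE"; // e.g. https://gsserver.greenscreens.ltd/service.proxy
    static final String ENV_KEY = "GS_PROXY_KEY";   // API key issued for this service

    /** Returns <base>/tunnel?key=<key>, refusing anything that is not an absolute HTTPS URL. */
    static String tunnelUrl(final String base, final String key) {
        if (base == null || key == null || key.isBlank()) {
            throw new IllegalStateException("proxy base URL and API key must both be configured");
        }
        final URI uri = URI.create(base);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException("tunnel endpoint must be an absolute https:// URL");
        }
        if (uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("base URL must not carry a query or fragment");
        }
        final String path = base.endsWith("/") ? base.substring(0, base.length() - 1) : base;
        return path + "/tunnel?key=" + URLEncoder.encode(key, StandardCharsets.UTF_8);
    }

    /** Masks the key value so the URL can be written to logs or exception messages. */
    static String redact(final String url) {
        return url.replaceAll("([?&]key=)[^&]*", "$1***");
    }

    // setProxyServer declares PropertyVetoException, hence "throws Exception".
    public static void main(final String[] args) throws Exception {
        final String proxy = tunnelUrl(System.getenv(ENV_BASE), System.getenv(ENV_KEY));
        final AS400 as400 = new AS400("ibmserver");
        as400.setProxyServer(proxy);   // same call as in the snippet above
        System.out.println("JT400 proxy set to " + redact(proxy));
    }
}
```

The same redact helper applies to the token endpoint URL and to a JDBC URL that embeds the tunnel URL, since both carry the key parameter.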

The token endpoint is a URL used to retrieve a ProfileTokenCredential generated on the Green Screens side. The credential can be used independently for a direct connection to the IBM i (if required) or through the Green Screens Server Proxy tunnel.

Here is a simple pseudo-code example that generates an IBM i access token without knowing the username or password, using Green Screens Server Proxy Service, an API key, and the token endpoint.

NOTE: Functions FactoryProxy400.getToken and FactoryProxy400.getCredential are part of the Green Screens Client library, which is not published yet.

final String tokenURL = "https://localhost/service.proxy/token?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868&proxy=false";

final AS400 system = new AS400("ibmserver");
final ObjectNode node = FactoryProxy400.getToken(tokenURL);
final ProfileTokenCredential credential = FactoryProxy400.getCredential(node);

credential.setSystem(system);
system.setProfileToken(credential);

The example above retrieves a token for accessing the IBM i server directly. To connect through Green Screens Server Proxy Service, the code change is minimal.

final String proxy = "https://gsserver.greenscreens.ltd/service.proxy/tunnel?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868";

// --> notice proxy=true change
final String tokenURL = "https://localhost/service.proxy/token?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868&proxy=true";

final AS400 system = new AS400("ibmserver");
final ObjectNode node = FactoryProxy400.getToken(tokenURL);
final ProfileTokenCredential credential = FactoryProxy400.getCredential(node);

credential.setSystem(system);
system.setProfileToken(credential);

system.setProxyServer(proxy);        // <--- redirect through proxy

Once the AS400 instance is created, all other types of JT400 connections are available through the encrypted tunnel, including JT400JDBCDataSource, JT400JDBCDatabaseDriver, JT400FTP, JT400JPing.

To use the proxied connection above with the JDBC driver to open a database SQL connection:

final AS400JDBCDriver driver = new AS400JDBCDriver();        
final Connection conn = driver.connect(as400);

To use the JT400 Database Driver with the Driver manager:

// preload driver
Class.forName("com.ibm.as400.access.AS400JDBCDriver");

final String proxy = "https://gsserver.greenscreens.ltd/service.proxy/tunnel?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868";

final String jdbcUrl = String.format("jdbc:as400://ibmserver;proxy server=%s", proxy);
final Connection conn = DriverManager.getConnection(jdbcUrl, "demo", "demo");

To use the JT400 JDBC DataSource:

final String proxy = "https://gsserver.greenscreens.ltd/service.proxy/tunnel?key=88c4bdf1-eb92-423f-8a18-8ee0ba4c6868";

final AS400JDBCDataSource ds = new AS400JDBCDataSource("ibmserver");
ds.setProxyServer(proxy);
ds.setUser("demo");
ds.setPassword("demo".toCharArray());

final Connection conn = ds.getConnection();

The latest JT400 library with the combined Green Screens changes can be found at our GitHub repository.

And if you have any comments or want to participate, the original change request to add a custom URL path and query parameters to the ProxyClient can be found here.