Modern JT400 Proxy

The main question is how other software products that use JT400 can access IBM i when there is no direct access to it. Let's go straight to the answer: what is Modern JT400 Proxy?

It is an improved version of the JT400 TunnelProxyServer that allows JT400 to be used over HTTP/HTTPS, with advanced security features such as API key or YubiKey support.

If you are in the IBM i world, you might be familiar with the powerful and versatile JT400 Java library, which allows you to develop almost any software to handle tasks on IBM i. One of its features is "ProxyServer", a standalone proxy service for JT400. An alternative approach is to use the TunnelProxyServer mentioned above as a Java Servlet.

Both features can be very useful when you have a cloud-related product whose basic principle is to isolate IBM i from direct access. However, these features are not without limitations...

The standalone proxy service requires a special port to be opened, a tricky TLS setup and so on, while TunnelProxyServer is tied to a specific URL and does not support additional URL query parameters, which is very important in our case.

Green Screens Service for IBM i is not just a 5250 terminal server. It is much more than that, especially with the set of new features available in the latest V5 release. Green Screens V5 brings a modular design with a set of standalone, or better to say lightly integrated, modules and services within the Green Screens Core system. Signal IM service integration, which we recently wrote about, is one of them.

Many of those extra modules are written in a modern way, exposing APIs through WebSocket, REST, Quark Engine etc., so that services can be called even from a browser. That opens a lot of integration possibilities for 5250 web terminal services. All those services are protected with API keys, which are the core API protection mechanism. That is why the standard JT400 TunnelProxyServer was not enough, so we decided to create an improved version that can use Green Screens features.

This new improved version is not only about adding proxy URL query support and API key access control. The internal mechanism uses modern asynchronous, thread-optimized Java Servlets, a custom URL, API key controlled access and a simple standalone client module which extends the current JT400 library and enables the new features.

Existing standalone programs that use JT400 require minimal changes: adding our JT400 Extra lib and changing a few lines of code allows them to connect to the IBM i through Green Screens Terminal Services in HTTP/HTTPS mode, protected by the API key mechanism.

Here is a simple code example...

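import com.ibm.as400.access.AS400;
import com.ibm.as400.access.SystemValue;
import io.greenscreens.util.StringUtil;
// Proxy400 is provided by the JT400 Extra lib; import it from that library's package.

public class Test {

	// Sample values only; real programs should load the API key and any
	// IBM i credentials from protected configuration, not from source code.
	private static final String SERVICE = "https://localhost";
	private static final String API_KEY = "2dc75d88-38be-4449-8543-f3487312e10b";

	public static void main(String[] args) throws Exception {

		// The only change compared to plain JT400: the factory builds the AS400 instance.
		final AS400 as400 = Proxy400.getSystem(SERVICE, API_KEY);
		try {
			// Set credentials only when the API key is not pre-configured with them.
			if (StringUtil.isEmpty(as400.getUserId())) {
				as400.setUserId("QSECOFR");
				as400.setPassword("qsecofr123");
			}

			// Read the system serial number through the proxy.
			SystemValue sysval = new SystemValue(as400, "QSRLNBR");
			System.out.println(sysval.getValue());
		} finally {
			// Always release the connections, even when the call above fails.
			as400.disconnectAllServices();
		}
	}

}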

The API key is registered through the Green Screens Terminal Service Admin console and attached to a specific IP address (the caller IP). Wildcards within the IP address are also supported, which allows one API key to be used across a defined network range. The API key itself can be pre-configured with an IBM i user and password, so that the end product uses only the API key without needing IBM i credentials.

As one can see from the code, the only real difference from the original is the use of the Proxy400 factory to create a proper AS400 object instance. Optionally, set your own credentials, which is required if the API key is not defined with default ones.
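The caller-IP binding of API keys described above depends on how wildcards are compared. The following is an added example, not Green Screens code, showing an octet-wise match and a review check for overly broad bindings. It assumes a dotted IPv4 pattern syntax in which a whole octet may be `*`; the class and method names are hypothetical.

```java
import java.util.List;

// Added illustration, not Green Screens code. Assumed pattern syntax:
// dotted IPv4 where any whole octet may be "*", for example "10.20.*.*".
public class ApiKeyIpBinding {

	/** True when callerIp falls inside the pattern; malformed input never matches. */
	static boolean matches(String pattern, String callerIp) {
		String[] p = pattern.split("\\.", -1);
		String[] ip = callerIp.split("\\.", -1);
		if (p.length != 4 || ip.length != 4) return false;
		for (int i = 0; i < 4; i++) {
			if (!isOctet(ip[i])) return false;
			if (p[i].equals("*")) continue;
			// Compare octets as numbers, never as string prefixes:
			// a prefix test on "192.168.10" would also accept 192.168.100.25.
			if (!isOctet(p[i]) || Integer.parseInt(p[i]) != Integer.parseInt(ip[i])) return false;
		}
		return true;
	}

	/** True for a decimal string in the range 0..255. */
	static boolean isOctet(String s) {
		return s.matches("\\d{1,3}") && Integer.parseInt(s) <= 255;
	}

	/** Number of wildcard octets; a review can flag bindings above a chosen limit. */
	static int wildcardOctets(String pattern) {
		int n = 0;
		for (String part : pattern.split("\\.", -1)) if (part.equals("*")) n++;
		return n;
	}

	public static void main(String[] args) {
		// Constructed sample bindings and caller addresses.
		List<String> patterns = List.of("192.168.10.*", "10.*.*.*", "*.*.*.*");
		List<String> callers = List.of("192.168.10.25", "192.168.100.25", "10.9.8.7");
		for (String pattern : patterns) {
			String note = wildcardOctets(pattern) > 2 ? "  <- review: very broad" : "";
			System.out.println("binding " + pattern + note);
			for (String caller : callers)
				System.out.println("  " + caller + " -> " + (matches(pattern, caller) ? "allow" : "deny"));
		}
	}
}
```

A binding with three or more wildcard octets covers so many callers that the API key effectively becomes the only control, so such entries are worth reviewing in the Admin console.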

As the proxy service fully supports the HTTPS protocol, the connection can be additionally protected with client-side SSL certificates, which also opens the possibility of using security keys such as YubiKey or Titan Key to unlock access to the service. This raises security to a higher level, as Java apps can now not only connect through an HTTPS proxy, but their access can also be controlled with security keys.