top of page

Secure, Standards-Based REST Middleware for IBM i — Source Available by Design

ZCOMX Features and Benefits

Built to Pass the Audit, Not Just the Demo

Every line of ZCOMX is source-available — auditors read the authentication, encryption, and routing logic directly instead of trusting a vendor's word. Every transaction is logged to a queryable audit trail, tied to the individual user who made it, not a shared service account. Programs, tables, and IFS directories are all fail-closed by default: nothing is reachable unless it's explicitly declared. This isn't a security feature bolted on after the fact — it's the architecture.

Zero Trust, Ready Today

Run ZCOMX behind a reverse proxy terminating TLS, or add AES encryption at the application layer for edge cases TLS can't reach — IoT devices, air-gapped segments. Strict identity verification on every request, every device, every time, even on your own internal network. It's not everything Zero Trust Architecture calls for, but it's the piece most middleware skips: an enforcement point that verifies identity on every single call instead of trusting the network it's on.

A Native ILE Server, Maximum Performance

ZCOMX compiles and runs as an ILE program on IBM i — no JVM, no Node runtime, no framework pulling in hundreds of transitive dependencies you can't name. Compare that to the multi-hundred-thousand-dollar middleware appliances built for the mainframe world: ZCOMX gets you the same discipline around the security boundary, without the infrastructure or licensing cost.

Expose Any Program, No Rewrites

Any IBM i program is callable as-is — OPM or ILE, RPG, COBOL, CL, C — no wrappers, no modifications to existing code. Typed calling conventions (packed decimal, zoned, binary) are supported natively, and a program with a fixed parameter layout is production-ready as a REST endpoint the same day you write the config.

Your Next API Consumer Might Be an AI Agent

ZCOMX speaks MCP (Model Context Protocol) natively — the same programs you've already exposed as REST endpoints are immediately callable by an LLM tool-calling agent, with zero additional development. Same config, same auth, same audit trail. Most IBM i shops aren't ready for this. ZCOMX already is.

IT Is Short-Staffed. We've Got Your Back.

Any HTTP client works — curl, Postman, your framework of choice — and ZCOMX speaks plain JSON, so your team builds against libraries they already know instead of learning a proprietary calling convention. That matters more every year, because the one person who still knows your RPG cold is retiring, not multiplying, and IT is stretched thin enough without adding "become an AS/400 specialist" to someone's plate.

Locking down the last hop into IBM i doesn't require that person either. ZCOMX's security boundary — which programs, tables, and directories are actually reachable — lives entirely in a configuration file. No back-end recompiles, no touching the RPG source, no waiting on the one person who understands it — just enough familiarity with general AS/400 principles to fill out a config and know what you're locking down.

Your existing AS/400 expertise still matters for keeping the applications themselves running. For building and securing the endpoint on top of them, we've got your back.

Designed for AI

Source Code an AI Can Actually Audit

ZCOMX ships with complete source code and a machine-readable agent context file (CLAUDE.md / AGENTS.md) describing its architecture, security controls, and design rationale. That means your security team isn't limited to manual code review — AI-assisted tooling can be pointed directly at the codebase for rigorous, repeatable inspection of the security posture, and at your deployment configuration to flag risky settings before they reach production.

The result: a product built to be consumed by AI where it helps you move faster (agent-callable endpoints), and built to be inspected by AI where it helps you move safer (audit and config review) — without sacrificing operational flexibility either way.

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
Pensive Man Portrait
Black Diamond
Collaborative Computer Work

Highly Customizable

One Configuration File. The Complete Security Boundary.

With ZCOMX, the configuration file isn't just a settings file — it's the total, explicit definition of everything the middleware is permitted to touch. Every program it can call, every table and IFS directory it can reach, every IP address it will accept a connection from: all declared, all in one place, all fail-closed by default. If it's not in the config, it doesn't exist as far as ZCOMX is concerned. There is no broad service account quietly carrying more authority than the application actually needs — the config is the scope.

Built to Be Reviewed, Not Just Read

That same configuration maps directly to a deployment worksheet your security team fills out and signs before go-live — which authentication scheme, which programs, which tables, which directories, and why. The worksheet is the audit record; the config is generated from it, so an auditor can compare the two side by side and confirm the running system matches what was approved. No interviews, no guessing at what a service account can reach — the boundary is a document anyone can inspect and sign off on.

Articles

This is a listing of recent articles that have appeared on LinkedIn

IBM Auditor Show Me

We built ZCOMX so the answer to every question is: 'here it is'.

You Don't Have Middleware

And you're inheriting a large attack surface from a software supply chain you didn't choose.

Why is Everybody Getting Hacked

Most people think they got hacked because they used a weak password. They didn't.

Project Aurora Changed Everything

The 2009 Cyberattack That Changed Enterprise Security Forever

Anatomy of a Breach

The biggest security myth in corporate IT? "Our AS/400 isn't internet-facing, so it's safe." ❌

They Are Already Inside the Wire

The modern way to look at security is to assume attackers have already breached the perimeter.

Why ZCOMX?

IBM i was not originally designed to sit at the edge of a modern network. Getting an HTTP request to an RPG program is a solved problem now, many times over — that was never the hard part for long. Treating that connection as an actual security boundary is, and that boundary is under new pressure. AI agents are becoming API consumers that call whatever a configuration allows, as fast as it allows it. Attack tooling probes for misconfiguration at machine speed, not a human's schedule. And the RPG and CL developers who used to be the last line of defense are retiring faster than they're being replaced.

None of that gets solved by faster connectivity. It gets solved by a boundary that doesn't depend on someone remembering to check it: fail-closed by default, and fully declared in one configuration file that a human auditor can review — and that an AI-assisted review tool can just as easily parse and verify against the codebase.

ZCOMX is our answer: source-available, config-defined, audit-ready middleware built for a decade where the traffic hitting IBM i — and the tools reviewing it — are as likely to be automated as human.

Contact us or submit this form to get a fully functional 60-day free trial.  As part of the trial, we are offering up to 2 hours of free support.

  
Email: bill.herron@zanden.com

Phone: (415) 788-9680
Zanden Telekom

1750 Taylor Street, Suite 802

San Francisco, CA  94133

Copyright © 2025 Zanden Telekom, All Rights Reserved.

bottom of page