Chapter 21 Quiz: API-First COBOL
Question 1
What is the primary role of z/OS Connect EE in a mainframe API architecture?
A) It replaces CICS as the transaction processing monitor
B) It translates between REST/JSON and mainframe-native protocols (COMMAREA, MQ, SQL)
C) It provides a COBOL compiler that generates REST endpoints
D) It migrates COBOL programs to Java microservices
Answer: B
z/OS Connect EE sits between API consumers and backend mainframe systems (CICS, IMS, DB2, MQ), handling the translation between REST/JSON on the outside and mainframe-native data structures on the inside. The COBOL programs themselves don't change.
Question 2
A COBOL field defined as PIC S9(15)V99 COMP-3 is being mapped to a JSON response. Which JSON type should you use to preserve full precision?
A) number
B) integer
C) string with a documented decimal format
D) boolean
Answer: C
COMP-3 packed decimal with 17 significant digits exceeds the precision of IEEE 754 double-precision floating-point (which JSON number uses). Mapping to string with a documented format preserves full precision. This is critical for financial amounts.
Question 3
In the z/OS Connect architecture, what is a Service Archive (.sar)?
A) A backup copy of the COBOL source code
B) A deployable unit containing the mapping between JSON structures and backend data structures
C) A compressed archive of CICS transaction logs
D) A RACF security profile for API access
Answer: B
The Service Archive (.sar) bundles the data mapping (COBOL copybook to JSON), the backend connection configuration, and metadata about the target program and transaction. It's the deployable unit that z/OS Connect uses to route and transform API requests.
Question 4
Which of the following is a valid reason to NOT convert a mainframe integration from file transfer to API?
A) The file transfer has been running for 20 years without issues
B) The integration processes 10 million records with complex transformations in a single batch run
C) The downstream system's developers prefer file-based integration
D) The mainframe team doesn't know how to build APIs
Answer: B
High-volume batch processing with complex transformations is a legitimate use case where APIs (one record at a time) would be impractical. The correct approach is batch processing that's initiated and monitored via API. Longevity alone (A), developer preference (C), and skills gaps (D) are not valid technical reasons.
Question 5
What is the maximum size of a CICS COMMAREA?
A) 32,763 bytes
B) 64 KB
C) 1 MB
D) There is no limit
Answer: A
CICS COMMAREAs are limited to 32,763 bytes. For APIs that need to return more data, use channels and containers instead. z/OS Connect supports both approaches.
Question 6
In the Zowe API Mediation Layer, what is the purpose of the Discovery Service?
A) It discovers COBOL copybooks and generates API specifications automatically
B) It provides a service registry where z/OS Connect instances register and deregister
C) It scans the network for unauthorized API consumers
D) It discovers mainframe resources available for API exposure
Answer: B
The Discovery Service is a Eureka-based service registry. z/OS Connect instances register themselves when they start and deregister when they stop. The API Gateway queries the Discovery Service to find healthy backend instances for routing.
Question 7
When designing an OpenAPI specification for a COBOL-backed API, a COBOL OCCURS 50 TIMES clause should map to:
A) 50 separate JSON fields
B) A JSON array with maxItems: 50
C) A JSON string containing comma-separated values
D) A nested JSON object with 50 properties
Answer: B
COBOL OCCURS clauses map to JSON arrays. The maxItems constraint in the OpenAPI schema matches the OCCURS limit, ensuring consumers know the maximum array size.
Question 8
A consumer sends an API request that causes the backend COBOL program to abend with ASRA. What should the API layer return?
A) 500 Internal Server Error with the abend code and program offset
B) 500 Internal Server Error with a generic message and a correlation ID
C) 200 OK with an error field in the response body
D) 400 Bad Request because the consumer caused the error
Answer: B
Error responses must not leak internal details (abend codes, program names, memory offsets) as this is a security vulnerability. Return a generic error message with a correlation ID that lets the operations team trace the issue in internal logs.
Question 9
Which API versioning strategy is recommended for mainframe APIs?
A) URL path versioning (/api/v1/accounts)
B) Header versioning (Accept: application/vnd.v2+json)
C) Query parameter versioning (/api/accounts?version=2)
D) No versioning — just change the API in place
Answer: A
URL path versioning is the clearest and most practical approach. Each version has its own OpenAPI spec, service archive, and routing configuration. It's easy for consumers to implement, easy for operations to monitor, and easy for the gateway to route.
Question 10
In the OAuth 2.0 flow for mainframe APIs, what does the SAFCredentialMapper in z/OS Connect do?
A) Maps RACF user IDs to OAuth tokens
B) Maps OAuth identities to RACF user IDs for mainframe authorization
C) Encrypts COBOL data before sending it over the network
D) Maps CICS transaction IDs to HTTP methods
Answer: B
The SAFCredentialMapper bridges the OAuth world and the RACF world. It takes the identity from a validated OAuth token and maps it to a RACF user ID, so the CICS program executes under the appropriate mainframe security context.
Question 11
What is the correct HTTP response for an asynchronous API operation (like a fund transfer) that has been accepted but not yet completed?
A) 200 OK with the final result
B) 201 Created with the new resource
C) 202 Accepted with a Location header pointing to a status endpoint
D) 204 No Content
Answer: C
202 Accepted indicates the request has been accepted for processing but is not yet complete. The Location header provides the URL where the consumer can check the operation's status. This is the standard pattern for bridging synchronous APIs with asynchronous backend processing.
Question 12
A rate limiting policy returns 429 Too Many Requests. Which HTTP header should accompany this response?
A) Content-Type
B) Retry-After
C) X-Rate-Limit-Reset
D) Both B and C
Answer: D
Retry-After is the standard HTTP header indicating when the consumer can retry. X-Rate-Limit-Reset is a common extension that provides the same information in epoch seconds. Including both maximizes consumer compatibility.
Question 13
Which of the following changes to a published API is NOT a breaking change?
A) Adding a new required field to the request body
B) Adding a new optional field to the response body
C) Changing the type of an existing field from integer to string
D) Removing a field from the response body
Answer: B
Adding a new optional field to the response is additive and non-breaking — existing consumers simply ignore the new field. Adding required request fields (A), changing types (C), and removing response fields (D) are all breaking changes that require a new API version.
Question 14
Why should mainframe APIs use dedicated RACF user IDs for API consumers rather than mapping to individual human user IDs?
A) RACF doesn't support individual user IDs
B) API consumers represent systems or roles, not individual humans, and need consistent, auditable permissions scoped to API operations
C) Individual user IDs are slower to authenticate
D) RACF user IDs are free but human user IDs cost money
Answer: B
API consumers are systems, not people. Dedicated RACF IDs allow you to define and audit permissions specific to API operations, follow the principle of least privilege, and avoid the complexity of mapping thousands of individual users to mainframe identities.
Question 15
In a high-availability API gateway topology, why do you need multiple z/OS Connect instances registered with the discovery service?
A) Each instance serves a different version of the API
B) If one instance becomes unavailable, the gateway routes to the remaining healthy instances without consumer impact
C) Multiple instances are required for API versioning
D) The discovery service requires at least three instances to function
Answer: B
Multiple registered instances provide failover. When one instance becomes unavailable (LPAR maintenance, z/OS Connect restart), the discovery service updates the gateway's routing table, and traffic automatically routes to remaining healthy instances. This is fundamental to the HA architecture.
Question 16
What is the correct approach when a COBOL copybook uses REDEFINES and you need to represent both interpretations in JSON?
A) Pick one interpretation and ignore the other
B) Use a discriminated union with a type field and oneOf in the OpenAPI schema
C) Represent the raw bytes as a Base64-encoded string
D) Create two identical API endpoints, one for each interpretation
Answer: B
A discriminated union uses a type field (like accountType: "P" or "B") to determine which schema applies. The OpenAPI oneOf keyword documents both schemas with a discriminator. This is the cleanest way to handle REDEFINES in a JSON API.
Question 17
What HTTP header should a deprecated API include in its responses to warn consumers?
A) Warning: 299 - "This API is deprecated"
B) Deprecation: true and Sunset: <date>
C) X-API-Status: deprecated
D) Cache-Control: no-store
Answer: B
The Deprecation header (RFC 8594) signals that the API is deprecated. The Sunset header provides the date when the API will be retired. Together, they give consumers programmatic notice to migrate.
Question 18
When configuring the API gateway timeout for a COBOL backend with a p99 latency of 2,500ms, which timeout value is most appropriate?
A) 2,500ms (matches p99 exactly)
B) 5,000ms (2x the p99)
C) 500ms (below p50 for fast failure)
D) 60,000ms (maximum possible)
Answer: B
Setting the timeout at 2x the p99 latency allows for normal variation while still catching genuinely stuck requests. Matching p99 exactly (A) would time out 1% of healthy requests. Too short (C) would time out most requests. Too long (D) wastes resources on stuck connections.
Question 19
What is the API requester pattern in z/OS Connect?
A) A pattern where consumers request API access through a portal
B) A pattern where mainframe COBOL programs consume external REST APIs through z/OS Connect
C) A pattern where the gateway requests authentication tokens
D) A pattern where the discovery service requests health checks
Answer: B
The API requester pattern is the reverse of the typical flow. Instead of exposing mainframe services as APIs, z/OS Connect enables COBOL programs to call external REST APIs. z/OS Connect handles the JSON-to-COBOL data mapping, so the COBOL program works with native data structures.
Question 20
Which combination of authentication methods provides the strongest security for a system-to-system API that initiates financial transactions?
A) API key only
B) OAuth 2.0 with client credentials grant
C) OAuth 2.0 with client credentials grant plus mutual TLS (mTLS)
D) Basic authentication over HTTPS
Answer: C
For high-risk system-to-system calls (like financial transactions), OAuth 2.0 provides identity and authorization while mTLS provides mutual authentication at the transport layer. The client must present a valid certificate AND a valid OAuth token, creating defense in depth. API keys alone (A) and basic auth (D) are insufficient. OAuth alone (B) is good but adding mTLS provides additional assurance of the client's identity.