© 2014 IBM Corporation CICS Transaction Gateway Version 9.1 Rob Jones – CICS Strategy, Mobile and Transaction Gateway 12 September 2014
Jun 14, 2015
© 2014 IBM Corporation
CICS Transaction GatewayVersion 9.1
Rob Jones – CICS Strategy, Mobile and Transaction Gateway
12 September 2014
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
2
Disclaimer
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
3
Content
Introducing CICS TG product suite
What’s new in CICS Transaction Gateway V9.1?
• Mobile
• Connectivity
• Security
• Foundation
Reference resources
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
4
The CICS TG Product Suite
Transactional access to your key business assets
CICS TS for z/OS CICS TS for z/OS CICS TS for VSE CICS TS for VSE TXSeries TXSeries CICS TS for i CICS TS for i
Capabilities your developers need
C / C++ COBOLJEEJavaMicrosoft .NET
FrameworkMobile
Scalable integration with your systems
CICS TG for z/OS
CICS TG for Multiplatforms
CICS TG Desktop Edition
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
5
IBM WebSphere Application Server Liberty profile / JCA support
CICS TG JCA resource adapters work with WAS Liberty profile
WAS Liberty profile V8.5.5.2 introduced the new Java EE Connector Architecture (JCA) repository feature
–Compatible with resource adapters up to JCA 1.6 spec (JEE6)
CICS TG for z/OS + CICS TG for Multiplatforms releases include resource adapters at the following spec levels:
JCA 1.6 CICS TG V8.1/V9.0/V9.1JCA 1.5 CICS TG V8.0
See CICS TG developer blogs for further info https://ibm.biz/cicstg-insights
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
6
CICS Transaction Gateway V9.1Mobile integration, robust connectivity, and strong security options
Release themesRelease themes
ConnectivityConnectivity
SecuritySecurity
FoundationFoundation
MobileMobile
eGA September 5th 2014 GA September 12th 2014
ibm.biz/cicstg91announce
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
Mobile enablement - Highlights
Mobile
Mobile enablement for all CICS TS family and TXSeries products• Transform JSON / language structures
COBOL, C or PL/1• Based on WS BIND files• z/OS Connect-compatible• Dynamic routing of mobile workload• Full monitoring and statistics, CICS PA
support
Mobile
Mobile enablement for all CICS TS family and TXSeries products• Transform JSON / language structures
COBOL, C or PL/1• Based on WS BIND files• z/OS Connect-compatible• Dynamic routing of mobile workload• Full monitoring and statistics, CICS PA
support
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
8
Systems of Engagement meet Systems of Record
API Management API Management
DataPower DataPower
Cloud and API Economy
CICS TG
CICS on Multiplatforms
Linux on System zLinux on System z
Worklight Worklight
WebSphere Application Server WebSphere Application Server
z/OSz/OS
DB2 DB2
MQ MQ
CICS TS CICS TS
Available as Value Unit Editions
z/O
S
Con
nect
z/O
S
Con
nect IMS IMS
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
9
CICS mobile enablement – overview
PROGX
HTTP(S)JSON
transform
JSON data
CallCICS
The “transformation engine” includes Web Service provider Data transform services CICS integration
CICS program
Binarydata
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
10
CICS mobile enablement – tooling and run timeBottom-up example
PROGX
HTTPJSON
transform
JSON data
CallCICS
CICS program
Binarydata
copybook
WS BINDfor
PROGX
“JSON assistants” (or RD/z) generate the data binding file and
JSON schema
Offline process
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
11
CICS mobile enablement - options
Product Feature Strengths
CICS Transaction Server for z/OS
V4.2/5.1 Mobile Feature packV5.2 JSON web services
Proximity to data Integrated with CICS admin
CICS Transaction Gateway products
V9.1 JSON web services CICS TS family + TXSeries Choice of platforms including
cloud e.g. SoftLayer
WebSphere Application Server for z/OS
V8.5.5.2 Liberty profile repository feature, z/OS Connect
Multiple z/OS subsystems CICS, IMS, Batch
Service management + APIM integration
JSON transform
JSON Binary
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
12
Mobile enablement today - optionsJSON
transformJSON
Product Vehicle Strengths
CICS TS for z/OS V4.2/5.1 Mobile Feature packV5.2 JSON web services
Proximity to data Integrated with CICS admin
CICS TG products V9.1 JSON web services CICS TS family + TXSeries Choice of platforms including
cloud e.g. SoftLayer
WAS for z/OS V8.5.5.2 Liberty repository feature z/OS Connect
Multiple z/OS subsystems CICS, IMS, Batch
Service management + APIM integration
Each of these solutions share common code for both tooling and run time to transform data between JSON and binary representations.
Data transformation for CICS programs is based around “WS BIND” files. They represent the SOR data structure and enable the run-time transformation for JSON web services.
Binary
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
13
Statement of direction (from ENUS214-263, July 1st, 2014)
IBM intends to deliver WebSphere Liberty z/OS Connect (z/OS Connect) as a common program component of CICS TG.
ibm.biz/cicstg91announce
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
14
Terminology: RESTful vs non-RESTful web services
CICS TG (and CICS TS) support two styles JSON web servicesBoth can be invoked using a HTTP/HTTPS connection
Non-RESTful or request/response
The target CICS program is unaware that it is to be invoked as a web service. It is designed to be invoked by EXEC CICS PROGRAM LINK, or ECI
Either COMMAREA or Channel/container data interfaces are available
RESTful
The target CICS program is aware that it is to be invoked as a web service
HTTP method (GET, POST etc.) & headers are required program inputs
Only the Channel/container data interface is available
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
15
Mixed workloads in CICS TG – z/OS example
z/OSApplication machine
CICS
JEEapplication
server
JCA ResourceAdapters
Gatewaydaemon
ProtocolHandler
IPICJCA
ResourceAdapter
EXCI module
IPIC
WebSphere Application Server
Remote clients Local clients
ProtocolHandlerProtocolHandlerProtocolHandlerProtocolHandler
Java clients
ECI v2 C clients
.NET Framework-based
clients
.NET Framework-based
clients
JSON web services
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – Overview
Significant new capabilities for CICS TG
New style of remote client and data representation–No client-side IBM code required–Active data transformation within the Gateway daemon–Service-enablement for any release of CICS server –Exploit the high availability and instrumentation features of CICS TG
Top-down style service enablement –Generate COBOL, C, PL/1 language structures from a JSON schema–Non-RESTful can be used with COMMAREA of channel programs–RESTful must use channel programs (and therefore IPIC)
Bottom-up style service enablement–Generate JSON schema from COBOL, C, PL/1 language structures–Target program is not REST-aware, so JSON web service is non-
RESTful; COMMAREA or channel programs supported
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – Solution characteristics
Mix, route or isolate mobile workloads
Create Gateway daemons dedicated to purely to web services–Isolation might be desirable for business, systems management or
technical purposes
Add web services along side “traditional” CICS TG workloads–Optionally route web service requests to dedicated CICS servers
Mobile pricing initiative for z/OS ENUS214-223
Workloads on z/OS originating from mobile applications through CICS TG is eligible for the IBM Mobile Workload Pricing for z/OS
SMF 70, 89 and 110 records are required together an agreed profile of identifiable elements within the overall workload
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
18
JSON Web Services – CICS TG solution architecture
WebSphere Liberty z/OS Connect-compatible
Interoperable with IBM Worklight
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – Overview
Powered by Liberty, compatible with z/OS Connect and CICS TS JSON web services support
Based upon proven technologies–Uses a “private” embedded WebSphere Liberty profile within the
Gateway daemon for the HTTP server–Uses common data transformation components at run-time from CICS
TS for z/OS (mobile feature pack / JSON web services)–JSON WS bind files are interoperable with CICS TS, CICS TG V9.1
and z/OS Connect solutions
The JSON web services assistant is included with CICS TG V9.1 products
–Uses common tooling components with a simplified interface for CICS TG
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – Configuration overview
Simple 1-2-3 configuration in production, development or test
CICS TG configuration requires minimal changes
#1 Obtain the required transformation resources
Use existing WS BIND files, or create them using the provided tools –use your preferred development environment
#2 Specify the network entry point
Add a new HTTP and/or HTTPS protocol handler definition–Consider HTTP thread pool default value of 100
#3 Create each web service with a minimum of two attributes!
Add a WEBSERVICE definition–Requires only the location of the WS BIND file, and a URI–Default values for other 4 attributes are reasonable
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – New protocol handlers
New protocol handlers for HTTP and HTTPS
Define at most ONE each of HTTP and HTTPS protocol handlers
Both are compatible with TCPIP port sharing capabilities:–SHAREPORT–SHAREPORTWLM with Gateway daemon health reporting–Sysplex Distributor
New configuration sub-sections HTTP, HTTPS within the GATEWAY section
No timeout values to define–Defined at the web service level
No user security attributes to define–Common SSL resources, CICS connections define authentication
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services - The new http thread pool
New pool of “listener” threads
New pool of “listener” threads–Logically equivalent to Connection Manager threads–Shared between HTTP and HTTPS protocol handlers–Defined in the GATEWAY section by new keyword, maxhttpconnect
maxhttpconnect=100
Define at most ONE each of HTTP and HTTPS protocol handlers
The HTTP thread pool is shared between the HTTP and HTTPS protocol handlers
–As Connection Manager threads are shared between the tcp and ssl protocol handlers, if both are defined
The Worker thread pool is shared by ALL protocol handlers
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
Configuring JSON web services - The new protocol handlers
The HTTP protocol handler
Simpler syntax compared to tcp, ssl protocol handlers, e.g.SUBSECTION HTTP port=2080 bind=my.server.hostnameENDSUBSECTION
High Availability / Horizontal scaling–Compatible with z/OS TCPIP port sharing capabilities
• SHAREPORT• SHAREPORTWLM with Gateway daemon health reporting• Sysplex Distributor
–CICS TG for Multiplatforms implementations• Multiple instances can interoperate as a group using external IP
port sharing solutions
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
Configuring JSON web services - The new protocol handlers
The HTTPS protocol handler
Shared Gateway daemon SSL resources and configuration–Common key ring with SSL protocol handler, IPIC SSL connections–Common NIST SP800-131A settings –Supports secure HTTP connections up to TLS 1.2, hardware crypto
Common attributes with the HTTP protocol handler, plus –client authentication, defaults to off–cipher suite specification, defaults to all available
Common syntax with the HTTP protocol handler, e.g.SUBSECTION HTTPS port=2080 bind=my.server.hostname ClientAuth=on CipherSuites=CipherSuite1,CipherSuite2ENDSUBSECTION
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
25
JSON web services - the JSON web services assistant
Proven data transformation technologies and tooling
JSON web services assistant uses shared components–CICS TS JSON web services (mobile feature pack)–WebSphere Liberty z/OS Connect
Generates language structure mappings in WS BIND files, and JSON schemas
The WS BIND files are used to transform data between JSON and binary representations, for COMMAREA and Channel programs
Enhancements for CICS TG allow interoperability with all CICS TS-family and TXSeries products
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
26
JSON web services - The JSON web services assistant
JCL samples for z/OS in the PDS, hlq.SCTGSAMP
CTGLS2JS - Generates a web service binding file and JSON schemas from a language structure for a non-RESTful (request/response) CICS program
CTGJS2LS - Generates a web service binding file and language structures from a JSON schema for non-RESTful (request/response) CICS program
CTGJS2R - Generates a web service binding file and a language structure from a JSON schema for RESTful CICS programs
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
27
JSON web services - The JSON web services assistant
“Scriptable” command line utility for Multiplatforms (also in the SDK)
New command ctgassist with sample option files for MAPPING-MODES:
LS2JS - Generates a web service binding file and JSON schemas from a language structure for a non-RESTful (request/response model) application
JS2LS - Generates a web service binding file and language structures from a JSON schema to use in your application programs.
Options:• LS-REQUEST/LS-RESPONSE - for non-RESTful (request/response
model) applications• LS-RESTFUL - for RESTful applications
TARGET-CICS-PLATFORM specifies target CICS platformzOS/AIX/HP-UX/Solaris/IBM-I/VSE/LinuxI/Windows–floating point convention, big/little endian encoding etc.
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
The new WEBSERVICE section
Each JSON Web Service requires a single WEBSERVICE section
–Defined in the CICS TG configuration file, e.g.
SECTION WEBSERVICE = inqcust Uri = customers/inquire bindfile = LGICUS01.wsbind server = CICSAOR1 timeout = 30 transactionid = BIZ1 defaultmirror = YENDSECTION
JSON web services – defining a specific service
Symbolic name for WSHTTP uri mappingData transform ws-bindTarget CICS serverMaximum wait timeMirror EIB TRNID valueAttach default or ‘MYMI’
HTTP client uri mapping
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
29
Exploiting Dynamic Server Selection with JSON web services
Separate JSON web service workload to dedicated regions, and exploit the Gateway daemon’s high availability features
SECTION WEBSERVICE = inqcust Uri = customers/inquire bindfile = LGICUS01.wsbind server = MOBIAORS timeout = 30 transactionid = MYMI defaultmirror = YENDSECTION
SECTION DSSGROUP = MOBIAORS Servers = MOBIAOR1,MOBLAOR2 Algorithm = RoundRobin
ENDSECTION
Create a DSSGROUP representing the CICS servers dedicated to serving the mobile workload, using FailOver or RoundRobin algorithms
Configure the WEBSERVICE to use the DSSGROUP
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services - Security with Basic Authentication
Authentication and identity assertion for JSON web services
HTTP(S) client includes an Authorization Request Header
User name and password details are set on the ECI request
Authentication then depends upon the target CICS connection protocol:–IPIC: IPConn defined with USERAUTH=VERIFY or If the target CICS
uses client authentication, defaults to off–EXCI: Gateway daemon env-var AUTHUSERPASSWORD=YES–TCPIP: CICS ECI TCPIPService defined with ATTACHSEC=VERIFY
Identity assertion is also possible (i.e. no password required) –IPIC: IPConn defined with USERAUTH=IDENTIFY–EXCI: CONNECTION defined with ATTACHSEC=IDENTIFY
HTTPS combined with Basic Authentication is a likely implementation
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services - Run-time errors
ECI vs HTTP errors with JSON web services
JSON Web Services support utilize an internal HTTP server within the Gateway daemon
All responses map to standard HTTP return codes, e.g.:
–200: Everything is OK –403: Security error – e.g. authentication failure–404: Not found – e.g. bad URI–500: Server error – e.g. unknown CICS server
• Possibly a defect if combined with ECI_ERR_SYSTEM_ERROR–503: Service unavailable – CICS server unavailable
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – Run-time errors encoded as JSON
ECI vs HTTP errors with JSON web services
Further details are encapsulated in the JSON response data as a fault string with reason codes
For example, an ECI_ERR_NO_CICS results in an HTTP 503 error (Service Unavailable), together with:{ "Fault":{ "detail":{ "Description":"Communication with the target CICS server could not be established"
"CICSServer":"<server name>" }, "faultstring":"ECI_ERR_NO_CICS" }}
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
32 new statistics for JSON Web Services
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
34
CICS TG plug-in V3.0 for CICS Explorer V5.2 or z/OS Explorer V2.1
New Web Services view
Cut & paste data from the CICS TG perspective
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
35
JSON web services - New request monitoring attributes
Request monitoring capabilities have been extended to include unique attributes of JSON web service requests
The request monitoring exit method, eventFired,receives a Map, with attributes defined by enumerated data type: com.ibm.ctg.monitoring.RequestData
New attributes are provided for JSON web service requests:
HttpPayload – payload of mobile requestsHttpVerb – GET|POST|PUT|DELETEHttpPath – The URI being invokedHttpStatusCode – The return code sent to the client
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
36
JSON web services – Knowledge Center scenario (z/OS & Multiplatforms)Get started by following the scenario SC11
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
CICS Performance Analyzer integration
New Web Services Workload report in CICS PA V5.2
A high-level overview of Web Services workload in terms of –response time–request volumes–data transfer
Broken down by Gateway daemon instance
Provides insight into usage patterns throughout a daily, weekly or monthly cycle
–Reveal longer term trends with historical data–Spot unusual events with response time spikes
APAR PI20963
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
38
Modern connectivity - highlights
Connectivity
Connection management • For 24x7 continuous operation
Exploits IPIC heartbeat support• Improved availability across larger
TCP/IP networks
Local-mode IPIC fail over with WAS V8
Client side port override
Connectivity
Connection management • For 24x7 continuous operation
Exploits IPIC heartbeat support• Improved availability across larger
TCP/IP networks
Local-mode IPIC fail over with WAS V8
Client side port override
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
39
IPIC heartbeat exploitation
Pro-active and continuous verification of connectivity status
Increases reliability of IPIC connections over WANs–Reduces time to discover network issues
Avoids problem of connection being silently dropped by firewall
Communication while connection is idle
Default setting is to send heartbeat every 30 seconds
If response not received from target system–Connection is closed
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
40
IPIC connection management
Gateway daemon system management for IPIC connections
Ability to stop and start IPIC connections–First time capability for CICS TG on z/OS, not possible with EXCI
Selected and controlled quiesce of workload for a specific CICS server–Carry out planned maintenance on selected CICS regions –Avoids the need to shut down the Gateway daemon
Allows for DSS group resilience–Take a connection out of use before stopping CICS–DSS algorithms continue to distribute work to alternative CICS servers
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
41
IPIC connection management – operations (z/OS)
New SERVER action for z/OS console commands
/F <jobname>,APPL=SERVER,STOP=<SERVER>
–Normal close of connection–Allows for in-progress transactions to complete–No new transactions can be started
/F <jobname>,APPL=SERVER,STOP=<SERVER>,IMM
–Immediate stop of an IPIC connection–In-progress transactions receive an error
/F <jobname>,APPL=SERVER,START=<SERVER>
–Start an IPIC server connection that is currently stopped
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
42
IPIC connection management – operations (Multiplatforms)
New SERVER action for ctgadmin
ctgadmin –a server -stop=<SERVER>
–Normal close of connection–Allows in-progress transactions to complete–No new transactions can be started
ctgadmin –a server -stop=<SERVER>,immediate|imm
–Immediate stop of an IPIC connection–In-progress transactions receive an error
ctgadmin –a server -start=<SERVER>
–Start an IPIC server connection that is currently stopped
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
43
IPIC connection management – status visibility
New statistic for specific IPIC connection status
CSx_CSTATUS–Represents the current status of specific IPIC connection “x”
Possible values for CSx_CSTATUS:
NOTSTARTED Initial state of the connection
STARTING Connection is in the process of being established
AVAILABLE Connection is established, Gateway accepts requests
UNAVAILABLE Connection has failed, Gateway rejects requests
STOPPING Connection is closing, Gateway rejects new requests
STOPPEDConnection is closed, the Gateway rejects requests
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
44
Fail over for Local mode IPIC with WAS V8
Automatic fail over between WAS connection factories
Only available for the V9.1 ECI resource adapter using IPIC local mode
ConfigurationWebSphere Application Server V8, or later, provides the facility to
specify an alternative, standby connection factory (by JNDI name) through custom property, alternateResourceJNDIName
Fail overIn the event of communication failure with the primary CICS server
connection, new transactions are automatically (and transparently) routed to use the alternative connection factory
RecoveryWhen the primary CICS server connection recovers, new transactions
are automatically routed to use the primary connection factory
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
45
Java application - client port override
Facilitates implementation of firewall pass-through rules
Client-server applications using TCP/IP connections typically specify a target port number when connecting to the server
e.g. Web browsers connect to a web server using port 80, by default
During connection establishment, an ephemeral port number is also allocated by the client TCP/IP stack
Ephemeral port numbers are typically unpredictable, and unregarded
CICS TG V9.1 Java base classes allow remote mode client applications (using TCP or SSL) to override the local port number
This allows the use of firewall rules which grant access on the basis of the local port of the connecting application.
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
46
Secure connectivity
Security
SSL for .NET applications
Full NIST SP800-131A compliance
TLS 1.2 secure connections for• Java JCA .NET APIs to the Gateway• Gateway to CICS with IPIC
connections
SAF certificate & key ring integration
Security
SSL for .NET applications
Full NIST SP800-131A compliance
TLS 1.2 secure connections for• Java JCA .NET APIs to the Gateway• Gateway to CICS with IPIC
connections
SAF certificate & key ring integration
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
47
Secure connectivity – SSL for .NET Framework-based applications
Gatewaydaemon
CICSRemote
modeJava/JEE
apps
Secure connectivity for 3-tier solutions–Allows secure connectivity with all of the features offered by the
Gateway daemon e.g. Dynamic Server Selection–Allows identity assertion (+ID Propagation with WAS) in 3-tier solutions–The CICS TG API for .NET now also provides SSL connectivity
Previously only with SupportPac CA76
CICS TGssl
Remote modeC/C++ apps
Remote mode.NET apps
CICS TGtcp
IPICtcp
IPICssl
New in V9.1CICS TG
tcp
DSS
CICS TGssl
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
48
NIST SP800-131A and TLS 1.2
NIST SP800-131A compliance brings TLS 1.2 connectivity
US Government requirement for all new federal projects–“Raises the floor” in terms of cryptographic strength in the wider set of
possible cipher suites
CICS TG V9.0 added support for “transition” mode SP800-131A–included TLS 1.0, dropped SSL protocols up to SSL v3
CICS TG V9.1 adds support for “strict” mode SP800-131A, which demands TLS 1.2 protocol
–Requires CICS TS V5.1 APAR PM97207, or CICS TS V5.2 (for IPIC)
Back migrated to CICS TG V9.0–CICS TG for z/OS V9.0 APAR PM98779–CICS TG for Multiplatforms V9.0.0.2 (V9.0 fix pack 2)–CICS TG Desktop Edition V9.0.0.2 (V9.0 fix pack 2)
CTGSTART_OPTS=-j-Dcom.ibm.jsse2.sp800-131=strict | transition
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
49
SAF-based certificate mapping for SSL client authentication
CICS TG for z/OS V9.1 adds SAF-based certificate mapping
CICS TG for z/OS V9.1 makes SAF-based client authentication much easier
–Removes the need to use security exits for Java / JCA–Allows .NET-Framework based applications to implement SSL client
authentication–Enables management of access through standard z/OS ESM controls
Secure, remote-mode (3-tier) connectivity is now available for:–Java applications, servlet or applets using the CICS TG Java base
classes–JEE enterprise applications using the CICS TG JCA resource adapters–.NET Framework-based applications using the CICS TG.NET
assembly (V9.1 / CA76)
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
50
SAF key ring support for CICS TG resource adapters
SAF-based key rings with WebSphere Application Server for z/OS
V9.1 allows use of prefix “ESM:” on the value of the keyRingClass parameterESM:<key ring name>
CICS ECI resource adapters previously only supported Java key stores when deployed to WebSphere Application Server for z/OS
–Central management of security artefacts through your ESM–Exploits established capabilities, audit requirements and processes
associated with your z/OS ESM products–Removes the “exception case” which previously required a Java key
store on the z/OS UNIX file system, beyond the scope of the ESM
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
Foundation
Foundation
Exploit zEC12/POWER8 with SDK 7.1
Virtualized CICS servers with IBM RTW
OSGi support for Java base classes
CICS TG SDK all-in-one package
Channel data for request monitoring
API support for latest Windows
Knowledge Center
Foundation
Exploit zEC12/POWER8 with SDK 7.1
Virtualized CICS servers with IBM RTW
OSGi support for Java base classes
CICS TG SDK all-in-one package
Channel data for request monitoring
API support for latest Windows
Knowledge Center
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
52
z/OS Java SDK 7 on zEC12: 16-Way Performance Aggregate HW and SDK Improvement z9 Java 5 SR5 to zEC12 Java 7SR3
52 (Controlled measurement environment, results may vary)
~12x aggregate hardware and software improvement comparing Java5SR5 on z9 to Java7SR3 on zEC12LP=Large Pages for Java heap CR= Java compressed references
Java7SR3 using -Xaggressive + Flash Express pageable 1Meg large pages
z/OS Multi-Threaded 64 bit Java Workload 16-Way ~12x Improvement in Hardware and Software
0
20
40
60
80
100
120
140
160
1 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32
Threads
No
rma
lize
d T
hro
ug
hp
ut
zEC12 SDK 7 SR3Aggressive + LP Code Cache zEC12 SDK 7 SR1
z196 SDK 7 SR1
z196 SDK 6 SR8
z10 SDK 6 SR4
z10 SDK 6 GM NO (CR or Heap LP)
z9 Java 5 SR5 NO (CR or Heap LP)
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
53
IBM SDK, Java Technology Edition, Version 7 Release 1
CICS TG V9.1 is based upon IBM SDK V7R1 except HP-UX and Solaris (V7R0)
SDK 7.1 exploits POWER8 and System z hardware; System z highlights include:
Expand zEC12/zBC12 exploitation– More TX, instruction scheduler, traps, branch preload
Runtime instrumentation exploitation– zEDC (compression hardware) exploitation through java/util/zip– Integration of SMC-R giving for exploitation of RoCE network hardware
Improved native data binding - Data Access Accelerator– Integrated with JZOS native record binding framework
Increased general performance/throughput– Up-to 19% improvement to throughput (ODM workload)– Up-to 2.4x savings in CPU-time for record parsing batch application
Improved WLM capabilities, SAF and cryptography support
Announcement ENUS213-498
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
54
Continuous integration testing – isolated testing
Ability to “virtualize” CICS back-end enabling isolated, automated regression testing
The Gateway intercept plug-in is available in:–CICS TG V9.1 products–SupportPac CA5F (based on V8.0 Java/JCA API run-time components)
Provides Java/JCA applications with an optional “intercept” plug-in–Allows developers to perform meaningful tests prior to promoting code
changes–Dynamic pass-through on a request-by-request basis
RIT V8.0.1.1 plug-in allows use of “real” recorded data to simulate CICS responses
RIT(s)
CICSCICS TG
TGJAR/RAR
Client calling transaction
interceptplug-in
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
55
Request monitoring capability to access channel payload data
Access to Channel/container data in request monitoring exits– CICS TG V9.0 provided channel payload meta-data
• Channel name, per-container name, type and size– CICS TG V9.1 delivers a “data peak” function for channels
• Read-only (equivalent to COMMAREA data access)– Overhead is proportional to the amount of data requested
Sample com.ibm.ctg.samples.requestexit.BasicMonitor updated:Channel = SAMPLECHANNEL INPUTDATA(CHAR) = 9 characters First 9 characters: 'test code' INPUTDATACCSID(CHAR) = 8 characters First 8 characters: ' 437' OUTPUTMESSAGE(CHAR) = 88 characters First 32 characters: 'Input data was: test code' INPUTDATALENGTH(BIT) = 4 bytes First 4 bytes: 00000009 '????' CICSDATETIME(CHAR) = 19 characters First 19 characters: '20/02/2014 15:40:52'
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
56
Support for OSGi (Open Service Gateway initiative) applications
OSGi applications get CICS TG Java base classes
Modern Java run time environments implement the OSGi specification–OSGi frameworks include Eclipse Equinox, Apache Felix
For new OSGi Java applications, or existing Java applications migrating to OSGi, all dependencies must also be “OSGi-friendly”
–The existing CICS TG Java base classes (ctgclient.jar) are not
CICS TG V9.1 provides a new OSGi bundle for the Java base classes
Enables CICS TG base classes to be used from OSGi application servers –e.g. WebSphere Application Server Liberty profile
The OSGi bundle is included ONLY in the new CICS TG SDK archives
api\java\runtime\com.ibm.ctg.client-1.0.0.jar
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
57
Introducing the CICS TG SDK
Application developers get everything in one package
CICS TG products support APIs for multiple programming languages, applications servers and platforms
Application development and build resources ..–Are installed in various locations within the CICS TG products
• Can be specific build resources• Can be dual-purpose run-time and build resources
–Documentation packaged separately, or in Knowledge Center
CICS TG V9.1 introduces the CICS TG SDK
Each CICS TG product includes an SDK package containing all resources
–E.g. sdk/CICS_TG_for_Multiplatforms_9.1_SDK.zip–Fully redistributable, includes binaries for all supported platforms
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
58
Request monitoring capability to distinguish client type and version
Monitor full details of individual applications in request monitoring
Identify back-level clients applications, and audit your application mix
The RequestData map include new fields–ClientType can be Java, ECIv2, CLR, JSON–ClientVersion can be 6.1, 7.0, …, up to 9.1–ClientProtocol can be TCP, SSL, HTTP, HTTPS–V9.0 added details of the client IP address
Sample com.ibm.ctg.samples.requestexit.BasicMonitor updated:ClientType = JavaClientVersion = 9.1ClientProtocol = TCP
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
59
API support for latest Windows platforms
Additional Run-time support for the latest Microsoft operating systems and compilers
Windows 8.1 – 32-bit (x86) and 64-bit (x64) Intel
Windows Server 2012 R2 – only available on Intel x64
Microsoft Visual Studio 2013
Applies to–CICS TG for Multiplatforms –CICS TG Desktop Edition–Remote-mode applications connecting with any CICS TG product
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
60
We are listening – 10 Requests For Enhancement (RFEs) in V9.1
RFE Title
22041 Allow an ECI connection factory to use RACF keyrings
22056 Include the name of the Gateway daemon APPLID in all log messages
22086 Capability to define a local IP Port for remote mode ECI applications
24235 Failover capability between WebSphere and multiple CICS regions via CICS TG local mode
30961 Request monitoring exits to permit optional read-only access to channel payload data
30962 Provide the Gateway intercept plug-in interface for Java applications from SupportPac CA5F
32308 CICS TG support for PowerBuilder IDE
32327 SHA-2 support in CICS TS for z/OS and CICS TG products
43303 CICS TG support for OSGi bundles
45199 Allow cut / paste functionality in CICS TG Explorer plugin
Raise your requirement – tinyurl.com/rfe-cicstg
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
61 GA April 25th 2014
CICS Transaction Gateway V9.1Mobile integration, robust connectivity, and strong security options
Foundation
Exploit zEC12 hardware with SDK 7.1
Virtualized CICS servers with IBM RTW• Build test-suites for Java/JCA ECI
applications
Channel data for request monitoring
API support for latest Windows
Foundation
Exploit zEC12 hardware with SDK 7.1
Virtualized CICS servers with IBM RTW• Build test-suites for Java/JCA ECI
applications
Channel data for request monitoring
API support for latest Windows
Secure connectivity
SSL for .NET applications
Full NIST SP800-131A compliance
TLS 1.2 secure connections for• Java JCA .NET APIs to the Gateway• Gateway to CICS with IPIC
connections
Secure connectivity
SSL for .NET applications
Full NIST SP800-131A compliance
TLS 1.2 secure connections for• Java JCA .NET APIs to the Gateway• Gateway to CICS with IPIC
connections
Modern connectivity
Connection management • For 24x7 continuous operation
Exploits IPIC heartbeat support• Improved availability across larger
TCP/IP networks
Modern connectivity
Connection management • For 24x7 continuous operation
Exploits IPIC heartbeat support• Improved availability across larger
TCP/IP networks
Service enablement
Mobile integration with JSON web services• Dynamic routing of mobile workload• Shared tech with CICS TS + z/OS connect• JSON xform from COBOL, C and PL/1• Full monitoring and statistics
Service enablement
Mobile integration with JSON web services• Dynamic routing of mobile workload• Shared tech with CICS TS + z/OS connect• JSON xform from COBOL, C and PL/1• Full monitoring and statistics
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
62
Resources & Support - CICS TG V9.1
CICS TG Version 9.1 Announcement letter ENUS214-263
https://ibm.biz/cicstg91announce
CICS TG V9.1 - on-line IBM Knowledge Centers
Scenario sections provide useful example topologies with configuration details
CICS TG for z/OS V9.1http://www.ibm.com/support/knowledgecenter/SSZHJ2_9.1.0
CICS TG for Multiplatforms V9.1 andCICS TG Desktop Edition V9.1
http://www.ibm.com/support/knowledgecenter/SSZHFX_9.1.0
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
63
Resources & Support – Get social!
Read and interact with blogposts from the experts!
https://ibm.biz/cicstg_insights
Follow latest news and announcements Twitter
@IBM_CICS @IBM_System_Z @ibmmobile @UkRobJones
#cicstg #mobilemake #cics
Youtube channelCICS Hursley
FacebookIBMCICS cicstg
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
64
IBM® CICS® Modernization Solution Pack for z/OS V5.2
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
65
Resources & Support - ITSO Redbooks / Red Papers
CICS TG–The Complete Guide to CICS Transaction Gateway, Volume 1, Configuration
and Administration, SG24-8160 (Published 2Q14)–Using CICS Transaction Gateway with High Availability and
the CICS Explorer, REDP4782 –Developer Connector Applications for CICS, SG24-7714–CICS TG V7.1 Systems Monitoring, SG24-7562–CICS TG for z/OS V6.1 (XA, WAS z/OS, security), SG24-7161
CICS TS and z/OS–Event Processing with CICS, SG24-7792 (3Q2013)–CICS on System z for Architects, SG24-8067 (4Q2012)–A CPU Study of Ways into CICS, REDP4906 (1Q2013)–The Value of IBM System z and z/OS in an SOA, REDP4152– z/OS Identity Propagation, SG24-7850–Architecting Access to CICS within an SOA, SG24-5466– J2C Security on z/OS, REDP4202
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
66
More Resources & Support
Announcement Letters
Datasheets/Brochures
Redbooks
Whitepapers
Presentations
Technical Library
APAR RSS feed
and more….
www.ibm.com/cics/ctg
CICS TG Strategy & Planning
[email protected] +44 (0)1962 818588
View existing requirements
http://tinyurl.com/CICSTG-RFE
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
67
Reference resources
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
68
Resources & Support - CICS TG articles
DeveloperWorks
“CICS Transaction Gateway and AIX workload partitions”http://www.ibm.com/developerworks/websphere/library/techarticles/1111_mawer/1111_mawer.html
“Accessing CICS from Microsoft .NET applications using CICS Transaction Gateway”http://www.ibm.com/developerworks/websphere/library/techarticles/1012_crockett/1012_crockett.html
“Exploiting the J2EE Connector Architecture: Integrating CICS and WebSphere Application Server using XA global transactions”http://www.ibm.com/developerworks/websphere/techjournal/0607_wakelin/0607_wakelin.html
“Connecting from Groovy to CICS using the CICS Transaction Gateway”http://www.ibm.com/developerworks/websphere/library/techarticles/1010_knights/1010_knights.html
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
69
Resources & Support - CICS TG articles
Whitepapers
“IBM CICS IP interconnectivity: New features in Version 4.2” ftp://public.dhe.ibm.com/software/htp/cics/pdf/CICS_TS_V4.2_Connectivity_paper_final.pdf
“Delivering quick access to CICS systems using strategic integration options” http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/topic/com.ibm.iea.cicsts/cicsts/3.1z/Resources/G224-7557-00.pdf
“Integrating WebSphere Application Server and CICS using the JCA” ftp://ftp.software.ibm.com/software/htp/cics/pdf/WSW14013-USEN-00.pdf
“Transactional integration of WebSphere Application Server and CICS with the JCA”ftp://ftp.software.ibm.com/software/htp/cics/pdf/WSW14013-USEN-00.pdf
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
70
Resources & Support - CICS TG articles
Enterprise Tech Journal (formerly zJournal)
“CICS Transaction Gateway V9.0: Handling the Demands of the Modern Enterprise” http://enterprisesystemsmedia.com/article/cics-transaction-gateway-v9.0-handling-the-demands-of-the-modern-enterprise
“CICS Transaction Gateway V8.1: What’s New and Why It Matters” http://enterprisesystemsmedia.com/article/cics-transaction-gateway-v8.1-whats-new-and-why-it-matters
“High Availability Using CICS Transaction Gateway and CICS Transaction Server” http://enterprisesystemsmedia.com/article/high-availability-using-cics-transaction-gateway-and-cics-transaction-serve
“CICS and Identity Propagation: Solving the End-to-End Security Challenge” http://enterprisesystemsmedia.com/article/cics-and-identity-propagation-solving-the-end-to-end-security-challeng
“Peering Into the IBM CICS Transaction Gateway Black Box” http://enterprisesystemsmedia.com/article/peering-into-the-ibm-cics-transaction-gateway-black-box
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
71
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available at
http://www.ibm.com/legal/copytrade.shtml
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
72
Acknowledgements
For a list of IBM trademarks see the url at: http://www.ibm.com/legal/copytrade.shtml
– Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
– Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
– UNIX is a registered trademark of The Open Group in the United States and other countries.
– Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
– Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
73
Backup
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
74
zAAP offload rates for IPIC vs EXCI / 31-bit vs 64-bit with V9.0(z10 2097-763 model E64)
CP
CP
CP
zAAP z
AAP
Source: SupportPac CP01: CICS Transaction Gateway Performance Reports
Approx 20%CP saving with IPIC
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
75
Scaling payload size (1MB increments) with IPIC and V9.0 (100 clients)(z10 2097-763 model E64)
Source: SupportPac CP01: CICS Transaction Gateway Performance Reports
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
76
CICS TG for z/OS – CICS connectivity performance options (z196)
Source: ITSO RedPaper 4906
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – New statistics
New statistics in the Protocol Handler (PH) resource group
Port numbers
PH_SPORTHTTP–HTTP protocol handler port number
PH_SPORTHTTPS–HTTPS protocol handler port number
Bind address
PH_SBINDHTTP–HTTP protocol handler bind address
PH_SBINDHTTPS–HTTPS protocol handler bind address
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – New statistics
The new WebServices (WS) statistics resource group
WS_SCOUNT, WS_SLIST, WS_ILIST, WS_LLIST–Number and list of defined web services, lists of active web services
WS_IALLREQ, WS_LALLREQ–Total number of web service requests processed
WS_IAVRESP, WS_LAVRESP–Average Web Service response times
WS_IREQDATA, WS_LREQDATA, WS_IRESPDATA, WS_LRESPDATA –Total amount of web service request and response data transferred
WS_IREQHI, WS_LREQHI, WS_SMAXHTTP–Peak and maximum concurrent Web Service requests
WS_CREQ, WS_CWAITING–Web service requests waiting for CICS, waiting for a Worker thread
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – New statistics
The new specific WebServices (WSx) statistics resource group
WSx_SURI–The HTTP uri mapping for Web Service “x”
WSx_SSERVER–The actual or logical CICS server to call for Web Service “x”
WSx_SPROGRAM–The target CICS program associated with Web Service “x”–Derived from the WS BIND file
WSx_SEIBTRNID, WSx_SMIRROR–Mirror transaction attributes for Web Service “x”
© 2014 IBM Corporation
CICS Transaction Gateway V9.1
JSON web services – New statistics
The new specific WebServices (WSx) statistics resource group
WSx_IALLREQ, WSx_LALLREQ–Number of requests for web service “x” processed
WSx_IAVRESP, WSx_LAVRESP–Average response times for web service “x”
WSx_IREQDATA, WSx_LREQDATA, WSx_IRESPDATA, WSx_LRESPDATA
–Amount of request and response data transferred for web service “x”
WSx_IREQHI, WSx_LREQHI–High water marks for concurrent requests to web service “x”
WSx_CREQ–Web service “x” requests waiting for CICS