EL 10 - From IoT to Mainframe, secured and all
Mobile Integration with z Systems
Aymeric Affouard, IT Specialist

Jan 18, 2016
Page 1

EL 10 - From IoT to Mainframe, secured and all
Mobile Integration with z Systems

Aymeric Affouard
IT Specialist
aymeric.affouard@fr.ibm.com

Page 2

IBM z Systems: A first class platform for mobile

Page 3

Scenarios

Diagram: five numbered components sit between CICS and the MobileFirst app, with the MobileFirst Server running on Linux on z.
1 z/OS Connect
2 MobileFirst Platform
3 DataPower
4 API Management
5 Bluemix integration

Scenario 1: I want to expose my mainframe applications as RESTful services so they can be discovered and used by new mobile and cloud-based applications.

Scenario 2: I need to develop mobile applications that access mainframe applications, quickly and efficiently.

Scenario 3: I need to secure the mobile transaction from the device to the mainframe.

Scenario 4: I want to expose my enterprise services to business partners and developers.

Scenario 5: I want to integrate cloud-based applications with mainframe applications in a hybrid cloud environment.

Page 4

5 Mobile Scenarios on z: From CICS to Internet of Things

Diagram: the same five numbered components (1 z/OS Connect, 2 MobileFirst Platform with the MobileFirst Server on Linux on z, 3 DataPower, 4 API Management, 5 Bluemix integration), with CICS on the System of Record (SoR) side and the MobileFirst app on the System of Engagement (SoE) side.

Page 5

Demo 1 – RESTful service enablement

Diagram: on z/OS, CICS holds the catalog sample (programs DFH0XGUI and DFH0XCMN, VSAM file EXMPCAT). A 3270 client reaches it through DFH0XGUI with the operations Inquire Catalog, Inquire Item and Place Order; z/OS Connect, running on WebSphere Liberty and configured in server.xml, drives DFH0XCMN and exposes the same operations as the services inquireCatalog, inquireSingle and placeOrder over HTTPS/JSON.

Page 6

Demo 2 – Mobile enablement

Diagram: the mobile client talks to a MobileFirst Server adapter on Linux on z, which calls z/OS Connect on z/OS; z/OS Connect drives the CICS program DFH0XCMN (VSAM file EXMPCAT) for Inquire Catalog, Inquire Item and Place Order.

Shopping cart and geo-location features are added using MobileFirst Platform. These features do not currently exist in the CICS application.

Page 7

Demo 2 – Mobile enablement: enhance your application

Diagram: the same path (mobile client, MobileFirst Server adapter on Linux on z, z/OS Connect, CICS program DFH0XCMN with VSAM file EXMPCAT for Inquire Catalog, Inquire Item and Place Order), now with a MongoDB on Linux on z holding thumbnails and images.

Page 8

Scenario 3: Business to Consumer

Diagram: CICS, z/OS Connect, 3 DataPower, MobileFirst Server on Linux on z, MobileFirst app.

Scenario 3: I need to secure the mobile transaction from the device to the mainframe.

Page 9

DataPower Mobile Security Features

Diagram: the MobileFirst app reaches the DataPower Gateway Appliance with e.g. REST (JSON/XML) over HTTPS; behind the appliance sit the MobileFirst Server (WAS ND), CICS, IMS, DB2 and other servers, web apps and services, reached with e.g. REST or SOAP over HTTP(S) or messaging.

• Security, control, integration and optimization of mobile workload
• Enforcement point for centralized security policies
• Authentication, authorization, LTPA, SAML, OAuth 2.0, audit
• Threat protection for XML and JSON
• Message validation and filtering
• Centralized management and monitoring point
• Traffic control / rate limiting
• Integration with MobileFirst Server
• Available as a physical or virtual appliance

Page 10

DataPower AAA

The AAA policy runs the stages below between input and output; authentication and authorization can use an external access control server or the onboard identity management store.

Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML assertion, IP address, LTPA token, custom

Extract Resource: URL, SOAP operation, HTTP operation, custom

Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom

Map Identity

Map Resource

Authorize: OAuth 2.0, LDAP, Active Directory, System/z NSS, Tivoli Access Manager, SAML, XACML, custom

Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SAML, generate LTPA, map Tivoli Federated Identity

Page 11

DataPower JSON protection

Jumbo JSON payload limits:
• Label-value pairs
• Label string length (characters)
• Value string length (characters)
• Number length (characters)

Threat protection:
• Maximum nesting depth (levels)
• Maximum document size (bytes)

Diagram: a sample document annotated with a label string, a value string, a number, a nesting depth of 3 and the document size.
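As an added example (not code from the slides or from DataPower), the limits the slide names can be implemented as a pre-filter that runs before a request body reaches the JSON parser and the backend. The limit values and the sample payloads are constructed for this example; counting label/value pairs over the whole document is an assumption about how that setting is applied. Document size and nesting depth are checked on the raw bytes before parsing, number length is checked on the number's source text through the parser's hooks, and the string and pair limits on the parsed tree.

```python
import json


class JsonThreat(ValueError):
    """Raised when a payload violates one of the configured limits."""


# The limits named on the slide. The numeric values are constructed for this
# example; they are not DataPower defaults.
LIMITS = {
    "max_document_size": 2048,    # bytes
    "max_nesting_depth": 3,       # levels of {} / [] nesting
    "max_label_value_pairs": 20,  # label/value pairs in the whole document (assumption)
    "max_label_length": 32,       # characters
    "max_value_length": 256,      # characters
    "max_number_length": 18,      # characters
}


def scan_nesting_depth(text, max_depth):
    """Count bracket depth outside string literals in the raw text, so deep
    nesting is rejected before the full parser recurses into it."""
    depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                raise JsonThreat("nesting depth exceeds %d levels" % max_depth)
        elif ch in "}]":
            depth -= 1


def _check_number(token, limit):
    # json.loads hands parse_int/parse_float the number's source text, so its
    # character length can be checked before it is converted.
    if len(token) > limit:
        raise JsonThreat("number length exceeds %d characters" % limit)
    return float(token) if any(c in token for c in ".eE") else int(token)


def _walk(node, limits, counter):
    """Apply the label, value and pair-count limits to the parsed document."""
    if isinstance(node, dict):
        for label, value in node.items():
            counter[0] += 1
            if counter[0] > limits["max_label_value_pairs"]:
                raise JsonThreat("label/value pairs exceed %d" % limits["max_label_value_pairs"])
            if len(label) > limits["max_label_length"]:
                raise JsonThreat("label string length exceeds %d characters" % limits["max_label_length"])
            _walk(value, limits, counter)
    elif isinstance(node, list):
        for item in node:
            _walk(item, limits, counter)
    elif isinstance(node, str) and len(node) > limits["max_value_length"]:
        raise JsonThreat("value string length exceeds %d characters" % limits["max_value_length"])


def check_payload(raw, limits=LIMITS):
    """Apply every limit to a request body (bytes); return the parsed document
    or raise JsonThreat naming the limit that was violated."""
    if len(raw) > limits["max_document_size"]:
        raise JsonThreat("document size exceeds %d bytes" % limits["max_document_size"])
    text = raw.decode("utf-8")
    scan_nesting_depth(text, limits["max_nesting_depth"])
    number_limit = limits["max_number_length"]
    doc = json.loads(text,
                     parse_int=lambda t: _check_number(t, number_limit),
                     parse_float=lambda t: _check_number(t, number_limit))
    _walk(doc, limits, [0])
    return doc


def verdict(raw, limits=LIMITS):
    """'ok', or the reason the gateway would reject the payload."""
    try:
        check_payload(raw, limits)
        return "ok"
    except JsonThreat as exc:
        return str(exc)
    except ValueError:            # JSONDecodeError and bad UTF-8 are ValueErrors
        return "malformed JSON"


# Constructed sample payloads: a normal catalog request and two oversized ones.
SAMPLE_OK = b'{"item": {"ref": 10, "name": "Ball Pens Black 24pk"}}'
SAMPLE_DEEP = b'{"a": {"b": {"c": {"d": 1}}}}'
SAMPLE_BIG_NUMBER = b'{"quantity": 1234567890123456789012345}'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DEEP, SAMPLE_BIG_NUMBER):
        print(verdict(sample))
```

The depth scan is deliberately a flat loop over the bytes: it never builds the tree, so a payload nested thousands of levels deep is refused at the configured depth rather than being handed to a recursive parser.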

Page 12

DataPower traffic control and rate limiting

Page 13

Demo 3 – security flow B2C

1. User logs into the mobile app using a "distributed" user ID and password.

2. IDG authenticates the user in LDAP and forwards the ID in an LTPA token to the MFP Server.

3. MFP Server validates the LTPA token and forwards it with the request to z/OS Connect.

4. z/OS Connect validates the LTPA token and maps the distributed user ID to a RACF user ID (1:1 mapping for employees, many:1 mapping for customers).

5. The RACF user ID is used for authorization checking.

6. The RACF user ID is passed to CICS over WOLA, and CICS checks the user's authority.

Diagram: phone → IDG (user ID/password over HTTPS/JSON; IDG checks LDAP and device/app authenticity) → MFP (identity in LTPA token over HTTPS/JSON) → z/OS Connect (identity in token over HTTPS/JSON) → RACF → CICS (mapped identity in the COMMAREA). The three hops up to z/OS Connect are protected with SSL; steps 4 to 6 run on the mainframe.

Page 14

LTPA token 2rrdEpygdM90rger4wa8rYqg30/vlG7Jtm/dqibAGH0r6EsK5Y26iNKkClKP4Xou3qrm9c6CXW8ka2h/f1zQN6Wir/OzWVLsuUWieUJCjLTtN+2FKuI3VFIzbiL6JTGAMYfECZc3I1QKrec+YJleUVJwKzerz80XSziLL3m2ijjibv8gffkPyWbUydAa7RBCjclZrcRPtGZh+M/qiq56Kwp0NQs6CELhTF7pwXmotbs5giMHDqYOL74uwnGT++6aiSdrQIk86IqX11mKgPTdKgj728JpgxIwmovomUlyCRfNBayN/GkcN43ur1sn+JXuamIpMNGP6vnxPy48l8HOrgNnQtcHov2lTa7au6yU2HPA=

Algorithm:[AES]

Full token string:

[expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr%1427732517000%r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]

Token is for:[expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr]

Token expires at:[2015-03-30-18:21:57 CEST]

Token signature:[r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]

Page 15

LDAP directory used in the demo (O=mop, C=fr):

OU=employees: UID=JeanLeclerc, UID=AliceNevers
OU=customers: UID=MarieDupond, UID=PierreDuclos
OU=partner1: UID=ArthurLeroy, UID=JulieLaforest
OU=partner2: UID=RoryWilliams, UID=RoseMoubinou

Mapping example: DN UID=JeanLeclerc,OU=employees,O=mop,C=fr

RACF user IDs: EMPLOY1, EMPLOY2, CUSTOM, PARTNE1, PARTNE2
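Steps 4 and 5 of the Demo 3 flow (page 13), the decrypted token on page 14 and the directory on this page describe one procedure: validate the LTPA token and map the user's DN to a RACF user ID. The following is an added example, not code from the slides or from z/OS Connect. It parses the token layout visible on page 14 (body fields separated by `$`, then `%expiry%signature`, a `\:` escaping a colon inside a value), refuses an expired token, and applies the 1:1 / many:1 rule with the directory above. Which employee gets EMPLOY1 and which EMPLOY2, and the PARTNE1/PARTNE2 assignment to partner1/partner2, are assumptions. The token's signature is returned but not verified: that needs the LTPA key, which is not on the page, and must be done before any mapped identity is trusted.

```python
from datetime import datetime, timezone

# The decrypted LTPA token from page 14 (without its surrounding brackets):
# body fields separated by "$", then "%" expiry "%" signature.
SAMPLE_TOKEN = (
    r"expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr"
    "%1427732517000%"
    "r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdx"
    "KyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o="
)

# RACF user IDs from page 15. Employees map 1:1 (which employee gets which ID
# is an assumption); customers and each partner OU map many:1.
EMPLOYEE_IDS = {"jeanleclerc": "EMPLOY1", "alicenevers": "EMPLOY2"}
SHARED_IDS = {"customers": "CUSTOM", "partner1": "PARTNE1", "partner2": "PARTNE2"}


def parse_ltpa_token(token):
    """Split a decrypted LTPA token into its fields, expiry and signature."""
    body, expire_ms, signature = token.strip("[]").split("%", 2)
    fields = {}
    for field in body.split("$"):
        key, _, value = field.partition(":")
        fields[key] = value.replace("\\:", ":")   # "\:" escapes a colon inside a value
    if fields.get("expire") != expire_ms:
        raise ValueError("expiry in body and trailer disagree")
    realm, _, dn = fields["u"].partition("/")     # "user:WASLTPARealm/uid=..."
    return {
        "fields": fields,
        "realm": realm,
        "dn": dn,
        "expire_ms": int(expire_ms),
        "expires": datetime.fromtimestamp(int(expire_ms) / 1000, tz=timezone.utc),
        # base64 RSA signature: verify it with the LTPA key before trusting anything above
        "signature": signature,
    }


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs. Escaped commas are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def map_to_racf(dn):
    """Return the RACF user ID for a DN in the demo directory, or None."""
    attrs = {attr: value.lower() for attr, value in parse_dn(dn)}
    if attrs.get("O") != "mop" or attrs.get("C") != "fr":
        return None                                   # not our directory
    if attrs.get("OU") == "employees":
        return EMPLOYEE_IDS.get(attrs.get("UID"))     # 1:1; unknown employee -> None
    return SHARED_IDS.get(attrs.get("OU"))            # many:1 per OU


def authorize(token, now_ms):
    """Step 4 of the flow: refuse an expired token, then map the user's DN.
    None means z/OS Connect should reject the request."""
    parsed = parse_ltpa_token(token)
    if now_ms >= parsed["expire_ms"]:
        return None
    return map_to_racf(parsed["dn"])


if __name__ == "__main__":
    info = parse_ltpa_token(SAMPLE_TOKEN)
    print(info["dn"], info["expires"].isoformat())
    print(authorize(SAMPLE_TOKEN, now_ms=1427732516000))
```

The expiry 1427732517000 ms decodes to 2015-03-30 16:21:57 UTC, which is the 18:21:57 CEST shown on page 14. Returning None for any DN outside the demo directory, or for an employee with no explicit entry, keeps the mapping fail-closed: a token for an unknown principal never reaches RACF with a guessed user ID.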

Page 16

Demo 4 - IBM API Management

Diagram. Development time: the API developer 1. discovers services (SOAP and REST services from CICS, IMS and other applications on System z, exposed through z/OS Connect) and 2. creates APIs in API Management. Run time: mobile apps, web apps and cloud/Bluemix apps 3. consume the APIs.

Page 17

Demo 4 - APIM components

API Provider Organizations and Developer Organizations (user, application), with the demo components:
Developer portal: https://10.3.20.96/mopiccmobile/sb
API Manager: https://10.3.20.96/apimanager
Cloud Management Console: https://10.3.20.96/cmc/
Gateway Server: https://10.7.1.9
Backend: z/OS Connect, CICS

Page 18

Hybrid Solution with Bluemix

Cast Iron Live: on premise, a DataPower appliance with Cloud Integration sits behind the firewall and DMZ (FW / DMZ / FW) in front of the end points (DB2 (+z), Oracle); in Bluemix, the Service Gateway and service app reach it over HTTPS on a public IP.

Secure Gateway: on premise, the app and its destination are reached through a Secure Gateway client (Docker container or DataPower) behind the firewall; in Bluemix, the Secure Gateway service connects the Bluemix app, behind its own firewall, to that destination.

Page 19

Secure Gateway

When you need a secure way to connect Bluemix™ applications to remote locations on-premises or in the cloud, use the Secure Gateway service.

The Secure Gateway provides secure connectivity and establishes a tunnel between your Bluemix organization and the remote location that you want to connect to.

Security: TLS (Transport Layer Security)

• No TLS – No authentication is provided. Your application can communicate directly with the gateway without requiring any certificates.

• TLS Server Side – TLS is enabled and the server provides a certificate to prove its authority. You need to accept the server certificate into your application trust store.

• TLS Mutual Authentication – The server provides a set of certificates. However, you also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.

ACL, DoS attack prevention system. Future enhancements: private destinations (source IP rules), etc.

Page 20

Secure Gateway

Diagram: on premise, the app behind its firewall reaches a destination (hostname:port) through the Secure Gateway client (Docker container or DataPower); in Bluemix, the Secure Gateway service connects the Bluemix app, behind its own firewall, to that destination.

Page 21

Demo 5 – Bluemix application

Diagram: z/OS Connect, CICS, DataPower.

Page 22

z/OS Connect

We didn't change a single bit of the CICS application.

From 3270 to z/OS Connect to Mobile App to Bluemix to IoT

Page 23

THANK YOU