EL 10 - From IoT to Mainframe, secured and all: Mobile Integration with z Systems
Aymeric Affouard, IT Specialist
Jan 18, 2016
IBM z Systems: A first class platform for mobile
5 Mobile Scenarios on z: From CICS to Internet of Things

Figure: the five integration paths between the systems of engagement (SoE: mobile app, cloud) and the systems of record (SoR: CICS on z/OS): (1) z/OS Connect in front of CICS; (2) MobileFirst Platform, i.e. the MobileFirst app talking to a MobileFirst Server on Linux on z; (3) DataPower between the app and the MobileFirst Server; (4) API Management; (5) Bluemix integration.

Scenario 1: I want to expose my mainframe applications as RESTful services so they can be discovered and used by new mobile and cloud-based applications.
Scenario 2: I need to develop mobile applications that access mainframe applications, quickly and efficiently.
Scenario 3: I need to secure the mobile transaction from the device to the mainframe.
Scenario 4: I want to expose my enterprise services to business partners and developers.
Scenario 5: I want to integrate cloud-based applications with mainframe applications in a hybrid cloud environment.
Demo 1 – RESTful service enablement

Figure: on z/OS, the CICS catalog sample application (program DFH0XCMN, 3270 front end DFH0XGUI, VSAM file EXMPCAT) with its three operations, Inquire Catalog, Inquire Item and Place Order. z/OS Connect, running in WebSphere Liberty, exposes them as the services inquireCatalog, inquireSingle and placeOrder, declared in server.xml and called over HTTPS/JSON.
Demo 2 – Mobile enablement

Figure: the mobile client calls a MobileFirst Server adapter (MobileFirst Server on Linux on z), which calls the z/OS Connect services in front of the CICS program DFH0XCMN and the VSAM file EXMPCAT (Inquire Catalog, Inquire Item, Place Order). Shopping cart and geo-location features are added using MobileFirst Platform; these features do not currently exist in the CICS application.

Demo 2 – Mobile enablement: enhance your application

Figure: the same flow, with a MongoDB instance on Linux on z, next to the MobileFirst Server, holding the catalog thumbnails and images.
Scenario 3 (Business to Consumer): I need to secure the mobile transaction from the device to the mainframe.

Figure: MobileFirst app → DataPower → MobileFirst Server (Linux on z) → z/OS Connect → CICS.
DataPower Mobile Security Features

Figure: mobile apps reach the DataPower Gateway Appliance with REST (JSON/XML) over HTTPS; the appliance forwards to the MobileFirst Server (WAS ND), to CICS, IMS and DB2, or to other servers, web apps and services using REST or SOAP over HTTP(S) or messaging.

• Security, control, integration and optimization of mobile workload
• Enforcement point for centralized security policies
• Authentication, authorization, LTPA, SAML, OAuth 2.0, audit
• Threat protection for XML and JSON
• Message validation and filtering
• Centralized management and monitoring point
• Traffic control / rate limiting
• Integration with MobileFirst Server
• Available as a physical or virtual appliance
DataPower AAA

Figure: the AAA policy pipeline, from input message to output message:
• Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML assertion, IP address, LTPA token, custom
• Extract Resource: URL, SOAP operation, HTTP operation, custom
• Authenticate: LDAP, System z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
• Map Identity and Map Resource
• Authorize: OAuth 2.0, LDAP, Active Directory, System z NSS, Tivoli Access Manager, SAML, XACML, custom
• Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SAML, generate LTPA, map Tivoli Federated Identity
Authentication and authorization can use an external access control server or the onboard identity management store.
DataPower JSON protection

Limits that can be enforced on a JSON payload before it reaches the back end (the slide's "Jumbo JSON Payload" example shows a document with a nesting depth of 3):
• Label-value pairs: label string length (characters), value string length (characters), number length (characters)
• Threat protection: maximum nesting depth (levels), maximum document size (bytes)
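The following is an added example, not DataPower's own code: a gateway-style check that enforces the five limits listed above on an incoming JSON payload. The limit values, the sample payloads and the function names are assumptions made here for illustration. The point worth noting is the order of the checks: document size and nesting depth are measured in a single linear pass over the raw text, so a deeply nested payload is rejected before a recursive parser ever sees it, and number length is taken from the raw digits (via the json module's parse hooks) because converting to int or float would hide how long the number was.

```python
import json

# Added example, not DataPower's own code: enforce the JSON threat-protection
# limits listed on the slide. Limit values are assumptions, not DataPower defaults.
LIMITS = {
    "max_document_size": 4096,  # bytes
    "max_nesting_depth": 3,     # levels; the slide's example payload has depth 3
    "max_label_length": 32,     # characters
    "max_value_length": 256,    # characters
    "max_number_length": 16,    # characters
}


class JsonThreat(ValueError):
    """Payload violates a configured limit; the gateway should reject it."""


def _scan_depth(text: str) -> int:
    """Maximum nesting depth of objects/arrays, computed in one linear pass so a
    deeply nested payload is rejected before any recursive parser sees it.
    Brackets inside string literals are ignored (backslash escapes honoured)."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def validate_json(raw: bytes, limits: dict = LIMITS):
    """Check a payload against the limits, cheapest check first, and return the
    parsed document. Number length is checked on the raw digits through the
    json parse hooks, because int()/float() would hide the original length."""
    if len(raw) > limits["max_document_size"]:
        raise JsonThreat(f"document size {len(raw)} > {limits['max_document_size']} bytes")
    text = raw.decode("utf-8")
    depth = _scan_depth(text)
    if depth > limits["max_nesting_depth"]:
        raise JsonThreat(f"nesting depth {depth} > {limits['max_nesting_depth']} levels")

    def check_number(s: str, convert):
        if len(s) > limits["max_number_length"]:
            raise JsonThreat(f"number length {len(s)} > {limits['max_number_length']} characters")
        return convert(s)

    doc = json.loads(text,
                     parse_int=lambda s: check_number(s, int),
                     parse_float=lambda s: check_number(s, float))

    def walk(node):
        if isinstance(node, dict):
            for label, value in node.items():
                if len(label) > limits["max_label_length"]:
                    raise JsonThreat(f"label length {len(label)} > {limits['max_label_length']} characters")
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str) and len(node) > limits["max_value_length"]:
            raise JsonThreat(f"value length {len(node)} > {limits['max_value_length']} characters")

    walk(doc)
    return doc


def classify(raw: bytes, limits: dict = LIMITS) -> str:
    """'accepted' or 'rejected: <reason>', the line a gateway would log."""
    try:
        validate_json(raw, limits)
        return "accepted"
    except JsonThreat as exc:
        return f"rejected: {exc}"
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return f"rejected: malformed ({exc.__class__.__name__})"


# Constructed sample payloads (not from the page): a normal catalog request,
# one nested four levels deep, and one carrying a 40-digit number.
GOOD_PAYLOAD = b'{"inquireSingle": {"itemNumber": 10, "note": "Ball Pens Black 24pk"}}'
DEEP_PAYLOAD = b'{"a": {"b": {"c": {"d": 1}}}}'
LONG_NUMBER_PAYLOAD = b'{"itemNumber": ' + b"9" * 40 + b"}"

if __name__ == "__main__":
    for payload in (GOOD_PAYLOAD, DEEP_PAYLOAD, LONG_NUMBER_PAYLOAD):
        print(classify(payload))
```

The limits are deliberately tight for the demo; in practice they are tuned per service from the largest legitimate request the back end expects, and the size check comes first because it is the only one that can be made before reading the whole body.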
DataPower traffic control and rate limiting
Demo 3 – security flow B2C

1. The user logs into the mobile app using a "distributed" user ID and password; the credentials go to the IBM DataPower Gateway (IDG) over HTTPS/JSON.
2. IDG authenticates the user in LDAP and forwards the identity in an LTPA token to the MobileFirst Platform (MFP) Server.
3. The MFP Server validates the LTPA token and forwards it with the request to z/OS Connect (HTTPS/JSON, identity in token).
4. z/OS Connect validates the LTPA token and maps the distributed user ID to a RACF user ID (1:1 mapping for employees, many:1 mapping for customers).
5. The RACF user ID is used for authorization checking.
6. The RACF user ID is passed to CICS over WOLA, and CICS checks the user's authority; the mapped identity is available to the program in the COMMAREA.

Figure: phone → IDG (LDAP) → MFP Server → z/OS Connect → RACF → CICS, every hop over SSL, with device and app authenticity also checked before the request reaches the mainframe.
LTPA token issued in the demo:

Algorithm: [AES]
Encrypted token (base64): 2rrdEpygdM90rger4wa8rYqg30/vlG7Jtm/dqibAGH0r6EsK5Y26iNKkClKP4Xou3qrm9c6CXW8ka2h/f1zQN6Wir/OzWVLsuUWieUJCjLTtN+2FKuI3VFIzbiL6JTGAMYfECZc3I1QKrec+YJleUVJwKzerz80XSziLL3m2ijjibv8gffkPyWbUydAa7RBCjclZrcRPtGZh+M/qiq56Kwp0NQs6CELhTF7pwXmotbs5giMHDqYOL74uwnGT++6aiSdrQIk86IqX11mKgPTdKgj728JpgxIwmovomUlyCRfNBayN/GkcN43ur1sn+JXuamIpMNGP6vnxPy48l8HOrgNnQtcHov2lTa7au6yU2HPA=
Full (decrypted) token string: [expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr%1427732517000%r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]
Token is for: [expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr]
Token expires at: [2015-03-30-18:21:57 CEST]
Token signature: [r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]
LDAP directory used in the demo and the mapping of distributed identities to RACF user IDs:

O=mop,C=fr
  OU=employees
    UID=JeanLeclerc
    UID=AliceNevers
  OU=customers
    UID=MarieDupond
    UID=PierreDuclos
  OU=partner1
    UID=ArthurLeroy
    UID=JulieLaforest
  OU=partner2
    UID=RoryWilliams
    UID=RoseMoubinou

Mapping example:
DN UID=JeanLeclerc,OU=employees,O=mop,C=fr → EMPLOY1
The slide lists the RACF IDs EMPLOY1 and EMPLOY2 for the two employees (1:1), CUSTOM for everyone under OU=customers (many:1), and PARTNE1 and PARTNE2 for the users under OU=partner1 and OU=partner2 respectively.
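An added example, not z/OS Connect's or WebSphere's own code, covering step 4 of the security flow: it parses the decrypted LTPA token body shown above and applies the identity mapping from this slide. The body format (attributes separated by "$" as name:value with ":" escaped as "\:", then "%expiry%signature") is inferred from the decrypted string on the page; the function names, the base-DN check and the decision to reject unknown employees rather than fall back to a shared ID are assumptions made here. Decryption and signature verification need the shared LTPA keys, which the page does not provide, so this code assumes both have already been done upstream and must not be used on its own to accept a token.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not z/OS Connect or WebSphere code. Parses an LTPA2 body that has
# ALREADY been decrypted and whose signature has ALREADY been verified (both need
# the shared LTPA keys, not provided on the page), then maps the distributed DN to
# a RACF user ID as the slide describes. Body format assumed from the page:
# "<attrs>%<expire-ms>%<base64 signature>", attrs separated by "$" as name:value,
# with ":" escaped as "\:" inside values.

# The decrypted body shown on the page, reused here as the sample input.
SAMPLE_BODY = (
    r"expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr"
    "%1427732517000%"
    "r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/"
    "gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o="
)


@dataclass(frozen=True)
class LtpaToken:
    realm: str
    user_dn: str
    expire_ms: int
    signature: str

    @property
    def expires_at(self) -> datetime:
        return datetime.fromtimestamp(self.expire_ms / 1000, tz=timezone.utc)

    def is_expired(self, now_ms: int) -> bool:
        return now_ms >= self.expire_ms


def parse_ltpa_body(body: str) -> LtpaToken:
    """Split the body into attributes, expiry and signature and cross-check the
    two expiry fields; anything unexpected is a hard failure, never a guess."""
    attrs_part, trailing_expire, signature = body.rsplit("%", 2)
    attrs = {}
    for attr in attrs_part.split("$"):
        name, sep, value = attr.partition(":")
        if not sep:
            raise ValueError(f"malformed attribute: {attr!r}")
        attrs[name] = value.replace(r"\:", ":")
    expire_ms = int(attrs["expire"])
    if expire_ms != int(trailing_expire):
        raise ValueError("expiry in attributes and trailer disagree")
    user = attrs["u"]                        # "user:<realm>/<dn>"
    if not user.startswith("user:"):
        raise ValueError("unexpected principal type")
    realm, sep, dn = user[len("user:"):].partition("/")
    if not sep or not dn:
        raise ValueError("principal has no realm/DN")
    return LtpaToken(realm=realm, user_dn=dn, expire_ms=expire_ms, signature=signature)


# Mapping from the slide: employees 1:1, everyone else many:1 per OU.
BASE_RDNS = (("o", "mop"), ("c", "fr"))
EMPLOYEE_IDS = {"jeanleclerc": "EMPLOY1", "alicenevers": "EMPLOY2"}
OU_IDS = {"customers": "CUSTOM", "partner1": "PARTNE1", "partner2": "PARTNE2"}


def parse_dn(dn: str):
    """Split 'uid=X,ou=Y,o=Z,c=W' into (attr, value) pairs with lower-cased
    attribute names. Assumes no escaped commas, which holds for the demo tree."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def map_to_racf(dn: str) -> str:
    """Distributed DN -> RACF user ID. Rejects DNs outside the expected tree and
    employees without a 1:1 entry instead of falling back to a shared ID."""
    rdns = parse_dn(dn)
    if tuple((a, v.lower()) for a, v in rdns[-2:]) != BASE_RDNS:
        raise PermissionError(f"DN outside {BASE_RDNS}: {dn}")
    attrs = dict(rdns[:-2])
    ou = attrs.get("ou", "").lower()
    uid = attrs.get("uid", "").lower()
    if ou == "employees":
        if uid not in EMPLOYEE_IDS:
            raise PermissionError(f"no RACF ID for employee {dn}")
        return EMPLOYEE_IDS[uid]
    if ou in OU_IDS:
        return OU_IDS[ou]
    raise PermissionError(f"no mapping for OU {ou!r}")


def authorize(body: str, now_ms: int) -> str:
    """Step 4 of the flow: expiry check first, then identity mapping."""
    token = parse_ltpa_body(body)
    if token.is_expired(now_ms):
        raise PermissionError(f"token expired at {token.expires_at.isoformat()}")
    return map_to_racf(token.user_dn)
```

Two design points matter more than the parsing: the base DN is checked before any mapping, so a token minted for a user in another tree cannot land on a shared RACF ID, and the many:1 identities (CUSTOM, PARTNE1, PARTNE2) mean RACF only ever sees the group, so the original DN from the token is what has to go into the audit trail.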
Demo 4 - IBM API Management

Figure: at development time the API developer (1) discovers the SOAP and REST services available on System z (CICS, IMS, z/OS Connect and others) and (2) creates APIs from them in API Management; at run time mobile apps, web apps and cloud/Bluemix apps (3) consume those APIs through the API Management gateway.
Demo 4 - APIM components

• Cloud Management Console: https://10.3.20.96/cmc/
• API Manager (API provider organizations): https://10.3.20.96/apimanager
• Developer portal (developer organizations, users, applications): https://10.3.20.96/mopiccmobile/sb
• Gateway Server: https://10.7.1.9, in front of z/OS Connect and CICS
Hybrid Solution with Bluemix:

Figure (Cast Iron Live): a Bluemix app calls the Integration Service (Cast Iron Live, public IP) over HTTPS; the request crosses the DMZ firewalls to an on-premise DataPower appliance with the Cloud Service Gateway, which reaches the endpoints (DB2 on z, Oracle) over HTTPS*.

Figure (Secure Gateway): a Bluemix app uses the Secure Gateway service, which tunnels to a Secure Gateway Client (a Docker container or DataPower) running on premise behind the firewall, and from there to the destination.
When you need a secure way to connect Bluemix™ applications to remote locations on-premises or in the cloud, use the Secure Gateway service.
The Secure Gateway provides secure connectivity and establishes a tunnel between your Bluemix organization and the remote location that you want to connect to.

Security: TLS (Transport Layer Security)
• No TLS – No authentication is provided (and no encryption of the application traffic on this leg). Your application can communicate directly with the gateway without requiring any certificates.
• TLS Server Side – TLS is enabled and the server provides a certificate to prove its identity. You need to accept the server certificate into your application trust store.
• TLS Mutual Authentication – The server provides a set of certificates. However, you also need to upload your own certificate, or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.

Also available: ACL, DoS attack prevention system. Future enhancements: private destinations (source IP rules), etc.
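The three modes above, as an added example written for this page (not Bluemix or Secure Gateway code) using Python's standard ssl module on the client side of the connection; the function names are made up here, and the certificate and key file paths are placeholders the caller supplies. It makes concrete what each mode does and does not give you: "no TLS" authenticates nobody, "server side" only holds if the gateway certificate is actually in the trust store and hostname checking stays on, and "mutual" is the first mode in which the gateway can tell one client from another.

```python
import ssl

# Added example, not Bluemix/Secure Gateway code: client-side TLS configuration
# for the three Secure Gateway security modes. File paths are caller-supplied
# placeholders (the server certificate accepted into the trust store, and the
# client certificate/key uploaded to or auto-generated by the service).


def gateway_client_context(mode: str, ca_file=None, client_cert=None, client_key=None):
    """Return an ssl.SSLContext for 'server' or 'mutual' mode, or None for 'none'.

    'none'   - plain TCP: nothing is authenticated and nothing is encrypted.
    'server' - the client verifies the gateway certificate and hostname; the
               gateway certificate (or its CA) must be in the trust store (ca_file).
    'mutual' - as 'server', plus the client presents its own certificate/key.
    """
    if mode == "none":
        return None
    if mode not in ("server", "mutual"):
        raise ValueError(f"unknown mode {mode!r}")
    # PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED and check_hostname=True;
    # both are set explicitly so a later edit cannot silently weaken them.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # the accepted server certificate
    else:
        ctx.load_default_certs()                    # system CA bundle (public CAs only)
    if mode == "mutual":
        if not (client_cert and client_key):
            raise ValueError("mutual mode needs the client certificate and private key")
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe(mode: str, **paths) -> dict:
    """Summarise what a mode actually guarantees, as a review checklist."""
    ctx = gateway_client_context(mode, **paths)
    if ctx is None:
        return {"encrypted": False, "server_authenticated": False, "client_authenticated": False}
    return {
        "encrypted": True,
        "server_authenticated": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "client_authenticated": mode == "mutual",
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for mode in ("none", "server"):
        print(mode, describe(mode))
```

Usage: `gateway_client_context("mutual", ca_file="gateway.pem", client_cert="client.pem", client_key="client.key")` and pass the context to `ssl_context.wrap_socket(...)` or an HTTPS client. With a self-signed gateway certificate, "accept the server certificate into your trust store" is exactly the `ca_file` argument; if the certificate is instead loaded with verification disabled, the mode degrades to the "No TLS" row in everything but the encryption.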
Demo 5 – Bluemix application

Figure: Bluemix app → Secure Gateway → Secure Gateway Client (Docker container or DataPower) on premise → destination (hostname:port) → DataPower → z/OS Connect → CICS.

We didn't change a single bit of the CICS application.
From 3270 to z/OS Connect to Mobile App to Bluemix to IoT.

THANK YOU