This characteristic fundamentally differs from the traditional legacy security infrastructure, which knows directly who and what is using it from end to end. Mainframe applications, and the systems they reside on, typically track and control use of their data themselves. This difference in how mainframe applications are secured can complicate the building of an enterprise SOA.

Five Options for Mainframe Access Using Services

Before creating services that front-end legacy applications, you should assess the importance of tracking and guarding the use of the legacy components exposed as services. If that importance is high, then you must determine the accepted method of tracking and protection.

From the mainframe perspective, all application users are, at some level, users of mainframe sessions. It's a relationship that lasts for the duration of the legacy application's use. Because a strong authentication step is required before a session is granted, the mainframe and legacy application can track the exact who, what, and when of any legacy interaction. The business operations that depend on these applications typically count on this trust relationship and the guarded methods of use.

Let’s now discuss five general options for allowing services access to the mainframe. With each approach, you’ll see a technical description, accompanying diagram, advantages, disadvantages, and appropriate use.

1. Open/stateless with no locking: The most basic approach is to create stateless services that access and drive a legacy application for the client or user. These services create their own session to the host, and then make themselves externally available for use. The mainframe application talks indirectly to the client application via these stateless services over existing open lines without regard to the location of the client. This approach is a simple extension of the legacy application, with no changes made to the legacy application or the network. It assumes the same safe network environment that most legacy applications were built with (see Figure 1).

Advantage: This method is non-invasive and lets you reuse valuable assets without rewriting or rebuilding host code, which can be risky. It has the lowest level of change to system and application access, so you can enjoy rapid ROI.

Disadvantage: Because the lines are open and unencrypted, this approach assumes the network itself is safe. Because the legacy interactions are stateless with no tracking, the application-client communications are anonymous: the host sees only the service's own session, not the end user behind each request.

Appropriate use: This method is suitable for tasks where security is implicit in the nature of the data and the current network layout. While it supports quick use of legacy application assets that don't need extended session state, its use can't be taken beyond the existing safe network zone in IT. It's often used in a protected or "glass house" environment, where all users with network access are known and hold their own credentials.
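As an added illustration, not code from the original article, the following Python model shows what option 1 looks like from the host's side: the stateless service owns a single host session under a service ID, so the mainframe's audit trail can attribute activity only to that service, and the sole control the option offers is confining callers to the assumed-safe network zone. The address range, the `HostSession` class and the service ID `SVCACCT` are constructed assumptions.

```python
"""Toy model of option 1: a stateless front-end service that owns its own
host session and drives a legacy application on behalf of any caller."""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the "glass house" address range this option assumes is safe.
TRUSTED_ZONES = [ipaddress.ip_network("10.20.0.0/16")]


def is_in_trusted_zone(client_ip: str) -> bool:
    """The only boundary option 1 provides: is the caller inside the safe zone?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in zone for zone in TRUSTED_ZONES)


@dataclass
class HostSession:
    """Hypothetical mainframe session; its owner is the only identity the host sees."""
    session_user: str
    audit_log: list = field(default_factory=list)

    def run_transaction(self, tx: str, data: str) -> str:
        # The host records the session owner, never the end client.
        self.audit_log.append({"user": self.session_user, "tx": tx})
        return f"{tx}:{data}:OK"


class StatelessService:
    def __init__(self, session: HostSession):
        self.session = session  # one shared session reused for all callers

    def handle(self, client_ip: str, tx: str, data: str) -> str:
        if not is_in_trusted_zone(client_ip):
            raise PermissionError(f"{client_ip} is outside the trusted zone")
        return self.session.run_transaction(tx, data)


def distinct_identities_in_audit(session: HostSession) -> set:
    """Who the mainframe can attribute activity to after several client calls."""
    return {entry["user"] for entry in session.audit_log}


def demo() -> set:
    session = HostSession(session_user="SVCACCT")  # constructed service ID
    svc = StatelessService(session)
    svc.handle("10.20.1.5", "INQ", "acct=1001")  # two different clients...
    svc.handle("10.20.7.9", "INQ", "acct=2002")
    return distinct_identities_in_audit(session)  # ...one identity on the host
```

Running `demo()` returns `{"SVCACCT"}`: every client request collapses to the service's session in the host audit log, which is the anonymity the disadvantage above describes.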
