Optimizing Mainframe Applications for Reuse: Can You Really Gain Flexibility Without Sacrificing Security?
Advantage: This method provides fast, flexible use of established stateless services, along with an accounting of how those services were used. Logging of stateless access also lets you capture who invoked the services and what the services returned.
Disadvantage: If SOA governance and mid-tier service logging aren’t trusted or reliable for flow and authentication, the mainframe can’t always be sure who’s gaining access.
Appropriate use: This method is most appropriate when the data made available by the services can justify the risk associated with mid-tier tracking of mainframe resource usage. Both government regulations and auditing procedures typically require a log analysis, so this is a good, basic business practice for many uses. However, for many vital functions, such as general ledger or other accounting operations, a proxy log from the mid-tier may not be considered adequate.
A major U.S. newspaper is successfully using this stateless-interaction approach to implement a new SOA-based, self-service classified and business advertising system. Credentialed users can interact with services that interact with the designated mainframe application to initiate and pay for ads. Security is considered good, as the users are known, the lines are locked down with SSL, and all interactions are recorded at the service level.
4. Stateful session-based services: In some IT settings, the mainframe application needs to directly control its user access. When that’s the case, you need to provide a service that identifies users and their level of security. For example, in a customer-service application, first-level customer care access to customer data might be unique to the user’s credentials on the host application; the data presented by the mainframe application is specific to their login ID. For situations such as this, you can set up access services that obtain a host session using the client’s credentials. To invoke those services, users must provide a specific set of data to have the service initiate a unique host session that lasts for the duration of the service invocation. You can set it up to have the service pass the user identity and password—for both RACF and, if needed, the destination application used by the service operation.
Once the mainframe and the application verify those credentials, the service runs as normal using the authenticated session. When the user’s series of service operations is complete, the service terminates the host session and waits for its next use. This approach provides the mainframe and application complete control over access and direct visibility into users throughout the duration of the service (see Figure 4).
Advantage: Stateful access lets you leverage anything in your enterprise with the same security you had before enabling SOA. Because it uses the mainframe’s existing security infrastructure to manage host sessions, you mitigate access risk.
Disadvantage: Although stateful connections can directly leverage the host resources, they consume proportionally more mainframe resources for every service invocation. In a scenario where the mainframe may need to accommodate 1,000 simultaneous client requests, it would need to create and maintain 1,000 host sessions, each lasting the duration of the calling client’s interactions. This is significantly different from stateless models, which can handle similar workloads with just a few host sessions. Also, slow initial response times can result from the need to create unique session states—waiting for execution of the built-in security steps and instantiation of the host session for the service to use.
Appropriate use: This approach works best when the mainframe application needs direct control over its resource use or when sequential activities by the service are unique to the client’s identity. For example, an IT enterprise on a college campus is successfully using this method for class registration. When a student needs to use the registration application, a security routine launches, the service asks for the user name and password, and then, using these credentials, creates a unique host session—one with a specific view of the student’s data. The mainframe application requires a one-to-one match between user and action taken during the session. In essence, this approach makes the service client an extension of the host application.
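As an added illustration (not code from the article or any of the systems it describes), the following Python model contrasts the stateless, proxy-logged pattern of approach 3 with the stateful, per-invocation host session of approach 4. A constructed dictionary stands in for the RACF credential store, and the two audit trails show which identity the host itself can actually see in each case.

```python
from dataclasses import dataclass, field

# Constructed credential store standing in for RACF; names and passwords are illustrative.
HOST_USERS = {"svcproxy": "pw-proxy", "alice": "pw-a", "bob": "pw-b"}

@dataclass
class Host:
    """Simulated mainframe: authenticates sessions and keeps its own audit trail."""
    sessions: dict = field(default_factory=dict)  # session id -> user the host authenticated
    audit: list = field(default_factory=list)     # (user as seen by the host, operation)
    next_id: int = 0

    def open_session(self, user, password):
        if HOST_USERS.get(user) != password:
            raise PermissionError(f"host security rejected {user}")
        self.next_id += 1
        self.sessions[self.next_id] = user
        return self.next_id

    def run(self, session_id, operation):
        user = self.sessions[session_id]
        self.audit.append((user, operation))
        return f"{operation} for {user}"

    def close_session(self, session_id):
        del self.sessions[session_id]

def stateless_call(host, pool_session, user, operation, midtier_log):
    """Approach 3: a shared host session; only the mid-tier log records the real user."""
    midtier_log.append((user, operation))
    return host.run(pool_session, operation)

def stateful_call(host, user, password, operation):
    """Approach 4: a host session opened with the client's own credentials,
    held for this invocation only and always torn down afterwards."""
    sid = host.open_session(user, password)
    try:
        return host.run(sid, operation)
    finally:
        host.close_session(sid)

def compare():
    """Run one call through each pattern; return (host audit, mid-tier log, open sessions)."""
    host, midtier = Host(), []
    pool = host.open_session("svcproxy", "pw-proxy")  # long-lived session the proxy reuses
    stateless_call(host, pool, "alice", "read_balance", midtier)
    stateful_call(host, "bob", "pw-b", "read_balance")
    return host.audit, midtier, len(host.sessions)
```

In the stateless path the host's own log attributes the operation to the proxy identity and trusts the mid-tier log for the real user, which is exactly the gap approach 3's disadvantage describes; in the stateful path the host authenticates and logs the end user directly, at the cost of one host session per concurrent client.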