Optimizing Mainframe Applications for Reuse: Can You Really Gain Flexibility Without Sacrificing Security?
5. High-speed stateful services: For applications that reside entirely in CICS, there’s a hybrid option worth exploring, and CICS accounts for most mainframe applications today. With CICS, it’s possible to create wrappered services that have no host sessions behind them. They instead create a direct link to the CICS application—one that retains control over all application logic and flow. This approach relies on products that reach CICS applications through the IBM Link3270 bridge. With this access method, direct mainframe authentication is possible but not required; you can bypass security or, depending on the level of security needed, create a routine that requires authorization from both RACF and the application itself. Although these authentication routines are the same as in approach 4 (with logging, usage, and visibility handled directly by the mainframe), you skip the session creation and its associated authentication processes. Instead, you build your services to create a direct, mainframe-authenticated link to the CICS application, from scratch, for each service operation. With this direct-access approach, when a client application (such as a website) calls a service, mainframe security parameters can be passed as part of the service operation. The service can then create a direct, authenticated link with the destination CICS application, perform the service interactions, disconnect, and terminate the link (see Figure 5).
Advantage: This method eliminates the cost of creating host sessions for short-lived stateful purposes. You can use it for stateless services, with many of the same performance benefits. It can also remove any middle-tier component, which simplifies locking down communications with SSL. Typically, such a process would result in high overhead and slow configuration, but with this hybrid access approach available to the service, the whole interaction is faster and less mainframe-intensive than a standard host session-based stateless service.
Disadvantage: There are two concerns with using a direct application link as the access method for services. First, the host application must be entirely in CICS. Although it can span CICS regions or even mainframes, all application components the service directly interacts with need to be in CICS. The second concern is the requirement to add a third-party product into one or more of the CICS regions. Because this method uses a CICS host-based component, it can complicate the approval process for implementation. (However, like the services using host session-based communications, it doesn’t require any modification to the host applications themselves.)
Appropriate use: Suppose a bank has a network of Automated Teller Machines (ATMs). This setting calls for a combination of speed and security. When users hit the keys on an ATM, they expect to instantly get back data; long response times are out of the question. High-speed, stateful services provide that speed. For optimum security, the mainframe demands full insight into the user’s identity, with the program requiring an ID plus a PIN.
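As an added illustration (not code from the article, and not the Link3270 bridge's or any vendor's API), the per-operation flow described under option 5, modelled in Python: each service call carries the caller's user id and PIN, a constructed stand-in for RACF checks them, an application-level rule decides whether the requested transaction may run, the link to the CICS application is created and torn down inside the call, and every attempt is recorded on the host side. RACF_USERS, APP_AUTHZ, CicsLink, service_operation, and all user ids and transaction ids are constructed for the demo; nothing here talks to a real mainframe.

```python
"""
Toy model (added illustration, not code from the article and not IBM's
Link3270 bridge API) of the direct-link service pattern in option 5: each
service operation carries the caller's mainframe credentials, is checked by a
stand-in for RACF and by an application-level rule, runs over a CICS link that
is created and torn down inside the call, and is logged on the host side.
All names, users and transactions below are constructed.
"""
import hashlib
import hmac

# Constructed stand-in for RACF: user id -> (salted PIN hash, connect groups).
# RACF's real credential handling is not modelled; this only lets the demo
# reject a wrong PIN without keeping PINs in clear.
_SALT = b"constructed-salt"


def _pin_hash(pin: str) -> str:
    return hashlib.sha256(_SALT + pin.encode()).hexdigest()


RACF_USERS = {
    "ATM0017": (_pin_hash("4321"), {"ATMUSER"}),
    "WEB0042": (_pin_hash("9999"), {"WEBUSER"}),
}

# Application-level authorisation: transaction id -> groups allowed to run it
# (the "authorization from the application itself" the article mentions).
APP_AUTHZ = {"BALQ": {"ATMUSER", "WEBUSER"}, "WDRW": {"ATMUSER"}}

HOST_LOG = []   # host-side record of every attempt: (userid, tranid, outcome)
LINKS = []      # every link object created, so callers can verify teardown


class AuthError(Exception):
    pass


def racf_check(userid: str, pin: str) -> set:
    """Stand-in for RACF user authentication; returns the user's groups."""
    rec = RACF_USERS.get(userid)
    if rec is None or not hmac.compare_digest(rec[0], _pin_hash(pin)):
        HOST_LOG.append((userid, "-", "racf-fail"))
        raise AuthError("RACF: invalid user or PIN")
    return rec[1]


class CicsLink:
    """Models one authenticated link to the CICS application; no host session."""

    def __init__(self, userid: str, groups: set):
        self.userid, self.groups, self.open = userid, groups, True
        LINKS.append(self)

    def run(self, tranid: str, payload: dict) -> dict:
        if not self.open:
            raise RuntimeError("link already closed")
        # Unknown transactions have no allowed groups and are denied here too.
        if not APP_AUTHZ.get(tranid, set()) & self.groups:
            HOST_LOG.append((self.userid, tranid, "denied"))
            raise AuthError(f"application: {self.userid} may not run {tranid}")
        HOST_LOG.append((self.userid, tranid, "ok"))
        # Constructed transaction bodies standing in for the real host logic.
        if tranid == "BALQ":
            return {"balance": 150}
        return {"dispensed": payload["amount"]}   # tranid == "WDRW"

    def close(self) -> None:
        self.open = False


def service_operation(userid: str, pin: str, tranid: str, payload: dict) -> dict:
    """One stateless service call: authenticate, link, run, tear the link down."""
    groups = racf_check(userid, pin)      # mainframe authentication on every call
    link = CicsLink(userid, groups)       # fresh link, nothing reused between calls
    try:
        return link.run(tranid, payload)
    finally:
        link.close()                      # no session survives the call


def links_all_closed() -> bool:
    """True when every link ever created has been torn down."""
    return all(not link.open for link in LINKS)
```

The point to notice is where the checks sit: the RACF stand-in runs before any link exists, the application rule runs inside the link, and both outcomes (including denials) land in HOST_LOG, so the mainframe keeps the visibility the article attributes to approach 4 while no host session is ever created.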
Finding the Right Solution
To find the correct solution for your IT environment, you need to explore the available access options while keeping security a top consideration. Here’s a recap:
• If you’re a system administrator working in a trusted IT environment, open/stateless access with no locking will be adequate.
• If you’re extending mainframe access beyond the glass house, you can have a secure deployment by simply locking down your mainframe conversations with SSL.
• If strategic operations are involved, you’re better off tracking service interaction with service logging in place.
• If you need direct mainframe visibility into users and their actions, stateful access with specific host sessions will work for you.
• If your environment is CICS-dominated and you have access to the infrastructure, you can eliminate actual sessions and instead consider fully stateful, sessionless mainframe access.
The most secure approach will emerge when you perform a thorough analysis of your business demands and your particular IT architecture; then, match those requirements with a solution that gives you no more—and no less—functionality than you really need.
Guidelines for Division of Labor
As you sort through these five access options, keep the skills of your technical staff in mind. Almost every IT enterprise has an inherent skillset divide that leads to questions about how and where services are created, the ownership of the resulting services, and, perhaps most important, who is responsible for keeping the services in line with current business needs.
This divide centers on the skills of those who maintain legacy host applications vs. those who work with mid-tier components. Before handing off services built from mainframe assets, be sure to have a plan for division of labor. IT specialists must parse the host application in such a way that mid-tier specialists aren’t given services too granular for their needs. This could have security ramifications; there are few reasons for Web developers to need direct access to general ledger information on the mainframe.
Don’t put change control of critical host business logic in the hands of mid-tier specialists who don’t have the needed context to maintain it. Instead, consider having COBOL specialists retain control of services that require host changes and keep the services up-to-date. Mid-tier control can cover use of the services such as orchestration, security, policy needs, and other SOA-specific concerns.
When mid-tier specialists get business objects generated at the right level, they’ll know how to use them. When ownership stays in the hands of mainframe experts, you don’t have to worry about keeping the services maintained.
When dealing with sensitive mainframe data and logic, a non-invasive methodology is critical to your short- and long-term success. Changing valuable host code or associated business processes could result in catastrophic business losses. Any of the approaches discussed here can be performed non-invasively.
Your present mainframe security is another factor. If you have a security system that’s working for you, that’s the one you should use for authentication in any access scenario. Bypassing your mainframe security is a practice that should never be taken lightly. In addition to working with your current security programs, any application integration method should support federal regulations, including the Federal Information Processing Standard (FIPS), a guideline used to authenticate cryptographic modules.
So, when optimizing mainframe applications for reuse with modern technologies, can you really gain flexibility without sacrificing security? The answer is yes. But let the buyer beware. The business operations controlled by your mainframe have never been more critical.
The best application integration approaches have options for both stateless and stateful access, letting you decide what would work best in your individual IT environment. In fact, modernizing your mainframe applications isn’t as hard as some IT professionals might assume. The key is to do it in a way that protects the integrity of your valuable mainframe assets.