As today’s applications rely on Web Services technology to conduct transactions such as back-office financial trades, significant security considerations and challenges emerge. Web Services help organizations work together by automating business processes at incredible speeds. It’s up to IT executives and managers to recognize new information security threats posed by Web Services-enabled activity and put appropriate measures in place to maintain order and control.
J2EE, .NET, Web-based, and legacy applications assume that authentication has filtered out the bad guys. However, these applications aren’t ready to detect new breeds of malicious application activity. Web Services layered on top of legacy applications will immediately expose underlying application logic vulnerabilities, probably raising the security exposure to a new level. In client/server architectures, data-level validation exists primarily in the user interface logic; a Web Services consumer invokes the application logic directly and never passes through that interface, so this type of security is no longer relevant in Web Services-oriented architectures and must be updated. Packet filters at the network level were never designed to recognize and diagnose the behavior of Web Services consumers.
The need to guard Web Services-oriented systems from malicious activity is real. Information assurance measures for both threat protection and trust management must be considered. Threat protection focuses on protecting information content from vulnerability to attacks. Trust management deals with whether someone can be trusted to perform a particular action on a specific object.
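Moving the data-level checks out of the GUI and into the service layer, as an added illustration that is not code from the article or from any product it names: a small Python validator for a hypothetical SOAP PlaceTrade operation. The service namespace `urn:example:trades`, the operation name, the field rules and the sample messages are assumptions constructed for this example; only the SOAP 1.1 envelope namespace is real. The point it makes is that a client talking to the endpoint directly can send anything the GUI would have refused, and that a packet filter cannot help because it only sees an HTTP POST.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces: the real SOAP 1.1 envelope namespace and a hypothetical trading service.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:trades"  # assumption: placeholder service namespace

# The checks the GUI used to perform, restated as server-side rules
# (constructed for this example; the article names no concrete fields).
FIELD_RULES = {
    "account": re.compile(r"[0-9]{8}"),
    "symbol": re.compile(r"[A-Z]{1,5}"),
    "quantity": re.compile(r"[1-9][0-9]{0,5}"),  # 1 .. 999999, no sign allowed
}
MAX_BODY_BYTES = 4096


class ValidationError(ValueError):
    """Raised when a request must be rejected before it reaches the host transaction."""


def _q(ns: str, local: str) -> str:
    """Clark-notation tag name: {namespace}local."""
    return "{%s}%s" % (ns, local)


def validate_trade_request(body: bytes) -> dict:
    """Validate a SOAP PlaceTrade request and return its fields as strings.

    Everything here happens at the message layer; the GUI that used to enforce
    these rules is no longer in the path when the endpoint is called directly.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError("message too large")
    # Refuse DTDs outright: the standard ElementTree parser would otherwise expand
    # entities. In production use defusedxml.ElementTree.fromstring (same signature).
    if re.search(rb"<!(DOCTYPE|ENTITY)", body, re.IGNORECASE):
        raise ValidationError("DTD not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValidationError("malformed XML: %s" % exc) from None

    if root.tag != _q(SOAP_NS, "Envelope"):
        raise ValidationError("not a SOAP envelope")
    soap_body = root.find(_q(SOAP_NS, "Body"))
    if soap_body is None:
        raise ValidationError("missing SOAP Body")
    op = soap_body.find(_q(SVC_NS, "PlaceTrade"))
    if op is None:
        raise ValidationError("unexpected operation")

    # Reject elements the contract does not define instead of silently ignoring them.
    expected = {_q(SVC_NS, name) for name in FIELD_RULES}
    unexpected = [child.tag for child in op if child.tag not in expected]
    if unexpected:
        raise ValidationError("unexpected elements: %s" % unexpected)

    fields = {}
    for name, rule in FIELD_RULES.items():
        elem = op.find(_q(SVC_NS, name))
        if elem is None or elem.text is None:
            raise ValidationError("missing field %s" % name)
        value = elem.text.strip()
        if not rule.fullmatch(value):
            raise ValidationError("field %s fails validation" % name)
        fields[name] = value
    return fields


def is_valid(body: bytes) -> bool:
    """Convenience wrapper: True if the request passes, False otherwise."""
    try:
        validate_trade_request(body)
        return True
    except ValidationError:
        return False


# Constructed sample messages. The first is what the GUI would have sent;
# the others are what a client talking to the SOAP endpoint directly can send.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <t:PlaceTrade xmlns:t="urn:example:trades">
      <t:account>12345678</t:account>
      <t:symbol>IBM</t:symbol>
      <t:quantity>100</t:quantity>
    </t:PlaceTrade>
  </soap:Body>
</soap:Envelope>"""

BAD_QUANTITY_REQUEST = GOOD_REQUEST.replace(b"<t:quantity>100<", b"<t:quantity>-100<")

DTD_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "e">]>'
               + GOOD_REQUEST[len(b'<?xml version="1.0"?>'):])

if __name__ == "__main__":
    print(validate_trade_request(GOOD_REQUEST))
    for label, msg in (("negative quantity", BAD_QUANTITY_REQUEST), ("DTD", DTD_REQUEST)):
        print(label, "accepted" if is_valid(msg) else "rejected")
```

The validator checks the envelope, the operation, the absence of undeclared elements and each field's value before anything is handed to the backend transaction, which is the work the user interface used to do implicitly. The same shape applies whichever product generates the service wrapper: the rules belong in the service, not in the client.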
Development Environment Products
Security is a big issue for SOAs and Web Services. Assuming security can be managed, what development products can help create GUI interfaces and Web Services from existing mainframe applications?
- GT Software’s Ivory Web Services architecture provides a potential solution. Ivory supports development of a Web Services architecture that lets legacy mainframe applications communicate with open systems platforms, including J2EE and .NET. It consists of Ivory Studio and Ivory Server. Ivory Studio creates and publishes Web Services from existing mainframe assets; Ivory Server consists of a powerful SOAP processor (SOAP defines the conventions for invoking code using XML over HTTP), a rules engine for application flow processing, and a central repository for Web Services Description Language (WSDL) discovery. Ivory Server exploits the CICS Transaction Server TCP/IP service processing routines, which eliminates the need for middle-tier servers. Combined, Ivory Studio and Server create and execute Web Services and generate WSDL without the need to write new programs.
- IONA’s Artix Mainframe is intended for enterprises with large IMS or CICS applications. Artix provides an environment for mainframe developers to expose IMS and CICS COMMAREA transactions as Web Services in a larger SOA. These reusable Web Services are accessible to virtually any other developer or application, which means mainframe transactions can be combined and reused in new enterprise applications operating on other platforms. Artix Mainframe uses existing mainframe security facilities to authenticate and authorize access to mainframe-based services. It runs as a native mainframe process, which gives systems programmers control over its administration.
- HostBridge Technology’s HostBridge provides a development environment that lets Java or .NET programs access CICS screens. Existing CICS programs can also be used through a callable interface. HostBridge Extended includes process automation and access to additional data sources (e.g., DB2, VSAM, DL1/IMS, and others) and MQSeries.
- IBM’s SOAP support is available for CICS Transaction Server on z/OS, VSE/ESA, and z/VSE. This feature lets a SOAP client application running on any platform call a program running under CICS. There are no changes required to existing applications to make Web Services out of them.
What About Microsoft?
HIS 2004 is Microsoft’s mainframe integration server software that enables applications, data, and systems hosted in midrange and mainframe environments to be integrated into Windows networks and applications. The latest version of HIS 2004 is intended to assist in the integration of Windows-based applications with IBM mainframe systems such as CICS and IMS, and midrange OS/400-based systems. HIS 2004 allows access to VSAM files, DB2 databases, and stored procedures. It also features a gateway from Microsoft Message Queuing (MSMQ) to WebSphere MQ.
Here are some HIS 2004 functions and features:
- Networking: IP Data Link Control (IP-DLC) Link Service supports SNA over IP routing so HIS 2004 computers can connect directly to z900 mainframes via high-speed IP networks. This means enterprises won’t need to remotely administer branch cluster controllers, use expensive Data Link Switching (DLSw)-capable routers, or maintain front-end processors.
- Applications: HIS 2004 connects legacy applications with .NET applications. The Transaction Integrator works with managed .NET code to initiate the execution of mainframe applications from a .NET application with the results returned as .NET object types. Host processes can also initiate the execution of .NET applications with little or no changes. (Managed .NET code is produced by Visual Studio .NET language compilers for C++, Visual Basic, C# and J#. The term managed implies .NET’s ability to manage dynamic storage allocations, all but eliminating storage orphans when programs complete.) To ease use of CICS, IMS, and RPG with .NET, HIS 2004 includes extensions to Visual Studio that let a developer create a Transaction Integrator Project (TI Project) with wizards that show how to create a .NET component that wraps the logic necessary to access the mainframe application. From within a TI Project, COBOL or RPG data structures can be imported and then accessed directly as .NET object types.
- Data: HIS 2004 includes a managed provider for DB2 and an OLEDB provider (DRDA AR) over which the Open Database Connectivity (ODBC), OLEDB, and managed data providers communicate with a remote DB2 database server. The DB2 provider doesn’t require that DB2 Connect be installed on the client system. A wizard is included to make it easy to create connection strings for accessing mainframe data; a new data access tool reads and writes both DB2 and VSAM directly during the development process.
- .NET Framework support: HIS 2004 provides a common design environment using Microsoft Visual Studio .NET. The TI Project type includes multiple views (host, COM, .NET) as well as import/export wizards for COBOL and RPG host source code. Developers can create object-oriented, distributed applications, including rapid development and managed code.
- Security: Security integration has features for Enterprise Single Sign On (ESSO) and password synchronization across host and Windows networks. The HIS SSO service provides enterprise user authentication that’s automatically synchronized with Windows Active Directory and can also be synchronized with security systems such as RACF via third-party adapters. For example, Proginet’s ePS Adapter for z/OS performs password synchronization with RACF, ACF2, and Top Secret, and its ePS Adapter for OS/400 does the same for OS/400.
The Bottom Line
With the new TI, HIS 2004 becomes of potential interest for host users—including those committed to the J2EE platform—looking at Web Services to support SOA projects. For these users, HIS can be viewed as a “black box” that exposes Web Services interfaces, and J2EE developers potentially won’t have to become proficient with .NET.
HIS has limitations; for example, it doesn’t support integration with non-IBM proprietary platforms such as Unix. Its value proposition is being lost in the marketing noise generated by its competitors. Several Independent Software Vendors (ISVs)—including NEON Software, Farabi Technology, NetManage, and WRQ—provide add-ons to HIS 2004.
Some contend that .NET is too closely tied to Windows. Certainly, for those organizations using Unix or Linux to front-end their mainframes, .NET has a way to go before it becomes an integral part of large enterprise-integration projects. Gartner’s Mark Driver put it this way: “While .NET will remain closely tied to Windows in the near term, it may take on a more platform-independent form within the coming decade. It’s inevitable that .NET will move beyond Windows. If Microsoft doesn’t do it, someone else will, through reverse-engineering or cloning the platform.”
The mainframe remains vibrant. What’s changing are the development environments and the variety of robust integration strategies. Today, these are centralizing around Web Services technologies. Gradually, developers and vendors alike will be forced to adopt a more fluid SOA approach. What won’t change is the pivotal role of the mainframe.