
A Look into the Evolution of Session Management as the Mainframe Turns 60

  

Macro 4, along with our parent company UNICOM Global, has enjoyed a long-lasting relationship with IBM. We’ve worked in partnership together for decades, developing trusted tools for developers and operators. Now the mainframe has reached its 60th birthday and it’s still going strong. In fact, it’s still used by 71% of Fortune 500 companies and showing no signs of retirement yet. Its adaptability is remarkable and to have reached this milestone is a fantastic achievement.

In this post I want to describe how one of Macro 4’s core products, the Tubes mainframe session manager, has evolved during much of that time to keep pace with advancements in mainframe technology.

How it all began

Our story started in a world before the internet and even before Microsoft Windows – something that most new IT workers cannot even begin to comprehend.

IBM pioneered techniques such as virtualisation and multithreading and mainframes have been using them since the 60s, honing and refining them to ensure computing resources and capabilities are used as efficiently as possible. These are among the many reasons why the mainframe platform continues to power most of the many billions of transactions in major commercial and public sector organisations today.

Tubes was launched in 1982 when it ran under VM – an operating system that is still pivotal today as z/VM. VM (which stands for Virtual Machine) was released by IBM at this time, reputedly after IBM’s developers wrote it as an internal tool to assist them with their daily tasks, indicating that virtualization was part of IBM’s DNA long before the likes of VMware. The adoption of VM by the mainframe community meant that users needed to access more than a single session concurrently – and they needed to be able to jump around between those sessions without losing where they were (remember you didn’t have Windows or the Internet in those days). Session management and Tubes were born from this primary need.

Tubes VM, which later became Tubes VTAM, went from strength to strength with a major new architecture being released in the late 80s. That architecture remains central to Tubes today, with security considerations at its core.

The introduction of RACF

IBM had released RACF (a crucial security technology that controls who can access mainframe resources and how they can do it) in 1976 and many companies that were using MVS (as it was named then – now z/OS of course) were adopting it as their security model. ACF2, an alternative security product from Computer Associates (now Broadcom), has been around for just as long and there has been a philosophical debate on the merits of these two or others in the mainframe security arena.

Tubes of course embraced such key advances in mainframe security. I was personally involved in writing Assembler exits for Tubes to interface to these security packages in the early 90s when most enterprises used them to fully secure their mainframes. So, security has been second nature to the mainframe platform for most of its history too.

The emergence of TCP/IP

TCP/IP was widely adopted by the mainframe in the 90s, allowing mainframe systems to connect more seamlessly with a variety of different networks and systems, including opening the door to connectivity via the internet. Since Tubes was now able to connect via TCP/IP as well as VTAM, Tubes VTAM became a little misleading as a product name. Which is why at this point the product was rebranded to just Tubes.

With the rapid adoption of the internet, at around the turn of the millennium, mainframe engineers were very aware of the risk of ‘opening up’ IBM mainframes to the outside world, particularly given the importance of the data that the platform holds. Keeping mainframes locked away might not have seemed in line with modern computer technology, but there was horror that the rise of the internet meant all of that security enhanced over many years could be so easily breached.

Security remains paramount

Security breaches are more commonplace today and there is an acceptance that they can and will happen - something that would have been shocking a few decades ago. What is not talked about enough is that the mainframe has remained unassailable throughout this millennium when it comes to security.

Mainframers can be viewed as doomsayers when they ask their standard questions about security. Zero trust may be a relatively new concept for distributed systems, but it is effectively what mainframes have been doing for decades.

The fact that mainframers are never prepared to throw caution to the wind is part of the reason why they can be (wrongly in my opinion) seen as putting obstacles in the way of progress. In reality, they are like the elders in the corner who need to be respected for their experience - because they have almost certainly thought through the pitfalls before! On the mainframe everything has always been audited; and everything has always been locked down, so only people who needed access to applications or parts of them were given access.

However, just because people didn’t understand mainframe technology and because it came with an older interface, newcomers to the platform tended to think that it should just be thrown away.

The adoption of modern interfaces

IBM have continued to adapt though and adopted more modern interfaces to the mainframe such as Eclipse and Zowe, both of which stem from innovative ideas in similar ways to when VM was born all those years ago. Tubes has continued to adapt too, with interfaces for those frameworks available since the late 2000s.

Still, CEOs who are trying to make their mark are sometimes intimidated by that complicated thing that sits in the corner quietly doing its job. It costs a lot, so surely there’s a better way, they say!

However, there are numerous examples of organisations that have attempted to replace the mainframe and realised too late that it was a mistake. The system that replaced the mainframe ended up costing more both in terms of money and power consumption and took up more space in the data centre (remember that even if you go to the cloud, there is still physical hardware on earth somewhere until the day when we can put data centres on Mars). Often that system actually required more people to run it and didn’t recover as quickly or as well. Of course, the CEO who made the decision to move is probably long gone when the next incumbent has to admit their failure. There have even been cases when organisations have had to roll back to the mainframe from those distributed systems.

Enterprises are learning the hard way that a hybrid approach is probably best.

Introducing browser-based access

Of course, the elephant in the room is that the raw interface is viewed as dated. The 3270 is different, which means it doesn’t adapt well to a browser. A number of ISVs are creating browser products instead of or in addition to providing an interface to their session managers.

With Tubes, however, we believe that to ensure all of that key mainframe security functionality is maintained, it is best to provide the browser interface as part of the session manager. However, we’re not just screen scraping - which could mean one browser tab into the session manager or multiple logins to separate out the browser tabs, each leading to an application.

Instead, using just one Tubes login (secured by RACF or ACF2 of course with Multi-Factor Authentication on top for additional protection), you get to the list of mainframe applications you’re authorized to use - and access each of them from a different browser tab. This is just the way you would access applications on the mainframe natively, but you’re in your browser now, so it is familiar to the newcomers to the platform. It doesn’t matter that there’s an old interface – nobody is forcing you to use it. After all, on UNIX, there is still a TTY interface if people wanted to use that instead of a GUI.

AI makes its mark

Another negative argument that people make about the mainframe is that it’s not observable. In fact, what they really mean here is that it’s not observable in the same way. Remember, different isn’t bad – we all want diversity! There are lots of ways to get your SMF records from your mainframe into a more user-friendly format. The answer is not to dump that data into a data lake off the mainframe, leaving the security of the data lake to others. IBM are leading the way with the provision of governance around their AI engines and LLMs to ensure that mainframe data continues to be protected. After all, the mainframes of the world probably know as much or perhaps more about me than my close friends - so I’d like to be able to continue to trust them.

As with every other adaptation of the mainframe, the Tubes application is poised to adapt in line with that – watch this space for secure, non-hallucinogenic AI capabilities coming soon.

Here’s to another 60 years of the world’s enterprise data and transactions remaining in safe reliable hands.

Comments

Mon June 10, 2024 01:08 PM

The mainframe is NOT going away. In fact, another facility we utilize today - multi-factor authentication - is available on the mainframe. Check out the example here:

https://www.youtube.com/watch?v=IlMFI8Zz7C0

Regards,

Glenn Havelock, UNICOM Systems, Inc.