z/OS

z/OS

z/OS

IBM z/OS is a widely-used mainframe operating system designed for a stable, secure and highly available environment for running mission-critical applications.

 View Only

Leveraging the strengths of the mainframe

By Ashley Peterson posted Tue October 12, 2021 04:14 PM

  

Author Bio: Roberto Luis de Hoz, Head of IBM Z at HSBC Bank Argentina
"I started my career very young at the age of 19 and studying at CAECE University (Bachelor in Computing Systems), in various consulting firms in different functions, which nobody wanted to do, surveys, documentation ... then at 20 I was programming Basic in 5110/20. Until in 1981 I met, luckily, the best platform: Mainframe, and worked at the Caja Nacional de Ahorro y Seguro as a Cobol programmer.  In 2004 I led the IT Architecture area, until in 2006 the bank was bought by HSBC. Until 2012 I worked in Architecture and designing the solution for the merger of both BNL-HSBC Banks, migration from Altamira to Fidelity, migration from VSE to MVS, and training IT HSBC staff in the new environment. As of 2012 I am in charge of the best Team: IBM Z (Mainframe), with several hardware and software changes and great local and global challenges."

HSBC logo
Everything within the Mainframe : z/OS Connect, API RestFul
IBM Z, commonly known as Mainframe, is a reliable IT platform traditionally running banking and finance applications supporting massive customer data and online transactional power. For the present case, in Argentina it hosts, among others, the core banking system. Enabling a RESTFul API in the Mainframe platform greatly improves the ease of connectivity and integration to strategic business applications hosted by a strong and performant IT environment. z/OS Connect Enterprise Edition by IBM is a tool designed to provide a fast, secure and reliable connector to reach any z/OS asset. An API, or application programming interface, is a set of rules that define how applications or devices can communicate with each other. A RESTful API achieves this using the widespread HTTP protocol in a flexible way. The HTTP protocol, popularized by the Internet, divides applications in ‘clients’ and ‘servers’. Clients make requests, servers replies them. REST, or representational state transfer, requires the client to include all the information the server needs for processing a request. This saves the server of the need to store server-side session information, enabling a relatively high level of flexibility and freedom for developers and ‘lightweighting’ the application for better performance. This flexibility is just one reason why REST APIs have emerged as a common method for connecting components and applications in what is known as a ‘microservices architecture’. z/OS Connect EE provides a standard way to identify z/OS applications and using REST technology. Where these assets run is specified in the z/OS Connect EE configuration, relieving clients applications in the enterprise, mobile, cloud and web worlds of the need to understand the details about how to reach them and how to convert payloads to and from the formats that the applications require.


Objectives and New Architecture Highlights
The deployment of z/OS Connect EE in a CICSPLEX architecture offers the following benefits compared to the legacy architecture:

  • Enables a modern way of connection to Mainframe applications
    • Ease of use
    • Becoming the Industry Standard
    • Known to ‘non Mainframe’ developers
    • Synchronous replies to client requests
  • Simplifies the integration to the Core Infrastructure
  • Improves response times[1]
  • Decreases Development and Deploy times
  • Introduce in the Mainframe environment the use of Microservices
  • Increases reusability
  • Improves scalability
  • Improves availability:
    • Reduced Points of Failure
    • Redundancy in all components:
      • z/OS Connect EE nodes
      • z/OS Connect EE nodes and CICS TOR regions connections
      • CICS regions
  • Improves Security
    • Stronger encryption
    • Simpler authentication
    • HTTPS protocol
  • TLSv1.2
  • Client authentication through PKI and X.509 client certificates
  • Is agnostic for application logic

RESTFul and CICSPLEX Architecture
1.     Scope: The current stage of RESTFul API enablement included two of the most significant transactions:

  • The most used core banking application transaction
  • One of the most resources (processor and I/O) consuming transaction.

The transaction were migrated to the new architecture in Production environment.

2.     Teamwork: The success of the project was fruit of the spirit of collaboration and synergy among all teams involved.

  • SWD Middleware
  • SWD Core Banking
  • Cyber Security Infrastructure
  • IBM Support
  • ITID Enterprise Services IBM Z

 3.     A New Tool for API Design: The z/OS Connect EE API Toolkit was set up and used to create the RESTful APIs. It is an Eclipse-based workstation installed into IBM Explorer for z/OS.

4.      Synergy with CICSPLEX architecture: The new architecture was integrated with CICSPLEX. z/OS Connect EE technology makes better use of CICSPLEX technology. These achieves:

  • High availability
  • Scalability
  • Work balance
5.     Improved Security: Connectivity to the Mainframe web API is run under HTTPS protocol, encrypted with TLSv1.2. z/OS Connect EE servers are authenticated with Public Key Infrastructure (PKI), making use of digital certificates signed by our own CA. Since the z/OS Connect EE servers and the CICS regions run in the same SYSPLEXS.

Client Authentication for Production, UAT and SAT environments
In these environments the client is authenticated through digital certificates and PKI. The certificates are signed by our own CA again. This reduces human manipulation of secrets and avoids password hardcoding in application code.

During a request to the API the client application presents its digital certificate which is validated by z/OS Connect EE. If validation is successful Security Server RACF maps the certificate to a RACF defined user id. Then, inside Mainframe environment, authorizations are conducted as usual, benefitting from RACF proven security and audit management features.

Client Authentication for Development environment: In Development exists two different kind of APIs, making use of different port numbers:

  • API for integration tests: client authentication is done in the same way as described above for the other environments, with PKI.
  • API for unit tests: for simplicity’s sake client authentication is set up in basic mode, through user id and password. This authentication schema is usually conducted through the z/OS Connect EE API Toolkit.


Conclusion
The transactional architecture simplification project is due to a major CPU build in the main CICS region. This was because our main transactions were not compatible with the CICSPlex Architecture and used the MQ as a connector, plus other connectivity components, which make, look like transactional Synchronism. With the simplification of Architecture using as a connector from customers or Middleware to z/OS Connect, we transform the transactions into APis, eliminate fault points and achieve a native sync communication.

The observed optimization in CPU consumption and workload distribution is the result of the synergy of the API enablement through z/OS Connect and the adoption of the CICSPlex architecture combined with a better use of WLM features with respect to CPU, CICS and transactions within the CICS prioritization and workload management.

With z/OS Connect the response time were significant decrease (around 40% and 42% less). This is achieved in the “transport layer” of the connection between Middleware servers and the core banking backend, thus reflects the “net time” directly affected by the change in the connectivity architecture.

The other lines show the “total time”, and are important because show the user perception of the change.  Additionally we can take advantage of reutilization of the Z asset, and think in Z as an “open platform”.

This important project was critical for the bank because it is a new way to access assets within IBM Z. It would not have been possible without the help of Gustavo Vitaliani and Gabriel Santoro, both leaders of system programmers.

0 comments
27 views

Permalink

https://community.ibm.com/community/user/blogs/ashley-peterson/2021/10/12/leveraging-the-strengths-of-the-mainframe-convinci