
EL 10 - From IoT to Mainframe, secured and all Mobile Integration with z Systems Aymeric Affouard IT Specialist

Presentation transcript:

1 EL 10 - From IoT to Mainframe, secured and all Mobile Integration with z Systems Aymeric Affouard IT Specialist aymeric.affouard@fr.ibm.com

2 IBM z Systems: A first class platform for mobile

3 Five mobile scenarios on z (diagram: CICS behind z/OS Connect (1), MobileFirst Server on Linux on z and the MobileFirst app (2), DataPower (3), API Management (4), Bluemix integration (5))
Scenario 1: I want to expose my mainframe applications as RESTful services so they can be discovered and used by new mobile and cloud-based applications.
Scenario 2: I need to develop mobile applications that access mainframe applications, quickly and efficiently.
Scenario 3: I need to secure the mobile transaction from the device to the mainframe.
Scenario 4: I want to expose my enterprise services to business partners and developers.
Scenario 5: I want to integrate cloud-based applications with mainframe applications in a hybrid cloud environment.

4 Five mobile scenarios on z: from CICS to the Internet of Things (diagram: CICS as the system of record (SoR); z/OS Connect (1), MobileFirst Server on Linux on z and MobileFirst app (2), DataPower (3), API Management (4) and Bluemix integration (5) on the system-of-engagement (SoE) side)

5 Demo 1 – RESTful service enablement (diagram): on z/OS, the CICS catalog sample (3270 front end DFH0XGUI, catalog manager DFH0XCMN, VSAM file EXMPCAT) offers Inquire Catalog, Inquire item and Place Order to a 3270 client; z/OS Connect on WebSphere Liberty exposes the same DFH0XCMN operations as the services inquireCatalog, inquireSingle and placeOrder, defined in server.xml and called over HTTPS with JSON payloads.

6 Demo 2 – Mobile enablement (diagram): a mobile client calls a MobileFirst Server adapter on Linux on z, which calls the z/OS Connect services in front of DFH0XCMN (Inquire item, Inquire Catalog, Place Order on VSAM file EXMPCAT). Shopping cart and geo-location features are added using MobileFirst Platform; these features do not currently exist in the CICS application.

7 Demo 2 – Mobile enablement: enhance your application (diagram): the same path as the previous slide, with thumbnail images for catalog items held in a MongoDB database on Linux on z alongside the VSAM file EXMPCAT on z/OS.

8 Scenario 3: Business to Consumer (diagram: MobileFirst app → DataPower → MobileFirst Server on Linux on z → z/OS Connect → CICS). Scenario 3: I need to secure the mobile transaction from the device to the mainframe.

9 DataPower Mobile Security Features (diagram: mobile client → DataPower Gateway Appliance, e.g. REST (JSON/XML) over HTTPS → MobileFirst Server on WAS ND, e.g. REST or SOAP over HTTP(S) or messaging → CICS, IMS, DB2, other servers, web apps, other services)
Security, control, integration and optimization of mobile workload
Enforcement point for centralized security policies: authentication, authorization, LTPA, SAML, OAuth 2.0, audit
Threat protection for XML and JSON
Message validation and filtering
Centralized management and monitoring point
Traffic control / rate limiting
Integration with MobileFirst Server
Available as a physical or virtual appliance

10 DataPower AAA (policy stages from input to output: Extract Identity → Authenticate → Map Identity → Extract Resource → Map Resource → Authorize → Audit & Post-Process)
Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML assertion, IP address, LTPA token, custom
Authenticate: LDAP, System z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
Extract Resource: URL, SOAP operation, HTTP operation, custom
Map Identity / Map Resource: Tivoli Federated Identity
Authorize: OAuth 2.0, LDAP, Active Directory, System z NSS, Tivoli Access Manager, SAML, XACML, custom
Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SAML, generate LTPA
Authentication and authorization can use an external access control server or the onboard identity management store.

11 DataPower JSON protection: threat protection limits for jumbo JSON payloads
Label string length (characters)
Value string length (characters)
Number length (characters)
Maximum nesting depth (levels)
Maximum document size (bytes)
(diagram: a sample payload of label-value pairs annotated with a label string, a value string, a number, a nesting depth of 3 and the document size)
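The five limits on this slide are easiest to understand as a lexical pre-check that runs before any real JSON parser sees the payload: a jumbo or deeply nested document should be refused without allocating a tree for it. The following is an added example written for this transcript, not DataPower code; the limit values and the sample catalog payload are constructed for illustration.

```python
"""Gateway-side JSON threat protection (added example, not DataPower code).
Enforces document size, nesting depth, label length, value-string length
and number length by scanning the raw bytes; only a payload that passes
every limit is handed to the real parser. Limit values are assumptions."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    max_document_bytes: int = 4 * 1024 * 1024  # maximum document size (bytes)
    max_nesting_depth: int = 64                 # maximum nesting depth (levels)
    max_label_chars: int = 256                  # label string length (characters)
    max_value_string_chars: int = 8192          # value string length (characters)
    max_number_chars: int = 128                 # number length (characters)


class JsonThreatError(ValueError):
    """Raised at the first limit breach; the gateway drops the request."""


def check_json_limits(raw: bytes, limits: JsonLimits = JsonLimits()) -> dict:
    """Lexically scan `raw` and reject it at the first breached limit.

    No document tree is built during the scan, so an attacker cannot force
    memory or recursion proportional to the payload. Returns the observed
    maxima so an accepted request can be logged with them."""
    if len(raw) > limits.max_document_bytes:
        raise JsonThreatError(f"document size {len(raw)} > {limits.max_document_bytes} bytes")
    text = raw.decode("utf-8")
    stats = {"max_depth": 0, "max_label": 0, "max_value_string": 0, "max_number": 0}
    depth, i, n = 0, 0, len(text)
    while i < n:
        c = text[i]
        if c in "{[":
            depth += 1
            if depth > limits.max_nesting_depth:
                raise JsonThreatError(f"nesting depth {depth} > {limits.max_nesting_depth}")
            stats["max_depth"] = max(stats["max_depth"], depth)
            i += 1
        elif c in "}]":
            depth -= 1
            i += 1
        elif c == '"':
            j = i + 1                      # find the closing quote, honouring escapes
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            if j >= n:
                raise JsonThreatError("unterminated string")
            length = j - i - 1             # characters in escaped (wire) form
            k = j + 1                      # a string followed by ':' is a label
            while k < n and text[k] in " \t\r\n":
                k += 1
            if k < n and text[k] == ":":
                if length > limits.max_label_chars:
                    raise JsonThreatError(f"label length {length} > {limits.max_label_chars}")
                stats["max_label"] = max(stats["max_label"], length)
            else:
                if length > limits.max_value_string_chars:
                    raise JsonThreatError(f"value string length {length} > {limits.max_value_string_chars}")
                stats["max_value_string"] = max(stats["max_value_string"], length)
            i = j + 1
        elif c in "-0123456789":
            j = i
            while j < n and text[j] in "+-.eE0123456789":
                j += 1
            length = j - i
            if length > limits.max_number_chars:
                raise JsonThreatError(f"number length {length} > {limits.max_number_chars}")
            stats["max_number"] = max(stats["max_number"], length)
            i = j
        else:
            i += 1                         # whitespace, ':', ',', true/false/null
    if depth != 0:
        raise JsonThreatError("unbalanced brackets")
    try:
        json.loads(text)                   # full syntax check only after the limits pass
    except json.JSONDecodeError as exc:
        raise JsonThreatError(f"not well-formed JSON: {exc}") from exc
    return stats


def is_rejected(raw: bytes, limits: JsonLimits = JsonLimits()) -> bool:
    """True if the gateway would drop `raw` under `limits`."""
    try:
        check_json_limits(raw, limits)
    except JsonThreatError:
        return True
    return False


# Constructed sample: one catalog item as the placeOrder/inquireSingle services might carry it.
SAMPLE = (b'{"itemRef": 10, "description": "Ball Pens Black 24pk", "inStock": true, '
          b'"price": {"amount": 2.90, "currency": "EUR"}}')

if __name__ == "__main__":
    print("accepted:", check_json_limits(SAMPLE))
    print("deep nesting rejected:", is_rejected(b"[" * 100 + b"]" * 100))
```

Checking the size limit first and the nesting depth during the scan matters: a parser that only limits depth after building the tree has already spent the memory the attacker wanted it to spend.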

12 DataPower traffic control and rate limiting
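The slide carries only its title, so here is what a per-client rate limit at the gateway looks like in code, as an added example for this transcript rather than DataPower's own implementation. It keys the quota on the identity the AAA stage extracted (the LDAP uid from the LTPA token in the demo flow) rather than on source IP alone, so one abusive user behind a shared NAT does not exhaust the quota of everyone else; the burst and rate values and the traffic replayed at the end are assumptions.

```python
"""Per-identity token-bucket rate limiting in front of MobileFirst Server and
z/OS Connect (added example, not DataPower code). Capacity, refill rate and
the client keys in the demo traffic are assumptions."""


class TokenBucket:
    """`capacity` requests may burst, then requests are sustained at
    `refill_per_sec`. Time is passed in explicitly so the behaviour is
    deterministic and testable."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity            # a new client starts with a full burst
        self.last = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)   # clamp if the clock steps backwards
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)

    def allow(self, now: float) -> bool:
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def retry_after(self, now: float) -> float:
        """Seconds until a token is available, i.e. the Retry-After for a 429."""
        self._refill(now)
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) / self.refill_per_sec


class RateLimiter:
    """One bucket per key. Use the authenticated identity as the key and fall
    back to the client address only for unauthenticated traffic."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def _bucket(self, key: str, now: float) -> TokenBucket:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket

    def allow(self, key: str, now: float) -> bool:
        return self._bucket(key, now).allow(now)

    def retry_after(self, key: str, now: float) -> float:
        return self._bucket(key, now).retry_after(now)


def decisions(limiter: RateLimiter, events: list[tuple[float, str]]) -> list[bool]:
    """Replay (timestamp, key) events in order and return allow/deny verdicts."""
    return [limiter.allow(key, now) for now, key in events]


# Constructed traffic: one user bursting past the limit while another user is unaffected,
# then the first user coming back after the bucket has partly refilled.
BURST = [(0.0, "uid=JeanLeclerc")] * 7 + [(0.0, "uid=MarieDupond"), (2.0, "uid=JeanLeclerc")]

if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)
    for (now, key), ok in zip(BURST, decisions(limiter, BURST)):
        print(f"t={now:>4} {key:<18} {'allow' if ok else 'deny'}")
```

A bucket with capacity 5 and one token per second lets the first five requests of a burst through, denies the next two, and admits the user again two seconds later because two tokens have refilled; the second user is never affected because the quota is per key.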

13 Demo 3 – security flow, B2C (diagram: phone → IDG (DataPower) → MFP Server → z/OS Connect → CICS, every hop over HTTPS/JSON; LDAP behind IDG, RACF on z/OS; labels: userID/pwd, identity in token, device and app authenticity, SSL, LTPA token, mapped identity in the COMMAREA)
1. User logs into the mobile app using a "distributed" user ID and password
2. IDG authenticates the user in LDAP and forwards the ID in an LTPA token to the MFP Server
3. MFP Server validates the LTPA token and forwards it with the request to z/OS Connect
4. z/OS Connect validates the LTPA token and maps the distributed user ID to a RACF user ID (1:1 mapping for employees, many:1 mapping for customers)
5. The RACF user ID is used for authorization checking
6. The RACF user ID is passed to CICS over WOLA; CICS checks the user's authority

14 LTPA token 2 (the token carried in demo 3, as dumped after decryption)
Encrypted token: rrdEpygdM90rger4wa8rYqg30/vlG7Jtm/dqibAGH0r6EsK5Y26iNKkClKP4Xou3qrm9c6CXW8ka2h/f1zQN6Wir/OzWVLsuUWieUJCjLTtN+2FKuI3VFIzbiL6JTGAMYfECZc3I1QKrec+YJleUVJwKzerz80XSziLL3m2ijjibv8gffkPyWbUydAa7RBCjclZrcRPtGZh+M/qiq56Kwp0NQs6CELhTF7pwXmotbs5giMHDqYOL74uwnGT++6aiSdrQIk86IqX11mKgPTdKgj728JpgxIwmovomUlyCRfNBayN/GkcN43ur1sn+JXuamIpMNGP6vnxPy48l8HOrgNnQtcHov2lTa7au6yU2HPA=
Algorithm: [AES]
Full token string: [expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr%1427732517000%r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]
Token is for: [expire:1427732517000$u:user\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr]
Token expires at: [2015-03-30-18:21:57 CEST]
Token signature: [r3k0gqCXdJrfv3U9RDwywaEGjUl/QLYgLquIpu0VMhday+fSQ08ivBr1WWZDzu/cSh/UyitBz59D0tuvlFdxKyvZl/gKge40HXGwoSWACqUqoG3ecjrimovW2RktF9+jeSpwUUOqJ4UFkziZtk3sSOmOHhaG/82+HQlRQMZMj0o=]

15 Identity mapping example (LDAP tree under O=mop,C=fr)
OU=employees: UID=JeanLeclerc, UID=AliceNevers → RACF user IDs EMPLOY1, EMPLOY2 (1:1)
OU=customers: UID=MarieDupond, UID=PierreDuclos → CUSTOM (many:1)
OU=partner1: UID=ArthurLeroy, UID=JulieLaforest → PARTNE1
OU=partner2: UID=RoryWilliams, UID=RoseMoubinou → PARTNE2
Mapping example: DN UID=JeanLeclerc,OU=employees,O=mop,C=fr → EMPLOY1
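Slides 13 to 15 together describe one operation: take the decrypted LTPA token, check that it has not expired, pull the distributed identity (an LDAP DN) out of it, and map that DN to a RACF user ID, 1:1 for employees and many:1 for customers and partners. The code below is an added example for this transcript and is not z/OS Connect, MFP or DataPower code. It works on the already-decrypted token body in the format shown on slide 14; decryption and signature verification need the LTPA key material shared between the three hops and are deliberately outside this example, so the caller must perform them first. The sample token is constructed from slide 14 with an illustrative signature value, and the table assigning EMPLOY1/EMPLOY2 to the two employee uids is read off the slide layout and is an assumption.

```python
"""Validate an LTPA token body and map its LDAP identity to a RACF user ID
(added example, not z/OS Connect/MFP/DataPower code). Assumes the token has
already been decrypted and its signature verified with the shared LTPA key."""
from datetime import datetime, timezone

# Constructed from slide 14; the signature value is illustrative.
SAMPLE_TOKEN = (
    "expire:1427732517000$u:user\\:WASLTPARealm/uid=JeanLeclerc,ou=employees,o=mop,c=fr"
    "%1427732517000%c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU="
)


class TokenError(ValueError):
    """Token rejected: the request must not reach CICS with any identity."""


def parse_ltpa_body(token: str) -> dict:
    """Split '<fields>%<expire ms>%<signature>' and the '$'-separated fields."""
    try:
        body, expire_ms, signature = token.rsplit("%", 2)
    except ValueError:
        raise TokenError("malformed token: expected body%expire%signature") from None
    fields = {}
    for part in body.split("$"):
        name, _, value = part.partition(":")
        fields[name] = value
    if not expire_ms.isdigit() or fields.get("expire") != expire_ms:
        raise TokenError("expiry field and trailer disagree or are not numeric")
    if "u" not in fields:
        raise TokenError("no user field in token")
    realm, _, dn = fields["u"].partition("/")      # 'user\:WASLTPARealm/<dn>'
    if not dn:
        raise TokenError("user field carries no DN")
    return {
        "realm": realm.replace("\\:", ":"),
        "dn": dn,
        "expire_ms": int(expire_ms),
        "expires_at": datetime.fromtimestamp(int(expire_ms) / 1000, tz=timezone.utc),
        "signature": signature,
    }


def parse_dn(dn: str) -> dict:
    """Minimal DN parser: RDNs separated by ','; escaped commas are not handled
    (enough for the sample directory). Attribute names are lower-cased."""
    rdns = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns[attr.strip().lower()] = value.strip()
    return rdns


# 1:1 mapping for employees (assumed assignment; the slide lists EMPLOY1, EMPLOY2).
EMPLOYEE_IDS = {"jeanleclerc": "EMPLOY1", "alicenevers": "EMPLOY2"}
# many:1 mapping: every user of the OU shares one RACF ID.
OU_IDS = {"customers": "CUSTOM", "partner1": "PARTNE1", "partner2": "PARTNE2"}


def map_to_racf(dn: str) -> str:
    """Distributed DN → RACF user ID, refusing anything outside the trusted tree."""
    rdns = parse_dn(dn)
    if (rdns.get("o", "").lower(), rdns.get("c", "").lower()) != ("mop", "fr"):
        raise TokenError(f"DN outside the trusted tree: {dn}")
    ou, uid = rdns.get("ou", "").lower(), rdns.get("uid", "")
    if ou == "employees":
        racf = EMPLOYEE_IDS.get(uid.lower())
        if racf is None:
            raise TokenError(f"no RACF user registered for employee {uid}")
        return racf
    if ou in OU_IDS:
        return OU_IDS[ou]
    raise TokenError(f"no mapping rule for OU {ou!r}")


def racf_user_for_token(token: str, now_ms: int) -> str:
    """Steps 4 and 5 of the demo flow: validate the token, then map the identity."""
    parsed = parse_ltpa_body(token)
    if now_ms >= parsed["expire_ms"]:
        raise TokenError(f"token expired at {parsed['expires_at'].isoformat()}")
    return map_to_racf(parsed["dn"])


def is_accepted(token: str, now_ms: int) -> bool:
    try:
        racf_user_for_token(token, now_ms)
    except TokenError:
        return False
    return True


if __name__ == "__main__":
    print(parse_ltpa_body(SAMPLE_TOKEN)["expires_at"], "->",
          racf_user_for_token(SAMPLE_TOKEN, 1427732517000 - 60_000))
```

Two points a practitioner would check here: the expiry is enforced on the validating hop's own clock (the token's 1427732517000 ms is 2015-03-30 16:21:57 UTC, the 18:21:57 CEST on the slide), and a DN from outside the expected tree, or an employee uid with no registered RACF user, is refused rather than falling through to a shared many:1 ID.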

16 Demo 4 – IBM API Management (diagram)
Development time: 1. Discover services (SOAP and REST services from CICS, IMS and other System z subsystems, and z/OS Connect APIs); 2. Create APIs (the API developer in API Management)
Run time: 3. Consume APIs (mobile apps, web apps, cloud/Bluemix apps)

17 Demo 4 – APIM components (diagram)
API provider organizations: Cloud Management Console https://10.3.20.96/cmc/, API Manager https://10.3.20.96/apimanager, Gateway Server https://10.7.1.9 in front of z/OS Connect and CICS
Developer organizations: user, application, developer portal https://10.3.20.96/mopiccmobile/sb

18 Hybrid solution with Bluemix: Cast Iron Live (diagram)
On premise: endpoints (DB2, including on z, and Oracle) behind the firewalls and DMZ, reached through a DataPower appliance with Cloud Service Gateway over HTTPS
Bluemix: the Integration Service and the app, with a public IP endpoint
Alternative path (diagram): a Secure Gateway Client (Docker container or DataPower) on premise in front of the destination, connected over HTTPS to the Secure Gateway app in Bluemix

19 Secure Gateway
- When you need a secure way to connect Bluemix applications to remote locations on premises or in the cloud, use the Secure Gateway service.
- The Secure Gateway provides secure connectivity and establishes a tunnel between your Bluemix organization and the remote location that you want to connect to.
- Security:
  - TLS (Transport Layer Security)
    - No TLS: no authentication is provided. Your application can communicate directly with the gateway without requiring any certificates, so anything that can reach the gateway endpoint can use the tunnel and only the ACL restricts it.
    - TLS server side: TLS is enabled and the server provides a certificate to prove its identity. You need to accept the server certificate into your application trust store.
    - TLS mutual authentication: the server provides a set of certificates, and you also need to upload your own certificate or select auto-generate to create a self-signed certificate/key pair that you can download along with the server certificate.
  - ACL
  - DoS attack prevention system
- Future enhancements: private destinations (source IP rules), etc.

20 Secure Gateway (diagram): on premise, the Secure Gateway Client (Docker container or DataPower) sits behind the firewalls and forwards to the destination hostname:port; in Bluemix, the Secure Gateway app terminates the other end of the tunnel.

21 Demo 5 – Bluemix application (diagram: Bluemix → DataPower → z/OS Connect → CICS)

22 z/OS Connect: we didn't change a single bit of the CICS application. From 3270 to z/OS Connect to mobile app to Bluemix to IoT.

23 THANK YOU

