ZZZS (Social Insurance Slovenia) Customer implementation of zBX and XI50z

  • With this visual you see what has led to the revolutionary introduction of the zEnterprise and the zBX with its non-z hardware blades into the System z family. We need to simplify the management of all the complex processes that comprise an IT installation by integrating and centralizing the functions that are needed to support an enterprise. At the same time, we need to extend the superior security, high availability, and performance features of IBM® System z® to business processes that run on distributed platforms.
  • This visual shows the first option (Option 1) for providing external network access to the IBM blades (zBX). Here external network traffic enters the node via the OSD and uses a zCPC operating system (in this example z/OS) as the internal IP router for the IEDN. Traffic using this path might be for Sysplex Distributor or other workloads. z/OS can use IP filters to control which traffic is permitted to access the IEDN.
  • The next option (Option 2) shows external network traffic entering the node and going directly to the zBX via the Top of Rack (TOR) switch. Here the customer uses their existing external IP router (and possibly an external load balancing solution). Most likely the same IP firewall solution would protect the entire zEnterprise. This path would be used for traffic that is directed at the blades, which may or may not access the zCPC as the 2nd tier (e.g. DB server). This chart also illustrates that both external network paths would most likely be used.

    1. ZZZS (Social Insurance Slovenia) Customer implementation of zBX and XI50z
       Peter Brabec, WebSphere System z Brand Leader & DataPower Ambassador
       Session: TSE-12031
    2. Please Note
       IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
       Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
    3. Agenda
       • Customer
         – ZZZS (Zavod Za Zdravstveno Zavarovanje Slovenije) background
         – Application architecture overview
       • Solution description
         – Before / After
         – Migration planning
       • Challenges
         – Security
         – Networking
       • Why did we do it that way?
       • DataPower XI50z Overview
    4. ZZZS background
       • ZZZS (Zavod Za Zdravstveno Zavarovanje Slovenije) is the National Health Institute of Slovenia
         – Provides compulsory health insurance.
         – Owns and hosts social security data of the people of Slovenia
         – Accessed by health professionals and selected partner organizations
         – One central site, 10 regional units and 45 branch offices
         – Requirements
           • Perfect security of your data and information system
           • Availability 24 hours/day, 7 days a week
           • Reliable operation
       [Diagram: ZZZS serving 2 million insured persons and 2,100 healthcare providers]
    5. Social Insurance and healthcare applications
       • Information material
         – How to get the compulsory health insurance
         – Choose a personal doctor
         – Apply for medical services abroad
       • Individual Status Information
         – Basic (compulsory) health insurance
         – Additional (private) health insurance
         – History of issued medical aids
         – Prescribed medication history
         – Selected doctors
    6. Portal and B2B Application Components
       System components
       • WebSphere Portal
       • DataPower XI50z
       • Tivoli Directory Server as User Registry
       • DB2 database
       • Application Software on z/OS
       • SOAP over http(s), MQ, FTP
    7. Information technology today: Limitations
       Information technology today is limited by the technology and architecture configurations available
       [Diagram: Web Servers, Security/Directory Servers, System z, SSL/XML Appliances, Application Servers, Routers, Switches, File/Print Servers, Business Intelligence Servers, DS Servers, Caching Appliances, Firewall Servers, LAN Servers]
       • Business processes and the applications that support them are becoming more service oriented, modular in their construction, and integrated.
       • The components of these services are implemented on a variety of architectures and hosted on heterogeneous IT infrastructures.
       • Approaches to managing these infrastructures along the lines of platform architecture boundaries cannot optimize: alignment of IT with business objectives; responsiveness to change; resource utilization; business resiliency; or overall cost of ownership.
       • Customers need a better approach: the ability to manage the IT infrastructure and Business Application as an integrated whole in a much simplified manner.
    8. Information technology tomorrow
       Co-locating Distributed, Heterogeneous Platforms with the zEnterprise and Placing them in an Ensemble to Manage in a Unified Manner, to create Synergies and Operational Management Opportunities, and to Simplify the formerly complex Network and Security Infrastructure.
       [Diagram: HMC, Web Servers, Routers, Switches, Firewall, Servers on one flat layer-2 network infrastructure]
       • Customers need a better approach: the ability to manage the IT infrastructure and Business Application as an integrated whole, not managed in islands.
       • Reduce the scope of security vulnerability in the network: many hops collapsed to fewer hops and possibly only one hop
    9. Before
       [Diagram: the pre-zBX architecture. Anonymous and authenticated users (https) → Firewall → CISCO Content Switch (https, snmp) → DataPower XS40 (https) → Web Application Portal (WebSphere, P1/P2) → Firewall → Entry point (VT) on z/Series, z/OS (C1/C2) → Backend Application (CICS, cics eci). The Portal registry and repository (Tivoli Directory Server) and the central database (DB2) sit beside the Portal tier; Central System Management collects snmp from all tiers. Labels recovered from the diagram:]
       • Content switch: select P1/P2 based on URL
       • DataPower XS40: termination of the TLS session (unauthenticated user); certificate validation (basic validation of identification, validation against CRL, validation of issuing CA); extracting some DN fields from X.509 and embedding them into an https header; DN -> insert LTPA token (https header) as internal application user identifier; schema validation; signature verification
       • Portal (WebSphere): user registration and role mgmt.; auditing and error mgmt.; user access control; session management; user interface to services and content; user ID mapping service; administration application; web content mgmt.; LDAP query; statistics and logs
       • Entry point (VT): on-line system functions; technical audit logs and errors; preparation of access and errors statistics; service registry; web service for mapping DN to tax ID; statistics batch processing
       • Backend Application (CICS): on-line system functions; technical audit logs and errors; preparation of access and errors statistics
       • User registry (Tivoli Directory Server, DB2): user registry, status and access rights; roles; data on CA certificates; services registry; web content; replication of user data, certificates, services and web content
       • Central System Management: incident management; security event management; statistics, reporting
    10. After
        • Model XI50z Integration Appliance
          – Web application firewall
          – XML Firewall
          – Multiprotocol Gateway
        • Perform Authentication
        • Map User Tokens LTPA
          – Lookup RACF (LDAP)
          – User Token LTPA
          – Integration with Oracle and DB2
        [Diagram: SOAP Request (Internet) → Network Layer Firewall → CISCO Content Switch (SSL termination) → Application Firewall, IBM zBX: DataPower XI50z (WSSec*) → ZZZS HIC Entry Point, IBM System z z/OS LPAR (IBM WAS ND, DB2, etc.) → ZZZS Back End Systems, z/OS LPAR (IBM CICS, CTG, DB2, WMQ, etc.); zBX and System z share the Private Data Network]
    11. Migration Planning
        • New Portal Application had to be in production in March 2012
        • "9003" DataPower XS40 devices are out of support
        • First installation in the world
        • Is System z strategic?
          – TCO and F4P studies
          – Projected Capacity upgrade
          – Use zBX for other applications?
        [Diagram: Budget, Timeline, Security Requirements, Functional Requirements]
    12. Security requirements
        • Registration
          – Users should be able to register to use on-line services and then apply to use specific services
          – Solution needs to support up to 2 million users with acceptable performance. Approx. 250k users are expected to register to use the new services provided by this solution. This number is expected to grow to 500K over the 3 years following implementation.
          – Non-registered users are limited to using basic services only (for example, verify if a ZZZS social security number has insurance)
        • Authentication
          – Users should be able to authenticate with a certificate that has been issued by one of the existing certificate authorities
            • CA 1 (digital certificates on professional cards and health cards)
            • CA 2 (qualified digital certificates of this issuer that are issued on a professional card or other forms)
            • CA 3 (qualified digital certificates)
            • CA 4 (qualified digital certificates)
            • CA 5 (qualified digital certificates)
          – It is necessary to provide support for the verification of digital certificates and verification of the lists of invalid digital certificates (CRL lists by issuers) in the system
    13. Security requirements (cont…)
        • Authorization
          – For registered users, authorization may be defined for the entire Web application or for a specific set of tasks within the application.
          – For services available to anonymous users, it is necessary to ensure adequate open access to all users of the Internet
        • Data confidentiality and integrity
          – Data confidentiality must be ensured for all communication to end users, including anonymous users
          – Personal data must be accessible only to data owners and health professionals who need this data
          – One user must be prevented from seeing or changing the confidential data of another user
    14. Security requirements (cont…)
        • Auditing
          – Audit trail required for all requests.
          – Infrastructure auditing must be done at all stages: DP, Portal and VT (currently it is implemented at DP (storing log on z/OS) and VT). It is expected to implement application auditing for additional flexibility.
          – Auditing of message flow should be performed at the Entry Point (VT)
            • Content and timing of request coming to Entry point
            • Transaction occurring at Entry Point
            • Content and timing of request leaving Entry point
          – "Business auditing" should be performed at the backend systems (CICS)
            • Who is performing what transaction on what data and when
          – Unauthorized users should not be able to remove nor change audit log records
        • Service availability
          – The system must be protected against denial of service attacks
          – Deployment of malicious destructive code must be prevented
        • Performance
          – Maximum end-to-end round trip time should not exceed 5 seconds in min 85% of transactions
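The Entry Point auditing and performance requirements above can be checked mechanically against the log records they call for. The script below is an added example, not ZZZS or IBM code: it assumes a constructed line-oriented log format (one "in" record when a request reaches the Entry Point and one "out" record when the response leaves it, joined by a transaction id), reports transactions whose audit trail is incomplete, and tests the "5 seconds in at least 85% of transactions" round-trip requirement.

```python
"""Audit-trail completeness and round-trip SLA check for Entry Point logs."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log lines (hypothetical format, not DataPower's own):
# every request is logged once on arrival (stage=in) and once when the
# response leaves the Entry Point (stage=out), keyed by a transaction id.
SAMPLE_LOG = """\
2012-03-05T08:00:01.000Z tid=t1 stage=in  src=10.56.0.21 op=CheckInsurance
2012-03-05T08:00:02.780Z tid=t1 stage=out status=200
2012-03-05T08:00:05.000Z tid=t2 stage=in  src=10.56.0.22 op=MedicationHistory
2012-03-05T08:00:07.500Z tid=t2 stage=out status=200
2012-03-05T08:00:09.000Z tid=t3 stage=in  src=10.56.0.21 op=SelectedDoctors
2012-03-05T08:00:15.200Z tid=t3 stage=out status=200
2012-03-05T08:00:20.000Z tid=t4 stage=in  src=10.56.0.23 op=CheckInsurance
2012-03-05T08:00:20.400Z tid=t4 stage=out status=403
2012-03-05T08:00:30.000Z tid=t5 stage=in  src=10.56.0.22 op=MedicalAids
2012-03-05T08:00:33.100Z tid=t5 stage=out status=200
2012-03-05T08:00:40.000Z tid=t6 stage=in  src=10.56.0.24 op=Register
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into its timestamp and key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def group_by_tid(log: str) -> Dict[str, Dict[str, datetime]]:
    """Collect the in/out timestamps of every transaction id."""
    tx: Dict[str, Dict[str, datetime]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tx.setdefault(rec["tid"], {})[rec["stage"]] = datetime.strptime(rec["ts"], TS_FMT)
    return tx


def audit_gaps(tx: Dict[str, Dict[str, datetime]]) -> List[str]:
    """Transaction ids whose trail lacks an entry or an exit record."""
    return sorted(t for t, s in tx.items() if not ("in" in s and "out" in s))


def round_trips(tx: Dict[str, Dict[str, datetime]]) -> Dict[str, float]:
    """End-to-end seconds at the Entry Point for every complete transaction."""
    return {t: (s["out"] - s["in"]).total_seconds()
            for t, s in tx.items() if "in" in s and "out" in s}


def sla_met(rtts: Dict[str, float], limit_s: float = 5.0,
            min_share: float = 0.85) -> Tuple[bool, float]:
    """Share of transactions within limit_s, and whether it reaches min_share."""
    if not rtts:
        return False, 0.0
    share = sum(1 for r in rtts.values() if r <= limit_s) / len(rtts)
    return share >= min_share, share
```

On the constructed sample, t6 has no exit record and t3 exceeds 5 seconds, so only 4 of 5 complete transactions (80%) meet the limit and the SLA check fails.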
    15. Security solution assumptions
        • ZZZS will accept any digital certificate that has been issued by one of the 5 CAs
        • CSS terminates the TLS session of the client
        • WebSphere Portal Server will be installed on z/OS
        • User registry is LDAP on z/OS (using DB2 (TDBM)).
        • Service that returns tax number from any digital certificate is used.
        • Entry point provides a service for mapping tax number and insurance number.
        • Health professional RACF ID consists of a single character plus ZZZS ID. Note that this is only the case for health professionals and not for registered users of the portal.
        • The system must be built on modern, standardized and widely used technologies.
        • Key technologies and standards on which the system will be built include:
          – http(s) protocol for transmission of data over the Internet network
          – HTML for formatting the contents of web applications
          – X.500 directory user management
          – TLS to ensure secure communications between users and providers of services
        • SNMP messages are emitted from different components to identify potential error situations, including extended response times, security threats and other alerts.
    16. Security issues to consider
        • Where to place a Firewall
          – IP-Filtering, Packet Filtering
          – Content Inspection
          – Web Application Firewall
          – XML Firewall
        • System Architecture which is consistent with the existing security architecture.
        • Organizational challenges
          – IP Security & IDPS is part of Networking group
          – zEnterprise is part of System Z Team
          – DataPower is part of application team
        • Security concerns
          – zEnterprise HW (IEDN / INMN)
          – "direct" Mainframe access
        [Diagram: SOAP Request (Internet) → Network Layer Firewall → CISCO Content Switch (SSL termination) → Application Firewall, IBM zBX: DataPower XI50z (WSSec*) → ZZZS HIC Entry Point, z/OS LPAR (IBM WAS ND, DB2, etc.) → ZZZS Back End Systems, z/OS LPAR (IBM CICS, CTG, DB2, WMQ, etc.); Private Data Network]
    17. Networking issues to consider
        • Where to connect the external network
          – Option 1: "External" network via Top-of-Rack-Switch
          – Option 2: "External" network via Sysplex Distributor LPAR
        • How many VLAN connections do I need inside zEnterprise
          – Security versus manageability
          – Data versus Management connections
        • DataPower Management
          – One connection via INMN for Firmware upgrades through HMC
          – Separate DataPower Management LAN on the IEDN for DataPower GUI
            • Administrative and development access to the DataPower XI50z control panel
            • This connection will connect to the ZZZ internal infrastructure
    18. External Network Access Option 1 – System z (LP) IP Router
        [Diagram: zEnterprise node with HMC and SE; z196 with LP1–LP4 (z/OS) and LP5 (z/VM with virtual switch, VS1–VS4); OSD, OSX and OSM adapters; zBX with blade chassis BC1–BC3, four TOR switches and ESM modules; customer external data network behind a firewall. Route via OSD and one or more z/OS images acting as IP router.]
    19. External Network Access Option 2 – External IP Router
        [Diagram: same zEnterprise node as Option 1 (HMC, SE, z196 with LP1–LP5, OSD/OSX/OSM adapters, zBX with BC1–BC3, TOR switches and ESM modules, customer external data network behind a firewall). Extend the IEDN to the external router and route via the TOR, and to the System z LPARs.]
    20. ZZZS Networking setup
        • The DMZ will be connected to a Front-End LAN Router/Firewall.
          – There is a secured Front-End VLAN created on the IEDN that will interconnect the router/firewall to the DataPower XI50z.
          – The only connections that will be allowed are those coming from the DMZ zone.
          – There will also not be any ability to access the web/xml/ssh/telnet command consoles within this VLAN or the back-end zOS system.
        • Data VLAN from DataPower to the back end systems on z/OS
          – No other access allowed on this VLAN
          – Eliminates any need to encrypt data between DataPower and Application services
        • Added IP filtering for higher level of security
          – Using IPSec Policy Filters that are part of the zOS Communication server base code over the OSX devices on their z/OS stacks
          – Locks down any services the DataPower XI50z should not have access to on their z/OS environment
        [Diagram: ZZZ Network DMZ → Front-End LAN (VLAN 56, MAC Filtering) → zEnterprise IEDN with two XI50z → VLAN 01 Management LAN / VLAN 02 Data LAN → OSX with IPSec Filtering → z/OS Sysplex; current OSA connection to the ZZZ Intranet]
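The lockdown described on this slide (only DMZ traffic on the Front-End VLAN, no console access, a data VLAN that reaches only the application services on z/OS, default deny everywhere else) can be expressed as an ordered, first-match filter policy. The model below is an added example, not ZZZS configuration and not z/OS Policy Agent syntax; the subnets, VLAN ids and port numbers are assumptions chosen for illustration.

```python
"""First-match IP filter model of the VLAN/IEDN lockdown described on the slide."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Constructed/assumed addressing for the three zones on the slide.
DMZ_FW = ip_network("10.56.0.0/24")     # DMZ router/firewall side of the Front-End LAN
XI50Z = ip_network("10.56.1.0/28")      # DataPower XI50z interfaces on the IEDN
ZOS_APPS = ip_network("10.1.0.0/24")    # z/OS application stacks behind the OSX devices
ANY = ip_network("0.0.0.0/0")
# Console ports that must never be reachable over the Front-End VLAN (assumed values:
# ssh, telnet, and the DataPower WebGUI / XML management interface defaults).
CONSOLES = {22, 23, 9090, 5550}


@dataclass
class Rule:
    vlan: Optional[int]          # None matches every VLAN
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Set[int]]    # None matches every TCP port
    action: str                  # "permit" or "deny"
    note: str = ""

    def matches(self, vlan: int, src: str, dst: str, port: int) -> bool:
        return ((self.vlan is None or self.vlan == vlan)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.ports is None or port in self.ports))


# Ordered policy: the first matching rule decides, so the console deny
# sits above the https permit on the Front-End VLAN.
POLICY: List[Rule] = [
    Rule(56, ANY, XI50Z, CONSOLES, "deny", "no web/xml/ssh/telnet consoles over VLAN 56"),
    Rule(56, DMZ_FW, XI50Z, {443}, "permit", "only DMZ traffic, only https, only to XI50z"),
    Rule(1, XI50Z, ZOS_APPS, {8080, 1414}, "permit", "SOAP over http and MQ to the backend"),
    Rule(None, ANY, ANY, None, "deny", "default deny, e.g. VLAN 56 straight to z/OS"),
]


def evaluate(vlan: int, src: str, dst: str, port: int,
             policy: List[Rule] = POLICY) -> str:
    """Return the action of the first rule matching the flow, else deny."""
    for rule in policy:
        if rule.matches(vlan, src, dst, port):
            return rule.action
    return "deny"
```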
    21. DataPower XS40 to XI50z smooth migration
        Migration items
        • Configuration review/update (deprecated function calls etc.)
        • Configuration export
        • Configuration import (using deployment policy)
        • Keys & certs
        [Diagram: Development & QA environment (development domains, QA domain, test keys & certs) and Production environment (QA domain, QA domains, keys and certs)]
    22. Why XI50z instead of stand-alone XI52
        • One HW Environment
          – Less complexity
          – Increased security
            • End-to-End encryption
          – Better performance
            • reduction of transaction latency time
            • faster response times by "co-location"
          – Future use of zBX
        • Integrated Maintenance
          – DataPower Firmware upgrades handled by IBM
          – Integration tested Firmware and driver levels
          – Consolidated view on the HMC
        • Reduction of MLC through offload of z functionalities
    23. Collateral material
        • IBM zEnterprise Network Security White Paper: ftp://public.dhe.ibm.com/common/ssi/sa/wh/n/zsw03167usen/ZSW03167USEN.PDF
        • Security for Ensemble Networking with the IBM zEnterprise System Frequently Asked Questions: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a
        • IBM zEnterprise System: Network Virtualization, Management, and Security (Part 1: Overview): http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a
        • IBM zEnterprise System: Network Virtualization, Management, and Security (Part 2: Detail): http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a
        • "Payment Card Industry Compliance For Large Computing Systems" White Paper, Examining the Application of Payment Card Industry Compliance Standards in Mainframe Environments: http://www.atsec.com/us/pci-lcs.html
    24. Backup: DataPower XI50z Overview
    25. We love your Feedback!
        • Don't forget to submit your Impact session and speaker feedback! Your feedback is very important to us; we use it to improve our conference for you next year.
        • Go to impactsmartsite.com from your mobile device
        • From the Impact 2012 Online Conference Guide:
          – Select Agenda
          – Navigate to the session you want to give feedback on
          – Select the session or speaker feedback links
          – Submit your feedback
    26. Copyright and Trademarks
        © IBM Corporation 2012. All Rights Reserved. IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
