IBM MQ is renowned for its enterprise qualities, and this presentation shows how those qualities are taken to the next level when running on IBM's enterprise platform, z/OS. Learn how its integration with the z/OS platform provides the right solution for your enterprise needs, whether through its unique shared queue HA capability or its integration with the latest z/OS security capabilities.
4. IBM MQ Advanced for z/OS Value Unit Edition
The richest set of z/OS messaging capabilities in a single, simple to deploy offering
IBM MQ Advanced for z/OS Value Unit Edition V9.0.3 onwards
Components:
• IBM MQ Advanced Message Security for z/OS: Provides end-to-end encryption of message contents to protect sensitive data from all forms of intrusion, attack or accidental disclosure, and with no need for application change
• IBM MQ Managed File Transfer for z/OS: Provides reliable, secure and auditable file transfer that reduces the need for manual processes, and management tools that help reduce wasted time when dealing with failure analysis
• IBM MQ for z/OS: Enables the secure, reliable exchange of business data across applications, systems and services on-premises, in the Cloud, or in Hybrid environments
• Connector Pack: Enables applications and systems to participate in a Blockchain network via MQ, performing CRUD operations on Hyperledger Fabric Blockchain running in IBM Cloud or running locally
7. How do you address data protection and compliance?
• Of the 9 Billion records breached since 2013, only 4% were encrypted (3)
• $4M: Average cost of a data breach in 2016 (2)
• 26%: Likelihood of an organization having a data breach in the next 24 months (1)
“It’s no longer a matter of if, but when …”
Regulations: Health Insurance Portability and Accountability Act (HIPAA); European Union General Data Protection Regulation (GDPR); Payment Card Industry Data Security Standard (PCI-DSS)
1, 2 Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/
13. Blockchain requires connectivity for data sharing
[Diagram: Modified Hybrid Business Process. A Blockchain holds details of all vehicles for the country. Participants: Manufacturer adds vehicles; Importer adds vehicles; Dealer registers vehicle and updates ownership; Recycle/Scrap removes vehicles. Excise Authority: Tax Records, Tax Due process, Send Reminder process, Reminder; the Send Reminder process queries the current owner on the Blockchain via MQ.]
Parties in the business network need to exchange data often held in Systems of Record
Requirements…
• Enable a range of different applications and systems to send updates to a Blockchain network
• Ensure data integrity following changes to shared assets
• Transport critical business data securely and reliably
…sound familiar?
14. Connect to Blockchain with MQ Advanced for z/OS VUE
[Diagram: IBM MQ – IBM MQ Bridge for Blockchain – Blockchain]
Deploy IBM MQ Bridge for Blockchain to enable applications and systems to participate
• Bridge allows an MQ application to connect to Hyperledger Fabric Blockchain running in IBM Cloud or running locally
• Utilise request-reply MQ messages to query information from Blockchain (e.g. what is the value of the balance on this account)
• Use MQ to drive Create, Read, Update and Delete operations on Blockchain-managed assets
• No need to understand the ledger-specific APIs, configuration or controls
Bridge connection summary as shown on the slide:
Connection to Queue Manager
---------------------------
Queue Manager : [MQ21]
Bridge Input Queue : [SYSTEM.BLOCKCHAIN.INPUT.QUEUE]
Bridge User Identity Queue : [SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE]
MQ Channel : [SYSTEM.DEF.SVRCONN]
MQ Conname : [host1.example.com(3714)]
Blockchain - User Identification
--------------------------------
Blockchain Userid : [WebAppAdmin]
Enrollment Secret : [******]
Blockchain - Organisation Identification
----------------------------------------
Organisation Name : [PeerOrg1]
Certificate Authority servers : [ldn1-zbc5a.2.secure.blockchain.ibm.com:14511]
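As an added example (not from the deck and not part of the IBM MQ Bridge for Blockchain itself), the Python below parses a connection summary in the format printed above and flags the settings a reviewer would question before enabling the bridge: a SYSTEM.DEF.* channel, an enrolment secret shown in clear, and an enrolment identity that looks administrative. The section titles and field names are taken from the listing above; the "administrative identity" check is a naming heuristic and an assumption of this example.

```python
import re

# Constructed sample: the bridge connection summary as printed in the deck
# (the deck's own example values, not a live configuration).
BRIDGE_LISTING = """\
Connection to Queue Manager
---------------------------
Queue Manager : [MQ21]
Bridge Input Queue : [SYSTEM.BLOCKCHAIN.INPUT.QUEUE]
Bridge User Identity Queue : [SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE]
MQ Channel : [SYSTEM.DEF.SVRCONN]
MQ Conname : [host1.example.com(3714)]
Blockchain - User Identification
--------------------------------
Blockchain Userid : [WebAppAdmin]
Enrollment Secret : [******]
Blockchain - Organisation Identification
----------------------------------------
Organisation Name : [PeerOrg1]
Certificate Authority servers : [ldn1-zbc5a.2.secure.blockchain.ibm.com:14511]
"""

# One 'Name : [value]' line; the value may itself contain ':' (host:port).
KV = re.compile(r"^(?P<key>[^:]+?)\s*:\s*\[(?P<val>[^\]]*)\]\s*$")


def parse_bridge_listing(text: str) -> dict:
    """Parse the summary into {section title: {field name: value}}."""
    lines = text.splitlines()
    sections, current = {}, "(none)"
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:          # next line underlines a title
            current = line.strip()
            sections[current] = {}
            continue
        m = KV.match(line)
        if m:
            sections.setdefault(current, {})[m["key"].strip()] = m["val"].strip()
    return sections


def check_bridge_config(cfg: dict) -> list:
    """Hygiene findings a reviewer would raise before enabling the bridge."""
    findings = []
    qm = cfg.get("Connection to Queue Manager", {})
    user = cfg.get("Blockchain - User Identification", {})
    if qm.get("MQ Channel", "").startswith("SYSTEM.DEF."):
        findings.append("channel: SYSTEM.DEF.* channel in use; define a dedicated "
                        "SVRCONN for the bridge, protected by TLS and CHLAUTH rules")
    if user.get("Enrollment Secret", "").strip("*"):   # anything but a mask
        findings.append("secret: enrollment secret printed in clear; keep it out of logs")
    if "admin" in user.get("Blockchain Userid", "").lower():   # naming heuristic only
        findings.append("userid: administrative identity; enrol a least-privilege "
                        "identity for the bridge")
    return findings
```

Run against the sample listing it reports the default channel and the administrative enrolment identity; the masked secret produces no finding.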
18. IBM MQ – resiliency capabilities
A layered set of capabilities to build robust and highly available connectivity
DATA RECOVERY
• LOGGING: IBM MQ records all significant changes to persistent data in a recovery log. Enables data recovery after a hardware or software failure. MQ for z/OS: Dual logging offers further protection against data loss
• ARCHIVING: MQ for z/OS: Logs automatically archived to secondary storage (tape or DASD)
SERVICE HIGH AVAILABILITY
• CLUSTERING: Clusters of queue managers provide WLM and high availability of messaging resources resilient to individual server failures
SERVICE & DATA HIGH AVAILABILITY
• DATA SHARING / SHARED QUEUES: Gold standard for resilience on MQ for z/OS: Queue Sharing Groups. Queue managers can be members of a queue sharing group with resources held in coupling facilities. Pull workload balancing and automatic peer recovery through shared data access
• DATA REPLICATION: High availability of individual distributed platform queue managers provided by: multi-instance queue managers using shared file system; data replication using appliance HA or RDQM; HA clusters managed using hardware
23. Pervasive encryption with IBM z Systems
Enabled through full-stack platform integration
• Data at Rest: Broadly protect Linux® file systems and z/OS data sets (1) using policy controlled encryption that is transparent to applications and databases
• Clustering: Protect z/OS Coupling Facility (2) data end-to-end, using encryption that’s transparent to applications
• Network: Protect network traffic using standards based encryption from end to end, including encryption readiness technology (2) to ensure that z/OS systems meet approved encryption criteria
• Secure Service Container: Secure deployment of software appliances including tamper protection during installation and runtime, restricted administrator access, and encryption of data and code in-flight and at-rest
• Key Management: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates with a variety of cryptographic devices and key stores.
• Integrated Crypto Hardware: Hardware accelerated encryption on every core – CPACF performance improvements of up to 7x; Next Gen Crypto Express6S – up to 2x faster than prior generation
• Data in Use: Protect MQ data while it is in memory within z/OS, while it is at rest, and while it is in flight, using MQ Advanced for z/OS VUE based end-to-end encryption that’s transparent to applications
1 Statement of Direction* in the z/OS Announcement Letter (10/4/2016) - http://ibm.co/2ldwKoC
2 IBM z/OS Version 2 Release 3 Preview Announcement Letter (2/21/2017) - http://ibm.co/2l43ctN
24. z14 Integrated Cryptographic Hardware
CP Assist for Cryptographic Functions (CPACF)
• Hardware accelerated encryption on every microprocessor core
• Performance improvements of up to 7x for selective encryption modes
Crypto Express6S
• Next generation PCIe Hardware Security Module (HSM)
• Performance improvements up to 2x
• Industry leading FIPS 140-2 Level 4 Certification Design
Why is it valuable:
• More performance = lower latency + less CPU overhead for encryption operations
• Highest level of protection available for encryption keys
• Industry exclusive “protected key” encryption
32. Notices and disclaimers continued
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products about this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Brief details of what makes up MQ Advanced for z/OS VUE, and then a look at some details of the components – why people should be interested in Adv VUE.
IBM MQ for z/OS VUE connects virtually everything, from a simple pair of applications to providing connectivity for the most complex business environments.
A single part at a single price for the richest set of z/OS messaging server capabilities.
I am going to start at the bottom and work my way up.
MQ VUE – the rock solid messaging offering that has been the transport foundation for many of the world’s biggest companies for 20+ years.
The underlying base messaging offering, be it the MQ MLC offering or MQ VUE, has certain characteristics and capabilities that it brings to customers.
Connectivity – firstly, it will allow virtually any type of application to connect together. Separation of the messaging or connection logic from the real application logic allows customers to respond to changes quickly and join together disparate applications more efficiently.
Security – Base MQ has a range of security options for making sure the right users are allowed to do the right set of operations on our messaging resources, as well as encryption while passing data over QM channels. MQ’s security can be further enhanced by adding Advanced Message Security on top of the base MQ offering – but we will discuss that in some more detail later.
Reliable – MQ is in use by many of the biggest institutions in the world. It is proven in terms of its reliability and ability to keep customer message data safe, with various recovery features to give a customer peace of mind.
Flexibility – The separation of messaging logic from business logic means that existing MQ configurations can be updated and re-deployed without having to change code in existing and working MQ applications.
Scalable – MQ has numerous capabilities to allow the MQ infrastructure to change in order to deal with end of day, end of month or seasonal peaks.
And finally it is Robust – It is a product that has lived on the front line running all sorts of business critical applications, with many billions of messages carrying financial and other high value data passing through MQ infrastructure every day with little or no unplanned system downtime.
MQ AMS on z/OS – provides end-to-end encryption to defend a customer from inadvertent or malicious hacking and exposure of data. It provides the ability to protect your sensitive data with no need for application change.
MQ MFT on z/OS – provides rock solid file transfer on top of your MQ infrastructure. MFT reduces the need for manual processes and provides management tools that help to save time in day to day operations as well as in failure scenarios.
Connector Pack – A new component initially focused on connectivity into Blockchain. CRUD operations are performed on the IBM Blockchain service running in Bluemix or on Hyperledger Fabric running locally.
Asynchronous messaging with assured once-and-once-only delivery, best in class for performance and reliability. A natural fit for the z/OS platform due to tight integration with key subsystems, transactionality to maintain data integrity, and end-to-end security trusted to look after the data as it transitions between producer and consumer.
The more the enterprise becomes hyper-connected, the more potential points of vulnerability exist.
Different types of threat exist:
• ‘Mass-market’ attempts; targeted attempts
• Disaffected employees; errors or poor processes
• Regulatory compliance – industry specific like PCI-DSS and HIPAA, or more general personal data regulations like GDPR; internal business directives and audits
Significant cost is associated with data breaches, not limited to the direct costs of lost business and fines, but also reputational and brand damage.
MQ provides authentication and authorization services (exploiting LDAP or RACF) to ensure applications and users have appropriate levels of access to data.
You can also utilize event messages to identify and address unexpected activity.
Data is encrypted over the network using the latest TLS CipherSpecs and PKI.
Data is encrypted at rest – MQ exploits z/OS System SSL, which makes use of CPACF and CryptoExpress cards.
MQ Advanced extends this support by encrypting the message data itself; this is controlled by policy, without any involvement or change in the producing application.
The data is not decrypted until it reaches the consuming application with the appropriate private key – it stays encrypted in flight, at rest and in memory across the entire MQ network.
Performance overhead is a trade-off for greater security. The new confidentiality policy permits a configurable amount of symmetric key reuse during hops across the MQ network when sending to the same destination – it’s possible to achieve near performance parity with the use of TLS alone.
Businesses and their applications use files across their infrastructure to store valuable data.
Where the data is created is not always where it needs to be consumed.
Files and file contents need to be moved to deliver value.
FTP is “free” and ubiquitous, but does have its drawbacks:
• Lack of file checkpoint restart logic may mean you have to start transfers from the beginning if they fail
• Transfers can terminate without notification or any record of what has happened
• Corrupt or partial files can be accidentally used by downstream applications
• Lack of character set conversion can be an issue when moving data between disparate platforms
• Changes to file transfers often require updates to many FTP scripts that are typically scattered across machines and require platform-specific skills to alter; it is easy to make errors and introduce inconsistency, as well as being time consuming
• Tracking file transfers from the start of the journey to the final destination is a difficult proposition
If you’ve already invested in robust, reliable messaging infrastructure, why not use it for file transfers as well?
Files can be converted into messages and sent over the MQ network, with the capability for applications to consume data in file or message format.
This benefits from the reliability, security, management and recovery capabilities built into MQ.
Agents transport files between the local system and MQ; these can be deployed wherever they are needed.
Combining MFT with AMS results in end-to-end encryption whilst transporting file data.
A common topology is to create a “file hub”: MFT agents pull files from various APARs and send them to MQ Advanced VUE, which handles the file processing workload.
On z/OS, text files, data sets and GDGs (generation data groups – which catalog successive updates or generations of related data) are supported.
From its roots in cryptocurrency, Blockchain technology is being explored as a means of managing and disseminating information about shared assets between multiple interested parties in a business network.
It is attractive because it provides provenance and immutability of changes in those assets, and enables parties to be notified of and respond to change events. For this healthcare example, network participants are patients, hospitals, insurers, banks and regulators, all involved in the process of supporting patient health and treatment programs. Different participants are notified when:
• A treatment plan is elected, a patient is treated or an outcome is recorded
• Insurance is required, verified or absent
• A patient’s credit status is checked or changes
• Regulatory checks and balances are applied
There are many potential uses in various supply chains, provenance of assets (“farm to fork”) and so on.
The Blockchain is only as useful as the data that can be supplied and retrieved. Parties contribute their data from their own systems of record. Following updates made by others in the Blockchain, these may need reflecting in their own systems also. This is a connectivity problem.
MQ is perfectly placed to act as the transport for system of record data for all the reasons previously covered – connecting a wide range of applications and systems, and providing secure and reliable delivery.
In this example, existing systems are handling vehicle tax processing, identifying when renewals are required and sending reminders. Other Blockchain participants can help in the process of identifying and contacting the current owner, and can be notified should the tax remain unpaid, triggering downstream processes.
MQ Advanced for z/OS VUE provides a Blockchain connector, specifically designed to make it easy for systems of record to interact with Blockchain via MQ:
• Supports connectivity to the Hyperledger Fabric service on IBM Cloud, or instances deployed on-premises
• Request-response messages can query and retrieve information from Blockchain
• Applications and systems can drive CRUD operations on shared assets by sending messages to specific queues – ledger specific interfaces are handled by the connector