
Tuesday, October 10, 2017

Compuware Delivers Topaz on AWS to Mainstream the Mainframe

By Rich Ptak




Figure 1 – Topaz on AWS      Image Courtesy of Compuware, Inc.
It’s time for Compuware’s quarterly mainframe product announcements. This time Compuware kicks off its 12th quarter (3 years) of new and enhanced product releases by partnering with Amazon. The duo upends mainframe DevOps and mainframe IT by combining efforts to deliver web access to the Topaz DevOps software suite on AWS. See Figure 1.

In an industry first, Compuware provides cloud access to modern mainframe development via Topaz. Developers get the same user experience in the cloud as if Topaz were locally installed, while fully leveraging the security, performance, flexibility, reliability, scalability and accessibility features of the AWS platform.

Topaz on AWS leverages Amazon AppStream[1] 2.0 technology, a fully managed, secure application streaming service that streams applications from AWS to devices running a web browser. Now, all of Topaz’s rich capabilities and more are accessible anywhere through the most popular web browsers, including IE/Edge, Chrome and Firefox. The power of Topaz is accessible regardless of the device used, be it a Windows, Mac or Chromebook desktop system.

Compuware’s patent-pending technology provides an intuitive, streamlined configuration menu that leverages AWS best practices, and makes it easy for systems administrators to quickly and easily configure their Topaz on AWS infrastructure, customized to their specific needs, in a few simple steps.

Enterprises can scale the number of development environments up or down depending on their needs. Developers have fast access to new features and functionality that Compuware makes available every 90 days without administrators having to distribute, load, recompile, modify and test multiple individual systems or installations. Efforts to modernize mainframe operations and capabilities happen faster with fewer delays and without requiring the involvement of critical IT staff.

Compuware and Amazon have created a highly performant, secure and fluid developer experience. Once developers launch Topaz on AWS, they can access datasets and data files, analyze applications, make code changes and manage other mainframe tasks using the Topaz suite of tools as if the user environment was locally installed.

Some architectural benefits of AWS

An important feature is that this implementation fully leverages all of the unique enterprise product strengths of the AWS cloud architecture. These include:

  • Security – individual secure deployment and management applied on a per-account basis, with built-in automated security management services to review policies and monitor compliance with security best practices.
  • Cost optimization – automated optimization assures least-cost-to-user and most cost-effective resource management. Periodic reviews and auto-scaling combine to optimize the operating environment as workload volumes and capacity requirements fluctuate.
  • Reliability – AWS management services work to ensure systems are architected to stay within operational thresholds, avoiding failures where possible and recovering quickly from the inevitable ones, to meet business and customer service demands.
  • Operational excellence – Amazon maintains cloud centers located around the world to assure service response and support.
  • Performance efficiency – optimizes system services for maximum performance using available resources, enabling optimal utilization of IT staff and computing resources through automation, cloud-based services and management.


The pricing is right

All of this comes with no new charges from Compuware. The standard Compuware Topaz licensing charge covers the use of Topaz on-premise, in the cloud or in a mixed environment. If you already have a Topaz license, all you need to do is add an Amazon account with AWS cloud services designed to meet the requirements of your specific enterprise operating environment and workload. As mentioned earlier, Amazon AppStream 2.0 services include an automated function to help users find the right optimized pricing model and configuration for their workload and resource needs. These include highly flexible on-demand pricing, discrete fixed-price spot pricing, reserved instances for dedicated, predictable workloads, and combinations of these. We recommend you review the details with an AWS advisor or check here[2] for more information.

What else is new?

Compuware’s quarterly announcements are never about just one thing. This time is no exception. In addition to the major announcement, Compuware has additional improvements and new product enhancements and capabilities to deliver.

First up is a collaboration with CloudBees Jenkins Enterprise. Leveraging Compuware ISPW and/or Compuware Topaz for Total Test in conjunction with CloudBees Jenkins Enterprise allows large enterprises to streamline DevOps on their mainframes and orchestrate DevOps across all platforms. Compuware will co-host a webcast with CloudBees on October 25, which will identify opportunities and help educate users on the latest in mainframe DevOps processes.


Figure 2 Webhook Notifications  (Courtesy Compuware, Inc.)
Next is an addition that extends ISPW so that it can stream information and notifications to web apps through Webhook notifications. A webhook is an HTTP callback: when an event occurs, the source system posts a notification to a URL that a third party, such as a developer’s app or a CI service, has registered, so that the receiver can react without polling. See Figure 2. This is how ISPW can communicate with Jenkins and other CI services to trigger actions. In effect, it allows ISPW to integrate with other deployment tools and drive continuous integration processes. Activities can be communicated to DevOps teams as they happen, in real time, through tools such as Slack and HipChat.

A bit of risk?

Choosing public cloud service delivery of the Topaz suite may appear to be risky or even premature to some potential users. Considerations that come to mind are those surrounding security, reliability, privacy, infrastructure control and, unfortunately, more and more government-imposed legal and legislative constraints and mandates. Most of these issues have been and will continue to be hashed over and argued about in the press. They remain and should remain issues of, at a minimum, keen awareness. Our conversation with Compuware has convinced us that they are working in lockstep with Amazon to reduce the risk and vulnerabilities as much as possible.

Potential customers should identify potential issues and resolve what needs to be done before making the move to the cloud. Others may find a cloud-style environment that is maintained and operated in-house, on premises, to be the right solution.

The first step to be taken is to perform due diligence to identify and assess potential risks and vulnerabilities. Then, these can be balanced against the significant potential benefits in the form of client/customer satisfaction, staff satisfaction and cost savings that can result from improved operations, increased efficiencies and simplified infrastructure management. Examine what Compuware and Amazon have done to mitigate the risks. We believe that many will find the decision to move this development activity to the cloud makes sense.

The Final Word

Compuware continues to deliver solutions aimed at “Mainstreaming the Mainframe.” Their strategy depends upon their ability to identify and overcome structural and operational issues that make mainframe utilization and COBOL code maintenance a complex, slow and intimidating task, especially for those new to the mainframe.

Compuware has delivered significant, game-changing products each quarter for the last three years. They have not only improved, simplified and sped up mainframe operations and management, but they have also introduced capabilities that were never thought possible or that are radically changing mainframe operations. They appear to us to be on track to continue that success. Congratulations to them. Good luck as they move forward. We recommend examining their latest offering.


Monday, October 9, 2017

Launching a Secure Environment: Applying IBM’s LinuxONE Encryption

By Bill Moran and Rich Ptak

Courtesy of IBM


The other day we attended an excellent presentation by Dr. Rheinhardt Buengden of IBM Germany on applying the encryption in LinuxONE[1]. He provided extensive technical detail on installing and implementing a secure IBM LinuxONE Emperor II system (or one of the other IBM Linux mainframe systems). It was a highly informative session.

First, nothing that we learned contradicts our earlier blog[2] on IBM’s announcement. We continue to believe that LinuxONE combined with its associated hardware represents the best commercial alternative for security in the Linux market. But we did get some greater insight into implementing a high-security system.

We now have a much better appreciation of the level of effort necessary to achieve a secure operating environment. As one might expect, much of the work revolves around having to choose among the many options in Linux. But it also requires effort to fit the new system into the way business is currently organized and done. To accomplish this requires significant skills in Linux and security methods as well as a detailed knowledge of the company’s current processes.

We provide some specifics here. There are certain to be others. First, consider the interactions between the security key management and the existing disaster recovery mechanism. Some types of keys are system specific and will not work on another system. Careful planning is necessary to identify and handle inconsistencies and conflicts[3]. The LinuxONE system can automatically recover from an abnormal situation, but only if the preparation work has been done. Similarly, backup and archive policies will need a review for similar inconsistencies. The whole issue of key management will need careful study, and decisions must be made in choosing among the various types of keys that can be implemented. Several types of keys are available, and each type has its own properties and advantages.

There are choices to be made over how to handle the encryption applied to files, file systems and disks. Understanding the relative advantages and choosing the best one requires knowledge of the Linux facilities and their interactions with the security facilities. Failure here could result in an intruder being able to access the most sensitive information in the clear, fatally compromising all system security.

The last topic concerns the Linux kernel. Typically, the Linux kernel includes security APIs that invoke certain software functions. LinuxONE hardware will speed up these functions. For this to work, the Linux kernel must be updated with code that supports the LinuxONE hardware. IBM has submitted a fix for inclusion in a future Linux kernel release.
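Whether the kernel’s crypto API is really dispatching to hardware-backed code rather than the generic software fallback is something an administrator can verify rather than assume: the kernel lists every registered implementation in /proc/crypto with a priority, and a lookup by algorithm name selects the highest-priority one. The following is an added example, not code from the presentation or from IBM; the /proc/crypto excerpt is constructed, and the "-s390" driver-name suffix used to recognise hardware-backed implementations is an assumption.

```python
"""Report which driver backs each algorithm registered in /proc/crypto.

Added example (not from the presentation or IBM). The /proc/crypto record
format is real; the sample text below is constructed, and treating driver
names ending in "-s390" as hardware-backed is an assumption."""

# Constructed sample: two implementations each of aes and sha256 (hardware
# and generic), plus a sha1 entry that only has the generic implementation.
SAMPLE_PROC_CRYPTO = """\
name         : aes
driver       : aes-s390
module       : kernel
priority     : 300
selftest     : passed
type         : cipher

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
selftest     : passed
type         : cipher

name         : sha256
driver       : sha256-s390
priority     : 300
selftest     : passed
type         : shash

name         : sha256
driver       : sha256-generic
priority     : 100
selftest     : passed
type         : shash

name         : sha1
driver       : sha1-generic
priority     : 100
selftest     : passed
type         : shash
"""


def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():               # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def best_drivers(text):
    """Map algorithm name -> (driver, priority) of the implementation the
    kernel would pick: the highest priority among those that passed selftest."""
    best = {}
    for rec in parse_proc_crypto(text):
        name = rec.get("name")
        if not name or rec.get("selftest", "passed") != "passed":
            continue
        prio = int(rec.get("priority", "0"))
        if name not in best or prio > best[name][1]:
            best[name] = (rec.get("driver", ""), prio)
    return best


def hardware_backed(text, hw_suffix="-s390"):
    """Map algorithm name -> True if its winning driver is hardware-backed
    (assumption: hardware drivers carry the given suffix)."""
    return {name: drv.endswith(hw_suffix) for name, (drv, _) in best_drivers(text).items()}
```

On a live system, read /proc/crypto into `text` instead of the constructed sample; any algorithm reported as not hardware-backed is a candidate for the kernel update the presentation describes.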

This points to a bigger, more significant problem. LinuxONE relies on open source modules such as OpenSSL, and all such dependencies need to be monitored and updated or modified as necessary if security is to be maintained. We mention this point because the Equifax security breach has been tied to an unpatched open source module. The lesson is that maintenance for all modules in the system must be carefully monitored and applied. Open source code updates cannot and should not be ignored.

In sum, we think that anyone planning an installation of a LinuxONE system should understand the magnitude of the task they are undertaking and plan accordingly.

For a security project of this scope, seriously consider establishing a security subcommittee of the Board of Directors. This group needs to learn enough to ask the hard questions and supervise security audits of the organization’s activities.

A review of the presentation would benefit any group interested in security, and would be most helpful for groups considering purchase of the new LinuxONE system. However, nothing will substitute for a knowledgeable and active staff handling the installation and operation of a LinuxONE system. Senior management support is critical. We hope our notes here make that clear.



[1] Here is the URL for the presentation: http://www.vm.ibm.com/education/lvc/LVC0927.mp4
[3] Details on this topic are beyond our current scope. See Dr. Buengden’s discussion on the topic.

Monday, October 2, 2017

IBM LinuxONE Emperor II ™, IBM’s Newest Mainframe Linux solution

By Bill Moran and Rich Ptak

IBM LinuxONE Emperor II

Introduction

On September 12th, IBM announced the IBM LinuxONE Emperor II™, a new, dedicated Linux mainframe with significant upgrades from its z13-based predecessor, IBM LinuxONE Emperor. IBM positions Emperor II as “the world’s premier Linux system for highly secured data serving, engineered for performance and scale.” IBM chose the LinuxONE Emperor II “to anchor IBM’s Blockchain Platform cloud service.” We discuss features and provide some thoughts on evaluating the system for your own environment.


Performance Features

Emperor II is a z14-based Linux-only mainframe system designed as a highly reliable and scalable platform for secure data-driven workloads. Key performance improvements include:
  • A 2-3x performance boost over the z13-based Emperor.
  • IBM described a 2.6x performance advantage over comparable x86 systems for Java work, a result of IBM moving some CPU-intensive Java operations into hardware.
  • Powerful I/O processing capability with up to 640 cores devoted to I/O operations, a benefit for I/O-limited applications.
  • Emperor II can operate at near 100% utilization with very low performance degradation. Typical competing systems can achieve 50% or 60% utilization before experiencing significant performance degradation.
IBM’s LinuxONE Emperor II is an impressive, powerful, high performance system. Do keep in mind that all performance numbers are application/environment dependent. Therefore, if performance is critical, do your own testing. Vendor numbers can only provide broad guidelines to potential performance improvement.


Security Features

IBM LinuxONE Emperor I enjoyed significant market acceptance for a variety of workloads. Recognizing the escalating interest in security and high-volume data computing, IBM initiated a large engineering effort to enhance and extend already legendary mainframe system security. The z14-based Emperor II takes security to a completely new level.
IBM states that the system represents the most advanced level of security commercially available today. We believe there exists some justification for the claim. Here’s why.
  • A major block to large-scale encryption has been the extraordinary time and effort needed for encryption/decryption. IBM dramatically[1] decreased both by using an on-chip cryptographic processor (CPACF). This allows users to implement pervasive, end-to-end encryption of all data throughout (and beyond) the system. If a hacker breaks in anywhere in the chain, they only get access to encrypted data, useless without the ability to decrypt.
  • Hardware-protected decryption keys. A hardware-assist feature assures keys are never available in memory in the clear. There is no way for a user, hacker or even an administrator to unlock or make the keys visible and usable.
  • All data can be automatically encrypted and remain so, at rest, in motion and during processing – end-to-end – from system to user.
  • Encryption security is implemented with no application changes. Security solutions that require application changes or actions by developers, users or programmers have been a stumbling block for encryption (and other) security approaches.
  • Finally, IBM has a new architecture called Secure Service Containers. These containers protect the firmware and the boot process, as well as the data and the software, from any unauthorized change. A traditional weakness has been the potential for system admins to exploit their elevated system credentials, or for those credentials to be exposed to internal or external threats and then used to gain access to locally running application code and data. With Secure Service Containers, the only access is via the web or an API, granted specifically to those with access to this environment. This closes a hole long used by hackers to gain access to critical and private data.


Other key features

Emperor II delivers enhanced vertical scalability (scale up) possibilities, i.e. it allows a collection of tightly coupled multiprocessors to communicate at very high speed using shared memory. This architecture provides a distinct advantage for applications doing sequential updates to a relational database over scale-out systems, such as most x86 systems.
A typical example would be a banking application handling customer accounts. To maintain a correct account balance, all debits and deposits must be processed sequentially, that is, in the order they were performed, e.g. earliest date and time first. An account can be “locked” to ensure accuracy, and having shared memory minimizes the latency and associated delay that results from such lock management. Attempting this via a scale-out collection of independent systems can result in a very complicated software environment and may also result in performance problems, whereas IBM’s Emperor II would have neither problem.


IBM Strategy

Enterprise concerns about data security have changed, now having dramatically increased in priority. While previously it was on everyone’s checklist, when the final purchase decision was made price and performance dominated. Now, security is a deciding factor, and IBM is positioning the Emperor II to win.

This signals a broader change in IBM’s messaging strategy. No longer is the focus on “speeds and feeds” with its reliance on numbers, processing speed, price/performance, TCO, etc. to motivate a change of platform. IBM intends to drive the decision using a business case focused on platform design (architecture) targeting the solution of major business and operational problems, as IBM LinuxONE Emperor II does.

Of course, much depends upon the platforms being compared. In many cases, inherent mainframe security will be decisive. IBM’s Emperor II with LinuxONE security and its vertical scalability far exceeds anything a standard x86 platform[2] has.

While we applaud this change in strategy, it can complicate the selling task. Since IBM’s target is x86 systems, sales reps may find themselves competing with Windows systems as opposed to Linux x86 systems. A security discussion comparing LinuxONE to other systems will require a more knowledgeable sales force. Features and functions such as security, Blockchain technology, etc. will have to be explicitly linked to specific business requirements, problem resolution, etc.

One final word on security. The heavy emphasis on security also represents a risk, as bad guys are likely to focus on exploiting weaknesses in applications or lax security procedures as the easiest point of vulnerability. Consumers, businesses and journalists are notoriously quick to indiscriminately point the blame at technology for failure. A successful penetration via, for example, an app accessing an Oracle database while the platform functioned perfectly can quickly be blamed on the platform, with the app overlooked. IBM effectively and economically addresses a real problem area. But there exists much more to be done by the entire community.


Summary

IBM has done an excellent job in implementing security in this system. Anyone looking to achieve the highest level of security in a Linux environment should carefully examine the Emperor II system. If they have not done so already, they also need to establish a security department to create and monitor organization-wide security policies.

It can’t be said that any system is truly impenetrable. This is true for reasons relating to the very real threat of internal compromise (e.g. carelessness, poor compliance practices, etc.), technological innovation as well as the subversive efforts of very, very sophisticated and clever people attempting to crack the system. We can say that we think that IBM has done an admirable job in creatively addressing a significant number and breadth of security vulnerabilities and problems. They have made it easier and economically affordable (in cost AND resource utilization) for enterprises of all sizes to use encryption techniques to secure systems and data.

We anticipate IBM’s LinuxONE Emperor II will appeal to high-end enterprises. They are familiar with mainframes and have the staff to manage them. IBM will have to work harder to win over those with less mainframe familiarity and without experienced staff. However, recent surveys indicate that efforts to modernize mainframe management and development tools, along with the availability of Java, Linux, etc., are attracting new users to mainframes.

Finally, the security that the system offers will be a powerful incentive for certain customers, and the total package of the architecture and its features creates a system that can deliver solutions to many customers that they cannot find anywhere else. Congratulations to IBM; we’ll watch and report on how this all develops.

[1] IBM did not provide performance or overhead numbers.
[2] By “standard” we mean that high end Oracle and HPE systems may have a scale up design that eliminates the problem that many x86 systems will encounter.