In-Depth

E-Commerce and the Mainframe

• 10/01/1998

Fortune 1000 IS managers are in no hurry to send their big iron to the scrapheap; there’s just too much valuable information there. The challenge is to make that information remotely available to employees, vendors and customers in a managed fashion, without jeopardizing security.

A huge installed base of applications and an extremely robust, secure operating environment have ensured the mainframe’s survival in the face of seemingly inexpensive, microprocessor-based alternatives. Over the years, a host of mainframe-based 3270-oriented applications have been created that generate revenue and profits through online transactions, control inventory and distribution, and do, in fact, generally run the company.

For example, First Union Corporation is the nation’s sixth largest banking company and fifth largest based on market capitalization. Although First Union serves customers in a number of states, many important banking records continue to reside on centrally located mainframe databases. To make these records readily available to employees, the bank is presently deploying Cisco Channel Attach routers, which mediate between IBM Systems Network Architecture (SNA) mainframes and Transmission Control Protocol/Internet Protocol (TCP/IP) networks, with a TCP/IP stack and associated management software, to transfer files as needed to the UNIX servers which support its internal network. However, beyond merely providing connectivity, First Union is concerned with proactive management of its TCP/IP communications. They want to know, for example, if a bandwidth problem is about to occur. They also want their help-desk people to be able to determine what broke, drill down into the problem, and initiate remedial action while giving their engineers the tools necessary to gather and apply deeper diagnostics.

With the widespread use of the Internet and the World Wide Web, the mainframe is evolving from an information island surrounded by 3270 terminals to an applications and network super-server on an open, standards-based network. The process began in the late 1980s, when businesses began to open up mainframe/SNA network applications and databases to their TCP/IP-based client/server networks. With TCP/IP networks, businesses reduced costs and gave more users access to mainframe-resident applications and data. The result is that content is divorced from infrastructure. That is, any type of client can have transparent access to resources on any type of server as long as both support a Web interface.

The latest evolutionary developments are based on exploiting the Web’s capacity for e-commerce. International Data Corporation (IDC) says business-to-business Internet commerce is expected to grow from $7.4 billion in 1997 to $33.7 billion in 2002. Much of this new electronic commerce activity requires access to MVS or OS/390 servers, since this is where the critical data continues to reside. This in turn introduces new management and security concerns because company data will now be accessible from beyond the organization’s internal firewalls.

Opening MVS applications to client/server networks requires providing the appropriate protocol stacks (software that handles network control and data packet assembly and disassembly) on either the SNA side or the UNIX/Wintel side of the network.

Initially, companies tended to put SNA-protocol stacks on clients, thus avoiding any changes to the mainframe – from the mainframe’s point of view, everything looked like a 3270 terminal. (Today there are also Web gateway products that convert 3270 screens to HTML for desktop connectivity, but these products have a rather narrow application range.)

However, the approach of turning clients that were designed for TCP/IP into SNA clients resulted in increased management headaches, because every IP client needed its own SNA stack. In addition, converting TCP/IP outbound packets from IP clients to SNA LU6.2 packets resulted in larger packets than pure TCP/IP, and this increased the load on network bandwidth.

Putting both an SNA stack and a single TCP/IP stack on the mainframe turns out to be a more manageable approach, and does not present a particularly burdensome additional processing load for the mainframe. In fact, in some cases, it is possible to offload part of the problem, checksum calculations for example, to the TCP/IP router.

However, the true virtue of using TCP/IP stacks on mainframes is that it is an open standard. With open standards, companies can choose among products from multiple vendors, who compete on the basis of product support, performance and price. For example, in its latest release Interlink’s TCPaccess stack product provides more real-time management, multi-threaded pipes for higher throughput, plus the option of using the Open Shortest Path First (OSPF)-routing protocol which re-routes broken connections within 30 seconds and virtually eliminates lost sessions. When combined with Cisco’s IOS software, the new release takes advantage of Cisco routers by implementing Cisco’s weighted fair queuing (WFQ) and large-block transfer features, and allows the routers to offload TCP/IP checksum calculations from the mainframe.

There are other advantages to using TCP/IP stacks on the mainframe, rather than SNA stacks on clients: clients need no special software or hardware – they have TCP/IP support built-in – and running TCP/IP end-to-end means that the network runs at TCP/IP efficiency levels. Initially, TCP/IP on the mainframe was addressed by point products provided by companies. In time, even IBM itself was offering a TCP/IP stack.

A simple stack was adequate when all mainframe access took place behind the company’s firewall. However, e-commerce requires a more comprehensive approach. There must be a provision for managing and updating the system’s hardware and software configurations, as well as providing visibility and control over system performance. IS managers need to know response and download times, and be informed of user complaints and status of remedial action.

In real time, operators should be able to call up the latest statistics on the number of active connections, connections/hour, connection rate/port/hour, security violations, ping times for defined hosts and round-trip times for defined hosts. For capacity planning, the IS manager should be able to create and access reports providing historical information on connections to specific ports or specific applications.

Further, whenever there is a major component failure or a security violation, an alert must be logged and sent to the systems operator and retained for administration. Rather than simply presenting cryptic alert messages, the system should tell the operator exactly what has happened and what to do next. If the security software allows the IS or security department to customize this information so that it is specific to the installation, this is the best of all possible worlds.

In addition, security is an overriding concern, especially where the mainframe, which is after all the heart of the company, is concerned. Security issues include not only establishing and managing firewalls inside the company’s main facilities and at remote locations, but extending secure access to vendors and customers without compromising internal security. General security management involves regular updating of passwords and encryption keys, authorizing new users and purging ex-users from the system, and dealing with attempts to hack the system. The latter requires the ability to detect hacking attempts, to maintain logs and to analyze hacking attempts in order to detect patterns and sources.

Including these capabilities makes for a product that is more comprehensive than a manager and translator for various levels of protocols in the OSI model. To make these functions manageable and to give businesses more opportunity to customize their selection of capabilities, Interlink initiated a strategy called e-Access. The core suite of software products under the e-Access umbrella includes the latest release of the TCP/IP stack itself, plus a network printer manager, an X.25 product that enables legacy MVS applications that rely on the X.25 protocol to communicate in a TCP/IP environment; and most significantly, a system management tool called e-Control, that provides a Problem Diagnosis Assistant, an Administration and Configuration Assistant, and a Performance and Capacity Planning Assistant. In the data center, e-Control replaces the usual point-product patchwork with a complementary set of software elements that offer full control and management under a consistent user interface.

In addition, there are currently two e-Access security products. One empowers the existing MVS SAF security facilities to become the TCP/IP access firewall. Access is permitted or denied on the basis of the client’s IP address. This security can be integrated with third-party hardware- or software-based encryption. The other security product provides enterprise-wide, "my-eyes-to-your-eyes" data protection, with password and encryption protection, as well as host authentication.

Finally, there are several e-Access support products, such as a toolkit that contains a set of automated CICS transactions, plus a set of application program interface services; and a tool that allows users to launch a CICS transaction from within a Windows application, passing and receiving the data from the remote transaction. Other e-Access support products include one that enables the IMS Open Transaction Management Access (OTMA) and TCP/IP applications to cooperate in a client/server environment avoiding the need to go through ACF/VTAM. It includes ActiveX support for developing applications on Windows-based systems. Another is a high-capacity, flexible native Advanced Program to Program Communications (APPC, also known as LU6.2) interface to TCP/IP. It operates in MVS and links SNA APPC applications, such as IMS and CICS, and TCP/IP socket applications.

Interlink’s e-Access is not the only vision for electronic commerce on existing mainframes. IBM’s UNIX Systems Services (which it formerly called OpenEdition Services) is their most recent effort to open the MVS environment to the TCP/IP client/server world. However, not all IS managers are eager to trade in a successful strategy until the alternative has demonstrated its value.

The future will see more tightly integrated solution sets that combine management, control and security under a consistent rubric. As has been the case to date, there will be no sudden break with the past, just further evidence of a controlled move into a future that takes advantage of new processes while it retains the tried-and-true.

ABOUT THE AUTHOR: