Page 1: ZZZS (Social Insurance Slovenia) Customer implementation of zBX and XI50z

Peter Brabec

WebSphere System Z Brand Leader & DataPower Ambassador

Session: TSE-1203

Page 2: Please Note

IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal at IBM's sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3: Agenda

Customer: ZZZS (Zavod Za Zdravstveno Zavarovanje Slovenije) background

– Application architecture overview

Solution description

– Before / After

– Migration planning

Challenges

– Security

– Networking

Why did we do it that way?

DataPower XI50z Overview

Page 4: ZZZS background

ZZZS (Zavod Za Zdravstveno Zavarovanje Slovenije) is the National Health Institute of Slovenia

– Provides compulsory health insurance.

– Owns and hosts social security data of the people of Slovenia

– Accessed by health professionals and selected partner organizations

– One central side, 10 regional units and 45 branch offices

– Requirements

• Perfect security of your data and information system

• Availability 24 hours/day, 7 days a week

• Reliable operation

2 million insured persons

2,100 healthcare service providers

Page 5: Social Insurance and healthcare applications

Information material

– How to get compulsory health insurance

– Choose a personal doctor

– Apply for medical services abroad

Individual Status Information

– Basic (compulsory) health insurance

– Additional (private) health insurance

– History of issued medical aids

– Prescribed medication history

– Selected doctors

Page 6: System components

Portal and B2B Application Components

WebSphere Portal

DataPower XI50z

Tivoli Directory Server as User Registry

DB2 database

Application Software on z/OS

SOAP over http(s), MQ, FTP

Page 7: Information technology today is limited by the technology and architecture configurations available

[Diagram: separate server tiers surrounding System z: DS servers, LAN servers, SSL/XML appliances, caching appliances, routers/switches, firewall servers, file/print servers, business intelligence servers, security/directory servers, web servers, application servers.]

Information technology today: Limitations

Business processes and the applications that support them are becoming more service oriented, modular in their construction, and integrated.

The components of these services are implemented on a variety of architectures and hosted on heterogeneous IT infrastructures.

Approaches to managing these infrastructures along the lines of platform architecture boundaries cannot optimize: alignment of IT with business objectives; responsiveness to change; resource utilization; business resiliency; or overall cost of ownership.

Customers need a better approach: The ability to manage the IT infrastructure and Business Application as an integrated whole in a much simplified manner.

Page 8: Information technology tomorrow

[Diagram: routers/switches, firewall servers and web servers consolidated around the zEnterprise.]

Customers need a better approach: the ability to manage the IT infrastructure and business application as an integrated whole, not managed in islands.

Reduce the scope of security vulnerability in the network: many hops collapsed to fewer hops and possibly only one hop

One flat layer-2 network infrastructure

Co-locating distributed, heterogeneous platforms with the zEnterprise and placing them in an ensemble to manage in a unified manner creates synergies and operational management opportunities and simplifies the formerly complex network and security infrastructure.

[Diagram: ensemble managed from the HMC.]

Page 9: Before

[Diagram: "Before" architecture. Anonymous and authenticated users connect over https through a firewall and a CISCO Content Services Switch to two DataPower XS40 appliances (C1, C2), which forward to the Web Application Portal (WebSphere, instances P1/P2) and to the Entry point (VT) for on-line, unauthenticated use (WebSphere). Behind them sit the Backend Application (CICS) and the Central database (DB2) on z/Series z/OS, the Portal registry & repository (DB2), the Data VT database (DB2), the User registry (Tivoli Directory Server), an Internal application, the Portal administration system (reached by an administrator over https) and Central System Management. Protocol labels on the diagram: http, https, soap, jdbc, cics eci, snmp. User data, certificates, services and Web content are replicated.]

Functions shown per component:

DataPower XS40 (C1/C2)

• Termination of a TLS session
• Certificate validation: basic validation, validation against CRL, validation of issuing CA
• Extracting some DN fields from the X.509 certificate and embedding them into an https header
• Select P1/P2 based on URL
• Schema validation
• DN -> insert LTPA token (https header) as user identifier
• Web service for mapping DN to tax ID
• LDAP query
• Signature verification

Web Application Portal (WebSphere, P1/P2)

• User registration and role mgmt.
• User access control
• Session management
• User interface to services and content
• User ID mapping service
• Statistics batch processing
• Administration application

Portal registry & repository (DB2)

• Service registry
• Web content
• Roles
• Statistics and logs

Entry point (VT) for on-line (unauthenticated) (WebSphere)

• On-line system functions
• Technical audit logs and errors
• Preparation of access and error statistics

User registry (Tivoli Directory Server)

• User registry
• Access rights
• Auditing and error mgmt.
• Preparation of access and error statistics

Internal application

• User registry, status and access rights
• CA certificate data
• Services registry
• Web content mgmt.

Portal administration system

• User identity identification

Central System Management

• Incident management
• Security event management
• Statistics, reporting

Page 10: After

Model XI50z Integration Appliance

– Web application firewall

– XML firewall

– Multiprotocol gateway

Perform authentication, map user tokens (LTPA)

– Lookup RACF (LDAP)

– User token LTPA

– Integration with Oracle and DB2

[Diagram: SOAP request from the Internet (WS-Security*) -> Firewall -> IDPS -> Network layer firewall (CISCO Content Switch, SSL termination) -> IBM zBX: Application Firewall (IBM WebSphere DataPower XI50z) -> IBM System z over the Private Data Network: z/OS LPAR "ZZZS HIC Entry Point" (IBM: WAS ND, CTG, DB2, etc.) and z/OS LPAR "ZZZS Back End Systems" (IBM: CICS, DB2, WMQ, etc.).]

Page 11: Migration Planning

New Portal Application had to be in production in March 2012

“9003” DataPower XS40 devices are out of support

First installation in the world

Is System z strategic?

– TCO and F4P studies

– Projected Capacity upgrade

– Use zBX for other applications ?

[Diagram: the four constraints to balance: Functional Requirements, Security Requirements, Budget, Timeline.]

Page 12: Security requirements

Registration

– Users should be able to register to use on-line services and then apply to use specific services

– Solution needs to support up to 2 million users with acceptable performance. Approx. 250k users are expected to register to use the new services provided by this solution. This number is expected to grow to 500K over the 3 years following implementation.

– Non-registered users are limited to using basic services only (for example, verify if a ZZZS social security number has insurance)

Authentication

– Users should be able to authenticate with a certificate that has been issued by one of the existing certificate authorities

• CA 1 (digital certificates on professional cards and health cards)

• CA 2 (qualified digital certificates of this issuer that are issued on a professional card or other forms)

• CA 3 (qualified digital certificates)

• CA 4 (qualified digital certificates)

• CA 5 (qualified digital certificates)

– It is necessary to provide support for the verification of digital certificates and verification of the lists of invalid digital certificates (CRL lists by issuers) in the system
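Added example, not code from the presentation or from IBM DataPower: a Python stand-in for the gateway front-end policy that the "Before" diagram on page 9 attributes to the XS40 and that the authentication requirements above call for: trust only the configured issuing CAs, reject serial numbers on the issuer's CRL, extract DN fields into an https header and map the DN to an internal user identifier (a placeholder for the LDAP query and the DN-to-tax-ID mapping service). Certificates are plain objects constructed inline, and the CA names, serials, header names and mapping table are assumptions.

```python
# Added example (not from the presentation or IBM DataPower); all names and values are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple
DN = Tuple[Tuple[str, str], ...]  # canonical form: sorted (attribute, value) pairs

def parse_dn(dn: str) -> Dict[str, str]:
    """RFC 4514 string DN -> {attribute: value}; handles backslash-escaped
    separators (hex escapes and '+' multi-valued RDNs are out of scope)."""
    fields: Dict[str, str] = {}
    key, buf, escaped, in_value = "", [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            key, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:
            fields[key] = "".join(buf).strip(); buf, in_value = [], False
        else:
            buf.append(ch)
    if in_value:
        fields[key] = "".join(buf).strip()
    return fields

def canon(dn: str) -> DN:
    """Order-independent form so 'CN=x,O=y' and 'O=y, cn=x' compare equal."""
    return tuple(sorted((k.upper(), v) for k, v in parse_dn(dn).items()))

@dataclass
class ClientCert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    serial: int

# Constructed policy data: trusted issuing CAs, per-issuer CRL contents and the
# DN-to-user mapping (stand-in for the LDAP query / tax-ID mapping service).
TRUSTED_ISSUERS: Set[DN] = {canon("CN=CA 1,O=Example CA 1,C=SI"),
                            canon("CN=CA 2,O=Example CA 2,C=SI")}
REVOKED: Dict[DN, Set[int]] = {canon("CN=CA 1,O=Example CA 1,C=SI"): {0x1F}}
DN_TO_USER: Dict[DN, str] = {canon("CN=Ana Novak\\, dr.,O=ZZZS,C=SI"): "user-0001"}

def front_end_policy(cert: ClientCert, inbound: Dict[str, str]) -> Dict[str, str]:
    """Return the headers forwarded to the portal, or raise PermissionError."""
    issuer = canon(cert.issuer)
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError("issuing CA not trusted")
    if cert.serial in REVOKED.get(issuer, set()):
        raise PermissionError("certificate revoked (on issuer CRL)")
    subject = parse_dn(cert.subject)
    if "CN" not in subject:
        raise PermissionError("subject has no CN")
    # Drop caller-supplied identity headers first, or a client could assert another user's id.
    headers = {k: v for k, v in inbound.items() if k not in ("X-Client-CN", "X-Client-Issuer", "X-User-Id")}
    headers["X-Client-CN"] = subject["CN"]
    headers["X-Client-Issuer"] = cert.issuer
    # Registered users keep their mapped id; the rest stay anonymous (basic services only).
    headers["X-User-Id"] = DN_TO_USER.get(canon(cert.subject), "anonymous")
    return headers
```

The policy only returns headers for a certificate whose issuer and revocation status pass, so the portal behind it can treat X-User-Id as authoritative; the stripping step is what keeps it that way.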

Page 13: Security requirements (cont…)

Authorization

– For registered users, authorization may be defined for the entire Web application or for a specific set of tasks within the application.

– For services available to anonymous users, it is necessary to ensure adequate open access to all users of the Internet

Data confidentiality and integrity

– Data confidentiality must be ensured for all communication to end users – including anonymous users

– Personal data must be accessible only to data owners and health professionals who need this data

– One user must be prevented from seeing or changing the confidential data of another user

Page 14: Security requirements (cont…)

Auditing

– Audit trail required for all requests.

– Infrastructure auditing must be done at all stages: DP, Portal and VT (currently it is implemented at DP, storing the log on z/OS, and at VT). Application auditing is expected to be implemented for additional flexibility.

– Auditing of message flow should be performed at the Entry Point (VT)

• Content and timing of request coming to Entry point

• Transaction occurring at Entry Point

• Content and timing of request leaving Entry point

– “Business auditing” should be performed at the backend systems (CICS)

• Who is performing what transaction on what data and when

– Unauthorized users should not be able to remove nor change audit log records

Service availability

– The system must be protected against denial of service attacks

– Deployment of malicious destructive code must be prevented

Performance

– Maximum end-to-end round trip time should not exceed 5 seconds in at least 85% of transactions

Page 15: Security issues to consider

Where to place a firewall

– IP filtering, packet filtering

– Content Inspection

– Web Application Firewall

– XML Firewall

Organizational challenges

– IP security & IDPS is part of the networking group

– zEnterprise is part of the System z team

– DataPower is part of the application team

Security concerns

– zEnterprise HW (IEDN / INMN)

– “direct” mainframe access

System Architecture which is consistent with the existing security architecture.

[Diagram: the same target architecture as on page 10 (Internet -> Firewall -> IDPS -> CISCO Content Switch with SSL termination -> DataPower XI50z in the zBX -> z/OS LPARs over the Private Data Network).]

Page 16: Networking issues to consider

Where to connect the external network

– Option 1: „External“ network via Top-of-Rack-Switch

– Option 2: „External“ network via Sysplex Distributor LPAR

How many VLAN connections do I need inside zEnterprise

– Security versus manageability

– Data versus Management connections

DataPower Management

– One connection via INMN for Firmware upgrades through HMC

– Separate DataPower Management LAN on the IEDN for DataPower GUI

• Administrative and development access to the DataPower XI50z control panel

• This connection will connect to the ZZZ internal infrastructure

Page 17: External Network Access Option 1 – System z (LP) IP Router

[Diagram: zEnterprise node made up of a z196 (z/OS LPARs LP1–LP4; z/VM LPAR LP5 hosting virtual servers VS1–VS4 behind a z/VM virtual switch; OSD, OSX and OSM adapters) and a zBX (blade centers BC1–BC3 with ESM switches, top-of-rack (TOR) switches), plus HMC and SE firewall. External traffic is routed via OSD and one or more z/OS images acting as IP router to the customer external data network.]

Page 18: External Network Access Option 2 – External IP Router

[Diagram: the same zEnterprise node as in Option 1. The IEDN is extended to an external router; traffic is routed via the TOR switches to the zBX and to the System z LPARs, with the customer external data network behind the external router.]

Page 19: ZZZS Networking setup

[Diagram: ZZZ Network DMZ <-> DataPower XI50z on the IEDN over VLAN 56 (Front-End LAN); VLAN 01 (Management LAN) towards the ZZZ Intranet; VLAN 02 (Data LAN) from the XI50z to z/OS via OSX, with IPSec filtering and MAC filtering; the z/OS sysplex keeps its current OSA connection.]

The DMZ will be connected to a Router/Firewall.

– There is a secured Front-End VLAN created on the IEDN that will interconnect the router/firewall to the DataPower XI50z.

– The only connections that will be allowed are those coming from the DMZ zone.

– No access to the web/XML/SSH/Telnet command consoles will be possible from within this VLAN, nor to the back-end z/OS system.

Data VLAN from DataPower to the back end systems on z/OS

– No other access allowed on this VLAN

– Eliminates any need to encrypt data between DataPower and Application services

Added IP filtering for a higher level of security

– Using IPSec policy filters that are part of the z/OS Communications Server base code, applied over the OSX devices on the z/OS stacks

– Locks down any services the DataPower XI50z should not have access to on their z/OS environment

Page 20: DataPower XS40 to XI50z smooth migration

Migration items

Configuration review/update (deprecated function calls etc.)

Configuration export

Configuration import (using deployment policy)

Keys & certs

Development & QA

– Development domains

– QA domains

– Test keys & certs

Production

– QA domain

– Keys and certs

Page 21: Why XI50z instead of stand-alone XI52

One HW Environment

– Less complexity

– Increased security

• End-to-End encryption

– Better performance

• reduction of transaction latency time

• faster response times by “co-location”

– Future use of zBX

Integrated Maintenance

– DataPower Firmware upgrades handled by IBM

– Integration tested Firmware and driver levels

– Consolidated view on the HMC

Reduction of MLC through offload of z functionalities

Page 22: Collateral material

IBM zEnterprise Network Security White Paper: ftp://public.dhe.ibm.com/common/ssi/sa/wh/n/zsw03167usen/ZSW03167USEN.PDF

Security for Ensemble Networking with the IBM zEnterprise System Frequently Asked Questions: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/4b9ce6c0c12cac82862577c8000bea73/$FILE/FAQ%20ZSQ03053-USEN-00_10222010.pdf

IBM zEnterprise System: Network Virtualization, Management, and Security (Part 1: Overview): http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/8a8a1e78ab60ff0b862577c8000be738/$FILE/ZSP03439USEN_01.pdf

IBM zEnterprise System: Network Virtualization, Management, and Security (Part 2: Detail): http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/8a8a1e78ab60ff0b862577c8000be738/$FILE/ZSP03433_05.pdf

"Payment Card Industry Compliance For Large Computing Systems" White Paper, Examining the Application of Payment Card Industry Compliance Standards in Mainframe Environments: http://www.atsec.com/us/pci-lcs.html

Page 23: Backup

DataPower XI50z Overview

Page 24: We love your Feedback!

Don’t forget to submit your Impact session and speaker feedback! Your feedback is very important to us; we use it to improve our conference for you next year.

Go to impactsmartsite.com from your mobile device

From the Impact 2012 Online Conference Guide:

– Select Agenda

– Navigate to the session you want to give feedback on

– Select the session or speaker feedback links

– Submit your feedback

Page 25: Copyright and Trademarks

© IBM Corporation 2012. All Rights Reserved.

IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies.

A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.