Motswedi JMR enters world of z/OS security, connectivity, port management for TCP/IP

By JMR Software
Johannesburg, 19 Jan 2004

Experience shows that change is the only constant in the world of IP network management. Nothing stays the same for very long. Network managers continually seek better ways of monitoring network performance, enhancing network security, eliminating network outages, replacing obsolete hardware, etc.

William Data Systems (WDS), the UK based partner of Motswedi JMR, is aware of these demands and, for more than 10 years, has specialised in the design and development of software to support and manage network environments on IBM`s z/OS based Enterprise Server platform. In this time, WDS products have achieved global acceptance and have been implemented by leading financial, governmental and manufacturing organizations around the world.

The current WDS product range, marketed locally by Motswedi JMR, consists of:

* EXIGENCE - the product for which WDS was created and the first utility to enable network trace management and provide real-time expert trace analysis that could confidently be put into the hands of help desk personnel.

* IMPLEX - the market-leading IP performance monitor and the benchmark product against which true, real-time IP monitors are measured. Motswedi JMR has already successfully implemented Implex at a leading South African bank.

* FTPalert - which provides industrial strength security, traffic management and automation for client and server-side FTP activity.

* RouteView - which automates the process of VTAM path table generation and verification.

The WDS product set is now being extended with the release of APIAS, a new and powerful network security and connectivity tool that offers support in four key areas of network management:

APIAS for SSL - Enables the simple implementation of Secure Sockets Layer (SSL) for all applications-securing data and guaranteeing an authenticated connection for both client and server-essential when transacting business across the Internet.

APIAS for secure Enterprise Extender - Supports secure implementation of Enterprise Extender for organisations that are compelled, or that choose, to run their SNA applications over a TCP/IP backbone.

APIAS for TN3270 - Enhances TN3270 connection management by applying SAF protection based upon real IP address. TN3270 users can be routed directly into applications via sign-on panels and/or application selection lists, and detailed audit logging is also available.

APIAS Connection Management - Simplifies management of all TCP connections and increases the scope of SAF protection for all TCP services both on z/OS and other platforms. Let`s consider the value of each of these components to the user.

Motswedi JMR has already approached a number of potential APIAS users in SA. According to Leon Theron, sales director of Motswedi JMR, the reaction to this announcement has been extremely enthusiastic.


Security is one of the key concerns for installations using TCP/IP on z/OS systems. The migration from apparently more secure SNA environment to TCP/IP, combined with the growth of Internet services based on z/OS, is increasing the demand for secure communications, especially in legacy applications. Firewalls and the Internet Security Protocol (IPSec) provide a partial answer. However, they do not necessarily protect applications or application data. To solve this problem, Netscape developed the Secure Sockets Layer (SSL) protocol to protect individual applications by implementing user authentication and encryption at the transport layer.

SSL is important because it ensures:

* Client authentication - the server is able to authenticate the client.

* Server authentication - the client is able to authenticate the server.

* Message authentication - applications know data has not been changed.

* Message confidentiality - applications know data has not been read.

Unfortunately, the APIs for SSL implementation only support z/OS applications written in C/C++ and Java. As a result, organisations are faced with high-cost, re-development programs to e-enable and secure their legacy applications.

APIAS for SSL overcomes this problem via a simple configuration file interface that allows:

* Legacy applications to be SSL-enabled without costly re-writes.

* Data packets to be encrypted over a TCP/IP backbone.

* Client and server identities to be authenticated prior to data exchange.

* SSL connections to be accepted from any SSL client on any platform.

* SSL connections to be built to any SSL server on any platform.

* APIAS to act as an SSL gateway for any application on any platform.

* Full support for z/OS digital certificate management.

This means that:

* Any existing legacy applications can be SSL-enabled with no coding changes being required.

* Applications are protected using industry standard application security.

* No development costs are incurred to achieve the above features.

* SSL-enablement can be achieved rapidly.

APIAS for secure enterprise extender

The decision by IBM to withdraw the 3745 Communications Controller has forced many installations to consider how they might replace secure SNI/leased line connections. One obvious solution is to deploy Enterprise Extender. This enables SNA traffic to be encapsulated and routed over an IP network (for example, the Internet). However, it does not offer the same level of security as a leased-line connection because:

* The Enterprise Extender UDP data packets are unencrypted.

* The Internet provides no built-in security.

* Users have no control over the path taken when sending information from point A to point B over the Internet.

APIAS for secure Enterprise Extender fully secures EE data traffic across the Internet by:

* SSL-encrypting Enterprise Extender payloads.

* Authenticating Enterprise Extender connections with digital certificates.

* Encapsulating the UDP payload in encrypted TCP packets.

This means that:

* Users can confidently provide a secure alternative to Leased Line/3745 connections across public networks.

* Significant licence cost savings may be realized by displacing redundant or obsolete network hardware and software.

APIAS for TN3270

Many z/OS applications communicate using the TN3270 protocol (Telnet). However, many of the traditional, reliable management tools for the delivery and control of data associated with SNA are not present in TCP/IP. For example:

* There is no audit of TN3270E connections in native TCP/IP, making it difficult to see which user has accessed what applications and when.

* Routing users to applications based upon their location is difficult. For example, there may be a requirement for a user in the office to have access to one set of applications but to restrict the same user to a limited set when he or she is working remotely.

* Routing users to applications based upon their workstation ID is difficult.

APIAS for TN3270 solves these problems by enabling:

* Access to be restricted based on a combination of SAF profile and IP address.

* Access to be controlled by one or more configurable sign-on panels.

* Access to be controlled by a configurable application selection panel.

* A full audit trail and optional SMF records to be produced detailing the users` connect and disconnect date and time, their IP address, LU name and application to which they were connected.

This means that:

* Application availability is improved by automatically re-routing users to available applications.

* Application performance is improved by load-balancing services across LPARS/servers.

* Data centre protection is enhanced by preventing denial of service attacks.

* Transparency of network utilisation is enhanced through improved auditing of users and connections.

APIAS connection management

APIAS Connection Management simplifies management of all TCP connections and increases the scope of SAF protection for all TCP services both on z/OS and other platforms. APIAS Connection Management facilities for TCP applications enable:

* TCP/UDP users to connect to a "virtual port," not a "real port".

* The real port to be on a different:


* Platform (could be z/VM and/or Linux)

* Virtual port mapping to real port based upon:

* Origin IP address

* Availability of real port

* Availability of alternative real port(s)

This feature allows the simple implementation of:

* Round Robin load balancing of connections

* Capping maximum users allowed per application

* Timeout on idle

* SAF protection for non-z/OS applications.

These facilities greatly simplify routing table and firewall definitions and overcome dual-VPN limitations. Liam Hammond, co-founder and managing director of William Data Systems summed up the WDS strategy for future product enhancement and development:

"Our aim is to build and develop a range of products that address the major issues in the networking world with special attention to the requirements of z/OS and its users. This has been the key to our success. By really understanding the impact that z/OS and the network have on each other, we have delivered products that have set the standard for others."


Motswedi JMR

Motswedi JMR came to be in September 2003 when Motswedi acquired a controlling interest in JMR Software. Established in 1987 with its roots in contracting and software development, JMR Software specialised in the delivery of custom-developed applications for mainframe, client server, and Internet-based systems, and has made major contributions in a wide range of fields including banking and insurance.

The new company is based on the successful track record of these two companies in the IT market. The two components of the new company have complementing sets of skills and abilities so that Motswedi JMR will soon become one of the major participants in the IT industry in SA: for many years Motswedi has successfully designed IT strategies, policies and architectures; the acquisition of JMR Software now provides the capacity to execute and implement these strategies and policies.

Editorial contacts

Leon Theron
Motswedi JMR
(011) 484 5070