Hybrid Cloud Security with z Systems - Linux Journal Geek Guide


GEEK GUIDE Hybrid Cloud Security with z Systems

Table of Contents

About the Sponsor
Introduction
z Systems: the Unsung Hero
  Resiliency
  Performance
  Security
LinuxONE: a Trustworthy Ally in the Data Center
  The Evolution of Linux on z
  Virtualization at Its Finest
  Simplified Application Deployment
  High Availability
Hybrid Cloud: Setting a New Standard
  OpenStack
  IBM Bluemix
  Security, Security, Security
  Application-Level Security in Bluemix
  Unleash the Next Generation of Cloud Applications
Completing the Puzzle

PETROS KOUTOUPIS is currently a senior software developer at Cleversafe, an IBM Company. He is also the creator and maintainer of the RapidDisk Project (http://www.rapiddisk.org). Petros has worked in the data storage industry for more than a decade and has helped to pioneer the many technologies unleashed in the wild today.

GEEK GUIDES: Mission-critical information for the most technical people on the planet.

Copyright Statement

© 2016 Linux Journal. All rights reserved.

This site/publication contains materials that have been created, developed or commissioned by, and published with the permission of, Linux Journal (the “Materials”), and this site and any such Materials are protected by international copyright and trademark laws.

THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Linux Journal or its Web site sponsors. In no event shall Linux Journal or its sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

No part of the Materials (including but not limited to the text, images, audio and/or video) may be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way, in whole or in part, except as permitted under Sections 107 & 108 of the 1976 United States Copyright Act, without the express written consent of the publisher. One copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice.

The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties.

Linux Journal and the Linux Journal logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Linux Journal, please contact us via e-mail at info@linuxjournal.com.

About the Sponsor

IBM

IBM is a globally integrated technology and consulting company headquartered in Armonk, New York. With operations in more than 170 countries, IBM attracts and retains some of the world’s most talented people to help solve problems and provide an edge for businesses, governments and non-profits.

Innovation is at the core of IBM’s strategy. The company develops and sells software and systems hardware and a broad range of infrastructure, cloud and consulting services.

Hybrid Cloud is helping businesses deliver unprecedented levels of agility for quicker time to market and richer customer experiences. But not all cloud infrastructures are equal. IBM z Systems and LinuxONE are the world’s leading cloud platforms for enterprise transactions, systems of record and application workloads.

Today, IBM is focused on four growth initiatives—business analytics, cloud computing, growth markets and Smarter Planet. IBMers are working with customers around the world to apply the company’s business consulting, technology and R&D expertise to build systems that enable dynamic and efficient organizations, better transportation, safer food, cleaner water and healthier populations.

Hybrid Cloud Security with z Systems

PETROS KOUTOUPIS

Introduction

Data—it is what drives the market and has led to the creation of the Internet of Things (IoT) in this little thing we call the cloud. In the past decade alone, the paradigm shift toward a wider and more accessible network has forced both hardware vendors and service providers to rethink their strategies and cater to a new model of storing information. As more individuals and businesses connect themselves to the greater world, it becomes increasingly necessary to secure the information that travels across our networks.

This ebook highlights the many challenges service providers face in their respective cloud deployments and showcases the numerous ways IBM z Systems are well equipped to take on those same challenges with a greater emphasis on security and application integration. Read on to learn how IBM z Systems can enable you to transfer and store data securely.

z Systems: the Unsung Hero

A descendant of the System/360 (1964) and the System/370 (1970s), the introduction of the z Systems marked a pivotal point in enterprise-scale computing. The technology was, and still is, designed for accelerated transaction processing and data serving, providing modern capabilities for analytics and mobile integration solutions. IBM z Systems are omnipresent in today’s enterprise computing, and without realizing it, most people interact with mainframes multiple times in a given day.

FIGURE 1. IBM z13 and z13s (Image courtesy of IBM.)

The release of the IBM z13s (2016) marks the latest in the family of z models. The z13s is a highly scalable symmetric multiprocessor (SMP) system incorporating the advanced technologies announced with the IBM z13 in 2015 in a much smaller single-cabinet footprint.

Resiliency: The “z” stands for zero downtime. Fault tolerance on z Systems is built on a very basic principle: Reliability, Availability, Serviceability (RAS). Through RAS, z Systems are able to achieve continuous and reliable operation. This includes detecting, preventing and correcting error cases through constant system analysis. These systems are designed with redundancy of physical components at every level (all the way down to the CPU) that are fully capable of tolerating all kinds of failures.

Another area where fault tolerance is emphasized is z Systems’ ability to handle memory failures. Memory modules are pooled into a RAID-like technology referred to as a Redundant Array of Independent Memory (RAIM) that supplies an N+1 tolerance of failures. The RAIM design detects and recovers automatically from all sorts of memory failures, across DIMMs to sockets, memory channels and more, further ensuring data integrity.

Performance: Looking at just the IBM LinuxONE Emperor, a system enabled for enterprise-grade Linux, one is impressed with its 5GHz processor, capable of supporting up to 141 customer-configurable cores, and delivering I/O bandwidth through up to 320 I/O co-processors and 24 dedicated I/O cores. The same system supports a multi-level cache subsystem and as much as 10TB of memory.

All lines of communication are passed through what is referred to as the Fibre Connection (FICON) protocol across extremely performant 16Gbps Fibre Channel switches connected via fiber-optic cables. To maintain data integrity, IBM employs a technique called FICON Forward Error Correction (FEC). Errors across communication lines happen. With FEC, the impact of such low-level errors is reduced significantly, which in turn limits the effect on overall workload performance that typically results from high-level I/O errors and an application’s attempts to re-issue those same failed commands.

The Enterprise Data Compression (zEDC) adapter is yet another distinguishing feature of z Systems. It allows applications to offload zlib-compatible compression work to a hardware co-processor, resulting in a good compression ratio without wasting CPU cycles. In some cases, zEDC has been known to improve compression performance by a factor of five, allowing more data to be processed in the same amount of time. An added benefit of the built-in compression is the reduction of the overall footprint of datasets and, in turn, storage costs.

An optional feature, Flash Express, can help improve performance on critical business workloads by implementing Storage Class Memory (SCM) through internal NAND Flash Solid State Drives (SSDs) fitted onto a PCIe card form factor. This allows Logical Partitions (more on this below) to be configured with their own address space on the SCM.

Security: The architecture includes hardware support for cryptography. Each z Systems processor core has a dedicated co-processor that delivers cryptographic and hashing capabilities in support of clear-key operations. This is known as the Central Processor Assist for Cryptographic Functions (CPACF).

Just when you thought all of this was enough, z Systems also offer a cryptographic acceleration feature dubbed Crypto Express5S. This feature provides a state-of-the-art tamper-resistant cryptographic co-processor for secure-key operations. IBM z Systems are the only commercially available systems certified under the Common Criteria at Evaluation Assurance Level (EAL) 5 for their Logical Partitions (LPARs).

These features alone become increasingly vital as the number of transactions continues to grow in the mobile world, all while helping protect sensitive transactions and minimizing business risk and client exposure. It isn’t often that a single solution can ensure end-to-end privacy and protection of data and transactions.

LinuxONE: a Trustworthy Ally in the Data Center

Driving the Hybrid Cloud platform is the recently announced line of Linux server technology, LinuxONE (2015). LinuxONE is an enterprise-grade system that supports a variety of Linux distributions including Red Hat, SUSE and Ubuntu. Today, LinuxONE is offered in two versions: the business-class Rockhopper and the enterprise-class Emperor.

FIGURE 2. IBM LinuxONE Emperor and Rockhopper (Image courtesy of IBM.)

LinuxONE offers users an open solution so administrators and developers can choose the tools and applications they have grown to appreciate, and flexibly and efficiently deploy them to meet consumer demand at virtually limitless scale, with less complexity and lower costs. Users can unleash thousands of virtual machines and tens of thousands of containers at a fraction of the cost.

The Evolution of Linux on z: The earliest incarnations of Linux on z Systems date to as early as 1999, with a collection of patches submitted by IBM to the Linux 2.2.13 kernel. Some of those initial patches included object-code-only modules, but these eventually would be replaced by open-source modules. By the year 2000, a fully formed product was being distributed by IBM around this architecture.

In 2001, these patches were adapted to the then-experimental 2.4 kernel. It did not take long for commercial Linux distributors to introduce support for z Systems in their respective Linux distributions. For example, in 2002, Red Hat redistributed this kernel as part of Red Hat Linux 7. With wider visibility and support, the codebase would continue to mature. During the past two decades, the distribution has taken on different identities, each with its own name, but today, we refer to it simply as Linux on z. Fast-forward to the present, and Linux on z is completely free and open-source software licensed under the GNU General Public License (GPL).

Note: the z Systems architecture is designed to run multiple operating systems, including z/OS and Linux on z.

Virtualization at Its Finest: LinuxONE re-defines large-scale Linux deployment where virtualization is a requirement and supports a variety of Linux distributions including Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and Canonical’s Ubuntu. LinuxONE is a responsive service delivery platform capable of provisioning new virtual Linux servers in seconds. LinuxONE Emperor can scale up to 8,000 virtual machines (or VMs) or tens of thousands of containers in a single footprint. This is significantly more than any other Linux system on any other existing hardware platform.

FIGURE 3. A Sample of z System Hypervisor Configuration

These virtualization capabilities are delivered by the Processor Resource and System Manager (PR/SM) Type-1 hypervisor and also by the well-known KVM and IBM z/VM Type-2 hypervisors. On z Systems, PR/SM runs on bare metal and carves out what are referred to as Logical Partitions (LPARs) to host single instances of operating systems (more on this below). In the second layer of virtualization, KVM and z/VM are more flexible, in that they can host multiple instances of operating systems, all capable of sharing resources within that same LPAR.

Simplified Application Deployment: IBM has natively enabled key open-source and industry-proven software for LinuxONE including Apache Spark, Docker, Node.js, MariaDB, MongoDB, PostgreSQL, OpenStack, Chef and more, all of which work seamlessly at greater performance on z Systems and require no additional skills to maintain. On a fully loaded z13 system, IBM benchmarks published spectacular results while performing 30 billion Representational State Transfer (RESTful) transactions a day using Node.js and MongoDB on Docker containers.

The best part of LinuxONE is that it brings a level of familiarity to developers and users already employing Linux technologies. The LinuxONE ecosystem enables organizations and DevOps specialists to port and/or migrate their applications with little to no effort or concern—and, they can do so in an environment that is known for its 100% uptime and completely reliable handling of transactions.

High Availability: Although the z Systems hardware boasts fault tolerance and high availability, further ensuring that the 100% uptime requirement is met, the software also has its own fair share of tricks up its sleeve. In LinuxONE, the majority of this heavy lifting can be accomplished with KVM. The KVM hypervisor has been optimized for the z architecture and continues to provide the standard Linux, KVM and OpenStack interfaces for management operations.

At the software layer, the goal of configuring for high availability is to provide continuous and uninterrupted service for sometimes critical business applications, all while masking both planned and unplanned outages. These include failures that may be a result of system crashes, network failures, storage issues and more. Downtime can cost a company time and resources and potentially a loss in business. The requirement for this is to identify any and all single points of failure and eliminate them by configuring redundant instances, sometimes even balancing the workload across these same redundant instances via a concept typically referred to as multipath. High-availability technologies are designed to detect failures automatically and recover from them immediately.

As mentioned earlier, a typical configuration usually consists of one or more z hosts sharing resources to the KVM host partition (that is, the LPAR). On z Systems, each KVM instance is hosted in the LPAR, and each KVM instance hosts one or more Linux guests from that same LPAR. Virtualized as a separate computer, the LPAR is a subset of a computer’s hardware resources. When one or more guest virtual machines or a z host suffers a failure, the virtual machine(s) immediately become active on the same or an accompanying z host.

Remember, LinuxONE will inherit the full z Systems RAS, hardware/firmware recovery, error checking (in message logs for inconsistencies and anomalies), near-real-time diagnostics (to help identify and correct potential problems) and so on. With systems such as these, the majority of the time, hardware failures will be unnoticeable to the operating system and its applications.

Hybrid Cloud: Setting a New Standard

A new phenomenon in the cloud computing industry, the hybrid cloud provides a mixture of on-premises, private and public cloud services, with transparent and seamless access across all platforms. In the case of IBM, this seamless connectivity across all implementations is facilitated by OpenStack and enabled by IBM Bluemix.

OpenStack: If you haven’t heard of it already, you definitely are behind the times. OpenStack is an Apache-licensed open-source framework designed to build and manage both public and private clouds. Its interrelated components control hardware pools of processing, storage and networking resources that all can be managed through a Web-based dashboard, a set of command-line utilities or through a RESTful Application Program Interface (API). The primary goal of OpenStack was to create a single and universal framework to deploy and manage various technologies in the data center dynamically. Originally started in 2010, the project has since grown exponentially and has attracted a large number of supporters and users, and if you haven’t realized it by now, this includes IBM. OpenStack is integrated into the IBM Cloud Manager and is offered for KVM and z/VM for z Systems.

All components of OpenStack are designed and deployed around a modular architecture, which simplifies configuration and management. Each major component focuses on one particular grouping of technologies. For instance, all virtual machines are managed under the compute component referred to by the codename Nova; all block-level storage, Cinder; object storage, Swift; networking, Neutron; and the list goes on.

VMs hosted on z Systems can be managed with VMware through the same OpenStack API. This makes it an ideal solution for pre-existing VMware shops, where they do not need to maintain a separate and parallel management environment.

Although OpenStack exports and publishes its own unique API, the project does strive to maintain compatibility with competing APIs, which include Amazon’s Elastic Compute Cloud (EC2) and S3 (via Swift3), and also the Google Compute Engine (GCE). The idea is to allow developers to migrate their technologies from competing ecosystems into OpenStack with little effort.

IBM Bluemix: It should come as no surprise that more and more leading companies are moving IT workloads from local data centers into the cloud. Why wouldn’t they? It reduces overall costs (hardware, power, labor and so on), simplifies infrastructure management, enables elasticity and allows digital ecosystems to grow or shrink dynamically to accommodate demand. And, the best part is companies still are able to maintain a certain degree of control over what’s considered theirs. At the end of the day, this shift toward the cloud provides adaptability. Workload trends are never constant and always are subject to change. And although most cloud deployments offer a fair share of resources and adaptability, not all are created equal. This is where IBM begins to shine with its hybrid cloud, placing a greater emphasis on security.

Bluemix is the IBM Platform as a Service (PaaS) solution running in the cloud and hosted by the IBM SoftLayer Infrastructure as a Service (IaaS) offering. It can be a lot to take in, I know. Bluemix’s objective is to enable developers to build and deploy applications easily by re-using existing components and services, resulting in the reduction of custom code. This is just a fancy way of saying that it caters to DevOps. Bluemix supports several programming languages, including Java, Node.js, Go, PHP, Python, Ruby Sinatra and Ruby on Rails.

Security, Security, Security: Bluemix sends requests to and from z Systems through secured connections. These are accomplished through a series of options: the IBM DataPower Gateway, Secure Connectors and the IBM Secure Gateway for Bluemix.

Available in both physical and digital forms, the DataPower Gateway features high availability, failover load balancing, message security, data conversion and so on. It has been optimized to process XML and RESTful Web services more efficiently. It also enhances cloud and on-premises security through its own built-in cryptography engine. The DataPower Gateway can be managed by an API.

Secure Connectors establish a protected line of communication between the cloud-hosted Bluemix applications and on-premises systems. Secure Connectors come in two forms: the Standard (Cast Iron) Connector and via the DataPower Gateway. The simplest is the Standard Connector. It is software-based and acts as an intermediary between a Bluemix application active in the cloud and the back-end z System. The secure connection is established from the Bluemix application, which then connects to the on-premises system securely. Remember that API I spoke of earlier for the DataPower Gateway? This is where it truly can come into play. Through this API, the DataPower Gateway can be more than a standalone appliance and act as a connector endpoint.

Based on bidirectional Web sockets, the IBM Secure Gateway for Bluemix is a Bluemix service that creates secure tunnels between Bluemix applications in the cloud and back-end resources. Aside from secure connectivity, this service also provides traffic monitoring and local endpoint mapping to on-premises applications and data resources. These features all can be managed from a dashboard. The Secure Gateway client is provided by IBM as a Docker image that can run on on-premises Linux systems.

Another method by which data residing on a z/OS system can be accessed securely is through a function called z/OS Connect. Built on top of the Liberty Profile server runtime, z/OS Connect is a software function for z/OS and serves as an enabler of connectivity between mobile environments and back-end z/OS systems. It’s very lightweight and dynamic, and it also provides a RESTful API and accepts JSON data payloads. z/OS Connect is configurable, giving you control of what back-end programs or applications are exposed and accessible.

Application-Level Security in Bluemix: At the end of the day, all data should be treated as critical data, and often it is not enough to access that data via a secure connection through a secure tunnel. Bluemix takes the extra step by providing more security services at the application level.

For instance, consider IBM Mobile Application Security for Bluemix. This feature helps protect applications and data by preventing unauthorized users and devices (this includes stolen and compromised devices) from accessing critical information.

Another feature is the OAuth 2.0-supported IBM Advanced Mobile Access for Bluemix, which is a protocol that enables users to log in using identity providers like Facebook, Google and so on. Advanced Mobile Access OAuth tokens provision access at deployment time. Nothing is embedded into application code.

A third form of application-level security offered by Bluemix is Single Sign-On (SSO), which supports identity sources from a Security Assertion Markup Language (SAML) enterprise user registry, a cloud directory hosted in the IBM cloud or the same social identity sources using OAuth 2.0.

Unleash the Next Generation of Cloud Applications: The support for open standards like XML, JSON (JavaScript Object Notation) and REST is what makes this hybrid model truly powerful. Fortunately, for things like this, IBM hosts a complete API ecosystem and has transformed the way businesses develop APIs for their applications accessing IBM solutions. This ecosystem is marketed as the API Economy.

For those less familiar, an API is what glues services, applications and entire systems together. Typically, an API acts as a public persona for a company or a product by exposing business capabilities and services. An API geared for the cloud can be invoked from a browser, mobile application or any other Internet-enabled endpoint.

The purpose of the API Economy is to provide platforms, tools, resources and, most important, an entire community to enable enterprises in building and publishing to the existing API ecosystem that can be shared with potential partners or future customers.

Completing the Puzzle

The biggest selling point of the hybrid cloud using IBM’s z Systems technologies is that it potentially can lower the total cost of ownership by as much as 60% over three years when compared to that of a traditional public cloud, while gaining the additional benefits of added security and resiliency.

Virtualization is key to enabling this hybrid cloud. It allows for minimizing the over-provisioning of resources and, in turn, re-using them at the end of the virtual server lifecycle. This is another area where z Systems truly shine, allowing users to run as many virtual machines of whatever operating system as they require.

Apart from the raw computing power, if you recall from earlier, IBM z Systems can speed up the compression and encryption of sensitive datasets through their zEDC and CPACF co-processor features. Offloading the compression of Apache Spark Resilient Distributed Datasets (RDDs) or Docker containers frees CPU cycles to perform other functions. Couple these z Systems with IBM’s public and private cloud offerings and unleash their full potential with Bluemix. Whether you purchase from IBM or bring your own hardware, implementing a world-class hybrid cloud is at your fingertips.

The best part is that all of these layers can be managed from the IBM Cloud Manager with OpenStack. So, if you are looking to deploy a hybrid cloud solution, IBM will cover you 100%, from end to end.
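Added example, not from the guide or from IBM: a check that a Linux on z guest is actually getting the CPACF clear-key acceleration described in the Security section, rather than silently falling back to software crypto. It assumes the s390x kernel reports the CPACF facility as the msa flag in /proc/cpuinfo and registers CPACF-backed algorithms with "-s390" driver names in /proc/crypto; both /proc samples are constructed.

```python
"""Check that a Linux on z guest really uses CPACF for its crypto (added example).
Assumes the s390x kernel reports the CPACF facility as the "msa" flag in
/proc/cpuinfo and registers CPACF-backed algorithms with "-s390" driver names
in /proc/crypto. Both samples below are constructed, not captured.
"""

# Constructed /proc/cpuinfo excerpt from an s390x guest.
SAMPLE_CPUINFO = """\
vendor_id       : IBM/S390
features\t: esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx
"""

# Constructed /proc/crypto excerpt: blank-line separated "key : value" records.
# For one algorithm name the kernel prefers the highest-priority driver.
SAMPLE_CRYPTO = """\
name         : sha256
driver       : sha256-s390
module       : sha256_s390
priority     : 300

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-s390
module       : aes_s390
priority     : 402

name         : chacha20
driver       : chacha20-generic
module       : kernel
priority     : 100
"""

def cpu_features(cpuinfo):
    """Return the facility flags listed on the 'features' line."""
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "features":
            return set(value.split())
    return set()

def has_cpacf(cpuinfo):
    """CPACF is present when the Message-Security-Assist flag is reported."""
    return "msa" in cpu_features(cpuinfo)

def parse_proc_crypto(text):
    """Split /proc/crypto into a list of {key: value} dicts, one per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def active_drivers(records):
    """Map each algorithm name to the driver the kernel will actually select."""
    best = {}
    for rec in records:
        name, driver = rec.get("name"), rec.get("driver")
        if name and driver:
            prio = int(rec.get("priority", "0"))
            if name not in best or prio > best[name][1]:
                best[name] = (driver, prio)
    return {name: driver for name, (driver, _) in best.items()}

def cpacf_report(cpuinfo, proc_crypto):
    """Report CPACF presence and which algorithms the kernel serves from it.
    CPACF is clear-key only: keys stay in guest memory, and secure-key work
    needs a Crypto Express adapter, which this check does not cover."""
    drivers = active_drivers(parse_proc_crypto(proc_crypto))
    hw = sorted(n for n, d in drivers.items() if d.endswith("-s390"))
    sw = sorted(n for n, d in drivers.items() if not d.endswith("-s390"))
    return {"cpacf": has_cpacf(cpuinfo), "hardware_backed": hw, "software_only": sw}
```

On a real guest, pass the contents of /proc/cpuinfo and /proc/crypto to cpacf_report; an algorithm listed under software_only is one whose keys and data never touch the co-processor, whatever the hardware offers.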
