Gen EDGE


Security (encryption of critical data from offhost to host)

  • 1.  Security (encryption of critical data from offhost to host)

    Posted Sep 02, 2016 10:34 AM

    Hi Everyone,

    This is related to an application created using the CA Gen tool V8.0. It has a desktop component (GUI screens, generated in C) and it connects to the mainframe using the CICS Multi Socket Listener, where it interacts with DB2 tables and VSAM files using the CA Gen generated COBOL modules. To connect to the server, we have a CA Gen product installed on the desktop called Client Manager, which helps to configure the various details such as the server IP name and port number to which it needs to connect, user ID/password details for the mainframe, etc.

    We would like to understand:

    • How is the crucial data (such as user IDs, passwords, customer data) encrypted/decrypted over the network in this solution?
    • Are there any standard built-in functions available on the client and server side to encrypt/decrypt the data?
    • If not, how is this solution deployed for various clients, as security of data over the network is of utmost importance for every client? Does each client have their own algorithms, or are there other alternatives available for implementing a standard security process by CA?


    Any help on this would be appreciated.

    Thanks,

    Vikas Garg



  • 2.  Re: Security (encryption of critical data from offhost to host)

    Posted Sep 02, 2016 11:11 AM

    Hi Vikas, we had a similar question about encrypting data between client and server. There are exits for encryption/decryption on the client side (the WREXITN exit in C; for Client Manager there must be one as well) as well as on the server side (the TIRSLEXT exit for the CICS Multi Socket Listener, in Assembler).

    But if you need an algorithm doing this and the algorithm itself is not secured as well, this is not a secure solution, because it can be hacked. We tried to do it with certificate exchange, but there is no support for that in Gen C/S using TCP and CFB. So we desisted from such a solution. Instead of Gen exits we chose tunneling, so the whole CFB data is encrypted, not only the credentials. Certificates can be exchanged. On the client side you can use a tunnel software tool for that, and on the mainframe this function is integrated in the z/OS Communications Server component (AT-TLS). We have measured no performance issues using a tunnel.



  • 3.  Re: Security (encryption of critical data from offhost to host)

    Posted Sep 06, 2016 12:57 AM

    Hi Christos,

    I really appreciate your reply, and it looks like you have built an enhancement specific to your application. In my view, I would have assumed support for such security would be provided by CA. The product might be getting used by many companies all over the world, and it should provide a way to securely transmit data over the network that meets international standards (without the need for everyone else to write their own algorithm for doing the encryption/decryption).

    Is there any place on this community where we could raise this enhancement request for this product?



  • 4.  Re: Security (encryption of critical data from offhost to host)

    Posted Sep 07, 2016 07:33 AM

    Enhancement requests and the like are submitted in the form of Ideas here in the Edge community group. They are then voted on by the community. CA uses that data to determine if there is enough interest in a particular item for them to consider it in a future release.

    Someone correct me if I am wrong on this.



  • 5.  Re: Security (encryption of critical data from offhost to host)



  • 6.  Re: Security (encryption of critical data from offhost to host)

    Posted Sep 29, 2016 05:47 AM

    Thanks Darce. I have posted this as an idea in the Idea community (link below). Please see if you like the idea and are happy to vote for it.

    Inclusion of Encryption algorithm in the CA GEN Product - F27588



  • 7.  Re: Security (encryption of critical data from offhost to host)

    Posted Oct 04, 2016 07:08 AM

    Hi Christos,

    We are currently also investigating the possible use of tunneling for encryption of our CA Gen traffic between the Client Manager and the mainframe. IBM, Cisco and AT&T are involved, but could not deliver a plausible solution yet.

    I'm interested in hearing more specifics of your solution.

    - Which software are you using on the client side?

    - Is this software running in the background, or does the user need to start a VPN client?

    - Is it necessary to implement user certificates on the mainframe?

    - What needs to be done on the mainframe to activate the connection?

    - How many users / applications are you tunneling in this way?

    - Do you have any information on the effect of this traffic on your CPU performance on the mainframe?

    You can contact me at Werner.Spreeuwenberg@nn-group.com.

    Regards - Werner Spreeuwenberg



  • 8.  Re: Security (encryption of critical data from offhost to host)

    Posted Oct 05, 2016 04:52 AM

    Hi Werner,

    Regarding your questions:

    - Which software are you using on the client side?

    A: We are using the open source software stunnel. But you can choose any other tunnel software.

    - Is this software running in the background, or does the user need to start a VPN client?

    A: The stunnel software is not running in the background. But we have the stunnel client integrated into the application start window that summarizes the Gen clients. So the user does not have to do anything explicitly.

    - Is it necessary to implement user certificates on the mainframe?

    A: No. You can do it if you like, but then you have to manage client certificates on the mainframe, respectively in RACF. That is a lot of management work.

    - What needs to be done on the mainframe to activate the connection?

    A: Please ask your mainframe system programmer and look up the IBM manuals. At least you have to implement the server certificates in AT-TLS and activate the secure tunnel connection for the specific ports you want to use for that.

    - How many users / applications are you tunneling in this way?

    A: About 1000 users for about half a dozen Gen client applications.

    - Do you have any information on the effect of this traffic on your CPU performance on the mainframe?

    A: Yes, there is no effect. We could not find any problems with traffic increase, performance or CPU usage.
    In performance tests we measured less than 0.1 second additional response time per client/server call compared to without a secure connection. For us this is good enough, because it does not affect end users.

    Regards, Christos



  • 9.  Re: Security (encryption of critical data from offhost to host)

    Posted Oct 05, 2016 05:23 AM

    Thanks Christos.



  • 10.  Re: Security (encryption of critical data from offhost to host)

    Posted Oct 05, 2016 05:36 AM

    Additional hint on your question about what to do on the mainframe:

    Define these secure ports for your CICS regions and start a separate Gen socket listener on each CICS listening on this secure port. You can run more than one TCP listener on each CICS, so you can run your application with and without the tunnel on the same CICS. This may help to build up and test your solution, and could also help the migration process.
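As an added illustration (not from the thread, and not CA's or the stunnel project's own configuration), a constructed stunnel.conf for the client-side tunnel described in replies 8 and 10: the Client Manager is pointed at the local loopback port instead of the mainframe, and stunnel forwards the CFB traffic over TLS to the AT-TLS secured listener port of the CICS region. The hostname, ports and certificate file names are placeholders.

```ini
; Constructed example stunnel.conf for a Gen client workstation (not from the thread).
; mainframe.example.com, port 3443 and site-ca.pem are placeholders for your site.
foreground = no
debug = 4
output = stunnel.log

[gen-cics-secure]
client = yes
; Plaintext endpoint the Gen Client Manager is configured against.
; Bound to loopback only, so the unencrypted leg never leaves the workstation.
accept = 127.0.0.1:3000
; AT-TLS secured port of the separate Gen socket listener on the CICS region
; (the secure port defined for the region, see reply 10).
connect = mainframe.example.com:3443
; Verify the mainframe server certificate against the site CA and check that
; the name matches, so the RACF user ID and password are only sent to the
; genuine endpoint. No client certificate is needed (reply 8 uses server
; certificates only).
verifyChain = yes
CAfile = site-ca.pem
checkHost = mainframe.example.com
sslVersion = TLSv1.2
```

The non-secure listener on the region is useful while building and testing the tunnel, as reply 10 notes; once all clients run through stunnel, an assumption here is that the plaintext port is closed or firewalled so credentials cannot fall back to the clear.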



  • 11.  Re: Security (encryption of critical data from offhost to host)

    Posted Nov 30, 2016 02:57 AM

    Hi Christos,

    I need to get additional information on the mainframe part. Can you contact me at werner.spreeuwenberg@nn-group.com? Regards - Werner



  • 12.  Re: Security (encryption of critical data from offhost to host)

    Posted Oct 28, 2016 03:17 AM

    I need to know the exact actions that need to be implemented on the mainframe for the AT-TLS part. If someone has these details, please contact me via werner.spreeuwenberg@nn-group.com.

    Regards - Werner