Self-Service::Stand-Alone Single Channel application pattern::Product mappings=z/OS

Overview

With this stand-alone topology, requests from the Internet must first pass through a firewall to get into the internal network. In this case the firewall provides the basic protection of the internal network against intrusion and therefore acts as both a protocol and domain firewall.

The presentation logic of the application is provided by a single Web application server node. The business logic is implemented on the Web application server. User information, needed for authentication and authorization, is stored in the directory and security services node, also located behind the firewall in the internal network.

Stand-Alone Single Channel::Product mapping=z/OS

[Figure: Stand-Alone Single Channel application pattern, Product mapping for z/OS. Nodes shown: User, Domain Name Server, Web Application Server, Database, Directory and Security Services, Public Key Infrastructure, Protocol Firewall.]
Design last updated: 2-25-2004

By using a Web server redirector node, we can place the majority of the business logic in the internal network, placing it behind two firewalls. The redirector is implemented using the IBM HTTP Server and WebSphere Application Server Web server plug-in. The redirector serves static HTML pages and forwards requests for dynamic content to a WebSphere application server using the HTTP protocol.

With this Product mapping, you only need one logical partition on a z/OS server. Both presentation and business logic are executed on that system image. In this Product mapping, the system image is implemented with z/OS 1.4.

Since we are using a single system image, all nodes reside in the internal network. A single firewall is used to perform both the protocol and domain firewall functions. There is no DMZ represented. Since z/OS provides very effective program and hardware isolation, it is feasible to use the z/OS Firewall Technologies that come with z/OS either on the same system image, or on a separate system image.

The Web application server is required to provide both the Web server node functions and the application server node functions. The Web application server is implemented using IBM WebSphere Application Server for z/OS V5.0 and is configured with the HTTP Transport Handler.

The HTTP Transport Handler is lightweight HTTP management code that provides a significant performance advantage. The Transport Handler runs in the control region of the WebSphere application server instance, dispatching requests to the EJB containers that provide the Web application business logic. The performance comes at a price, however. Much of the traditional support found in Web servers (for instance, the ability to recognize different browsers) does not exist in the Transport Handler. This is because enterprises are relegating the traditional Web request handling to servers closer to the edge of the enterprise. Because the handler can expect that the customer request has been filtered by some other server, it does not need the extra code. In this case, the protocol firewall filters the requests to block malformed requests from reaching the Transport Handler.
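
As an added example (not code from the original page or from IBM), here is the kind of front-end request filtering that the Transport Handler relies on the protocol firewall or an edge server to perform: a small Python check that rejects malformed or oversized HTTP/1.x request heads before they are forwarded. The allowed methods, the size limits and the sample requests are constructed assumptions for the demonstration, not z/OS Firewall Technologies settings.

```python
"""Added example (not IBM's code): a front-end HTTP request filter of the kind
the protocol firewall or an edge server is expected to apply before traffic
reaches the lightweight HTTP Transport Handler.  It rejects malformed or
oversized HTTP/1.x request heads and says why, so the back end only sees
well-formed requests.  Limits and sample requests are constructed."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: what the application serves
MAX_HEADER_BYTES = 8192                     # whole header block, assumed limit
MAX_HEADER_COUNT = 50                       # assumed limit

# Header names must be RFC 7230 tokens; the version must be HTTP/1.0 or 1.1.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_VERSION = re.compile(r"^HTTP/1\.[01]$")


def _has_control_chars(line: str) -> bool:
    """True if a line contains a control character other than horizontal tab."""
    return any((ord(c) < 0x20 and c != "\t") or c == "\x7f" for c in line)


def check_request(raw: bytes):
    """Return (True, None) if the request head is acceptable, else (False, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    if len(head) > MAX_HEADER_BYTES:
        return False, "header block too large"
    # A bare LF inside the head means mixed line endings, which different
    # parsers interpret differently; refuse rather than guess.
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in header block"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header block"
    if any(_has_control_chars(line) for line in lines):
        return False, "control character in header block"

    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(" ")
    if len(parts) != 3 or not all(parts):
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method}"
    if not _VERSION.match(version):
        return False, "unsupported HTTP version"
    if not target.startswith("/"):
        return False, "request target must be an absolute path"
    # Reject dot segments outright instead of normalizing them here: the
    # back end's path handling is not something the filter should second-guess.
    path = target.split("?", 1)[0]
    if ".." in path.split("/"):
        return False, "dot-segment in request target"

    if len(header_lines) > MAX_HEADER_COUNT:
        return False, "too many headers"
    seen_host = False
    for line in header_lines:
        name, colon, _value = line.partition(":")
        if not colon or not _TOKEN.match(name):
            return False, f"malformed header line: {line[:40]!r}"
        if name.lower() == "host":
            if seen_host:
                return False, "duplicate Host header"
            seen_host = True
    if not seen_host:
        return False, "missing Host header"
    return True, None


# Constructed sample requests for the demonstration.
GOOD = b"GET /catalog/item?id=42 HTTP/1.1\r\nHost: shop.example\r\nAccept: */*\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BAD_LINE_ENDINGS = b"GET / HTTP/1.1\nHost: shop.example\n\n"
BAD_TARGET = b"GET /static/../config HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BAD_HEADER = b"GET / HTTP/1.1\r\nHost: shop.example\r\nX Bad: 1\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("BAD_METHOD", BAD_METHOD),
                      ("BAD_LINE_ENDINGS", BAD_LINE_ENDINGS),
                      ("BAD_TARGET", BAD_TARGET), ("BAD_HEADER", BAD_HEADER)]:
        print(name, check_request(req))
```

The filter deliberately refuses anything it would otherwise have to guess about (mixed line endings, dot segments, non-token header names) rather than repairing it, because a front-end component that normalizes input differently from the back end is exactly the mismatch the Transport Handler is not built to cope with.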

Authentication and authorization in the z/OS environment are handled using Resource Access Control Facility (RACF®) or a combination of RACF and LDAP. For smaller environments RACF alone is sufficient, but with a large number of users the combination of RACF and LDAP is recommended. At the application level, authorization is done using the J2EE security model (role mapping). WebSphere uses the Trust Association Interceptor (TAI) for policy definition and to perform lookups in RACF.
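
To make the role-mapping step concrete, here is an added Python model of J2EE declarative authorization (not WebSphere's own code): security constraints bind URL patterns and HTTP methods to application roles, a deployment-time mapping binds roles to directory groups such as RACF groups, and a lookup table stands in for the RACF or LDAP query that WebSphere would make. All role, group, user and URL names are constructed for the example. The model also shows the servlet default that unconstrained resources are open, which is why every protected path needs an explicit constraint.

```python
"""Added example (not WebSphere's code): a model of J2EE declarative
authorization as used at the application level in this pattern.  Security
constraints bind URL patterns and HTTP methods to application roles; a
deployment-time mapping binds roles to directory groups (RACF or LDAP
groups); a lookup table stands in for the directory query.  Every name
below is constructed for the example."""

# web.xml style constraints: (url-pattern, methods or None for all, allowed roles).
# An empty role set is the servlet-spec way of saying "nobody", which is how a
# resource is taken offline without removing it.
CONSTRAINTS = [
    ("/account/*", None, {"customer", "teller"}),
    ("/admin/*", None, {"administrator"}),
    ("/internal/*", None, set()),
]

# Deployment-time role-to-group mapping (what the deployer binds, not the code).
ROLE_TO_GROUPS = {
    "customer": {"WEBCUST"},
    "teller": {"BRANCHTL"},
    "administrator": {"WEBADMIN", "SYSPROG"},
}

# Stand-in for the directory: principal -> groups.  In the z/OS mapping this
# answer would come from RACF (or RACF plus LDAP), not from a dict.
DIRECTORY = {
    "alice": {"WEBCUST"},
    "bob": {"BRANCHTL"},
    "carol": {"SYSPROG"},
}


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style URL patterns: '/prefix/*', '*.ext', or an exact path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def roles_for(principal):
    """Map the principal's directory groups to application roles."""
    groups = DIRECTORY.get(principal, set())
    return {role for role, grps in ROLE_TO_GROUPS.items() if groups & grps}


def authorize(principal, method: str, path: str):
    """Return (allowed, reason) for an authenticated principal (None if anonymous).

    Resources no constraint covers are open.  That is the servlet default, so
    every protected path needs an explicit entry in CONSTRAINTS."""
    applicable = [c for c in CONSTRAINTS
                  if pattern_matches(c[0], path) and (c[1] is None or method in c[1])]
    if not applicable:
        return True, "no constraint covers this resource"
    roles = roles_for(principal)
    for pattern, _methods, allowed in applicable:
        if not allowed:
            return False, f"{pattern} is denied to everyone"
        if not roles & allowed:
            who = principal or "anonymous user"
            return False, f"{who} holds none of {sorted(allowed)} for {pattern}"
    return True, f"granted to {principal} via {sorted(roles)}"


if __name__ == "__main__":
    for who, method, path in [("alice", "GET", "/account/balance"),
                              ("alice", "GET", "/admin/users"),
                              ("carol", "POST", "/admin/users"),
                              ("bob", "GET", "/internal/metrics"),
                              (None, "GET", "/help.html")]:
        print(who, method, path, authorize(who, method, path))
```

Keeping the role-to-group binding separate from the constraints is the point of the J2EE model: the application only ever names roles, and the deployer maps those roles onto whatever RACF or LDAP groups the enterprise already maintains, so a reorganisation of groups never requires an application change.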

In this Runtime pattern, scalability can be extended with the use of a sysplex configuration. Horizontal scalability can be achieved by using multiple application server instances on up to 32 system images.

User Node

The user node is most frequently a personal computing device (PC) supporting a commercial browser, for example, Netscape Navigator and Internet Explorer. The browser is expected to support SSL and some level of DHTML. Increasingly, designers need to also consider that this node might be a pervasive computing device, such as a Personal Digital Assistant (PDA).

Domain Name Server (DNS) Node

The DNS node resolves the symbolic address (the host name in the URL) of the requested information to its physical network address. It provides the technology platform for host-name-to-IP-address mapping, that is, it translates names into IP addresses and vice versa.

Additional Resources

  • (in English) ESS

Web Application Server

A Web application server node is an application server that includes an HTTP server (also known as a Web server) and is typically designed for access by HTTP clients and to host both presentation and business logic.

The Web application server node is a functional extension of the informational (publishing-based) Web server. It provides the technology platform and contains the components to support access to both public and user specific information by users employing Web browser technology. For the latter, the node provides robust services to allow users to communicate with shared applications and databases. In this way, it acts as an interface to business functions, such as banking, lending, and HR systems.

The node can contain these data types:

  • HTML text pages, images, multimedia content to be downloaded to the client browser
  • JavaServer Pages
  • Application program libraries, such as Java applets for dynamic download to client Workstations

Database server node

This node's function is to provide persistent data storage and retrieval in support of the user's online buying transactions.

Customer related data that is stored is relevant to the specific business interaction, for example, the shopping cart and shipping address information. Some sites are registering users and storing customer profile data such as address, clothing sizes, preferences, and gift wish lists that others can access when buying presents. Most sites today do not store credit card information on this server for security reasons.

Also stored here is the product and catalog information used to dynamically build HTML pages for presentation during the shopping process.

The mode of database access is, in all but the simplest cases, the most important factor determining the performance of this Web application. The recommended approach is to collapse the database accesses into a single call or a very few calls, which can be achieved by coding stored procedures on the database and invoking them from the application. Typically many commerce servers share a single database server in a high-volume site, so the technology used to implement this node must be able to scale vertically.
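
As an added example, not taken from the page, the following Python script makes the round-trip argument measurable: it builds a constructed in-memory SQLite shopping-cart schema and computes a cart total once with a query per cart line and once with a single joined statement, counting statements with sqlite3's trace callback as a stand-in for calls to the database server node. A stored procedure on the database server would package the single-statement form in the same way; the schema, products and prices are constructed.

```python
"""Added example (not IBM's code): why the mode of database access dominates
performance.  Two ways of computing a shopping-cart total are compared on a
constructed in-memory SQLite schema: one round trip per cart line versus a
single joined query.  Statements are counted with sqlite3's trace callback,
standing in for network round trips to the database server node."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed catalog and cart data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE cart_line(cart_id INTEGER, product_id INTEGER, qty INTEGER);
        INSERT INTO product VALUES (1, 'jacket', 8900), (2, 'scarf', 2500), (3, 'gloves', 1900);
        INSERT INTO cart_line VALUES (7, 1, 1), (7, 2, 2), (7, 3, 1);
    """)
    return conn


class StatementCounter:
    """Counts every SQL statement the connection executes."""

    def __init__(self, conn: sqlite3.Connection):
        self.count = 0
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, _sql: str) -> None:
        self.count += 1


def cart_total_chatty(conn: sqlite3.Connection, cart_id: int) -> int:
    """One query for the lines, then one query per line (N+1 round trips)."""
    total = 0
    lines = conn.execute(
        "SELECT product_id, qty FROM cart_line WHERE cart_id = ?", (cart_id,)).fetchall()
    for product_id, qty in lines:
        (price,) = conn.execute(
            "SELECT price_cents FROM product WHERE id = ?", (product_id,)).fetchone()
        total += price * qty
    return total


def cart_total_single(conn: sqlite3.Connection, cart_id: int) -> int:
    """Everything the page needs in one statement; a stored procedure on the
    database server node would package this the same way."""
    (total,) = conn.execute("""
        SELECT COALESCE(SUM(p.price_cents * c.qty), 0)
        FROM cart_line c JOIN product p ON p.id = c.product_id
        WHERE c.cart_id = ?""", (cart_id,)).fetchone()
    return total


def compare(cart_id: int = 7) -> dict:
    """Run both strategies on the same cart and report totals and statement counts."""
    conn = make_db()
    counter = StatementCounter(conn)
    chatty_total = cart_total_chatty(conn, cart_id)
    chatty_calls = counter.count
    counter.count = 0
    single_total = cart_total_single(conn, cart_id)
    return {
        "total_cents": chatty_total,
        "same_result": chatty_total == single_total,
        "chatty_calls": chatty_calls,
        "single_calls": counter.count,
    }


if __name__ == "__main__":
    print(compare())
```

With three cart lines the chatty version issues four statements and the single version one; the gap grows with every line in the cart, and in production each extra statement is a network round trip to the shared database server rather than an in-process call.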

Directory and security services node

The directory and security services node supplies information on the location, capabilities, and attributes (including user ID/password pairs and certificates) of resources and users known to this Web application system. This node can supply information for various security services (authentication and authorization) and can also perform the actual security processing, for example, verifying certificates. In most current designs this node authenticates access to the Web application server part of the Web server, but it also authenticates access to the database server.

Public Key Infrastructure (PKI)

PKI is a system for verifying the authenticity of each party involved in an Internet transaction, protecting against fraud or sabotage, and for nonrepudiation purposes to help consumers and retailers protect themselves against denial of transactions. Trusted third-party organizations called certificate authorities issue digital certificates -- attachments to electronic messages -- that specify key components of the user's identity. During an Internet transaction, signed, encrypted messages are automatically routed to the certificate authority, where the certificates are verified before the transaction can proceed. PKI can be embedded in software applications, or offered as a service or a product. e-business leaders agree that PKIs are critical for transaction security and integrity, and the software industry is moving to adopt open standards for their use.

Domain firewall node

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

  • Screening routers (the Protocol Firewall)
  • Application gateways (the Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Domain Firewall is typically implemented as a dedicated server Node.

Protocol Firewall Node

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Protocol Firewall is typically implemented as an IP Router.
