Are you running Linux Workload on System z partition ? If yes, then how much time did you spent to bring up the workload. The answer should be not in quick time(~days, ~week). Isn't it ?
Usually to bring up a workload, you should have followed this way,
- First install Linux on z partition
- Manually install the middle ware(DB2, Oracle, Websphere, Apache..etc) and application executables(such as .war, .rar etc)
- Configure the middle ware and applications
- Run the application and now it is ready
It is not over yet, when you want to upgrade the application to a new version to support new features/functionalities, the associated components(Linux OS, middle ware) sometimes have to be upgraded in order to provide new support and avoid the incompatibility issues. So the upgrade has to start right from OS, middle ware and applications.
So how to improve the User experience here? The answer is build and deploy as a Software Appliance and to be more specific as IBM z Systems Appliance.
IBM z Systems Appliance
It is an integration of Operating System, Middle ware and Software components that work autonomously and provides core services and infrastructure focusing on consumability and security.
Secure Service Container Framework (SSC)
Secure Service Container is an infrastructure to build, deploy and manage IBM z Systems Appliance i.e. provides the base infrastructure needed to create an integrated Software solution: operating system, middleware, SDK and firmware support. The appliances built using SSC will be hosted on a special partition called SSC partition.
- Provides simplified mechanism for fast deployment and management of packaged solutions
- Provides tamper protection during Appliance installation and runtime
- Ensure confidentiality of data and code running within the Appliance – both at flight and at rest
- Management provided via Remote APIs (RESTful) and web interfaces
- Enables Appliances to be delivered via distribution channels
SSC Security Protection
- No System admin access.
- Once the appliance image is built, OS access (ssh) is not possible.
- Only Remote APIs available
- Memory access disabled
- Encrypted disk
- Debug data (dumps) encrypted
- Strong isolation between container instances i.e. Based on LinuxONE EAL5+ protection profile
How a Software Appliance is loaded inside SSC
1. Firmware bootloader is loaded in memory
2. Firmware loads the software bootloader from disk
- Check integrity of software bootloader
- Decrypt software bootloader
3. Software bootloader activate encrypted disks
- Key stored in software bootloader (encrypted)
- Encryption/decryption done on the flight when accessing appliance code & data
4. Appliance designed to be managed by remote APIs only
- REST APIs to configure Linux and apps
- No ssh (allowed only in dev mode)
Managing SSC based Software Appliance inside SSC partition
SSC provides the below infrastructure management functions for an appliance so that the appliance team can focus only on the application development and leverage SSC's inbuilt capabilities for appliance management.
- Life cycle
Finally, Secure Service Container saves the deployment and life cycle management of an appliance when compared to the manual way of installing the application and its dependencies individually on Linux on z partition. And most importantly SSC security features ensures that the appliance image cannot be tampered and loaded at any given point in time and the appliance code, data is protected/confidential at both flight & at rest.
Disclaimer: The contents published here are my understanding of Secure Service Container and its internals and does not represent IBM's view or strategy about the product.