The Mainframe Magna Carta
The promise and reality of the IBM Mainframe Charter and Statements of Integrity
11/20/2013 1:01:01 AM
By Gabe Goldberg
As a break from reading industry trade magazines or the z/Architecture Principles of Operation manual (now more than 1,000 pages!), mainframers might briefly peruse a few key IBM documents that continue to set rules and expectations for their platform of choice. Regarding one of them, the CertificationPath website asks:
“Which of the following is true about IBM’s Mainframe Charter?”
It then lists several plausible answers. However, if your best guess would have been that the Mainframe Charter evolved from the better-known Magna Carta (Latin for Great Charter), forced upon England’s King John during the pre-mainframe era (also known as the Dark Ages), read on.
In brief, the Mainframe Charter recaps why and how, for almost 50 years, successive IBM system generations have built and improved upon the initial System/360. It promises:
• Provide leadership in innovation
• Maintain the System z position as the benchmark for a flexible, efficient and responsive platform
• Improve System z autonomic and self-managing capabilities
• Enhance the value proposition and lower the cost of System z computing
• Extend on-demand characteristics of System z servers
• Increase accounting for allocation and use of System z resources
Foster a Community
• Support programs fostering vitality in the System z community
• Provide skills and expertise to assist customers
• Leverage key open standards and common structures
Practice Makes Perfect
In practice, these three principles have yielded impressive results. For example, in terms of innovation, the mainframe has seen:
• zEnterprise hybrid computing
• z/VM technology enabled for OpenStack support, Live Guest Relocation, HiperDispatch and 1TB memory
• zEnterprise Analytics System 9700/9710, IBM DB2 Analytics Accelerator, DB2 11 for z/OS for integrating insights from Hadoop Big Data
• Mobile capabilities through IBM Worklight for mobile development and runtime environment, CICS JSON support, Endpoint Manager, Cognos Mobile
• Security innovations such as Crypto Express4S (PKCS#11 and EMV support), EAL 5+ security certification, Trusted Key Entry, and Enterprise Key Management Foundation Solution
Likewise, the mainframe delivers value to the tune of:
• Improved specialty engine price/performance of 20 percent (zEnterprise EC12) to 27 percent (zEnterprise BC12)
• Doubled ratio of zIIPs/zAAPs to general-purpose engines
• Maintained competitive software rating for zBC12 and zEC12 from previous technologies, improving price/performance 20-27 percent for distributed software
• Discounted existing z/OS and z/VSE software curves an average 5 percent
• Competitively priced new functions, including IBM System z Advanced Workload Analysis Reporter (IBM zAware), Flash Express, zEnterprise Data Compression (zEDC) and RDMA (Remote Direct Memory Access) over Converged Ethernet (RoCE)
• The Solution Edition strategy aggressively prices hardware/software/maintenance bundles for new workloads and applications
• Maintained entry-level pricing for the 50 MIPS midrange entry at the level of the previous 26 MIPS entry across the IBM system stack
• Consolidated 62 percent more Linux workload on zBC12 than previous zEnterprise 114
And in terms of the mainframe community, recent trends include:
• Expanding the ISV community with new investments in innovation centers for test/development on the latest System z hardware
• Growth of the third-party solution portfolio to 7,400-plus applications, with more than 380 new and upgraded applications across z/OS and Linux
• Adding 55 ISV partners in the first half of 2013
• The IBM Academic Initiative System z reached its 10th anniversary with almost 1,100 schools in 67 countries, a jobs board and Enterprise Computing Community based at Marist College
• Stable and growing social media communities and trade publications
• User groups such as SHARE, customer councils such as zBLC (with more than 40 clients) and a zNew Customer Council
Opinions diverge strikingly regarding the charter, however. Some see it as soothing nerves of data centers concerned about mainframe longevity; one even used it to fend off the efforts of a new CIO to do away with the mainframe. Others in the trenches think it makes no difference.
Beyond the Charter, Commitment to System Integrity
While the Mainframe Charter promises ongoing system innovation, value and community, Statements of Integrity provide real-world assurance that critical z/OS and z/VM exposures are promptly remedied. Barry Schrager, founder and first project manager of SHARE's Security Project, notes that system integrity is the foundation for z/OS stability and security.
The MVS System Integrity Statement, issued in 1973 and updated for OS/390 and z/OS, has stood for four decades as a symbol of IBM's confidence in and commitment to z/OS.
This document—reaffirmed for z/OS Version 2—mandates design, development and support practices that prevent unauthorized application programs, subsystems and users from bypassing z/OS security. That is, they must not be able to illicitly or covertly tinker with key z/OS system processes and resources. More specifically, z/OS system integrity prevents programs not authorized by an installation control mechanism from circumventing or disabling store or fetch protection, accessing resources protected by the z/OS Security Server (RACF), or obtaining control in an authorized state.
When z/OS system integrity problems are reported, IBM resolves them. IBM's long-term commitment to system integrity—unique in the industry—underlies z/OS industry leadership in system security and protects customer systems, data, transactions and applications from accidental or malicious modification.
Similarly, z/VM design and coding guidelines aim to maintain system integrity throughout z/VM development. But since perfect integrity can't be certified, IBM accepts APARs describing exposures to z/VM system integrity, or problems encountered when VM software not authorized by customer control introduces an exposure to system integrity. IBM continues enhancing z/VM integrity and responds promptly to identified exposures.
The z/VM system integrity definition specifies that unless authorized by a customer control mechanism, a program running in a VM cannot:
• Circumvent or disable the control program’s real or auxiliary storage protection
• Access resources (e.g., VMs, minidisks and terminals) protected by an external security manager (ESM), such as RACF
• Access control program password-protected resources
• Obtain control in real supervisor state or with privilege-class authority or directory capabilities greater than those assigned
• Compromise any guest OS that itself has system integrity, through any z/VM control program facility
An example of proper and prompt VM integrity problem resolution was—many years ago—my reporting that under IBM's then-popular VM OfficeVision product, sharing a document could execute arbitrary system commands in a recipient’s VM. The simple solution was changing the Document Composition Facility’s default to not execute commands embedded in documents.
for System z Security/Integrity APAR information helps z/VM and z/OS customers track security and system integrity fixes and provides associated Common Vulnerability Scoring System (CVSS) V2 ratings for new APARs. Though not covered by a statement of integrity, z/VSE security is addressed here.
While opinions vary on these venerable but current documents, they have value: IBM business partners report customers occasionally requesting them and using them for leverage with management, in contrast to other vendors that are less explicit. Former IBMer Bob Rogers notes that he never fails to mention the integrity statement as something unique and wonderful about the mainframe platform.
Gabe Goldberg has developed, worked with and written about technology for decades. He can be contacted at firstname.lastname@example.org.