The Internet, System 390, and Serious e-Business Trimming Clients and Tiers Down to Size Bill Carico, President ACTS Corporation Rt. 2 Box 188 Kingsland, TX 78639 Phone: 915-388-3525 Fax: 915-388-6127 E-mail: bcarico@actscorp.com   Version: 1.2.1 Published March 1997 Ó Copyright 1997, ACTS Corporation Notice: Names of products and companies used herein are trademarks or registered trademarks of their respective holders. Preface and Executive Summary:  As the worlds of business computing and cyberspace collide, companies are realizing there is a vast difference between business tools and cyber toys. Stated another way, there is a big difference between spending a day at the beach versus making your living at sea. Just as oceanic oil exploration is different from surfing the ocean's waves, so setting up for e-business (electronic commerce) is different from browsing the Internet or sending e-mail.  Executives Are Wondering  Companies must take a hard look at which hardware platforms and software suites are best suited to handle their e-business workload. With the rapid rate of change and the rapid introduction of new technology, it may appear difficult to predict where the Internet is going. The endless news reports about web TV, network computers, the remake of Microsoft Network, and the capacity woes of America Online, have executives everywhere wondering where it will all lead. This paper will attempt to answer such questions from the vantage point of that large enterprise or organization with even larger-scale computing needs, and examine how IBM has positioned the S/390 family of servers to attract new applications from the emerging Internet/intranet application spectrum.   In a Nutshell  In a nutshell, enhancements to IBM's S/390 family facilitate server consolidation of distributed platforms, the primary benefits of which are derived by eliminating tiers (i.e. separate application server, security server, data server) from a multi-tier architecture, and eliminating steps during development of web applications. This will not only appeal to the S/390 install base, but also attract new customers to S/390 who are concerned about issues like scalability, availability, and security, to name a few.  Scope  For the sake of brevity, this paper reviews S/390 as a web server primarily from the vantage point of OS/390 customers, though many of the general comments about S/390 may also apply in whole or in part to VM/ESA (VM). Additional information about VM is included in Appendix A.  Definitive Issues  To anticipate market trends sometimes it is best not to focus on the tools, but rather the business processes enabled by the tools. As far as the Internet is concerned, the definitive issues will be the economics of the Internet more so than the underlying technology. Internet technology will work its way out, eventually, while the economics dictate the exact nature, direction, and timing of the changes. So at a higher level, this paper will offer insights as to how the economics of the Internet must change to accommodate the demands of e-business, hopefully offering some clarity as companies undertake to plan their own Information Technology (IT) strategies.   The Internet, System/390, and Serious e-Business Trimming Clients and Tiers Down to Size  Introduction  E-business is about getting to market faster, reaching further, globally expanding the business base, while simplifying the point of contact with customers, partners, and suppliers. Much like traditional business applications, e-business is about using information technology to streamline how a company interacts with its marketplace.  Cyberspace commerce is definitely on the rise, but it has a long ways to go before it achieves "premier marketplace" status. Yet forward-thinking companies are prudently and aggressively staking their claim as Internet e-business opportunities present themselves.  Poor IT Track Record  Similarly, IT organizations around the globe are seldom known for providing premier service in developing new applications. Worse, many have the reputation of being non-responsive, even obstructionist. Companies with a poor track record of IT accomplishment have every reason to be concerned as they venture onto the Internet.   Regardless of the track record, companies should take note that a high percentage of business data and operational systems already reside on their IBM, Amdahl, or Hitachi Data Systems (HDS) mainframes. As a matter of fact, IBM boldly claims that as much as 2/3 of the world's business data resides on System/390 (S/390) mainframes. Thus, customers are wise in asking "Is S/390 relevant to my Internet/intranet plans?" The question is important because getting at that business data is important. This question is not just coming from IBM's S/390 install base, but also from various companies running their businesses on UNIX who want to conduct serious business over the thus-far unreliable Internet.   Positioning S/390  IBM's goals for S/390 as it relates to the Internet can be summarized in two parts. First, for the S/390 install base, IBM has adapted Internet-based technology to run on S/390 where a vast amount of business applications and data already reside. Second, they want to attract new customers to S/390 who are using traditional UNIX-based systems. The success of both strategies largely depends on IBM's ability to establish S/390 as a viable web server platform. Turning S/390 into a growth platform relies on the latter goal, and a close-up look at one large retailer using UNIX reveals why S/390's prospects are promising.   Planning Ahead  "You can't do commerce on something you can't rely on," states Bill Finefield, referring to the Internet. Mr. Finefield is CIO at the Navy Exchange Service Command (NEXCOM), a large customer of both Hewlett Packard (HP) and Oracle. "My sources tell me that on average one Internet brown-out occurs daily east of the Mississippi river!" NEXCOM is a $1.7 billion retailer serving the personnel and retirees of the US Navy. Finefield's comments convey his skepticism that NEXCOM can generate a high-volume of sales from Internet commerce anytime soon, but he knows it's wise to plan ahead. NEXCOM's initial e-business goal is to put a catalog online.  In Search of Scalability  Beyond reliability Finefield is also concerned about scalability, because unknown capacity demands go hand-in-hand with doing business on the net. Many retirees from the Navy live in middle America where no Navy Exchange outlets exist, so the Internet holds great promise to unite buyer and seller in cyberspace. A successful e-business strategy could greatly enhance NEXCOM's global reach and ultimate profitability. Because NEXCOM's audience is restrictive, customers must be validated and provided with a secure method for placing orders. This will require integration with existing systems, so the challenge is to knit together all the separate pieces into a cohesive system.  Avoiding Dead-Ends  Considering their emerging data warehouse and plans for Internet commerce, Finefield said NEXCOM certainly wants to avoid any unexpected dead-ends within their existing technology infrastructure. Thus he has his staff looking at technology needs into the 21st century. They are currently preoccupied trying to measure the scalability limits of Hewlett Packard's UNIX (HP-UX), Oracle database software running on HP 9000 T520, and future generation HP processors in their ability to handle NEXCOM's emerging applications. An over-crowded development plate weighted-down further by Year 2000 work means there's not much room for missteps or false starts, much less room for an expensive mid-stream migration to a new server architecture if NEXCOM were to unexpectedly hit the ceiling of their current environment. Therefore Finefield is looking longer term, and wants to know if workload demands will force them onto a larger server, such as IBM's S/390, that can deliver the scalability assurances that NEXCOM insists on.  Responsible Leadership  Mr. Finefield is quick to point out that a responsible CIO is a technologist who demands that business value drive the use of technology, and resists rushing into unproven yet popular technology fashion-trends. He also knows from first-hand experience that all computer architectures are not created equal. In a former job as Administrator at a US Department of Defense (DOD) regional site, Finefield stated, "We reduced one application's run-time by 75% by moving it from a large UNIX-based server to a low-end Amdahl mainframe running UTS [Amdahl's version of UNIX], equipped with only a fraction of the processor horsepower, but with more I/O bandwidth than the former platform."  The Price of Popularity  Finefield's concerns are certainly legitimate as companies are faced with the unknown capacity demands of new web applications. A popular web-site can quickly experience traffic congestion as numbers of users soar, leading to a huge appetite for web-server capacity and bandwidth on both Local Area Networks (LANs) and Wide Area Networks (WANs).   In addition, users who benefit from a successful application typically demand more and more new web applications, which, in turn, feeds the need for more content and more data sources. Stated another way, if e-business takes off, the network pipes must be scalable, and the web application server must be scalable to handle traffic and/or content explosion. As America Online can testify from over subscribing their resources to the point where users couldn't access their service, it can be very damaging to have capacity and availability problems that are highly visible to customers.   Reversing Server Proliferation  S/390-based systems and products will play a key role as cyberspace becomes less of a free-for-all and begins to take on the characteristics of a viable commercial marketplace. Companies are learning that the piecemeal approach to IT leads to the proliferation of many brands and numbers of servers (infrastructure variation), while creating islands of automation with low overall value to the organization.  Recentralization  Infrastructure variation is the toughest cost-driver to manage, so companies are re-centralizing controls and consolidating servers in an attempt to deal with IT chaos. An IDC survey of 50 Canadian companies confirmed twice as many companies centralizing servers as decentralizing servers.  While large companies may get by for a while using distributed computing solutions on a small scale under light to moderate workloads, as workload grows, distributed systems ultimately become scattered systems and either hit their scalability ceiling, or become unmanageable. At this juncture customers inevitably begin what ACTS calls the "re-centralization phase" of their distributed systems project - typically a salvage operation of a poor design. Many disappointed companies who underestimated the complexity of a distributed computing environment have shed many tears over their multi-tier systems. While they may have appeared fashionable at the time, too many systems proved not to be functional, and common show-stoppers were limited scalability, higher-than-expected costs, and inability to manage.   Server Versatility  Long Term Phenomenon  Consequently, IBM mainframe sales have thrived at the time many were predicting its demise. A 1996 study from Trish Information Services, of Hayward CA surveyed 100 mainframe shops with at least 200 MIPS of installed capacity and found that 87% plan to add more mainframe capacity; and 79% expect renewed demand to be a long term phenomenon.     Modern S/390  A closer examination reveals the modern S/390 is a versatile server well positioned at the crossroads of many converging technologies. Boiling it all down, by reducing the amount of distributed data, and keeping data and applications closer together to reduce data movement, using S/390 as a web server allows customers to leverage their existing investment in applications and data as they add Internet/intranet applications to their portfolios. This means that Internet web browsers can access CICS, DB2, IMS, VSAM, and DL/1. For example, DB2WWW allows direct access to DB2 databases from the web or from intranets.   In addition, S/390 is an application server capable of running UNIX and Windows NT server applications alongside traditional core-business applications. It supports Object-Oriented program development. S/390 is a multi-protocol network server capable of managing all levels of network access from desktop to data center across both public and private networks. Also, MQSeries provides a native gateway to the Internet that allows for simplified message transmission. S/390 is also a data server and a video server, handling databases, data marts, data warehouses, and supporting audio and graphics as data types.   The Real Issue  In light of S/390's capabilities, examine closely the motives of anyone who would suggest that a move to client/server or a move to the web means a move away from the mainframe. Recognizing that the S/390 mainframe is a modern and legitimate server, now the only real issue can be discussed: what type (size/architecture/cost) of server best suits the requirements of the application?  IBM's Big Secret  Chris Ouellette, a technology director of a leading insurance and financial services company in Boston, likes to refer to an S/390 web server as IBM's big secret. "Trying to sell S/390 as a web server inside a company is hard to do because S/390 gets so little publicity. On the other hand, at every turn people hear 'Microsoft this...' and 'Microsoft that...' It's easier to adopt Microsoft products because they clearly dominate mind-share," says Mr. Ouellette. In his former job at Harvard University, he developed a web site on S/390 (www.systems.harvard.edu) to provide information on the management of networks and systems owned by university departments. "It's really a no-brainer to turn S/390 into a web server when the data is already there, because the product is so straightforward. It's a very simple process to bring data into a web screen. IBM just needs to get the word out better," he added.    Following the Trends  Intranets  In corporate circles, short term attention has been focused on building "intranets" - which are basically internal computer networks that run Internet web software. According to a February 1997 report, "Intranets in the Enterprise" from Xephon, Ltd. of Berkshire, England, 1997 will be a year of explosive growth for the intranet market. Based on the 228 responses from IBEX, Xephon's worldwide panel of large computer users, a whopping 73% expect to have an intranet running by the end of 1997. Indeed, two-fifths of all respondents already have one in place, with Windows NT in use on 3 out of 5 existing intranet servers.     Clear Progression  Longer term, the next step for companies is to figure out how to avoid the perils and cash in on the economic promise of the public Internet. As web applications are introduced, a clear progression exists, though timing differs greatly by company and industry. For example, simple web sites make company information available for browsing. The next step is to add function where customers can interact with the web site, obtain service, and offer feedback. The step beyond that is to handle electronic commerce and support key business processes, something very few companies have been able to master.   Using the Internet    A 1996 Ernst & Young/InformationWeek Information Security Survey reported the most popular uses of the Internet are for sending e-mail, doing file transfers, and web browsing. Of the 1320 participants surveyed, one-third of the respondents indicated they are using the Internet for the external exchange of important business correspondence or information. The skeptic reports this number as "only one-third" while the promoter reports this number as "already one-third."    Hold Your Cyber-Horses  Any visitor to the web will come across Internet-based electronic commerce applications here and there - e.g. order a book, purchase a ticket, track a package, buy some stock, even buy a car. Yet thus far the only companies making serious money from the Internet gold rush are those selling tools to prospectors. A 1996 Deloitte & Touche Consulting Group poll of 1442 CIO's worldwide reported less than one in twenty do business on the Internet now and one in eight plan to do so in the future. Respondents pointed to security concerns, limited development resources, and having no solid business justification as reasons for holding back.  Before e-business becomes mainstream, Internet servers and applications must evolve to satisfy stringent business requirements for availability, satisfactory and consistent response time, security, reliability, and quality, all the while limiting a company's liability. This is a rather demanding set of requirements that will not be addressed overnight, and could take years to establish depending on the industry.   Trimming the Client  Also impacting time to market will be the platform and tools a company chooses to set up shop on the web. Economics are once again shifting in favor of centralized design, as indicated in the following article: Computerworld, 10/28/96, Kim Nash: "Intranets trip over client/server apps"   "Looking for an application to convert to an intranet? Those old-time mainframe programs may be better candidates than newfangled client/server systems. Mainframes are getting a new lease on life as intranet servers...Client/server...doesn't fit well in the intranet world for the following reasons: - there is too much application logic on the client side - platform specific coding isn't easily translated - client/server tools vendors lag in adding web features to their products. Moreover, the model that made client/server appealing - moving chunks of application logic from big mainframes to desk tops and using smaller, cheaper, server machines - doesn't cut it in an intranet world, several users said." This article highlights important economic realities that people are gradually starting to discover. Where budgets are lean and resources are in short supply, CIO's are returning to the proven age-old model of server-centric and thin-client computing.  Bloatware  This trend is being fueled by at least three major realizations. First, as PC applications have matured and stabilized, upgrades may provide only a marginal amount of additional function. Therefore users are seeking relief from a vicious cycle - running larger applications that require faster processors that run larger applications that require faster processors...and so on. The unflattering term "bloatware" is used to describe bulging PC operating systems and application software that consume disk, memory, and processor resources but offer little or no value in return.   Second, corporations are seeking relief from support costs. Wherever PCs are used in large quantities, the incremental costs of managing numerous different software applications resident on thousands of PCs has proven expensive and unmanageable.  Third, more and more companies are no longer willing to have the high-paid professionals who use PCs waste their precious time installing, fiddling, piddling and tweaking PC hardware and software. At the same time, PC users have recognized that numerous aspects of PC use are non-productive distractions.  Thin Clients  Therefore, many companies are adopting thin clients to avoid the spending-intensive strategy that is necessary to support fat clients. A thin client can be an X-terminal, a Network Computer (see below), a non-programmable terminal, and perhaps a sealed (stripped-down) PC. Any user not fully utilizing the PC or workstation, which can represent a high percentage of users in some companies, becomes a great candidate for using a thin client.  In summary, savings using thin clients are realized by escaping from the bloatware merry-go-round of continual software migrations and hardware upgrades, drastically reducing administrative and support costs, and by freeing users to concentrate on more productive tasks.   The Universal Client  Consequently, hope for an economic breakthrough is once again being re-kindled by the vision of any web-client accessing any web-server. If web-based products become the building blocks for new applications, it simplifies the hardware and software needed on the client device. It follows that the selection of Internet browser software becomes more strategic than choosing the desktop hardware and operating system to run it on. Even more so, the desktop only has to be able to run the browser, and can become more streamlined, letting the web-server take on an extended role.  The universal client has been dreamed about for some time, primarily because of the administrative nightmare trying to manage the quantity of and diversity among desktop systems. The universal client runs software that makes access to business information consistent across all clients, whether fat or thin.  Network Computers  A universal client simplifies the complex by eliminating the debate over desktop standards, and the hope is that browsers can become the universal client. Thus far the notion has sent a shock wave throughout the industry. IBM, Oracle, Sun Microsystems, and many others are, or will be, offering a Network Computer (NC) that is basically designed to run browser software, and support a graphical display monitor.  Microsoft recanted its public disdain about the NC, by joining with Intel 10/28/96 to announce a specification, or reference platform, for a stripped-down PC called NetPC. Sun has already expanded its plans, and will enable its Java programming to run on the PC's DOS. This will allow older 486 PCs to be rejuvenated and used as NCs.   Economic Advantages  The NC's economic advantages are gained by providing a maintenance-free client, reducing the cost of system administration and end-user operational involvement. Network computers rely on scaled-down operating systems that can be downloaded from a server, if necessary. The network servers provide all of an NC's systems management and storage management needs.  Without a floppy disk, CD-ROM, and hard drive, NC hardware can cost less than 1/2 of the initial investment for a PC. That's just for starters. Savings will continue to accrue as the NC cuts on going maintenance and management costs, which can run as high as 80% of the total cost of PC ownership. In many companies, the economic case for thin clients will make their use inevitable. The transition will only be slowed by cultural and political factors. Wherever management is calling the shots, like in a McDonalds restaurant where the tools have been designed for the task, NCs will be quickly embraced (McDonalds employees use information technology, and it is not multi-media PC's).  More Predictions  Contrary to this prediction is a finding in the aforementioned Xephon IBEX survey, that seven in ten sites surveyed expressed no intention of using network computers (NCs) rather than PCs. In fact, only 8% envision NCs replacing PCs in the long term. What is not known is whether these people have done a legitimate evaluation of the NC and rejected it, or whether the response is from lack of familiarity, or worse, echoing the views of those opposed to the NC.   On the consumer side, NCs will compete against the Internet set-tops that are arriving on the scene rather than PCs. Internet response time doesn't compete with corporate intranets, so consumers are very likely to choose PCs over NCs. Consumers also have other options. Video game consoles can double as set-top boxes that will let families surf the Web on TV over phone lines or cable. TV makers are building wide-screen TVs that double as high-resolution monitors. In addition, electronics companies are readying a new generation of personal digital assistants that will provide low-cost, mobile access to the Internet. Corporate users could use such devices to tap company databases.  Tier Trimming  Some may accept the notion that the firewall is on a separate box from the web server which is a separate box from the proxy server, etc. Such practices, which come from the worlds of UNIX and Windows NT where servers are often dedicated to a given application or task, are fueling the server-consolidation trend. Unless security requirements preclude it, (see security discussion below), people should challenge the reasoning of those who would choose to use an SNA gateway, such as Microsoft's SNA Server or any other SNA gateway for that matter, as a go-between for communications with the mainframe. Simply stated, if the alternative is to connect directly with the mainframe, why not eliminate a go-between altogether? A direct connection eliminates the cost of a gateway, reduces the path length which improves performance, and reduces the number of points of failure which improves reliability and availability. The logic is similar to that used by air travelers, who prefer to fly non-stop to their destination rather than choosing travel routes that require a change of planes at intermediate stops. As the S/390 Web Server gains acceptance, look for more and more companies to be shedding tiers. A thorough economic comparison generally favors fewer tiers of servers rather than more.   Such reasoning prevailed at the Texas State Comptrollers Office. With numerous AIX web servers on RS/6000s already in place, they have established OS/390 as yet another web server "basically to eliminate a tier of the traditional three-tier architecture," notes Ralph Hutchins, System Analyst and one of the project's leaders. "We have approximately 2 Terabytes of DB2 data on our Hitachi Data System's Skyline box, so we are beta testing IBM's Net.Data product for OS/390 and will use the DB2 Gateway to web-enable SQL access for the databases." When asked what has been the biggest difficulty so far, Mr. Hutchins replied, "The culture shock for died-in-the-wool system programmers to work with UNIX."  Trimming Three Tiers  Stephane Boisvert, S/390 Network Computing and Applications Sales Manager for IBM Canada Ltd., frequently reviews plans for new web-based applications with customers. "One bank was considering a 5-tier architecture - a browser to a gateway to a web server to an application server to their S/390 IMS-based banking system," says Mr. Boisvert. He explains that IBM is attempting to educate customers that a successful web application will quickly take on a life of its own, attract a large number of users, who in turn will create demand for increasing amounts of data. The question he posed to the bank was, "Why not reduce points of failure and improve performance by eliminating three tiers?" A two-tier design, i.e. browser to S/390 server, moves data closer to the application and eliminates data movement between servers. "We challenged them to consider one other important point," says Mr. Boisvert, "that a successful home banking application will eventually be expanded to offer new services, and need access to alternative sources of information, the majority of which already resides on S/390."    Managing the Environment  As e-business becomes serious business, web servers must be transformed because companies simply will not put customer confidence and satisfaction at risk. Availability will quickly become the number one issue for e-business web sites, because when the server is down, customers will be forced to stay away. If performance is bad, customers will choose to stay away. Security is only relevant when customers are connected and want to conduct business.   Availability  When comparing web-servers, any technology cost/benefit analysis should account for the cost of outages in terms of lost business productivity. S/390 offers near-continuous availability. IBM reports Mean-Time-Between-Failure of 12 years for water-cooled ES/9000 mainframes, and 20 years for 2nd generation CMOS mainframes. HDS Skyline falls between these two points and is rapidly improving, having only been out one year. Beyond that, multiple S/390's and compatible machines can also be configured into a parallel sysplex, offering continuous availability. Also, data integrity, near-immediate recoverability, and contingency plans for disaster recovery are also standard service deliverables for the S/390 platform.   Performance  Performance is a multi-faceted dynamic. It not only means rapid response time, but scalability as well. The ability to scale to handle large loads is critical when the masses show up at a web site. Making the proper allowance for these factors greatly improves the chances for success. Planning capacity for new web-based business applications can turn into guesswork. The lack of measures, coupled with the lack of discipline that characterizes the at-large web user, means companies have no choice but to keep appropriate capacity in reserve to have a fighting chance of maintaining service levels necessary to keep web-customers happy during peak loads. If the user load is unpredictable and if there is no way to anticipate access patterns, traditional approaches to capacity planning are rendered useless. Large companies who do capacity planning and who heretofore have carefully timed their server upgrades must rethink their approach. IBM learned this first-hand during the Deep-Blue chess match, and again at the Olympics.  Integration  Also note that sophisticated business systems must be integrated properly. Those few IT failures that do get exposed suggest there are a lot of IT people who are talking shortcuts that ultimately lead to disaster. For example, one company spent millions of dollars trying to convert a warehousing, order management system from an antiquated Unisys mainframe to SAP's leading-edge integrated financial, distribution, manufacturing, cost accounting, logistics, sales, and human resources software running on HP and Oracle. Auditors later discovered that after just a few weeks using the new system, incorrect orders and excess shipments cost the company $15.5 million that could not be recovered.   What is the Moral of the Story?  When putting together effective business applications, it's not enough just to amass the correct building blocks - some assembly is required! Successful companies steadfastly adhere to the best-practices for system development and integration that have evolved over the last 30 years. These disciplines must also be adhered to when setting up for e-business, and experienced professionals should be assigned to develop web sites and applications.   Security Exposures  Any web server technology cost/benefit analysis should identify the risk/cost when computer security is violated. According to the Ernst & Young and InformationWeek study mentioned previously, inadvertent errors were the most frequently occurring cause of losses, followed by availability, internal and external malicious acts. Disruptive and/or financial losses from computer viruses plagued almost two-thirds of all organizations. The Internet brings new security risks that must also be addressed.  Firewalls  Firewalls are mechanisms that can be set up to restrict transaction and data flow between private networks or intranets and the public Internet. Firewalls can vary significantly from one vendor to the next in terms of feature/function.  Ironically, one of the biggest drawbacks to using S/390 as a web server stems from one of S/390's biggest advantages - that it is such a robust server capable of running a wide variety of applications. When public Internet web applications are added to S/390, all other TCP/IP-based applications using the same TCP/IP stack cannot be protected by a firewall. Security compromise is by no means a given, but a new exposure now exists from the standpoint that Internet traffic is now co-mingled with other traffic using the same TCP/IP stack. This means that hackers can attempt whatever known techniques they use to invade TCP/IP sites. This doesn't mean such attempts can penetrate security on S/390, but it does mean companies can likely expect unwelcome hackers.  S/390 customers can minimize or eliminate this exposure by running their Internet applications on a separate TCP/IP stack from their intranet applications, which could ultimately lead to using two separate operating systems. Running multiple operating system images obviously consumes more system resources and increases costs. The separate system could run on an entirely separate box, in a physical partition, in a Logical Partition (LPAR), or as a separate virtual machine if using VM. Such configurations keep TCP/IP traffic separate and allow firewalls to once again regulate traffic between systems.  Secure Transmission  In a similar vein, opening a private network to the public Internet puts information at risk. Once information is sent across the Internet, it is "out in the open." While some may criticize the Internet for not providing better protection when transmitting confidential information, note that the US military and government intelligence agencies have used the Internet for secure transmissions for decades. Even in private networks the transmission layers focus on information delivery, and other components deal with the broader issue of security.  These concerns stem from the fact that there is no control over how a specific information payload is routed, therefore putting that information at greater risk to unauthorized access. A technique known as tunneling is one method of securing this information. Tunneling is performed by firewall devices at the sending and receiving network nodes. The firewall at the sending node takes the information to be transmitted and encapsulates it into encrypted packets before transmission. The process is reversed by the firewall at the receiving node.   Mail Bombs  Beyond concerns about viruses and unauthorized viewing, hackers can have a serious impact on Internet performance. Simple things like mail bombs can wreak havoc. Mail bombs clog a site so as to interfere with the flow of legitimate information, in effect denying service to users at that site. Computerworld's web site featured these headlines: "New York 'net service under attack" on 09/13/96. The teaser subtitle read: "New York's oldest Internet service provider is under siege by hacker." The news brief went on to report  "New York's oldest Internet service provider is under attack by an unknown hacker and may shut down if the attack doesn't end soon. Public Access Network Corp., or Panix, has been besieged since Sept. 6 by a barrage of 'mail bombs.' Mail bombs are queries sent every few seconds to the company's mail, news and World Wide Web servers that ultimately overload the system. Because the Internet is designed to allow computers to talk to each other with little identifying information, it is virtually impossible to track such anonymous mailings. The only way to end the attack is to shut down a service altogether or enlist the help of other service providers around the country to track down the hacker." Until these concerns are addressed, business users will confine critical computing to heavily secured, time-tested internal systems and intranets.  S/390 Security  On the positive side, S/390 is virus free (ACTS knows of no one writing a virus for MVS or OS/390) and known for its bullet-proof security features. Also, it makes sense if you already have bullet-proof security, to use it. John Lardinois is a systems programmer for the State of North Dakota, where the biennial legislature is meeting this year. A web site hosted on S/390 serves up legislative documents that allows the public and state legislators to view pages using a web browser. "We chose S/390 to be the web server because of high availability and its built-in RACF security," says Mr. Lardinois. "All state government employees on the mainframe already have user IDs and passwords known to RACF, so the web server simply makes a call to validate a user. This is easier than creating a UNIX server from scratch that could handle security for several thousand users. That would have been a formidable task," he added.   "In our discussions with the Legislative Resources Council (LRC) regarding the design and implementation of their web page, I raised the support issue," said Mr. Lardinois. "LRC originally wanted us to use [another vendor's] web server on an AIX/RS6000 platform, which meant there would have been two vendors providing support. I've 'been there, done that'. Finger-pointing is the name of the game, so having a single vendor for us to turn to for support is invaluable in a crisis situation," he said.  Mr. Lardinois went on to say, "The S/390 web site was real easy to create. We got the design of the web page by the end of December, and had it working by the second week in January. OS/390 is no different from UNIX. If you already know UNIX, OS/390 is transparent."  Potential Problem Areas  In addition to the aforementioned security concerns, there are several other potential problem areas or drawbacks to using S/390 as a web server. First, TCP/IP works fine under VM, so originally IBM ported the VM code to MVS OpenEdition. The result was a poorly performing TCP/IP stack under what is now OS/390. Some later revisions improved the situation, but IBM is actually rewriting TCP/IP specifically for OS/390. TCP/IP performance under OS/390 will remain a liability until the rewritten code is released, expected with OS/390 Release 4 in September. Until then, response time may or may not be a problem depending on what percentage of the overall transaction consists of TCP/IP processing. For example, poor TCP/IP performance can be masked by strong performance in other phases of the transaction, such as on the application or data delivery side. Customers are advised to check for performance problems in this area now, as well as verify all claims after the rewrite is complete.  Second, expect S/390 as a platform to lag IBM's, and other vendor's, UNIX platforms by a few months in terms of specific web server functional capability. Many of the features now on OS/390 are actually ports from the AIX version. This will improve as people begin to recognize that OS/390 is UNIX, and more vendors write OS/390 versions of their products.  Third, there is clearly a learning curve, perhaps culture shock is a better term, that people must deal with as they venture across the line from the S/390 world to the UNIX world, and vice versa. Implementers can expect resistance, and a higher-than-normal number of inadvertent mistakes while working with UNIX applications on S/390.  Lastly, the OpenEdition portion of OS/390 is relatively new. There have only been a few releases, and like all new products, customers discover what the developers missed. For example, one company said their Java applets wouldn't run at all, and IBM was looking into the problem. Consequently, users are wise to allow time during development to rigorously test applications.  One More Example From the Real World  Dana Corporation's Light Axle division of Ft. Wayne, IN, is a first-tier supplier to the Big Three automotive manufacturers. The company has it main business applications running on an S/390 Model 9672-R42 CMOS server under OS/390. The system supports 4,000 CICS sign-ons, and typically has 1,800 CICS users and 75 TSO users active concurrently. The system also processes a great deal of batch programs that support materials requirements planning for 10 manufacturing plants.  Early OpenEdition Adopter  As far as overall IT strategy goes, Dana Corporation once evaluated a wholesale move to UNIX, but concluded it was not practical in light of the volume of applications they have on S/390. Nonetheless, they still wanted to be able to grow into the UNIX arena, so they became an early adopter of MVS OpenEdition. "There were bumps in the road to overcome," according to Trey Bouslog, Manager of Technical Services, "such as learning to properly use ASCII to EBCDIC conversion utilities. Our biggest obstacle was simply the overall learning curve of meshing UNIX with MVS. It helped that we also use RS/6000s, because OpenEdition lines right up with AIX."  Impressing the Executives  OS/390 is installed now and has since become an intranet web server at Dana Corporation. "We had a very pressing need for executive information systems, so we developed a measurement system that allows executives to track a plant's financial performance," said Mr. Bouslog. "Executives are somewhat impressed that a 'mainframe' can participate in that arena. They are actually very pleased with the results, " he added.   Why not UNIX?  When asked why not just use another UNIX system as the intranet web-server, he replied, "The big plus is that S/390 has the I/O bandwidth needed to drive a web server. Beyond that, it was easier to use the Internet software that comes with OS/390 than buying 3 or 4 different pieces of software and trying to get them to communicate with each other. With 80% of the data already on the host, the majority residing in IDMS databases, it was also simpler to move the 20% of the data dispersed on network servers to the host. Another plus was that it all tied in well within our existing CA-Top Secret security scheme."  Mr. Bouslog briefly described how the executive information system gets at the data, explaining that the OS/390 web applications use Hypertext Markup Language (HTML) combined with Common Gateway Interface (CGI) scripts, plus the External Call Interface (EXCI) within the web server, and extract information using CICS to IDMS transactions, and the results are delivered back to the client system.  Looking Ahead  Explaining what is on the horizon, Mr. Bouslog said, "We are also looking to run Lotus Notes on S/390. Lotus Notes currently runs on standalone servers at the plant level, and the strategy is to use our central S/390 server to synchronize with outlying servers. By using S/390 as the main central server, we could easily integrate divisional data contained within Lotus Notes into our existing disaster recovery plan for the enterprise server."    Conclusions  Large corporations are cautiously sizing-up just how to become part of the universe of network accessible information, known as the world wide web, and channel it's potential into meaningful commerce that will enhance their ability to reach their target market.  Its one thing to promote business on the Internet with some fancy graphics, using many of the UNIX-based and Windows NT-based systems in place today, its another thing to use the Internet as the media where customers conduct business transactions. Today, very few companies are using the Internet for serious e-business.  Slowing Web Years New developments come rapidly in the Internet arena, so much so that practitioners proudly define a web year as 3 calendar months. Fine, but moving from brochureware to a mainstream electronic marketplace will inevitably cause the rate of change to slow significantly.   Business computer systems fall into two categories - production systems and development systems. Development systems can be changed regularly, and don't require the rigors to maintain compared to a production system. On the other hand, the majority of today's production systems are bullet-proof, large-system-based holding tanks for corporate information. Production systems just don't change that rapidly. Look for "web years" to lengthen and for the inexorable disciplines of production environments to dictate the rate of Internet innovation. Expect a move beyond brochureware to force significant changes in corporate approaches to deploying Internet-based services. The feature chase at the browser level will inevitably conform to a rate of change that can be tolerated at the production web-server level.   S/390 Web Server  IBM's S/390 is well positioned to provide the right economic strategy for many medium to large companies who are concerned about the security, resilience, and ability to handle volume that will be required of Internet/intranet applications. S/390 makes good economic sense to companies that want to leverage their existing investment in operational/production systems, have limited development resources and desire to leverage existing technical skills, support many departments or internal customers, provide access to large and growing repositories of information (data, graphics, audio, and video), and run server applications for UNIX and Windows NT alongside their traditional business systems.  Stake a Claim Now  Regardless of the speculation and hype, one thing appears certain: companies must stake a claim now to remain nimble and prepared to respond quickly as soon as that elusive window of opportunity opens. Getting properly positioned to compete on the Internet takes time and know-how, two very precious commodities that may be hard to find in Information Technology (IT) departments that have been ravaged by downsizing fads. Regardless, choosing the strategy, the software, and the hardware platform are all pressing decisions that will have long term implications. Netting it out, so to speak, the hardware platform a company chooses today will make a significant difference down the road.    Appendix A: What About VM?  VM is a very capable platform for running web applications. It is leaner than OS/390 and uses resources very efficiently. Especially on the smaller S/390 boxes, VM may be the better alternative. The VM marketeers at IBM are going after the office business with their web offerings, hoping to attract customers with a Network Station (under $500) running a web browser front end to OV.  IBM is relying heavily on business partners to develop web-based software for VM. For example, Beyond Software and Sterling Software have excellent products that provide Internet/Intranet access to OfficeVision (OV), (Macro4 of Sussex, England is also a web product supplier for VM). According to one heavily committed OV user, who requested anonymity, the tantalizing price per user of such a set up can run only $50/month, which means at that company it will cost less to provide OV support than phone support to a user's desk.  Customers should compare the cost of the VM alternative to others, such as using Lotus Notes servers and clients, but recognize that overall IBM is more committed to Notes.  Numerous IBM business partners are hosting their web sites on VM systems. As a general rule, customers can expect that web products appearing on OS/390 will follow on VM, and vice-versa. If IBM implements a JAVA virtual machine on VM/ESA, as has been discussed at technical conferences, that in conjunction with REXX would ease the development of web applications on VM.  In addition, IBM's VM group claims VM can serve as one of the best, most secure Internet firewalls available. Simply run one TCP/IP virtual machine connected to the internal network, and a second virtual machine connected to the public Internet. Data from the private side can be placed on a shared disk volume, and picked up by the Internet side for www viewing.   One large VM customer in the financial industry has a production web application on VM that has had millions of hits and has been visited by more than 80 countries. The technical overseer of the project noted that at first there was great internal political resistance to using VM on the web, but much of the opposition vanished when the VM application became a huge success. Now even more web applications are being developed on VM at the company.  Additional information on VM, may be found at www.vm.ibm.com. Specific Internet/intranet information can be found at www.vm.ibm.com/news/webstuff.html. Customer success stories/references/press/quotes/ are provided therein.  In the section "Who else runs VM web servers", are links to a partial list of web sites worldwide that run on VM. There is a another a list of "Powered by S/390" partners who have either S/390 Internet or Intranet. In order to be listed in the "Powered by S/390" list, companies have to be running on IBM S/390 hardware, have requested to use the powered-by logo on their page, and agreed to be in that list. As of 3/1/97, of the Internet sites listed, only the IBM S/390 Division and New Deal are MVS or OS/390, the rest are using VM.     About the Author  Bill Carico has over 20 years of experience in the computer industry. He is co-founder and president of ACTS Corporation, which specializes in consulting and education. Bill is an internationally recognized writer and speaker, and lectures frequently on strategic IT topics at courses and conferences all over the world.   Before founding ACTS Corporation, Bill worked for both Intel and IBM, giving him a unique perspective from which to understand the technical and marketing dynamics of the computer industry. His technical expertise encompasses the MVS, OS/390, PC/LAN environments, the Internet and distributed systems in general.   Bill is the primary course author of the highly acclaimed Technical Awareness Series, and author of the book Automated Operations: Accepting the Challenge. He has written numerous technical and management articles that have appeared in the trade press including Computerworld's Leadership Series and IBM's Trends in Technology Publication.   About ACTS Corporation  ACTS Corporation, has one main goal in serving our clients: to make them more successful. The proper use of technology leads to the successful use of technology, and our services and education are geared to help our clients choose and use the right technology. Why? Simply because successful Inormation Technology projects are the exception, not the rule. The industry needs more successes, and the track record shows that most organizations can use our help. Furthermore, the climate for workers in the computer industry is very stressful. Today, in both the public and private sector, people are relying more and more on IT to accomplish their objectives. Human resources are in short supply, and the complexity of technology is on the rise. Working with feelings of insecurity, uncertainty, and frustration are the norm as both management and workers wonder if their job will still be there next month. False starts, failed technology initiatives and year 2000 migration work all create additional pressures as precious financial and human resources are stressed to their limits. ACTS Corporation can help you ensure your resources are not squandered on failed IT projects. When IT projects are successful, organizations are more successful, and our clients stand a better chance of keeping their job, even getting promoted. Our track record at ACTS shows that we can make that kind of difference. For more information, please contact ACTS Corporation - Rt. 2, Box 188, Kingsland, TX 78639 Phone 915-388-3525 - Fax: 915-388-6127 - - (E-mail) mgordon@actscorp.com     Copyright © ,1997 ACTS Corporation