Internet
From a z/OS perspective, the Internet represents the global, publicly accessible network infrastructure that enables IBM mainframe systems and their applications to communicate with external systems, users, and cloud services using standard TCP/IP protocols. It facilitates the extension of mainframe capabilities beyond the traditional enterprise data center, allowing for modern web-based access, data exchange, and integration.
Key Characteristics
- TCP/IP Foundation: On z/OS, all Internet connectivity is built upon the TCP/IP protocol stack, managed by the z/OS Communications Server, which provides the necessary networking services.
- OSA Adapters: Physical connectivity to the Internet is typically achieved through Open Systems Adapter (OSA) cards, which are integrated network interface controllers (NICs) providing high-speed Ethernet connections.
- Standard Protocol Support: z/OS supports a wide array of Internet protocols, including HTTP/HTTPS, FTP/SFTP, SMTP, DNS, SNMP, and SSH, enabling seamless interaction with diverse external systems.
- Security Integration: Internet-facing z/OS systems leverage robust security features, including z/OS Security Server (RACF), IPSec, AT-TLS (Application Transparent Transport Layer Security), and firewall capabilities within z/OS Communications Server.
- High Availability and Scalability: Mainframe Internet connections benefit from z/OS's inherent high availability, workload management, and scalability, ensuring reliable and performant access to external resources.
Use Cases
- Web Serving: Hosting web applications directly on z/OS using components like CICS Web Support, z/OS HTTP Server, or WebSphere Application Server for z/OS to serve web pages and APIs to Internet users.
- Data Exchange and File Transfer: Securely transferring files to and from external partners or cloud storage using FTP, SFTP, or custom applications leveraging TCP/IP sockets.
- Email Services: Sending and receiving emails directly from z/OS applications using SMTP for notifications, reports, or integration with enterprise email systems.
- API Integration: Enabling z/OS applications (e.g., CICS, IMS, DB2) to consume or expose RESTful or SOAP APIs over the Internet, facilitating integration with cloud services, mobile apps, and partner systems.
- Remote Access and Management: Providing secure remote access for administrators and developers via SSH or TN3270 over TLS to manage z/OS systems from anywhere.
Related Concepts
Internet connectivity on z/OS relies heavily on the z/OS Communications Server, which provides the TCP/IP stack and the network services that enable it. Hardware such as OSA adapters is the physical gateway. Applications such as CICS, IMS, DB2, and MQ use this connectivity to extend their reach beyond the mainframe's traditional boundaries. Security mechanisms like RACF, AT-TLS, and IPSec are critical for protecting z/OS data and resources when they are exposed to the Internet.
- Implement AT-TLS: Always use AT-TLS to encrypt all sensitive TCP/IP traffic to and from the Internet, ensuring data confidentiality and integrity without requiring application changes.
- Strict Firewall Rules: Configure z/OS Communications Server firewall functions or external network firewalls with the principle of least privilege, allowing only necessary ports and protocols for Internet-facing services.
- Regular Security Audits: Conduct frequent security audits and penetration tests on Internet-facing z/OS applications and configurations to identify and remediate vulnerabilities.
- Leverage z/OS Security Server: Utilize RACF or equivalent security managers for robust authentication, authorization, and auditing of all Internet-initiated access to z/OS resources.
- Monitor Network Activity: Implement comprehensive monitoring of TCP/IP stack activity, OSA port usage, and application-level traffic to detect unusual patterns or potential security incidents.