Introduction
One of the classic shortcomings of client/server and web technologies
is security. Since client/server and web connections typically operate
over non-secure networks, all data for these connections is vulnerable
to eavesdropping. Passwords and other sensitive data in client/server and
web connections can easily be captured by unauthorized third parties
and then used to further compromise security.
To solve this problem, Netscape Communications Corp., with help from RSA
Data Security Inc., developed the Secure Sockets Layer (SSL) protocol to
enable secure communications over non-secure networks. The SSL protocol
encrypts data in such a way that an unauthorized third party cannot feasibly
decrypt and read it.
The Janus Network Security option implements the SSL protocol inside
Model 204 making it possible for Model 204 to participate in secure
client/server and web applications.
The Janus Network Security option provides strong (128-bit) encryption
support for Janus Web Server.
Encryption
Data encryption is a fundamental feature of SSL and is always
enabled for connections to Janus Network Security enabled ports. Janus
employs the industry standard RSA public-key/private-key algorithm to
establish the session key and the RC4 bulk cipher to encrypt the data
exchanged under that key. Together these ensure that even if a third party
can monitor the entire session between a client and a Janus Network Security
server it cannot feasibly decrypt the data exchanged over that session.
(A caveat for readers today: RC4 has since been shown to be weak and is
prohibited in TLS by RFC 7465; the cipher choices described here reflect
the era in which this page was written.)
Encryption protects the Model 204 login IDs and passwords
as well as any other sensitive data that might be passed between a
client and Model 204.
The encryption and decryption are completely invisible to both
developers and end-users, except for the visual cues browsers provide
to flag that the communication is secure: Netscape's browser, for instance,
displays a blue line at the top of a secure page and a closed "key"
icon, instead of a broken key, at the bottom of the browser window.
Authentication
The authentication component of SSL provides assurance that the
machine to which a client connects is, in fact, the Model 204 server
rather than a "spoofing" machine. Authentication is implemented via
certificates: digital IDs whose key pair and signing request are generated
on the Model 204 server and then "signed" by a recognized certifying
authority. A client accepts the connection only if the certificate chains
to an authority it trusts and names the host the client asked for, and a
spoofing machine cannot complete the handshake for that certificate without
the server's private key. One such certifying authority is Verisign, which
has given Sirius Software's Janus Network Security feature its seal of
approval by including it on its
list of approved SSL server implementations. The Janus
Network Security feature supports server certificates and provides
an application that can be used to generate server certificates (that is,
the key pair and the request sent to the certifying authority) as
needed.
Efficiency
It almost goes without saying for any Sirius Software product that
it is implemented to consume as few mainframe resources as possible.
This is especially important for the computationally expensive
public-key/private-key algorithm.
In fact, Sirius Software's SSL implementation is
the only IBM mainframe assembler implementation of the SSL
algorithms and, as such, generally delivers performance better by a factor
of 4 or more than other mainframe implementations, a benefit that
reflects the relative efficiency of assembler over C.
Running Secure Model 204 Web Servers
While portions of a web site will require SSL protection, often the
majority of a site's pages will not. There are costs associated
with serving pages via an SSL port: the CPU cost of encryption, the
extra network traffic for requesting and receiving logons, and the fact
that browsers typically do not cache pages received over SSL. All of these
result in safer but slower server interaction. Because of these costs it is
worth running both a secure and a non-secure port and serving only secure
information over the SSL port. Fortunately the Janus command set makes this
process simple. Typically, two ports are defined:
JANUS DEFINE NORMAL 80 WEBSERV 10 UPCASE TIMEOUT 180
JANUS DEFINE SSL 443 WEBSERV 10 SSL CERTS server.certificate.id
Then it's a simple matter to redirect URL references to secured
information to the secured port using REDIRECT logic:
JANUS WEB NORMAL REDIRECT /ACCOUNTING/* -
https://www.yoursite.com/accounting/*
The above REDIRECT is active on the NORMAL port and sends all
requests for URLs beginning with /ACCOUNTING/ to the SSL port (the NORMAL
port is defined with UPCASE, so an incoming URL is folded to upper case
before it is matched against the web rules). This simple directive ensures
that accounting pages are only transferred over secure connections and
that the logon/password exchange for them always happens over the encrypted
port. Note the limit of a redirect: the browser's first request still
arrives on the non-SSL port in the clear, so whatever that request carried
(a query string, form data) has already crossed the network unencrypted.
The redirect is a convenience for users who type an http:// URL, not a
substitute for linking to the https:// address directly. Another obvious
security implementation is to simply not code a web rule for the accounting
system on the non-SSL port. This results in non-SSL references to a secured
system getting a "URL Not Found" error.
Simple web "rules" like this allow centralized control over the
enforcement of security, and eliminate the need for application
developers to concern themselves with security issues.
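To make the two-port layout concrete, here is a small Python model of the rule logic described above. It is an added example, not Janus or Sirius code, and it does not talk to Model 204. It assumes the following about the rule semantics: UPCASE folds the request URL to upper case before rule matching on that port only, a trailing `*` in a pattern matches the rest of the path, the matched remainder replaces the `*` in a REDIRECT target, and the redirect is sent with status 302. The /PUBLIC/ rule, the SSL-port serving rule and the request paths are constructed for the example.

```python
# Added example: model of the NORMAL/SSL two-port rule layout from the page.
# Not Janus code. Assumed semantics: UPCASE folds the URL before matching,
# '*' matches the rest of the path, the remainder replaces '*' in a REDIRECT
# target, and redirects use status 302.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WebRule:
    port: str            # port name: "NORMAL" (plain) or "SSL"
    pattern: str         # URL pattern, e.g. "/ACCOUNTING/*"
    action: str          # "REDIRECT" or "SERVE"
    target: str = ""     # REDIRECT target containing a '*' placeholder


@dataclass(frozen=True)
class Port:
    name: str
    upcase: bool         # models the UPCASE keyword on JANUS DEFINE


PORTS = {
    "NORMAL": Port("NORMAL", upcase=True),   # JANUS DEFINE NORMAL 80 ... UPCASE
    "SSL":    Port("SSL", upcase=False),     # JANUS DEFINE SSL 443 ... SSL CERTS ...
}

# Rule set: the page's REDIRECT off the plain port, plus constructed rules
# that serve /PUBLIC/ on the plain port and /accounting/ on the SSL port.
RULES: List[WebRule] = [
    WebRule("NORMAL", "/ACCOUNTING/*", "REDIRECT",
            "https://www.yoursite.com/accounting/*"),
    WebRule("NORMAL", "/PUBLIC/*", "SERVE"),
    WebRule("SSL", "/accounting/*", "SERVE"),
]


def wildcard_match(pattern: str, path: str) -> Optional[int]:
    """Return the offset where the '*' remainder starts, or None on no match.
    An exact (no-wildcard) pattern returns len(path) when it matches."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return len(prefix) if path.startswith(prefix) else None
    return len(path) if path == pattern else None


def route(rules: List[WebRule], port_name: str,
          path: str) -> Tuple[int, Optional[str]]:
    """Apply the first matching rule for the port.  Returns (status, location):
    location is the redirect URL for 302, the served path for 200, and None
    for 404 ("URL Not Found")."""
    port = PORTS[port_name]
    key = path.upper() if port.upcase else path   # UPCASE applies before matching
    for rule in rules:
        if rule.port != port_name:
            continue
        offset = wildcard_match(rule.pattern, key)
        if offset is None:
            continue
        if rule.action == "REDIRECT":
            # substitute the remainder taken from the original, un-folded path
            return 302, rule.target.replace("*", path[offset:])
        return 200, path
    return 404, None


def redirect_leaks_request_data(method: str, path: str, body: str = "") -> bool:
    """The caveat with REDIRECT: the browser sends its whole first request to
    the plain port before it sees the 302, so a query string or POST body
    has already crossed the network unencrypted."""
    status, _ = route(RULES, "NORMAL", path)
    return status == 302 and (method == "POST" or "?" in path or bool(body))


if __name__ == "__main__":
    for port, path in [("NORMAL", "/accounting/ledger.html"),
                       ("SSL", "/accounting/ledger.html"),
                       ("NORMAL", "/public/index.html"),
                       ("NORMAL", "/payroll")]:
        print(port, path, "->", route(RULES, port, path))
    # the second approach from the page: no rule at all on the plain port
    print(route([r for r in RULES if r.action != "REDIRECT"],
                "NORMAL", "/accounting/ledger.html"))
```

Removing the REDIRECT rule from the list is the page's second approach: the same request on the NORMAL port then falls through to 404 instead of being bounced to the SSL port.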
Summary
Janus Web Server
makes it possible to bring Model 204 into full participation
in a web environment with all its benefits to end-users. Janus Network
Security provides the security needed to enable commercial-strength web
applications to be written in Model 204 User Language.
Janus Web Server requires Janus TCP/IP Base and will work with all
supported versions of Model 204 on MVS and VM operating systems. Janus TCP/IP
Base provides support for IBM's, Interlink's (TCPAccess) and Gulf
Computer's (Knet) mainframe TCP/IP packages.