This page contains the answers to a number of common questions asked by customers when considering APIAS as a solution to their Enterprise Extender problems.
APIAS is a software product that enables businesses to secure the deployment of Enterprise Extender (EE) and so preserve their investment in SNA applications and TCP/IP networking devices.
Enterprise Extender is an innovative and elegant solution to the problem of how to move SNA data across an IP network without having to re-write applications.
IBM's z/OS platforms provide an ideal environment for TCP/IP-based e-business applications.
However, the cost of converting legacy SNA applications to TCP/IP can be prohibitive and, in many cases, conversion may be technically unachievable because source code is missing or the skill sets for specific applications are no longer available.
In addition, following IBM's decision to withdraw the 37x5 from marketing in 2002, and the anticipated withdrawal of support in 2010, users of the 37x5/SNI Communications Controllers will be reviewing how to provide a secure, TCP/IP-based alternative to SNI for inter-company networking.
Enterprise Extender is important because it is IBM's recommended solution for both these problems and can, potentially, help users realise significant technical, operational and commercial benefits.
Enterprise Extender enables SNA data to be transmitted over an IP network by efficiently encapsulating SNA High Performance Routing (HPR) frames in UDP/IP datagrams. By "wrapping" the SNA payload in this way, the SNA data can be carried over an IP backbone without changing either the SNA applications or the IP hardware.
Users who are considering deploying Enterprise Extender (EE) should be aware of a number of limitations:
| Problem: | EE uses the UDP protocol for reasons of performance. However, UDP is inherently insecure and will almost certainly be "blocked" by an installation's security policies. |
| Solution: | APIAS solves this problem by converting the UDP packets to TCP, without altering the encapsulated payload content. Using this solution, the UDP traffic flows between the local applications only ("EE" and APIAS) and is, therefore, secured in "open" network situations. |
| Problem: | EE has no authentication process; neither end-point of an EE connection can be identified with confidence, making such connections vulnerable to "spoofing" (where users can pretend to be someone other than themselves). |
| Solution: | APIAS solves this problem by using the industry standard digital certification process which is deployed by IBM as part of the z/OS operating system. By installing APIAS at each end of a connection, certificates can be exchanged to verify that users are who they claim to be before the connection is established. This exchange of certificates creates very little overhead at connection establishment time and causes no overhead during data transfer. |
| Problem: | Since UDP does not support the industry standard SSL (Secure Sockets Layer) encryption process, EE passes unencrypted traffic which may well be traversing insecure networks such as the Internet. |
| Solution: | APIAS solves this problem by combining both the above processes (i.e. UDP to TCP conversion and digital certification) and adding an encryption process based on keys held inside the digital certificates. The encryption process used by APIAS is the process provided by IBM as part of the z/OS system. |
| Problem: | EE can only communicate with one stack per LPAR which is an unacceptable restriction for installations where, perhaps for reasons of network traffic-isolation or security, multiple stacks are deployed. |
| Solution: | Whatever the reason for a multi-stack environment, the potential for Enterprise Extender, in this situation, is limited as the EE process can only communicate with one TCPIP stack at a time. APIAS, which serves as a proxy-server in this situation, resolves this problem by enabling EE to connect to other TCPIP stacks. |
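
An added sketch, not APIAS code or its wire format (which this page does not describe): carrying UDP datagrams over a TCP stream without altering the payload means preserving datagram boundaries, shown here with an assumed 2-byte length prefix, together with a listener-side TLS context that demands a peer certificate. All function names and the sample payloads are hypothetical.

```python
import ssl
import struct

MAX_UDP_PAYLOAD = 65507  # largest UDP payload over IPv4; fits a 16-bit length

def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length (assumed framing) so its
    boundary survives the TCP byte stream; the payload is not modified."""
    if len(datagram) > MAX_UDP_PAYLOAD:
        raise ValueError("datagram too large for UDP")
    return struct.pack("!H", len(datagram)) + datagram

class Deframer:
    """Rebuild whole datagrams from arbitrarily split TCP reads."""
    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        out = []
        while len(self._buf) >= 2:
            (size,) = struct.unpack_from("!H", self._buf)
            if len(self._buf) < 2 + size:
                break  # partial datagram: wait for more stream data
            out.append(bytes(self._buf[2:2 + size]))
            del self._buf[:2 + size]
        return out

def mutual_tls_server_context(cert=None, key=None, peer_ca=None):
    """Listener-side TLS context that refuses peers without a certificate
    signed by peer_ca, so both end-points are authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # demand a client certificate
    if cert:
        ctx.load_cert_chain(cert, key)
    if peer_ca:
        ctx.load_verify_locations(peer_ca)
    return ctx

def relay(datagrams, read_size):
    """Simulate the tunnel: frame, split into read_size reads, deframe."""
    stream = b"".join(frame(d) for d in datagrams)
    rx, out = Deframer(), []
    for i in range(0, len(stream), read_size):
        out += rx.feed(stream[i:i + read_size])
    return out

# Constructed sample payloads (not real HPR frames), including an empty one.
SAMPLE = [b"\x01constructed-frame-A", b"", b"B" * 300]
```

Without the length prefix, two datagrams written back-to-back would arrive as one undifferentiated byte run and the receiving end could not re-emit them as the original UDP packets.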
For Enterprise Extender users, APIAS addresses all of the limitations of EE in a scalable, cost-effective way. The simplicity of APIAS places it way ahead of any other alternative, while the flexibility and security that it offers is second to none.
If APIAS is being used to secure Enterprise Extender communications traffic between two end-points then a copy of APIAS must be installed at each end of the link.
One copy of APIAS installed on a z/OS server can service any number of remote stations as long as a copy of APIAS is also installed at each remote point. However, APIAS does not need to be implemented on all EE circuits leaving a host but only those where security considerations are paramount.
APIAS uses the industry standard SSL (Secure Sockets Layer) technology which includes the use of digital certificates. The SSL encryption and certificate exchange processes used by APIAS are well proven and well accepted and use the encryption engine supplied by IBM. This ensures a completely secure, end-to-end transaction.
A digital certificate is an electronic "passport" that authenticates a web site when doing business or other transactions on the Web. Digital certificates can be purchased from certification authorities such as Entrust (www.entrust.com) and VeriSign (www.verisign.com) or self-generated using the IBM z/OS supplied utility (gskkyman).
There is no problem with using different certificates for different connections and, for many users, this may be the preferred method of operation.
CCL is a very useful tool, especially for those users (such as VSE) who do not have the option to move to Enterprise Extender. However, it is regarded, even by IBM, as a migration aid and the complexity and cost of implementation combined with a lack of clear future direction make it a very difficult option to recommend.
For those users who can move to Enterprise Extender, it makes much more sense to do so now, as this would seem to be the ultimate long-term solution.
As IBM state in their CCL FAQ document:
"Q: Compare CCL with Enterprise Extender. Which alternative is a better way to migrate from SNA to an IP network?
A: EE is the better technology! EE is based on the latest SNA architectures - APPN and HPR and supports IP end-to-end, all the dynamics of APPN and the non disruptive path switch of HPR. If both you and your business partner are at an APPN/HPR-capable level and agree to use EE between you - then this is the best and the recommended way to go. CCL is for those who cannot or will not migrate to the newer and better SNA architecture levels."
Both IBM and William Data Systems have prepared more comprehensive reviews of the comparative strengths and weaknesses of Enterprise Extender and CCL.
APIAS can be deployed on platforms supporting Enterprise Extender under IBM's z/OS operating system. In addition, APIAS supports distributed Enterprise Extender systems running on Microsoft Windows, as far back as Windows NT, as well as current versions of Red Hat and SUSE for both Linux and z/Linux. An APIAS port for Solaris is currently being built and a port for AIX will be built as demand dictates.
APIAS is configured through the APIAS 'profile' member. This is always a plain text file and is almost interchangeable on all platforms.
Under z/OS, APIAS is configured through a standard PARMLIB member that can be edited using the standard ISPF editor.
Under Windows, the 'profile' can be stored anywhere since the path to it can be specified in the execution call of APIAS. However, it is expected to be in the default APIAS folder (C:\Program Files\William Data Systems\APIAS 3.1), and is probably best left there.
Under Open Systems, the profile can, once again, be stored in any directory, depending upon installation standards, as its path can be specified at execution time.
The APIAS profile defines the configuration of APIAS on your system. A new or updated profile can be dynamically loaded into APIAS at any time while the product is active.
Data encryption will, inevitably, apply a level of overhead in terms of CPU cycles. However, to minimize this, the SSL certificate exchange and encryption processes employed by APIAS (PKI - Public Key Infrastructure) are those provided by IBM as part of the z/OS operating system. This is widely accepted by all levels of industry with the possible exception of the US Federal Information Processing Standards where additional hardware encryption is required.
Sub-area networks should be converted to APPN prior to implementing Enterprise Extender. However, if a user doesn't wish, or is unable, to convert then it may be possible to set up a new, single APPN network node to handle the EE connections and run that node as an ICN (Inter-Connection Node), leaving the sub-area network almost intact.
APIAS can be implemented on a variety of platforms and requires no additional hardware (see Q13. Where does APIAS run?). In fact, implementing APIAS in conjunction with Enterprise Extender can lead to certain types of hardware, specifically 37x5 Network Controllers and dedicated leased lines, becoming redundant.
Comprehensive, effective and highly responsive user support is provided for all WDS products at all stages of the product life-cycle. In addition, a range of training programs is available dependent upon user demand. These can be held at WDS offices, on customer sites or can be managed remotely via Webex over the internet.
For further clarification about any of the issues raised in these FAQs, or about any WDS-related product issues, e-mail info@willdata.com.