Secure links between existing and new technology platforms
The Customer: Kredietbank
Business Need: Support of large national and international branch network with commercial banking operations
The Solution:
- Mainframes: IBM System/390 and Tandem, MVS/IMS, plus DL/I and DB2 databases
- Branches: UNIX workstations/PC-LANs with OS/2
- Networking: DCE running on MVS and UNIX, TCP/IP over X.25 (moving to frame relay), software distribution and X.25 back-up by ISDN
Benefit to Customer: Ability to make information available to branches by integrating three multivendor platforms (mainframe, PC LAN, UNIX workstations) into a unified client/server structure--all with the robust security and system management functions essential to a major bank
Kredietbank--Belgium's second-largest commercial bank--values the ability to maintain
security while making mainframe data accessible across an open client/server network.
Kredietbank today has around 10,000 employees and 750 branches in Belgium and other
European countries, plus international branches in financial centres such as New York,
London, Hong Kong and Singapore. Although the bank is one of Belgium's oldest, it takes a
progressive approach to information technology, and has created a truly distributed
client/server environment with the Open Software Foundation's Distributed Computing
Environment (DCE) providing the secure connections.
"We have a large number of branches, and wanted to retain many of our existing
systems and applications in the new client/server model," says Carl Tilkin-Franssens,
Kredietbank's IT Manager. "DCE is the only available technology to enable us to link
our three major technologies together: the traditional mainframe, the emerging world of PC
LANs, and UNIX workstations."
Kredietbank was already using telecommunications in the 1970s to boost its backoffice
operations. In the 1980s, the focus shifted to the front office, and the need to give more
autonomy to the branches. "As a result, we moved to a form of distributed computing
in which local branches could service 80% of their own needs," says Carl
Tilkin-Franssens. "They only contacted the mainframe to store and forward
transactions, or to execute exceptionally large transactions."
Providing more quality to users
"Having largely achieved the goal of branch autonomy, we then began to move towards
providing our staff with a higher quality of services and information--and that's where
client/server computing comes in. Our users in the branches need to be able to access
commercial information independently of where the transaction is executed or where the
data is located," he explains. "Clearly this requires the technologies involved
to be based on open standards. DCE is open to any vendor, and the first stage in our
solution was to use DCE in the connections between the branches and the central
mainframes, which are IBM MVS and Tandem."
Because of the synergy between the various Kredietbank company systems, the bank wanted
to incorporate existing equipment as far as possible: "With the infrastructure in
place, we are now changing applications that are 10 or 15 years old to the new DCE
environment, and testing the various types of transactions--many of them running under
IMS."
Banking network
DCE - The essential administration link
A single DCE cell can service thousands of clients. It consists of a Security Server,
several Distributed File Servers (DFS services), Time Servers (to coordinate time across
the network), and Directory Services (to locate resources easily).
One area where Kredietbank expects DCE to bring dramatic improvements is in Systems and
Network Administration, says Carl Tilkin-Franssens: "DCE is the essential
administration link between our mainframe, PC LAN, and UNIX platforms. The naming
conventions and security environment of DCE will have a major impact on reducing
administration effort and in imposing consistency across the network. We need the whole
DCE infrastructure services--including naming, security, and timing--to integrate the
different platforms."
One important goal was to bring the MVS mainframe into the client/server structure, and
Kredietbank has used DCE to run applications between UNIX servers and the IMS subsystem in
the MVS environment. Services provided by the DCE cell are fundamental to integrating
these different elements:
Directory and Naming Service enables resources such as clients and servers to be
found anywhere in an enterprise, without users needing to know local names.
Security Services provide Kredietbank with security tighter than is possible
with conventional passwords. DCE entrusts security not to the client or the server, but to
a "third party"--a dedicated and physically secure DCE security server. This
server controls three security processes:
- Authentication, to identify both the client and the server. This involves a
complex process of encrypted tickets, and thus avoids the exposure of sending passwords
over the network.
- Authorization, which determines whether that client has the right to access the
resources it is requesting (the server holds access control lists).
- Encryption, based on the DES encryption algorithm that enables an organization to
choose various levels of security up to full encryption with all data encoded.
These processes are hidden from users. All they see is a simple means of using one
password and one username to gain access to any data to which they are entitled, anywhere
on the network, without having to ask for access to individual networks and servers.
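The ticket exchange and ACL check described above, as an added example (not DCE's wire protocol and not code from IBM or Kredietbank). It assumes a SHA-256 keystream with an HMAC tag as a stand-in for DES, and all class, function and principal names are hypothetical.

```python
import hashlib, hmac, json, secrets
def _stream(key, nonce, n):
    # SHA-256 in counter mode: a stand-in cipher for this example, not DES
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt a JSON object under key, then append an HMAC tag
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_from_password(password):
    # Derived locally, so the password itself never crosses the network
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)

class SecurityServer:
    """Trusted third party holding every principal's long-term key."""
    def __init__(self):
        self.keys = {}
    def issue(self, client, service):
        session = secrets.token_hex(16)
        reply = seal(self.keys[client], {"service": service, "session": session})
        ticket = seal(self.keys[service], {"client": client, "session": session})
        return reply, ticket  # only the client opens reply, only the service opens ticket

class AppServer:
    def __init__(self, name, key, acl):
        self.name, self.key, self.acl = name, key, acl
    def handle(self, ticket, authenticator, resource):
        t = unseal(self.key, ticket)                 # ticket was sealed for this server
        session = bytes.fromhex(t["session"])
        if unseal(session, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        allowed = resource in self.acl.get(t["client"], ())   # authorization by ACL
        return allowed, seal(session, {"server": self.name})  # proof identifies the server

def login_and_request(kdc, app, user, password, resource):
    reply, ticket = kdc.issue(user, app.name)
    session = bytes.fromhex(unseal(key_from_password(password), reply)["session"])
    allowed, proof = app.handle(ticket, seal(session, {"client": user}), resource)
    if unseal(session, proof)["server"] != app.name:
        raise ValueError("server failed to authenticate")
    return allowed
```

A wrong password fails at the client when it tries to open the security server's reply, and an altered ticket is rejected by the application server before any ACL lookup happens.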
Other DCE services essential to integrating multi-vendor systems include Remote
Procedure Call (RPC), a synchronous communications mechanism. It simplifies
programmers' work by enabling them to treat calls between programs running on different
platforms as local procedure calls. In addition, IBM has DCE-based application support
products to give users access to existing IMS or CICS transaction programs and data from
anywhere in the open environment.
Transparency across the enterprise
In distributing data previously held on a mainframe, consistency was a major concern for
Kredietbank. DCE provides this through its Distributed File System (DFS), which is
integrated with the DCE Security and Directory services.
DFS extends transparency across the enterprise by presenting all files in the network
as a single global directory structure. DFS users can access files inside and outside of
their cell by name, without knowing whether the files are local or remote, or even which
server stores the files. It also greatly simplifies data administration. One large
organisation in the USA reports that it needs only one administrator for every 1,000 users
with DFS, instead of one per 100-150 users with NFS, its previous system.
Within reach: A DCE-based client/server structure
Kredietbank is now within reach of its goal: "Eventually, we will be running three
main platforms through DCE as a unified client/server system--with the mainframes playing
the role of large servers, the UNIX machines acting as clients and servers in the
branches, and the LAN servers providing applications to PC clients," says Carl
Tilkin-Franssens.
"By participating with IBM in an Early Support program, we created a strong
partnership which benefits both IBM and Kredietbank. Support from IBM has been very
smooth, and we are looking forward to continuing this as we move towards completing this
major project."
DCE: Delivering the promise of client/server
"A single system image of all the organization's data and easy management of
change" are the promises of client/server computing. But as more companies follow the
trend towards downsized client/server networks, some find the promise elusive. Security,
scalability and administration costs are three of the key issues. For example, the simple
addition of a new user can require the definition to be added to every server in the
network.
DCE cuts through these problems and helps deliver the true benefits of client/server
networks.
It consists of the following services:
- Remote procedure call (RPC), a common synchronous communications mechanism between
processes which provides strong support for large, enterprise-wide network configurations
- Directory and naming service, which enables clients to locate resources easily
- Security service, based on Kerberos from MIT (Massachusetts Institute of Technology)
using authentication, authorization, encryption
- Distributed time service, which implements a common time standard for the distributed
network
- Threads, which allow development of "multi-threaded" applications that can
dramatically improve performance
- Distributed File system (DFS), which runs on top of the DCE infrastructure to provide a
Global File System, a single directory structure.
DCE clients and servers can run on many IBM and non-IBM platforms.
How Kredietbank plans to benefit
- Centrally-held information and data will be more easily available to authorised users
anywhere in the network
- Branch staff can be more effective through being able to access commercial information
and better-quality services and facilities
- Tight security through a dedicated security server and unique user IDs
- Information is consistent at every site because DCE's global file system holds only one
logical copy of a file for the whole network
- DCE's true open systems environment offers the flexibility to incorporate the bank's
existing multi-vendor systems, and add to the network as required in the future
- Administration and management can be reduced because changes need only be made once at a
single point for distribution across the whole network.