IBM eNetwork Software
Secure links between existing and new technology platforms
The Customer
Kredietbank

Business Need
Support of large national and international branch network with commercial banking operations

The Solution
Mainframes: IBM System/390 and Tandem, MVS/IMS, plus DL/I and DB2 databases
Branches: UNIX workstations/PC-LANs with OS/2
Networking: DCE running on MVS and UNIX, TCP/IP over X.25 (moving to frame relay), software distribution and X.25 back-up by ISDN

Benefit to Customer
Ability to make information available to branches by integrating three multivendor platforms (mainframe, PC LAN, UNIX workstations) into a unified client/server structure--all with the robust security and system management functions essential to a major bank

Kredietbank--Belgium's second-largest commercial bank--values the ability to maintain security while making mainframe data accessible across an open client/server network. Kredietbank today has around 10,000 employees and 750 branches in Belgium and other European countries, plus international branches in financial centres such as New York, London, Hong Kong and Singapore. Although the bank is one of Belgium's oldest, it takes a progressive approach to information technology, and has created a truly distributed client/server environment with the Open Software Foundation's Distributed Computing Environment (DCE) providing the secure connections.

"We have a large number of branches, and wanted to retain many of our existing systems and applications in the new client/server model," says Carl Tilkin-Franssens, Kredietbank's IT Manager. "DCE is the only available technology to enable us to link our three major technologies together: the traditional mainframe, the emerging world of PC LANs, and UNIX workstations."

Kredietbank was already using telecommunications in the 1970s to boost its backoffice operations. In the 1980s, the focus shifted to the front office, and the need to give more autonomy to the branches. "As a result, we moved to a form of distributed computing in which local branches could service 80% of their own needs," says Carl Tilkin-Franssens. "They only contacted the mainframe to store and forward transactions, or to execute exceptionally large transactions."

Providing more quality to users
"Having largely achieved the goal of branch autonomy, we then began to move towards providing our staff with a higher quality of services and information--and that's where client/server computing comes in. Our users in the branches need to be able to access commercial information independently of where the transaction is executed or where the data is located," he explains. "Clearly this requires the technologies involved to be based on open standards. DCE is open to any vendor, and the first stage in our solution was to use DCE in the connections between the branches and the central mainframes, which are IBM MVS and Tandem."

Because of the synergy between the various Kredietbank company systems, the bank wanted to incorporate existing equipment as far as possible: "With the infrastructure in place, we are now changing applications that are 10 or 15 years old to the new DCE environment, and testing the various types of transactions--many of them running under IMS."

Banking network

DCE - The essential administration link
A single DCE cell can service thousands of clients. It consists of a Security Server, several Distributed File Servers (DFS services), Time Servers (to coordinate time across the network), and Directory Services (to locate resources easily).

One area where Kredietbank expects DCE to bring dramatic improvements is in Systems and Network Administration, says Carl Tilkin-Franssens: "DCE is the essential administration link between our mainframe, PC LAN, and UNIX platforms. The naming conventions and security environment of DCE will have a major impact on reducing administration effort and in imposing consistency across the network. We need the whole DCE infrastructure services--including naming, security, and timing--to integrate the different platforms."

One important goal was to bring the MVS mainframe into the client/server structure, and Kredietbank has used DCE to run applications between UNIX servers and the IMS subsystem in the MVS environment. Services provided by the DCE cell are fundamental to integrating these different elements:

Directory and Naming Service enables resources such as clients and servers to be found anywhere in an enterprise, without users needing to know local names.

Security Services provide Kredietbank with security tighter than is possible with conventional passwords. DCE entrusts security not to the client or the server, but to a "third party"--a dedicated and physically secure DCE security server. This server controls three security processes:

  • Authentication, to identify both the client and the server. This involves a complex process of encrypted tickets, and thus avoids the exposure of sending passwords over the network.
  • Authorization, which determines whether that client has the right to access the resources it is requesting (the server holds access control lists).
  • Encryption, based on the DES encryption algorithm, which enables an organization to choose various levels of security, up to full encryption with all data encoded.

These processes are hidden from users. All they see is a simple means of using one password and one username to gain access to any data to which they are entitled, anywhere on the network, without having to ask for access to individual networks and servers.
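The ticket-based authentication and access-control-list check described above, as an added example that is not IBM's or DCE's own code: a minimal Kerberos-style exchange with all three parties running in one Python process. The principal names, the password, and the `seal`/`unseal` stand-in cipher (used in place of DES so the code runs on the standard library) are assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

# Stand-in sealed box (hash keystream + HMAC) in place of DES; illustration only.
def _xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def pw_key(user, password):  # long-term key derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

# Constructed sample data: keys known to the security server, ACL held by the service.
USER_KEYS = {"teller7": pw_key("teller7", "correct horse")}
SERVICE_KEYS = {"ims-gateway": os.urandom(32)}
ACL = {"ims-gateway": {"teller7"}}

def issue_ticket(user, service, lifetime=300):
    """Security server: the request carries a user name, never a password."""
    session = os.urandom(32).hex()
    ticket = seal(SERVICE_KEYS[service],
                  {"user": user, "key": session, "exp": time.time() + lifetime})
    return seal(USER_KEYS[user], {"key": session}), ticket

def client_request(user, password, service):  # only the right password opens the session key
    for_client, ticket = issue_ticket(user, service)
    session = bytes.fromhex(unseal(pw_key(user, password), for_client)["key"])
    return ticket, seal(session, {"user": user, "ts": time.time()})

def service_accept(service, ticket, authenticator, skew=120):
    """Application server: authenticate via the ticket, then authorize via the ACL."""
    t = unseal(SERVICE_KEYS[service], ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    now = time.time()  # freshness check is why the cell needs synchronized time
    if a["user"] != t["user"] or now > t["exp"] or abs(now - a["ts"]) > skew:
        raise ValueError("authentication failed")
    if t["user"] not in ACL[service]:
        raise PermissionError("not on the access control list")
    return t["user"]
```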

Other DCE services essential to integrating multi-vendor systems include Remote Procedure Call (RPC), a synchronous communications mechanism. It simplifies programmers' work by enabling them to treat calls between programs running on different platforms as local procedure calls. In addition, IBM has DCE-based application support products to give users access to existing IMS or CICS transaction programs and data from anywhere in the open environment.

Transparency across the enterprise
In distributing data previously held on a mainframe, consistency was a major concern for Kredietbank. DCE provides this through its Distributed File System (DFS), which is integrated with the DCE Security and Directory services.

DFS extends transparency across the enterprise by presenting all files in the network as a single global directory structure. DFS users can access files inside and outside of their cell by name, without knowing whether the files are local or remote, or even which server stores the files. It also greatly simplifies data administration. One large organisation in the USA reports that it needs only one administrator for every 1,000 users with DFS, instead of one per 100-150 users with NFS, its previous system.

Within reach: A DCE-based client/server structure
Kredietbank is now within reach of its goal: "Eventually, we will be running three main platforms through DCE as a unified client/server system--with the mainframes playing the role of large servers, the UNIX machines acting as clients and servers in the branches, and the LAN servers providing applications to PC clients," says Carl Tilkin-Franssens.

"By participating with IBM in an Early Support program, we created a strong partnership which benefits both IBM and Kredietbank. Support from IBM has been very smooth, and we are looking forward to continuing this as we move towards completing this major project."

DCE: Delivering the promise of client/server
"A single system image of all the organization's data and easy management of change" are the promises of client/server computing. But as more companies follow the trend towards downsized client/server networks, some find the promise elusive. Security, scalability and administration costs are three of the key issues. For example, the simple addition of a new user can require the definition to be added to every server in the network.

DCE cuts through these problems and helps deliver the true benefits of client/server networks.

It consists of the following services:

  • Remote procedure call (RPC), a common synchronous communications mechanism between processes which provides strong support for large, enterprise-wide network configurations
  • Directory and naming service, which enables clients to locate resources easily
  • Security service, based on Kerberos from MIT (Massachusetts Institute of Technology) using authentication, authorization, encryption
  • Distributed time service, which implements a common time standard for the distributed network
  • Threads, which allow development of "multi-threaded" applications that can dramatically improve performance
  • Distributed File System (DFS), which runs on top of the DCE infrastructure to provide a Global File System, a single directory structure.

DCE clients and servers can run on many IBM and non-IBM platforms.

How Kredietbank plans to benefit

  • Centrally-held information and data will be more easily available to authorised users anywhere in the network
  • Branch staff can be more effective through being able to access commercial information and better-quality services and facilities
  • Tight security through a dedicated security server and unique user IDs
  • Information is consistent at every site because DCE's global file system holds only one logical copy of a file for the whole network
  • DCE's true open systems environment offers the flexibility to incorporate the bank's existing multi-vendor systems, and add to the network as required in the future
  • Administration and management can be reduced because changes need only be made once at a single point for distribution across the whole network.
 
©1998 IBM Corporation