
Page 1

IBM Secure Service Container for IBM Cloud Private

Norsk Dataförening

February 7th, 2018

Page 2

Agenda

IBM Cloud Private (ICP) overview

Secure Service Container (SSC) Overview

z/OS Cloud Broker for ICP

Page 3

IBM Cloud / © 2018 IBM Corporation

AppMod use case “unlocked” by Private Cloud

[Diagram: before vs. now – Traditional, Cloud Native, Cloud Services, AppMod, Private Cloud]

Page 4

IBM Cloud Private overview

Page 5

IBM Cloud Private: Overview

Page 6

IBM Cloud Private – Key Attributes

Kubernetes based container orchestration platform

Cloud Foundry runtimes to support business logic

DevOps & tools to build your own Microservices

Extend for Watson, IoT, Weather Company APIs

Integrated stack, Continuous Delivery for releases

App Catalog for IBM, OSS, imported & custom apps; runtimes and integration services

Build & manage APIs to integrate services and data

Runs on existing IaaS, Infrastructure automation

Containerized IBM Middleware, Data Stores & Analytics (WAS, MQ, IIB, DB2, Cloudant, DSX)

Reference Architectures, best practices & prescriptive guidance to run workloads

Self-managed with new IBM S&S model

Core operational services, open source monitoring, logs & security tools

Automated provisioning

Integrate with existing service management

Themes: Innovation; Integration; Investment Protection; Management and Compliance

Enterprise grade. Open by design.

Page 7

Microservices & Cloud Native Apps

Page 8

Infrastructure oriented:

⚫ coming from servers, now virtualized

⚫ several applications per server

⚫ isolation

Service oriented:

⚫ application-centric

⚫ solution decomposed

⚫ DevOps

⚫ Microservices (app. Logic)

A quick review: what is different from a virtual machine?

Virtual machine separation between tenants

Virtualization management for infrastructure

Isolation

Containers within one tenant

Container efficiency

Docker management and ecosystem

Page 9

IBM Cloud Private – What it Takes

• Bring your own IaaS

• ICP only needs Linux VMs (RHEL/SLES/Ubuntu) and has no other pre-requisites

• Hypervisor agnostic

• No special Z skills needed

• ICP installation is easier than other vendors' offerings of similar products

• or choose Secure Service Container Appliance


Page 10

IBM Cloud Private – Major Components

Page 11

So Much Open Source … Why Not Build My Own Then?

Examples: ELK, Galera, Jenkins, Open Liberty, LDAP, Nginx, Web Terminal, MongoDB, Redis, RabbitMQ

• Over 50 OS services and technologies to stitch together

• Many-to-many interfaces to maintain

• Regular changes to versions and APIs (at least every 2 to 3 months)

• HA/DR, security & management frameworks for production at scale need to be developed

• Need to participate in OS communities for support

• Almost impossible to get a consistent support model and handle dependencies

IBM is heavily invested in OS and a major contributor to the OS communities

Page 12

Why IBM Cloud Private

• Rapid development and deployment:

– Minutes or hours vs. days or weeks; huge catalogue of OS and IBM services, advanced analytics and machine learning options …

– Non-disruptive upgrade of platform integrated with enterprise network, storage, security, performance and production needs

– Enablement of new and existing developers & integration with existing Dev/Sec/Ops tools

• Investment leverage:

– Infrastructure choice and complete portability

– Leverage existing applications and skills while reducing TCO

– Open community-based platforms for choice and flexibility, on- and off-premises

– No vendor lock-in!

• Application modernization:

– Modernization and optimization across multi-cloud environments – Develop Once, deploy anywhere

– Reduced risk by running applications on enterprise-grade software & data platforms optimized for cloud

• Differentiated enterprise integration:

– Set of new services available on-premises, complemented with public cloud services (Watson)

– Integration of applications with services for operational simplicity and reduced cost

– Integrated cloud management solutions to automatically provision and govern multi-cloud environments with speed and control, coupled with IBM's expertise & services

Page 13

Multi-architecture Enablement in Docker

• Multiarch now fully implemented in Docker since version 1.12 and beyond

• Manifest List has pointers to each of the architecture-specific containers that have been compiled for an application

• Docker Engines and Registry sort out which image to send based on the Manifest List and arch tags

• Docker user experience (CLI, REST API) is identical across platforms

• Docker calling convention is identical across platforms if you use the manifest name instead of the container name

• Developers need to start using this now to see the benefits
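As an added illustration of the manifest-list resolution described on this slide (example code written for this page, not from the original deck or Docker's own source): a resolver that picks the per-architecture image digest for a requested platform and fails closed when no build exists for that platform, then shows how the shared manifest name pins to a different digest on x86, s390x and ppc64le. The manifest list, its digests and the repository name `example.com/app` are constructed sample values.

```python
"""Resolve a Docker manifest list to a per-platform image digest.

Added example, not from the original deck or Docker's source: it models the
selection a Docker engine/registry performs when a client pulls by multi-arch
manifest name. Manifest list and digests are constructed samples.
"""
import json
import re
from typing import Dict, List, Optional

MANIFEST_LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",  # Docker schema 2
    "application/vnd.oci.image.index.v1+json",                    # OCI equivalent
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def _entry(arch: str, fill: str, variant: Optional[str] = None) -> Dict:
    """Build one constructed manifest-list entry (sample data only)."""
    platform = {"architecture": arch, "os": "linux"}
    if variant:
        platform["variant"] = variant
    return {
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "size": 1234,
        "digest": "sha256:" + fill * 32,  # placeholder, not a real image digest
        "platform": platform,
    }


# Constructed sample: one image name published for x86, IBM Z and POWER plus a
# 32-bit ARM variant. There is deliberately no arm64 build (the edge case below).
SAMPLE_MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        _entry("amd64", "aa"),
        _entry("s390x", "bb"),
        _entry("ppc64le", "cc"),
        _entry("arm", "dd", variant="v7"),
    ],
})


def select_manifest(manifest_list_json: str, os_name: str, arch: str,
                    variant: Optional[str] = None) -> str:
    """Return the digest of the manifest matching (os, arch, variant).

    Fails closed: a malformed list or digest, an ambiguous match, or a platform
    the image was never built for all raise instead of falling back to another
    architecture's image.
    """
    doc = json.loads(manifest_list_json)
    if doc.get("schemaVersion") != 2 or doc.get("mediaType") not in MANIFEST_LIST_TYPES:
        raise ValueError("not a manifest list / image index")

    wanted = (os_name, arch, variant)
    matches: List[str] = []
    seen: List[str] = []
    for entry in doc.get("manifests", []):
        plat = entry.get("platform", {})
        key = (plat.get("os"), plat.get("architecture"), plat.get("variant"))
        seen.append("/".join(p for p in key if p))
        # Exact match on variant too: an arm/v7 entry must not satisfy a plain
        # "arm" request, and a request for v7 must not get an unversioned build.
        if key != wanted:
            continue
        digest = entry.get("digest", "")
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in manifest list: {digest!r}")
        matches.append(digest)

    if not matches:
        raise LookupError(f"no image for {'/'.join(p for p in wanted if p)}; "
                          f"available: {sorted(seen)}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous manifest list: {len(matches)} entries match {wanted}")
    return matches[0]


def pinned_reference(repository: str, manifest_list_json: str,
                     os_name: str, arch: str, variant: Optional[str] = None) -> str:
    """Turn the shared manifest name into an immutable per-platform reference.

    Every platform pulls the same "repository:tag" (identical calling convention),
    but each resolves to its own digest; pinning that digest in a deployment
    manifest makes the pull reproducible and a swapped image detectable.
    """
    digest = select_manifest(manifest_list_json, os_name, arch, variant)
    return f"{repository}@{digest}"


if __name__ == "__main__":
    for arch in ("amd64", "s390x", "ppc64le"):
        print(arch, "->", pinned_reference("example.com/app", SAMPLE_MANIFEST_LIST, "linux", arch))
    try:
        select_manifest(SAMPLE_MANIFEST_LIST, "linux", "arm64")
    except LookupError as exc:
        print("fails closed:", exc)
```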

Page 14

Containers are great but … can lead to a lack of control and chaos

Page 15

Regain control with Containers and Kubernetes

• Organize and Govern the Container Chaos

Kubernetes – (Κυβερνήτης - Captain in Greek)

Page 16

What does Kubernetes really offer?

Intelligent Scheduling: Automatically places containers based on their resource requirements and other constraints, while not sacrificing availability. Mix critical and best-effort workloads in order to drive up utilization and save even more resources.

Self Healing: Restarts containers that fail, replaces and reschedules containers when nodes die, kills containers that don't respond to your user-defined health check, and doesn't advertise them to clients until they are ready to serve.

Horizontal Scaling: Scale your application up and down with a simple command, with a UI, or automatically based on CPU usage.

Service Discovery and Load Balancing: No need to modify your application to use an unfamiliar service discovery mechanism. Kubernetes gives containers their own IP addresses and a single DNS name for a set of containers, and can load-balance across them.

Automated rollout and rollback: Kubernetes progressively rolls out changes to your application, while monitoring application health to ensure it doesn't kill all your instances at the same time. If something goes wrong, Kubernetes will roll back the change for you. Take advantage of a growing ecosystem of deployment solutions.

Secret and configuration management: Deploy and update secrets and application configuration without rebuilding your image and without exposing secrets in your stack configuration.

Page 17

IBM Cloud Private – Basic Architecture

Page 18

IBM Cloud Private – Catalog

Helm Chart – a package manager for k8s that allows for seamless deployment of containers through a set of commands: helm deploy, helm rollback, helm upgrade, helm delete

Page 19

IBM Cloud Private – Detailed Architecture

Page 20

IBM Cloud Private – Cloud Automation Manager

Page 21

IBM Software and Open Source Ecosystem for ICP on Linux on IBM Z / LinuxONE

Application Category: Software Supported

Data Services: IBM Db2 Direct Advanced Edition 11.1 with Data Server Manager; IBM Db2 Advanced Enterprise Server Ed. 11.1 with Data Server Manager; IBM Db2 Warehouse Enterprise 2.0; MongoDB (open source); PostgreSQL (open source); MariaDB (open source)

Data Science and Business Analytics: IBM Data Science Experience Local 1.1

Toolchains & Runtimes: IBM UrbanCode Deploy; Microclimate 18.03 (free tooling; no committed date); Jenkins (open source); IBM WebSphere Liberty 17.0.0.4, 18.0.0.x; [IBM SDK for] Node.js V6, V8; Open Liberty (open source); Swift runtime (open source)

Modernization Tools: IBM Transformation Advisor 1.5.1 (free tooling)

Messaging: IBM MQ Advanced 9.0 & v.next; RabbitMQ (open source)

Digital Business Automation: IBM Operational Decision Manager 8.9.2

Roadmap includes commercial editions available for purchase unless otherwise noted (i.e. open source). Catalog content is not distributed with IBM Cloud Private. Content is distributed separately, licensed under separate terms and conditions.

ICP workloads planned to be supported on Linux on IBM Z / LinuxONE by end of 2018*

Descriptions of applications supported on IBM Cloud Private v3.1.1

Get IBM software @ Passport Advantage

ICP Cloud Native [ICP 3.1 Managed-to-Z]

• Core services (minimum required for worker node)

• Kubernetes, Helm Catalog, Node.js, WAS Liberty

Operating Systems Supported

• RHEL

• Ubuntu

• SLES

Worker nodes for ICP

• x86 Management nodes

• Current: user to get Docker package from SuSE

*All statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

NOTE: This is a current snapshot of available workloads; the list of supported workloads will continue to grow over time


Page 22

A heterogeneous environment across Intel, Power, IBM Z and public cloud

• Uses 100% unmodified upstream Kubernetes

• Zero vendor lock-in

• Includes zOS deployment options

• IBM Cloud Private (ICP) is an untethered Platform as a Service that combines the speed, agility and flexibility of the public cloud with the security and performance guarantees of an on-premises cloud.

• ICP provides a core platform runtime based on Kubernetes and common services like logging, metering, auditing, user access control etc., along with a rich catalog of IBM and open-source products.

[Diagram: ICP Master managing ICP services running on Linux across IBM Z / LinuxONE (z/VM, KVM; z/OS with DB2, CICS, z/OSMF, zOS Connect), Power (PowerVM etc.), Intel (VMware etc.) and Public Cloud]

Page 23

Value of ICP and Containers on z

• Unique modernization tooling specialized for z

• Consumable Security with Secure Service Container technology

• Performance at Scale

• Extreme Virtualization and Container Density

The world's premier Linux system for highly secured data serving

Engineered for performance and scale

ICP on z enables a cost effective Cloud Consumption Model for Secure and Scalable Data and Application Serving in your cloud


Page 24

Throughput at SLA test results

Source: IBM Z Spotlight, 19 July 2018 / IBM CPO

Production SLA calculated to be: 500 virtual users, 30 ms response time

At production-level SLA:

IBM Z / LinuxONE generated 4.6x more throughput than the x86 servers

IBM Z / LinuxONE used 6 CPUs compared to 9 on x86 – or 33% fewer CPUs

[Bar chart: Throughput (tps) – x86: 3,488; IBM Z / LinuxONE: 16,186 (4.6x)]

This is an IBM internal study of the IBM Cloud Private solution designed to replicate a typical IBM customer workload usage in the marketplace. The results were obtained under laboratory conditions, and not in an actual customer environment. IBM's internal workload studies are not benchmark applications, nor are they based on any benchmark standard. As such, customer applications, differences in the stack deployed, and other systems variations or testing conditions may produce different results and may vary based on actual configuration, applications, specific queries and other variables in a production environment. Prices, where applicable, are based on published US list prices for both IBM and competitor, and the cost calculation compares the cost per request for the 3-year life of the machine. 3-year total cost of acquisition comparisons are based on similar expected hardware, software, service & support offerings.

Page 25

Try IBM Cloud Private today!

Guided and Proof of Technology demos

Free Community Edition!

https://www.ibm.com/cloud/garage/dte/tutorial/ibm-cloud-private-hosted-trial

Page 26

Secure Service Container Technology Overview

Page 27

Secure Service Container for IBM Cloud Private

Value Proposition: Enable organizations to manage Hybrid Cloud IT infrastructure without visibility to end user applications and customer data

❑ Protects data and applications against misuse of privileged HW/OS admin credentials – for internal & external threats

❑ Simplified solution deployment via Secure Service Container appliance foundation

❑ Supports the IBM Cloud Private / container management tooling used across IBM Systems platforms (IBM Z / LinuxONE, POWER, x86)

Offering Availability and Co-Requisites

❑ Announce: October 2nd, 2018 || GA: Mid-4Q2018*

❑ IBM Cloud Private for IBM Z / IBM LinuxONE

❑ HW FC 0104: Competitive Linux OS Entitlement and Support

❑ Application Development: Docker / Kubernetes & Helm charts

Securely hosts IBM Cloud Private Docker / Kubernetes (k8s) based solutions on IBM Z or LinuxONE Private and Hybrid cloud deployments

*All statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Page 28

What is the IBM Secure Service Container?

▪ IBM Secure Service Container provides the base infrastructure for an integration of operating system, middleware and software components into an appliance, which works autonomously and provides core services and infrastructure focusing on consumability and security.

Security – Easy to Deploy – Easy to Manage


Page 29

Values of Secure Service Container

Security – Easy to Deploy – Easy to Manage

Page 30

Values: Easy to deploy

− Deployment of a solution instead of different components

− Deployment without Operating System skills needed

− Deployment without solution skills needed

− Only 10 minutes needed to deploy the solution

− Deployment via a web installer

→ enable IBM Z for the cloud


Page 31

Values: Easy to manage

− Management of the appliance without Operating System skills

− Limited variance of settings

− RESTful APIs for automation

− UI for better user experience


Page 32

Values: Security

− System Admins don’t need to be trusted

− The solution leverages security features without code changes

− The Secure Service Container only boots untampered appliances

− Data and code are encrypted in flight and at rest

− The System Admin cannot access the memory or processor state

− No direct host or OS level interaction

− Only well-defined interfaces into and out of the appliance

− EAL5+ LPAR isolation for near ‘air gap’ separation of appliance environments on a single server footprint


Page 33

Values

− Protection from misuse of privileged user credentials

− The solution leverages security features without code changes

− Secure Service Container only boots untampered appliances

− Data and code are encrypted in flight and at rest

− System Admin cannot access the memory or processor state

− EAL5+ LPAR isolation for near ‘air-gap’ separation of appliance environments on a single server footprint

− No direct host or OS level interaction

− Only well-defined interfaces into and out of the appliance


Page 34

IBM Secure Service Container Appliance Concept

[Diagram: IBM Secure Service Container Appliance – layers: Base Operating System, Management Backend, Application Interfaces, Solution / Application; Management UI / REST API alongside]

Page 35

IBM Secure Service Container Docker Enablement

[Diagram: IBM Secure Service Container Appliance – layers: Base Operating System, Management Backend, Application Interfaces, Docker Enablement; Management UI / REST API alongside]

Page 36

IBM Secure Service Container: VM Isolation of Containers

Page 37

Secure Service Container for IBM Cloud Private Solution Components

FULL STACK SOLUTION

A software appliance based on the IBM Secure Service Container framework that can host dockerized workloads with a focus on superior data security in the cloud and on-premises.

Hosts ICP Kubernetes (k8s) worker and proxy node clusters to host containerized applications, delivering VM-level isolation to the applications.

Deploys the ICP worker and proxy nodes (and later the Master Node for IBM Z) into the VMs of the Secure Service Container for ICP Isolated VM image.

Components: CLI TOOL; ISOLATED VM FOR ICP; HOSTING APPLIANCE; IBM SECURE SERVICE CONTAINER FOR IBM CLOUD PRIVATE

[Diagram: solution stack (IaaS / PaaS / SaaS) – IBM Z or LinuxONE Server; FC 0104 Container Hosting Foundation; IBM Secure Service Container for IBM Cloud Private; IBM Cloud Private (ICP); Middleware / Services: IBM offered middleware and services, 3rd party ISV applications, customer homegrown applications]

Page 38

Differentiation: Security and Deployment

Software Appliance Form Factor for Simplified Deployment and Management

• Avoid management of low level execution environment
– Appliance encapsulates operating system, virtualization layer, management UI, REST API interface components
– Agile CI/CD update flow of Secure Service Container for ICP platform for feature enhancements, security fixes (CVEs), etc.
– Avoid lifecycle management of individual components

• Hybrid & Private Cloud Administrators
– Focus on deployment of k8s cluster to ICP worker / proxy nodes as infrastructure for containerized workloads

• Solution Developers
– Focus on building containerized applications

Protection from Misuse of Privileged Hardware & Operating System Credentials

• Encrypted Diagnostic Data (ex: Debug Dump Logs)
– First Failure Data Capture – data required to fix problem
– Dump targets host kernel data (log message buffers, etc.)
– Dump data encrypted – only accessible by service teams
– Alternative to memory display alter – minimal access to customer data

• Automatic File System Encryption (LUKS) – Data at Rest
– Encryption keys stored within appliance, not accessible
– Key Management via appliance life cycle export/import
– Docker container data connected to disk also encrypted

• Automatic Network Encryption (TLS) – Data in Flight
– Encrypted management REST API interfaces (i.e. storage, network configuration data, dumps, etc.)

• No Operating System Access
– No direct Host or OS level interaction - SSH Disabled
– Prevent user traditionally with host OS access from having visibility to application or customer data

(Diagram roles: Appliance; Storage Admin; Operating System Admin; System / Hardware Admin; Network Admin)

Infrastructure management organizations can manage the physical IT infrastructure without having visibility to their end users’ applications and customer data

Page 39

Offerings & SSC (as of 5th of October 2018)

On-Premises:

⚫ IBM z/VSE® Network Appliance (VNA)

⚫ The IBM z Advanced Workload Analysis Reporter (IBM zAware) Software Appliance

⚫ IBM Secure Service Container for IBM Cloud Private

On IBM Cloud:

⚫ IBM Blockchain Platform

⚫ IBM Cloud Hyper Protect DBaaS**

⚫ IBM Cloud Hyper Protect Containers***

⚫ IBM Cloud Hyper Protect Crypto Services**

* upcoming solution ** experimental service *** early program

IBM Db2 Analytics Accelerator – delivers high-speed processing for complex Db2 queries to support business-critical reporting and analytic workloads (”Docker enablement”): https://www.idug.org/p/bl/et/blogaid=767

Page 40

Why run Secure Service Container

Integrated Crypto Hardware: In-core hardware-accelerated encryption that is 2x – 7x as fast as x86; True Random Number Generator (TRNG); PCIe Hardware Security Module (IBM Crypto Express6S) designed to meet FIPS 140-2 Level 4

Data Encryption: Broadly protect Linux file systems using policy-controlled encryption that is transparent to applications and databases

Network Encryption: Protect network traffic using standards-based encryption end to end; hardware-accelerated network encryption algorithms (e.g. SSL/TLS, VPN/IPSec, etc.)

Key Encryption & Management: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates

Time Source Security: Protects against falsifying or altering time information

Workload Isolation: Tamper-proof firmware also provides the highest level of multitenant workload isolation

Page 41

z/OS Cloud Broker for ICP

Page 42 (repeat of Page 22: A heterogeneous environment across Intel, Power, IBM Z and public cloud)

Page 43

Provisioning

[Diagram: Provisioning flow – IBM Cloud Private Helm charts (Db2 subsystem, Db2 Schema, IMS, CICS, Tomcat, Jenkins, Liberty, other…) issue REST calls to the z/OS Cloud Broker; the broker imports z/OSMF templates (e.g. cics54_DEMOPLX: workflows, variables, JCLs, REXX) and provisions through the z/OSMF REST API; any REST client, cloud portal or DevOps pipeline can trigger provisioning; Linux or Linux on Power, OpenShift (optional)]

Page 44

z/OS Cloud Connect Planned Subsystem Support

Services: Description

DB2: Services to provision/de-provision DB2 subsystems, schemas, and databases + snapshot / restore (new)

CICS: Services to provision/de-provision CICS regions

IMS: Services to provision/de-provision IMS TM/DB systems and IMS FastPath databases

MQ: Services to provision/de-provision MQ Queue Manager subsystem and load messages

WAS: WLP server provisioning (with option to connect to Db2 data source with type 2 or type 4 connectivity)

z/OS Connect: Services to provision/de-provision z/OS Connect (new)

Page 45

Page 46

Questions?

Page 47

References

Docker / Kubernetes (k8s) / Container Technology Guides

• Basic Docker Information: YouTube Video

• How to Build Docker Containers (run on s390x and reference s390x images): Dockerfile and Builder

• Hands-on Kubernetes (k8s) course: Sandbox Environment

Available Docker Images for IBM Z and LinuxONE

• IBM Commercial Offerings available in Docker Images: IBM Z Commercial

• Officially supported Docker images: Docker Store (s390x)

• Community Edition Docker images: Docker Hub (s390x)

IBM Cloud Private, Kubernetes

• IBM Cloud Private v2.1.0* Documentation

• IBM Cloud Private Components

• Managing Helm repositories

• Configuring LDAP connection

• Monitoring the platform

• IBM Cloud Private Channel Technical Enablement Guide

• IBM Cloud Private Foundational Technology Skills

• IBM Cloud Private Featured IBM Applications

• IBM Skills Gateway Kubernetes Skills References

• IBM Cloud Private v2.1.0.3 Community Edition Download

IBM Z and LinuxONE with Docker

• FAQ: Docker and IBM Z

• IBM Knowledge Center (DEV): Running Docker Containers on IBM Z

• A Developer’s Blog for Docker on IBM Z: http://containerz.blogspot.com/

• Multi-Architecture Support for Docker Images: Blog, Video

IBM Secure Service Container

• IBM Secure Service Container User’s Guide (DEV): Secure Service Container User’s Guide

• IBM Systems Magazine: Secure Service Containers are a Virtual Appliance Framework for Sensitive Workloads

Page 48

Glossary

▪ Appliance – a binary image that combines an operating system, security features, middleware, and management function

▪ CLI Tool – Command Line Interface Tool that (1) creates the ICP cluster, including create / delete / restart of cluster VMs, and connects the IBM Cloud Private base framework to the cluster VM; (2) enables communication between the IBM Cloud Private base framework and Secure Service Container for ICP; (3) provides lifecycle management, i.e. bundles / wraps / integrates the REST API calls made from the IBM Cloud Private base framework to Secure Service Container for ICP; optional if the wrapper is automated in the tool; can provide IBM Cloud Private with the same feel as on x86; resides in the IBM Cloud Private base framework

▪ Cluster VM – Docker image that hosts ICP worker nodes; instantiated into Secure Service Container for ICP appliance by REST API calls from the CLI tool

▪ Helm Chart – a package manager for k8s that allows for seamless deployment of containers through a set of commands: helm deploy, helm rollback, helm upgrade, helm delete

▪ Hybrid Cluster – worker nodes exist on x86 (or POWER) and IBM Z / LinuxONE servers; note the attack vector includes the ICP master node and every worker node on x86 belonging to that cluster

▪ IBM Cloud Private – Kubernetes-based, docker-container, open platform with PaaS and developer services; (aka ICP)

▪ ICP Cluster – an instance of managed ICP Worker, Proxy, and Master nodes. Can also be referred to as k8s cluster.

▪ ICP Installer – brings up ICP worker and ICP proxy on Secure Service Container for ICP appliance

▪ ICP Master Node – management node for IBM Cloud Private. 1 to 1 ratio to an ICP cluster. For the current state of 1 ICP cluster with 1 master running on x86 or POWER, where worker node(s) can run on Z / LinuxONE, the workers belong to the same cluster (k8s); stage 1 runs on x86 or POWER; controls, deploys, manages, detects issues and provides automatic correction on worker nodes running across all these different platforms and systems

▪ ICP Worker Node – hosts k8s managed Docker containers of an application

▪ User with Privileged Credentials – Has elevated or privileged credentials that would traditionally give them access to data and code running in a partition, even if not required by their job function. Secure Service Container protects against erroneous or malicious use of those privileged credentials

▪ SSH Key – Utilized by Cloud Admin as part of issued REST API calls to enable the ICP master (on x86/POWER) to start ICP worker nodes (on IBM Z / LinuxONE)

▪ Tenant – an instance of a workload

▪ Team – group of people with access to running workload, tenant, or organization

▪ User with NON-Privileged Credentials – Has visibility to the data and application running inside Secure Service Container per job function (need to know); trust that they will not use their visibility to maliciously or erroneously access the contents of the Secure Service Container

NOTE: support for x86 hosted ICP master node is planned for GA; POWER hosted ICP master node is TBD and under investigation