Predicting Tech: Is This The True Rush To The Cloud?

A few thoughts on cloud with an hour left at work on a Friday.

Hosted services aren’t new. Virtualization isn’t new. The practice of hosting applications grew out of advancements in virtualization technology. Remember it was mainframes that began offering “virtualized partitions” – what we know of today as logical partitions, or what were called LPARs in the 1960s. This technology eventually moved to the distributed world and allowed single physical boxes to host multiple, isolated environments or clients. Thus was born the first hosted applications, or what we can consider early cloud solutions.

Today the technology has advanced far beyond these simple examples. Hardware’s virtualized. So are applications. Memory, IO and network connectivity are not only virtualized, but now also managed (either by the hardware, the operating system or third-party software) to involve real-time redundancy and failover to produce nearly 100% uptime availability.

Thus we see old factory buildings and warehouses being repurposed as datacenters. Add in some redundant power, cooling and network connections and anyone can set up and host a cloud server farm. Seems like the rush has arrived, right?

Not so fast. There is a bullrush to move everything possible into the cloud. For the public at large, it’s a great way to store and access music, share photos, run productivity applications like Salesforce and Word and stream video. For a business, it’s a great way to add functionality without increased overhead. You don’t need a cross-company hardware upgrade or extra seat to support a new bit of enterprise software. The software is hosted, it runs through a browser and the cloud services provider handles backup, availability and most support (which you’ll want to confirm and evaluate, of course).

Yet for all the hype, the true rush-to-cloud hasn’t yet begun. Remember, when you move any portion of business or functionality into the cloud, you’re inevitably going to face bandwidth issues like massive upload queues, taxed servers, partial data loss or decay and all the other headaches that come from relying on someone else to deliver functionality that used to reside in-house. Total solutions have not yet arrived, but are on the way.

That’s why I argue that the true cloud rush probably won’t come until sometime in late-2015/early-2016.

What do you think? And why? Sound off in the comments section below.

Want to know more about how to move into the cloud? Contact TxMQ: (716) 636-0070 or [email protected].

Use Asset Management To Control Costs And Create A More Secure Enterprise Environment

Enterprise environments, by nature, are often cluttered with all sorts of licensed, previously licensed and probably some unlicensed applications and tools in various states of use. Think: Does your business maintain an install and uninstall record of all software? How well did your IT department document that project 2 years ago where you brought in all those contractors and software tools you haven’t used since? Did the project closeout include the uninstallation and/or decommissioning of no-longer-needed hardware and software? Based on what we’ve seen in the marketplace, the answers are not always, not well and not at all.
While this is an area that sits squarely under the umbrella of asset management, it also touches on compliance, process and control.
Gaps in these areas create two very real problems.
1. An audit from a software vendor, say IBM, that reveals unpaid licensed software can generate large and unforeseen charges – especially if your company has grown substantially since the original install date.
2. Hackers are expert at exploiting the sorts of weaknesses these lapses can create. Oftentimes, the hacks come from within the organization, not from the outside.
There are a number of tools to help companies with asset management.
IBM’s License Metric Tool, or ILMT, is a free IBM-specific tool under its new Tivoli-based IBM Endpoint Manager. (The prior version of ILMT was server-based.) ILMT acts like a ferret: Install it, let it out of its cage and it will start digging to find every IBM product running on the servers (there is a bit more to the installation than this, but the author hopes you understand the analogy). Analysts can then easily map the findings to understand locations, history, activity and license agreements.
ILMT is free, hence its limitation: It can only detect and report IBM software. A buy-up to the Software Use Analysis (SUA) tool, which also runs under the IBM Endpoint Manager, can detect non-IBM software. That means you can quickly and easily map Oracle, Microsoft and other commonly licensed software – whether active, inactive or hidden.
A recent Gartner Report evaluated the new IBM Endpoint Manager for ILMT and SUA against competitors, identified it as a “Leader” and noted:
“Endpoint Manager’s primary differentiator is that the tool’s intelligence is on the endpoint, rather than the server. This allows the agent to actively discover a deviation from policy and execute remediation, rather than rely on a predefined schedule of system scans and subsequent server-side reporting. This enables organizations to maintain higher degrees of configuration compliance. The product’s endpoint-oriented control, along with its relay server architecture, results in a relatively small server footprint to support the Endpoint Manager environment, and makes it a good fit for highly distributed environments.”
But the report cautioned: “Uptake of OS deployment remains low. Organizations cite a lack of documentation and known best practices to use this module effectively. Certain patches (e.g., Microsoft nonsecurity) often require manual configuration prior to deployment. IBM’s packaging, bundling options and pricing of its various management functionality are complex and can be challenging for users to understand.”
As an IBM Premier Partner, TxMQ is uniquely qualified to help your business acquire, install, run and act on the results of IBM Endpoint Manager for ILMT and/or SUA.
To get started, contact TxMQ vice president and middleware specialist Miles Roty: (716) 636-0070 x226, [email protected], LinkedIn.com/In/MilesRoty.
Photo courtesy of Sean MacEntee.

Tracking IoT Conversations: Where The Material Meets The Ethereal

There’s been a marked increase in chatter about the coming IoT – the “internet of things” – with some important revelations and developments this week and last about the quick ramp-up of this emerging and potentially $19T space.
When you track the conversation, there’s an important distinction in voice. On the one hand we have the makers of the things (those ones who manufacture the objects). On the other we have the connectors of the things (those who write the software to network the objects). The one hand is the material, the other the ethereal.
A strong voice within the maker space is German industrial powerhouse Robert Bosch, Inc. The company’s chairman of the board of management Volkmar Denner recently gave an interview to the German newspaper Welt am Sonntag. Denner was asked about Google and whether Google (aided by its $3B acquisition of Nest) will grow to dominate the interconnectivity of everyday physical objects like garage-door openers, bicycles, thermostats, cars and power tools, just as it dominates search, user video and a major chunk of mobile. Here’s a snippet from the interview:
Welt am Sonntag: Google has also acquired the connected device company Nest, so it is making inroads into the world of physical objects. Will Google dominate the internet of things?
Denner: In my view, it’s still not been decided who will play the most important part in the internet of things – IT companies or companies that truly understand the objects themselves. It’s often forgotten that Bosch already produces software that is integrated into objects. This is an area we have a better handle on than the dedicated IT software houses. In the connected world, Bosch benefits from a combination of both hardware and software expertise – coupled with our broad technical base and the depth of our knowledge of the sector.
Welt am Sonntag: So is Google being overvalued?
Denner: I have great respect for Google. But what’s essential here is to have expertise in physical objects. And we are currently seeing that IT companies are in fact still struggling to get to grips with the world of objects. It’s no easy task to reliably manufacture good, high-quality objects.
Denner’s comments set a nice springboard for this week’s news that Bosch Automotive – the corporation’s largest business segment, which represents 66% of Bosch’s annual $6.3B revenue – partnered with IBM to create a brand new engineering platform for auto-component connectivity. A joint press release announced the partnership and noted: “Driven by innovation in consumer electronics technology, the automotive sector is under immense evolutionary pressure. Today’s vehicles are more connected than ever – containing as many as 100 computerized controllers and 10 million lines of software code. As vehicle complexity continues to rise, automotive suppliers must address pressures to reduce costs and to innovate quickly, while also managing the intense challenge of delivering vehicle quality.”
So here’s a situation where Bosch and IBM created a partnership to co-develop the material and the ethereal from day-1 planning through process and into production – the exact combination Denner says is critical to succeed within the new now of the IoT. It’s an important distinction, again because in the emerging world of the IoT, connectivity must be a germinal, not latent thought. The influence of Steve Jobs is obvious.
Maybe this will be the ultimate legacy of Steve Jobs, who first championed the marriage of OS and hardware in Apple 1.0, then later developed the holy trinity of integrated OS, hardware and industrial design in Apple 2.0. A legacy whereby the equal interplay of connectivity, materials and design will revolutionize and guide the 21st century of manufacturing, the same way Ford’s assembly line revolutionized and guided the 20th century.
All of which then sets up important commentary from the application-side of the discussion. I recommend you take the time to read Dr. Hossein Eslambolchi’s 3-part series on the internet of things.
Dr. Eslambolchi argues for an application-aware network (AAN) model to connect the world’s physical objects and sets up his argument by stating: “Once a century, a new industry revolutionizes the way we live. This century, that industry is the internet of everything (IoT).” He later says: “Comparable to how the introduction of hosting services dramatically changed the web, the AAN will generate a similar shift in how companies view networking. I do believe every company is beginning to change the game for customers by turning the network ‘inside out’ – creating a user-centered, application-driven network. This is unlike the model of the 20th century with the network being the core and application at the edge. I like to think of this as rotating the direction of thinking from application outward to networks that support it in both wireless and wireline businesses across the globe.”
There’s a good bit of futurespeak there, but Dr. Eslambolchi points to the inescapable fact that the application layer has grown immensely in size and response, and right now, manufacturers large and small can gain easy access into the IoT through the application layer.
If you’re coming at the conversation from the material side, application awareness and access might seem a bit complicated. The good news is that low-cost, high-value tools are available right now to connect web-enabled physical objects.
Let’s say you’re a manufacturer of a web-enabled object, or have plans to launch a web-enabled object like a garage-door opener, a fishing reel, a bicycle or a pedometer. An Application Programming Interface (API) is the logical networking choice right now. More and more companies are developing and exposing APIs. One reason is that public-facing production can be quite simple through a custom API that interfaces with any number of different platforms including phones, pads, desktop browsers and even social-media notification systems.
TxMQ typically recommends IBM API Management Suite for API exposure and management. It sits on top of IBM’s DataPower Appliances and not only handles the management of any API(s) you wish to expose, but adds a security layer as well.
Here’s a plain-language example. Let’s say you’ve just released a web-enabled garage-door opener. You’ve developed a use case whereby a homeowner is to be notified if the door opens any time between user-designated hours. You could craft a custom API to interface with mobile phones. You expose and manage the API, again with a security layer, entirely through the IBM API Management Suite. The solution allows you to offer smoother, more stable customer interface at the same time you slice development and monitoring costs within the smart-object market. And the big payoff comes during the next design cycle, when connectivity becomes your baseline principle – not an afterthought.
It’s one example among potential millions, but illustrates how small and large businesses need to connect their existing products starting today, and forward-engineer the interconnectivity of their products starting tomorrow.
Interested in learning more about the IBM API Management Suite and TxMQ’s custom API solutions? Visit TxMQ.com or send a confidential email to [email protected].
Click this link to read a previous TxMQ blog, authored last year by recruiter Corey Switzer-Kruss, about the IoT and the fourth industrial revolution.
(Photo courtesy of Flickr contributor GM)

WebSphere MQ v7.5 Security Concerns

Content contributed by Allan Bartleywood – Sr. MQ Subject Matter Expert
WebSphere MQ v7.5 security concerns seemed to be a resounding issue. We heard a lot of concerns regarding it while we were at the IBM Impact 2014 conference last week.

I do not believe it’s actually a concern for security when your organization is doing an upgrade to version 7.5, but more a concern as to whether your organization already has security enabled within your MQ environment.

At a lot of the organizations that I’ve consulted with, I’ve noticed that there is a lack of security actually implemented within the MQ environment. WebSphere MQ has always had security implemented that was focused at the operating system level where it was running.

With the latest WebSphere MQ v7.5, security features have been added to meet today’s demands. This includes support for Advanced Message Security, where the queue manager actually encrypts and decrypts messages as they go through the environment on an application’s put and get.

You can actually configure the queue manager down to individual queues so that only certain queues will have messages encrypted.

This feature provides the capability for messages to meet compliance requirements like HIPAA and PCI compliance. While data is in transit, it is encrypted by the messaging transport without any special requirements being added to the applications.

This will, of course, mean that from the time a message is put onto a queue to the time it is gotten off the queue, it has been encrypted. Further security enhancements are provided to ensure that only certain applications will get the message decrypted from a given queue.

All of these features are out of the box, with no added installs and no compatibility issues being encountered.

Going back to whether organizations are actually implementing suitable levels of security within their messaging environment is another matter. What is quite often seen is that administration and application usage of MQ is left open, that is, security has not been enabled at all.

This is normally due to a conscious decision or simply a lack of knowledge of the capabilities of the product; or a lack of understanding of the security policies and implications relating to the data that is being sent over the messaging environment.

It is not uncommon to see administrators using client connections to queue managers over the server connection channel with no authentication at all. It is also not uncommon to see the queue manager with channel authentication disabled.

So are the security concerns about upgrading to version 7.5 related to a lack of understanding and knowledge of what the security capabilities are within 7.5, and to pressure being put on IT for tighter security compliance, rather than to whether 7.5 is capable of delivering services to these tighter security compliance requirements?

There are also situations where IT sees the requirement for better security compliance but the business doesn’t understand what the compliance requirements are.
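As an added example, not code from TxMQ or IBM, here is a small Python audit of the two open-access patterns described above. It parses the text that `runmqsc` prints for `DISPLAY QMGR CHLAUTH` and `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLCAUTH`, flags server-connection channels that accept unauthenticated clients, and prints the MQSC a reviewer could start from; the queue manager name QM1, the channel names and the sample output are constructed for the demonstration.

```python
import re

# Constructed sample of what `runmqsc QM1` prints for the two DISPLAY
# commands echoed below. Queue manager and channel names are made up;
# the NAME(VALUE) column layout follows real runmqsc output.
SAMPLE_RUNMQSC = """\
     1 : DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(DISABLED)
     2 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLCAUTH
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(OPTIONAL)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCAUTH(OPTIONAL)
   SSLCIPH( )
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")   # NAME(VALUE) pairs
ECHO_RE = re.compile(r"^\s*\d+ : ")             # runmqsc command echo


def parse_runmqsc(text):
    """Split runmqsc output into (qmgr_attrs, [channel_attrs, ...]).

    AMQ8408 starts the queue manager record and each AMQ8414 starts a new
    channel record. Values are stripped, so MCAUSER( ) becomes ''.
    """
    qmgr, channels, current = {}, [], None
    for line in text.splitlines():
        if ECHO_RE.match(line):
            continue
        if line.startswith("AMQ8408"):
            current = qmgr
            continue
        if line.startswith("AMQ8414"):
            current = {}
            channels.append(current)
            continue
        if current is None or not line.startswith("   "):
            continue
        for name, value in ATTR_RE.findall(line):
            current[name] = value.strip()
    return qmgr, channels


def audit(qmgr, channels):
    """Return (object, problem) findings for the open-access patterns."""
    findings = []
    if qmgr.get("CHLAUTH") != "ENABLED":
        findings.append(("QMGR", "CHLAUTH not ENABLED: channel authentication "
                                 "records are ignored"))
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name = ch.get("CHANNEL", "?")
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append((name, "blank MCAUSER: the user ID the client "
                                   "asserts is used as-is"))
        elif mcauser == "mqm":
            findings.append((name, "MCAUSER(mqm): every connecting client "
                                   "becomes an MQ administrator"))
        if ch.get("SSLCIPH", "") == "":
            findings.append((name, "no SSLCIPH: no TLS, so no encryption and "
                                   "no certificate check on this channel"))
    return findings


def remediation_mqsc(findings):
    """Suggested MQSC for the findings above; review before running it.

    MCAUSER('nobody') is a hardening convention: the channel yields no
    usable identity unless a CHLAUTH rule maps the connection to one.
    """
    cmds = []
    for obj, problem in findings:
        if obj == "QMGR":
            cmds.append("ALTER QMGR CHLAUTH(ENABLED)")
            cmds.append("SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') "
                        "ACTION(REPLACE)")
        elif problem.startswith(("blank MCAUSER", "MCAUSER(mqm)")):
            cmds.append(f"ALTER CHANNEL('{obj}') CHLTYPE(SVRCONN) MCAUSER('nobody')")
    return cmds


if __name__ == "__main__":
    qm, chans = parse_runmqsc(SAMPLE_RUNMQSC)
    for obj, problem in audit(qm, chans):
        print(f"{obj}: {problem}")
    print("\n".join(remediation_mqsc(audit(qm, chans))))
```

Pipe real output in with `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLCAUTH" | runmqsc QM1` and feed it to parse_runmqsc; the blank-SSLCIPH finding is reported without a suggested command because cipher choice is a site decision.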

If you’re having WebSphere MQ v7.5 security concerns, please feel free to reach out to Wendy at TxMQ, [email protected] and let us answer your questions and guide your upgrade so all the proper security features are in place.

(Photo: Compliments of Still Burning)

Case Study: Middleware Gap Analysis

Prepared By: Allan Bartleywood, TxMQ Subject Matter Expert, Senior Consultant and Architect, MQ

Project Description

“Regional Bank A” has a technical infrastructure supporting application integration through the use of an Enterprise Service Bus (“ESB”) serving as mediator between application endpoints and other backend systems. This tier consists of several of the IBM WebSphere products including WebSphere MQ, WTX and Message Broker.
Working together, these products provide data transformation and routing so that data exchange occurs in native-application formats in near-real-time conditions, with data transformation occurring primarily in WebSphere Message Broker with connectivity to WTX for EDI format map transformation following pre-packaged EDI standards. Message flows are created by “Regional Bank A” projects for defining routing and data delivery rules for new or changed applications.
This environment requires regular, ongoing development support as well as quarterly software maintenance for regularly applying software patches related to Linux and Microsoft Windows operating-system software.

Overview of Findings

The recent reviews conducted by the performing consultant include the infrastructure components indicated in subsection 1. In review of infrastructure best practices for the financial services industry, the following findings were noted:
2.1 Monitoring Optimization for Performance Management & Capacity Planning
Generally speaking, there is significant opportunity to improve the monitoring approach to attain monitoring and management objectives in a way that is considerably more cost-effective than what is presently being practiced.
2.2 Infrastructure Security Strategy Following Pre-Regulatory Standards
Of note with regard to companies operating in the financial services industry, the security-regulatory environment has changed significantly in the past 10 years. The reported number of breaches in 2012 was astoundingly high at more than 1,000 occurrences. With such intensity of hacking efforts focused on financial services companies, it is imperative that security vulnerabilities be addressed as a priority, and that the highest standards and practices are implemented to guard against such attacks.
The areas identified for improvement are reviewed in the Security subsection below. There are several major components that must be addressed for “Regional Bank A” in the very near future.
2.3 Standards & Best Practices
Within the WebSphere product portfolio, there are several IBM standards and recommendations for installation, configuration and performance tuning for the infrastructure stack. In particular, the standards around the middleware-messaging components (“MQ”) were found to be inconsistent and in need of configuration management. Additionally, Java applications brokered on WebSphere Application Server were found to be running on Java Virtual Machines (“JVM”) that were not configured according to best practices across the board.
This type of situation generally occurs when multiple people are involved with installation and configuration activities, without the guidance and oversight of a middleware architect who would generally ensure that such standards are applied and documented across the topology. More observations and recommendations are shared in the subsections below.
2.4 Software Distribution and Deployment Automation
A review of “Regional Bank A’s” application-release process – i.e., how changes are made to the middleware environment – found the current process to be very informal. Because the environment is small, the implementation of automation at this time will provide significant process improvement and thus position “Regional Bank A” for growth. Without this automation, the ongoing cost of development efforts will continue to increase without accompanying levels of development output, due to the increasing complexity of changes and the effort required to manage so many moving parts. This area has been identified as a strategic area of investment for the “Regional Bank A” organization and application-growth enablement.

Monitoring Observations

For infrastructures that include an ESB, the standard monitoring approach should encompass the entire end-to-end view of the production technical components at both base server level and application level. This will capture end-to-end business transaction success or failure to complete, providing the ability to identify where specific failures are occurring. The approach should also include the ability to capture relevant data used for planning capacity, to understand and characterize the behavior of the end-to-end system, and to provide information used for middleware performance tuning.
“Regional Bank A’s” monitoring was found to be somewhat component focused with primary focus at the hardware level. Some stats are being captured at all levels, but not in a consistent way in terms of granularity or storage of information that would make the data useful for analysis.
Examples of what is being monitored today include:

  • Real-time usage by PID using TOP
  • Some collection of server stats in the O/S

The areas of suggested improvements include:

  • At Operating-System Level – Capture state and usage of each host (physical or virtual); if running virtually, it is critical that the state is known for the physical mapping to virtual.
  • At Application-Monitor Level – Critically available information depends on knowing the state (up/down/hung) of the application stack.
  • At Transaction-Monitor Level – Service management is dependent on knowing three things:
      1. How many transactions completed within the SLA?
      2. How many failed?
      3. How many were delayed?
  • It is also useful to know the service-response times, and stats concerning known bottlenecks such as page-load time, JVM utilization and metrics such as user-response time and invocation stats.
  • Proactive Monitoring – The plan for capacity high/low thresholds needs to be defined and regularly evaluated in response to events and situations where thresholds are exceeded but before an outage has actually occurred.
  • Performance Management & Capacity Planning – For effective cost management of this infrastructure, the initial implementation for the environments may be a subset of full capacity, with the intent to add to the environment as application growth occurs. To accompany this strategy, monitoring data must be captured and stored (using a data warehouse) for trending, tuning, and capacity-planning purposes.
  • “Regional Bank A” is currently not storing monitoring data for any significant length of time. Additionally, a data-maintenance strategy and centralized group to analyze and review performance data on a regular basis should be incorporated into the growth strategy.
  • Security – With recent regulatory changes, all unauthorized access of data must be reported. In order to comply, IT must have a logging strategy and log retention of security events expanded into this tier of infrastructure where application messages are currently passing through and security could be compromised.

Security Observations

The IT Security components involved with this particular infrastructure include:

  • SSL Certificate Management
  • Operating System Level Security
  • Message Security
  • Secure Connection Management
  • General Application Level Security
  • Period of Access

4.1 SSL Certificate Management Observations
There does not appear to be a centralized authority to govern the way certificates are issued, installed and managed for “Regional Bank A.” General process around certificate management includes: certificate issuance (i.e. purchase and download), installation/configuration by administrator, tracking and renewal of expired certs, secure and re-issuance process to avoid multiple use and/or counterfeit certs.
It was observed that SSL certificates were found in various directories on the server. Moving forward, the recommendation is that certificates be stored immediately upon receipt in a secure Key Store. Certificate files should then be deleted from all other locations and system files.

Message Security Observations
  • MQM group on UNIX should not contain any members other than system IDs
  • All application IDs and people-user IDs should be placed in other group IDs that are specifically configured for their access and usage alone
  • Root should never be a member of the MQM group
  • “Minimum privilege” groups should be created and used for “read” access and configured in MQ Security to the objects required for usage
  • In outsourced IT environments, support groups should have minimum access privileges to prevent outages related to accidental operational support activity
  • Best practice is to use an MQ Change Request ID to access the MQM ID via the Unix “sudo” command for applying any changes or maintenance to MQ objects. This approach is also commonly referred to as granting access using a “Firecall” ID for specific instances when access is actually required while fully logging all activities performed by the ID during the period of access.

4.2 Application Connectivity For Message Queuing
MQ Client connectivity provides access to applications running remotely (on the application servers) with the ability to put and get from MQ queues. During the review, it was suggested that all consumers of the MQ environment should use only a single Client Channel definition. This is not recommended and falls outside of best practice for the following reasons:

  • Lack of application association on each individual connect and disconnect.
  • Security Authorization Records become extremely difficult to manage (for example, identifying who had access when an actual breach occurred).
  • Operational support resolution will require longer and possibly multiple outages to identify root cause of connection issues (applications that are long running).
  • Heightened risk of outages to larger groups of users: When a single consumer encounters a connection issue, there is higher risk that all consumers will be “kicked off” while a channel bounce is done to resolve connectivity issues.

4.3 Application Server Management Observations include:

  • WAS processes running on the servers using Root ID – this is a major security violation in financial-services industry.
  • A “wasadmin” Unix non-expiry ID should be used for the running of all WAS processes.
  • Access to the “wasadmin” ID should be managed operationally, granting a “firecall ID” in the same manner as outlined above for access to the MQM ID for changes and support.

4.4 Middleware Security Using “sudo”
In UNIX, the sudo command is enabled to control access via groups or user ids. Sudo can be focused to just explicit commands and options, and should always have full audit enabled for logging of user activity.

Standards and Best Practices

Throughout all aspects of the review, there appeared to be a disconnect between the “Regional Bank A” teams and the managed-services provider teams that were implementing and providing first-level support for both WAS and MQ. This disconnect can be resolved by:
1. Defining a single set of Standards, Practices and Guidelines issued by “Regional Bank A” that require unilateral adherence by the MSP as well as by internal teams;
2. Setting up regular reviews of such policies and standards on a quarterly or project-by-project basis.
Architecture standards should exist in an ESB Architecture Guide, including the security policies for connectivity and access.
Other concerns and best practice observations are as follows:
5.1 WebSphere MQ
The key resource manager for all incoming and outgoing data for the ESB is controlled by the WebSphere MQ Queue Managers. Queue Manager base definitions were not found to be consistent and varied from default settings for what appear to be arbitrary reasons with high levels of inconsistencies across system and application-object configurations. These configurations do require some level of cleanup and maintenance for best practices environment management.
Use of NFS within the Linux/VM environment could be a regular source of compromise regarding high availability. When all other attempts have failed to resolve an NFS issue, the last resort is to bounce the NAS server, which results in immediate outage of all NAS services to all system consumers.
Instead, moving to a direct-storage product like Veritas™ Volume Manager is a cost-effective and reliable practice for ensuring high availability across clusters.
Also, consideration should be given to implementing MQ AMS (Advanced Message Security) to ensure compliance with PCI-DSS standards. This product is used to enforce encryption of messages at rest in the MQ queues to ensure that any and all access to queues will not provide access to readable message content. AMS in conjunction with MQ Security restriction of access will go far in preventing unauthorized access within this tier of the overall application architecture.
5.2 WebSphere Application Server
Several concerns were noted with the WAS implementation supporting “Regional Bank A’s” Java applications:

  • Operating systems not tuned according to minimum IBM standards
  • JVMs not tuned
  • Environment variables not being set
  • Single application/JVM profiles used on the assumption of securing data segregation of application data

Software Configuration Management and Deployment Automation

When changes are introduced into the ESB for software maintenance, when new applications are introduced, or when changes are made to enable better performance or transaction growth, a key area of concern for problem reduction and ongoing stability is to look at how such changes are introduced, tested and validated prior to deployment into the production environment where business transactions are running – the environment where interruption may involve loss of revenue for “Regional Bank A.”
Improvements in the following areas could be explored further for future engagement scope:
6.1 Software Configuration Management
How the application code is stored and version controlled is critical in the practice of software-configuration management. In addition, how the code is migrated to production is an area of extreme scrutiny for most financial-services companies. PCI compliance generally requires the demonstration of secure and formal access control around all source code and code-migration activities to production systems to ensure against introduction of rogue code or malware on financial systems.
Generally speaking, this is an area where best practice is quite mature as related to CMM and pre-Y2K efforts to manage the deployment of massive amounts of code change without business interruption – more from a stability and availability-management perspective.
Since most problems are related to changes made within the environment, most financial-services IT organizations are quite strict and process-oriented, with significant automation around the software-development life cycle (“SDLC”). The goal is to avoid business disruption caused by release testing in an environment that is not managed and controlled with the same configuration as production.
At “Regional Bank A,” application deployments are a highly manual effort with some utilization of homegrown scripts, which are subject to human error, inconsistent configurations, and are time-consuming to manage and support.
Key concerns with the current software-distribution strategy include:

  • High degree of error and inconsistencies
  • High labor cost in deployment process
  • High risk of losing skills relating to custom-deployment process and administrator knowledge of each application’s configuration and deployment requirements

Use of automation tools should be considered where:

  • Application changes are packaged into a deployment “bundle” with clear associations between the configuration changes and the application release dates for each environment
  • The automation tracks every individual component that constitutes a “bundle”
  • The back-end process is fully automated, including automated back-out of changes
  • The process provides both push-button, controlled/approved deployments and self-service levels of deployment
  • Changes are logged for configuration-management auditing
  • Access control is maximized for PCI-DSS compliance

6.2 Deployment Automation
In addition to managing the source code repository itself, management of deployment through deployment automation that encompasses both application changes as well as system changes is considered a best practice.
Though it is conceivable that scripts could be written to accommodate all of the various types of changes to all of the possible WebSphere products and components involved in the “REGIONAL BANK A” ESB configuration, it is not recommended due to the high complexity and amount of time required, which contributes to the overall cost of maintaining homegrown deployment scripts.
This reason alone is perhaps why “REGIONAL BANK A” deployments continue to be manual in nature.
In evaluating the available tools and utilities for automating WebSphere deployments, consider that deployments of ESB changes are generally of two types:

  • Application changes – Application changes include new message flows, new application queues, new .ear files or WTX maps, all of which are associated with each other, for version-control purposes, through the application bundle.
  • System changes – System-level changes include applying hot fixes, fix packs and major-release software-version levels. They can also involve environment-configuration settings such as adding a new application ID, group access, a database driver, resource-connection pooling configuration and other parameters that enable better performance and throughput. Additionally, WebSphere and Java version levels are somewhat independent of each other, yet they often have critical dependencies on each other in terms of application functionality, and thus require configuration management together with the application bundles.

As a result of the above, it is recommended that “Regional Bank A” consider packaged products that will automate systems as well as application deployments and manage technical dependencies without the use and ongoing maintenance of deployment scripts.
Because of the complexity of the ESB configuration, such products as Rational UDeploy in conjunction with Rational Team Concert are now considered a best-of-breed product combination for managing application configurations and software distribution for complex multi-product ESB customers.
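As an added illustration of what the “bundle” concept above means in practice, covering both the automation checklist in 6.1 and the application/system change split in 6.2, here is a small self-contained model of a deployment bundle: a manifest that tracks every component with its SHA-256 and kind, a pre-deploy integrity check that rejects anything altered after packaging, an append-only audit log for configuration-management review, and an automatic back-out when a post-install check fails. This is example code written for this page, not Regional Bank A’s scripts or any IBM product; the file names, contents and the “change-board” approver label are constructed for the demo.

```python
"""Added example, not Regional Bank A's scripts or any vendor product: a
self-describing deployment "bundle" with a component manifest, a pre-deploy
integrity check, an append-only audit log and automatic back-out.
File names, contents and the approver label are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(bundle: Path, release: str, components: dict) -> dict:
    """components maps a bundle-relative path to its kind: 'application'
    (flows, queues, .ear files, maps) or 'system' (fix packs, JVM/config).
    Each component is recorded with its SHA-256 so the bundle is verifiable."""
    entries = [{"path": rel, "kind": kind, "sha256": sha256_file(bundle / rel)}
               for rel, kind in components.items()]
    manifest = {"release": release, "components": entries}
    (bundle / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_bundle(bundle: Path) -> list:
    """Paths whose current digest differs from the manifest (empty = intact)."""
    manifest = json.loads((bundle / "manifest.json").read_text())
    return [c["path"] for c in manifest["components"]
            if sha256_file(bundle / c["path"]) != c["sha256"]]


def _audit(log: Path, **event) -> None:
    # One JSON line per deployment event, for configuration-management audit.
    event["time"] = datetime.now(timezone.utc).isoformat()
    with log.open("a") as fh:
        fh.write(json.dumps(event) + "\n")


def _restore(backups: dict) -> None:
    # Back-out: put every touched file back exactly as it was before deploy.
    for dst, bak in backups.items():
        if bak is None:
            dst.unlink(missing_ok=True)
        else:
            shutil.copy2(bak, dst)
            bak.unlink()


def deploy(bundle: Path, target: Path, log: Path, approver: str, check=None) -> str:
    """Install every manifest component into target. An optional check(path)
    validates each installed file; any failure triggers a full back-out.
    Returns 'deployed' or 'rolled_back'; a modified bundle is rejected."""
    manifest = json.loads((bundle / "manifest.json").read_text())
    drift = verify_bundle(bundle)
    if drift:
        _audit(log, release=manifest["release"], approver=approver,
               status="rejected", reason=f"modified since packaging: {drift}")
        raise ValueError(f"bundle modified since packaging: {drift}")
    backups = {}
    try:
        for c in manifest["components"]:
            dst = target / c["path"]
            dst.parent.mkdir(parents=True, exist_ok=True)
            if dst.exists():  # keep the previous version for back-out
                bak = dst.with_name(dst.name + ".bak")
                shutil.copy2(dst, bak)
                backups[dst] = bak
            else:
                backups[dst] = None
            shutil.copy2(bundle / c["path"], dst)
            if check is not None and not check(dst):
                raise RuntimeError(f"post-install check failed for {c['path']}")
    except Exception as exc:
        _restore(backups)
        _audit(log, release=manifest["release"], approver=approver,
               status="rolled_back", reason=str(exc))
        return "rolled_back"
    _audit(log, release=manifest["release"], approver=approver, status="deployed",
           components=[[c["path"], c["kind"], c["sha256"]] for c in manifest["components"]])
    return "deployed"


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    bundle, target, log = root / "bundle", root / "esb_node", root / "audit.jsonl"
    (bundle / "flows").mkdir(parents=True)
    (bundle / "config").mkdir()
    (bundle / "flows" / "orders.bar").write_bytes(b"flow v2")             # application change
    (bundle / "config" / "jvm.properties").write_text("maxHeap=1024m\n")  # system change
    kinds = {"flows/orders.bar": "application", "config/jvm.properties": "system"}
    build_manifest(bundle, "R2014.04", kinds)
    first = deploy(bundle, target, log, approver="change-board")
    # Second release: a failing post-install check must leave R2014.04 in place.
    (bundle / "flows" / "orders.bar").write_bytes(b"flow v3")
    build_manifest(bundle, "R2014.05", kinds)
    second = deploy(bundle, target, log, approver="change-board",
                    check=lambda p: p.read_bytes() != b"flow v3")  # simulated failed smoke test
    # A component altered after packaging is caught before anything is installed.
    (bundle / "config" / "jvm.properties").write_text("maxHeap=8g\n")
    return {"first": first, "second": second,
            "installed": (target / "flows" / "orders.bar").read_bytes().decode(),
            "drift": verify_bundle(bundle),
            "audit": [json.loads(l)["status"] for l in log.read_text().splitlines()]}
```

Running `demo()` deploys release R2014.04, rolls back R2014.05 when its post-install check fails (the node still serves “flow v2”), and reports the tampered `config/jvm.properties` as drift; the audit log then holds one line per outcome. A real tool adds approvals, environment promotion and dependency resolution on top of exactly these primitives, which is why the manual, script-per-component approach described above is hard to keep consistent.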
In closing, the review and recommendations above should be considered for initiating infrastructure projects that will address and close the items of key concern. Additionally, the initiation of projects for addressing future automation, performance management and growth of the ESB should also be considered in both the near future and beyond for strategic reasons, as well as for ongoing compliance and growth supportability.
Photo courtesy of Flickr contributor “Info Cash”

Heartbleed Attack

Bleeding Heart flowers are beautiful. Fragrant, indicative of summer, warm breeze, sunshine…ahhhh. Heartbleed? Another story. This is the newest internet virus attacking the security of millions of websites. It’s such a big deal that experts in the security industry are using terms like “catastrophic” and “devastating.” And unfortunately, there’s not much we can do to fix it. According to tomsguide.com, Heartbleed mainly creates problems on Web and email servers. Windows PCs, Macs and mobile devices aren’t directly affected, and antivirus software has no impact on Heartbleed. While systems admins across the globe are scrambling to patch server networks, the average internet user can do nothing but sit back and wait it out. If you want to be proactive in your efforts, here are some things you can do:
1. Change your passwords – Tumblr, Flickr, and Yahoo were particularly vulnerable to Heartbleed. Unlike many prominent sites, these three sites did not patch systems before the Heartbleed bug became public knowledge on Monday, April 7, 2014. “Security researchers…[April 8] used Heartbleed to capture usernames and passwords as random people logged into their Yahoo! mail accounts. If the good guys were doing that, you can bet the bad guys were, too.” If your Yahoo! password is used for any other accounts you have online, you should also change the password to those accounts.
2. Change Google, Facebook and Dropbox passwords, too. Even though it has not been proven these sites were susceptible to this particular attack, they were vulnerable to it in past years. One of the trickiest things about Heartbleed is its ghostly appearance. It can attack and leave no trace behind. Systems administrators may never know that they have been compromised.
3. Log out of all apps on mobile devices. A lot of times, mobile apps use authorization tokens to keep you logged in, especially to Gmail, Dropbox and Yahoo! mail. If you manually log out of those mobile services, then log back in, all your previous tokens will be cleared and replaced with new ones.
4. Change your password when asked. Even if you change your password now, some systems may request that you change your password again in a few days. If you’re asked again, do it. It’s for your own good, once the breached sites have sorted out the issues left by the attack.
5. If you have Linux, update your OS. Ubuntu Linux is particularly vulnerable, which means its derivatives, Linux Mint and SteamOS, likely are, too.
6. Set up two-factor authentication. Many sites offer two-step authentication, which means that attackers can only log in from a remote device if they actually physically have the device. Several sites, including Google, Facebook, Twitter, Yahoo, Dropbox, Microsoft and LinkedIn, offer two-factor authentication. Most servers that use Microsoft weren’t impacted by Heartbleed, and many other major sites like Amazon, eBay, PayPal and most major banks weren’t either.
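Step 5 tells Linux users to update, but not how to tell whether the OpenSSL on a machine is in the affected range. The following is an added example, not from the post: it classifies the output of `openssl version` against the releases that shipped the vulnerable heartbeat code (upstream OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the TLS heartbeat extension). One caveat for the reader: distributions such as Ubuntu, Debian and Red Hat backport the fix into packages that still print the old upstream number (for example “1.0.1e”), so “affected” here means “check your package changelog”, and `openssl version -b` (the build date) is a useful second hint that a rebuilt package is installed.

```python
"""Added example, not from the post: classify an `openssl version` line against
the Heartbleed-affected upstream releases. Distro-patched builds keep the old
version string, so treat "affected" as "verify the package", not as proof."""
import re
import shutil
import subprocess
from typing import Optional

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def heartbleed_affected(version_line: str) -> bool:
    """True when the upstream release number is in the affected range:
    1.0.1 (including its pre-releases) up to and including 1.0.1f, plus 1.0.2-beta1."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version line: {version_line!r}")
    major, minor, patch, letter, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    if release == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) and a..f; g and later are fixed
    if release == (1, 0, 2):
        return beta == "-beta1"       # the only 1.0.2 pre-release that shipped the bug
    return False                      # 0.9.8 and 1.0.0 never had the heartbeat extension


def local_openssl_version() -> Optional[str]:
    """Output of `openssl version` on this machine, or None if no binary is present."""
    if shutil.which("openssl") is None:
        return None
    return subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    line = local_openssl_version()
    if line is None:
        print("no openssl binary found")
    else:
        verdict = "in affected range (verify package)" if heartbleed_affected(line) else "not affected"
        print(line.strip(), "->", verdict)
```

On a Ubuntu 14.04 host the line reads “OpenSSL 1.0.1f …”, which this classifier flags even though the shipped package already carried the fix, which is exactly the backport caveat above; the version string is a first filter, and the package version and build date settle it.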
PROMINENT SITES TO CHANGE PASSWORDS

  • Yahoo!
  • Flickr
  • Tumblr
  • Ars Technica
  • IFTTT
  • Blogger/Blogspot
  • Dropbox
  • Facebook
  • Electronic Frontier Foundation
  • Etsy
  • Google
  • Imgur
  • Instagram
  • Netflix
  • OKCupid
  • Pinterest
  • Stack Overflow
  • Wikipedia
  • Woot
  • WordPress.com/WordPress.org
  • YouTube

(Photo courtesy of Flickr contributor Global Panorama.)

Microsoft Ending Technical Support On XP

According to the Boston Globe (March 13, 2014) almost 30% of the world’s desktop computers run Microsoft Corp.’s Windows XP, as do 95% of the world’s ATMs (per ATM maker NCR Corp.).
However, on April 8, 2014, Microsoft will stop providing technical support for the software. After the XP sunset, there won’t be any further updates or security patches, and protecting any sensitive data you may have from online piracy may prove to be difficult. You may become a ticking time bomb.
Microsoft will continue to update the XP version of its free Security Essentials program until July 2015. Other security software makers will do the same, but virus programs usually filter out attacks only after the damage is done. Besides, the security flaw that made the attack possible will still be present.
In addition, the Globe notes that a single compromised computer in a home or office network exposes all the other computers on that network to attack.
So what are your options?
1. Buy a new computer
2. Install the open operating system, Linux, as an easy interface with Windows
3. Complete a full Windows upgrade, with computers running Windows 7 instead of Windows 8, which many have labeled user-unfriendly.
4. Purchase an external hard drive and use it to back up all files on your old machine
Source: http://www.bostonglobe.com/business/2014/03/12/for-windows-end-nigh-and-that-good/XH7GAsQ9Xs3IpXzDu2wrcO/story.html
(Photo: Sunset background courtesy of Kevin Dooley on Flickr.)

IBM Announces Fix Packs

Fix Central

 
Fix Central provides fixes and updates for your system’s software. You can find the fix or fixes you are looking for by searching by product, by fix ID, or by APAR. Fix Central also helps you identify any prerequisite or co-requisite fixes associated with the fixes you want to download.
New Fix Packs
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2 
IBM WebSphere Application Server Version 8.5 Fix Pack 2 for all platforms, also known as Version 8.5.0.2
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8 
IBM WebSphere Application Server Version 8.0 Fix Pack 8 for all platforms, also known as Version 8.0.0.8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31 
IBM WebSphere Application Server Version 7.0 and WebSphere DMZ Secure Proxy Server Version 7.0 Fix Pack 31 for all platforms, also known as Version 7.0.0.31
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server 
IBM WebSphere Application Server Cumulative Fix for IBM SDK, Solaris Java SDK and HP-UX Java SDK.
Recommended fixes for WebSphere Application Server 
A comprehensive list of recommended, generally available (GA) fixes for IBM WebSphere Application Server releases. Fix packs are cumulative. When a prerequisite or co-requisite fix pack is recommended, that specific fix pack or a later fix pack can be applied. For example, if Fix Pack 7.0.0.9 is required, applying Fix Pack 7.0.0.9, 7.0.0.11, 7.0.0.13, or a later fix pack is valid. Tables are organized by version in the order they were released.
IBM Electronic Support 
IBM Electronic Support offers on-line support tools and resources to help you diagnose and resolve problems, and maintain your IBM products.
IBM Software Support Lifecycle 
Find detailed information about the available IBM Software Support Lifecycle Policies to help you realize the full value of your IBM software products.
IBM Support Assistant News 
This document provides the latest news and announcements for IBM Support Assistant V5 Team Server and IBM Support Assistant V4.1 Workbench.
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.31
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 7.0.0.31
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.8 
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.8
PM91417;7.0.0: provide option for backwards compatibility for earexpander 
Partial application updates will not update JARs in non-active Java EE locations.
Recommended values for web server plug-in config 
In the web server plug-in, what do the LoadBalanceWeight, MaxConnections, ConnectTimeout, ServerIOTimeout, RetryInterval, IgnoreAffinityRequests, and GetDWLMTable options mean and what are the recommended settings for these options?
Exception occurs during recovery of Oracle database transactions 
When WebSphere Application Server attempts to recover Oracle database transactions and an exception is issued.
Using IBM Installation Manager for installing WebSphere Application Server Version 7.0 feature packs 
Usage of the IBM Installation Manager with IBM WebSphere Application Server Version 7.0 is limited to install, update, and uninstall of version 7 feature packs only.
Fixes by version for WebSphere Application Server 
A comprehensive list of recommended, generally available (GA) fixes for WebSphere Application Server releases.
(Photo: Wrenches 2 by Julia Manzerova, on Flickr)

Potential Security Issues fixed In IBM WAS 8.0.0.8

Beware potential forgery.
WebSphere Application Server (WAS) could be vulnerable to a cross-site request forgery, caused by improper validation of portlets in the administrative console. By persuading a user to visit a malicious web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81014 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server (IBM WAS) Versions are affected:
Version 8.5
Version 8.0
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM72275, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.25:
Apply Fix Pack 27 (7.0.0.27), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-4053 (PM90949 and PM91521)
DESCRIPTION: WebSphere Application Server using WS-Security and configured for XML Digital Signature using trust store, could allow a network attacker to gain elevated privileges on the system, caused by improper checking of the certificate.
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86505 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF for WebSphere Application Server as noted below:
For IBM WebSphere Application Server (PM90949)
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
OR
APAR Interim Fix:
Find your applicable Version for APAR Interim Fix PM90949
Ensure you are at the minimally required Fix Pack Level before installing the APAR Interim Fix, then
Apply the APAR Interim Fix
For IBM WebSphere Application Server Feature Pack for Web Services (PM91521)
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
OR
APAR Interim Fix:
Find your applicable Version for APAR Interim Fix PM91521
Ensure you are at the minimally required Fix Pack Level before installing the APAR Interim Fix, then
Apply the APAR Interim Fix
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-4052 (PM91892)
DESCRIPTION: WebSphere Application Server could allow a cross-site scripting attack, caused by improper validation of input in the UDDI Administrative console. A network attacker could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86504 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM91892, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-5414 (PM92313)
DESCRIPTION: WebSphere Application Server could allow existing users to gain elevated privileges on the system caused by incorrect Administration Security roles being assigned after migration from version 6.1 or later.
NOTE: If a migration from WebSphere Application Server Version 6.1 or later has already been performed, all users designated with “adminsecmanager” (Administrative Security Manager) role need to be evaluated to determine if they should have both “admin” role and “adminsecmanager” role. Some users may not need both designations and the privileges should be removed accordingly.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87476 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM92313, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): If a migration from WebSphere Application Server Version 6.1 or later has already been performed, all users designated with “adminsecmanager” role need to be evaluated to determine if they should have both “admin” role and “adminsecmanager” (Administrative Security Manager) role. Some users may not need both designations and the privileges should be removed accordingly.
Mitigation(s): none
CVE ID: CVE-2013-5417 (PM93323 and PM93944)
DESCRIPTION: WebSphere Application Server could be vulnerable to cross-site scripting, caused by improper validation of application HTTP response data.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87479 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing APAR PM93323 for IBM WebSphere Application Server Full Profile or APAR PM93944 for IBM WebSphere Application Server Liberty Profile, as noted below:
For IBM WebSphere Application Server Full Profile
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For IBM WebSphere Application Server Liberty Profile
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-5418 (PM96477)
DESCRIPTION: WebSphere Application Server could allow a cross-site scripting attack, caused by improper validation of input in the Administrative console. A remote attacker could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87480 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM96477, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-6725 (PM98132)
DESCRIPTION: IBM WebSphere Application Server may be vulnerable to cross-site scripting, caused by improper validation of input in the Administrative Console. A remote attacker with Administrative authority could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89280 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM98132, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.1:
Apply Fix Pack 2 (8.5.5.2), or later (targeted to be available 28 April 2014).
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-6325 (PM99450)
DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service, caused by improper handling of requests by a web services endpoint. By passing a specially-crafted request, a remote attacker could exploit this vulnerability to consume available resources.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88906 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM99450, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.1:
Apply Fix Pack 2 (8.5.5.2), or later (targeted to be available 28 April 2014).
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
IBM SDK: Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 7.0.0.31
http://www.ibm.com/support/docview.wss?&uid=swg21655990
Important note:
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21661325&acss=danl_334_email
(Photo courtesy of Flickr contributor brykmantra.)

Lifecycle Dates For The Hardware Generation Machine Types – Includes DataPower, Cast Iron & More

The table lists the planned dates that Remote Technical Support will be withdrawn for each Hardware Generation of the IBM WebSphere Appliances – DataPower, Cast Iron, along with IBM Workload Deployer and IBM Cloudburst appliances:
All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an “as is” basis, without warranty of any kind.
Notes
• IBM may make support extensions available, for an additional fee, after the standard service end date has passed and for as long as inventory and capability are sustainable
• Extended service maintenance agreements contain limited terms and conditions. Refer to the Service Extension agreement for more details. Contact your IBM Sales rep for additional information regarding extended service maintenance agreements.