Encryption when communicating to CMOD 8.3 z/OS with ODWEK

[Lorelei]

We have recently been asked by our security office to encrypt all in-flight data and we have been told by IBM that ODWEK does not support the use of SSL.  I am asking what others are doing to encrypt data being sent using ODWEK APIs to the CMOD 8.3 database.  Specifically we are sending from Websphere to an Enterprise Server z/OS.

Thanks, Lorelei
BlueCross BlueSheild of South Carolina

[Justin Derrick]

Hi Lorelei.

You're not the first, and certainly won't be the last to ask for encryption of CMOD sessions between clients and servers.  I've asked IBM to implement SSL for CMOD, and the answer in general terms is that the impact to server performance is too high.

I haven't been privy to the solutions implemented, but my first guess is that implementing ODWEK on the same server instance as CMOD gets you half of the way there, since the back-end requests don't have to go over a physical network.

For what it's worth, the data that CMOD whizzes back and forth is in a proprietary compressed format.  Obscurity isn't security, but it's another barrier that will keep casual eavesdroppers from reading data in transit.

-JD.

[Lorelei]

JD (Justin),

Appreciate the response, and it seems to confirm the information that we received in prior communication.  However, we are looking at government requirements that dictate 'security' not 'obscurity'.  We are finding it hard to believe that there are not other OnDemand users that are not required to meet similar security requirements.

As far as putting ODWEK on the same server, this is not possible when in our design due to CMOD 8.3 being on our z/10 and the web application servers being in Websphere.

Thanks for acknowledging the post; hope to hear from others as well.

[cmod83]

Yes, there is a sloution for every problem there is a solution . Its all depend on what kind of environment you have.Please send me details.