Embed Size (px)
Citation preview
Java Update for CICS TS 5.6 Phil Wakelin
CICS Strategy & Design - Java Adoption, IBM UK Ltd
November 2020
Session 1AJ
Abstract
Come hear about the latest functionality in CICS TS v5.6 & v5.5, to help you get the most out of the Java and Liberty support in CICS TS. In this session we will discuss the new Spring Boot & Java EE application support along with improvements in performance, resilience, security and management in the JVM server runtime.
Also Rob Stroud, GSE CICS Chairman, will give a brief overview and Java experience from a recent POC.
©2018 IBM Corporation
The Introduction of Java EE 8 & Node.js
Mixed Language Application Server
3
In V5.4 CICS TS was repositioned as the markets only mixed language application server.
The introduction Java EE 7 Full platform which provided customers with a simple and powerful mechanism of modernizing application.
V5.6 continues to deliver on the modernizingneeds that the industry is asking for supporting Spring Boot & Jakarta EE 8
CICS TS also enables developers to create applications in Node.js with full interoperability of existing applications.
CICS Java Roadmap: 2020
2012 2013 2014 2015 2016 2017 2018 2019 2020
CICS TS V5.2✓JTA
✓JDBC
✓zosSecurity
✓jndi, blueprint
Java on IBM z15 / October, 2019 / © 2019 IBM Corporation
CICS TS V5.3✓JEE6 Web profile
✓WAS/JMS
✓JCA Local ECI
CICS TS V5.4 & V5.3 CD APARs✓Improved zIIP offload
✓Remote Development Feature for Java
✓Java EE 7 Web profile
✓Standard mode
✓JEE7 Full Platform (Integrated mode)
✓Database session persistence, Java Mail
✓z/OS Connect EE (embedded)
✓Java batch JSR-352
✓Link to Liberty
✓MQ 9.0 as JMS2 provider
✓Liberty JDBC type 2 data sources
✓JVM server task purge, kill & runaway
CICS TS V5.1✓Servlet/jsp
✓Explorer SDK for
Java & Web
✓JAX-RS, EBAs
CICS TS V5.5 ✓Wait for angel *
✓Multiple Liberty secure servers *
✓Link to Liberty syncpoint support *
✓JVM profile includes
✓Web app bundle status
✓Liberty Admin center
✓Liberty product extensions & features
✓Java storage tuning
✓Java EE 8 Full Platform
✓Link to Spring Boot
*Also in V5.4 by CD APAR
CICS TS V5.6✓JCICS on Maven Central
✓CICS bundle deployment endpoint & tooling
✓JCICSX API - Remote development
✓JVM server GATHER DIAGNOSTICS SPI
✓Liberty Pause & Resume endpoints
✓Spring Boot *
✓Jakarta EE 8 *
✓CICS private storage monitoring
*Also in V5.5 by CD APAR
CICS TS V5.6Java EE8/Jakarta EE
Spring Boot
CICS bundle status enablement
HTTP endpoint pause & resume
Liberty admin center
Monitoring MVS private storage
JVM server SPI extension to gather diagnostics
Product Extensions
Java Enterprise Edition - “A Rich enterprise Software Platform”
Java EE 6 ❑ Web Profile - CICS TS V5.3
Java EE 7 ❑ Full Profile – CICS TS V5.4 & V5.3 CD❑ WebSphere Liberty 8.5.5.6
Java EE 8 ❑ WebSphere Liberty 18.0.0.2❑ CICS TS V5.6 & V5.5 CD
Eclipse Micro Profile❑ “Optimizing Enterprise Java for Microservices Architecture”
Eclipse Jakarta EE 8 Platform❑ Transition of Oracle Java EE 8 to Eclipse ❑ Liberty fix pack 19.0.0.10❑ CICS TS V5.6 & V5.5 CD
Eclipse Jakarta EE 9 Platform❑ “Provide a clear transition to the jakarta namespace, and pare down
the platform”… 6
Java Enterprise Edition – The Evolution
Java Enterprise Edition
CICS TS V5.6 - Java EE 8 & Jakarta EE 8
Java EE 8 & Jakarta EE 8
• Provided by convenience feature javaee-8.0• Take advantage of HTTP 2.0 technologies like servlet-4.0• Includes Java EE Security-1.0 API – JSR 375 (appSecurity-3.0)- which is a fully
portable/standard Security API• Provides new versions of: beanValidation-2.0, cdi-2.0, jaxrs-2.1, jpa-2.2, jsf-2.3,
jsonp-1.0, servlet-4.0• Introduces jsonb-1.0, a standard binding layer for converting Java objects to/from JSON
Important: No support in Java EE 8 for EBA/WAB (OSGi applications)Set: -Dcom.ibm.cics.jvmserver.wlp.wab=false to take advantage of Java EE 8
7
Spring Boot makes it easy to create stand-alone, production-grade Spring based Applications that you can "just run".
• Spring was designed to simplify Java Enterprise Edition (EE), using plain old Java objects (POJOs) and
dependency injection and now encompasses many aspects of Java EE development
• Spring Boot builds on Spring by adding components to reduce development time & configuration
• CICS Liberty JVM server supports Spring Boot applications via doc, tutorials and examples
• Spring Boot apps can run in CICS without modification
Tutorial & Samples:
• IBM tutorials: https://developer.ibm.com/series/learning-path-spring-boot-java-applications-for-cics/➢JCICS, Security, Transactions, JDBC, JMS
• Code samples published on CICSDev GitHub: https://github.com/cicsdev/
8
CICS TS V5.6 - Spring Boot
CICS TS V5.6 - Spring Boot
1. CICS Liberty supports Spring Boot applications built as WARs• Support in V5.3 onwards• Allows full Liberty/CICS integration -> CICS transactions, CICS security, JCICS and Java EE • Can be deployed in a CICS bundle just like any other Liberty web application• No requirement for springBoot features
2. CICS Liberty supports Spring Boot JAR applications through the springBoot-1.5or springBoot-2.0 features
• Support only in CICS TS v5.6, and CICS TS v5.5 with APAR PH14856• Run Spring apps without modification in CICS, but can only be deployed via Liberty
mechanisms (not CICS bundle)
3 EXEC CICS LINK to a Spring Boot application from COBOL (or other languages)• Target Java method must be annotated with @CICSProgram and use channel and
containers• Link support only in CICS TS v5.6, and CICS TS v5.5 with APAR PH148569
Bundle status & config file polling
CICS bundle status wired to Liberty application status
• CICS bundle with Web application bundle part remains in ENABLING state until applications are started in Liberty
• (Also available in CICS TS V5.5 APAR PH08321)
• Enables:• More robust application deployments
• System policy rules for bundle status to be used for automation
• Liberty Admin Center for recycling apps
• MBean config file updates
<config updateTrigger="mbean"/>
➢Reduces need for continual polling of config files - server.xml & installedApps.xml10
CICS TS V5.6 - Admin center
<feature>adminCenter-1.0</feature>
• View status of JVM and its threads
• Edit/view server.xml
• Start and stop applications
• Application status now integrated with CICS bundle status
• Note: Also available in CICS TS V5.5 APAR PH08321
11
CICS TS V5.6 - Liberty server Pause & Resume
• Liberty HTTP endpoints can be resumed/paused using • EXEC CICS SET JVMENDPOINT command (V5.6 only)
• ServerEndpointControl MBean
• Liberty server pause|resume command
➢Allows Web applications to be taken off-line without terminating JVM
12
CICS TS V5.6 - Liberty server Pause & ResumeWhat:
• If Liberty HTTP endpoints start before Web applications ready• Result can be HTTP 404/Context root not found errors during startup period
Solutions:1. CICS WLMHEALTH SPI control as part of a shared TCP/IP cluster (V5.4 onwards)
2. Custom automation using EXEC CICS SET JVMENDPOINT or Liberty pause SPI and CICS System PolicySee IBM Z Community blog: Avoiding HTTP outages by managing Liberty HTTP endpoints
• If using Liberty application elements (not CICS bundles)3. Set <applicationManager startTimeout="600s"/>
Open Liberty issue 7709 (WLP 20.0.03) defers opening HTTP endpoints until all apps deployed using Liberty <application/> elements have started
4. Open Liberty issue 7331 (WLP 20.0.06) Ability to control application start order via server.xml allows ordering of app startup for apps deployed using Liberty <application/> elements.
CICS TS V5.6 - Liberty Product Extensions
What is a Liberty Product Extension?• A collection of one or more user-features designed to extend the Liberty application server
• Typically placed into the Liberty install directories for use by all derived servers
• In CICS this does not work well because the WLP_INSTALL_DIR location is not writeable
How• Develop and deploy your Product Extension to a specific zFS directory
• Install to Liberty via LIBERTY_PRODUCT_EXTENSIONS option
LIBERTY_PRODUCT_EXTENSIONS=MyExtension;/u/dir1
CICS JVMSERVER SPI enhancements
• New PERFORM JVMSERVER• JVM DUMP / LIBERTY SERVERDUMP to take javacore,
heap and snap dumps, and Liberty dumps
• GATHER DIAGNOSTICS to capture JVM configuration and output into a single tar file
• LIBERTY REFRESH to update Liberty configuration and applications with minimal disruption
• OSGI REFRESHPKGS to force OSGi bundle dependencies to refresh to the latest versions
SPI command
Gathering Logic
<<calls>>
<<reads>>
JVM server (c)<<creates on start-up>>
<<creates>>
Tar file
Sys Admin
<<calls>>
Diagnostics properties file
<<finds out where file is>>
<<uploads to IBM>>
IBM Service
<<views and uses content to diagnose problem>>
Monitoring MVS private area
CICS EDSA
Available
private area
SOS Buffer
Tiers
16
MEMLIMIT
2GB “the bar”
STACK64
HEAP64
HEAP31
HEAP24
JVM storage
Extended LSQA & SWA
MVS common area
24-bit addressing
31-bit addressing
64-bit addressing
Java heap
JIT data
cache
Native stack
ROM classes
JIT codecache
Java monitors
RAM classes (compressed)
SHRLIBRGN
Native libs
MVS TCBs
JCICS malloc areas
CICS storage
GETMAINedareas
SJ domain mallocareas
Java stack
RAM classes (non-compressed)
Hidden area
4GB
Monitoring MVS private area – Feature toggles
com.ibm.cics.mvssm.sos.wait=true # should SOS result in a wait for a storage event
com.ibm.cics.mvssm.mon.interval=60 # frequency in seconds of storage calculations
com.ibm.cics.mvssm.sos24.minavailable.contiguous=32 # size in KB of contiguous storage to cause SOS - 24-bit
com.ibm.cics.mvssm.sos24.minavailable.total=64 - # size in KB of remaining storage to cause SOS - 24-bit
com.ibm.cics.mvssm.sos31.minavailable.contiguous=128 - # size in KB of contiguous storage to cause SOS - 31-bit
com.ibm.cics.mvssm.sos31.minavailable.total=256 - # size in KB of remaining storage to cause SOS - 31-bit
When SOS on MVS storage, Open TCB allocations will wait with MVS_Stor state.
Monitoring MVS private area – Messages
DFHDM0101I IYK2ZDL1 CICS is initializing.
DFHSM0148I IYK2ZDL1 MVS 24-bit unallocated storage: Total 4,660K, Largest contiguous area 4,528K.
DFHSM0153I IYK2ZDL1 MVS 31-bit unallocated storage: Total 1,254,176K, Largest contiguous area 1,254,112K
…
DFHSM0144W IYK2ZDL1 The CICS region is short on 24-bit MVS unallocated storage.
DFHSM0145I IYK2ZDL1 The CICS region is no longer short on 24-bit MVS unallocated storage.
DFHSM0149W IYK2ZDL1 The CICS region is short on 31-bit MVS unallocated storage.
DFHSM0150I IYK2ZDL1 The CICS region is no longer short on 31-bit MVS unallocated storage
• CICS System Policy can be used to automate from these messages
• System Policy rule can set region WLMHEALTH open or closed
Issued at initialisation and when storage goes past a tier level
System task periodically monitors storage:
Message reissued if storage remaining significantly changes
CICS TS V5.5JWT supportWait for AngelJVM profile includesRemoval of SDFJAUTHJVMLOG
19
©2018 IBM Corporation
Liberty JWT feature
• Programmatically parse, build and verify JWT tokens in Java applications
• Provides for authentication using digitally signed web tokens
• Also available on CICS TS V5.3 and 5.4 with APAR PI91554
➢Can be used in servlets, or in Liberty TAI or JASPIC security modules to build custom security infrastructure
JSON Web Token
20
©2018 IBM Corporation
JWT authentication mapping to SAF user
CICS Liberty
IBM Z
SAF
Registry
1. Authentication of user credentials
2. TAI parses JWT as follows:Validates JWT signature using public key in RACF• Extracts “client_id” claim and “iss” claims• Maps client_id and iss claims to a SAF userid using
RACMAP• Validates SAF userid exists in registry
RegistryHelper.getUserRegistry().isValidUser())
• Sets Subject as SAF userid
{JWT} CICS PGMRESTful
client
WindowsClient username
HTTPS
OAuth Identity
server
2. TAI
{JWT}
Subject
Task
Userid
3. CICS Liberty security feature sets Subject as CICS Task userid4. CICS Transaction security validates userid has access to TCICSTRN profile for the transaction
3.
4.
©2018 IBM Corporation
OpenID Connect Client feature
• Configure Liberty server to authenticate a request using a JWT token without writing any code
• Supports identity mapping
• Map Subject in JWT to local registry user
• Map distributed identity to SAF registry user via RACMAP
JSON Web Tokens - OIDC
22
IBM Z Community Blog - Using OpenID Connect with CICS Liberty https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/eric-phan1/2020/10/19/openid-connect-cics-liberty
©2018 IBM Corporation
Example scenario – CICS JWT LINK-able API service
CICS WhitePaper - Using the Liberty JWT Feature with CICS: https://github.com/cicsdev/cics-java-liberty-loans-and-scoring
©2018 IBM Corporation
Multiple secure Liberty servers in a CICS region
• Provides improved application isolation or scalability without increasing number of regions
• Each Liberty server can have its own configuration and lifecycle – ideal for developers
Wait for Liberty angel process (also in V5.4 APAR PI92676)
-Dcom.ibm.ws.zos.core.angelRequired=true
• More robust CICS start-up and IPL procedures
• Integrates with named Liberty angel process -Dcom.ibm.ws.zos.core.angelName
Liberty angel process
24
©2018 IBM Corporation
Include & share common configuration
• For example unique ports, database configuration or log settings
%INCLUDE=<file>
Reference variables
CLONEDIR=&USSHOME;/&JVMSERVER;/bundles
OSGI_BUNDLES=&CLONEDIR;/mybundle.jar
Append to variables
OSGI_BUNDLES=&CLONEDIR;/mybundle.jar
+OSGI_BUNDLES=/newpath/mybundle2.jar
… is equivalent to …
OSGI_BUNDLES=&USSHOME;/&JVMSERVER;/bundles/mybundle.jar,/newpath/mybundle2.jar
CICS JVM profiles - includes
25
©2018 IBM Corporation
Passing variables into server.xml includes
• In JVM profile
SERVER_INCLUDE=&USSHOME;/&APPLID;/server.xml
• In server.xml
<include location="${env.SERVER_INCLUDE}" />
Inject Liberty configuration into server.xml
• In JVM profile
LIBERTY_INCLUDE_XML=<file>
Liberty server.xml
26
©2018 IBM Corporation
Extended CICS JVM server message
LOG_LEVEL=INFO | WARNING | ERROR | NONE
• New dfhjvmlog zFS file for CICS JVM server information, warnings and errors
• Can be redirected to MVS JES DD
Management – JVM server log
27
©2018 IBM Corporation
Removal of DPL subset restrictions for Link to Liberty (also in V5.4 & 5.3 APAR PI98229)
• Liberty Java applications invoked via LINK can now issues CICS SYNCPOINT and use JTA
• DPL calls to Java can use SYNCONRETURN option
Removal of SDFJAUTH
• All load modules are now in the SDFHAUTH library to simplify Java setup
Removal of restrictions
28
Please submit your session feedback!
• Do it online at http://conferences.gse.org.uk/2020/feedback/1AJ
• This session is 1AJ
GSE UK Conference 2020 Charity
• The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.
• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:
http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion
