
Mainframes, Expired Certificates, Machine Identities and Other Tales [An Ol’ Mainframer Speaks]

December 1, 2020 | Andrew Downie, RSM Partners, now BMC Mainframe Services VP

A customer once said to me, "You know, we've just spent a couple of years and some $9 million trying to integrate the mainframe with our enterprise solution! And you’re telling me you’ve got something – a bolt-on piece of software, that can achieve this integration, literally ‘out of the box!?'"

True story! RSM Partners, now part of BMC, are experts in addressing mainframe infrastructure challenges. A recent Venafi-related example was when a mainframe security consultant was on-site and spotted that the client was struggling, trying to implement machine identity management on their mainframe. We immediately pointed out that we were already working with a company called Venafi, and rather than do things in a siloed approach, it would likely be much quicker and easier if they talked to their enterprise Venafi colleagues.

"Enterprise means everything. Including the mainframe."

At RSM Partners, now BMC, we were regularly encountering the concern, “We're struggling, trying to integrate our IBM Z mainframe with these enterprise solutions.” The ‘enterprise solution’ is obviously a misnomer and should perhaps better read ‘enterprise solution (apart from the mainframe)’. Seeking to help, we looked around the planet for a solution that we could offer. Not finding anything, we decided to create something ourselves for what was obviously a common problem.

Clearly labeled! enterpriseCONNECTOR aims to do just as its name implies: ‘connect’ the mainframe with the ‘enterprise’. Its success lies in its ability to effectively hide all the complexity of an IBM mainframe platform from the enterprise software. The enterprise software can ‘speak’, issuing requests to the mainframe, including RACF and Top Secret, just as if it were any other server/IT platform, with no need to understand LPARs, sysplexes, multiple mainframe security databases, etc.

“These days, more than ever in our IT history, everyone's running scared…”

So, how did Venafi and RSM/BMC first engage? A large Venafi client in financial services was looking at extending their use of Venafi to automate certificates on their IBM Z mainframe. Venafi looked at the challenge and did some research: How do you get a Windows machine to talk to the mainframe? What interfaces are there on the mainframes? There appeared to be no easy answers and things were looking very complicated. It risked putting a lot on Venafi, the Trust Protection Platform not really being designed to accommodate the mainframe requirement out of the box.

If there’s a certificate that isn’t managed properly on the mainframe and if it breaks when you're managing it manually, the cost is invariably very high—reputation, downtime, loss of business, and more. Whereas, if it's automated, then risk and ongoing costs become much lower.

Up to that point, the customer had manual checks and balances in place: renewing the certificate three weeks before expiry and putting the new certificate into place, in our vaults. Then, when the application guys were ready, two weeks before expiry, at half-past two in the morning, they would go and swap it over, with the assistance of the certificates team. They were doing this on average about twice a week, if not more often. The problem was that at least twice a week, somebody from the certificates team had to be on call overnight, being paid overtime. And all of this was risky business, open to errors and mistakes that could bring down the business.

With enterpriseCONNECTOR added to the Venafi project, there was finally a way for the customer to extend automation to their mainframes.

“We need to cause a pause.”

So what do these stories mean? Automating machine identities could not be more important to protect a business, and that goes beyond Apaches and F5s. It is possible to extend the automation of certificates to mainframe systems.

We now have an extended solution that companies using mainframes need to be aware of. We want to tell them, "Look, do not go developing bespoke code for the mainframe. If you've already got Venafi, integrate it. It’s a much quicker, cheaper, proven outcome that removes risk, as well as the maintenance headache."

And for the Venafi side of enterprise, we need to be saying, "Look, you've paid money for this solution, to what extent are your mainframe colleagues aware that there's an integration play here, and you can have a proper machine identity management solution like Venafi, running across the whole estate."

Joined-up thinking!

Learn more about RSM Partners, a BMC Company, and the enterpriseCONNECTOR today from the Venafi Marketplace.

This blog features a solution from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.
