What's New With IBM z15, LinuxONE III, And SUSE Enterprise?

BOV-1260

Adam Jollans, Program Director, IBM Z and LinuxONE

Mike Friesenegger, Solution Architect, SUSE

1 Agenda

1. IBM z15 and LinuxONE III – What’s New

2. SUSE® Linux Enterprise – What’s New

3. Community – What’s Happening

4. Customer View

5. Summary

2 IBM Z And LinuxONE – What’s New

Adam Jollans, IBM

3 New Single Frame Models of IBM z15 and LinuxONE III

Cloud Native

Encryption Everywhere

Cyber Resilience

Flexible Compute

4 IBM Z and LinuxONE Security Capabilities

• Firmware Tamper Protection and MFA: Detects firmware tampering. Multifactor Authentication (MFA) option on consoles.
• Workload Isolation: Built-in firmware provides highest level of multitenant workload isolation.
• On-chip crypto:
  – Each core gets its own crypto co-processor
  – 2x – 7x as fast as x86, depending on crypto function
  – True Random Number Generator (TRNG) is more secure than pseudorandom number generators (PRNGs) like in x86
  – LinuxONE III has on-chip Elliptic-Curve Cryptography (ECC)
• IBM CryptoExpress Hardware Security Module (HSM): The only FIPS 140-2 Level 4 certified HSM on the market.

5 IBM Z and LinuxONE Security Capabilities (2)

• Key Encryption Management: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates.
• Data Encryption: Broadly protect Linux file systems using policy-controlled encryption that is transparent to applications and databases.
• Network Encryption: Protect network traffic using standards-based encryption from end to end. Hardware-accelerated network encryption algorithms (e.g. SSL/TLS, VPN/IPSec, etc.).
• Time Source Security: Protects against falsifying or altering time information.

6 IBM Data Privacy Passports - New

• Provides protection and enforcement for IBM z and LinuxONE data on and off the platform

• Complements Pervasive Encryption

• Data protected by Pervasive Encryption still needs this next level of protection

7 IBM Data Privacy Passports – Use Case #1

Consuming LinuxONE-hosted data in and accessing off-platform

• Enforce data privacy off-platform using Passport Controller on IBM z15 or LinuxONE III at the time of consumption
• Identity can be managed on IBM z15 or LinuxONE III or elsewhere
• Policy for enforcement can be changed dynamically to revoke or entitle users to data visibility
• Connection to Passport Controller is through industry standard Apache Hive drivers

[Diagram labels: Logic, Virtual, z/VM, RACF, LDAP, Table, Database Server, Protected Table, Keys, Policy, Passport Controller, Data Copy, SQL Queries, Data Scientist, Data Owner, Regulator]

8 IBM Data Privacy Passports – Use Case #2

Protecting data as it moves in the enterprise (ETL)

• The data is protected at the point of extraction and is enforced at the point of consumption
• Move data from Z or LinuxONE to other platforms as Trusted Data Objects – Start with SQL data sources on Z or LinuxONE
• Passport Controller is deployed in a Secure Service Container LPAR
• Create a single protected table to provide multiple views of data

[Diagram labels: LinuxONE III system, Off LinuxONE III, z/VM, RACF, LDAP, Database Server, Clear Text Table, PostgreSQL, Db2 LUW, Oracle DB, JDBC, sftp, Logic, Keys, Policy, Passport Controller, Data Lake, MongoDB with JDBC driver, Pervasive Encryption, Protected, Clear Text, Administrator, Administrative Commands]

9 IBM Hyper Protect Virtual Servers - New

Protect your critical Linux workloads during build, deployment, and management on-premises for IBM Z and LinuxONE servers

• Build applications with integrity: Leverage the secure image build process to sign images, validate code, and integrate into your CI/CD pipeline.

• Deploy workloads with trust: Validate the provenance of your applications before deployment.

• Manage applications with simplicity: Manage your infrastructure without visibility to sensitive code or data – RESTful API deployment.

• Encrypt and sign critical solution components: Give your images access to the industry leading FIPS 140-2 Level 4 Hardware Security Module for signing and encryption needs.

10 IBM Secure Execution for Linux - New

Trusted Execution Environment designed to protect and isolate critical workloads better than a standard software environment, from both internal and external threats

• Scale up to thousands of workloads in full isolation protected from internal and external threats

• Address the security issue present in other Linux servers of running multiple containers in the same

• Protects the contents of containers in heterogeneous workloads without extensive software code changes

• Ensures confidentiality and integrity for sensitive data and workloads on IBM Z in the hybrid multicloud.

11 Isolation Approaches

1. Logical Partitions
• Protect logical partitions from each other with EAL5+ isolation
• Up to 40 or 85 logical partitions

2. Hyper Protect Virtual Servers
• Evolution of Secure Service Containers
• Protect logical partitions from each other and from system administrators
• Up to 40 or 85 logical partitions

3. Secure Execution
• Protect applications in virtual machines or containers from each other and from system administrators
• Thousands of virtual machines

[Diagram for each approach: two Logical Partitions, each with Apps on an Operating Environment, on IBM Z or LinuxONE]

12 IBM z/OS Container Extensions (IBM zCX) - New

Integrate Linux applications into z/OS

A new z/OS V2.4 feature that enables the deployment and management of any open source and Linux on Z application with its associated dependencies, packaged as images, within the z/OS environment without requiring a separately provisioned and managed Linux server.

Modernize z/OS workloads by providing flexibility for development and operations on Z.

Maintain operational control and extend z/OS Qualities of Service to Linux software.

Make use of existing IT investments by employing Linux within the z/OS platform.

https://www.ibm.com/support/z-content-solutions/container-extensions/

13 SUSE Linux Enterprise What’s New

Mike Friesenegger, SUSE

14 SUSE Linux Enterprise Server 15 SP1 for IBM Z and LinuxONE

What’s New:
• z14 exploitation updates
  – KVM: zPCI passthrough, guest dedicated crypto adapter
  – Networking: OSA-Express7S support, SMC-Direct support
  – Performance: Additional z14 counter support, network stack optimizations
• Common Criteria certification and FIPS 140-2 validation
• Crypto Card updates for pervasive encryption
• 19,927 s390x packages on SUSE Package Hub with continued growth

15 SUSE Linux Enterprise Server 12 SP5 for IBM Z and LinuxONE

Support for IBM z15:
• exploitation of integrated compression for zlib and gzip
• toolchain support (glibc, binutils, ...)
• kernel support, e.g. enhanced CPU-MF hardware counters

Enhancements for...
• kernel: qeth performance, SMC updates
• Security: Enhancements for protected key usage, openCryptoki ep11 token, fine granular access control to HW crypto resources, openSSL
• SIMD implementation enhancements
• KVM: IBM z15 support, huge page support, interactive bootloader, PCI passthrough, crypto passthrough
• Various package updates: s390-tools, smc-tools, qclib

16 SUSE Linux Enterprise Server Support of Pervasive Encryption

Data-in-flight: Encrypting data before being sent on a network

SLES12 SP5 and 15 SP1
• Kernel and userspace tools support IBM z15 cryptography hardware
• Applications use openSSL, openCryptoki, libica libraries

Data-at-rest: Encrypting data as it is being saved on storage

SLES12 SP5 and 15 SP1
• Support protected volume encryption using protected keys in plain and LUKS2 modes

17 Available in YAST in SLES15 SP2

Contains forward looking statements. Subject to change.

18 SUSE Linux Enterprise Server 15 SP2 for IBM Z and LinuxONE

What’s upcoming from IBM Z-Specific Features & Fixes (s390x) release notes:
• Support for IBM z15 in binutils, glibc and gdb
• Compression Improvements
• Performance Counters
• Support for a NIST compliant pseudo-random number generator
• DASD Passthrough Support in KVM
• Secure Linux Boot Toleration
• Secure Execution enablement (kernel and userspace)

Contains forward looking statements. Subject to change.

19 SUSE Manager

Best-in-class open source infrastructure management solution designed to help your enterprise DevOps and IT Operations teams to:
• Optimize operations while reducing costs
• Reduce complexity and regain control of IT assets
• Ensure compliance with internal security policies and external regulations

Installing on IBM Z

20 Kernel Live Patching for IBM Z and LinuxONE

What?
• Extend Live Patching to IBM Z and LinuxONE, starting with SLES 12 SP4 and SP5.

Why?
• As Live Patching continues to mature, the call to support additional architectures increases.

When?
• June 2020 timeframe

Contains forward looking statements. Subject to change.

21 Community

Mike Friesenegger, SUSE

22 Impacting the mainframe ecosystem

Community collaboration

Focus on open source development

Increasing academic interest

23 Cloud Foundry on IBM Z

Intern Projects

Three years of mentorship

• Provide stable containerized Cloud Foundry builds in the community that can be used on IBM Z and LinuxONE

Goal • Build cloud applications on Z with SUSE Cloud Application Platform

24 Customer View

25 North Carolina Farm Bureau

Delivers fast, personalized customer services at scale with cutting-edge IBM technology

Business challenge

NCFB writes over USD 1.1 billion in premiums annually. As demand for its insurance policies continued to grow, NCFB wanted to maintain the speed and responsiveness of its customer services, which meant upgrading its IT infrastructure to better support custom applications for policy management.

“The ability to run our legacy applications and our modern, specialist ones using both the IBM z/OS and Linux on Z is super convenient, and gives us a high degree of IT management flexibility.” —Justin Randall, Technical Services Supervisor, NCFB

Transformation

To help maintain rapid, responsive customer services as it expanded, NCFB implemented an IBM z14 Model ZR1, working closely with long-term IBM Business Partner Mainline Information Systems Inc.

Solution components
• IBM z14 ZR1
• IBM z/VM®
• Linux on Z (SUSE)
• WebSphere® App Platform
• IBM z/OS®
• CICS® Servers, Db2® for z/OS, Enterprise COBOL for z/OS
• Storage: IBM DS8880

Read the case study: .com/case-studies/ncfb-systems-hardware-growth-insurance

26 Summary

27 Summary

SUSE and IBM Z and LinuxONE
• Benefits
  – Security, availability and resilience
  – Integration and co-location
• Use cases
  – Energy saving
  – Workload consolidation
  – Hybrid cloud

More Information
• www.suse.com
• www.ibm.com/z
• www.ibm.com/linuxone

28 General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE, LLC, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
