August 2003

Homestead site steps out with proxy security for 3000

Finance data provider belies HP profile of static site, uses advanced services through WRQ software

Homesteading an HP 3000 can mean a lot more than tending to static software that's best left untouched. In the heart of the financial industry, a modest-sized HP 3000 is connected to more than a hundred customers through a secure Internet proxy server, an encryption combination that's just emerging as HP goes into its last quarter of sales for the system.

That level of sophistication flies in the face of a profile that HP has been pushing about homesteading customers, those who plan to use HP 3000s beyond HP's end of support. HP talks this spring described the typical homesteader as a company with little change in its applications, driving information through small organizations. While CANNEX may not yet be a typical site, it's making advances using off-the-shelf solutions and a small IT staff to satisfy big clients.

The CANNEX financial data exchange has used HP 3000s for more than 20 years, but all that time hasn't frozen the feature set or security for CANNEX customers. Those clients are high-profile firms like Bloomberg, Merrill Lynch, and TD Waterhouse, collecting data sent out each day on things like mortgage interest rates. The data has been traveling over dialup modems and through faxing, but the latest route is the Internet. The three-person IT staff at CANNEX recently took steps to secure that private data being sent over a public network, using software from WRQ.

Data by proxy
The work at CANNEX has been made easier by WRQ, which recently began to include a proxy server module in its Reflection for the Web product. Such a server can run on any Java-enabled system, so customers could even use an HP 3000 to host this software. But WRQ officials say most customers want a standalone system to work as a proxy server, so the task often falls to an Intel-based system. This computer then communicates between customers and the HP 3000, encrypting in both directions.

Steve Waters, the VP of information systems at CANNEX, said his company is using a Dell PowerEdge server for the proxy work. He said that implementing the solution didn't call for special consultants from WRQ. He got his help from regular technical support.

Some companies choose to implement a Virtual Private Network (VPN) when they must transfer sensitive data to clients. A VPN would have increased the IT head count at CANNEX, Waters explained. And while the company has used Citrix server for years, that solution has developed roadblocks in getting past customers' firewalls. Proxy service was the best choice, and CANNEX found the WRQ implementation easy to integrate with their applications.

"It took them about a month to convert 100 or so customers from Citrix to [the proxy server]," Waters said. "It was with very non-technical people doing the implementation for us."

After working with VPN and costing out a Citrix solution for security, the WRQ alternative was far less expensive. "We already had the server all the software was going to run on, so we only had to buy a few licenses of Reflection for the Web," Waters said. "It was a very inexpensive solution, and it's working for a good portion of our customer base."

Some CANNEX customers need the ability to transfer files, so they use WRQ's Reflection for HP with NS/VT rather than link to their data through a proxy server. The Reflection for the Web product doesn't do PCLINK file transfers, Waters explained, so the more commonplace connection serves those sites. But proxy service brings encryption to the 3000 application, something HP never finished for MPE/iX.

The WRQ software uses RSA for Secure Sockets Layer (SSL) authentication and key exchange, and performs SSL client authentication and authorization through the proxy server. Reflection for HP has also been outfitted with SSL and Transport Layer Security support. An open source SSL implementation (OpenSSL) has been available for MPE/iX since the summer of 2001, but HP reports that it was minimally tested and doesn't include some cryptographic algorithms. That freeware is not supported by HP.

Waters said the WRQ encryption solution has been fully supported by the same staff that's been assisting CANNEX for many years. The brainstorm on his part was having the Reflection for HP with NS/VT product configured to use the proxy server delivered with Reflection for the Web.

The Web-based sessions use digitally signed tokens to ensure that only authorized users can connect to the host system. The tokens are deployed to authorized users by the Reflection management server, which checks with CANNEX's LDAP access control model to verify that the user is authorized to connect to the host system.

In addition to reducing deployment headaches, the token system enables users to connect to multiple host systems through a single open port in the CANNEX firewall. This simplifies security configuration, especially across multiple firewalls.