Certain access methods (specifically the Batch Data Transformation (BDT) tool and Java library API) need to be certified with and support a broader set of technologies/platforms, which also includes our GAE encryption agent.
Severity: LIKELY SHOWSTOPPER
Why is this an issue: Being a large, global enterprise, RBC uses various middleware technologies on various platforms that need to perform encryption/decryption functions. Not all of these middleware technologies and platforms are supported by our solution. Specifically, we need to support IBM's JDK (instead of just Oracle JDK and OpenJDK) so that mission-critical middleware used at RBC that is based on IBM's JDK (such as IBM DataStage -- which is an industry-leading ETL tool that RBC used extensively) can run the BDT and can use the Java library API. In addition, the mainframe environment (at minimum, Linux on z) needs to be able to use the BDT and Java library API, which also means the GAE agent needs to be certified on this platform.
...For the BDT used with distributed platform middleware that runs an IBM JDK: At RBC, many DataStage jobs perform a function of bulk loading flat files into Teradata using Teradata's MultiLoad, FastLoad and TPump utilities. The BDT is a Java application. For RBC's DataStage servers, we believe it may be possible for RBC to install a separate OpenJDK on their DataStage servers, such that the BDT should be callable from DataStage (which is using IBM's JDK). This has yet to be proven in RBC's PoC. We are currently encountering some issues that may be the result of library conflicts. So further investigation is underway. If it works without issue, this might be a workable mitigation -- for RBC's DataStage servers. At present, we're not aware of additional IBM middleware that RBC will immediately need to use the BDT so this might remain a sufficient mitigation.
...For the BDT used with mainframe platform applications: At RBC, many mainframe jobs create a flat file that is bulk loaded to Teradata using Teradata's MultiLoad, FastLoad and TPump utilities. Without support of the BDT on the mainframe (say Linux on z - either with IBM JDK or a supported version of OpenJDK for this platform -- and which therefore means the GAE agent will also need to be certified for this platform) RBC will have to look at alternatives such as transferring the files to a distributed platform (such as DataStage) so that the distributed platform can invoke the BDT and invoke the Teradata utilities. However, RBC has advised that this isn't workable for all scenarios due to SLA restrictions (i.e. very large files that need to be processed on the mainframe). We are working with them to understand this issue better but they have indicated they need support for the mainframe platform.
...For the Java library APIs used with distributed platform middleware that runs an IBM JDK: At RBC, many DataStage jobs load data into RBC's Hortonworks environment via direct file system (HDFS) access. In order to encrypt data, their DataStage jobs will need to implement an additional step to call our Java library APIs. Although DataStage uses an IBM JDK, we are exploring (with IBM DataStage lab) if it's possible to invoke OpenJDK within DataStage so that at the job level, our OpenJDK-certified API can be used. We have RBC experimenting with this right now, but we have some concerns about potential library conflicts. If it does work without issue, this might be a workable short-term mitigation -- for RBC's DataStage servers; however, our DataStage lab has indicated they would only support RBC for this for an interim period -- until Thales formally supports an IBM JDK. In addition, it's likely that RBC will need to perform encryption/decryption using IBM middleware that uses an IBM JDK -- such as WebSphere Application Server (WAS), IBM Integration Bus (IIB) and others. As one example, WAS apps that read off an MQ queue (and which feed Teradata or Hortonworks) that need to encrypt portions of the message will need to have the ability to use the Java library API.
...For the Java library APIs used with mainframe platform middleware that runs an IBM JDK: Similar to the above issue, RBC has jobs that populate MQ queues (that feed, for instance, Teradata) with messages that will need certain fields encrypted. This means they will need the ability to use the Java library API (which also includes the need to use the GAE agent) on that platform - at minimum the Linux on Z environment. We have been exploring with RBC the option of using Java applications running on a distributed platform to intercept the MQ messages, encrypt them and put them on a new queue for Teradata to ingest. This may be workable, but this likely will not be satisfactory for all scenarios at RBC. Further, there may be additional applications (like Spark on the mainframe, or WAS apps or others) that will ultimately dictate the need to support the mainframe (at minimum Linux on z).