zERT policy-based enforcement

z/OS® V2R5 Communications Server enhances the z/OS Encryption Readiness Technology (zERT) function to provide enforcement of your network encryption standards. The zERT policy-based enforcement (zERT enforcement) solution allows policy-based rules that describe different levels of cryptographic protection along with optional actions to take when TCP connections match those rules. zERT enforcement actions enable immediate notification through messages, auditing through SMF records, and automatic connection termination when questionable or unacceptable cryptographic protection is detected.

z/OS network security administrators can create and manage zERT enforcement rules and actions through the Network Configuration Assistant with APAR PH35304 and the z/OS Communications Server policy agent.

Restrictions:

zERT enforcement applies only to TCP traffic. It does not apply to UDP traffic (including EE) or traffic using other IP protocols.
For TLS and SSH, zERT enforcement uses the cryptographic protection attributes that are obtained through stream observation only. A limited amount of security attribute data is available through observation as compared to data obtained by zERT enabled z/OS cryptographic protocol providers.
zERT discovery collects cryptographic security attributes for the TLS, SSL, SSH, and IPsec protocols. No other cryptographic security protocols are supported. For more information, see What are the limitations for zERT discovery? in z/OS Communications Server: IP Configuration Guide.

Dependencies:

z/OS Encryption Readiness Technology (zERT) function must be enabled with the GLOBALCONFIG statement in the TCP/IP profile.
To create and manage zERT enforcement rules and actions with the Network Configuration Assistant (NCA), NCA APAR PH35304 is required.
zERT enforcement requires policy agent to be started.
If you plan to configure zERT enforcement to log messages to syslogd, the syslog daemon and traffic regulation manager daemon (TRMD) must be active.

Using zERT policy-based enforcement

To use the zERT policy-based enforcement, perform the tasks in Table 1.

Table 1. zERT policy-based enforcement
Task/Procedure	Reference
Evaluate zERT policy-based enforcement requirements.	How does zERT enforcement work? in z/OS Communications Server: IP Configuration Guide Defining a zERT enforcement policy in z/OS Communications Server: IP Configuration Guide
(Preferred) Use the IBM® Configuration Assistant for z/OS Communications Server to create the zERT enforcement policies and install them on the z/OS system where policy agent can process them	Network Configuration Assistant online help
(Optional) To define zERT enforcement policies manually in policy agent: Understand the policy configuration files Review sample zERT enforcement policy definitions Enable zERT configuration for policy agent Create zERT enforcement rules per security protocol	Policy-based networking inz/OS Communications Server: IP Configuration Guide Policy configuration files and Policy Agent general configuration file statements in z/OS Communications Server: IP Configuration Reference ZERTConfig statement, PolicyServer statement, and DynamicConfigPolicyLoad statement in z/OS Communications Server: IP Configuration Reference zERT policy statements in z/OS Communications Server: IP Configuration Reference The policy agent sample file is provided here: `/usr/lpp/tcpip/samples/pagent.conf` The ZERT policy sample file is provided here: `/usr/lpp/tcpip/samples/pagent_ZERT.conf`
Enable z/OS Encryption Readiness Technology discovery function	GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference
If an audit action is enabled in your zERT enforcement policies: Determine where zERT SMF records are to be collected If you want the records to go to the System Management Facility, specify SMFCONFIG TYPE119 ZERTDETAILBYPOLICY. If you want the records to be available to the real-time NMI zERT service (SYSTCPER), specify NETMONITOR ZERTSERVICEBYPOLICY. If you want the records available to both services, specify both SMFCONFIG TYPE119 ZERTDETAILBYPOLICY and NETMONITOR ZERTSERVICEBYPOLICY. Use the information from the SMF 119 subtype 11 'zERT enforcement' event records that provide zERT data	Selecting a destination for zERT discovery SMF record in z/OS Communications Server: IP Configuration Guide SMFCONFIG statement in z/OS Communications Server: IP Configuration Reference NETMONITOR statement in z/OS Communications Server: IP Configuration Reference zERT connection detail record (subtype 11) in z/OS Communications Server: IP Programmer's Guide and Reference
If a syslogd logging action is enabled in your zERT enforcement policies: (Optional) Configure syslogd rule to direct zERT messages to a file. zERT messages are written to syslog facility local5 using the priority configured for the zERT action. Start syslog daemon Start TRMD (for each stack in use)	Syslog daemon in z/OS Communications Server: IP Configuration Reference Starting the traffic regulation manager daemon (TRMD) from the z/OS shell and Starting the traffic regulation manager daemon (TRMD) as a started task in z/OS Communications Server: IP Configuration Reference
If a console logging action is enabled in your zERT enforcement policies, to prevent the TCP/IP job log from growing very large and filling up the spool space, ensure that the TCP/IP job log is being spun-off on a regular basis.	Writing your own master scheduler JCL in z/OS MVS Initialization and Tuning Reference Determining the source JCL for the started task in z/OS MVS JCL Reference JESLOG parameter in z/OS MVS JCL Reference
Start the Policy Agent	Starting and stopping the Policy Agent in z/OS Communications Server: IP Configuration Guide Starting Policy Agent from the z/OS shell and Starting Policy Agent as a started task in z/OS Communications Server: IP Configuration Reference
Display zERT configuration settings in the TCP/IP profile	Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands
Display zERT enforcement policy entries (rules and actions) Issue the pasearch -z command	The z/OS UNIX pasearch command: Display policies in z/OS Communications Server: IP System Administrator's Commands
Display the names of the zERT enforcement policy rule for a connection Issue the Netstat ALL/-A command	Netstat ALL/-A report in z/OS Communications Server: IP System Administrator's Commands

To find all related topics about zERT policy-based enforcement, see Table 2.

Table 2. All related topics about zERT policy-based enforcement
Book name	Topics
z/OS Communications Server: IP Configuration Guide	Logging of system messages zERT information service access control Secure Shell (SSH) Monitoring cryptographic network protection: z/OS encryption readiness technology (zERT) How does zERT discovery provide the information? What are the limitations for zERT discovery? What does zERT aggregation collect? How does zERT aggregation provide the information? How does zERT enforcement work? Using z/OS Encryption Readiness Technology Enabling zERT discovery Enabling zERT policy-based enforcement Selecting a destination for zERT discovery SMF records Disabling zERT discovery Defining a zERT enforcement policy Policy types and infrastructure overview Configuration files and policy definition files Storing configuration files and policy definition files TCP/IP stack Policy Agent policies Policy sample files zERT policy-based enforcement (ZERT) policy Policy configuration files Step 1: Configure general information Step 2: Configure Policy Agent as a policy server Step 4: Configure policies in Policy Agent configuration files Stopping the Policy Agent FLUSH and PURGE considerations Switching between local and remote policies Traffic regulation management daemon
z/OS Communications Server: IP Configuration Reference	NETMONITOR statement SMFCONFIG statement Policy Agent and policy applications Policy Agent configuration files overview Policy Agent configuration statements overview General syntax rules for Policy Agent PolicyServer statement DynamicConfigPolicyLoad statement IpAddr statement IpAddrGroup statement IpAddrSet statement Facilities used by z/OS Communications Server ZERTConfig statement zERT policy statement
z/OS Communications Server: IP Diagnosis Guide	Diagnosing zERT policy-based enforcement problems Overview Policy definition problems
z/OS Communications Server: IP System Administrator's Commands	The z/OS UNIX pasearch command: Display policies Netstat CONFIG/-f report Not IPv6 enabled (SHORT format) IPv6 enabled or request for LONG format Report field description Netstat ALL/-A report z/OS UNIX syntax Not IPv6 enabled (SHORT format) IPv6 enabled or request for LONG format Report field description
z/OS Communications Server: IP Programmer's Guide and Reference	Real-time TCP/IP network monitoring NMI Real-time NMI: Interacting with the servers Requests sent by the client to the server: SYSTCPER service Processing the cte records for SYSTCPER zERT connection detail record (subtype 11) TCP connection termination record (subtype 2) TCP/IP profile record management section
z/OS Communications Server: Quick Reference	pasearch command
z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)	EZZ8544I EZZ8546I EZZ8547I EZZ8551I EZZ8552I EZZ8553I EZZ8554I EZZ8555I EZZ8556I EZZ8557I EZZ8558I EZZ8559I EZZ8560I EZZ8561I EZZ8562I EZZ8563I EZZ8564I EZZ8565I EZZ8583I EZZ8584I EZZ8585I EZZ8586I