z/OS Encryption Readiness Technology (zERT) aggregation

z/OS® V2R3 Communications Server introduced a new function called z/OS Encryption Readiness Technology (zERT). With zERT, the TCP/IP stack acts as a focal point for collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected by the TLS/SSL, SSH, and IPSec cryptographic network security protocols. The collected connection-level data is written to SMF as SMF 119 subtype 11 records.

In certain environments, the volume of SMF 119 subtype 11 records can be large. z/OS V2R4 Communications Server provides the zERT aggregation function, which offers an alternative SMF view of the collected security session data. This alternate view is written as new SMF 119 subtype 12 records that summarize the use of security sessions by many application connections over time; the records are written at the end of each SMF/INTVAL interval. This alternate view condenses the volume of SMF record data while still providing all the critical security information.

Decreasing the frequency at which zERT summary records are written may increase the amount of 64-bit pageable, private memory needed, because the zERT aggregation information is held longer in memory before being written out to SMF.

Restrictions:

The following restrictions apply to both zERT discovery and zERT aggregation functions.

  • zERT collects information for TCP and Enterprise Extender (EE) connections. Information is not collected for non-EE UDP traffic or traffic using other IP protocols.

  • zERT collects cryptographic security attributes for the TLS, SSL, SSH, and IPSec protocols. No other cryptographic security protocols are supported.

  • The following z/OS cryptographic protocol providers are fully enabled for zERT: z/OS Communications Server IPSec and AT-TLS, z/OS Cryptographic Services System SSL, and z/OS OpenSSH. Detailed security attribute data is available for connections using these protocol providers. Other TLS, SSL, and SSH implementations running on z/OS are monitored through stream observation only. A limited amount of security attribute data is available for these connections.

  • The interval at which the SMF 119 subtype 12 records are created is determined by the ZERT AGGregation sub-parameter INTVAL. (The INTVAL and SYNCVAL sub-parameters are available in z/OS V2R4 Communications Server with APAR PH25049.)

  • For information on the specific cases where security attribute data is limited or unavailable, see What are the limitations for zERT discovery? in z/OS Communications Server: IP Configuration Guide.

Dependency: In order to properly monitor IBM® Sterling Connect:Direct traffic when it is protected through SecurePlus TLS/SSL support, you must apply Connect:Direct APAR PI77316.

For video resources on zERT, see the zERT video gallery.

Using z/OS Encryption Readiness Technology (zERT) aggregation

To enable z/OS Encryption Readiness Technology (zERT) aggregation, perform the tasks in Table 1.

Table 1. zERT aggregation

Task/Procedure: Plan for collection and storage of zERT summary SMF records and decide whether or not you want to discontinue collection of zERT connection detail records.

Task/Procedure: Enable the zERT aggregation function.
  • If you want zERT summary records to be available in the System Management Facility data sets or log streams, specify SMFCONFIG TYPE119 ZERTSUMMARY.
  • If you want zERT summary records to be available to a real-time NMI application:
      • Perform the necessary RACF® processing to authorize the NMI application to use the zERT Summary SMF NMI service (SYSTCPES).
      • Specify NETMONITOR ZERTSUMMARY in the TCP/IP profile.
Reference: GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference

Task/Procedure: Display zERT aggregation configuration settings.
Reference: Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands

Task/Procedure: Enable the zERT aggregation INTVAL and SYNCVAL.
Reference: GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference

Task/Procedure: Display zERT aggregation INTVAL and SYNCVAL configuration settings.
Reference: Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands
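The following TCP/IP profile fragment puts the Table 1 statements together in one place; it is an added example, not taken from the IBM documentation. The INTVAL and SYNCVAL values (60 and 0, assumed to be minutes) are constructed, and the operand layout is assumed from the statement names on this page, so confirm it against the GLOBALCONFIG statement in the IP Configuration Reference for your release.

```text
; PROFILE.TCPIP fragment (constructed example; operand layout assumed)
; Turn on zERT aggregation. INTVAL sets how often the SMF 119 subtype 12
; summary records are cut; SYNCVAL aligns the interval to the clock.
; Both sub-parameters need APAR PH25049 on z/OS V2R4.
; A longer INTVAL means fewer records but more 64-bit private memory,
; because aggregation data is held in storage until the interval ends.
GLOBALCONFIG
   ZERT AGGREGATION INTVAL 60 SYNCVAL 0

; Write the summary records to the SMF data sets or log streams.
SMFCONFIG TYPE119 ZERTSUMMARY

; Also make them available on the real-time NMI service (SYSTCPES).
; The consuming NMI application must first be authorized to SYSTCPES
; through RACF, as listed in Table 1.
NETMONITOR ZERTSUMMARY
```

After activating the profile, confirm the settings with the Netstat CONFIG/-f report named in Table 1.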
To find all related topics about zERT aggregation, see Table 2.

Table 2. All related topics about zERT aggregation

Book name
  • z/OS Communications Server: IP Configuration Guide
  • z/OS Communications Server: IP Configuration Reference
  • z/OS Communications Server: IP System Administrator's Commands
  • z/OS Communications Server: IP Programmer's Guide and Reference