To help system administrators to better monitor system network cryptographic status, IBM launched z/OS Encryption Readiness Technology (zERT) discovery as phase one of zERT in z/OS V2R3 Communications Server.
zERT discovery collects and records a wide variety of cryptographic protection attributes for TCP and Enterprise Extender (EE) traffic on your z/OS system. Having all of this information collected in one place makes it possible to build a clear picture of your z/OS network protection status.
To configure zERT and turn on Discovery, we have three new parameters in the TCP/IP profile.
- The GLOBALCONFIG ZERT | NOZERT parameter turns zERT in-memory monitoring on and off (the default value is NOZERT).
- The SMGCONFIG ZERTDETail | NOZERTDETail parameter enable and disables writing of SMF 119 subtype 11 (zERT Connection Detail) records to the System Management Facility (SMF) (the default value is NOZERTDETAIL).
- The NETMONITOR ZERTSERvice | NOZERTSERvice parameter enables and disables writing of SMF records to the zERT real-time NMI service (the default value is NOZERTSERVICE).
You should note that the zERT discovery function is enabled independently of the destinations to which records are written. All parameters can be dynamically enabled or disabled. You can configure all these parameters through the z/OSMF-based Configuration Assistant for Communications Server under the TCP/IP profile perspective.
The following facilities are updated to report on the new zERT-related configuration parameters:
- NETSTAT CONFIG command
- SMF 119 subtype 4 (TCP/IP profile event) record
- Callable NMI (EZBNMIFR) GetProfile function
Realtime zERT discovery network monitoring service
The new SYSTCPER NMI service makes zERT 119 SMF zERT Connection Detail (subtype 11) records available to network management applications as they are generated. SYSTCPER uses the same programming model as SYSTCPCN (TCP connection service). For more details, see the z/OS Communications Server: IP Programmer’s Guide in the IBM Knowledge Center.
SMF 119 subtype 11 "zERT Connection Detail" record
zERT connection detail records are written to record the cryptographic protection history of individual TCP application and Enterprise Extender connections. Subtype 11 records are written for six different events:
- Cryptographic protection attributes at connection initiation (zERT Connection Init)
- Change to the connection's cryptographic protection attributes (zERT Change)
- Cryptographic protection attributes at connection termination (zERT Connection Term)
- Cryptographic protection attributes at the termination of a short-lived connection (zERT Short Connection Term). In this case, there is no associated zERT Connection Init record for the subject connection. A connection is considered short-lived if it lasts less than 10 seconds.
- zERT function enabled (zERT Enabled)
- zERT function disabled (zERT Disabled)
The format of the zERT connection detail record is the same for all event types. The general layout of this record is illustrated in the graphic at the top of this blog entry. The record will contain zero or more cryptographic protocol-specific sections (TLS/SSL, IPSec, and SSH) depending on what cryptographic protocols were used to protect that subject connection. For example:
- A cleartext connection will have zero cryptographic protocol-specific sections.
- A connection that is protected by TLS only will have a single TLS-specific section.
- A connection that is protected by both SSH and IPSec will have sections for each of those cryptographic protocols.
It is very important to note that zERT does not collect, store, or record the values of secret keys, initialization vectors, or any other secret values that are negotiated or derived during cryptographic protocol handshakes.
For a detailed description of the zERT Connection Details (SMF 119 subtype 11) record, see the z/OS Communications Server: IP Programmer’s Guide in the IBM Knowledge Center.
IBM Connect:Direct corequisite APAR
If you are an IBM Connect:Direct customer and you use the Secure Plus feature to protect your z/OS Connect:Direct traffic with TLS/SSL, then you will need to apply Connect:Direct APAR PI77316 to ensure that zERT properly monitors the Connect:Direct TLS/SSL-protected connections. Without this APAR, zERT will always report Connect:Direct traffic as being unprotected.
IBM Security zSecure Audit v2.3
IBM Security zSecure Audit V2.3 provides reporting of SMF 119 subtype 11 records and can feed them to SIEMs like QRadar.
With zERT, a z/OS network administrator can discover and audit the network encryption attributes associated with TCP and Enterprise Extender traffic by analyzing new SMF records.
For more details of zERT discovery, see the z/OS Communications Server: New Function Summary in the IBM Knowledge Center.