100-second glimpse of zERT: http://ibm.biz/zerttotherescue
With the increasing number of corporate, industry, and government regulations regarding cryptographic protection of data in flight, as well as discoveries of weaknesses in existing cryptographic protocols and algorithms, it is very important for z/OS® administrators and auditors to be able to assess the quality of the cryptographic network protection being applied to their key z/OS workloads.
Currently, z/OS provides 4 mechanisms for cryptographic protection of TCP/IP traffic:
However, the 4 mechanisms vary widely in protocol, configuration methods, and audit and log records. Given these variations, it can be difficult to clearly understand the overall state of cryptographic network protection for your z/OS system.
This all leads to the question: how do you effectively ensure that your z/OS network traffic is properly protected?
Don't worry, zERT is here to the rescue!
z/OS Encryption Readiness Technology (zERT) positions the z/OS TCP/IP stack as a central collection and reporting point for the cryptographic protection attributes of the TLS, SSL, SSH and IPSec security sessions that protect TCP and Enterprise Extender (EE) connections terminating on the local stack.
zERT is designed for z/OS network security administrators. Two methods are used to discover the security sessions and their attributes:
The cryptographic attributes are reported in new SMF 119 records, delivered through SMF, through new real-time NMI services, or both.
To help you better monitor cryptographic network protection, we are happy to present two features of zERT: zERT discovery and zERT aggregation.
zERT discovery is available with z/OS V2R3. With zERT discovery, attributes are collected and recorded at the connection level. These attributes are provided in SMF 119 subtype 11 "zERT Connection Detail" records. These records describe the cryptographic protection history of each TCP and EE connection. At least one record is written for every such connection, so the number of subtype 11 records could be quite large in some environments.
zERT aggregation was introduced in March 2018 via new function APAR PI83362. With zERT aggregation, attributes collected by zERT discovery are aggregated by security session. These attributes are provided in SMF 119 subtype 12 "zERT Summary" records. These records describe the repeated use of security sessions over time. Aggregation can greatly reduce the volume of SMF records while maintaining the fidelity of the information, which makes the summary records well suited for reporting applications.
With zERT discovery and aggregation in place, more advanced capabilities for analyzing z/OS network cryptographic protection become possible. For example, IBM Security zSecure Audit V2.3 already supports zERT Connection Detail records, providing the ability to search and display the records based on a variety of query criteria.
Watch this space for more articles about zERT – they will be coming your way soon!