z/OS Encryption Readiness Technology (zERT)
z/OS® Encryption Readiness Technology (zERT) is a new capability provided by the z/OS V2R3 Communications Server. With zERT, the TCP/IP stack acts as a focal point for collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected by the TLS/SSL, SSH and IPSec cryptographic network security protocols. The collected connection-level data is written to SMF in new SMF 119 subtype 11 records for analysis. Additionally, a new real-time network management interface (NMI) service lets network management applications retrieve zERT SMF records as they are generated.
Using zERT, you have a single source of information to determine which traffic is cryptographically protected by TLS/SSL, IPSec and SSH, and which is not. For the traffic with recognized cryptographic protection, you can determine which cryptographic protocol is used, which cryptographic algorithms are used, the length of the cryptographic keys, and other important attributes of the cryptographic protection. This information is valuable for determining regulatory compliance and for identifying connections that might need stronger cryptographic protection.
zERT collects information for TCP and Enterprise Extender (EE) connections. Information is not collected for non-EE UDP traffic or traffic using other IP protocols.
zERT collects cryptographic security attributes for the TLS, SSL, SSH, and IPSec protocols. No other cryptographic security protocols are supported.
The following cryptographic protocol providers are fully enabled for zERT: z/OS Communications Server IPSec and AT-TLS, z/OS Cryptographic Services System SSL and z/OS OpenSSH. In addition, a zERT-enabled JSSE provider called ZERTJSSE is available for Java™ 8. Detailed security attribute data is available for connections using these protocol providers. Other TLS, SSL, and SSH implementations running on z/OS are monitored through stream observation only. A limited amount of security attribute data is available for these connections.
For information on the specific cases where security attribute data is limited or unavailable, see What are the limitations for zERT discovery? in z/OS Communications Server: IP Configuration Guide.
For videos about zERT, see the zERT video gallery.
| Task/Procedure | Reference |
|---|---|
| Plan for collection and storage of zERT connection detail SMF records | |
| Enable z/OS Encryption Readiness Technology | GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference |
| Determine where zERT connection detail SMF records are to be collected: | |
| Display zERT configuration settings | Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands |
| Use the information from the SMF 119 subtype 11 event records that provide zERT data | zERT connection detail record (subtype 11) in z/OS Communications Server: IP Programmer's Guide and Reference |
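The last task in the table, using the per-connection attributes that zERT reports, is where the readiness analysis happens: deciding which connections have no recognized protection and which protected connections use a deprecated protocol version, a weak cipher or a short key. The script below is an added example written for this page; it is not IBM code and does not decode the actual SMF 119 subtype 11 record layout. It assumes the records (or the NMI output) have already been decoded into the simple `Connection` fields shown, and the policy thresholds (`WEAK_VERSIONS`, `MIN_KEY_BITS`, `WEAK_CIPHER_TOKENS`) and the sample connections are constructed for illustration. It also flags connections whose attributes came only from stream observation, since the page notes that such connections carry limited attribute data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Connection:
    """One decoded zERT connection record (hypothetical field set, not the SMF layout)."""
    local: str                 # local address:port
    remote: str                # remote address:port
    protocol: str              # "TLS", "SSL", "SSH", "IPSec", or "NONE" (no recognized protection)
    version: str = ""          # protocol version string as reported
    cipher: str = ""           # negotiated cipher suite / algorithm name
    key_bits: int = 0          # symmetric key length in bits (0 = unknown)
    observed_only: bool = False  # True when attributes came from stream observation only


# Assumed policy: treat these protocol versions as deprecated.
WEAK_VERSIONS = {("SSL", "2.0"), ("SSL", "3.0"), ("TLS", "1.0"), ("TLS", "1.1"), ("SSH", "1")}
# Assumed minimum symmetric key length.
MIN_KEY_BITS = 128
# Assumed substrings that mark a weak cipher ("DES" also matches 3DES on purpose).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def assess(conn: Connection) -> List[str]:
    """Return the policy findings for one connection; an empty list means no concern."""
    if conn.protocol == "NONE":
        return ["no recognized cryptographic protection"]
    findings = []
    if (conn.protocol, conn.version) in WEAK_VERSIONS:
        findings.append(f"deprecated protocol version {conn.protocol} {conn.version}")
    if any(tok in conn.cipher.upper() for tok in WEAK_CIPHER_TOKENS):
        findings.append(f"weak cipher {conn.cipher}")
    if conn.key_bits and conn.key_bits < MIN_KEY_BITS:
        findings.append(f"key length {conn.key_bits} below {MIN_KEY_BITS}")
    if conn.observed_only:
        findings.append("attributes from stream observation only; verify with provider")
    return findings


def report(conns: List[Connection]) -> Dict[str, List[str]]:
    """Map each connection (local->remote) to its findings."""
    return {f"{c.local}->{c.remote}": assess(c) for c in conns}


def summary(conns: List[Connection]) -> Dict[str, int]:
    """Count connections by outcome: clean, flagged (protected but weak), unprotected."""
    counts = {"clean": 0, "flagged": 0, "unprotected": 0}
    for c in conns:
        if c.protocol == "NONE":
            counts["unprotected"] += 1
        elif assess(c):
            counts["flagged"] += 1
        else:
            counts["clean"] += 1
    return counts


# Constructed sample connections (not real zERT output).
SAMPLE = [
    Connection("10.1.1.5:443", "10.2.2.9:50100", "TLS", "1.2", "AES_256_GCM_SHA384", 256),
    Connection("10.1.1.5:23", "10.2.2.10:50233", "NONE"),
    Connection("10.1.1.5:443", "10.2.2.11:50300", "TLS", "1.0", "RC4_128_SHA", 128),
    Connection("10.1.1.5:22", "10.2.2.12:50400", "SSH", "2", "aes128-ctr", 128, observed_only=True),
    Connection("10.1.1.5:21", "10.2.2.13:50500", "SSL", "3.0", "DES_CBC_SHA", 56),
]

if __name__ == "__main__":
    for key, findings in report(SAMPLE).items():
        print(key, "OK" if not findings else "; ".join(findings))
    print(summary(SAMPLE))
```

The thresholds are deliberately kept in module-level constants so they can be aligned with whatever compliance baseline applies; the classification logic itself is independent of where the decoded records came from.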