zERT connection detail record (subtype 11)

zERT connection detail records are written to record important information about the cryptographic protection of TCP connections and Enterprise Extender (EE) connections. Subtype 11 records are written for seven different events:
  1. Cryptographic protection attributes at connection initiation (zERT Connection Init)
  2. Change to the connection's cryptographic protection attributes (zERT Change)
  3. Cryptographic protection attributes at connection termination (zERT Connection Term)
  4. Cryptographic protection attributes at short connection termination (zERT Short Connection Term). In this case, there is no associated zERT Connection Init record for the subject connection.
  5. zERT function enabled (zERT Enabled)
  6. zERT function disabled (zERT Disabled)
  7. Cryptographic protection attributes when a TCP connection matched a zERT policy-based enforcement rule with audit action (zERT enforcement)

The format of the zERT connection detail record is the same for all event types.

See Table 1 for the contents of the TCP/IP stack identification section. For the zERT connection detail record, the TCP/IP stack identification section indicates STACK as the subcomponent and X'08' (event record) as the record reason.

Table 1 shows the zERT connection detail record self-defining section:
Table 1. zERT connection detail record self-defining section
Offset Name Length Format Description
0(X'0') Standard SMF Header 24   Standard SMF header
Self-defining section
24(X'18') SMF119SD_TRN 2 Binary Number of triplets in this record (8)
26(X'1A')   2 Binary Reserved
28(X'1C') SMF119IDOff 4 Binary Offset to TCP/IP identification section
32(X'20') SMF119IDLen 2 Binary Length of TCP/IP identification section
34(X'22') SMF119IDNum 2 Binary Number of TCP/IP identification sections
36(X'24') SMF119S1Off 4 Binary Offset to zERT connection detail common section
40(X'28') SMF119S1Len 2 Binary Length of zERT connection detail common section
42(X'2A') SMF119S1Num 2 Binary Number of zERT connection detail common section
44(X'2C') SMF119S2Off 4 Binary Offset to IP filter-specific section
48(X'30') SMF119S2Len 2 Binary Length of IP filter-specific section
50(X'32') SMF119S2Num 2 Binary Number of IP filter-specific sections
52(X'34') SMF119S3Off 4 Binary Offset to TLS protocol attributes section
56(X'38') SMF119S3Len 2 Binary Length of TLS protocol attributes section
58(X'3A') SMF119S3Num 2 Binary Number of TLS protocol attributes sections
60(X'3C') SMF119S4Off 4 Binary Offset to SSH protocol attributes section
64(X'40') SMF119S4Len 2 Binary Length of SSH protocol attributes section
66(X'42') SMF119S4Num 2 Binary Number of SSH protocol attributes sections
68(X'44') SMF119S5Off 4 Binary Offset to IPSec protocol attributes section
72(X'48') SMF119S5Len 2 Binary Length of IPSec protocol attributes section
74(X'4A') SMF119S5Num 2 Binary Number of IPSec protocol attributes sections
76(X'4C') SMF119S6Off 4 Binary Offset to certificate DNs section
80(X'50') SMF119S6Len 2 Binary Length of certificate DNs section
82(X'52') SMF119S6Num 2 Binary Number of certificate DNs sections
84(X'54') SMF119S7Off 4 Binary Offset to zERT policy-based enforcement section
88(X'58') SMF119S7Len 2 Binary Length of zERT policy-based enforcement section
90(X'5A') SMF119S7Num 2 Binary Number of zERT policy-based enforcement sections
Table 2 shows the zERT connection detail common section. Every zERT connection detail record has one of these sections:
Table 2. zERT connection detail common section
Offset Name Length Format Description
0(X'0') SMF119SC_SAEvent_Type 1 Binary Event type:
  • X'01': Connection initiation
  • X'02': Change in cryptographic attributes
  • X'03': Connection termination
  • X'04': Short connection termination (Connection terminates within 10 seconds of being established. No associated Connection initiation record is written.)
  • X'05': zERT Enabled (all remaining fields in this section are unused and set to 0)
  • X'06': zERT Disabled (all remaining fields in this section are unused and set to 0)
  • X'07': zERT Enforcement (Connection matches zERT policy-based enforcement rule with audit action)
1(X'1') SMF119SC_SASecProtos 1 Binary Cryptographic security protocols for the connection. Zero or more of these flags may be specified:
  • X'00': No recognized cryptographic protection
  • X'80': TLS/SSL
  • X'40': SSH
  • X'20': IPSec
2(X'2') SMF119SC_SAFlags 1 Binary Flags:
  • X'80': IPv6 connection
  • X'40': AT-TLS cryptographic data protection operations are bypassed for this connection as part of a stack optimization for intra-host connections. Only AT-TLS peer authentication operations are executed in this case.
  • X'20': Connection reset by zERT policy-based enforcement
    • Can only be set when event type (SMF119SC_SAEvent_Type) is connection termination or short connection termination
    • otherwise, 0
3(X'3') SMF119SC_SASecFlags 1 Binary IP security Flags:
  • X'80': IP security is enabled
  • X'40': IPv6 security is enabled
  • X'20': IP filtering done for connection
4(X'4') SMF119SC_SAIPProto 1 Binary IP Protocol value:
  • X'06': TCP
  • X'11': UDP
5(X'5') SMF119SC_SA_Rsvd1 3 Binary Reserved
8(X'8') SMF119SC_SAJobname 8 EBCDIC Jobname associated with the socket
16(X'10') SMF119SC_SAJobID 8 EBCDIC Job ID associated with the socket
24(X'18') SMF119SC_SAUserID 8 EBCDIC z/OS® user ID associated with the socket
32(X'20') SMF119SC_SASTime 4 Binary Time of day of connection establishment in 1/100 seconds since midnight (using Coordinated Universal Time (UTC))
36(X'24') SMF119SC_SASDate 4 Packed Date of connection establishment (UTC)
40(X'28') SMF119SC_SAETime 4 Binary Time connection ended in 1/100 seconds since midnight (using Coordinated Universal Time (UTC))
44(X'2C') SMF119SC_SAEDate 4 Packed Date connection end
  • set when event type (SMF119SC_SAEvent_Type) is connection termination or short connection termination
  • otherwise, 0
48(X'30') SMF119SC_SARIP 16 Binary Remote connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
64(X'40') SMF119SC_SALIP 16 Binary Local connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
80(X'50') SMF119SC_SARPort 2 Binary Remote port
82(X'52') SMF119SC_SALPort 2 Binary Local port
84(X'54') SMF119SC_SAConnID 4 Binary Transport layer connection ID
88(X'58') SMF119SC_SAInBytes 8 Binary Inbound byte count since connection started
96(X'60') SMF119SC_SAOutBytes 8 Binary Outbound byte count since connection started
104(X'68') SMF119SC_SAInSegDG 8 Binary Inbound TCP segment or UDP datagram count since connection started
112(X'70') SMF119SC_SAOutSegDG 8 Binary Outbound TCP segment or UDP datagram count since connection started
120(X'78') SMF119SC_SA_Rsvd2 8 Binary Reserved
Table 3 shows the zERT IP filter-specific section. This section is present if IP filtering is active and an IP filter rule applies to the connection (SMF119SC_SAIPFiltering flag is set in SMF119SC_SASecFlags). The IP filter section is not included for intra-host connections because IP filtering is not done for those connections.
Table 3. zERT IP filter-specific section
Offset Name Length Format Description
0(X'0') SMF119SC_IPFlt_OutAct 1 Binary Outbound IP filtering behavior:
  • X'01': Outbound traffic permitted in the clear
  • X'02': Outbound traffic permitted with IPSec protection
  • X'03': Outbound traffic denied
(X'00' if no associated outbound filter rule). A change in this attribute causes a protection state change record to be written.
1(X'1') SMF119SC_IPFlt_InbAct 1 Binary Inbound IP filtering behavior:
  • X'01': Inbound traffic permitted in the clear
  • X'02': Inbound traffic permitted with IPSec protection
  • X'03': Inbound traffic denied
(X'00' if no associated inbound filter rule). A change in this attribute causes a protection state change record to be written.
2(X'2') SMF119SC_IPFlt_Rsvd1 2 Binary Reserved
4(X'4') SMF119SC_IPFlt_OutRuleName 40 EBCDIC Outbound traffic IP filter rule name (blank if no associated outbound filter rule)
44(X'2C') SMF119SC_IPFlt_OutRuleExt 8 EBCDIC Outbound traffic IP filter rule name extension (blank if no associated outbound filter rule or the filter rule has no rule name extension value)
52(X'34') SMF119SC_IPFlt_InRuleName 40 EBCDIC Inbound traffic IP filter rule name (blank if no associated inbound filter rule)
92(X'5C') SMF119SC_IPFlt_InRuleExt 8 EBCDIC Inbound traffic IP filter rule name extension (blank if no associated inbound filter rule or the filter rule has no rule name extension value)
Table 4 shows the zERT TLS protocol attributes section. This section will be present if the connection is protected by TLS or SSL. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".
Table 4. zERT TLS protocol attributes section
Offset Name Length Format Description
0(X'0') SMF119SC_TLS_Prot_Ver 2 Binary Protocol version:
  • X'0000': Unknown version
  • X'0200': SSLv2
  • X'0300': SSLv3
  • X'0301': TLSv1.0
  • X'0302': TLSv1.1
  • X'0303': TLSv1.2
  • X'0304': TLSv1.3
2(X'2') SMF119SC_TLS_Source 1 Binary Source of the TLS/SSL information in this record:
  • X'01': Stream observation
  • X'02': Cryptographic protocol provider

Information only

3(X'3') SMF119SC_TLS_Handshake_Type 1 Binary Handshake type:
  • X'01': Full handshake
  • X'02': Abbreviated handshake

Information only

4(X'4') SMF119SC_TLS_Handshake_Role 1 Binary Local handshake role:
  • X'00': Unknown
  • X'01': Client
  • X'02': Server
  • X'03': Server with client authentication

Information only

5(X'5') SMF119SC_TLS_Rsvd1 2 Binary Reserved
7(X'7') SMF119SC_TLS_Session_ID_Len 1 Binary Length of TLS session ID value in bytes.

Information only

8(X'8') SMF119SC_TLS_Session_ID 32 Binary TLS session ID (left justified).

Information only

40(X'28') SMF119SC_TLS_Protocol_Provider 16 EBCDIC Source of the information in this record (padded with trailing blanks):
  • "Observation": Information was observed by the TCP/IP stack, not supplied by a CPP. This value is used when SMF119SC_TLS_Source is set to 1.
  • "IBM® System SSL" : System SSL
  • other values may be added in the future

Information only

56(X'38') SMF119SC_TLS_Neg_Cipher 6 EBCDIC Negotiated cipher suite identifier.
  • If the TLS version is SSLv3 or higher, this is a four character value in the first 4 bytes of this field, padded with trailing blanks. Refer to the TLS Cipher Suite registry at http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml for a complete list of the 4-hexadecimal-character values.
  • If the TLS version is SSLv2, then all 6 bytes are used:
    • "010080": 128-bit RC4 with MD5
    • "020080": 40-bit RC4 with MD5
    • "030080": 128-bit RC2 with MD5
    • "040080": 40-bit RC2 with MD5
    • "050080": 128-bit IDEA with MD5
    • "060040": DES with MD5
    • "0700C0": 3DES with MD5
62(X'3E') SMF119SC_TLS_CS_Enc_Alg 2 Binary The symmetric encryption algorithm used by the cipher suite:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': DES
  • X'0003': DES 40
  • X'0004': 3DES
  • X'0005': RC2 40
  • X'0006': RC2 128
  • X'0007': RC2
  • X'0008': RC4 40
  • X'0009': RC4 128
  • X'000A': RC4 256
  • X'000B': RC4
  • X'000C': AES CBC 128
  • X'000D': AES CBC 192
  • X'000E': AES CBC 256
  • X'000F': AES CTR 128
  • X'0010': AES CTR 192
  • X'0011': AES CTR 256
  • X'0012': AES GCM 128
  • X'0013': AES GCM 256
  • X'0014': AES CCM 128
  • X'0015': AES CCM 256
  • X'0016': AES CCM8 128
  • X'0017': AES CCM8 256
  • X'0018': AES 256
  • X'0019': Blowfish
  • X'001A': Blowfish CBC
  • X'001B': CAST 128 CBC
  • X'001C': ARCFOUR 128
  • X'001D': ARCFOUR 256
  • X'001E': ARCFOUR
  • X'001F': Rijndael CBC
  • X'0020': ACSS
  • X'0021': ARIA 128 CBC
  • X'0022': ARIA 256 CBC
  • X'0023': ARIA 128 GCM
  • X'0024': ARIA 256 GCM
  • X'0025': Camellia 128 CBC
  • X'0026': Camellia 256 CBC
  • X'0027': Camellia 128 GCM
  • X'0028': Camellia 256 GCM
  • X'0029': ChaCha20 Poly1305
  • X'002A': IDEA CBC
  • X'002B': SEED CBC
  • X'002C': Fortezza
  • X'002D': GOST28147
  • X'002E': TwoFish CBC 256
  • X'002F': TwoFish CBC
  • X'0030': TwoFish CBC 192
  • X'0031': TwoFish CBC 128
  • X'0032': Serpent CBC 256
  • X'0033': Serpent CBC 192
  • X'0034': Serpent CBC 128
64(X'40') SMF119SC_TLS_CS_Msg_Auth 2 Binary The message authentication algorithm used by the cipher suite:
  • X'0000': Unknown
  • X'0001': No message authentication, or uses authenticated encryption algorithm like AES-GCM
  • X'0002': MD2
  • X'0003': HMAC-MD5
  • X'0004': HMAC-SHA1
  • X'0005': HMAC-SHA2-224
  • X'0006': HMAC-SHA2-256
  • X'0007': HMAC-SHA2-384
  • X'0008': HMAC-SHA2-512
  • X'0009': AES-GMAC-128
  • X'000A': AES-GMAC-256
  • X'000B': AES-128-XCBC-96
  • X'000C': HMAC-SHA2-256-128
  • X'000D': HMAC-SHA2-384-192
  • X'000E': HMAC-SHA2-512-256
  • X'000F': HMAC-MD5-96
  • X'0010': HMAC-SHA1-96
  • X'0011': UMAC-64
  • X'0012': UMAC-128
  • X'0013': RIPEMD-160
66(X'42') SMF119SC_TLS_CS_Kex_Alg 2 Binary The key exchange algorithm used by the cipher suite:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': RSA_EXPORT
  • X'0004': RSA_PSK
  • X'0005': DH_RSA
  • X'0006': DH_RSA_EXPORT
  • X'0007': DH_DSS
  • X'0008': DH_ANON
  • X'0009': DH_ANON_EXPORT
  • X'000A': DH_DSS_EXPORT
  • X'000B': DHE_RSA
  • X'000C': DHE_RSA_EXPORT
  • X'000D': DHE_DSS
  • X'000E': DHE_DSS_EXPORT
  • X'000F': DHE_PSK
  • X'0010': ECDH_ECDSA
  • X'0011': ECDH_RSA
  • X'0012': ECDH_ANON
  • X'0013': ECDHE_ECDSA
  • X'0014': ECDHE_RSA
  • X'0015': ECDHE_PSK
  • X'0016': KRB5
  • X'0017': KRB5_EXPORT
  • X'0018': PSK
  • X'0019': SRP_SHA_RSA
  • X'001A': SRP_SHA_DSS
  • X'001B': SRP_SHA
  • X'001C': ECDHE
  • X'001D': DHE
68(X'44') SMF119SC_TLS_FIPS_Mode 1 Binary FIPS 140 mode of the TLS/SSL provider:
  • X'00': Not in FIPS 140 mode
  • X'01': FIPS 140 mode is enabled (80-bit strength enforced)
  • X'02': FIPS 140 mode is enabled at level 1 (synonymous with X'01')
  • X'03': FIPS 140 mode is enabled at level 2 (112-bit strength enforced when creating new keys or performing digital signature generation and encryption type operations. Digital signature verification, decryption using 3DES and RSA decryption with 80-bit key lengths allowed when processing already protected information).
  • X'04': FIPS 140 mode is enabled at level 3 (112 bit or higher strength enforced as defined in NIST SP800-131A.)

Information only

69(X'45') SMF119SC_TLS_CryptoFlags 1 Binary Cryptographic operations flags:
  • X'80': Encrypt-then-MAC processing is used
  • X'40': Raw public key authentication is used
  • X'20': Pre-shared key is used (Information only)
  • X'10': Pre-shared key authentication is used
  • All other flags reserved
70(X'46') SMF119SC_TLS_Rsvd2 2 Binary Reserved
Server certificate information
72(X'48') SMF119SC_TLS_SCert_Signature_Method 2 Binary Server certificate signature method:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA with MD2
  • X'0003': RSA with MD5
  • X'0004': RSA with SHA1
  • X'0005': DSA with SHA1
  • X'0006': RSA with SHA-224
  • X'0007': RSA with SHA-256
  • X'0008': RSA with SHA-384
  • X'0009': RSA with SHA-512
  • X'000A': ECDSA with SHA1
  • X'000B': ECDSA with SHA-224
  • X'000C': ECDSA with SHA-256
  • X'000D': ECDSA with SHA-384
  • X'000E': ECDSA with SHA-512
  • X'000F': DSA with SHA-224
  • X'0010': DSA with SHA-256
  • X'0011': RSA PSS RSAE with SHA-256
  • X'0012': RSA PSS RSAE with SHA-384
  • X'0013': RSA PSS RSAE with SHA-512
  • X'0014': ED 25519
  • X'0015': ED 448
  • X'0016': RSA PSS PSS with SHA-256
  • X'0017': RSA PSS PSS with SHA-384
  • X'0018': RSA PSS PSS with SHA-512
74(X'4A') SMF119SC_TLS_SCert_Enc_Method 2 Binary Server certificate encryption method:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': ECDSA
76(X'4C') SMF119SC_TLS_SCert_Digest_Alg 2 Binary Server certificate digest algorithm:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': MD2
  • X'0003': MD5
  • X'0004': SHA1
  • X'0005': SHA-224
  • X'0006': SHA-256
  • X'0007': SHA-384
  • X'0008': SHA-512
78(X'4E') SMF119SC_TLS_Rsvd3 1 Binary Reserved
79(X'4F') SMF119SC_TLS_SCert_Serial_Len 1 Binary Server certificate serial number length in bytes.

Information only

80(X'50') SMF119SC_TLS_SCert_Serial 20 Binary Server certificate serial number, left justified.

Information only

100(X'64') SMF119SC_TLS_SCert_Time_Type 1 Binary Format of server certificate "not after" time:
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

101(X'65') SMF119SC_TLS_SCert_Time 15 Binary Server certificate "not after" time:
  • If the time type is UTC (SMF119SC_TLS_SCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_TLS_SCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

116(X'74') SMF119SC_TLS_SCert_Key_Type 2 Binary Server certificate key type:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': Diffie-Hellman (DH)
  • X'0005': Elliptic Curve Cryptography (ECC)
118(X'76') SMF119SC_TLS_SCert_Key_Len 2 Binary Server certificate key length in bits
Client certificate information
120(X'78') SMF119SC_TLS_CCert_Signature_Method 2 Binary Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method.
122(X'7A') SMF119SC_TLS_CCert_Enc_Method 2 Binary Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method
124(X'7C') SMF119SC_TLS_CCert_Digest_Alg 2 Binary Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg
126(X'7E') SMF119SC_TLS_Rsvd4 1 Binary Reserved
127(X'7F') SMF119SC_TLS_CCert_Serial_Len 1 Binary Client certificate serial number length in bytes.

Information only

128(X'80') SMF119SC_TLS_CCert_Serial 20 Binary Client certificate serial number, left justified.

Information only

148(X'94') SMF119SC_TLS_CCert_Time_Type 1 Binary Format of client certificate "not after" time:
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

149(X'95') SMF119SC_TLS_CCert_Time 15 Binary Client certificate "not after" time:
  • If the time type is UTC (SMF119SC_TLS_CCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_TLS_CCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

164(X'A4') SMF119SC_TLS_CCert_Key_Type 2 Binary Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type.
166(X'A6') SMF119SC_TLS_CCert_Key_Len 2 Binary Client certificate key length in bits
Additional connection information
168(X'A8') SMF119SC_TLS_Server_HS_Sig_Method 2 Binary Server-specified signature method used to encrypt certain TLS handshake messages. Same values as SMF119SC_TLS_SCert_Signature_Method.
Note: Only valid for TLSv1.2 and later connections.
170(X'AA') SMF119SC_TLS_Client_HS_Sig_Method 2 Binary Client-specified signature method used to encrypt certain TLS handshake messages. Same values as SMF119SC_TLS_SCert_Signature_Method.
Note: Only valid for TLSv1.2 and later connections.
172(X'AC') SMF119SC_TLS_Neg_Key_Share 2 Binary Negotiated key share:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': SECP-256R1
  • X'0003': SECP-384R1
  • X'0004': SECP-521R1
  • X'0005': X-25519
  • X'0006': X-448
  • X'0007': FFDHE with 2048
  • X'0008': FFDHE with 3072
  • X'0009': FFDHE with 4096
  • X'000A': FFDHE with 6144
  • X'000B': FFDHE with 8192
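
The following Python code is an added example, not IBM code: it walks the triplets of the self-defining section (Table 1), decodes selected fields of the common section (Table 2) and the TLS protocol attributes section (Table 4), and reports connections that fall short of a policy. Assumptions: binary fields are big-endian, section offsets are measured from the start of the record, EBCDIC fields use code page 037, and the policy (TLSv1.2 minimum; None, DES, 3DES, RC2 and RC4 treated as weak) is a hypothetical local one; the function names and the sample record are constructed for illustration.

```python
import ipaddress
import struct

SELF_DEF = 24     # self-defining section follows the 24-byte standard SMF header
EBCDIC = "cp037"  # assumed code page for the EBCDIC fields
SECTIONS = ("ident", "common", "ipfilter", "tls", "ssh", "ipsec", "cert_dns", "enforcement")
EVENTS = {1: "Connection initiation", 2: "Change", 3: "Connection termination",
          4: "Short connection termination", 5: "zERT Enabled", 6: "zERT Disabled",
          7: "zERT Enforcement"}
SEC_PROTOS = ((0x80, "TLS/SSL"), (0x40, "SSH"), (0x20, "IPSec"))
TLS_VERSIONS = {0x0200: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# Assumed local policy (not from the page): TLSv1.2 minimum, and Table 4
# encryption codes X'0001'-X'000B' (None, DES, 3DES, RC2, RC4) count as weak.
MIN_TLS = 0x0303
WEAK_ENC = set(range(0x0001, 0x000C))


def parse_triplets(record):
    """Map section name -> (offset, length, count) from the self-defining section."""
    (count,) = struct.unpack_from(">H", record, SELF_DEF)
    return {name: struct.unpack_from(">IHH", record, SELF_DEF + 4 + 8 * i)
            for i, name in enumerate(SECTIONS[:count])}


def section(record, triplets, name):
    """Return the first instance of a section, or None when it is absent."""
    off, length, num = triplets.get(name, (0, 0, 0))
    if num == 0 or length == 0:
        return None
    # Assumption: offsets are measured from the start of the record.
    if off + length > len(record):
        raise ValueError(f"{name} section overruns the record")
    return record[off:off + length]


def parse_common(sec):
    """Decode the Table 2 fields needed to identify the connection."""
    event, protos, flags = struct.unpack_from(">3B", sec, 0)
    width = 16 if flags & 0x80 else 4  # X'80' in SMF119SC_SAFlags: IPv6
    rport, lport = struct.unpack_from(">HH", sec, 80)
    return {
        "event": EVENTS.get(event, f"X'{event:02X}'"),
        "protocols": [name for bit, name in SEC_PROTOS if protos & bit],
        "reset_by_policy": bool(flags & 0x20),
        "jobname": sec[8:16].decode(EBCDIC).rstrip(" \x00"),
        "remote_ip": str(ipaddress.ip_address(bytes(sec[48:48 + width]))),
        "remote_port": rport, "local_port": lport,
    }


def parse_tls(sec):
    """Decode the Table 4 fields that describe the negotiated protection."""
    (version,) = struct.unpack_from(">H", sec, 0)
    (enc,) = struct.unpack_from(">H", sec, 62)
    return {"version_code": version, "version": TLS_VERSIONS.get(version, "Unknown"),
            "cipher": sec[56:62].decode(EBCDIC).rstrip(" \x00"), "enc_alg": enc}


def audit(record):
    """Return (connection summary, findings) for one subtype 11 record."""
    triplets = parse_triplets(record)
    common_sec = section(record, triplets, "common")
    if common_sec is None:
        raise ValueError("record has no common section")
    conn = parse_common(common_sec)
    findings = []
    if conn["event"] in ("zERT Enabled", "zERT Disabled"):
        return conn, findings  # remaining common-section fields are unused
    if not conn["protocols"]:
        findings.append("no recognized cryptographic protection")
    tls_sec = section(record, triplets, "tls")
    if tls_sec is not None:
        tls = conn["tls"] = parse_tls(tls_sec)
        if tls["version_code"] < MIN_TLS:
            findings.append(f"protocol version {tls['version']} is below the TLSv1.2 minimum")
        if tls["enc_alg"] in WEAK_ENC:
            findings.append(f"weak encryption algorithm X'{tls['enc_alg']:04X}'")
    return conn, findings


def build_sample():
    """Constructed record (not real data): TLSv1.0 with 3DES, job FTPD1, IPv4."""
    common = bytearray(128)                      # Table 2 is 128 bytes long
    common[0:2] = bytes([0x01, 0x80])            # connection initiation, TLS/SSL
    common[8:16] = "FTPD1".ljust(8).encode(EBCDIC)
    common[48:52] = bytes([192, 0, 2, 10])       # IPv4 in the first 4 bytes
    struct.pack_into(">HH", common, 80, 50123, 990)
    tls = bytearray(174)                         # Table 4 is 174 bytes long
    struct.pack_into(">H", tls, 0, 0x0301)       # TLSv1.0
    tls[56:62] = "000A".ljust(6).encode(EBCDIC)  # cipher suite identifier
    struct.pack_into(">H", tls, 62, 0x0004)      # 3DES
    rec = bytearray(92)                          # SMF header + 8 triplets, zeroed
    struct.pack_into(">H", rec, SELF_DEF, 8)
    struct.pack_into(">IHH", rec, 36, 92, len(common), 1)             # SMF119S1*
    struct.pack_into(">IHH", rec, 52, 92 + len(common), len(tls), 1)  # SMF119S3*
    return bytes(rec + common + tls)
```

Calling audit(build_sample()) returns the decoded connection together with two findings, one for the protocol version and one for the encryption algorithm.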
Table 5 shows the zERT SSH protocol attributes section. This section will be present if the connection is protected by SSH. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".
Table 5. zERT SSH protocol attributes section
Offset Name Length Format Description
0(X'0') SMF119SC_SSH_Prot_Ver 1 Binary Protocol version:
  • X'01': Protocol version 1
  • X'02': Protocol version 2
1(X'1') SMF119SC_SSH_Source 1 Binary Source of the SSH information in this record:
  • X'01': Stream observation
  • X'02': Cryptographic protocol provider

Information only

2(X'2') SMF119SC_SSH_FIPS_Mode 1 Binary FIPS 140 mode of the SSH provider. Same values as SMF119SC_TLS_FIPS_Mode in Table 4.

Information only

3(X'3') SMF119SC_SSH_CryptoFlags 1 Binary Cryptographic operations flags:
  • X'80': Encrypt-then-MAC processing is used for inbound traffic
  • X'40': Encrypt-then-MAC processing is used for outbound traffic
  • All other flags reserved
4(X'4') SMF119SC_SSH_Rsvd1 4 Binary Reserved
8(X'8') SMF119SC_SSH_Comp 8 EBCDIC SSH subcomponent (padded with trailing blanks):
  • 'SFTPS': sftp server
  • 'SFTPC': sftp client
  • 'SCPS': scp server
  • 'SCPC': scp client
  • 'SSH': ssh client
  • 'SSHD': sshd daemon

Information only

16(X'10') SMF119SC_SSH_Protocol_Provider 16 EBCDIC Protocol provider (padded with trailing blanks):
  • "Observation": Information was observed by the TCP/IP stack, not supplied by a CPP. This value is used when SMF119SC_SSH_Source is set to 1.
  • "IBM OpenSSH": z/OS-provided OpenSSH
  • Other values may be added in the future

Information only

32(X'20') SMF119SC_SSH_Auth_Method 2 Binary First or only peer authentication method used for this connection:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': Password
  • X'0003': Public key
  • X'0004': Host-based
  • X'0005': Rhosts
  • X'0006': RhostsRSA
  • X'0007': RSA
  • X'0008': Keyboard-interactive
  • X'0009': Challenge-response
  • X'000A': Control socket 1
  • X'000B': GSSAPI with MIC
  • X'000C': GSSAPI Key exchange
34(X'22') SMF119SC_SSH_Auth_Method2 2 Binary If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SC_SSH_Auth_Method
36(X'24') SMF119SC_SSH_In_Enc_Alg 2 Binary Encryption algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4.
38(X'26') SMF119SC_SSH_In_Msg_Auth 2 Binary Message authentication algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4.
40(X'28') SMF119SC_SSH_Kex_Method 2 Binary Key exchange method.
  • X'0000': Unknown
  • X'0001': None
  • X'0002': Diffie-Hellman-group-exchangeSHA256
  • X'0003': Diffie-Hellman-group-exchangeSHA1
  • X'0004': Diffie-Hellman-group14-SHA1
  • X'0005': Diffie-Hellman-group1-SHA1
  • X'0006': ECDH-SHA2-NISTP256
  • X'0007': ECDH-SHA2-NISTP384
  • X'0008': ECDH-SHA2-NISTP521
  • X'0009': GSS-GROUP1-SHA1
  • X'000A': GSS-GROUP14-SHA1
  • X'000B': GSS-GEX-SHA1
  • X'000C': ECMQV-SHA2
  • X'000D': GSS-*
  • X'000E': RSA1024-SHA1
  • X'000F': RSA2048-SHA256
  • X'0010': Diffie-Hellman-group14-SHA256
  • X'0011': Diffie-Hellman-group16-SHA512
  • X'0012': Diffie-Hellman-group18-SHA512
  • X'0013': Curve 25519-SHA256
42(X'2A') SMF119SC_SSH_Out_Enc_Alg 2 Binary Encryption algorithm for outbound traffic. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4.
44(X'2C') SMF119SC_SSH_Out_Msg_Auth 2 Binary Message authentication algorithm for outbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4.
46(X'2E') SMF119SC_SSH_Rsvd2 2 Binary Reserved
48(X'30') SMF119SC_SSH_SKey_Type 2 Binary Type of raw server key:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': Diffie-Hellman (DH)
  • X'0005': Elliptic Curve Cryptography (ECC)
  • X'0006': RSA1 (SSHV1 only)
  • X'0007': RSA_CERT (from OpenSSH certificate)
  • X'0008': DSA_CERT (from OpenSSH certificate)
  • X'0009': ECDSA_CERT (from OpenSSH certificate)
  • X'000A': ED 25519
  • X'000B': ED 25519 (from OpenSSH certificate)
50(X'32') SMF119SC_SSH_SKey_Len 2 Binary Length of raw server key in bits.
52(X'34') SMF119SC_SSH_CKey_Type 2 Binary Type of raw client key. Same values as SMF119SC_SSH_SKey_Type.
54(X'36') SMF119SC_SSH_CKey_Len 2 Binary Length of raw client key in bits.
56(X'38') SMF119SC_SSH_SKey_FPLen 2 Binary Length (in bytes) of the server public key fingerprint. If no server public key is used, then this length is set to zero.

Information only

58(X'3A') SMF119SC_SSH_CKey_FPLen 2 Binary Length (in bytes) of the client public key fingerprint. If no client public key is used, then this length is set to zero.

Information only

60(X'3C') SMF119SC_SSH_SKey_FP 64 Binary The server public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X'00'.

Information only

124(X'7C') SMF119SC_SSH_CKey_FP 64 Binary The client public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X'00'.

Information only

Server X.509 certificate information
188(X'BC') SMF119SC_SSH_SCert_Signature_Method 2 Binary Server certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4.
190(X'BE') SMF119SC_SSH_SCert_Enc_Method 2 Binary Server certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4.
192(X'C0') SMF119SC_SSH_SCert_Digest_Alg 2 Binary Server certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4.
194(X'C2') SMF119SC_SSH_Rsvd3 1 Binary Reserved
195(X'C3') SMF119SC_SSH_SCert_Serial_Len 1 Binary Server certificate serial number length in bytes.

Information only

196(X'C4') SMF119SC_SSH_SCert_Serial 20 Binary Server certificate serial number, left justified.

Information only

216(X'D8') SMF119SC_SSH_SCert_Time_Type 1 Binary Format of server certificate "not after" time:
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

217(X'D9') SMF119SC_SSH_SCert_Time 15 Binary Server certificate "not after" time:
  • If the time type is UTC (SMF119SC_SSH_SCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_SSH_SCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

232(X'E8') SMF119SC_SSH_SCert_Key_Type 2 Binary Server certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4.
234(X'EA') SMF119SC_SSH_SCert_Key_Len 2 Binary Server certificate key length in bits
Client X.509 certificate information
236(X'EC') SMF119SC_SSH_CCert_Signature_Method 2 Binary Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4.
238(X'EE') SMF119SC_SSH_CCert_Enc_Method 2 Binary Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4.
240(X'F0') SMF119SC_SSH_CCert_Digest_Alg 2 Binary Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4.
242(X'F2') SMF119SC_SSH_Rsvd4 1 Binary Reserved
243(X'F3') SMF119SC_SSH_CCert_Serial_Len 1 Binary Client certificate serial number length in bytes.

Information only

244(X'F4') SMF119SC_SSH_CCert_Serial 20 Binary Client certificate serial number, left justified.

Information only

264(X'108') SMF119SC_SSH_CCert_Time_Type 1 Binary Format of client certificate "not after" time:
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

265(X'109') SMF119SC_SSH_CCert_Time 15 Binary Client certificate "not after" time:
  • If the time type is UTC (SMF119SC_SSH_CCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_SSH_CCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

280(X'118') SMF119SC_SSH_CCert_Key_Type 2 Binary Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4.
282(X'11A') SMF119SC_SSH_CCert_Key_Len 2 Binary Client certificate key length in bits
Table 6 shows the zERT IPSec attributes section. This section will be present if the connection is protected by IPSec. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".
Note:
  1. If the connection is protected by a manual tunnel (SMF119SC_IPSec_TunType is 1), the IKE tunnel fields will be zero or blank.
Table 6. zERT IPSec attributes section
Offset Name Length Format Description
IKE (Phase 1) tunnel information
0(X'0') SMF119SC_IPSec_IKETunID 4 Binary IKE tunnel identifier. This value is displayed as Ktunid in ipsec command displays.

Information only

4(X'4') SMF119SC_IPSec_IKEMajVer 1 Binary Major version of the IKE protocol in use. Only the low-order 4 bits are used.
5(X'5') SMF119SC_IPSec_IKEMinVer 1 Binary Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
6(X'6') SMF119SC_IPsec_Rsvd1 2 Binary Reserved
8(X'8') SMF119SC_IPSec_IKETunKeyExchRule 48 EBCDIC Key exchange rule for this IKE tunnel (padded with trailing blanks).

Information only

56(X'38') SMF119SC_IPSec_IKETunLclEndpt 16 Binary Local IP address of tunnel endpoint. If SMF119SC_Flags in the zERT common identification section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
72(X'48') SMF119SC_IPSec_IKETunRmtEndpt 16 Binary Remote IP address of tunnel endpoint. If SMF119SC_Flags in the zERT common identification section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
88(X'58') SMF119SC_IPSec_IKETunLclAuthMeth 2 Binary The authentication method for the local endpoint. One of the following values:
  • X'00': Unknown or manual tunnel
  • X'01': None
  • X'02': RSA signature
  • X'03': Preshared key
  • X'04': ECDSA-256 signature
  • X'05': ECDSA-384 signature
  • X'06': ECDSA-521 signature
  • X'07': Digital signature
90(X'5A') SMF119SC_IPSec_IKETunRmtAuthMeth 2 Binary The authentication method for the remote endpoint. Same values as SMF119SC_IPSec_IKETunLclAuthMeth.
92(X'5C') SMF119SC_IPSec_IKETunAuthAlg 2 Binary Tunnel authentication algorithm. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4.
94(X'5E') SMF119SC_IPSec_IKETunEncAlg 2 Binary Tunnel encryption algorithm. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4.
96(X'60') SMF119SC_IPSec_IKETunDHGroup 2 Binary Diffie-Hellman group used to generate the keying material for this IKE tunnel. One of the following values:
  • X'00': Unknown or manual tunnel
  • X'01': Group 1
  • X'02': Group 2
  • X'05': Group 5
  • X'0E': Group 14
  • X'13': Group 19
  • X'14': Group 20
  • X'15': Group 21
  • X'18': Group 24
  • X'FF': No DH group used (only possible for SMF119SC_IPSec_PFSGroup, where these values are also used)
98(X'62') SMF119SC_IPSec_IKETunPseudoRandFunc 2 Binary Pseudo-random function used for seeding keying material. One of the following values:
  • X'00': Unknown or manual tunnel
  • X'01': None
  • X'02': HMAC-SHA2-256
  • X'03': HMAC-SHA2-384
  • X'04': HMAC-SHA2-512
  • X'05': AES-128-XCBC
  • X'06': HMAC-MD5
  • X'07': HMAC-SHA1
100(X'64') SMF119SC_IPSec_IKETunLifesize 4 Binary IKE tunnel lifesize. If not 0, this value indicates the lifesize limit for the tunnel, in Kbytes. Otherwise (value is 0), no lifesize enforced.

Information only

104(X'68') SMF119SC_IPSec_IKETunLifetime 4 Binary IKE tunnel lifetime. This value indicates the total number of minutes the tunnel remains active.

Information only

108(X'6C') SMF119SC_IPSec_IKETunReauthIntvl 4 Binary Reauthentication interval. Indicates the number of minutes between reauthentication operations.

Information only

IKE Local certificate information (populated if SMF119SC_IPSec_IKETunLclAuthMeth indicates RSA, ECDSA, or Digital signature and local certificate information is available. Otherwise, all fields are set to zero.)
112(X'70') SMF119SC_IPSec_LclCert_Sign_Meth 2 Binary Local IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4.
114(X'72') SMF119SC_IPSec_LclCert_Enc_Meth 2 Binary Local IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4.
116(X'74') SMF119SC_IPSec_LclCert_Digest_Alg 2 Binary Local IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4.
118(X'76') SMF119SC_IPsec_Rsvd2 1 Binary Reserved.
119(X'77') SMF119SC_IPSec_LclCert_Serial_Len 1 Binary Local IKE certificate serial number length in bytes.

Information only

120(X'78') SMF119SC_IPSec_LclCert_Serial 20 Binary Local IKE certificate serial number, left justified.

Information only

140(X'8C') SMF119SC_IPSec_LclCert_Time_Type 1 Binary Format of local IKE certificate "not after" time:
  • X'00': Manual tunnel - unused
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

141(X'8D') SMF119SC_IPSec_LclCert_Time 15 Binary Local IKE certificate "not after" time:
  • If the time type is UTC (SMF119SC_IPSec_LclCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_IPSec_LclCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

156(X'9C') SMF119SC_IPSec_LclCert_Key_Type 2 Binary Local IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4.
158(X'9E') SMF119SC_IPSec_LclCert_Key_Len 2 Binary Local IKE certificate key length in bits.
IKE Peer certificate information (populated if SMF119SC_IPSec_IKETunRmtAuthMeth indicates RSA, ECDSA, or Digital signature and remote certificate information is available. Otherwise, all fields are set to zero.)
160(X'A0') SMF119SC_IPSec_RmtCert_Sign_Meth 2 Binary Remote IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4.
162(X'A2') SMF119SC_IPSec_RmtCert_Enc_Meth 2 Binary Remote IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4.
164(X'A4') SMF119SC_IPSec_RmtCert_Digest_Alg 2 Binary Remote IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4.
166(X'A6') SMF119SC_IPSec_Rsvd3 1 Binary Reserved
167(X'A7') SMF119SC_IPSec_RmtCert_Serial_Len 1 Binary Remote IKE certificate serial number length in bytes.

Information only

168(X'A8') SMF119SC_IPSec_RmtCert_Serial 20 Binary Remote IKE certificate serial number, left justified.

Information only

188(X'BC') SMF119SC_IPSec_RmtCert_Time_Type 1 Binary Format of remote IKE certificate "not after" time:
  • X'00': Manual tunnel - unused
  • X'01': Coordinated Universal Time (UTC)
  • X'02': Generalized Time (GT)

Information only

189(X'BD') SMF119SC_IPSec_RmtCert_Time 15 Binary Remote IKE certificate "not after" time:
  • If the time type is UTC (SMF119SC_IPSec_RmtCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ).
  • If the time type is GT (SMF119SC_IPSec_RmtCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ).

Information only

204(X'CC') SMF119SC_IPSec_RmtCert_Key_Type 2 Binary Remote IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4.
206(X'CE') SMF119SC_IPSec_RmtCert_Key_Len 2 Binary Remote IKE certificate key length in bits.
IPsec (Phase 2) tunnel information
208(X'D0') SMF119SC_IPSec_TunID 4 Binary IPSec tunnel identifier. This value is displayed as Ytunid or Mtunid in ipsec command displays.

Information only

212(X'D4') SMF119SC_IPSec_TunFlags 1 Binary IP tunnel flags:
  • X'80': IPv6 indicator. If set, security endpoint addresses and data endpoint addresses are IPv6; otherwise, they are IPv4.
  • X'40': FIPS 140 mode indicator. If this field is set, cryptographic operations for this tunnel are performed using cryptographic algorithms and modules that are designed to meet the FIPS 140 requirements; otherwise, cryptographic algorithms and modules that do not meet the FIPS 140 requirements might be used.
  • All remaining bits: Reserved

Information only

213(X'D5') SMF119SC_IPSec_TunType 1 Binary Tunnel type. One of the following values:
  • X'01': Manual IPSec tunnel
  • X'02': Dynamic IPSec tunnel
  • X'03': Shadow tunnel
214(X'D6') SMF119SC_IPSec_TunState 1 Binary One of the following tunnel states:
  • X'01': Manual or dynamic tunnel is active.
  • X'02': Manual tunnel is inactive.
215(X'D7') SMF119SC_IPSec_Rsvd4 1 Binary Reserved
216(X'D8') SMF119SC_IPSec_EncapMode 1 Binary One of the following tunnel encapsulation modes:
  • X'01': Tunnel Mode
  • X'02': Transport Mode
217(X'D9') SMF119SC_IPSec_AuthProto 1 Binary The protocol used for message authentication. One of the following:
  • X'32': Encapsulating Security Payload (ESP)
  • X'33': Authentication Header (AH)
218(X'DA') SMF119SC_IPSec_AuthAlg 2 Binary Tunnel authentication algorithm. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4.
220(X'DC') SMF119SC_IPSec_EncAlg 2 Binary Tunnel encryption algorithm. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4.
222(X'DE') SMF119SC_IPSec_PFSGroup 2 Binary Diffie-Hellman group used for perfect forward secrecy. Same values as SMF119SC_IPSec_IKETunDHGroup.
224(X'E0') SMF119SC_IPSec_Lifesize 4 Binary SA lifesize in KBytes. Zero if SMF119SC_IPSec_TunType is set to 1.

Information only

228(X'E4') SMF119SC_IPSec_Lifetime 4 Binary SA lifetime in minutes. Zero if SMF119SC_IPSec_TunType is set to 1.

Information only

232(X'E8') SMF119SC_IPSec_VPNLifeExpire 4 Binary Tunnel VPN lifetime in minutes (length of time after which the tunnel family ceases to be refreshed). Zero indicates no VPN lifetime limit is enforced.

Information only
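The IKE and PFS fields above can be decoded and audited offline once the IPsec section has been extracted from the record. The following Python is an added example, not IBM code: the function names, the constructed sample bytes and the "weak" sets (a site audit policy) are assumptions, and multi-byte fields are read big-endian as stored on z/Architecture.

```python
import struct

# Value tables transcribed from the field descriptions above.
AUTH_METH = {0: "Unknown or manual tunnel", 1: "None", 2: "RSA signature",
             3: "Preshared key", 4: "ECDSA-256 signature",
             5: "ECDSA-384 signature", 6: "ECDSA-521 signature",
             7: "Digital signature"}
DH_GROUP = {0x00: "Unknown or manual tunnel", 0x01: "Group 1", 0x02: "Group 2",
            0x05: "Group 5", 0x0E: "Group 14", 0x13: "Group 19",
            0x14: "Group 20", 0x15: "Group 21", 0x18: "Group 24",
            0xFF: "No DH group used"}
PRF = {0: "Unknown or manual tunnel", 1: "None", 2: "HMAC-SHA2-256",
       3: "HMAC-SHA2-384", 4: "HMAC-SHA2-512", 5: "AES-128-XCBC",
       6: "HMAC-MD5", 7: "HMAC-SHA1"}

# Assumed site audit policy, not part of the record format.
WEAK_DH = {0x01, 0x02, 0x05}
WEAK_PRF = {0x06}

def _name(table, value):
    return table.get(value, f"undocumented X'{value:02X}'")

def decode_ipsec(section: bytes) -> dict:
    """Decode the IKE and PFS parameters of one IPsec section (big-endian)."""
    if len(section) < 236:  # last documented field ends at 232 + 4
        raise ValueError("IPsec section shorter than 236 bytes")
    lcl, rmt, _auth, _enc, dh, prf = struct.unpack_from(">6H", section, 88)
    flags, tun_type = struct.unpack_from(">BB", section, 212)
    (pfs,) = struct.unpack_from(">H", section, 222)
    checks = [(dh in WEAK_DH, "weak IKE DH group"),
              (prf in WEAK_PRF, "weak IKE PRF"),
              (pfs in WEAK_DH, "weak PFS group"),
              (tun_type == 2 and pfs == 0xFF, "no PFS on dynamic tunnel")]
    return {"local_auth": _name(AUTH_METH, lcl),
            "remote_auth": _name(AUTH_METH, rmt),
            "ike_dh_group": _name(DH_GROUP, dh),
            "ike_prf": _name(PRF, prf),
            "pfs_group": _name(DH_GROUP, pfs),
            "fips140": bool(flags & 0x40),
            "findings": [msg for hit, msg in checks if hit]}

def build_sample() -> bytes:
    """Constructed 236-byte section: PSK auth, Group 2, HMAC-MD5, no PFS."""
    buf = bytearray(236)
    struct.pack_into(">6H", buf, 88, 3, 3, 0, 0, 0x02, 0x06)
    struct.pack_into(">BB", buf, 212, 0x40, 0x02)
    struct.pack_into(">H", buf, 222, 0xFF)
    return bytes(buf)
```

Values that are not in the tables are reported as undocumented rather than guessed, so a newer record level does not silently map to a wrong name.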

The zERT Distinguished Names (DN) section contains one or more variable length X.500 DNs from relevant X.509 certificates. For each security protocol used to protect the connection that is using X.509 certificates for peer authentication, subject and issuer DNs from those certificates are included in the zERT DNs section. Any change in distinguished names will cause a protection state change record to be written.

If any DNs exist, there is one zERT DNs section that contains all of the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. The following structure is used to describe the fields present for each DN.

Table 7 illustrates the format of the data structure for each DN in a zERT record DNs section.
Table 7. Data structure for each DN included in a zERT Distinguished Name section
Offset Name Length Format Description
0(X'0') SMF119SC_DN_Len 2 Binary Length of the DN structure (includes the length of SMF119SC_DN_Len, SMF119SC_DN_Type, and SMF119SC_DN)
2(X'2') SMF119SC_DN_Type 2 Binary Type of Distinguished Name:
  • X'0001': IPSec Local Certificate Subject DN
  • X'0002': IPSec Local Certificate Issuer DN
  • X'0003': IPSec Remote Certificate Subject DN
  • X'0004': IPSec Remote Certificate Issuer DN
  • X'0005': TLS Server Certificate Subject DN
  • X'0006': TLS Server Certificate Issuer DN
  • X'0007': TLS Client Certificate Subject DN
  • X'0008': TLS Client Certificate Issuer DN
  • X'0009': SSH Server Certificate Subject DN
  • X'000A': SSH Server Certificate Issuer DN
  • X'000B': SSH Client Certificate Subject DN
  • X'000C': SSH Client Certificate Issuer DN
4(X'4') SMF119SC_DN Up to 1024 EBCDIC The variable length DN value.
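The DNs section is a sequence of length-prefixed structures, so a parser has to validate each SMF119SC_DN_Len before trusting it. The following Python is an added example, not IBM code: the function names and the constructed sample are assumptions, entries are assumed to be stored back to back, and the `cp037` codec stands in for the system's EBCDIC code page.

```python
import struct

_OWNERS = ["IPSec Local", "IPSec Remote", "TLS Server",
           "TLS Client", "SSH Server", "SSH Client"]
# Builds X'0001'..X'000C' exactly as listed for SMF119SC_DN_Type.
DN_TYPES = {2 * i + k + 1: f"{owner} Certificate {kind} DN"
            for i, owner in enumerate(_OWNERS)
            for k, kind in enumerate(("Subject", "Issuer"))}

HEADER_LEN = 4      # SMF119SC_DN_Len + SMF119SC_DN_Type
MAX_DN_LEN = 1024   # "Up to 1024" from Table 7

def parse_dn_section(section: bytes, codec: str = "cp037") -> list:
    """Return [(type_name, dn_text), ...] for one zERT DNs section."""
    out, pos = [], 0
    while pos < len(section):
        if len(section) - pos < HEADER_LEN:
            raise ValueError(f"truncated DN header at offset {pos}")
        dn_len, dn_type = struct.unpack_from(">HH", section, pos)
        # SMF119SC_DN_Len includes its own 4-byte header.
        if not HEADER_LEN <= dn_len <= HEADER_LEN + MAX_DN_LEN:
            raise ValueError(f"invalid DN length {dn_len} at offset {pos}")
        if pos + dn_len > len(section):
            raise ValueError(f"DN at offset {pos} overruns the section")
        text = section[pos + HEADER_LEN:pos + dn_len].decode(codec)
        label = DN_TYPES.get(dn_type, f"undocumented X'{dn_type:04X}'")
        out.append((label, text))
        pos += dn_len
    return out

def build_dn(dn_type: int, text: str, codec: str = "cp037") -> bytes:
    """Encode one DN structure (used only to construct sample input)."""
    raw = text.encode(codec)
    return struct.pack(">HH", len(raw) + HEADER_LEN, dn_type) + raw

def sample_section() -> bytes:
    """Constructed section holding a TLS server subject and issuer DN."""
    return (build_dn(0x0005, "CN=server.example.com,O=Example")
            + build_dn(0x0006, "CN=Example CA,O=Example"))
```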
Table 8 is present if zERT enforcement policy is active and the connection matched one or more zERT enforcement rules. For each protocol used to protect the connection, there can be one matching zERT enforcement rule. If any matching zERT enforcement rules exist, there is one zERT policy-based enforcement section that contains all the matching zERT enforcement policy rule names. This section is applicable only to TCP connections.
Table 8. zERT policy-based enforcement section
Offset Name Length Format Description
0(X'0') SMF119SC_ZERTIPsecPol 48 EBCDIC Matching zERT IPSec policy rule name
48(X'30') SMF119SC_ZERTTLSPol 48 EBCDIC Matching zERT TLS policy rule name
96(X'60') SMF119SC_ZERTSSHPol 48 EBCDIC Matching zERT SSH policy rule name
144(X'90') SMF119SC_ZERTNoRecognizedPol 48 EBCDIC Matching zERT No recognized protection policy rule name