zERT policy-based enforcement
z/OS® V2R5 Communications Server enhances the z/OS Encryption Readiness Technology (zERT) function to provide enforcement of your network encryption standards. The zERT policy-based enforcement (zERT enforcement) solution allows policy-based rules that describe different levels of cryptographic protection along with optional actions to take when TCP connections match those rules. zERT enforcement actions enable immediate notification through messages, auditing through SMF records, and automatic connection termination when questionable or unacceptable cryptographic protection is detected.
z/OS network security administrators can create and manage zERT enforcement rules and actions through the Network Configuration Assistant with APAR PH35304 and the z/OS Communications Server policy agent.
- zERT enforcement applies only to TCP traffic. It does not apply to UDP traffic (including EE) or traffic using other IP protocols.
- For TLS and SSH, zERT enforcement uses only the cryptographic protection attributes that are obtained through stream observation. Observation yields a limited set of security attributes compared to the data that zERT-enabled z/OS cryptographic protocol providers supply directly.
- zERT discovery collects cryptographic security attributes for the TLS, SSL, SSH, and IPsec protocols. No other cryptographic security protocols are supported. For more information, see What are the limitations for zERT discovery? in z/OS Communications Server: IP Configuration Guide.
- The z/OS Encryption Readiness Technology (zERT) function must be enabled with the GLOBALCONFIG statement in the TCP/IP profile.
- To create and manage zERT enforcement rules and actions with the Network Configuration Assistant (NCA), NCA APAR PH35304 is required.
- zERT enforcement requires policy agent to be started.
- If you plan to configure zERT enforcement to log messages to syslogd, the syslog daemon and traffic regulation manager daemon (TRMD) must be active.
Using zERT policy-based enforcement
To use the zERT policy-based enforcement, perform the tasks in Table 1.
Task/Procedure | Reference |
---|---|
Evaluate zERT policy-based enforcement requirements. | |
(Preferred) Use the IBM® Configuration Assistant for z/OS Communications Server to create the zERT enforcement policies and install them on the z/OS system where policy agent can process them. | Network Configuration Assistant online help |
(Optional) To define zERT enforcement policies manually in policy agent: | |
Enable the z/OS Encryption Readiness Technology discovery function. | GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference |
If an audit action is enabled in your zERT enforcement policies: | |
If a syslogd logging action is enabled in your zERT enforcement policies: | |
If a console logging action is enabled in your zERT enforcement policies, ensure that the TCP/IP job log is spun off on a regular basis so that it does not grow very large and fill up the spool space. | |
Start the policy agent. | |
Display zERT configuration settings in the TCP/IP profile. | Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands |
Display zERT enforcement policy entries (rules and actions). | The z/OS UNIX pasearch command: Display policies in z/OS Communications Server: IP System Administrator's Commands |
Display the name of the zERT enforcement policy rule for a connection. | Netstat ALL/-A report in z/OS Communications Server: IP System Administrator's Commands |