zERT connection detail record (subtype 11)
- Cryptographic protection attributes at connection initiation (zERT Connection Init)
- Change to the connection's cryptographic protection attributes (zERT Change)
- Cryptographic protection attributes at connection termination (zERT Connection Term)
- Cryptographic protection attributes at short connection termination (zERT Short Connection Term). In this case, there is no associated zERT Connection Init record for the subject connection.
- zERT function enabled (zERT Enabled)
- zERT function disabled (zERT Disabled)
- Cryptographic protection attributes when a TCP connection matched a zERT policy-based enforcement rule with audit action (zERT enforcement)
The format of the zERT connection detail record is the same for all event types.
See Table 1 for the contents of the TCP/IP stack identification section. For the zERT connection detail record, the TCP/IP stack identification section indicates STACK as the subcomponent and X'08' (event record) as the record reason.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | Standard SMF Header | 24 | Standard SMF header | |
Self-defining section | ||||
24(X'18') | SMF119SD_TRN | 2 | Binary | Number of triplets in this record (8) |
26(X'1A') | | 2 | Binary | Reserved |
28(X'1C') | SMF119IDOff | 4 | Binary | Offset to TCP/IP identification section |
32(X'20') | SMF119IDLen | 2 | Binary | Length of TCP/IP identification section |
34(X'22') | SMF119IDNum | 2 | Binary | Number of TCP/IP identification sections |
36(X'24') | SMF119S1Off | 4 | Binary | Offset to zERT connection detail common section |
40(X'28') | SMF119S1Len | 2 | Binary | Length of zERT connection detail common section |
42(X'2A') | SMF119S1Num | 2 | Binary | Number of zERT connection detail common sections |
44(X'2C') | SMF119S2Off | 4 | Binary | Offset to IP filter-specific section |
48(X'30') | SMF119S2Len | 2 | Binary | Length of IP filter-specific section |
50(X'32') | SMF119S2Num | 2 | Binary | Number of IP filter-specific sections |
52(X'34') | SMF119S3Off | 4 | Binary | Offset to TLS protocol attributes section |
56(X'38') | SMF119S3Len | 2 | Binary | Length of TLS protocol attributes section |
58(X'3A') | SMF119S3Num | 2 | Binary | Number of TLS protocol attributes sections |
60(X'3C') | SMF119S4Off | 4 | Binary | Offset to SSH protocol attributes section |
64(X'40') | SMF119S4Len | 2 | Binary | Length of SSH protocol attributes section |
66(X'42') | SMF119S4Num | 2 | Binary | Number of SSH protocol attributes sections |
68(X'44') | SMF119S5Off | 4 | Binary | Offset to IPSec protocol attributes section |
72(X'48') | SMF119S5Len | 2 | Binary | Length of IPSec protocol attributes section |
74(X'4A') | SMF119S5Num | 2 | Binary | Number of IPSec protocol attributes sections |
76(X'4C') | SMF119S6Off | 4 | Binary | Offset to certificate DNs section |
80(X'50') | SMF119S6Len | 2 | Binary | Length of certificate DNs section |
82(X'52') | SMF119S6Num | 2 | Binary | Number of certificate DNs sections |
84(X'54') | SMF119S7Off | 4 | Binary | Offset to zERT policy-based enforcement section |
88(X'58') | SMF119S7Len | 2 | Binary | Length of zERT policy-based enforcement section |
90(X'5A') | SMF119S7Num | 2 | Binary | Number of zERT policy-based enforcement sections |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_SAEvent_Type | 1 | Binary | Event type: |
1(X'1') | SMF119SC_SASecProtos | 1 | Binary | Cryptographic security protocols for the connection. Zero or more of these flags may be specified: |
2(X'2') | SMF119SC_SAFlags | 1 | Binary | Flags: |
3(X'3') | SMF119SC_SASecFlags | 1 | Binary | IP security flags: |
4(X'4') | SMF119SC_SAIPProto | 1 | Binary | IP protocol value: |
5(X'5') | SMF119SC_SA_Rsvd1 | 3 | Binary | Reserved |
8(X'8') | SMF119SC_SAJobname | 8 | EBCDIC | Jobname associated with the socket |
16(X'10') | SMF119SC_SAJobID | 8 | EBCDIC | Job ID associated with the socket |
24(X'18') | SMF119SC_SAUserID | 8 | EBCDIC | z/OS® user ID associated with the socket |
32(X'20') | SMF119SC_SASTime | 4 | Binary | Time of day of connection establishment in 1/100 seconds since midnight (using Coordinated Universal Time (UTC)) |
36(X'24') | SMF119SC_SASDate | 4 | Packed | Date of connection establishment (UTC) |
40(X'28') | SMF119SC_SAETime | 4 | Binary | Time connection ended in 1/100 seconds since midnight (using Coordinated Universal Time (UTC)) |
44(X'2C') | SMF119SC_SAEDate | 4 | Packed | Date connection ended |
48(X'30') | SMF119SC_SARIP | 16 | Binary | Remote connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
64(X'40') | SMF119SC_SALIP | 16 | Binary | Local connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
80(X'50') | SMF119SC_SARPort | 2 | Binary | Remote port |
82(X'52') | SMF119SC_SALPort | 2 | Binary | Local port |
84(X'54') | SMF119SC_SAConnID | 4 | Binary | Transport layer connection ID |
88(X'58') | SMF119SC_SAInBytes | 8 | Binary | Inbound byte count since connection started |
96(X'60') | SMF119SC_SAOutBytes | 8 | Binary | Outbound byte count since connection started |
104(X'68') | SMF119SC_SAInSegDG | 8 | Binary | Inbound TCP segment or UDP datagram count since connection started |
112(X'70') | SMF119SC_SAOutSegDG | 8 | Binary | Outbound TCP segment or UDP datagram count since connection started |
120(X'78') | SMF119SC_SA_Rsvd2 | 8 | Binary | Reserved |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_IPFlt_OutAct | 1 | Binary | Outbound IP filtering behavior: |
1(X'1') | SMF119SC_IPFlt_InbAct | 1 | Binary | Inbound IP filtering behavior: |
2(X'2') | SMF119SC_IPFlt_Rsvd1 | 2 | Binary | Reserved |
4(X'4') | SMF119SC_IPFlt_OutRuleName | 40 | EBCDIC | Outbound traffic IP filter rule name (blank if no associated outbound filter rule) |
44(X'2C') | SMF119SC_IPFlt_OutRuleExt | 8 | EBCDIC | Outbound traffic IP filter rule name extension (blank if no associated outbound filter rule or the filter rule has no rule name extension value) |
52(X'34') | SMF119SC_IPFlt_InRuleName | 40 | EBCDIC | Inbound traffic IP filter rule name (blank if no associated inbound filter rule) |
92(X'5C') | SMF119SC_IPFlt_InRuleExt | 8 | EBCDIC | Inbound traffic IP filter rule name extension (blank if no associated inbound filter rule or the filter rule has no rule name extension value) |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_TLS_Prot_Ver | 2 | Binary | Protocol version: |
2(X'2') | SMF119SC_TLS_Source | 1 | Binary | Source of the TLS/SSL information in this record: Information only |
3(X'3') | SMF119SC_TLS_Handshake_Type | 1 | Binary | Handshake type: Information only |
4(X'4') | SMF119SC_TLS_Handshake_Role | 1 | Binary | Local handshake role: Information only |
5(X'5') | SMF119SC_TLS_Rsvd1 | 2 | Binary | Reserved |
7(X'7') | SMF119SC_TLS_Session_ID_Len | 1 | Binary | Length of TLS session ID value in bytes. Information only |
8(X'8') | SMF119SC_TLS_Session_ID | 32 | Binary | TLS session ID (left justified). Information only |
40(X'28') | SMF119SC_TLS_Protocol_Provider | 16 | EBCDIC | Source of the information in this record (padded with trailing blanks): Information only |
56(X'38') | SMF119SC_TLS_Neg_Cipher | 6 | EBCDIC | Negotiated cipher suite identifier. |
62(X'3E') | SMF119SC_TLS_CS_Enc_Alg | 2 | Binary | The symmetric encryption algorithm used by the cipher suite: |
64(X'40') | SMF119SC_TLS_CS_Msg_Auth | 2 | Binary | The message authentication algorithm used by the cipher suite: |
66(X'42') | SMF119SC_TLS_CS_Kex_Alg | 2 | Binary | The key exchange algorithm used by the cipher suite: |
68(X'44') | SMF119SC_TLS_FIPS_Mode | 1 | Binary | FIPS 140 mode of the TLS/SSL provider: Information only |
69(X'45') | SMF119SC_TLS_CryptoFlags | 1 | Binary | Cryptographic operations flags: |
70(X'46') | SMF119SC_TLS_Rsvd2 | 2 | Binary | Reserved |
Server certificate information | ||||
72(X'48') | SMF119SC_TLS_SCert_Signature_Method | 2 | Binary | Server certificate signature method: |
74(X'4A') | SMF119SC_TLS_SCert_Enc_Method | 2 | Binary | Server certificate encryption method: |
76(X'4C') | SMF119SC_TLS_SCert_Digest_Alg | 2 | Binary | Server certificate digest algorithm: |
78(X'4E') | SMF119SC_TLS_Rsvd3 | 1 | Binary | Reserved |
79(X'4F') | SMF119SC_TLS_SCert_Serial_Len | 1 | Binary | Server certificate serial number length in bytes. Information only |
80(X'50') | SMF119SC_TLS_SCert_Serial | 20 | Binary | Server certificate serial number, left justified. Information only |
100(X'64') | SMF119SC_TLS_SCert_Time_Type | 1 | Binary | Format of server certificate "not after" time: Information only |
101(X'65') | SMF119SC_TLS_SCert_Time | 15 | Binary | Server certificate "not after" time: Information only |
116(X'74') | SMF119SC_TLS_SCert_Key_Type | 2 | Binary | Server certificate key type: |
118(X'76') | SMF119SC_TLS_SCert_Key_Len | 2 | Binary | Server certificate key length in bits |
Client certificate information | ||||
120(X'78') | SMF119SC_TLS_CCert_Signature_Method | 2 | Binary | Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method. |
122(X'7A') | SMF119SC_TLS_CCert_Enc_Method | 2 | Binary | Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method. |
124(X'7C') | SMF119SC_TLS_CCert_Digest_Alg | 2 | Binary | Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg. |
126(X'7E') | SMF119SC_TLS_Rsvd4 | 1 | Binary | Reserved |
127(X'7F') | SMF119SC_TLS_CCert_Serial_Len | 1 | Binary | Client certificate serial number length in bytes. Information only |
128(X'80') | SMF119SC_TLS_CCert_Serial | 20 | Binary | Client certificate serial number, left justified. Information only |
148(X'94') | SMF119SC_TLS_CCert_Time_Type | 1 | Binary | Format of client certificate "not after" time: Information only |
149(X'95') | SMF119SC_TLS_CCert_Time | 15 | Binary | Client certificate "not after" time: Information only |
164(X'A4') | SMF119SC_TLS_CCert_Key_Type | 2 | Binary | Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type. |
166(X'A6') | SMF119SC_TLS_CCert_Key_Len | 2 | Binary | Client certificate key length in bits |
Additional connection information | ||||
168(X'A8') | SMF119SC_TLS_Server_HS_Sig_Method | 2 | Binary | Server-specified signature method used to sign certain TLS handshake messages. Same values as SMF119SC_TLS_SCert_Signature_Method. Note: Only valid for TLSv1.2 and later connections. |
170(X'AA') | SMF119SC_TLS_Client_HS_Sig_Method | 2 | Binary | Client-specified signature method used to sign certain TLS handshake messages. Same values as SMF119SC_TLS_SCert_Signature_Method. Note: Only valid for TLSv1.2 and later connections. |
172(X'AC') | SMF119SC_TLS_Neg_Key_Share | 2 | Binary | Negotiated key share: |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_SSH_Prot_Ver | 1 | Binary | Protocol version: |
1(X'1') | SMF119SC_SSH_Source | 1 | Binary | Source of the SSH information in this record: Information only |
2(X'2') | SMF119SC_SSH_FIPS_Mode | 1 | Binary | FIPS 140 mode of the SSH provider. Same values as SMF119SC_TLS_FIPS_Mode in Table 4. Information only |
3(X'3') | SMF119SC_SSH_CryptoFlags | 1 | Binary | Cryptographic operations flags: |
4(X'4') | SMF119SC_SSH_Rsvd1 | 4 | Binary | Reserved |
8(X'8') | SMF119SC_SSH_Comp | 8 | EBCDIC | SSH subcomponent (padded with trailing blanks): Information only |
16(X'10') | SMF119SC_SSH_Protocol_Provider | 16 | EBCDIC | Protocol provider (padded with trailing blanks): Information only |
32(X'20') | SMF119SC_SSH_Auth_Method | 2 | Binary | First or only peer authentication method used for this connection: |
34(X'22') | SMF119SC_SSH_Auth_Method2 | 2 | Binary | If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SC_SSH_Auth_Method |
36(X'24') | SMF119SC_SSH_In_Enc_Alg | 2 | Binary | Encryption algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4. |
38(X'26') | SMF119SC_SSH_In_Msg_Auth | 2 | Binary | Message authentication algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4. |
40(X'28') | SMF119SC_SSH_Kex_Method | 2 | Binary | Key exchange method. |
42(X'2A') | SMF119SC_SSH_Out_Enc_Alg | 2 | Binary | Encryption algorithm for outbound traffic. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4. |
44(X'2C') | SMF119SC_SSH_Out_Msg_Auth | 2 | Binary | Message authentication algorithm for outbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4. |
46(X'2E') | SMF119SC_SSH_Rsvd2 | 2 | Binary | Reserved |
48(X'30') | SMF119SC_SSH_SKey_Type | 2 | Binary | Type of raw server key: |
50(X'32') | SMF119SC_SSH_SKey_Len | 2 | Binary | Length of raw server key in bits. |
52(X'34') | SMF119SC_SSH_CKey_Type | 2 | Binary | Type of raw client key. Same values as SMF119SC_SSH_SKey_Type. |
54(X'36') | SMF119SC_SSH_CKey_Len | 2 | Binary | Length of raw client key in bits. |
56(X'38') | SMF119SC_SSH_SKey_FPLen | 2 | Binary | Length (in bytes) of the server public key fingerprint. If no server public key is used, this length is set to zero. Information only |
58(X'3A') | SMF119SC_SSH_CKey_FPLen | 2 | Binary | Length (in bytes) of the client public key fingerprint. If no client public key is used, this length is set to zero. Information only |
60(X'3C') | SMF119SC_SSH_SKey_FP | 64 | Binary | The server public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X'00'. Information only |
124(X'7C') | SMF119SC_SSH_CKey_FP | 64 | Binary | The client public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X'00'. Information only |
Server X.509 certificate information. The fields in this section always contain binary zeros, since z/OS OpenSSH does not support X.509 certificates and SSH stream observation does not inspect certificates. | ||||
188(X'BC') | SMF119SC_SSH_SCert_Signature_Method | 2 | Binary | Server certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4. |
190(X'BE') | SMF119SC_SSH_SCert_Enc_Method | 2 | Binary | Server certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4. |
192(X'C0') | SMF119SC_SSH_SCert_Digest_Alg | 2 | Binary | Server certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4. |
194(X'C2') | SMF119SC_SSH_Rsvd3 | 1 | Binary | Reserved |
195(X'C3') | SMF119SC_SSH_SCert_Serial_Len | 1 | Binary | Server certificate serial number length in bytes. Information only |
196(X'C4') | SMF119SC_SSH_SCert_Serial | 20 | Binary | Server certificate serial number, left justified. Information only |
216(X'D8') | SMF119SC_SSH_SCert_Time_Type | 1 | Binary | Format of server certificate "not after" time: Information only |
217(X'D9') | SMF119SC_SSH_SCert_Time | 15 | Binary | Server certificate "not after" time: Information only |
232(X'E8') | SMF119SC_SSH_SCert_Key_Type | 2 | Binary | Server certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4. |
234(X'EA') | SMF119SC_SSH_SCert_Key_Len | 2 | Binary | Server certificate key length in bits |
Client X.509 certificate information. The fields in this section always contain binary zeros, since z/OS OpenSSH does not support X.509 certificates and SSH stream observation does not inspect certificates. | ||||
236(X'EC') | SMF119SC_SSH_CCert_Signature_Method | 2 | Binary | Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4. |
238(X'EE') | SMF119SC_SSH_CCert_Enc_Method | 2 | Binary | Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4. |
240(X'F0') | SMF119SC_SSH_CCert_Digest_Alg | 2 | Binary | Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4. |
242(X'F2') | SMF119SC_SSH_Rsvd4 | 1 | Binary | Reserved |
243(X'F3') | SMF119SC_SSH_CCert_Serial_Len | 1 | Binary | Client certificate serial number length in bytes. Information only |
244(X'F4') | SMF119SC_SSH_CCert_Serial | 20 | Binary | Client certificate serial number, left justified. Information only |
264(X'108') | SMF119SC_SSH_CCert_Time_Type | 1 | Binary | Format of client certificate "not after" time: Information only |
265(X'109') | SMF119SC_SSH_CCert_Time | 15 | Binary | Client certificate "not after" time: Information only |
280(X'118') | SMF119SC_SSH_CCert_Key_Type | 2 | Binary | Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4. |
282(X'11A') | SMF119SC_SSH_CCert_Key_Len | 2 | Binary | Client certificate key length in bits |
- If the connection is protected by a manual tunnel (SMF119SC_IPSec_TunType is 1), the IKE tunnel fields will be zero or blank.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
IKE (Phase 1) tunnel information | ||||
0(X'0') | SMF119SC_IPSec_IKETunID | 4 | Binary | IKE tunnel identifier. This value is displayed as Ktunid in ipsec command displays. Information only |
4(X'4') | SMF119SC_IPSec_IKEMajVer | 1 | Binary | Major version of the IKE protocol in use. Only the low-order 4 bits are used. |
5(X'5') | SMF119SC_IPSec_IKEMinVer | 1 | Binary | Minor version of the IKE protocol in use. Only the low-order 4 bits are used. |
6(X'6') | SMF119SC_IPsec_Rsvd1 | 2 | Binary | Reserved |
8(X'8') | SMF119SC_IPSec_IKETunKeyExchRule | 48 | EBCDIC | Key exchange rule for this IKE tunnel (padded with trailing blanks). Information only |
56(X'38') | SMF119SC_IPSec_IKETunLclEndpt | 16 | Binary | Local IP address of tunnel endpoint. If SMF119SC_SAFlags in the zERT connection detail common section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
72(X'48') | SMF119SC_IPSec_IKETunRmtEndpt | 16 | Binary | Remote IP address of tunnel endpoint. If SMF119SC_SAFlags in the zERT connection detail common section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
88(X'58') | SMF119SC_IPSec_IKETunLclAuthMeth | 2 | Binary | The authentication method for the local endpoint. One of the following values: |
90(X'5A') | SMF119SC_IPSec_IKETunRmtAuthMeth | 2 | Binary | The authentication method for the remote endpoint. Same values as SMF119SC_IPSec_IKETunLclAuthMeth. |
92(X'5C') | SMF119SC_IPSec_IKETunAuthAlg | 2 | Binary | Tunnel authentication algorithm. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4. |
94(X'5E') | SMF119SC_IPSec_IKETunEncAlg | 2 | Binary | Tunnel encryption algorithm. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4. |
96(X'60') | SMF119SC_IPSec_IKETunDHGroup | 2 | Binary | Diffie-Hellman group used to generate the keying material for this IKE tunnel. One of the following values: |
98(X'62') | SMF119SC_IPSec_IKETunPseudoRandFunc | 2 | Binary | Pseudo-random function used for seeding keying material. One of the following values: |
100(X'64') | SMF119SC_IPSec_IKETunLifesize | 4 | Binary | IKE tunnel lifesize. If not 0, this value is the lifesize limit for the tunnel, in Kbytes. If 0, no lifesize is enforced. Information only |
104(X'68') | SMF119SC_IPSec_IKETunLifetime | 4 | Binary | IKE tunnel lifetime. This value is the total number of minutes the tunnel remains active. Information only |
108(X'6C') | SMF119SC_IPSec_IKETunReauthIntvl | 4 | Binary | Reauthentication interval. The number of minutes between reauthentication operations. Information only |
IKE local certificate information (populated if SMF119SC_IPSec_IKETunLclAuthMeth indicates RSA, ECDSA, or Digital signature and local certificate information is available. Otherwise, all fields are set to zero.) | ||||
112(X'70') | SMF119SC_IPSec_LclCert_Sign_Meth | 2 | Binary | Local IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4. |
114(X'72') | SMF119SC_IPSec_LclCert_Enc_Meth | 2 | Binary | Local IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4. |
116(X'74') | SMF119SC_IPSec_LclCert_Digest_Alg | 2 | Binary | Local IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4. |
118(X'76') | SMF119SC_IPsec_Rsvd2 | 1 | Binary | Reserved. |
119(X'77') | SMF119SC_IPSec_LclCert_Serial_Len | 1 | Binary | Local IKE certificate serial number length in bytes. Information only |
120(X'78') | SMF119SC_IPSec_LclCert_Serial | 20 | Binary | Local IKE certificate serial number, left justified. Information only |
140(X'8C') | SMF119SC_IPSec_LclCert_Time_Type | 1 | Binary | Format of local IKE certificate "not after" time: Information only |
141(X'8D') | SMF119SC_IPSec_LclCert_Time | 15 | Binary | Local IKE certificate "not after" time: Information only |
156(X'9C') | SMF119SC_IPSec_LclCert_Key_Type | 2 | Binary | Local IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4. |
158(X'9E') | SMF119SC_IPSec_LclCert_Key_Len | 2 | Binary | Local IKE certificate key length in bits. |
IKE peer certificate information (populated if SMF119SC_IPSec_IKETunRmtAuthMeth indicates RSA, ECDSA, or Digital signature and remote certificate information is available. Otherwise, all fields are set to zero.) | ||||
160(X'A0') | SMF119SC_IPSec_RmtCert_Sign_Meth | 2 | Binary | Remote IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method in Table 4. |
162(X'A2') | SMF119SC_IPSec_RmtCert_Enc_Meth | 2 | Binary | Remote IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method in Table 4. |
164(X'A4') | SMF119SC_IPSec_RmtCert_Digest_Alg | 2 | Binary | Remote IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg in Table 4. |
166(X'A6') | SMF119SC_IPSec_Rsvd3 | 1 | Binary | Reserved |
167(X'A7') | SMF119SC_IPSec_RmtCert_Serial_Len | 1 | Binary | Remote IKE certificate serial number length in bytes. Information only |
168(X'A8') | SMF119SC_IPSec_RmtCert_Serial | 20 | Binary | Remote IKE certificate serial number, left justified. Information only |
188(X'BC') | SMF119SC_IPSec_RmtCert_Time_Type | 1 | Binary | Format of remote IKE certificate "not after" time: Information only |
189(X'BD') | SMF119SC_IPSec_RmtCert_Time | 15 | Binary | Remote IKE certificate "not after" time: Information only |
204(X'CC') | SMF119SC_IPSec_RmtCert_Key_Type | 2 | Binary | Remote IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type in Table 4. |
206(X'CE') | SMF119SC_IPSec_RmtCert_Key_Len | 2 | Binary | Remote IKE certificate key length in bits. |
IPsec (Phase 2) tunnel information | ||||
208(X'D0') | SMF119SC_IPSec_TunID | 4 | Binary | IPSec tunnel identifier. This value is displayed as Ytunid or Mtunid in ipsec command displays. Information only |
212(X'D4') | SMF119SC_IPSec_TunFlags | 1 | Binary | IP tunnel flags: Information only |
213(X'D5') | SMF119SC_IPSec_TunType | 1 | Binary | Tunnel type. One of the following values: |
214(X'D6') | SMF119SC_IPSec_TunState | 1 | Binary | One of the following tunnel states: |
215(X'D7') | SMF119SC_IPSec_Rsvd4 | 1 | Binary | Reserved |
216(X'D8') | SMF119SC_IPSec_EncapMode | 1 | Binary | One of the following tunnel encapsulation modes: |
217(X'D9') | SMF119SC_IPSec_AuthProto | 1 | Binary | The protocol used for message authentication. One of the following: |
218(X'DA') | SMF119SC_IPSec_AuthAlg | 2 | Binary | Tunnel authentication algorithm. Same values as SMF119SC_TLS_CS_Msg_Auth in Table 4. |
220(X'DC') | SMF119SC_IPSec_EncAlg | 2 | Binary | Tunnel encryption algorithm. Same values as SMF119SC_TLS_CS_Enc_Alg in Table 4. |
222(X'DE') | SMF119SC_IPSec_PFSGroup | 2 | Binary | Diffie-Hellman group used for perfect forward secrecy. Same values as SMF119SC_IPSec_IKETunDHGroup. |
224(X'E0') | SMF119SC_IPSec_Lifesize | 4 | Binary | SA lifesize in KBytes. Zero if SMF119SC_IPSec_TunType is set to 1. Information only |
228(X'E4') | SMF119SC_IPSec_Lifetime | 4 | Binary | SA lifetime in minutes. Zero if SMF119SC_IPSec_TunType is set to 1. Information only |
232(X'E8') | SMF119SC_IPSec_VPNLifeExpire | 4 | Binary | Tunnel VPN lifetime in minutes (length of time after which the tunnel family ceases to be refreshed). Zero indicates no VPN lifetime limit is enforced. Information only |
The zERT Distinguished Names (DN) section contains one or more variable length X.500 DNs from relevant X.509 certificates. For each security protocol used to protect the connection that is using X.509 certificates for peer authentication, subject and issuer DNs from those certificates are included in the zERT DNs section. Any change in distinguished names will cause a protection state change record to be written.
If any DNs exist, there is one zERT DNs section that contains all of the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. The following structure is used to describe the fields present for each DN.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_DN_Len | 2 | Binary | Length of the DN structure (includes the length of SMF119SC_DN_Len, SMF119SC_DN_Type, and SMF119SC_DN) |
2(X'2') | SMF119SC_DN_Type | 2 | Binary | Type of Distinguished Name: |
4(X'4') | SMF119SC_DN | Up to 1024 | EBCDIC | The variable length DN value. |
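The following Python decoder is an added example for this reference; it is not IBM code and not part of z/OS. It shows how a consumer uses the self-defining section's triplets to locate the zERT connection detail common section and the zERT DNs section, decodes the common section fields (EBCDIC names, 1/100-second UTC times, packed dates, IPv4/IPv6 endpoint addresses), and walks the variable-length DN structures with bounds checks. Assumptions not stated on this page: code page cp037 for the EBCDIC fields, the standard SMF packed date layout (0cyydddF), and that the IPv6 indicator in SMF119SC_SAFlags is the X'80' bit. The event type, security protocol and DN type codes in the constructed sample record are placeholders, because their value lists are not reproduced here.

```python
"""Decoder for the SMF 119 subtype 11 (zERT connection detail) layout described above.
Added example, not IBM code; every assumption is marked in a comment."""
import struct
from ipaddress import IPv4Address, IPv6Address

EBCDIC = "cp037"  # assumed code page for the EBCDIC fields
FLAG_IPV6 = 0x80  # assumed bit of SMF119SC_SAFlags meaning "IPv6"; confirm against your level's flag list
TRIPLET_NAMES = ["id", "common", "ipfilter", "tls", "ssh", "ipsec", "dn", "enforce"]

def ebcdic(b: bytes) -> str:
    return b.decode(EBCDIC).rstrip()

def packed_date(b: bytes) -> tuple:
    """Standard SMF packed date 0cyydddF -> (year, day_of_year); format assumed, not stated on this page."""
    d = b.hex()
    return 1900 + 100 * int(d[1]) + int(d[2:4]), int(d[4:7])

def hundredths(n: int) -> str:
    """1/100-second-since-midnight counter -> HH:MM:SS.ss (UTC)."""
    h, r = divmod(n, 360_000)
    m, r = divmod(r, 6_000)
    return f"{h:02d}:{m:02d}:{r / 100:05.2f}"

def triplets(rec: bytes) -> dict:
    """Self-defining section: SMF119SD_TRN at +24, eight (Off, Len, Num) triplets from +28."""
    n, = struct.unpack_from(">H", rec, 24)
    if n != len(TRIPLET_NAMES):
        raise ValueError(f"expected 8 triplets, got {n}")
    return {name: struct.unpack_from(">IHH", rec, 28 + 8 * i) for i, name in enumerate(TRIPLET_NAMES)}

def parse_common(sec: bytes) -> dict:
    """zERT connection detail common section, offsets as in the table above."""
    ev, protos, flags, secflags, ipproto = struct.unpack_from(">5B", sec, 0)
    v6 = bool(flags & FLAG_IPV6)
    addr = lambda b: str(IPv6Address(b)) if v6 else str(IPv4Address(b[:4]))  # IPv4 is in the first 4 bytes
    stime, = struct.unpack_from(">I", sec, 32)
    etime, = struct.unpack_from(">I", sec, 40)
    rport, lport, connid = struct.unpack_from(">HHI", sec, 80)
    inb, outb, inseg, outseg = struct.unpack_from(">4Q", sec, 88)
    return {"event_type": ev, "sec_protos": protos, "flags": flags, "ipsec_flags": secflags,
            "ip_proto": ipproto, "jobname": ebcdic(sec[8:16]), "jobid": ebcdic(sec[16:24]),
            "userid": ebcdic(sec[24:32]), "start_time": hundredths(stime), "start_date": packed_date(sec[36:40]),
            "end_time": hundredths(etime), "end_date": packed_date(sec[44:48]),
            "remote_ip": addr(sec[48:64]), "local_ip": addr(sec[64:80]), "rport": rport, "lport": lport,
            "conn_id": connid, "in_bytes": inb, "out_bytes": outb, "in_segdg": inseg, "out_segdg": outseg}

def parse_dns(sec: bytes) -> list:
    """Walk the DN structures (2-byte length, 2-byte type, DN); reject lengths that would loop or over-read."""
    out, pos = [], 0
    while pos + 4 <= len(sec):
        ln, typ = struct.unpack_from(">HH", sec, pos)
        if ln < 4 or pos + ln > len(sec):
            raise ValueError(f"malformed DN entry at +{pos}: len={ln}")
        out.append((typ, ebcdic(sec[pos + 4:pos + ln])))
        pos += ln
    return out

def dn_section_is_wellformed(sec: bytes) -> bool:
    try:
        return parse_dns(sec) is not None
    except ValueError:
        return False

def parse_record(rec: bytes) -> dict:
    rtype, subtype = rec[5], struct.unpack_from(">H", rec, 22)[0]  # standard SMF header: type at +5, subtype at +22
    if rtype != 119 or subtype != 11:
        raise ValueError(f"not an SMF 119 subtype 11 record (type={rtype}, subtype={subtype})")
    t = triplets(rec)
    off, ln, num = t["common"]
    if num != 1 or ln < 128:  # trust the triplet length; a later level may lengthen the section
        raise ValueError("common section missing or truncated")
    doff, dln, dnum = t["dn"]
    return {"common": parse_common(rec[off:off + ln]), "dns": parse_dns(rec[doff:doff + dln]) if dnum else []}

def build_sample_record() -> bytes:
    """Constructed sample: one IPv4 TCP connection with two DNs. Event, protocol and DN type codes are placeholders."""
    common = bytearray(128)
    struct.pack_into(">5B", common, 0, 1, 0, 0, 0, 6)  # IP protocol 6 = TCP; the other codes are placeholders
    common[8:16] = "FTPD1".ljust(8).encode(EBCDIC)
    common[16:24] = "STC01234".encode(EBCDIC)
    common[24:32] = "FTPSRV".ljust(8).encode(EBCDIC)
    struct.pack_into(">I", common, 32, 4_230_000)  # 11:45:00.00 UTC
    common[36:40] = common[44:48] = bytes.fromhex("0124045F")  # 2024, day 045
    struct.pack_into(">I", common, 40, 4_233_000)  # 11:45:30.00 UTC
    common[48:52] = IPv4Address("192.0.2.10").packed  # remote endpoint
    common[64:68] = IPv4Address("198.51.100.7").packed  # local endpoint
    struct.pack_into(">HHI", common, 80, 50231, 21, 0x1A2B)
    struct.pack_into(">4Q", common, 88, 1024, 4096, 9, 12)
    dns = b""
    for typ, dn in ((1, "CN=ftp.example.com,O=Example"), (2, "CN=Example CA,O=Example")):
        body = dn.encode(EBCDIC)
        dns += struct.pack(">HH", 4 + len(body), typ) + body
    total = 92 + len(common) + len(dns)  # 24-byte header + 4 + 8 triplets of 8 bytes = 92
    hdr = (struct.pack(">HHBBI", total, 0, 0, 119, 4_230_000) + bytes.fromhex("0124045F")
           + "SYS1".encode(EBCDIC) + "TCP ".encode(EBCDIC) + struct.pack(">H", 11))
    trip = {"common": (92, len(common), 1), "dn": (92 + len(common), len(dns), 1)}
    sd = struct.pack(">HH", 8, 0) + b"".join(struct.pack(">IHH", *trip.get(n, (0, 0, 0))) for n in TRIPLET_NAMES)
    return hdr + sd + bytes(common) + dns
```

Use the triplet Len and Num rather than the table offsets alone: a section whose Num is 0 is absent even if Off is nonzero, and a later level can lengthen a section, so a consumer that hardcodes 128 for the common section silently misreads newer records. The DN walker treats a length field smaller than 4, or one that extends past the section, as malformed rather than looping forever or reading beyond the section; an unexpected event type or subtype is rejected before any section is decoded.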
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SC_ZERTIPsecPol | 48 | EBCDIC | Matching zERT IPSec policy rule name |
48(X'30') | SMF119SC_ZERTTLSPol | 48 | EBCDIC | Matching zERT TLS policy rule name |
96(X'60') | SMF119SC_ZERTSSHPol | 48 | EBCDIC | Matching zERT SSH policy rule name |
144(X'90') | SMF119SC_ZERTNoRecognizedPol | 48 | EBCDIC | Matching zERT No recognized protection policy rule name |