zERT Summary record (subtype 12)

zERT summary records function as both interval and event records for the z/OS® Encryption Readiness Technology (zERT) aggregation function.

As interval records, the zERT summary records are generated at user specified intervals. The record provides statistical data about an individual security session that provided cryptographic protection for one or more TCP or Enterprise Extender (EE) connections during the previous recording interval. The record also provides information describing the cryptographic characteristics of the security session.

Each record reports statistical data about the security session for the previous recording interval. The starting and ending values for the previous recording interval are reported for each statistic.

If zERT aggregation is turned off dynamically or the TCP stack terminates, a final complete set of subtype 12 records is generated to report close out data. These records are reported to the z/OS System Management Facility or the real-time zERT Summary SMF NMI service, or both, depending on the SMF record destination in effect.

In addition, if recording of zERT summary records to the z/OS System Management Facility is turned off dynamically, a final complete set of subtype 12 records is reported to the z/OS System Management Facility to report close out data. No records are reported to the real-time zERT Summary SMF NMI service for this condition.

As event records, zERT summary records are written for two events:
  • The zERT aggregation function is enabled.
  • The zERT aggregation function is disabled dynamically.

The format of the zERT summary record is the same for both interval and event usage, although the zERT summary event records include just the TCP/IP Identification section and the zERT common section.

See Table 1 for the contents of the TCP/IP stack identification section.
  • For all zERT summary records, the TCP/IP stack identification section indicates STACK as the subcomponent.
  • zERT summary event records indicate X'08' (event record) for the record reason.
  • zERT summary interval records indicate one of three possible interval record reason settings, depending on whether the reporting is because of interval expiration, statistics collection termination, or collection shutdown.
Note: The interval data for a single security session is always contained within a single SMF record. Because of that, each SMF record is marked as “last record in set”.
Table 1 shows the zERT summary record self-defining section:
Table 1. zERT summary record self-defining section
Offset Name Length Format Description
0(X'0') Standard SMF Header 24   Standard SMF header
Self-defining section
24(X'18') SMF119DS_TRN 2 Binary Number of triplets in this record (6)
26(X'1A')   2 Binary Reserved
28(X'1C') SMF119IDOff 4 Binary Offset to TCP/IP identification section
32(X'20') SMF119IDLen 2 Binary Length of TCP/IP identification section
34(X'22') SMF119IDNum 2 Binary Number of TCP/IP identification sections
36(X'24') SMF119S1Off 4 Binary Offset to zERT common section
40(X'28') SMF119S1Len 2 Binary Length of zERT common section
42(X'2A') SMF119S1Num 2 Binary Number of zERT common section
44(X'2C') SMF119S2Off 4 Binary Offset to TLS-specific section
48(X'30') SMF119S2Len 2 Binary Length of TLS-specific section
50(X'32') SMF119S2Num 2 Binary Number of TLS section
52(X'34') SMF119S3Off 4 Binary Offset to SSH-specific section
56(X'38') SMF119S3Len 2 Binary Length of SSH-specific section
58(X'3A') SMF119S3Num 2 Binary Number of SSH-specific sections
60(X'3C') SMF119S4Off 4 Binary Offset to IPSec-specific section
64(X'40') SMF119S4Len 2 Binary Length of IPSec-specific section
66(X'42') SMF119S4Num 2 Binary Number of IPSec-specific section
68(X'44') SMF119S5Off 4 Binary Offset to certificate DN section
72(X'48') SMF119S5Len 2 Binary Length of certificate DN section
74(X'4A') SMF119S5Num 2 Binary Number of certificate DN section
Table 2 shows the zERT summary common section. Every zERT summary record has one of these sections.

Unless noted in the field description, all TCP and Enterprise Extender (EE) connection statistics reported in the common section represent activity from the time the zERT aggregation function began tracking this security session until the time that the zERT aggregation function stops tracking it. The zERT aggregation function stops tracking a security session when one complete SMF/INTVAL recording interval passes without any connections being protected by the security session. The TCP and Enterprise Extender (EE) connection statistics counts are approximate.

Table 2. zERT summary record common section
Offset Name Length Format Description
0(X'0') SMF119SS_SAIntervalDuration 8 Binary Duration of recording interval in microseconds, where bit 51 is equivalent to 1 microsecond.
8(X'8') SMF119SS_SAEvent_Type 1 Binary Event type:
  1. Summary interval record
  2. zERT aggregation function enabled event record
  3. zERT aggregation function disabled event record
9(X'9') SMF119SS_SAFlags 1 Binary Flags:
  • X'80': The session uses IPv6 addresses
  • X'40': The local socket of this session is acting as the server (only meaningful when SMF119SS_SAIPProto indicates TCP)
  • X'20': The local socket of this session is acting as the client (only meaningful when SMF119SS_SAIPProto indicates TCP)
  • X'10': This security session represents Enterprise Extender connections (only meaningful when SMF119SS_SAIPProto indicates UDP)
  • X'08': This security session represents IPv4 outbound data connections that are established by the FTP server to the FTP client.
  • X'04': AT-TLS cryptographic data protection operations are bypassed for this security session as part of a stack optimization for intra-host connections. Only AT-TLS peer authentication operations are executed in this case.
  • X'02': A zERT Aggregation recording interval separate from the SMF interval is specified with the GLOBALCONFIG ZERT AGGREGATION INTVAL parameter.
10(X'A') SMF119SS_SASecProtos 1 Binary Cryptographic security protocol. Only one value is set. Possible values are:
  • X'00': No recognized cryptographic protection
  • X'80': TLS/SSL
  • X'40': SSH
  • X'20': IPSec
11(X'B') SMF119SS_SAJobname 8 EBCDIC Jobname that is associated with the socket.
19(X'13') SMF119SS_SAUserID 8 EBCDIC z/OS user ID associated with the socket
Note: The value *FTPUSR* is specified when this security session represents an aggregation of FTP data connections and we are reporting at the FTP server (SMF119SS_SAFlags = x'40').
27(X'1B') SMF119SS_SAIPProto 1 Binary
IP Protocol value. Possible values are:
  • 6: TCP
  • 17: UDP
28(X'1C') SMF119SS_SASrvIP 16 Binary Server IP address. If SMF119SS_Flags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
44(X'2C') SMF119SS_SACltIP 16 Binary Client IP address. If SMF119SS_Flags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
60(X'3C') SMF119SS_SASrvPortStart 2 Binary Starting value for server port range. For information on this field, see How does zERT aggregation determine the server port? in z/OS Communications Server: IP Configuration Guide.
62(X'3E') SMF119SS_SASrvPortEnd 2 Binary Ending value for server port range. If this security session represents a single-server port, then the ending value equals the starting value for the port range.
64(X'40') SMF119SS_SASessionID 42 EBCDIC Session identifier that uniquely identifies a security session based on the server and client endpoints plus the significant security attributes for the session.
The session identifier is in the form p-value, where
  • p represents the cryptographic protocol. Possible values for p are:
    • C = No recognized cryptographic protection
    • I = IPSec
    • T = TLS/SSL
    • S = SSH
  • “-” is a separator character
  • value is a 20-character hexadecimal string
106(X'6A')   2   Reserved (alignment)
108(X'6C') SMF119SS_SAInitLifeConnCnt 4 Binary Count of connections for the life of this security session at the beginning of the summary interval.
112(X'70') SMF119SS_SAInitLifePartialConnCnt 4 Binary Count of the partial connections for the life of this security session at the beginning of the summary interval. This is a subset of the connections reported in SMF119SS_SAInitLifeConnCnt. A connection is considered to be a “partial connection” if one or more of these conditions is met:
  • The connection was in existence before it was associated with this security session
  • The security session stopped being associated with the connection, but the connection continued to exist.
116(X'74') SMF119SS_SAInitLifeShortConnCnt 4 Binary Count of short connections for the life of this security session at the beginning of the summary interval. Short connections are connections that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP.
120(X'78') SMF119SS_SAInitActiveConnCnt 4 Binary Number of active connections that are associated with this security session at the beginning of the summary interval.
124(X'7C') SMF119SS_SAInitLifeInBytes 8 Binary Inbound byte count for the life of this security session at the beginning of the summary interval.
132(X'84') SMF119SS_SAInitLifeOutBytes 8 Binary Outbound byte count for the life of this security session at the beginning of the summary interval.
140(X'8C') SMF119SS_SAInitLifeInSegDG 8 Binary Inbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval.
148(X'94') SMF119SS_SAInitLifeOutSegDG 8 Binary Outbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval.
156(X'9C') SMF119SS_SAEndLifeConnCnt 4 Binary Count of connections for the life of this security session at the end of the summary interval.
160(X'A0') SMF119SS_SAEndLifePartialConnCnt 4 Binary Count of partial connections for the life of this security session at the end of the summary interval. This is a subset of the connections reported in SMF119SS_SAEndLifeConnCnt that were associated with the security session for only part of their existence, using the same conditions described for SMF119SS_SAInitLifePartialConnCnt.
164(X'A4') SMF119SS_SAEndLifeShortConnCnt 4 Binary Count of short connections for the life of this security session at the end of the summary interval. Short connections are ones that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP.
168(X'A8') SMF119SS_SAEndActiveConnCnt 4 Binary Number of active connections that are associated with this security session at the end of the summary interval.
172(X'AC') SMF119SS_SAEndLifeInBytes 8 Binary Inbound byte count for the life of this security session at the end of the summary interval.
180(X'B4') SMF119SS_SAEndLifeOutBytes 8 Binary Outbound byte count for the life of this security session at the end of the summary interval.
188(X'BC') SMF119SS_SAEndLifeInSegDG 8 Binary Inbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval.
196(X'C4') SMF119SS_SAEndLifeOutSegDG 8 Binary Outbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval.
Table 3 shows the zERT summary TLS protocol attributes section. This section is presented in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is a TLS or SSL security session (that is, when it contains the value X'80'):
Table 3. zERT summary record TLS protocol attributes section
Offset Name Length Format Description
0(X'0') SMF119SS_TLS_Source 1 Binary Source of the information in this record. Can be one of the following values:
  • X'01': Stream observation
  • X'02': Cryptographic protocol provider
1(X'1') SMF119SS_TLS_CryptoFlags 1 Binary Cryptographic operations flags:
  • X'80': Encrypt-then-MAC processing is used
  • X'40': Raw public key authentication is used
  • X'10': Pre-shared key authentication is used
2(X'2') SMF119SS_TLS_Prot_Ver 2 Binary Protocol version:
  • X'0000': Unknown version
  • X'0200': SSLv2
  • X'0300': SSLv3
  • X'0301': TLSv1.0
  • X'0302': TLSv1.1
  • X'0303': TLSv1.2
  • X'0304': TLSv1.3
4(X'4') SMF119SS_TLS_Neg_Cipher 6 EBCDIC Negotiated cipher suite identifier.
  • If the TLS version is SSLv3 or higher, this is a four character value in the first 4 bytes of this field. Refer to the TLS Cipher Suite registry at http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml for a complete list of the 4-hexadecimal-character values.
  • If the TLS version is SSLv2, then all 6 bytes are used:

    • 010080: 128-bit RC4 with MD5

    • 020080: 40-bit RC4 with MD5

    • 030080: 128-bit RC2 with MD5

    • 040080: 40-bit RC2 with MD5

    • 050080: 128-bit IDEA with MD5

    • 060040: DES with MD5

    • 0700C0: 3DES with MD5
10(X'A') SMF119SS_TLS_CS_Enc_Alg 2 Binary

The symmetric encryption algorithm that is used by the cipher suite:

  • X'0000': Unknown
  • X'0001': None
  • X'0002': DES
  • X'0003': DES 40
  • X'0004': 3DES
  • X'0005': RC2 40
  • X'0006': RC2 128
  • X'0007': RC2
  • X'0008': RC4 40
  • X'0009': RC4 128
  • X'000A': RC4 256
  • X'000B': RC4
  • X'000C': AES CBC 128
  • X'000D': AES CBC 192
  • X'000E': AES CBC 256
  • X'000F': AES CTR 128
  • X'0010': AES CTR 192
  • X'0011': AES CTR 256
  • X'0012': AES GCM 128
  • X'0013': AES GCM 256
  • X'0014': AES CCM 128
  • X'0015': AES CCM 256
  • X'0016': AES CCM8 128
  • X'0017': AES CCM8 256
  • X'0018': AES 256
  • X'0019': Blowfish
  • X'001A': Blowfish CBC
  • X'001B': CAST 128 CBC
  • X'001C': ARCFOUR 128
  • X'001D': ARCFOUR 256
  • X'001E': ARCFOUR
  • X'001F': Rijndael CBC
  • X'0020': ACSS
  • X'0021': ARIA 128 CBC
  • X'0022': ARIA 256 CBC
  • X'0023': ARIA 128 GCM
  • X'0024': ARIA 256 GCM
10(X'A') (continued)      
  • X'0025': Camellia 128 CBC
  • X'0026': Camellia 256 CBC
  • X'0027': Camellia 128 GCM
  • X'0028': Camellia 256 GCM
  • X'0029': ChaCha20 Poly1305
  • X'002A': IDEA CBC
  • X'002B': SEED CBC
  • X'002C': Fortezza
  • X'002D': GOST28147
  • X'002E': TwoFish CBC 256
  • X'002F': TwoFish CBC
  • X'0030': TwoFish CBC 192
  • X'0031': TwoFish CBC 128
  • X'0032': Serpent CBC 256
  • X'0033': Serpent CBC 192
  • X'0034': Serpent CBC 128
10(X'A') (continued)      
  • X'0025': Camellia 128 CBC
  • X'0026': Camellia 256 CBC
  • X'0027': Camellia 128 GCM
  • X'0028': Camellia 256 GCM
  • X'0029': ChaCha20 Poly1305
12(X'C') SMF119SS_TLS_CS_Msg_Auth 2 Binary The message authentication algorithm that is used by the cipher suite:
  • X'0000': Unknown
  • X'0001': No message authentication, or uses authenticated encryption algorithm like AES-GCM
  • X'0002': MD2
  • X'0003': HMAC-MD5
  • X'0004': HMAC-SHA1
  • X'0005': HMAC-SHA2-224
  • X'0006': HMAC-SHA2-256
  • X'0007': HMAC-SHA2-384
  • X'0008': HMAC-SHA2-512
  • X'0009': AES-GMAC-128
  • X'000A': AES-GMAC-256
  • X'000B': AES-128-XCBC-96
  • X'000C': HMAC-SHA2-256-128
  • X'000D': HMAC-SHA2-384-192
  • X'000E': HMAC-SHA2-512-256
  • X'000F': HMAC-MD5-96
  • X'0010': HMAC-SHA1-96
  • X'0011': UMAC-64
  • X'0012': UMAC-128
  • X'0013': RIPEMD-160
14(X'E') SMF119SS_TLS_CS_Kex_Alg 2 Binary The key exchange algorithm that is used by the cipher suite:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': RSA_EXPORT
  • X'0004': RSA_PSK
  • X'0005': DH_RSA
  • X'0006': DH_RSA_EXPORT
  • X'0007': DH_DSS
  • X'0008': DH_ANON
  • X'0009': DH_ANON_EXPORT
  • X'000A': DH_DSS_EXPORT
  • X'000B': DHE_RSA
  • X'000C': DHE_RSA_EXPORT
  • X'000D': DHE_DSS
  • X'000E': DHE_DSS_EXPORT
  • X'000F': DHE_PSK
  • X'0010': ECDH_ECDSA
  • X'0011': ECDH_RSA
  • X'0012': ECDH_ANON
  • X'0013': ECDHE_ECDSA
  • X'0014': ECDHE_RSA
  • X'0015': ECDHE_PSK
  • X'0016': KRB5
  • X'0017': KRB5_EXPORT
  • X'0018': PSK
  • X'0019': SRP_SHA_RSA
  • X'001A': SRP_SHA_DSS
  • X'001B': SRP_SHA
  • X'001C': ECDHE
  • X'001D': DHE
Server certificate information
16(X'10') SMF119SS_TLS_SCert_Signature_Method 2 Binary Server certificate signature method:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA with MD2
  • X'0003': RSA with MD5
  • X'0004': RSA with SHA1
  • X'0005': DSA with SHA1
  • X'0006': RSA with SHA-224
  • X'0007': RSA with SHA-256
  • X'0008': RSA with SHA-384
  • X'0009': RSA with SHA-512
  • X'000A': ECDSA with SHA1
  • X'000B': ECDSA with SHA-224
  • X'000C': ECDSA with SHA-256
  • X'000D': ECDSA with SHA-384
  • X'000E': ECDSA with SHA-512
  • X'000F': DSA with SHA-224
  • X'0010': DSA with SHA-256
  • X'0011': RSA PSS RSAE with SHA-256
  • X'0012': RSA PSS RSAE with SHA-384
  • X'0013': RSA PSS RSAE with SHA-512
  • X'0014': ED 25519
  • X'0015': ED 448
  • X'0016': RSA PSS PSS with SHA-256
  • X'0017': RSA PSS PSS with SHA-384
  • X'0018': RSA PSS PSS with SHA-512
18(X'12') SMF119SS_TLS_SCert_Enc_Method 2 Binary Server certificate encryption method:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': ECDSA
20(X'14') SMF119SS_TLS_SCert_Digest_Alg 2 Binary Server certificate digest algorithm:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': MD2
  • X'0003': MD5
  • X'0004': SHA1
  • X'0005': SHA-224
  • X'0006': SHA-256
  • X'0007': SHA-384
  • X'0008': SHA-512
22(X'16') SMF119SS_TLS_SCert_Key_Type 2 Binary Server certificate key type:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': Diffie-Hellman (DH)
  • X'0005': Elliptic Curve Cryptography (ECC)
24(X'18') SMF119SS_TLS_SCert_Key_Len 2 Binary Server certificate key length
Client certificate information
26(X'1A') SMF119SS_TLS_CCert_Signature_Method 2 Binary Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
28(X'1C') SMF119SS_TLS_CCert_Enc_Method 2 Binary Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
30(X'1E') SMF119SS_TLS_CCert_Digest_Alg 2 Binary Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
32(X'20') SMF119SS_TLS_CCert_Key_Type 2 Binary Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
34(X'22') SMF119SS_TLS_CCert_Key_Len 2 Binary Client certificate key length
Additional connection specific information
36(X'24') SMF119SS_TLS_Server_HS_Sig_Method 2 Binary Server-specified signature method used to encrypt certain TLS handshake messages. Same values as SMF119SS_TLS_SCert_Signature_Method.
Note: Only valid for TLSv1.2 and later connections.
38(X'26') SMF119SS_TLS_Client_HS_Sig_Method 2 Binary Client-specified signature method used to encrypt certain TLS handshake messages. Same values as SMF119SS_TLS_SCert_Signature_Method.
Note: Only valid for TLSv1.2 and later connections.
40(X'28') SMF119SS_TLS_Neg_Key_Share 2 Binary Negotiated key share:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': SECP-256R1
  • X'0003': SECP-384R1
  • X'0004': SECP-521R1
  • X'0005': X-25519
  • X'0006': X-448
  • X'0007': FFDHE with 2048
  • X'0008': FFDHE with 3072
  • X'0009': FFDHE with 4096
  • X'000A': FFDHE with 6144
  • X'000B': FFDHE with 8192
Table 4 shows the zERT summary SSH protocol attributes section. This section is presented in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is an SSH security session (i.e., when it contains the value X'40'):
Table 4. zERT summary record SSH protocol attributes section
Offset Name Length Format Description
0(X'0') SMF119SS_SSH_Source 1 Binary Source of the information in this record. Can be one of the following values:
  • X'01': Stream observation
  • X'02': Cryptographic protocol provider
1(X'1')   1   Unused
2(X'2') SMF119SS_SSH_Prot_Ver 1 Binary Protocol version :
  1. Protocol version 1
  2. Protocol version 2
3(X'3') SMF119SS_SSH_CryptoFlags 1 Binary Cryptographic operations flags:
  • X'80': Encrypt-then-MAC processing is used for inbound traffic
  • X'40': Encrypt-then-MAC processing is used for outbound traffic
4(X'4') SMF119SS_SSH_Auth_Method 2 Binary First or only peer authentication method that is used for this security session:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': Password
  • X'0003': Public key
  • X'0004': Host-based
  • X'0005': Rhosts
  • X'0006': RhostsRSA
  • X'0007': RSA
  • X'0008': Keyboard-interactive
  • X'0009': Challenge-response
  • X'000A': Control socket 1
  • X'000B': GSSAPI with MIC
  • X'000C': GSSAPI Key exchange
6(X'6') SMF119SS_SSH_Auth_Method2 2 Binary If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SS_SSH_Auth_Method
8(X'8') SMF119SS_SSH_In_Enc_Alg 2 Binary Encryption algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3.
10(X'A') SMF119SS_SSH_In_Msg_Auth 2 Binary Message authentication algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3.
12(X'C') SMF119SS_SSH_Kex_Method 2 Binary Key exchange method.
  • X'0000' Unknown
  • X'0001' None
  • X'0002' Diffie-Hellman-group-exchangeSHA256
  • X'0003' Diffie-Hellman-group-exchangeSHA1
  • X'0004' Diffie-Hellman-group14-SHA1
  • X'0005' Diffie-Hellman-group1-SHA1
  • X'0006' ECDH-SHA2-NISTP256
  • X'0007' ECDH-SHA2-NISTP384
  • X'0008' ECDH-SHA2-NISTP521
  • X'0009' GSS-GROUP1-SHA1
  • X'000A' GSS-GROUP14-SHA1
  • X'000B' GSS-GEX-SHA1
  • X'000C' ECMQV-SHA2
  • X'000D' GSS-*
  • X'000E' RSA1024-SHA1
  • X'000F' RSA2048-SHA256
  • X'0010' Diffie-Hellman-group14-SHA256
  • X'0011' Diffie-Hellman-group16-SHA512
  • X'0012' Diffie-Hellman-group18-SHA512
  • X'0013' Curve 25519-SHA256
  • Start of changeX'0014' GSS-GROUP14-SHA256End of change
  • Start of changeX'0015' GSS-GROUP16-SHA512End of change
  • Start of changeX'0016' GSS-NISTP256-SHA256End of change
  • Start of changeX'0017' GSS-CURVE25519-SHA256End of change
14(X'E') SMF119SS_SSH_Out_Enc_Alg 2 Binary Encryption algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3.
16(X'10') SMF119SS_SSH_Out_Msg_Auth 2 Binary Message authentication algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3.
18(X'12') SMF119SS_SSH_SKey_Type 2 Binary Type of raw server key:
  • X'0000': Unknown
  • X'0001': None
  • X'0002': RSA
  • X'0003': DSA
  • X'0004': Diffie-Hellman (DH)
  • X'0005': Elliptic Curve Cryptography (ECC)
  • X'0006': RSA1 (SSHV1 only)
  • X'0007': RSA_CERT (from OpenSSH certificate)
  • X'0008': DSA_CERT (from OpenSSH certificate)
  • X'0009': ECDSA_CERT (from OpenSSH certificate)
  • X'000A': Edwards curve 25519
  • X'000B': Edwards curve 25519 (from OpenSSH certificate)
  • Start of changeX'0012': ECDSA_SK (SK = security key, used with FID0/U2F key authentication support)End of change
  • Start of changeX'0013': ECDSA_SK_CERT (from OpenSSH certificate)End of change
  • Start of changeX'0014': ED 25519_SKEnd of change
  • Start of changeX'0015': ED 25519_SK_CERT (from OpenSSH certificate)End of change
20(X'14') SMF119SS_SSH_SKey_Len 2 Binary Length of raw server key in bits.
22(X'16') SMF119SS_SSH_CKey_Type 2 Binary Type of raw client key. Same values as SMF119SS_SSH_Server_Key_Type.
24(X'18') SMF119SS_SSH_CKey_Len 2 Binary Length of raw client key in bits.
Server X.509 certificate information
26(X'1A') SMF119SS_SSH_SCert_Signature_Method 2 Binary Server certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3.
28(X'1C') SMF119SS_SSH_SCert_Enc_Method 2 Binary Server certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3.
30(X'1E') SMF119SS_SSH_SCert_Digest_Alg 2 Binary Server certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3.
32(X'20') SMF119SS_SSH_SCert_Key_Type 2 Binary Server certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3.
34(X'22') SMF119SS_SSH_SCert_Key_Len 2 Binary Server certificate key length
Client X.509 certificate information
36(X'24') SMF119SS_SSH_CCert_Signature_Method 2 Binary Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3.
38(X'26') SMF119SS_SSH_CCert_Enc_Method 2 Binary Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3.
40(X'28') SMF119SS_SSH_CCert_Digest_Alg 2 Binary Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3.
42(X'2A') SMF119SS_SSH_CCert_Key_Type 2 Binary Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3.
44(X'2C') SMF119SS_SSH_CCert_Key_Len 2 Binary Client certificate key length
Table 5 shows the zERT summary IPSec attributes section. This section is presented in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is an IPSec security session (that is, when it contains the value X'20'):
Table 5. zERT summary record IPSec protocol attributes section
Offset Name Length Format Description
0(X'0') SMF119SS_IPSec_IKEMajVer 1 Binary Major version of the IKE protocol in use. Only the low-order 4 bits are used.
1(X'1') SMF119SS_IPSec_IKEMinVer 1 Binary Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
2(X'2') SMF119SS_IPSec_IKETunLclEndpt 16 Binary Local IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
18(X'12') SMF119SS_IPSec_IKETunRmtEndpt 16 Binary Remote IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
34(X'22') SMF119SS_IPSec_IKETunLclAuthMeth 2 Binary The authentication method for the local endpoint. One of the following values:
  • 0: Unknown
  • 1: None
  • 2: RSA signature
  • 3: Preshared key
  • 4: ECDSA-256 signature
  • 5: ECDSA-384 signature
  • 6: ECDSA-521 signature
  • 7: Digital signature
36(X'24') SMF119SS_IPSec_IKETunRmtAuthMeth 2 Binary The authentication method for the remote endpoint. Same values as SMF119SS_IPSec_IKETunLclAuthMeth.
38(X'26') SMF119SS_IPSec_IKETunAuthAlg 2 Binary Tunnel authentication algorithm. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3.
40(X'28') SMF119SS_IPSec_IKETunEncAlg 2 Binary Tunnel encryption algorithm. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3.
42(X'2A') SMF119SS_IPSec_IKETunDHGroup 2 Binary Diffie-Hellman group that is used to generate the keying material for this IKE tunnel. One of the following values:
  • X'00': Unknown or manual tunnel
  • X'01': Group1
  • X'02': Group 2
  • X'05': Group 5
  • X'0E': Group 14
  • X'13': Group 19
  • X'14': Group 20
  • X'15': Group 21
  • X'18': Group 24
  • X'FF': No DH group used (only possible for SMF119SS_IPSec_PFSGroup, where these values are also used)
44(X'2C') SMF119SS_IPSec_IKETunPseudoRandFunc 2 Binary Pseudo-random function that is used for seeding keying material. One of the following values:
  • 0: Unknown
  • 1: None
  • 2: HMAC-SHA2-256
  • 3: HMAC-SHA2-384
  • 4: HMAC-SHA2-512
  • 5: AES-128-XCBC
  • 6: HMAC-MD5
  • 7: HMAC-SHA1
IKE Local certificate information. This information is populated if SMF119SS_IPSec_IKETunLocalAuthMeth is not “preshared key” (or not a value of 3). Otherwise, all fields are set to zero.
46(X'2E') SMF119SS_IPSec_LclCert_Sign_Meth 2 Binary Local IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3.
48(X'30') SMF119SS_IPSec_LclCert_Enc_Meth 2 Binary Local IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3.
50(X'32') SMF119SS_IPSec_LclCert_Digest_Alg 2 Binary Local IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3.
52(X'34') SMF119SS_IPSec_LclCert_Key_Type 2 Binary Local IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3.
54(X'36') SMF119SS_IPSec_LclCert_Key_Len 2 Binary Local IKE certificate key length in bits
IKE Peer certificate information. This information is populated if SMF119SS_IPSec_IKETunRmtAuthMeth is not “preshared key” (or not a value of 3). Otherwise, all fields set to zero.
56(X'38') SMF119SS_IPSec_RmtCert_Sign_Meth 2 Binary Remote IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3.
58(X'3A') SMF119SS_IPSec_RmtCert_Enc_Meth 2 Binary Remote IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3.
60(X'3C') SMF119SS_IPSec_RmtCert_Digest_Alg 2 Binary Remote IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3.
62(X'3E') SMF119SS_IPSec_RmtCert_Key_Type 2 Binary Remote IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3.
64(X'40') SMF119SS_IPSec_RmtCert_Key_Len 2 Binary Remote IKE certificate key length in bits
IPsec (Phase 2) tunnel information
66(X'42') SMF119SS_IPSec_PFSGroup 2 Binary Diffie-Hellman group that is used for perfect forward secrecy. Same values as SMF119SS_IPSec_IKETunDHGroup.
68(X'44') SMF119SS_IPSec_EncapMode 1 Binary Tunnel encapsulation mode. One of the following values:
  1. Tunnel Mode
  2. Transport Mode
69(X'45') SMF119SS_IPSec_AuthProto 1 Binary The protocol that is used for message authentication. One of the following values:
  • 50 Encapsulating Security Payload (ESP)
  • 51: Authentication Header (AH)
70(X'46') SMF119SS_IPSec_AuthAlg 2 Binary The tunnel authentication algorithms. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3.
72(X'48') SMF119SS_IPSec_EncAlg 2 Binary The tunnel encryption algorithms. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3.

The zERT summary Distinguished Names (DN) section contains one or more variable length X.500 DNs from relevant X.509 certificates. Subject and issuer DNs from the certificates are included in the zERT DNs section.

If any DNs exist, there is one zERT summary DN section that contains all the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. The following structure is used to describe the fields present for each DN.

Table 6 illustrates the format of the data structure for each DN in a zERT summary record DNs section.
Table 6. Data structure for each DN included in a zERT summary record Distinguished Name section
Offset Name Length Format Description
0(X'0') SMF119SS_DN_Len 2 Binary Length of the DN structure (includes the length of SMF119SS_DN_Len, SMF119SS_DN_Type, and SMF119SS_DN)
2(X'2') SMF119SS_DN_Type 2 Binary Type of Distinguished Name:
  • X'0001': IPSec Local Certificate Subject DN
  • X'0002': IPSec Local Certificate Issuer DN
  • X'0003': IPSec Remote Certificate Subject DN
  • X'0004': IPSec Remote Certificate Issuer DN
  • X'0005': TLS Server Certificate Subject DN
  • X'0006': TLS Server Certificate Issuer DN
  • X'0007': TLS Client Certificate Subject DN
  • X'0008': TLS Client Certificate Issuer DN
  • X'0009': SSH Server Certificate Subject DN
  • X'000A': SSH Server Certificate Issuer DN
  • X'000B': SSH Client Certificate Subject DN
  • X'000C': SSH Client Certificate Issuer DN
4(X'4') SMF119SS_DN 1 to 1024 EBCDIC The variable length DN value.