zERT Summary record (subtype 12)
zERT summary records function as both interval and event records for the z/OS® Encryption Readiness Technology (zERT) aggregation function.
As interval records, the zERT summary records are generated at user specified intervals. The record provides statistical data about an individual security session that provided cryptographic protection for one or more TCP or Enterprise Extender (EE) connections during the previous recording interval. The record also provides information describing the cryptographic characteristics of the security session.
Each record reports statistical data about the security session for the previous recording interval. The starting and ending values for the previous recording interval are reported for each statistic.
If zERT aggregation is turned off dynamically or the TCP stack terminates, a final complete set of subtype 12 records is generated to report close out data. These records are reported to the z/OS System Management Facility or the real-time zERT Summary SMF NMI service, or both, depending on the SMF record destination in effect.
In addition, if recording of zERT summary records to the z/OS System Management Facility is turned off dynamically, a final complete set of subtype 12 records is reported to the z/OS System Management Facility to report close out data. No records are reported to the real-time zERT Summary SMF NMI service for this condition.
- The zERT aggregation function is enabled.
- The zERT aggregation function is disabled dynamically.
The format of the zERT summary record is the same for both interval and event usage, although the zERT summary event records include just the TCP/IP Identification section and the zERT common section.
- For all zERT summary records, the TCP/IP stack identification section indicates STACK as the subcomponent.
- zERT summary event records indicate X'08' (event record) for the record reason.
- zERT summary interval records indicate one of three possible interval record reason settings, depending on whether the reporting is because of interval expiration, statistics collection termination, or collection shutdown.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | Standard SMF Header | 24 | Standard SMF header | |
Self-defining section | ||||
24(X'18') | SMF119DS_TRN | 2 | Binary | Number of triplets in this record (6) |
26(X'1A') | | 2 | Binary | Reserved |
28(X'1C') | SMF119IDOff | 4 | Binary | Offset to TCP/IP identification section |
32(X'20') | SMF119IDLen | 2 | Binary | Length of TCP/IP identification section |
34(X'22') | SMF119IDNum | 2 | Binary | Number of TCP/IP identification sections |
36(X'24') | SMF119S1Off | 4 | Binary | Offset to zERT common section |
40(X'28') | SMF119S1Len | 2 | Binary | Length of zERT common section |
42(X'2A') | SMF119S1Num | 2 | Binary | Number of zERT common sections |
44(X'2C') | SMF119S2Off | 4 | Binary | Offset to TLS-specific section |
48(X'30') | SMF119S2Len | 2 | Binary | Length of TLS-specific section |
50(X'32') | SMF119S2Num | 2 | Binary | Number of TLS-specific sections |
52(X'34') | SMF119S3Off | 4 | Binary | Offset to SSH-specific section |
56(X'38') | SMF119S3Len | 2 | Binary | Length of SSH-specific section |
58(X'3A') | SMF119S3Num | 2 | Binary | Number of SSH-specific sections |
60(X'3C') | SMF119S4Off | 4 | Binary | Offset to IPSec-specific section |
64(X'40') | SMF119S4Len | 2 | Binary | Length of IPSec-specific section |
66(X'42') | SMF119S4Num | 2 | Binary | Number of IPSec-specific sections |
68(X'44') | SMF119S5Off | 4 | Binary | Offset to certificate DN section |
72(X'48') | SMF119S5Len | 2 | Binary | Length of certificate DN section |
74(X'4A') | SMF119S5Num | 2 | Binary | Number of certificate DN sections |
Unless noted in the field description, all TCP and Enterprise Extender (EE) connection statistics reported in the common section represent activity from the time the zERT aggregation function began tracking this security session until the time that the zERT aggregation function stops tracking it. The zERT aggregation function stops tracking a security session when one complete SMF recording interval passes without any connections being protected by the security session. The TCP and Enterprise Extender (EE) connection statistics counts are approximate.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SS_SAIntervalDuration | 8 | Binary | Duration of recording interval in microseconds, where bit 51 is equivalent to 1 microsecond. |
8(X'8') | SMF119SS_SAEvent_Type | 1 | Binary | Event type:
|
9(X'9') | SMF119SS_SAFlags | 1 | Binary | Flags:
|
10(X'A') | SMF119SS_SASecProtos | 1 | Binary | Cryptographic security protocol. Only one value is set. Possible values are:
|
11(X'B') | SMF119SS_SAJobname | 8 | EBCDIC | Jobname that is associated with the socket. |
19(X'13') | SMF119SS_SAUserID | 8 | EBCDIC | z/OS user ID associated with the socket. Note: The value *FTPUSR* is specified when this security session represents an aggregation of FTP data connections and we are reporting at the FTP server (SMF119SS_SAFlags = X'40'). |
27(X'1B') | SMF119SS_SAIPProto | 1 | Binary | IP Protocol value. Possible values are:
|
28(X'1C') | SMF119SS_SASrvIP | 16 | Binary | Server IP address. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
44(X'2C') | SMF119SS_SACltIP | 16 | Binary | Client IP address. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
60(X'3C') | SMF119SS_SASrvPortStart | 2 | Binary | Starting value for server port range. For information on this field, see How does zERT aggregation determine the server port? in z/OS Communications Server: IP Configuration Guide. |
62(X'3E') | SMF119SS_SASrvPortEnd | 2 | Binary | Ending value for server port range. If this security session represents a single-server port, then the ending value equals the starting value for the port range. |
64(X'40') | SMF119SS_SASessionID | 42 | EBCDIC | Session identifier that uniquely identifies a security session based on the server and client endpoints plus the significant security attributes for the session. The session identifier is in the form p-value, where
|
106(X'6A') | | 2 | | Reserved (alignment) |
108(X'6C') | SMF119SS_SAInitLifeConnCnt | 4 | Binary | Count of connections for the life of this security session at the beginning of the summary interval. |
112(X'70') | SMF119SS_SAInitLifePartialConnCnt | 4 | Binary | Count of the partial connections for the life of this security session at the beginning of the summary interval. This is a subset of the connections reported in SMF119SS_SAInitLifeConnCnt. A connection is considered to be a "partial connection" if one or more of these conditions is met:
|
116(X'74') | SMF119SS_SAInitLifeShortConnCnt | 4 | Binary | Count of short connections for the life of this security session at the beginning of the summary interval. Short connections are connections that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP. |
120(X'78') | SMF119SS_SAInitActiveConnCnt | 4 | Binary | Number of active connections that are associated with this security session at the beginning of the summary interval. |
124(X'7C') | SMF119SS_SAInitLifeInBytes | 8 | Binary | Inbound byte count for the life of this security session at the beginning of the summary interval. |
132(X'84') | SMF119SS_SAInitLifeOutBytes | 8 | Binary | Outbound byte count for the life of this security session at the beginning of the summary interval. |
140(X'8C') | SMF119SS_SAInitLifeInSegDG | 8 | Binary | Inbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval. |
148(X'94') | SMF119SS_SAInitLifeOutSegDG | 8 | Binary | Outbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval. |
156(X'9C') | SMF119SS_SAEndLifeConnCnt | 4 | Binary | Count of connections for the life of this security session at the end of the summary interval. |
160(X'A0') | SMF119SS_SAEndLifePartialConnCnt | 4 | Binary | Count of partial connections for the life of this security session at the end of the summary interval. This is a subset of the connections reported in SMF119SS_SAEndLifeConnCnt that were associated with the security session for only part of their existence, using the same conditions described for SMF119SS_SAInitLifePartialConnCnt. |
164(X'A4') | SMF119SS_SAEndLifeShortConnCnt | 4 | Binary | Count of short connections for the life of this security session at the end of the summary interval. Short connections are ones that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP. |
168(X'A8') | SMF119SS_SAEndActiveConnCnt | 4 | Binary | Number of active connections that are associated with this security session at the end of the summary interval. |
172(X'AC') | SMF119SS_SAEndLifeInBytes | 8 | Binary | Inbound byte count for the life of this security session at the end of the summary interval. |
180(X'B4') | SMF119SS_SAEndLifeOutBytes | 8 | Binary | Outbound byte count for the life of this security session at the end of the summary interval. |
188(X'BC') | SMF119SS_SAEndLifeInSegDG | 8 | Binary | Inbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval. |
196(X'C4') | SMF119SS_SAEndLifeOutSegDG | 8 | Binary | Outbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval. |
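
The following Python example is added here and is not IBM code. It walks the six triplets of the self-defining section, locates the zERT common section, and turns the Init/End life counters into per-interval deltas. It assumes big-endian binary fields, triplet offsets measured from the start of the record as laid out in the tables above, and code page 037 for the EBCDIC fields; the sample record, job name and user ID are constructed.

```python
import struct

SECTIONS = ("ident", "common", "tls", "ssh", "ipsec", "dn")  # triplet order from offset 28
COUNTERS = ("conns", "partial", "short", "active",
            "in_bytes", "out_bytes", "in_segs", "out_segs")
EBCDIC = "cp037"  # assumption: code page for the EBCDIC fields

def read_triplets(record: bytes) -> dict:
    """Map section name -> (offset, length, count) from the self-defining section."""
    if len(record) < 76:
        raise ValueError("record shorter than header plus self-defining section")
    (ntrip,) = struct.unpack_from(">H", record, 24)            # SMF119DS_TRN
    if ntrip < len(SECTIONS):
        raise ValueError(f"expected 6 triplets, record declares {ntrip}")
    triplets = {}
    for i, name in enumerate(SECTIONS):
        off, length, num = struct.unpack_from(">IHH", record, 28 + 8 * i)
        if num and off + length * num > len(record):
            raise ValueError(f"{name} section runs past the end of the record")
        triplets[name] = (off, length, num)
    return triplets

def parse_common(sec: bytes) -> dict:
    """Decode identity fields and the Init/End counter blocks of the common section."""
    if len(sec) < 204:
        raise ValueError("common section truncated")
    init = dict(zip(COUNTERS, struct.unpack_from(">4I4Q", sec, 108)))
    end = dict(zip(COUNTERS, struct.unpack_from(">4I4Q", sec, 156)))
    port_lo, port_hi = struct.unpack_from(">HH", sec, 60)
    # Life counters are cumulative, so End - Init is the activity in this interval.
    # The active-connection count is a point-in-time value and is not differenced.
    delta = {k: end[k] - init[k] for k in COUNTERS if k != "active"}
    return {
        "jobname": sec[11:19].decode(EBCDIC).rstrip(),
        "userid": sec[19:27].decode(EBCDIC).rstrip(),
        "server_ports": (port_lo, port_hi),
        "active_at_end": end["active"],
        "interval": delta,
    }

def build_sample() -> bytes:
    """Constructed record: zeroed header, no optional sections, one common section."""
    common = bytearray(204)
    common[11:19] = "SAMPJOB".ljust(8).encode(EBCDIC)
    common[19:27] = "USER1".ljust(8).encode(EBCDIC)
    struct.pack_into(">HH", common, 60, 21, 21)
    struct.pack_into(">4I4Q", common, 108, 10, 1, 4, 2, 5000, 9000, 40, 60)
    struct.pack_into(">4I4Q", common, 156, 13, 1, 6, 1, 7500, 9900, 55, 71)
    record = bytearray(76)                    # 24-byte header + self-defining section
    struct.pack_into(">H", record, 24, 6)
    struct.pack_into(">IHH", record, 36, 76, len(common), 1)   # SMF119S1Off/Len/Num
    return bytes(record + common)

def summarize(record: bytes) -> dict:
    off, length, num = read_triplets(record)["common"]
    if num != 1:
        raise ValueError("expected exactly one zERT common section")
    return parse_common(record[off:off + length])
```
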
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SS_TLS_Source | 1 | Binary | Source of the information in this record. Can be one of the following values:
|
1(X'1') | SMF119SS_TLS_CryptoFlags | 1 | Binary | Cryptographic operations flags: X'80': Encrypt-then-MAC processing is used |
2(X'2') | SMF119SS_TLS_Prot_Ver | 2 | Binary | Protocol version:
|
4(X'4') | SMF119SS_TLS_Neg_Cipher | 6 | EBCDIC | Negotiated cipher suite identifier.
|
10(X'A') | SMF119SS_TLS_CS_Enc_Alg | 2 | Binary | The symmetric encryption algorithm that is used by the cipher suite:
|
12(X'C') | SMF119SS_TLS_CS_Msg_Auth | 2 | Binary | The message authentication algorithm that is used by the cipher suite:
|
14(X'E') | SMF119SS_TLS_CS_Kex_Alg | 2 | Binary | The key exchange algorithm that is used by the cipher suite:
|
Server certificate information | ||||
16(X'10') | SMF119SS_TLS_SCert_Signature_Method | 2 | Binary | Server certificate signature method:
|
18(X'12') | SMF119SS_TLS_SCert_Enc_Method | 2 | Binary | Server certificate encryption method:
|
20(X'14') | SMF119SS_TLS_SCert_Digest_Alg | 2 | Binary | Server certificate digest algorithm:
|
22(X'16') | SMF119SS_TLS_SCert_Key_Type | 2 | Binary | Server certificate key type:
|
24(X'18') | SMF119SS_TLS_SCert_Key_Len | 2 | Binary | Server certificate key length |
Client certificate information | ||||
26(X'1A') | SMF119SS_TLS_CCert_Signature_Method | 2 | Binary | Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method. |
28(X'1C') | SMF119SS_TLS_CCert_Enc_Method | 2 | Binary | Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method. |
30(X'1E') | SMF119SS_TLS_CCert_Digest_Alg | 2 | Binary | Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg. |
32(X'20') | SMF119SS_TLS_CCert_Key_Type | 2 | Binary | Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type. |
34(X'22') | SMF119SS_TLS_CCert_Key_Len | 2 | Binary | Client certificate key length |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SS_SSH_Source | 1 | Binary | Source of the information in this record. Can be one of the following values:
|
1(X'1') | | 1 | | Unused |
2(X'2') | SMF119SS_SSH_Prot_Ver | 1 | Binary | Protocol version:
|
3(X'3') | SMF119SS_SSH_CryptoFlags | 1 | Binary | Cryptographic operations flags:
|
4(X'4') | SMF119SS_SSH_Auth_Method | 2 | Binary | First or only peer authentication method that is used for this security session:
|
6(X'6') | SMF119SS_SSH_Auth_Method2 | 2 | Binary | If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SS_SSH_Auth_Method. |
8(X'8') | SMF119SS_SSH_In_Enc_Alg | 2 | Binary | Encryption algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3. |
10(X'A') | SMF119SS_SSH_In_Msg_Auth | 2 | Binary | Message authentication algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3. |
12(X'C') | SMF119SS_SSH_Kex_Method | 2 | Binary | Key exchange method.
|
14(X'E') | SMF119SS_SSH_Out_Enc_Alg | 2 | Binary | Encryption algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3. |
16(X'10') | SMF119SS_SSH_Out_Msg_Auth | 2 | Binary | Message authentication algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3. |
18(X'12') | SMF119SS_SSH_SKey_Type | 2 | Binary | Type of raw server key:
|
20(X'14') | SMF119SS_SSH_SKey_Len | 2 | Binary | Length of raw server key in bits. |
22(X'16') | SMF119SS_SSH_CKey_Type | 2 | Binary | Type of raw client key. Same values as SMF119SS_SSH_SKey_Type. |
24(X'18') | SMF119SS_SSH_CKey_Len | 2 | Binary | Length of raw client key in bits. |
Server X.509 certificate information | ||||
26(X'1A') | SMF119SS_SSH_SCert_Signature_Method | 2 | Binary | Server certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3. |
28(X'1C') | SMF119SS_SSH_SCert_Enc_Method | 2 | Binary | Server certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3. |
30(X'1E') | SMF119SS_SSH_SCert_Digest_Alg | 2 | Binary | Server certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3. |
32(X'20') | SMF119SS_SSH_SCert_Key_Type | 2 | Binary | Server certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3. |
34(X'22') | SMF119SS_SSH_SCert_Key_Len | 2 | Binary | Server certificate key length |
Client X.509 certificate information | ||||
36(X'24') | SMF119SS_SSH_CCert_Signature_Method | 2 | Binary | Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3. |
38(X'26') | SMF119SS_SSH_CCert_Enc_Method | 2 | Binary | Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3. |
40(X'28') | SMF119SS_SSH_CCert_Digest_Alg | 2 | Binary | Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3. |
42(X'2A') | SMF119SS_SSH_CCert_Key_Type | 2 | Binary | Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3. |
44(X'2C') | SMF119SS_SSH_CCert_Key_Len | 2 | Binary | Client certificate key length |
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SS_IPSec_IKEMajVer | 1 | Binary | Major version of the IKE protocol in use. Only the low-order 4 bits are used. |
1(X'1') | SMF119SS_IPSec_IKEMinVer | 1 | Binary | Minor version of the IKE protocol in use. Only the low-order 4 bits are used. |
2(X'2') | SMF119SS_IPSec_IKETunLclEndpt | 16 | Binary | Local IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
18(X'12') | SMF119SS_IPSec_IKETunRmtEndpt | 16 | Binary | Remote IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field. |
34(X'22') | SMF119SS_IPSec_IKETunLclAuthMeth | 2 | Binary | The authentication method for the local endpoint. One of the following values:
|
36(X'24') | SMF119SS_IPSec_IKETunRmtAuthMeth | 2 | Binary | The authentication method for the remote endpoint. Same values as SMF119SS_IPSec_IKETunLclAuthMeth. |
38(X'26') | SMF119SS_IPSec_IKETunAuthAlg | 2 | Binary | Tunnel authentication algorithm. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3. |
40(X'28') | SMF119SS_IPSec_IKETunEncAlg | 2 | Binary | Tunnel encryption algorithm. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3. |
42(X'2A') | SMF119SS_IPSec_IKETunDHGroup | 2 | Binary | Diffie-Hellman group that is used to generate the keying material for this IKE
tunnel. One of the following values:
|
44(X'2C') | SMF119SS_IPSec_IKETunPseudoRandFunc | 2 | Binary | Pseudo-random function that is used for seeding keying material. One of the
following values:
|
IKE Local certificate information. This information is populated if SMF119SS_IPSec_IKETunLclAuthMeth is not "preshared key" (or not a value of 3). Otherwise, all fields are set to zero. | ||||
46(X'2E') | SMF119SS_IPSec_LclCert_Sign_Meth | 2 | Binary | Local IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3. |
48(X'30') | SMF119SS_IPSec_LclCert_Enc_Meth | 2 | Binary | Local IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3. |
50(X'32') | SMF119SS_IPSec_LclCert_Digest_Alg | 2 | Binary | Local IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3. |
52(X'34') | SMF119SS_IPSec_LclCert_Key_Type | 2 | Binary | Local IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3. |
54(X'36') | SMF119SS_IPSec_LclCert_Key_Len | 2 | Binary | Local IKE certificate key length in bits |
IKE Peer certificate information. This information is populated if SMF119SS_IPSec_IKETunRmtAuthMeth is not "preshared key" (or not a value of 3). Otherwise, all fields are set to zero. | ||||
56(X'38') | SMF119SS_IPSec_RmtCert_Sign_Meth | 2 | Binary | Remote IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method in Table 3. |
58(X'3A') | SMF119SS_IPSec_RmtCert_Enc_Meth | 2 | Binary | Remote IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method in Table 3. |
60(X'3C') | SMF119SS_IPSec_RmtCert_Digest_Alg | 2 | Binary | Remote IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg in Table 3. |
62(X'3E') | SMF119SS_IPSec_RmtCert_Key_Type | 2 | Binary | Remote IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type in Table 3. |
64(X'40') | SMF119SS_IPSec_RmtCert_Key_Len | 2 | Binary | Remote IKE certificate key length in bits |
IPsec (Phase 2) tunnel information | ||||
66(X'42') | SMF119SS_IPSec_PFSGroup | 2 | Binary | Diffie-Hellman group that is used for perfect forward secrecy. Same values as SMF119SS_IPSec_IKETunDHGroup. |
68(X'44') | SMF119SS_IPSec_EncapMode | 1 | Binary | Tunnel encapsulation mode. One of the following values:
|
69(X'45') | SMF119SS_IPSec_AuthProto | 1 | Binary | The protocol that is used for message authentication. One of the following values:
|
70(X'46') | SMF119SS_IPSec_AuthAlg | 2 | Binary | The tunnel authentication algorithms. Same values as SMF119SS_TLS_CS_Msg_Auth in Table 3. |
72(X'48') | SMF119SS_IPSec_EncAlg | 2 | Binary | The tunnel encryption algorithms. Same values as SMF119SS_TLS_CS_Enc_Alg in Table 3. |
The zERT summary Distinguished Names (DN) section contains one or more variable length X.500 DNs from relevant X.509 certificates. Subject and issuer DNs from the certificates are included in the zERT DNs section.
If any DNs exist, there is one zERT summary DN section that contains all the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. The following structure is used to describe the fields present for each DN.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119SS_DN_Len | 2 | Binary | Length of the DN structure (includes the length of SMF119SS_DN_Len, SMF119SS_DN_Type, and SMF119SS_DN) |
2(X'2') | SMF119SS_DN_Type | 2 | Binary | Type of Distinguished Name:
|
4(X'4') | SMF119SS_DN | 1 to 1024 | EBCDIC | The variable length DN value. |
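
The DN section is a run of length-prefixed entries, so a reader has to validate each SMF119SS_DN_Len before advancing. The Python example below is added here and is not IBM code; it walks the section and rejects lengths that are too small, too large, or that overrun the section. It assumes big-endian fields and code page 037 for the DN text; the DN type numbers and DN strings in the sample are constructed placeholders, not values from the record definition.

```python
import struct

EBCDIC = "cp037"      # assumption: code page used for the DN text
DN_HEADER = 4         # SMF119SS_DN_Len (2 bytes) + SMF119SS_DN_Type (2 bytes)
DN_MAX = 1024         # maximum length of SMF119SS_DN


def parse_dn_section(section: bytes) -> list:
    """Return [(dn_type, dn_text), ...] for every entry in the DN section."""
    entries, pos = [], 0
    while pos < len(section):
        if len(section) - pos < DN_HEADER:
            raise ValueError(f"dangling bytes at offset {pos}")
        dn_len, dn_type = struct.unpack_from(">HH", section, pos)
        # SMF119SS_DN_Len counts its own header plus a 1..1024 byte DN, so a
        # value below 5 is malformed (and a value of 0 would never advance).
        if not DN_HEADER + 1 <= dn_len <= DN_HEADER + DN_MAX:
            raise ValueError(f"invalid DN length {dn_len} at offset {pos}")
        if pos + dn_len > len(section):
            raise ValueError(f"DN at offset {pos} overruns the section")
        text = section[pos + DN_HEADER:pos + dn_len].decode(EBCDIC)
        entries.append((dn_type, text))
        pos += dn_len
    return entries


def build_dn_section(entries) -> bytes:
    """Build a constructed DN section from (dn_type, dn_text) pairs for testing."""
    out = bytearray()
    for dn_type, text in entries:
        raw = text.encode(EBCDIC)
        out += struct.pack(">HH", DN_HEADER + len(raw), dn_type) + raw
    return bytes(out)


# Constructed sample: type numbers 1 and 2 are placeholders for this example only.
SAMPLE_DNS = [(1, "CN=server.example.com,O=Example"),
              (2, "CN=Example CA,O=Example")]
SAMPLE_SECTION = build_dn_section(SAMPLE_DNS)
```
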