z/OS Encryption Readiness Technology (zERT)

z/OS® Encryption Readiness Technology (zERT) is a new capability provided by the z/OS V2R3 Communications Server. With zERT, the TCP/IP stack acts as a focal point for collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected using the TLS/SSL, SSH and IPSec cryptographic network security protocols. The collected connection-level data is written to SMF in new SMF 119 subtype 11 records for analysis. Additionally, a new real-time network management interface (NMI) service is provided so that network management applications can retrieve zERT SMF records as they are generated.

Using zERT, you have a single source of information to determine which traffic is cryptographically protected by TLS/SSL, IPSec and SSH, and which is not. For the traffic with recognized cryptographic protection, you can determine which cryptographic protocol is used, which cryptographic algorithms are used, the length of the cryptographic keys, and other important attributes of the cryptographic protection. This information is valuable for determining regulatory compliance and for identifying connections that might need stronger cryptographic protection.

Restrictions:

zERT collects information for TCP and Enterprise Extender (EE) connections. Information is not collected for non-EE UDP traffic or traffic using other IP protocols.

zERT collects cryptographic security attributes for the TLS, SSL, SSH, and IPSec protocols. No other cryptographic security protocols are supported.

The following cryptographic protocol providers are fully enabled for zERT: z/OS Communications Server IPSec and AT-TLS, z/OS Cryptographic Services System SSL and z/OS OpenSSH. In addition, a zERT-enabled JSSE provider called ZERTJSSE is available for Java™ 8. Detailed security attribute data is available for connections using these protocol providers. Other TLS, SSL, and SSH implementations running on z/OS are monitored through stream observation only. A limited amount of security attribute data is available for these connections.

For information on the specific cases where security attribute data is limited or unavailable, see What are the limitations for zERT discovery? in z/OS Communications Server: IP Configuration Guide.
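As an added example (not code from the IBM documentation, and not the actual SMF 119 subtype 11 record layout), the following Python triages already-decoded zERT connection attributes for the compliance review described above, flagging unprotected connections, weak protocol versions and short keys, and routing connections seen only through stream observation to manual review rather than judging their protection from missing data. The field names, policy thresholds and sample records are assumptions.

```python
# Added example, not from the IBM documentation. The fields below are an
# assumed, already-decoded representation, not the SMF 119-11 record layout.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ZertConnection:
    conn_id: str
    protocol: Optional[str]   # "TLS", "SSL", "SSH" or "IPSec"; None if no protection recognized
    version: Optional[str]    # protocol version, e.g. "TLSv1.2"; None when not reported
    cipher: Optional[str]     # negotiated symmetric algorithm; None when not reported
    key_bits: Optional[int]   # symmetric key length in bits; None when not reported
    full_attributes: bool     # True for zERT-enabled providers, False for stream observation

# Policy thresholds are assumed for illustration; align them with your compliance baseline.
MIN_KEY_BITS = 128
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}

def classify(rec: ZertConnection) -> str:
    """Return UNPROTECTED, REVIEW, WEAK or OK for one connection record."""
    if rec.protocol is None:
        return "UNPROTECTED"   # no recognized TLS/SSL/SSH/IPSec protection
    if not rec.full_attributes and (rec.cipher is None or rec.key_bits is None):
        # Stream observation only: missing attributes are not evidence of weak
        # (or strong) protection, so send the connection to manual review.
        return "REVIEW"
    if rec.version in WEAK_VERSIONS:
        return "WEAK"
    if rec.key_bits is not None and rec.key_bits < MIN_KEY_BITS:
        return "WEAK"
    return "OK"

def summarize(records):
    """Group connection ids by classification so each gap can be worked through."""
    summary = {"UNPROTECTED": [], "REVIEW": [], "WEAK": [], "OK": []}
    for rec in records:
        summary[classify(rec)].append(rec.conn_id)
    return summary

# Constructed sample records (not real zERT output).
SAMPLE = [
    ZertConnection("c1", "TLS", "TLSv1.2", "AES-256-GCM", 256, True),
    ZertConnection("c2", None, None, None, None, True),
    ZertConnection("c3", "SSL", "SSLv3", "RC4", 128, True),
    ZertConnection("c4", "SSH", None, None, None, False),
    ZertConnection("c5", "IPSec", None, "DES-CBC", 56, True),
]
```

Calling `summarize(SAMPLE)` returns the connection ids grouped under UNPROTECTED, REVIEW, WEAK and OK.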

Dependency: In order to properly monitor IBM® Sterling Connect:Direct® traffic when it is protected through SecurePlus TLS/SSL support, you must apply Connect:Direct APAR PI77316.

Table 1. z/OS Encryption Readiness Technology (zERT)

Task/Procedure: Plan for collection and storage of zERT connection detail SMF records

Task/Procedure: Enable z/OS Encryption Readiness Technology
Reference: GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference

Task/Procedure: Determine where zERT connection detail SMF records are to be collected:
  • If you want the records to go to the System Management Facility data sets, specify SMFCONFIG TYPE119 ZERTDETAIL.
  • If you want the records to be available to the real-time NMI zERT service (SYSTCPER), specify NETMONITOR ZERTSERVICE.
  • If you want the records available to both services, specify both SMFCONFIG TYPE119 ZERTDETAIL and NETMONITOR ZERTSERVICE.

Task/Procedure: Display zERT configuration settings
Reference: Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands

Task/Procedure: Use the information from the SMF 119 subtype 11 event records that provide zERT data
Reference: zERT connection detail record (subtype 11) in z/OS Communications Server: IP Programmer's Guide and Reference

To find all related topics about z/OS Encryption Readiness Technology, see Table 2.

Table 2. All related topics about z/OS Encryption Readiness Technology

Book name: z/OS Communications Server: IP Configuration Guide

Book name: z/OS Communications Server: IP Configuration Reference

Book name: z/OS Communications Server: IP Diagnosis Guide
Topics: Specifying trace options at initialization

Book name: z/OS Communications Server: IP System Administrator's Commands
Topics: Netstat CONFIG/-f report

Book name: z/OS Communications Server: IP Programmer's Guide and Reference