- Are all my z/OS TCP/IP connections encrypted?
- How do I know what level of TLS is being used?
- Which TCP/IP clients or servers are using insecure ciphers?
zERT – the z/OS Encryption Readiness Technology is designed to answer these questions.
zERT is a function of TCP/IP on z/OS. It collects information about cryptographic security attributes of TCP/IP connections and writes it to SMF. IBM provides some free zERT reports in z/OSMF, but the data needs to be loaded into DB2 before you can view the reports.
EasySMF allows you to view zERT SMF reports without DB2.
zERT can produce two types of records – Connection Detail and Aggregation. Like z/OSMF, EasySMF reports on zERT Aggregation records: SMF type 119 subtype 12.
zERT Aggregation records contain similar information to the zERT Connection Detail records, but the information for multiple connections with the same security characteristics is combined into one record. This reduces the number of records generated.
The aggregation records still break the information down to the IP address and port level, but they combine information from multiple connections with the same security settings from the same client.
Finding the Important Information
Even using aggregation records, zERT reports have a lot of information. Records are produced for each client connecting to TCP/IP. Most of these records are not interesting. The entries you probably want to see are connections with specific security attributes, e.g. insecure ciphers or old TLS versions.
EasySMF makes it easy to find the important entries. EasySMF groups connections by security attributes and server port.
Here we can see there are multiple clients connecting to FTP and z/OSMF using TLS V1.0.
We can filter the report to show only the TLS 1.0 entries, and expand the groups to show the individual client addresses. To save the report data, you can export it to Excel or CSV.
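The grouping and filtering described above, as an added example that is not EasySMF, IBM or zERT code: it takes a constructed, simplified set of aggregation-style records (the field names and values here are an assumption for illustration and are not the real SMF type 119 subtype 12 layout), groups them by security attributes plus server port, keeps only the groups with weak settings (old TLS versions, weak ciphers, or no protection), lists the client addresses in each group, and writes the result as CSV. The weak-cipher markers are an assumed, deliberately small list.

```python
"""Added example (not EasySMF or IBM code): group simplified zERT-style
aggregation records by security attributes and server port, then filter
for weak settings and list the clients behind each group.

The record layout below is a constructed simplification for illustration;
it is NOT the real SMF type 119 subtype 12 field layout.
"""
import csv
import io
from collections import defaultdict

# Constructed sample records: one per (client, server port, security attributes),
# mirroring how zERT aggregation combines connections with identical settings.
SAMPLE_RECORDS = [
    {"client_ip": "10.1.1.20", "server_port": 21,  "protocol": "TLS",  "version": "TLSV1.0", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA",           "connections": 14},
    {"client_ip": "10.1.1.21", "server_port": 21,  "protocol": "TLS",  "version": "TLSV1.0", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA",           "connections": 3},
    {"client_ip": "10.1.1.22", "server_port": 21,  "protocol": "TLS",  "version": "TLSV1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  "connections": 40},
    {"client_ip": "10.2.0.5",  "server_port": 443, "protocol": "TLS",  "version": "TLSV1.0", "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          "connections": 2},
    {"client_ip": "10.2.0.9",  "server_port": 443, "protocol": "TLS",  "version": "TLSV1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  "connections": 120},
    {"client_ip": "10.3.3.3",  "server_port": 23,  "protocol": "NONE", "version": "",        "cipher": "",                                       "connections": 7},
]

# Assumed policy: versions and cipher-name fragments a reviewer would flag.
WEAK_VERSIONS = {"SSLV3", "TLSV1.0", "TLSV1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES_")


def security_key(rec):
    """Grouping key: security attributes plus server port, as the report does."""
    return (rec["protocol"], rec["version"], rec["cipher"], rec["server_port"])


def group_by_security(records):
    """Combine records that share the same security attributes and server port."""
    groups = defaultdict(lambda: {"clients": [], "connections": 0})
    for rec in records:
        g = groups[security_key(rec)]
        g["clients"].append(rec["client_ip"])
        g["connections"] += rec["connections"]
    return dict(groups)


def is_weak(key):
    """True when the group uses no protection, an old TLS version, or a weak cipher."""
    protocol, version, cipher, _port = key
    if protocol == "NONE":
        return True
    if version in WEAK_VERSIONS:
        return True
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def weak_groups(records):
    """Filter the grouped data down to the entries worth investigating."""
    return {k: v for k, v in group_by_security(records).items() if is_weak(k)}


def to_csv(groups):
    """Export the groups (one row each, clients ';'-separated) as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["protocol", "version", "cipher", "server_port", "connections", "clients"])
    for key in sorted(groups):
        g = groups[key]
        writer.writerow([*key, g["connections"], ";".join(sorted(g["clients"]))])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(weak_groups(SAMPLE_RECORDS)))
```

With the constructed input the report collapses five groups to three: the two FTP (port 21) clients still negotiating TLS 1.0, one z/OSMF-style (port 443) client on TLS 1.0 with 3DES, and an unprotected port 23 client; the TLS 1.2 groups drop out of the filtered view.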
zERT is a very useful facility to help you secure your z/OS system. Download a 30 day trial of EasySMF and see how EasySMF can help you interpret your zERT data.