z/OS Communications Server - Group home

zERT | Understanding zERT - zERT aggregation


100-second glimpse of zERT: http://ibm.biz/zerttotherescue

Learn about zERT aggregation on IBM Knowledge Center: zERT aggregation

As we discussed in a previous article, zERT discovery gives z/OS network administrators a way to effectively monitor z/OS network security status. However, workloads that consist of large numbers of frequent short-lived connections could generate huge volumes of zERT subtype 11 records. Although some measures are already taken in zERT discovery to reduce the number of records, these measures may be insufficient in environments that manage thousands of connections per hour or minute. 

zERT aggregation, available with new function APAR PI83362, is designed to provide the same level of cryptographic detail with much lower SMF volume than zERT discovery can generate.  

zERT aggregation summarizes the repetitive use of security sessions over time. Security sessions are summarized from the server’s perspective (based on server IP address, server port, and client IP address), regardless of whether z/OS is the client or the server. For Enterprise Extender traffic, they are always summarized from the local z/OS peer’s perspective. Summaries are written at the end of each SMF interval through new SMF 119 zERT summary (subtype 12) records which contain:

  • Connection attributes (Server IP addr, server port, client IP addr, transport protocol)
  • Significant security attributes (those that materially contribute to the strength of the cryptographic protection)
  • Statistics (connection counts, byte counts, etc.)

With aggregation, the data recorded across a large number of SMF 119 subtype 11 records can be greatly condensed into a small set of SMF 119 subtype 12 records.

zERT aggregation configuration
Like zERT discovery, aggregation is enabled independently of the recording destinations:

  • A new GLOBALCONFIG ZERT sub-parameter enables/disables aggregation: GLOBALCONFIG ZERT AGGregation | NOAGGregation (the default is NOAGGREGATION)
  • A new SMFCONFIG parameter to configure writing of SMF 119 subtype 12 records to SMF: SMFCONFIG ZERTSUMmary | NOZERTSUMmary (default is NOZERTSUMMARY)
  • A new NETMONITOR parameter to configure writing of SMF 119 subtype 12 records to the SYSTCPES realtime NMI service:  NETMONITOR ZERTSUMmary | NOZERTSUMmary (default is NOZERTSUMMARY)

All parameters can be dynamically enabled or disabled and are exposed in the z/OSMF-based Configuration Assistant for Communications Server under the TCP/IP profile perspective.

The same configuration reporting interfaces that were updated for discovery are also updated for aggregation.

Realtime zERT aggregation network monitoring service
The new SYSTCPES NMI service makes zERT 119 SMF zERT Summary (subtype 12) records available to network management applications as they are generated. Like the SYSTCPER service for zERT discovery, SYSTCPES uses the same programming model as SYSTCPCN (TCP connection service). For more details, see  z/OS Communications Server: IP Programmer’s Guide in the IBM Knowledge Center.

SMF 119 subtype 12 "zERT Summary" record
Subtype 12 records are written at the end of each SMF interval. Since they are associated with security sessions and not individual application connections, they contain either zero or one cryptographic protocol-specific section (zero for cleartext sessions, one for TLS/SSL, IPSec or SSH sessions). Contrast this with the per-connection subtype 11 records which can contain zero or more cryptographic protocol-specific sections (zero for cleartext connections, one or more for connections that are protected by some combination of TLS/SSL, IPSec and SSH).

The general layout of the subtype 12 record is illustrated in the graphic at the top of this blog entry.  

For a detailed description of the zERT Summary (SMF 119 subtype 12) record, see z/OS Communications Server: IP Programmer’s Guide in IBM Knowledge Center.


You have options!

With zERT discovery and aggregation in place, you now have the option of collecting the lower-volume zERT Summary records on an ongoing basis to maintain a constant watch on your z/OS network protection posture. Then, when you when you need to do more in-depth investigation of specific traffic patterns, you can enable the recording of the per-connection zERT Connection Detail records.

(This blog was originally published on Apr. 30, 2018 on z/OS Communications Server developerWorks.)