z/OS Communications Server - Group home

Things you should know about z/OS Encryption Readiness Technology (zERT)

  

Check out this
survey to provide your feedback on zERT.

z/OS Encryption Readiness Technology (zERT), a core capability of IBM Z pervasive encryption, is an important feature of z/OS V2R3 Communications Server and versions above.

zERT provides intelligent network security discovery and reporting capabilities by monitoring TCP and Enterprise Extender traffic for TLS/SSL, IPsec and SSH protection, as well as cleartext. It also writes information about the state of that protection to SMF 119 records. Moreover, IBM zERT Network Analyzer, a web-based interface on z/OSMF, available since December, 2018, helps you determine which z/OS TCP and Enterprise Extender traffic is or isn’t protected according to specific query criteria. With z/OS V2R5, here comes zERT Policy-based Enforcement which allows policy-based rules that describe different levels of cryptographic protection along with optional actions to take when TCP connections match those rules.

What new in z/OS 3.1 for zERT?

In z/OS 3.1, IBM zERT Network Analyzer supports the use of passphrases as an authentication credential for the network analyzer's Db2 user ID on the plug-in's database settings panel. Additionally, the same panel is intended to be enhanced to allow the saving of empty Db2 user ID and password and passphrase values. This gives flexibility to users who want to support multiple Db2 user IDs.

With z/OS 3.1, IBM zERT Network Analyzer is further enhanced to provide a simplified upgrade of application and database settings from those configured for V2.4 or V2.5 releases. Additionally, new tooling is available to more easily upgrade an existing V2.4 or V2.5 zERT Network Analyzer database to the z/OS 3.1 schema.

What does customers say about zERT?


  • Swiss Re Group
    • "zERT is my one stop shop to monitor and manage the usage of all cryptographic algorithms within my z/OS network stack. It even provides real-time policy-based notifications when cryptographic usage doesn’t match my expectations!
    • "zERT is simple and fast to setup and implement. It gives me immediate results and it increases z/OS network security in its full breadth at once - not just for a single component!"
  • Finanz Informatik
    • “zERT brings all the requested information that we need for our security business and to achieve our described security policy. I am using the zERT Reports in my daily business. For us, zERT is a big relief!"
    • “We have used the zERT aggregation records to totally eliminate the TLS 1.0 protocol and SHA1/HMAC suites. zERT reporting also enabled us to find various problems in environment settings and configurations. I think we never would have had a chance to do this without the zERT support!”

  • Fiducia & GAD IT AG
    • “Fiducia & GAD IT AG is in the process of enabling z/OS Enterprise Readiness Technology (zERT) to monitor and record the cryptographic protection attributes of network connections terminating on z/OS. With zERT, Fiducia & GAD IT AG can determine which of the connections are properly or improperly configured. This could potentially help the company in its efforts to simplify compliance reporting.

zERT Articles


zERT Videos


Watch the videos to learn about zERT:


zERT Badge


Check out the following zERT badge and start your learning

This badge earner has the knowledge and foundational understanding of configuring zERT Policy Enforcement using the IBM Configuration Assistant for z/OS Communications Server (NCA). This individual can create various objects and rules in zERT, install rules to policy agents, and use zERT reports to analyze their NCA zERT configuration.

zERT Documentation


Read the zERT documentation to learn about the technical details of zERT:

zERT discovery collects and records a wide variety of cryptographic protection attributes for TCP and Enterprise Extender (EE) traffic on your z/OS system. With zERT, the TCP/IP stack acts as a focal point in collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected using the TLS/SSL, SSH and IPSec cryptographic network security protocols.

zERT aggregation provides an alternative SMF view of the collected security session data in the form of  SMF 119 zERT Summary (subtype 12) records that summarize the repeated use of security sessions by many application connections over time.  zERT Summary records are written at the end of each SMF interval. Compared to zERT discovery alone, zERT aggregation can significantly reduce the volume of SMF records while still providing the critical security information.

IBM zERT Network Analyzer is a web-based graphical user interface that z/OS network security administrators can use to analyze and report on data reported in zERT Summary records.

For more hands-on details of IBM zERT Network Analyzer, see IBM zERT Network Analyzer tutorial.

zERT policy-based enforcement (zERT enforcement) allows policy-based rules that describe different levels of cryptographic protection along with optional actions to take when TCP connections match those rules. zERT enforcement actions enable immediate notification through messages, auditing through SMF records, and automatic connection termination when questionable or unacceptable cryptographic protection is detected.

    zERT Events


    The following mainframe events include sessions about zERT:

    • 2024
      • SHARE Kansas City 2024 (coming soon)
      • SHARE Orlando
    • 2023 
      • SHARE Orleans
      • SHARE Atlanta
    • 2022
      • SHARE Dallas 2022 - 03/27 - 03/30, 2022, Dallas/Online
        • zERT Overview/Hints and Tips (Chris Meyer, Keziah Knopp)
        • Using Network Configuration Assistant to configure zERT Policy Enforcement (Chris Meyer)
      • Enterprise Knights Days - 01/31 - 02/03, 2022 (APAC events scheduled for 02/28 - 03/04), Online
        • Enforcing Network Encryption Strength (Chris Meyer)
      • Guide Share Europe TK-Guide Telecommunications and Enterprise Networking: 02/02 - 02/03, 2022
    • 2021
      • IBM Tech U - 10/25 - 10/28, 2021, Online
        • z/OS Encryption Readiness Technology (zERT) goes live! (Navya Ramanjulu) - Recording & Slides
        • Using Network Configuration Assistant to configure zERT Policy Enforcement (Mike Fox) - Recording & Slides
      • IBM Worldwide Z Security Conference - October 19-22, 2021
        • z/OS V2R5: What's New in Network Security?
      • SHARE Virtual Experience 2021 - 08/10 - 08/12, 2021, Online
        • z/OS Encryption Readiness Technology goes live! (Chris Meyer)
      • SHARE Virtual Summit March 2021 - March 2021, Online
        • Taking zERT to the next nevel (Chris Meyer)
    • 2020
      • SHARE Virtual 2020 - October, 2020, Online
        • Pervasive Encryption: Get a Grip on Your z/OS Network Encryption with zERT (Chris Meyer)
      • 2020 Winter SHARE Conference: 02/23 - 02/28, 2020, Fort Worth, Texas
        • Pervasive Encryption: Get a Grip on Your z/OS Network Encryption with zERT (Al Chakra, Chris Meyer)
    • 2019
      • Vanguard Security and Compliance 2019: 09/30 - 10/03, 2019, Charlotte, NC
        • Getting a Grip on Your z/OS Network Encryption (Chris Meyer)
      • IBM Systems Technical University: 10/7 -10/11, 2019, LasVegas
        • Pervasive Encryption: Get a Grip on Your z/OS Network Encryption with zERT (Sam Reynolds)
      • 2019 WW IBM Z Security Conference: 10/15 - 10/19, 2019, Montpellier, France
        • z/OS Communications Server V2R4:  Network Security Update (Joshua Bennetone)
      • 2019 Summer SHARE Conference: 08/04 - 08/9, Pittsburgh
        • Pervasive Encryption: Get a Grip on Your z/OS Network Encryption with zERT (Chris Meyer)
        • z/OS Communications Server Network Security Overview (Chris Meyer)
      • 2019 Winter SHARE Conference: 03/10 - 03/15, Phoenix, Arizona
        • Is your z/OS network traffic properly encrypted? zERT has the answer (Chris Meyer)
        • Using zERT to determine how secure your network really is (Stephen Norris - CA Technologies)
    • 2018

    zERT Webinar


    Using Network Configuration Assistant to configure zERT Policy Enforcement

    Time: 10/28/2021 11:30 EDT


    Speaker: Mike Fox

    Learn more details and watch the webinar recording here.

    z/OS Encryption Readiness Technology goes live!

    Time: 10/27/2021 9:30 EDT


    Speaker: Navya Ramanjulu

    Learn more details and watch the webinar recording here.

    Getting a grip on your z/OS network encryption!


    Time: 12/9/2019 2:00 PM EST (11:00 AM PST)

    Speaker: Chris Meyer

    Learn more details and register to watch the webinar recording here.


    Time: 2/26/2019 11:00 AM EST

    Speaker: Chris Meyer

    Duration: 60 minutes

    Learn more details and register to watch the webinar recording here.

    zERT Presentation


    The following technical session presentations will provide more details on zERT:


    For questions about zERT, email comsvrcf@us.ibm.com.