
Strengthening your network cryptographic posture with zERT

By Flora Gui posted Wed November 18, 2020 03:49 AM


Network security is not a new topic for IT practitioners, but it remains a pressing one. Data breaches can be devastating to a business both operationally and financially, and the threat landscape never stands still: attackers continually find new ways to probe an organization's systems for weaknesses. In 2017, IBM launched Pervasive Encryption as a consumable approach to encrypting data in flight and at rest extensively, simplifying encryption and reducing the cost of protecting data and meeting compliance mandates. A critical part of IBM Z Pervasive Encryption is z/OS Encryption Readiness Technology (zERT), which provides network security discovery and reporting by monitoring TCP and Enterprise Extender connections for TLS/SSL, IPsec and SSH protection, including connections that carry none. Since its debut with z/OS V2R3 in 2017, zERT has helped z/OS system administrators monitor the cryptographic status of their network traffic.

  • Adopting zERT brings relief to daily business

Finanz Informatik Technologie Service, located in Germany, is an innovative IT partner for the financial sector and supports public and private banks, insurance companies and financial service providers with standardized outsourcing services. Finanz Informatik has adopted zERT, which has substantially improved how they manage network encryption.

According to Svend Zaunick from Finanz Informatik, zERT has simplified their daily work. In the last few months, Finanz Informatik has used the zERT aggregation records to completely eliminate the TLS 1.0 protocol and SHA1/HMAC suites in all of their z/OS subsystems. “zERT brings all the requested information that we need for our security business and to achieve our described security policy. zERT is here a big relief!”

“zERT reporting also enabled us to find various problems in environment settings and configurations. I think we never would have had a chance to do this without the zERT support!” said Svend.
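The kind of policy check behind that cleanup, as an added illustration rather than code from the post, from IBM or from Finanz Informatik: zERT's value is that it tells you, per connection, which protocol and cipher suite were actually negotiated, so weak settings can be found and removed before they are exploited. The record fields, the sample rows and the policy thresholds below are constructed for this example and do not reproduce the layout of the real zERT SMF type 119 summary records or of a zERT Network Analyzer report; a real implementation would read those records and map their documented fields onto the same kind of check.

```python
"""Constructed example: flag weak or absent cryptographic protection in
zERT-style per-connection aggregation records.

Not zERT's own code or record layout. The ConnRecord fields, the sample rows
and the policy (TLS >= 1.2, no SHA-1 HMAC, no unprotected traffic) are
assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Hypothetical policy: lowest TLS version still acceptable.
MIN_TLS = (1, 2)


@dataclass(frozen=True)
class ConnRecord:
    local_port: int
    remote_ip: str
    protection: str   # "TLS", "IPsec", "SSH" or "none"
    version: str      # negotiated protocol version, "" when unprotected
    cipher: str       # negotiated cipher suite or transform, "" when unprotected
    connections: int  # connections aggregated in the reporting interval


@dataclass(frozen=True)
class Finding:
    record: ConnRecord
    reason: str


# Constructed sample data, not real SMF output.
SAMPLE = [
    ConnRecord(1414, "10.1.1.5", "TLS", "TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", 120),
    ConnRecord(1414, "10.1.1.6", "TLS", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 3000),
    ConnRecord(22, "10.2.0.9", "SSH", "SSH-2.0", "hmac-sha1", 4),
    ConnRecord(443, "10.3.0.1", "IPsec", "IKEv2", "AES-CBC-128/HMAC-SHA1-96", 55),
    ConnRecord(23, "10.9.9.9", "none", "", "", 2),
]


def tls_version(version: str) -> tuple:
    """Parse 'TLSv1.0' or 'TLS 1.2' into a comparable (major, minor) tuple."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised TLS version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def sha1_mac(cipher: str) -> bool:
    """True if the suite or transform uses a SHA-1 HMAC.

    TLS suite names ending in '_SHA' denote HMAC-SHA1 (SHA256/SHA384 suites end
    in digits); SSH and IPsec names spell it out as 'hmac-sha1' / 'HMAC-SHA1'.
    """
    c = cipher.upper()
    if c.endswith("_SHA"):
        return True
    return "SHA1" in c.replace("-", "").replace("_", "")


def evaluate(records, min_tls=MIN_TLS):
    """Return policy findings, busiest offending flows first."""
    findings = []
    for r in records:
        if r.protection == "none":
            findings.append(Finding(r, "unprotected"))
            continue  # nothing negotiated, so no suite/version to inspect
        if r.protection == "TLS" and tls_version(r.version) < min_tls:
            findings.append(Finding(r, f"TLS version below {min_tls[0]}.{min_tls[1]}"))
        if sha1_mac(r.cipher):
            findings.append(Finding(r, "SHA-1 HMAC"))
    # Stable sort keeps a record's findings together and ranks by traffic volume.
    findings.sort(key=lambda f: -f.record.connections)
    return findings


def summarize(findings):
    """Total connections affected per reason, for a compliance summary."""
    totals = {}
    for f in findings:
        totals[f.reason] = totals.get(f.reason, 0) + f.record.connections
    return totals


if __name__ == "__main__":
    found = evaluate(SAMPLE)
    for f in found:
        r = f.record
        print(f"port {r.local_port:<5} {r.remote_ip:<10} {r.protection:<6} "
              f"{r.version:<8} {r.cipher:<40} {r.connections:>5}  {f.reason}")
    print(summarize(found))
```

Ranking by connection count matters in practice: the aggregation record for a TLS 1.0 flow with thousands of connections is the one to fix first, and an "unprotected" finding on a port that should carry only TLS usually points at a configuration error of the kind the quote above describes.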

Finanz Informatik is not the only client that has benefited from Pervasive Encryption and zERT. As IT service provider to approximately 900 German banks, Fiducia & GAD IT AG is responsible for protecting huge amounts of very valuable data. To secure that data on behalf of its banking clients, Fiducia & GAD IT AG is in the process of enabling zERT to monitor and record the cryptographic protection attributes of network connections terminating on z/OS. With zERT, Fiducia & GAD IT AG can determine which connections are properly or improperly configured, which could help the company simplify its compliance reporting. Learn more about Fiducia & GAD IT AG's story with Pervasive Encryption from IBM.com.

  • Optimized user experience through IBM zERT Network Analyzer

For modern enterprise software, ease of use matters as much as performance and stability. To make zERT data easy to access and consume, the z/OS Communications Server team developed the IBM zERT Network Analyzer, which lets users access and analyze zERT SMF data through a z/OSMF-based web GUI. IBM has recently released zERT Network Analyzer APARs that enhance database administration tasks for z/OS V2R3 and V2R4 users.

To provide additional flexibility in the IBM zERT Network Analyzer's Db2 for z/OS database schema definitions, and to reduce the access privileges required by the Analyzer's database user ID, the z/OS Communications Server team introduced APAR PH16222 for z/OS V2R3 and APAR PH16223 for z/OS V2R4. The supplied database schema tooling now supports customized values for the database schema name, index names and even table names, in addition to the many operational parameters that were already configurable. Reducing the privileges held by the Analyzer's database user ID is worth doing on its own: a reporting component should not be able to alter more of the database than it needs to read.

Note: these APARs introduce no new dependency. As before, the IBM zERT Network Analyzer requires z/OSMF to be installed and a type 4 JDBC connection to Db2 for z/OS 11 or higher.

For details, see the APAR text and the related help documentation.

In addition, IBM zERT Network Analyzer APAR PH24492 for z/OS V2R3 and APAR PH24494 for z/OS V2R4 introduce a configurable report timeout and a limit on the maximum number of open reports per user, so that a long-running or forgotten report cannot tie up Analyzer resources indefinitely.

For details, see the APAR text for PH24492 and PH24494 and the related help documentation.

For users upgrading from z/OS V2R3 to z/OS V2R4, z/OS Communications Server provides an upgrade guide for the IBM zERT Network Analyzer. See Upgrading to z/OS V2R4 Communications Server IBM zERT Network Analyzer.

To learn more about zERT, including further use cases and demos, see the zERT technical content portal, Things you should know about zERT, on IBM Community (https://ibm.biz/thingsaboutzert).