How to track your mainframe network traffic with IBM’s zERT
As the mainframe assumes its role as the data hub in your network, it is important to make sure that this asset is well protected. Enter IBM zERT.
With the z14, IBM invested significantly in making pervasive encryption a more realistic goal. Pervasive encryption is an IBM technical marketing concept promoting the idea that all data should always be encrypted: at rest (on disk), in flight (on the network links), and in the cloud.
Implementing this is expensive and complex, and not all sites will want or need to go all the way. However, everybody will agree that network traffic between the outside world and the mainframe needs to be encrypted so that it cannot be eavesdropped on.
z Encryption Readiness Technology (zERT)
IBM provides the z Encryption Readiness Technology (zERT) as part of its pervasive encryption program. This is a new feature in the IBM TCP/IP product designed to give you full visibility into all the network traffic from the mainframe TCP/IP stack, whether it leaves the mainframe or not. The zERT feature captures the encryption settings used for each and every session managed by the TCP/IP address space.
SMF 119 Records
IBM provides two flavors of SMF records: the extremely voluminous 119 subtype 11 that has a record for each session, and the more practical subtype 12 that captures all unique session types between client/server pairs per interval.
Both the subtype 11 and subtype 12 records are very detailed. They provide all the settings negotiated for the key exchange and the traffic for the four ways z/OS protects data: direct TLS/SSL usage, Application Transparent TLS (AT-TLS), Virtual Private Networks using IPSec and IKE, and Secure Shell using z/OS OpenSSH. The level of detail available from the auditing depends on the session; for a VPN, for example, the information is about the tunnel. In the zERT records (and in this paper) all the different flavors of TLS and SSL, including AT-TLS, are grouped under “TLS/SSL”.
The zERT records will allow you to find out what traffic is protected, and if so, what security protocol and version is used. Unprotected traffic to the public internet is likely undesirable, but so is the use of a deprecated protocol version of TLS. So the details are important in these records.
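The check described above can be automated once the subtype 12 records have been decoded. The following Python code is an added example, not code from IBM or from the white paper; it assumes a CSV extract with hypothetical column names (not IBM's SMF field names), constructed sample rows, and a site-defined internal range of 10.0.0.0/8.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample: decoded subtype 12 style summaries, one row per
# client/server pair and protection type. Column names are hypothetical.
SAMPLE = """\
server_ip,server_port,client_ip,protocol,version,connections
10.1.1.10,443,203.0.113.7,TLS,TLSv1.2,1200
10.1.1.10,23,203.0.113.9,NONE,,14
10.1.1.10,992,10.2.0.5,TLS,TLSv1.0,310
10.1.1.10,21,10.2.0.8,NONE,,52
10.1.1.10,22,10.2.0.9,SSH,SSHv2,40
10.1.1.10,443,198.51.100.4,TLS,TLSv1.3,77
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the site's own ranges
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # formally deprecated versions

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(row):
    """Return (severity, reason) for one summary row, or None if acceptable."""
    # In this sample the z/OS stack is the server, so the client is the peer.
    severity = "medium" if is_internal(row["client_ip"]) else "high"
    if row["protocol"] == "NONE":
        return severity, "unprotected"
    if row["protocol"] == "TLS" and row["version"] in DEPRECATED:
        return severity, "deprecated " + row["version"]
    return None

def findings(csv_text):
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        if verdict:
            out.append((verdict[0], verdict[1], row["server_port"],
                        row["client_ip"], int(row["connections"])))
    # High severity first, then the busiest pairs within each severity.
    out.sort(key=lambda f: (f[0] != "high", -f[4]))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(*finding)
```

Sorting by connection count within each severity puts the pairs that carry the most exposed traffic at the top of the remediation list.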
We expect that zERT will be used widely within the enterprise: by the security staff to track the implementation of encryption across the company, and by the auditors to verify that the IT department meets the regulatory and company security requirements.
How to get the Most Out of IBM’s zERT for Tracking Mainframe Network Traffic
As with most SMF data sources, all the good data is there out of the box, but a significant analysis effort is required to get useful information.
Our white paper, How to get the most out of IBM’s zERT for tracking mainframe network traffic, details how you can effectively process the SMF 119 subtype 12 records and provide reporting tailored to your environment and reporting needs. Doing so will not only give you greater visibility and access to your encryption data, but will allow you to more effectively monitor and track this data crucial to your network security.