Dr. Gilbert Houtekamer - 22 July 2019

How to track your mainframe network traffic with IBM’s zERT

As the mainframe assumes its role as the data hub in your network, it is important to make sure that the mainframe asset, security, is well protected. Enter IBM zERT.

With the z14, IBM invested significantly in making pervasive encryption a more realistic goal. Pervasive encryption is an IBM technical marketing concept to promote that all data should always be encrypted: at rest (on disk), in flight (on the network links), and in the cloud.

Implementing this is expensive and complex, and not all sites will want or need to go all the way. However, everybody will agree that network traffic between the outside world and the mainframe needs to be encrypted, so it cannot be listened into.

z Encryption Readiness Technology (zERT)

As part of IBM’s pervasive encryption program, they provide the z Encryption Readiness Technology (zERT). This is a new feature in the IBM TCP/IP product designed to provide you full visibility into all the network traffic from the mainframe TCP/IP stack, whether it leaves the mainframe or not. The zERT feature captures the encryption settings used for each and every session managed by the TCP/IP address space.

SMF 119 Records

IBM provides two flavors of SMF records: the extremely voluminous 119 subtype 11 that has a record for each session, and the more practical subtype 12 that captures all unique session types between client/server pairs per interval.

Both the subtype 11 and 12 records are very detailed and they provide all the settings negotiated for the key exchange and traffic for the 4 ways to protect data by z/OS: direct TLS/SSL usage, Application Transparent TLS (AT-TLS), Virtual Private Networks using IPSec and IKE, and Secure Shell using z/OS OpenSSH. The level of detail available from the auditing depends on the session, e.g. for a VPN the information is about the tunnel. In the zERT records (and in this paper) all the different flavors of TLS and SSL including AT-TLS are grouped under “TLS/SSL”.

The zERT records will allow you to find out what traffic is protected, and if so, what security protocol and version is used. Unprotected traffic to the public internet is likely undesirable, but so is the use of a deprecated protocol version of TLS. So the details are important in these records.

We expect that zERT will be used widely within the enterprise: by the security staff to track the implementation of encryption across the company, and by the auditors to verify that the IT department meets the regulatory and company security requirements.

How to get the Most Out of IBM’s zERT for Tracking Mainframe Network Traffic

Like with most SMF data sources, out of the box all the good data is there, but to get useful information a significant analysis effort is required.

Our white paper, How to get the most out of IBM’s zERT for tracking mainframe network traffic, details how you can effectively process the SMF 119 subtype 12 records and provide reporting tailored to your environment and reporting needs. Doing so will not only give you greater visibility and access to your encryption data, but will allow you to more effectively monitor and track this data crucial to your network security.

This article's author

Dr. Gilbert Houtekamer
Founder and Director
More from Dr. Houtekamer

Share this blog

Integrating z/OS Performance Management with Splunk

How to get the most out of IBM’s zERT for tracking mainframe network traffic

IBM zERT provides very detailed statistics on the use of encryption protocols for all IP and TCP traffic to and from z/OS mainframes. Like with most SMF data sources, there is good data out of the box, but a significant analysis effort is required to get useful information.

Related Resources


Mainframe encryption causes higher demand in TCP/IP address space

Many shops are using IBM’s pervasive encryption to protect their mainframe's integrity, but how do we get in front of the mainframe impacts or know which encryption methods might meet security requirements at lower cost?

Read more

A Better Mainframe Gearbox for your DevOps Environment

DevOps is here, and it will continue to evolve. Learn how to optimize your DevOps environment and how to integrate your teams into the DevOps oriented environment.

Read more

Potential Infrastructure CPU Reduction Opportunities in an Enterprise Consumption Environment

From a performance perspective, IBM's Tailored Fit Pricing opens up an array of options for reducing MSU consumption. This article summarizes tuning actions that you can take at the infrastructure level to realize CPU reductions.


Go to Resources