Provide support for using zERT Aggregation

Last activity 05-18-2019 08:59 AM
Bob Davidson
02-20-2019 12:45 PM

Allow NetMaster to make use of the SMF 119 subtype 12 records if available, and not insist on the subtype 11 records being available. zERT Aggregation can significantly reduce the number of SMF records being cut.

For reference, the definition of zERT aggregation:

zERT aggregation, available with new function APAR PI83362, is designed to provide the same level of cryptographic detail with much lower SMF volume than zERT discovery can generate.

zERT aggregation summarizes the repetitive use of security sessions over time. Security sessions are summarized from the server’s perspective (based on server IP address, server port, and client IP address), regardless of whether z/OS is the client or the server. For Enterprise Extender traffic, they are always summarized from the local z/OS peer’s perspective.

Summaries are written at the end of each SMF interval through new SMF 119 zERT summary (subtype 12) records which contain:

- Connection attributes (Server IP addr, server port, client IP addr, transport protocol)
- Significant security attributes (those that materially contribute to the strength of the cryptographic protection)
- Statistics (connection counts, byte counts, etc.)

With aggregation, the data recorded across a large number of SMF 119 subtype 11 records can be greatly condensed into a small set of SMF 119 subtype 12 records.

zERT aggregation configuration

Like zERT discovery, aggregation is enabled independently of the recording destinations:

A new GLOBALCONFIG ZERT sub-parameter enables/disables aggregation:

            GLOBALCONFIG ZERT AGGregation | NOAGGregation (the default is NOAGGREGATION)

A new SMFCONFIG parameter to configure writing of SMF 119 subtype 12 records to SMF:

            SMFCONFIG ZERTSUMmary | NOZERTSUMmary (default is NOZERTSUMMARY)

A new NETMONITOR parameter to configure writing of SMF 119 subtype 12 records to the SYSTCPES realtime NMI service:

            NETMONITOR ZERTSUMmary | NOZERTSUMmary (default is NOZERTSUMMARY)
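
The summarization described in the reference text above, as an added conceptual example that is not part of the original post and is not IBM or NetMaster code. The record fields, cipher labels and sample values are constructed for illustration and do not follow the real SMF 119 record layout.

```python
from collections import defaultdict

# Constructed sample: simplified per-connection records standing in for
# subtype 11 data. Field names are hypothetical, not the SMF 119 layout.
FIELDS = ("local_ip", "local_port", "remote_ip", "remote_port",
          "local_role", "transport", "protocol", "cipher", "bytes")
ROWS = [
    ("10.1.1.5", 443, "192.0.2.10", 50112, "server", "TCP", "TLSv1.2", "AES-128-GCM", 1200),
    ("10.1.1.5", 443, "192.0.2.10", 50113, "server", "TCP", "TLSv1.2", "AES-128-GCM", 800),
    ("10.1.1.5", 443, "192.0.2.10", 50114, "server", "TCP", "TLSv1.2", "AES-128-GCM", 500),
    # Same peers, weaker protection: must not be merged with the rows above.
    ("10.1.1.5", 443, "192.0.2.10", 50115, "server", "TCP", "TLSv1.0", "3DES-CBC", 300),
    # z/OS acting as the client: the remote side is the server.
    ("10.1.1.5", 40001, "198.51.100.7", 8443, "client", "TCP", "TLSv1.2", "AES-256-GCM", 700),
    ("10.1.1.5", 40002, "198.51.100.7", 8443, "client", "TCP", "TLSv1.2", "AES-256-GCM", 900),
]
CONNECTIONS = [dict(zip(FIELDS, row)) for row in ROWS]


def server_view(conn):
    """Return (server_ip, server_port, client_ip) whichever role z/OS played."""
    if conn["local_role"] == "server":
        return conn["local_ip"], conn["local_port"], conn["remote_ip"]
    return conn["remote_ip"], conn["remote_port"], conn["local_ip"]


def aggregate(connections):
    """Condense per-connection records into one summary per security session."""
    summaries = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for conn in connections:
        server_ip, server_port, client_ip = server_view(conn)
        # The client's ephemeral port is dropped; security attributes stay in
        # the key so differently protected traffic is reported separately.
        key = (server_ip, server_port, client_ip, conn["transport"],
               conn["protocol"], conn["cipher"])
        summaries[key]["connections"] += 1
        summaries[key]["bytes"] += conn["bytes"]
    return dict(summaries)


if __name__ == "__main__":
    for key, stats in aggregate(CONNECTIONS).items():
        print(key, stats)
```

Six connection records collapse into three summaries here, and the single TLSv1.0 connection remains visible as its own entry, which is why a monitor reading only summary records can still report on weak protection.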