Skip to main content

When should I use zERT Discovery, zERT Aggregation or the zERT Network Analyzer?

zERT Discovery, zERT Aggregation and zERT Network Analyzer can all be used for different reasons. Learn when you should use each one.

Chris Meyer, IBM senior technical staff member

Q: When should I use zERT Discovery, zERT Aggregation or the zERT Network Analyzer?


With z/OS* Encryption Readiness Technology (zERT), z/OS network security administrators have a powerful toolkit for discovering, recording and analyzing the cryptographic protection attributes of TCP/IP and Enterprise Extender (EE) traffic that terminates on their local z/OS systems. Unprotected traffic is also reported.

zERT Discovery collects TLS/SSL, IPsec and SSH protection attributes of each TCP and EE connection and writes them to SMF or real-time monitoring applications over a Network Management Interface (NMI) as SMF type 119 subtype 11 “zERT Connection Detail” records. At least one such record is generated for each TCP and EE connection.

zERT Aggregation tracks repeated use of security sessions during an SMF interval, noting each session’s protection attributes and how many connections it protected during that interval. When the interval ends, zERT Aggregation writes one SMF type 119 subtype 12 “zERT Summary” record for each session to SMF or real-time monitoring applications via its own NMI.

The zERT Network Analyzer is a z/OSMF plugin that reads SMF 119-12 records from SMF dump data sets and stores the data in a Db2* for z/OS database, allowing authorized users to build and execute their own queries against that data. Query results are displayed in the web browser or are written to a comma-separated-value (CSV) file.   

For many, the zERT Network Analyzer provides all of the analytic capabilities you’ll need. If you don’t use another product that supports zERT data, and if you use Db2 for z/OS, consider using the network analyzer. 

Several IBM and ISV products for SMF processing and z/OS network monitoring support zERT data. Multiple products use one or both zERT NMI services. If you use any of these products, enable the appropriate real-time NMI service on the TCPIP profile NETMONITOR statement.   

IBM zSecure Audit V2.3 reads zERT records in real time, but does so through an SMF logstream exit, so you must enable TCPIP profile SMFCONFIG TYPE119 parameters for whichever records you want it to handle. zSecure Audit can also feed zERT SMF 119-11 data to IBM QRadar.   

Other products consume both zERT record types from SMF. For these, enable the appropriate parameters on the TCPIP profile SMFCONFIG TYPE119 statement.

Also consider the audience for each product you use. For example, you might have QRadar, but can your z/OS network security administrators use it? Different users may need to use different tools.

Finally, many clients write their own tools to collect and process SMF data. For them, SMF 119-12 records are a great starting point. These records contain the critical cryptographic detail, usually in far fewer records than SMF 119-11s. If you need to correlate per-connection data with other types of records, or if you need some of the non-critical details that only SMF 119-11 records contain, then collect those records instead. You can collect both types if you have the need. Ensure you properly estimate the amount of space you’ll need to store the records per your SMF collection guidelines.

Learn more about zERT.

IBM Systems Webinar Icon

View upcoming and on-demand (IBM Z, IBM i, AIX, Power Systems) webinars.
Register now →