On 19/09/2025 2:49 am, Steve Estle wrote:
> Is anyone actively using ZERT?
> Just looking for any ideas on jumpstarting knowledge / use of.
I've written some zERT reports for EasySMF, and Java classes to map the
records and translate them to JSON. I'm currently working on some
reports for Splunk, so I'm interested to hear what sort of information
would be useful.
Pretty-printed JSON is useful for understanding what sort of information
is in the records and how the sections relate to each other. Here's an
example from my test system (the termination record for a TLS 1.3
connection to the FTP server):
{
"smfDateTime": "2025-08-02T14:30:11.04",
"system": "S0W1",
"smf119hdSubtype": "ZertDetail",
"identificationSection": {
"smf119tiASName": "TCPIP",
"smf119tiAsid": 72,
"smf119tiAsid2": 72,
"smf119tiComp": "STACK",
"smf119tiReason": "Evt",
"smf119tiRecordID": 0,
"smf119tiReleaseID": "030100",
"smf119tiStack": "TCPIP",
"smf119tiSysName": "S0W1",
"smf119tiSysplexName": "SVSCPLEX",
"smf119tiUserID": "TCPIP"
},
"zertDetailCertificateDN": [
{
"smf119scDn": "CN\u003ddallas31.blackhillsoftware.com",
"smf119scDnType": "TLS_SRV_SDN"
},
{
"smf119scDn": "CN\u003dE5,O\u003dLet\u0027s Encrypt,C\u003dUS",
"smf119scDnType": "TLS_SRV_IDN"
}
],
"zertDetailCommonSection": {
"smf119scSaConnID": 35,
"smf119scSaEDateTime": "2025-08-02T04:30:11.04Z",
"smf119scSaEventType": "Termination",
"smf119scSaInBytes": 149,
"smf119scSaInSegDG": 27,
"smf119scSaIpProto": "TCP",
"smf119scSaJobID": "STC04793",
"smf119scSaJobname": "FTPSERVE",
"smf119scSaLPort": 21,
"smf119scSaLip": "172.20.32.13",
"smf119scSaOutBytes": 803,
"smf119scSaOutSegDG": 34,
"smf119scSaRPort": 51555,
"smf119scSaRip": "172.28.254.112",
"smf119scSaSDateTime": "2025-08-02T04:29:57.66Z",
"smf119scSaSecProtoTls": true,
"smf119scSaUserID": "TCPIP"
},
"zertDetailTLSSection": {
"smf119scTlsSessionId":
"846F75DA52147FECB476D5396E31665C1938D0BDB0A34C9A03FCFE3AE3E4841C",
"smf119scTlsSCertSerial": "05A90577E1902B084D9DFD348B9AC57FF5E6",
"smf119scTlsCCertDigestAlg": "NONE",
"smf119scTlsCCertEncMethod": "NONE",
"smf119scTlsCCertKeyLen": 0,
"smf119scTlsCCertKeyType": "NONE",
"smf119scTlsCCertSignatureMethod": "NONE",
"smf119scTlsCSEncAlg": "AES_GCM_128",
"smf119scTlsCSKexAlg": "ECDHE",
"smf119scTlsCSMsgAuth": "HMAC_SHA2_256",
"smf119scTlsClientHsSigMethod": "NONE",
"smf119scTlsCryptoFlags": 0,
"smf119scTlsFipsMode": "OFF",
"smf119scTlsHandshakeRole": "SERVER",
"smf119scTlsHandshakeType": "FULL",
"smf119scTlsNegCipher": "1301",
"smf119scTlsNegKeyShare": "X25519",
"smf119scTlsProtVer": "TLSV1_3",
"smf119scTlsProtocolProvider": "IBM System SSL",
"smf119scTlsSCertDigestAlg": "SHA384",
"smf119scTlsSCertEncMethod": "ECDSA",
"smf119scTlsSCertKeyLen": 256,
"smf119scTlsSCertKeyType": "ECC",
"smf119scTlsSCertSignatureMethod": "ECDSA_SHA384",
"smf119scTlsSCertTime": "2025-10-14T15:18:43Z",
"smf119scTlsServerHsSigMethod": "ECDSA_SHA256",
"smf119scTlsSource": "PROVIDER"
}
}
--
Andrew Rowley
Black Hill Software
[email protected]