








	*SMF Tools*

SMF type 119 Record - Subtype 12

This table shows the record layout for type 119 SMF records
(zERT Summary Record).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: SMF 119-12 (zERT summary records) function as both interval and event records for the z/OS Encryption Readiness Technology (zERT) aggregation function.

As interval records, the zERT summary records are generated at user specified intervals. The record provides statistical data about an individual security session that provided cryptographic protection for one or more TCP or Enterprise Extender (EE) connections during the previous recording interval. The record also provides information describing the cryptographic characteristics of the security session.

Each record reports statistical data about the security session for the previous recording interval. The starting and ending values for the previous recording interval are reported for each statistic.

If zERT aggregation is turned off dynamically or the TCP stack terminates, a final complete set of subtype 12 records is generated to report close out data. These records are reported to the z/OS System Management Facility or the real-time zERT Summary SMF NMI service, or both, depending on the SMF record destination in effect.

In addition, if recording of zERT summary records to the z/OS System Management Facility is turned off dynamically, a final complete set of subtype 12 records is reported to the z/OS System Management Facility to report close out data. No records are reported to the real-time zERT Summary SMF NMI service for this condition.

As event records, zERT summary records are written for two events:

The zERT aggregation function is enabled.
The zERT aggregation function is disabled dynamically.

The format of the zERT summary record is the same for both interval and event usage, although the zERT summary event records include just the TCP/IP Identification section and the zERT common section.

It's easy to report on SMF 119 data! (Jump to sample reports)

We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.

SMF Type 119 Record -- zERT Summary Record
Offset (Dec.)	Offset (Hex)	Name	Length	Format	Description
0	0	SMF119LEN	2	binary	Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word).
2	2	SMF119SEG	2	binary	Segment descriptor (see record length field).
4	4	SMF119FLG	1	binary	System indicator Bit Meaning When Set 0 New record format 1 Subtypes used 2 Reserved. 3-6 Version indicators 7 System is running in PR/SM mode.
5	5	SMF119RTY	1	binary	Record type 119 77.
6	6	SMF119TME	4	binary	Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
10	A	SMF119DTE	4	packed	Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
14	E	SMF119SID	4	EBCDIC	System identification (from the SMFPRMxx SID parameter).
18	12	SMF119SSI	4	EBCDIC	Subsystem identification.
22	16	SMF119STY	2	binary	Record subtype.
Self Defining Section
24	18	SMF119TRN	2	binary	Number of triplets in this record (7)
26	1A	--	2	binary	Reserved.
28	1C	SMF119IDOff	4	Binary	Offset to TCP/IP identification section
32	20	SMF119IDLen	2	Binary	Length of TCP/IP identification section
34	22	SMF119IDNum	2	Binary	Number of TCP/IP identification sections
36	24	SMF119S1Off	4	Binary	Offset to zERT connection detail common section
40	28	SMF119S1Len	2	Binary	Length of zERT connection detail common section
42	2A	SMF119S1Num	2	Binary	Number of zERT connection detail common section
44	2C	SMF119S2Off	4	Binary	Offset to TLS protocol attributes section
48	30	SMF119S2Len	2	Binary	Length of TLS protocol attributes section
50	32	SMF119S2Num	2	Binary	Number of TLS protocol attributes sections
52	34	SMF119S3Off	4	Binary	Offset to SSH protocol attributes section
56	38	SMF119S3Len	2	Binary	Length of SSH protocol attributes section
58	3A	SMF119S3Num	2	Binary	Number of SSH protocol attributes sections
60	3C	SMF119S4Off	4	Binary	Offset to IPSec protocol attributes section
64	40	SMF119S4Len	2	Binary	Length of IPSec protocol attributes section
66	42	SMF119S4Num	2	Binary	Number of IPSec protocol attributes sections
68	44	SMF119S5Off	4	Binary	Offset to certificate DNs section
72	48	SMF119S5Len	2	Binary	Length of certificate DNs section
74	4A	SMF119S5Num	2	Binary	Number of certificate DNs sections
TCP/IP stack identification section For all zERT summary records, the TCP/IP stack identification section indicates STACK as the subcomponent. zERT summary event records indicate X'08' (event record) for the record reason. zERT summary interval records indicate one of three possible interval record reason settings, depending on whether the reporting is because of interval expiration, statistics collection termination, or collection shutdown.(Offset from beginning of record: SMF119IDOff)
0	0	SMF119TI_ SYSName	8	EBCDIC	System name from SYSNAME in IEASYSxx
8	8	SMF119TI_ SysplexName	8	EBCDIC	Sysplex name from SYSPLEX in COUPLExx
16	10	SMF119TI_ Stack	8	EBCDIC	TCP/IP stack name
24	18	SMF119TI_ ReleaseID	8	EBCDIC	z/OS Communications Server TCP/IP release identifier
32	20	SMF119TI_ Comp	8	EBCDIC	TCP/IP subcomponent (right padded with blanks): FTPC FTP Client FTPS FTP server IP IP layer STACK Entire TCP/IP stack TCP TCP layer TN3270C TN3270 Client TN3270S TN3270 server UDP UDP layer
40	28	SMF119TI_ ASName	8	EBCDIC	Started task qualifier or address space name of address space that writes this SMF record
48	30	SMF119TI_ UserID	8	EBCDIC	User ID of security context under which this SMF record is written
56	38	--	2	EBCDIC	Reserved
58	3A	SMF119TI_ ASID	2	Binary	ASID of address space that writes this SMF record
60	3C	SMF119TI_ Reason	1	Binary	Reason for writing this SMF record: X'08' Event record X'C0' Interval statistics record, more records follow X'80' Interval statistics record, last record in set X'60' End-of-statistics record, more records follow X'20' End-of-statistics record, last record in set X'50' Shutdown starts record, more records follow X'10' Shutdown starts record, last record in set
61	3D	--	3	EBCDIC	Reserved
zERT summary section. (Subtype 12) Every zERT summary record has one of these sections Unless noted in the field description, all TCP and Enterprise Extender (EE) connection statistics reported in the common section represent activity from the time the zERT aggregation function began tracking this security session until the time that the zERT aggregation function stops tracking it. The zERT aggregation function stops tracking a security session when one complete SMF recording interval passes without any connections being protected by the security session. The TCP and Enterprise Extender (EE) connection statistics counts are approximate.(Offset from beginning of record: SMF119S1Off)
0	0	SMF119SS_ SAIntervalDuration	8	Binary	Duration of recording interval in microseconds, where bit 51 is equivalent to 1 microsecond.
8	8	SMF119SS_ SAEvent_ Type	1	Binary	Event type: 1. Summary interval record 2. zERT aggregation function enabled event record 3. zERT aggregation function disabled event record
9	9	SMF119SS_ SAFlags	1	Binary	Flags: X'80': The session uses IPv6 addresses X’40’: The local socket of this session is acting as the server (only meaningful when SMF119SS_SAIPProto indicates TCP) X’20’: The local socket of this session is acting as the client (only meaningful when SMF119SS_SAIPProto indicates TCP) X'10': This security session represents Enterprise Extender connections (only meaningful when SMF119SS_SAIPProto indicates UDP) X’08’: This security session represents IPv4 outbound data connections that are established by the FTP server to the FTP client. X’04’: AT-TLS cryptographic data protection operations are bypassed for this security session as part of a stack optimization for intra-host connections. Only AT-TLS peer authentication operations are executed in this case.
10	A	SMF119SS_ SASecProtos	1	Binary	Cryptographic security protocol. Only one value is set. Possible values are: X'00': No recognized cryptographic protection X'80': TLS/SSL X'40': SSH X'20': IPSec
11	B	SMF119SS_ SAJobname	8	EBCDIC	Jobname that is associated with the socket.
19	13	SMF119SS_ SAUserID	8	EBCDIC	z/OS® user ID associated with the socket Note The value FTPUSR is specified when this security session represents an aggregation of FTP data connections and we are reporting at the FTP server (SMF119SS_SAFlags = x’40.
27	1B	SMF119SS_ SAIPProto	1	Binary	IP Protocol value. Possible values are: 6: TCP 17: UDP
28	1C	SMF119SS_ SASrvIP	16	Binary	Server IP address. If SMF119SS_Flags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
44	2C	SMF119SS_ SACltIP	16	Binary	Client IP address. If SMF119SS_Flags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
60	3C	SMF119SS_ SASrvPortStart	2	Binary	Starting value for server port range. For information on this field, see How does zERT aggregation determine the server port? in z/OS Communications Server: IP Configuration Guide.
62	3E	SMF119SS_ SASrvPortEnd	2	Binary	Ending value for server port range. If this security session represents a single-server port, then the ending value equals the starting value for the port range.
64	40	SMF119SS_ SASessionID	42	EBCDIC	Session identifier that uniquely identifies a security session based on the server and client endpoints plus the significant security attributes for the session. The session identifier is in the form p-value, where p represents the cryptographic protocol. Possible values for p are: C = No recognized cryptographic protection I = IPSec T = TLS/SSL S = SSH '-' is a separator character value is a 20-character hexadecimal string
106	6A	--	2	binary	Reserved (alignment)
108	6C	SMF119SS_ SAInitLifeConnCnt	4	Binary	Count of connections for the life of this security session at the beginning of the summary interval.
112	70	SMF119SS_ SAInitLifePartialConnCnt	4	Binary	Count of the partial connections for the life of this security session at the beginning of the summary interval. This is a subset of the connections reported in SMF119SS_SAInitLifeConnCnt. A connection is considered to be a “partial connection” if one or more of these conditions is met: - The connection was in existence before it was associated with this security session - The security session stopped being associated with the connection, but the connection continued to exist.
116	74	SMF119SS_ SAInitLifeShortConnCnt	4	Binary	Count of short connections for the life of this security session at the beginning of the summary interval. Short connections are connections that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP.
120	78	SMF119SS_ SAInitActiveConnCnt	4	Binary	Number of active connections that are associated with this security session at the beginning of the summary interval.
124	7C	SMF119SS_ SAInitLifeInBytes	8	Binary	Inbound byte count for the life of this security session at the beginning of the summary interval.
132	84	SMF119SS_ SAInitLifeOutBytes	8	Binary	Outbound byte count for the life of this security session at the beginning of the summary interval.
140	8C	SMF119SS_ SAInitLifeInSegDG	8	Binary	Inbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval.
148	94	SMF119SS_ SAInitLifeOutSegDG	8	Binary	Outbound TCP segment or UDP datagram count for the life of this security session at the beginning of the summary interval.
156	9C	SMF119SS_ SAEndLifeConnCnt	4	Binary	Count of connections for the life of this security session at the end of the summary interval.
160	A0	SMF119SS_ SAEndLifePartialConnCnt	4	Binary	Count of partial connections for the life of this security session at the end of the summary interval. This is a subset of the connections reported in SMF119SS_SAEndLifeConnCnt that were associated with the security session for only part of their existence, using the same conditions described for SMF119SS_SAInitLifePartialConnCnt.
164	A4	SMF119SS_ SAEndLifeShortConnCnt	4	Binary	Count of short connections for the life of this security session at the end of the summary interval. Short connections are ones that last less than 10 seconds. This value is only meaningful when SMF119SS_SAIPProto indicates TCP.
168	A8	SMF119SS_ SAEndActiveConnCnt	4	Binary	Number of active connections that are associated with this security session at the end of the summary interval.
172	AC	SMF119SS_ SAEndLifeInBytes	8	Binary	Inbound byte count for the life of this security session at the end of the summary interval.
180	B4	SMF119SS_ SAEndLifeOutBytes	8	Binary	Outbound byte count for the life of this security session at the end of the summary interval.
188	BC	SMF119SS_ SAEndLifeInSegDG	8	Binary	Inbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval.
196	C4	SMF119SS_ SAEndLifeOutSegDG	8	Binary	Outbound TCP segment or UDP datagram count for the life of this security session at the end of the summary interval.
zERT TLS summary protocol attributes section. (Subtype 12) This section is present in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is a TLS or SSL security session (that is, when it contains the value X'80').(Offset from beginning of record: SMF119S2Off)
0	0	SMF119SS_ TLS_ Source	1	Binary	Source of the information in this record. Can be one of the following values: X'01': Stream observation X'02': Cryptographic protocol provider
1	1	SMF119SS_ TLS_ CryptoFlags	1	BINARY	Cryptographic operations flags: X'80': Encrypt-then-MAC processing is used
2	2	SMF119SS_ TLS_ Prot_ Ver	2	Binary	Protocol version: X'0000': Unknown version X'0200': SSLv2 X'0300': SSLv3 X'0301': TLSv1.0 X'0302': TLSv1.1 X'0303': TLSv1.2
4	4	SMF119SS_ TLS_ Neg_ Cipher	6	EBCDIC	Negotiated cipher suite identifier. If the TLS version is SSLv3 or higher, this is a four character value in the first 4 bytes of this field, padded with trailing blanks. Refer to the TLS Cipher Suite registry for a complete list of the 4-hexadecimal-character values. If the TLS version is SSLv2, then all 6 bytes are used: '010080': 128-bit RC4 with MD5 '020080': 40-bit RC4 with MD5 '030080': 128-bit RC2 with MD5 '040080': 40-bit RC2 with MD5 '050080': 128-bit IDEA with MD5 '060040': DES with MD5 '0700C0': 3DES with MD5
10	A	SMF119SS_ TLS_ CS_ Enc_ Alg	2	Binary	The symmetric encryption algorithm used by the cipher suite: X'0000': Unknown X'0001': None X'0002': DES X'0003': DES 40 X'0004': 3DES X'0005': RC2 40 X'0006': RC2 128 X'0007': RC2 X'0008': RC4 40 X'0009': RC4 128 X'000A': RC4 256 X'000B': RC4 X'000C': AES CBC 128 X'000D': AES CBC 192 X'000E': AES CBC 256 X'000F': AES CTR 128 X'0010': AES CTR 192 X'0011': AES CTR 256 X'0012': AES GCM 128 X'0013': AES GCM 256 X'0014': AES CCM 128 X'0015': AES CCM 256 X'0016': AES CCM8 128 X'0017': AES CCM8 256 X'0018': AES 256 X'0019': Blowfish X'001A': Blowfish CBC X'001B': CAST 128 CBC X'001C': ARCFOUR 128 X'001D': ARCFOUR 256 X'001E': ARCFOUR X'001F': Rijndael CBC X'0020': ACSS X'0021': ARIA 128 CBC X'0022': ARIA 256 CBC X'0023': ARIA 128 GCM X'0024': ARIA 256 GCM X'0025': Camellia 128 CBC X'0026': Camellia 256 CBC X'0027': Camellia 128 GCM X'0028': Camellia 256 GCM X'0029': ChaCha20 Poly1305 X'002A': IDEA CBC X'002B': SEED CBC X'002C': Fortezza X'002D': GOST28147 X'002E': TwoFish CBC 256 X'002F': TwoFish CBC X'0030': TwoFish CBC 192 X'0031': TwoFish CBC 128 X'0032': Serpent CBC 256 X'0033': Serpent CBC 192 X'0034': Serpent CBC 128
12	C	SMF119SS_ TLS_ CS_ Msg_ Auth	2	Binary	The message authentication algorithm used by the cipher suite: X'0000': Unknown X'0001': No message authentication, or uses authenticated encryption algorithm like AES-GCM X'0002': MD2 X'0003': HMAC-MD5 X'0004': HMAC-SHA1 X'0005': HMAC-SHA2-224 X'0006': HMAC-SHA2-256 X'0007': HMAC-SHA2-384 X'0008': HMAC-SHA2-512 X'0009': AES-GMAC-128 X'000A': AES-GMAC-256 X'000B': AES-128-XCBC-96 X'000C': HMAC-SHA2-256-128 X'000D': HMAC-SHA2-384-192 X'000E': HMAC-SHA2-512-256 X'000F': HMAC-MD5-96 X'0010': HMAC-SHA1-96 X'0011': UMAC-64 X'0012': UMAC-128 X'0013': RIPEMD-160
14	E	SMF119SS_ TLS_ CS_ Kex_ Alg	2	Binary	The key exchange algorithm used by the cipher suite: X'0000': Unknown X'0001': None X'0002': RSA X'0003': RSA_EXPORT X'0004': RSA_PSK X'0005': DH_RSA X'0006': DH_RSA_EXPORT X'0007': DH_DSS X'0008': DH_ANON X'0009': DH_ANON_EXPORT X'000A': DH_DSS_EXPORT X'000B': DHE_RSA X'000C': DHE_RSA_EXPORT X'000D': DHE_DSS X'000E': DHE_DSS_EXPORT X'000F': DHE_PSK X'0010': ECDH_ECDSA X'0011': ECDH_RSA X'0012': ECDH_ANON X'0013': ECDHE_ECDSA X'0014': ECDHE_RSA X'0015': ECDHE_PSK X'0016': KRB5 X'0017': KRB5_EXPORT X'0018': PSK X'0019': SRP_SHA_RSA X'001A': SRP_SHA_DSS X'001B': SRP_SHA
Server certificate information
16	10	SMF119SS_ TLS_ SCert_ Signature_ Method	2	Binary	Server certificate signature method: X'0000': Unknown X'0001': None X'0002': RSA with MD2 X'0003': RSA with MD5 X'0004': RSA with SHA1 X'0005': DSA with SHA1 X'0006': RSA with SHA-224 X'0007': RSA with SHA-256 X'0008': RSA with SHA-384 X'0009': RSA with SHA-512 X'000A': ECDSA with SHA1 X'000B': ECDSA with SHA-224 X'000C': ECDSA with SHA-256 X'000D': ECDSA with SHA-384 X'000E': ECDSA with SHA-512 X'000F': DSA with SHA-224 X'0010': DSA with SHA-256
18	12	SMF119SS_ TLS_ SCert_ Enc_ Method	2	Binary	Server certificate encryption method: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': ECDSA
20	14	SMF119SS_ TLS_ SCert_ Digest_ Alg	2	Binary	Server certificate digest algorithm: X'0000': Unknown X'0001': None X'0002': MD2 X'0003': MD5 X'0004': SHA1 X'0005': SHA-224 X'0006': SHA-256 X'0007': SHA-384 X'0008': SHA-512
22	16	SMF119SS_ TLS_ SCert_ Key_ Type	2	Binary	Server certificate key type: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': Diffie-Hellman (DH) X'0005': Elliptic Curve Cryptography (ECC)
24	18	SMF119SS_ TLS_ SCert_ Key_ Len	2	BINARY	Server certificate key length
Client certificate information
26	1A	SMF119SS_ TLS_ CCert_ Signature_ Method	2	BINARY	Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
28	1C	SMF119SS_ TLS_ CCert_ Enc_ Method	2	BINARY	Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
30	1E	SMF119SS_ TLS_ CCert_ Digest_ Alg	2	BINARY	Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
32	20	SMF119SS_ TLS_ CCert_ Key_ Type	2	BINARY	Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
34	22	SMF119SS_ TLS_ CCert_ Key_ Len	2	BINARY	Client certificate key length
zERT summary SSH protocol attributes section. (Subtype 12) This section is present in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is an SSH security session (i.e., when it contains the value X'40').(Offset from beginning of record: SMF119S3Off)
0	0	SMF119SS_ SSH_ Source	1	BINARY	Source of the information in this record. Can be one of the following values: X'01': Stream observation X'02': Cryptographic protocol provider 1 1 1 Unused
2	2	SMF119SS_ SSH_ Prot_ Ver	1	BINARY	Protocol version : 1 Protocol version 1 2 Protocol version 2
3	3	SMF119SS_ SSH_ CryptoFlags	1	BINARY	Cryptographic operations flags: X'80': Encrypt-then-MAC processing is used for inbound traffic X'40': Encrypt-then-MAC processing is used for outbound traffic
4	4	SMF119SS_ SSH_ Auth_ Method	2	BINARY	First or only peer authentication method that is used for this security session: X'0000': Unknown X'0001': None X'0002': Password X'0003': Public key X'0004': Host-based X'0005': Rhosts X'0006': RhostsRSA X'0007': RSA X'0008': Keyboard-interactive X'0009': Challenge-response X'000A': Control socket 1 X'000B': GSSAPI with MIC X'000C': GSSAPI Key exchange
6	6	SMF119SS_ SSH_ Auth_ Method2	2	BINARY	If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SS_SSH_Auth_Method
8	8	SMF119SS_ SSH_ In_ Enc_ Alg	2	BINARY	Encryption algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg.
10	A	SMF119SS_ SSH_ In_ Msg_ Auth	2	BINARY	Message authentication algorithm for inbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth.
12	C	SMF119SS_ SSH_ Kex_ Method	2	BINARY	Key exchange method. X'0000' Unknown X'0001' None X'0002' Diffie-Hellman-group-exchangeSHA256 X'0003' Diffie-Hellman-group-exchangeSHA1 X'0004' Diffie-Hellman-group14-SHA1 X'0005' Diffie-Hellman-group1-SHA1 X'0006' ECDH-SHA2-NISTP256 X'0007' ECDH-SHA2-NISTP384 X'0008' ECDH-SHA2-NISTP521 X'0009' GSS-GROUP1-SHA1 X'000A' GSS-GROUP14-SHA1 X'000B' GSS-GEX-SHA1 X'000C' ECMQV-SHA2 X'000D' GSS-* X'000E' RSA1024-SHA1 X'000F' RSA2048-SHA256
14	E	SMF119SS_ SSH_ Out_ Enc_ Alg	2	BINARY	Encryption algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Enc_Alg.
16	10	SMF119SS_ SSH_ Out_ Msg_ Auth	2	BINARY	Message authentication algorithm for outbound traffic. Same values as SMF119SS_TLS_CS_Msg_Auth.
18	12	SMF119SS_ SSH_ SKey_ Type	2	BINARY	Type of raw server key: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': Diffie-Hellman (DH) X'0005': Elliptic Curve Cryptography (ECC) X'0006': RSA1 (SSHV1 only) X'0007': RSA_CERT (from OpenSSH certificate) X'0008': DSA_CERT (from OpenSSH certificate) X'0009': ECDSA_CERT (from OpenSSH certificate)
20	14	SMF119SS_ SSH_ SKey_ Len	2	BINARY	Length of raw server key in bits.
22	16	SMF119SS_ SSH_ CKey_ Type	2	BINARY	Type of raw client key. Same values as SMF119SS_SSH_Server_Key_Type.
24	18	SMF119SS_ SSH_ CKey_ Len	2	BINARY	Length of raw client key in bits.
Server X.509 certificate information
26	1A	SMF119SS_ SSH_ SCert_ Signature_ Method	2	BINARY	Server certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
28	1C	SMF119SS_ SSH_ SCert_ Enc_ Method	2	BINARY	Server certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
30	1E	SMF119SS_ SSH_ SCert_ Digest_ Alg	2	BINARY	Server certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
32	20	SMF119SS_ SSH_ SCert_ Key_ Type	2	BINARY	Server certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
34	22	SMF119SS_ SSH_ SCert_ Key_ Len	2	BINARY	Server certificate key length
Client X.509 certificate information
36	24	SMF119SS_ SSH_ CCert_ Signature_ Method	2	BINARY	Client certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
38	26	SMF119SS_ SSH_ CCert_ Enc_ Method	2	BINARY	Client certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
40	28	SMF119SS_ SSH_ CCert_ Digest_ Alg	2	BINARY	Client certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
42	2A	SMF119SS_ SSH_ CCert_ Key_ Type	2	BINARY	Client certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
44	2E	SMF119SS_ SSH_ CCert_ Key_ Len	2	BINARY	Client certificate key length
zERT IPSec summary attributes section. (Subtype 12) This section is present in a zERT summary interval record when the SMF119SS_SecProto field of the zERT summary common section indicates that this is an IPSec security session (that is, when it contains the value X'20').(Offset from beginning of record: SMF119S4Off)
0	0	SMF119SS_ IPSec_ IKEMajVer	1	BINARY	Major version of the IKE protocol in use. Only the low-order 4 bits are used.
1	1	SMF119SS_ IPSec_ IKEMinVer	1	BINARY	Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
2	2	SMF119SS_ IPSec_ IKETunLclEndpt	16	BINARY	Local IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
18	12	SMF119SS_ IPSec_ IKETunRmtEndpt	16	BINARY	Remote IP address of tunnel endpoint. If SMF119SS_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
34	22	SMF119SS_ IPSec_ IKETunLclAuthMeth	2	BINARY	The authentication method for the local endpoint. One of the following values: X'00': Unknown or manual tunnel X'01': None X'02': RSA signature X'03': Preshared key X'04': ECDSA-256 signature X'05': ECDSA-384 signature X'06': ECDSA-521 signature X'07': Digital signature
36	24	SMF119SS_ IPSec_ IKETunRmtAuthMeth	2	BINARY	The authentication method for the remote endpoint. Same values as SMF119SS_IPSec_IKETunLclAuthMeth.
38	26	SMF119SS_ IPSec_ IKETunAuthAlg	2	BINARY	Tunnel authentication algorithm. Same values as SMF119SS_TLS_CS_Msg_Auth.
40	28	SMF119SS_ IPSec_ IKETunEncAlg	2	BINARY	Tunnel encryption algorithm. Same values as SMF119SS_TLS_CS_Enc_Alg.
42	2A	SMF119SS_ IPSec_ IKETunDHGroup	2	BINARY	Diffie-Hellman group that is used to generate the keying material for this IKE tunnel. One of the following values: X'00': Unknown or manual tunnel X'01': Group1 X'02': Group 2 X'05': Group 5 X'0E': Group 14 X'13': Group 19 X'14': Group 20 X'15': Group 21 X'18': Group 24 X'FF': No DH group used (only possible for SMF119SS_IPSec_PFSGroup, where these values are also used)
44	2C	SMF119SS_ IPSec_ IKETunPseudoRandFunc	2	BINARY	Pseudo-random function that is used for seeding keying material. One of the following values: X'00': Unknown or manual tunnel X'01': None X'02': HMAC-SHA2-256 X'03': HMAC-SHA2-384 X'04': HMAC-SHA2-512 X'05': AES-128-XCBC X'06': HMAC-MD5 X'07': HMAC-SHA1
IKE Local certificate information. This information is populated if SMF119SS_IPSec_IKETunLocalAuthMeth is not “preshared key” (or not a value of 3). Otherwise, all fields are set to zero.
46	2E	SMF119SS_ IPSec_ LclCert_ Sign_ Meth	2	BINARY	Local IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
48	30	SMF119SS_ IPSec_ LclCert_ Enc_ Meth	2	BINARY	Local IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
50	32	SMF119SS_ IPSec_ LclCert_ Digest_ Alg	2	BINARY	Local IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
52	34	SMF119SS_ IPSec_ LclCert_ Key_ Type	2	BINARY	Local IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
54	36	SMF119SS_ IPSec_ LclCert_ Key_ Len	2	BINARY	Local IKE certificate key length in bits
IKE Peer certificate information. This information is populated if SMF119SS_IPSec_IKETunRmtAuthMeth is not “preshared key” (or not a value of 3). Otherwise, all fields set to zero.
56	38	SMF119SS_ IPSec_ RmtCert_ Sign_ Meth	2	BINARY	Remote IKE certificate signature method. Same values as SMF119SS_TLS_SCert_Signature_Method.
58	3A	SMF119SS_ IPSec_ RmtCert_ Enc_ Meth	2	BINARY	Remote IKE certificate encryption method. Same values as SMF119SS_TLS_SCert_Enc_Method.
60	3C	SMF119SS_ IPSec_ RmtCert_ Digest_ Alg	2	BINARY	Remote IKE certificate digest algorithm. Same values as SMF119SS_TLS_SCert_Digest_Alg.
62	3E	SMF119SS_ IPSec_ RmtCert_ Key_ Type	2	BINARY	Remote IKE certificate key type. Same values as SMF119SS_TLS_SCert_Key_Type.
64	40	SMF119SS_ IPSec_ RmtCert_ Key_ Len	2	BINARY	Remote IKE certificate key length in bits
IPsec (Phase 2) tunnel information
66	42	SMF119SS_ IPSec_ PFSGroup	2	BINARY	Diffie-Hellman group that is used for perfect forward secrecy. Same values as SMF119SS_IPSec_IKETunDHGroup.
68	44	SMF119SS_ IPSec_ EncapMode	1	BINARY	Tunnel encapsulation mode. One of the following values: X'01': Tunnel Mode X'02': Transport Mode
69	45	SMF119SS_ IPSec_ AuthProto	1	BINARY	The protocol that is used for message authentication. One of the following values: 50 Encapsulating Security Payload (ESP) 51: Authentication Header (AH)
70	46	SMF119SS_ IPSec_ AuthAlg	2	BINARY	The tunnel authentication algorithms. Same values as SMF119SS_TLS_CS_Msg_Auth.
72	48	SMF119SS_ IPSec_ EncAlg	2	BINARY	The tunnel encryption algorithms. Same values as !!119SS_TLS_CS_Enc_Alg.
zERT summary Distinguished Names (DN) section (Subtype 12) This section contains one or more variable length X.500 DNs from relevant X.509 certificates. Subject and issuer DNs from the certificates are included in the zERT DNs section. If any DNs exist, there is one zERT summary DN section that contains all the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. (Offset from beginning of record: SMF119S5Off)
0	0	SMF119SS_ DN_ Len	2	Binary	Length of the DN structure (includes the length of SMF119SS_DN_Len, SMF119SS_DN_Type, and SMF119SS_DN)
2	2	SMF119SS_ DN_ Type	2	Binary	Type of Distinguished Name: X'0001': IPSec Local Certificate Subject DN X'0002': IPSec Local Certificate Issuer DN X'0003': IPSec Remote Certificate Subject DN X'0004': IPSec Remote Certificate Issuer DN X'0005': TLS Server Certificate Subject DN X'0006': TLS Server Certificate Issuer DN X'0007': TLS Client Certificate Subject DN X'0008': TLS Client Certificate Issuer DN X'0009': SSH Server Certificate Subject DN X'000A': SSH Server Certificate Issuer DN X'000B': SSH Client Certificate Subject DN X'000C': SSH Client Certificate Issuer DN
4	4	SMF119SS_ DN	1024	EBCDIC	The variable length DN value (up to 1024)

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Spectrum SMF Writer - the 4GL SMF Report Writer.

Sample Report from SMF 119 Subtype 2 Records
Showing Information about TCP Connections

The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

In this report, we read as input the SMF file and select just the type 119 subtype 2 TCP Connection Termination records. (See SMF 119 Subtype 2 record layout.) The report shows information about terminated TCP connections, including start time, end time and computed elapsed time. It also shows the total number of bytes sent and received during the connection and the termination code. Our record layout also expands the 1-byte termination code into a readable descriptive text. The report is grouped by TCP/IP Stack and Resource. The report includes subtotals for each Resource.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:


INPUT:  SMF119 LIST(YES)

INCLUDEIF: SMF119RTY=119 AND SMF119STY=2

COMPUTE: MY_DURATION(2) = #MAKETIME(
               ((#MAKENUM(SMF119AP_TTEDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTETIME))
             - ((#MAKENUM(SMF119AP_TTSDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTSTIME))
                                   )

TITLE: 'Z/OS TCP DAILY CONNECTIONS REPORT'
TITLE: 'SYSTEM:' SMF119TI_SYSNAME
       'SYSPLEX:' SMF119TI_SYSPLEXNAME
       'STACK:' SMF119TI_STACK
TITLE: 'SORTED BY STACK AND RESOURCE NAME'

COLUMNS: SMF119AP_TTRNAME('RESOURCE')
         SMF119AP_TTSDATE('DATE/STARTED')
         SMF119AP_TTSTIME('TIME/STARTED')
         SMF119AP_TTEDATE('DATE/ENDED')
         SMF119AP_TTETIME('TIME/ENDED')
         MY_DURATION('CONNECTION/DURATION/HH:MM:SS.SS' ACCUM
                     TP'ZZ:ZZ:Z9.99')
         SMF119AP_TTINBYTES('INBOUND/BYTES')
         SMF119AP_TTOUTBYTES('OUTBOUND/BYTES')
         SMF119AP_TTTERMCODE(HEX 'TERM/CODE')
         SMF119AP_TTTERMCODE_DESC('TERM CODE DESC')

SORT:    SMF119TI_STACK
         SMF119AP_TTRNAME
         SMF119AP_TTSDATE
         SMF119AP_TTSTIME

BREAK:   SMF119AP_TTRNAME

Produce This SMF Report:


                                              Z/OS TCP DAILY CONNECTIONS REPORT
                                    SYSTEM: ST1      SYSPLEX: SYPROD    STACK: S01QDAS
                                             SORTED BY STACK AND RESOURCE NAME

                                                    CONNECTION
            DATE      TIME       DATE      TIME      DURATION      INBOUND        OUTBOUND    TERM
 RESOURCE STARTED    STARTED    ENDED      ENDED    HH:MM:SS.SS     BYTES          BYTES      CODE     TERM CODE DESC
 ________ ________ ___________ ________ ___________ ___________ ______________ ______________ ____ _______________________

 FTPTA5   03/21/09 14:04:06.81 03/21/09 14:04:07.46        0.65        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:05:35.59 03/21/09 14:05:45.67       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 14:12:13.81 03/21/09 14:12:14.51        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:12:27.35 03/21/09 14:12:37.42       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 15:30:34.96 03/21/09 15:30:35.64        0.68        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 15:35:13.92 03/21/09 15:35:24.00       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA5   (    6 ITEMS)                     32.26        853,740         10,143
 
 FTPTA6   03/21/09 14:05:38.03 03/21/09 14:05:38.70        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:07:23.60 03/21/09 14:07:33.68       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 14:12:29.83 03/21/09 14:12:30.50        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:17:10.02 03/21/09 14:17:20.16       10.14         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 15:35:16.45 03/21/09 15:35:17.21        0.76        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 15:36:15.10 03/21/09 15:36:25.18       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA6   (    6 ITEMS)                     32.40        853,740         10,143
 
 FTPTA7   03/21/09 14:07:26.16 03/21/09 14:07:26.86        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:08:24.36 03/21/09 14:08:34.50       10.14             70            507  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 14:17:12.60 03/21/09 14:17:13.31        0.71        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:21:40.01 03/21/09 14:21:50.08       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 15:36:17.53 03/21/09 15:36:18.17        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 15:37:11.45 03/21/09 15:37:21.53       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA7   (    6 ITEMS)                     32.34        826,767         10,321
 
 FTPTA8   03/21/09 08:09:32.96 03/21/09 15:29:02.41  7:19:29.45        274,763         15,912  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 13:17:39.42 03/21/09 14:42:50.82  1:25:11.40         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:42:57.42 03/21/09 14:43:21.38       23.96         45,921          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:43:26.45 03/21/09 15:28:27.01    45:00.56         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:50:01.00 03/21/09 15:28:26.10    38:25.10         35,513          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:51:01.03 03/21/09 14:52:28.82     1:27.79         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:05.50 03/21/09 15:28:22.53    35:17.03         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:51.74 03/21/09 14:55:51.42     1:59.68         35,306          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:56:05.98 03/21/09 15:11:31.19    15:25.21         33,066            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:12:01.80 03/21/09 15:13:30.66     1:28.86         35,266          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:13:45.48 03/21/09 15:17:09.41     3:23.93         38,223          2,199  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:18:54.59 03/21/09 15:20:07.26     1:12.67         34,273          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:20:22.01 03/21/09 15:28:20.73     7:58.72         33,118            875  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA8   (   13 ITEMS)               11:16:44.36        726,991         34,632

 
 FTPTA9   03/21/09 14:09:28.52 03/21/09 14:09:29.22        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 14:10:24.02 03/21/09 14:10:34.10       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA9   03/21/09 15:01:06.82 03/21/09 15:01:07.46        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 15:13:52.13 03/21/09 15:14:02.53       10.40         27,043            329  52  APPL ISSUED CLOSE

 ...

See other sample SMF reports.