CICS Explorer 5.1.0.0 contains important security updates and enhancements

News


Abstract

You are installing CICS Transaction Server for z/OS (CICS TS) V5.1 and are now able to use the new release of CICS Explorer with Java™ 7. This raises the bar from a security standpoint. because Java 7 supports the TLSv1.2 protocol as described in RFC 5246 that includes new cipher suites and cryptographic functionality enhancements. Some of the weaker ciphers are no longer loaded into the JVM by default at runtime which can result in difficulties connecting to weakly configured servers.

Content

Configure your servers with strong rather than weak encryption. Alternatively, reconfigure Java 7 security configuration to re-enable the weaker ciphers; since this is a backward step from a security perspective, you might want to consider a stronger server security in particular “z/OS Security Level 3”.

The following sections describe the security updates and enhancements in CICS Explorer V5.1.0.0:





Secure Sockets Layer
The Secure Sockets Layer (SSL) implementation within CICS Explorer itself has been extensively updated. Previously SSL connections were made implicitly by the CICS Explorer. Although very flexible and user friendly this did not allow you to control your security requirements. Explorer now provides a check box in the connection configuration to control use of SSL for the connection. The "Secure connection (TLS/SSL)" check box is to the right of the Port number.



When using previously defined connections the new CICS Explorer will apply any previously successful SSL setting. If the Explorer cannot infer an SSL state, you will be presented with an ambiguity dialog prompting you to make the final decision.






Certificates
In conjunction with the SSL updates CICS Explorer V5.1 allows the use of SSL Certificate Trust and Key stores. Previously, these would have been bypassed but now you are able to specify dedicated certificate stores for use with the CICS Explorer. When CICS Explorer V5.1 is installed it creates a new certificate store in your workspace. This store is either empty or is a copy of the default file called cacerts found in the JVM and provides certificates for both Key and Trust store. Note that the location of these stores are configurable. For example, an administrator can supply a definitive Trust store that could be pre-populated by an administrator with valid certificates.

The standard way of managing trust and key stores is using either KeyTool or IKeyMan supplied with the IBM JVM or equivalent. However, to make things simpler CICS Explorer now provides functionality to import certificates into the trust store when it attempts to connect to a server whose certificate is not already in the trust store. In this case, a prompt showing the certificate details is presented to you along with the option to import the certificate.



As previously stated, the Trust and Key store mechanism was bypassed in previous versions of the CICS Explorer and provision has been made for those of you who are using HTTPS and FTPS connections and still wish to do this. See the "Certificate management preference" page under "Explorer" in the preferences and select "Disable certificate management of secure connections".



If you are using DB2, you now have the option to use SSL connections. The JDBC driver implementation does not allow certificate management to be disabled for this type of connection and the driver always uses its own TLSv1 protocol as default. Therefore, these settings are not referenced by the DB2 JDBC driver.




Administrator override
The SSL certificate implementation allows administrators to apply global preferences on behalf of their users. The most common reason for this is because the truststore has been pre-installed with the necessary certificates that specific users can access. It is normally not appropriate for the users to import their own. These preferences are overridden by using the plugin_customization.ini file that appears in the same directory as the cicsexplorer.exe file.

The example below shows a typical modification

#
# Licensed Materials - Property of IBM
# 5655-Y04
# (C) Copyright IBM Corp. 2012
# This source material is provided "AS-IS" under the terms and
# conditions of the IBM Customer Agreement and of the associated
# Licensed Program Specifications documentation for CICS Transaction
# Server for z/OS.
#
# The terms and conditions of this license permit users to modify this
# source material and DO NOT provide for any entitlement to defect
# correction.
com.ibm.cics.core.comm/com.ibm.cics.core.comm.restrictCertificateImport=true
com.ibm.cics.core.comm/javax.net.ssl.trustStore=//centralserver/cics/explorer_keystore.jks
com.ibm.cics.core.comm/javax.net.ssl.trustStorePassword=changeit
com.ibm.cics.core.comm/com.ibm.cics.core.comm.truststore.dbType=JCEKS
com.ibm.cics.core.comm/com.ibm.cics.core.comm.truststore.same=false

Here is an explanation of each of line in the above example::

  • com.ibm.cics.core.comm.restrictCertificateImport
    true specifies that the user cannot accept certificates into their environment using explorer, essentially locking down the certificates available

  • javax.net.ssl.trustStore=//centralserver/cics/explorer_keystore.jks
    javax.net.ssl.trustStorePassword=changeit
    represents a truststore, in this example it is on a common server and the password

  • com.ibm.cics.core.comm.truststore.dbType=JCEKS
    the trust store type. It can be one of JKS, JCEKS, PKCS12

  • com.ibm.cics.core.comm.truststore.same=false
    true if the keystore and truststore are the same file in this installation, false if they are different.

Because the keystore is unique to a particular user it is not likely that this would be overridden. It can be achieved however as follows with similar entry for the passphrase.
com.ibm.cics.core.comm/javax.net.ssl.keyStore=//centralserver/cics/explorer_keystore.jks

Product Alias/Synonym

CICS/TS CICS TS CICS Transaction Server

Rate this page:

(0 users)Average rating

Document information


More support for:

CICS Transaction Server
Explorer

Software version:

3.1, 3.2, 4.1, 4.2, 5.1

Operating system(s):

z/OS

Reference #:

1619304

Modified date:

2012-12-17

Translate my page

Machine Translation

Content navigation