ENCRYPTION

The ENCRYPTION system initialization parameter specifies the protocols that CICS® uses for secure TCP/IP connections.

The protocols determine which cipher suites can be used. TLS 1.1 support can be specified only by using the XML cipher suite specification files that are associated with the resource definition. For more information, see SSL cipher suite specification file.

ENCRYPTION={ALL|TLS12|STRONG|SSLV3}
When a secure connection is established between a pair of processes, the highest protocol version and the strongest cipher suite that both sides support are negotiated. Determine the level of TLS that your clients need and set the ENCRYPTION parameter accordingly. Note that every value other than TLS12 also permits TLS 1.0, so a client that offers only TLS 1.0 is accepted unless you set ENCRYPTION=TLS12.
ALL
Supports TLS 1.0, 1.1, and 1.2.
Note: If you are running CICS TS with z/OS® 1.13, using ENCRYPTION=ALL requires that PTFs OA37102 and OA39422 are applied to z/OS and that PTF PM97207 is applied to CICS TS.
TLS12
Supports TLS 1.2 only.
STRONG
Supports TLS 1.0 only. This is the default value.
SSLV3
Supports SSL 3.0 and TLS 1.0. SSL 3.0 should only be used for a migration period while clients that still require this protocol are upgraded.

For more information about cipher suites, see Cipher suites.

CICS can use only the cipher suites that are supported by the underlying z/OS operating system.

APAR PI28039 update: The default setting for the ENCRYPTION system initialization parameter, ENCRYPTION=STRONG, no longer allows the use of the SSL 3.0 security protocol. The minimum security protocol allowed with ENCRYPTION=STRONG is now TLS 1.0.

If you have clients that still require SSL 3.0, you can enable support for that protocol by specifying the system initialization parameter ENCRYPTION=SSLV3 for the CICS region. Use this setting only for a migration period while those clients are upgraded. Connections that require encryption automatically use TLS unless the client specifically requires SSL 3.0.

To apply FIPS 140-2 standards, set ENCRYPTION=TLS12 and NISTSP800131A=CHECK. If NISTSP800131A=CHECK is set but ENCRYPTION is set to a value other than TLS12, ENCRYPTION is overridden to TLS12 and a warning message is issued.
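The following script is an added example, not IBM code from this page or from CICS itself. It reads a SIT override list, applies the ENCRYPTION value table and the NISTSP800131A=CHECK override rule described above, and reports which protocol versions the region will accept and which of them a reviewer should flag. The SIT text in the demo is constructed; the protocol table encodes what this page states (STRONG as the post-PI28039 behaviour, TLS 1.0 only); the treatment of lines starting with "*" as comments and the wording of the warnings are assumptions of the example, not the real CICS message text.

```python
"""Audit the TLS protocol policy implied by CICS SIT parameters.

Added example, not IBM code. The protocol table below encodes the ENCRYPTION
values documented on this page; the SIT text used in the demo is constructed,
and the '*' comment convention and warning wording are assumptions.
"""

# Protocol versions that each ENCRYPTION value enables, as documented above.
# STRONG reflects the post-PI28039 behaviour: TLS 1.0 only, no SSL 3.0.
ENCRYPTION_PROTOCOLS = {
    "ALL": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "TLS12": {"TLSv1.2"},
    "STRONG": {"TLSv1.0"},
    "SSLV3": {"SSLv3", "TLSv1.0"},
}
DEFAULT_ENCRYPTION = "STRONG"   # the documented default when ENCRYPTION is omitted

# TLS versions a reviewer should treat as weak; SSL 3.0 is reported separately.
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def parse_sit(text):
    """Parse SIT overrides of the form KEY=VALUE, separated by commas or newlines.

    Keys and values are upper-cased. A later occurrence of a key overrides an
    earlier one (the last override wins). Lines starting with '*' are skipped
    as comments; that convention is an assumption of this example.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        for item in line.split(","):
            item = item.strip()
            if not item:
                continue
            key, _, value = item.partition("=")
            params[key.strip().upper()] = value.strip().upper()
    return params


def effective_encryption(params):
    """Return (ENCRYPTION value in effect, list of warnings).

    Applies the documented rule: NISTSP800131A=CHECK forces ENCRYPTION=TLS12
    and a warning is issued if any other value was specified.
    """
    warnings = []
    enc = params.get("ENCRYPTION", DEFAULT_ENCRYPTION)
    if enc not in ENCRYPTION_PROTOCOLS:
        raise ValueError(f"unknown ENCRYPTION value: {enc}")
    if "ENCRYPTION" not in params:
        warnings.append(f"ENCRYPTION not specified; default {DEFAULT_ENCRYPTION} applies")
    if params.get("NISTSP800131A") == "CHECK" and enc != "TLS12":
        warnings.append(f"NISTSP800131A=CHECK overrides ENCRYPTION={enc} to TLS12")
        enc = "TLS12"
    return enc, warnings


def audit(sit_text):
    """Audit one SIT override list and return the protocols and findings."""
    params = parse_sit(sit_text)
    enc, findings = effective_encryption(params)
    protocols = ENCRYPTION_PROTOCOLS[enc]
    if "SSLv3" in protocols:
        findings.append("SSL 3.0 enabled: acceptable only for a migration period")
    weak = sorted(protocols & WEAK_TLS)
    if weak:
        findings.append("weak TLS versions enabled: " + ", ".join(weak))
    return {"encryption": enc, "protocols": sorted(protocols), "findings": findings}


if __name__ == "__main__":
    # Constructed SIT override lists for the demo.
    samples = {
        "defaults only": "",
        "legacy clients": "ENCRYPTION=SSLV3",
        "FIPS with stale override": "* FIPS region\nENCRYPTION=ALL,NISTSP800131A=CHECK",
        "clean": "ENCRYPTION=TLS12,NISTSP800131A=CHECK",
    }
    for name, text in samples.items():
        result = audit(text)
        print(f"{name}: ENCRYPTION={result['encryption']} "
              f"protocols={result['protocols']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The script only reasons about the SIT; it does not replace checking the live listener. To confirm what a region actually negotiates, probe the TCPIPSERVICE port with openssl s_client and an explicit version flag (for example -tls1, -tls1_1, -tls1_2) and confirm that the handshake fails for every version the SIT is supposed to exclude.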

To apply FIPS 140-2 standards on z/OS Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system. If you have not already done so, apply APAR OA14956 to z/OS.

For more information about NIST SP800-131A conformance, see Making your CICS TS system conformant to NIST SP800-131A.