The STS configuration file

The STS configuration file specifies various aspects of the CICS® Security Token Service (STS).

CICS uses a file called sts.xml in the directory that is identified by the JVMPROFILEDIR SIT parameter. If that file does not exist, CICS uses the file that is specified by the JVM property com.ibm.cics.sts.config in the JVM server profile. For example: -Dcom.ibm.cics.sts.config=/var/security/sts/sts-config.xml. A sample STS configuration file, sts-config.xml, is supplied for reference.

The XML schema file, sts.xsd, is supplied in the /usr/lpp/cicsts/cicsts52/schemas/sts directory.

The STS configuration file contains the following elements:

<keystore>
    Defines the RACF® keystore type (given as a <type> child element, as in the example below). The possible values are JCERACFKS and JCECCARACFKS. The default value is JCERACFKS.

<issuer>
    Defines the STS as an asserting party. This element contains the following elements:

    <format>
        Contains any string. There is no default value.

    <uri>
        Contains any string. The default value is http://cics.

<signature>
    Specifies the hash algorithm and the certificate label. This element has the following attribute:

    hash_algorithm
        Possible values are sha-1 and sha-2. The default value is sha-2.

    This element contains the following element:

    <certificate>
        This element contains the following element:

        <label>
            The value of the RACF certificate label. The default value is CICSCERT.

<clock_skew>
    The clock skew time, in milliseconds. The default value is 180000 ms (3 minutes).

A clock skew allows for any time difference in system clocks on different computers. It is applied to all timing conditions in a SAML token.

The following example shows an STS configuration file with all elements set:
<sts_configuration xmlns="https://www.ibm.com/xmlns/prod/cics/JVMSERVER/stsconfig">

	<keystore>
		<type>JCECCARACFKS</type>
	</keystore>
  
	<issuer>
		<format>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</format>
		<uri>http://cics</uri>
	</issuer>

	<signature hash_algorithm="sha-1">
		<certificate>
			<label>CICSCERT</label>
		</certificate>
	</signature>

	<clock_skew>90000</clock_skew>

</sts_configuration>
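As an added example (not code from the CICS documentation or product), a small Python loader and checker for this file: it reads the elements listed above under the namespace shown in the example, applies the documented defaults for anything omitted, and reports values outside the documented enumerations, a sha-1 signature hash, and a clock skew larger than the 180000 ms default (a larger skew widens every SAML timing condition). The SAMPLE string is the page's example file, re-embedded here as constructed input.

```python
import xml.etree.ElementTree as ET

# Namespace from the page's sample configuration file.
NS = {"s": "https://www.ibm.com/xmlns/prod/cics/JVMSERVER/stsconfig"}
# Documented defaults, applied when an element or attribute is absent.
DEFAULTS = {"keystore_type": "JCERACFKS", "issuer_format": None,
            "issuer_uri": "http://cics", "hash_algorithm": "sha-2",
            "certificate_label": "CICSCERT", "clock_skew_ms": 180000}
# Paths (relative to the root) of the text-valued settings.
PATHS = {"keystore_type": "s:keystore/s:type", "issuer_format": "s:issuer/s:format",
         "issuer_uri": "s:issuer/s:uri",
         "certificate_label": "s:signature/s:certificate/s:label"}
# Constructed sample input: the page's example file with all elements set.
SAMPLE = """<sts_configuration xmlns="%s"><keystore><type>JCECCARACFKS</type></keystore>
  <issuer><format>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</format><uri>http://cics</uri></issuer>
  <signature hash_algorithm="sha-1"><certificate><label>CICSCERT</label></certificate></signature>
  <clock_skew>90000</clock_skew></sts_configuration>""" % NS["s"]


def load_sts_config(xml_text):
    """Parse an STS configuration document into a flat dict, applying defaults."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}sts_configuration" % NS["s"]:
        raise ValueError("unexpected root element %s" % root.tag)
    cfg = dict(DEFAULTS)
    for key, path in PATHS.items():
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            cfg[key] = el.text.strip()
    sig = root.find("s:signature", NS)
    if sig is not None and sig.get("hash_algorithm"):
        cfg["hash_algorithm"] = sig.get("hash_algorithm")
    skew = root.find("s:clock_skew", NS)
    if skew is not None and skew.text:
        cfg["clock_skew_ms"] = int(skew.text.strip())  # non-numeric text raises ValueError
    return cfg


def check_sts_config(cfg):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    findings = []
    if cfg["keystore_type"] not in ("JCERACFKS", "JCECCARACFKS"):
        findings.append("ERROR: keystore type %r is not JCERACFKS or JCECCARACFKS" % cfg["keystore_type"])
    if cfg["hash_algorithm"] not in ("sha-1", "sha-2"):
        findings.append("ERROR: hash_algorithm %r is not sha-1 or sha-2" % cfg["hash_algorithm"])
    elif cfg["hash_algorithm"] == "sha-1":
        findings.append("WARN: signature hash is sha-1; the default sha-2 is the stronger choice")
    if cfg["clock_skew_ms"] > DEFAULTS["clock_skew_ms"]:
        findings.append("WARN: clock_skew %d ms exceeds the 180000 ms default and widens every SAML timing window" % cfg["clock_skew_ms"])
    return findings
```

Run `check_sts_config(load_sts_config(SAMPLE))` to see the one warning the page's own example produces (its sha-1 hash); a file containing only the root element yields the documented defaults and no findings.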