Cipher suite specification

The set of SSL protocol cipher specifications to be allowed for the secure session can be set. You should not include any that you do not want to allow. Order is important. System SSL selects ciphers according to the server’s order of usage preference. The first cipher in the server’s list that is also in the client’s list is selected. Other implementations might work differently.

AT-TLS does not pass any cipher suites to System SSL by default. For the list of cipher suites supported and the default order used if none is specified, see z/OS Cryptographic Services System SSL Programming.

Guideline: Code TTLSCipherParms statements to support newer cipher algorithms, such as elliptic curve cipher suites, AES Galois Counter Mode (GCM) cipher suites, or cipher suites that use SHA2-based digests.
Requirement: Integrated Cryptographic Service Facility (ICSF) must be active for elliptic curve ciphers and for ciphers using AES-GCM.

If the CSFSERV class is defined, the user ID that is associated with the AT-TLS application must have READ access to the following resources in that class:

For more information about elliptic curve cryptography support, see z/OS Cryptographic Services System SSL Programming.
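
The ordering rule and the ICSF requirement described above can be checked offline. The following Python script is an added example, not part of the IBM documentation: it reads the V3CipherSuites entries of each TTLSCipherParms statement in coded order, applies the server-preference selection rule to a client offer, and reports whether the negotiated suite needs ICSF. The policy text, statement names, client offer list, one-suite-per-line layout, and helper function names are constructed for illustration.

```python
import re

# Constructed sample policy: the same two suites coded in two different orders.
POLICY = """
TTLSCipherParms legacy_first
{
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
TTLSCipherParms modern_first
{
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
"""

def parse_cipher_parms(text):
    """Return {statement name: [suite, ...]}, preserving the coded order.

    Assumes one suite name per V3CipherSuites line (layout assumption).
    """
    parms = {}
    for name, body in re.findall(r"TTLSCipherParms\s+(\S+)\s*\{(.*?)\}", text, re.S):
        parms[name] = re.findall(r"^\s*V3CipherSuites\s+(\S+)", body, re.M)
    return parms

def select_suite(server_order, client_offer):
    """Server-preference rule: the first server suite that the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)

def needs_icsf(suite):
    """True for elliptic curve or AES-GCM suites, which require ICSF to be active."""
    return bool(suite) and ("_ECDH" in suite or "_GCM_" in suite)

if __name__ == "__main__":
    # Constructed client offer; the client's own ordering does not affect the result.
    client = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    for name, suites in parse_cipher_parms(POLICY).items():
        chosen = select_suite(suites, client)
        print(f"{name}: negotiates {chosen}; ICSF required: {needs_icsf(chosen)}")
```

With the same client offer, the legacy_first statement negotiates the CBC suite while modern_first negotiates the ECDHE GCM suite, so the only difference between the two outcomes is the order in which the suites were coded.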