Securing the connection to CICS Transaction Server for z/OS by using SSL

Configure the CICSRequest node to communicate with CICS® Transaction Server for z/OS® over the Secure Sockets Layer (SSL) protocol by updating a CICSConnection configurable service or the CICSRequest node to use SSL.

Before you begin

Ensure that you have completed the following tasks:
  1. The CICSRequest node does not support a separate truststore, so the keystore file must provide both personal and signer certificates. If client-authentication (CLIENTAUTH) is enabled in the TCPIPSERVICE in CICS, the integration node keystore file must also contain a personal certificate that is trusted by CICS. To set up a public key infrastructure (PKI) at integration node or integration server level, follow the instructions in Setting up a public key infrastructure.
  2. Define the COMMAREA data structure as a message set, as described in Defining a CICS Transaction Server for z/OS data structure.
  3. Configure IP InterCommunications (IPIC) protocol on CICS, as described in Preparing the environment for the CICSRequest node.

About this task

To configure the CICSRequest node to use SSL, complete the following steps:

Procedure

  1. For client-authenticated (CLIENTAUTH) SSL connections, CICS expects the SSL client certificate to be mapped to a RACF® user ID. Therefore the SSL client certificate must be mapped to a RACF user ID before you attempt to establish the SSL connection to CICS. If the client certificate is not mapped to a RACF user ID, the integration node might display an ECI_ERR_NO_CICS response. You can map a client certificate to a RACF user ID by using the RACF command RACDCERT, which stores the client certificate in the RACF database and associates a user ID with it, or by using RACF certificate name filtering. A client certificate can be mapped one-to-one to a user ID, or a filter rule can map many certificates to a single user ID (a many-to-one mapping). You can achieve this mapping by using one of the following methods:
    • Associating a client certificate with a RACF user ID
      1. Copy the certificate that you want to process into an MVS™ sequential file. The file must have variable length, blocked records (RECFM=VB), and be accessible from TSO.
      2. Run the RACDCERT command in TSO by using the following syntax:
        RACDCERT ADD('datasetname') TRUST [ ID(userid) ]

        Where:

        • datasetname is the name of the data set containing the client certificate.
        • userid is the user ID to be associated with the certificate. This parameter is optional. If omitted, the certificate is associated with the user issuing the RACDCERT command.

        When you issue the RACDCERT command, RACF creates a profile in the DIGTCERT class. This profile associates the certificate with the user ID. You can then use the profile to translate a certificate to a user ID without giving a password. For full details of RACF commands, see z/OS Security Server RACF Command Language Reference.

    • RACF certificate name filtering
      With certificate name filtering, client certificates are not stored in the RACF database. The association between one or more certificates and a RACF user ID is achieved by defining a filter rule that matches the distinguished name of the certificate owner or issuer (CA). A sample filter rule might look like the following example:
      RACDCERT ID(DEPT3USR) MAP SDNFILTER(OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
      This sample filter rule would associate user ID DEPT3USR with all certificates when the distinguished name of the certificate owner contains the organizational unit DEPT1 and DEPT2, the organization IBM®, the locality LOC, the state/province NY, and the country US.
  2. Turn on SSL support in the integration node by setting the cicsServer property on the CICSConnection configurable service, as shown in the following example.
    This example changes the CICSRequest node that is configured to use the myCICSConnection configurable service for the CICS instance that is running at mycicsregion.com port 56789. After you run this command, the CICSRequest node connects to CICS over SSL.
    mqsichangeproperties IBNODE -c CICSConnection -o myCICSConnection -n cicsServer -v ssl://mycicsregion.com:56789
    Alternatively you can configure the CICS server property directly on the CICSRequest node.
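The certificate name filtering described in step 1, modelled as an added Python example (not IBM's code and not RACF's implementation): it applies the sample SDNFILTER rule to constructed client-certificate subject DNs to show the many-to-one mapping and the unmapped case that leads to ECI_ERR_NO_CICS. It assumes RACF's matching rule, which compares a filter against the trailing components of the subject DN from C= inward and treats the RACF attribute SP as the X.509 attribute ST; DN values containing the separator characters are not handled.

```python
"""Model how a RACF SDNFILTER rule maps client-certificate subject DNs to user IDs."""

# RACF spells the X.509 state/province attribute (ST) as SP in filter rules.
RACF_ATTR_ALIASES = {"ST": "SP"}

# Filter rules as (rule, userid). The first entry is the page's sample:
# RACDCERT ID(DEPT3USR) MAP SDNFILTER(OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
FILTERS = [
    ("OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US", "DEPT3USR"),
]


def parse_racf_filter(rule):
    """Split 'OU=DEPT1.OU=DEPT2...C=US' into (attr, value) pairs, most specific first.
    Assumption: values contain no '.' separator."""
    pairs = []
    for rdn in rule.split("."):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parse_x509_dn(dn):
    """Split an RFC 4514 DN 'CN=a,OU=b,...,C=US' into pairs, most specific first,
    renaming attributes to RACF spelling (ST -> SP). Assumption: no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        pairs.append((RACF_ATTR_ALIASES.get(attr, attr), value.strip()))
    return pairs


def filter_matches(rule, subject_dn):
    """True when the filter equals the trailing components of the DN (C= inward),
    so a filter that omits the leading CN matches every certificate under it."""
    f, d = parse_racf_filter(rule), parse_x509_dn(subject_dn)
    return len(f) <= len(d) and d[len(d) - len(f):] == f


def map_certificate_to_userid(subject_dn, filters=FILTERS):
    """Return the user ID of the most specific matching filter (longest rule first),
    or None when no rule matches: the unmapped case behind ECI_ERR_NO_CICS."""
    for rule, userid in sorted(filters, key=lambda f: -len(parse_racf_filter(f[0]))):
        if filter_matches(rule, subject_dn):
            return userid
    return None
```

Running `map_certificate_to_userid` over several constructed DNs that differ only in CN shows the many-to-one mapping; a DN whose OU or ST component differs from the rule returns None.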

What to do next

When you have configured the integration node or the CICSRequest node to use SSL, develop a message flow that contains a CICSRequest node by following the steps in Developing a message flow with a CICSRequest node.