Cipher suites

Many different algorithms can be used for encrypting data, and for computing the message authentication code. Some algorithms provide high levels of security but require a large amount of computation for encryption and decryption. Other algorithms are less secure but provide rapid encryption and decryption. The length of the key that is used for encryption affects the level of security; the longer the key, the more secure the data.

To allow users to select the level of security that suits their needs, and to enable communication with others who might have different needs, SSL defines cipher suites, or sets of ciphers. When an SSL connection is established, during the SSL handshake, the client and server exchange information about which cipher suites they have in common. They then communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, then secure communication is not possible and CICS® closes the connection.

Use the ENCRYPTION system initialization parameter to specify the level of encryption that CICS uses. The default value is STRONG, which means that CICS uses a minimum level of TLS version 1.0 to negotiate with clients. You can set a minimum and maximum encryption level by editing the list of cipher suites in the CIPHERS attribute on the appropriate resource definition, or by editing the SSL cipher suite specification file for the resource definition.

You can check which cipher suites are being selected for SSL inbound connections from each CICS region. The performance data field SOCIPHER (320) in the DFHSOCK group shows the code for the cipher suite that was used for each SSL inbound connection. Use this information to identify any cipher suites that are offered by the CICS region but are not being selected for SSL connections. You can also identify any less efficient or less secure cipher suites that are being selected for SSL connections, but that you would prefer to eliminate.
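The audit described above, as an added example that is not part of this page or of CICS itself: it splits a CIPHERS attribute value into its two-character System SSL cipher codes, tallies the SOCIPHER values collected from the region's monitoring performance records (assumed here to have already been extracted into a list of strings; the sample values are constructed), and reports codes that are offered but never selected and codes that are selected but that you want to eliminate. The cipher names in the comments are assumed from the z/OS System SSL cipher table; confirm them against Cipher Suite Definitions before acting on the report.

```python
from collections import Counter

# Constructed sample: a TCPIPSERVICE CIPHERS attribute listing four codes in
# preference order. Assumed System SSL meanings: 35 = AES-256-CBC-SHA,
# 2F = AES-128-CBC-SHA, 0A = 3DES-CBC-SHA, 05 = RC4-128-SHA.
CIPHERS_ATTR = "352F0A05"

# Constructed sample of SOCIPHER (320) values, one per SSL inbound connection,
# as they would appear after extraction from the DFHSOCK performance group.
SOCIPHER_SAMPLE = ["35", "35", "2F", "0A", "0A", "0A", "35"]

# Codes the installation wants to stop offering (assumed policy, not a CICS default).
DENY = frozenset({"0A", "05"})


def parse_ciphers(ciphers_attr):
    """Split a CIPHERS attribute (concatenated 2-hex-digit codes) into a code list."""
    s = ciphers_attr.strip().upper()
    if len(s) % 2 or not all(ch in "0123456789ABCDEF" for ch in s):
        raise ValueError("CIPHERS must be an even-length hexadecimal string")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def audit(ciphers_attr, socipher_values, deny=frozenset()):
    """Compare the offered cipher list with the codes actually negotiated."""
    offered = parse_ciphers(ciphers_attr)
    counts = Counter(v.strip().upper() for v in socipher_values)
    return {
        # Offered by the region but never chosen: candidates for removal.
        "never_selected": [c for c in offered if counts[c] == 0],
        # Negotiated but absent from CIPHERS: the definition changed since the
        # records were cut, or the records belong to a different resource.
        "selected_not_offered": sorted(c for c in counts if c not in offered),
        # Still in use despite being on the deny list; removing them will
        # break the clients that negotiated them, so plan that first.
        "denied_in_use": {c: counts[c] for c in offered if c in deny and counts[c]},
        # Per-code connection counts, in CIPHERS preference order.
        "usage": {c: counts[c] for c in offered},
    }


if __name__ == "__main__":
    for key, value in audit(CIPHERS_ATTR, SOCIPHER_SAMPLE, DENY).items():
        print(f"{key}: {value}")
```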

To specify the level of encryption required:

For inbound HTTP
    Use the CIPHERS attribute of the TCPIPSERVICE resource definition.
For outbound HTTP and web service requests
    Use the CIPHERS attribute of the URIMAP resource definition.
For inbound IPIC
    Use the CIPHERS attribute of the TCPIPSERVICE resource definition.
For outbound IPIC
    Use the CIPHERS attribute of the IPCONN resource definition.
For inbound CICSPlex® SM Web User Interface requests
    Use the TCPIPSSLCIPHERS Web User Interface server initialization parameter. This value has the same syntax as the CIPHERS attribute of the TCPIPSERVICE resource, but it is limited to a maximum of 22 cipher codes.
The PRIVACY and OUTPRIVACY attributes are no longer supported, except in compatibility mode. The values are determined by the list of ciphers in the CIPHERS attribute as follows:

NOTSUPPORTED
    Is not supported and will result in an error.
REQUIRED
    Is ignored. The CIPHERS attribute defines the CIPHERS used.
SUPPORTED
    Is ignored. The CIPHERS attribute defines the CIPHERS used.

The cipher suites that are supported by z/OS® and CICS for each supported security protocol are described in Cipher Suite Definitions in z/OS Cryptographic Services System SSL Programming.

dfht5nv.html | Last updated: Thursday, 27 June 2019