Many different algorithms can be used for encrypting data, and for computing the message authentication code. Some algorithms provide high levels of security but require a large amount of computation for encryption and decryption. Other algorithms are less secure but provide rapid encryption and decryption. The length of the key that is used for encryption affects the level of security; the longer the key, the more secure the data.
To allow users to select the level of security that suits their needs, and to enable communication with others who might have different needs, SSL defines cipher suites, or sets of ciphers. When an SSL connection is established, during the SSL handshake, the client and server exchange information about which cipher suites they have in common. They then communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, then secure communication is not possible and CICS® closes the connection.
Use the ENCRYPTION system initialization parameter to specify the level of encryption that CICS uses. The default value is STRONG, which means that CICS uses a minimum level of TLS version 1.0 to negotiate with clients. You can set a minimum and maximum encryption level by editing the list of cipher suites in the CIPHERS attribute on the appropriate resource definition, or by editing the SSL cipher suite specification file for the resource definition.
You can check which cipher suites are being selected for SSL inbound connections from each CICS region. The performance data field SOCIPHER (320) in the DFHSOCK group shows the code for the cipher suite that was used for each SSL inbound connection. Use this information to identify any cipher suites that are offered by the CICS region but are not being selected for SSL connections. You can also identify any less efficient or less secure cipher suites that are being selected for SSL connections, but that you would prefer to eliminate.
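The review described above can be scripted once the SOCIPHER values have been extracted from the monitoring data. The following Python sketch is an added example, not IBM code. It assumes the values are already available as (region, code) pairs, that each region's CIPHERS attribute is a string of two-character codes, and that the site supplies its own set of codes it wants to retire; the region names and all sample values are constructed.

```python
from collections import Counter

def normalize(code):
    """Return a cipher code as four upper-case hex characters ("2F" -> "002F")."""
    code = code.strip().upper()
    if len(code) not in (2, 4) or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError(f"not a cipher suite code: {code!r}")
    return code.zfill(4)

def parse_ciphers_attribute(ciphers):
    """Split a CIPHERS string of two-character codes, keeping preference order."""
    ciphers = ciphers.strip()
    if len(ciphers) % 2:
        raise ValueError("CIPHERS string has an odd number of characters")
    return [normalize(ciphers[i:i + 2]) for i in range(0, len(ciphers), 2)]

def audit(offered, records, unwanted):
    """Compare offered suites with the suites actually selected per region.

    offered:  {region: CIPHERS string}
    records:  iterable of (region, SOCIPHER code) pairs (assumed input format)
    unwanted: codes the site prefers to eliminate (site policy, not an IBM list)
    """
    unwanted = {normalize(c) for c in unwanted}
    used = {}
    for region, code in records:
        used.setdefault(region, Counter())[normalize(code)] += 1
    report = {}
    for region, ciphers in offered.items():
        listed = parse_ciphers_attribute(ciphers)
        seen = used.get(region, Counter())
        report[region] = {
            # Offered but never negotiated: candidates for removal from the list.
            "never_selected": [c for c in listed if c not in seen],
            # Negotiated although the site wants them gone: find the clients first.
            "unwanted_selected": {c: n for c, n in seen.items() if c in unwanted},
            # Negotiated but absent from this list: another definition is in play.
            "not_in_list": sorted(set(seen) - set(listed)),
        }
    return report

# Constructed sample data: two regions and six inbound connections.
SAMPLE_OFFERED = {"CICSA": "352F0A05", "CICSB": "352F"}
SAMPLE_RECORDS = [("CICSA", "35"), ("CICSA", "35"), ("CICSA", "2F"),
                  ("CICSA", "0A"), ("CICSB", "35"), ("CICSB", "35")]
SAMPLE_UNWANTED = {"05", "0A"}  # e.g. the RC4 and Triple DES suites

if __name__ == "__main__":
    for region, result in audit(SAMPLE_OFFERED, SAMPLE_RECORDS, SAMPLE_UNWANTED).items():
        print(region, result)
```

A suite that appears under `never_selected` over a representative period can be dropped from the CIPHERS list with little risk, while one under `unwanted_selected` still has clients that depend on it.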
The cipher suites that are supported by z/OS® and CICS for each supported security protocol are described in Cipher Suite Definitions in z/OS Cryptographic Services System SSL Programming.