ENCRYPTION
The ENCRYPTION system initialization parameter specifies the protocols that CICS® uses for secure TCP/IP connections.
The protocols determine which cipher suites can be used. Protocols for TLS 1.1 can only be entered by using XML files that are associated with the resource definition. For more information, see SSL cipher suite specification file.
- ENCRYPTION={ALL|TLS12|STRONG|SSLV3}
- When a secure connection is established between a pair of processes, the most secure cipher suite that is supported by both is used. Determine the level of TLS that needs to be supported and set the ENCRYPTION parameter accordingly.
- ALL
- Supports TLS 1.0, 1.1, and 1.2. Note: If you are running CICS TS with z/OS® 1.13, then using ENCRYPTION=ALL requires that PTFs OA37102 and OA39422 are applied to z/OS and that PTF PM97207 has been applied to CICS TS.
- TLS12
- Supports TLS 1.2 only.
- STRONG
- Supports TLS 1.0 only. This is the default value.
- SSLV3
- Supports SSL 3.0 and TLS 1.0. SSL 3.0 should only be used for a migration period while clients that still require this protocol are upgraded.
For more information about cipher suites, see Cipher suites.
CICS can use only the cipher suites that are supported by the underlying z/OS operating system.
APAR PI28039 update: The default setting for the ENCRYPTION system initialization parameter, ENCRYPTION=STRONG, no longer allows the use of the SSL version 3.0 security protocol. The minimum security protocol allowed with ENCRYPTION=STRONG is now TLS version 1.0.
If you have clients that still require the SSL version 3.0 protocol, you can enable support for that protocol by specifying the system initialization parameter ENCRYPTION=SSLV3 for the CICS region. SSL 3.0 should only be used for a migration period while clients that still require this protocol are upgraded. Any connections that require encryption automatically use the TLS protocol, unless the client specifically requires SSL 3.0.
To apply FIPS 140-2 standards, set ENCRYPTION=TLS12 and NISTSP800131A=CHECK. If NISTSP800131A=CHECK is set but ENCRYPTION is set to a value other than TLS12, it is overridden to ENCRYPTION=TLS12 and a warning message is issued.
To apply FIPS 140-2 standards on z/OS Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system. If you have not already done so, apply APAR OA14956 to z/OS.
For more information about NIST SP800-131A conformance, see Making your CICS TS system conformant to NIST SP800-131A.
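As an added illustration (not IBM's code and not part of this page), the following Python checks a SIT parameter fragment against the rules above: the STRONG default, the protocols each value enables, the NISTSP800131A=CHECK override to TLS12, and the SSL 3.0 migration caveat. The comma-separated parse format and the wording of the findings are this example's own assumptions.

```python
# Added example (not IBM's code): lint a CICS SIT fragment for the ENCRYPTION rules
# described on this page. Parameter names and values come from the page; the parse
# format and finding text are assumptions of this example.

PROTOCOLS = {
    "ALL": {"TLS1.0", "TLS1.1", "TLS1.2"},
    "TLS12": {"TLS1.2"},
    "STRONG": {"TLS1.0"},          # default value
    "SSLV3": {"SSL3.0", "TLS1.0"},
}
DEFAULT_ENCRYPTION = "STRONG"


def parse_sit(text):
    """Parse 'ENCRYPTION=TLS12,NISTSP800131A=CHECK' into an upper-cased dict."""
    params = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        params[key.strip().upper()] = value.strip().upper()
    return params


def effective_encryption(params):
    """Return (effective ENCRYPTION value or None, list of findings)."""
    findings = []
    value = params.get("ENCRYPTION", DEFAULT_ENCRYPTION)
    if value not in PROTOCOLS:
        findings.append(f"invalid ENCRYPTION value {value!r}; expected {sorted(PROTOCOLS)}")
        return None, findings
    nist_check = params.get("NISTSP800131A") == "CHECK"
    if nist_check and value != "TLS12":
        # Page rule: CHECK overrides any other value to TLS12 and issues a warning.
        findings.append(f"NISTSP800131A=CHECK overrides ENCRYPTION={value} to TLS12 (warning issued)")
        value = "TLS12"
    if "SSL3.0" in PROTOCOLS[value]:
        findings.append("SSL 3.0 enabled: only for a migration period while clients are upgraded")
    if value == "ALL":
        findings.append("ENCRYPTION=ALL on z/OS 1.13 needs PTFs OA37102, OA39422 (z/OS) and PM97207 (CICS TS)")
    if not (value == "TLS12" and nist_check):
        findings.append("not FIPS 140-2 configured: requires ENCRYPTION=TLS12 and NISTSP800131A=CHECK")
    return value, findings


def check_sit(text):
    """Convenience wrapper: (effective value, enabled protocol set, findings)."""
    value, findings = effective_encryption(parse_sit(text))
    return value, (PROTOCOLS[value] if value else set()), findings
```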