SSL cipher suite specification file

The SSL cipher suite specification file is an XML file that contains a list of cipher suites that can be used in an SSL connection.

The name of the file can be up to 28 characters long including the extension, which must be .xml. The name must be valid for a UNIX file and can contain only the characters A-Z a-z 0-9 # - . @ _. The name is case-sensitive.

The SSL cipher suite specification file must be in the ussconfig/security/ciphers directory, where ussconfig is the value of the SIT parameter USSCONFIG.

The CICS® region must have permission to access z/OS® UNIX, and it must have read and execute access to the directory that contains the file, and read access to the file itself.

Sample files are provided in the usshome/security/ciphers directory, where usshome is the value of the SIT parameter USSHOME. A schema file is also supplied, in the usshome/schemas/security directory. The file name is ciphersfile.xsd.

To create your SSL cipher suite specification file, copy one of the sample files to the ussconfig/security/ciphers directory and edit it as required. For example, you can remove cipher suites that do not meet your security requirements or that are not supported by your hardware. You can also add cipher suites, but only ones that are supported by both CICS and z/OS. Alternatively, create your own file in ussconfig/security/ciphers and specify the appropriate cipher suites. For more information, see Cipher suites.

The first time a resource that uses a specific cipher file is installed, the file is read from zFS and parsed. Any errors are flagged during this parse. If the file is valid, the resource is installed and the cipher information is stored in a new control block that is associated with the file. When subsequent resources that use the same cipher file are installed, the cached information in the control block is used and the file is not reread. If you change the contents of the file, the new contents have no effect until CICS is restarted. The file is reread for any type of start, whether the START system initialization parameter is set to INITIAL, COLD, or AUTO.

To update the list of cipher suites for a CSD resource such as a TCPIPSERVICE while CICS is still running, perform the following steps:
  1. Create a new cipher suite specification file with a name that this CICS system has not yet loaded, for example newciphers.xml. A file that has already been loaded is served from the cached control block, so editing it in place has no effect until restart.
  2. Populate the newciphers.xml file with the list of cipher suites you require.
  3. Update the existing resource definition to refer to the new cipher suite specification file. For example, issue a CREATE TCPIPSERVICE command with the parameter CIPHERS(newciphers.xml).
  4. Reinstall the resource definition.

Structure of the file

Each cipher suite is specified as a number attribute of a cipher element. The cipher number is a four-character code. If you use a two-character code, pad it with leading zeros.

The sample files also contain a comment inside each cipher element, holding a text string that describes the cipher suite. This comment is for human readers only: CICS does not validate it or take any action on it, so the number attribute is the only thing that determines which suite is enabled.

The following example shows the structure of the cipher file:
<?xml version="1.0"?>
<cipher_list xmlns="https://www.ibm.com/software/htp/cics/ciphers">
    <cipher number="000A">
        <!-- SSL_RSA_WITH_3DES_EDE_CBC_SHA -->
    </cipher>
    <cipher number="000D">
        <!-- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA -->
    </cipher>
    ...
</cipher_list>
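The following is an added example, not code from the page or shipped with CICS. It is a small pre-deployment lint in Python that applies the two sets of rules described above: the file name rules (28-character limit, .xml extension, permitted character set) and the structure rules (cipher_list root in the namespace shown, one number attribute per cipher element, four-character codes with two-character codes padded). It also flags duplicate entries and a short, illustrative denylist of weak suites; only 000A and 000D come from the page, the other denylist entries are assumed from the standard TLS cipher suite registry, and the sample input is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the cipher files on the page.
CIPHER_NS = "https://www.ibm.com/software/htp/cics/ciphers"

# File name rules from the page: at most 28 characters including the
# mandatory .xml extension, characters limited to A-Z a-z 0-9 # - . @ _.
FILENAME_RE = re.compile(r"^[A-Za-z0-9#\-.@_]+\.xml$")

# Illustrative denylist (assumption, not from the page except 000A/000D):
# NULL, export, RC4, DES and 3DES suites a reviewer would normally remove.
WEAK_SUITES = {
    "0001": "TLS_RSA_WITH_NULL_MD5",
    "0002": "TLS_RSA_WITH_NULL_SHA",
    "0003": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "0004": "TLS_RSA_WITH_RC4_128_MD5",
    "0005": "TLS_RSA_WITH_RC4_128_SHA",
    "0009": "TLS_RSA_WITH_DES_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "000D": "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
}

# Constructed sample: the page's two entries plus a two-character code that
# was not padded, a modern ECDHE/AES-GCM suite, and a duplicate of it.
SAMPLE = """<?xml version="1.0"?>
<cipher_list xmlns="https://www.ibm.com/software/htp/cics/ciphers">
    <cipher number="000A">
        <!-- SSL_RSA_WITH_3DES_EDE_CBC_SHA -->
    </cipher>
    <cipher number="000D">
        <!-- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA -->
    </cipher>
    <cipher number="2F">
        <!-- SSL_RSA_WITH_AES_128_CBC_SHA -->
    </cipher>
    <cipher number="C02F">
        <!-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -->
    </cipher>
    <cipher number="C02F">
        <!-- duplicate entry -->
    </cipher>
</cipher_list>
"""


def check_filename(name):
    """Return a list of problems with a cipher file name; empty means acceptable."""
    problems = []
    if len(name) > 28:
        problems.append(f"{name}: longer than 28 characters")
    if not FILENAME_RE.match(name):
        problems.append(f"{name}: must end in .xml and use only A-Z a-z 0-9 # - . @ _")
    return problems


def parse_cipher_file(xml_text):
    """Return the number attributes in document order; raise ValueError on structural errors."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CIPHER_NS}}}cipher_list":
        raise ValueError(f"root element is {root.tag}, expected cipher_list in {CIPHER_NS}")
    numbers = []
    for elem in root:  # ElementTree drops the descriptive comments, as CICS ignores them
        if elem.tag != f"{{{CIPHER_NS}}}cipher":
            raise ValueError(f"unexpected element {elem.tag}")
        number = elem.get("number")
        if number is None:
            raise ValueError("cipher element without a number attribute")
        numbers.append(number)
    return numbers


def lint_cipher_list(numbers):
    """Return findings: unpadded or malformed codes, duplicates, and weak suites."""
    findings = []
    seen = set()
    for number in numbers:
        if not re.fullmatch(r"[0-9A-Fa-f]{4}", number):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", number):
                findings.append(f"{number}: two-character code, pad to {number.zfill(4)}")
            else:
                findings.append(f"{number}: not a four-character hexadecimal code")
            continue
        key = number.upper()
        if key in seen:
            findings.append(f"{number}: listed more than once")
        seen.add(key)
        if key in WEAK_SUITES:
            findings.append(f"{number}: weak suite {WEAK_SUITES[key]}")
    return findings


if __name__ == "__main__":
    for problem in check_filename("newciphers.xml") + check_filename("my ciphers.txt"):
        print(problem)
    for finding in lint_cipher_list(parse_cipher_file(SAMPLE)):
        print(finding)
```

Run the lint against a new file before pointing a resource definition at it: because CICS only parses a file the first time a resource that names it is installed, and caches the result until restart, catching an unpadded code or an unwanted 3DES suite here is cheaper than discovering it after the install.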