System initialization parameters for SSL

Descriptions of system initialization parameters that relate to SSL.

The following system initialization parameters relate to SSL:
CRLPROFILE system initialization parameter
Specifies the name of the profile that authorizes CICS to access certificate revocation lists that are stored in an LDAP server. For more information about certificate revocation lists and setting up this profile, see Configuring an LDAP server for CRLs.
ENCRYPTION system initialization parameter
Specifies the cipher suites that CICS® uses for secure TCP/IP connections. When a secure connection is established between a pair of processes, the most secure cipher suite supported by both is used. For more information about cipher suites, see Cipher suites.
KEYRING system initialization parameter
Specifies the name of a key ring in the RACF® database that contains keys and certificates used by CICS. It must be owned by the CICS region user ID. You can create an initial key ring with the DFH$RING exec in CICSTS52.CICS.SDFHSAMP.
MAXSSLTCBS system initialization parameter
Specifies the maximum number of S8 TCBs that are available to CICS to process secure sockets layer connections and requests to LDAP using the DFHDDAPX XPI interface. This value is a number in the range 0 through 999, and has a default value of 8. The S8 TCBs are created and managed in the SSL pool. An S8 TCB is used by a task only for the duration of the SSL or LDAP processing.
SSLCACHE system initialization parameter
Specifies whether CICS should use a local cache of SSL sessions for the CICS region, or share the cache across multiple CICS regions by using the coupling facility. Caching across a sysplex can only take place when the regions accept SSL connections at the same IP address. The cache contains session IDs that enable CICS to perform partial handshakes with clients that it has previously authenticated. A local cache is replaced when you issue the PERFORM SSL REBUILD command for the CICS region, but a sysplex cache is unaffected.
SSLDELAY system initialization parameter
Specifies the length of time in seconds for which CICS retains session IDs for secure socket connections in a local CICS region. Session IDs are tokens that represent a secure connection between a client and an SSL server. While the session ID is retained by CICS within the SSLDELAY period, CICS can continue to communicate with the client without the significant overhead of an SSL handshake. The value is a number of seconds in the range 0 through 86400. The default value is 600.
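
The ranges and defaults above can be checked before a region is started. The following is an added example, not IBM-supplied code: a small Python linter that reads SIT override text and reports SSL parameters outside the documented ranges. It assumes one KEYWORD=VALUE override per line, treats lines starting with `*` as comments, and stops at `.END`. The SSLCACHE value SYSPLEX comes from the CICS documentation for that parameter rather than this page, and the key ring name is a constructed placeholder.

```python
import re

# Numeric ranges as stated on this page: (low, high, default).
RANGES = {"MAXSSLTCBS": (0, 999, 8), "SSLDELAY": (0, 86400, 600)}
SSL_KEYS = {"CRLPROFILE", "ENCRYPTION", "KEYRING", "SSLCACHE", *RANGES}

def parse_overrides(text):
    """Parse KEYWORD=VALUE lines; '*' lines are comments, '.END' stops parsing."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line.upper() == ".END":
            break
        if not line or line.startswith("*"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9$#@]+)=([^,\s]*),?", line)
        if m and m.group(1).upper() in SSL_KEYS:
            found[m.group(1).upper()] = m.group(2)
    return found

def lint_ssl(text):
    """Return a list of (keyword, message) findings for the SSL parameters."""
    params, findings = parse_overrides(text), []
    for key, (low, high, default) in RANGES.items():
        raw = params.get(key)
        if raw is None:
            findings.append((key, f"not set, default {default} applies"))
        elif not raw.isdigit() or not low <= int(raw) <= high:
            findings.append((key, f"{raw!r} is outside {low} through {high}"))
    if not params.get("KEYRING"):
        findings.append(("KEYRING", "no key ring named for keys and certificates"))
    # SYSPLEX keyword value: from CICS documentation, not from this page.
    if params.get("SSLCACHE", "").upper() == "SYSPLEX":
        findings.append(("SSLCACHE", "sysplex cache is unaffected by PERFORM SSL REBUILD"))
    return findings

# Constructed sample overrides; the key ring name is a placeholder.
SAMPLE = """\
* SSL-related overrides (constructed example)
KEYRING=EXAMPLE.KEYRING,
MAXSSLTCBS=1200,
SSLCACHE=SYSPLEX,
SSLDELAY=86400,
.END
"""

if __name__ == "__main__":
    for key, message in lint_ssl(SAMPLE):
        print(f"{key}: {message}")
```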