Customizing encryption negotiations

You can select the cipher suites that are used in the encryption negotiation process for SSL connections, to set a minimum level and a maximum level of encryption.

About this task

The CIPHERS attribute on the resource definitions TCPIPSERVICE, IPCONN, and URIMAP specifies the cipher suites that can be used for each encryption level. The default value of the attribute is the list of 2-digit codes for the cipher suites that are used in encryption negotiations. You have the option of customizing this list of cipher suites to include your order of preference for the encryption levels at which CICS® negotiates with clients. You can also choose to remove cipher suites from the list. This option is useful if you want to ensure that only a very high level of encryption is used.

You can customize the list either by editing the list of codes directly or by setting the CIPHERS attribute to the name of an SSL cipher suite specification file, in which you have specified the cipher suites to be used. The SSL cipher suite specification file is a z/OS® UNIX file in the security/ciphers subdirectory of the directory that is specified by the USSCONFIG system initialization parameter. For more information, see SSL cipher suite specification file.

You can check which cipher suites are being selected for SSL inbound connections from each CICS region. The performance data field SOCIPHER (320) in the DFHSOCK group shows the code for the cipher suite that was used for each SSL inbound connection. Use this information to identify any cipher suites that are offered by the CICS region but are not being selected for SSL connections. You can also identify any less efficient or less secure cipher suites that are being selected for SSL connections, but that you would prefer to eliminate.

You cannot include cipher suites on the list that are not in the default values for your level of encryption.

For a list of cipher suites that are supported by CICS and z/OS, see Cipher suites.

Procedure

  1. Select the resource definition that you want to change.
    The CIPHERS attribute displays the default value.
  2. Edit the attribute value to remove and reorder the cipher suites or to specify the name of the SSL cipher suite specification file.
    For example, you could specify 352F0A or strongciphers.xml.
  3. Save the resource definition.

Example

Specifying 352F0A means that CICS does not negotiate below 128-bit encryption for SSL connections that use this resource. Each of the 2-digit codes in the attribute, for example 35, 2F, and 0A, refers to cipher suites that have at least 128-bit encryption. CICS starts by trying to negotiate using the AES cipher suites 35 and 2F, because these cipher suites are first in the list. If the client does not have this level of encryption, CICS closes the connection.

Specifying strongciphers.xml means that CICS uses the ciphers listed in the cipher file located at ussconfig/security/ciphers/strongciphers.xml, where ussconfig is the value of the SIT parameter USSCONFIG.
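The following Python script is an added example and is not part of the CICS documentation or product. It shows how a CIPHERS code list such as 352F0A is split into its ordered 2-digit codes, how a customized list is checked against the rule that only suites from the default list may be kept, and how SOCIPHER (320) values collected from DFHSOCK records can be compared with the offered list to find suites that are offered but never selected. The cipher suite names are the standard IANA TLS names for those codes; the SOCIPHER values are constructed sample data, and the check for a specification file name relies on the .xml convention used in the example above.

```python
"""Added example (not from the CICS documentation): working with a CIPHERS
attribute value and SOCIPHER performance data. Cipher suite names are the
standard IANA TLS names; the SOCIPHER sample values are constructed."""

import re
from collections import Counter

# Standard IANA TLS cipher suite names for the codes used in the
# documentation's 352F0A example.
SUITE_NAMES = {
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_ciphers(value: str) -> list[str]:
    """Split a CIPHERS value such as '352F0A' into its 2-digit codes, in the
    order CICS tries them. A value ending in .xml names an SSL cipher suite
    specification file (assumption based on the strongciphers.xml example)
    and is not a code list."""
    value = value.strip()
    if value.lower().endswith(".xml"):
        raise ValueError(f"{value!r} names a cipher suite specification file, not a code list")
    if len(value) % 2 != 0 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError(f"CIPHERS value {value!r} is not a sequence of 2-digit hex codes")
    return [value[i:i + 2].upper() for i in range(0, len(value), 2)]


def customize_ciphers(default_value: str, preferred: list[str]) -> str:
    """Build a new CIPHERS value from `preferred` (codes in the order CICS
    should try them). Codes not present in the region's default list are
    rejected, matching the rule that only default suites may be listed."""
    allowed = set(parse_ciphers(default_value))
    result = []
    for code in preferred:
        code = code.upper()
        if code not in allowed:
            raise ValueError(f"cipher suite {code} is not in the default list {default_value}")
        if code not in result:  # drop accidental duplicates, keep first position
            result.append(code)
    return "".join(result)


def review_socipher(ciphers_value: str, socipher_records: list[str]) -> dict:
    """Compare the suites offered by a resource (its CIPHERS value) with the
    SOCIPHER codes observed in DFHSOCK records for that resource. Reports
    offered suites that were never selected (candidates for removal), how
    often each selected suite was used, and any selected code that is not in
    the offered list (which would indicate a data or configuration mismatch)."""
    offered = parse_ciphers(ciphers_value)
    selected = Counter(code.upper() for code in socipher_records)
    return {
        "never_selected": [c for c in offered if c not in selected],
        "selected_counts": dict(selected),
        "selected_not_offered": sorted(set(selected) - set(offered)),
    }


# Constructed sample SOCIPHER (field 320) values, as they might be collected
# from DFHSOCK records for one TCPIPSERVICE whose CIPHERS value is 352F0A.
SAMPLE_SOCIPHER = ["35", "35", "2F", "35", "2F", "2F", "35"]

if __name__ == "__main__":
    for code in parse_ciphers("352F0A"):
        print(code, SUITE_NAMES.get(code, "(see the Cipher suites reference)"))
    report = review_socipher("352F0A", SAMPLE_SOCIPHER)
    print(report)
    # 0A was offered but never selected in the sample: drop it, keep 35 first.
    print(customize_ciphers("352F0A", ["35", "2F"]))
```

Run the script as-is to see the breakdown of 352F0A, the SOCIPHER review for the constructed sample (which flags 0A as never selected), and the resulting customized value 352F; in practice the SOCIPHER list would be fed from the region's own DFHSOCK performance records.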