Making your CICS TS system conformant to NIST SP800-131A

To make your system SP800-131A conformant, update various SIT parameters and resource attributes to use suitable cipher suites and certificates.

About this task

Conformance to the National Institute of Standards and Technology (NIST) SP800-131A security standard strengthens security by requiring the use of stronger cryptographic keys and more robust algorithms.

Full details of the NIST standards are available at the National Institute of Standards and Technology website (csrc.nist.gov).

Procedure

To make your system conformant to NIST SP800-131A, complete the following steps:

  1. Set the NISTSP800131A system initialization parameter to NISTSP800131A=CHECK.
  2. Set the ENCRYPTION system initialization parameter to ENCRYPTION=TLS12.
  3. Set the KEYRING system initialization parameter to the name of a key ring that is populated with NIST SP800-131A conformant certificates.
  4. Set the USSCONFIG system initialization parameter to the name and path of the root directory for CICS® Transaction Server configuration files on z/OS® UNIX.
    This directory must have a /security/ciphers/ subdirectory, which contains at least one SSL cipher suite specification file. For more information, see SSL cipher suite specification file.
  5. Update any TCPIPSERVICE, IPCONN, or URIMAP definitions, setting the CIPHERS attribute to the name of an SSL cipher suite specification file that contains SP800-131A conformant cipher suites.
    The sample file fipsciphers.xml is suitable.
  6. Update any TCPIPSERVICE, IPCONN, or URIMAP definitions, setting the CERTIFICATE attribute to the name of an SP800-131A conformant certificate label.
    Any outbound HTTP application that uses SSL must also use an SP800-131A conformant certificate on any EXEC CICS WEB OPEN command. If you use the key ring default certificate with any of these resource definitions or with the WEB OPEN command, ensure that the key ring default certificate is SP800-131A conformant.
  7. If you use the CICSPlex® SM Web User Interface (WUI) to connect to CICS, set the TCPIPSSLCIPHERS WUI server initialization parameter to the name of an SSL cipher suite specification file that contains SP800-131A conformant cipher suites.
    The sample file fipsciphers.xml is suitable.
  8. If you use the CICSPlex SM WUI to connect to CICS, set the TCPIPSSLCERT WUI server initialization parameter to the name of an SP800-131A conformant certificate label.
    If you use the key ring default certificate, ensure that it is SP800-131A conformant.
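As an added check that is not part of this IBM documentation, the following Python script, run from a client machine after you complete the procedure, confirms what the steps above and the next section require: the CICS listener negotiates only TLS 1.2 and selects a cipher suite from your allow list. The host, port, and the cipher names in ALLOWED_CIPHERS are assumptions; replace the names with the suites listed in your own cipher suite specification file.

```python
import socket
import ssl

# Constructed allow list in the OpenSSL naming that Python's ssl module reports.
# These entries are assumptions; copy the suites from your own cipher file.
ALLOWED_CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
}

def evaluate_session(protocol, cipher, allowed=ALLOWED_CIPHERS):
    """Return (ok, reason): ok only if TLS 1.2 and an allow-listed suite were used."""
    if protocol != "TLSv1.2":
        return False, "protocol %s negotiated, expected TLSv1.2" % protocol
    if cipher not in allowed:
        return False, "cipher %s is not in the allow list" % cipher
    return True, "TLSv1.2 with %s" % cipher

def probe(host, port, cafile=None, timeout=10):
    """Handshake with host:port as a TLS 1.2-only client and evaluate the result."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # A server with no common cipher suite raises ssl.SSLError here.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return evaluate_session(tls.version(), name)

def downgrade_rejected(host, port, timeout=10):
    """True if the server refuses a client that offers only TLS 1.0/1.1,
    which is the expected behaviour of an ENCRYPTION=TLS12 system.
    The client's own OpenSSL must still permit TLS 1.0/1.1 for this to be meaningful."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate is not the point of this probe
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                tls.version()
        return False
    except (ssl.SSLError, ConnectionError):
        return True
```

Run probe("cics.example.invalid", 443) and downgrade_rejected("cics.example.invalid", 443) against your own listener; both names are placeholders.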

What to do next

Any clients that connect to CICS must be SP800-131A conformant and must support TLS 1.2. To be conformant, they must be capable of using SP800-131A conformant cipher suites and, if they use certificates, SP800-131A conformant certificates.

Any partner CICS system must use ENCRYPTION=TLS12 or ENCRYPTION=ALL to communicate with an ENCRYPTION=TLS12 system, and it must be configured to use cipher suites and certificates that are SP800-131A conformant.

Note: If you set NISTSP800131A=CHECK, CICS takes the following actions:
  • When a JVM Server is started, CICS sets the Java™ properties to make Java NIST SP800-131A conformant.
  • If you use SAML and sign outbound messages, CICS issues message DFHXS1300 to warn you to check that the certificates used are conformant.
  • If you use WS-Security, CICS issues message DFHXS1301 because CICS support of WS-Security is not conformant with NIST SP800-131A.