ENCRYPTION

The ENCRYPTION system initialization parameter specifies the protocols that CICS uses for secure TCP/IP connections.

The protocols determine which cipher suites can be used. Protocols for TLS 1.1 can only be entered by using XML files that are associated with the resource definition. For more information, see SSL cipher suite specification file.

ENCRYPTION={ALL|TLS12FIPS|STRONG|SSLV3}
When a secure connection is established between a pair of processes, the most secure cipher suite that is supported by both is used. Determine the level of TLS that needs to be supported and set the ENCRYPTION parameter accordingly.
ALL
Supports TLS 1.0, 1.1, and 1.2.
Note: If you are running CICS® TS with z/OS® 1.13, using ENCRYPTION=ALL requires that PTFs OA37102 and OA39422 are applied to z/OS and that PTF PM97207 is applied to CICS TS.
TLS12FIPS
Supports TLS 1.2 only with FIPS 140-2 standards applied.
STRONG
Supports TLS 1.0 only. This is the default value.
SSLV3
Supports SSL 3.0 and TLS 1.0. SSL 3.0 should only be used for a migration period while clients that still require this protocol are upgraded.

For more information about cipher suites, see Cipher suites.

CICS can use only the cipher suites that are supported by the underlying z/OS operating system.

If you specify ENCRYPTION=TLS12FIPS, you must use a NIST-compliant certificate. For more information, see Making your CICS TS system compliant with NIST SP800-131A.

To use TLS12FIPS with z/OS Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system. If you have not already done so, apply APAR OA14956 to z/OS.
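
An added example, not part of the IBM documentation: a Python check that reads a SIT override deck, works out the ENCRYPTION value in effect (falling back to the STRONG default when the parameter is absent), and lists the enabled protocols that fall below a required minimum. The deck syntax handled (comment records starting with `*`, an `.END` terminator, last occurrence wins), the TLS 1.2 minimum, and all sample deck contents are assumptions made for the example.

```python
import re

# Protocols enabled by each ENCRYPTION value, as listed on this page.
PROTOCOLS = {
    "ALL": {"TLS 1.0", "TLS 1.1", "TLS 1.2"},
    "TLS12FIPS": {"TLS 1.2"},
    "STRONG": {"TLS 1.0"},
    "SSLV3": {"SSL 3.0", "TLS 1.0"},
}
DEFAULT = "STRONG"  # default value stated on this page
ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # weakest to strongest

def effective_encryption(deck):
    """Return the ENCRYPTION value in effect for a SIT override deck.
    Assumed syntax: '*' in column 1 marks a comment record, .END stops
    processing, and the last occurrence of a keyword wins."""
    value = DEFAULT
    for record in deck.splitlines():
        if record.startswith("*"):
            continue
        if record.strip().upper().startswith(".END"):
            break
        for match in re.finditer(r"\bENCRYPTION=(\w+)", record.upper()):
            value = match.group(1)
    return value

def audit(deck, minimum="TLS 1.2"):
    """Return (value, enabled protocols, protocols below the minimum)."""
    value = effective_encryption(deck)
    if value not in PROTOCOLS:
        raise ValueError(f"unrecognised ENCRYPTION value: {value}")
    enabled = sorted(PROTOCOLS[value], key=ORDER.index)
    below = [p for p in enabled if ORDER.index(p) < ORDER.index(minimum)]
    return value, enabled, below

# Constructed sample decks (region names and keyring name are made up).
REGION_A = "* ENCRYPTION=ALL\nSEC=YES,\nKEYRING=CICSRING,\nENCRYPTION=SSLV3,\n.END\n"
REGION_B = "SEC=YES,\nKEYRING=CICSRING,\n.END\nENCRYPTION=ALL\n"
REGION_C = "ENCRYPTION=ALL,\nSEC=YES,\nENCRYPTION=TLS12FIPS\n.END\n"

if __name__ == "__main__":
    for name, deck in [("A", REGION_A), ("B", REGION_B), ("C", REGION_C)]:
        value, enabled, below = audit(deck)
        print(f"region {name}: ENCRYPTION={value} enables {enabled}; "
              f"below minimum: {below or 'none'}")
```

Region B shows the case that is easiest to miss in a review: a deck with no ENCRYPTION keyword still enables TLS 1.0 only, because of the default.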



Last updated: Thursday, 27 June 2019