NISTSP800131A

The NISTSP800131A system initialization parameter specifies whether the CICS® region is to check for conformance to the NIST SP800-131A standard.

NISTSP800131A={NOCHECK|CHECK}
NOCHECK
Conformance checking is not required in this CICS region. This is the default value.
CHECK
The CICS region is required to check for conformance with the NIST SP800-131A security standard. If this value is set, CICS issues a message if an actual or potential violation is detected.

This option also causes the CICS SSL environment to use only TLS 1.2 with FIPS 140-2 standards applied.

The checks that are performed are as follows:
Web services

If the <wsse_handler> tag is specified in a pipeline configuration file, it implies that the pipeline is to be used for web services security. Because not all of the encryption algorithms that can be used for web services security are SP800-131A conformant, installing a pipeline that uses web services means that CICS might be non-conformant. CICS issues message DFHXS1300, which warns of potential nonconformance.

If you receive message DFHXS1300, check whether you are using DFHWSSE as the web services security handler. If you are not using DFHWSSE, inspect your security handler to check which encryption and signing algorithms it uses. If these algorithms are SP800-131A conformant, you can ignore the message. If they are not conformant, consider whether to use conformant algorithms instead. Otherwise, if the CICS region that issues the message must be conformant, consider moving the web service security workload to a different CICS region where conformance is not required.

CICS also checks for certain things that are not conformant to SP800-131A. If any of these situations are found, CICS issues message DFHXS1301:
  • An <algorithm> element exists within the <authentication> element of the <wsse_handler> definition in the pipeline configuration file. The only algorithms that can be used are SHA-1 routines, which are not conformant with NIST SP800-131A.
  • A <sign_body> element exists in the pipeline configuration file. The only algorithms that can be used are SHA-1 routines, which are not conformant with SP800-131A.
  • An <encrypt_body> element exists in the pipeline configuration file. Of the four algorithms that can be used, three are conformant with SP800-131A but one is not. If the nonconformant algorithm is specified, DFHXS1301 is issued.

If you receive message DFHXS1301, consider not performing the encryption or signing operations in this CICS region. If the nonconformant algorithm is specified in the <encrypt_body> element, consider using a conformant algorithm.
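As an added example (not IBM's code or part of this topic), the following Python script applies the DFHXS1300 and DFHXS1301 conditions described above to a pipeline configuration file before it is installed. The sample configuration is constructed; this topic does not name which of the four <encrypt_body> algorithms is nonconformant, so treating the xmlenc tripledes-cbc URI as that algorithm is an assumption.

```python
"""Pre-install lint for CICS pipeline configuration files under NISTSP800131A=CHECK."""
import xml.etree.ElementTree as ET

# Assumption: the <encrypt_body> algorithm URI treated as the nonconformant one.
# The CICS topic only says that one of the four usable algorithms is nonconformant.
NONCONFORMANT_ENCRYPT_ALGS = {"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"}


def _local(tag):
    """Strip an XML namespace prefix ({uri}name) so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]


def check_pipeline(xml_text):
    """Return a list of (message_id, reason) pairs for the conditions CICS would report."""
    findings = []
    root = ET.fromstring(xml_text)
    if any(_local(e.tag) == "wsse_handler" for e in root.iter()):
        # Potential nonconformance: the pipeline is used for web services security.
        findings.append(("DFHXS1300", "<wsse_handler> present: web services security in use"))
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "authentication" and any(_local(c.tag) == "algorithm" for c in elem):
            findings.append(("DFHXS1301", "<algorithm> inside <authentication> (SHA-1 only)"))
        elif name == "sign_body":
            findings.append(("DFHXS1301", "<sign_body> present (SHA-1 only)"))
        elif name == "encrypt_body":
            alg = elem.get("algorithm", "")
            if alg in NONCONFORMANT_ENCRYPT_ALGS:
                findings.append(("DFHXS1301", f"<encrypt_body> uses nonconformant {alg}"))
    return findings


# Constructed sample: a pipeline that would trigger both messages.
SAMPLE_PIPELINE = """<?xml version="1.0" encoding="UTF-8"?>
<service>
  <service_handler_list>
    <wsse_handler>
      <dfhwsse_configuration version="1">
        <authentication>
          <algorithm>http://www.w3.org/2000/09/xmldsig#rsa-sha1</algorithm>
        </authentication>
        <encrypt_body algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc">
          <certificate_label>ENCCERT02</certificate_label>
        </encrypt_body>
      </dfhwsse_configuration>
    </wsse_handler>
  </service_handler_list>
</service>"""

if __name__ == "__main__":
    for msg_id, reason in check_pipeline(SAMPLE_PIPELINE):
        print(msg_id, reason)
```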

Sockets

If SSL is active, setting NISTSP800131A=CHECK forces ENCRYPTION=TLS12 if it is not already set. If ENCRYPTION=TLS12 is forced, message DFHSO0144 is issued. The sockets domain initializes the SSL environment with the FIPS option on, and the System SSL started task runs in FIPS mode. The effect is that SSL allows fewer ciphers to be negotiated in a successful handshake.

To use FIPS with z/OS® Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system. If you have not already done so, apply APAR OA14956 to z/OS.

If SSL is inactive because no KEYRING parameter is specified, then setting NISTSP800131A has no effect on sockets domain.

JVM servers

When a JVM server is started, CICS sets the Java™ properties to make Java NIST SP800-131A conformant.

If you set NISTSP800131A=CHECK, you should also set ENCRYPTION=TLS12. However, if you do not do so, CICS overrides the value of ENCRYPTION to ENCRYPTION=TLS12 and issues a warning message.