SSL with CICS web support
You can use the Secure Sockets Layer (SSL) with HTTP to enable encryption, message authentication, and client and server authentication using certificates. When you have configured CICS® to use SSL, its facilities are available for both CICS as an HTTP server, and CICS as an HTTP client.
When CICS is an HTTP server, you can use SSL to protect an interaction with a web client. You specify appropriate security options on the TCPIPSERVICE definition for the port on which CICS receives the client requests.
As well as specifying the use of SSL, you can require basic authentication or require a client certificate. To give more assistance to web clients, you can allow a client to provide a client certificate, and then register itself to the security manager to supply identification for the CICS environment. You can also allow a client to use self-registration or basic authentication as needed to supply identification. CICS handles all these activities, so, if you are providing an application-generated response, your application does not have to handle this registration. Refer to Creating TCPIPSERVICE resource definitions for CICS web support.
- Use HTTPS as the scheme for the connection.
- Supply a list of cipher suites that you want to use for the connection. You can specify them in the URIMAP definition that you use on the WEB OPEN command for the connection.
- Supply a client certificate. Client certificates are not a requirement for all SSL transactions, but a server might require one for particular transactions. If a server does request a client certificate, you can specify the label of a suitable certificate in the URIMAP definition that you use on the WEB OPEN command for the connection, or on the WEB OPEN command itself. The client certificate must be stored in your security manager key ring. If you use a URIMAP definition but do not specify a certificate label, the default certificate defined in the key ring for the CICS region user ID is used.