TCPIPSERVICE attributes for SSL

Descriptions of the attributes of the TCPIPSERVICE resource that relate to SSL.

About this task

The following attributes of the TCPIPSERVICE resource relate to SSL:
AUTHENTICATE
Specifies the authentication and identification scheme to be used for inbound TCP/IP connections for the HTTP protocol. The HTTP protocol supports the following authentication schemes:
NO
The client is not required to send authentication or identification information.
BASIC
HTTP basic authentication is used to obtain a user ID and password from the client.
CERTIFICATE
SSL client certificate authentication is used to authenticate and identify the client.
AUTOREGISTER
SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS® will register the certificate.
AUTOMATIC
If the client sends a certificate, SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS will register the certificate. If the client does not send a certificate, then HTTP Basic authentication is used to obtain a user ID and password from the client.
CERTIFICATE
Specifies the label of the server certificate used during the SSL handshake. If this attribute is omitted, the default certificate defined in the key ring for the CICS region user ID is used.
CIPHERS
The CIPHERS attribute can be specified in either of two ways:
  • A string of up to 56 hexadecimal digits that is interpreted as a list of up to 28 2-digit cipher suite codes.
  • The name of the SSL cipher suite specification file, which is a z/OS® UNIX file in the security/ciphers subdirectory of the directory that is specified by the USSCONFIG system initialization parameter. For example, if USSCONFIG is set to /var/cicsts/dfhconfig and CIPHERS is set to strongciphers.xml, the fully qualified file name is /var/cicsts/dfhconfig/security/ciphers/strongciphers.xml. For more information, see SSL cipher suite specification file.

When you use the CEDA transaction to define the resource, CICS automatically initializes the attribute with a default list of acceptable codes. For CICS to initialize the attribute, the KEYRING system initialization parameter must be specified in the CICS region where you are running CEDA. If KEYRING is not set, CICS does not initialize the attribute. The default list of codes is 35363738392F303132330A1613100D15120F0C unless the system initialization parameter NISTSP800131A=CHECK is set, in which case it is 35363738392F303132330A1613100D.

You can reorder the cipher codes or remove them from the initial list. However, you cannot add cipher codes that are not in the default list for the specified encryption level. To reset the value to the default list of codes, delete all of the cipher suite codes. The field is automatically repopulated with the default list.

For more information, see Cipher suites.
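As an added example (not part of the CICS documentation), a small Python checker that interprets a CIPHERS value the way the attribute description above lays out: it splits a hex string into two-digit cipher suite codes, reports any code that is not in the default list (codes outside the default list cannot be added), substitutes the default list when the value is empty, and resolves a file name against USSCONFIG. The USSCONFIG default path and the rule that an all-hexadecimal value is read as a code list rather than a file name are assumptions made for this example.

```python
import re

# Default code lists quoted from the page; CICS uses the shorter one when
# the NISTSP800131A=CHECK system initialization parameter is set.
DEFAULT_CIPHERS = "35363738392F303132330A1613100D15120F0C"
DEFAULT_CIPHERS_NIST = "35363738392F303132330A1613100D"
MAX_HEX_DIGITS = 56  # up to 28 two-digit cipher suite codes


def split_codes(hex_value):
    """Split a CIPHERS hex string into its two-digit cipher suite codes."""
    v = hex_value.strip().upper()
    if not re.fullmatch(r"[0-9A-F]+", v):
        raise ValueError("CIPHERS hex string must contain only hexadecimal digits")
    if len(v) % 2 or len(v) > MAX_HEX_DIGITS:
        raise ValueError("CIPHERS hex string must hold 1..28 two-digit codes")
    return [v[i:i + 2] for i in range(0, len(v), 2)]


def interpret_ciphers(value, nist_check=False, ussconfig="/var/cicsts/dfhconfig"):
    """Describe what CICS would see for a CIPHERS value.

    Returns a dict with 'kind' ('default', 'hex' or 'file') plus either the
    list of codes and any codes that are not in the default list (which CICS
    does not allow you to add), or the resolved specification file path.
    The ussconfig default is an assumption for this example.
    """
    default_codes = split_codes(DEFAULT_CIPHERS_NIST if nist_check else DEFAULT_CIPHERS)
    v = value.strip()
    if v == "":
        # Deleting every code in CEDA makes CICS repopulate the default list.
        return {"kind": "default", "codes": default_codes, "unknown": []}
    if re.fullmatch(r"[0-9A-Fa-f]+", v):
        # Assumption: an all-hex value is taken as a code list, not a file name.
        codes = split_codes(v)
        return {"kind": "hex", "codes": codes,
                "unknown": [c for c in codes if c not in default_codes]}
    if "/" in v:
        # Assumption: the file must sit in security/ciphers, so reject path components.
        raise ValueError("CIPHERS file name must not contain a path separator")
    return {"kind": "file", "path": f"{ussconfig}/security/ciphers/{v}", "unknown": []}
```

Running interpret_ciphers("15120F0C", nist_check=True) flags all four codes as unknown, which shows which suites the NISTSP800131A=CHECK default drops.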

PORTNUMBER
Specifies the number of the port on which CICS is to listen for incoming client requests. The well-known port for SSL services supported by CICS is 443, for HTTP with SSL.
SSL
Specifies whether the TCP/IP service is to use SSL for encryption and authentication. If you are running CICS TS with z/OS 1.13, then any option other than NO requires that PTFs OA37102 and OA39422 are applied to z/OS:
NO
SSL is not to be used.
YES
An SSL session is to be used; CICS will send a server certificate to the client.
CLIENTAUTH
An SSL session is to be used; CICS will send a server certificate to the client, and the client must send a client certificate to CICS.
ATTLSAWARE
CICS queries the client connection to determine whether AT-TLS is active. CICS retrieves a client certificate from TCP/IP if one was provided by the partner.
Note: If you specify SSL(ATTLSAWARE), you must also specify PROTOCOL(HTTP).