Changing TLS protocol level or ciphers safely

If a TLS protocol is compromised, you need to switch to a higher minimum TLS level. If a cipher is compromised, you need to remove the cipher from all TLS connections. To make a change safely, you need to identify whether the compromised protocol or cipher is in use. If it is in use, you need to identify who is using it so that the client or server that CICS® is communicating with can also be upgraded. CICS statistics and monitoring can be used to help you evaluate the TLS protocol levels and ciphers in use and identify the impact of a change to you and your users.

Why evaluate TLS protocol levels or ciphers in use?

Using older or compromised TLS protocol levels or ciphers is a risk. Using higher TLS protocol levels or newer ciphers can mitigate such risks. You might also be asked to switch to a newer TLS protocol level or cipher as a result of a security alert or audit requirement. To achieve this switchover safely, it is important for you to know which protocols or ciphers are in use and by whom. With this knowledge, you can plan and move to more secure options with minimal risk.

Several steps are involved in making such a move:
  1. Identify what TLS protocols or ciphers are in active use by gathering relevant statistics data.
  2. Evaluate whether the older protocols or ciphers are still in use.
  3. Review monitoring data to identify applications that need to upgrade from the older TLS protocol level or from ciphers that are no longer to be used.
  4. Address the applications and ensure they are updated to use the new higher-level TLS protocols.
  5. When all previous steps are complete, update your configuration to use a higher MINTLSLEVEL or remove a cipher.
For more information about TLS protocol information within TCP/IP statistics, see TCP/IP global and TCP/IP Service statistics.

For more information about cipher statistics, see Cipher statistics.

For more information about the data fields SOTLSLVL and SOCIPHER, see Performance data in group DFHSOCK.

Consider these two scenarios, one for removing a lower TLS level and the other for removing a compromised cipher.

Example scenario for removing a previous TLS level

You're advised by a security alert or an auditor that TLS 1.1 is no longer sufficient for your business and you must remove this protocol level. To make this change, all connections between CICS regions and clients or servers must be running at TLS 1.2 or higher.

Connections use the highest level that is supported by both sides. Therefore, if a connection is at TLS 1.1, one side needs to be upgraded or configured to support TLS 1.2.

You can use the available CICS statistics and monitoring to help you with this exercise.
  1. The CICS region must have its MAXTLSLEVEL set to TLS12 or higher.
  2. All connection definitions (TCPIPSERVICE, IPCONN, URIMAP) must include ciphers that are supported by TLS 1.2 or higher.
    Recommended: Use cipher files rather than numeric ciphers.
  3. Gather statistics for the TLS protocols. Set up gathering of statistics to identify the TLS protocols in use by using CEMT PERFORM STATISTICS RECORD. This data gathering needs to be done on all regions with inbound or outbound connections. Only data from new handshakes is collected during the defined gathering period. You must ensure that the gathering period is sufficient to capture the data you require.
  4. Check whether the gathered statistics identified any handshakes for the TLS 1.1 level protocol. See Figure 1 for an example of how the statistics output shows which TLS protocols were involved in handshakes for the selected time period. If you find no cases, you can proceed to step 8.
  5. For more detailed analysis, use the monitoring information to determine which TLS protocol levels were used during the selected monitoring period. The performance data field SOTLSLVL shows which applications used which TLS protocols. You can also use other data in the monitoring results to identify IP addresses and port numbers to assist you with identifying the client or server that is associated with the connection.
  6. Update the associated client or server that is reported as using TLS 1.1. See Figure 2 for the SOTLSLVL information. Other TLS information such as the cipher used, TCP/IP address, and port number is also available.
  7. Run the statistics and monitoring steps again to confirm that no remaining applications use the TLS protocol you want to remove.
  8. Update MINTLSLEVEL to the new minimum protocol level.

Example scenario for removing a compromised cipher

You're advised by a security alert or an auditor that a specific cipher is no longer sufficient for your business and you must remove this cipher.

The cipher depends on the configuration and capabilities of both partners in a connection. The client and the server each provide a list of one or more ciphers that are used as part of the TLS handshake. The cipher that is used is the first one in the server's list that is also in the client's list. Therefore, before you remove a cipher, it is important that other ciphers are available and used.
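The selection rule above, and what it implies for moving a cipher to the end of the server's list before removing it, as an added example (not IBM code). The function names and the three clients are hypothetical; the cipher numbers are the two shown in Figure 1, with 0035 chosen as the cipher to retire purely for illustration.

```python
def negotiate(server_ciphers, client_ciphers):
    """Return the first cipher in the server's list that the client also lists."""
    offered = set(client_ciphers)
    return next((c for c in server_ciphers if c in offered), None)

def retirement_impact(server_ciphers, retire, clients):
    """Per client: cipher chosen now, after `retire` is moved last, after removal."""
    kept = [c for c in server_ciphers if c != retire]
    impact = {}
    for name, client_ciphers in clients.items():
        impact[name] = (
            negotiate(server_ciphers, client_ciphers),
            negotiate(kept + [retire], client_ciphers),
            negotiate(kept, client_ciphers),  # None means the handshake fails
        )
    return impact

def must_upgrade(impact):
    """Clients with no common cipher left once the retired cipher is removed."""
    return sorted(n for n, (_, _, after) in impact.items() if after is None)

# Constructed example: server list in preference order, three hypothetical clients.
SERVER = ["0035", "009D"]
CLIENTS = {
    "both": ["009D", "0035"],   # supports the old and the new cipher
    "legacy-only": ["0035"],    # supports only the cipher being retired
    "gcm-only": ["009D"],       # never used the retired cipher
}
IMPACT = retirement_impact(SERVER, "0035", CLIENTS)

if __name__ == "__main__":
    for name, stages in IMPACT.items():
        print(f"{name:12} now={stages[0]} moved-last={stages[1]} removed={stages[2]}")
    print("must upgrade:", must_upgrade(IMPACT))
```

After the reorder, only clients that cannot use any other cipher still negotiate the retired one, so any handshakes that remain against it in the statistics point at partners that need to be updated before the cipher is removed.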

You can use the available CICS statistics and monitoring to help you with this exercise.
  1. Move the cipher that you want to remove to the end of either:
    • The list in cipher files.
    • The numeric ciphers specified in the CIPHERS options of connection definitions (TCPIPSERVICE, IPCONN, and URIMAP).
    Recommended: Use cipher files rather than numeric ciphers.
  2. Gather statistics for the cipher. Set up gathering of statistics to identify new handshakes that use ciphers by using CEMT PERFORM STATISTICS RECORD. This data gathering needs to be done on all regions with inbound or outbound connections. Only data from new handshakes is collected during the defined gathering period. You must ensure that the gathering period is sufficient to capture the data you require.
  3. Check whether the gathered statistics identified any relevant data for the selected cipher. See Figure 1 for an example of how the statistics output shows which ciphers were used for the selected time period. If you find no cases, then you can proceed to step 7.
  4. For more detailed analysis, use the monitoring information to determine which ciphers were used during the selected monitoring period. See Figure 2 for the SOCIPHER information. You can also use other data in the monitoring results to identify IP addresses and port numbers to assist you with identifying the client or server that is associated with the connection.
  5. Either update the associated clients or servers to add a cipher that is acceptable to the CICS region, or update the CICS cipher files to add a cipher that is acceptable to the clients or servers. This cipher must be in front of the cipher that you want to remove.
  6. Run the statistics and monitoring steps again to confirm that no remaining applications use the ciphers you want to remove.
  7. Remove the cipher definition.
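
The statistics check in both scenarios (step 4 for a TLS level, step 3 for a cipher) can be scripted against the formatted report. The following is an added example, not IBM code: it assumes the row layout shown in Figure 1, the sample report is constructed from that layout, and all function names are hypothetical.

```python
import re

# Constructed sample in the layout of the formatted report shown in Figure 1.
SAMPLE_REPORT = """\
TLS LEVEL
  CICS Configured TLS Level and Handshake Type                   Inbound  Outbound
  TLS 1.1                                                              1         0
  TLS 1.2                                                              0         0
  TOTAL                                                                1         0
  AT-TLS SSL 3                                                         0         0
  AT-TLS 1.1                                                           0         0
  AT-TLS 1.2                                                           1         1
TLS CIPHER STATISTICS
  Number  Cipher Name                                            Inbound  Outbound   Inbound  Outbound
    009D  TLS_RSA_WITH_AES_256_GCM_SHA384                              0         0         1         1
    0035  TLS_RSA_WITH_AES_256_CBC_SHA                                 1         0         0         0
"""

LEVEL_RE = re.compile(r"^\s*(AT-TLS|TLS) (SSL 3|\d\.\d)\s+(\d+)\s+(\d+)\s*$")
CIPHER_RE = re.compile(r"^\s*([0-9A-F]{4})\s+(\S+)" + r"\s+(\d+)" * 4 + r"\s*$")

def rank(level):
    """Order protocol levels; SSL 3 sorts below every TLS level."""
    return (0,) if level.startswith("SSL") else tuple(map(int, level.split(".")))

def parse_report(text):
    """Collect handshake counts per protocol level and per cipher number."""
    levels, ciphers = [], {}
    for line in text.splitlines():  # headings, rules and TOTAL rows match neither
        if m := LEVEL_RE.match(line):
            levels.append((m[1], m[2], int(m[3]), int(m[4])))
        elif m := CIPHER_RE.match(line):
            ciphers[m[1]] = (m[2], sum(int(m[i]) for i in range(3, 7)))
    return levels, ciphers

def below_minimum(text, new_min):
    """Rows with at least one handshake below the planned minimum level."""
    levels, _ = parse_report(text)
    return [row for row in levels
            if rank(row[1]) < rank(new_min) and row[2] + row[3] > 0]

def cipher_handshakes(text, number):
    """Handshakes (all four columns) that used the given cipher number."""
    _, ciphers = parse_report(text)
    return ciphers.get(number.upper(), ("", 0))[1]

if __name__ == "__main__":
    print(below_minimum(SAMPLE_REPORT, "1.2"), cipher_handshakes(SAMPLE_REPORT, "0035"))
```

An empty list from below_minimum, or a count of 0 from cipher_handshakes, across every region's report for the whole gathering period corresponds to the "no cases" condition that lets you skip to the final step.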

Example screens

Figure 1. Statistics data (formatted output)
___________________________________________________________________________________________________________________________________
TLS LEVEL
_________
  CICS Configured TLS Level and Handshake Type                   Inbound  Outbound
  ________________________________________________________________________________
  Full                                                                 1         0
  Abbreviated                                                          0         0

  TLS 1.1                                                              1         0
  TLS 1.2                                                              0         0
  TLS 1.3                                                              0         0
  ________________________________________________________________________________
  TOTAL                                                                1         0
  ________________________________________________________________________________
  AT-TLS SSL 3                                                         0         0
  AT-TLS 1.0                                                           0         0
  AT-TLS 1.1                                                           0         0
  AT-TLS 1.2                                                           1         1
  AT-TLS 1.3                                                           0         0
  ________________________________________________________________________________
  TOTAL                                                                1         1
CICS 7.4.0 Statistics Utility Program                                    Report Date 02/23/2022   Report Time 16:11:39   Page   106
Requested Statistics Report        Collection Date-Time 02/23/2022-16:10:49  Last Reset 16:10:34  Applid IYK4ZON1  Jobname D1
___________________________________________________________________________________________________________________________________
TLS CIPHER STATISTICS
_____________________
                                                                     TLS       TLS    AT-TLS    AT-TLS
  Number  Cipher Name                                            Inbound  Outbound   Inbound  Outbound
  ____________________________________________________________________________________________________
    009D  TLS_RSA_WITH_AES_256_GCM_SHA384                              0         0         1         1
    0035  TLS_RSA_WITH_AES_256_CBC_SHA                                 1         0         0         0
Figure 2. Monitoring data (formatted output)
___________________________________________________________________________________________________________________________________
SDSF OUTPUT DISPLAY MONDSERV JOB68349  DSID   111 LINE  CHARS
COMMAND INPUT ===>
         DFHCICS  P362     OTRANNUM         0000045C                                          45
         DFHCICS  C363     OTRAN            C3E6E7D5                                      CWXN
         DFHCICS  C364     OUSERID          C7C2F1F2 F2F04040                             GB1220
            ...
         DFHCICS  C366     OTCPSVCE         E6C5C2E3 D3E24040                             WEBTLS
         DFHCICS  A367     OPORTNUM         0000271F                                       10015
         DFHCICS  C372     OCLIPADR         F94BF2F0 40404040 40404040 40404040 40404040  9.20.5.0
                                   +X0014   40404040 40404040 40404040 40404040 40404040
         DFHCICS  A369     OCLIPORT         0000FA66                                       641020
         DFHCICS  A370     OTRNFLAG         8000804009800000
         DFHCICS  C371     OFCTYNME         5C5CE2E3 C55C5C40                             **STE**
         DFHWEBB  C380     WBURIMNM         00000039 F14BF240                             DFH$URI4
            ...
         DFHWEBB  C385     WBPROGNM         00000039 F14BF240                             DFH$WBHC
            ...
         DFHCICS  P376     PHTRANNO         0000000C                                           0
            ...
         DFHSOCK  A458     SOFLAG           40000000
         DFHSOCK  C457     SOTLSLVL         E3D3E2E5 F14BF240                             TLSV1.2
         DFHSOCK  A320     SOCIPHER         00000039 F14BF240                                 57
         DFHTASK  C430     CECMCHTP         F3F9F0F6                                      3906