How to configure TLS from CICS
Configure a TLS connection from CICS® to an IBM® z/OS® Connect server.
Applies to zosConnect-2.0.
This task is applicable when z/OS Connect is used as an API requester.
About this task
You can use TLS to secure your connection between CICS and your z/OS Connect server.
To configure a TLS connection from CICS to your IBM z/OS Connect server, customize the supplied
URIMAP BAQURIMP, specifying:
- USAGE(CLIENT), because CICS is the HTTP client.
- SCHEME(HTTPS), to enable the HTTPS connection.
- PORT, to specify the HTTPS port of the IBM z/OS Connect server. See the note that follows.
- Optionally, CIPHERS(value), to specify the cipher suites that CICS offers in the TLS handshake.
Note: If an AT-TLS policy is in place, for example an outbound AT-TLS policy that covers this connection, SCHEME in
the URIMAP must be HTTP, but PORT must still specify the HTTPS port of the IBM z/OS Connect server. Otherwise, both CICS System SSL and AT-TLS attempt to perform a TLS handshake on the same connection, and
messages like the following are displayed:
DFHSO0123 05/11/2020 11:59:41 CICSZA51 Return code 410 received from function gsk_secure_socket_init of System SSL. Reason: Handshake abandoned by peer. Peer: <redacted ip address>, TCPIPSERVICE: *NONE*
BAQT0008E 2020/05/11 11:59:41 Socket error.
If the z/OS Connect server requires TLS client
authentication, you must also customize the supplied URIMAP BAQURIMP to add:
- CERTIFICATE(label), where label is the label of the X.509 certificate, in the key ring of the CICS region user ID, that CICS presents as its client certificate during the TLS handshake.
For more information, see CICS as an HTTP client: authentication and identification, and URIMAP resource definitions, in the CICS Transaction Server for z/OS documentation.
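The customizations above as one complete DFHCSDUP job. This is an added example, not the BAQURIMP definition shipped with z/OS Connect or text from the CICS documentation. The group names BAQGRP and BAQATTLS, the load-library and CSD data set names, the host zosconnect.example.com, the port 9443, the PATH value, the cipher file name defaultciphers.xml (the CICS-supplied default, assumed to be present in your USSCONFIG/security/ciphers directory) and the certificate label ZCEECLNT are all placeholders to replace with your own values. The second definition, kept in its own group so only one is installed, is the variant for the AT-TLS case in the note above: SCHEME(HTTP) with the HTTPS port, and no CIPHERS or CERTIFICATE, because the AT-TLS policy supplies those.

```jcl
//CSDUPD   JOB (ACCT),'URIMAP FOR ZCEE',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example: define the customized BAQURIMP with DFHCSDUP.
//* Data set names, group names, host, port, path and labels are
//* placeholders, not values from the z/OS Connect or CICS documentation.
//*
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.CICS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.CICS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Variant 1: CICS System SSL performs the TLS handshake itself.
* USAGE(CLIENT) because CICS is the HTTP client, SCHEME(HTTPS) for TLS,
* PORT is the HTTPS port of the z/OS Connect server, CIPHERS limits the
* suites CICS offers, CERTIFICATE names the client certificate that is
* presented if the server requires TLS client authentication.
DEFINE URIMAP(BAQURIMP) GROUP(BAQGRP)
       DESCRIPTION(TLS client URIMAP to zOS Connect API requester)
       STATUS(ENABLED) USAGE(CLIENT)
       SCHEME(HTTPS)
       HOST(zosconnect.example.com)
       PORT(9443)
       PATH(/)
       CIPHERS(defaultciphers.xml)
       CERTIFICATE(ZCEECLNT)
*
* Variant 2: an outbound AT-TLS policy already covers this connection.
* SCHEME must be HTTP so that System SSL does not also start a
* handshake (DFHSO0123 / BAQT0008E), but PORT is still the HTTPS port.
* Cipher suites and the client certificate come from the AT-TLS policy,
* so CIPHERS and CERTIFICATE are omitted here.
DEFINE URIMAP(BAQURIMP) GROUP(BAQATTLS)
       DESCRIPTION(URIMAP to zOS Connect with TLS provided by AT-TLS)
       STATUS(ENABLED) USAGE(CLIENT)
       SCHEME(HTTP)
       HOST(zosconnect.example.com)
       PORT(9443)
       PATH(/)
/*
```

Install only the group that matches your environment, for example CEDA INSTALL GROUP(BAQGRP), then confirm the installed attributes with CEMT INQUIRE URIMAP(BAQURIMP). If SCHEME shows HTTPS while an outbound AT-TLS rule also matches the port, the first API requester call fails with the DFHSO0123 and BAQT0008E messages quoted above; switching to the BAQATTLS variant resolves it.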
If you use a site certificate in a TLS connection from CICS to z/OS Connect, you must connect the
site certificate to the CICS key ring with a usage of PERSONAL; a site certificate connected with its default usage cannot be presented by CICS. For more information, see Configuring a RACF site certificate for use with CICS TS in the
CICS Transaction Server for z/OS documentation.
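The key-ring side of the client-authentication and site-certificate steps above, as an added example rather than anything from the z/OS Connect or CICS documentation. It assumes RACF, a CICS region user ID CICSUSER, a key ring CICSRING that is named in the CICS KEYRING system initialization parameter, a site certificate already added to RACF with the label ZCEECLNT (matching the URIMAP CERTIFICATE attribute), and a CA certificate labelled ZCEE CA that signed the z/OS Connect server certificate; every one of these names is a placeholder. DEFAULT on the site certificate is optional when CERTIFICATE(label) is coded on the URIMAP, because CICS falls back to the ring's default certificate only when no label is specified.

```jcl
//RACFRING JOB (ACCT),'CICS KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example: build the CICS region key ring used for TLS from
//* CICS to z/OS Connect. User ID, ring name and labels are placeholders.
//*
//* ADDRING   creates the ring owned by the CICS region user ID.
//* CONNECT   of the SITE certificate with USAGE(PERSONAL) is what lets
//*           CICS use its private key as the TLS client certificate;
//*           connecting it with the default usage (SITE) does not.
//* CONNECT   of the CERTAUTH certificate adds the CA that signed the
//*           z/OS Connect server certificate, so that CICS can validate
//*           the server during the handshake.
//* LISTRING  is the check: ZCEECLNT must show as PERSONAL (and DEFAULT),
//*           ZCEE CA as CERTAUTH.
//* SETROPTS  REFRESH makes the change visible if DIGTCERT is RACLISTed.
//*
//TSO      EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CICSUSER) ADDRING(CICSRING)
  RACDCERT ID(CICSUSER) CONNECT(SITE LABEL('ZCEECLNT') +
           RING(CICSRING) USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(CICSUSER) CONNECT(CERTAUTH LABEL('ZCEE CA') +
           RING(CICSRING))
  RACDCERT ID(CICSUSER) LISTRING(CICSRING)
  SETROPTS RACLIST(DIGTCERT) REFRESH
/*
```

CICS caches the key ring at start-up, so after changing it either restart the region or issue CEMT PERFORM SSL REBUILD to reload the ring before retrying the API requester call.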