HTTPS protocol settings

You define the parameters for the HTTPS protocol in the GATEWAY section of the configuration file.

You can use the CICS® Transaction Gateway configuration tool to configure the HTTPS protocol settings, or edit the parameters in the configuration file directly. If you edit the configuration file using a text editor, refer to HTTPS protocol parameters.

Bind address

The bind parameter specifies the IP address or name of the host to which the protocol handler is bound.

bind=<name>
Description
Set the value to the IP address or name of the host. If you specify an IP address, it can be in the IPv6 format; for example, 3ffe:307:8:0:260:97ff:fe40:efab. If you specify a host name, it is resolved on startup.

This parameter is in the HTTPS protocol parameters subsection of the GATEWAY section of the configuration file.

Default value
If the bind parameter is not specified or is blank, the default behavior is to bind to all IP addresses.
Configuration Tool
In the Configuration Tool, you can set the value of bind in the Bind address field in the HTTPS settings pages.

Port

The port parameter specifies the TCP/IP port number on which the protocol handler listens for incoming client requests.

port=<number>
Description
Set the value in the range 1 - 65,535 to specify the port number.

On Windows, you can use the ctgservice command with the -httpsport option to override the value of the port parameter. On UNIX and Linux, you can use the ctgstart command with the -httpsport option to override the value of the port parameter. For more information, see the Command reference.

This parameter is in the HTTPS protocol parameters subsection of the GATEWAY section of the configuration file.

Default value
This is a mandatory parameter. There is no default value.
Configuration Tool
In the Configuration Tool, you can set the value of port in the Port field in the HTTPS settings pages.

Use client authentication

The clientauth parameter determines if client authentication is enabled.

clientauth=<on>
Description
Include clientauth=on in the configuration file to specify that any client that attempts to connect using the SSL protocol handler must present its own client certificate.

This parameter is in the HTTPS protocol parameters subsection of the GATEWAY section of the configuration file.

Default value
By default, client authentication is not enabled.
Configuration Tool
In the Configuration Tool, you can include clientauth=on in the configuration file by selecting the Use client authentication check box in the HTTPS settings pages.

Use only these ciphers

Use the ciphersuites parameter to restrict the set of cipher suites that can be used with the HTTPS protocol.

ciphersuites=<name>
Description
Specify the cipher suites that Java™ Client applications can use to connect to the CICS Transaction Gateway. You can define multiple cipher suites by separating them with a comma. If the Java Client application does not support any of the cipher suites listed, it cannot connect to the CICS Transaction Gateway. If no cipher suite is specified or the parameter is omitted, all available cipher suites can be used.

Because CICS Transaction Gateway uses cipher suites provided by the Java runtime environment for the HTTPS protocol, the cipher suites available are dependent on the Java version. To determine which cipher suites are available for your version of Java, complete the following steps:
  1. Delete the ciphersuites parameter from your configuration file.
  2. Save the configuration file.
  3. Start CICS Transaction Gateway.

If the HTTPS protocol is correctly configured and CICS Transaction Gateway starts, a list of valid cipher suites is written to the Gateway daemon information log. For more information, see the documentation supplied with your Java runtime environment.

Cipher suite information can be found in the Gateway daemon information log and Java Client application trace.

This parameter is in the HTTPS protocol parameters subsection of the GATEWAY section of the configuration file.

Default value
If this parameter is not specified, all available cipher suites can be used.
Configuration Tool
In the Configuration Tool, you can set the value of ciphersuites in the Use only these ciphers field in the HTTPS settings page. Enter the cipher suite name in the field, and then click Add to add it to the list. To remove a cipher suite, select the suite in the list and click Remove.
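
The following check is an added example, not part of the product documentation or tooling. It audits the four parameters described on this page (bind, port, clientauth, ciphersuites) against their documented defaults. It assumes you pass it only the key=value lines of the HTTPS protocol parameters subsection (section delimiters are not parsed), and the list of name fragments treated as weak is this example's own choice based on standard Java cipher suite naming.

```python
# Fragments of Java cipher suite names treated as weak in this example
# (an assumption of the example, not a list from the product documentation).
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")

# Constructed sample: key=value lines of an HTTPS parameters subsection.
SAMPLE = """\
bind=
port=8443
ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_RC4_128_MD5
"""

def parse_params(text):
    """Return a dict built from key=value lines; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params

def audit_https(params):
    """Return (parameter, finding) tuples for the four documented settings."""
    findings = []
    if not params.get("bind"):
        findings.append(("bind", "not set: handler binds to all IP addresses"))
    port = params.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("port", "mandatory, must be in the range 1 - 65535"))
    if params.get("clientauth", "").lower() != "on":
        findings.append(("clientauth", "not on: clients are not required to present a certificate"))
    suites = [s.strip() for s in params.get("ciphersuites", "").split(",") if s.strip()]
    if not suites:
        findings.append(("ciphersuites", "not set: all available cipher suites can be used"))
    for suite in suites:
        hits = [m.strip("_") for m in WEAK_MARKERS if m in suite]
        if hits:
            findings.append(("ciphersuites", f"{suite}: weak ({', '.join(hits)})"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_https(parse_params(SAMPLE)):
        print(f"{name}: {finding}")
```

Before restricting ciphersuites, compare the names you intend to list with the valid cipher suites written to the Gateway daemon information log, because a client that supports none of the listed suites cannot connect.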