CICS can use the Secure Sockets Layer (SSL) or the Transport
Layer Security (TLS) security protocols to support secure TCP/IP connections.
To authenticate servers to clients, create certificates and key rings
in RACF and ensure that the CICS region and resources are correctly
configured to support security.
Before you begin
Before you begin to configure CICS, decide which type of certificates
to use in SSL handshakes.
About this task
You can use RACF® to create and sign certificates, but
a server certificate signed by your own RACF certificate authority is trusted
only by clients that have that certificate authority certificate installed in
their trust store. If you cannot configure your clients
in this way, for example when clients are external to your organization,
use a server certificate signed by an external certificate authority that the
clients already trust.
Procedure
- Set the correct authorizations in RACF to create a key
ring, create a signing certificate (certificate authority certificate),
and to add certificates to the key ring.
- Optional: If you decide to use a certificate
from a certificate authority, create a certificate request using RACF
and send it to the certificate authority.
You might have
to wait a number of days to receive a signing certificate from the
certificate authority. If your chosen certificate authority does not
have its certificate built in to RACF, you might have to import it.
- Create a key ring.
You must create a key ring
in the RACF database. The key ring contains:
- Your public and private keys
- Your server certificates
- Signing certificates for the server certificates
- Signing certificates for client certificates, if you use client authentication: when a client certificate is not itself registered against a valid RACF user ID, CICS can validate it only through the certificate that signed it, so add the signing certificate of every client you expect CICS to authenticate to the key ring.
- Create the certificates and add them to the key ring.
- Ensure that the CICS region has access to the z/OS® system SSL library SIEALNKE.
You can use STEPLIB
or JOBLIB statements, or use the system link library.
- Define the CICS system initialization parameters that are
related to security.
In particular, specify the name of
the key ring that you created in the KEYRING system
initialization parameter.
- Define TCPIPSERVICE resources.
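The steps above carried through as one worked example. This is an added illustration, not the supplied DFH$RING sample and not code from the CICS documentation; the user IDs (CICSADM as the administrator running the exec, CICSREGN as the CICS region user ID), the ring name CICSRING, the certificate labels, distinguished names, expiry dates and data set names are all assumptions chosen for the example. The RACF commands and FACILITY profile names are standard, but the access level each command needs depends on whether you act on your own resources or another user ID's, so confirm the levels against the RACF Command Language Reference for your release.

```rexx
/* REXX - added example, not DFH$RING.  Builds a CICS key ring in RACF.
   Assumed names: CICSADM (administrator running this), CICSREGN (CICS
   region user ID, owner of the ring), CICSRING (ring name, goes in the
   KEYRING SIT parameter), labels CICSCA and CICSSRV.                    */
address tso

/* Step 1: authorizations.  CONTROL lets CICSADM act on rings and
   certificates owned by another user ID (CICSREGN, CERTAUTH).  The
   region user ID gets READ only: enough to read its own ring, not to
   change it.  A RACF SPECIAL administrator does not need these permits. */
"RDEFINE FACILITY IRR.DIGTCERT.ADDRING  UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.GENCERT  UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
"PERMIT IRR.DIGTCERT.ADDRING  CLASS(FACILITY) ID(CICSADM)  ACCESS(CONTROL)"
"PERMIT IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(CICSADM)  ACCESS(CONTROL)"
"PERMIT IRR.DIGTCERT.CONNECT  CLASS(FACILITY) ID(CICSADM)  ACCESS(CONTROL)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CICSADM)  ACCESS(UPDATE)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CICSREGN) ACCESS(READ)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Step 3: the key ring, owned by the region user ID.                    */
"RACDCERT ID(CICSREGN) ADDRING(CICSRING)"

/* Step 4: an internal CA and a server certificate signed by it.
   Dates and DNs are assumptions; KEYUSAGE(CERTSIGN) marks the CA key.   */
"RACDCERT CERTAUTH GENCERT",
  "SUBJECTSDN(CN('Example CICS CA') O('Example Corp') C('US'))",
  "WITHLABEL('CICSCA') SIZE(2048) KEYUSAGE(CERTSIGN)",
  "NOTAFTER(DATE(2030/12/31))"
"RACDCERT ID(CICSREGN) GENCERT",
  "SUBJECTSDN(CN('cics.example.com') O('Example Corp') C('US'))",
  "WITHLABEL('CICSSRV') SIZE(2048) SIGNWITH(CERTAUTH LABEL('CICSCA'))",
  "NOTAFTER(DATE(2026/12/31))"

/* Step 2 (optional, instead of signing with CICSCA): write a request
   from CICSSRV to a data set, send it to the external CA, then ADD the
   CA's certificate as CERTAUTH and the returned signed certificate under
   the same ID and label so RACF replaces the self-signed one.          */
/* "RACDCERT ID(CICSREGN) GENREQ(LABEL('CICSSRV')) DSN('CICSADM.CICSSRV.CSR')" */
/* "RACDCERT CERTAUTH ADD('CICSADM.EXTCA.CERT') WITHLABEL('ExtCA') TRUST"      */
/* "RACDCERT ID(CICSREGN) ADD('CICSADM.CICSSRV.CERT') WITHLABEL('CICSSRV')"    */

/* Connect the CA and the server certificate to the ring.  DEFAULT makes
   CICSSRV the certificate used when a TCPIPSERVICE names none.         */
"RACDCERT ID(CICSREGN) CONNECT(CERTAUTH LABEL('CICSCA')",
  "RING(CICSRING) USAGE(CERTAUTH))"
"RACDCERT ID(CICSREGN) CONNECT(ID(CICSREGN) LABEL('CICSSRV')",
  "RING(CICSRING) USAGE(PERSONAL) DEFAULT)"

/* Client authentication only: add the CA that signs your clients'
   certificates, so certificates not registered to a RACF user ID can
   still be validated.  Assumed data set and label.                     */
/* "RACDCERT CERTAUTH ADD('CICSADM.CLIENTCA.CERT') WITHLABEL('ClientCA') TRUST"     */
/* "RACDCERT ID(CICSREGN) CONNECT(CERTAUTH LABEL('ClientCA') RING(CICSRING)",        */
/*   "USAGE(CERTAUTH))"                                                            */

/* Check the result, and refresh the classes if they are RACLISTed.      */
"RACDCERT ID(CICSREGN) LISTRING(CICSRING)"
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"

/* Steps 6 to 8 are outside RACF: give the region access to SIEALNKE,
   set KEYRING=CICSRING in the SIT, and define a TCPIPSERVICE with
   SSL(YES) CERTIFICATE('CICSSRV'), or SSL(CLIENTAUTH) together with
   AUTHENTICATE(CERTIFICATE) for mutual TLS.                            */
exit 0
```

Two points worth checking on a real system before the ring goes into production: the LISTRING output should show CICSSRV with usage PERSONAL and DEFAULT and CICSCA with usage CERTAUTH, and the private keys never leave the RACF database, so the only principals with more than READ on the ring should be the administrators who created it, not the CICS region user ID.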
Example
CICS supplies a sample REXX program, DFH$RING, that contains
all of the RACF commands to create a key ring, create a signing certificate,
create additional certificates, and add them to the key ring. DFH$RING
contains sample values (user IDs, ring name, distinguished names and
expiry dates) that are suitable for building a test key
ring only. Edit every one of these values before you use it to create a key
ring for a production environment.