The SSL cache

The SSL cache is used to store session IDs for SSL sessions between clients and CICS®. Reusing these session IDs allows CICS to perform partial handshakes with clients that it has previously authenticated. The SSL cache can be local to a CICS region or shared between CICS regions on a sysplex. This is configured by the system initialization parameter SSLCACHE. For optimal performance, it is important that you select the correct option.

Local caching, SSLCACHE=CICS

In a local CICS region, by default, the SSL cache is stored in the enclave for the S8 TCBs. It is managed by z/OS® System SSL as part of the SSL environment, which exists within this enclave.

When you issue the PERFORM SSL REBUILD command for the CICS region, a new cache is created. The new cache is populated by new SSL sessions that are established in the CICS region. The old cache is removed when the last connection using it is dropped.

If you use the SSLCACHE=CICS option and use port sharing to enable HTTP connection requests to the same host and port to resolve to different CICS regions, a full SSL handshake is required every time a connection request from a client resolves to a different region, and the benefits of the caching are lost.

Sysplex caching, SSLCACHE=SYSPLEX

Sharing SSL session IDs across different CICS regions on a sysplex is particularly useful when HTTP requests are being routed across a set of CICS regions by using TCP/IP connection workload balancing techniques, such as TCP/IP port sharing or Sysplex Distributor. You should use sysplex caching if you have multiple CICS socket-owning regions that accept SSL connections at the same IP address. If appropriate for your CICS systems, using sysplex caching can significantly reduce the number of full SSL handshakes.

To enable sysplex caching, activate the z/OS System SSL started task GSKSRVR and specify the system initialization parameter SSLCACHE=SYSPLEX for the CICS regions. For details of the SSL started task GSKSRVR and its configuration, see The SSL started task GSKSRVR.

To use the sysplex session cache, each system in the sysplex must be using the same external security manager, and a user ID on one system in the sysplex must represent the same user on all other systems in the sysplex.

The PERFORM SSL REBUILD command does not affect the sysplex cache.
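The following model is an added illustration, not IBM code, of the behaviour described above for port sharing with SSLCACHE=CICS versus SSLCACHE=SYSPLEX, and of PERFORM SSL REBUILD affecting only a local cache. One client's connections are routed round-robin across regions and the full and partial handshakes are counted; the region names, the routing pattern and the session-ID format are constructed sample values.

```python
"""Model of how SSLCACHE=CICS and SSLCACHE=SYSPLEX affect SSL handshakes.
Added illustration, not IBM code: one client's connections are balanced
across CICS regions (as with port sharing) and full versus partial
(session-ID resumption) handshakes are counted. Region names and the
round-robin routing are constructed sample values.
"""
from collections import Counter
from itertools import cycle


class SslCacheModel:
    """Session-ID caches: one per region (CICS) or one shared cache (SYSPLEX)."""

    def __init__(self, regions, sslcache):
        if sslcache not in ("CICS", "SYSPLEX"):
            raise ValueError("SSLCACHE must be CICS or SYSPLEX")
        self.sslcache = sslcache
        self.caches = {r: set() for r in regions}   # per-region caches (CICS)
        self.shared = set()                         # single cache (SYSPLEX)
        self.client_session_id = None               # ID the client will offer
        self._next_id = 0

    def _cache(self, region):
        return self.shared if self.sslcache == "SYSPLEX" else self.caches[region]

    def connect(self, region):
        """One client connection routed to `region`; returns 'partial' or 'full'."""
        cache = self._cache(region)
        if self.client_session_id in cache:
            return "partial"                        # region knows the ID: resume
        self._next_id += 1
        sid = f"sid-{self._next_id}"                # full handshake issues a new ID
        cache.add(sid)
        self.client_session_id = sid                # client keeps only the latest ID
        return "full"

    def perform_ssl_rebuild(self, region):
        """PERFORM SSL REBUILD: new local cache for the region; sysplex cache unaffected."""
        if self.sslcache == "CICS":
            self.caches[region] = set()


def count_handshakes(sslcache, regions, n_connections):
    """Route n_connections round-robin across regions and tally handshake types."""
    model = SslCacheModel(regions, sslcache)
    tally = Counter()
    for region, _ in zip(cycle(regions), range(n_connections)):
        tally[model.connect(region)] += 1
    return dict(tally)
```

With three regions behind one shared port, the local cache forces a full handshake on every connection, while the sysplex cache needs only the first.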