VALIDATEHOST

Applies to CICS TS beta. The VALIDATEHOST system initialization parameter controls whether TLS hostname validation is performed by System SSL as part of the TLS handshake for outbound CICS®-managed TLS connections.

TLS hostname validation compares the host name that CICS intends to connect to with the Subject Alternative Name (SAN) field of the server certificate. If the name does not match, or the server certificate does not contain a Subject Alternative Name field, the handshake fails; the certificate's Common Name is not used as a fallback. CICS does not directly support wildcards within the hostname validation process. If you need wildcard matching, set the System SSL attribute GSK_WILDCARD_VALIDATION_ENABLE to GSK_WILDCARD_VALIDATION_ENABLE_ON manually. For more information, see Setting the System SSL environment for CICS.

For more information on the TLS hostname validation process, see Server certificate domain-based validation.

If System SSL is not used for TLS hostname validation, CICS performs the validation itself after the handshake completes. In that case a failed validation produces only a warning message; the connection is kept and normal processing continues.

If TLS hostname validation fails, the server certificate must be updated (reissued) so that its Subject Alternative Name field includes the host name that CICS connects to.
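The following Python model illustrates the decision rules described above. It is an added example, not CICS or System SSL code: the intended host name is compared only against the certificate's Subject Alternative Name DNS entries, a certificate without a SAN fails, a wildcard entry is rejected unless wildcard validation is explicitly enabled, and a mismatch is either fatal (handshake-time validation) or logged as a warning with processing continuing (post-handshake validation). The ServerCertificate class, the function names, and the exact wildcard-matching convention (RFC 6125 style: a single `*` standing for the whole leftmost label, matching exactly one label, with at least two labels after it) are assumptions for this illustration; the page does not specify how System SSL matches wildcards once they are enabled.

```python
"""Model of TLS hostname validation as described for CICS VALIDATEHOST.

Added illustration, not CICS or System SSL code. Assumptions not taken from
the page: DNS names compare case-insensitively with a trailing dot ignored,
and an enabled wildcard follows the RFC 6125 convention ("*.example.com"
matches "api.example.com" but not "a.b.example.com" or "example.com").
"""
from __future__ import annotations

import logging
from dataclasses import dataclass

log = logging.getLogger("validatehost")


class HostnameMismatch(Exception):
    """Raised when validation is enforced (handshake-time check) and fails."""


@dataclass(frozen=True)
class ServerCertificate:
    """Minimal stand-in for what a certificate parser would expose (assumed)."""
    subject_cn: str                     # deliberately never consulted: only SAN counts
    san_dns_names: tuple[str, ...] = ()


def _normalise(name: str) -> str:
    return name.rstrip(".").lower()


def _name_matches(pattern: str, host: str, wildcard_enabled: bool) -> bool:
    """Compare one SAN dNSName entry with the intended host."""
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host
    if not wildcard_enabled:                # wildcards off by default, as on the page
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Assumed wildcard rule: '*' must be the entire leftmost label, no other
    # label may contain '*', at least two labels must follow it, and it
    # matches exactly one host label.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(intended_host: str, cert: ServerCertificate,
                     wildcard_enabled: bool = False) -> bool:
    """True if intended_host matches a SAN entry; False if none match or no SAN."""
    if not cert.san_dns_names:              # no SAN field at all: always a failure
        return False
    return any(_name_matches(n, intended_host, wildcard_enabled)
               for n in cert.san_dns_names)


def validate_host(intended_host: str, cert: ServerCertificate, *,
                  enforce: bool, wildcard_enabled: bool = False) -> bool:
    """Apply the outcome rule.

    enforce=True  models validation inside the handshake: a mismatch aborts
                  the connection (HostnameMismatch is raised).
    enforce=False models the post-handshake check: a mismatch is logged as a
                  warning and processing continues.
    Returns True when the name matched, False when it mismatched but was tolerated.
    """
    if hostname_matches(intended_host, cert, wildcard_enabled):
        return True
    if enforce:
        raise HostnameMismatch(
            f"{intended_host!r} not found in SAN {cert.san_dns_names}")
    log.warning("hostname validation failed for %r (SAN=%s); continuing",
                intended_host, cert.san_dns_names)
    return False


if __name__ == "__main__":
    # Constructed sample certificates, not real ones.
    good = ServerCertificate("api.example.com", ("api.example.com",))
    cn_only = ServerCertificate("api.example.com")            # no SAN at all
    wild = ServerCertificate("*.example.com", ("*.example.com",))
    logging.basicConfig(level=logging.WARNING)
    print(validate_host("API.example.com.", good, enforce=True))          # True
    print(validate_host("api.example.com", cn_only, enforce=False))       # False, warns
    print(validate_host("api.example.com", wild, enforce=False))          # False, warns
    print(validate_host("api.example.com", wild, enforce=False,
                        wildcard_enabled=True))                           # True
```

The cn_only case is the one that most often surprises operators: a certificate whose Common Name is correct but which carries no SAN is rejected outright, so reissuing the certificate with the host name in the SAN field is the only fix. With enforce=False the same mismatch only produces a warning, which is the weaker behaviour you get when validation runs after the handshake.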

TLS hostname validation applies to the following outbound requests:
  • IPCONN with SSL(YES)
  • WEB OPEN or INVOKE SERVICE command using a URIMAP that is defined with USAGE(CLIENT) and SCHEME(HTTPS)
  • WEB OPEN command with SCHEME(HTTPS)
  • INVOKE SERVICE command with an HTTPS-based URI

Defining VALIDATEHOST

You can define the VALIDATEHOST system initialization parameter in the following ways:
  • On the PARM parameter of the EXEC PGM=DFHSIP statement
  • In the SYSIN data set of the CICS start up job stream
  • In the DFHSIT macro

Values for VALIDATEHOST

VALIDATEHOST={ALWAYS|ASIS}
Valid values for the VALIDATEHOST system initialization parameter are as follows:
ALWAYS
ALWAYS is the default value. CICS overrides the VALIDATEHOST option defined in the associated IPCONN or URIMAP resource and requests that System SSL performs TLS hostname validation as part of the TLS handshake, so a name mismatch causes the handshake to fail.
ASIS
CICS honors the VALIDATEHOST option defined in the associated IPCONN or URIMAP resource. If the outbound request does not use an IPCONN or URIMAP, CICS performs TLS hostname validation itself after the TLS handshake completes, and a name mismatch produces only a warning message.