Configuring CICS to use SSL

CICS® can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) security protocols to support secure TCP/IP connections. To authenticate servers to clients, create certificates and key rings in RACF® and ensure that the CICS region and resources are correctly configured to support security.

Before you begin

Before you begin to configure CICS, decide which type of certificates to use in SSL handshakes.

About this task

You can use RACF to create certificates, but you must configure your clients to ensure that they can recognize the RACF server certificate. If you cannot configure your clients in this way, for example when clients are external to your organization, use a certificate signed by an external certificate authority.

Procedure

  1. Set the correct authorizations in RACF to create a key ring, create a signing certificate (certificate authority certificate), and add certificates to the key ring.
  2. Optional: If you decide to use a certificate from a certificate authority, create a certificate request using RACF and send it to the certificate authority.
    You might have to wait a number of days to receive a signing certificate from the certificate authority. If your chosen certificate authority does not have its certificate built into RACF, you might have to import it.
  3. Create a key ring.
    You must create a key ring in the RACF database. The key ring contains:
    • Your public and private keys
    • Your server certificates
    • Signing certificates for the server certificates
    • The signing certificates for any client certificates owned by clients with which you expect CICS to communicate using client authentication, if those client certificates are not associated with a valid RACF userid
  4. Create the certificates and add them to the key ring.
  5. Ensure that the CICS region has access to the z/OS® system SSL library SIEALNKE.
    You can use STEPLIB or JOBLIB statements, or use the system link library.
  6. Define the CICS system initialization parameters that are related to security.
    In particular, specify the name of the key ring that you created in the KEYRING system initialization parameter.
  7. Define TCPIPSERVICE resources.

Example

CICS supplies a sample REXX program, DFH$RING, that contains all of the RACF commands to create a key ring, create a signing certificate, create additional certificates, and add them to the key ring. DFH$RING contains sample values which are suitable for building a test key ring only. You must edit all the values if you want to create a key ring that is suitable for a production environment.
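The following REXX program is an added illustration of steps 1, 3 and 4 of the procedure; it is not DFH$RING and not IBM-supplied code. The userid CICSREG, the ring name CICSRING, the certificate labels, the distinguished names and the expiry dates are all assumed placeholder values, and the IRR.DIGTCERT.* FACILITY profiles are assumed to exist already.

```rexx
/* REXX - build a test SSL key ring for a CICS region in RACF.      */
/* Constructed example, not DFH$RING. Every name below is a         */
/* placeholder: replace it with your own values before use.         */
user   = 'CICSREG'        /* assumed CICS region userid             */
ring   = 'CICSRING'       /* ring named in the KEYRING SIT parameter */
calab  = 'CICS Test CA'   /* label of the local signing certificate */
srvlab = 'CICSSERVER'     /* label of the server certificate        */

/* Step 1: the region userid must be able to read its own key ring */
/* and the certificates connected to it                            */
call racf "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)",
          "ID("user") ACCESS(READ)"
call racf "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)",
          "ID("user") ACCESS(READ)"
call racf "SETROPTS RACLIST(FACILITY) REFRESH"

/* Step 3: create the key ring, owned by the region userid          */
call racf "RACDCERT ADDRING("ring") ID("user")"

/* Step 4a: a local signing certificate (test use only; for          */
/* production, GENREQ a request and ADD the CA-signed reply instead) */
call racf "RACDCERT CERTAUTH GENCERT",
          "SUBJECTSDN(CN('CICS Test CA') O('Example Org') C('US'))",
          "WITHLABEL('"calab"') SIZE(2048) NOTAFTER(DATE(2030-12-31))"

/* Step 4b: the server certificate, signed by that CA and owned by   */
/* the region userid so the region can use its private key          */
call racf "RACDCERT ID("user") GENCERT",
          "SUBJECTSDN(CN('cics.example.com') O('Example Org') C('US'))",
          "WITHLABEL('"srvlab"') SIZE(2048) NOTAFTER(DATE(2027-12-31))",
          "SIGNWITH(CERTAUTH LABEL('"calab"'))"

/* Step 4c: connect both to the ring; DEFAULT makes the server       */
/* certificate the one used when a TCPIPSERVICE names none          */
call racf "RACDCERT ID("user") CONNECT(CERTAUTH LABEL('"calab"')",
          "RING("ring") USAGE(CERTAUTH))"
call racf "RACDCERT ID("user") CONNECT(ID("user") LABEL('"srvlab"')",
          "RING("ring") DEFAULT)"

/* Show what CICS will find at startup with KEYRING=CICSRING         */
call racf "RACDCERT ID("user") LISTRING("ring")"
exit 0

/* Issue one RACF command under TSO and stop on the first failure   */
racf: procedure
  parse arg cmd
  say 'RACF: 'cmd
  ADDRESS TSO cmd
  if rc <> 0 then do
    say 'Command failed, return code' rc
    exit rc
  end
return
```

After the ring is built, steps 6 and 7 still apply: set KEYRING=CICSRING in the SIT and define a TCPIPSERVICE with SSL(YES) and, if you do not rely on the DEFAULT certificate, CERTIFICATE(CICSSERVER).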