CICS® can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) security protocols to support secure TCP/IP connections. To authenticate servers to clients, create certificates and key rings in RACF® and ensure that the CICS region and resources are correctly configured to support security.
Before you begin
Before you begin to configure CICS, decide which type of certificates to use in SSL handshakes.
About this task
You can use RACF to create certificates, but you must configure your clients to ensure that they can recognize the RACF server certificate. If you cannot configure your clients in this way, for example when clients are external to your organization, use a certificate signed by an external certificate authority.
Procedure
- Set the correct authorizations in RACF to create a key ring, create a signing certificate (certificate authority certificate), and add certificates to the key ring.
- Optional: If you decide to use a certificate from a certificate authority, create a certificate request using RACF and send it to the certificate authority.
  You might have to wait a number of days to receive a signing certificate from the certificate authority. If your chosen certificate authority does not have its certificate built in to RACF, you might have to import it.
- Create a key ring.
  You must create the key ring in the RACF database. The key ring contains:
  - Your public and private keys
  - Your server certificates
  - Signing certificates for the server certificates
  - If a client certificate is not associated with a valid RACF userid, the signing certificates for any client certificates owned by clients with which you expect CICS to communicate using client authentication should also be added to the key ring.
- Create the certificates and add them to the key ring.
- Ensure that the CICS region has access to the z/OS® system SSL library SIEALNKE. You can use STEPLIB or JOBLIB statements, or use the system link library.
- Define the CICS system initialization parameters that are related to security. In particular, specify the name of the key ring that you created in the KEYRING system initialization parameter.
- Define TCPIPSERVICE resources.
Example
CICS supplies a sample REXX program, DFH$RING, that contains all of the RACF commands to create a key ring, create a signing certificate, create additional certificates, and add them to the key ring. DFH$RING contains sample values which are suitable for building a test key ring only. You must edit all the values if you want to create a key ring that is suitable for a production environment.
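The following REXX exec is an added illustration of the procedure steps (authorization, signing certificate, server certificate, key ring) and is not the CICS-supplied DFH$RING sample; the region userid CICSUSER, ring name CICSRING, certificate labels, host name and export data set are assumed values for a test key ring only.

```rexx
/* REXX - added example; not the CICS-supplied DFH$RING sample.       */
/* Builds a TEST key ring for a CICS region with RACF commands:       */
/* authorization, self-signed CA, server certificate, key ring.       */
/* Assumed values: region userid CICSUSER, ring CICSRING, host name   */
/* cics.example.com, export data set CICS.TESTCA.CERT. Run from a     */
/* RACF administrator userid with authority to manage these objects.  */
/* 1. Authorization: the region userid must be able to read its own   */
/*    key ring (READ on IRR.DIGTCERT.LISTRING, FACILITY class; the    */
/*    profile is assumed to exist already).                           */
call racf "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)",
          "ID(CICSUSER) ACCESS(READ)"
call racf "SETROPTS RACLIST(FACILITY) REFRESH"
/* 2. Signing certificate: a self-signed test CA (use an external CA  */
/*    instead when clients cannot be configured to trust this one).   */
call racf "RACDCERT CERTAUTH GENCERT",
          "SUBJECTSDN(CN('Test CICS CA') O('Example Org') C('US'))",
          "WITHLABEL('Test CICS CA') SIZE(2048)",
          "NOTAFTER(DATE(2030-12-31)) TRUST"
/* 3. Server certificate owned by the region userid, signed by the CA.*/
call racf "RACDCERT ID(CICSUSER) GENCERT",
          "SUBJECTSDN(CN('cics.example.com') O('Example Org') C('US'))",
          "ALTNAME(DOMAIN('cics.example.com'))",
          "WITHLABEL('Test CICS Server') SIZE(2048)",
          "NOTAFTER(DATE(2030-12-31))",
          "SIGNWITH(CERTAUTH LABEL('Test CICS CA'))"
/* 4. Key ring: CA as trust anchor, server cert as the DEFAULT cert   */
/*    (used by TCPIPSERVICEs that specify no CERTIFICATE attribute).  */
call racf "RACDCERT ID(CICSUSER) ADDRING(CICSRING)"
call racf "RACDCERT ID(CICSUSER) CONNECT(CERTAUTH LABEL('Test CICS CA')",
          "RING(CICSRING) USAGE(CERTAUTH))"
call racf "RACDCERT ID(CICSUSER) CONNECT(ID(CICSUSER)",
          "LABEL('Test CICS Server') RING(CICSRING) DEFAULT USAGE(PERSONAL))"
call racf "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
call racf "RACDCERT ID(CICSUSER) LISTRING(CICSRING)"
/* 5. Export the CA certificate so clients can be configured to trust */
/*    it. Then set KEYRING=CICSRING in the SIT and SSL(YES) on the    */
/*    TCPIPSERVICE definitions that should use this key ring.         */
call racf "RACDCERT CERTAUTH EXPORT(LABEL('Test CICS CA'))",
          "DSN('CICS.TESTCA.CERT') FORMAT(CERTB64)"
exit 0

/* Issue one RACF command under TSO and stop at the first failure.    */
racf: procedure
  parse arg cmd
  address tso cmd
  if rc <> 0 then do
    say 'Command failed, rc='rc':' cmd
    exit rc
  end
return
```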