MINTLSLEVEL

The MINTLSLEVEL system initialization parameter specifies the minimum TLS protocol that CICS® uses for secure TCP/IP connections.

Note: When AT-TLS is used to secure socket sessions, CICS SSL/TLS system initialization parameters such as KEYRING, MINTLSLEVEL, and MAXTLSLEVEL are no longer required because the implementation of TLS is provided by AT-TLS policy statements and all encryption and decryption is done outside of the CICS address space. For more information, see Implementation options for TLS.

MINTLSLEVEL={TLS11|TLS12|TLS13}

When a secure connection is established between a pair of processes, the most secure TLS protocol that is supported by both processes is used.

TLS11
    Sets the minimum level of TLS to 1.1.
TLS12
    Sets the minimum level of TLS to 1.2. This setting is the default value.
TLS13
    Sets the minimum level of TLS to 1.3.

Changing minimum TLS protocol levels

If you plan to raise the minimum TLS protocol level that is defined in MINTLSLEVEL, first identify all handshakes that are made by using that protocol. For more information about how to manage the process, see Changing TLS protocol level or ciphers safely.

FIPS 140-2 standards

To apply FIPS 140-2 standards, set MINTLSLEVEL=TLS12 and NISTSP800131A=CHECK.

If NISTSP800131A=CHECK is set but MINTLSLEVEL is set to TLS11, it is overridden to MINTLSLEVEL=TLS12 and a warning message is issued. This check does not apply if TLS is set to 1.3.

To apply FIPS 140-2 standards on z/OS® Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system.

For more information about NIST SP800-131A conformance, see Making your CICS TS system conformant to NIST SP800-131A.
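
The following audit sketch is an added example, not IBM code: it applies the NISTSP800131A=CHECK override rule described above to a set of SIT overrides and lists which peers would still complete a handshake at the resulting minimum, which is the check to run before raising MINTLSLEVEL. Assumptions: the simplified SYSIN-style parsing, the NOCHECK default for NISTSP800131A, a MAXTLSLEVEL that allows TLS 1.3, and the constructed peer names and levels.

```python
import re

LEVELS = ["TLS11", "TLS12", "TLS13"]  # valid MINTLSLEVEL values, weakest first

def parse_sit(text):
    """Parse KEYWORD=value SIT overrides (simplified SYSIN-style syntax, assumed)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        if line.upper().startswith(".END"):       # end of overrides
            break
        for key, value in re.findall(r"(\w+)=(\w+)", line):
            params[key.upper()] = value.upper()
    return params

def effective_minimum(params):
    """Return (effective MINTLSLEVEL, warnings) using the rules on this page."""
    level = params.get("MINTLSLEVEL", "TLS12")     # TLS12 is the documented default
    nist = params.get("NISTSP800131A", "NOCHECK")  # default assumed, not stated on this page
    if level not in LEVELS:
        raise ValueError(f"invalid MINTLSLEVEL: {level}")
    warnings = []
    if nist == "CHECK" and level == "TLS11":       # TLS13 is unaffected by the check
        warnings.append("MINTLSLEVEL=TLS11 overridden to TLS12 by NISTSP800131A=CHECK")
        level = "TLS12"
    return level, warnings

def negotiate(minimum, peer_max):
    """Highest level both sides support, or None if the peer is below the minimum."""
    local = LEVELS[LEVELS.index(minimum):]         # assumes MAXTLSLEVEL allows TLS13
    common = [lvl for lvl in local if LEVELS.index(lvl) <= LEVELS.index(peer_max)]
    return common[-1] if common else None

def impact(params, peers):
    """Map each peer to the level it would negotiate (None = handshake fails)."""
    minimum, _ = effective_minimum(params)
    return {name: negotiate(minimum, peer_max) for name, peer_max in peers.items()}

# Constructed sample input: SIT overrides and hypothetical peers with their highest TLS level.
SAMPLE_SIT = "* constructed example\nMINTLSLEVEL=TLS11,\nNISTSP800131A=CHECK\n.END\n"
SAMPLE_PEERS = {"legacy-batch": "TLS11", "web-gateway": "TLS12", "api-client": "TLS13"}

if __name__ == "__main__":
    cfg = parse_sit(SAMPLE_SIT)
    print(effective_minimum(cfg))
    print(impact(cfg, SAMPLE_PEERS))
```

A peer that maps to None is one whose handshakes must be identified and migrated before the higher minimum takes effect.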