MINTLSLEVEL
The MINTLSLEVEL system initialization parameter specifies the minimum TLS protocol that CICS® uses for secure TCP/IP connections.
- MINTLSLEVEL={TLS11|TLS12|TLS13}
  When a secure connection is established between a pair of processes, the most secure TLS protocol that is supported by both processes is used.
  - TLS11
    Sets the minimum level of TLS to 1.1.
  - TLS12
    Sets the minimum level of TLS to 1.2. This setting is the default value.
  - TLS13
    Sets the minimum level of TLS to 1.3.
Changing minimum TLS protocol levels
Before you raise the minimum TLS protocol level that is defined in MINTLSLEVEL, identify all handshakes that are made by using the protocol level that will no longer be accepted. For more information about how to manage the process, see Changing TLS protocol level or ciphers safely.
FIPS 140-2 standards
To apply FIPS 140-2 standards, set MINTLSLEVEL=TLS12 and NISTSP800131A=CHECK.
If NISTSP800131A=CHECK is set but MINTLSLEVEL is set to TLS11, it is overridden to MINTLSLEVEL=TLS12 and a warning message is issued. This check does not apply if MINTLSLEVEL is set to TLS13.
To apply FIPS 140-2 standards on z/OS® Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system.
For more information about NIST SP800-131A conformance, see Making your CICS TS system conformant to NIST SP800-131A.
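The following Python check is an added example, not IBM code: it reads a set of SIT overrides and reports the MINTLSLEVEL that takes effect under the default and the NISTSP800131A=CHECK override rule described above. The override layout (comma-separated KEYWORD=value pairs, `*` comment lines, a `.END` terminator), the function names and the sample deck are assumptions made for the example.

```python
import re

LEVELS = ("TLS11", "TLS12", "TLS13")  # values listed on this page
DEFAULT_LEVEL = "TLS12"               # default stated on this page

# Constructed sample override deck (not taken from a real region).
SAMPLE_SYSIN = """\
* constructed sample overrides
MINTLSLEVEL=TLS11,
NISTSP800131A=CHECK,
.END
"""

def parse_overrides(text):
    """Parse KEYWORD=value overrides into a dict (assumed layout, see lead-in)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or comment line
            continue
        if line.upper().startswith(".END"):    # end of overrides
            break
        for item in line.split(","):
            m = re.fullmatch(r"\s*([A-Za-z0-9$#@]+)\s*=\s*(\S+)\s*", item)
            if m:
                params[m.group(1).upper()] = m.group(2).upper()
    return params

def effective_mintlslevel(params):
    """Return (effective level, findings) using the rules stated on this page."""
    findings = []
    level = params.get("MINTLSLEVEL", DEFAULT_LEVEL)
    if level not in LEVELS:
        raise ValueError(f"MINTLSLEVEL={level} is not one of {LEVELS}")
    check = params.get("NISTSP800131A") == "CHECK"
    if check and level == "TLS11":
        # Override rule: TLS11 is raised to TLS12; TLS13 is not affected.
        findings.append("TLS11 overridden to TLS12 by NISTSP800131A=CHECK")
        level = "TLS12"
    elif level == "TLS11":
        findings.append("TLS 1.1 handshakes accepted; below the TLS12 default")
    if level == "TLS12" and not check:
        findings.append("NISTSP800131A=CHECK not set; FIPS 140-2 settings not applied")
    return level, findings

if __name__ == "__main__":
    print(effective_mintlslevel(parse_overrides(SAMPLE_SYSIN)))
```

Running the check against each region's overrides before a change shows which regions still permit TLS 1.1 and which rely on the override rather than an explicit MINTLSLEVEL=TLS12.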