Customizing encryption negotiations

You can select which cipher suites CICS offers when it negotiates a TLS connection, and so set both the minimum and the maximum encryption strength that the connection can use.

About this task

The CIPHERS attribute of the TCPIPSERVICE, IPCONN, and URIMAP resource definitions names the cipher suite specification file that lists the cipher suites allowed for that connection, and therefore the encryption levels it can negotiate. By default, the cipher suites listed in defaultciphers.xml are used. You can customize the cipher suites to meet your compliance requirements.

Note: You must copy allvalidciphers.xml and defaultciphers.xml from USSHOME to USSCONFIG and customize them to your company requirements. This customization includes balancing security and performance: some cipher algorithms require an IBM Crypto Express card, and they can cause increased CPU usage if they are used on servers without that capability.

If different connections need different security strengths, create a separate cipher file for each class of connection.

The TLS cipher suite specification (cipher) file is a z/OS UNIX file in the security/ciphers subdirectory of the directory that is specified by the USSCONFIG system initialization parameter. For more information, see Creating a TLS cipher suite specification file.

If you need to check which cipher suites are in use, for example, to remove an outdated or unused suite, see Changing TLS protocol level or ciphers safely.

For a description of the cipher file structure and where it is used by CICS and z/OS, see Implementation options for TLS.

Procedure

  1. Create or use an existing cipher file in the security/ciphers subdirectory of USSCONFIG.
    The CIPHERS attribute of the resource definition shows the default value only if the KEYRING system initialization parameter is specified in the CICS region where you are working with the resource definition.
  2. Edit the attribute value to specify the name of the cipher file.
    For example, you might specify myciphers.xml if that was the name of the file that is created in step 1.
  3. Save the resource definition.
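The procedure above, and the earlier advice to keep separate cipher files for connections of different security strength, are illustrated by the following added example. It is not IBM code and not part of the original page. It assumes the cipher file is XML with a `<cipher_suites>` root and one `<cipher_suite number="XXXX" name="TLS_..."/>` element per suite, where `number` is the 4-hex-digit IANA cipher suite code; confirm that against the allvalidciphers.xml shipped in USSHOME before relying on it. The sample file content, the policy names `strict` and `compatible`, and the output file names `strictciphers.xml` and `compatibleciphers.xml` are constructed for the example.

```python
"""Derive per-connection TLS cipher files from a full cipher suite list.

Added example for working with the CICS cipher file; it is not IBM code.
ASSUMPTION: the cipher file is XML with a <cipher_suites> root and one
<cipher_suite number="XXXX" name="TLS_..."/> element per suite, where
number is the 4-hex-digit IANA cipher suite code. Check the schema of
the allvalidciphers.xml shipped in USSHOME before relying on this.
"""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample standing in for a copy of allvalidciphers.xml.
SAMPLE_CIPHER_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<cipher_suites>
  <cipher_suite number="1302" name="TLS_AES_256_GCM_SHA384"/>
  <cipher_suite number="1301" name="TLS_AES_128_GCM_SHA256"/>
  <cipher_suite number="C02C" name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
  <cipher_suite number="C030" name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  <cipher_suite number="C028" name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"/>
  <cipher_suite number="009D" name="TLS_RSA_WITH_AES_256_GCM_SHA384"/>
  <cipher_suite number="0035" name="TLS_RSA_WITH_AES_256_CBC_SHA"/>
  <cipher_suite number="000A" name="TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <cipher_suite number="0005" name="TLS_RSA_WITH_RC4_128_SHA"/>
  <cipher_suite number="0004" name="TLS_RSA_WITH_RC4_128_MD5"/>
  <cipher_suite number="0001" name="TLS_RSA_WITH_NULL_MD5"/>
</cipher_suites>
"""

# Primitives no policy should keep: NULL (no encryption), RC4, single and
# triple DES, export-grade suites, MD5 MACs and anonymous key exchange.
_BROKEN = re.compile(r"_(NULL|RC4|DES|3DES|EXPORT|MD5|anon)(_|$)")


def _is_aead_with_pfs(name: str) -> bool:
    """AEAD (GCM/ChaCha20) with forward secrecy: ECDHE/DHE or a TLS 1.3 suite."""
    aead = "_GCM_" in name or "_CHACHA20_" in name
    pfs = ("_ECDHE_" in name or "_DHE_" in name
           or name.startswith(("TLS_AES_", "TLS_CHACHA20_")))
    return aead and pfs


# One predicate per connection class (hypothetical policy names).
POLICIES = {
    "compatible": lambda name: not _BROKEN.search(name),   # legacy partners
    "strict": lambda name: not _BROKEN.search(name) and _is_aead_with_pfs(name),
}


def suite_numbers(xml_text: str) -> list[str]:
    """Cipher suite codes in the file, in the order they appear."""
    root = ET.fromstring(xml_text)
    return [s.get("number", "") for s in root.findall("cipher_suite")]


def filter_cipher_file(xml_text: str, policy: str) -> tuple[str, list[str]]:
    """Apply a policy to a cipher file; return (new file text, removed names).

    Order is preserved, so the preference order of the source file survives.
    Refuses to emit an empty list, which would make every TLS handshake fail.
    """
    keep = POLICIES[policy]
    root = ET.fromstring(xml_text)
    if root.tag != "cipher_suites":
        raise ValueError(f"unexpected root element {root.tag!r}")
    removed = []
    for suite in list(root.findall("cipher_suite")):
        number, name = suite.get("number", ""), suite.get("name", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{4}", number):
            raise ValueError(f"bad cipher suite number {number!r} for {name}")
        if not keep(name):
            removed.append(name)
            root.remove(suite)
    if not root.findall("cipher_suite"):
        raise ValueError(f"policy {policy!r} removed every suite")
    ET.indent(root, space="  ")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", removed


def write_cipher_files(source: str, ciphers_dir: Path) -> dict[str, Path]:
    """Write one file per policy into a security/ciphers directory.

    File names are hypothetical; use whatever the CIPHERS attribute will name.
    """
    ciphers_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for policy in POLICIES:
        text, removed = filter_cipher_file(source, policy)
        path = ciphers_dir / f"{policy}ciphers.xml"
        path.write_text(text, encoding="utf-8")
        written[policy] = path
        print(f"{path}: kept {len(suite_numbers(text))}, removed {removed}")
    return written


if __name__ == "__main__":
    # Pass the USSCONFIG path to write under its security/ciphers directory;
    # with no argument, write to a temporary directory for inspection.
    base = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    write_cipher_files(SAMPLE_CIPHER_FILE, base / "security" / "ciphers")
```

Run it with the USSCONFIG path as the only argument to produce the two files in security/ciphers, then set CIPHERS on each TCPIPSERVICE, IPCONN, or URIMAP to `strictciphers.xml` or `compatibleciphers.xml` as step 2 describes. The script rejects a policy that would leave the file empty, because an empty cipher list makes every handshake on that connection fail rather than degrading it.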