Providing support to update to TLS 1.3
TLS 1.3 differs from prior versions of the protocol. It is important to avoid enabling TLS 1.3 until you complete your upgrade to CICS® TS 6.1. You can then focus on enabling TLS 1.3 in isolation from any other work.
Before you begin
Recommended: Your migration to TLS 1.3 must be separate from your upgrade to CICS TS 6.1.
Hardware and software prerequisites for upgrading to TLS 1.3:
- TLS 1.3 requires a minimum z/OS level of z/OS 2.4.
About this task
TLS 1.3 is a step change in the TLS protocol. Because of this change, you need to complete the following steps to implement TLS 1.3 in CICS TS.
A number of factors affect this task:
- There are no ciphers in common between TLS 1.3 and earlier versions of the TLS protocol.
- TLS 1.3 ciphers are 4-digit ciphers, which can be defined in CICS only by using XML cipher files.
- The software dependencies are at a higher level than the minimum required for CICS TS 6.1.
- Several hardware and software dependencies might affect performance.
- There is an increase in the number of CWXN transactions that execute when you use TLS 1.3 compared to when you use TLS 1.2.
To move from TLS 1.2 to TLS 1.3, you need to:
- Complete the upgrade to CICS Transaction Server 6.1.
- Prepare RDO definitions, including cipher file definitions, and update your WEB OPEN commands.
- Upgrade your certificates.
- Enable TLS 1.3.
- Disable TLS 1.2.
The SIT parameter MAXTLSLEVEL defaults to TLS12. This value enables an upgrade to CICS TS 6.1 to take place without affecting any existing TLS connections or programs that open TLS connections.
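A check that follows from the first two factors above (no ciphers shared between TLS 1.3 and earlier versions; TLS 1.3 ciphers defined as 4-digit values in XML cipher files), as an added example that is not part of the CICS documentation: it reads the cipher numbers from a cipher XML file and reports which TLS versions that list can serve, so that a file used while TLS 1.2 is still enabled is not left holding only TLS 1.3 suites, or the reverse. The element names are an assumed simplified layout, not the documented CICS cipher-file schema; the cipher numbers are the IANA TLS cipher suite values.

```python
"""Classify the 4-digit cipher numbers in a cipher XML file by TLS version.

The <cipher_suites>/<cipher_suite number="..."/> layout is an assumed,
simplified shape for this example, not the documented CICS schema.
"""
import xml.etree.ElementTree as ET

# IANA-registered TLS 1.3 cipher suites (0x1301-0x1305). They exist only in
# TLS 1.3, and no pre-1.3 suite is usable by TLS 1.3.
TLS13_SUITES = {
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
    "1304": "TLS_AES_128_CCM_SHA256",
    "1305": "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample cipher files (not taken from any CICS installation).
TLS12_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<cipher_suites>
  <cipher_suite number="C02F"/>
  <cipher_suite number="009C"/>
</cipher_suites>"""
TLS13_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<cipher_suites>
  <cipher_suite number="1301"/>
  <cipher_suite number="1302"/>
</cipher_suites>"""
MIXED = """<?xml version="1.0" encoding="UTF-8"?>
<cipher_suites>
  <cipher_suite number="1301"/>
  <cipher_suite number="1302"/>
  <cipher_suite number="c02f"/>
</cipher_suites>"""

def parse_cipher_numbers(xml_text):
    """Return the cipher numbers as upper-case 4-hex-digit strings, in file order."""
    numbers = []
    for elem in ET.fromstring(xml_text).iter("cipher_suite"):
        num = elem.get("number", "").strip().upper()
        if len(num) != 4 or any(c not in "0123456789ABCDEF" for c in num):
            raise ValueError(f"cipher number must be 4 hex digits: {num!r}")
        numbers.append(num)
    return numbers

def supported_versions(xml_text):
    """Return the protocol generations this cipher list can serve: a list serves
    TLS 1.3 only if it names a 13xx suite, and earlier versions only if it names
    a non-13xx suite, because the two sets are disjoint."""
    numbers = parse_cipher_numbers(xml_text)
    versions = set()
    if any(n in TLS13_SUITES for n in numbers):
        versions.add("TLS1.3")
    if any(n not in TLS13_SUITES for n in numbers):
        versions.add("pre-TLS1.3")
    return versions
```

While MAXTLSLEVEL is still TLS12, a cipher file reporting only {"TLS1.3"} would leave the TLS 1.2 clients that still connect with no usable suite; a file reporting both covers the transition period.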
Learn more in RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3.