A fix is available
APAR status
Closed as new function.
Error description
APAR to deliver CICS capability for NIST SP800-131A compliance for TCPIPSERVICE, URIMAP and IPCONN resources
Local fix
n/a
Problem summary
USERS AFFECTED: All CICS users
PROBLEM DESCRIPTION: This APAR delivers CICS capability for NIST SP800-131A compliance when using TCPIPSERVICE, URIMAP, IPCONN and outbound HTTP requests with SSL.
RECOMMENDATION:
This APAR extends the socket domain to support TLS 1.1 and TLS 1.2. Previously the CICS sockets domain only supported SSL V3 and TLS 1.0. This APAR also provides support for a new socket domain SSL environment which is suitable for implementing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A guidelines document.
Problem conclusion
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
The CICS sockets domain is changed to support TLS 1.1 and TLS 1.2. Previously the CICS sockets domain only supported SSL V3 and TLS 1.0. The two new protocols can be exploited in combination with the old protocols by setting the SIT ENCRYPTION parameter to a new value of ENCRYPTION=ALL. In addition, the TLS 1.2 protocol can be activated on its own, with the lower level protocols disabled, by using another new ENCRYPTION value of ENCRYPTION=TLS12FIPS. This option also activates FIPS processing mode in the SSL environment established by CICS. The use of ENCRYPTION=TLS12FIPS creates an environment which enables a CICS system to be configured to comply with the NIST SP800-131A guidelines document.

In order to exploit the extended set of CIPHER suites which TLS 1.2 supports, CICS is further enhanced to provide a new way of specifying CIPHERS for the following three CICS resource definitions:
IPCONN
TCPIPSERVICE
URIMAP
The EXEC CICS WEB OPEN command does not support the use of a CIPHERS file name in its CIPHERS option. EXEC CICS WEB OPEN needs to reference a URIMAP in order to exploit support for CIPHERS files.

The CIPHERS option of these three resources can now optionally contain the name of a CIPHERS file held on zFS. The TCPIPSSLCIPHERS option of the CPSM WUI can also contain the name of a CIPHERS file. CICS provides three sample CIPHERS files in the following new zFS sub-directory:
USSHOME/security/ciphers
These files are named:
strongciphers.xml - designed for use with ENCRYPTION=STRONG
allvalidciphers.xml - designed for use with ENCRYPTION=ALL
fipsciphers.xml - designed for use with ENCRYPTION=TLS12FIPS

Additionally, a new SIT option is created called USSCONFIG. The USSCONFIG system initialization parameter specifies the name and path of the root directory for CICS Transaction Server configuration files on z/OS UNIX. CICS searches directory USSCONFIG/security/ciphers for CIPHERS files when a CICS resource definition references a CIPHERS file name. This means that setting USSCONFIG to the USSHOME value will allow CICS to locate the three new sample CIPHERS files. CIPHERS file names such as 'fipsciphers.xml' are limited to a length of 28 characters.

Additionally, the REXX sample DFH$RING, which is used to generate a RACF KEYRING and populate it with self-signed certificates, has been enhanced. DFH$RING now generates a new certificate authority (CERTAUTH) certificate which is a 2048-bit RSA certificate. This is used to sign a 2048-bit RSA PERSONAL certificate which is suitable for use with IPCONN, TCPIPSERVICE, URIMAP and the CERTIFICATE option of the EXEC CICS WEB OPEN command. This strength of certificate complies with the NIST SP800-131A standard.

A number of documentation updates have been made to the CICS Transaction Server for z/OS Version 5 Release 1 manuals and Information Center in support of this APAR. The changes should be available by the end of December 2013.

Please see the following Information Center link for an overview of the extended cryptographic support provided by this APAR:
What's new > Foundational enhancements > Extended support for cryptographic standards
http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic/com.ibm.cics.ts.whatsnew.doc/found_crypto/dfhe4_overview.html

Please see the following Information Center link for an overview of making your CICS system comply with NIST SP800-131A:
Securing > Security for TCP/IP clients > Configuring CICS to use SSL > Making your CICS TS system compliant with NIST SP800-131A
http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic/com.ibm.cics.ts.doc/dfht5/topics/dfht5_tls12fips.html
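The rules above (ENCRYPTION=TLS12FIPS as the only value that disables the lower level protocols, CIPHERS file names accepted only on IPCONN, TCPIPSERVICE and URIMAP, the 28-character file name limit, the USSCONFIG/security/ciphers search directory and the three sample files) are the kind of thing a compliance reviewer checks before claiming NIST SP800-131A conformance. The following Python is an added example written for this page, not IBM or CICS code: it models a SIT and a set of resource definitions as plain data and reports the deviations from those rules. The SIT keywords, resource types, sample file names and the length limit are taken from the APAR text; the data layout, the heuristic that a CIPHERS value made only of hex digits is a legacy cipher-code string rather than a file name, the path /u/cics/config and the resource names are constructed assumptions for the example.

```python
"""Added example (not IBM code): configuration checks for the CICS SIT and
resource settings introduced by APAR PM97207, from a NIST SP800-131A review
perspective. Keyword and file names come from the APAR text; the data model,
the hex-vs-filename heuristic and the sample inputs are assumptions."""
import posixpath
from dataclasses import dataclass

CIPHERS_DIR = "security/ciphers"      # sub-directory CICS searches under USSCONFIG
MAX_CIPHERS_FILE_NAME = 28            # file name length limit stated in the APAR
RESOURCES_ACCEPTING_FILES = {"IPCONN", "TCPIPSERVICE", "URIMAP"}
# Sample files shipped in USSHOME/security/ciphers and the ENCRYPTION value each is designed for
SAMPLE_FILE_FOR_ENCRYPTION = {
    "strongciphers.xml": "STRONG",
    "allvalidciphers.xml": "ALL",
    "fipsciphers.xml": "TLS12FIPS",
}


@dataclass
class Resource:
    rtype: str      # IPCONN, TCPIPSERVICE, URIMAP, or "WEB OPEN" for the command's CIPHERS option
    name: str
    ciphers: str    # legacy hex cipher-code string, or the name of a CIPHERS file on zFS


def is_ciphers_file(value: str) -> bool:
    """Assumption: the legacy CIPHERS format is a string of hex cipher codes;
    any other non-empty value is treated as the name of a CIPHERS file."""
    v = value.strip()
    return bool(v) and not all(c in "0123456789abcdefABCDEF" for c in v)


def resolve_ciphers_file(ussconfig: str, file_name: str) -> str:
    """Path CICS searches for a CIPHERS file: USSCONFIG/security/ciphers/<name>."""
    return posixpath.join(ussconfig, CIPHERS_DIR, file_name)


def check_configuration(sit: dict, resources: list, existing_files: set) -> list:
    """Return (severity, message) findings. `existing_files` stands in for a
    listing of the zFS ciphers directory (constructed for the example)."""
    findings = []
    encryption = sit.get("ENCRYPTION", "")
    ussconfig = sit.get("USSCONFIG")
    # Only TLS12FIPS disables SSL V3 / TLS 1.0 and turns on FIPS processing mode.
    if encryption != "TLS12FIPS":
        findings.append(("HIGH", f"ENCRYPTION={encryption or '<unset>'} leaves SSL V3/TLS 1.0 "
                                 "enabled; NIST SP800-131A configuration needs ENCRYPTION=TLS12FIPS"))
    for r in resources:
        if not is_ciphers_file(r.ciphers):
            continue                      # legacy hex string: nothing file-related to check
        fname = r.ciphers.strip()
        if r.rtype not in RESOURCES_ACCEPTING_FILES:
            findings.append(("HIGH", f"{r.rtype} {r.name}: CIPHERS file names are only supported on "
                                     "IPCONN, TCPIPSERVICE and URIMAP; WEB OPEN must reference a URIMAP"))
            continue
        if len(fname) > MAX_CIPHERS_FILE_NAME:
            findings.append(("HIGH", f"{r.rtype} {r.name}: CIPHERS file name '{fname}' exceeds "
                                     f"{MAX_CIPHERS_FILE_NAME} characters"))
        if ussconfig is None:
            findings.append(("HIGH", f"{r.rtype} {r.name}: references a CIPHERS file but USSCONFIG is not set"))
        else:
            path = resolve_ciphers_file(ussconfig, fname)
            if path not in existing_files:
                findings.append(("HIGH", f"{r.rtype} {r.name}: CIPHERS file not found at {path}"))
        designed_for = SAMPLE_FILE_FOR_ENCRYPTION.get(fname)
        if designed_for and designed_for != encryption:
            findings.append(("WARN", f"{r.rtype} {r.name}: sample file {fname} is designed for "
                                     f"ENCRYPTION={designed_for}, but the SIT has ENCRYPTION={encryption}"))
    return findings


# Constructed inputs for the example: a SIT, a few resources and a fake directory listing.
EXAMPLE_SIT = {"ENCRYPTION": "TLS12FIPS", "USSCONFIG": "/u/cics/config"}
EXAMPLE_FILES = {resolve_ciphers_file("/u/cics/config", f) for f in SAMPLE_FILE_FOR_ENCRYPTION}
EXAMPLE_RESOURCES = [
    Resource("TCPIPSERVICE", "HTTPSSRV", "fipsciphers.xml"),       # compliant
    Resource("URIMAP", "OUTHTTPS", "allvalidciphers.xml"),         # sample file / ENCRYPTION mismatch
    Resource("IPCONN", "PARTNER1", "352F0A"),                      # legacy hex string, skipped
    Resource("WEB OPEN", "inline", "fipsciphers.xml"),             # file names not supported here
    Resource("TCPIPSERVICE", "LONGNAME", "this-ciphers-file-name-is-too-long.xml"),  # too long, missing
]


def demo() -> list:
    """Run the checks over the constructed inputs (4 findings: 3 HIGH, 1 WARN)."""
    return check_configuration(EXAMPLE_SIT, EXAMPLE_RESOURCES, EXAMPLE_FILES)


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

The check treats any CIPHERS value that is not purely hex as a file name; in a real review that decision, and the directory listing, would come from the actual resource definitions and from listing USSCONFIG/security/ciphers on the target z/OS system.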
APAR Information
APAR number
PM97207
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-09-17
Closed date
2013-12-09
Last modified date
2015-03-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI13353 UI13354 UI13355 UI13356 UI13357 UI13358
Modules/Macros
DFHLEPT@ DFHSOGH@ DFHWBCLH
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R80D PSY UI13354
UP13/12/14 P F312
R80M PSY UI13355
UP13/12/14 P F312
R800 PSY UI13353
UP13/12/14 P F312
R801 PSY UI13356
UP13/12/14 P F312
R802 PSY UI13357
UP13/12/14 P F312
R803 PSY UI13358
UP13/12/14 P F312