Cipher suites

There are many different algorithms which can be used for encrypting data, and for computing the message authentication code. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption; others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security - the longer the key, the more secure the data.

To allow users to select the level of security that suits their needs, and to enable communication with others who might have different security requirements, SSL defines cipher suites, or sets of ciphers. When an SSL connection is established, the client and server exchange information about which cipher suites they have in common. They then communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, then secure communication is not possible and CICS closes the connection.

Use the ENCRYPTION system initialization parameter to specify the level of encryption that CICS® should use. The default is STRONG, which means that CICS can use all of the available cipher suites to negotiate with clients. You can set a minimum as well as a maximum encryption level by editing the list of cipher suites in the CIPHERS attribute on the appropriate resource definition.

To specify the level of encryption required:

For inbound HTTP and IIOP
    Use the CIPHERS attribute of the TCPIPSERVICE resource. This automatically defines the PRIVACY attribute.
For outbound IIOP
    Use the CIPHERS attribute of the CORBASERVER resource. This automatically defines the OUTPRIVACY attribute.
For outbound HTTP requests
    Use the CIPHERS attribute of the URIMAP resource definitions.
For inbound Web service requests
    Use the CIPHERS attribute of the URIMAP resource definitions.
For outbound Web service requests
    CICS uses the default cipher suites from System SSL if you are using strong encryption. An outbound Web service does not use the URIMAP resource to determine which cipher suites to use. You can change the default cipher suite in System SSL. Alternatively, provide an ENVAR parameter as a Language Environment runtime option in CEEDOPT to set the environment variable GSK_V3_CIPHER_SPECS to the required list of cipher suites.

The PRIVACY and OUTPRIVACY attributes are no longer supported, except in compatibility mode. Their values are determined by the list of ciphers in the CIPHERS attribute as follows:

NOTSUPPORTED
    Specified when the list of ciphers in the CIPHERS attribute includes only ciphers with no encryption, for example cipher suites 01 and 02.
REQUIRED
    Specified when the list of ciphers in the CIPHERS attribute includes only cipher suites with encryption. For example, if ENCRYPTION=STRONG is specified, the full list of cipher suites is listed in the CIPHERS attribute; if you remove 01 and 02, the PRIVACY attribute changes to REQUIRED.
SUPPORTED
    Specified when the list of ciphers in the CIPHERS attribute includes 01 and 02 in combination with any other cipher suites.
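The cipher suite negotiation described above (pick the strongest suite both sides share, otherwise close the connection) and the three rules that derive PRIVACY from the CIPHERS list are modelled in the following Python. It is an added illustration, not CICS or System SSL code. It assumes that a CIPHERS value is a string of two-digit hexadecimal suite codes run together (for example "35390102"), uses a subset of Table 1 as its catalog, and the ordering it applies to decide which common suite offers the "highest level of security" (key length, then ephemeral key exchange, then SHA-1 over MD5) is this example's own assumption rather than a documented CICS rule.

```python
"""Model of CICS cipher-suite negotiation and the PRIVACY derivation.

Added illustration, not CICS or System SSL code. Assumes the CIPHERS
attribute is a string of two-digit hexadecimal suite codes run together
(for example "35390102"); suite properties are copied from Table 1.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Suite:
    code: str       # hexadecimal suite identifier as written in CIPHERS
    cipher: str
    key_bits: int   # 0 for the null-encryption suites 01 and 02
    digest: str
    exchange: str


# Subset of Table 1 (z/OS 1.9 / CICS), taken from the page.
CATALOG = {s.code: s for s in (
    Suite("01", "No encryption", 0, "MD5", "None"),
    Suite("02", "No encryption", 0, "SHA-1", "None"),
    Suite("03", "RC4", 40, "MD5", "RSA"),
    Suite("04", "RC4", 128, "MD5", "RSA"),
    Suite("05", "RC4", 128, "SHA-1", "RSA"),
    Suite("09", "DES", 56, "SHA-1", "RSA"),
    Suite("16", "3DES", 168, "SHA-1", "Ephemeral Diffie-Hellman (RSA certificate)"),
    Suite("35", "AES", 256, "SHA-1", "RSA"),
    Suite("39", "AES", 256, "SHA-1", "Ephemeral Diffie-Hellman (RSA certificate)"),
)}

NULL_SUITES = {"01", "02"}   # the suites with no encryption


def parse_ciphers(attr: str) -> List[str]:
    """Split a CIPHERS value into suite codes, rejecting malformed or unknown entries."""
    attr = attr.strip().upper()
    if not attr or len(attr) % 2:
        raise ValueError("CIPHERS must be a non-empty string of two-digit hex codes")
    codes = [attr[i:i + 2] for i in range(0, len(attr), 2)]
    for code in codes:
        if any(ch not in "0123456789ABCDEF" for ch in code):
            raise ValueError(f"not a hexadecimal suite code: {code!r}")
        if code not in CATALOG:
            raise ValueError(f"suite {code} is not in the catalog")
    return codes


def privacy(codes: List[str]) -> str:
    """Derive PRIVACY/OUTPRIVACY from the CIPHERS list using the page's three rules."""
    if not codes:
        raise ValueError("empty cipher list")
    has_null = any(c in NULL_SUITES for c in codes)
    has_enc = any(c not in NULL_SUITES for c in codes)
    if has_null and has_enc:
        return "SUPPORTED"      # 01/02 mixed with encrypting suites
    if has_enc:
        return "REQUIRED"       # only encrypting suites
    return "NOTSUPPORTED"       # only 01/02


def rank(code: str):
    """Strength ordering used by this example (an assumption, not a CICS rule):
    key length first, then forward-secret (ephemeral) exchange, then SHA-1 over MD5."""
    s = CATALOG[code]
    return (s.key_bits, s.exchange.startswith("Ephemeral"), s.digest == "SHA-1")


def negotiate(server_ciphers: str, client_offer: List[str]) -> Optional[Suite]:
    """Return the strongest suite both sides share; None means CICS closes the connection.
    Client suites not in the catalog are ignored, as a server would ignore unknown suites."""
    server = set(parse_ciphers(server_ciphers))
    client = {c.upper() for c in client_offer if c.upper() in CATALOG}
    common = server & client
    if not common:
        return None
    return CATALOG[max(common, key=rank)]


if __name__ == "__main__":
    server = "35390102"   # constructed CIPHERS value: AES-256 suites plus the null suites
    print("PRIVACY =", privacy(parse_ciphers(server)))
    chosen = negotiate(server, ["02", "39", "04"])
    print("negotiated:", chosen.code if chosen else "none (connection closed)")
```

Running the module shows PRIVACY=SUPPORTED for that CIPHERS value, because 01 and 02 are present alongside encrypting suites; removing "0102" from the string flips the derived value to REQUIRED, and a client that offers only the null suites is then refused.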
The cipher suites supported by z/OS® 1.9 and CICS are shown in Table 1. The list of available ciphers depends on the release of z/OS that you are using to run CICS. Always check the appropriate z/OS documentation for the most up-to-date list of cipher suites.
Table 1. Cipher suites supported by z/OS 1.9 and CICS

Cipher suite  Encryption algorithm  Key length  Digest  Key exchange
01            No encryption         -           MD5     None
02            No encryption         -           SHA-1   None
03            RC4                   40 bits     MD5     RSA
04            RC4                   128 bits    MD5     RSA
05            RC4                   128 bits    SHA-1   RSA
06            RC2                   40 bits     MD5     RSA
09            DES                   56 bits     SHA-1   RSA
0A            3DES                  168 bits    SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
0C            DES                   56 bits     SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
0D            3DES                  168 bits    SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
0F            DES                   56 bits     SHA-1   Fixed Diffie-Hellman key exchange using RSA certificate
10            3DES                  168 bits    SHA-1   Fixed Diffie-Hellman key exchange using RSA certificate
12            DES                   56 bits     SHA-1   Ephemeral Diffie-Hellman key exchange using DSS certificate
13            3DES                  168 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using DSS certificate
15            DES                   56 bits     SHA-1   Ephemeral Diffie-Hellman key exchange using RSA certificate
16            3DES                  168 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using RSA certificate
2F            AES                   128 bits    SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
30            AES                   128 bits    SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
31            AES                   128 bits    SHA-1   Fixed Diffie-Hellman key exchange using RSA certificate
32            AES                   128 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using DSS certificate
33            AES                   128 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using RSA certificate
35            AES                   256 bits    SHA-1   RSA
36            AES                   256 bits    SHA-1   Fixed Diffie-Hellman key exchange using DSS certificate
37            AES                   256 bits    SHA-1   Fixed Diffie-Hellman key exchange using RSA certificate
38            AES                   256 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using DSS certificate
39            AES                   256 bits    SHA-1   Ephemeral Diffie-Hellman key exchange using RSA certificate
The terms used in this table are:

AES
    Advanced Encryption Standard
DES
    Data Encryption Standard
DSS
    Digital Signature Standard
MD5
    Message Digest algorithm
RC2, RC4
    Rivest encryption
RSA
    Rivest-Shamir-Adleman encryption
SHA-1
    Secure Hash Algorithm
3DES
    DES applied three times