Defining TCPIPSERVICE resources for SSL

The following attributes of the TCPIPSERVICE resource relate to SSL:
AUTHENTICATE
specifies the authentication and identification scheme to be used for inbound TCP/IP connections for the HTTP and IIOP protocols. Each protocol supports a different set of authentication schemes.

When PROTOCOL(HTTP) is specified:

NO
The client is not required to send authentication or identification information.
BASIC
HTTP basic authentication is used to obtain a user ID and password from the client.
CERTIFICATE
SSL client certificate authentication is used to authenticate and identify the client.
AUTOREGISTER
SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS will register the certificate.
AUTOMATIC
If the client sends a certificate, SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS will register the certificate. If the client does not send a certificate, then HTTP Basic authentication is used to obtain a user ID and password from the client.

When PROTOCOL(IIOP) is specified:

NO
The client is not required to send authentication or identification information.
CERTIFICATE
SSL client certificate authentication is used to authenticate and identify the client.
ASSERTED
Asserted identity authentication is used to authenticate and identify the client.
CERTIFICATE
specifies the label of the server certificate used during the SSL handshake. If this attribute is omitted, the default certificate defined in the key ring for the CICS region user ID is used.
CIPHERS
specifies a string of up to 56 hexadecimal digits that is interpreted as a list of up to 28 2-digit cipher suite codes. When you use the CEDA transaction to define the resource, CICS automatically initializes the attribute with a default list of acceptable codes. For CICS to initialize the attribute, the KEYRING system initialization parameter must be specified in the CICS region where you are running CEDA. If KEYRING is not set, CICS does not initialize the attribute. The default list of codes depends on the level of encryption that is specified by the ENCRYPTION system initialization parameter.
  • For ENCRYPTION=WEAK, the default value is 03060102
  • For ENCRYPTION=MEDIUM, the default value is 0903060102
  • For ENCRYPTION=STRONG, the default value is 0504352F0A0903060102

You can reorder the cipher codes or remove them from the initial list. However, you cannot add cipher codes that are not in the default list for the specified encryption level. To reset the value to the default list of codes, delete all of the cipher suite codes and the field will automatically repopulate with the default list.

See Cipher suites for more information.

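The CIPHERS rules above (2-digit codes, 56-digit limit, reorder or remove but never add beyond the default list for the ENCRYPTION level, empty field resets to the default) are easy to get wrong when a definition is maintained outside CEDA. The checker below is an added example, not IBM code and not part of the CICS documentation: the default lists per ENCRYPTION level are the values stated on this page; the cipher suite names are assumed from the standard TLS cipher suite registry for those 2-digit codes and are not listed on the page. It also flags codes 01 and 02, which are NULL (no encryption) suites, so a reviewer can see why removing them from the initial list is worthwhile.

```python
"""Validate a CICS TCPIPSERVICE CIPHERS value against the rules described above.

Added example, not IBM code.  DEFAULT_CIPHERS comes from the page; SUITE_NAMES
is an assumption taken from the standard TLS cipher suite registry.
"""

# Default CIPHERS lists per ENCRYPTION level, as stated on the page.
DEFAULT_CIPHERS = {
    "WEAK": "03060102",
    "MEDIUM": "0903060102",
    "STRONG": "0504352F0A0903060102",
}

MAX_HEX_DIGITS = 56  # up to 28 two-digit cipher suite codes

# Registry names for the codes that appear in the default lists
# (assumption: standard TLS cipher suite registry values, not from the page).
SUITE_NAMES = {
    "01": "TLS_RSA_WITH_NULL_MD5",
    "02": "TLS_RSA_WITH_NULL_SHA",
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Suites that perform no encryption at all.
NULL_CIPHERS = {"01", "02"}


def parse_ciphers(value):
    """Split a CIPHERS string into its 2-digit codes, upper-cased.

    Raises ValueError when the string is not a well-formed CIPHERS value.
    """
    digits = value.strip().upper()
    if len(digits) > MAX_HEX_DIGITS:
        raise ValueError(f"CIPHERS longer than {MAX_HEX_DIGITS} hexadecimal digits")
    if len(digits) % 2:
        raise ValueError("CIPHERS must be a whole number of 2-digit codes")
    if any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("CIPHERS must contain only hexadecimal digits")
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]


def check_ciphers(value, encryption):
    """Check a CIPHERS value for a given ENCRYPTION level.

    Returns {"codes": effective list in preference order,
             "errors": rule violations, "warnings": review notes}.
    """
    if encryption not in DEFAULT_CIPHERS:
        raise ValueError(f"unknown ENCRYPTION level {encryption!r}")
    defaults = parse_ciphers(DEFAULT_CIPHERS[encryption])
    codes = parse_ciphers(value)
    errors, warnings = [], []

    if not codes:
        # An emptied field is repopulated with the default list for the level.
        codes = list(defaults)
        warnings.append(f"empty CIPHERS resets to default list {DEFAULT_CIPHERS[encryption]}")

    seen = set()
    for code in codes:
        if code not in defaults:
            # Reordering and removing are allowed; adding new codes is not.
            errors.append(f"{code} is not in the default list for ENCRYPTION={encryption}")
        elif code in seen:
            warnings.append(f"{code} is listed more than once")
        seen.add(code)

    for code in codes:
        if code in NULL_CIPHERS:
            warnings.append(f"{code} ({SUITE_NAMES[code]}) is a NULL cipher: no encryption")

    return {"codes": codes, "errors": errors, "warnings": warnings}


def describe(codes):
    """Human-readable preference list, using registry names where known."""
    return [f"{c} {SUITE_NAMES.get(c, '(unknown suite)')}" for c in codes]


if __name__ == "__main__":
    # Constructed sample: a STRONG-level definition trimmed to AES and 3DES only.
    result = check_ciphers("352F0A", "STRONG")
    for line in describe(result["codes"]):
        print(line)
    for problem in result["errors"] + result["warnings"]:
        print("!", problem)
```

Running the module with no errors and no warnings is the state to aim for: a CIPHERS list that is a subset of the level's default list, in the order of preference you want, with the NULL suites removed.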
PORTNUMBER
specifies the number of the port on which CICS is to listen for incoming client requests. The well-known ports for SSL services supported by CICS are:
443
HTTP with SSL
684
IIOP with SSL
SSL
specifies whether the TCP/IP service is to use SSL for encryption and authentication:
NO
SSL is not to be used.
YES
An SSL session is to be used; CICS will send a server certificate to the client.
CLIENTAUTH
An SSL session is to be used; CICS will send a server certificate to the client, and the client must send a client certificate to CICS.