The following attributes of the TCPIPSERVICE resource relate to SSL:
- AUTHENTICATE
  Specifies the authentication and identification scheme to be used for inbound TCP/IP connections for the HTTP and IIOP protocols. Each protocol supports a different set of authentication schemes.
  When PROTOCOL(HTTP) is specified:
  - NO
    The client is not required to send authentication or identification information.
  - BASIC
    HTTP basic authentication is used to obtain a user ID and password from the client.
  - CERTIFICATE
    SSL client certificate authentication is used to authenticate and identify the client.
  - AUTOREGISTER
    SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS will register the certificate.
  - AUTOMATIC
    If the client sends a certificate, SSL client certificate authentication is used to authenticate the client. If the client sends a valid certificate that is not registered to the security manager, then CICS will register the certificate. If the client does not send a certificate, then HTTP Basic authentication is used to obtain a user ID and password from the client.
  When PROTOCOL(IIOP) is specified:
  - NO
    The client is not required to send authentication or identification information.
  - CERTIFICATE
    SSL client certificate authentication is used to authenticate and identify the client.
  - ASSERTED
    Asserted identity authentication is used to authenticate and identify the client.
- CERTIFICATE
  Specifies the label of the server certificate used during the SSL handshake. If this attribute is omitted, the default certificate defined in the key ring for the CICS region user ID is used.
- CIPHERS
  Specifies a string of up to 56 hexadecimal digits that is interpreted as a list of up to 28 2-digit cipher suite codes. When you use the CEDA transaction to define the resource, CICS automatically initializes the attribute with a default list of acceptable codes.
  For CICS to initialize the attribute, the KEYRING system initialization parameter must be specified in the CICS region where you are running CEDA. If KEYRING is not set, CICS does not initialize the attribute.
  The default list of codes depends on the level of encryption that is specified by the ENCRYPTION system initialization parameter:
  - For ENCRYPTION=WEAK, the default value is 03060102
  - For ENCRYPTION=MEDIUM, the initial value is 0903060102
  - For ENCRYPTION=STRONG, the initial value is 0504352F0A0903060102
  You can reorder the cipher codes or remove them from the initial list. However, you cannot add cipher codes that are not in the default list for the specified encryption level. To reset the value to the default list of codes, delete all of the cipher suite codes and the field will automatically repopulate with the default list.
  See Cipher suites for more information.
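
The rules above (up to 56 hex digits read as up to 28 two-digit codes, a per-level default list, reorder or remove but never add, and empty means reset) are easy to get wrong when a CIPHERS value is set by hand or by a provisioning script. The following validator is an added example, not IBM's code: it applies exactly those rules to a candidate value and then flags which of the remaining suites a hardening review would remove. The cipher suite names are taken from the IANA TLS Cipher Suite registry (the two-digit code is the low byte of the suite identifier) and are not on this page; the set of suites treated as weak (NULL encryption, export-grade, RC4 and single DES) is the reviewer's classification, not one CICS makes.

```python
"""Validator for the CICS TCPIPSERVICE CIPHERS attribute (added example, not IBM code)."""
from __future__ import annotations

# Default CIPHERS values per ENCRYPTION level, exactly as documented.
DEFAULT_CIPHERS = {
    "WEAK": "03060102",
    "MEDIUM": "0903060102",
    "STRONG": "0504352F0A0903060102",
}

MAX_HEX_DIGITS = 56  # 28 two-digit codes

# Suite names from the IANA TLS Cipher Suite registry (high byte 0x00).
# Not on the documentation page; included only to make review output readable.
SUITE_NAMES = {
    "01": "TLS_RSA_WITH_NULL_MD5",
    "02": "TLS_RSA_WITH_NULL_SHA",
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Reviewer's classification (assumption, not a CICS rule): NULL encryption,
# export-grade, RC4 and single-DES suites. 3DES (0A) is deliberately left in.
WEAK_SUITES = {"01", "02", "03", "04", "05", "06", "09"}


def parse_ciphers(value: str) -> list[str]:
    """Split a CIPHERS string into uppercase two-digit codes, preserving order."""
    value = value.strip().upper()
    if len(value) > MAX_HEX_DIGITS:
        raise ValueError(f"CIPHERS longer than {MAX_HEX_DIGITS} hex digits")
    if len(value) % 2:
        raise ValueError("CIPHERS must contain an even number of hex digits")
    if any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("CIPHERS must contain only hexadecimal digits")
    return [value[i:i + 2] for i in range(0, len(value), 2)]


def effective_ciphers(value: str, encryption: str) -> list[str]:
    """Return the list CICS would accept for this value at this ENCRYPTION level.

    An empty value resets to the documented default. Otherwise every code must
    already be in the default list for the level; reordering and removal are fine.
    """
    level = encryption.strip().upper()
    if level not in DEFAULT_CIPHERS:
        raise ValueError(f"unknown ENCRYPTION level {encryption!r}")
    default = parse_ciphers(DEFAULT_CIPHERS[level])
    codes = parse_ciphers(value)
    if not codes:
        return default
    extra = [c for c in codes if c not in default]
    if extra:
        raise ValueError(f"codes {extra} are not in the ENCRYPTION={level} default list")
    return codes


def is_valid(value: str, encryption: str) -> bool:
    """True if CICS would accept `value` for the given ENCRYPTION level."""
    try:
        effective_ciphers(value, encryption)
    except ValueError:
        return False
    return True


def weak_suites(codes: list[str]) -> list[str]:
    """Codes from `codes` that the hardening review would flag, in order."""
    return [c for c in codes if c in WEAK_SUITES]


def hardened_ciphers(encryption: str) -> str:
    """CIPHERS string keeping only the unflagged suites of the level's default."""
    return "".join(c for c in effective_ciphers("", encryption) if c not in WEAK_SUITES)


if __name__ == "__main__":
    for level in DEFAULT_CIPHERS:
        codes = effective_ciphers("", level)
        print(f"ENCRYPTION={level}: default {codes}")
        for c in weak_suites(codes):
            print(f"  flag {c} {SUITE_NAMES.get(c, '?')}")
        print(f"  hardened CIPHERS: {hardened_ciphers(level) or '(nothing left)'}")
```

Running the script shows the point a practitioner should take from the default lists: under ENCRYPTION=WEAK and MEDIUM every default suite is NULL, export-grade, RC4 or single DES, so no value of CIPHERS can make such a listener acceptable; only ENCRYPTION=STRONG leaves suites (35, 2F, 0A) worth keeping, and the CIPHERS field is the place to drop the rest.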

- PORTNUMBER
  Specifies the number of the port on which CICS is to listen for incoming client requests. The well-known ports for SSL services supported by CICS are:
  - 443
    HTTP with SSL
  - 684
    IIOP with SSL
- SSL
  Specifies whether the TCP/IP service is to use SSL for encryption and authentication:
  - NO
    SSL is not to be used.
  - YES
    An SSL session is to be used; CICS will send a server certificate to the client.
  - CLIENTAUTH
    An SSL session is to be used; CICS will send a server certificate to the client, and the client must send a client certificate to CICS.