Support for security protocols

CICS supports two security protocols that can be used to provide secure communication over the Internet. The first is the Secure Sockets Layer (SSL) 3.0 protocol. The second is the Transport Layer Security (TLS) 1.0 protocol, the industry-standard successor to SSL 3.0, on which it is based. The TLS 1.0 specification is documented in RFC 2246, which is available on the Internet at www.rfc-editor.org/rfcsearch.html. Any connection that requires encryption automatically uses the TLS protocol, unless the client specifically requires SSL 3.0. Note that both protocols have since been formally deprecated by the IETF (SSL 3.0 in RFC 7568 and TLS 1.0 in RFC 8996); a client that can only negotiate SSL 3.0 is falling back to the weaker of the two.

Note: For clarity, the term SSL is used in this documentation to refer to both protocols, except where a point applies to one protocol specifically.
The primary aim of TLS is to make SSL more secure and to make the specification of the protocol more precise and complete. TLS provides the following enhancements over SSL 3.0:
Keyed-hash message authentication
TLS uses the keyed-hash message authentication code (HMAC) construction, defined in RFC 2104, to ensure that a record cannot be altered undetected while travelling over an open network such as the Internet. SSL 3.0 also provides keyed message authentication, but its MAC is a nested-hash construction of its own design, whereas HMAC has a published security analysis and is considered more secure.
Enhanced pseudorandom function (PRF)
The PRF is used to generate key material. In TLS, the PRF is defined in terms of HMAC and uses two hash algorithms, MD5 and SHA-1: the secret is split into two halves, each half is expanded with one of the algorithms, and the two outputs are combined with an exclusive OR. If either algorithm is compromised, the derived key material remains secure as long as the other algorithm is not.
Improved finished message verification
Both TLS 1.0 and SSL 3.0 send a finished message to each endpoint to verify that the exchanged handshake messages were not altered. In TLS, however, the finished message is computed from the PRF and HMAC values over the master secret and the full handshake transcript, which is more secure than the construction SSL 3.0 uses.
Consistent certificate handling
Unlike SSL 3.0, TLS attempts to specify the type of certificate that must be exchanged between TLS implementations.
Specific alert messages
TLS provides more specific and additional alerts to indicate problems that either session endpoint detects. TLS also documents when certain alerts should be sent.
The main features of the security protocols are:
Privacy
The data to be exchanged between the client and the server is encrypted. See SSL encryption for more information.
Integrity
Data transmitted using the SSL protocols is protected against tampering by a message authentication code (MAC). The sender computes the MAC over the record contents with a keyed secure hashing algorithm and transmits it with the data. The receiver computes it again and compares the result with the value the sender transmitted. A mismatch between the two MAC values indicates that the data may have been tampered with in transit, and the receiver rejects the record rather than pass it to the application.
Authentication
SSL uses digital certificates to authenticate servers to clients and, optionally, clients to servers.
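The integrity check above can be shown concretely at the record layer. The following is an added example written for this page, not CICS code or part of any IBM product: it computes the TLS 1.0 record MAC from RFC 2246 section 6.2.3.1 (an HMAC over the sequence number, content type, protocol version, length and fragment), verifies a received record in constant time, and places the SSL 3.0 nested-hash MAC from RFC 6101 section 5.2.3.1 beside it for contrast. It goes slightly beyond the page's description by showing that, because the sequence number is covered by the MAC, a replayed record fails verification as well as an altered one. The MAC secret, sequence number and application data are constructed for illustration, and the function names are this example's own.

```python
"""Record-layer MAC for TLS 1.0 (RFC 2246 section 6.2.3.1), with the SSL 3.0
construction it replaced (RFC 6101 section 5.2.3.1) shown for contrast.

Added example for this page; it is not CICS code. The key, sequence number and
application data below are constructed, not captured traffic.
"""
import hashlib
import hmac
import struct

CONTENT_TYPE_APPLICATION_DATA = 23
TLS10_VERSION = (3, 1)


def tls10_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                     fragment: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_hash(MAC_write_secret, seq_num + type + version + length + fragment).

    seq_num is a 64-bit per-connection record counter, so a replayed or
    reordered record fails verification even if its bytes are untouched.
    """
    header = struct.pack("!QBBBH", seq_num, content_type,
                         TLS10_VERSION[0], TLS10_VERSION[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def ssl3_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                    fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSL 3.0 MAC: hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment)).

    pad_1 is 0x36 repeated 48 times for MD5 or 40 times for SHA-1, and pad_2 is
    0x5c repeated the same number of times. This is an ad hoc nested hash, not
    HMAC, and it does not cover the protocol version.
    """
    pad_len = 48 if hash_name == "md5" else 40
    pad_1 = b"\x36" * pad_len
    pad_2 = b"\x5c" * pad_len
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad_2 + inner).digest()


def verify_tls10_record(mac_secret: bytes, seq_num: int, content_type: int,
                        protected_record: bytes, hash_name: str = "sha1") -> bool:
    """Split a received (fragment + MAC) record, recompute the MAC and compare
    it in constant time. A record too short to carry a MAC is rejected."""
    mac_len = hashlib.new(hash_name).digest_size
    if len(protected_record) < mac_len:
        return False
    fragment, received_mac = protected_record[:-mac_len], protected_record[-mac_len:]
    expected = tls10_record_mac(mac_secret, seq_num, content_type, fragment, hash_name)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (not captured traffic).
SAMPLE_MAC_SECRET = bytes(range(20))
SAMPLE_FRAGMENT = b"PUT /account/transfer?amount=100 HTTP/1.0\r\n\r\n"


def demo() -> dict:
    """Protect one record, then verify the genuine copy, an altered copy,
    a replayed copy and a truncated copy."""
    seq = 0
    ctype = CONTENT_TYPE_APPLICATION_DATA
    protected = SAMPLE_FRAGMENT + tls10_record_mac(SAMPLE_MAC_SECRET, seq, ctype, SAMPLE_FRAGMENT)

    # An attacker flips one byte of the application data in transit.
    tampered = bytearray(protected)
    tampered[10] ^= 0x01

    return {
        "genuine_ok": verify_tls10_record(SAMPLE_MAC_SECRET, seq, ctype, protected),
        "tampered_ok": verify_tls10_record(SAMPLE_MAC_SECRET, seq, ctype, bytes(tampered)),
        # The same bytes presented again later in the connection carry a stale seq_num.
        "replayed_ok": verify_tls10_record(SAMPLE_MAC_SECRET, seq + 1, ctype, protected),
        "truncated_ok": verify_tls10_record(SAMPLE_MAC_SECRET, seq, ctype, protected[:5]),
        "ssl3_mac_differs": ssl3_record_mac(SAMPLE_MAC_SECRET, seq, ctype, SAMPLE_FRAGMENT)
                            != tls10_record_mac(SAMPLE_MAC_SECRET, seq, ctype, SAMPLE_FRAGMENT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing with hmac.compare_digest rather than == matters in practice: a byte-by-byte comparison that returns early leaks, through timing, how many leading bytes of a forged MAC were correct.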