SSL with CICS Web support

The Secure Sockets Layer (SSL) can be used with HTTP to enable encryption, message authentication, and client and server authentication using certificates. The HTTPS scheme is HTTP with SSL. When you have configured CICS® to use SSL, its facilities are available for both CICS as an HTTP server, and CICS as an HTTP client.

The CICS RACF® Security Guide explains the facilities that SSL provides and tells you how to make SSL work with CICS.

When CICS is an HTTP server, you can use SSL to protect an interaction with a Web client. To do this, specify appropriate security options on the TCPIPSERVICE definition for the port on which CICS receives the client's requests.

As well as specifying the use of SSL, you can require basic authentication or require a client certificate. To give more assistance to Web clients, you can allow a client to provide a client certificate and then register itself with the security manager to supply identification for the CICS environment. You can also allow a client to use self-registration or basic authentication as needed to supply identification. All these activities are handled by CICS itself, so if you are providing an application-generated response, your application does not need to handle them. Creating TCPIPSERVICE resource definitions for CICS Web support explains how to create TCPIPSERVICE definitions that include these security options.

Note that when CICS document templates and HFS files are delivered directly from a URIMAP definition, as a static response, basic authentication does not operate. If you need to implement access controls based on a user ID, use an application to provide the resources as a dynamic response.
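The options described above correspond to the SSL and AUTHENTICATE attributes of the TCPIPSERVICE definition. The following DFHCSDUP input is an added example, not taken from the CICS documentation. The resource name, group, port number and certificate label are constructed placeholders.

```cics
* Added example. HTTPSSL, WEBGRP, 8443 and CICS-SERVER-CERT are
* constructed placeholder values; replace them with your own.
*
* AUTHENTICATE values and the option each one selects:
*   BASIC        - require HTTP basic authentication
*   CERTIFICATE  - require a client certificate that is already
*                  registered to the security manager
*   AUTOREGISTER - accept a client certificate and let the client
*                  register it to a user ID
*   AUTOMATIC    - use self-registration or basic authentication
*                  as needed
*
* SSL(CLIENTAUTH) makes CICS ask for a client certificate during
* the SSL handshake. SSL(YES) encrypts the connection without
* asking for a client certificate.
*
DEFINE TCPIPSERVICE(HTTPSSL) GROUP(WEBGRP)
       PROTOCOL(HTTP)
       PORTNUMBER(8443)
       TRANSACTION(CWXN)
       URM(DFHWBAAX)
       SSL(CLIENTAUTH)
       CERTIFICATE(CICS-SERVER-CERT)
       AUTHENTICATE(CERTIFICATE)
       STATUS(OPEN)
```

If you select AUTHENTICATE(BASIC), pair it with SSL(YES) or SSL(CLIENTAUTH), because basic authentication sends the user ID and password with only base64 encoding and relies on SSL for confidentiality.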

When CICS is an HTTP client, a server might require the use of SSL for some connections. If that is the case, you need to do some or all of the following: