There are new and changed system initialization parameters for
the improvements to Internet security. The changed parameters are:
- ENCRYPTION={STRONG|WEAK|MEDIUM}
- Specifies the cipher suites that CICS® uses for secure TCP/IP connections.
For compatibility with previous releases, ENCRYPTION=NORMAL is accepted as
an equivalent to ENCRYPTION=MEDIUM.
- STRONG
- Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 04 | RC4 | 128 bits | MD5 |
| 05 | RC4 | 128 bits | SHA |
| 06 | RC2 | 40 bits | MD5 |
| 09 | DES | 56 bits | SHA |
| 0A | Triple DES | 168 bits | SHA |
| 2F | AES | 128 bits | SHA |
| 35 | AES | 256 bits | SHA |

The terms used in this table are:
- MD5
- Message Digest algorithm
- SHA
- Secure Hash algorithm
- RC2, RC4
- Rivest encryption
- DES
- Data Encryption Standard
- Triple DES
- DES applied three times
- AES
- Advanced Encryption Standard
- WEAK
- Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 06 | RC2 | 40 bits | MD5 |

The terms used in this table are:
- MD5
- Message Digest algorithm
- SHA
- Secure Hash algorithm
- RC2, RC4
- Rivest encryption
- MEDIUM
- Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 06 | RC2 | 40 bits | MD5 |
| 09 | DES | 56 bits | SHA |

The terms used in this table are:
- MD5
- Message Digest algorithm
- SHA
- Secure Hash algorithm
- RC2, RC4
- Rivest encryption
- DES
- Data Encryption Standard
The parameter SSLTCBS is obsolete. Use the following new parameter
instead:
- MAXSSLTCBS={8|number}
- Specifies the maximum number of S8 TCBs that can run in the SSL pool.
The default is 8, but you can specify up to 1024 TCBs.
The new system initialization parameters are:

- CRLPROFILE=profilename
- Specifies the name of the RACF profile that CICS should use to access
the LDAP server that contains certificate revocation lists (CRLs). Specifying
this parameter means that CICS checks each client certificate during the SSL negotiation
for a revoked status. If the certificate is revoked, CICS closes the connection immediately.
- SSLCACHE={CICS|SYSPLEX}
- Specifies whether SSL is to use local or sysplex caching of session
IDs. Sysplex caching is useful where multiple CICS socket-owning regions accept SSL connections
at the same IP address.
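
An added example, not part of the IBM documentation: a small Python audit of a set of SIT overrides against the rules on this page (the obsolete SSLTCBS, the MAXSSLTCBS limit, the suites each ENCRYPTION value admits, and a missing CRLPROFILE). The override layout (`*` comments, comma separators, `.END`), the 128-bit threshold, and the names `parse_sit`, `allowed_suites` and `audit` are assumptions of the example.

```python
# Added example, not IBM code. Suite data from the page: code -> (cipher, key bits).
SUITES = {"01": (None, 0), "02": (None, 0), "03": ("RC4", 40),
          "04": ("RC4", 128), "05": ("RC4", 128), "06": ("RC2", 40),
          "09": ("DES", 56), "0A": ("Triple DES", 168),
          "2F": ("AES", 128), "35": ("AES", 256)}
LEVELS = {"WEAK": ["01", "02", "03", "06"],
          "MEDIUM": ["01", "02", "03", "06", "09"],
          "STRONG": list(SUITES)}
MIN_BITS = 128  # assumption: local policy threshold, not from the page

def parse_sit(text):
    """Parse KEY=VALUE overrides (assumed layout: '*' comments, commas, .END)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if line.upper().startswith(".END"):
            break
        for item in line.split(","):
            key, sep, value = item.partition("=")
            if sep:
                params[key.strip().upper()] = value.strip()
    return params

def allowed_suites(level):
    """Suites for an ENCRYPTION value; NORMAL is accepted as MEDIUM."""
    return LEVELS["MEDIUM" if level == "NORMAL" else level]

def audit(params):
    findings = []
    if "SSLTCBS" in params:
        findings.append("SSLTCBS is obsolete; use MAXSSLTCBS")
    tcbs = params.get("MAXSSLTCBS", "8")  # page: default 8, up to 1024
    if not tcbs.isdigit() or int(tcbs) > 1024:
        findings.append("MAXSSLTCBS=%s is not a number up to 1024" % tcbs)
    level = params.get("ENCRYPTION", "").upper()
    if level in LEVELS or level == "NORMAL":
        codes = allowed_suites(level)
        null = [c for c in codes if SUITES[c][0] is None]
        short = [c for c in codes if 0 < SUITES[c][1] < MIN_BITS]
        findings.append("%s allows unencrypted suites %s" % (level, ",".join(null)))
        findings.append("%s allows sub-%d-bit suites %s" % (level, MIN_BITS, ",".join(short)))
    if "CRLPROFILE" not in params:
        findings.append("CRLPROFILE not set; no CRL lookup is configured")
    return findings

SAMPLE = "* constructed sample\nSSLTCBS=16,\nENCRYPTION=NORMAL,\nSSLCACHE=SYSPLEX,\n.END\n"
if __name__ == "__main__":
    print("\n".join(audit(parse_sit(SAMPLE))))
```

Because the STRONG table on this page still lists suites 01, 02, 03, 06 and 09, the audit reports them for every ENCRYPTION value.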