CICS can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) security protocols to support secure TCP/IP connections. To authenticate servers to clients, create certificates and key rings in RACF and ensure that the CICS region and resources are correctly configured to support security.

Before you begin to configure CICS, decide which type of certificates to use in SSL handshakes. You can use RACF® to create certificates, but you must configure your clients to ensure that they can recognize the RACF server certificate. If you cannot configure your clients in this way, for example when clients are external to your organization, use a certificate signed by an external certificate authority.

Complete the following tasks to configure CICS to use SSL:
- Set the correct authorizations in RACF to create a key ring, create a signing certificate (certificate authority certificate), and add certificates to the key ring.
- Optional: If you decide to use a certificate from a certificate authority, create a certificate request using RACF and send it to the certificate authority. You might have to wait a number of days to receive a signing certificate from the certificate authority. If your chosen certificate authority does not have its certificate built in to RACF, you might have to import it.
- Create a key ring. You must create a key ring in the RACF database. The key ring contains:
  - Your public and private keys
  - Your server certificates
  - Signing certificates for the server certificates
  - Signing certificates for any client certificates owned by clients with which you expect CICS to communicate using client authentication.
- Create the certificates and add them to the key ring.
- Ensure that the CICS region has access to the z/OS® system SSL library SIEALNKE. You can use STEPLIB or JOBLIB statements, or use the system link library.
- Define the CICS system initialization parameters that are related to security. In particular, specify the name of the key ring that you created in the KEYRING system initialization parameter.
- Define TCPIPSERVICE resources.
CICS supplies a sample REXX program, DFH$RING, that contains all of the RACF commands to create a key ring, create a signing certificate, create additional certificates, and add them to the key ring. DFH$RING contains sample values that are suitable for building a test key ring only. You must edit all the values if you want to create a key ring that is suitable for a production environment.
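The following REXX exec walks through the RACF part of the procedure above (authorizations, key ring, signing certificate, server certificate, and connecting them to the ring), and also shows the alternative path of requesting a certificate from an external certificate authority. It is an added example written for this page; it is not DFH$RING or any other CICS-supplied code. Every name in it is an assumption: CICSUSER as the CICS region user ID, CICSRING as the key ring name, the labels EXAMPLECA, CICSSERVER and EXTERNALCA, the distinguished-name values, the data set names, and the expiry dates.

```rexx
/* REXX - added example for this page, not the CICS-supplied DFH$RING.   */
/* Placeholders: CICSUSER (CICS region user ID), CICSRING (key ring),     */
/* certificate labels, DN values, data set names and dates. Replace them  */
/* all before use; the local CA below is suitable for a test ring only.  */
ADDRESS TSO

/* 1. Authorize the region user ID to read its own key ring at run time. */
/*    READ on IRR.DIGTCERT.LISTRING covers rings the user ID owns; a     */
/*    ring owned by another user ID requires UPDATE instead.             */
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CICSUSER) ACCESS(READ)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 2. Create the key ring in the RACF database, owned by the region ID. */
"RACDCERT ID(CICSUSER) ADDRING(CICSRING)"

/* 3. Create a local signing (certificate authority) certificate.        */
/*    Test environments only: clients must be configured to trust it.   */
"RACDCERT CERTAUTH GENCERT" ,
  "SUBJECTSDN(CN('Example Test CA') O('Example Corp') C('US'))" ,
  "WITHLABEL('EXAMPLECA')" ,
  "NOTAFTER(DATE(2030-12-31))"

/* 4. Create the server certificate, signed by the local CA.            */
/*    The CN should match the host name clients connect to.             */
"RACDCERT ID(CICSUSER) GENCERT" ,
  "SUBJECTSDN(CN('cics.example.com') O('Example Corp') C('US'))" ,
  "WITHLABEL('CICSSERVER')" ,
  "SIGNWITH(CERTAUTH LABEL('EXAMPLECA'))" ,
  "NOTAFTER(DATE(2027-12-31))"

/* 5. Connect both certificates to the ring. The server certificate is  */
/*    the ring's DEFAULT so CICS uses it for TCPIPSERVICEs that do not   */
/*    name a CERTIFICATE label explicitly.                               */
"RACDCERT ID(CICSUSER) CONNECT(CERTAUTH LABEL('EXAMPLECA')" ,
  "RING(CICSRING) USAGE(CERTAUTH))"
"RACDCERT ID(CICSUSER) CONNECT(ID(CICSUSER) LABEL('CICSSERVER')" ,
  "RING(CICSRING) USAGE(PERSONAL) DEFAULT)"

/* 6. Alternative for production: request a certificate from an         */
/*    external CA. RACF generates the key pair as a self-signed          */
/*    certificate, GENREQ writes the request, and ADD later replaces     */
/*    the self-signed certificate (same label, same key) with the one    */
/*    the CA returns. Uncomment to use instead of steps 3 and 4.         */
/*
"RACDCERT ID(CICSUSER) GENCERT" ,
  "SUBJECTSDN(CN('cics.example.com') O('Example Corp') C('US'))" ,
  "WITHLABEL('CICSSERVER') NOTAFTER(DATE(2027-12-31))"
"RACDCERT ID(CICSUSER) GENREQ(LABEL('CICSSERVER'))" ,
  "DSN('CICSUSER.CICSSRV.CSR')"
/* ... send the request to the CA, store the returned certificate and,  */
/* if RACF does not already hold the CA's certificate, the CA's own      */
/* certificate as data sets, then: */
"RACDCERT CERTAUTH ADD('CICSUSER.EXTCA.CERT') WITHLABEL('EXTERNALCA') TRUST"
"RACDCERT ID(CICSUSER) ADD('CICSUSER.CICSSRV.CERT') WITHLABEL('CICSSERVER') TRUST"
"RACDCERT ID(CICSUSER) CONNECT(CERTAUTH LABEL('EXTERNALCA')" ,
  "RING(CICSRING) USAGE(CERTAUTH))"
*/

/* 7. Refresh the certificate classes if they are RACLISTed, then list  */
/*    the ring to confirm the trust chain and the DEFAULT entry.         */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
"RACDCERT ID(CICSUSER) LISTRING(CICSRING)"
EXIT 0
```

After the ring is built, the remaining steps of the procedure refer to it by name: set the KEYRING system initialization parameter to the ring name (CICSRING in this example) and, on each TCPIPSERVICE that uses SSL, name the server certificate label in CERTIFICATE, or leave it unset to use the ring's DEFAULT certificate. Note that the LISTRING output is the quickest check that the signing certificate is connected with USAGE(CERTAUTH) and the server certificate with USAGE(PERSONAL); a ring missing its CA entry is a common cause of handshake failures that are otherwise hard to diagnose from the client side.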