Customizing encryption negotiations

You can select the cipher suites that are used in the encryption negotiation process to set a minimum level as well as a maximum level of encryption.

The CIPHERS attribute on the resource definitions TCPIPSERVICE, CORBASERVER and URIMAP specifies the cipher suites that can be used for each encryption level. The default value of the attribute is the list of 2-digit cipher codes that are used in encryption negotiations. You have the option of customizing this list of cipher suites to include your order of preference for the encryption levels at which CICS® should negotiate with clients. You can also choose to remove cipher suites from the list. This is particularly useful if you want to ensure that only a very high level of encryption is used. You can do this as follows:
  1. Select the resource definition that you want to change.
  2. The CIPHERS attribute displays the default value. For example, if the system initialization parameter ENCRYPTION=STRONG, the default value is 0504352F0A0903060201. Start of changeFor CICS to display the default value, the KEYRING system initialization parameter must be specified in the CICS region where you are working with the resource definition.End of change
  3. Edit the attribute value to remove and reorder the cipher suites. For example, you could specify 352F0A0504.
  4. Save the resource definition.
Specifying 352F0A0504 means that CICS will not negotiate below 128-bit encryption for connections using this resource. Each of the 2-digit codes in the attribute, for example 35, 2F, 0A and so on, refer to cipher suites that have at least a 128-bit encryption. CICS will start by trying to negotiate using the AES cipher suites 35 and 2F, because these are first in the list of cipher codes. If the client does not have this level of encryption, CICS will close the connection.

Note that you cannot include cipher suites that are not in the default values for that level of encryption. For example, if you have a MEDIUM level of encryption specified, you cannot add the AES cipher suites 35 and 2F to the CIPHERS attribute. For a complete list of cipher suites for each level of encryption, see dfha2me.htm#dfha2me.