You can select the cipher suites that are used in the encryption
negotiation process to set a minimum level as well as a maximum level
of encryption.
The CIPHERS attribute on the resource definitions TCPIPSERVICE,
CORBASERVER, and URIMAP specifies the cipher suites that can be used
for each encryption level. The default value of the attribute is the
list of 2-digit cipher codes that are used in encryption negotiations.
You have the option of customizing this list of cipher suites to include
your order of preference for the encryption levels at which CICS® should
negotiate with clients. You can also choose to remove cipher suites
from the list. This is particularly useful if you want to ensure that
only a very high level of encryption is used. You can do this as follows:
- Select the resource definition that you want to change.
- The CIPHERS attribute displays the default value. For example,
if the system initialization parameter ENCRYPTION=STRONG, the default
value in z/OS 1.9 is 050435363738392F303132330A1613100D0915120F0C03060201.
- Edit the attribute value to remove and reorder the cipher
suites. For example, you could specify 352F0A0504.
- Save the resource definition.
Specifying 352F0A0504 means that CICS will not negotiate below 128-bit
encryption for connections using this resource. Each of the 2-digit codes
in the attribute, for example 35, 2F, 0A and so on, refers to a cipher
suite that has at least 128-bit encryption. CICS will start by trying to
negotiate using the AES cipher suites 35 and 2F, because these are first
in the list of cipher codes. If the client does not support any cipher
suite in the list, CICS will close the connection.
Note that
you cannot include cipher suites that are not in the default values
for that level of encryption. For example, if you have a MEDIUM level
of encryption specified, you cannot add the AES cipher suites 35 and
2F to the CIPHERS attribute. For a complete
list of cipher suites for each level of encryption, see the ENCRYPTION system
initialization parameter.
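The procedure above and the restriction that a CIPHERS value may only contain codes from the default list for the active ENCRYPTION level, as an added example (not IBM's code): it parses a CIPHERS string into its 2-digit codes, checks it against the STRONG default quoted on this page, and models the preference-ordered negotiation. The client offer lists are constructed for illustration.

```python
"""Validate a CICS CIPHERS attribute value and model its negotiation.

Added example, not IBM's code. A CIPHERS value is a string of 2-hex-digit
cipher suite codes in server preference order, and every code must come
from the default list for the active ENCRYPTION level.
"""
from __future__ import annotations

# Default CIPHERS value for ENCRYPTION=STRONG on z/OS 1.9, as quoted on the page.
STRONG_DEFAULT = "050435363738392F303132330A1613100D0915120F0C03060201"


def parse_ciphers(value: str) -> list[str]:
    """Split a CIPHERS string into upper-case 2-digit codes; reject malformed input."""
    value = value.strip().upper()
    if not value or len(value) % 2:
        raise ValueError("CIPHERS must consist of whole 2-digit codes")
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    for code in codes:
        int(code, 16)  # raises ValueError on a non-hex digit
    if len(set(codes)) != len(codes):
        raise ValueError("duplicate cipher code in CIPHERS")
    return codes


def validate_ciphers(value: str, level_default: str = STRONG_DEFAULT) -> list[str]:
    """Return the preference list, refusing any code outside the level's default list."""
    allowed = set(parse_ciphers(level_default))
    codes = parse_ciphers(value)
    rejected = [c for c in codes if c not in allowed]
    if rejected:
        raise ValueError(f"not permitted at this ENCRYPTION level: {rejected}")
    return codes


def negotiate(server_ciphers: str, client_offer: list[str]) -> str | None:
    """Pick the first server-preferred code the client also offers; None means CICS closes."""
    offered = {c.upper() for c in client_offer}
    for code in validate_ciphers(server_ciphers):
        if code in offered:
            return code
    return None


if __name__ == "__main__":
    print(validate_ciphers("352F0A0504"))         # ['35', '2F', '0A', '05', '04']
    print(negotiate("352F0A0504", ["0A", "2F"]))  # 2F: server order wins over client order
    print(negotiate("352F0A0504", ["09", "03"]))  # None: no 128-bit suite in common
```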