Changes to system initialization parameters

There are new and changed system initialization parameters for the improvements to Internet security. The changed parameters are:

ENCRYPTION={STRONG|WEAK|MEDIUM}
Specifies the cipher suites that CICS® uses for secure TCP/IP connections. For compatibility with previous releases, ENCRYPTION=NORMAL is accepted as an equivalent to ENCRYPTION=MEDIUM.
STRONG
Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 04 | RC4 | 128 bits | MD5 |
| 05 | RC4 | 128 bits | SHA |
| 06 | RC2 | 40 bits | MD5 |
| 09 | DES | 56 bits | SHA |
| 0A | Triple DES | 168 bits | SHA |
| 2F | AES | 128 bits | SHA |
| 35 | AES | 256 bits | SHA |
The terms used in this table are:
MD5
Message Digest algorithm
SHA
Secure Hash algorithm
RC2, RC4
Rivest encryption
DES
Data Encryption Standard
Triple DES
DES applied three times
AES
Advanced Encryption Standard
WEAK
Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 06 | RC2 | 40 bits | MD5 |
The terms used in this table are:
MD5
Message Digest algorithm
SHA
Secure Hash algorithm
RC2, RC4
Rivest encryption
MEDIUM
Specifies that CICS should use only the following cipher suites:
| Cipher suite | Encryption algorithm | Key length | MAC algorithm |
|---|---|---|---|
| 01 | No encryption | | MD5 |
| 02 | No encryption | | SHA |
| 03 | RC4 | 40 bits | MD5 |
| 06 | RC2 | 40 bits | MD5 |
| 09 | DES | 56 bits | SHA |
The terms used in this table are:
MD5
Message Digest algorithm
SHA
Secure Hash algorithm
RC2, RC4
Rivest encryption
DES
Data Encryption Standard
The parameter SSLTCBS is obsolete. Use the following new parameter instead:
MAXSSLTCBS={8|number}
Specifies the maximum number of S8 TCBs that can run in the SSL pool. The default is 8, but you can specify up to 1024 TCBs.

The new system initialization parameters are:

CRLPROFILE=profilename
Specifies the name of the RACF profile that CICS should use to access the LDAP server that contains certificate revocation lists (CRLs). Specifying this parameter means that CICS checks each client certificate during the SSL negotiation for a revoked status. If the certificate is revoked, CICS closes the connection immediately.
SSLCACHE={CICS|SYSPLEX}
Specifies whether SSL is to use local or sysplex caching of session IDs. Sysplex caching is useful where multiple CICS socket-owning regions accept SSL connections at the same IP address.
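
The following audit script is an added example, not IBM code: it reads a set of system initialization overrides and reports which cipher suites the chosen ENCRYPTION level permits below a key-length threshold, along with use of the obsolete SSLTCBS, an out-of-range MAXSSLTCBS, and a missing CRLPROFILE. The override layout (KEYWORD=value pairs separated by commas or newlines, `*` for comment lines), the 128-bit threshold, and the names `parse_sit` and `audit` are assumptions made for illustration.

```python
import re

# Suite code -> key length in bits (0 = no encryption), from the tables on this page.
SUITES = {"01": 0, "02": 0, "03": 40, "04": 128, "05": 128,
          "06": 40, "09": 56, "0A": 168, "2F": 128, "35": 256}
LEVELS = {"WEAK": ["01", "02", "03", "06"],
          "MEDIUM": ["01", "02", "03", "06", "09"],
          "STRONG": list(SUITES)}

# Constructed sample overrides, not taken from a real region.
SAMPLE = """\
* assumed comment line
ENCRYPTION=NORMAL,
SSLTCBS=16,
MAXSSLTCBS=2048
"""

def parse_sit(text):
    """Collect KEYWORD=value pairs separated by commas or newlines (assumed layout)."""
    params = {}
    for line in text.splitlines():
        if line.startswith("*"):  # assumed comment marker
            continue
        for key, value in re.findall(r"([A-Za-z0-9]+)=([^,\s]+)", line):
            params[key.upper()] = value.upper()
    return params

def audit(text, min_bits=128):
    """Return (suite codes below min_bits that the level permits, findings)."""
    p, findings = parse_sit(text), []
    level = p.get("ENCRYPTION", "(unset)")
    if level == "NORMAL":  # accepted as an equivalent to MEDIUM
        level = "MEDIUM"
    if level not in LEVELS:
        findings.append(f"ENCRYPTION={level}: cipher suites cannot be determined")
    weak = [c for c in LEVELS.get(level, []) if SUITES[c] < min_bits]
    if weak:
        findings.append(f"ENCRYPTION={level} permits suites below {min_bits} bits: {' '.join(weak)}")
    if "SSLTCBS" in p:
        findings.append("SSLTCBS is obsolete; use MAXSSLTCBS")
    n = p.get("MAXSSLTCBS", "8")  # the default is 8
    if not n.isdigit() or int(n) > 1024:
        findings.append(f"MAXSSLTCBS={n} is not a number up to 1024")
    if "CRLPROFILE" not in p:
        findings.append("CRLPROFILE not set: no CRL check during SSL negotiation")
    return weak, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

Run against ENCRYPTION=STRONG, the same five sub-128-bit suites are reported as for MEDIUM, because the STRONG list on this page contains every suite in the MEDIUM list.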