Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3
I don't think you're going to be able to "hack in" support for higher TLS levels. I think you've got a couple near-term options, not necessarily mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to handle the network connectivity, and connect them to your existing CICS TS 3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I write this, CICS TS Version 5.6 is the latest generally available release, and it is compatible with your currently installed z/OS release. Broadly, generally speaking this means upgrading some or all of the CICS "Terminal Owning Regions" ("TORs") while leaving "Application Owning Regions" ("AORs") temporarily backlevel if you must. The exact details depend on your particular CICS deployment. If you're using CICS's own TLS support, that's currently up to TLS 1.2. CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 1.2, but I cannot think of any reason why you'd pick something prior to the current release in this role. IBM ended Single Version Charge (SVC) restrictions in 2017, so there should be no additional charge to run both (or multiple) CICS releases as long as you need to. Check with "your friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 blithely assumes that the connections are unencrypted. The documentation for newer CICS TS releases includes some information on migrating from CICS TLS to z/OS AT-TLS, and probably that information will be reasonably useful if you attempt the same with CICS TS 3.1. Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only official/supported way to get TLS 1.3 with CICS TS. IBM's published benchmarks suggest that z/OS AT-TLS is slightly more efficient than CICS-configured TLS, but results may vary.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
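As an added illustration of option B above (this is not part of Timothy's post or of any IBM documentation), here is the shape of an AT-TLS policy that terminates TLS 1.2 in front of a CICS TS 3.1 listener that has no idea TLS is in play. The port (4430), the CICS job name (CICSTOR1), the keyring (CICSUSER/CICSRING) and the rule/action names are assumptions; the statement keywords are the standard TTLS policy statements, but verify the exact syntax for your release against the z/OS Communications Server IP Configuration Reference before deploying.

```text
# Added example, not from the thread. Names, port and keyring are assumptions.
# Policy Agent (PAGENT) TTLS policy: inbound TLS 1.2 only, in front of CICS.

TTLSRule                            CICSTOR1-Inbound
{
  LocalPortRange                    4430        # port of the CICS TCPIPSERVICE
  Jobname                           CICSTOR1    # scope the rule to the CICS region
  Direction                         Inbound
  Priority                          255
  TTLSGroupActionRef                grp-CICS
  TTLSEnvironmentActionRef          env-CICSTOR1
}

TTLSGroupAction                     grp-CICS
{
  TTLSEnabled                       On
  Trace                             2           # errors only; raise while debugging
}

TTLSEnvironmentAction               env-CICSTOR1
{
  HandshakeRole                     Server
  TTLSKeyringParms
  {
    Keyring                         CICSUSER/CICSRING   # assumed userid/ring
  }
  TTLSCipherParmsRef                cipher-CICS
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled           Off   # CICS 3.1 never calls the SIOCTTLSCTL ioctl
    SSLv2                           Off
    SSLv3                           Off
    TLSv1                           Off
    TLSv1.1                         Off
    TLSv1.2                         On
#   TLSv1.3                         On    # only meaningful on z/OS 2.4 or later
  }
}

TTLSCipherParms                     cipher-CICS
{
  # Weak setting to avoid: leaving V3CipherSuites unspecified (System SSL
  # defaults) or listing RC4/3DES/SHA1 CBC suites. Prefer AEAD suites with
  # ephemeral key exchange:
  V3CipherSuites                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

For this to do anything, the TCP/IP stack must have `TCPCONFIG TTLS` in its profile and PAGENT must be running with this policy loaded; `pasearch -t` will show whether the rule is active. The CICS TCPIPSERVICE for that port stays defined with SSL(NO), since the region sees cleartext after AT-TLS decrypts it. On z/OS 2.3 leave the TLSv1.3 line commented out, as the post says: it is a z/OS 2.4 feature, and a policy that the older release cannot parse will fail to load rather than silently degrade.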
Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3
You can specify the ciphers in a USS .xml file; the path is set by USSCONFIG and the file name is in the CICS CIPHERS parameter (which can be a list of 2-digit cipher codes or the file name).

Good luck; CICS 3.1 is 5 years out of support, so it won't have PTFs for anything newer in TLS. Most likely the ciphers you are trying to use are not supported once out of service.

On Fri, Sep 4, 2020 at 4:15 AM Gibney, Dave wrote:
> First of all, I know that CICS 3.1 is very far and away out of service. My CICS Sysprog retired over a decade ago; I only fake knowledge of CICS when it becomes a necessity.
> SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This is a good thing security-wise. But I can't seem to specify TLS 1.2 or 1.3 ciphers via the 3.1 CEDA panels.
> I am thinking I might be able to slip in around the CICS definitions via gsk environment variables.
> I am asking for your collective thoughts and suggestions.
>
> Widely x-posted
>
> Dave Gibney
> Information Technology Services
> Washington State University
z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3
First of all, I know that CICS 3.1 is very far and away out of service. My CICS Sysprog retired over a decade ago; I only fake knowledge of CICS when it becomes a necessity.

SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This is a good thing security-wise. But I can't seem to specify TLS 1.2 or 1.3 ciphers via the 3.1 CEDA panels.

I am thinking I might be able to slip in around the CICS definitions via gsk environment variables.

I am asking for your collective thoughts and suggestions.

Widely x-posted

Dave Gibney
Information Technology Services
Washington State University