Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-04 Thread Timothy Sipples
I don't think you're going to be able to "hack in" support for higher TLS 
levels. I think you've got a couple of near-term options, not necessarily 
mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to 
handle the network connectivity, and connect them to your existing CICS TS 
3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I 
write this, CICS TS Version 5.6 is the latest generally available release, 
and it is compatible with your currently installed z/OS release. Broadly, 
generally speaking this means upgrading some or all of the CICS "Terminal 
Owning Regions" ("TORs") while leaving "Application Owning Regions" 
("AORs") temporarily backlevel if you must. The exact details depend on 
your particular CICS deployment.

If you're using CICS's own TLS support, that's currently up to TLS 1.2. 
CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 
1.2, but I cannot think of any reason why you'd pick something prior to 
the current release in this role. IBM ended Single Version Charge (SVC) 
restrictions in 2017, so there should be no additional charge to run both 
(or multiple) CICS releases as long as you need to. Check with "your 
friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 
blithely assumes that the connections are unencrypted. The documentation 
for newer CICS TS releases includes some information on migrating from 
CICS TLS to z/OS AT-TLS, and probably that information will be reasonably 
useful if you attempt the same with CICS TS 3.1.

Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 
you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only 
official/supported way to get TLS 1.3 with CICS TS. IBM's published 
benchmarks suggest that z/OS AT-TLS is slightly more efficient than 
CICS-configured TLS, but results may vary.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
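As an added illustration of option B (this is not from the thread, and not an IBM-supplied sample), the following is the shape of a z/OS Communications Server AT-TLS policy that terminates TLS in front of a CICS region which itself believes the connection is plaintext. The port (8443), the region jobname (CICSTOR1), the keyring name (CICSRING) and the cipher selection are assumptions chosen for the example; as the post above notes, the TLSv1.3 parameter is only honoured by z/OS 2.4 AT-TLS.

```text
# Added example, not IBM documentation: AT-TLS policy fragment for a
# CICS TS 3.1 region that is unaware of TLS. Jobname, port and keyring
# are assumed values.
TTLSRule                            CICS31_Inbound
{
  LocalPortRange                    8443
  Direction                         Inbound
  Jobname                           CICSTOR1
  TTLSGroupActionRef                grpCICS
  TTLSEnvironmentActionRef          envCICS
}

TTLSGroupAction                     grpCICS
{
  TTLSEnabled                       On
  # 2 = errors only; raise temporarily while bringing the policy up
  Trace                             2
}

TTLSEnvironmentAction               envCICS
{
  HandshakeRole                     Server
  TTLSKeyringParmsRef               keyCICS
  TTLSCipherParmsRef                cipherCICS
  TTLSEnvironmentAdvancedParmsRef   advCICS
}

TTLSKeyringParms                    keyCICS
{
  Keyring                           CICSRING
}

TTLSEnvironmentAdvancedParms        advCICS
{
  # CICS TS 3.1 never issues the AT-TLS ioctl, so the stack must drive
  # the handshake itself (ApplicationControlled Off).
  ApplicationControlled             Off
  SSLv2                             Off
  SSLv3                             Off
  TLSv1                             Off
  TLSv1.1                           Off
  TLSv1.2                           On
  # Accepted by z/OS 2.4 AT-TLS only; z/OS 2.3 stops at TLS 1.2
  TLSv1.3                           On
}

TTLSCipherParms                     cipherCICS
{
  # TLS 1.3 suites first, then TLS 1.2 AEAD suites with forward secrecy
  V3CipherSuites                    TLS_AES_256_GCM_SHA384
  V3CipherSuites                    TLS_AES_128_GCM_SHA256
  V3CipherSuites                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

Two practical checks go with a policy like this. First, the CICS TCPIPSERVICE listening on that port has to be defined with SSL(NO), because the region sees cleartext once the stack has decrypted it; leaving CICS-side TLS enabled as well would make the two layers fight over the handshake. Second, confirm that the rule is actually being matched (`pasearch -t` lists the active AT-TLS policy, and the Policy Agent and TCP/IP job logs report the rule applied to each connection when tracing is raised), since a rule whose Jobname or port does not match silently leaves the listener unprotected.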


Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Attila Fogarasi
You can specify the ciphers in a USS .xml file, the path is set by
USSCONFIG and the file name is in the CICS CIPHERS parameter (which can be
a list of 2 digit cipher codes or the file name).  Good luck; CICS 3.1 is 5
years out of support so it won't have PTFs for anything newer in TLS.  Most
likely the ciphers you are trying to use are not supported once out of
service.

On Fri, Sep 4, 2020 at 4:15 AM Gibney, Dave wrote:

>   First of all, I know that CICS 3.1 is very far and away out of
> service. My CICS Sysprog retired over a decade ago, I only fake knowledge
> of CICS when it becomes a necessity.
> SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This
> is a good thing security-wise. But, I can't seem to specify TLS 1.2 or 1.3
> ciphers via the 3.1 CEDA panels.
> I am thinking I might be able to slip in around the CICS definitions via
> gsk environment variables.
>   I am asking for your collective thoughts and suggestions.
>
> Widely x-posted
>
> Dave Gibney
> Information Technology Services
> Washington State University
>



z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Gibney, Dave
  First of all, I know that CICS 3.1 is very far and away out of service. My 
CICS Sysprog retired over a decade ago, I only fake knowledge of CICS when it 
becomes a necessity.
SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This is a 
good thing security-wise. But, I can't seem to specify TLS 1.2 or 1.3 ciphers 
via the 3.1 CEDA panels.
I am thinking I might be able to slip in around the CICS definitions via gsk 
environment variables.
  I am asking for your collective thoughts and suggestions.

Widely x-posted

Dave Gibney
Information Technology Services
Washington State University

