SSL for CICS using server certificate
1. Follow - Create an HFS KEYRING File
2. Follow - Create a Self-signed Certificate if a Trusted CA is Not Available
3. Follow - Create a Server Certificate
Note
When creating the Server Certificate, pay special attention to the label name. It is not required, but it is better to give the label the same name as the first part of the host name: https://cics14.bluezonesoftware.com would have a label of cics14. If the two match, a dialog box is avoided when the URL is accessed.
4. On the PC, locate the Signing CA certificate and FTP it to an MVS dataset on the mainframe, using binary or ASCII mode depending on which option was used when the certificate was exported.
5. On MVS, go to ISPF option 6 (ISPF Command Shell) and issue the RACF commands:
a. RACDCERT ID(CICS USERID) ADDRING(RINGNAME)
b. RACDCERT ID(CICS USERID) CONNECT(CERTAUTH LABEL('Signing CA label') RING(RINGNAME))
c. RACDCERT ID(CICS USERID) CONNECT(LABEL('Server label') RING(RINGNAME))
6. Edit the CICS SIP file:
a. ENCRYPTION=NORMAL (56 bit) or ENCRYPTION=STRONG (168 bit),
b. KEYRING=RINGNAME,
c. SSLDELAY=600,
d. SSLTCBS=8,
7. Change the CICS startup JCL so that the SSL SGSKLOAD data set is available through STEPLIB or JOBLIB, unless it is already listed in the LNKLST IPL parameter.
8. For the CICS TCPIPSERVICE resource:
a. Set the port number. 684 is the well-known port.
b. Set the SSL property to YES
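A check for the step 6 settings, as an added example that is not part of the original procedure: it parses a copy of the SIP overrides and reports missing SSL parameters, an ENCRYPTION value other than STRONG, and a KEYRING that differs from the ring built in step 5. The KEYWORD=VALUE layout with "*" comment lines and a ".END" terminator, the function names and the sample input are assumptions of this example.

```python
import re

# The four parameters step 6 sets; treating anything below STRONG as a finding
# is this example's policy, not a statement from the procedure.
REQUIRED = ("ENCRYPTION", "KEYRING", "SSLDELAY", "SSLTCBS")

def parse_sip(text):
    """Parse KEYWORD=VALUE overrides; '*' lines are comments, '.END' stops."""
    params = {}
    for raw in text.splitlines():
        line = raw[:72].strip()  # assumption: columns 73-80 hold sequence numbers
        if not line or line.startswith("*"):
            continue
        if line.upper().startswith(".END"):
            break
        for item in line.split(","):
            m = re.fullmatch(r"\s*([A-Za-z0-9$@#]+)\s*=\s*(.*?)\s*", item)
            if m:
                params[m.group(1).upper()] = m.group(2)
    return params

def check_ssl_params(params, expected_ring):
    """Return a list of findings; an empty list means the settings pass."""
    findings = [f"{key} is not set" for key in REQUIRED if key not in params]
    enc = params.get("ENCRYPTION", "").upper()
    if enc and enc != "STRONG":
        findings.append(f"ENCRYPTION={enc} allows ciphers weaker than 168 bit")
    ring = params.get("KEYRING")
    if ring is not None and ring != expected_ring:
        findings.append(f"KEYRING={ring} does not match RACF ring {expected_ring}")
    for key in ("SSLDELAY", "SSLTCBS"):
        val = params.get(key)
        if val is not None and not val.isdigit():
            findings.append(f"{key}={val} is not numeric")
    return findings

# Constructed sample input, not taken from a real CICS region.
SAMPLE_SIP = """\
* SSL overrides for the region
ENCRYPTION=NORMAL,
KEYRING=RINGNAME,
SSLDELAY=600,
.END
"""

if __name__ == "__main__":
    for finding in check_ssl_params(parse_sip(SAMPLE_SIP), "RINGNAME"):
        print("FINDING:", finding)
```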