SSL for CICS using server certificate

  1. Create an HFS KEYRING file. Refer to Creating HFS KEYRING files for more information.
  2. Create a self-signed certificate if a trusted CA is not available. Refer to Creating self-signed certificates for more information.
  3. Create a server certificate. Refer to Creating server certificates for more information.
    Note: When creating the server certificate, the label name needs attention. It is not required, but it is better to name the label after the first component of the host name: https://cics14.bluezonesoftware.com would have a label of cics14. When the two match, the dialog box that otherwise appears when the URL is accessed is eliminated.
  4. On the PC, locate the signing CA certificate and FTP it to an MVS dataset on the mainframe, using binary or ASCII transfer mode depending on which option was used when the certificate was exported.
  5. On MVS, select ISPF option 6, ISPF Command Shell, and issue the following RACF commands:
    • RACDCERT ID(CICS USERID) ADDRING(RINGNAME)
    • RACDCERT ID(CICS USERID) CONNECT(CERTAUTH LABEL('Signing CA label') RING(RINGNAME))
    • RACDCERT ID(CICS USERID) CONNECT(LABEL('Server label') RING(RINGNAME))
  6. Edit the CICS SIP file as follows:
    1. ENCRYPTION=NORMAL (56-bit) or ENCRYPTION=STRONG (168-bit),
    2. KEYRING=RINGNAME,
    3. SSLDELAY=600,
    4. SSLTCBS=8,
  7. Change the CICS startup JCL, making sure that the SSL SGSKLOAD dataset is available through STEPLIB or JOBLIB unless it is listed in the LNKLST IPL parameter.
  8. For the CICS TCPIPSERVICE resource:
    1. Set the port number. 684 is the well-known port.
    2. Set the SSL property to YES.
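Once the TCPIPSERVICE is installed, the following added example (not part of the original page) checks from the PC what the CICS port actually presents: that the chain verifies against the signing CA exported in step 4 and that the server certificate's CN matches the host label discussed in step 3. The host name, port and CA file name are assumptions; the transcript used for the offline run is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check what the CICS TCPIPSERVICE presents
# after steps 1-8. Two things from the procedure are verified: the chain validates against
# the signing CA that was FTP'd to the mainframe, and the server certificate's CN equals
# the host label (cics14 for cics14.bluezonesoftware.com), so no browser prompt appears.

# parse_s_client HOST  (transcript of `openssl s_client` on stdin)
# Prints a verdict; exit status 0 only when CN matches the label and the chain verified.
parse_s_client() {
  host="$1"
  label="${host%%.*}"          # first component of the host name
  transcript=$(cat)
  # OpenSSL 1.1+ prints "subject=CN = cics14"; older builds print "subject=/CN=cics14"
  cn=$(printf '%s\n' "$transcript" \
       | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/ *$//')
  rc=$(printf '%s\n' "$transcript" \
       | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  if [ -z "$cn" ] || [ -z "$rc" ]; then
    echo "FAIL: no subject or verify code in transcript"; return 2
  fi
  if [ "$rc" != "0" ]; then
    echo "FAIL: chain did not verify (return code $rc); is the signing CA in -CAfile?"; return 1
  fi
  if [ "$cn" != "$label" ]; then
    echo "WARN: certificate CN '$cn' differs from host label '$label'; browsers will prompt"; return 1
  fi
  echo "OK: CN '$cn' matches host label and chain verified"
}

# check_cics_tls HOST PORT CAFILE: live probe from the PC (assumed names; needs network).
check_cics_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -showcerts </dev/null 2>/dev/null \
    | parse_s_client "$1"
}

# Constructed transcript (not captured from a real system) so the check runs offline:
sample='subject=CN = cics14
issuer=CN = Signing CA
    Verify return code: 0 (ok)'
printf '%s\n' "$sample" | parse_s_client cics14.bluezonesoftware.com
# Live use, assumed values: check_cics_tls cics14.bluezonesoftware.com 684 signing-ca.pem
```

A non-zero verify return code (for example 21) means the signing CA was not supplied with -CAfile or is not the CA that actually signed the server certificate connected to the ring.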