IBM Support

CICSCM CCVXXMLC securing the Batch REXX Sockets API using AT-TLS

Question & Answer


Question

I need to ensure all my TCP/IP communications are encrypted when using CICS Configuration Manager for z/OS (CICS CM). How do I get the CICS CM TSO Batch REXX sample CCVXXMLC to secure and encrypt my communication to my CICS CM V5.2 server region that runs CICS Transaction Server for z/OS (CICS TS) V5.1?

I currently use the CCVSSL port with SSL when I access the ISPF dialog or CICS Explorer CM plugin, but when I run the sample CCVXXMLJ that invokes the CCVXXMLC REXX sample provided in SCCVSAMP, line 244 of the REXX sample says "Must NOT be SSL port".

Answer

Line 244 in the sample REXX procedure CCVXXMLC says "Must NOT be SSL port" because this procedure calls the CCVXXMLS REXX sample, which uses the z/OS Communications Server REXX Socket API. This API supports Application Transparent Transport Layer Security (AT-TLS). With AT-TLS, the TCP/IP stack performs the TLS handshake and encryption on behalf of the application, so the REXX code itself opens an ordinary socket. You therefore need to configure AT-TLS policy rules and use the non-SSL port for the CICS CM server.

Here is an example using the CICS CM TCPIPSERVICE for non-SSL port 01401 with policy rules for the CICS CM server and batch REXX client.

 #
 # Inbound connections to the CICS CM server region on port 1401
 TTLSRule                   CICSCM_1401_Server
 {
   LocalPortRange           1401
   Priority                 254
   Direction                Inbound
   TTLSGroupActionRef       Main_TTLS_Group
   TTLSEnvironmentActionRef Secure_CICSCM_Env
 }
 #
 # Outbound connections from the batch REXX client to port 1401
 TTLSRule                   CICSCM_1401_Client
 {
   LocalPortRange           0
   RemotePortRange          1401
   Priority                 255
   Direction                Outbound
   TTLSGroupActionRef       Main_TTLS_Group
   TTLSEnvironmentActionRef Secure_CICSCM_Client
 }
 #
 TTLSGroupAction            Main_TTLS_Group
 {
   TTLSEnabled              On
   # Trace 255 enables every AT-TLS trace level, not only errors
   Trace                    255
 }
 #
 TTLSEnvironmentAction      Secure_CICSCM_Env
 {
   HandshakeRole            Server
   Trace                    255
   # CtraceClearText On allows application data to be traced in cleartext
   CtraceClearText          On
   TTLSKeyRingParms
   {
     Keyring                CICSCM/CCMrng
   }
   # 35, 38, 39, 2F, 32 and 33 are AES-CBC suites; 0A, 16 and 13 are 3DES;
   # 15 and 12 are single-DES suites
   TTLSCipherParms
   {
     V3CipherSuites         35
     V3CipherSuites         38
     V3CipherSuites         39
     V3CipherSuites         2F
     V3CipherSuites         32
     V3CipherSuites         33
     V3CipherSuites         0A
     V3CipherSuites         16
     V3CipherSuites         13
     V3CipherSuites         15
     V3CipherSuites         12
   }
 }
 #
 TTLSEnvironmentAction      Secure_CICSCM_Client
 {
   HandshakeRole            Client
   Trace                    255
   CtraceClearText          On
   TTLSKeyRingParms
   {
     Keyring                CICSCM/CCMrng
   }
   TTLSCipherParms
   {
     V3CipherSuites         35
     V3CipherSuites         38
     V3CipherSuites         39
     V3CipherSuites         2F
     V3CipherSuites         32
     V3CipherSuites         33
     V3CipherSuites         0A
     V3CipherSuites         16
     V3CipherSuites         13
     V3CipherSuites         15
     V3CipherSuites         12
   }
 }

See Application Transparent Transport Layer Security (AT-TLS) in the z/OS Communications Server documentation for more information.
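
Before a policy like the one above goes into production, it is worth checking which cipher suites and trace settings each TTLSEnvironmentAction actually enables. The following is an added example, not part of the IBM document or of CICS CM: a small Python audit that maps the two-digit V3CipherSuites codes to their IANA names and reports DES/3DES suites and verbose trace settings. The function name `audit` and the trimmed `SAMPLE` policy are constructed for illustration, and only the two-digit hex form of V3CipherSuites used on this page is handled.

```python
# IANA names for the two-digit hex codes that appear in the policy above.
SUITES = {
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "12": "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "13": "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "15": "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "16": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "32": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA", "38": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed sample: a trimmed copy of one environment action from the page.
SAMPLE = """
TTLSEnvironmentAction Secure_CICSCM_Env
{
  HandshakeRole Server
  Trace 255
  CtraceClearText On
  TTLSCipherParms
  {
    V3CipherSuites 35
    V3CipherSuites 0A
    V3CipherSuites 15
  }
}
"""

def audit(policy):
    """Return {environment_action_name: [findings]} for an AT-TLS policy text."""
    findings, current = {}, None
    for raw in policy.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(words) < 2:
            continue                           # braces, block names, blank lines
        key, value = words[0], words[1]
        if key == "TTLSEnvironmentAction":
            current = findings.setdefault(value, [])
        elif key in ("TTLSRule", "TTLSGroupAction"):
            current = None                     # left the environment action
        elif current is None:
            continue
        elif key == "V3CipherSuites":
            name = SUITES.get(value.upper(), "unknown")
            if "_DES_" in name:
                current.append(f"{value}: {name} (56-bit DES)")
            elif "3DES" in name:
                current.append(f"{value}: {name} (3DES, 64-bit block)")
        elif key == "CtraceClearText" and value.lower() == "on":
            current.append("CtraceClearText On (cleartext data can be traced)")
        elif key == "Trace" and value == "255":
            current.append("Trace 255 (all trace levels enabled)")
    return findings
```

Run against the full policy on this page, it reports codes 0A, 16 and 13 (3DES) and 15 and 12 (single DES) for both environment actions, together with the Trace 255 and CtraceClearText On settings.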


Product Synonym

CICSCM CICS CM

Document Information

Modified date:
29 September 2016

UID

dwa1282495