IBM Support

PM97207: APAR TO DELIVER CICS CAPABILITY FOR NIST SP800-131A COMPLIANCE FOR TCPIPSERVICE, URIMAP AND IPCONN RESOURCES

A fix is available


APAR status

  • Closed as new function.

Error description

  • APAR to deliver CICS capability for NIST SP800-131A
    compliance for TCPIPSERVICE, URIMAP and IPCONN resources
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: This APAR delivers CICS capability for  *
    *                      NIST SP800-131A compliance when using   *
    *                      TCPIPSERVICE, URIMAP, IPCONN and        *
    *                      outbound HTTP requests with SSL.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    This APAR extends the CICS sockets domain to support TLS 1.1 and
    TLS 1.2. Previously the sockets domain supported only SSL V3 and
    TLS 1.0.
    
    This APAR also provides support for a new sockets domain SSL
    environment which is suitable for implementing the National
    Institute of Standards and Technology (NIST) Special Publication
    (SP) 800-131A guidelines document.
    

Problem conclusion

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

  • CICS sockets domain is changed to support TLS 1.1 and TLS 1.2.
    Previously CICS sockets domain only supported SSL V3 and
    TLS 1.0.
    
    The two new protocols can be used alongside the older ones by
    setting the ENCRYPTION system initialization parameter to the
    new value ENCRYPTION=ALL.
    
    Alternatively, TLS 1.2 can be activated on its own, with the
    lower-level protocols disabled, by using another new ENCRYPTION
    value, ENCRYPTION=TLS12FIPS. This option also activates FIPS
    processing mode in the SSL environment established by CICS.
    
    Using ENCRYPTION=TLS12FIPS creates an environment in which a
    CICS system can be configured to comply with the NIST SP800-131A
    guidelines document.
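    Setting ENCRYPTION=TLS12FIPS is only half the job; a practitioner
    also wants to see from the outside that the listening port now
    refuses TLS 1.0 and TLS 1.1 and selects a SHA-2 suite. The probe
    below is an added example written for this write-up, not IBM or
    CICS code. It hand-builds one ClientHello per protocol version and
    classifies the first record the server sends back (ServerHello,
    Alert, or a dropped connection). The cipher-suite numbers and names
    are taken from the IANA TLS parameters registry; which suites the
    shipped fipsciphers.xml actually lists is not asserted, and the
    host and port are whatever TCPIPSERVICE you point it at. The two
    sample replies at the bottom are constructed, not captured from a
    CICS region, so the parser can be exercised offline.

```python
"""Minimal TLS probe for checking what a CICS TCPIPSERVICE port really
negotiates once ENCRYPTION=TLS12FIPS (or ALL / STRONG) is in effect.

Added example; not IBM or CICS code. It sends one hand-built ClientHello
per protocol version and classifies the first record returned, so the
refusal of TLS 1.0/1.1 and the chosen TLS 1.2 suite are visible directly.
"""
import socket
import struct
import sys

RECORD_HANDSHAKE = 0x16        # TLS record content types (RFC 5246)
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01         # handshake message types
HS_SERVER_HELLO = 0x02

TLS_VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# IANA cipher-suite numbers offered by the probe. The first four are TLS 1.2
# SHA-2 suites of the kind an SP 800-131A deployment would be expected to use;
# the last is a SHA-1 suite included so a FIPS-mode server can be seen to
# avoid it. Which suites CICS's own fipsciphers.xml lists is not asserted here.
SUITES = {
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(version, suites, client_random=b"\x00" * 32):
    """Return one TLS record carrying a ClientHello for `version` (16-bit
    protocol number) offering exactly `suites`, with no extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", version)                       # client_version
        + client_random                                  # 32-byte random
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # null compression only
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 3.1; the version being requested is in the body.
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record of a server reply.

    Returns one of:
      ("server_hello", version_name, suite_name)
      ("alert", alert_description, None)
      ("closed", None, None)   - server dropped the connection instead of alerting
      ("unknown", None, None)
    """
    if not data:
        return ("closed", None, None)
    if len(data) < 5:
        return ("unknown", None, None)
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rec_len]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        return ("alert", ALERT_DESCRIPTIONS.get(payload[1], str(payload[1])), None)
    if ctype != RECORD_HANDSHAKE or len(payload) < 4 or payload[0] != HS_SERVER_HELLO:
        return ("unknown", None, None)
    hs = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]     # followed by 32 bytes of server random
    sid_len = hs[34]
    suite = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
    return ("server_hello", VERSION_NAMES.get(version, hex(version)),
            SUITES.get(suite, hex(suite)))


def probe(host, port, version, suites=tuple(SUITES), timeout=5.0):
    """Send one ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, suites))
        return parse_server_response(s.recv(4096))


def probe_all(host, port):
    """One probe per protocol version. With ENCRYPTION=TLS12FIPS only TLS1.2
    should come back as server_hello; with ENCRYPTION=ALL all three should."""
    return {name: probe(host, port, ver) for name, ver in TLS_VERSIONS.items()}


# Constructed sample replies (not captured from a real CICS region) so the
# parser can be exercised offline.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x2a"                       # handshake record, 42 bytes
    + b"\x02\x00\x00\x26"                         # ServerHello, 38-byte body
    + b"\x03\x03" + b"\x11" * 32 + b"\x00"        # TLS 1.2, random, no session id
    + b"\x00\x3c" + b"\x00"                       # suite 0x003C, null compression
)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x46"    # fatal protocol_version (70)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        for name, result in probe_all(sys.argv[1], int(sys.argv[2])).items():
            print(f"{name}: {result}")
    else:
        print(parse_server_response(SAMPLE_SERVER_HELLO))
        print(parse_server_response(SAMPLE_ALERT))
```

    Run it as `python tlsprobe.py <host> <port>` against the SSL
    TCPIPSERVICE. Under ENCRYPTION=TLS12FIPS the expected picture is a
    protocol_version or handshake_failure alert (or a closed socket, which
    some stacks send instead of an alert) for TLS1.0 and TLS1.1, and a
    server_hello naming a SHA-256/SHA-384 suite for TLS1.2; if a SHA-1
    suite such as 0x002F is ever selected, the cipher file in use is not
    the FIPS one.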
    
    In order to exploit the extended set of cipher suites which TLS
    1.2 supports, CICS is further enhanced to provide a new way of
    specifying CIPHERS for the following 3 CICS resource
    definitions :-
    
    IPCONN
    TCPIPSERVICE
    URIMAP
    
    The CIPHERS option of these 3 resources can now optionally
    contain the name of a CIPHERS file held on zFS.
    The TCPIPSSLCIPHERS option of the CPSM WUI can also contain
    the name of a CIPHERS file.
    
    The CIPHERS option of the EXEC CICS WEB OPEN command does not
    accept a CIPHERS file name. An EXEC CICS WEB OPEN must reference
    a URIMAP in order to exploit support for CIPHERS files.
    
    CICS is providing 3 sample CIPHERS files in the following new
    zFS sub-directory
    
    USSHOME/security/ciphers
    
    These files are named :-
    
    strongciphers.xml   - designed for use with ENCRYPTION=STRONG
    allvalidciphers.xml - designed for use with ENCRYPTION=ALL
    fipsciphers.xml     - designed for use with ENCRYPTION=TLS12FIPS
    
    Additionally, a new SIT option is created called USSCONFIG.
    The USSCONFIG system initialization parameter specifies the name
    and path of the root directory for CICS Transaction Server
    configuration files on z/OS UNIX.
    
    CICS searches directory USSCONFIG/security/ciphers for CIPHERS
    files when a CICS resource definition references a CIPHERS file
    name.
    This means that setting USSCONFIG to the same value as USSHOME
    lets CICS locate the 3 new sample CIPHERS files.
    A CIPHERS file name such as 'fipsciphers.xml' is limited to
    28 characters.
    
    Additionally, the REXX sample DFH$RING, which is used to
    generate a RACF KEYRING and populate it with self-signed
    certificates, has been enhanced.
    DFH$RING now generates a new certificate authority (CERTAUTH)
    certificate which is a 2048-bit RSA certificate. This is used to
    sign a 2048-bit RSA PERSONAL certificate which is suitable for
    use with IPCONN, TCPIPSERVICE, URIMAP and the CERTIFICATE
    option of the EXEC CICS WEB OPEN command. This key strength
    complies with the NIST SP800-131A standard.
    
    
    A number of documentation updates have been made to the CICS
    Transaction Server for z/OS Version 5 Release 1 manuals and
    Information Center in support of this APAR. The changes should
    be available by the end of December 2013.
    
    Please see the following Information Center link for an overview
    of the extended cryptographic support provided by this APAR :-
    
     What's new > Foundational enhancements >
     Extended support for cryptographic standards
    
     http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic/com.ibm.cics.ts.whatsnew.doc/found_crypto/dfhe4_overview.html
    
    Please see the following Information Center link for an overview
    of making your CICS system comply with NIST SP800-131A :-
    
     Securing > Security for TCP/IP clients >
     Configuring CICS to use SSL >
     Making your CICS TS system compliant with NIST SP800-131A
    
     http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic/com.ibm.cics.ts.doc/dfht5/topics/dfht5_tls12fips.html
    

APAR Information

  • APAR number

    PM97207

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-17

  • Closed date

    2013-12-09

  • Last modified date

    2015-03-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI13353 UI13354 UI13355 UI13356 UI13357 UI13358

Modules/Macros

  • DFHLEPT@ DFHSOGH@ DFHWBCLH
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R80D PSY UI13354

       UP13/12/14 P F312

  • R80M PSY UI13355

       UP13/12/14 P F312

  • R800 PSY UI13353

       UP13/12/14 P F312

  • R801 PSY UI13356

       UP13/12/14 P F312

  • R802 PSY UI13357

       UP13/12/14 P F312

  • R803 PSY UI13358

       UP13/12/14 P F312


