3.3.2 Securing Inbound Services to Add TLS Support
The TMA TCP for CICS inbound flow uses the IBM Sockets for CICS Listener. Follow these steps to enable TLS support.

- Configure and enable mutual TLS (SSL) on the client side.
- Enable the GETTID (Get AT-TLS ID) parameter so that the listener obtains client certificates and user IDs from AT-TLS: set it to YES in the IBM listener configuration via the EZAC transaction. When the status is ENABLED, the listener can obtain client certificates and user IDs through AT-TLS enabled in the TCP/IP stack.
- Make sure both client and server certificates are checked, so that authentication is two-way:
  - The CICS keyring must contain both the client and the server certificates.
  - The Tuxedo wallet must contain both the client and the server certificates.
- Define and load the AT-TLS inbound rule (CICS_SERVER) in the policy agent for the port configured on the IBM Listener, following the listing below. The TTLSEnvironmentAction must specify HandshakeRole as ServerWithClientAuth with ApplicationControlled set to Off.
Listing: Sample reference for TTLSEnvironmentAction, HandshakeRole and ApplicationControlled

    TTLS Condition Summary:          NegativeIndicator: Off
      Local Address:
        FromAddr: All
        ToAddr: All
      Remote Address:
        FromAddr: All
        ToAddr: All
      LocalPortFrom: 3010            LocalPortTo: 3010
      RemotePortFrom: 0              RemotePortTo: 0
      JobName:
      UserId:
      ServiceDirection: Inbound
    HandshakeRole: ServerWithClientAuth
    SuiteBProfile: Off
    TTLSKeyringParms:
      Keyring: SYSCICS/CICSRING
    TTLSEnvironmentAdvancedParms:
      SSLv2: Off
      SSLv3: Off
      TLSv1: Off
      TLSv1.1: Off
      TLSv1.2: On
      TLSv1.3: Off
      MiddleBoxCompatMode: Off
      ApplicationControlled: Off
Figure 3-3 Sample Inbound AT-TLS rule - from IBM’s IP CICS Sockets Guide
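The summary above is what the policy agent reports once the rule is loaded; the policy statements that produce it are shown here as an added example, not taken from the IBM guide or from the TMA product documentation. The rule name CICS_SERVER, the port 3010 and the keyring SYSCICS/CICSRING come from the listing; the action names CICS_GROUP and CICS_ENV are assumed, and ClientAuthType SAFCheck is an assumed choice that makes AT-TLS reject any client certificate not mapped to a SAF user ID, which is what the listener needs when it fetches user IDs via GETTID.

```text
# Added example: AT-TLS policy for the inbound CICS listener port.
# Names CICS_GROUP / CICS_ENV are assumptions, not values from the guide.
TTLSRule CICS_SERVER
{
  LocalPortRange            3010          # port configured on the IBM Listener
  Direction                 Inbound
  TTLSGroupActionRef        CICS_GROUP
  TTLSEnvironmentActionRef  CICS_ENV
}

TTLSGroupAction CICS_GROUP
{
  TTLSEnabled               On
}

TTLSEnvironmentAction CICS_ENV
{
  HandshakeRole             ServerWithClientAuth   # required: two-way authentication
  TTLSKeyringParms
  {
    Keyring                 SYSCICS/CICSRING       # must hold client and server certificates
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled   Off          # the listener does not drive the handshake itself
    ClientAuthType          SAFCheck     # assumed: certificate must map to a SAF user ID
    SSLv2                   Off
    SSLv3                   Off
    TLSv1                   Off
    TLSv1.1                 Off
    TLSv1.2                 On
    TLSv1.3                 Off
    MiddleBoxCompatMode     Off
  }
}
```

After loading the policy, verify with the policy agent search utility that the rule matches the listener port, shows ServiceDirection Inbound and HandshakeRole ServerWithClientAuth, and that only TLSv1.2 is On; a rule whose HandshakeRole is plain Server will complete the handshake without ever receiving the client certificate the listener expects from GETTID.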
