3.3.3 Securing Outbound Services to Add TLS Support
The outbound flow of TMA TCP for CICS uses the CICS Socket interface. Follow these steps to enable TLS Support for outbound flow.
- Configure and enable mutual TLS on the server side (see SSL). Certificates must be set up on both the client and server sides to enable two-way authentication:
  - The CICS keyring must contain the client and server certificates.
  - The Tuxedo wallet must contain the client and server certificates.
- Define and load an AT-TLS outbound rule (CICS_CLIENT) in the policy agent for the remote address and remote port range. The TTLSEnvironmentAction statement in the AT-TLS CICS_CLIENT rule must specify HandshakeRole as Client, and ApplicationControlled must be Off.
Listing: Sample reference for TTLSEnvironmentAction, HandshakeRole, ApplicationControlled

    TTLS Condition Summary:           NegativeIndicator: Off
      Local Address:
        FromAddr:       All
        ToAddr:         All
      Remote Address:
        FromAddr:       111.111.111.111
        ToAddr:         111.111.111.111
      LocalPortFrom:    0               LocalPortTo:    0
      RemotePortFrom:   1111            RemotePortTo:   1111
      JobName:                          UserId:
      ServiceDirection: Outbound
    HandshakeRole:                      Client
    SuiteBProfile:                      Off
    TTLSKeyringParms:
      Keyring:          SYSCICS/CICSRING
    TTLSEnvironmentAdvancedParms:
      SSLv2:            Off
      SSLv3:            Off
      TLSv1:            Off
      TLSv1.1:          Off
      TLSv1.2:          On
      TLSv1.3:          Off
      MiddleBoxCompatMode: Off
      ApplicationControlled: Off
Figure 3-4 Sample Outbound AT-TLS rule - from IBM’s IP CICS Sockets Guide
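The listing above is the policy agent's display of the rule once loaded. As an added example that is not part of the TMA documentation, the following is the same CICS_CLIENT rule written in AT-TLS policy agent configuration syntax, using the values shown in the listing (rule name, remote address, remote port, keyring, protocol versions, HandshakeRole and ApplicationControlled). The object names ending in _cics and _tuxedo, and the Priority value, are assumptions.

```text
# Added example: policy-agent source for the CICS_CLIENT outbound AT-TLS rule.
# Rule name, address, port, keyring and protocol settings come from the
# listing above; *_cics/*_tuxedo object names and Priority are assumptions.
TTLSRule                          CICS_CLIENT
{
  LocalAddr                       ALL
  RemoteAddrRef                   addr_tuxedo
  LocalPortRange                  0
  RemotePortRangeRef              port_tuxedo
  Direction                       Outbound
  Priority                        255
  TTLSGroupActionRef              gAct_cics
  TTLSEnvironmentActionRef        eAct_cics_client
}
IpAddrSet                         addr_tuxedo
{
  Addr                            111.111.111.111
}
PortRange                         port_tuxedo
{
  Port                            1111
}
TTLSGroupAction                   gAct_cics
{
  TTLSEnabled                     On
}
# CICS opens the connection, so it is the TLS client on the outbound flow.
TTLSEnvironmentAction             eAct_cics_client
{
  HandshakeRole                   Client
  TTLSKeyringParmsRef             keyR_cics
  TTLSEnvironmentAdvancedParmsRef advP_cics
}
TTLSKeyringParms                  keyR_cics
{
  Keyring                         SYSCICS/CICSRING
}
# Only TLS 1.2 is enabled; SSLv2/SSLv3/TLS 1.0/1.1 stay Off.
# ApplicationControlled Off: AT-TLS drives the handshake, not the CICS socket program.
TTLSEnvironmentAdvancedParms      advP_cics
{
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
  TLSv1.3                         Off
  MiddleBoxCompatMode             Off
  ApplicationControlled           Off
}
```

After the policy agent loads the file, `pasearch -t` displays the rule in the form of the listing above, which is a quick way to confirm that HandshakeRole is Client and ApplicationControlled is Off for the CICS_CLIENT rule.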