MINTLSLEVEL
The MINTLSLEVEL system initialization parameter specifies the minimum TLS protocol that CICS® uses for secure TCP/IP connections.
Note: When AT-TLS is used to secure socket sessions, CICS SSL/TLS system initialization parameters such as KEYRING and MINTLSLEVEL are no longer required because the implementation of TLS is provided by AT-TLS policy statements and all encryption and decryption is done outside of the CICS address space. For details, see Introduction to Application Transparent Transport Layer Security (AT-TLS).
- MINTLSLEVEL={TLS10|TLS11|TLS12|TLS10ONLY}
- When a secure connection is established between a pair of processes, the most secure TLS protocol that is supported by both is used.
- TLS10
- Sets the minimum level of TLS to 1.0. This is the default value. Note: If you used ENCRYPTION=STRONG on previous releases, a change in behavior might occur if the client does not handle the negotiation of TLS levels correctly. If this causes a problem, use MINTLSLEVEL=TLS10ONLY instead.
- TLS11
- Sets the minimum level of TLS to 1.1.
- TLS12
- Sets the minimum level of TLS to 1.2.
- TLS10ONLY
- Sets the level of TLS to 1.0 only.
To apply FIPS 140-2 standards, set MINTLSLEVEL=TLS12 and NISTSP800131A=CHECK. If NISTSP800131A=CHECK is set but MINTLSLEVEL is set to a value other than TLS12, it is overridden to MINTLSLEVEL=TLS12 and a warning message is issued.
To apply FIPS 140-2 standards on z/OS® Version 2 Release 1 or later, ICSF (Integrated Cryptographic Services Facility) must be active on your system.
For more information about NIST SP800-131A conformance, see Making your CICS TS system conformant to NIST SP800-131A.
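The following auditing sketch is an added example, not IBM code. It reads a set of SIT overrides and reports the MINTLSLEVEL that is in effect under the default and override rules described above. The input syntax (comma-separated KEYWORD=value pairs, `*` comment lines, a `.END` terminator) is a simplified assumption, the sample overrides and keyring name are constructed, and regions secured by AT-TLS are out of scope.

```python
# Added example: the rules encoded here are only those stated on this page.
VALID_LEVELS = ("TLS10", "TLS11", "TLS12", "TLS10ONLY")


def parse_sit(text):
    """Parse simplified SIT overrides into a dict of KEYWORD -> value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):   # assumed comment convention
            continue
        if line.upper().startswith(".END"):    # assumed end-of-overrides marker
            break
        for item in line.split(","):
            key, sep, value = item.partition("=")
            if sep:
                params[key.strip().upper()] = value.strip().upper()
    return params


def effective_mintlslevel(params):
    """Return (effective_level, findings) following the rules on this page."""
    findings = []
    level = params.get("MINTLSLEVEL", "TLS10")  # TLS10 is the documented default
    if level not in VALID_LEVELS:
        findings.append(f"MINTLSLEVEL={level} is not a documented value")
    if params.get("NISTSP800131A") == "CHECK" and level != "TLS12":
        findings.append(f"MINTLSLEVEL={level} is overridden to TLS12 by NISTSP800131A=CHECK")
        level = "TLS12"
    if level == "TLS10ONLY":
        findings.append("connections are limited to TLS 1.0 only")
    elif level in ("TLS10", "TLS11"):
        findings.append(f"TLS {level[3]}.{level[4]} connections are still accepted")
    return level, findings


# Constructed sample input, not taken from a real region.
SAMPLE = """\
* constructed SIT overrides
KEYRING=EXAMPLE.RING,
MINTLSLEVEL=TLS10,
NISTSP800131A=CHECK,
.END
"""

if __name__ == "__main__":
    print(effective_mintlslevel(parse_sit(SAMPLE)))
```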