IBM Support

PH55369: ADD SUPPORT FOR HTTP STRICT-TRANSPORT-SECURITY

A fix is available


APAR status

  • Closed as new function.

Error description

  • This APAR adds support for CICS to automatically add the
    Strict-Transport-Security header to HTTP responses that use
    secure connections.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Provide support for HTTP Strict         *
    *                      Transport Security                      *
    ****************************************************************
    When CICS is acting as an HTTP server within a secure domain,
    there is no way to configure CICS to automatically return an
    HTTP Strict-Transport-Security header in its responses.
    

Problem conclusion

  • CICS has been updated to add support for including the HTTP
    Strict-Transport-Security header automatically in secure
    responses.
    
    The capability applies to all HTTP based TCPIPSERVICEs and the
    CMCI JVM server. It is configured by setting the following
    feature toggles:
    
    com.ibm.cics.web.hsts.max-age=seconds
    
    This toggle activates HSTS for the entire region and sets the
    max-age time in seconds (0-99999999). One year is 31536000
    seconds.
    
    com.ibm.cics.web.hsts.includesubdomains=true|false
    
    This toggle only takes effect if the previous toggle has also
    been specified. It indicates if the includeSubDomains option
    should be added to the HSTS header.
    
    com.ibm.cics.web.hsts.max-age.TCPIPS=seconds|-1
    
    This toggle allows for an individual TCPIPSERVICE named in the
    toggle (TCPIPS in this case) to have a different max-age value
    in its HSTS header. -1 can also be used to disable HSTS for that
    TCPIPSERVICE.
    
    com.ibm.cics.web.hsts.includesubdomains.TCPIPS=true|false
    
    This toggle only takes effect if the previous toggle has also
    been specified. It indicates if the includeSubDomains option
    should be added to the HSTS header for this specific
    TCPIPSERVICE.
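
The precedence rules above, worked through as an added example (not IBM code): it reads toggle lines in key=value form and returns the Strict-Transport-Security value a given TCPIPSERVICE would be expected to send, which can be compared with the header actually observed. Assumptions: a service-level max-age applies even without the region-wide toggle, a missing service-level includesubdomains falls back to the region-wide value, and the names WEBSVC and OTHER are hypothetical.

```python
# Added example: resolves the HSTS header from the toggles this APAR describes.
PREFIX = "com.ibm.cics.web.hsts."
MAX_AGE_LIMIT = 99999999  # upper bound given in the APAR text

# Constructed sample. TCPIPS is the APAR's placeholder name; WEBSVC is hypothetical.
SAMPLE = """\
com.ibm.cics.web.hsts.max-age=31536000
com.ibm.cics.web.hsts.includesubdomains=true
com.ibm.cics.web.hsts.max-age.TCPIPS=-1
com.ibm.cics.web.hsts.max-age.WEBSVC=86400
com.ibm.cics.web.hsts.includesubdomains.WEBSVC=false
"""

def parse_toggles(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    toggles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            toggles[key.strip()] = value.strip()
    return toggles

def hsts_header(toggles, service):
    """Return the Strict-Transport-Security value for a TCPIPSERVICE, or None when HSTS is off."""
    region_sub = toggles.get(PREFIX + "includesubdomains", "false")
    svc_age = toggles.get(PREFIX + "max-age." + service)
    if svc_age is not None:
        age = int(svc_age)
        if age == -1:           # -1 disables HSTS for this service only
            return None
        # Assumption: with no service-level value, the region-wide one applies.
        sub = toggles.get(PREFIX + "includesubdomains." + service, region_sub)
    else:
        region_age = toggles.get(PREFIX + "max-age")
        if region_age is None:  # includesubdomains alone does not activate HSTS
            return None
        age, sub = int(region_age), region_sub
    if not 0 <= age <= MAX_AGE_LIMIT:
        raise ValueError(f"max-age {age} outside 0-{MAX_AGE_LIMIT}")
    # max-age=0 is valid, but per RFC 6797 it tells browsers to drop the policy.
    directive = "; includeSubDomains" if sub.lower() == "true" else ""
    return f"max-age={age}{directive}"

if __name__ == "__main__":
    toggles = parse_toggles(SAMPLE)
    for name in ("TCPIPS", "WEBSVC", "OTHER"):
        print(name, "->", hsts_header(toggles, name))
```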
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH55369

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2023-06-23

  • Closed date

    2024-03-11

  • Last modified date

    2024-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PH55370 UI96022 UI96023

Modules/Macros

  • DFHAPJVM DFHAXIS2 DFHCDJNI DFHEIPSE DFHEIQSO DFHEISO  DFHIEIE
    DFHISCO  DFHISEM  DFHISIC  DFHISRR  DFHISST  DFHLEPTS DFHMNAD
    DFHMNXM  DFHPITH  DFHPITS  DFHPIWT  DFHRZDM  DFHRZIX  DFHRZLN
    DFHRZNR2 DFHRZRG2 DFHRZRM  DFHRZRS1 DFHRZSO  DFHRZSO1 DFHRZTA
    DFHRZTCX DFHRZTR1 DFHRZTRI DFHRZXM  DFHSJBD  DFHSJDM  DFHSJDS
    DFHSJDUF DFHSJIN  DFHSJIS  DFHSJIX  DFHSJJS  DFHSJL   DFHSJNA
    DFHSJNR  DFHSJNT  DFHSJRE  DFHSJRL  DFHSJRM  DFHSJRT  DFHSJSC
    DFHSJSM  DFHSJST  DFHSJT8  DFHSJTH  DFHSJTRI DFHSJXM  DFHSOAD
    DFHSOCK  DFHSODM  DFHSODS  DFHSODUF DFHSOGH@ DFHSOHN  DFHSOIS
    DFHSOIST DFHSOL   DFHSOLI  DFHSOLS  DFHSOLX  DFHSOLX6 DFHSOM01
    DFHSOM02 DFHSOM03 DFHSONT  DFHSOPL  DFHSORD  DFHSORL  DFHSORM
    DFHSOS00 DFHSOS01 DFHSOS02 DFHSOS03 DFHSOS04 DFHSOS05 DFHSOS06
    DFHSOS07 DFHSOS08 DFHSOS09 DFHSOS10 DFHSOS11 DFHSOS12 DFHSOS13
    DFHSOS14 DFHSOS15 DFHSOS16 DFHSOS17 DFHSOS18 DFHSOS19 DFHSOS20
    DFHSOS21 DFHSOS22 DFHSOS23 DFHSOSE  DFHSOSES DFHSOSK  DFHSOSM
    DFHSOST  DFHSOTB  DFHSOTI  DFHSOTRI DFHSOUE  DFHSOXM  DFHSTP
    DFHTFIQ  DFHWBA   DFHWBA1  DFHWBAP  DFHWBAPF DFHWBBLI DFHWBBMS
    DFHWBCL  DFHWBDM  DFHWBDUF DFHWBENV DFHWBPA  DFHWBPW  DFHWBRP
    DFHWBSC  DFHWBSO  DFHWBSR  DFHWBST  DFHWBSV  DFHWBTRI DFHWBTTA
    DFHWBUR  DFHWBXM  DFHWBXN  DFJ@H350 DFJ@H356 DFJ@H360 DFJ@H427
    DFJ@H467 DFJ@H468 DFJ@H571 DFJDTCOE DFJOUTRE DFJWLPBP DFJWLPPL
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R200 PSY UI96023

       UP24/03/12 P F403  

  • R300 PSY UI96022

       UP24/03/12 P F403  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
04 April 2024