IBM Support

PH38091: ADD SUPPORT FOR DEFAULTCIPHERS.XML

APAR status

  • Closed as new function.

Error description

  • Add support to CICS TS 5.6 for use of defaultciphers.xml on
    EXEC CICS WEB OPEN and EXEC CICS INVOKE SERVICE commands.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add support for defaultciphers.xml      *
    *                      on EXEC CICS WEB OPEN and EXEC CICS     *
    *                      INVOKE SERVICE commands                 *
    ****************************************************************
    A CICS application makes an outbound HTTPS request using an EXEC
    CICS WEB OPEN or EXEC CICS INVOKE SERVICE command.  If the
    command does not specify a list of ciphers to use via the
    CIPHERS or URIMAP parameters, then CICS will use a default list
    of 2-digit ciphers.  That list is currently 3538392F3233.
    
    If the target endpoint no longer supports any of the ciphers
    from the CICS default list, the outbound request will fail.
    
    In many cases it is not easy or possible to update every
    affected CICS application to use a URIMAP and a suitable cipher
    file.
    
    This APAR was raised to provide a default cipher file to replace
    the default list of 2-digit ciphers.
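
Added example (not part of the IBM APAR text or CICS code): it decodes the default list 3538392F3233 quoted above and checks it against two constructed endpoint policies to show why a request fails when there is no overlap. It assumes each 2-digit code is the low byte of the IANA TLS cipher suite number; the function names and endpoint sets are hypothetical.

```python
# Added example, not IBM code. Assumption: each 2-digit code is the low byte
# of the IANA TLS cipher suite number (0x00NN); names are the IANA names.
IANA_NAMES = {
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "32": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "38": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
DEFAULT_LIST = "3538392F3233"  # default list quoted in the APAR

def split_codes(cipher_string):
    """Split a CIPHERS-style string into 2-digit codes, in preference order."""
    s = cipher_string.strip().upper()
    if not s or len(s) % 2 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError(f"not a list of 2-digit hex cipher codes: {cipher_string!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def describe(code):
    """Derive key exchange, forward secrecy, AEAD and MAC properties from the name."""
    name = IANA_NAMES.get(code)
    if name is None:
        return {"code": code, "name": None}
    kex, _, bulk = name[len("TLS_"):].partition("_WITH_")
    return {"code": code, "name": name, "kex": kex,
            "forward_secrecy": kex.startswith(("DHE", "ECDHE")),
            "aead": "_GCM_" in bulk or "_CCM" in bulk or "POLY1305" in bulk,
            "sha1_mac": bulk.endswith("_SHA")}

def negotiable(cipher_string, endpoint_suites):
    """Suites from the client list that the endpoint also accepts (client order)."""
    names = [describe(c)["name"] for c in split_codes(cipher_string)]
    return [n for n in names if n in endpoint_suites]

# Constructed endpoint policies, for illustration only.
MODERN_ENDPOINT = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
LEGACY_ENDPOINT = MODERN_ENDPOINT | {"TLS_RSA_WITH_AES_128_CBC_SHA"}

if __name__ == "__main__":
    for d in map(describe, split_codes(DEFAULT_LIST)):
        print(d)
    print("modern endpoint overlap:", negotiable(DEFAULT_LIST, MODERN_ENDPOINT))
    print("legacy endpoint overlap:", negotiable(DEFAULT_LIST, LEGACY_ENDPOINT))
```

All six default suites are CBC with a SHA-1 MAC, so an endpoint restricted to AEAD suites has nothing in common with the list.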
    

Problem conclusion

Temporary fix

Comments

  • CICS has been updated to add support for a defaultciphers.xml
    file on EXEC CICS WEB OPEN and EXEC CICS INVOKE SERVICE
    commands.
    
    A sample defaultciphers.xml file is provided in the
    USSHOME/security/ciphers directory.  It should be copied to the
    USSCONFIG/security/ciphers directory and customised to meet
    your security requirements.
    
    To make use of the defaultciphers.xml file you need to set the
    following feature toggle:
    
      com.ibm.cics.web.defaultcipherfile=true
    
    If the feature toggle is set, then the defaultciphers.xml file
    will be processed during CICS initialization.  If there is a
    problem with the file, then message DFHWB0112 will be issued and
    CICS will revert to using the existing default list of 2-digit
    cipher suites.
    
    
    The CICS TS 5.6 documentation will be updated to describe the
    new feature toggle and document message DFHWB0112.
    

APAR Information

  • APAR number

    PH38091

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    300

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-06-14

  • Closed date

    2021-07-09

  • Last modified date

    2021-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI76260 PH45703

Modules/Macros

  • DFHMEWBC DFHMEWBE DFHMEWBK DFHWBCL  DFHWBDM  DFHWBDUF DFJ@H606
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

Document Information

Modified date:
15 July 2022