Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

Thu, 03 Sep 2020 23:25:24 -0700 

I don't think you're going to be able to "hack in" support for higher TLS 
levels. I think you've got a couple near-term options, not necessarily 
mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to 
handle the network connectivity, and connect them to your existing CICS TS 
3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I 
write this, CICS TS Version 5.6 is the latest generally available release, 
and it is compatible with your currently installed z/OS release. Broadly, 
generally speaking this means upgrading some or all of the CICS "Terminal 
Owning Regions" ("TORs") while leaving "Application Owning Regions" 
("AORs") temporarily backlevel if you must. The exact details depend on 
your particular CICS deployment.

If you're using CICS's own TLS support, that's currently up to TLS 1.2. 
CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 
1.2, but I cannot think of any reason why you'd pick something prior to 
the current release in this role. IBM ended Single Version Charge (SVC) 
restrictions in 2017, so there should be no additional charge to run both 
(or multiple) CICS releases as long as you need to. Check with "your 
friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 
blithely assumes that the connections are unencrypted. The documentation 
for newer CICS TS releases includes some information on migrating from 
CICS TLS to z/OS AT-TLS, and probably that information will be reasonably 
useful if you attempt the same with CICS TS 3.1.

Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 
you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only 
official/supported way to get TLS 1.3 with CICS TS. IBM's published 
benchmarks suggest that z/OS AT-TLS is slightly more efficient than 
CICS-configured TLS, but results may vary.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to