Managing TLS/SSL connections in CICS Explorer

The connections to CICS® systems from CICS Explorer® can be secured by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. For such connections, you can specify the security and certificate management preferences in CICS Explorer, such as disabling the server certificate validation and where to store certificates.

The available cipher suites are determined by the version of Java™ that runs CICS Explorer. By default, CICS uses TLS 1.2 as its TLS protocol. The minimum TLS protocol configured in CICS must be at least TLS 1.1 for CICS Explorer to connect. Otherwise, the following errors occur:
  • In CICS Explorer:
    IZE0106E Connect failed with error "javax.net.ssl.SSLHandshakeException:
    Received fatal alert: handshake_failure (SYSA CMCI SECURE)"
  • In the job log:
    DFHSO0123 09/19/20** 10:13:22 IYCYZC2K Return code 402 received from
    function 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated. 
    Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.

For more information about the security of CICS web support, see SSL with CICS web support.

Managing TLS/SSL security and certificates

You can use the Security and certificate management pane in the Preferences window to turn trust verification on or off, to define keystores for your certificates, and to configure smart card access.
The security and certificate management pane
The Security and certificate management pane allows you to:
Enable or disable certificate management for secure connections (server certificate validation)
By default, certificate management is enabled for CICS Explorer.
Define a keystore and a truststore, and configure a smart card
  • A keystore is an encrypted file that contains the certificates that are presented to another system to authenticate you. You can also use some optional parameters that provide explicit control of some of the protocols that are used during connection negotiation. Ask your network administrator for information about the keystores in your organization.

    CICS Explorer provides a default keystore in the user's workspace that can serve as both a truststore and keystore. The default pass phrase for the truststore is changeit.

  • A truststore is a type of keystore that contains TLS/SSL certificates that are used to verify that a server can be trusted. The truststore can be held in a central location.
  • A smart card or CAC (Common Access Card) is a keystore that is held on a physical card. The card is inserted into a reader on your PC and contains certificates that are used to authenticate you to a host server. You must install a compatible driver to access a smart card: either configure a specific PKCS11 driver from disk or, on Windows, use the operating system's cryptography support.
Note: To connect by using a certificate of your choice (from a keystore on disk, or on a smart card), you must create a new credential of the appropriate type in the Host Connections view.
Enable or disable the SSL hostname verification
By default, the hostname in the server's SSL certificate must match the hostname of the server you connect to.
Customize the protocol
Leave the Secure socket protocol set to default unless instructed by your network administrator. When set to default, CICS Explorer automatically negotiates the most secure connection with the server.
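The three preferences described above (server certificate validation, hostname verification, and the protocol setting) are a CICS Explorer UI; the following added example, which is not CICS Explorer or IBM code, shows the same three switches expressed on a Python `ssl.SSLContext` so that the effect of each, and the order in which they must be relaxed, is visible in code. The `truststore_pem` parameter is hypothetical and stands in for a central truststore in PEM form; protocol pinning is expressed as a `ssl.TLSVersion` name.

```python
"""Added example (not CICS Explorer code): how the Security and certificate
management preferences map onto a Python ssl.SSLContext."""
import ssl
from typing import Optional


def build_client_context(
    validate_server_cert: bool = True,      # "certificate management" on/off
    verify_hostname: bool = True,           # "SSL hostname verification" on/off
    truststore_pem: Optional[str] = None,   # hypothetical path to a PEM truststore
    pin_protocol: Optional[str] = None,     # None == "Secure socket protocol: default"
) -> ssl.SSLContext:
    """Return a client context; the parameter defaults are the secure settings."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True
    # and loads the platform CA store, which plays the role of the truststore.
    ctx = ssl.create_default_context()

    # "default" protocol: negotiate the newest version both sides support,
    # but refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pin_protocol is not None:
        # Overriding "default" pins a single version, e.g. "TLSv1_2"; only do
        # this when a network administrator instructs it.
        version = ssl.TLSVersion[pin_protocol]
        ctx.minimum_version = version
        ctx.maximum_version = version

    if truststore_pem is not None:
        # A central truststore in PEM form (a JKS file would need converting).
        ctx.load_verify_locations(cafile=truststore_pem)

    if not verify_hostname:
        # The certificate is still validated, but its name is no longer compared
        # with the host you connect to: a valid certificate for any host passes.
        ctx.check_hostname = False

    if not validate_server_cert:
        # Disabling certificate management accepts any certificate, even one that
        # is self-signed or expired. check_hostname must be cleared first, or
        # Python raises ValueError when verify_mode is set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context."""
    return {
        "validates_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
    }


if __name__ == "__main__":
    for label, kwargs in [
        ("default (recommended)", {}),
        ("hostname verification off", {"verify_hostname": False}),
        ("certificate validation off", {"validate_server_cert": False}),
        ("pinned to TLS 1.2", {"pin_protocol": "TLSv1_2"}),
    ]:
        print(f"{label:28s} {describe(build_client_context(**kwargs))}")
```

Running the block prints one line per configuration; the two "off" variants are the ones the page warns against changing without a reason, and the pinned variant shows what overriding the default protocol costs: the client can no longer negotiate upward when the server gains a newer version.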

For detailed instructions, see Managing SSL security and certificates.

Connecting to CICS system connections secured with TLS/SSL

Prerequisites

You must have a suitable connection credential to make any connections. For instructions on creating a credential, see Defining connection credentials.

Note: To connect by using a certificate of your choice (from a keystore on disk, or on a smart card), you must create a new credential of the appropriate type in the Host Connections view.
Procedure
  1. Configure a CICS system connection as described in Connecting CICS Explorer to CICS systems. Make sure you select the Secure connection (TLS/SSL) option in the Add CMCI Connection dialog. Certificate authentication can be used only with an SSL- or TLS-secured connection.
  2. If you connect to a server for the first time, CICS Explorer prompts you to accept the certificate if it does not exist in the keystores.
    (Screenshot: Certificate alert dialog)

    Read the certificate to verify that you are connecting to the server you expect and that the connection is valid. If you click OK, the certificate is accepted and stored in the keystore. It is then used on every subsequent attempt to connect with this server. You are not prompted again to check the certificate.

  3. You can manage the certificates in your keystore with the iKeyman utility. This utility is supplied as part of the IBM® Java Secure Socket Extension package.

Troubleshooting exception: Unexpected end of file from server

When you attempt to connect, the following message might occur, even when Secure connection (TLS/SSL) is selected:

IZE0106E Connect failed with error "Unexpected end of file from server"

This exception also occurs if nothing is listening on that port on the server. For security reasons, the TLS/SSL port does not respond with the reason for the connection failure, so that an unauthorized user does not receive any useful information.
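The two failure symptoms on this page, the handshake_failure / "No common ciphers negotiated" pair from the introduction and the "Unexpected end of file from server" message above, look alike to an operator reading logs. The following added example, which is not IBM code, classifies the CICS Explorer (IZE0106E) and job-log (DFHSO0123) messages into the documented causes and pulls out the fields worth recording (return code, peer address, TCPIPSERVICE name). The sample lines are constructed from the messages quoted on the page; the final "Connection refused" line is invented to exercise the unclassified path, and the advice strings paraphrase the page.

```python
"""Added example (not IBM code): classify the TLS connection-failure messages
that CICS Explorer and the CICS job log emit, so an operator can tell a
protocol/cipher mismatch from a port that never answers over TLS."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lines modelled on the messages quoted on this page; the
# final "Connection refused" line is made up to exercise the unclassified path.
SAMPLE_LINES: List[str] = [
    'IZE0106E Connect failed with error "javax.net.ssl.SSLHandshakeException: '
    'Received fatal alert: handshake_failure (SYSA CMCI SECURE)"',
    "DFHSO0123 09/19/20** 10:13:22 IYCYZC2K Return code 402 received from "
    "function 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers "
    "negotiated. Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.",
    'IZE0106E Connect failed with error "Unexpected end of file from server"',
    'IZE0106E Connect failed with error "Connection refused"',
]

MISMATCH = "tls_version_or_cipher_mismatch"
NO_TLS_REPLY = "no_tls_reply_from_port"
UNCLASSIFIED = "unclassified"

ADVICE = {
    MISMATCH: ("No TLS version or cipher suite is common to CICS and the Java running "
               "CICS Explorer: the minimum TLS protocol configured in CICS must be at "
               "least TLS 1.1 (TLS 1.2 is the CICS default), and the cipher list must "
               "overlap with the ciphers that Java version offers."),
    NO_TLS_REPLY: ("The server closed the connection without any TLS reply. This is what "
                   "you see when nothing is listening on the port or the port is not the "
                   "TLS-secured one; the server deliberately reports no reason."),
    UNCLASSIFIED: "Not one of the documented TLS symptoms; read the error text itself.",
}


@dataclass
class Finding:
    source: str            # "explorer" (IZE messages), "joblog" (DFHSO messages) or "unknown"
    message_id: str
    category: str
    details: Dict[str, str] = field(default_factory=dict)

    @property
    def advice(self) -> str:
        return ADVICE[self.category]


_IZE = re.compile(r'^(?P<id>IZE0106E) Connect failed with error "(?P<err>.*)"')
_DFHSO = re.compile(
    r"^(?P<id>DFHSO0123)\b.*?Return code (?P<rc>\d+) received from function "
    r"'(?P<func>[^']+)' of System SSL\. Reason: (?P<reason>[^.]+)\."
    r"(?:.*?Peer: (?P<peer>[\d.]+), TCPIPSERVICE: (?P<svc>\w+))?"
)


def classify(line: str) -> Finding:
    """Map one log line to a failure category and the fields worth recording."""
    m = _IZE.match(line.strip())
    if m:
        err = m.group("err")
        if "handshake_failure" in err:
            cat = MISMATCH
        elif "Unexpected end of file from server" in err:
            cat = NO_TLS_REPLY
        else:
            cat = UNCLASSIFIED
        return Finding("explorer", m.group("id"), cat, {"error": err})

    m = _DFHSO.match(line.strip())
    if m:
        details = {k: v for k, v in m.groupdict().items() if k != "id" and v}
        # Return code 402 with "No common ciphers negotiated" is the server-side
        # twin of the handshake_failure alert that the client sees.
        cat = MISMATCH if m.group("rc") == "402" else UNCLASSIFIED
        return Finding("joblog", m.group("id"), cat, details)

    return Finding("unknown", "", UNCLASSIFIED, {"raw": line.strip()})


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per category, e.g. to alert when mismatches start appearing."""
    counts: Dict[str, int] = {}
    for line in lines:
        if line.strip():
            cat = classify(line).category
            counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = classify(line)
        print(f"[{f.source}] {f.message_id or '-'} -> {f.category} {f.details}")
        print(f"    {f.advice}")
    print(summarize(SAMPLE_LINES))
```

Pairing the two sources matters in practice: a handshake_failure in CICS Explorer with a matching DFHSO0123 return code 402 in the job log confirms the mismatch is between the CICS TLS configuration and the Java cipher set, whereas "Unexpected end of file from server" with nothing in the job log points at the port, not the cipher configuration.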