Using SSL security for Explorer connections

Managing SSL security and certificates for connections between CICS Explorer® and CICS® systems.

Connections between CICS Explorer and CICS systems are secured using the SSL protocol. By default, certificate management is enabled for CICS Explorer.

Note: Java™ 7 includes increased security, so CICS Explorer now connects only to TCP/IP services configured with STRONG encryption. CICS uses STRONG encryption by default. The MEDIUM level of encryption offered by CICS is no longer compatible. If you attempt to connect CICS Explorer v5.1, or later, to a CICS region with MEDIUM level of encryption you will receive these errors:

In Explorer:

IZE0106E Connect failed with error "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (SYSA CMCI SECURE)"

In the job log:

DFHSO0123 09/19/2012 10:13:22 IYCYZC2K Return code 402 received from function 'gsk_secure_socket_init' of System SSL.
Reason: No common ciphers negotiated.
Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.

You can use the Security and certificate management dialog to turn SSL on or off, and to define key stores for your certificates.

The security and certificate management dialog

You can use the Security and certificate management dialog to define a key store and a trust store. A key store is an encrypted file that contains the certificate your system presents to another system to describe itself. A trust store is a type of key store that contains the SSL certificates that are used to control connection authentication to servers. The trust store can be held in a central location. The dialog also contains some optional parameters that provide explicit control of some of the protocols used during connection negotiation. Ask your network administrator for information about the key stores in your organization.

CICS Explorer provides a default key store in the user's workspace that can serve as both a trust store and a key store. The default pass phrase for the trust store is changeit.

Note: Leave the Secure socket protocol set to default unless instructed by your network administrator. When set to default, CICS Explorer will automatically negotiate the most secure connection with the server.

For more information, see Managing SSL security and certificates.

The Add CICS Management Interface Connection dialog contains a check box to select SSL security for the connection.

Add CICS Management Interface Connection dialog

Note: When you attempt to connect, you may receive message IZE0106E Connect failed with error "Unexpected end of file from server", even when you have set Secure connection (SSL) correctly. You also receive this message if the port is not in use on the server. For security reasons, the SSL port does not respond with the reason for the connection failure, to deny useful information to an unauthorized user.

When you make a connection, CICS Explorer checks that the SSL settings are the same. If, for example, you do not select the Secure connection (SSL) check box and the server expects SSL, the connection will fail. On the first attempt to make this connection, CICS Explorer will display a message indicating the mismatch and giving you an opportunity to retry the connection with SSL enabled.

The message indicates that connection failed because SSL selection did not match at each end of the connection.

The Ambiguity dialog is shown only for existing connections whose SSL setting was not confirmed by a previous version of CICS Explorer, for example connections carried over by an Explorer upgrade or an import (not a load).

If you connect to a server for the first time, CICS Explorer will prompt you to accept the certificate if it does not exist in the key stores.

Certificate alert

Read the information in the certificate carefully and satisfy yourself that this connection is to the server you expect and that the connection is valid. If you click OK, the certificate will be accepted and stored in the key store. It will then be used on every subsequent attempt to connect with this server. You will not be prompted again to check the certificate.

You can manage the certificates in your key store with the IBM Key Management Tool (ikeyman). This tool is supplied as part of IBM Java.
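As an added example, not code from CICS Explorer or from this page, the following Java program opens the Explorer trust store and prints, for each stored certificate, the details worth checking before or after trusting a server: subject, issuer, validity period and SHA-256 fingerprint. It flags expired and self-signed entries. The store path is a command-line argument (a hypothetical location, since the workspace path is not given above); the pass phrase defaults to changeit as stated above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreAudit {
    // Colon-separated uppercase hex SHA-256 digest of the DER-encoded certificate.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the Explorer trust store (hypothetical path, supplied by the user)
        // args[1]: store pass phrase; defaults to changeit, the Explorer default named above
        String path = args.length > 0 ? args[0] : "<path-to-explorer-trust-store>";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // The default type reads both JKS and PKCS12 stores on current Java releases.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;  // skip non-certificate entries
            X509Certificate x = (X509Certificate) c;
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            String validity;
            try {
                x.checkValidity();
                validity = "valid " + x.getNotBefore() + " to " + x.getNotAfter();
            } catch (CertificateException ex) {
                validity = "NOT VALID NOW: " + ex.getMessage();  // expired or not yet valid
            }
            System.out.println("alias=" + alias + (selfSigned ? " [self-signed]" : ""));
            System.out.println("  subject=" + x.getSubjectX500Principal());
            System.out.println("  issuer=" + x.getIssuerX500Principal());
            System.out.println("  " + validity);
            System.out.println("  sha256=" + fingerprint(x));
        }
    }
}
```

Compare the printed fingerprint with the value your CICS system administrator gives you for the region's certificate; a mismatch means the stored entry is not the server you expect and should be removed with ikeyman.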