In the CICS sockets implementation, transaction security environments are not visible to AT-TLS support. The CICS job and all its transactions appear to the stack as a single server application. As a result, all AT-TLS policy look-up, System SSL key ring authorization checks, and ICSF private key authorization checks are processed using the identity of the CICS job.
The connection that is established, whether active or passive, can perform SSL handshake processing as either the client or the server. All of the connections established by a single CICS job can share the session ID cache in the SSL environment. The CICS job should use a private key ring that holds its Server certificate, and that key ring must also contain the chain of root certificates needed to validate the Server certificate that CICS presents to the client.
Mainframe Connect Client and Server Options for CICS take advantage of the AT-TLS security support, provided that the following conditions are true:
The TCP/IP stack supports AT-TLS.
An AT-TLS Policy configuration matches identifiers of the CICS application that will use it, for example, the status of the application as a listener or a client, the IP addresses, and the ports that will be used for communication.
Digital certificates and key rings are created for these applications.
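The following Policy Agent AT-TLS fragment is an added example of the second condition, not configuration from this page or from the Mainframe Connect product: one rule selects the CICS region as a listener by job name and local port, a second selects the same region as a client by remote port, and both handshake with the key ring owned by the CICS job, since that is the identity used for all key ring and ICSF checks. The job name CICSAPPL, ports 3090 and 4500, and ring name CICSRING are constructed values to be replaced with your own.

```text
# Inbound connections to the CICS listener port: CICS is the TLS server.
TTLSRule                       CICSListenerRule
{
   Jobname                     CICSAPPL        # constructed: CICS region job name
   LocalPortRange              3090            # constructed: CICS listener port
   Direction                   Inbound
   Priority                    255
   TTLSGroupActionRef          CICSGroupAct
   TTLSEnvironmentActionRef    CICSServerEnv
}

# Outbound connections opened by the CICS client option: CICS is the TLS client.
TTLSRule                       CICSClientRule
{
   Jobname                     CICSAPPL        # same region, same identity for all checks
   RemotePortRange             4500            # constructed: port of the remote TLS server
   Direction                   Outbound
   Priority                    254
   TTLSGroupActionRef          CICSGroupAct
   TTLSEnvironmentActionRef    CICSClientEnv
}

TTLSGroupAction                CICSGroupAct
{
   TTLSEnabled                 On
}

# Server role: presents the Server certificate from the CICS job's key ring.
TTLSEnvironmentAction          CICSServerEnv
{
   HandshakeRole               Server
   TTLSKeyringParms
   {
      Keyring                  CICSRING        # constructed: ring owned by the CICS job userid
   }
}

# Client role: the same ring supplies the root chain used to validate the peer.
TTLSEnvironmentAction          CICSClientEnv
{
   HandshakeRole               Client
   TTLSKeyringParms
   {
      Keyring                  CICSRING
   }
}
```

Because the stack sees every CICS transaction as the single CICS job, none of these rules can distinguish one transaction from another; per-transaction differences must be expressed through separate ports or addresses, not through the transaction's own security environment.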