Using SSL/TLS


Telnet Secure Socket Layer (SSL) and Transport Layer Security (TLS) security protocols are available for 3270 and 5250 session types, and Telnet Extended SSL/TLS support is available for 3270 session types. These Telnet options help you implement a connection between a host requiring this form of security and the Host Integrator session server. To implement a secure connection between the client and the Host Integrator session server, use the security options in the Administrative Console.

If SSL is implemented on the host for encryption purposes only, select the SSL/TLS checkbox.

SSL 3.0 is no longer supported by Host Integrator, but can be accessed for legacy host connections, if needed. See Technical Note 10068, Encryption Between Verastream Host Integrator and Your Host for more information.

You can use the Management and Security Server security proxy to configure a secure SSL/TLS connection. This secure tunnel lets you use SSL or TLS with hosts that are not running an SSL/TLS Telnet server.

Client Authentication

If the host requires client authentication from Host Integrator, your private key and client certificate must be stored in a file named certificate.pem. The file must be in PEM format with the private key first, followed by the certificate chain in chain order.

You must create and store this file in a subdirectory named securehost. For example:

If your certificate and private key are in PFX format, you can use the OpenSSL command line utility or another conversion tool to convert them to standard PEM format. For example, this conversion tool.

It is good practice to open the resulting file in a text viewer to verify that it is in PEM format with the private key first. PEM certificates are text files containing base64-encoded data between marker lines such as "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
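A check for the layout described above, added here as an example (not Host Integrator code): it splits a PEM file into its blocks and reports whether the private key comes first, followed only by certificate blocks. It checks labels and base64 encoding only, not the cryptographic chain order; the sample PEM bodies are constructed placeholders, not real keys.

```python
import base64
import binascii
import re

# Labels accepted as the private key that must open certificate.pem.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block, in file order.
    Raises ValueError if a block body is not valid base64."""
    blocks = []
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}")
        blocks.append((label, der))
    return blocks


def check_certificate_pem(text):
    """Return a list of problems with the file layout; empty means OK."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return ["no PEM blocks found (file may be DER or PFX, not PEM)"]
    labels = [label for label, _ in blocks]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block is '{labels[0]}', expected the private key")
    key_count = sum(1 for label in labels if label in KEY_LABELS)
    if key_count != 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block after the private key")
    for label in labels:
        if label not in KEY_LABELS and label != "CERTIFICATE":
            problems.append(f"unexpected block type '{label}'")
    return problems


# Constructed sample files: the base64 bodies are placeholders, not real keys.
GOOD_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8=\n"
            "-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIBszCCAV0=\n"
            "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBszCCAV4=\n"
            "-----END CERTIFICATE-----\n")
BAD_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAV0=\n-----END CERTIFICATE-----\n"
           "-----BEGIN PRIVATE KEY-----\nMIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8=\n"
           "-----END PRIVATE KEY-----\n")
```

Run `check_certificate_pem(open("certificate.pem").read())` against the file you placed in the securehost subdirectory; an empty list means the key-first layout is in place.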

FIPS Validation

To use FIPS 140-2 validated TLS version 1 encryption for SSL support, you must first set the environment variable VHI_FIPS to 1 (VHI_FIPS = 1). After this variable is set, all SSL/TLS connections use the FIPS 140-2 Crypto Libraries.


Related Topics
- Configuring a host session
- Configuring a connection through the Management and Security Server Secure Proxy Server