Use the following procedure to configure SSL or TLS connections using the upgraded security protocols.

The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to establish a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between EXTRA! and the server is encrypted. Depending on the server configuration, the server may also authenticate the client.

Authentication is accomplished by sending an X.509 security certificate. Authentication occurs automatically and invisibly as the first step of establishing an SSL/TLS connection. SSL/TLS connections require the client to authenticate the server. It is optional for the server to authenticate the client.

Once an encrypted connection is established, data is transmitted using the encryption level you have specified in the Reflection Security Properties dialog box.

Supported Cryptographic Algorithms

Reflection supports TLS version 1.2, TLS version 1.0 (the default), and SSL version 3.0. The supported cipher suites are listed below.

Notes:

TLS Version 1.2 is available starting with Reflection 2014 and Reflection FTP Client 14.1 SP3.
The list of cipher suites available for a given connection depends on the SSL/TLS version you specify, the encryption strength setting, and whether or not you are configured to run in FIPS mode.

TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)

TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)

TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)

TLS_SRP_SHA_WITH_AES_256_CBC_SHA (0xc020)

TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)

TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006d)

TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)

TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA (0xc01a)

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)

TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

TLS_SRP_SHA_WITH_AES_128_CBC_SHA (0xc01d)

TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0x00a6)

TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006c)

TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)

TLS_RSA_WITH_RC4_128_SHA (0x0005)

TLS_RSA_WITH_RC4_128_MD5 (0x0004)

TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)

TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)

TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)

TLS_RSA_WITH_DES_CBC_SHA (0x0009)

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)

TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)

TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)

TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)

TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Note: To secure your connections with SSL or TLS, your system must include an SSL/TLS host (server or servers).

To configure the session

Create a new display (or printer) session.
1. From the Start menu, select Attachmate EXTRA!, and click Create a new session. Or, if a session is already open, choose File > New Session.
2. In the New Session Wizard, respond to the prompts to select the host type and the session type.
For the connection type, specify TN3270.
In the tabbed window, click the Add button.
In the Configure Connection dialog box, specify the host name or IP address (IPv6, IPv4 or URI), device type, and port.
For Security Type, choose the appropriate Attachmate TLS or SSL option. If you leave Encryption strength at the default setting (Auto), EXTRA! will negotiate with the host to choose the strongest encryption level supported by the host and the PC. Choosing a value greater than that which the host or PC supports may cause the connection to fail.
To select a client certificate for authentication, do one of the following:
- Leave Automatically select client certificate selected (the default). When you connect, EXTRA! will search the Windows certificate store and use the first certificate it finds that is both valid and designated for client authentication. If this certificate is not the correct one, the connection will fail.
- Choose a certificate from the drop-down list, or select Browse to open the Windows Personal certificate store and choose the appropriate certificate. The specified certificate will be stored in the session file by subject name, issuer and serial number.
  Note: Even though you may have multiple host addresses specified in an EXTRA! session for a fail-over configuration, you can only specify one client certificate and one encryption strength for a host. For this reason, it's generally best to use the default certificate and encryption strength settings.
To have the client compare the host name in the session against the common name in the certificate and validate the certificate authority (CA) chain, select Host name must match certificate.
To ensure that the certificate is valid and hasn't been revoked, select Use Certificate Revocation List and/or Use Online Certificate Status Protocol.
Specify the remaining options to complete the configuration.
To change the security settings, in an open session, choose Options > Settings, and on the left, click Connection.

Connect to an IBM Mainframe via SSL/TLS

About SSL/TLS

Supported Cryptographic Algorithms