Client authentication

Client authentication (also referred to as user authentication) requires users to prove their identity using digital certificates (the default setting for the Reflection Security Proxy).

Client authentication is typically required when an SSL session is first established. It will also be required by a TN 3270 server if the user is using the Express Logon Feature provided by some mainframe systems.

Client authorization

Used in connections secured by the Management and Security Server to ensure that access to host systems is approved before the connection can proceed.

When a user logs into the Management and Security Server, he or she has access only to the terminal session files and other features that he or she has been explicitly authorized to use.

CRL (Certificate Revocation List)

A digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

digital certificate

An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.
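The CRL and digital certificate entries above, worked through as an added example that is not part of the Reflection documentation: a test CA issues a client certificate, a recipient verifies the CA's signature over the certificate contents, and then consults a CA-signed CRL for revocation. It assumes the third-party `cryptography` package is installed; the CA name, client names and clock value are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed clock
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    """Self-signed test CA (hypothetical name); returns (private key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Test CA")).issuer_name(_name("Example Test CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client_cert(ca_key, ca_cert, common_name):
    """Client certificate; the CA generates the signature over the certificate contents."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL: a CA-signed list of the serial numbers the CA has revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def certificate_status(cert, ca_cert, crl):
    """'good' or 'revoked' per the CRL; 'untrusted' if the cert or CRL signature fails."""
    try:  # the CA's signature covers the to-be-signed certificate bytes
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    if cert.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted"  # a CRL that cannot be authenticated must not drive revocation decisions
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```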

Express Logon Feature (ELF)

Also referred to as single sign-on (SSO), express logon is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time. Express Logon authenticates the user on the mainframe by using her SSL client certificate in lieu of entering a user ID and password.

OCSP (Online Certificate Status Protocol)

A protocol (using the HTTP transport) that can be used as an alternative to CRL checking to confirm whether a certificate is valid. An OCSP responder answers certificate status requests with one of three digitally signed responses: "good", "revoked", or "unknown". Using OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.