Use the following procedure to configure SSL or TLS connections using the upgraded security protocols.
Encryption protects the confidentiality of data in transit. This protection is accomplished by encrypting the data before it is sent using a secret key and cipher. The received data must be decrypted using the same key and cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. You can use the tab of the dialog box to specify which ciphers the Secure Shell connection should use.
The following data encryption standards are supported:
DES (56-bit) - Available with SSH protocol 1 only
Arcfour, Arcfour128, and Arcfour256 (stream mode)
TripleDES (168-bit) CBC mode
Blowfish (128-bit) CBC mode
AES (also known as Rijndael) (128-, 192-, or 256-bit) CBC mode and CTR mode
Data integrity ensures that data is not altered in transit. Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a hash for each packet of transferred data. If the message has changed in transit, the hash values are different and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. Extra! supports the following MAC standards:
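The two rules above (the session cipher or MAC is the first entry in the client's preference order that the server also supports, and a packet whose independently recomputed MAC does not match is rejected) as an added illustration, not code from Extra! or this page; the algorithm names are the standard SSH identifiers for the ciphers the page lists, the preference orders and session key are constructed, and HMAC-SHA256 stands in for whatever MAC the session negotiates:

```python
import hashlib
import hmac

# Constructed client preference order; names are standard SSH identifiers
# for the ciphers listed on this page (DES is omitted since it is SSH-1 only).
CLIENT_CIPHER_PREFERENCE = ["aes256-ctr", "aes128-cbc", "3des-cbc", "blowfish-cbc", "arcfour"]


def negotiate(client_preference, server_supported):
    """Return the first algorithm in the client's preference order that the
    server also supports. This is the page's rule for both ciphers and MACs."""
    supported = set(server_supported)
    for name in client_preference:
        if name in supported:
            return name
    # No overlap: this is the 'connection may fail' case the page describes.
    raise ValueError("no algorithm common to client and server")


def compute_mac(key, sequence_number, payload):
    """Compute a MAC over the packet sequence number and payload.
    Binding the sequence number stops a valid packet being replayed later."""
    message = sequence_number.to_bytes(4, "big") + payload
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_packet(key, sequence_number, payload, received_mac):
    """Recompute the MAC independently of the sender and accept the packet
    only if it matches; constant-time comparison avoids timing leaks."""
    expected = compute_mac(key, sequence_number, payload)
    return hmac.compare_digest(expected, received_mac)


def demo():
    """Run one negotiation plus one good and one tampered packet check."""
    server_supported = ["3des-cbc", "aes128-cbc", "arcfour"]  # constructed
    chosen = negotiate(CLIENT_CIPHER_PREFERENCE, server_supported)
    key = b"constructed-session-key"
    payload = b"hello host"
    mac = compute_mac(key, 1, payload)
    accepted = verify_packet(key, 1, payload, mac)
    tampered = verify_packet(key, 1, b"hello h0st", mac)  # one byte altered
    return chosen, accepted, tampered


if __name__ == "__main__":
    print(demo())  # ('aes128-cbc', True, False)
```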
Digital signatures are used for public key authentication (including certificate authentication). The authenticating party uses the digital signature to confirm that the party being authenticated holds the correct private key. The Secure Shell client uses a digital signature to authenticate the host. The Secure Shell server uses a digital signature to authenticate the client when public key authentication is configured. Extra! supports the following digital signature algorithms:
NOTE: To secure your connections with SSL or TLS, your system must include an SSL/TLS host (server or servers).
To configure the session
From the menu, select , and click . Or, if a session is already open, choose > .
In the > , respond to the prompts to select the host type and the session type.
For the connection type, specify TN5250.
On the tab, specify the host name, IP address, and port. You can specify a primary and a backup address using IPv6 or IPv4 addresses.
For , choose the appropriate TLS or SSL option. If you leave at the default setting ( ), Extra! will negotiate with the host to choose the strongest encryption level supported by the host and the PC. Choosing a value greater than that which the host or PC supports may cause the connection to fail.
To select a client certificate for authentication, do one of the following:
Leave selected (the default). When you connect, Extra! will search the Windows certificate store and use the first certificate it finds that is both valid and designated for client authentication. If this certificate is not the correct one, the connection will fail.
Choose a certificate from the drop-down list, or select to open the Windows Personal certificate store and choose the appropriate certificate. The specified certificate will be stored in the session file by subject name, issuer, and serial number.
NOTE: Even though you may have multiple host addresses specified in an Extra! session for a fail-over configuration, you can only specify one client certificate and one encryption strength for a host. For this reason, it's generally best to use the default certificate and encryption strength settings.
Specify the remaining options to complete the configuration.
To change the security settings, in an open session, choose > , and on the left, click .