Connect using End-to-End Encryption in 3270 Sessions

Use this procedure to configure end-to-end encryption in sessions that connect to hosts via the Reflection Security Gateway. Without end-to-end encryption, only data between the client and proxy server is encrypted.

End-to-end encryption tunnels a direct SSL/TLS connection to the host, while still connecting through the Reflection Security Proxy Server. These connections require two certificates and SSL/TLS handshakes — one for the client/proxy server connection and another for the client/host connection.

Requirements

About Certificates

To configure a session with end-to-end encryption

  1. In a web browser, start Reflection Security Gateway by entering the URL:

    http://server:port/rweb/AdminStart.html

    Replace server and port with the address and port of the Reflection Management server.

  2. Click Administrative WebStation and log on as administrator.
  3. From the left pane, click Session Manager.
  4. Click Add to open the Add New Session page.

    Under Windows-Based, select Reflection Workspace, and click Continue.

  5. Specify a trusted location on the user's workstation where settings files will be stored, and then click Launch.

    Reflection opens the new session document on your workstation in Administrative WebStation mode.

  6. Enter the host name and port, select the check box Configure additional settings, and click OK.
  7. In the Reflection Settings dialog box, under Host Connection, click Set Up Connection Security.
    1. Click Security Settings, and in the Security Properties dialog box, make the following required selections:
      1. Select Use SSL/TLS security.
      2. Select Use Reflection security proxy.
      3. From Security proxy settings, choose your Security proxy and Proxy port from the drop-down menus.
      4. In the Destination host box, type the host name.
      5. Select the End-to-End encryption check box.

      Note: You can modify the level of security by adjusting the SSL protocol version and the encryption key-strength setting. Click PKI Manager to add Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking to certificate validation.

  8. Click OK to close the Security Settings dialog box, and then make any other modifications to the session before clicking OK to save it.

    The session opens and attempts to connect to the host. The session file is saved to the Reflection Management server.

  9. In the Administrative WebStation, click Access Mapper and specify which users have access to the file. The users you specify can access the file from the Links List.