Connect Using SSL/TLS

The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to establish a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between Reflection and the server is encrypted. Depending on the server configuration, the server may also authenticate the client.

Attachmate Reflection 2014 supports SSL/TLS connections for IBM 3270, IBM 5250, and VT terminals.

Note: SSL/TLS connections use digital certificates for authentication. Depending on how your certificate was issued and the way your host is configured, you may need to install a host and/or personal certificate before you can connect using SSL/TLS.

Before you start

Make sure your system has an SSL/TLS host (server or servers) and that you know how certificates are handled for your server.

The following instructions show how to configure a connection for a host that requires server authentication (but not client authentication) and uses a certificate from a trusted certification authority (CA).

This procedure shows how to import the certificate into the Reflection certificate store. To set up this connection, you need:

  • The SSL/TLS host name
  • A user name and password
  • The port used by the SSL/TLS server
  • Access to a CA certificate for the server

To configure a secure terminal session using SSL/TLS

  1. Open the Create New Document dialog box.
  2. From the Create New Document dialog box, select a session template and click Create.
  3. For Host Name/IP Address, enter the fully qualified host name.

    Note: By default, the host name you enter must exactly match one of the host names entered in either the CommonName or the SubjectAltName field of the host's certificate. The setting Certificate host name must match host being contacted is configured from the PKI Configuration dialog box. Leave this setting selected for maximum security.

  4. In the Port box, set the port your host uses for SSL/TLS connections. In most cases you will have to change the default port value. Contact the host system administrator for this information. (For connections to an AS/400, the SSL/TLS port will typically be 992.)
  5. Select Configure additional settings, and then click OK.
  6. Do one of the following:
    • If you are setting up a 3270 and 5250 terminal session, under Host Connection, click Set Up Connection Security. Then, in the Configure Advanced Connection Settings dialog box, click Security Settings.
    • If you are setting up a VT terminal session, click Configure Connection Settings, confirm Network Connection Type is set to Telnet, and click the Back arrow. Then, under Host Connection, click Set Up Connection Security.
  7. From the Security Properties dialog box, select the SSL/TLS tab, and select Use SSL/TLS security.
  8. (Optional) To specify the minimum allowable level of encryption for SSL/TLS connections, select a level in the Encryption strength list. The connection fails if this level cannot be provided.

    Note: If you select Default, any encryption level is permitted, and Reflection negotiates with the host system to choose the strongest encryption level supported by both the host and the PC.

  9. (Optional) Click Configure PKI.

    The PKI Configuration dialog box opens, from which you can manage the digital certificates used for authentication.

    1. Click Reflection Certificate Manager.
    2. In the Reflection Certificate Manager dialog box, select the Trusted Certificate Authorities tab.
    3. Click Import and browse to select the CA certificate for the server.
    4. Modify default settings as required. (For example, to use only the Reflection store, you might choose to clear Use System Certificate Store for SSL/TLS connections. When this option is selected, Reflection looks for certificates in both the Reflection store and the Windows certificate store.)

      When you customize any of the default PKI settings, the pki_config file is created.

    5. Close the Certificate Manager dialog box and click OK to close the other open dialog boxes.

      The imported certificate is saved in the trust_store.p12 file.

    6. After a connection is established, click the Save button on the Quick Access toolbar and save the session document.