Information Center

Configuring clients to use client authentication

Client authentication can be configured in the session configuration properties on the server or on the client workstation.

On the server, take the following steps:

  1. Open the Administrator Utility window.
  2. Click Users/Groups in the left pane to open the list of defined groups and users.
  3. Right-click a user or group and select Sessions to open the Configured Sessions window.
  4. If you are configuring a new session, click the appropriate button. If you are changing a session, right-click the session icon and click Properties.
  5. In the left pane, click Connection.
  6. In the right pane, in the Protocol listbox, select a secure protocol (either Telnet-TLS or Telnet-SSL only).
  7. In the left pane, expand Connection and click TLS/SSL.
  8. To enable server authentication, select Server authentication. Read about known security limitations when using the Internet.
  9. To use client authentication, click Yes for Send a Certificate.
  10. Specify the Certificate Source and Certificate Location or Certificate Name.

    To specify a default location of the client certificate, enter a URL or path and file name. The URL protocols that can be used depends on the capabilities of your browser. Most browsers support HTTP, HTTPS, FTP, and FTPS.

    To specify parameters for using smart cards with Z and I Emulator for Web, click Setup.

    The Setup button is only available when the 'Browser or security device option' is specified as the Certificate Source.

    To specify a default name, choosing 'Any certificate trusted by the server' causes Z and I Emulator for Web to search through the Microsoft Internet Explorer Personal Certificate store for the first certificate that is signed by a Certificate Authority trusted by the server requesting the certificate. Choosing a specific name causes Z and I Emulator for Web to send only that certificate. You may also add the name of a certificate that is not in the administrator's Certificate Store by clicking the Add Certificate Name button and specifying certificate components, such as the common name, organization, and other components.

    If you do not want the location or name changed, click Lock. Otherwise, users can choose the certificate location or name.

    To be prompted each time the server requests a client certificate, expand the How often to prompt listbox and click On each connection.

    To be prompted once each time you start Z and I Emulator for Web, click First time after ZIEWeb is started.

    Specify whether or not to Retrieve Certificate before Connecting.

  11. Click OK.
  12. If clients will use secure sessions to the Z and I Emulator for Web server, click Redirector Service in the left pane of the Administration Utility.

On the client, take the following steps:

Some of the following fields may have been disabled by the administrator.
  1. If you want to create a new session, click Add Sessions and double-click the type of session you want to create. If you want to change an existing session, right-click the session icon, then click Properties.
  2. In the left pane, click Connection.
  3. In the right pane, in the Protocol listbox, select a secure protocol (either Telnet-TLS or Telnet-SSL only).
  4. In the left pane, expand Connection and click TLS/SSL.
  5. To enable server authentication, click Server authentication. Read about known security limitations when using the Internet.
  6. To use client authentication, click Yes for Send a Certificate.
  7. Then specify the Certificate Source and Certificate Location or Certificate Name.

    To specify a default location of the client certificate, enter a URL or path and file name. The URL protocols that can be used depends on the capabilities of your browser. Most browsers support HTTP, HTTPS, FTP, and FTPS.

    To specify parameters for using smart cards with Z and I Emulator for Web, click Setup.

    The Setup button is only available when the 'Browser or security device option' is specified as the Certificate Source.

    To specify a default name, make a selection from the Certificate Name drop-down box. Choosing 'Any certificate trusted by the server' causes Z and I Emulator for Web to search through the Microsoft Internet Explorer Personal Certificate store for the first certificate that is signed by a Certificate Authority trusted by the server requesting the certificate. Choosing a specific name causes Z and I Emulator for Web to send only that certificate.

    To be prompted each time the server requests a client certificate, expand the How often to prompt listbox and click On each connection.

    To be prompted once each time you start Z and I Emulator for Web, click First time after ZIEWeb is started.

    If your client supports storing preferences locally, clicking Only once, storing preferences on client causes Z and I Emulator for Web to prompt the next time the connection is made, but never after that, unless the connection attempt fails.

    Specify whether or not to Retrieve Certificate before Connecting.

  8. Click OK.

Not all servers request certificates. When you try to connect to a telnet server that does, a window appears prompting you for the location and password of your certificate.

Setting security on the Redirector

To use secure sessions on a Z and I Emulator for Web Redirector, you must set a security level on the port used by the Redirector. On the server, take the following steps:

  1. Log on as the administrator.
  2. Click Redirector Service.
  3. If you are creating a new connection, click Add. If you are changing a connection, highlight the entry and click Change.
  4. In the Add (or Change) Configuration window, choose the appropriate value for Security. The most likely choice is Client-side because this provides secure sessions between the client and the server. Click the help button to refer to the online help for more information.

Related topics