TLS/SSL

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are two different communication protocols that allow applications to communicate securely over the Internet using data encryption. TLS is based on SSL, but has a different initial handshake protocol and is more extensible. TLS and SSL are not interoperable. That is, an application using TLS cannot communicate with an application running SSL. Both protocols are widely used.

Telnet-negotiated (3270 Display/Printer, VT sessions only)
Determines if the security negotiations between the client and the Telnet server are done on the established Telnet connection or on a TLS connection prior to the Telnet negotiation. For the client to use this feature, the Telnet server must support TLS-based Telnet security. The other options are valid regardless of whether Telnet-negotiated is set to Yes or No.

Server Authentication
Ensures that a secure session is established only if the Internet name of the server matches the common name in the certificate of the server. This is effective only on a locally-installed client or a client downloaded via HTTPS.

Add MSIE browser's keyring
When this option is selected, the Z and I Emulator for Web client accepts certificate authorities trusted by the Microsoft Internet Explorer browser.

The following options are used to specify the handling of client authentication.

Send a Certificate
Enables Client Authentication.  If you click No and the server requests a client certificate, the server is told that no client certificate is available, and the user is not prompted.

Certificate Source
The certificate can be kept in the client browser or a dedicated security device such as a smart card.

Alternatively, it can be kept in a local or network-accessed file that is protected by a password.

URL or Path and Filename
Specifies the default location of the client certificate. The URL protocols you can use depend on the capabilities of your browser. Most browsers support HTTP, HTTPS, FTP, and FTPS.

Select File
Click Select File to browse the local file system for the file containing the certificate.

Setup
Opens the Cryptographic Support Setup dialog where you can specify parameters for using a smart card for client authentication on Linux (32-bit Intel platform) in Z and I Emulator for Web.  This button is accessible on all platforms so that the Administrator can setup the cryptographic module name for the user to use on Linux client, however, the user must provide the password when connecting to the cryptographic token.

For Z and I Emulator for Web to work with smart cards on Linux, in addition to installing the smart card drivers and PKCS11 library for the driver; you also need to download the PKS11 library from the dashboard page and setup LD_LIBRARY_PATH environment variable to include the directory where the shared libraries reside.

This button is only available when the Browser or security device option is selected as the Certificate Source.

Support Key Usage and Extended Key Usage

A key requirement for any solution is that the client be able to automatically recognize and utilize the correct authentication certificate on the user's smart card or browser or p12 file without user configuration or intervention to do this we have to configure the session with the Key Usage or Extended Key Usage properties.

Select Key Usage

This dialog displays all of the defined Object ID (OID) key usages. The following tabs are available:

• Key Usage

  You can choose which bits must be set in the Key Usage certificate extension, in order for a personal certificate to be eligible for use in a client authentication session.

• Extended Key Usage

  You can choose which extended key usages must be listed in the Extended Key Usage certificate extension, in order for a personal certificate to be eligible for use in a client authentication session. The list items appear as a description (for example, Client Authentication), along with an object identifier (OID) (for example, 1.2.3.4). A checkbox indicates whether the item is selected.

Common description and OID pairs are available. You can add more description and OID pairs by clicking Add Extended Key Usage.

Certificate Name
Select a certificate from the list. You can also accept any certificate trusted by the server.

Add Certificate Name
Click Add Name to specify the parameters for choosing a client certificate, including the common name, e-mail address, organizational unit, and organization used to define it.  (This button is only available on the administrator configuration panel.)

How often to prompt
This drop-down box allows you to control the frequency of prompts for client certificates. The certificate source of your clients determines the selection of prompts available to you. You can regard the following two choices as constants; they are always available, regardless of certificate source:

• On each connection - Prompts client each time a connection is made to the server (If you have a Terminal windows open, then the user will be prompted for password only for the first connection, post that the user will not be prompted for password for successive connection attempts).
• First time after ZIEWeb is started - Prompts client the first time a connection is made for that particular session.

If the certificate source is Browser or security device, you have two additional options:

• Only once, storing preferences on client - Prompts client the first time a connection is made. Despite the number of sessions started while Z and I Emulator for Web is active, a client with multiple sessions set to this option receives only one prompt. (If a connection attempt fails, however, the client receives another prompt.)
• Do not prompt - Disables the prompt from Z and I Emulator for Web, but not from the browser or security device.

Currently this is true only for Microsoft Internet Explorer.

If the certificate source is URL or local file, and your clients store user preferences locally, you have two additional options:

• Only once, storing preferences on client - Prompts client the first time a connection is made. Despite the number of sessions started while Z and I Emulator for Web is active, a client with multiple sessions set to this option receives only one prompt. (If a connection attempt fails, however, the client receives another prompt.)
• Only once, for each certificate - Prompts client the first time a connection is made. A client with multiple sessions set to this option receives only one prompt despite the number of sessions started, as long as the same certificate applies to those sessions. (If a connection attempt fails, however, the client receives another prompt.)

If the certificate source is URL or local file, and your clients do not store user preferences locally, you have one additional option:

• Only once, for each certificate - Prompts client the first time a connection is made. A client with multiple sessions set to this option receives only one prompt despite the number of sessions started, as long as the same certificate applies to those sessions. (If a connection attempt fails, however, the client receives another prompt.)

Retrieve certificate before connect
If you click Yes, the client accesses its certificate before connecting the server, whether the server requests a certificate or not. If you click No, the client only accesses the certificate after the server has requested it; depending on other settings, this may force the client to abnormally terminate the connection to the server, prompt the user, and then reconnect.

Lock (Z and I Emulator for Web administrator only)
Select Lock to prevent users from changing the associated startup value for a session. Users can not change values for most fields because the fields are unavailable. However, functions accessed from the session menu or toolbar can be changed.

Use Jsse
You can enable this option to securely connect by using TLS v1.0, TLS v1.1, and TLS v1.2, which use Java Secure Socket Extension (JSSE). To use this option, version of the JRE (IBM or Oracle) must be V7 or later. On JRE V6 or earlier, it is possible to configure a session to use JSSE, but the JSSE-based session can run only with JRE V7 or later.

TLS Version
Select TLS v1.0, TLS v1.1, or TLS v1.2 as appropriate. When one of these options is selected, all the lower version protocols starting from TLS v1.0 are enabled. This option will be enabled by default and TLSv1.2 is selected.

FIP Mode
When the SSLite module is in use, you can enable this option for ZIEWeb to use FIPS 140-2 compliant cryptographic modules.

Note: This option is not available at session level when 'Use JSSE' option is enabled. Fips Mode is enabled by default when using IBM Java and JSSE with jks trust store. It can be disabled by setting 'FipsMode' html parameter value to false.

Related topics

• How TLS and SSL security work
• Configuring TLS and SSL
• Telnet-negotiated security overview
• Telnet-negotiated security
• Configuring Telnet-negotiated security
• Client Authentication