Basic TLS enablement for Z and I Emulator for Web clients

When you select the TLS protocol for the Z and I Emulator for Web client, a basic TLS session is established. During the TLS negotiation process, the server presents its certificate to the client. With basic TLS enablement, the certificate must be signed by an authority that the client trusts. The client checks WellKnownTrustedCAs.class first, followed by the CustomizedCAs.class. If Z and I Emulator for Web is configured to use JSSE for TLS enablement, WellKnownTrustedCAs.jks and CusomizedCAs.jks files will be used. The client rejects the session if it does not find the signer in these files. If the client finds the signer in these files, the session is established. This is basic Server Authentication. Z and I Emulator for Web allows you to configure a more enhanced form of Server Authentication in its client configuration. Refer to the following section for more information.

Server authentication
Encrypting the data exchange between the client and the server does not guarantee the client is communicating with the correct server. To help avoid this danger, you can enable server authentication, so that the client, after making sure that the server's certificate can be trusted, checks whether the Internet name in the certificate matches the Internet name of the server. If they match, the TLS negotiation will continue. If not, the connection ends immediately. See server authentication in the online help for more information.
Client authentication
Client authentication is similar to server authentication except that the Telnet server requests a certificate from the client to verify that the client is who it claims to be. Not all servers support client authentication, including the Z and I Emulator for Web Redirector. To configure client authentication, you need to do the following:
  • obtain certificates for clients
  • send the certificates to the clients
  • configure the clients to use client authentication
Refer to configuring clients to use client authentication in the online help for more information.
Express Logon
There are two types of Express Logon:
  • Web Express Logon: Web Express Logon allows users to log on to host systems and host applications without having to provide a user ID and password. This feature works in conjunction with your network security application by acquiring the user's network credentials and mapping them to their host credentials, eliminating the need to log on multiple times. Depending on your host, the logon automation process can be macro-based or connection-based. For more information, refer to the Web Express Logon Reference.
  • Certificate Express Logon: Certificate Express Logon is macro-based and also allows users to log on without having to enter a user ID and password. It is functionally similar to Web Express Logon, although it requires you to configure your session for TLS and client authentication, and the Communications Server must support and be configured for Express Logon. For more information, refer to Express logon in the online help.
    Table 1. Tip
    top Graphic Image
    Web Express Logon offers a type of logon automation that uses client-side certificates. This model is called certificate-based Web Express Logon and is significantly different than Certificate Express Logon. With Certificate Express Logon, client certificates are used to authenticate users to an Express Logon-enabled TN3270 server that is configured to automate the login process. With certificate-based Web Express Logon, however, client certificates are used to authenticate users to a Web server or a network security application, and the login process is automated by a plug-in and a macro. For more information, refer to the Web Express Logon Reference.
TLS-based Telnet security
Telnet-negotiated security allows the security negotiations between the client and the Telnet server to be done on the established Telnet connection. You can configure Telnet-negotiated security for Z and I Emulator for Web 3270 display and printer sessions.

The Telnet server must support TLS-based Telnet security (as described in the IETF Internet-Draft TLS-based Telnet Security) for the Z and I Emulator for Web clients to use Telnet-negotiated security. The Communications Server for z/OS supports TLS-based Telnet security.

For more information regarding Telnet-negotiated security, see the Telnet-negotiated security overview in the online help. Refer to your Telnet server's documentation for more information about configuring TLS on the Telnet server, and refer to the Security topic in the online help for more information about configuring a client to connect to a secure Telnet server.

TLS-based FTP Security
Z and I Emulator for Web provides TLS-based secure file transfer for FTP sessions. The FTP session does not support implicit/unconditional TLS negotiations to port 990/989. So, port 990 should not be used for secure FTP sessions. It only supports explicit/conditional (AUTH command) TLS negotiations to any other port.

The security properties of the FTP session are independent of the emulator session's security properties. For an integrated FTP session, you need to configure FTP security information using the new Security tab in FTP session properties. If you configure an emulator session to be secure and the File Transfer Type is set to FTP, the FTP session will not be secured automatically. In this situation, the following message appears when you click the OK button: If a secure file transfer session is desired, configure the security information in File Transfer Defaults.

The TLS based secure FTP function is supported by z/OS V1R2 or later.