Host Connection Encryption Support

To encrypt the Telnet communications between Session Server (or Design Tool) and your host, the following technologies are supported:

How to Enable TLS/SSL Encryption

To configure TLS/SSL encryption for the host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption in your model:

  1. In Design Tool, you must be offline and disconnected.
  2. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  3. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in the Transport configuration in Design Tool. It cannot be specified in Design Tool Deployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), or Administrative WebStation (version 6.6 or earlier).

After connecting to the host using Design Tool, to determine the negotiated cipher, see Settings > View Settings > Host Communication > Telnet > Secure Host SSL Negotiated Cipher. Beginning in version 7.6 SP1, the TLS version and negotiated cipher are also logged in model debug messages (.vmr files).

Enabling FIPS 140-2 Validated Encryption

FIPS is the Federal Information Processing Standards used by US government agencies. Beginning in version 6.6, when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enable this feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Tool application.

Note: On UNIX, you may need to export the environment variable so it’s available to the process that runs the Session Server component.

Beginning in version 7.0, you can confirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console (session server > Properties > General > Security) and in the session server log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1, TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet support TLS 1.2, you may see errors related to TLS version not supported in Design Tool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, set an operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Tool application.

Note: On UNIX, you may need to export the environment variable so it’s available to the process that runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL 3.0 is disabled by default due to a vulnerability in this protocol (as described in Technical Note 2750). If your host does not yet support TLS, you may see the following errors in Design Tool, the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operating system environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Tool application.

Note: On UNIX, you may need to export the environment variable so it’s available to the process that runs the Session Server component.
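
The UNIX notes above come down to whether the running process actually inherited the variable. The following added example (not part of the product or its documentation) parses a NUL-separated environment block, such as Linux exposes in /proc/<pid>/environ, and reports the state of the three variables named on this page. Treating only the exact value 1 as "on" is an assumption, since 1 is the only value the page documents.

```python
"""Report which VHI TLS-related environment variables a process actually sees."""
import sys

# Variable names are taken from this page; descriptions summarise its text.
VHI_TLS_VARS = {
    "VHI_FIPS": "FIPS 140-2 validated encryption",
    "VHITELNETALLOWTLS1": "TLS 1.0 and TLS 1.1 re-enabled",
    "VHITELNETALLOWSSL3": "SSL 3.0 re-enabled",
}
LEGACY_PROTOCOL_VARS = ("VHITELNETALLOWTLS1", "VHITELNETALLOWSSL3")

# Constructed sample in /proc/<pid>/environ layout (not captured from a real host).
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0VHI_FIPS=1\0VHITELNETALLOWSSL3=1\0LANG=C\0"


def parse_environ(blob):
    """Parse a NUL-separated KEY=VALUE block into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" not in entry:
            continue  # empty trailing entry or malformed item
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def audit_vhi_env(env):
    """Return {variable: 'on' | 'unset' | 'unexpected:<value>'}."""
    report = {}
    for name in VHI_TLS_VARS:
        if name not in env:
            report[name] = "unset"
        elif env[name] == "1":
            report[name] = "on"
        else:
            # Assumption: the page documents only the value 1, so surface anything else.
            report[name] = "unexpected:" + env[name]
    return report


def legacy_protocols_enabled(report):
    """List the variables that re-enable protocols disabled by default."""
    return [name for name in LEGACY_PROTOCOL_VARS if report[name] == "on"]


def read_process_environ(pid):
    """Linux only; requires permission to read the target process's environ."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Pass the Session Server PID as the first argument; without one the sample is used.
    blob = read_process_environ(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENVIRON
    report = audit_vhi_env(parse_environ(blob))
    for name, state in report.items():
        print(f"{name:20} {state:14} {VHI_TLS_VARS[name]}")
    legacy = legacy_protocols_enabled(report)
    if legacy:
        print("legacy protocols re-enabled via:", ", ".join(legacy))
```

Running it against the Session Server PID after a restart shows whether an exported variable reached the service, and gives a quick inventory of hosts where SSL 3.0 or TLS 1.0/1.1 is still switched on.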

Client Authentication

If the host requires client authentication from VHI, your private key and client certificate must be stored in a file named certificate.pem. The file must be in PEM format with the private key first, followed by the certificate chain in chain order. This file must be stored in a subdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program Files\Attachmate\Verastream\HostIntegrator\securehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)\Attachmate\Verastream\HostIntegrator\securehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program Files\VHI\securehost

If your certificate and private key are in PFX format, you can use the OpenSSL command line utility (Program Files\VHI\openssl\openssl.exe in version 6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommended that you open the resulting file in a text viewer to verify it is in PEM format with the private key first. PEM certificates are text files containing base64-encoded data and lines such as “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

Note: Encrypted private keys and public certificates are not supported.

The client certificate is used for SSL/TLS connections by both Session Server and Design Tool.
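
The manual check described above (PEM format, private key first, key not encrypted) can be scripted. This is an added example, not code from the product: it inspects only the PEM block structure, does not verify that the certificates are in chain order, and adds a POSIX permission check that the page does not mention but that matters because the key is stored unencrypted. The sample inputs are constructed placeholders, not real keys.

```python
"""Structural check for a VHI-style certificate.pem (private key first, then certs)."""
import os
import re
import stat
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, body)] for each PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, body):
    # PKCS#8 encrypted keys carry their own label; traditional encrypted keys
    # keep the plain label and add a Proc-Type header inside the block.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_certificate_pem(text):
    """Return a list of problems; an empty list means the layout looks right."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (file may still be PFX or DER)"]
    problems = []
    labels = [label for label, _ in blocks]
    key_positions = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    if not key_positions:
        problems.append("no private key block")
    elif key_positions[0] != 0:
        problems.append("private key is not the first block")
    if len(key_positions) > 1:
        problems.append("more than one private key block")
    for i in key_positions:
        if is_encrypted_key(*blocks[i]):
            problems.append("private key is encrypted")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    for i, label in enumerate(labels):
        if i not in key_positions and label != "CERTIFICATE":
            problems.append("unexpected block type: " + label)
    return problems


def mode_problems(st_mode):
    """Added hardening check (not from the page): key file open to group/other."""
    mode = stat.S_IMODE(st_mode)
    if mode & 0o077:
        return ["file is accessible by group/other (mode %o)" % mode]
    return []


def _block(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body; the checks above never decode it.
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples covering the cases the page warns about.
GOOD = _block("PRIVATE KEY") + _block("CERTIFICATE") + _block("CERTIFICATE")
CERT_FIRST = _block("CERTIFICATE") + _block("PRIVATE KEY")
ENCRYPTED_PKCS8 = _block("ENCRYPTED PRIVATE KEY") + _block("CERTIFICATE")
ENCRYPTED_LEGACY = _block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=",
) + _block("CERTIFICATE")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="ascii", errors="replace") as fh:
            found = check_certificate_pem(fh.read())
        if os.name == "posix":
            found += mode_problems(os.stat(path).st_mode)
    else:
        found = check_certificate_pem(CERT_FIRST)
    print("\n".join(found) if found else "layout OK")
    sys.exit(1 if found else 0)
```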

Enabling Encryption on the Host

For more information about how to configure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS, see information in Technical Note 2214 or Technical Note 2215, respectively. Note: These technical notes refer to connecting with Reflection, but the host configuration steps also apply to Verastream.

Related:

  • No Related Posts

Untitled

HostConnection Encryption Support

To encrypt the Telnet communicationsbetween Session Server (or Design Tool) and your host, the followingtechnologies are supported:

Howto Enable TLS/SSL Encryption

To configure TLS/SSL encryption forthe host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption inyour model:

  1. In Design Tool, you must be offline and disconnected.
  1. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  1. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in theTransport configuration in Design Tool. It cannot be specified in Design ToolDeployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), orAdministrative WebStation (version 6.6 or earlier).

After connecting to the host usingDesign Tool, to determine the negotiated cipher, see Settings > View Settings> Host Communication > Telnet > Secure Host SSL Negotiated Cipher.Beginning in version 7.6 SP1, the TLS version and negotiated cipher are alsologged in model debug messages (.vmr files).

EnablingFIPS 140-2 Validated Encryption

FIPS is the Federal InformationProcessing Standards used by US government agencies. Beginning in version 6.6,when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enablethis feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Beginning in version 7.0, you canconfirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console(session server > Properties > General > Security) and in the sessionserver log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1,TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet supportTLS 1.2, you may see errors related to TLS version not supported in DesignTool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, setan operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL3.0 is disabled by default due to a vulnerability in this protocol (asdescribed in Technical Note 2750). If yourhost does not yet support TLS, you may see the following errors in Design Tool,the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSLroutines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operatingsystem environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Client Authentication

If the host requires clientauthentication from VHI, your private key and client certificate must be storedin a file named certificate.pem. The file must be in PEM format with the private key first,followed by the certificate chain in chain order. This file must be stored in asubdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program FilesAttachmateVerastreamHostIntegratorsecurehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)AttachmateVerastreamHostIntegratorsecurehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program FilesVHIsecurehost

If your certificate and private keyare in PFX format, you can use the OpenSSL command line utility (ProgramFilesVHIopensslopenssl.exe in version6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommendedyou open the resulting file in a text viewer to verify it is in PEM format withthe private key first. PEM certificates are text files containingbase64-encoded data and lines such as “—–BEGINCERTIFICATE—–” and “—–ENDCERTIFICATE—–“.

Note: Encrypted private keys and public certificates are notsupported.

The client certificate is used forSSL/TLS connections by both Session Server and Design Tool.

EnablingEncryption on the Host

For more information about how toconfigure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS,see information in Technical Note 2214 orTechnical Note 2215respectively. Note: These technical notes refer to connecting withReflection, but the host configuration steps also apply to Verastream.

Related:

  • No Related Posts

Untitled

HostConnection Encryption Support

To encrypt the Telnet communicationsbetween Session Server (or Design Tool) and your host, the followingtechnologies are supported:

Howto Enable TLS/SSL Encryption

To configure TLS/SSL encryption forthe host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption inyour model:

  1. In Design Tool, you must be offline and disconnected.
  1. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  1. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in theTransport configuration in Design Tool. It cannot be specified in Design ToolDeployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), orAdministrative WebStation (version 6.6 or earlier).

After connecting to the host usingDesign Tool, to determine the negotiated cipher, see Settings > View Settings> Host Communication > Telnet > Secure Host SSL Negotiated Cipher.Beginning in version 7.6 SP1, the TLS version and negotiated cipher are alsologged in model debug messages (.vmr files).

EnablingFIPS 140-2 Validated Encryption

FIPS is the Federal InformationProcessing Standards used by US government agencies. Beginning in version 6.6,when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enablethis feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Beginning in version 7.0, you canconfirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console(session server > Properties > General > Security) and in the sessionserver log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1,TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet supportTLS 1.2, you may see errors related to TLS version not supported in DesignTool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, setan operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL3.0 is disabled by default due to a vulnerability in this protocol (asdescribed in Technical Note 2750). If yourhost does not yet support TLS, you may see the following errors in Design Tool,the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSLroutines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operatingsystem environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Client Authentication

If the host requires clientauthentication from VHI, your private key and client certificate must be storedin a file named certificate.pem. The file must be in PEM format with the private key first,followed by the certificate chain in chain order. This file must be stored in asubdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program FilesAttachmateVerastreamHostIntegratorsecurehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)AttachmateVerastreamHostIntegratorsecurehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program FilesVHIsecurehost

If your certificate and private keyare in PFX format, you can use the OpenSSL command line utility (ProgramFilesVHIopensslopenssl.exe in version6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommendedyou open the resulting file in a text viewer to verify it is in PEM format withthe private key first. PEM certificates are text files containingbase64-encoded data and lines such as “—–BEGINCERTIFICATE—–” and “—–ENDCERTIFICATE—–“.

Note: Encrypted private keys and public certificates are notsupported.

The client certificate is used forSSL/TLS connections by both Session Server and Design Tool.

EnablingEncryption on the Host

For more information about how toconfigure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS,see information in Technical Note 2214 orTechnical Note 2215respectively. Note: These technical notes refer to connecting withReflection, but the host configuration steps also apply to Verastream.

Related:

  • No Related Posts

Untitled

HostConnection Encryption Support

To encrypt the Telnet communicationsbetween Session Server (or Design Tool) and your host, the followingtechnologies are supported:

Howto Enable TLS/SSL Encryption

To configure TLS/SSL encryption forthe host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption inyour model:

  1. In Design Tool, you must be offline and disconnected.
  1. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  1. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in theTransport configuration in Design Tool. It cannot be specified in Design ToolDeployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), orAdministrative WebStation (version 6.6 or earlier).

After connecting to the host usingDesign Tool, to determine the negotiated cipher, see Settings > View Settings> Host Communication > Telnet > Secure Host SSL Negotiated Cipher.Beginning in version 7.6 SP1, the TLS version and negotiated cipher are alsologged in model debug messages (.vmr files).

EnablingFIPS 140-2 Validated Encryption

FIPS is the Federal InformationProcessing Standards used by US government agencies. Beginning in version 6.6,when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enablethis feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Beginning in version 7.0, you canconfirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console(session server > Properties > General > Security) and in the sessionserver log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1,TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet supportTLS 1.2, you may see errors related to TLS version not supported in DesignTool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, setan operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL3.0 is disabled by default due to a vulnerability in this protocol (asdescribed in Technical Note 2750). If yourhost does not yet support TLS, you may see the following errors in Design Tool,the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSLroutines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operatingsystem environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Client Authentication

If the host requires clientauthentication from VHI, your private key and client certificate must be storedin a file named certificate.pem. The file must be in PEM format with the private key first,followed by the certificate chain in chain order. This file must be stored in asubdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program FilesAttachmateVerastreamHostIntegratorsecurehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)AttachmateVerastreamHostIntegratorsecurehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program FilesVHIsecurehost

If your certificate and private keyare in PFX format, you can use the OpenSSL command line utility (ProgramFilesVHIopensslopenssl.exe in version6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommendedyou open the resulting file in a text viewer to verify it is in PEM format withthe private key first. PEM certificates are text files containingbase64-encoded data and lines such as “—–BEGINCERTIFICATE—–” and “—–ENDCERTIFICATE—–“.

Note: Encrypted private keys and public certificates are notsupported.

The client certificate is used forSSL/TLS connections by both Session Server and Design Tool.

EnablingEncryption on the Host

For more information about how toconfigure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS,see information in Technical Note 2214 orTechnical Note 2215respectively. Note: These technical notes refer to connecting withReflection, but the host configuration steps also apply to Verastream.

Related:

  • No Related Posts

Untitled

HostConnection Encryption Support

To encrypt the Telnet communicationsbetween Session Server (or Design Tool) and your host, the followingtechnologies are supported:

Howto Enable TLS/SSL Encryption

To configure TLS/SSL encryption forthe host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption inyour model:

  1. In Design Tool, you must be offline and disconnected.
  1. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  1. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in theTransport configuration in Design Tool. It cannot be specified in Design ToolDeployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), orAdministrative WebStation (version 6.6 or earlier).

After connecting to the host usingDesign Tool, to determine the negotiated cipher, see Settings > View Settings> Host Communication > Telnet > Secure Host SSL Negotiated Cipher.Beginning in version 7.6 SP1, the TLS version and negotiated cipher are alsologged in model debug messages (.vmr files).

EnablingFIPS 140-2 Validated Encryption

FIPS is the Federal InformationProcessing Standards used by US government agencies. Beginning in version 6.6,when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enablethis feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Beginning in version 7.0, you canconfirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console(session server > Properties > General > Security) and in the sessionserver log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1,TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet supportTLS 1.2, you may see errors related to TLS version not supported in DesignTool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, setan operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL3.0 is disabled by default due to a vulnerability in this protocol (asdescribed in Technical Note 2750). If yourhost does not yet support TLS, you may see the following errors in Design Tool,the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSLroutines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operatingsystem environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Client Authentication

If the host requires clientauthentication from VHI, your private key and client certificate must be storedin a file named certificate.pem. The file must be in PEM format with the private key first,followed by the certificate chain in chain order. This file must be stored in asubdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program FilesAttachmateVerastreamHostIntegratorsecurehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)AttachmateVerastreamHostIntegratorsecurehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program FilesVHIsecurehost

If your certificate and private keyare in PFX format, you can use the OpenSSL command line utility (ProgramFilesVHIopensslopenssl.exe in version6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommendedyou open the resulting file in a text viewer to verify it is in PEM format withthe private key first. PEM certificates are text files containingbase64-encoded data and lines such as “—–BEGINCERTIFICATE—–” and “—–ENDCERTIFICATE—–“.

Note: Encrypted private keys and public certificates are notsupported.

The client certificate is used forSSL/TLS connections by both Session Server and Design Tool.

EnablingEncryption on the Host

For more information about how toconfigure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS,see information in Technical Note 2214 orTechnical Note 2215respectively. Note: These technical notes refer to connecting withReflection, but the host configuration steps also apply to Verastream.

Related:

  • No Related Posts

Untitled

HostConnection Encryption Support

To encrypt the Telnet communicationsbetween Session Server (or Design Tool) and your host, the followingtechnologies are supported:

Howto Enable TLS/SSL Encryption

To configure TLS/SSL encryption forthe host communication, refer to the following information.

Configuring Your Model

To configure SSL/TLS encryption inyour model:

  1. In Design Tool, you must be offline and disconnected.
  1. To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
  1. Beginning in version 7.1, check the Transport “Use SSL/TLS” checkbox (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type “Telnet SSL” (for 3270 or 5250) or “Telnet Extended SSL” (for 3270).

Note: The SSL/TLS transport option can only be enabled in theTransport configuration in Design Tool. It cannot be specified in Design ToolDeployment Options, a deployment descriptor deploy_desc.xml file, Administrative Console (version 7.0 or higher), orAdministrative WebStation (version 6.6 or earlier).

After connecting to the host usingDesign Tool, to determine the negotiated cipher, see Settings > View Settings> Host Communication > Telnet > Secure Host SSL Negotiated Cipher.Beginning in version 7.6 SP1, the TLS version and negotiated cipher are alsologged in model debug messages (.vmr files).

EnablingFIPS 140-2 Validated Encryption

FIPS is the Federal InformationProcessing Standards used by US government agencies. Beginning in version 6.6,when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enablethis feature, set an operating system environment variable (VHI_FIPS=1) before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Beginning in version 7.0, you canconfirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console(session server > Properties > General > Security) and in the sessionserver log. Note: FIPS mode is not supported on the IBM AIX platform.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1,TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet supportTLS 1.2, you may see errors related to TLS version not supported in DesignTool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, setan operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Enabling SSL 3.0

Beginning in VHI version 7.7, SSL3.0 is disabled by default due to a vulnerability in this protocol (asdescribed in Technical Note 2750). If yourhost does not yet support TLS, you may see the following errors in Design Tool,the session server log, or model debug messages (.vmr file):

[VHI 3050] SSL Error – Could not complete the SSL connection

[VHI 3053] SSL Error: error:140770FC:SSLroutines:SSL23_GET_SERVER_HELLO:unknown protocol

To enable SSL 3.0, set an operatingsystem environment variable VHITELNETALLOWSSL3=1 before starting the Session Server service or Design Toolapplication.

Note: On UNIX, you may need to export the environment variable so it’s available to the processthat runs the Session Server component.

Client Authentication

If the host requires clientauthentication from VHI, your private key and client certificate must be storedin a file named certificate.pem. The file must be in PEM format with the private key first,followed by the certificate chain in chain order. This file must be stored in asubdirectory named securehost, typically as follows:

  • Version 7.5 or higher on 64-bit Windows: Program FilesAttachmateVerastreamHostIntegratorsecurehost
  • Version 7.0 through 7.1 SP2 on 64-bit Windows: Program Files (x86)AttachmateVerastreamHostIntegratorsecurehost (Note: With version 7.0 only, the securehost subfolder is not created by the installer and you must create it manually.)
  • Version 7.0 or higher on Linux/UNIX: /opt/attachmate/verastream/hostintegrator/securehost
  • Version 6.5 or 6.6 on 32-bit Windows: Program FilesVHIsecurehost

If your certificate and private keyare in PFX format, you can use the OpenSSL command line utility (ProgramFilesVHIopensslopenssl.exe in version6.5 or 6.6) or other conversion tool (such as https://www.sslshopper.com/ssl-converter.html) to convert it to standard PEM format. It is recommendedyou open the resulting file in a text viewer to verify it is in PEM format withthe private key first. PEM certificates are text files containingbase64-encoded data and lines such as “—–BEGINCERTIFICATE—–” and “—–ENDCERTIFICATE—–“.

Note: Encrypted private keys and public certificates are notsupported.

The client certificate is used for SSL/TLS connections by both Session Server and Design Tool.
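The manual check recommended above (PEM format, private key first, key not encrypted) can be scripted. The following Python check is an added example, not part of the product or its documentation; it inspects only block layout and encoding, does not parse the certificates to confirm chain order, and assumes the file holds exactly one private key. The sample inputs are constructed placeholders, not real keys or certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers plus base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def check_certificate_pem(text):
    """Return a list of layout problems; an empty list means none were found."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found (binary PFX/DER, or damaged BEGIN/END lines)"]

    problems = []
    labels = [label for label, _ in blocks]
    for index, (label, body) in enumerate(blocks):
        is_key = label.endswith("PRIVATE KEY")
        # PKCS#8 encrypted keys have their own label; legacy encrypted keys keep
        # the plain label and add a "Proc-Type: 4,ENCRYPTED" header line.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"block {index}: private key is encrypted")
        elif not is_key and label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected block type '{label}'")
        else:
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"block {index}: body is not valid base64")

    # Assumption: exactly one key, and it must be the first block in the file.
    key_positions = [i for i, lab in enumerate(labels) if lab.endswith("PRIVATE KEY")]
    if key_positions != [0]:
        problems.append("expected exactly one private key, as the first block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate follows the private key")
    return problems


def _block(label, payload, headers=""):
    """Build a constructed PEM block; the payload is placeholder bytes."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed samples: placeholder bytes, not real keys or certificates.
KEY = _block("PRIVATE KEY", b"constructed key placeholder")
LEAF = _block("CERTIFICATE", b"constructed client certificate")
CA = _block("CERTIFICATE", b"constructed issuing CA certificate")
LEGACY_ENCRYPTED_KEY = _block(
    "RSA PRIVATE KEY",
    b"constructed ciphertext placeholder",
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n",
)

SAMPLES = {
    "key first, then chain": KEY + LEAF + CA,
    "certificate before key": LEAF + CA + KEY,
    "legacy encrypted key": LEGACY_ENCRYPTED_KEY + LEAF,
    "PKCS#8 encrypted key": _block("ENCRYPTED PRIVATE KEY", b"placeholder") + LEAF,
    "key only": KEY,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {check_certificate_pem(text) or 'OK'}")
```

To check a real file, pass its contents (read as text) to check_certificate_pem and review any messages returned before placing the file in the securehost directory.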

Enabling Encryption on the Host

For more information about how to configure your z/OS mainframe (3270) or iSeries host (5250) to support SSL/TLS, see information in Technical Note 2214 or Technical Note 2215 respectively. Note: These technical notes refer to connecting with Reflection, but the host configuration steps also apply to Verastream.

Enabling TLS 1.0 and TLS 1.1

Beginning in VHI version 7.8 SP1, TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet support TLS 1.2, you may see errors related to TLS version not supported in Design Tool, the session server log, or model debug messages (.vmr file).

To enable TLS 1.0 and TLS 1.1, set an operating system environment variable VHITELNETALLOWTLS1=1 before starting the Session Server service or Design Tool application.

Note: On UNIX, you may need to export the environment variable so it’s available to the process that runs the Session Server component.
