Configuring Z and I Emulator for Windows Session Security
- Start a workstation profile from the Session Manager; or, from an active session, click Configure from the Communication menu. When the dialog box opens, click Configure.
- In the Customize Communication panel, choose the appropriate Type of Host, Interface, and Attachment values for the desired Telnet host.
- Click Link Parameters.
- On the Host Definition property page, do the following:
- Specify the normal host name and LU parameters under Primary.
- Specify the Port Number under Primary. It is likely that it will not be the default port value for Telnet. The administrator of the destination server might have set up a specific port number to handle TLS/SSL service.
- On the Security Setup property page, check Enable Security.
For server authentication only, no additional setup is required. For client authentication, proceed to the next step.
- For 3270 sessions, select the Telnet-negotiated option to have Z and I Emulator for Windows negotiate security with the Telnet 3270 server. See Negotiated Telnet Security for details. If Enable Security is unchecked, the Telnet-negotiated option cannot be selected.
- On the Security Setup property page, select the Microsoft CryptoAPI (MSCAPI) security package.
Note: To avoid having to manually add the host certificate to the Microsoft Certificate Store, refer to Pass Through Certificate Validation.
- To protect against the security vulnerability in the RC4 stream cipher, FIPS (Federal Information Processing Standard) mode has been made mandatory.
For MSCAPI, refer to the vendor documentation for the latest information.
Note: Follow the steps below to enable AES support with MSCAPI on Windows® 8, Windows® 8.1, Windows® 10, Windows® Server 2008, and Windows® Server 2012.
- From an administrator account, open Group Policy Editor (gpedit.msc).
- Choose Computer Configuration->Administrative Templates->Network->SSL Configuration Settings.
- Open SSL Cipher Suite Order and select Enabled.
- Alter the cipher order as per your organization's needs, save the changes, and reboot the system for the changes to take effect.
- Enable Check for Server Name and Certificate Name Match to have the session authenticate the server by matching the server name to the host or server certificate name. The server and certificate names must match exactly. For MSCAPI sessions, if the certificate name and server name do not match, an error is returned.
- In the Client Authentication group box, you determine when and how the client certificate will be chosen for sending to the server.
If you want to enable client authentication and have the personal client certificate from the key database file sent to the server when requested, check Send Personal Certificate to Server if Requested.
- Send Personal Certificate Trusted by Server
- Select this option if you do not want to be prompted to select a personal client certificate from a key database file. Z and I Emulator for Windows will send the personal client certificate trusted by the server.
- Send Personal Certificate based on Key Usage
- Use this option to select one or more key usages. Click Key Usage to select the defined Object ID (OID) key usages. Go to the Extended Key Usage panel to add a new OID and description to the list.
At authentication time, Z and I Emulator for Windows chooses certificates for client authentication, based on the key usage that you select. If a certificate's Enhanced Key Usage attribute contains one or more of the OIDs that you specify, the certificate is eligible for use.
If no eligible certificates are found, the authentication fails. If one eligible certificate is found, it is automatically used. If two or more eligible certificates are found, you will be prompted to select a personal client certificate.
- Select or Prompt for Personal Client Certificate
- Use this option if you want to choose the personal client certificate. You will be prompted to select a personal client certificate during session establishment, when the server requests the client certificate.
To preselect a personal client certificate during configuration, click Select now and choose the Personal Certificate Label.
- Pass Through Host Certificate Validation
- Use this option to disable the default certificate validation process during the TLS handshake. Applicable only for the Microsoft schannel provider.
Note: By default, schannel (MSCAPI) is responsible for validating the host certificate chain received during the TLS handshake. Schannel runs several checks on the received certificate chain, one of which is verifying that the signature affixed to the certificate is valid, that is, that the hash value computed on the certificate contents matches the value that results from decrypting the signature field using the public component of the issuer. To perform this operation, the user must possess the public component of the issuer, obtained either through some integrity-assured channel or by extracting it from another (validated) certificate. The default certificate validation process is exhaustive and runs several checks on the host certificate chain in order to validate it. Enabling this option suppresses the default validation done by schannel, so the identity of the host is not verified. The use of this option is not recommended.
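The Send Personal Certificate based on Key Usage rule described above (eligible if the Enhanced Key Usage contains at least one configured OID; none found fails, one is used automatically, two or more prompt) can be modelled in a few lines. The following is an added example, not code from the Z and I Emulator for Windows documentation or product: it decodes a DER-encoded Enhanced Key Usage extension value by hand and applies the selection rule to a constructed store of three certificates, each reduced to a label and its raw EKU value.

```python
# Added example, not part of the Z and I Emulator for Windows documentation: models the
# "Send Personal Certificate based on Key Usage" rule over constructed sample data.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon

def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Convert OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    first = arcs[0]               # first octet packs the first two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_eku(der):
    """Parse an EKU extension value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    total, pos = _read_length(der, 1)
    end, oids = pos + total, set()
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        length, pos = _read_length(der, pos + 1)
        oids.add(decode_oid(der[pos:pos + length]))
        pos += length
    return oids

def select_client_certificate(certs, wanted_oids):
    """Documented rule: eligible when the EKU shares at least one OID with the configured
    key usages; 0 eligible -> fail, 1 -> automatic selection, 2+ -> prompt the user."""
    eligible = [label for label, eku in certs if parse_eku(eku) & set(wanted_oids)]
    return ("fail" if not eligible else "auto" if len(eligible) == 1 else "prompt"), eligible

SAMPLE_CERTS = [  # constructed store: (label, DER-encoded EKU extension value)
    ("Alice smart card", bytes.fromhex("301606082b06010505070302060a2b060104018237140202")),
    ("Web server cert", bytes.fromhex("300a06082b06010505070301")),
    ("Carol software cert", bytes.fromhex("300a06082b06010505070302")),
]
```

Selecting on clientAuth alone yields two eligible certificates and therefore a prompt, while selecting on Smart Card Logon picks Alice's certificate automatically.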