Use this command to configure TN3270 Plus to make an encrypted SSL/TLS or SSH connection to a host computer. This command displays the Security pane of the Session Setup dialog box and requires the SSH and/or SSL feature. The Security pane contains the following options.
Encryption Protocol: | Select the desired encryption protocol in the drop-down list box. "None" is the default. After a protocol is selected, its configuration options are displayed. |
Protocol | Description
None | No encryption. This is the default setting. User IDs, passwords and screen contents cross the network in clear text.
SSLv2 | Secure Sockets Layer version 2. (Warning: We do not recommend the use of the SSL version 2 protocol because it contains known security issues.)
SSLv3 | Secure Sockets Layer version 3. (Warning: We do not recommend the use of the SSL version 3 protocol because it contains known security issues, including the POODLE attack on its CBC ciphers.)
TLSv1 | Transport Layer Security version 1.0. Deprecated by RFC 8996; select it only for a host that cannot be upgraded.
TLSv1.1 | Transport Layer Security version 1.1. Deprecated by RFC 8996; select it only for a host that cannot be upgraded.
TLSv1.2 | Transport Layer Security version 1.2. This is the recommended choice for an SSL/TLS connection.
SSHv1 | Secure Shell version 1. (Warning: We do not recommend the use of the SSH version 1 protocol because it contains known security issues.)
SSHv2 | Secure Shell version 2. This is the recommended choice for an SSH connection.
SSHv1 or SSHv2 | TN3270 Plus negotiates either SSHv1 or SSHv2 with the host computer. Because this setting also accepts a host that offers only SSHv1, select SSHv2 instead unless you must connect to such a host.
Ciphers Button: | Click the Ciphers button to select the ciphers that TN3270 Plus may offer in the SSL or TLS handshake. The Ciphers button displays the Specify Ciphers dialog box. In the Specify Ciphers dialog box, use the Add -> and <-Remove buttons to add ciphers to, or remove ciphers from, the "Selected Ciphers" list box. Only ciphers in the "Selected Ciphers" list box can be negotiated in the SSL or TLS handshake. Use the Remove all CBC ciphers button to remove all cipher-block chaining (CBC) mode ciphers from the list of selected ciphers. Removing the CBC mode ciphers blocks the POODLE attack on SSLv3 connections; the better fix is not to select SSLv3 at all and to use TLSv1.2 with the remaining non-CBC ciphers. |
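The following is an added example, not code from TN3270 Plus: it builds a Python ssl.SSLContext that mirrors the hardened choices on this pane (TLSv1.2 as the minimum, server certificate verification on), applies the same filter as the Remove all CBC ciphers button, and audits one session's values, including the certificate-acceptance checkboxes described under SSL or TLS Configuration Options below. The function names (build_context, strip_cbc_ciphers, audit_session), the settings dictionary and its keys are this example's own; the dictionary is a constructed stand-in and not the product's session file format.

```python
# Added example, not TN3270 Plus code: a Python ssl.SSLContext that mirrors
# the hardened choices on this pane, the "Remove all CBC ciphers" filter, and
# an audit of one session's settings. build_context, strip_cbc_ciphers,
# audit_session and the settings-dict keys are this example's own names; the
# dict is a constructed stand-in, not the product's session file format.
import re
import ssl

# "Encryption Protocol" choices that should no longer be selected.
DEPRECATED_PROTOCOLS = {
    "SSLv2": "SSLv2 has known security issues; do not use it",
    "SSLv3": "SSLv3 is open to the POODLE attack; do not use it",
    "TLSv1": "TLS 1.0 is deprecated (RFC 8996)",
    "TLSv1.1": "TLS 1.1 is deprecated (RFC 8996)",
}
TLS_MINIMUM = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def build_context(min_protocol="TLSv1.2", accept_any_invalid=False, cafile=None):
    """Client context for a TN3270 host on a TLS port (992 is the usual one).

    min_protocol:       a key of TLS_MINIMUM; SSLv2/SSLv3 are refused outright.
    accept_any_invalid: the "Accept any invalid certificate" checkbox. It turns
                        server authentication off; shown only to make the cost visible.
    cafile:             PEM bundle with the host's chain, the equivalent of the
                        Server Certificate File (.pem) field.
    """
    if min_protocol not in TLS_MINIMUM:
        raise ValueError(f"{min_protocol}: refusing to build a context for it")
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = TLS_MINIMUM[min_protocol]
    if accept_any_invalid:
        ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # any certificate, for any name, is accepted
    return ctx


def is_cbc(cipher):
    """True for a cipher-block-chaining suite as described by SSLContext.get_ciphers()."""
    if cipher.get("aead"):
        return False
    symmetric = (cipher.get("symmetric") or "").lower()
    if symmetric:
        return symmetric.endswith("-cbc")
    # Older bindings lack "symmetric"; CBC suites then show as Enc=AES(n), Enc=3DES(n)...
    return re.search(r"Enc=(AES|3DES|Camellia)\(", cipher["description"]) is not None


def strip_cbc_ciphers(ctx):
    """The "Remove all CBC ciphers" button: keep only non-CBC suites.

    set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites (names starting
    with TLS_) are configured separately and are all AEAD, so they are left alone.
    Returns the names that stay enabled.
    """
    keep = [c["name"] for c in ctx.get_ciphers()
            if not is_cbc(c) and not c["name"].startswith("TLS_")]
    if not keep:
        raise RuntimeError("this OpenSSL build offers no non-CBC TLS 1.2 suites")
    ctx.set_ciphers(":".join(keep))
    return keep


def describe_context(ctx):
    """Plain-value summary of the settings that matter."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "cbc_ciphers": sum(1 for c in ctx.get_ciphers() if is_cbc(c)),
    }


def audit_session(settings):
    """Findings for one session's Security-pane values.

    settings is a constructed dict: protocol (the drop-down text), the
    accept_* checkboxes as booleans, and ciphers as IANA suite names.
    """
    findings = []
    protocol = settings.get("protocol", "None")
    if protocol == "None":
        findings.append("no encryption: user IDs, passwords and screens cross the network in clear")
    elif protocol in DEPRECATED_PROTOCOLS:
        findings.append(DEPRECATED_PROTOCOLS[protocol])
    if settings.get("accept_any_invalid_certificate"):
        findings.append("accept any invalid certificate: the host is never authenticated")
    for option in ("accept_self_signed", "accept_expired", "accept_not_yet_valid"):
        if settings.get(option):
            findings.append(f"{option}: accepted once, now trusted silently; validate via a .pem chain instead")
    if any("_CBC_" in name for name in settings.get("ciphers", [])):
        findings.append("CBC suites selected: remove them (POODLE on SSLv3)")
    return findings
```

To check a host independently of the emulator, pass build_context() to ssl.SSLContext.wrap_socket on a plain TCP connection to the host's TLS port; a handshake failure there reproduces what TN3270 Plus will see, and describe_context() shows which of the pane's settings the context enforces.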
SSL or TLS Configuration Options
Host will initiate SSL connection (Optional) If this option is checked, TN3270 Plus opens the connection in clear text and waits for the host to send the Telnet START_TLS option before beginning the SSL/TLS handshake, instead of beginning the handshake immediately after the TCP connection is established. Leave it unchecked for a host that expects TLS from the first byte on a dedicated secure port; check it for a host that negotiates TLS on its Telnet port.
Display certificate when connected (Optional) If this option is checked, TN3270 Plus displays the Server Certificate Details dialog and allows you to accept or reject the certificate.
Accept self-signed certificates (Optional) If this option is checked, TN3270 Plus accepts a self-signed server certificate. If this option is not checked, a dialog box prompts you to accept or reject a self-signed certificate. If you accept the self-signed certificate, the connection is completed and "Accept self-signed certificates" is turned on for the session, so the self-signed certificate is accepted without prompting the next time you connect. Because that first acceptance is never re-examined, confirm the certificate's fingerprint with the host administrator before accepting it. This option applies to server certificates, not client certificates.
Accept expired certificates | (Optional) If this option is checked, TN3270 Plus accepts expired SSL server certificates. If this option is not checked, a dialog box prompts you to accept or reject an expired certificate. If you accept the expired certificate, the connection is completed and "Accept expired certificates" is turned on for the session, so the expired certificate is accepted without prompting the next time you connect. This option applies to server certificates, not client certificates. |
Accept certificates not yet valid (Optional) If this option is checked, TN3270 Plus accepts server certificates that have not reached their effective date. If this option is not checked, a dialog box prompts you to accept or reject the not yet valid certificate. If you accept the not yet valid certificate, the connection is completed and "Accept certificates not yet valid" is turned on for the session, so the not yet valid certificate is accepted without prompting the next time you connect. This option applies to server certificates, not client certificates.
Accept any invalid certificate (Optional) If this option is checked, TN3270 Plus accepts any server certificate that fails validation, for any reason, without prompting. This removes the only protection against a host impersonating yours, so leave it unchecked except during a controlled test. This option applies to server certificates, not client certificates.
Server Certificate File (.pem) | (Optional) Enter the server certificate file name (.pem). Click the Browse... button to display the Select Certificate Filename dialog box. In order for TN3270 Plus to validate the server certificate, this file must contain the entire server certificate chain in the proper order, starting with the server certificate and ending with the root Certificate Authority certificate. You can use Notepad to merge the certificates into a single file. |
Use Windows certificate store | (Optional) If this option is checked, TN3270 Plus imports all the certificates from the Internet Explorer Trusted Root Certification Authorities certificate store into the TN3270 Plus certificate store (tn3270.pem). These certificates are then used to validate the SSL certificate chain. If you add certificates to the Internet Explorer Trusted Root Certification Authorities certificate store, click the Refresh button and TN3270 Plus adds the new certificates to its certificate store. |
Client Certificate File (.pem) | (Optional) Enter a client certificate file name (.pem). Click the Browse... button to display the Select Client Certificate Filename dialog box. |
Password | (Optional) Specify the password that protects the client certificate file (.pem), if the file is encrypted. |
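The exchange that the "Host will initiate SSL connection" option waits for, as an added example that is not part of TN3270 Plus: the client side of the Telnet START_TLS negotiation, run against a constructed in-process host so it works offline. The option number (46) and the FOLLOWS suboption (1) are those of the IETF "TLS-based Telnet Security" draft that TN3270E hosts implement; the ordering assumed here is that the side that answered WILL (the client) sends FOLLOWS first, after which the TLS handshake begins on the same socket. The function names are this example's own.

```python
# Added example, not TN3270 Plus code: the Telnet START_TLS exchange that the
# "Host will initiate SSL connection" option waits for, with a constructed
# in-process host so it runs offline. The option number (46) and the FOLLOWS
# suboption (1) are those of the IETF "TLS-based Telnet Security" draft that
# TN3270E hosts implement; the ordering assumed here is that the side that
# answered WILL (the client) sends FOLLOWS first. Function names are this
# example's own.
import socket
import threading

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
START_TLS = 46   # Telnet option: TLS-based Telnet Security
FOLLOWS = 1      # START_TLS suboption: "the TLS handshake follows"
FOLLOWS_MSG = bytes([IAC, SB, START_TLS, FOLLOWS, IAC, SE])


def _read_exact(sock, n):
    """Read exactly n bytes or raise; Telnet negotiation has no length prefix."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during START_TLS negotiation")
        buf += chunk
    return buf


def client_wait_for_start_tls(sock, timeout=10.0):
    """Client side of "Host will initiate SSL connection".

    Waits for IAC DO START_TLS, answers IAC WILL START_TLS, sends FOLLOWS and
    waits for the host's FOLLOWS. Any other option the host proposes before
    that is refused, so nothing but option negotiation happens in clear text.
    Only the 3-byte DO/DONT/WILL/WONT forms are handled; a host that sends a
    suboption (IAC SB ...) before TLS is rejected. Returns every byte sent.
    """
    sock.settimeout(timeout)
    sent = bytearray()

    def send(msg):
        sock.sendall(msg)
        sent.extend(msg)

    while True:
        iac, cmd, opt = _read_exact(sock, 3)
        if iac != IAC or cmd not in (WILL, WONT, DO, DONT):
            raise ValueError(f"unexpected bytes before TLS: {bytes([iac, cmd, opt])!r}")
        if cmd == DO and opt == START_TLS:
            send(bytes([IAC, WILL, START_TLS]))
            break
        if cmd == DO:        # host wants us to do something else first: refuse
            send(bytes([IAC, WONT, opt]))
        elif cmd == WILL:    # host offers an option of its own: refuse
            send(bytes([IAC, DONT, opt]))
        # DONT / WONT need no answer
    send(FOLLOWS_MSG)
    if _read_exact(sock, len(FOLLOWS_MSG)) != FOLLOWS_MSG:
        raise ValueError("host did not confirm START_TLS FOLLOWS")
    return bytes(sent)   # caller now runs ssl_ctx.wrap_socket(sock, server_hostname=host)


def _fake_host(sock, offer_first=None):
    """Constructed stand-in for a host configured to negotiate TLS after connect."""
    sock.settimeout(5.0)
    if offer_first is not None:             # e.g. DO TERMINAL-TYPE (24) first
        sock.sendall(bytes([IAC, DO, offer_first]))
        _read_exact(sock, 3)                # client refuses it; a real host carries on
    sock.sendall(bytes([IAC, DO, START_TLS]))
    if _read_exact(sock, 3) != bytes([IAC, WILL, START_TLS]):
        return
    if _read_exact(sock, len(FOLLOWS_MSG)) != FOLLOWS_MSG:
        return
    sock.sendall(FOLLOWS_MSG)               # the host now expects a TLS ClientHello


def demo(offer_first=None):
    """Run the exchange over a socketpair and return the client's transcript."""
    client, host = socket.socketpair()
    worker = threading.Thread(target=_fake_host, args=(host, offer_first))
    worker.start()
    try:
        return client_wait_for_start_tls(client)
    finally:
        worker.join()
        client.close()
        host.close()
```

Against a real host, replace the socketpair with a TCP connection to the Telnet port, call client_wait_for_start_tls, then wrap the same socket with a verifying SSLContext; if the host never sends DO START_TLS the call times out, which is the symptom of checking this option for a host that actually expects TLS from the first byte.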
SSH Configuration Options
Authentication Type: | Choose the SSH authentication type: Password, Keyboard-interactive, or Public Key. |
Username: | (Optional) Specify your username. TN3270 Plus remembers the username; you are prompted for the password at each connection. If you leave this field blank, you are prompted for both the username and the password. |
Key regeneration interval (minutes): | (Optional) Specify how many minutes elapse before TN3270 Plus initiates key regeneration (an SSH rekey). The default is 60 minutes. If the session keys negotiated at connection time are used for too long, the amount of traffic protected by one key grows, and so does the exposure if that key is compromised; the SSHv2 protocol (RFC 4253) therefore recommends rekeying after each hour of connection time or each gigabyte of data, whichever comes first. Either the client or the host may initiate the rekey; TN3270 Plus initiates it each time the interval expires. Data transfer pauses while the new keys are negotiated with the host, so a very short interval carries a performance penalty. The default of 60 minutes is the recommended interval. |
Private key file for authentication: | (Optional) Specify a private key file when using public key authentication. This key may be in PuTTY format (*.ppk), OpenSSH format or IETF format. Keep the file readable only by your own Windows account. |