Encrypting Host Connections
For increased security, you can encrypt the communications between the session server or Design Tool and your host.
Telnet Secure Socket Layer (SSL) and Transport Layer Security (TLS) security protocols are available for 3270 and 5250 session types, and Telnet Extended SSL/TLS support is available for 3270 session types. These Telnet options help you implement a connection between a host requiring this form of security and the Host Integrator session server. To implement a secure connection between the client and the Host Integrator session server, use the security options in the Administrative Console.
Note
Beginning in VHI version 7.9, TLS 1.2 and TLS 1.3 will be the only versions enabled by default when connecting to 3270 and 5250 hosts. To enable older versions see Enabling TLS 1.0 and TLS 1.1.
How to enable TLS/SSL encryption
To configure SSL/TLS encryption in your model:
- In Design Tool, you must be offline and disconnected.
- To modify an existing model, click Connection > Session Setup. To configure a new model, click File > New to display the New Model dialog.
- Beginning in version 7.1, select the "Use SSL/TLS" checkbox under Transport (for 3270 or 5250). In version 7.0 and earlier, select the Transport Type "Telnet SSL" (for 3270 or 5250) or "Telnet Extended SSL" (for 3270).
After connecting to the host using Design Tool, to determine the negotiated cipher, see Settings > View Settings > Host Communication > Telnet > Secure Host SSL Negotiated Cipher. Beginning in version 7.6 SP1, the TLS version and negotiated cipher are also logged in model debug messages (.vmr files).
Enabling FIPS 140-2 Validated Encryption
FIPS (Federal Information Processing Standards) are standards used by US government agencies. Beginning in version 6.6, when using TLS/SSL, you can enable FIPS 140-2 validated encryption. To enable this feature, set the operating system environment variable VHI_FIPS=1 before starting the Session Server service or Design Tool application.
Note
On Linux, you may need to export the environment variable so it’s available to the process that runs the Session Server component.
Beginning in version 7.0, you can confirm FIPS 140-2 TLS/SSL encryption is enabled in Administrative Console (session server > Properties > General > Security) and in the session server log. FIPS mode is not supported on the IBM AIX platform.
Enabling TLS 1.0 and TLS 1.1
Beginning in VHI version 7.8 SP1, TLS 1.0 and TLS 1.1 are disabled by default. If your host does not yet support TLS 1.2 or TLS 1.3, you may see errors related to TLS version not supported in Design Tool, the session server log, or model debug messages (.vmr file).
To enable TLS 1.0 and TLS 1.1, set the operating system environment variable VHITELNETALLOWTLS1=1 before starting the session server service or Design Tool application.
Note
On Linux, you may need to export the environment variable so it’s available to the process that runs the Session Server component.
Enabling SSL 3.0
Beginning in VHI version 7.7, SSL 3.0 is disabled by default due to a vulnerability in this protocol (as described in Technical Note 2750). If your host does not yet support TLS, you may see the following errors in Design Tool, the session server log, or model debug messages (.vmr file):
- [VHI 3050] SSL Error - Could not complete the SSL connection
- [VHI 3053] SSL Error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
To enable SSL 3.0, set the operating system environment variable VHITELNETALLOWSSL3=1 before starting the session server service or Design Tool application.
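The three procedures above (FIPS 140-2 mode, TLS 1.0/1.1 and SSL 3.0 fallback) all depend on the same Linux detail from the notes: the variable must be exported so that it reaches the process that actually runs the Session Server. The following script is an added example, not part of the VHI documentation or product. It assumes a hypothetical start command path (VHI_START_CMD, set here to a placeholder) and Linux /proc for inspecting a running process; the variable names VHI_FIPS, VHITELNETALLOWTLS1 and VHITELNETALLOWSSL3 are the ones documented above.

```shell
#!/bin/sh
# Added example (not VHI's own code). Exports the documented VHI environment
# variables before starting the session server and provides two checks:
# one for "is this variable visible to a child process?" and one for
# "does the running server process actually carry it?".

# Placeholder for the real session server start command; adjust for your install.
VHI_START_CMD="${VHI_START_CMD:-/opt/vhi/bin/sessionserver}"

# Return 0 if NAME is visible to a child process (i.e. it was exported),
# 1 if not, 2 if NAME is not a plain identifier. A bare NAME=1 assignment
# without export fails this check, which is exactly the trap the docs warn about.
visible_to_child() {
  _name="$1"
  case "$_name" in
    ""|*[!A-Za-z0-9_]*) return 2 ;;   # refuse anything that is not an identifier
  esac
  # Spawn a child shell; it only sees exported variables.
  _val=$(sh -c "printf '%s' \"\${$_name:-}\"")
  [ -n "$_val" ]
}

# Map short option names to the variable assignments documented for VHI:
#   fips -> VHI_FIPS=1   tls1 -> VHITELNETALLOWTLS1=1   ssl3 -> VHITELNETALLOWSSL3=1
# Prints the assignments separated by spaces; unknown options return 1.
vhi_env_for() {
  _out=""
  for _opt in "$@"; do
    case "$_opt" in
      fips) _out="$_out VHI_FIPS=1" ;;
      tls1) _out="$_out VHITELNETALLOWTLS1=1" ;;
      ssl3) _out="$_out VHITELNETALLOWSSL3=1" ;;
      *) echo "unknown option: $_opt" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "${_out# }"
}

# Return 0 if the running process PID has NAME in its environment.
# Reads Linux /proc; returns 2 if that is not readable (non-Linux, other user).
proc_has_env() {
  _pid="$1"; _name="$2"
  [ -r "/proc/$_pid/environ" ] || return 2
  tr '\0' '\n' < "/proc/$_pid/environ" | grep -q "^$_name="
}

# Start the session server with the chosen options exported, e.g.
#   start_vhi fips        # FIPS 140-2 validated encryption
#   start_vhi tls1        # allow TLS 1.0/1.1 for a host that lacks TLS 1.2+
# Each assignment is exported so the exec'd server process inherits it.
start_vhi() {
  _assign=$(vhi_env_for "$@") || return 1
  for _kv in $_assign; do
    export "$_kv"
  done
  exec "$VHI_START_CMD"
}
```

After the server is up, `proc_has_env <pid> VHI_FIPS` is the quickest way to confirm the variable reached the process before you go looking in the Administrative Console or the session server log; a failure there almost always means the variable was set in a shell but never exported, or was set in a different login session from the one that started the service.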