Security tab
All BlueZone emulator clients support the SSL v3 or TLS v1 protocol through the BlueZone Security Server or any SSL-enabled Telnet connection, including IBM Communications Server for NT (SSL v3 only), OS/390, z/OS, and the iSeries V4R4 or higher. BlueZone clients can be pre-configured for distribution with SSL/TLS enabled, eliminating the need for any end-user intervention in the installation or configuration process. The options for configuration include:
Security Options
If you want to encrypt your session, select one of the following encryption methods from the drop-down listbox. The method is dictated by the secure Telnet host that you are connecting to.
•  None:  Indicates that no encryption is being used.
•  Implicit SSL/TLS: Negotiates a secure connection to the host first, then negotiates the Telnet connection.
Note
In BlueZone versions prior to 5.1, enabling SSL/TLS encryption meant that Implicit SSL/TLS was used, even though the dialog did not expressly state Implicit SSL/TLS encryption.
•  Explicit SSL/TLS: Encryption is negotiated during the Telnet negotiation.
SSL Version
Specifies which version of the SSL protocol is used:
♦  SSL v3: (Default) Specifies that SSL version 3 is used.
♦  TLS v1: Specifies that TLS version 1 is used.
Note
SSL v3 and TLS v1 are nearly identical. TLS v1 is preferred.
Invalid Certificates
Specifies how to handle an invalid server certificate. Options include:
♦  Always Reject: Specifies that an invalid server certificate must always be rejected.
♦  Ask Before Accepting: (Default) Specifies that the user must be asked whether to accept an invalid server certificate.
♦  Always Accept: Specifies that an invalid server certificate must always be accepted.
•  Preferred Cipher Suite: Specifies a particular SSL/TLS cipher suite (encryption algorithm) to use. To allow the client and server to negotiate the cipher suite, select None.
•  Alternate Principal Name: Type a valid address in this field; it is used to validate the server certificate.
When the Common Name (CN) or AltSubjectName in a host site's server certificate does not match the address used to connect to the host, a certificate error occurs, stating that the host address does not match the common name. If it is not possible to connect to the host address listed in the certificate, the address from the certificate can be typed into the Alternate Principal Name field. This address, rather than the host connection address, is then used to validate the server certificate.
•  Check for Certificate Revocation: When this option is checked, a revocation check is performed on the server certificate chain at connect time. The connection fails if a certificate has been revoked, if the revocation server cannot be contacted, or if revocation information is not listed in the certificate. Clearing this option bypasses certificate revocation checking.
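The name check that the Alternate Principal Name setting redirects, shown as an added Python example (not BlueZone code and not a description of BlueZone's internals). Assumptions: the certificate is a dict in the layout returned by Python's ssl.SSLSocket.getpeercert(), all host names and function names are constructed for illustration, and the wildcard rule goes beyond what this page describes.

```python
# Added example, not BlueZone code. Certificate dicts follow the layout of
# Python's ssl.SSLSocket.getpeercert(); every name below is constructed.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one certificate name to a host name, case-insensitively.
    A '*' is honoured only as the whole left-most label (an assumption)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject CN only when
    the certificate carries no DNS subjectAltName entries."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def reference_name(connect_address: str, alternate_principal_name: str = "") -> str:
    """Name the certificate is checked against: the alternate name when one is
    configured, otherwise the address used to connect."""
    return alternate_principal_name.strip() or connect_address


def name_check(cert: dict, connect_address: str, alternate_principal_name: str = "") -> bool:
    """True when any certificate name matches the reference name."""
    ref = reference_name(connect_address, alternate_principal_name)
    return any(_label_match(n, ref) for n in cert_names(cert))


# Constructed certificate: issued to DNS names, while users connect by IP address.
SAMPLE_CERT = {
    "subject": ((("commonName", "tn3270.example.com"),),),
    "subjectAltName": (("DNS", "tn3270.example.com"), ("DNS", "*.lpar.example.com")),
}

if __name__ == "__main__":
    print(name_check(SAMPLE_CERT, "192.0.2.10"))                           # mismatch
    print(name_check(SAMPLE_CERT, "192.0.2.10", "tn3270.example.com"))     # match
    print(name_check(SAMPLE_CERT, "192.0.2.10", "a.b.lpar.example.com"))   # mismatch
```

With an alternate name set, a passing check shows only that the server presented a certificate for the typed name; the connect address itself is no longer compared against the certificate.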