Connecting to host systemsBlueZone Mainframe Display and PrinterCreating BlueZone Mainframe Display or Printer connectionsTN3270E PropertiesSecurity tab

Security tab

All BlueZone emulator clients support the SSL v3 or TLS v1 protocol through the BlueZone Security Server or any SSL enabled Telnet connection including IBM Communications Server for NT (SSL v3 only), OS/390, z/OS, and the iSeries V4R4 or higher. BlueZone clients can be preconfigured for distribution with SSL/TLS enabled, eliminating the need for any end-user intervention in the installation or configuration process. The options for configuration include:

Security Options
Security Type
If you want to encrypt your session, select one of the following encryption methods from the drop-down list box. The method is dictated by the secure Telnet host that you are connecting to.
  • None: Indicates that no encryption is being used.
  • Implicit SSL/TLS: Negotiates a secure connection to the host first, then negotiates the Telnet connection.
  • Explicit SSL/TLS: Encryption is negotiated during the Telnet negotiation.
Security Provider
Specifies the SSL provider.
  • OpenSSL
  • MS-CAPI (Default)
SSL Version
Specifies the version of the SSL protocol that is used:
  • SSL v3: Specifies that SSL version 3 is used.
    Note: SSL v3 has numerous vulnerabilities and is no longer considered secure. This setting is NOT RECOMMENDED. We strongly recommend using TLS v1 instead.
  • TLS v1.0 (Default): Specifies that TLS version 1.0, 1.1, or 1.2 is used. The highest version supported by the client and the host will be used.
    Note: TLS v1.1 and 1.2 are not available on operating systems prior to Windows 7.
Preferred Cipher Suite
Specifies a specific SSL/TLS cipher suite (encryption algorithm) to use. To allow the client and server to negotiate the cipher suite, select Strong only.
Invalid Certificates
Specifies how to handle an invalid server certificate.
  • Always Reject: Specifies that an invalid server certificate must always be rejected.
  • Ask Before Accepting (Default):Specifies that the user must be asked whether to accept an invalid server certificate.
  • Always Accept: Specifies that an invalid server certificate must always be accepted.
Check for Certificate Revocation
When this is checked, a revocation check is performed on the server certificate chain at connect time, which will result in a connection failure if a certificate has been revoked; if the revocation server cannot be contacted; or if revocation information is not listed in the certificate. Clearing this bypasses the certificate revocation checking.
Alternate Principal Name
Type a valid address in this field to use to validate the server certificate.

When a host site's server certificate's Common Name (CN) or AltSubjectName does not match the address used to connect to the host, a certificate error occurs, stating that the host address does not match the common name. If it is not possible to connect to the host address listed in the certificate, the address from the certificate can be typed into the Alternate Principal Name field. This address, rather than the host connection address, will then be used to validate the server certificate.

Parent topic: TN3270E Properties