All BlueZone emulator clients support the SSL v3, TLS v1.0, TLS v1.1, or TLS
v1.2 protocol through the BlueZone Security Server or any SSL enabled Telnet connection
including IBM Communications Server for NT (SSL v3 only), OS/390, z/OS, and the iSeries V4R4
or higher. BlueZone clients can be preconfigured for distribution with SSL/TLS enabled,
eliminating the need for any end-user intervention in the installation or configuration
process. The options for configuration include:
- Security Options
-
- Security Type
- If you want to encrypt your session, select one of the following encryption methods from
the drop-down list box. The method is dictated by the secure Telnet host that you
are connecting to.
- None: Indicates that no encryption is being
used.
- Implicit TLS: Negotiates a secure connection to
the host first, then negotiates the Telnet connection.
- Explicit TLS: Encryption is negotiated during the
Telnet negotiation.
- Minimum TLS Version
- Specifies the minimum allowable TLS protocol version. A higher version
may be negotiated if the server supports it.
- SSL v3: Allows SSLv3 to be used. SSLv3 has numerous
vulnerabilities and is no longer considered secure. This setting is NOT RECOMMENDED.
- TLS v1.0 (Default): Specifies that at least TLS version 1.0 is
used. This is the default value.
- TLS v1.1: Specifies that at least TLS version 1.1 is used. This
version is supported on z/OS V1R11, and later.
- TLS v1.2: Specifies that at least TLS version 1.2 is used. This
version is supported on z/OS V1R13, and later.
- Preferred Cipher Suite
- Specifies a specific SSL/TLS cipher suite (encryption algorithm) to use. To allow the
client and server to negotiate the cipher suite, select Strong
only.
- Invalid Certificates
- Specifies how to handle an invalid server certificate.
- Always Reject: Specifies that an invalid server certificate
must always be rejected.
- Ask Before Accepting (Default):Specifies that the user must be
asked whether to accept an invalid server certificate.
- Always Accept: Specifies that an invalid server certificate
must always be accepted.
- Check for Certificate Revocation
- Specifies how to perform revocation checking on the server certificate chain at
connect time, which will result in a connection failure if a certificate has been
revoked, if the revocation server cannot be contacted, or if revocation
information is not listed in the certificate.
- Do Not Check: Performs no certificate revocation
checking.
- Server Certificate Only: Performs revocation checking
on the end server certificate only.
- Server and Chain Certificates: Performs revocation
checking on the end server certificate and the intermediate certificates in
the chain.
- Server, Chain, and Root Certificates: Performs
revocation checking on the end server certificate, the intermediate
certificates in the chain, and the root certificate.
- Alternate Principal Name
- Type a valid address in this field to use to validate the server certificate.
When a host site's server certificate's Common Name (CN) or
AltSubjectName does not match the address used to connect to the host, a certificate error
occurs, stating that the host address does not match the common name. If it is not
possible to connect to the host address listed in the certificate, the address from the
certificate can be typed into the Alternate Principal Name field.
This address, rather than the host connection address, will then be used to validate the
server certificate.