Connecting to host systemsBlueZone iSeries Display and PrinterCreating BlueZone iSeries Display and Printer connectionsTN5250E PropertiesSecurity tab

Security tab

All BlueZone emulator clients support the SSL v3, TLS v1.0, TLS v1.1, or TLS v1.2 protocol through the BlueZone Security Server or any SSL enabled Telnet connection including IBM Communications Server for NT (SSL v3 only), OS/390, z/OS, and the iSeries V4R4 or higher. BlueZone clients can be preconfigured for distribution with SSL/TLS enabled, eliminating the need for any end-user intervention in the installation or configuration process. The options for configuration include:

Security Options
Security Type
If you want to encrypt your session, select one of the following encryption methods from the drop-down list box. The method is dictated by the secure Telnet host that you are connecting to.
  • None: Indicates that no encryption is being used.
  • Implicit TLS: Negotiates a secure connection to the host first, then negotiates the Telnet connection.
  • Explicit TLS: Encryption is negotiated during the Telnet negotiation.
Minimum TLS Version
Specifies the minimum allowable TLS protocol version. A higher version may be negotiated if the server supports it:
  • SSL v3: Allows SSLv3 to be used. SSLv3 has numerous vulnerabilities and is no longer considered secure. This setting is NOT RECOMMENDED.
  • TLS v1.0 (Default): Specifies that at least TLS version 1.0 is used. This is the default value.
  • TLS v1.1: Specifies that at least TLS version 1.1 is used.
  • TLS v1.2: Specifies that at least TLS version 1.2 is used.
Preferred Cipher Suite
Specifies a specific SSL/TLS cipher suite (encryption algorithm) to use. To allow the client and server to negotiate the cipher suite, select Strong only.
Invalid Certificates
Specifies how to handle an invalid server certificate.
  • Always Reject: Specifies that an invalid server certificate must always be rejected.
  • Ask Before Accepting (Default): Specifies that the user must be asked whether to accept an invalid server certificate.
  • Always Accept: Specifies that an invalid server certificate must always be accepted.
Check for Certificate Revocation
Specifies how to perform revocation checking on the server certificate chain at connect time, which will result in a connection failure if a certificate has been revoked, if the revocation server cannot be contacted, or if revocation information is not listed in the certificate.
  • Do Not Check: Performs no certificate revocation checking.
  • Server Certificate Only: Performs revocation checking on the end server certificate only.
  • Server and Chain Certificates: Performs revocation checking on the end server certificate and the intermediate certificates in the chain.
  • Server, Chain, and Root Certificates: Performs revocation checking on the end server certificate, the intermediate certificates in the chain, and the root certificate.
Alternate Principal Name
Type a valid address in this field to use to validate the server certificate.

When a host site's server certificate's Common Name (CN) or AltSubjectName does not match the address used to connect to the host, a certificate error occurs, stating that the host address does not match the common name. If it is not possible to connect to the host address listed in the certificate, the address from the certificate can be typed into the Alternate Principal Name field. This address, rather than the host connection address, will then be used to validate the server certificate.

Parent topic: TN5250E Properties