End-to-end Security Settings

Getting there

You can access this dialog box from the TCP/UDP Path Options dialog box. To access this dialog box, you must launch InfoConnect from the centralized management server, configure the session to use the Security Proxy, and enable End-to-end security as described here:

Launch an InfoConnect Workspace session from the centralized management server.
Use the path wizard to create a path. When asked to select how this path will connect to the Host, select Reflection security proxy.
When you select a proxy, enable End-to-end security, and enter your host address and port.
Configure the remaining Wizard settings, then click OK in the Create Document dialog box.

Open the dialog box. (For example, from the File

The steps depend on your user interface mode.

Ribbon	From the File menu, click InfoConnect Workspace Settings (under the Recent Documents list).
InfoConnect Browser	On the InfoConnect menu, choose Settings and then InfoConnect Workspace Settings.
TouchUX	Tap the Gear icon and then select InfoConnect Workspace Settings.
Classic MDI	From the Options menu, select Global Preferences.

Click Manage Path.
In the Manage Path dialog box, select the path you are configuring, then click Modify the selected path. This opens the Database Editor.
Open the TCP/UDP Path Options dialog box. The steps depend on your connection type. For example:
- For an INT1 connection, click the Connection tab, then click Advanced.
- For a TCPA connection, from the Path tab, under Host, click Advanced.
Confirm that End-to-end security is enabled, then click End-to-end settings.

When you configure connections using the centralized management server Security Proxy, the connection between the client and the Security Proxy server is secured and encrypted using the SSL/TLS protocol. By default, the information sent between the proxy server and the destination host is in the clear. When you enable the End-to-End security, information sent between the Security Proxy the destination host is also encrypted. This is done by tunneling an TLS/SSL direct connection to the host through the centralized management server security proxy.

Use the End-to-end Settings dialog box to configure the SSL/TLS settings for the direct connection to the host. The options are:

Security type

Specify which version of TLS to use.

Encryption strength

Specify the desired level of encryption for TLS connection. The connection will fail if this level cannot be provided. If you select auto, any encryption level is permitted, and InfoConnect will negotiate with the host system to choose the strongest encryption level supported by both the host and the client.

Verify host name against host certificate name

Specifies whether host name matching is required when validating host certificates. When this setting is enabled (the default), the host name you configure for the path in the TCP/UDP Path Options dialog box must exactly match a host name or IP address entered in either the CommonName or the SubjectAltName field of the certificate.

This setting is required for DOD PKI users.

Certificate revocation

Use CRL	Select this option to validate the authenticating certificate by checking it against a digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.
OCSP	Select this option as an alternative to CRL checking to confirm whether a certificate is valid. OCSP uses the HTTP transport and responds to certificate status requests with one of three digitally signed responses: "good", "revoked", and "unknown".OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.

User authentication certificate

Pick identity certificate automatically	When you select this option, InfoConnect presents all available personal certificates to the server for client authentication.
Use the selected identity certificate	Select this option to specify a particular certificate. Type the name of a user certificate to use for client authentication, or click Browse to select it from a list of personal certificates available in the Reflection Certificate Manager store and the Windows system store.

Reflection Certificate Manager

Click to import and manage user certificates in the Reflection Certificate Manager.