Use this procedure to configure a 3270 session with end-to-end security in Management and Security Server. This configuration combines user authorization with security from Extra! to the destination host.
You can optionally configure these connections to use IBM Express Logon (also referred to as ELF) when using a 3270 connection to an IBM mainframe.
SSL/TLS is enabled on the host. See the documentation included with the host for instructions.
An installation of Management and Security Server. The Security Proxy must be configured to require Client authorization. (It can optionally be configured to require Client authentication. For client authentication, you can use a single certificate or two separate client certificates on each server (Security Proxy and destination host).)
Digital certificates. To successfully establish the SSL/TLS sessions between the client and the Security Proxy, and the client and the destination host, you may need multiple digital certificates. See Authenticating with Certificates in Extra!.
Server certificates
Destination SSL/TLS hosts and Security Proxy servers typically have server certificates already installed. Each of these server certificates must be trusted by the client. The client will trust a server certificate if:
To use a single server certificate for both the destination host and the Security Proxy, do one of the following:
Client certificates
Certificates used for client authentication must be signed by a certificate authority that is trusted by both the Security Proxy and the destination host’s SSL/TLS server. Express Logon also requires that the client certificate used to authenticate on the TN3270 server be registered with RACF. (For details, see the documentation that came with the 3270 server.)
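One way to confirm the client certificate requirement above before configuring the session, shown as an added example that is not part of the product documentation: the script uses the OpenSSL command line to check that a client certificate chains to a CA in both the Security Proxy's and the destination host's trust lists. The function names, PEM file names, and demo CAs are constructed for illustration, and it assumes each server's trusted CA certificates have been exported to a PEM bundle.

```shell
#!/bin/sh
# Added example: checks the client-certificate prerequisite with the OpenSSL CLI
# (1.1.0 or later assumed). Function and file names are hypothetical.

# Return 0 only if CERT chains to a CA in BOTH PEM trust bundles.
check_client_cert_trust() {
    cert=$1 proxy_trust=$2 host_trust=$3 rc=0
    for pair in "Security Proxy:$proxy_trust" "destination host:$host_trust"; do
        side=${pair%%:*} bundle=${pair#*:}
        if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            echo "OK: trusted by $side"
        else
            echo "FAIL: not trusted by $side"
            rc=1
        fi
    done
    return $rc
}

# Constructed test material: two throwaway CAs plus one client certificate
# signed by the first CA, all written to directory $1.
make_demo_pki() {
    d=$1
    for ca in ca_a ca_b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo 3270 user" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca_a.pem" -CAkey "$d/ca_a.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
echo "Case 1: proxy and host both trust the issuing CA"
check_client_cert_trust "$demo_dir/client.pem" "$demo_dir/ca_a.pem" "$demo_dir/ca_a.pem"
echo "Case 2: host trusts a different CA, so the host-side check fails"
check_client_cert_trust "$demo_dir/client.pem" "$demo_dir/ca_a.pem" "$demo_dir/ca_b.pem" || true
rm -rf "$demo_dir"
```

With real files, call `check_client_cert_trust` with the client certificate and the two exported trust bundles; a non-zero exit status means at least one server would reject the certificate.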
To configure a session with end-to-end encryption
In a web browser, start Management and Security Server by setting the URL to:
http://server:port/mss/AdminStart.html
where server and port are replaced with the Management and Security Server address.
Click Administrative WebStation and log on as administrator.
From the left pane, click Session Manager.
Add a new session or select an existing session, and click Launch.
Follow the wizard's prompts to configure the session. Make sure to leave the default option Reflection Security Proxy selected as the type of connection.
On the Reflection Security tab, from the Proxy server address menu, specify a Reflection Security Proxy Server.
A description of the selected Reflection Security Proxy Server appears below the fields.
Enter a Destination host and Destination port (the Destination port should be the SSL/TLS port on the host, for example, buttercup.flowers.com:3000), and then select the End-to-end security check box.
Click Next and continue through the wizard to complete the configuration.
When you click Finish, the session opens in Extra!.
Exit Extra! and save the session.
To create another session, repeat this procedure. You can only create (or have open) one session at a time when running Extra! in Administrative WebStation mode.
Next, make the session available to specific users.