Make a secure emulation connection to a trusted host

Follow these steps to configure a TLS connection between the Host Access for the Cloud session server and a host that supports TLS:

  1. Configure the trusted keystore in MSS.

  2. Configure the terminal session.

How to configure the keystore in MSS

For a session to trust the TLS host it connects to, the public certificate of the host must be added to a trusted keystore using the Management and Security Server (MSS). The Host Access for the Cloud session retrieves this certificate the first time a session connects.

Open the MSS Administrative Console > Configure Settings > Trusted Certificates and choose Terminal Emulator Clients. You can access the documentation for the Administrative Console by clicking the Help icon in the upper right of the page.

When the certificate is successfully added to the MSS server's trusted keystore, you are returned to the list of certificates and you should see the new host.

How to configure a HA Cloud terminal session

Depending on your host type, you can configure a terminal session using different security protocols.

Type

Procedure

Using TLS

To connect to the new trusted host using TLS, configure a terminal session as usual, and in the Settings dialog box, specify TLS as the security protocol. Make sure to specify the correct TLS port for the connection.

Using Secure Shell (SSH) with VT host types

Secure shell provides encrypted communications between the client and a VT host.

MSS has a known hosts list that contains the public keys of hosts that you can connect to using SSH. SSH connections can be made only to hosts already trusted by an administrator.

The first time an SSH connection is made from a session to a host, the known hosts file is downloaded from MSS to the session server.

When you attempt to create or edit a session using SSH in the session management panel, you will be notified if the key is not recognized as trusted and asked if you want to trust the key and continue.

  • If you enter yes, the host will be trusted and added to the known hosts list, and you will be prompted for the SSH host password.

  • If you do not answer yes, then the host will remain untrusted and the session will be disconnected.

You can also configure the SSH known hosts file manually by establishing an SSH connection from a session to the host, and adding the remote host’s key fingerprint to the known hosts list in MSS.

Configure the known hosts file for SSH connections in MSS

  1. Connect to the system where MSS is installed and navigate to the server’s certificates folder: C:\ProgramData\Micro Focus\Mss\MssData\certificates (Windows) or /var/opt/microfocus/mss/Mssdata/certificates (UNIX).

  2. Copy the public certificate file of the new SSH host into the MssData/certificates (Windows) or /etc/ssh/ssh_host_rsa_key.pub (UNIX) folder described above. Only ssh-rsa and ssh-dss are valid as public key types for MSS known_hosts entries.

    The host’s public key format can be OpenSSH, Base64-encoded, .DER, or .PFX. The file should follow this format: hostname, IP-address key-type key. For example, a public key entry might look like this: alpsuse132, 10.117.16.232 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...........

  3. Log in to MSS (for example, http://mycompany.com/adminconsole).

  4. Open the Administrative Console.

  5. Click Configure Settings > Secure Shell.

  6. Follow the directions in MSS to import a known host. After the public key is imported into the known hosts file, you will return to the Secure Shell Known Hosts page and the new host will appear in the list.
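
Before importing, an administrator can sanity-check an OpenSSH-format entry against the rules in step 2. The script below is an added example, not part of the product or its documentation: it checks the "hostname, IP-address key-type key" layout, rejects key types other than ssh-rsa and ssh-dss, confirms that the type embedded in the key blob matches the declared type, and computes a SHA-256 fingerprint for out-of-band comparison with the host. Assumptions: the names check_entry and sample_blob are hypothetical, the sample key is constructed filler rather than a real key, and the fingerprint uses the form printed by OpenSSH's ssh-keygen -l, which the page does not say MSS displays.

```python
import base64
import binascii
import hashlib
import struct

# The only key types the page says are valid for MSS known_hosts entries.
ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}


def check_entry(line):
    """Validate one 'hostname, IP-address key-type key' line.

    Returns (hosts, key_type, fingerprint); raises ValueError on a bad entry.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hostname, IP-address key-type key")
    key_type, b64_key = fields[-2], fields[-1]
    # Host names may be separated by ',' with or without a following space.
    hosts = [h for f in fields[:-2] for h in f.split(",") if h]
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type!r} is not ssh-rsa or ssh-dss")
    try:
        blob = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key is not valid Base64: {exc}") from None
    # An SSH public key blob begins with a uint32 length and the key type name.
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"declared {key_type!r} but key blob says {embedded!r}")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return hosts, key_type, fingerprint


def sample_blob(key_type):
    """Constructed test data, NOT a real key: type header plus filler bytes."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name + b"\x00" * 32
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    entry = f"alpsuse132, 10.117.16.232 ssh-rsa {sample_blob('ssh-rsa')}"
    print(check_entry(entry))
```

A mismatch between the declared and embedded key type, or a key that fails Base64 decoding (such as a truncated copy), raises ValueError before the entry ever reaches the trusted list.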