10.1 Secure Connections

InfoConnect supports a number of secure protocols. The protocols available depend on your session type.

Session types: ALC, T27, UTS, IBM 3270, IBM 5250, VT, HP, FTP Client

  • FIPS Mode: available in all of the session types listed above.

  • SSL/TLS: available in all of the session types listed above.

  • SSH: available in VT, HP, and FTP Client sessions.

  • PCI DSS, Kerberos, and SOCKS: available in a subset of the session types listed above; see Secure Connections in the InfoConnect product help for the session types each one supports.

This topic provides information about deploying configuration for some encrypted connection types. For additional information, see Secure Connections in the InfoConnect product help.

10.1.1 Digital Certificates and Reflection Certificate Manager

You can configure certificate authentication for both Secure Shell and SSL/TLS connections.

  • All SSL/TLS sessions require certificates for host authentication; without the necessary certificate, you cannot make a host connection. Depending on the host configuration, you may also need to install certificates for user authentication.

  • Secure Shell sessions typically require both host and user authentication. Certificates can be used for host authentication, user authentication, or both, but are not required by default.

Certificate authentication solves some of the problems presented by public key authentication. For example, for host public key authentication, the system administrator must either distribute host keys for every server to each client's known hosts store, or count on client users to confirm the host identity correctly when they connect to an unknown host. When certificates are used for host authentication, a single CA root certificate can be used to authenticate multiple hosts. In many cases the required certificate is already available in the Windows certificate store.

Digital certificates are maintained on your computer in certificate stores. A certificate store contains the certificates you use to confirm the identity of remote parties, and may also contain personal certificates, which you use to identify yourself to remote parties. Personal certificates are associated with a private key on your computer.

You can use digital certificates located in either or both of the following stores:

  • The Windows Certificate Store

    This store can be used by a number of applications, web browsers, and mail clients. Some certificates in this store are included when you install the Windows operating system. Others may be added when you connect to internet sites and establish trust, when you install software, or when you receive an encrypted or digitally signed e-mail. You can also import certificates manually into your Windows store. Manage the certificates in this store using the Windows Certificate Manager.

  • The Reflection Certificate Manager Store

    This store is used only by Micro Focus applications. To add certificates to this store, you must import them manually. You can import certificates from files and also use certificates on hardware tokens such as smart cards.

Reflection Certificate Manager

Use the Reflection Certificate Manager to manage certificates for use exclusively by InfoConnect. Settings and certificates are saved to files in %userprofile%\documents\Micro Focus\InfoConnect\.pki.

You can deploy certificates and settings per-user or for all users of the system. These settings are not included in compound documents.

  • User-specific location: %userprofile%\documents\Micro Focus\InfoConnect\.pki\

  • Global location: %ProgramData%\Micro Focus\Reflection\.pki\

The procedures for opening the Certificate Manager depend on your product and session type.

NOTE: For InfoConnect Airline products that run Windows services (this includes some Airline transports, PTR, and Airlines Gateway), the certificates need to be accessible from the SYSTEM account. This means that these certificates must be in a public documents location rather than a user-specific one.

From the Secure Shell Settings dialog box

  1. Open the Reflection Secure Shell Settings dialog box.

  2. On the PKI tab, click Reflection Certificate Manager.

From the Security Properties dialog box

  1. Open the Security Properties dialog box.

  2. On the SSL/TLS tab, select Use SSL/TLS Security.

  3. Click Configure PKI.

  4. Click Reflection Certificate Manager.

From the InfoConnect TCP/UDP Path Options dialog box

  1. Set Security type to something other than No Security.

  2. Click PKI Settings.

  3. Click Reflection Certificate Manager.

10.1.2 SSL/TLS Connections

SSL/TLS connections use digital certificates for authentication. Depending on how your certificate was issued and the way your host is configured, you may need to install a host and/or personal certificate before you can connect using SSL/TLS.

  • In ALC, UTS, and T27 sessions, the SSL/TLS connection settings are included in the path.

  • In 3270, 5250, and VT sessions, SSL/TLS connection settings are saved to the session document.

  • In the FTP Client, SSL/TLS connection settings are saved to the FTP Client settings file (*.rfw).

To configure SSL/TLS in most ALC, UTS, and T27 sessions

  1. Open the TCP/UDP Path Options dialog box for the path used for the connection.

  2. Set Security type to the version you require.

  3. Click PKI Settings to open the PKI Settings dialog box. From this dialog box, you can configure certificate revocation settings, and whether host name matching is required. You can also use it to access the Reflection Certificate Manager to configure host and user certificates for the connection.

To configure SSL/TLS in ALC or UTS sessions that use the MATIP transport

  1. Open the MATIP Host Configuration dialog box for the path used for the connection.

  2. Set Security type to the version you require and configure certificate revocation settings, and whether host name matching is required.

  3. Click Reflection Certificate Manager to configure host and user certificates for the connection.

To configure SSL/TLS in 3270, 5250, or VT terminal sessions

  1. Open the Create New Document dialog box, select a session template and click Create.

  2. Select Configure additional settings, and then click OK.

  3. Do one of the following:

    • If you are setting up a 3270 or 5250 terminal session, under Host Connection, click Set Up Connection Security. Then, in the Configure Advanced Connection Settings dialog box, click Security Settings.

    • If you are setting up a VT terminal session, click Configure Connection Settings, confirm Network Connection Type is set to Telnet, and click the Back arrow button. Then, under Host Connection, click Set Up Connection Security.

  4. From the Security Properties dialog box, select the SSL/TLS tab, and select Use SSL/TLS security.

  5. Click Configure PKI to configure certificate settings.

    NOTE: To “lock down” these settings, see “Lock Down” InfoConnect To Restrict Access to Controls.

To configure SSL/TLS in FTP Client Sessions

  1. Start the FTP Client.

  2. In the Connect to Site dialog box, select a site and click Security.

  3. Click the SSL/TLS tab and select Use SSL/TLS security.

  4. Click Configure PKI to configure certificate settings.

10.1.3 Secure Shell Connections

Secure Shell connections are available for VT terminal sessions and for SFTP transfers in the FTP Client.

By default, Secure Shell connections use public key authentication for the host and username/password authentication for the user. If you configure non-default settings, they are saved for each host (or ssh configuration scheme) to the ssh configuration file. This file is used for all connections (VT sessions and the FTP Client). You can deploy these settings per-user or for all users of the system. These settings are not included in compound documents.

  • User-specific configuration: %userprofile%\documents\Micro Focus\InfoConnect\.ssh\config

  • Global configuration: %ProgramData%\Micro Focus\Reflection\ssh_config

To configure a secure terminal session using Secure Shell (SSH)

  1. Open the Create New Document dialog box, select the VT Terminal template and click Create.

  2. In the Create New dialog box, under Connection, select Secure Shell and click OK.

  3. Click OK.

To configure non-default Secure Shell settings

  1. Open a session that you have configured to use Secure Shell. Disconnect if you are connected.

  2. Open the Document Settings dialog box.

  3. Under Host Connection, click Set up Connection Security.

  4. In the Reflection Secure Shell Settings dialog box, configure any non-default settings and then click OK.

    When you click OK, changes to the default settings are saved in the Secure Shell config file in %userprofile%\documents\Micro Focus\InfoConnect\.ssh.

To configure username and password prompts to appear in the terminal window

  1. Open a session that you have configured to use Secure Shell. Disconnect if you are connected.

  2. Under Host Connection, click Configure Connection Settings.

  3. Under Connection Options, select Handle SSH user authentication in terminal window.

NOTE: To “lock down” these settings, see “Lock Down” InfoConnect To Restrict Access to Controls.

Known Hosts

Host authentication (performed with public key authentication) enables the Secure Shell client to reliably confirm the identity of the Secure Shell server. If the host public key is not installed on the client, the host fingerprint is displayed and users are prompted to contact the system administrator to verify the fingerprint. This confirmation prevents a "man-in-the-middle" attack, in which another server poses as the host. If you select Always in response to this prompt, the host key is saved in a file called known_hosts, which is created in %userprofile%\documents\Micro Focus\InfoConnect\.ssh. After the host key is added, InfoConnect Desktop can authenticate the server without requiring user confirmation, and the unknown host prompt does not appear again.

To prevent end users from seeing the unknown host message, you can deploy a known hosts file per-user or for all users of the system. These settings are not included in compound documents.

  • User-specific file: %userprofile%\documents\Micro Focus\InfoConnect\.ssh\known_hosts

  • Global file: %ProgramData%\Micro Focus\Reflection\ssh_known_hosts
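Deploying a known_hosts file removes the fingerprint prompt for end users, so the administrator who builds that file has to do the fingerprint check on their behalf before it is copied to the per-user or global location above. The following Python script is an added example, not InfoConnect code: it parses OpenSSH-format known_hosts entries, checks that the declared key type matches the type embedded in the key blob, computes the SHA256 fingerprint of each host key, compares it with a published {host: fingerprint} list, and only then writes the file to a destination such as the global ssh_known_hosts path. The two file locations are the ones documented on this page; the host names, the ed25519 key blob and the published fingerprint list are constructed placeholders.

```python
"""Check a Secure Shell known_hosts file against administrator-published host key
fingerprints before deploying it to the per-user or global InfoConnect location.

Added example, not InfoConnect code. The two file locations are the ones documented
on this page; the host names, the host key and the fingerprint list are constructed."""
import base64
import hashlib
import os
import struct
from pathlib import Path

# Deployment locations documented for InfoConnect. The global file applies to all users.
USER_KNOWN_HOSTS = Path(os.path.expandvars(
    r"%userprofile%\documents\Micro Focus\InfoConnect\.ssh\known_hosts"))
GLOBAL_KNOWN_HOSTS = Path(os.path.expandvars(
    r"%ProgramData%\Micro Focus\Reflection\ssh_known_hosts"))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def render_known_hosts_line(hosts, key_type: str, key_blob: bytes) -> str:
    """Build one known_hosts entry: comma-separated host names, key type, base64 key."""
    return f"{','.join(hosts)} {key_type} {base64.b64encode(key_blob).decode('ascii')}"


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, key_blob) for one entry, raising ValueError if malformed."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # marker such as @cert-authority or @revoked
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected 'hosts key-type base64-key'")
    hosts, key_type, encoded = fields[0], fields[1], fields[2]
    if hosts.startswith("|1|"):
        raise ValueError("hashed host names cannot be matched against a published list")
    key_blob = base64.b64decode(encoded, validate=True)
    # The blob starts with the key type as an SSH string; it must agree with the declared
    # type, otherwise the entry was edited by hand or corrupted.
    if len(key_blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", key_blob[:4])
    embedded_type = key_blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(f"declared type {key_type} but key blob says {embedded_type}")
    return hosts.split(","), key_type, key_blob


def validate_known_hosts(text: str, published: dict) -> list:
    """Compare every entry with the published {host: fingerprint} list.

    Returns a list of problems; an empty list means the file is safe to deploy."""
    problems = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            hosts, _key_type, key_blob = parse_known_hosts_line(line)
        except (ValueError, struct.error) as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        actual = fingerprint_sha256(key_blob)
        for host in hosts:
            seen.add(host)
            expected = published.get(host)
            if expected is None:
                problems.append(f"line {lineno}: {host} is not in the published list")
            elif expected != actual:
                problems.append(f"line {lineno}: fingerprint mismatch for {host} ({actual})")
    for host in published:  # every published host must be covered, or users get the prompt
        if host not in seen:
            problems.append(f"no entry for published host {host}")
    return problems


def deploy_known_hosts(text: str, published: dict, destination) -> Path:
    """Write the file to destination only if every entry passes validation."""
    problems = validate_known_hosts(text, published)
    if problems:
        raise ValueError("refusing to deploy known_hosts: " + "; ".join(problems))
    destination = Path(destination)
    destination.parent.mkdir(parents=True, exist_ok=True)
    destination.write_text(text, encoding="ascii")
    return destination


# Constructed sample data: an ssh-ed25519 blob whose 32-byte public value is a placeholder.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_HOSTS = ["host.example.com", "10.0.0.5"]
SAMPLE_KNOWN_HOSTS = "# constructed example\n" + render_known_hosts_line(
    SAMPLE_HOSTS, "ssh-ed25519", SAMPLE_KEY_BLOB) + "\n"
# What the administrator would publish after reading the fingerprint on the server itself.
SAMPLE_PUBLISHED = {host: fingerprint_sha256(SAMPLE_KEY_BLOB) for host in SAMPLE_HOSTS}

if __name__ == "__main__":
    for problem in validate_known_hosts(SAMPLE_KNOWN_HOSTS, SAMPLE_PUBLISHED):
        print(problem)
    print("checked", len(SAMPLE_HOSTS), "host names; deploy with",
          "deploy_known_hosts(text, published, GLOBAL_KNOWN_HOSTS)")
```

The published fingerprint list is the administrator's own record, taken from each server out of band; the script refuses to write anything when a host is missing, a fingerprint differs, or an entry's key blob disagrees with its declared key type. Hashed host names (|1| entries) are rejected because they cannot be matched against a name-keyed list.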