How to Enable FIPS in Reflection for IBM 2007
Technical Note 2216
Last Reviewed 06-Jul-2007
Applies To
Reflection for IBM 2007
Summary
Follow the steps in this technical note to enable FIPS (Federal Information Processing Standards) mode in Reflection for IBM 2007.
For general information about FIPS mode, see http://www.attachmate.com/docs/reflection/2007/R1/Guide/6499.htm.
Note: To successfully connect in FIPS mode, your server must support "high-encryption" capabilities.
Step 1 Download and Copy the ReflectionPolicy.adm File
Download and unzip the Reflection policy template:
- From the Attachmate Download Library, download the file ReflectionPolicy.zip.
- Unzip the file to the %systemroot%\inf folder (for example, C:\Windows\inf\).
Step 2 Install the Group Policy
To use this policy, first add the Reflection policy template (the ReflectionPolicy.adm file) to your Windows Group Policy editor.
- Run Gpedit.msc from the command line, or open the properties for an Organizational Unit in the Active Directory Users and Computers console, click the Group Policy tab, and edit or create a new policy object.
- Expand the User Configuration tree.
- Right-click the Administrative Templates container and select Add/Remove Templates.
- In the Add/Remove Templates dialog box, click Add and browse to the %systemroot%\inf folder (for example, "C:\Windows\inf").
- Select the ReflectionPolicy.adm file. Open the template, and then close the Add/Remove Templates dialog box.
Step 3 Configure FIPS-Only Mode
Once you have added the template, use it to configure the policy.
- In the Group Policy Object Editor, under User Configuration, expand Administrative Templates, and then expand Classic Administrative Templates (ADM).
- Click the Reflection Settings tree and, in the right pane, double-click "Allow non-FIPS mode."
- On the Setting tab, select Disabled, and then click OK.
Note: "Allow non-FIPS mode" is the only policy supported by Reflection for IBM 2007 at this time. Do not change other Reflection policies included in the template.
Step 4 Configure Reflection for IBM 2007 Security Settings
- In the Reflection Workspace, open or create a document.
- On the Session ribbon, click the Host setup icon.
- In the left pane, click Configure Advanced 3270 Settings (or Configure Advanced 5250 Settings).
- Jump to (or scroll to) Security and click the Security Settings button.
- In the Security Properties dialog box on the SSL/TLS tab, select the "Use SSL/TLS security" check box.
- Verify that TLS Version 1.0 (the default) is the SSL/TLS version selected.
- Click OK.
Troubleshooting Tips
The following error may appear if you configure the FIPS-only mode policy but do not configure the Reflection for IBM 2007 security settings:
Figure 1. The selected operation/feature is not available in FIPS mode.
The following error may appear if your host does not support high-encryption:
Figure 2. Reflection SSL/TLS could not establish an encrypted connection.
Related Technical Notes
| 2211 | Reflection for IBM 2007 Technical Notes |