Configuring Secure Connections (including FIPS 140-2) in EXTRA!

  • 7021783
  • 14-Nov-2007
  • 02-Mar-2018

Environment

EXTRA! X-treme version 9.0 SP1

Situation

Beginning in EXTRA! X-treme 9 SP1, Attachmate enhanced security by adding TLS and data encryption components that meet FIPS 140-2 requirements. Client authentication options have also been changed in this release. This technical note explains the new features and describes how to configure them.

When you create a new session, you can select the Attachmate Security check box to configure the encryption level to None, SSL/TLS, or FIPS 140-2. When Attachmate Security is not selected, the encryption options are None and SSL v3.0.

Existing sessions will continue to use their original connection configuration unless you manually edit the connection properties and change to Attachmate Security.

New sessions created in EXTRA! 9 SP1 include the Attachmate Security feature, and by default, the security level is set to None.

Resolution

Use the Configure Connection dialog box to configure your connection security options.

Note: In addition to supporting IPv4, EXTRA! 9 SP1 introduces support for IPv6. If your host supports IPv6, simply enter the host name or IPv6 address (see example below) in the Host alias/IP address field.

2245_0.gif

In the Configure Connection dialog box, under Encryption, when you select the "Use Attachmate security" check box, the Level of encryption drop-down list offers three options:

None

None is the default selection. If you select None as your level of encryption, the connection will not use SSL.

SSL/TLS

When you select SSL/TLS, the connection will use SSL or TLS. This option replaces the SSL 3.0 option available in versions of EXTRA! earlier than version 9 SP1.

The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to established a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between EXTRA! and the server is encrypted.

Authentication is accomplished by sending an X.509 security certificate. Authentication occurs automatically and invisibly as the first step of establishing an SSL/TLS connection. SSL/TLS connections require the client to authenticate the server. It is optional for the server to authenticate the client.

Once an encrypted connection is established, data is transmitted using the encryption level you specified in the Configure Connection dialog box.

Data Encryption Standards

The SSL/TLS option supports the following data encryption standards:

RC2 (40-bit)
RC4 (40-, 56- and 128-bit)
DES (56-bit)
TripleDES (168-bit)
AES (128-bit)

FIPS 140-2

When you select the FIPS 140-2 option, the connection will be made using security protocols and algorithms that meet FIPS 140-2 standards.

What is FIPS 140-2?

The United States government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in eleven categories by independent, US government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of certified products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at http://csrc.nist.gov/cryptval/vallists.htm.

Client Authentication

Beginning in EXTRA! 9 SP1, client authentication is available for both 3270 and 5250 connections.

For 3270 Connections

Client authentication has been enhanced in EXTRA! 9 SP1. In the Client Authentication section of the Configure Connection dialog box, you can choose from two options: Automatically select certificate and Manually select certificate.

If you choose the Manually select certificate option, the Select Certificate dialog box opens with a list of the certificates in your personal store. (Note that if you run EXTRA! on Windows 2000, the Client Certificate Selection dialog box used in versions prior to 9 SP1 will open.) Select a certificate and click the View Certificate button to view specific information about the selected certificate.

For 5250 Connections

Beginning in EXTRA! 9 SP1, client authentication is supported in TN5250 connections. When you configure settings for your connection, on the General tab in the Security options section, select the "Provide client identity" check box and then click the Select button to select the certificate to use.

Note: Beginning in EXTRA! 9 SP1, IPv6 is supported in addition to IPv4. You can connect by entering the Host name, or if your host supports IPv6, simply enter the host IPv6 address (see example above) in the Host alias/IP address field.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2245.