SSL Encryption Strength Configuration in EXTRA! 9 SP2 or higher

  • 7021374
  • 15-Jul-2008
  • 02-Mar-2018

Environment

EXTRA! X-treme version 9.0 SP2 or higher

Situation

This technical note describes a new setting available in EXTRA! 9 Service Pack 2 (SP2) to configure SSL/TLS encryption key strength for Attachmate Security.

Resolution

Beginning in EXTRA! 9.0 SP2, the SSLEncryptionStrength setting permits selection of a set of SSL encryption ciphers by specifying the encryption key strength. For example, you can now specify that EXTRA! connect over SSL using encryption algorithms that use 128-bit keys. This feature applies only when Attachmate Security is selected in a connection configuration dialog, and either SSL/TLS or FIPS 140-2 security is selected as the level of encryption.

Enabling New SSLEncryptionStrength Setting

To enable the SSLEncryptionStrength setting in EXTRA! 9 SP2 or higher, follow these steps:

  1. Open the session profile (EDP file) for a session whose encryption strength you want to restrict. Session files are normally stored in the user’s Documents folder under Attachmate\EXTRA!\Sessions.
  2. In the EDP file, add a new setting to the [Connection] section called SSLEncryptionStrength. Valid values are currently 40, 56, 128, 168 and 256.

For example, setting SSLEncryptionStrength=128 results in EXTRA! offering cipher suites that use only 128-bit keys for data encryption during the SSL handshake. If the SSL server supports any of these cipher suites, it chooses the one that provides what it considers to be the greatest level of security at an encryption strength of 128 bits. This cipher suite is then used for the duration of the SSL session.

Omitting this setting from the EDP file or giving it an invalid value results in EXTRA!'s default behavior: offering all valid cipher suites for the selected operating mode (SSL/TLS or FIPS).

Note: This setting is ignored by the other two SSL engines: Microsoft Secure Channel (offered only with IBM Mainframes) and EXTRA!'s legacy SSL (SSL V3.0).

Important Note

By default, Attachmate Security connects at the highest level of security that both EXTRA! and the SSL server support. Use this SSLEncryptionStrength setting only when you want to ensure that the selected level is used or want a level lower than the highest supported. We recommend against using this new setting without fully understanding the consequences.

Examples

Setting SSLEncryptionStrength=40 might result in a successful connection to a host system using an encryption strength that is unacceptable for sensitive data transfers.

Alternatively, your system may support a 256-bit encryption strength, but your hardware supports only 168-bit, so you have to lower the level to allow a connection to succeed.
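
The following audit script is an added example, not Attachmate code. It scans session profiles for the SSLEncryptionStrength setting described above and reports whether each profile uses the default, a restricted strength, a weak strength, or an invalid value that falls back to the default. It assumes EDP files are INI-style text with case-insensitive section and key names; the 128-bit policy floor and the function names are hypothetical.

```python
import re
from pathlib import Path

VALID_STRENGTHS = {40, 56, 128, 168, 256}  # values the note lists as valid
MIN_ACCEPTABLE = 128  # assumed local policy floor; not taken from the note

# Constructed sample profile, not a real EDP file.
SAMPLE_EDP = "[Connection]\nSSLEncryptionStrength=40\n"


def ssl_strength_status(edp_text):
    """Classify SSLEncryptionStrength in one profile as a (status, value) pair."""
    section, raw = None, None
    for line in edp_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "connection" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "sslencryptionstrength":
                raw = value.strip()  # assumption: if the key repeats, last wins
    if raw is None:
        return ("default", None)  # setting omitted: all valid suites offered
    if not re.fullmatch(r"[0-9]+", raw) or int(raw) not in VALID_STRENGTHS:
        return ("invalid", raw)  # per the note, behaves like the default
    bits = int(raw)
    return ("weak" if bits < MIN_ACCEPTABLE else "restricted", bits)


def audit_sessions(folder):
    """Map each .edp file name under folder to its (status, value) pair."""
    results = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".edp":
            # Assumption: profiles are single-byte text; latin-1 never fails.
            text = path.read_text(encoding="latin-1")
            results[path.name] = ssl_strength_status(text)
    return results


if __name__ == "__main__":
    print(ssl_strength_status(SAMPLE_EDP))
```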

Additional Information

For information about EXTRA! 9 SP2, see Technical Note 2257.

Legacy KB ID

This article was originally published as Attachmate Technical Note 2356.