Configuring Reflection for the Web and Reflection Security Gateway to Use TLS Connections

  • 7022194
  • 30-Oct-2014
  • 18-Mar-2018

Environment

Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014 (All Editions)
Reflection Security Gateway 2011

Situation

To avoid the 'POODLE' vulnerability, SSL 3.0 can be disabled. This technical note describes how to configure Reflection for the Web and Reflection Security Gateway to use TLS protocols only.

Note the following:

  • In a future release of these products, SSL 3.0 will be disabled by default to minimize the chance that the POODLE vulnerability can be exploited. For more information, see the POODLE alert in https://support.microfocus.com/security/.
  • For additional client-side security, SSL 3.0 support should be disabled in the Java Control Panel. See KB 7022190 for instructions.

Resolution

Procedure

To configure Reflection for the Web or Security Gateway to use only TLS protocols:

  1. In Reflection for the Web emulation and file transfer applets:
    1. Go to Connection Setup > SSL/TLS dialog, and select TLS 1.2, TLS 1.0.
    2. Save changes.
  2. In the Security Proxy Wizard:
    1. Go to Advanced Settings and uncheck SSL 3.0.
    2. Restart the Security Proxy Server service.
  3. Reflection for the Web and Security Gateway ship with Apache Tomcat as the default Servlet runner, which supports SSL 3.0. Edit the Apache Tomcat configuration to explicitly enable TLS support:
    1. Note your version of Apache Tomcat, verified in RELEASE-NOTES located in the Attachmate/ReflectionServer/apache-tomcat directory.
    2. Open the server.xml file in a text editor. This file is located in the apache-tomcat/conf directory of your Tomcat installation.
    3. Locate the following two connectors in the server.xml file:
<!-- Define an SSL Coyote HTTP/1.1 Connector.
<!-- Define an SSL HTTP/1.1 Connector for X.509 client authentication.
    4. At the end of each connector, you will see sslProtocol="TLS". Revise these as follows:

Tomcat 6.0.38 and later:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

Tomcat 6.0.36 and earlier:

Protocols="TLSv1, TLSv1.1, TLSv1.2"

    5. Save the file and restart the ReflectionServer service.
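
One way to confirm the server.xml edit from step 3 took effect on every SSL connector is to audit the file after saving it. The script below is an added example, not part of the original technical note or the product. The sample XML, its port numbers and the function name audit_connectors are constructed for illustration; the attribute names are the ones given in this note.

```python
import xml.etree.ElementTree as ET

# Attribute names as given in this note (6.0.38 and later / 6.0.36 and earlier).
PROTOCOL_ATTRS = ("sslEnabledProtocols", "Protocols")

# Constructed sample, not a shipped Reflection server.xml; ports are made up.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="SSLv3, TLSv1"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: finding} for every SSL connector in a server.xml string."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true" and conn.get("scheme") != "https":
            continue  # plain HTTP/AJP connector, nothing to check
        port = conn.get("port", "?")
        listed = next((conn.get(a) for a in PROTOCOL_ATTRS if conn.get(a)), None)
        if listed is None:
            # Only sslProtocol="TLS" is present: the setting this note says to revise.
            findings[port] = "no explicit protocol list"
            continue
        protocols = [p.strip() for p in listed.split(",") if p.strip()]
        bad = [p for p in protocols if not p.startswith("TLSv")]
        findings[port] = "non-TLS protocols: " + ", ".join(bad) if bad else "ok"
    return findings


if __name__ == "__main__":
    # Replace SAMPLE with the contents of apache-tomcat/conf/server.xml to audit a real file.
    for port, finding in audit_connectors(SAMPLE).items():
        print(port, finding)
```

Any connector not reported as "ok" still needs the revision from step 3.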

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2759.