Enabling SSL security

For Web applications, SSL security between the user's browser and the ZIETrans application requires an HTTPS connection. This requires that both HTTP server and WebSphere® Application Server be configured to support HTTPS. The HTTP server certificate is stored in the browser certificate store for the browser-HTTP server connection.

The ZIETrans SSL configuration discussed in the remainder of this section is used to configure SSL between the ZIETrans application and the Telnet server (which must be configured with an SSL port). This ZIETrans SSL configuration is supported for ZIETrans Web and EJB applications.

To enable SSL between the ZIETrans application and the Telnet server, select the Enable SSL check box on the Security tab of the connection editor. For more information see Security. By enabling SSL for a connection, you request that data flowing over the connection be encrypted to secure the connection.

Selecting the Use JSSE check box enables the use of TLS v1.0, TLS v1.1, or TLS v1.2 using the Java Secure Socket Extension (JSSE) security library, instead of SSLite, for the connection between ZIETrans and the host system. If not selected (the default), the SSLite library is used, and TLS v1.1 and TLS v1.2 are not available for the connection.

Note: The IETF Internet-Draft, TLS-based Telnet Security, defines the protocol for doing the SSL handshake over a TLS-based Telnet connection. If the Telnet server you are connecting to supports this protocol, you must add the SSLTelnetNegotiated property to the advanced connection settings of your connection definition. The advanced connection settings are found on the Advanced tab of the connection editor, see Configure optional, advanced connection settings. Set the value of the property to true.

ZIETrans uses Host On-Demand technology to provide connection support from ZIETrans applications to 3270 and 5250 applications using Telnet protocols. ZIETrans uses the SSL support provided by Host On-Demand technology for securing these connections. Using a secure connection over SSL encrypts data flowing over the connection and thus protects it against observation by a third party.

For a connection to be secured, both the ZIETrans application and the Telnet server it is connected to must support SSL. To secure the connection, the Telnet server must provide a certificate, which is used in encrypting the data.

When connection establishment is attempted, ZIETrans receives the certificate from the Telnet server and determines whether to accept or reject the connection. ZIETrans searches its built-in keystore file for a signer certificate that matches the Telnet server's personal certificate. The ZIETrans keystore file contains a set of well-known certificates, including Verisign, Thawte, and RSA. If the Telnet server is using a valid well-known certificate, it will be accepted because it will match one of the well-known certificates that are provided with ZIETrans. In this case, there is no need to create a keystore file containing the certificate, because the needed signer certificate is already in the ZIETrans built-in keystore file.

If the Telnet server is not using a well-known certificate, a keystore file containing a valid signer certificate must be created and configured for ZIETrans. To obtain this certificate, open the Telnet server's keystore file, extract the certificate as a binary .der file, and then use the Certificate Management tool (also known as the IBM® Key Management tool) to import the .der file into the keystore file you use with ZIETrans.

For example, if the Telnet server platform supports the IBM Key Management tool, to extract the certificate file from the Telnet server's keystore file, take the following steps:
  1. Start the IBM Key Management tool.
  2. Click Key Database File and select Open. For information about opening IBM CMS keystore files, see Using IBM CMS keystore files.
  3. Select the Key database type for the Telnet server's keystore file and then Browse to the directory containing the file.
  4. Click OK.
  5. Under Key database content, select Signer Certificates from the drop-down list.
  6. Select the certificate you want to extract and click Extract.
  7. For Data type select Binary DER data. If the certificate is in ASCII format, select Base64-encoded ASCII data.
  8. Give the certificate file a name and location and click OK.
To create a keystore file to use with ZIETrans that includes the certificate file you extracted from the Telnet server's keystore file, take the following steps:
  1. Copy the certificate extracted from the Telnet server's keystore file to your ZIETrans development system.
  2. Click Start > All Programs > IBM Rational® SDP package group > HCL ZIETrans V1.0 > Certificate Management (where IBM Rational SDP package group is the name of the Rational SDP package group you have installed).
  3. Click Key Database File and select New.
  4. For the Key database type, select PKCS12 or JKS (if you are using JSSE). Give the file a name with an extension of .p12 or .jks (if you are using JSSE) and a location, and click OK.
  5. Type in a password, confirm it, and click OK. For the JKS file, the password must contain at least 6 characters.
  6. Under Key database content, select Signer Certificates from the drop-down list and click Add.
  7. For Data type select Binary DER data. If the certificate is in ASCII format, select Base64-encoded ASCII data.
  8. Browse to find and select the certificate you extracted from the Telnet server's keystore file and click OK.
  9. Enter a label for the certificate and click OK.
  10. Exit the Certificate Management tool.
Note: For more information about Certificate Management, see Using IBM Certificate Management for ZIETrans applications.
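The same result as the Certificate Management steps above, done programmatically with the standard Java keystore and JSSE APIs. This is an added example and is not ZIETrans or Host On-Demand code; the file names, the alias and the password are placeholders, and the .der file is assumed to be the signer certificate extracted from the Telnet server's keystore.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TelnetTrustStore {
    // Placeholder paths: the DER file extracted from the Telnet server's keystore
    // and the PKCS12 file that is then configured on the connection's Security tab.
    static final String DER_FILE = "telnet-signer.der";
    static final String KEYSTORE_FILE = "zietrans-trust.p12";
    static final char[] PASSWORD = "changeit".toCharArray(); // placeholder, at least 6 characters

    // Imports the signer certificate into a new PKCS12 keystore file and returns the keystore.
    static KeyStore buildTrustStore(String derPath, String outPath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer;
        try (InputStream in = new FileInputStream(derPath)) {
            // generateCertificate accepts both binary DER and Base64-encoded (PEM) input
            signer = (X509Certificate) cf.generateCertificate(in);
        }
        // Fail early if the extracted certificate is expired or not yet valid
        signer.checkValidity();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                              // start with an empty keystore
        ks.setCertificateEntry("telnet-signer", signer);  // the label given in the tool
        try (OutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);
        }
        return ks;
    }

    // The JSSE side: a TLSv1.2 context that trusts only the signers in the keystore.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = buildTrustStore(DER_FILE, KEYSTORE_FILE, PASSWORD);
        X509Certificate c = (X509Certificate) ks.getCertificate("telnet-signer");
        System.out.println("Trusted signer: " + c.getSubjectX500Principal() + ", not after " + c.getNotAfter());
        System.out.println("Protocol: " + contextFor(ks).getProtocol());
    }
}
```

A connection that presents a server certificate not chaining to the imported signer will fail the handshake under this context, which is the behaviour to expect from ZIETrans when its keystore lacks the matching signer.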

If a certificate is required by ZIETrans, you can use options on the Security tab of the connection editor to configure how ZIETrans finds the keystore file containing the certificate. Use the Import button to import the keystore file into your project. Or, use the Use PKCS12 keystore at a specific path option to specify that the keystore file will not be contained within your project but will exist elsewhere on the target runtime system. This option is useful if you want to update the keystore file without having to redeploy the ZIETrans application. If you import the keystore file, ZIETrans copies it to the root of the EAR project (for Web projects). If imported, the keystore file becomes a part of the ZIETrans project, and it is packaged with the rest of the project files when you export the project. For more information see Security.

Note:
  1. Multiple certificates can be added to a single keystore file.
  2. Multiple ZIETrans projects can use the same keystore file, either by importing the same keystore file in the EAR project (for Web applications), or by referencing the same keystore file in the Use PKCS12 keystore at a specific path option.
  3. Each connection within a single ZIETrans project can reference the same or different keystore files.

For more information about WebSphere Application Server security, go to http://www.ibm.com/software/webservers/appserv/was/library/. For information about IBM HTTP Server security, go to http://www.ibm.com/software/webservers/httpservers/library.html.