Enabling SSL security

For Web applications, SSL security between the user's browser and the ZIETrans application requires an HTTPS connection. This requires that both the HTTP server and WebSphere® Application Server be configured to support HTTPS. For the browser-HTTP server connection, the browser validates the HTTP server's certificate against the signer certificates in its own certificate store, so the HTTP server's certificate must chain to a signer the browser already trusts, or the signer certificate must be added to the browser certificate store.

The ZIETrans SSL configuration discussed in the remainder of this section is used to configure SSL between the ZIETrans application and the Telnet server (which must be configured with an SSL port). This ZIETrans SSL configuration is supported for ZIETrans Web and EJB applications.

To enable SSL between the ZIETrans application and the Telnet server, select the Enable SSL check box on the Security tab of the connection editor. For more information see Security. By enabling SSL for a connection, you request that data flowing over the connection be encrypted to secure the connection.

Selecting the Use JSSE check box enables the use of TLS v1.0, TLS v1.1, or TLS v1.2 through the Java Secure Socket Extension (JSSE) security library, instead of SSLite, for the connection between ZIETrans and the host system. If the check box is not selected (the default), the SSLite library is used, and TLS v1.1 and TLS v1.2 are not available for the connection. Because TLS v1.0 has been deprecated by the IETF, select Use JSSE wherever the Telnet server supports TLS v1.2, and confirm the negotiated protocol version after making the change.

Note: The IETF Internet-Draft, TLS-based Telnet Security, defines how a client and server agree, through a Telnet option negotiation on an already open Telnet connection, to start the TLS handshake on that connection. If the Telnet server you are connecting to supports this protocol, you must add the SSLTelnetNegotiated property to the advanced connection settings of your connection definition and set its value to true; otherwise ZIETrans starts the TLS handshake as soon as the connection to the SSL port is opened, which a server expecting the negotiation will not accept. The advanced connection settings are found on the Advanced tab of the connection editor, see Configure optional, advanced connection settings.
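The exchange that SSLTelnetNegotiated=true asks for, as an added example written here and not ZIETrans or Host On-Demand code: a minimal Telnet client that completes the START_TLS option negotiation (Telnet option 46, subnegotiation value FOLLOWS = 1) before starting the TLS handshake on the same socket. The host name, port, and the server-initiated message order are assumptions for illustration; a real client must also parse and answer any other Telnet options the server sends before START_TLS, which this example deliberately does not do.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example, not ZIETrans or Host On-Demand code: a Telnet client that performs
 * the START_TLS option negotiation from the "TLS-based Telnet Security" draft and
 * only then starts the TLS handshake on the existing socket. Without the negotiation
 * (SSLTelnetNegotiated unset) the TLS handshake would begin as soon as the socket opens.
 */
public class TelnetStartTls {
    // Telnet command bytes (RFC 854) and the START_TLS option code
    static final int IAC = 255, SB = 250, SE = 240, WILL = 251, WONT = 252, DO = 253, DONT = 254;
    static final int START_TLS = 46;
    static final int FOLLOWS = 1;     // subnegotiation value: "the TLS handshake follows"

    public static SSLSocket connect(String host, int port) throws IOException {
        Socket plain = new Socket(host, port);
        InputStream in = plain.getInputStream();
        OutputStream out = plain.getOutputStream();

        // 1. Server offers the option (IAC DO START_TLS); client accepts (IAC WILL START_TLS).
        //    Message order follows the draft's server-initiated flow (assumption).
        expect(in, IAC, DO, START_TLS);
        send(out, IAC, WILL, START_TLS);

        // 2. Both sides announce that the handshake follows: IAC SB START_TLS FOLLOWS IAC SE.
        expect(in, IAC, SB, START_TLS, FOLLOWS, IAC, SE);
        send(out, IAC, SB, START_TLS, FOLLOWS, IAC, SE);

        // 3. Upgrade the same socket; the Telnet client is the TLS client.
        //    The default SSLSocketFactory validates the server certificate against the JVM's
        //    default trust store, which stands in for the ZIETrans keystore in this example.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        tls.setUseClientMode(true);
        tls.startHandshake();
        return tls;
    }

    static void send(OutputStream out, int... bytes) throws IOException {
        for (int b : bytes) out.write(b);   // write(int) sends the low 8 bits, so 255 is IAC
        out.flush();
    }

    // Fail loudly on anything other than the expected bytes. A production client runs a full
    // option parser instead, because a server may interleave other negotiations
    // (terminal type, TN3270E) before START_TLS.
    static void expect(InputStream in, int... bytes) throws IOException {
        for (int want : bytes) {
            int got = in.read();
            if (got != want) {
                throw new IOException("unexpected Telnet byte " + got + " (wanted " + want + ")");
            }
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "tn3270.example.com"; // placeholder host (assumption)
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 23;    // negotiated-TLS port (assumption)
        try (SSLSocket s = connect(host, port)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getCipherSuite());
        }
    }
}
```

Run it against the Telnet server's negotiated-security port to see which protocol version and cipher suite the server accepts. If the first bytes received are application data or a TLS alert rather than IAC DO START_TLS, the port is an implicit SSL port and SSLTelnetNegotiated must be left unset for that connection.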

ZIETrans uses Host On-Demand technology to provide connection support from ZIETrans applications to 3270 and 5250 applications using Telnet protocols. ZIETrans uses the SSL support provided by Host On-Demand technology for securing these connections. Using a secure connection over SSL encrypts data flowing over the connection and thus protects it against observation by a third party.

For a connection to be secured, both the ZIETrans application and the Telnet server it is connected to must support SSL. To secure the connection, the Telnet server must provide a certificate. The certificate authenticates the server to ZIETrans, and the key it contains is used during the handshake to establish the session keys that encrypt the data.

When connection establishment is attempted, ZIETrans receives the certificate from the Telnet server and determines whether to accept or reject the connection. ZIETrans searches its built-in keystore file for a signer certificate that verifies the Telnet server's personal certificate, that is, the certificate of the certificate authority (CA) that issued it. The ZIETrans keystore file contains the signer certificates of a set of well-known CAs, including VeriSign, Thawte, and RSA. If the Telnet server uses a valid certificate issued by one of these well-known CAs, it is accepted because its signer is already in the ZIETrans built-in keystore file, and there is no need to create a keystore file containing the certificate. Trusting a public CA's signer certificate means that any valid certificate issued by that CA passes this check, so also confirm, out of band, that the certificate presented is the one issued for your Telnet server.

If the Telnet server is not using a certificate issued by a well-known CA (for example, a certificate issued by an internal CA, or a self-signed certificate), a keystore file containing a valid signer certificate must be created and made known to ZIETrans. Obtain the certificate by opening the Telnet server's keystore file and extracting the signer certificate (or the server's own certificate, if it is self-signed) as a binary .der file. Then use the Java keytool to import the .der file into the keystore file that you will use with ZIETrans; keytool creates the keystore file if it does not yet exist.

Import only the signer certificate, never the server's private key: the ZIETrans keystore is a trust store, and the private key must stay on the Telnet server.
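The two steps above (build a PKCS12 keystore from an extracted .der signer certificate, then check that the Telnet server's certificate is accepted against it) as an added example, written here and not ZIETrans code. It uses only the standard java.security and javax.net.ssl APIs; the file names signer.der, server.der and ziet.p12, the alias telnetsigner and the password are placeholders. The accept/reject decision is made by the JDK's PKIX trust manager, which is a stand-in for the check ZIETrans performs, not the ZIETrans implementation itself.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example, not ZIETrans code. Builds the PKCS12 trust store that ZIETrans is
 * pointed at and shows the accept/reject decision a server certificate gets against it.
 */
public class TelnetSignerKeystore {

    /** Parse a binary .der (or PEM) X.509 certificate from disk. */
    public static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Create or extend a PKCS12 keystore with a trusted signer certificate (no private key). */
    public static void addSigner(String derPath, String alias, String keystorePath, char[] password)
            throws Exception {
        X509Certificate signer = readCert(derPath);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        File f = new File(keystorePath);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { ks.load(in, password); }
        } else {
            ks.load(null, null);                       // start an empty keystore
        }
        ks.setCertificateEntry(alias, signer);         // trusted-certificate entry only
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, password); }
    }

    /** True if the server's chain validates to a signer in the keystore; prints the reason otherwise. */
    public static boolean serverAccepted(String keystorePath, char[] password, X509Certificate[] chain)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // trust only what is in this keystore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // Checks signature chain and validity dates; revocation is off by default
                    ((X509TrustManager) tm).checkServerTrusted(chain, chain[0].getPublicKey().getAlgorithm());
                    return true;
                } catch (CertificateException e) {
                    System.err.println("rejected: " + e.getMessage());
                    return false;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TelnetSignerKeystore signer.der server.der ziet.p12   (placeholder file names)
        char[] password = "changeit".toCharArray();    // placeholder password (assumption)
        addSigner(args[0], "telnetsigner", args[2], password);
        X509Certificate server = readCert(args[1]);
        System.out.println("Subject: " + server.getSubjectX500Principal());
        System.out.println("Issuer:  " + server.getIssuerX500Principal());
        System.out.println(serverAccepted(args[2], password, new X509Certificate[] { server })
                ? "accept" : "reject");
    }
}
```

The keytool equivalents of addSigner are: keytool -importcert -trustcacerts -alias telnetsigner -file signer.der -keystore ziet.p12 -storetype PKCS12, followed by keytool -list -v -keystore ziet.p12 -storetype PKCS12 to confirm the entry. To obtain the certificate the server actually presents on its SSL port without touching the server's keystore, openssl s_client -connect host:port -showcerts prints the chain; save the issuer's certificate from that output rather than the leaf unless the leaf is self-signed. An "unable to find valid certification path" rejection from the example means the keystore holds neither the issuer nor the server certificate; an expiry message means the certificate itself must be renewed on the server.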
Note: For more information about Certificate Management, see Using IBM Certificate Management for ZIETrans applications.

If a certificate is required by ZIETrans, you can use options on the Security tab of the connection editor to configure how ZIETrans finds the keystore file containing the certificate. Use the Import button to import the keystore file into your project. Or, use the Use PKCS12 keystore at a specific path option to specify that the keystore file will not be contained within your project but will exist elsewhere on the target runtime system. This option is useful if you want to update the keystore file, for example when the signer certificate is renewed, without having to redeploy the ZIETrans application. If you import the keystore file, ZIETrans copies it to the root of the EAR project (for Web projects). If imported, the keystore file becomes a part of the ZIETrans project, and it is packaged with the rest of the project files when you export the project. Whichever option you choose, protect the keystore file from modification on the runtime system: anyone who can add a signer certificate to it can make ZIETrans accept a Telnet server presenting a certificate from that signer. For more information see Security.

Note:
  1. Multiple certificates can be added to a single keystore file.
  2. Multiple ZIETrans projects can use the same keystore file, either by importing the same keystore file in the EAR project (for Web applications), or by referencing the same keystore file in the Use PKCS12 keystore at a specific path option.
  3. Each connection within a single ZIETrans project can reference the same or different keystore files.