SSL/TLS Tab (Security Properties Dialog Box)

The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to establish a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between the client and the server is encrypted. Depending on the server configuration, the server may also authenticate the client.

The options are:

Use SSL/TLS Security

Enables SSL/TLS connections. You must select this before you can set other values on the SSL/TLS tab. When Use SSL/TLS security is selected, connections are made to the host only if a secure SSL/TLS connection can be established.

Before making an SSL/TLS connection, your client must authenticate the host. Authentication is handled through the use of digital certificates. These certificates are part of the same Public Key Infrastructure (PKI) that is used to secure internet transactions. Your computer must be configured to recognize the digital certificate presented by your host and, if necessary, to provide a certificate for client authentication. If your computer is not properly configured, or if the certificates presented for authentication are not valid, you will not be able to make SSL/TLS connections. Depending on how a host certificate was issued, you may need to install a certificate on your local computer.

Configure PKI

Opens the PKI Configuration dialog box, which you can use to configure PKI settings for your SSL/TLS sessions.

Encryption Strength

Specify the desired level of encryption for SSL/TLS connections. The connection will fail if this level cannot be provided.

If you select Default, any encryption level is permitted, and your client will negotiate with the host system to choose the strongest encryption level supported by both the host and the client. If you are running in FIPS mode and select Default, the negotiation will allow only FIPS compliant encryption levels.

NOTE:The effective encryption strength of the established connection may not match the value you select here. For example, 168 bit encryption uses 3DES cipher suites, which use a 168 bit key length, but provide an effective security of only 112 bits.

SSL/TLS version

Specifies which SSL or TLS version to use.

Retrieve and validate certificate chain

Specifies whether certificates presented for host authentication are checked to determine if they are valid and signed by a trusted CA.

CAUTION:Disabling this option can make connections vulnerable to man-in-the-middle attacks, which could compromise the security of the connection.

Reflection Security Proxy Server Settings

You can use settings under Use Reflection security proxy if you use a centralized management server (available separately from Micro Focus) to manage sessions and you launched this session from the Administrative WebStation. With these options, your session connects to your host via the Security Proxy included in the centralized management server. You can use this Security Proxy to configure secure connections even if your host is not running an SSL/TLS-enabled Telnet server. (Some of these settings are only visible when using the Administrative WebStation.)


  • When the Security Proxy is used, the connection between the client and the Security Proxy server is secured and encrypted using the SSL/TLS protocol. By default, the information sent between the proxy server and the destination host is in the clear. If you enable the End-to-End encryption option (available for 5250, 3270, and VT sessions), information sent between the Security Proxy the destination host is also encrypted. (End-to-End encryption requires that the host support SSL/TLS.)

  • If you configure sessions that connect through the Security Proxy with authorization enabled, users must log on to the centralized management server before they can connect using these sessions.

Use Reflection security proxy

Configure this session to use the Security Proxy for the server connection.

Security proxy

Select the proxy server name from the drop-down list, which shows available servers.

Proxy port

Select the proxy server port from the drop-down list.

Destination host

If client authorization is enabled on the Security Proxy, enter the destination host name. If client authorization is not enabled, this box is read only.

When you select a security port, the destination host configured to use that port is displayed automatically.

Destination port

If client authorization is enabled on the Security Proxy, enter the destination host name. If client authorization is not enabled, this box is read only.

When you select a security port, the destination port and destination host are displayed automatically.

End-to-End SSL/TLS (Client to proxy to destination host)

This option tunnels a direct SSL/TLS connection to the host, while still connecting through the Security Proxy Server. These connections require two certificates and two SSL/TLS handshakes—one for the client/proxy server connection and another for the client/host connection.

No data encryption from proxy to destination host

This option applies a null cipher to the direct SSL/TLS connection from the client to the host so that this connection is not encrypted. This does not affect the encryption of the SSL/TLS connection from the client to the proxy server that provides the “tunnel” for the client/host connection. When this option is selected, the data is encrypted from the client to the proxy server and unencrypted (“in the clear”) from the proxy to the host.

Proxy cipher suites

A read-only list of cipher suites supported by this proxy host and port. This list is only visible when the product is launched from the Administrative WebStation (included with the centralized management server).

Implicit SSL/TLS Connection

IBM z/VM or z/OS Telnet servers can be configured to send the STARTTLS command when negotiating secure SSL/TLS connections. To connect to servers that are configured to send this command, unselect this option.

To connect to servers that are not configured to send this command, leave this option selected. The STARTTLS command is not an industry accepted standard and this option should be selected only for servers that require it. When selected, secure connections to servers that send the STARTTLS command are not supported.