2.1.3 Connect using End-to-End Security and Express Logon for 3270 Sessions

Use this procedure to configure a 3270 session with end-to-end security in Management and Security Server. This configuration combines user authorization with security from Extra! to the destination host.

You can optionally configure these connections to use the IBM Express Logon (also referred to as ELF), when using an 3270 connection to an IBM Mainframe.

Requirements

SSL/TLS is enabled on the host. See the documentation included with the host for instructions.
An installation of Management and Security Server. The Security Proxy must be configured to require Client authorization. (It can optionally be configured to require Client authentication. For client authentication, you can use a single certificate or two separate client certificates on each server (Security Proxy and destination host).
Digital certificates. To successfully establish the SSL/TLS sessions between the client and the Security Proxy, and the client and the destination host, you may need multiple digital certificates. Authenticating with Certificates in Extra!.

About Certificates

Server Certificates

Destination SSL/TLS hosts and Security Proxy servers typically have server certificates already installed. Each of these server certificates must be trusted by the client. The client will trust a server certificate if:

It is signed by the certificate authority that is trusted by the client, or
It is self-signed and imported into the trusted root certificate store where Extra! can find it.

To use a single server certificate for both the destination host and the Security Proxy, do one of the following:

In the Extra! session, de-select the Verify Server Identity check box on the Connection Editor dialog box.
(Recommended) Create a certificate that uses the destination host address for the Subject Common Name and the Security Proxy address for the Subject Alternative Name.

Client certificates

Certificates used for client authentication must be signed by a certificate authority that is trusted by both the Security Proxy and the destination host’s SSL/TLS server.

Express Logon also requires that the client certificate used to authenticate on the TN3270 server be registered with RACF. (For details, see the documentation that came with the 3270 server.)

To configure a session with end-to-end encryption

In a web browser, start Management and Security Server by setting the URL to:

http://server:port /mss/AdminStart.html

where server and port are replaced with the Management and Security Server address.
Click Administrative WebStation and log on as administrator.
From the left pane, click Session Manager.
Add a new session or select an existing session, and click Launch.
Follow the wizard's prompts to configure the session. Make sure to leave the default option Reflection Security Proxy selected as the type of connection.
On the Reflection Security tab, from the Proxy server address menu, specify a Reflection Security Proxy Server.

A description of the selected Reflection Security Proxy Server appears below the fields.
Enter a Destination host and Destination port (the Destination port should be the SSL/TLS port on the host, for example, buttercup.flowers.com:3000), and then select the End-to-end security check box.
Click Next and continue through the wizard to complete the configuration.

When you click Finish, the session opens in Extra!.
Exit Extra! and save the session.

To create another session, repeat this procedure. You can only create (or have open) one session at a time when running Extra! in Administrative WebStation mode.

Next, make the session available to specific users.