Connect to Hosts using the Security Proxy

The Security Proxy provides additional features to authorize users and encrypt session data. Several configuration options are available.

Client Authorization

When using the default configuration for the Security Proxy, users are authorized using security tokens. Transmitted data between the client and the Security Proxy is encrypted; transmitted data between the Security Proxy and the host is not. The Security Proxy server should be installed behind a corporate firewall when used in this mode.

Pass Through

When configured as a Pass Through Proxy, the Security Proxy passes data to the destination host without regard to content (that is, it ignores any SSL handshaking data). You can secure data traffic using SSL between the client and the destination host by enabling SSL user authentication on the destination host. When using a Pass Through proxy, client authorization is not an option.

End-to-End SSL/TLS Security

This option is available for 3270, UTS, T27, and some ALC sessions. It combines user authorization with SSL security for the entire connection. Single sign-on capability using IBM Express Logon is also supported, provided the host supports SSL. (Also referred to as single sign-on (SSO), Express Logon is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time; it authenticates the user on the mainframe by using the user's SSL client certificate in lieu of a user ID and password.)

Create a Session that Connects through the Security Proxy

Use this procedure to create an InfoConnect emulation session that connects to the Security Proxy and requires a user token for client authorization. Client authorization is a configurable option in Security Proxy that is enabled by default.

This feature is supported for Telnet connected sessions.

Requirements

  • A Micro Focus Management and Security Server, with a Security Proxy configured. For end-to-end encryption, the Security Proxy must be configured to require client authorization. (It can optionally be configured to require client authentication. For client authentication, you can use a single client certificate for both servers or two separate client certificates, one for each server: the Security Proxy and the destination host.)

  • Digital certificates. To successfully establish the SSL/TLS sessions between the client and the Security Proxy, and the client and the destination host, you may need multiple digital certificates. End-to-end connections require two certificates and SSL/TLS handshakes — one for the client/proxy server connection and another for the client/host connection.

  • On the administrator's workstation, installation of InfoConnect Desktop and a browser (with Java enabled)

To configure an ALC, UTS, or T27 session to use the Security Proxy

  1. Start the Administrative WebStation and launch a session. (See Create Sessions using the Administrative WebStation.)

    InfoConnect opens in Administrative WebStation mode.

  2. From the Create New Document dialog box, select an ALC, UTS, or T27 terminal template and click Create.

  3. In the Create New Document dialog box, click Create Path to start the Path Wizard. Respond to the prompts for your connection type until you see the following dialog box. (These options appear only when you are running in WebStation mode.)

  4. Select Reflection security proxy and click Next. You can use the next dialog box to configure your connection to the host through the proxy.

  5. Click Next and continue through the wizard to complete the configuration. When you click Finish, the session opens in InfoConnect.

  6. Finish configuring your session, then save the new session and close the Workspace.

    The session file is saved to the Management and Security Server.

Configure an IBM terminal session to use the Security Proxy

  1. Start the Administrative WebStation and launch a session. (See Create Sessions using the Administrative WebStation.)

    InfoConnect opens in Administrative WebStation mode.

  2. From the Create New Document dialog box, select a 3270 or 5250 terminal template and click Create.

  3. Select the check box Configure additional settings, and click OK.

  4. Under Host Connection, click Set Up Connection Security, then click Security Settings.

  5. In the Security Properties dialog box, select Use SSL/TLS security, then select Use Reflection security proxy. Use this dialog box to configure your connection to the host through the proxy.

  6. Finish configuring your session, then save the new session and close the Workspace.

    The session file is saved to the Management and Security Server.

About Certificates

Server Certificates

Destination SSL hosts and Security Proxy servers typically have server certificates already installed. Each of these server certificates must be trusted by the client. The client will trust a server certificate if:

  • It is signed by the certificate authority that is trusted by the client, or

  • It is self-signed and imported into the trusted root certificate store where InfoConnect can find it.

To use a single server certificate for both the destination host and the Security Proxy, do one of the following:

  • Configure the InfoConnect session so that it does not require the host name in the server certificate to match the host being contacted. (In IBM sessions, in the PKI Configuration, clear Certificate host name must match host being contacted, which is enabled by default. For ALC, UTS, and T27 sessions, the corresponding Path Wizard setting is called Verify host name against host certificate, and it is not enabled by default.)

  • (Recommended) Create a certificate that uses the destination host address for the Subject Common Name and the Security Proxy address for the Subject Alternative Name.
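The following Python script is an added example, not part of this documentation or of the InfoConnect product, that models the host-name check behind the two options above. It represents certificates in the dictionary shape returned by ssl.SSLSocket.getpeercert() from the Python standard library; the host names (tn3270.example.internal, secproxy.example.internal) and the two certificates are constructed sample data. It shows why a certificate issued for the destination host alone is rejected when the session connects to the Security Proxy with host-name verification on, and that a certificate carrying the destination host in the Subject Common Name and the proxy in the Subject Alternative Name covers both servers.

```python
"""Host-name matching against a server certificate, modelled on the two
options above (added example; sample data is constructed, not real)."""

# Constructed sample: one certificate meant to serve both the destination
# host (Subject Common Name) and the Security Proxy (Subject Alternative Name).
SHARED_CERT = {
    "subject": ((("commonName", "tn3270.example.internal"),),),
    "subjectAltName": (("DNS", "secproxy.example.internal"),),
}

# Constructed sample: a certificate issued for the destination host only.
HOST_ONLY_CERT = {
    "subject": ((("commonName", "tn3270.example.internal"),),),
}


def _names_in(cert):
    """Collect the Subject Common Name(s) and any DNS Subject Alternative Names.
    The page's recommended setup relies on the CN for the destination host and
    the SAN for the proxy, so both sources are accepted here."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def _dns_match(pattern, hostname):
    """Case-insensitive name comparison; a leading '*.' wildcard matches
    exactly one non-empty label (RFC 6125 section 6.4.3)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if p_labels[0] == "*":
        return (len(p_labels) == len(h_labels)
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def host_name_matches(cert, hostname, verify_host_name=True):
    """Return True if the session would accept `cert` for `hostname`.

    verify_host_name=False models clearing "Certificate host name must match
    host being contacted" (IBM sessions) or leaving "Verify host name against
    host certificate" unchecked (ALC, UTS, T27 sessions): the name check is
    skipped entirely, so trust rests on the certificate chain alone.
    """
    if not verify_host_name:
        return True
    return any(_dns_match(name, hostname) for name in _names_in(cert))


def uncovered_hosts(cert, hostnames):
    """Names in `hostnames` that `cert` does not cover. An empty result means
    one certificate can serve every listed server with verification left on."""
    return [h for h in hostnames if not host_name_matches(cert, h)]


if __name__ == "__main__":
    servers = ["tn3270.example.internal", "secproxy.example.internal"]
    print("host-only cert leaves uncovered:", uncovered_hosts(HOST_ONLY_CERT, servers))
    print("shared cert leaves uncovered:   ", uncovered_hosts(SHARED_CERT, servers))
```

Running the script reports that the host-only certificate leaves the proxy name uncovered while the shared certificate covers both servers; the shared certificate is the safer choice because it keeps host-name verification enabled on every hop instead of relying on the first option, which disables the check for the whole session.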

Client certificates

Certificates used for client authentication must be signed by a certificate authority that is trusted by both the Security Proxy and the destination host’s SSL server.

Express Logon also requires that the client certificate used to authenticate on the TN3270 server be registered with RACF. (For details, see the documentation that came with the 3270 server.)

For more details on configuring SSL and creating certificates on the host, see Technical Note 1759 and Technical Note 1760.