Securing Reflection ZFE Session Server to the Host - Reflection ZFE 2.1.4

4.3 Securing Reflection ZFE Session Server to the Host

Follow these basic steps to configure a TLS connection between the Reflection ZFE session server and a host that supports TLS:

  1. Install unlimited strength policy jars from Oracle.

  2. Configure a keystore location on the Reflection ZFE session server. (Optional)

  3. Configure the keystore using the MSS Administrative Server.

  4. Configure a Reflection ZFE terminal session for TLS.

4.3.1 How to install unlimited strength policy jars

TLS/SSL encryption between the Reflection ZFE session server and the host computer requires the unlimited strength policy files from Oracle or IBM. If you installed using the standard installation process, these files are already installed. However, if needed, you can find the files here:

  • For Oracle Java 8 - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  • For IBM Java 8 - https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

The Oracle readme file included with the download explains how to install their files.

4.3.2 How to configure the keystore location on the Reflection ZFE Server

This step is not required if you are using a default Reflection ZFE installation. However, some performance adjustments can require a local keystore directory.

By default, Reflection ZFE creates an MSS parameter that points to a local directory named keystore, located under the current working directory of the Reflection ZFE session server (typically, sessionserver/bin/keystore). You can specify an alternate keystore directory by defining the Java system property, haapi.ecl.keystore.location=<path_to_dir>.

4.3.3 How to configure the keystore in MSS

For a Reflection ZFE session to trust the TLS host it connects to, the public certificate of the host must be added to a trusted keystore using the Reflection Management and Security Server (MSS). The Reflection ZFE session retrieves this certificate the first time a session connects.

To configure the keystore with the public certificates of trusted TLS hosts:

  1. Connect to the system where MSS is installed.

  2. Copy the public certificate file of the new trusted host into the MssData/certificates folder. In an automated Windows installation this file is located in C:\ProgramData\Micro Focus\mss\MssData. The file can be either a base64-encoded DER certificate or a binary Reflection Administrative Server certificate.

  3. Log in to MSS (for example, http://mycompany.com/mss/AdminStart.html).

  4. Click Administrative WebStation at the bottom right of the links list panel.

  5. In the Administrative WebStation, click the Security Setup section, and then open the Certificates tab.

  6. On the Certificates tab, click the link to View or modify certificates trusted by the terminal emulator applet.

  7. On the Certificates page, the certificates that were imported are listed at the top, while trusted root certificates (CA certificates) are listed in the bottom section of the page. To import a certificate for a new trusted host, click Import.

  8. On the Import Trusted Certificate page, enter the name of the certificate file that you copied to MssData/certificates, the password of the public cert file, if needed, and a friendly name for identifying the certificate on the MSS certificates page.

  9. Click Submit.

When the certificate is successfully added to the MSS server's trusted keystore, you are returned to the list of certificates and you should see the new host.
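The import step above accepts either a base64-encoded DER certificate (PEM) or a binary DER certificate. The following is an added example, not code from the Reflection ZFE or MSS product, that shows how an administrator can check a file before copying it into MssData/certificates: it detects which of the two encodings the file uses, decodes PEM to DER, verifies that the outer ASN.1 SEQUENCE length matches the file size (so a truncated file or a file with several concatenated certificates is caught), and computes the SHA-256 fingerprint that can be compared against the host. The sample input is a constructed DER structure, not a real certificate, used only to exercise the encoding logic.

```python
import base64
import binascii
import hashlib
import re

# PEM armor for a certificate; the body between the markers is base64-encoded DER.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def der_total_length(der: bytes) -> int:
    """Return the byte length of the outer ASN.1 SEQUENCE (tag + length + content).

    A certificate is a single DER SEQUENCE (tag 0x30), so for a file holding
    exactly one certificate this must equal len(der).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or 2 + n > len(der):
        raise ValueError("malformed ASN.1 length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_certificate(data: bytes) -> bytes:
    """Accept base64-encoded DER (PEM) or binary DER and return the DER bytes."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("PEM body is not valid base64") from exc
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("file is neither a PEM certificate nor a single DER certificate")
    return der


def certificate_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def is_importable(data: bytes) -> bool:
    """True if the file is in one of the two encodings the import page accepts."""
    try:
        normalize_certificate(data)
        return True
    except ValueError:
        return False


# Constructed sample: a tiny DER SEQUENCE (INTEGER 5, OCTET STRING "abc").
# This is NOT a real X.509 certificate; it only exercises the PEM/DER handling.
SAMPLE_DER = b"\x30\x08" + b"\x02\x01\x05" + b"\x04\x03abc"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER)):
        der = normalize_certificate(blob)
        print(label, len(der), "bytes", certificate_fingerprint(der))
```

Run it against the real certificate file before the import: if `is_importable` returns False, the file is in a format the Certificates page will not accept (for example a PKCS#7 bundle or a truncated download), and the fingerprint printed is the value to compare with the one the host administrator provides.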

4.3.4 How to configure a Reflection ZFE terminal session

Depending on your host type, you can configure a terminal session using different security protocols.

To configure a terminal session using TLS/SSL

To connect to the new trusted host using TLS/SSL, configure a Reflection ZFE terminal session as usual, and in the Settings dialog box, specify TLS/SSL as the security protocol. Make sure to specify the correct TLS port for the connection.

To configure a VT terminal session using Secure Shell (SSH)

Secure shell provides encrypted communications between the client and a VT host.

MSS has a known hosts list that contains the public keys of hosts that you can connect to using SSH. SSH connections can be made only to hosts already trusted by an administrator.

The first time an SSH connection is made from a Reflection ZFE session to a host, the known hosts file is downloaded from the Management and Security Server to the Reflection ZFE session server.

When you attempt to create or edit a session using SSH in Session Manager, you will be notified if the key is not recognized as trusted and asked if you want to trust the key and continue.

  • If you enter yes, the host will be trusted and added to the known host list, and you will be prompted for the SSH host password.

  • If you do not answer yes, then the host will remain untrusted and the session will be disconnected.

You can also configure the SSH Known Hosts file manually by establishing an SSH connection from a Reflection ZFE session to the host, and adding the remote host’s key fingerprint to the known hosts list in MSS.

Configure known hosts file for SSH connections using MSS

To configure the known hosts file for SSH connections in MSS:

  1. Connect to the system where MSS is installed and navigate to the server’s certificates folder: C:\ProgramData\Micro Focus\Mss\MssData\certificates (Windows) or /var/opt/microfocus/mss/Mssdata/certificates (UNIX).

  2. Copy the public key file of the new SSH host (on an OpenSSH host this is typically /etc/ssh/ssh_host_rsa_key.pub) into the MssData/certificates folder described above. Only ssh-rsa and ssh-dss are valid as public key types for MSS known_hosts entries.

    The host’s public key format can be OpenSSH, Base64-encoded, .DER, or .PFX. The file should follow this format: hostname, IP-address key-type key. For example, a public key entry might look like this: alpsuse132, 10.117.16.232 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...........

  3. Log in to MSS (for example, http://mycompany.com/mss/AdminStart.html).

  4. Click Administrative WebStation at the bottom right of the links list panel.

  5. In the Administrative WebStation, click Security Setup, and open the Secure Shell tab.

  6. In the Administer Secure Shell Known Hosts List, click the View or modify secure shell known hosts list link. The Secure Shell Known Hosts page displays.

  7. Click Import. The Import Known Host page displays.

  8. Enter the name of the file containing the public key, the name of the host, optionally the password for the public key file, and the IP address of the host. The name of the host you enter must exactly match the name on the key; for example, if the name on the key is hostname.example.com, you cannot enter just hostname.

  9. Click Submit.

After the public key is imported into the Reflection Known Hosts file, you will return to the Secure Shell Known Hosts page and the new host will appear in the list.
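The known hosts entry format described in step 2, the restriction to ssh-rsa and ssh-dss keys, and the exact-hostname rule in step 8 can all be checked before the import. The following is an added example, not code from the Reflection ZFE or MSS product: it parses a `hostname, IP-address key-type key` line (accepting both `host,ip` and the `host, ip` spacing shown above), rejects key types MSS does not accept, base64-decodes the key and confirms that the algorithm name inside the SSH wire-format blob agrees with the key-type column, computes the OpenSSH-style SHA256 fingerprint for comparison with the host, and applies the exact-match rule for the host name. The key blob is constructed from a made-up modulus and is not a real host key; the hostname and IP address are the ones used in the documentation's own example.

```python
import base64
import binascii
import hashlib
import struct

# Key types the documentation says MSS accepts in known_hosts entries.
ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (RFC 4251: uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero if the high bit is set)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_ssh_string(blob: bytes, offset: int):
    """Read one wire-format string from blob at offset; returns (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_known_hosts_line(line: str) -> dict:
    """Parse 'hostname, IP-address key-type key [comment]' into its parts."""
    tokens = line.strip().split()
    # The key-type column is the first token that looks like an SSH algorithm name.
    type_idx = next(
        (i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-"))), None
    )
    if type_idx is None or type_idx + 1 >= len(tokens):
        raise ValueError("line does not contain '<hosts> <key-type> <key>'")
    # Everything before the key type is the host list; tolerate 'host, ip' spacing.
    hosts = [h for h in " ".join(tokens[:type_idx]).replace(" ", "").split(",") if h]
    key_type = tokens[type_idx]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"key type {key_type!r} is not accepted for MSS known_hosts entries")
    try:
        key_bytes = base64.b64decode(tokens[type_idx + 1], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key is not valid base64") from exc
    # The first wire-format string inside the blob names the algorithm;
    # it must agree with the key-type column.
    inner_type, _ = _read_ssh_string(key_bytes, 0)
    if inner_type != key_type.encode():
        raise ValueError("key-type column does not match the algorithm inside the key blob")
    return {
        "hosts": hosts,
        "key_type": key_type,
        "key_bytes": key_bytes,
        "comment": " ".join(tokens[type_idx + 2:]),
    }


def is_valid_entry(line: str) -> bool:
    """True if the line parses and satisfies the checks above."""
    try:
        parse_known_hosts_line(line)
        return True
    except ValueError:
        return False


def sha256_fingerprint(key_bytes: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(entry: dict, requested_name: str) -> bool:
    """Exact match only: 'hostname' never matches an entry for 'hostname.example.com'."""
    return requested_name in entry["hosts"]


# Constructed sample: NOT a real host key. A tiny ssh-rsa blob built from
# e=65537 and a made-up modulus, wrapped in the line format from the documentation.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_LINE = "alpsuse132, 10.117.16.232 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    entry = parse_known_hosts_line(SAMPLE_LINE)
    print(entry["hosts"], entry["key_type"], sha256_fingerprint(entry["key_bytes"]))
```

The fingerprint printed for a real key file is the value to compare with what the host administrator reports, and `host_matches` reflects the rule in step 8: the name entered on the Import Known Host page must match an entry in the host list exactly.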