Making Secure Connections

When you open up your legacy hosts to users outside the corporate firewall--business partners, remote users, mobile sales personnel, and others--you need to shield your information from known security threats. With Reflection ZFE, you can provide secure web-to-host access to all your users. Reflection ZFE, along with the MSS, provides HTTPS connections and a variety of authorization and authentication options.

In a typical Reflection ZFE installation there are three main connection points that you need to consider in regard to security, each covered in its own section below:

  • the web browser to the session server (HTTPS)

  • the session server to the Management and Security Server (MSS)

  • the session server to the host (TLS, or Secure Shell for VT hosts)

About Java Keytool and certificates

Reflection ZFE and MSS use the Java Key and Certificate Management Tool (keytool) to manage keys and certificates. Using it, you can manage public/private key pairs and certificates. Keys and certificates are stored in a keystore, which, by default, is implemented as a file. The ZFE keystores are in BCFKS format, so every keytool command that touches them must name the Bouncy Castle FIPS provider (the -storetype, -providername, -providerclass and -providerpath options in the commands below). The commands use the default keystore password, not-secure; if you have changed it (see Securing the Session Server to MSS), substitute your own. If you omit -storepass, keytool prompts for the password instead of leaving it in your shell history.

To list certificates:

keytool -list -keystore <keystore-file> -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar -storepass not-secure

To delete a certificate:

keytool -delete -alias <cert-alias> -keystore <keystore-file> -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar -storepass not-secure

To export a certificate:

keytool -exportcert -file <file-to-store-cert> -alias <cert-alias> -keystore <keystore-file> -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar -storepass not-secure

To import a certificate:

keytool -importcert -file <cert-file> -alias <alias-to-store-cert-under> -keystore <keystore-file> -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar -storepass not-secure

To view a stand-alone certificate file (no keystore or provider options needed):

keytool -printcert -v -file <cert-file>

The Java Key and Certificate Management Tool documentation is available for both Unix and Windows platforms:

Securing the Web Browser to the Session Server

NOTE: The file paths noted here are for a default installation. If you have installed Reflection ZFE to another location, you must modify the path appropriately.

When an HTTPS connection is made to the session server, it authenticates itself to the client browser using a server certificate. The browser validates that certificate against its trusted certificate store: if the certificate, or the CA certificate it chains to, is in the trusted store and the name in the certificate matches the host name in the URL, the connection proceeds. If the certificate is not trusted, the browser warns you and asks whether to proceed.

By default, the session server generates a self-signed certificate and uses it to identify itself to the client. When you open the session server's HTTPS URL while the self-signed certificate is in use, the browser warns you that the certificate is not trusted. You can instruct the browser to trust the certificate and proceed with an encrypted connection, but that decision is per browser, and because every user sees the same warning for the genuine server, nobody can tell it apart from an impostor presenting its own self-signed certificate.

To avoid this, configure the session server to use a trusted certificate. The certificate, most likely one signed by a certificate authority (CA) that browsers already trust, is provided by the administrator in charge of the ZFE installation.

The key and certificate chain must be in a keystore in either BCFKS format or PKCS12 format with strong encryption (PBE-SHA1-3DES). The password for the key and the password for the keystore must be the same, because the configuration below supplies only one password.

To configure the session server to use the keystore:

  1. Open the sessionserver/conf/container.properties file and add the following three lines. Write the path with forward slashes or doubled backslashes, because a single backslash is an escape character in Java properties files (for example /opt/zfe/keys/server.bcfks or C:\\zfe\\keys\\server.bcfks):

    • servletengine.ssl.keystore=full path to keystore
    • servletengine.ssl.keystoretype=bcfks
    • servletengine.ssl.keystorepassword=password for the keystore file you specified
  2. Restart the session server.

By default the session server also accepts plain HTTP connections. You can disable that listener so browsers can only connect to the ZFE session server over HTTPS. Do this after you have confirmed that the HTTPS connection with the trusted certificate works, because it removes the fallback path:

Open sessionserver/conf/container.properties, set the servletengine.port property to 0 and restart the session server.

Securing the Session Server to MSS

NOTE: The file paths noted here are for a default installation and assume that Java\bin is in your system path. If you have installed Reflection ZFE to another location, you must modify the path appropriately.

These instructions pertain to the session server and require a change to the sessionserver/conf/container.properties file.

This file contains the URL of the Management and Security Server (MSS) that the Reflection ZFE session server uses. As installed it is a plain HTTP URL, so traffic between the session server and MSS is unencrypted: management.server.url=http://my-company.com:80/mss

During installation, you can specify that you want a secure communication channel between the Reflection ZFE session server and MSS; the install process then obtains the MSS certificate and configures the session server for you.

If necessary, you can make this configuration manually after you complete the installation:

  1. Change the management.server.url property in sessionserver/conf/container.properties to use the HTTPS protocol and the correct MSS HTTPS port (for example https://my-company.com:443/mss).

  2. Use the browser to connect to the HTTPS Management and Security Server URL and instruct the browser to save (export) the server certificate to a file. Before you import it, compare its fingerprint with the one the MSS administrator gives you through a separate channel; a certificate you simply accept from the network is only as trustworthy as that first connection.

  3. Import the certificate into the appropriate Reflection ZFE keystore by running the following command (adjust the values to your installation) in the sessionserver/etc directory:

    keytool -importcert -file <path-to-the-MSS-certificate> -alias <some-alias> -keystore servletcontainer.bcfks -storetype bcfks -storepass not-secure -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar

  4. Repeat the same command, but replace -keystore servletcontainer.bcfks with -keystore system.bcfks.

  5. Restart the session server.

These instructions use the default keystore password, not-secure. Because it is the documented default, you should change it:

  1. From the sessionserver/etc directory, run the following command:

    keytool -storepasswd -new new_password -keystore servletcontainer.bcfks -storetype bcfks -storepass not-secure -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar

  2. Run the command again for the system.bcfks keystore.

Note that -storepasswd changes only the keystore password; the password on a private key entry is changed separately with keytool -keypasswd. If the keystore you change is the one referenced by servletengine.ssl.keystore, keep the key and keystore passwords the same (see above), update servletengine.ssl.keystorepassword in container.properties to match, and restart the session server. keytool prompts for any password you leave off the command line, which keeps it out of your shell history.
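The checks and commands from the two procedures above (confirming the session server's certificate is trusted, and capturing and importing the MSS certificate), as an added example that is not code from the Reflection ZFE documentation or product. It uses only the Python standard library; the host names, ports, the mss.pem file name and the alias mss are assumptions, and the BCFIPS provider options are copied from the commands above:

```python
"""Added example (not code from the Reflection ZFE documentation or product):
scriptable versions of the TLS steps in the two sections above. It checks
whether an HTTPS endpoint (the session server after you install a trusted
certificate, or MSS) already chains to a root the local trust store accepts,
captures the endpoint's certificate without a browser "save certificate"
click, reports its SHA-256 fingerprint for out-of-band comparison with the
MSS administrator's copy, rewrites management.server.url in
container.properties text, and builds the two keytool import commands.
Host names, ports, paths and aliases are assumed values supplied by the caller."""
import base64
import hashlib
import shlex
import socket
import ssl
import sys

# Provider options every keytool command against a ZFE .bcfks keystore needs.
PROVIDER_ARGS = [
    "-storetype", "bcfks",
    "-providername", "BCFIPS",
    "-providerclass", "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
    "-providerpath", "../lib/bc-fips-1.0.1.jar",
]
# The two keystores (in sessionserver/etc) that must both trust the MSS certificate.
ZFE_KEYSTORES = ("servletcontainer.bcfks", "system.bcfks")


def trusted_by_local_store(host, port, timeout=5.0):
    """True if the server certificate chains to a CA in this machine's trust
    store and matches `host`; False on any TLS failure (self-signed, expired,
    name mismatch). This is the same decision a browser makes before warning."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def fetch_server_cert_pem(host, port):
    """The server's leaf certificate as PEM, fetched without verification
    (we are about to decide whether to trust it), like saving it from a browser."""
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem):
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def sha256_colon(data):
    """Colon-separated upper-case SHA-256, the layout browsers display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(data).digest())


def pem_sha256_fingerprint(pem):
    return sha256_colon(pem_to_der(pem))


def set_property(text, key, value):
    """Return Java .properties text with key=value set: the first existing
    `key=` assignment is replaced, otherwise a line is appended; comments and
    other keys are kept verbatim. (Only the '=' separator form is handled.)"""
    out, done = [], False
    for line in text.splitlines():
        stripped = line.lstrip()
        is_comment = stripped.startswith(("#", "!"))
        if not done and not is_comment and stripped.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def mss_https_url(host, port):
    return f"https://{host}:{port}/mss"


def keytool_import_cmd(cert_file, alias, keystore, storepass="not-secure"):
    """argv for the import command shown in step 3, run from sessionserver/etc.
    No -noprompt: keytool's "Trust this certificate?" prompt is where you
    compare the fingerprint it prints with the administrator's copy."""
    return ["keytool", "-importcert", "-file", cert_file, "-alias", alias,
            "-keystore", keystore, "-storepass", storepass, *PROVIDER_ARGS]


def import_commands(cert_file, alias, storepass="not-secure"):
    """Steps 3 and 4: the same import into both ZFE keystores."""
    return [keytool_import_cmd(cert_file, alias, ks, storepass) for ks in ZFE_KEYSTORES]


if __name__ == "__main__":
    # Usage with assumed values: python capture_mss_cert.py mss.example.com 443
    host, port = sys.argv[1], int(sys.argv[2])
    print("trusted by the local store:", trusted_by_local_store(host, port))
    pem = fetch_server_cert_pem(host, port)
    with open("mss.pem", "w", encoding="ascii") as f:
        f.write(pem)
    print("SHA-256:", pem_sha256_fingerprint(pem), "<- compare with the MSS administrator's value")
    print("container.properties line:", "management.server.url=" + mss_https_url(host, port))
    for cmd in import_commands("mss.pem", "mss"):
        print(shlex.join(cmd))
```

Run against the MSS host, the script reports whether the local trust store already accepts its certificate (the answer a browser would give), saves the certificate to mss.pem, and prints the fingerprint to check against the administrator's copy together with the two import commands for steps 3 and 4. Pointed at the session server's HTTPS port after you install the CA-signed keystore, trusted_by_local_store performs the same validation a browser does, so it confirms the warning is gone without clicking through one.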

Securing the Session Server to the Host

Follow these steps to configure a TLS connection between the Reflection ZFE session server and a host that supports TLS:

How to install unlimited strength policy jars

TLS/SSL encryption between the Reflection ZFE session server and the host computer requires the unlimited strength cryptographic policy files from Oracle or IBM. If you installed using the standard installation process, these files are already installed. (Oracle Java 8 update 161 and later enable the unlimited policy by default, so the separate download is only needed for older releases.) If needed, you can find the files here:

  • For Oracle Java 8 - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  • For IBM Java 8 - https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

The Oracle readme file included with the download explains how to install their files.

How to configure the keystore in MSS

For a Reflection ZFE session to trust the TLS host it connects to, the public certificate of the host must be added to a trusted keystore using the Management and Security Server (MSS). The Reflection ZFE session retrieves this certificate the first time a session connects.

Open the MSS Administrative Console > Configure Settings > Trusted Certificates and choose Terminal Emulator Clients. You can access the documentation for the Administrative Console by clicking the Help icon in the upper right of the page.

When the certificate is successfully added to the MSS server's trusted keystore, you are returned to the list of certificates and you should see the new host.

How to configure a Reflection ZFE terminal session

Depending on your host type, you can configure a terminal session using different security protocols.

To configure a terminal session using TLS

To connect to the new trusted host using TLS, configure a Reflection ZFE terminal session as usual, and in the Settings dialog box, specify TLS as the security protocol. Make sure to specify the correct TLS port for the connection.

To configure a VT terminal session using Secure Shell (SSH)

Secure shell provides encrypted communications between the client and a VT host.

MSS has a known hosts list that contains the public keys of hosts that you can connect to using SSH. SSH connections can be made only to hosts already trusted by an administrator.

The first time an SSH connection is made from a Reflection ZFE session to a host, the known hosts file is downloaded from MSS to the Reflection ZFE session server.

When you attempt to create or edit a session using SSH in the session management panel, you are notified if the host key is not recognized as trusted and asked whether to trust the key and continue. Verify the key's fingerprint against one the host administrator gave you through a separate channel before answering: accepting an unknown key on first use is exactly the opening a man-in-the-middle attacker needs.

  • If you enter yes, the host is trusted and added to the known hosts list, and you are prompted for your password on the SSH host.

  • If you do not answer yes, the host remains untrusted and the session is disconnected.

You can also configure the SSH known hosts file manually, by obtaining the remote host's public key and adding it to the known hosts list in MSS as described next.

Configure known hosts file for SSH connections using MSS

To configure the known hosts file for SSH connections in MSS:

  1. Connect to the system where MSS is installed and navigate to the server's certificates folder: C:\ProgramData\Micro Focus\Mss\MssData\certificates (Windows) or /var/opt/microfocus/mss/Mssdata/certificates (UNIX).

  2. Copy the public key file of the new SSH host into that certificates folder. On a UNIX host the key is typically /etc/ssh/ssh_host_rsa_key.pub; obtain it from the host itself or its administrator, not over the connection you are about to trust. Only ssh-rsa and ssh-dss are valid as public key types for MSS known_hosts entries.

    The host's public key format can be OpenSSH, Base64-encoded, .DER, or .PFX. Edit the file so that it follows this format: hostname, IP-address key-type key. For example, a public key entry might look like this: alpsuse132, 10.117.16.232 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...........

  3. Log in to MSS (for example, http://mycompany.com/mss/AdminStart.html).

  4. Open the Administrative Console.

  5. Click Configure Settings > Secure Shell.

  6. Follow the directions in MSS to import a known host.

After the public key is imported into the known hosts file, you will return to the Secure Shell Known Hosts page and the new host will appear in the list.
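Preparing a host key for the MSS known hosts import above, and checking it before you trust it at the first-use prompt described earlier, as an added example that is not code from the Reflection ZFE or MSS documentation. It uses only the Python standard library; the key material, host name and IP address are constructed for the example (the modulus is not a real RSA key), and the accepted key types and the entry layout are taken from the page:

```python
"""Added example (not code from the Reflection ZFE or MSS documentation): build
a known_hosts entry in the "hostname, IP-address key-type key" layout shown
above from an SSH host's public key file (the ssh_host_*_key.pub the
administrator copies over), after checking that the key type is one MSS
accepts (ssh-rsa or ssh-dss) and that the declared type matches the type
encoded inside the key blob, and print the SHA256 fingerprint that
`ssh-keygen -lf` shows for the same key so it can be compared with a value
obtained out-of-band before the host is trusted. The key below is constructed
for the example and is not a usable RSA key."""
import base64
import hashlib
import struct

ACCEPTED_KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the only types MSS accepts in known_hosts


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def rsa_key_blob(e, n):
    """Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed inputs in the layout of /etc/ssh/ssh_host_rsa_key.pub; the modulus is a toy value.
TOY_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(rsa_key_blob(65537, 0xC0FFEE1234567891)).decode() + " root@alpsuse132"
# Declared ssh-rsa, but the blob says ssh-dss: a mislabelled or tampered file.
MISMATCHED_LINE = "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-dss") + _ssh_mpint(7)).decode()
# Well-formed, but a key type MSS does not accept.
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()


def parse_openssh_pubkey(line):
    """Return (key_type, base64_key, blob) for an OpenSSH public key line, raising
    ValueError if the line is malformed or its declared type disagrees with the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-key> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        inner_type, _ = _read_string(blob, 0)
    except (ValueError, struct.error) as exc:
        raise ValueError(f"undecodable key blob: {exc}") from exc
    if inner_type != key_type.encode("ascii"):
        raise ValueError(f"declared type {key_type} but blob encodes {inner_type!r}")
    return key_type, b64, blob


def fingerprint_sha256(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_hosts_entry(hostname, ip, pubkey_line):
    """One line for the MSS known hosts import, in the layout the page shows."""
    key_type, b64, _ = parse_openssh_pubkey(pubkey_line)
    if key_type not in ACCEPTED_KEY_TYPES:
        raise ValueError(f"{key_type} is not accepted by MSS; only ssh-rsa and ssh-dss are")
    return f"{hostname}, {ip} {key_type} {b64}"


def acceptable(pubkey_line):
    """True if known_hosts_entry would accept the line, False otherwise."""
    try:
        known_hosts_entry("h", "0.0.0.0", pubkey_line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, line in (("toy rsa", TOY_PUBKEY_LINE), ("mismatched", MISMATCHED_LINE), ("ed25519", ED25519_LINE)):
        print(label, "->", "accepted" if acceptable(line) else "rejected")
    key_type, b64, blob = parse_openssh_pubkey(TOY_PUBKEY_LINE)
    print("verify out-of-band:", fingerprint_sha256(blob))
    print(known_hosts_entry("alpsuse132", "10.117.16.232", TOY_PUBKEY_LINE))
```

The fingerprint printed for the constructed key is the one `ssh-keygen -lf` would print for the same .pub file, so the administrator of the SSH host can read it out from the console and you can compare before importing. The type-consistency check matters because MSS reads the key type from the text of the entry: a file whose label says ssh-rsa but whose blob is something else is either corrupt or edited by hand, and should not become a trusted entry.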