Using SSL


XTND supports communication over SSL (Secure Sockets Layer). SSL mode only works in multithreaded mode (multiplex=false). To make use of SSL, a valid Java keystore holding the server's private key and certificate must be configured.

XTND supports SSLv3 and TLSv1. Both protocol versions are now considered obsolete (SSLv3 in particular is known to be broken), so prefer TLSv1 and, where the emulator allows it, disable SSLv3 on the client side; recent JVMs and emulators may refuse SSLv3 altogether.

Generating a keystore

You can use the "keytool" utility, shipped with the Java SDK, to create a valid keystore.

The name of the keystore file (xtndkeystore.jks in the sample below) and the keystore password (xframe in the sample below) must be specified in the keystore and keystorepassword attributes of the XTND configuration, respectively. keytool prompts for the distinguished name of the certificate: use the host name the emulators will connect to as the common name (CN). The resulting certificate is self-signed; note that keytool's defaults are short (90 days validity, and 1024-bit RSA keys on older releases), so pass -validity and -keysize explicitly if those defaults are not acceptable.

For example:

# keytool -genkey -alias tn3270 -keyalg RSA -keypass xframe -storepass xframe -keystore $HOME/etc/xtndkeystore.jks

In the xtnd.xml:

<configuration>
  <settings>
    <service port="8040" welcome="true" multiplex="false" tn3270e="true"/>
    <security ssl="true" keystore="%h/etc/xtndkeystore.jks" keystorepassword="xframe"/>
....

Once the keystore has been defined and XTND has been configured and started, terminal emulators with SSL/TLS support may connect to it. Because the keystore password is stored in clear text in xtnd.xml, restrict read access to both xtnd.xml and the keystore file to the user that runs XTND.
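The following script is an added example, not part of XTND, that checks an xtnd.xml against the constraints stated above: ssl="true" only works with multiplex="false", a keystore and keystorepassword must be present, and the keystore should exist and not be readable by other users. It assumes that the "%h" placeholder in the keystore path expands to the home directory (matching the $HOME used in the keytool sample); that mapping, the sample configuration and the fake filesystem view are all constructed for the example.

```python
"""Sanity-check the <service>/<security> settings of an xtnd.xml.

Added example, not XTND code. The "%h" -> home directory expansion is an
assumption made for this example, not documented XTND behaviour.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample configurations mirroring the page's snippet.
SAMPLE_XTND_XML_OK = """<configuration>
  <settings>
    <service port="8040" welcome="true" multiplex="false" tn3270e="true"/>
    <security ssl="true" keystore="%h/etc/xtndkeystore.jks" keystorepassword="xframe"/>
  </settings>
</configuration>"""

SAMPLE_XTND_XML_BAD = """<configuration>
  <settings>
    <service port="8040" welcome="true" multiplex="true" tn3270e="true"/>
    <security ssl="true" keystore="%h/etc/xtndkeystore.jks"/>
  </settings>
</configuration>"""


def expand_keystore_path(path, home):
    """Expand the %h placeholder to the home directory (assumed semantics)."""
    return path.replace("%h", home)


def _default_stat(path):
    try:
        return os.stat(path)
    except OSError:
        return None


def check_security_config(xml_text, home, stat_fn=_default_stat):
    """Return a list of problems found; an empty list means the config passes.

    stat_fn(path) must return an os.stat_result or None (file missing), so a
    caller can supply a fake filesystem view for testing.
    """
    root = ET.fromstring(xml_text)
    service = root.find("./settings/service")
    security = root.find("./settings/security")
    problems = []

    if security is None or security.get("ssl", "false").lower() != "true":
        problems.append("ssl is not enabled; tn3270 sessions will be cleartext")
        return problems

    # SSL mode only works in multithreaded mode, i.e. multiplex="false".
    if service is None or service.get("multiplex", "").lower() != "false":
        problems.append('ssl="true" requires multiplex="false" on <service>')

    keystore = security.get("keystore")
    if not keystore:
        problems.append("keystore attribute is missing on <security>")
    if not security.get("keystorepassword"):
        problems.append("keystorepassword attribute is missing on <security>")

    if keystore:
        path = expand_keystore_path(keystore, home)
        st = stat_fn(path)
        if st is None:
            problems.append("keystore file not found: " + path)
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The keystore password sits in xtnd.xml, so the keystore itself
            # must not be readable by group or others.
            problems.append("keystore is group/world accessible: " + path)
    return problems


def make_fake_stat(files):
    """Build a stat_fn from a constructed {path: mode} mapping."""
    def stat_fn(path):
        if path in files:
            return os.stat_result((files[path], 0, 0, 0, 0, 0, 0, 0, 0, 0))
        return None
    return stat_fn


def demo():
    """Run both samples against a constructed filesystem view."""
    home = "/home/xtnd"
    fs = make_fake_stat({"/home/xtnd/etc/xtndkeystore.jks": 0o100600})
    loose_fs = make_fake_stat({"/home/xtnd/etc/xtndkeystore.jks": 0o100644})
    return {
        "ok": check_security_config(SAMPLE_XTND_XML_OK, home, fs),
        "bad": check_security_config(SAMPLE_XTND_XML_BAD, home, loose_fs),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "no problems found")
```

Run it against the real file with check_security_config(open("xtnd.xml").read(), os.path.expanduser("~")) to use the actual filesystem instead of the constructed view.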

Setting up emulators for SSL

Many emulators only require SSL/TLS support to be turned on in the session definition before connecting to the tn3270 server.

IBM Personal Communications, the most popular 3270 terminal emulator, needs a more complex setup. Because the XTND certificate is self-signed, the emulator will not trust it until the server certificate has been installed in the emulator's key database on the PC.

To do that follow this procedure:

1. Export the certificate (in PEM format, as requested by -rfc) using the keytool utility:

keytool -export -rfc -alias tn3270 -keystore xtndkeystore.jks -storepass xframe -file export.arm

2. Copy the "export.arm" file to the PC (only the certificate is exported, never the private key or the keystore itself).
3. Start the IBM utility for certificate management (IBM Key Management).
4. Open the Personal Communications key database file, normally located in the "private" subdirectory of its setup directory and named PcommClientKeyDb.kdb. A password is required to open the file: "pcomm" is the IBM default password.
5. Add a certificate: select the copied file and provide a label (a mnemonic name). The certificate is added as a trusted signer certificate.
6. Save the file (overwrite).
7. Define a new session with security enabled and connect. If the emulator prompts for a password, supply the password of the key database file as in step 4 ("pcomm").

The default key database password is publicly known; change it and keep the .kdb file protected, since anyone who can write to it can add a certificate the emulator will trust.

For more detailed information, please refer to your terminal emulator's documentation.