
Mainframe – Enabling AT-TLS TLSv1 on HostExplorer

This article explains how to enable “Application Transparent-Transport Layer Security” (AT-TLS) security/encryption for OpenText HostExplorer.

Background

The encryption scheme (SSLv3) used by the University of Chicago’s mainframe terminal emulator, OpenText HostExplorer, has been reported to be compromised. SSLv3 is exposed to an attack called “Padding Oracle On Downgraded Legacy Encryption” (POODLE).

An alternative and more secure encryption protocol, “Application Transparent-Transport Layer Security” (AT-TLS), is now available. All UC mainframe users should switch to AT-TLS as soon as possible. Eventually, SSLv3 will no longer be supported or available.

Note for Macintosh/OS X users:

IT Services does not support tn3270 for Mac OS. However, a secure TN3270 client can be downloaded from Brown University: http://www.brown.edu/cis/tn3270/

You will need to turn on AT-TLS TLSv1 and configure it to connect to port 4992. If FIPS 140-2 Cryptography can be enabled then select this option as well.
Instructions can be found here.

Verify Software Level

To begin, HostExplorer must be at least Version 14. Check this by clicking the Help tab and then About.

Version 15.0.1.191 was the most recent maintenance level at the time this document was written.

If your version is earlier than Version 15, go to this URL and follow the instructions to download and install Version 15:
https://answers.uchicago.edu/58817

Enabling AT-TLS

Before making any changes, make sure that HostExplorer is disconnected from the mainframe. You SHOULD NOT see the UofC sign-on screen. Use the “light switch” icon to toggle it off.

Click the Options tab and select Session Properties.

Expand the Connection folder and select TN3270.

Change the Port value by double-clicking the Host Name field. Make sure the TCP port value is 4992.

Now, expand the Security folder and select General. Select SSL/TLS under Security Options.

Next, under the Security folder, select SSL/TLS. Make changes exactly as seen here. Note: If the Version window is greyed out you may need to temporarily un-select "Enable FIPS 140-2 Cryptography", make the change, and then re-select FIPS.


Click OK to accept changes. Toggle a session by clicking the “light switch” icon.

Connected using AT-TLS TLSv1 security!
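To confirm from a packet capture that a session on port 4992 negotiated TLSv1 rather than SSLv3, the server's first TLS record can be decoded. The following is an added example, not part of the original article or of HostExplorer; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Wire values of the protocol versions; 0x0300 is the SSLv3 this article retires.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def classify_server_reply(data: bytes) -> dict:
    """Decode the first TLS record a server returns after a ClientHello."""
    if len(data) < 5:
        raise ValueError("shorter than a TLS record header")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record")
    if rec_type == 21 and rec_len >= 2:  # alert: the offered protocol was refused
        return {"kind": "alert", "fatal": body[0] == 2,
                "description": ALERTS.get(body[1], str(body[1]))}
    if rec_type != 22 or len(body) < 42 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    # Handshake header is type (1) + length (3); the ServerHello then carries
    # version (2), random (32), session-id length (1), session id,
    # cipher suite (2) and compression method (1). Extensions are not parsed.
    version = struct.unpack("!H", body[4:6])[0]
    sid_len = body[38]
    if len(body) < 42 + sid_len:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    return {"kind": "server_hello", "version": VERSIONS.get(version, hex(version)),
            "cipher_suite": f"0x{cipher:04X}", "is_sslv3": version == 0x0300}


def build_server_hello(version: int, cipher: int) -> bytes:
    """Build a constructed ServerHello record (zeroed random, empty session id)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


# Constructed sample replies, not captures from the mainframe.
TLS1_REPLY = build_server_hello(0x0301, 0x002F)
SSL3_REPLY = build_server_hello(0x0300, 0x002F)
REFUSAL = struct.pack("!BHH", 21, 0x0300, 2) + bytes([2, 40])

if __name__ == "__main__":
    for label, raw in (("TLSv1", TLS1_REPLY), ("SSLv3", SSL3_REPLY), ("refused", REFUSAL)):
        print(label, classify_server_reply(raw))
```

A reply with `is_sslv3` set means the session is still on the protocol this article replaces; a fatal alert in answer to an SSLv3 offer means the server no longer accepts it.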




Keywords: opentext mvs tn3270 uchimvs1
Doc ID: 45437
Owner: Bob C.
Group: University of Chicago
Created: 2014-12-04 15:04 CDT
Updated: 2016-11-21 09:12 CDT
Sites: University of Chicago, University of Chicago - Sandbox