Topics Map > University of Chicago > IT Services > Business Systems > Mainframe
Mainframe – Enabling AT-TLS TLSv1 on HostExplorer
This article explains how to enable “Application Transparent-Transport Layer Security” (AT-TLS) security/encryption for Open Text HostExplorer.
The encryption scheme (SSLv3) used by the University of Chicago’s mainframe terminal emulator, OpenText HostExplorer, has been reported to be compromised. SSLv3 can potentially be exploited by a vulnerability called “Padding Oracle On Downgraded Legacy Encryption” (POODLE).
An alternative and more secure encryption protocol, “Application Transparent-Transport Layer Security” (AT-TLS) is now available. All UC mainframe users should switch to AT-TLS as soon as possible. Eventually, SSLv3 will no longer be supported or available.
Note for Macintosh/ OS X users:
IT Services does not support tn3270 for Mac OS. However, a secure TN3270 client can be downloaded from Brown University: http://www.brown.edu/cis/tn3270/
You will need to turn on AT-TLS TLSv1 and configure it to connect to port 4992. If FIPS 140-2 Cryptography can be enabled then select this option as well.
Instructions can be found here.
Verify Software Level
To begin, HostExplorer must be minimally at Version 14. Check this by clicking the Help tab and About.
Version 126.96.36.199 was the most recent maintenance level at time of writing this document.
If your version is earlier than Version 15, go to this URL and follow the instructions to download and install Version 15:
Before making any changes, make sure that HostExplorer is disconnected from the mainframe. You SHOULD NOT see the UofC sign-on screen. Use the “light switch” icon to toggle if off.
Click the Options tab and select Session Properties.
Expand the Connection folder and select TN3270
Change the Port value by double-clicking the Host Name field. Make sure the TCP port value is 4992.
Now, expand the Security folder and select General. Select SSL/TLS under Security Options.
Next, under the Security folder, select SSL/TLS. Make changes exactly as seen here. Note: If the Version window is greyed out you may need to temporarily un-select "Enable FIPS 140-2 Cryptography", make the change, and then re-select FIPS.
Click OK to accept changes. Toggle a session by clicking the “light switch” icon.
Connected using AT-TLS SSLv1 security!