How to connect Telnet sessions using Encryption SSLv3.0 with 'Verify Server Identity' enabled.


Technical Note IRE2904
Created 24-Feb-2006

Applies To
EXTRA! X-treme 8SP1

EXTRA! X-treme 8.0

EXTRA! X-treme 8.1

Telnet

TN3270

TN5250

SSL V3.0

"Verify Server Identity" is selected

Symptoms

If 'Verify Server Identity' is selected, the connection fails.

Error: "Bad Certificate chain from Host  <host name>" in Audit Log

This error occurs if the host name in the client configuration does not match the common name in the server's X.509 certificate.

Error: "Untrusted certificate from host <host name>" in Audit Log

This error occurs if the root CA certificate that signed the server certificate is not trusted.

Goal

How to connect Telnet sessions using Encryption SSLv3.0 with 'Verify Server Identity' enabled.

Cause

'Verify Server Identity' provides a higher level of security by verifying the following:
1. Does the host name in the client configuration match the common name in the server's X.509 certificate?
2. Does the server's X.509 certificate chain to a trusted root certificate?
3. Is the server's X.509 certificate still valid (not expired)?
If any one of these checks fails, the connection fails.
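The three checks above, written out as an added example using Go's standard crypto/x509 package (this is not Attachmate's code; the test root CA and server certificate are generated in memory, and the host names are constructed). Each failure is labelled with the message the audit log would show for that case. One caveat: Go matches the host name against the certificate's Subject Alternative Name, whereas the EXTRA! client described here compares it with the common name, so the test certificate carries the name in both places.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert issues a test certificate for cn: self-signed when parent is nil (the root CA), otherwise signed by parent with parentKey.
func MakeCert(cn string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root CA
	} else {
		tmpl.DNSNames = []string{cn} // Go matches the host against the SAN; EXTRA! compares it with the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckHost runs the three 'Verify Server Identity' checks (host name, trust chain, validity) and labels a failure the way the EXTRA! audit log would.
func CheckHost(server *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // host in the client configuration does not match the certificate
		return "Bad Certificate chain from Host " + host
	case x509.UnknownAuthorityError: // the signing root CA is not in the trust store
		return "Untrusted certificate from host " + host
	case x509.CertificateInvalidError: // e.g. expired
		return "certificate invalid: " + e.Error()
	default:
		return "other: " + err.Error()
	}
}
```

Entering the IP address instead of server.domain.com, leaving the root CA out of the trust store, or using an expired certificate each produces the corresponding failure label.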

Fix

The first step is to check the server certificate's common name; it must exactly match the host address you enter in the client configuration. For example, if the server certificate's common name is server.domain.com but you enter the IP address as the host name in the client's connection properties, the connection will fail.

Once you know the common name matches the host name in the client connection settings, you need to check whether the certificate is trusted.

- To trust a server certificate you need to install the CA root certificate on the client. This is the root certificate of the Certificate Authority that signed your server's certificate.
Please note: by default, EXTRA! 8.x already trusts most popular Certificate Authorities, such as VeriSign or Thawte. If you use your own Certificate Authority, or a Certificate Authority that is not trusted by default, follow the steps below.

In EXTRA! 8.x you have two options for installing the CA root certificate.
Option 1: use the EXTRA! root certificate store. This is a file called ROOTCAS.CDB.
In the EXTRA! client, the ROOTCAS.CDB file is located in the Sessions folder, which is located wherever the User Files are installed (My Documents, All Users, or the Application Directory).

Location of User Files     Location of ROOTCAS.CDB
"My Documents"             ...\My Documents\Attachmate\Sessions
"All Users"                ...\Documents and Settings\All Users\Attachmate\E!E2K\Sessions
"Application Directory"    ...\Program Files\Attachmate\E!E2K\Sessions

1. Export or download the CA root certificate in Base64-encoded format.
2. Open the CA root certificate in a text editor and copy the content of the file.
   Note that you must copy the entire certificate, including the
   "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
3. Open the client's ROOTCAS.CDB, paste the certificate into this file, and save it.

Option 2: use the Microsoft certificate store.
To do this, import the CA root certificate on the client into Internet Explorer:
go to 'Internet Options --> Content --> Certificates' and import the CA root certificate into 'Trusted Root Certificate Authorities'.
You can also copy the CA root certificate to the client, double-click it, and select Install Certificate.
In the EXTRA! client connection settings you must enable the option 'Use Microsoft Security Implementation' so that the client can read the CA root certificate from the Microsoft store.

- The last thing to check is the expiry date on the certificate; ensure that it is still valid.

