|
|
|
Attachmate Security: New SSL Configuration Option Available in EXTRA! 9 SP2
Technical Note 2356
Last Reviewed 15-Jul-2008
Applies To
EXTRA! X-treme version 9.0 SP2 or higher
Summary
Technical Note 2356
Last Reviewed 15-Jul-2008
Applies To
EXTRA! X-treme version 9.0 SP2 or higher
Summary
This technical note describes a new setting available in EXTRA! 9 Service Pack 2 (SP2) to configure SSL encryption key strength for Attachmate Security.
New Setting Enables You to Specify Encryption Key Strength
The new SSLEncryptionStrength setting permits selection of a set of SSL encryption ciphers by specifying the encryption key strength. For example, you can now specify that EXTRA! connect over SSL using encryption algorithms that use 128-bit keys. This feature applies only when Attachmate Security is selected in a connection configuration dialog, and either SSL/TLS or FIPS 140-2 security is selected as the level of encryption.
Note: This SSLEncryptionStrength setting is available in EXTRA! 9 SP2 or higher. For information about EXTRA! 9 SP2, see Technical Note 2257.
Enabling New SSLEncryptionStrength Setting
To enable the SSLEncryptionStrength setting in EXTRA! 9 SP2 or higher, follow these steps:
- Open the session profile (EDP file) for a session whose encryption strength you want to restrict. Session files are normally stored in the user’s Documents folder under Attachmate\EXTRA!\Sessions.
- In the EDP file, add a new setting to the [Connection] section called SSLEncryptionStrength. Valid values are currently 40, 56, 128, 168 and 256.
For example, setting SSLEncryptionStrength=128 results in EXTRA! offering cipher suites that use only 128-bit keys for data encryption during the SSL handshake. If the SSL server supports any of these cipher suites, it chooses the one that provides what it considers to be the greatest level of security at an encryption strength of 128 bits. This cipher suite is then used for the duration of the SSL session.
Omitting this setting from the EDP file or giving it an invalid value results in EXTRA!'s default behavior: offering all valid cipher suites for the selected operating mode (SSL/TLS or FIPS).
Note: This setting is ignored by the other two SSL engines: Microsoft Secure Channel (offered only with IBM Mainframes) and EXTRA!'s legacy SSL (SSL V3.0).
Important Note
By default, Attachmate Security connects to the highest level of security that both EXTRA! and the SSL server support. Use this SSLEncryptionStrength setting only when you want to insure the level selected or want a level lower than that supported. We recommend against using this new setting without fully understanding the consequences.
Examples
Setting SSLEncryptionStrength=40 might result in a successful connection to a host system using an encryption strength that is unacceptable for sensitive data transfers.
Alternately, your system may support a 256 encryption strength, but your hardware supports only 168 so that you have to lower the level to allow a connection to be successful.
