Configuring Z and I Emulator for Windows Session Security

Whether you are configuring a TN3270, TN5250, or VT session, the underlying protocol must be TCP/IP. Use the following procedure to enable security:
  1. Start a workstation profile from the Session Manager; or, from an active session, click Configure from the Communication menu. When the dialog box opens, click Configure.
  2. In the Customize Communication panel, choose the appropriate Type of Host, Interface, and Attachment values for the desired Telnet host.
  3. Click Link Parameters.
  4. On the Host Definition property page, do the following:
    1. Specify the normal host name and LU parameters under Primary.
    2. Specify the Port Number under Primary. It is likely that it will not be the default port value for Telnet. The administrator of the destination server might have set up a specific port number to handle TLS/SSL service.
  5. On the Security Setup property page, check Enable Security.

    For server authentication only, no additional setup is required. For client authentication, proceed to the next step.

  6. For 3270 sessions, select the Telnet-negotiated option to have Z and I Emulator for Windows negotiate security with the Telnet 3270 server. See Negotiated Telnet Security for details. If Enable Security is unchecked, the Telnet-negotiated option cannot be selected.
  7. On the Security Setup property page, select the Microsoft CryptoAPI (MSCAPI) security package.
    Note: To avoid having to add the host certificate to the Microsoft Certificate Store manually, refer to Pass Through Certificate Validation.
  8. To protect against security vulnerability in RC4 stream cipher, the FIPS (Federal Information Processing Standard) mode has been made mandatory.

    For MSCAPI, refer to the vendor documentation for the latest information.

    Note: Follow the steps below to enable AES support with MSCAPI on Windows 8, Windows 8.1, Windows 10, Windows Server 2008, and Windows Server 2012.
    1. From an administrator account, open Group Policy Editor (gpedit.msc).
    2. Choose Computer Configuration->Administrative Templates->Network->SSL Configuration Settings.
    3. Open SSL Cipher Suite Order and select Enabled.
    4. Alter the cipher order as per your organization's needs, save the changes, and REBOOT the system for the above changes to apply.
    It is important to note that the client can only present the server a prioritized cipher list. The host has the final say on what gets selected as the cipher for the session. When choosing an algorithm with a specific bit length, one important consideration is to remember that encryption and decryption are CPU-intensive operations whose cost depends on the key size. In almost all cases, a 128-bit key is more than sufficient to protect the information you are exchanging over your telnet connections.
  9. Enable Check for Server Name and Certificate Name Match to have the session authenticate the server by matching the server name to the host or server certificate name. The server and certificate names must match exactly. For MSCAPI sessions, if the certificate name and server name do not match, an error is returned.
  10. In the Client Authentication group box, you determine when and how the client certificate will be chosen for sending to the server.

    If you want to enable client authentication and have the personal client certificate from the key database file sent to the server when requested, check Send Personal Certificate to Server if Requested.

    Send Personal Certificate Trusted by Server
    Select this option if you do not want to be prompted to select a personal client certificate from a key database file. Z and I Emulator for Windows will send the personal client certificate trusted by the server.
    Send Personal Certificate based on Key Usage
    Use this option to select one or more key usages. Click Key Usage to select the defined Object ID (OID) key usages. Go to the Extended Key Usage panel to add a new OID and description to the list.

    At authentication time, Z and I Emulator for Windows chooses certificates for client authentication, based on the key usage that you select. If a certificate's Enhanced Key Usage attribute contains one or more of the OIDs that you specify, the certificate is eligible for use.

    If no eligible certificates are found, the authentication fails. If one eligible certificate is found, it is automatically used. If two or more eligible certificates are found, you will be prompted to select a personal client certificate.

    Select or Prompt for Personal Client Certificate
    Use this option if you want to choose the personal client certificate. You will be prompted to select a personal client certificate during session establishment, when the server requests the client certificate.

    To preselect a personal client certificate during configuration, click Select now and choose the Personal Certificate Label.

    Pass Through Host Certificate Validation
    Use this option to disable the default certificate validation process during TLS handshake. Applicable only for Microsoft schannel provider.
    Note: By default, schannel (MSCAPI) is responsible for validating the host certificate chain received during the TLS handshake. Schannel runs several checks on the received certificate chain, one of which is verifying that the signature affixed to the certificate is valid, that is, the hash value computed on the certificate contents matches the value that results from decrypting the signature field using the public component of the issuer. In order to perform this operation, the user must possess the public component of the issuer, either through some integrity-assured channel or by extracting it from another (validated) certificate. The default certificate validation process is exhaustive and runs several checks on the host certificate chain in order to successfully validate it. By enabling this option the user effectively suppresses the default validation done by schannel, and the identity of the host is not verified. The use of this option is not recommended.
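The following PowerShell script is an added example for step 8 (the SSL Cipher Suite Order policy); it is not part of the Z and I Emulator for Windows documentation. It reads the cipher list that the Group Policy setting stores (assumed here to be the `Functions` value under the policy key named in the script, which is where that setting is written) and flags suites an administrator would not want the client to offer, RC4 in particular. If no policy is set, it checks a constructed sample list instead. The script only reads; any change to the policy still needs the reboot the note above describes.

```powershell
# Added example (not part of the Z and I Emulator documentation): inspect the
# cipher suite order stored by the "SSL Cipher Suite Order" Group Policy setting
# and flag suites that should not be offered (RC4, DES/3DES, NULL, export, MD5).
# Assumption: the policy stores a comma-separated list in the "Functions" value
# under the key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ConfiguredCipherOrder {
    # Returns the policy cipher list as an array, or $null if no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.Functions)) { return $null }
    return @($item.Functions.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherOrder {
    param([Parameter(Mandatory)][string[]]$Suites)
    # Substrings that mark a suite as weak; RC4 is the one step 8 is about.
    $weak = 'RC4', 'DES', 'NULL', 'EXPORT', 'MD5'
    $result = foreach ($s in $Suites) {
        $hit = $weak | Where-Object { $s -match $_ } | Select-Object -First 1
        [pscustomobject]@{
            Suite  = $s
            Weak   = [bool]$hit
            Reason = if ($hit) { "contains $hit" } else { '' }
        }
    }
    return $result
}

# Constructed sample list, used only when the machine has no policy value.
$sample = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA'
)

$suites = Get-ConfiguredCipherOrder
if ($null -eq $suites) {
    Write-Host 'No SSL Cipher Suite Order policy found; checking the constructed sample list instead.'
    $suites = $sample
}

$report = Test-CipherOrder -Suites $suites
$report | Format-Table -AutoSize
$bad = @($report | Where-Object Weak)
if ($bad.Count -gt 0) {
    Write-Warning ("{0} weak suite(s) in the offered list: {1}" -f $bad.Count, ($bad.Suite -join ', '))
} else {
    Write-Host 'No weak suites in the offered list.'
}
```

Remember that, as the note above says, this list is only what the client offers; the host still picks the suite, so removing RC4 on the client side protects the session only if the host also accepts a stronger suite.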
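The next script is an added example for the "Send Personal Certificate based on Key Usage" option in step 10; it is not code from Z and I Emulator for Windows. It reproduces the selection rule the text describes: a certificate is eligible when its Enhanced Key Usage extension contains at least one of the configured OIDs; no eligible certificate fails authentication, exactly one is used automatically, and two or more lead to a prompt. It assumes the candidate certificates are in the current user's personal store (`Cert:\CurrentUser\My`), and the OID list is a constructed example (1.3.6.1.5.5.7.3.2 is the standard client-authentication OID).

```powershell
# Added example (not part of the Z and I Emulator documentation): certificate
# selection by Enhanced Key Usage, following the 0 / 1 / 2-or-more rule in step 10.
# Assumptions: candidates come from Cert:\CurrentUser\My; $oids is constructed.

function Get-CertificateEkuOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns the OID strings from the EKU extension, or an empty array if absent.
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Select-ClientCertificateByKeyUsage {
    param(
        [Parameter(Mandatory)][string[]]$RequiredOids,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Candidates
    )
    if (-not $Candidates) {
        # Only certificates with a private key can be used for client authentication.
        $Candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
    }
    $eligible = @($Candidates | Where-Object {
        $certOids = Get-CertificateEkuOids -Certificate $_
        @($certOids | Where-Object { $RequiredOids -contains $_ }).Count -gt 0
    })
    switch ($eligible.Count) {
        0 { throw 'No certificate with a matching Enhanced Key Usage; authentication fails.' }
        1 { return $eligible[0] }   # a single match is used automatically
        default {
            # Two or more matches: the emulator prompts the user; shown here as a console prompt.
            for ($i = 0; $i -lt $eligible.Count; $i++) {
                Write-Host ("[{0}] {1}  (thumbprint {2})" -f $i, $eligible[$i].Subject, $eligible[$i].Thumbprint)
            }
            $choice = [int](Read-Host 'Select certificate index')
            return $eligible[$choice]
        }
    }
}

$oids = @('1.3.6.1.5.5.7.3.2')   # constructed: id-kp-clientAuth only
try {
    $cert = Select-ClientCertificateByKeyUsage -RequiredOids $oids
    Write-Host "Would present: $($cert.Subject)"
} catch {
    Write-Warning $_.Exception.Message
}
```

Running this before enabling the option tells you in advance which of the three outcomes a user will hit, which is useful when an unexpected prompt or a silent failure is reported.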
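The last script is an added example covering step 9 (server name and certificate name match) and the Pass Through Host Certificate Validation note; it is not part of the product. It connects to a Telnet-over-TLS port, captures the host certificate, and then runs the two checks the text describes separately: a chain build with `X509Chain` (signatures, validity period, trust anchor, revocation, which is what schannel does by default and what the Pass Through option suppresses) and an exact match between the configured server name and the certificate's subject CN or DNS Subject Alternative Names. The host name and port are placeholders, and the parsing of the SAN extension's `Format()` output assumes the English `DNS Name=` wording Windows produces.

```powershell
# Added example (not part of the Z and I Emulator documentation): fetch a host
# certificate and run the chain validation and name match that steps 9 and the
# Pass Through note describe. Host name and port are placeholders.
$HostName = 'tn3270.example.invalid'   # placeholder: the Telnet TLS host
$Port     = 992                         # placeholder: port chosen by the server administrator

function Get-HostCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept any certificate in this callback so the handshake completes and we can
    # inspect the certificate ourselves; the real checks are in Test-HostCertificate.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

function Test-HostCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedName
    )
    # 1. Chain validation as schannel performs it by default.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    # 2. Name match: subject CN or any DNS SAN entry must equal the server name exactly.
    $names = @($Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format($true) yields lines such as "DNS Name=host.example" (English locale assumed).
        $names += @($san.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    $nameOk = $names -contains $ExpectedName

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        ChainValid  = $chainOk
        ChainErrors = $chainErrors
        NamesInCert = $names
        NameMatch   = $nameOk
        Accept      = ($chainOk -and $nameOk)
    }
}

$cert = Get-HostCertificate -HostName $HostName -Port $Port
Test-HostCertificate -Certificate $cert -ExpectedName $HostName | Format-List
```

The `ChainErrors` field shows why a chain fails (for example an untrusted root or a revocation check that could not complete); that is the information you lose when Pass Through is enabled, and the fix is to import the missing issuer certificate into the Microsoft Certificate Store rather than to suppress the validation.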