Configuring and Using Security for Z and I Emulator for Windows

Z and I Emulator for Windows provides session security using Microsoft CryptoAPI (MSCAPI). This package enables use of the Transport Layer Security (TLS) security protocols.

The configuration information in this chapter usually applies to TLS. See Using Transport Layer Security for more information.

You can display information about the security aspects of your session by clicking Communication → Security Information from the session menu bar. This provides details about the certificates exchanged during TLS negotiations between client and server.

A TLS session is established in the following sequence:
  1. The client and the server exchange hello messages to negotiate the encryption algorithm and hashing function (for message integrity) to be used for the session.
  2. The client requests an X.509 certificate from the server to verify the identity of the server. Optionally, the server can request a certificate from the client (known as Client Authentication).

    The digital signature of the certificate authority (CA) is authenticated using a published root certificate of the issuing CA. The client automatically verifies the signature on the presented certificate using the public key in the CA's root certificate. This step is successful only when the presented certificate was signed using the well-guarded, unique, and corresponding private key, known only to the CA. This process can detect (and reject) intentional alterations (forgeries) and the rare garbling that can occur over data circuits. Z and I Emulator for Windows also allows users to use self-signed certificates for this purpose.

  3. Once the certificate-issuer authentication step succeeds, the client and server negotiate an encryption key to be used during the ensuing data exchange session. The client randomly generates a set of keys to be used for encryption. The keys are encrypted with the server's public key and are securely communicated to the server.

When a secure connection is established, a padlock icon is displayed in the Z and I Emulator for Windows status bar. Depending on the level of encryption, the icon is accompanied by a number (0, 40, 56, 128, 168, 256). If the session is not TLS-based, the icon shows as unlocked.
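To cross-check what the Security Information panel and the padlock number report, the same handshake can be run independently against the host. The following is an added example, not code from Z and I Emulator for Windows: it uses Python's `ssl` module rather than MSCAPI, the function names are hypothetical, the host and port are supplied by the caller, and the sample values in the demo are constructed.

```python
import socket
import ssl


def _flatten(rdns):
    """Turn getpeercert()'s nested name tuples into a flat dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def describe_session(cipher, cert):
    """Summarise a session from SSLSocket.cipher() and SSLSocket.getpeercert()."""
    name, protocol, bits = cipher
    subject_raw = cert.get("subject", ())
    subject = _flatten(subject_raw)
    issuer = _flatten(cert.get("issuer", ()))
    return {
        "verified": True,
        "protocol": protocol,
        "cipher": name,
        "secret_bits": bits,  # compare with the number beside the padlock
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        # Same subject and issuer: the certificate was issued to itself.
        "self_issued": bool(subject_raw) and subject_raw == cert.get("issuer"),
        "not_after": cert.get("notAfter"),
    }


def probe(host, port, timeout=5.0):
    """Perform steps 1-3 against host:port and report the negotiated session."""
    ctx = ssl.create_default_context()  # requires a trusted chain and matching host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return describe_session(tls.cipher(), tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        # Step 2 failed: untrusted issuer, altered certificate, or name mismatch.
        return {"verified": False, "reason": err.verify_message}


if __name__ == "__main__":
    # Constructed sample values in the shapes the ssl module returns.
    sample_cipher = ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)
    sample_cert = {
        "subject": ((("commonName", "host.example.test"),),),
        "issuer": ((("commonName", "Example Test CA"),),),
        "notAfter": "Jun  1 12:00:00 2030 GMT",
    }
    print(describe_session(sample_cipher, sample_cert))
```

A result with `verified` set to `False` corresponds to the rejection described in step 2; a self-signed host certificate produces it unless that certificate has been added to the trust store the client uses.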