Session security
Host On-Demand V16.0 uses the TLS protocol to provide security for emulator and FTP sessions.
The TLS protocol provides communications privacy across a TCP/IP network. TLS is designed to prevent eavesdropping, message tampering, or message forgery. TLS also provides a framework that allows new cryptographic algorithms to be incorporated easily. Host On-Demand supports encryption of emulation and FTP sessions and server/client authentication according to TLS Protocol Version 1.0.
Support is provided for the following:
- RSA type-4 data encryption on connections between the Host On-Demand clients and Telnet or FTP servers that support TLS version 1.0, 1.1, or 1.2.
- X.509 certificates.
- Bulk encryption algorithms using keys up to 168 bits in length.
- Authentication algorithms using keys up to 2048 bits in length.
- Server and client authentication.
- Support for storage and use of client certificates on the client system.
- Optional prompting of user for client certificate when requested by server.
- Secure session indicators. A lock icon is displayed on the session status bar to indicate to the user that the session is secure. The encryption strength, for example, 64, 128, or 256, is also displayed next to the lock icon and when the mouse hovers over the lock icon.
A graphical Certificate Management utility (available on Windows and AIX platforms) is provided to:
- Create certificate requests
- Receive and store certificates
- Create self-signed certificates
IKEYCMD is a tool, in addition to the Certificate Management utility, that you can use to manage keys, certificates, and certificate requests. IKEYCMD is functionally similar to Certificate Management and is meant to run from the command line without a graphical interface. For more information, refer to Using the IKEYCMD command-line interface.
To support TLS services, Host On-Demand uses six databases:
- HODServerKeyDb.kdb
- You create the HODServerKeyDb.kdb the first time you configure TLS for the Host On-Demand Redirector. This database contains the server's private key and certificate as well as a list of CA (or signer) certificates. These CAs are considered well-known and are trusted by the Host On-Demand server. You can add certificates from other CAs (unknown CAs) and certificates that you create and sign yourself (self-signed) to this database. Refer to The Redirector for more information.
- HODServerKeyStore.jks
- The Redirector can be configured to use the Java Secure Socket Extension (JSSE) instead of GSKit. When configured with JSSE, the Redirector reads its private key and certificates from HODServerKeyStore.jks rather than from HODServerKeyDb.kdb. Refer to The Redirector for more information.
- CustomizedCAs.p12
- The CustomizedCAs.p12 is a PKCS#12 format file that contains the root certificates of unknown CAs and self-signed certificates that are not in the WellKnownTrusted list. The CustomizedCAs.p12 file is used with SSLite, whereas CustomizedCAs.jks is used with JSSE support. If you use a self-signed certificate or a certificate from an unknown certificate authority (CA), you must create or update CustomizedCAs.p12. Host On-Demand does not install a CustomizedCAs.p12 file by default. The function of CustomizedCAs.p12 is to make these certificates available to the client; the client uses them to verify the host's certificate during the TLS handshake.
The CustomizedCAs.p12 file is the preferred replacement for the CustomizedCAs.class file, which you may have created with an earlier release of Host On-Demand. The CustomizedCAs.class file supports Host On-Demand Version 7 and earlier clients, and is located in your publish directory by default. If you are running Windows or AIX, when you upgrade to version 15, the Host On-Demand installation automatically detects the CustomizedCAs.class file, creates the new CustomizedCAs.p12 file, and places it in the publish directory. Both files remain in your publish directory and are available to clients of different versions. If you have a separate user publish directory rather than the default publish directory, the Host On-Demand installation cannot detect the CustomizedCAs.class file, and you need to run the migration tool manually from the command line.
If you create the CustomizedCAs.p12 file for the first time using the Host On-Demand Certificate Management utility (IKEYMAN), you will also want the older CustomizedCAs.class file in your publish directory so that older clients can still operate with the new server. When you subsequently update the CustomizedCAs.p12 file, make sure the changes are also picked up by the CustomizedCAs.class file; otherwise older clients and newer clients will trust different sets of CAs.
On Windows, if these files are in the default publish directory, c:\Program Files\IBM\Host On-Demand\HOD, each time you open IKEYMAN to update the CustomizedCAs.p12 file and then close IKEYMAN, the CustomizedCAs.class file is automatically updated along with the CustomizedCAs.p12 file. If these files are not in the default publish directory, you need to run the reverse-migration tool manually from your publish directory using the following command, typed on one line:
..\hod_jre\jre\bin\java -cp ..\lib\sm.zip; com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class
On AIX, for the CustomizedCAs.class file to pick up the changes you make to the CustomizedCAs.p12 file, you always need to run the reverse-migration tool manually from your publish directory using the following command, typed on one line:
../hod_jre/jre/bin/java -cp ../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class
- CustomizedCAs.class
- The CustomizedCAs.class is a Java class file that contains the certificates of unknown CAs and self-signed certificates that are not in the WellKnownTrusted list. If you use a self-signed certificate or a certificate from an unknown certificate authority (CA), you need to update the CustomizedCAs.class file. Note, however, that you can no longer create or update the CustomizedCAs.class file using the Certificate Management utility on Windows or AIX. In Host On-Demand Version 9 or later, the utility creates only the newer form of this file, CustomizedCAs.p12; the CustomizedCAs.class file is produced from it by the reverse-migration tool described above. All clients still support the older format. For more information, refer to the description of CustomizedCAs.p12 above.
- WellKnownTrustedCAs.class, WellKnownTrustedCAs.p12, and WellKnownTrustedCAs.jks
- The WellKnownTrustedCAs.class, WellKnownTrustedCAs.p12, and WellKnownTrustedCAs.jks are the files supplied by Host On-Demand that contain the public certificates of all the CAs that Host On-Demand trusts. You should not modify these files.
The WellKnownTrustedCAs files (WellKnownTrustedCAs.class, WellKnownTrustedCAs.p12, and WellKnownTrustedCAs.jks), together with the CustomizedCAs files your clients use (CustomizedCAs.p12 and/or CustomizedCAs.class, and CustomizedCAs.jks for JSSE), must be present in the Host On-Demand publish directory. The Host On-Demand client uses these files to verify the server's certificate during the TLS handshake: a server certificate that does not chain to a CA in one of them is rejected.
- CustomizedCAs.jks
- The CustomizedCAs.jks file has a different format from the CustomizedCAs.p12 file, but both files have the same function. You can create a CustomizedCAs.jks file either by converting the existing CustomizedCAs.p12 to JKS format or by creating a new file in this format. For this purpose you can use either the Certificate Management utility that is installed with Host On-Demand or the keytool command-line tool, the Java Key and Certificate Management Tool supplied with the JRE.
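The following Java program is an added example and is not Host On-Demand code. It illustrates two passages above: what the CustomizedCAs.p12 file is for (a server certificate issued by a self-signed or otherwise unknown CA fails the client's trust check until that CA's root certificate is added to the store) and how the JSSE form, CustomizedCAs.jks, is derived from the PKCS#12 file with the same trusted entries. It assumes that the CA root certificate and the Telnet or FTP server certificate have already been exported to PEM files whose paths are given on the command line, that the store password is "hod" (the value the reverse-migration command on this page passes for CustomizedCAs.p12; adjust it if your store uses another), and that the entry label "customca" is an arbitrary choice. Only standard JDK classes are used, so no Host On-Demand library is required.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example, not Host On-Demand code. Builds or updates a CustomizedCAs.p12
 * trust store, shows the effect it has on the client's server-certificate check,
 * and writes the equivalent CustomizedCAs.jks for JSSE-based clients.
 *
 * Usage: java CustomizedCAsDemo <ca-root.pem> <server-cert.pem>
 *   ca-root.pem      the self-signed or unknown CA's root certificate (Base64/PEM or DER)
 *   server-cert.pem  the Telnet or FTP server certificate issued by that CA
 */
public class CustomizedCAsDemo {

    // Assumption: "hod" is the store password, matching the argument the page's
    // CVT2SSLIGHT reverse-migration command passes for CustomizedCAs.p12.
    static final char[] PASSWORD = "hod".toCharArray();

    /** Load a PKCS12 or JKS store from disk, or return an empty store if the file does not exist yet. */
    static KeyStore loadStore(String path, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        File f = new File(path);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) {
                ks.load(in, PASSWORD);
            }
        } else {
            ks.load(null, null);   // initialises an empty store
        }
        return ks;
    }

    /** Read one PEM- or DER-encoded X.509 certificate from a file. */
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static void saveStore(KeyStore ks, String path) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, PASSWORD);
        }
    }

    /** Copy every trusted-certificate entry of a PKCS12 store into a new JKS store
     *  (the same result keytool -importkeystore or the Certificate Management utility produces). */
    static KeyStore convertToJks(KeyStore p12) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        for (String alias : Collections.list(p12.aliases())) {
            if (p12.isCertificateEntry(alias)) {
                jks.setCertificateEntry(alias, p12.getCertificate(alias));
            }
        }
        return jks;
    }

    /** The check a JSSE client makes during the handshake: does the server's chain
     *  lead to a certificate held in the trust store? */
    static boolean serverTrusted(KeyStore trust, X509Certificate[] chain) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // CertificateException for an untrusted chain; some JDKs instead raise a
            // RuntimeException about empty trust anchors when the store holds no certificates.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CustomizedCAsDemo <ca-root.pem> <server-cert.pem>");
            System.exit(2);
        }
        X509Certificate[] chain = { readCert(args[1]) };  // add intermediates here if the server sends any

        KeyStore custom = loadStore("CustomizedCAs.p12", "PKCS12");
        System.out.println("server trusted before adding CA: " + serverTrusted(custom, chain));

        custom.setCertificateEntry("customca", readCert(args[0]));  // "customca" is an arbitrary label
        saveStore(custom, "CustomizedCAs.p12");
        System.out.println("server trusted after adding CA:  " + serverTrusted(custom, chain));

        saveStore(convertToJks(custom), "CustomizedCAs.jks");  // same trust list in the JSSE format
    }
}
```

Run it once in a scratch directory with the two exported certificates; the first check prints false because the unknown CA is not yet in the store, the second prints true, and the resulting CustomizedCAs.p12 and CustomizedCAs.jks can then be copied to the publish directory. The program never writes to WellKnownTrustedCAs files, which, as the page notes, you should not modify.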