Security Enhancements
- Automatic selection of security protocol
With IBM Personal Communications V16.0, the option to choose the security protocol between TLS 1.2, TLS 1.1 and TLS 1.0 has been removed. With the new implementation, an emulator session attempts the secure connection starting with the highest protocol version, TLS 1.2. If the host does not support that protocol version, negotiation falls back to the next lower version, down to TLS 1.0. This enhancement ensures that an end user is always connected over the highest security protocol supported by the host.
This is true of the PCOMM FTP Client as well. With this release, the PCOMM FTP Client supports TLS 1.2 and TLS 1.1 in addition to TLS 1.0. Support for SSL v3.0 has been discontinued for security reasons.
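Because the V16.0 client now falls back silently from TLS 1.2 down to TLS 1.0, the practical check for an administrator is to find out, before the upgrade, which versions each host actually offers. The following script is an added example, not IBM code: it pins one TLS version per handshake attempt, walks the versions in the order described above, and reports where negotiation would settle. The policy floor of TLS 1.2, the default port 992 (the telnets port commonly used for TN3270 over TLS) and the placeholder host name are assumptions for this example. The `handshake` parameter is injectable so the fallback logic can be exercised without a network.

```python
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Order in which the V16.0 client tries protocol versions, highest first, per the release note.
VERSION_ORDER: List[ssl.TLSVersion] = [
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1,
]

# Policy floor used by this example (an assumption, not a PCOMM setting): a host that
# makes the client settle below TLS 1.2 is flagged so it can be fixed before rollout.
POLICY_MINIMUM = ssl.TLSVersion.TLSv1_2


def handshake_with_version(host: str, port: int, version: ssl.TLSVersion,
                           timeout: float = 5.0) -> bool:
    """Return True if the host completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only version support is probed here; no trust decision is made on the certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        # The local OpenSSL build refuses this version outright (common for TLS 1.0/1.1),
        # so this client cannot tell whether the host offers it.
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def probe_host(host: str, port: int = 992,
               handshake: Callable[[str, int, ssl.TLSVersion], bool] = handshake_with_version) -> Dict:
    """Walk the versions in the client's order and report where negotiation would settle."""
    supported = [v for v in VERSION_ORDER if handshake(host, port, v)]
    negotiated: Optional[ssl.TLSVersion] = supported[0] if supported else None
    return {
        "supported": supported,
        "negotiated": negotiated,
        "meets_policy": negotiated is not None and negotiated >= POLICY_MINIMUM,
    }


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the real host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "tn3270.example.invalid"
    result = probe_host(target)
    print(f"{target}: supported={[v.name for v in result['supported']]} "
          f"negotiated={result['negotiated'].name if result['negotiated'] else None} "
          f"meets_policy={result['meets_policy']}")
```

The probe reflects what the host offers, not what PCOMM itself will do: PCOMM negotiates through Schannel, so a version your OpenSSL build cannot even attempt still has to be judged from the host side. A host reported as `meets_policy=False` is one where the new automatic fallback would land a user on TLS 1.1 or TLS 1.0.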
- Discontinuation of IBM GSKit as the security package
IBM Personal Communications V16.0 provides Microsoft Crypto API (MSCAPI) as the only security package for establishing secure emulator and FTP sessions. Use of IBM GSKit as the cryptographic service provider has been discontinued.
If secure emulator sessions were configured to use IBM GSKit with previous versions of IBM Personal Communications, the personal and CA (signer) certificates must be migrated to the Microsoft certificate store before upgrading to IBM Personal Communications V16.0. Use the Certificate Migration utility from IBM Personal Communications -> Administrative and PD Aids to migrate the certificates from IBM GSKit to MSCAPI.
- Enhancements to HI License Manager
With this release, IBM Personal Communications supports both HTTPS and HTTP connections to the License Manager. In an intranet environment where the License Manager Server is configured with certificates from a local Certificate Authority, the HTTPS connection from the PCOMM client to the License Manager may fail because the client cannot verify the certificates received from the License Manager. The following pcswin.ini keywords have been introduced to ignore such verification failures:
[License]
IgnoreUnknownCA=Y
IgnoreInvalidCertCN=Y
IgnoreCertRevCheck=Y
When IgnoreUnknownCA is set to Y, a certificate from an unknown (untrusted) certificate authority is accepted. This allows PCOMM to send license information even when the License Manager Server presents a certificate issued by an untrusted CA. This setting is recommended only in test environments. The default value of the keyword is N.
When IgnoreInvalidCertCN is set to Y, an invalid common name in a certificate is accepted; that is, the server name specified by the application does not have to match the common name in the certificate. This setting is recommended only in test environments. The default value of the keyword is N.
When IgnoreCertRevCheck is set to Y, certificate revocation problems are ignored. This allows PCOMM to send license information even when it could not verify whether the host certificate is valid or revoked. This setting is recommended only in test environments. The default value of the keyword is N.
Note that these keywords are recommended only in test environments.
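Each of the three keywords disables one part of certificate verification for the License Manager connection, and each defaults to N. Since they are meant for test environments only, the useful control is an audit that flags any deployed pcswin.ini in which one of them is set to Y. The script below is an added example, not part of IBM Personal Communications: it parses the [License] section with Python's standard configparser, applies the documented default of N for any missing keyword, and lists the active bypasses. The sample pcswin.ini fragment is constructed for the example, and the `audit` wording is this example's own.

```python
import configparser
from typing import Dict, List, Tuple

# The [License] keywords from the release note and what each bypasses when set to Y.
BYPASS_KEYWORDS: Dict[str, str] = {
    "IgnoreUnknownCA": "accepts a License Manager certificate from an untrusted CA",
    "IgnoreInvalidCertCN": "accepts a certificate whose common name does not match the server",
    "IgnoreCertRevCheck": "ignores certificate revocation-check failures",
}
DOCUMENTED_DEFAULT = "N"


def license_section(ini_text: str) -> Dict[str, str]:
    """Return the [License] section of a pcswin.ini as a dict of lowercased keys."""
    parser = configparser.ConfigParser(
        interpolation=None,   # INI values are literal; no %(...) expansion
        strict=False,         # tolerate duplicate keys rather than abort the audit
        allow_no_value=True,  # tolerate bare keywords with no '='
        delimiters=("=",),    # ':' may legitimately appear inside values
    )
    parser.read_string(ini_text)
    if not parser.has_section("License"):
        return {}
    return {k: (v or "") for k, v in parser.items("License")}


def enabled_bypasses(ini_text: str) -> List[Tuple[str, str]]:
    """List the verification bypasses that are active (value Y, case-insensitive)."""
    section = license_section(ini_text)
    active = []
    for keyword, effect in BYPASS_KEYWORDS.items():
        # configparser lowercases option names, so look the keyword up in lowercase.
        value = section.get(keyword.lower(), DOCUMENTED_DEFAULT).strip().upper()
        if value == "Y":
            active.append((keyword, effect))
    return active


def audit(ini_text: str) -> str:
    """Human-readable verdict for one client configuration."""
    active = enabled_bypasses(ini_text)
    if not active:
        return "OK: License Manager certificate verification is fully enforced"
    lines = ["WARNING: test-only settings active in [License]:"]
    lines += [f"  {keyword}=Y  -> {effect}" for keyword, effect in active]
    return "\n".join(lines)


# Constructed sample pcswin.ini fragment (not taken from a real installation).
SAMPLE_INI = """\
[Communication]
Model=PCOMM

[License]
IgnoreUnknownCA=Y
IgnoreInvalidCertCN=n
IgnoreCertRevCheck = y
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Run against a file with `audit(open(path, encoding="mbcs").read())` on Windows, or whatever encoding the installation writes pcswin.ini in. A clean production configuration either omits the three keywords or sets them to N; anything the audit reports means the client will send license data to a server whose identity it could not fully verify.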