As part of IBM Host Access Client Package v13, a few changes were implemented in the area of security. These changes are elaborated below:
With this implementation, secured sessions no longer have a selection box for choosing the TLS protocol. The protocol is automatically selected as TLS 1.2, which is the highest supported level. If the host does not support TLS 1.2, the connection falls back to TLS 1.1 if the host is configured for it, and otherwise falls back again to TLS 1.0.
All types of secured connection for 5250/3270/FTP are affected by this change and always connect with the highest supported TLS protocol. Before this implementation, FTP sessions could not connect with the TLS protocol. With this change, FTP too can use the highest supported TLS protocol. The protocol level actually negotiated can be checked from the FTP trace data. This ensures that a secured connection always works if any one of the protocol levels is supported by the host.
The reason for making these changes is that selecting the security protocol is not something the user should need to worry about; it always depends on the protocol configured on the host. This selection has therefore been removed from the session properties, so that any connection always uses the highest enabled protocol.
2. Discontinuation of IBM GSKit as the security package
With this implementation, PCOMM no longer supports GSKit-based secured connections. Users can create secured connections only with MSCAPI, which uses the browser certificate store.
As a result of this change, a fresh install of PCOMM no longer installs the certificate manager and the GSKit package on the system. When PCOMM is migrated from a previous version, the previously installed certificate manager and GSKit remain on the system but are never used by PCOMM. Certificates created in the previous version must be migrated to the browser store by the user with the “Certificate migration utility” before performing the PCOMM upgrade. This change affects all types of sessions: 3270, 5250 and FTP.
The impact on the UI is that the GSKit option under the Security tab in session properties is removed; only the MSCAPI option is present, and it is always selected.
Support for the GSKit security package is removed on Windows OS; on non-Windows OS, HOD will continue to install and support GSKit. This change applies irrespective of whether the Windows OS is 32-bit or 64-bit.
The impact on the Windows HOD setup is that GSKit is no longer installed as part of HOD, so the GSKit-based redirector is no longer supported. The alternative is to use the JSSE redirector.
By default, the JSSE redirector is used irrespective of the OS on which HOD is installed. On Windows OS the useJSSE=true entry in redir.properties ceases to have any effect after these changes; on non-Windows OS, if the user chooses to use the GSKit redirector, the entry useJSSE=false should be added to redir.properties.
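As an added example (not part of the original article or of HOD itself), the following Python reads a redir.properties file and reports which redirector would be in effect under the rule above, flagging a useJSSE=false entry that is silently ignored on Windows. It assumes redir.properties uses the standard Java properties format; the sample file content is constructed.

```python
import io
import re

# Constructed sample redir.properties content (not a real HOD file);
# the key name useJSSE and its true/false values are the ones named in the text.
SAMPLE_REDIR_PROPERTIES = """\
# Redirector settings (constructed example)
ListenPort=8999
useJSSE=false
"""

def parse_properties(text):
    """Parse Java-style .properties text (assumed format of redir.properties):
    '#' or '!' start a comment, '=' or ':' separates key and value."""
    props = {}
    for line in io.StringIO(text):
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def effective_redirector(props, is_windows):
    """Return (redirector, warning) following the rule in the text:
    JSSE is the default everywhere; on Windows useJSSE is ignored because
    GSKit is no longer installed; on non-Windows, useJSSE=false selects GSKit."""
    value = props.get("useJSSE", "").strip().lower()
    if is_windows:
        warning = None
        if value == "false":
            warning = "useJSSE=false has no effect on Windows: GSKit is no longer installed"
        return "JSSE", warning
    if value == "false":
        return "GSKit", None
    return "JSSE", None

def check_file(text, is_windows):
    """Parse the properties text and report the effective redirector for the OS."""
    return effective_redirector(parse_properties(text), is_windows)

if __name__ == "__main__":
    for os_is_windows in (True, False):
        print("windows" if os_is_windows else "non-windows",
              check_file(SAMPLE_REDIR_PROPERTIES, os_is_windows))
```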
2. 100% TLS compliance
With this implementation, all secured sessions support JSSE connections. By default, secured sessions connect through JSSE. The TLS protocol level is selected by the user and the connection is made accordingly; however, if the host does not support the selected protocol, the connection falls back to a lower level of TLS protocol.
This change affects all types of sessions: 3270, 5250 and FTP. Under the TLS/SSL tab in session properties there is a radio button for JSSE, which is set to Yes by default; the user has the option to change it to No. FTP sessions did not support JSSE before this implementation, but with this change it is possible, and even client authentication and the key usage bit can be used by FTP-based users.
The reason for this change is to make sure that the user always connects with the highest level of security protocol, which is achieved through the JSSE connection. With SSLite, connections use only TLS 1.0.
Senior Test Lead