How To Configure the SSL Connection with H3270

When connecting with H3270 over SSL there are several authentication options, and the parameters you pass depend on which one you use.

Server Authentication:

In the case of server authentication, there are two ways of connecting:

  1. With server certificate validation:

    additional-params: -xrm ws3270.unlockDelay:false -cafile {path to the server CA file}

  2. Without certificate validation (trusting whatever certificate the host presents):

    additional-params: -xrm ws3270.unlockDelay:false -noverifycert

Communication is encrypted even if you are not verifying the certificate.


Server-Client (Mutual) Authentication:

When using Server-Client Authentication, you need to pass the following parameters:

additional-params: -xrm ws3270.unlockDelay:false -cafile {path to the server CA file} -certfile {path to the client's cert file} -verifycert

For additional configuration details, please refer to the following page: http://x3270.bgp.nu/Unix/s3270-man.html

-accepthostname spec

Specifies a particular hostname to accept when validating the name presented in the host's SSL certificate, instead of comparing to the name or address used to make the connection. spec can either be any, which disables name validation, DNS:hostname, which matches a particular DNS hostname, or IP:address, which matches a particular numeric IPv4 or IPv6 address.

-cadir directory

Specifies a directory containing CA (root) certificates to use when verifying a certificate provided by the host.

-cafile filename

Specifies a PEM-format file containing CA (root) certificates to use when verifying a certificate provided by the host.

-certfile filename

Specifies a file containing a certificate to provide to the host, if requested. The default file type is PEM.

-certfiletype type

Specifies the type of the certificate file specified by -certfile. Type can be pem or asn1.

-chainfile filename

Specifies a certificate chain file in PEM format, containing a certificate to provide to the host if requested, as well as one or more intermediate certificates and the CA certificate used to sign that certificate. If -chainfile is specified, it overrides -certfile.

-keyfile filename

Specifies a file containing the private key for the certificate file (specified via -certfile or -chainfile). The default file type is PEM.

-keyfiletype type

Specifies the type of the private key file specified by -keyfile. Type can be pem or asn1.

-keypasswd type:value

Specifies the password for the private key file, if it is encrypted. The argument can be file:filename, specifying that the password is in a file, or string:string, specifying the password on the command-line directly. If the private key file is encrypted and no -keypasswd option is given, secure connections will not be allowed.

-selfsignedok

When verifying a host SSL certificate, allow it to be self-signed.

-verifycert

For SSL or SSL/TLS connections, verify the host certificate, and do not allow the connection to complete unless it can be validated.

Note that when connecting with SSL you must add the “L:” prefix to the host address, e.g.

host: L:<IP>
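The following is an added example, not part of this page or of the x3270 project: a small Python lint that parses an additional-params line together with the host entry, classifies it as one of the three modes described above (server-validated, encrypted-but-unverified, mutual), and reports the weakening settings a reviewer would look for (-noverifycert, -selfsignedok, -accepthostname any, -keypasswd string:, a missing "L:" prefix, a client certificate with no -keyfile). The option names and their argument shapes are taken from the man page excerpt above; the file paths and host addresses are constructed sample values.

```python
"""Lint an H3270 'additional-params' line (s3270/ws3270 SSL options) and its host entry.

Added example. Option names come from the s3270 man page excerpt on this page;
the paths and addresses used in the sample configurations are constructed.
"""
import shlex

# Options that take one argument, and boolean flags, as listed on the page.
OPTIONS_WITH_ARG = {
    "-xrm", "-accepthostname", "-cadir", "-cafile", "-certfile", "-certfiletype",
    "-chainfile", "-keyfile", "-keyfiletype", "-keypasswd",
}
FLAG_OPTIONS = {"-noverifycert", "-verifycert", "-selfsignedok"}

MODE_UNVERIFIED = "encrypted-unverified"  # -noverifycert: any host certificate is accepted
MODE_SERVER = "server-validated"          # host certificate checked against -cafile / -cadir
MODE_MUTUAL = "mutual"                    # the client also presents -certfile / -chainfile


def parse_additional_params(params):
    """Turn the additional-params string into {option: value}; -xrm may repeat."""
    tokens = shlex.split(params)
    parsed = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTIONS_WITH_ARG:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires an argument")
            if tok == "-xrm":
                parsed.setdefault("-xrm", []).append(tokens[i + 1])
            else:
                parsed[tok] = tokens[i + 1]
            i += 2
        elif tok in FLAG_OPTIONS:
            parsed[tok] = True
            i += 1
        else:
            raise ValueError(f"unrecognised option: {tok}")
    return parsed


def review_ssl_config(host, params):
    """Classify the connection mode and return (mode, findings) for a host/params pair."""
    opts = parse_additional_params(params)
    findings = []

    # The page requires the L: prefix for an SSL session.
    if not host.startswith("L:"):
        findings.append("host lacks the 'L:' prefix, so the session is not an SSL connection")

    if "-noverifycert" in opts and "-verifycert" in opts:
        findings.append("-noverifycert and -verifycert are both set; pick one")

    if "-noverifycert" in opts:
        mode = MODE_UNVERIFIED
        findings.append("host certificate is not validated; traffic is encrypted but the peer is unauthenticated")
    elif "-certfile" in opts or "-chainfile" in opts:
        mode = MODE_MUTUAL
    else:
        mode = MODE_SERVER

    if mode != MODE_UNVERIFIED and "-cafile" not in opts and "-cadir" not in opts:
        findings.append("no -cafile or -cadir; this configuration does not name the CA used to verify the host")

    if mode == MODE_MUTUAL:
        if "-keyfile" not in opts:
            findings.append("no -keyfile; the private key must be inside the -certfile/-chainfile file")
        if "-chainfile" in opts and "-certfile" in opts:
            findings.append("-chainfile overrides -certfile; the -certfile value is ignored")
        if "-verifycert" not in opts:
            findings.append("mutual setup without -verifycert; add it so an unverifiable host certificate fails the connection")

    if "-selfsignedok" in opts:
        findings.append("-selfsignedok accepts a self-signed host certificate")
    if opts.get("-accepthostname") == "any":
        findings.append("-accepthostname any disables certificate name validation")
    if str(opts.get("-keypasswd", "")).startswith("string:"):
        findings.append("-keypasswd string: puts the private-key password on the command line")

    return mode, findings


if __name__ == "__main__":
    # The three configurations from this page, with constructed paths and a sample host.
    samples = [
        ("L:10.0.0.5", "-xrm ws3270.unlockDelay:false -cafile /etc/ssl/mainframe-ca.pem"),
        ("L:10.0.0.5", "-xrm ws3270.unlockDelay:false -noverifycert"),
        ("10.0.0.5", "-xrm ws3270.unlockDelay:false -cafile /etc/ssl/mainframe-ca.pem "
                     "-certfile /etc/ssl/client.pem -verifycert"),
    ]
    for host, params in samples:
        mode, findings = review_ssl_config(host, params)
        print(f"{host}: {mode}")
        for f in findings:
            print("  -", f)
```

Run the file directly to see the verdict for each of the page's three configurations; the third one deliberately omits the "L:" prefix and -keyfile so both findings show up. The parser rejects unknown options instead of skipping them, so a typo such as -noverifycer is caught rather than silently ignored.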