Using the Gen 8.6 Communications Bridge with SSL/TLS

Products

Gen - Run Time Distributed Gen

Issue/Introduction

This article will describe how SSL can be used with the Gen 8.6 Communications Bridge.

Environment

The Communications Bridge (CB) accepts Client/Proxy/Client Manager requests via TCPIP and then forwards the request to
the server defined in the CN server definition file (IEFCB.srv). The CB cannot create an SSL connection to a Server regardless of the defined protocol (i.e. TCPIP, SNA or ECI).
An SSL connection can be created between a Client/Proxy/Client Manager to the CB by following the steps in the resolution.

Resolution

1. First, you must configure the Client/Proxy communications to use SSL by editing the appropriate configuration
file for each Client/Proxy language:

- C (GUI/C Proxy/COM proxy) - commcfg.ini not using Client Manager

# <TRANCODE> TCP <host> <service/port> <connection_persistence> S <SSL_validation_option>
# connection_persistence: controlled by client runtime
# 'Y' - for persistent connections
# 'N' - for non persistent connections
#
# S: to enable SSL connection
#
# SSL_validation_option: client to ignore or validate server's certificate and HostName.
# 'I' - client ignores server's certificate and HostName valiation.
# 'Y' - client only validates the server's certificate and not to validate HostName
# 'H' - client validates the server's certificate and HostName

- C (GUI/C Proxy/COM proxy) - commcfg.ini using Client Manager
  The steps to configure a Client Manager to use SSL are documented in Gen™ 8.6 > Middleware > Working with the Client Manager > Security in Client Manager

- Java Clients/Proxies - commcfg.properties

# <TRANCODE>=TCP <host> <service/port> {connection_persistence} {secure_connection}
# connection_persistence: optional, controlled by client runtime
# Not Specified - for persistent connection
# 'Y' - for persistent connections
# 'N' - for non persistent connections
# secure_connection: optional, controlled by client runtime
# Not Specified - default is non secure connection
# 'S' - for secured connection

- .NET Clients/Proxies - commcfg.txt

# <TRANCODE>=TCP <host> <service/port> {connection_persistence} {secure_connection} {ssl_validation_option} {tls_version} {thumbprint}
# connection_persistence: optional, controlled by client runtime
# Not Specified - for persistent connection
# 'Y' - for persistent connections
# 'N' - for non persistent connections
# secure_connection: optional, controlled by client runtime
# Not Specified - default is non secure connection
# 'S' - for secured connection
# ssl_validation_option: optional, client to ignore or validate server's certificate.
# Not Specified - client validates the server's certificate and HostName
# 'H' - client validates the server's certificate and HostName
# 'Y' - client only validates the server's certificate and not to validate HostName
# 'I' - client ignores server's certificate and HostName valiation.
# tls_version: optional, client runtime to use specific sslprotocol.
# Not Specified - client to use default sslprotocol based on OS.
# - using specfic sslprotocol, ssl_validation_option need to be specified.
# '0' - client to use SslProtocols.Tls1.0 and above
# '1' - client to use SslProtocols.Tls1.1 and above
# '2' - client to use SslProtocols.Tls1.2 and above
# '3' - client to use SslProtocols.Tls1.3
# thumbprint: optional, certificate thumbprint to identify which client certificate to use for Mutual authentication
# Not Specified - No Mutual Authentication
# Specified - 40-digit hexadecimal string without spaces of the certificate thumbprint

2. Next, you must enable the system hosting the Communications Bridge to accept an SSL connection:

- This will require that you install and configure a software package that enables reverse proxy
  with SSL capability like Stunnel, NGINX or Wingate (various vendors).
- This will enable the PC hosting the Communications Bridge to accept an SSL request from
  the Gen GUI client. The Communications Bridge itself is not involved.