Enable AT-TLS TLSv1 on HostExplorer


Background

The encryption scheme (SSLv3) used by the University of Chicago's mainframe terminal emulator, OpenText HostExplorer, has been reported to be compromised. SSLv3 can potentially be exploited through a vulnerability called Padding Oracle On Downgraded Legacy Encryption (POODLE).

An alternative and more secure encryption protocol, AT-TLS, is now available. All UC mainframe users should switch to AT-TLS as soon as possible. Eventually, SSLv3 will no longer be supported or available.

Note for Macintosh / OS X users:

IT Services does not support tn3270 for Mac OS. However, a secure TN3270 client, the x3270 Terminal Emulator, can be downloaded from SourceForge. You will need to turn on AT-TLS TLSv1 and configure it to connect to port 4992. If FIPS 140-2 Cryptography can be enabled, select this option as well.

Verify Software Level

To begin, HostExplorer must be Version 14 or higher. Look under the Help tab then About to verify the version you are running.
Help Tab in toolbar

If your version is earlier than Version 15, go to the knowledge base article Install and Upgrade OpenText HostExplorer 15 and follow the instructions to download and install Version 15.

Enable AT-TLS

  1. Disconnect from the mainframe.
    Alert! Always disconnect before making changes. If you see the UChicago sign-on screen, you are still connected to the mainframe. Use the "light switch" icon to toggle your connection on and off.
    Light Switch Icon next to Clipboard and Font Icons
  2. Select the Options tab and select Session Properties.
    Options to Session Properties
  3. Expand the Connection folder and select TN3270.
    Expanded Connection Folder
  4. Change the Port value by double-clicking the Host Name field. Tip: Make sure the TCP port value is 4992.
    Edit Host Info
  5. Now, expand the Security folder and select General. Select SSL/TLS under Security Options.
    Set Security Options to SSL/TLS
  6. Next, under the Security folder, select SSL/TLS. Make changes exactly as seen here.
    Note: If the Version window is greyed out, you may need to temporarily un-select Enable FIPS 140-2 Cryptography, make the change, then re-select FIPS.
    Security SSL/TLS Menu
  7. Select OK to accept changes. Tip: Toggle a session by clicking the light switch icon.
    Toggle Session with Light Switch
  8. You are now connected using AT-TLS TLSv1 security.
    ITS Mainframe Sign In
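
To confirm that a reconfigured session really left SSLv3 behind, the first record the server sends back on port 4992 can be read from a packet capture and checked for the protocol version it selected. The following is an added example, not part of the original article or of HostExplorer; the function names and the sample records are constructed for illustration, and it assumes the TLS handshake starts immediately on connect.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def server_hello_version(record: bytes) -> str:
    """Return the protocol version the server selected in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type == 21:
        raise ValueError("server answered with an alert, no version was negotiated")
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    # Handshake header: type (1 byte), length (3 bytes), then server_version (2 bytes).
    if len(body) < 6 or body[0] != 2:
        raise ValueError("first handshake message is not a ServerHello")
    (version,) = struct.unpack("!H", body[4:6])
    # Not handled: TLS 1.3 also writes 0x0303 here and carries the real
    # version in an extension. The setup on this page is TLSv1.
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def uses_sslv3(record: bytes) -> bool:
    """True when the session ended up on SSLv3, the protocol POODLE targets."""
    return server_hello_version(record) == "SSLv3"


def build_sample(version: int) -> bytes:
    """Constructed ServerHello for the demo: zeroed random, empty session ID."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in (("old SSLv3 profile", build_sample(0x0300)),
                       ("AT-TLS TLSv1 profile", build_sample(0x0301))):
        verdict = "still SSLv3, recheck step 6" if uses_sslv3(rec) else "ok"
        print(f"{label}: {server_hello_version(rec)} ({verdict})")
```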