IBM Bolsters Security in 5250 Emulators
March 9, 2016 Alex Woodie
IBM took steps to improve the security of its widely used terminal emulation software for the IBM i server with the version 12 release of its Host Access Client Package (HACP). Among the changes in the product, the first major new release in seven years, is more widespread use of the Transport Layer Security (TLS) encryption protocol in both the Java-based Host On-Demand (HOD) and Personal Communications for Windows (PCOMM) products.
On February 26, IBM shipped HACP version 12, which includes HOD version 12 and PCOMM version 12. The bundle is the first full refresh of the HACP package since IBM shipped HACP version 7 way back in 2009. That package included HOD version 11 and PCOMM version 6; PCOMM obviously skipped forward six full releases to version 12, apparently so it has the same release number as HOD and HACP.
In any event, the enhancements in HOD and PCOMM 12 appear, at first glance anyway, to be worth the wait. Chief among them are improved security and the removal of Secure Sockets Layer (SSL) technology by default (although the 5250 file transfer function still uses SSL). SSL is considered obsolete by security experts, owing to a host of vulnerabilities, including some recent ones that can also affect its successor, TLS.
The list of enhancements that IBM brought to HOD and PCOMM 12, as depicted in IBM United States Software Announcement 216-117 (pdf), is extensive. Here are some of the highlights:
Host On-Demand is a browser-based terminal emulator that traditionally uses a three-tier architecture to enable you to log on to your IBM i servers, mainframes, or other host by way of a separate HOD server.
Several security enhancements were made to this release. Among the most important are support for TLS 1.1 and 1.2, and disabling of SSL 3.0 by default (although SSL is still supported for the 5250 file transfer function). IBM is supporting TLS by way of the Java Secure Socket Extension (JSSE) in the HOD Redirector, which serves as a Telnet proxy to provide a barrier between HOD clients and the target Telnet server. The HOD Redirector can now use TLS 1.0, 1.1, or 1.2; TLS 1.2 is the most secure version available until TLS 1.3 ships. IBM has also disabled blank passwords, and improved how encryption keys are managed, including support for “extended key usage.”
The appearance of HOD on your machine will be different now that IBM has adopted the “Java Nimbus” look and feel. IBM has also made changes to how text can be selected, how sessions can be closed, the capability to copy all or part of the green-screen presentation space, and how graphics are printed.
IBM is introducing a new “stand-alone” mode for the HOD client that allows users to configure and access sessions without any dependency on the HOD server. The software can also now run on browsers without Java plug-ins; on Windows 10 machines; and on 64-bit operating systems, where it runs as a 64-bit process.
PCOMM is a Windows-based emulation client that allows users to access IBM i servers, mainframes, and other servers via 5250, 3270, and other emulation protocols.
Among the top security-related enhancements in PCOMM 12 is support for the TLS 1.1 and 1.2 encryption protocols. It also removed SSL version 3 to prevent POODLE attacks, which impacted IBM i customers and ISVs in late 2014. PCOMM 12 also provides mandatory FIPS mode processing to guard against the Bar Mitzvah security vulnerability, which reared its ugly head almost a year ago.
IBM is also shipping the server name indication (SNI) extension to TLS. IBM says this feature enables the PCOMM client to specify the server name in the “Client Hello” request, so the server can provide a certificate corresponding to that server name when more than one server shares a single IP address. PCOMM can also now detect password changes on IBM i hosts and prompts users to update the password.
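The three PCOMM 12 changes above (dropping SSL 3.0, forcing FIPS mode so RC4 cannot be negotiated, and sending SNI in the Client Hello) are all visible in the first message a 5250-over-TLS client sends. The following is an added example, not code from IBM or from the HACP products: it builds a small TLS ClientHello record from constructed values, parses it back, and reports the conditions an administrator would want to catch when auditing emulator traffic to a Telnet/TLS port. The cipher suite numbers and the ClientHello layout are the standard TLS ones; the host name is a made-up placeholder.

```python
"""Parse a TLS ClientHello and flag SSL 3.0, RC4 suites and a missing SNI.

Constructed example: the records are built locally by build_client_hello();
nothing is sent on the network.
"""
import struct

# IANA cipher suite values for RC4 suites, the cipher behind the
# "Bar Mitzvah" weakness (a small, non-exhaustive list).
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
              0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

EXT_SERVER_NAME = 0x0000   # server_name extension type (SNI)


def build_client_hello(version, cipher_suites, server_name=None):
    """Build a minimal TLS record carrying a ClientHello (constructed test data)."""
    body = struct.pack(">H", version) + bytes(32)           # client_version + random (zeros)
    body += b"\x00"                                          # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                      # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack(">H", len(entry)) + entry              # server_name_list
        extensions += struct.pack(">HH", EXT_SERVER_NAME, len(sni)) + sni
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # The record-layer version is conventionally 0x0301 regardless of client_version.
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'client_version', 'cipher_suites', 'sni'} from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                            # skip random
    pos += 1 + body[pos]                                     # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                     # skip compression methods
    sni = None
    if pos + 2 <= len(body):                                 # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + data_len]
            pos += data_len
            if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack(">H", data[3:5])[0]   # list len(2), type(1), len(2)
                sni = data[5:5 + name_len].decode("ascii")
    return {"client_version": client_version, "cipher_suites": suites, "sni": sni}


def audit_client_hello(record):
    """Return a list of findings; an empty list means nothing was flagged."""
    info = parse_client_hello(record)
    findings = []
    v = info["client_version"]
    # Note: a TLS 1.3 client also sets client_version 0x0303 and signals 1.3 in the
    # supported_versions extension, so this check is conservative, never a false alarm.
    if v < 0x0303:
        findings.append(f"client offers {VERSION_NAMES.get(v, hex(v))} (below TLS 1.2)")
    rc4 = [RC4_SUITES[s] for s in info["cipher_suites"] if s in RC4_SUITES]
    if rc4:
        findings.append("RC4 suites offered: " + ", ".join(rc4))
    if info["sni"] is None:
        findings.append("no server_name (SNI) extension")
    return findings


if __name__ == "__main__":
    legacy = build_client_hello(0x0300, [0x0005, 0x002F])            # SSL 3.0, RC4, no SNI
    modern = build_client_hello(0x0303, [0xC02F, 0x009C],
                                server_name="host.example.com")      # placeholder name
    for label, rec in (("legacy client", legacy), ("modern client", modern)):
        print(label, audit_client_hello(rec) or ["ok"])
```

Running the script reports three findings for the legacy hello and none for the modern one. The same `audit_client_hello` function can be pointed at ClientHello records carved from a packet capture of port 992 traffic to see which emulator installs still need the upgrade.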
PCOMM 12 supports the Windows 10 operating system. But IBM removed the “classic private” application data location from the product to align with Microsoft's strategy of keeping application data out of program file paths, the company says.
IBM made some changes to Systems Network Architecture (SNA) network support. While IBM removed the SNA networking software stack from PCOMM when running on a 64-bit Windows computer, clients can still start SNA sessions because the company has merged the Remote API Client with PCOMM. In a corresponding move, IBM is now bundling the Remote API Client with PCOMM 12.
For more information see IBM United States Software Announcement 216-117 (pdf).