Automation Point

CA Automation Point Tuesday Tip: POODLE Remediation - How to Configure a Secure Session Connection


    Broadcom Employee
    Posted Mar 17, 2015 03:22 PM

    This tip applies to users running AP r11.4.2.0 and AP r11.5.0.0. Patch 1 for each of these releases (r11.4.2.1 and r11.5.0.1) protects you against the POODLE vulnerability.


    Before you apply the AP r11.4.2.1 or AP r11.5.0.1 patch:


    The 3270 Session Settings dialog and the 5250 Session Settings dialog on AP r11.4.2.0 or AP r11.5.0.0 include the option Enable SSL.


    Enable_SSL.png

    Enable_SSL1.png


    Enable SSL: Specifies that you want to connect with the host using SSL (Secure Sockets Layer). The TN5250 server to which you are connecting must have support for SSL enabled in order for this connection to work properly.


    After AP r11.4.2.1 or AP r11.5.0.1 patch is installed:


    • The ‘Poodle SSL vulnerability’ remediation is installed.
    • The Enable SSL option in the 5250 Session Settings dialog and the 3270 Session Settings dialog is removed and replaced with two options, Enable Secure Connection and Allow Compromised Protocols.
    • The corresponding ‘?’ (on-line Help) page is updated to describe the new options.
    • If the Enable SSL option was check marked, the patch installer migrates the setting and check marks the Enable Secure Connection option.

     

     

    5250 Session Settings dialog


    The ‘?’ (on-line Help) page will include these descriptions:

    Enable Secure Connection

    Specifies that you want to connect to the host using TLS (Transport Layer Security). The TN5250 server to which you connect must have support for TLS enabled in order for this connection to work properly.

     

    Allow Compromised Protocols

    Specifies that you want to allow the use of security protocols that have been compromised, for example SSLv3 or SSLv2. You should only select this option if your TN5250 server requires such protocols to successfully form a connection.

     

    Enable_Secure_Connection.png

    The Enable Secure Connection option is unchecked by default.

     

    Check_enable_secure_connection.png


    Check mark Enable Secure Connection to use TLS (Transport Layer Security) for remote host connections.

    Check marking the Enable Secure Connection option also makes the Allow Compromised Protocols option available for selection.

     

    enable_secure_conn_and_allow_compromised_protocols.png

    After upgrading to either of the patches that installs the remediation for the Poodle SSL vulnerability, you may still need one of the vulnerable SSL protocols in order to establish a session with a remote host. This can happen for one of the following reasons:

    • The remote host does not support the TLS protocol.
    • The remote host has not yet been configured to use the TLS protocol for secure connections.

    If this is the case, enable the Allow Compromised Protocols option. Be aware that this re-enables SSLv3, the protocol POODLE exploits, so the session is no longer protected by the patch; treat it as a temporary workaround, and clear the option again once the remote host's TN5250 service has been configured for TLS.

     

    Check mark both:

    • Enable Secure Connection
    • Allow Compromised Protocols

     

    3270 Session Settings dialog

     

    The ‘?’ (on-line Help) page will include these descriptions:

    Enable Secure Connection

    Specifies that you want to connect to the host using TLS (Transport Layer Security).

     

    Allow Compromised Protocols

    Specifies that you want to allow the use of security protocols that have been compromised. For example, SSLv3 or SSLv2. You should only select this option if your TN3270 server requires such protocols to successfully form a connection.

    3270_Enable_Secure_Connection.png

    The Enable Secure Connection option is unchecked by default.

     

     

    3270_Enable_Secure_Connection_Checked.png

    Check mark Enable Secure Connection to use TLS (Transport Layer Security) for remote host connections.

    Check marking the Enable Secure Connection option also makes the Allow Compromised Protocols option available for selection.


    3270_Both_boxes_checked.png

    After upgrading to either of the patches that installs the remediation for the Poodle SSL vulnerability, you may still need one of the vulnerable SSL protocols in order to establish a session with a remote host. This can happen for one of the following reasons:

    • The remote host does not support the TLS protocol.
    • The remote host has not yet been configured to use the TLS protocol for secure connections.

    If this is the case, enable the Allow Compromised Protocols option. Be aware that this re-enables SSLv3, the protocol POODLE exploits, so the session is no longer protected by the patch; treat it as a temporary workaround, and clear the option again once the remote host's TN3270 service has been configured for TLS.

     

    Check mark both:

    • Enable Secure Connection 
    • Allow Compromised Protocols
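
    Both procedures above (the 5250 one and the 3270 one) turn on a single question: can the remote host's TN5250 or TN3270 service negotiate TLS, or does it still only speak SSLv3? The following script is an added example, not part of this tip and not code from CA Automation Point. It sends a minimal ClientHello offering exactly one protocol version at a time to the host and port you supply and reports whether the server answers with a ServerHello (version accepted), an alert (version rejected), or nothing at all. From those answers it tells you whether Enable Secure Connection alone will do, whether you also need Allow Compromised Protocols, and whether the host itself is still POODLE-exposed because it still accepts SSLv3. The host name, the port (for example 992, the IANA telnets port, or whatever your TN server listens on) and the short RSA cipher-suite list are assumptions; the sample server records in the usage note are constructed for illustration.

```python
import socket
import struct
import sys

# TLS record content types and the protocol versions this probe offers.
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# Assumed cipher list: RSA suites that SSLv3 and TLS 1.0-1.2 servers commonly
# accept (AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version, ciphers=CIPHER_SUITES):
    """Return one handshake record carrying a minimal ClientHello for `version`."""
    client_random = bytes(32)                       # constructed fixed random; fine for a probe
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sends back.

    Returns ("accepted", negotiated_version) for a ServerHello,
    ("rejected", alert_description) for an alert record (70 = protocol_version),
    or ("unknown", None) for anything else, including an empty read when the
    server just closes the connection or is not an SSL/TLS listener at all.
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return ("rejected", payload[1])
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == 2:
        (negotiated,) = struct.unpack("!H", payload[4:6])   # ServerHello: type, len(3), version
        return ("accepted", negotiated)
    return ("unknown", None)


def probe(host, port, version_name, timeout=5.0):
    """Offer exactly one protocol version to host:port and report the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(VERSIONS[version_name]))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return parse_server_response(data)


def recommend(results):
    """Map per-version results (name -> (status, detail)) to the two dialog options."""
    tls_ok = any(r[0] == "accepted" for name, r in results.items() if name != "SSLv3")
    ssl3_ok = results.get("SSLv3", ("unknown", None))[0] == "accepted"
    if tls_ok:
        verdict = "Enable Secure Connection only"
        if ssl3_ok:
            verdict += " (server still accepts SSLv3: POODLE-exposed, have the host disable it)"
        return verdict
    if ssl3_ok:
        return "Enable Secure Connection + Allow Compromised Protocols (temporary; host needs TLS)"
    return "No SSL/TLS handshake succeeded; host may be plaintext-only or unreachable"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tn_tls_probe.py <host> <port>")
    host, port = sys.argv[1], int(sys.argv[2])
    results = {}
    for name in VERSIONS:
        results[name] = probe(host, port, name)
        print(f"{name:8s} -> {results[name]}")
    print(recommend(results))
```

    Run it as `python tn_tls_probe.py mainframe.example.com 992` before changing the dialog. A server that answers TLSv1.0 or later with a ServerHello needs only Enable Secure Connection; one that answers only the SSLv3 offer is the case the tip describes, where Allow Compromised Protocols is required until the host is fixed. The probe deliberately offers one version per connection rather than relying on the local OpenSSL build, because modern OpenSSL libraries are usually compiled without SSLv3 and could not tell you whether the far end still accepts it.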