The internal OpenSSL-based model has built-in support for LDAP and OCSP/CRL validation. The two models are
mutually exclusive: if the Microsoft model is selected, OCSP and LDAP support must be provided by user- or
company-supplied plugins to the Microsoft CryptoAPI.
If the internal model is selected, the CryptoAPI and any associated revocation plugins are not used.
At the current time, the X509 Server Validation does not apply to the Globus authentication model. Refer to the Globus
GSSAPI for details.
The Options/OCSP dialog consists of three areas, certificate validity options, certificate acceptance, and OCSP setup.
The server validation model should be selected first, and can be either the Microsoft model or the internal OpenSSL
model. If the Microsoft model is desired, select the "Use Microsoft CRL processing" option. If the internal OpenSSL
model is desired, select the "Use internal CRL processing" option.
The "Enable endpoint identity check" option specifies whether the server's host name will be checked against the server
certificate's Subject Name or Subject Alternative Name fields. If this option is not selected, the host name is not
checked and validity is based on the certificate validity period and the revocation check only. Not selecting this option
is a security risk, as anyone holding a certificate issued by the same trusted CA that issued the host server certificate
could perform a man-in-the-middle attack.
The "Disable CRL processing" option disables the certificate revocation list checks. Selecting this option is a security
risk and should only be used for testing. Internally, all certificate revocation checks are still performed, but any resulting
revocation is ignored. Results of the internal revocation checks are written to the internal log file. The internal log file can be
configured and viewed with the program's Options-Show Log File menu option.
The "Use certificate distribution points" option instructs the internal CRL logic to look for CRL distribution points in the
server certificate and, if present, to try to obtain the revocation information from the URL(s) specified. If the Microsoft
method is selected, the option is passed to the Microsoft CryptoAPI.
The certificate acceptance area allows you to provide a final check of the server certificate, after all the normal checks
such as date, common name (CN) and revocation (CRL) checks have been made, by checking for a pattern in the server
certificate subject line. If this option is selected, normal known_hosts processing is bypassed. The pattern can
be matched against any of the fields contained within the certificate subject line, such as Organizational Unit (OU), Organization
(O), city (L), and state (S). During pattern matching, the certificate subject is processed in the following positional order:
CN=eagle.netterm.com, OU=Systems Development, O=InterSoft International Inc., L=Katy, ST=Texas
The pattern can check any field, or combination of fields, and can contain the normal glob characters "?" and "*". For
example, if you want to check both the O and OU fields, then the following patterns could be used:
*OU=Systems Development**O=InterSoft International Inc.*
OU=Systems Development, O=InterSoft International Inc.
The Microsoft certificate manager (Options-Certificates) can be used to display the contents of a certificate subject if
you are in doubt about the contents and positional order of the fields. The Microsoft certificate manager can also be
opened on the current server certificate with Options-Show Server Certificate if you are connected to the host.
Note that each field is separated by a comma followed by a space.
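As an added illustration (not code from the manual or from SecureNetTerm), the following Python models the acceptance-pattern check on constructed subject lines. It assumes the pattern may match anywhere in the subject line (the reading under which both example patterns above match) and shows why a pattern that omits the CN accepts any certificate the same CA issued to another host in that organization, which matters because known_hosts processing is bypassed when this check is enabled.

```python
import fnmatch

# Constructed subject lines, in the positional order the manual describes.
CONNECTED_HOST = ("CN=eagle.netterm.com, OU=Systems Development, "
                  "O=InterSoft International Inc., L=Katy, ST=Texas")
SAME_ORG_HOST = ("CN=other.netterm.com, OU=Systems Development, "
                 "O=InterSoft International Inc., L=Katy, ST=Texas")
OTHER_ORG_HOST = ("CN=eagle.netterm.com, OU=Support, "
                  "O=Someone Else Ltd., L=Austin, ST=Texas")
ALL_SUBJECTS = [CONNECTED_HOST, SAME_ORG_HOST, OTHER_ORG_HOST]


def subject_fields(subject):
    """Split a ', '-separated subject line into an ordered list of (attribute, value)."""
    pairs = []
    for part in subject.split(", "):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def subject_accepted(subject, pattern):
    """Glob match ('?' and '*') of the acceptance pattern against the subject line.

    Assumption: the pattern may match anywhere in the line, so it is wrapped in '*'.
    fnmatchcase is used so the comparison is case-sensitive on every platform."""
    return fnmatch.fnmatchcase(subject, "*" + pattern + "*")


def accepted_hosts(pattern, subjects):
    """Return the CN of every subject the pattern would accept."""
    return [dict(subject_fields(s))["CN"]
            for s in subjects if subject_accepted(s, pattern)]


if __name__ == "__main__":
    loose = "*OU=Systems Development**O=InterSoft International Inc.*"
    strict = "CN=eagle.netterm.com, OU=Systems Development, O=InterSoft International Inc."
    print("loose pattern accepts:", accepted_hosts(loose, ALL_SUBJECTS))
    print("strict pattern accepts:", accepted_hosts(strict, ALL_SUBJECTS))
```

Pinning the CN in the pattern restores the per-host binding that the bypassed known_hosts check would otherwise have provided.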
The OCSP section enables or disables the internal OCSP client and controls its
operation. If the OCSP client is not desired, select the "Do not use OCSP for certificate validation" option. If the OCSP
client is desired, select whether it should be used to validate all certificates, or only those that contain a valid Authority
Info Access URL within the host certificate itself.
Guide to Using SecureNetTerm
Global Settings 33
The LDAP Servers dialog enables or disables the use of LDAP servers for the retrieval of certificate
revocation information during host server certificate validation. If enabled, the location of these server(s) can be defined by
a URL and the LDAP version to be used. Selection, modification and deletion of the LDAP servers is controlled by the
Add, Edit and Delete pushbuttons. The order of the servers can be changed using the Move Up and Move Down
pushbuttons. The LDAP control information is located in the SecureCommon.ini file and is global in nature.
The OCSP Responders dialog allows for the definition of global responders to query for revocation information. The use
of the responders is controlled by the options specified in the Options/OCSP section. The responders are tried in
sequential order, so place the most used at the top of the list.
Responders are added by entering the responder URL in the URL entry/editing area and pressing the Add button. A
responder currently in the list can be changed by clicking on the URL and pressing the Edit button. Once it has been
changed, press the Add button to place it back in the list. Responders can be deleted by clicking on the URL and
pressing the Delete button. The order of the responders can be changed using the Move Up and Move Down pushbuttons. The
OCSP control information is located in the SecureCommon.ini file and is global in nature.
Globus GSSAPI support is provided for SSH authentication, and is based upon SSL style certificate authentication. This
style of authentication is normally supported only by SSH host servers that have been modified to support Globus related
GSSAPI authentication is based upon a special short-duration "proxy certificate" that is created from a user certificate.
The proxy certificate is passed to the host during the connection process and is used by the host server to grant access.
The proxy certificate can also be used by the host to determine the login userid if it is not specified by the SSH client.
In addition to the host's verification of the user, the GSSAPI specifications require the SSH client to verify the host certificate
presented to the client during the connection process.
GSSAPI authentication requires a user certificate (usercert.pem) and associated certificate private key (userkey.pem)
which is utilized by the SSH client to create the proxy certificate. In addition, the client host certificate verification
requires a copy of the public portion of the CA certificate, which signed the host certificate, and the accompanying
signing policy file.
These four files are normally created for a UNIX-based user and placed within the .globus directory in the user's home
directory. The CA public certificate and accompanying signing policy file follow the naming convention <hash>.0 and
<hash>.signing_policy, where <hash> is a value created by hashing the contents of the CA certificate. These two files
are normally located in the .globus/certificates directory.
The four files should be copied from the UNIX host and placed within a corresponding directory structure on the user's
Windows workstation. The selected location of the files can then be specified in the Global Settings-Globus GSSAPI
Configuration panel. The location of the temporary proxy certificate can be left blank, which allows the proxy
generating process to place it in a user-specific temporary directory. Once a temporary proxy certificate has been created,
the location of the resulting certificate is shown in the configuration panel.
The Globus GSSAPI also supports placing the user certificate, with its corresponding private key, as well as the
public portion of the CA certificate, within the Microsoft browser certificate store. Many organizations in
fact issue the user certificate directly to the Microsoft browser, along with their CA certificate. If the certificates are
currently located in the Microsoft browser certificate store, you can select the "User certificate is located in:
Browser" option located in the global Globus GSSAPI Configuration dialog. The only remaining file needed is the
CA certificate signing_policy, which must be located in the directory specified by the "Trusted Certificate Directory".
The required signing_policy file is often listed on the web page of the organization responsible for the host you are connecting
to, and can be downloaded from that location to the Windows workstation.
The generation of these four files is beyond the scope of this document. Please direct your inquiries about the creation and
location of these files to the authority responsible for the host you are trying to connect to.
CA Signing Policy File
Certificates bind a string (called a Distinguished Name) to a public key, together with some other data. The
Distinguished Name (DN) is arranged hierarchically, much like a filesystem's directories and files are laid out.
Globus requires that CA certificates are accompanied by a signing policy, which specifies what subset of the CA
Distinguished Name must be present in the host certificate. The contents of a typical signing policy follow:
# EACL 1
access_id_CA X509 '/O=Grid/OU=ThaiGrid/CN=ThaiGrid CA'
pos_rights globus CA:sign
cond_subjects globus '"/O=Grid/OU=ThaiGrid/*"'
The 'access_id_CA X509' line is the printable contents of the CA certificate Distinguished Name. The Distinguished
Name may contain an email address, which would appear as Email=myEmail@abc.com.
Normally, this would be at the end of the line, such as:
The attribute name "Email" depends on the version of Globus (or, more precisely, the version of OpenSSL used by
Globus) that was current when the signing policy was created. On later versions of OpenSSL, the attribute "Email"
appears as "emailAddress".
The Windows version of Globus GSSAPI uses the latest version of OpenSSL, so whenever the Distinguished Name is
converted to printable format, the "emailAddress" attribute name results. If the signing policy file contains the attribute
"Email", the host certificate will be rejected.
This is easily corrected by changing all references of "Email" to "emailAddress" in the signing policy file located on the
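An added example, not from the manual or from Globus: a Python parser for the signing policy format shown above, which reproduces the Email/emailAddress mismatch on a constructed policy and applies the correction just described. The CA e-mail address, the host DN and the ca@example.com value are constructed; the parsing of the three directive types follows the sample policy above.

```python
import fnmatch
import shlex

# Constructed signing policy written by an older Globus, whose OpenSSL printed
# the CA's e-mail attribute as "Email=".
OLD_POLICY = """# EACL 1
access_id_CA X509 '/O=Grid/OU=ThaiGrid/CN=ThaiGrid CA/Email=ca@example.com'
pos_rights globus CA:sign
cond_subjects globus '"/O=Grid/OU=ThaiGrid/*"'
"""

# The same CA DN as a current OpenSSL prints it (constructed).
CA_DN_AS_PRINTED = "/O=Grid/OU=ThaiGrid/CN=ThaiGrid CA/emailAddress=ca@example.com"


def parse_signing_policy(text):
    """Parse the access_id_CA, pos_rights and cond_subjects directives."""
    policy = {"ca_dn": None, "rights": [], "cond_subjects": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # removes the single quotes around DNs
        if tokens[0] == "access_id_CA" and tokens[1] == "X509":
            policy["ca_dn"] = tokens[2]
        elif tokens[0] == "pos_rights" and tokens[1] == "globus":
            policy["rights"].extend(tokens[2:])
        elif tokens[0] == "cond_subjects" and tokens[1] == "globus":
            # the value is a double-quoted list of globs inside the single quotes
            policy["cond_subjects"].extend(shlex.split(tokens[2]))
    return policy


def fix_email_attribute(text):
    """The correction described above: rename every Email= attribute to emailAddress=."""
    return text.replace("/Email=", "/emailAddress=")


def policy_applies_to_ca(policy, ca_dn_printed):
    """The policy is only used when access_id_CA equals the CA DN as printed."""
    return policy["ca_dn"] == ca_dn_printed


def host_cert_accepted(policy, ca_dn_printed, host_dn):
    """Accept a host certificate only if the policy names this CA, the CA may
    sign, and the host DN falls under one of the cond_subjects globs."""
    if not policy_applies_to_ca(policy, ca_dn_printed):
        return False
    if "CA:sign" not in policy["rights"]:
        return False
    return any(fnmatch.fnmatchcase(host_dn, g) for g in policy["cond_subjects"])


if __name__ == "__main__":
    host = "/O=Grid/OU=ThaiGrid/CN=host/ssh.example.org"
    old = parse_signing_policy(OLD_POLICY)
    fixed = parse_signing_policy(fix_email_attribute(OLD_POLICY))
    print("old policy accepts host:", host_cert_accepted(old, CA_DN_AS_PRINTED, host))
    print("fixed policy accepts host:", host_cert_accepted(fixed, CA_DN_AS_PRINTED, host))
```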
The Proxy Management panel displays the current proxy certificate, if any, and allows for the creation of a new proxy
certificate. The key size of the new certificate and the length of time the certificate is valid can be specified.
Import Certificate Files
The Import Certificate Files panel controls a specialized utility designed to import OpenSSL style certificate files to the
Microsoft certificate store. Although mainly used for Globus GSSAPI support, this utility may be used to import any
RSA based certificate files to the certificate store.
Site Profile Manager
The Site Profile Manager is composed of a site tree on the left side, containing site profiles and optional folders in which site profiles can
be placed, and a detailed site profile on the right side. Note that the term "site" refers to an individual
host that can be connected to.
Each folder may contain multiple sites, each of which contains all the necessary information about how to connect to a single host
and any necessary security control information and options. Each site profile must have a unique name within a specific
folder. When a new host is added, you should select the desired folder in which it should be placed, and a current host
within that folder that most resembles the characteristics of the new host. Then press the “New Site” button on the lower
left portion of the Site Profile Manager window. This will create a new site profile containing default values. The new
site profile can now be customized as required. If the Shift key is held down when "New Site" is pressed, the
contents of the selected host will be duplicated in the new site profile. This is a quick way to generate a new site profile
for hosts with similar information. You can also move folders and sites by dragging a site from one folder to another.
A site profile (the right side of the Site Profile Manager) allows you to enter the information required to connect and
communicate with the host. The “Profile Description”, located at the top, allows you to enter descriptive information
about the host, to help you remember the purpose and function of the host. The “Host” name can either be an IP address
or a fully qualified network host name. The “Port” defines the host port to connect to and is dependent upon the
connection type. The "Connection Type" list box defines what kind of server software you are using on the host. The
“Interface Type” list box defines how you connect to the host, and in most cases it will be "Network". The "Modem"
option is for those sites which are dialed directly by SecureNetTerm. This does not refer to a modem connection established
by the Microsoft OS to your Internet Provider.
The "Exclude from firewall" option exempts this host from the use of a global firewall. This is useful for those installations
where the majority of sites require the use of a firewall, so one is defined in the global options. For those
hosts that do not require the use of the global firewall, selecting this option bypasses the firewall processing.
The "Default Site" option allows you to select the site profile which should be selected by the site manager each time the
Site Profile Manager is started.
The "User" and "Password" text areas are optional, and are used to supply the host with your userid and password. If
these are not supplied, and they are required by the host for the login process, SecureNetTerm will request them during
the connection process.
If you place a password in the profile, it is saved in the SecureCommon.xml file; however, this violates most
company security policies and should not be used if your company has such a policy. If a password is not saved,
SecureNetTerm will request it when needed. Passwords saved to the SecureCommon.xml file are encrypted with a very
simple encryption method and should NOT be considered secure.
For telnet-based hosts which require a script for logging in, the "Login Script" text area allows you to specify the script
file to be used. Refer to the section on ActiveX scripting for script details.
The "Mapping File" text area allows for the definition of a language translation file. See the section on language
considerations for more detailed information.
The import tools allow you to import selected items from your NetTerm or SecureNetTerm version 5.4.3 and previous
control files. NetTerm maintains its global data and phonebook in the netterm.ini file. SecureNetTerm maintains its
global data and phonebook in the netterm2.ini file. The Import Globals tool imports items of global nature from these
files. The Import Phonebook tool will import sites (hosts) from these files and place them in the current Site Profile
Manager .xml file. Note that you must select the 'Save and Exit' or 'Connect' option when you exit the Site Profile
Manager to make the import permanent.
Site File Management
The Site File Management tools allow you to import/export selected folders from the current Site Profile Manager .xml
file. The high-level folder to be exported should first be selected (highlighted) in the folder/site tree. The export tool
will save all folders/sites that are a "child" of the selected folder to the file that you specify. Note that the purpose of these
tools is not for backup. They are designed to allow selected folders of your site management files be exchanged with
In addition to these tools, you can specify the Site Profile Manager .xml file to use on the command line or change the
global Site Profile Manager .xml file in the registry.
SecureNetTerm, as well as SecureFTP, has the ability to share a common Site Profile Manager .xml file. Profiles within
that file can be (1) SecureFTP only, (2) SecureNetTerm only, or (3) dual use. The dual use function allows a single
site profile to contain common information about a single host which can be used by both programs. Dual use profiles
should only be used when needed, since both the size of the .xml file and the load time of the Site
Profile Manager are affected. Profiles which are only used for FTP access should be declared as SecureFTP style profiles. The same
holds true for hosts which are only accessed by SecureNetTerm.
Advanced Host Settings
The Desktop dialog allows you to control host-dependent display information such as the number of rows and
the number of columns displayed. Most terminals have 24 rows by 80 columns in normal mode and 24 rows by 132 columns in
report mode. However, some host applications need more, so you are given a choice. All this really controls
is the screen model for those applications which create menus and expect a defined number of lines. Most
applications simply write lines, so the screen scrolls whenever the maximum number of lines has been displayed.
The same is true for the maximum number of columns which can be displayed.
SecureNetTerm supports the NAWS option, which allows the terminal to send the current number of rows/columns
to the host. This option is defined in RFC-1073 and is supported by most Telnet and SSH servers. When used in
conjunction with the desktop number of rows/columns option, larger screen sizes can be obtained. Refer to the 'resize'
command on your UNIX host for additional information on the use of larger screen sizes.
The return sends, line control, and scroll-back options further allow you to enhance the display. The 'return sends' option
determines the type of end-of-line sequence to send to the host. Local echo determines how characters typed locally are
treated. If characters typed on the local keyboard do not appear on the screen, it probably means that you need to select
this option. The auto-wrap option controls what happens whenever a line sent from the host exceeds the number of
columns you have selected. If auto-wrap is on, any characters received after the maximum has been exceeded are
displayed on the next line. If it is off, each character received after the maximum has been reached is displayed in
the last column.
The 'Time Format' option controls what is displayed in the time field on the status bar. The options are elapsed time,
current time, or the current row/column location of the cursor.
The option to turn off the blinking cursor should be used with caution. The cursor is common to all Windows
applications, so if you turn off blinking within SecureNetTerm, it will turn off blinking in all applications. The option
will be valid only when SecureNetTerm is connected. The cursor blinking rate will be set to its original value when
SecureNetTerm is not connected. The preferred method to set the cursor blinking rate is within the Microsoft control
The “Enable UTF-8 host character encoding” option turns on host UTF-8 support. This option can be used if your UNIX
host supports UTF-8 and it has been enabled for your login profile. If the UNIX command:
results in a reply of UTF-8, then it is enabled.
UTF-8, when used with a sufficiently populated monospaced font (such as Andale Mono, Everson Mono Unicode or
Courier New) can display text in many languages and writing systems within the same screen. The “UTF-8 and Unicode
FAQ for Unix-Linux” by Markus Kuhn is an excellent source of information on UTF-8.
The scroll-back option allows you to define the number of lines that are kept in the scroll-back buffer. As lines get
scrolled off the screen, they are transferred to this buffer, up to a maximum of 32,767 lines. The vertical scroll bar will
use the number of lines contained within the scroll-back buffer to control the relative position of the scroll button.
The scroll slow option allows you to set the rate at which lines are placed on the screen. If this option is not selected,
lines sent by the host are placed on the screen at the fastest possible rate. If the option is selected, you should enter
the rate (in milliseconds) at which the lines should appear on the screen. The default rate is 100 milliseconds.
The 'Answer Back' option provides a method to identify your terminal to the host system. The contents of this text field
will be sent to the host when it is requested.
The 'Terminal Type' field allows you to override the terminal identification string sent to the host when requested. If this
field is defined, it will override the default terminal type information associated with the emulation selected. For
example, if VT220 emulation is selected in the Site Manager for a host, SecureNetTerm will send the string “vt220” as
the terminal type. If you set the ‘Terminal Type’ field to “vt200”, that value will be sent instead of “vt220”.
The Window Sizing dialog provides for the selection of how SecureNetTerm should handle the sizing of the window by
the user, or by the host.
When the window is sized by the user, by grabbing a portion of the window with the mouse and dragging it to increase
or decrease its size, you can (1) change the number of rows/columns and keep the font size constant, or (2) change the
font size and keep the number of rows/columns the same. Selection two is the preferred method.
When the window is sized by the host, such as when switching from 80 columns to 132-column report mode, SecureNetTerm
offers three methods to deal with the window size. The first is to keep the same font and font size and employ horizontal
scrolling; the window size remains the same. The second is to keep the same font and font size, but change the window size
to match the additional columns. The third, and preferred, method is to keep the same window size, not use
horizontal scrolling, and scale the font to the current window size. This method has one additional option to maximize the
number of rows displayed.
QuickButtons provide a quick and easy way to send keystrokes to the host using the mouse. The buttons are located
directly below the toolbar and can contain up to four sets of eight buttons. The normal QuickButton bar displays one set of
eight buttons. The active set can be selected by a mouse click on the "Change QuickButton Set" icon located to the left
of the buttons. Each mouse click selects the next sequential set. If desired, all four sets can be displayed at the same
time by selecting View-Use QuickButton Pad. The QuickButtons can be enabled/disabled on a global basis within
the View menu.
Each button can be defined with a button label and up to 255 characters which can be sent to the host system when
pressed. Control characters such as carriage return can be a part of the string and follow the same conventions as
defining keys within the keyboard dialog box. An example of the use of QuickButtons to perform several commands is:
cd test^Mls -l^M
QuickButtons also support URLs, menu items, and starting other Windows programs, providing a quick and easy way to
access commonly used menu items, run programs, and control a complex program startup on the host.
If an HTML-style URL is detected, SecureNetTerm starts the user's preferred browser and passes it the URL. This is a
very powerful feature, allowing unique uses of SecureNetTerm with a browser. For example, you could use this feature
to start an ftp request to the host: