5250 Java Applet Security Features

Product: Strategi - BusinessLink/WEB
Modified Date:


The applet provided with BusinessLink/WEB and Strategi provides the highest level of security available, not only through data encryption but also by implementing a multiple-level password and "passphrase" system (for additional encryption security, the passphrase can contain up to 40 characters, such as a complete sentence). All of this is designed to ensure that only the users you want to interact with your iSeries 400 will actually be able to send data to and receive data from it without transaction compromise.

All Java traffic is scrambled (even if SSL is not implemented), so anyone watching the TCP/IP packets will see only random garbage, even between otherwise identical emulation sessions. Once the Java user and passphrase have been accepted, the passphrase is used to further encrypt the data; even someone who has analyzed the applet code will be unable to retrieve the actual data. The strength of the security is directly related to the length of the passphrase used, with at least 20-30 characters recommended; the longer the passphrase, the stronger the security.

This, then, provides a much higher level of security than the 8-10 character passwords commonly used by others. The longer the encryption key, the harder it is to crack the passphrase and, thus, the greater the security. Please note that we're talking here not about an encryption level of 40 to 50 bits, but 40 to 50 bytes.

Secure Sockets Layer
SSL encryption, as described in the network security overview bulletin, controls access to your website HTML pages, and always begins from the homepage. According to Verisign, Inc. (one of the main providers of SSL certification), every page under an SSL-secured website is secured, but only if the URL begins with the domain name of that website. Loading the Java applet from an SSL-secured page adds SSL to the already encrypted data stream, thereby increasing the level of security.

SSL certification cannot be given to IP addresses, as they cannot be verified as being "owned" by a particular domain. For example, if the SSL certification were given to your IP address, and you changed ISPs, or your ISP moved you to a different IP address, the SSL certification for the webserver's previous (external) IP address would immediately become worthless.

However, if a company has invested in a domain name, such as "www.businesslink.com", the company would be unlikely to change it, so it is much more secure to give the SSL certification to the domain name.

Enforcing SSL Security in Loading the Strategi Applet
While you might instruct your customers and employees to access Strategi via SSL-secured "https://", some may at times forget and just use "http://", which does not use SSL; clicking on the "Load Strategi" applet link will load and run Strategi, but not in SSL-secured mode.

There is a way, however, to enforce SSL security in loading the Strategi applet. In /homepage.htm, change "/java.htm" to "https://www.xxxxxxx.com/java.htm". This ensures the Strategi applet-loading page (and, thus, the Strategi applet) is loaded securely through SSL, even if someone types "http://…/homepage.htm" instead of "https://…/homepage.htm".
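
A check for the change described above, as an added example (not code from this bulletin or from the product): it parses a copy of homepage.htm and lists every reference to java.htm that is not an absolute https:// URL. The function names and sample markup are constructed for illustration; www.xxxxxxx.com is the bulletin's own placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

TARGET = "java.htm"              # applet-loading page named in the bulletin
URL_ATTRS = {"href", "src", "action"}

class _LinkCollector(HTMLParser):
    """Collect (line, tag, attr, url) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:   # HTMLParser lower-cases tag and attr names
            if name in URL_ATTRS and value:
                self.found.append((self.getpos()[0], tag, name, value.strip()))

def insecure_applet_links(html, target=TARGET):
    """Return references to `target` that do not force https.
    Relative ("/java.htm"), protocol-relative ("//host/java.htm") and
    "http://" references all stay on plain HTTP when the homepage itself
    was requested over http://, so each one is reported."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, tag, attr, url in collector.found:
        parts = urlsplit(url)
        if posixpath.basename(parts.path).lower() != target:
            continue                # some other page
        if parts.scheme.lower() == "https" and parts.netloc:
            continue                # absolute https:// URL: SSL is enforced
        findings.append((line, tag, attr, url))
    return findings

# Constructed sample of a homepage.htm (not taken from the product).
SAMPLE = """<html><body>
<a href="/java.htm">Load Strategi</a>
<a HREF="http://www.xxxxxxx.com/java.htm?x=1">Load Strategi</a>
<a href="//www.xxxxxxx.com/java.htm">Load Strategi</a>
<a href="https://www.xxxxxxx.com/java.htm">Load Strategi (SSL)</a>
<a href="/help.htm">Help</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in insecure_applet_links(SAMPLE):
        print(f"line {line}: <{tag} {attr}={url!r}> does not force https")
```

An empty result means every java.htm reference in the file already uses an absolute https:// URL.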

** End of Technical Support Bulletin **