Connection Policy
The KCML7 Connection Manager can configure how clients running KClient 6.90 (or later) connect to the server. Connection properties include:
Policies can be defined globally or for a specific service. Global policies only have an effect on services that do not define their own policy.
Connection Broker
The connection broker is a utility which allows KClient and KCML to be used over an unreliable network. When the network link is broken the broker will seamlessly restore the connection once the link is back up. Additionally a mobile device can use a broker-protected connection to enable it to be suspended to save battery power without having to restart a KCML application.
In operation there are two connection brokers, one at the server end and one at the client end. The brokers act as proxies with KClient & KCML remaining unaware of any network disconnections. A server broker process runs for each session which is executed, along with KCML, by the Connection Manager. The client broker functionality is built into KClient and needs no additional installation.
In a typical connection scenario KClient initiates the connection through its internal broker. That broker connects to the Connection Manager, which authenticates the client and then executes the server broker and kcml together; the two processes are connected via a local socket. Each session is given a unique session ID, and each client computer also has a persistent unique ID. If the network connection is then broken and, say, KClient attempts to send data to KCML, the socket send fails. KClient's broker reconnects to the Connection Manager, which passes the request on to the server broker. Once this succeeds the server broker uses the session ID to restore the original connection and resends any data lost while the connection was broken. Because the session ID is what allows a reconnecting client to reclaim a live session, it should be treated as a secret: generated so that it cannot be guessed and never exposed outside the connection it belongs to.
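The reconnect-and-resend behaviour described above, as an added illustrative model (not KCML or KClient code): a client-end broker keeps every message until the server-end broker has acknowledged it, a broken link leaves messages queued, and after reconnecting by session ID the client replays them while the server discards anything it has already delivered. The sequence numbers, cumulative acknowledgements, the binding of a resume to the persistent client ID and the use of a CSPRNG for the session ID are assumptions about how such a broker should behave, not documented KCML behaviour; the session data and the client ID "pc-0042" are constructed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class LinkDown(Exception):
    """Raised by the simulated network when the link is broken."""


@dataclass
class ServerBroker:
    """Server-end broker for one session (one exists per KCML session)."""
    session_id: str
    client_id: str
    delivered: list = field(default_factory=list)  # what "KCML" has received, in order
    next_expected: int = 0                         # next sequence number accepted

    def deliver(self, seq: int, payload: bytes) -> int:
        # In-order data is passed on to KCML; a message replayed after a reconnect
        # is acknowledged again but not delivered twice.
        if seq == self.next_expected:
            self.delivered.append(payload)
            self.next_expected += 1
        return self.next_expected  # cumulative ACK: everything below this arrived


class ConnectionManager:
    """Issues session IDs and routes (re)connections to the right server broker."""

    def __init__(self) -> None:
        self.sessions: dict[str, ServerBroker] = {}

    def new_session(self, client_id: str) -> str:
        # The session ID alone lets a client reclaim a session later, so it is
        # drawn from a CSPRNG rather than a counter (assumption, not documented).
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = ServerBroker(session_id, client_id)
        return session_id

    def resume(self, session_id: str, client_id: str) -> ServerBroker:
        broker = self.sessions.get(session_id)
        # Tying the resume to the persistent client ID is an assumed hardening step.
        if broker is None or broker.client_id != client_id:
            raise PermissionError("unknown session, or session belongs to another client")
        return broker


class ClientBroker:
    """Client-end broker (built into KClient): buffers unacknowledged sends."""

    def __init__(self, cm: ConnectionManager, client_id: str) -> None:
        self.cm = cm
        self.client_id = client_id
        self.session_id = cm.new_session(client_id)
        self.link_up = True
        self.drop_next_ack = False          # simulate "data arrived, ACK lost"
        self.next_seq = 0
        self.unacked: dict[int, bytes] = {}  # seq -> payload awaiting cumulative ACK

    def send(self, payload: bytes) -> bool:
        """Send one message; True if acknowledged now, False if it is queued."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.unacked[seq] = payload
        try:
            self._transmit(seq, payload)
            return True
        except LinkDown:
            return False  # kept in self.unacked until the link is back

    def link_restored(self) -> int:
        """Reconnect with the session ID and resend everything not yet acknowledged."""
        self.link_up = True
        for seq in sorted(self.unacked):
            self._transmit(seq, self.unacked[seq])
        return len(self.unacked)  # 0 once the server has acknowledged everything

    def _transmit(self, seq: int, payload: bytes) -> None:
        if not self.link_up:
            raise LinkDown
        broker = self.cm.resume(self.session_id, self.client_id)
        acked_up_to = broker.deliver(seq, payload)
        if self.drop_next_ack:
            self.drop_next_ack = False
            self.link_up = False
            raise LinkDown  # the data got there but the ACK never came back
        for s in [s for s in self.unacked if s < acked_up_to]:
            del self.unacked[s]


def can_resume(cm: ConnectionManager, session_id: str, client_id: str) -> bool:
    """True if the Connection Manager would hand this session to this client."""
    try:
        cm.resume(session_id, client_id)
        return True
    except PermissionError:
        return False


def simulate_outage() -> dict:
    """Constructed scenario: link drops mid-session, then an ACK is lost after restore."""
    cm = ConnectionManager()
    client = ClientBroker(cm, client_id="pc-0042")      # persistent client ID (constructed)
    sent_ok = [client.send(b"SELECT * FROM stock"), client.send(b"page 2")]
    client.link_up = False                              # the network breaks
    queued = [client.send(b"page 3"), client.send(b"page 4")]  # both fail, both kept
    left_after_restore = client.link_restored()         # reconnect by session ID, replay
    client.drop_next_ack = True                         # next message arrives, ACK is lost
    ack_lost = client.send(b"page 5")
    left_after_second_restore = client.link_restored()  # replay is recognised as a duplicate
    return {
        "delivered": cm.sessions[client.session_id].delivered,
        "sent_ok": sent_ok, "queued": queued, "ack_lost": ack_lost,
        "unacked_after_restores": (left_after_restore, left_after_second_restore),
    }
```

The second half of the scenario is the case that matters for correctness: a message can reach KCML without the client ever seeing the acknowledgement, so a resend must be safe, which is why the server-end broker keys delivery on sequence numbers rather than trusting that a replayed message is new.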
Network Encryption
The network traffic between KClient & KCML can be encrypted using SSL/TLS. KClient 7.16 or later will use at least TLS 1.1 instead of the less secure SSL V3 protocol used by older versions of KClient.
Six values are accepted; Session, Authentication and Allow none are described in more detail below.
Value | Description |
---|---|
none | Plain text |
allow none | SSL encrypt authentication if the client is capable, otherwise fall back to clear text |
authentication | SSL encrypt authentication; the session is clear text |
session | SSL encrypt authentication & session; if the client cannot do SSL then error |
check-cert | Use SSL encryption if the client is capable and can check the certificate |
must-check-cert | KClient must use SSL encryption and check the certificate |
Session
This is the most secure of the three levels described here and is suitable for protecting data sent over an unsecured network. Authentication information, typically a username & password, and application data are both transmitted using SSL/TLS. The Connection Manager will not allow versions of KClient that do not support SSL negotiation to connect.
Authentication
An intermediate level of security that encrypts the authentication information. Application data is not encrypted. The Connection Manager will not allow versions of KClient that do not support SSL negotiation to connect.
Allow none
Authentication information is encrypted if SSL negotiation is supported by KClient. However, unlike Session & Authentication, the Connection Manager will allow older KClients to authenticate without encryption. This low level of security can be useful when performing a phased upgrade of many KClient terminals, but it should be treated as transitional: because the fallback is decided by what the connecting client is able (or claims) to do, it gives no protection against a client, or anything posing as one, that simply declines SSL.
For all levels of encryption, an SSL certificate will be required. If the filename of the certificate is a relative pathname, the certificate is assumed to exist in the KCML directory.
The KCML 7.17 Connection Manager can also mandate the minimum SSL protocol.
However, this is only recommended if all client machines connecting to the server are running KClient 7.16 or later on Windows 7 or Windows Server 2008 R2 or later as older versions of KClient & Windows may not support the encryption cipher that has been mandated.
This is set in /etc/kcml/kcml.conf. For example:

    # Use TLS/1.1 or better.
    # Requires all client machines to be running KClient 7.16 on Windows 7 or Windows Server 2008 R2.
    [SSL]
    MinProtocol=TLSv1_1
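The two Connection Manager settings described above, the encryption level table and the MinProtocol entry in kcml.conf, as one added example that is not part of KCML or the page: a policy function that applies each of the six levels to a client's capabilities (refusing the connection where the table says "error") and a helper that reads the [SSL] section of a kcml.conf-style file and builds a server-side TLS context with the matching floor using Python's ssl module. The function names, the "tls"/"clear" outcome labels, the TLSv1_2 and TLSv1_3 value names (only TLSv1_1 appears on the page), the refusal of SSLv3 and TLSv1 as a floor, and the clear-text fallback for check-cert when the client cannot verify the certificate are all assumptions; the configuration text in the docstring is constructed.

```python
from __future__ import annotations

import configparser
import ssl

# Values accepted for MinProtocol in the [SSL] section of kcml.conf.  Only TLSv1_1
# appears in the documentation; TLSv1_2 and TLSv1_3 follow the same naming and are
# an assumption.  SSLv3 and TLSv1 are deliberately absent, so asking for them fails.
MIN_PROTOCOLS = {
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def build_server_context(conf_text: str, certfile: str | None = None) -> ssl.SSLContext:
    """Build a server-side TLS context from kcml.conf-style text.

    Assumed format (constructed):
        # comment
        [SSL]
        MinProtocol=TLSv1_2
    Anything below the configured floor is rejected at handshake time.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    name = cp.get("SSL", "MinProtocol", fallback="TLSv1_1")  # page: 7.16+ uses at least TLS 1.1
    if name not in MIN_PROTOCOLS:
        raise ValueError(f"MinProtocol={name!r} is not an acceptable minimum protocol")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_PROTOCOLS[name]
    if certfile is not None:
        ctx.load_cert_chain(certfile)  # the certificate every encryption level requires
    return ctx


# What protects each phase of a connection: the authentication exchange and the session.
CLEAR, TLS, TLS_CERT = "clear", "tls", "tls+cert"


def negotiate(level: str, client_has_ssl: bool, client_checks_cert: bool) -> tuple[str, str]:
    """Apply one encryption level to a connecting client.

    Returns (authentication, session) protection, or raises ConnectionRefusedError
    where the table says the Connection Manager must reject the client.
    """
    if level == "none":
        return CLEAR, CLEAR
    if level == "allow none":
        # Opportunistic: the client's capability decides, so this is a downgrade by design.
        return (TLS, CLEAR) if client_has_ssl else (CLEAR, CLEAR)
    if level == "authentication":
        if not client_has_ssl:
            raise ConnectionRefusedError("client cannot negotiate SSL/TLS")
        return TLS, CLEAR
    if level == "session":
        if not client_has_ssl:
            raise ConnectionRefusedError("client cannot negotiate SSL/TLS")
        return TLS, TLS
    if level == "check-cert":
        # Falling back to clear text when the client cannot verify the certificate is
        # an assumption; the table only says "if client is capable".
        ok = client_has_ssl and client_checks_cert
        return (TLS_CERT, TLS_CERT) if ok else (CLEAR, CLEAR)
    if level == "must-check-cert":
        if not (client_has_ssl and client_checks_cert):
            raise ConnectionRefusedError("client must use SSL/TLS and verify the certificate")
        return TLS_CERT, TLS_CERT
    raise ValueError(f"unknown encryption level {level!r}")


def is_refused(level: str, client_has_ssl: bool, client_checks_cert: bool) -> bool:
    """True if the policy would reject this client outright."""
    try:
        negotiate(level, client_has_ssl, client_checks_cert)
        return False
    except ConnectionRefusedError:
        return True
```

Reading the two functions together makes the page's recommendation concrete: a protocol floor only bites for clients that reach the TLS handshake at all, so a strict MinProtocol combined with an "allow none" level still lets an SSL-incapable client in over clear text. The level, not the floor, is what stops that.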
Encrypt ODBC
The connection between the ODBC driver, the Connection Manager & the ODBC server can also be encrypted by enabling the Encrypt ODBC option. This requires version 07.17 build 23349, or later, of the ODBC driver and the corresponding Linux, Solaris & AIX versions of the Connection Manager & ODBC server. Unlike KClient, where different levels of encryption are available, there is a single setting: when enabled, all sensitive network traffic is encrypted.
Password Cache
Allows the use of KClient's Cache password facility. If this checkbox is disabled, then KClient will not cache a password.
See also:
Secure Sockets