Reflection for the Web - Release Notes

December 2017

Reflection for the Web version 12.3 SP1 Update 1 released December 2017.

Reflection for the Web includes Host Access Management and Security Server to create, manage, and secure sessions to your hosts.

This document lists the features, resolved issues, and known issues since version 12.3 SP1.

What’s New

Reflection for the Web 12.3 SP1 Update 1 includes the following features (in addition to the 12.3 SP1 features).

Updates

  • Added Subject Alternative Name (SAN) support to the Management and Security Server dialogs used to generate certificates or certificate signing requests (CSRs) -- in the Security Proxy Wizard, HTTPS Certificate Utility, and the Configure Settings - Certificates panel.

  • Updated Java to version 1.8.0_151

  • Upgraded BCTLS (Bouncy Castle TLS) to 1.0.3

Compatibility Requirements

Reflection for the Web version 12.3 SP1 requires Host Access Management and Security Server version 12.4 SP1 Update 1 (12.4.11) to support the new cryptographic module.

While the two products are installed independently, the Reflection for the Web automated installer provides the option to install both products -- Reflection for the Web and a compatible version of Management and Security Server. Follow the prompts during installation.

For information about installing or using Management and Security Server, refer to the product documentation.

The Administrative Console

Reflection for the Web 12.3 SP1 Update 1 uses the Administrative Console as the user interface to create, manage, and secure sessions. The Administrative Console, which is part of Management and Security Server, replaces the Administrative WebStation in previous versions.

The Administrative Console features:

  • an HTML login that does not require Java

  • UI that expands as options are selected

  • online Help set, also available as the Management and Security Server Administrator Guide

  • new navigation:

    • Manage Sessions replaces Session Manager
    • Manage Packages replaces Package Manager
    • Assign Access replaces Access Mapper
    • Configure Settings replaces Settings and Security Setup
    • Run Reports replaces Reports

New cryptographic module for secure connections

Host Access Management and Security and Reflection for the Web were updated to use a new cryptographic module (Bouncy Castle 1.0.3) for providing encrypted connections to your mainframe.

The cryptographic module was updated because the previous third-party cryptographic module provider announced the end of support for their cryptographic module. Bouncy Castle is the provider for keystore operations, and the cryptographic files are generated using the .bcfks (Bouncy Castle FIPS keystore) extension. See Technical Note 2900 for more information.

Micro Focus strongly recommends upgrading Reflection for the Web to version 12.3 SP1 (or higher) at the earliest opportunity. Failing to upgrade to this version could

  • put you out of compliance with regulatory requirements, such as PCI-DSS, which require that critical security libraries be up to date and supported.

  • put you at risk if a new security vulnerability is announced, as security patches are not expected to be available for the older cryptographic modules.

TLS 1.2

Secure connections can be set to use TLS 1.2 without needing to use PKI Services Manager.

NOTE: A new installation of Security Proxy Server is set to TLS 1.2 by default.

If your Reflection for the Web sessions use a different TLS protocol, either configure the client to use TLS 1.2 (more secure) or configure the Security Proxy to use TLSv1.1 or TLSv1 (less secure).

Java 9 Support

Reflection for the Web 12.3 SP1 Update 1 supports Java 9 when these changes are configured.

Browser support

Reflection for the Web clients require a web browser using JRE 8 or later that can run trusted applets.

  • With Java 8, Internet Explorer 11 and Mozilla Firefox ESR 32-bit are supported.

  • With Java 9, only Internet Explorer 11 64-bit is supported with Reflection for the Web.

Java 9 support requires these settings in Internet Explorer 11 (64-bit):

  1. In Internet Explorer 11, open Internet Options to the Security tab.

  2. Check Enable Protected Mode* (requires restarting Internet Explorer) for each zone:

    • Internet

    • Local intranet

    • Trusted sites

    • Restricted sites

    Click Apply.

  3. Click the Advanced tab.

  4. Scroll to the Security section, and check Enable Enhanced Protected Mode*.

  5. Click Apply and OK. Close Internet Explorer.

  6. Restart your computer for the changes to take effect.

TLS connections

To make TLS connections with Java 9, apply this configuration:

  1. Open the Java 9 Control Panel to the Desktop Settings tab.

    One or more JREs are listed.

  2. In the Runtime Parameters column, add this text to each line:

    --illegal-access=warn

  3. Click Apply.

Reference Guide

The Reflection for the Web Reference Guide includes the Advanced topics that were previously in the Administrative WebStation. The guide is a separate document available from the documentation site.

The Reference Guide includes:

  • API and Scripting

  • Using ECL

  • Applet Attributes and Parameters

  • HTML Samples

  • Host-initiated RCL Support

Resolved Issues

  • Resolved vulnerability: Replaced Bouncy Castle 1.0.2 with Bouncy Castle 1.0.3

    CVE-2017-13098

  • Resolved the intermittent TLS connections. The time to start the TLS negotiations on the TCP/IP connection is reduced. As a result, the TLS timeouts do not need to be increased on the host.

  • IBM 3270 Printer Definition Files (PDFs) are migrated when upgrading to Reflection for the Web 12.3 SP1 Update 1.

Known Issue

This issue relates to the version of Java being used and affects only secure connections.

Unlimited Strength Jurisdiction Policy Files

For TLS connections to your host, Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files may be required.

Unlimited strength policy files contain no restrictions on cryptographic strengths, in contrast to the strong but limited cryptography policy files bundled in a JRE.

NOTE: Oracle introduced a new Security policy in Java 1.8_u151. To enable unlimited cryptography, refer to the Oracle release notes.

In Java 9, the policy files are unlimited by default. No further configuration is needed. However, to use the TLS protocol, a workaround is necessary.

To apply the JCE Unlimited Strength Jurisdiction Policy Files

For Java 8 versions prior to update 151, apply the JCE policy files as follows:

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle or IBM. Be sure to download the correct policy file updates for your version of Java:

    Java 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

    IBM: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

  2. Uncompress and extract the downloaded file. The download includes a Readme.txt and two .jar files with the same names as the existing policy files.

  3. Locate the two existing policy files:

    local_policy.jar

    US_export_policy.jar

    On UNIX, look in <java-home>/lib/security/

    On Windows, look in C:\Program Files\Java\jre<version>\lib\security\

  4. Replace the existing policy files with the unlimited strength policy files you extracted.

NOTE: The JCE Unlimited Strength Jurisdiction Policy Files must be applied each time you upgrade your JRE.
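One way to confirm the result of the policy-file procedure above, and the TLS 1.2 requirement described earlier, after each JRE upgrade. This is an added example, not part of the Micro Focus documentation or product; the class name JceTlsCheck is hypothetical, and the check uses only standard Java APIs.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (not product code): reports the JCE policy strength and
// TLS 1.2 availability of the JRE that runs it.
public class JceTlsCheck {

    // Limited policy files cap AES at 128 bits; the unlimited files
    // make getMaxAllowedKeyLength return Integer.MAX_VALUE.
    static boolean unlimitedStrength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // True if the named protocol appears in the list.
    static boolean has(String[] protocols, String name) {
        return Arrays.asList(protocols).contains(name);
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which lib/security directory is in effect.
        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.home    : " + System.getProperty("java.home"));
        // crypto.policy is the property added in 8u151; null when it is unset or the JRE is older.
        System.out.println("crypto.policy: " + Security.getProperty("crypto.policy"));
        System.out.println("max AES bits : " + Cipher.getMaxAllowedKeyLength("AES"));

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("TLS supported: " + Arrays.toString(supported));
        System.out.println("TLS enabled  : " + Arrays.toString(enabled));

        boolean unlimited = unlimitedStrength();
        boolean tls12 = has(enabled, "TLSv1.2");
        if (!unlimited) System.out.println("FAIL: limited policy files are in effect");
        if (!tls12) System.out.println("FAIL: TLSv1.2 is not enabled by default");
        // Non-zero exit lets a post-upgrade script flag the JRE.
        System.exit(unlimited && tls12 ? 0 : 1);
    }
}
```

Compile with a JDK of the same major version, then run the class with the java binary of the JRE that the browser uses, since each installed JRE has its own lib/security directory.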

Resources

About Upgrading

The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.

If you are evaluating

If you are running an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 12.3 SP1.

Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Technical Note 2818: Evaluating Reflection for the Web.

Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.