Installing Reflection ZFE

Before you install

These prerequisites need to be met before you can successfully install Reflection ZFE.

  • Host Access Management and Security Server

    Reflection ZFE requires Host Access Management and Security Server (MSS) for session management: you can use an existing MSS installation or a simple first-time install. The Windows install program will install MSS, the ZFE session server, and documentation to a single machine. Different components can reside on different machines.

    You will be asked for the user name and password for the Management and Security Server used by Reflection ZFE. It is a good idea to have those credentials in hand before you start installation.

    MSS uses activation files (activation.jaw) to enable product functionality. The Reflection ZFE install program contains the needed activation file. You will need to provide an activation file if you intend to use an already installed or remote MSS server that has not been activated for use with Reflection ZFE. Support for UTS, T27, and the Terminal ID Manager require separate activation files. You can read all about MSS activation files in the Host Access Management and Security Server Installation Guide.

  • Reflection ZFE and Java

    Reflection ZFE requires a Java JDK version 8 or higher and MSS requires a Java JRE version 8 or higher. This Java requirement is met during installation, except for these platform exceptions:

    • For systems, such AIX or Linux on System Z that require an IBM JDK, you can use the “nojdk” installer media, which does not include a bundled JDK.

      To use the nojdk media option:

      • The installation must be able to locate a Java executable to start. If a Java executable cannot be found by the installer, then you can set the INSTALL4J_JAVA_HOME environment variable to refer to a Java installation’s bin directory.
      • When started, the installation program will automatically search for version-compatible JDKs on the system. If more than one JDK is found, a list is displayed from which you can choose. If only a JRE is found on the system, you can continue with the installation, but the Reflection ZFE server will not run correctly until you have updated the wrapper.java.command property located in sessionserver/container.conf to refer to a JDK installation.
  • Both Reflection ZFE and MSS require that the Java installation support unlimited strength encryption. More information is available on the Java web site.

  • If necessary, you can use the environment variables named above and INSTALL4J_JAVA_HOME_OVERRIDE to specify a specific Java installation.

  • If you plan on using the IIS Reverse Proxy with Reflection ZFE, read Technical Note 2859 for prerequisites and configuration instructions.

System requirements

All requirements listed are the minimum required to successfully install Reflection ZFE.

Supported web browsers

The only thing needed to access Reflection ZFE terminal emulation is a supported web browser. The following web browsers are currently supported:

  • Google Chrome 33+

  • Mozilla Firefox 27+

  • Microsoft Internet Explorer 11+

    See Browser issues for information on performance issues when using Internet Explorer.

  • Microsoft Edge

  • Apple iOS Safari 7+

MSS is platform independent and supports any web browser using JRE 7 or later that supports JavaScript and Cascading Style Sheets (CSS).

Session server operating systems

The Reflection ZFE session server supports the following 64-bit platforms:

  • Windows 2008 Server

  • Solaris 10 (SPARC)

  • Red Hat Enterprise Linux (RHEL) 6.x

  • SUSE Enterprise Linux 11.x

  • AIX 6.x

z/Linux (SUSE E11.x and RHEL 6.x) installation

Follow the procedures described in the download site instructions.

Installing on UNIX platforms

  • You must either install as “root” or use a user account with root privileges to complete successfully. When the installation has successfully completed, the installed application can be started and managed by “root” or someone running as ‘root”.

  • Elevated privileges are needed to open any application ports lower than 1024. Reflection ZFE will not start using a lower port number unless you have system privileges to open low numbered ports.

  • You can use the chmod command to assign application privileges to users other than root.

Preparing to install

Reflection ZFE supports TLS and SSH protocols to protect mission-critical data. To secure your passwords and other sensitive data, you should require browsers to use the HTTPS protocol.

To configure a Reflection ZFE session to use TLS, you must first establish a “trust” for the public certificate chain of the host to which you’re connecting. MSS centrally manages the trust store that Reflection ZFE uses. Be default, the Reflection ZFE session server fetches this trust store every time it attempts a connection.

For a successful installation you must have a valid certificate signed by a trusted Certificate Authority (CA) and install it on the session server. To head off any installation issues, read Making Secure Connections. In a typical Reflection ZFE installation there are three main connection points that you need to consider in regard to security, the Making Secure Connections topic deals with all three; web browser to Reflection ZFE session server, Reflection ZFE session server to MSS, and Reflection ZFE session server to the host legacy system.

Ports used by Reflection ZFE

Configure your firewall to allow connections on the following TCP listening ports:

Component

Default Port Numbers

Reflection ZFE session server

7070 - HTTP

7443 - HTTPS

MSS

80 - HTTP

443 - HTTPS

Both the Reflection ZFE and the MSS Administrative Server ports can be changed depending on your network needs. To modify the Reflection ZFE session server ports, see How to Change Ports.

Upgrading from previous installations

Upgrading is a simple and easy. It’s best to back up any previous work before you upgrade.

To upgrade from previous versions to the current version:

  1. Stop Management and Security Server.

  2. Uninstall the previous version of Reflection ZFE, but do not uninstall Management and Security Server.

  3. Install the latest version of Reflection ZFE.

Troubleshooting the installation

To complete a successful installation, make sure that you have taken care of these common connection issues:

Is MSS configured for HTTPS?

Connect to the system where the Administrative Server is installed and log in to the Administrative Server. In the Administrative WebStation, open the Security Setup section and note the protocol selection.

Verify that both MSS and Reflection ZFE are using trusted certificates.

MSS imports certificates and private keys to C:\ProgramData\Micro Focus\MSS\MSSData\certificates.

If you are not using trusted certificates, have you configured Reflection ZFE to run using HTTP?

Are your connection properties configured properly?

In the unlikely event that you have to verify connection information, the container.properties file for both the management component and the Reflection ZFE session server contains the connection properties needed to make the Reflection ZFE to MSS connection as well as the browser to Reflection ZFE connection.

You can find the file in the Reflection ZFE installation at <install-dir>/sessionserver/conf/container.properties.

Connecting using HTTP

If you do not have a trusted certificate in place, you can configure Reflection ZFE to use HTTP. This configuration is not secure and should be used only when no other option is available.

Connecting to...

Do this...

An existing remote MSS Administrative Server

  1. During the Reflection ZFE installation, after you accept the license agreement and choose a destination directory, select Use remotely hosted MSS. Click Next.

  2. Enter either the host name, DNS name, or IP address.

  3. Change the port from 443 to 80.

  4. Select HTTP and complete the installation process.

The MSS Administrative Server that is installed with Reflection ZFE

  1. Select Install MSS and follow the installation instructions.

  2. Clear the Perform this action option and click Finish.

    If this option is not disabled, you can open <install-directory>\Micro Focus\ReflectionZFE\sessionserver\conf\container.properties in a text editor and change 443 to 80 in the following line: management.server.url=http://yourmachine:80/mss

    If this option is not cleared, an internal error is generated and you will be asked to contact your system administrator.

  3. Restart the Reflection ZFE Session Server service.

Other known issues

This section documents miscellaneous known issues and work around tips for Reflection ZFE.

HTTPS connections between mobile devices running Apple iOS8 and the Reflection ZFE session server

Due to an apparent bug in iOS 8, Reflection ZFE users cannot connect to a session server over HTTPS from their iPad when using a self-signed certificate. If feasible, the quickest solution is to use HTTP instead of HTTPS.

If HTTPS is needed, you have the following options:

  • Obtain a valid certificate signed by a trusted CA and install it on the session server.

  • Find an alternate browser that will accept the self-signed certificate. See System requirements for a list of supported browsers.

  • Leverage a custom certificate authority:

    1. Create a custom CA, CA root certificate, and a server certificate signed by that CA’s root certificate.

    2. Install the server certificate on the session server.

    3. Install the custom CA root certificate on te iPad by means of a profile. The iPad show now accept the server certificate as it was signed by a “trusted CA”.

    For a list of CAs trusted by Apple iOS, see Lists of available trusted root certificates in iOS.

SSL/TLS error message issues

  • (ECL1011) Error connecting to host: Connection to host failed.

    This error can display in a number of situations that are not simply due to a connection failure.

    • You may see this error if an SSL/TLS connection failed due to the lack of a trusted certificate in the MSS trust store.

    • This error displays when a SSL/TLS handshake failure occurs when you use TLS to connect to or from a plain text host.

Displaying the Euro character

If the EURO character does not display correctly on the terminal screen, talk to your system administrator to make sure the host character set for the session is setup correctly. By default, Reflection ZFE uses a character set which does not support the Euro character (€). To display the Euro character, change the character set to one that supports the Euro character.

Install does not complete on UNIX or Linux platforms

The Reflection ZFE install program may stall on UNIX or Linux systems, particularly headless ones. This stall is caused by an insufficient amount of entropy in the system, typically due to a lack of interaction with the operating system’s UI (or lack of UI).

To remedy the issue:

  1. Stop the installation process.

  2. On the installer’s command line, prepend –J to the Java System property: ./reflectionzfe-xxxx-linux-x64.sh -J-Djava.security.egd=file:///dev/urandom

  3. Run the installation program containing the added argument.