Host Access Management and Security Server - Release Notes

November 2017

Host Access Management and Security Server version 12.4 SP1 (12.4.10) released November 2017.

This document lists the features, resolved issues, and known issues added since version 12.4.0 was released.

What’s New

Host Access Management and Security Server 12.4 SP1 (12.4.10) includes the following features (in addition to the 12.4 features described in Technical Note 2885):

  • The Administrative Console

    This release introduces the redesigned user interface for Management and Security Server’s Administrative Server -- the Administrative Console.

  • New Cryptographic module for secure connections

    The Host Access Management and Security family of products has been updated to use a new cryptographic module for providing encrypted connections to your mainframe.

  • The HTTPS Certificate Utility provides the ability to generate a new private key and a Certificate Signing Request (CSR), and then import the signed certificate and private key.

  • Java version: 1.8.0_144

  • Apache Tomcat version: 8.5.23

  • On the Security Proxy Server, multiple cipher suites of the same key type can use the same certificate. That is, all RSA cipher suites use one RSA certificate, and all DSA cipher suites use one DSA certificate.

  • Check the Known Issues for potentially incompatible secure protocol settings.

The Administrative Console

The Administrative Console replaces the Administrative WebStation as the user interface for Management and Security Server’s Administrative Server.

The Administrative Console features:

  • an HTML login that does not require Java

  • UI that expands as options are selected

  • online Help set, also available as the Management and Security Server Administrator Guide

  • new navigation:

    • Manage Sessions replaces Session Manager
    • Manage Packages replaces Package Manager
    • Assign Access replaces Access Mapper
    • Configure Settings replaces Settings and Security Setup
    • Run Reports replaces Reports

New Cryptographic module for secure connections

    The cryptographic module was updated because the previous third-party cryptographic module provider announced the end of support for their module. Bouncy Castle is now the provider for keystore operations, and the keystore files are generated with the .bcfks (Bouncy Castle FIPS keystore) extension. See Technical Note 2900 for more information.

Micro Focus strongly recommends upgrading to the Host Access Management and Security 12.4 SP1 at the earliest opportunity. Failing to upgrade to this version could

  • put you out of compliance with regulatory requirements, such as PCI-DSS, which require that critical security libraries be up to date and supported.

  • put you at risk if a new security vulnerability is announced, as security patches are not expected to be available for the older cryptographic modules.

All future security updates related to cryptography will be addressed by Micro Focus in the Host Access Management and Security Server 12.4 SP1 release and its successors.

Resolved Issues

  • The Entropy Gathering Device (EGD) was changed to /dev/urandom to resolve issues where installation and starting of applications may be slow or appear to hang on headless UNIX systems.

    If the use of /dev/urandom is not acceptable or permitted in your environment, you can configure the applications to use /dev/random instead. See the alternative solutions detailed in the Management and Security Server Installation Guide.

  • When the unix-nojre installer is used to install the product, the "server" shell script now executes as expected on Linux and UNIX systems.

  • In Administrative Console, when an LDAP Server is configured to use the Security option TLS/SSL, you can search for users or groups on your LDAP server to assign (map) sessions.

  • Resolved vulnerabilities (affected third-party component and version, with CVE and severity):

    • Apache Commons FileUpload 1.1.1
      • CVE-2014-0050 (High)
      • CVE-2013-0248 (Low)

    • Apache Struts 1.3.10
      • CVE-2014-0114 (High)
      • CVE-2015-0899 (Medium)
      • CVE-2016-1181 (Medium)
      • CVE-2016-1182 (Medium)

    • Bouncy Castle 1.3.7
      • CVE-2007-6721 (High)

Known Issues

  • After installing the Windows Desktop Emulation activation file in Management and Security Server, the browser instance running the Administrative Console must be closed and restarted to complete and enable activation.

  • Incompatible secure protocol settings. New installations of the Security Proxy Server are set to use TLS 1.2 for secure connections. When the client, such as Reflection Desktop, is set to use a security protocol other than TLS 1.2, the setting is incompatible.

    Resolution: Either configure the client (Reflection Desktop) to use TLS 1.2 (more secure), or configure the Security Proxy Server to also accept TLS 1.1 or TLS 1.0 (less secure). Preferring the client-side change keeps the proxy at TLS 1.2 only.

    Note: Existing protocol configurations are preserved when Management and Security Server and the Security Proxy Server are upgraded, and sessions continue to work as expected.
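    Before changing either side, a practitioner will want to confirm which protocol versions a given Security Proxy Server port actually accepts. The probe below is an added example written for these notes, not a Micro Focus tool; it assumes the proxy speaks TLS directly on the port you name, and the HOST and PORT constants are placeholders. It also shows, in code terms, what "configure the client for TLS 1.2" amounts to.

```python
"""Probe which TLS protocol versions a server accepts, one handshake per version.

Added example for these release notes (not Micro Focus code). Assumes the
Security Proxy Server is reachable on a TCP port that speaks TLS directly;
HOST and PORT are placeholders to replace with your own values.
"""
import socket
import ssl

HOST = "securityproxy.example.com"  # placeholder, not a real host
PORT = 3000                          # placeholder port

# Candidate versions, oldest first. Each is probed only if the local OpenSSL
# build can still speak it; otherwise a failure would say nothing about the server.
CANDIDATES = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]


def single_version_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate verification is switched off on purpose: the probe only needs
    to learn whether the handshake gets past version negotiation, not whether
    the server certificate chains to a trusted CA. Never reuse this context
    for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3.x refuses TLS 1.0/1.1 unless the security level is 0.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # older OpenSSL/LibreSSL: no security levels, nothing to relax
    return ctx


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Return {version name: outcome} after one handshake attempt per version."""
    outcomes = {}
    for name, version, available in CANDIDATES:
        if not available:
            outcomes[name] = "skipped: local OpenSSL cannot speak it"
            continue
        try:
            ctx = single_version_context(version)
        except ValueError as exc:
            outcomes[name] = f"skipped: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    outcomes[name] = f"accepted: {tls.version()} {tls.cipher()[0]}"
        except ssl.SSLError as exc:
            # A server pinned to TLS 1.2 answers a TLS 1.0/1.1 ClientHello with
            # a protocol_version alert; that surfaces here as an SSLError.
            outcomes[name] = f"rejected: {exc.reason or exc}"
        except OSError as exc:
            outcomes[name] = f"connection failed: {exc}"
    return outcomes


def hardened_client_context() -> ssl.SSLContext:
    """What 'configure the client for TLS 1.2' means in code: keep certificate
    and hostname verification on, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, outcome in probe(HOST, PORT).items():
        print(f"{name:8} {outcome}")
```

    A proxy left at its new default should report "rejected" for TLS 1.0 and TLS 1.1 and "accepted" for TLS 1.2; if TLS 1.1 or 1.0 shows "accepted" after an upgrade, that is a preserved older configuration rather than the default. Note that hardened_client_context() is the direction to prefer: it raises the client floor instead of lowering the proxy's.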

  • If a Security Proxy Server is configured with the Client authorization option disabled (Security Proxy Wizard > Advanced Settings tab), connections to the Security Proxy server from Windows-based emulators that are launched from the Java links list can fail. For more information about this issue, please contact Support.

  • In the Administrative Console, the NTLM configuration option, Fall back to Basic authentication, was removed. If this setting is needed, you can set a property. Contact Support for details.

  • If you are installing or upgrading from Reflection ZFE version 2.1.1 or 2.1.0, contact Support.

    A workaround is needed to resolve version compatibility between Reflection ZFE and Management and Security Server 12.4.10.


Technical Resources, including documentation and technical notes:

  • Technical Note 2900: Updated Cryptographic Modules in Host Access Management and Security Server