Reflection for the Web - Release Notes

December 2017

Reflection for the Web version 12.3 SP1 Update 1 released December 2017.

Reflection for the Web includes Host Access Management and Security Server to create, manage, and secure sessions to your hosts.

This document lists the features, resolved issues, and known issues since version 12.3 SP1.

What’s New

Reflection for the Web 12.3 SP1 Update 1 includes the following features (in addition to the 12.3 SP1 features).


  • Added Subject Alternative Name (SAN) support to the Management and Security Server dialogs used to generate certificates or certificate signing requests (CSRs) -- in the Security Proxy Wizard, HTTPS Certificate Utility, and the Configure Settings - Certificates panel.

  • Updated Java to version 1.8.0_151

  • Upgraded BCTLS (Bouncy Castle TLS) to 1.0.3

Compatibility Requirements

Reflection for the Web version 12.3 SP1 requires Host Access Management and Security Server version 12.4 SP1 Update 1 (12.4.11) to support the new cryptographic module.

While the two products are installed independently, the Reflection for the Web automated installer provides the option to both products -- Reflection for the Web and a compatible version of Management and Security Server. Follow the prompts during installation.

For information about installing or using Management and Security Server, refer to the product documentation.

The Administrative Console

Reflection for the Web 12.3 SP1 Update 1 uses the Administrative Console as the user interface to create, manage, and secure sessions. The Administrative Console, which is part of Management and Security Server, replaces the Administrative WebStation in previous versions.

The Administrative Console features:

  • an HTML login that does not require Java

  • UI that expands as options are selected

  • online Help set, also available as the Management and Security Server Administrator Guide

  • new navigation:

    • Manage Sessions replaces Session Manager
    • Manage Packages replaces Package Manager
    • Assign Access replaces Access Mapper
    • Configure Settings replaces Settings and Security Setup
    • Run Reports replaces Reports

New cryptographic module for secure connections

Host Access Management and Security and Reflection for the Web were updated to use a new cryptographic module (Bouncy Castle 1.0.3) for providing encrypted connections to your mainframe.

The cryptographic module was updated because the previous third party cryptographic module provider announced the end of support for their cryptographic module. Bouncy Castle is the provider for keystore operations, and the cryptographic files are generated using the.bcfks (bouncy castle FIPS keystore) extension. See Technical Note 2900 for more information.

Micro Focus strongly recommends upgrading Reflection for the Web to version 12.3 SP1 (or higher) at the earliest opportunity. Failing to upgrade to this version could

  • put you out of compliance with regulatory requirements, such as PCI-DSS, which require that critical security libraries be up to date and supported.

  • put you at risk if a new security vulnerability is announced, as security patches are not expected to be available for the older cryptographic modules.

TLS 1.2

Secure connections can be set to use TLS 1.2 without needing to use PKI Services Manager.

NOTE: A new installation of Security Proxy Server is set to TLS 1.2 by default.

If your Reflection for the Web sessions use a different TLS protocol, either configure the client to use TLS 1.2 (more secure) or configure the Security Proxy to use TLSv1.1 or TLSv1 (less secure).

Java 9 Support

Reflection for the Web 12.3 SP1 Update 1 supports Java 9 when these changes are configured.

Browser support

Reflection for the Web clients require a web browser using JRE 8 or later that can run trusted applets.

  • With Java 8, Internet Explorer 11 and Mozilla Firefox ESR 32-bit are supported.

  • With Java 9, only Internet Explorer 11 64-bit is supported with Reflection for the Web.

Java 9 support requires these settings in Internet Explorer 11 (64-bit):

  1. In Internet Explorer 11, open Internet Options to the Security tab.

  2. Check Enable Protected Mode* (requires restarting Internet Explorer) for each zone:

    • Internet

    • Local intranet

    • Trusted sites

    • Restricted sites

    Click Apply.

  3. Click the Advanced tab.

  4. Scroll to the Security section, and check Enable Enhanced Protected Mode*.

  5. Click Apply and OK. Close Internet Explorer.

  6. Restart your computer for the changes to take effect.

TLS connections

To make TLS connections with Java 9, apply this configuration:

  1. Open the Java 9 Control Panel to the Desktop Settings tab.

    One or more JREs are listed.

  2. In the Runtime Parameters column, add this text to each line:


  3. Click Apply.

Reference Guide

The Reflection for the Web Reference Guide includes the Advanced topics that were previously in the Administrative WebStation. The guide is a separate document available from the documentation site.

The Reference Guide includes:

  • API and Scripting

  • Using ECL

  • Applet Attributes and Parameters

  • HTML Samples

  • Host-initiated RCL Support

Resolved Issues

  • Resolved vulnerability: Replaced Bouncy Castle 1.0.2 with Bouncy Castle 1.0.3


  • Resolved the intermittent TLS connections. The time to start the TLS negotiations on the TCP/IP connection is reduced. As a result, the TLS timeouts do not need to be increased on the host.

  • IBM 3270 Printer Definition Files (PDFs) are migrated when upgrading to Reflection for the Web 12.3 SP1 Update 1.

Known Issue

This issue relates to the version of Java being used and affects only secure connections.

Unlimited Strength Jurisdiction Policy Files

For TLS connections to your host, Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files may be required.

Unlimited strength policy files contain no restrictions on cryptographic strengths, in contrast to the strong but limited cryptography policy files bundled in a JRE.

NOTE: Oracle introduced a new Security policy in Java 1.8_u151. To enable unlimited cryptography, refer to the Oracle release notes.

In Java 9, the policy files are unlimited by default. No further configuration is needed. However, to use the TLS protocol, a workaround is necessary.

To apply the JCE Unlimited Strength Jurisdiction Policy Files

For Java 8 versions prior to update 151, apply the JCE policy files as follows:

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle or IBM. Be sure to download the correct policy file updates for your version of Java:

    Java 8:


  2. Uncompress and extract the downloaded file. The download includes a Readme.txt and two .jar files with the same names as the existing policy files.

  3. Locate the two existing policy files:



    On UNIX, look in <java-home>/lib/security/

    On Windows, look in C:\Program Files\Java\jre<version>\lib\security\

  4. Replace the existing policy files with the unlimited strength policy files you extracted.

NOTE: The JCE Unlimited Strength Jurisdiction Policy Files must be applied each time you upgrade your JRE.


About Upgrading

The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.

If you are evaluating

If you are running an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 12.3 SP1.

Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Technical Note 2818: Evaluating Reflection for the Web.

Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.