Host Access Management and Security Server - Release Notes

January 2024

Host Access Management and Security Server (MSS) 14.0.0.2

What's New

All MSS releases are cumulative, and contain the features introduced in earlier releases. For previous versions, see MSS Documentation.

Features and Fixes

• Updated Java and applied security updates to address CVEs and additional bug fixes. (14.0.0.2)
• Applied security updates to address multiple CVEs. (14.0.0.1)
• Added X.509 authentication support for Reflection Desktop when configured for centralized management. See below for more information. (14.0.0.1)
• Addressed an issue that prevented the advanced Kubernetes dashboard from loading in a deployment that was not connected to the internet. (14.0.0.1)
• Added strict Transport Security Headers (HSTS) to enhance security. (14.0.0.1)

• SiteMinder Agent name is now automatically replicated between nodes. (14.0.0.1)

• MSS has adopted a new architecture that simplifies deployment, tightens security, improves scaling and high availability, and eases ongoing maintenance. There are two new deployment options, a virtual software appliance and Linux installers. See the deployment guide for information and how to choose the deployment that best fits your needs. (14.0)

  Some benefits provided by the new architecture:

  • A single certificate is used for the entire cluster. TLS is used to secure end-to-end communication.

  • Services are self healing and automatically distributed across cluster nodes, providing built in high availability and fault tolerance.

  • Scaling to handle changes in capacity has been greatly simplified.

  • Clustering workflows have been improved and no longer require complicated certificate management.

  • Load balancers are now optional and no longer require complicated configurations.

  • Management workflows and basic monitoring of the cluster have been both simplified and expanded.

  • The new architecture is built on standards so common tools can be used when working with the cluster.

  • The virtual software appliance provides a convenient update channel for applying product and operating system updates.

  • The process for configuring the following has been simplified: Metering, Terminal ID Manager, Kerberos authentication, X.509 authentication

• The MSS Admin Console, Metering Reports Console and Terminal ID Manager Consoles all share the same password for easier management. (14.0)

• Applied security updates and additional bug fixes. (14.0)

• Apache Commons Text library updated to version 1.10.0 to mitigate CVE-2022-42889. (12.8.5)

• Apache Shiro library updated to version 1.10.0 to mitigate CVE-2022-40664. (12.8.5)

• Removed the JXPath library to mitigate CVE-2022-41852. (12.8.5)

• Fixed bug that occasionally resulted in SAML related errors on servers under high load. (12.8.4)

• Windows Authentication - Kerberos is available for end users launching sessions via the Assigned Sessions list. (12.8.3)

• Automated Sign-On for Host Access is a new feature that allows an end user to receive a one-time, time-limited passcode to sign on to back-end host systems. The passcode is associated with the end user's host userid and only issued if the host has authorized the connection.
  Note: This feature requires some changes on the host. (12.8.2)

• Host Access for the Cloud sessions can be exported and imported using the MSS Admin Console. (12.8.2)

• Added support for IPv6 in dual stack (IPv6/IPv4) environments. (12.8.2)

• Log4j library was upgraded to version 2.17.1 to mitigate multiple CVEs. (12.8.1)

• MSS Documentation was converted to Markdown. (12.8.1)

Changes in Behavior and Usage

• The process for configuring X.509 authentication has changed slightly. Please see the documentation for the updated steps. (14.0.0.1)

• The minimum disk space requirement for the Appliance and Linux based installers has been increased from 60GB to 100GB. (14.0.0.1)

• The Installation Guide has been renamed to the Deployment Guide and has been updated to document the new deployment process. (14.0)

• A collection of features that were believed to be unused have been deprecated and removed. Please contact support if a feature has been removed that you depended upon. (14.0)

• The configuration process for the Security Proxy, Terminal ID manager and Metering have changed. See the documentation for more information. (14.0)

• The Terminal ID Manager Console and Metering Admin Console now share the same password as MSS Admin Console. (14.0)

• The configuration process for various authentication types has been changed and simplified. See the documentation for more information. (14.0)

• The clustering process has changed and the clustering view has been removed in favor of the new Cluster Management Console. Log into the Admin Console then choose Cluster Management from the upper left menu. See the Deployment Guide for more information. (14.0)

• Support for NTLM based authentication has been removed and replaced with support for Kerberos. (14.0)

• Microsoft has retired Internet Explorer 11, and as such, our ability to resolve IE 11 browser specific issues in older versions of MSS is limited. Support for IE 11 has been removed from MSS 14.0 and greater. However, we will continue to support IE 11 for older versions of MSS that currently support it, as per the Product Support Lifecycle. (14.0)

Known Issues

If you encounter unexpected issues with Management and Security Server, contact Support.

• Certain X.509 capabilities related to OCSP, CRL and multi-LDAP support are not fully supported in this release. Please contact support if these capabilities are critical to your deployment. (14.0.0.1)

• Following initial installation, server node restarts, or adding new nodes to the cluster, it may take approximately 15 minutes for the cluster to stabilize and report itself as 'Healthy.' Numerous warning events may appear in the Cluster Management - Events view during startup. These are part of the normal operation and will be cleared after approximately 15 minutes. Always wait for the cluster to be reported as healthy before proceeding with cluster operations. (14.0)

• Occasionally upon initial installation of the product, a session server will fail to start due to a problem with the underlying storage engine. This can be recognized in the Cluster Management console > Cluster Health, the session server(s) will show as not ready. To work around this issue, access the server node using SSH and run cspctl cluster reset. Be aware that this command resets the node to a clean state and any application data is lost, so only run it as needed on first installation if this issue appears. (14.0)

• When using the Appliance, the process of downloading a Support Zip can take several minutes, with no feedback in the user interface. After clicking "Ok", please stay on the view until the download completes (14.0)

• When using the migration tool to migrate from a system with Terminal ID manager configured, on the new system Terminal ID manager will fail to start after migration. To work around this issue please contact support. (14.0)

• Automated Sign-on for Host Access is currently not functioning. This will be addressed in an upcoming release. (14.0)

• Support for X.509 authentication through a load balancer is not currently functioning. (14.0)

• Reflection/InfoConnect Desktop FTP sessions that run through the Security Proxy may fail with a "Failed to establish an FTP Gateway session" message. Please contact support for assistance. (14.0)

Contacting Open Text

Check these online resources.

• MSS Security Updates -- contact Customer Support

• MSS Product Documentation

  - MSS Deployment Guide

  - MSS Admin Console Help

• Product information, including the MSS Add-On products and a Free Trial link

• Support Resources

For specific product issues, contact Customer Support.

Legal Notice

© 2024 Open Text

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.