Reflection for the Web - Release Notes

October 2021

1.0 Version 13.0 Hotfix 11

released October 2021

  • Java Security update 1.8.0_312

2.0 Version 13.0 Hotfix 10

released July 2021

  • Java Security update 1.8.0_302

3.0 Version 13.0 Hotfix 9

released May 2021

  • Java Security update 1.8.0_292

  • Updated Apache HTTP components

4.0 Version 13.0 Hotfix 8

released January 2021

  • Java Security update 1.8.0_282

  • Updated Apache Tomcat to v9.0.39 for the remote/stand-alone installation of Reflection for the Web.

5.0 Version 13.0 Hotfix 7

released October 2020

  • Java Security update 1.8.0_272

  • Updated Tomcat, Spring, and Jackson libraries to the latest available security release for the remote/stand-alone installation of Reflection for the Web.

6.0 Version 13.0 Hotfix 6

released July 2020

  • Java Security update 1.8.0_262

7.0 Version 13.0 Hotfix 5

released April 2020

  • Java Security update 1.8.0_252

  • Updated Tomcat to v9.0.33 for the stand-alone installation

  • Updated Management and Security Server (MSS) to version 12.6.3, which is required to manage and secure your Reflection for the Web sessions

  • A workaround is available for Security Vulnerability CVE-2020-1938. See 7024548 for details.

8.0 Version 13.0 Hotfix 4

released January 2020

  • Java Security update 1.8.0_242

  • Updated Management and Security Server (MSS) to version 12.6.2, which is required to manage and secure your Reflection for the Web sessions

9.0 Version 13.0 Hotfix 3

released November 2019

Two enhancements were added for use with the Reflection for the Web Launcher.

  • To prevent the accidental closure of emulator sessions, a Warning displays when sessions are open and the user attempts to close the links list applet.

  • The links list applet is hidden when not needed (after successful authentication).

10.0 Version 13.0 Hotfix 2

released October 2019

Features and Updates | Resolved issues

10.1 Features and Updates in version 13.0 Hotfix 2

  • Updated Reflection for the Web Launcher to version 1.2.0.

  • Reflection for the Web Launcher 1.2.0 includes a batch file, RWebLauncher-settings.bat, to start a GUI application that enables you to configure debug logging, certificates, caching, and client-side network settings for proxy servers.

    The file is available from your Reflection for the Web Launcher installation location. (The default is \...\AppData\Local\Apps\Micro Focus\Reflection for the Web Launcher.)

  • Reflection for the Web Launcher applet displays only Reflection for the Web sessions.

  • In the Reflection for the Web client, added a Connection Setup option to use TLS 1.0 exclusively.

  • Updated Management and Security Server (MSS) to 12.6.1, which is required to manage and secure your Reflection for the Web sessions.

  • Java Security update 1.8.0_232

    JRE security updates are provided for the Reflection for the Web Launcher (in the RWebLauncher.msi file), the installer, and for stand-alone operation of Reflection for the Web.

  • Updated Tomcat to version 9.0.22 for the stand-alone installation.

10.2 Resolved issues

  • X.509 authentication works when using the Reflection for the Web Launcher.

  • Fonts scale correctly when printing from an IBM 5250 Printer session.

  • When using the Reflection for the Web Launcher, the logging messages correctly appear in the Java Console, when "Write client debug output to console” is checked on the MSS Administrative Console - Logging panel.

  • Saving an edited Reflection for the Web session to the MSS Administrative Server does not automatically launch the session if APPLET tag was selected in Configure Settings - General Settings.

11.0 Version 13.0 Hotfix 1

released August 2019

  • Java Security update 1.8.0_222

    JRE security updates are provided for the Reflection for the Web Launcher (in the RWebLauncher.msi file) and for stand-alone operation of Reflection for the Web.

  • A workaround is available for X.509 authentication when using a hard certificate (smart card) and the Reflection for the Web Launcher. Contact Support for assistance.

  • Resolved Security Vulnerabilities:

    • CVE-2019-10181
    • CVE-2019-10182
    • CVE-2019-10185

12.0 Version 13.0

released July 2019

Features | Compatibility requirements | Resolved issues | Known issues

12.1 Features introduced in version 13.0

  • Introduced Reflection for the Web Launcher, a private client-side application that installs an OpenJDK 8 JRE with Web Start (JNLP) to launch Reflection for the Web sessions.

    With the Reflection for the Web Launcher, the end-user workstations no longer require Oracle’s JRE, the Oracle Java browser plug-in, or the Netscape PlugIn API (NPAPI). The Reflection for the Web Launcher can be used with any browser, including Google Chrome, Mozilla Firefox, or Microsoft Edge.

    MSS administrators, however, still need Internet Explorer 11 and the Oracle Java plug-in to create and manage Reflection for the Web sessions in the Administrative Console.

    Note: JRE security updates will be provided in an .msi file in Reflection for the Web product updates.

    As you phase out Oracle’s JRE or the Oracle Java plug-in, choose the appropriate deployment option for your environment: Standard, Hybrid, or Launcher. Details are in the Reflection for the Web Installation Guide.

  • Updated Management and Security Server (MSS) to 12.6, which is required to manage and secure your Reflection for the Web sessions.

    Note: MSS requires 3.40 GHz (4 cores) and 8GB of RAM.

  • Updated Apache Tomcat to 9.0.19.

  • Renamed the Automated sign-on macro feature to Secure logon macro.

12.2 Compatibility requirements

Reflection for the Web 13.0 includes Host Access Management and Security Server 12.6 to create, manage, and secure your host sessions.

The Reflection for the Web automated installer provides the option to install both products, even though the products are installed independently. Versions must be compatible to implement security updates and other functions.

NOTE:The Security Proxy (and any MSS Add-on product) must be the same <major>.<minor>.<update> version as Management and Security Server.

For example, when you upgrade to Reflection for the Web 13.0, which uses MSS version 12.6, be sure to upgrade the Security Proxy to version 12.6.

For information about using Management and Security Server, see the MSS Administrator Guide.

12.3 Resolved issues

These issues have been resolved since version 12.3 SP1 Update 2.

  • Resolved Security Vulnerabilities:

    • CVE 2019-0199
    • CVE-2019-0221
  • The scrollback buffer is updated when the host sends a DECSNLS command to increase lines/screen beyond screen size

12.4 Known issues

We are aware of these issues.

  • Resolved in version 13.0 Hotfix 2: X.509 authentication fails when using a hard certificate (smart card) and the Reflection for the Web Launcher.

    When MSS is configured for X.509 authentication and the Reflection for the Web Launcher deployment option is selected, authentication fails when logging in with a hard certificate (smart card). A workaround is available.

    Note: X.509 authentication succeeds when using either a soft certificate or the Oracle JRE.

  • The EULA appears in English. When the Reflection for the Web Launcher installer is run in a non-English language, the English EULA appears.

  • Transparent NTLMv2 authentication is disabled by Java by default.

    Users can still authenticate using this protocol, but they must enter their credentials into a challenge dialog. Transparent authentication can be re-enabled. Contact Support for assistance.

  • SiteMinder browser-based Basic authentication does not work with the Reflection for the Web Launcher because the authentication token (cookie) is not passed to the Launcher.

  • Specifying a protocol prefix of MFJNLP in the URL does not work.

  • Upgrading custom static sessions is not supported

Reminder: TLS is required for security.

13.0 Resources

13.1 About Upgrading

The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.

13.2 If you are evaluating

When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.0.

Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Evaluating Reflection for the Web.

Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.

13.3 Technical Resources

Security Updates:

Support Resources

Support resources include Knowledge Base articles and Contact Support information.

Reflection for the Web Documentation:

  • Reflection for the Web Installation Guide

  • Reflection for the Web Reference Guide, includes:

    • API and Scripting
    • Using ECL
    • Applet Attributes and Parameters
    • HTML Samples
    • Host-initiated RCL Support

Management and Security Server (MSS) Documentation: