Reflection for the Web - Release Notes

December 2021

1.0 Version 13.2 Hotfix 2

released December 2021

1.1 Resolved issue:

  • Log4j library updated to version 2.17.0 to mitigate CVE 2021-45105

2.0 Version 13.2 Hotfix 1

released December 2021

2.1 Resolved issue:

  • Log4j library updated to version 2.16.0 to mitigate CVE-2021-44228 and CVE-2021-45046

3.0 Version 13.2

released September 2021

3.1 What’s New in 13.2

All releases are cumulative, and contain the features introduced in earlier releases, including the version 13.1 updates.

Features

  • TLS 1.3 connections

    TLS 1.3 is now supported and enabled. Other TLS settings are available and vary with the type of connection being configured.

    • From the Reflection for the Web client to the host: None, TLS 1.3, TLS 1.2, or a range.

    • From Reflection for the Web client to MSS 12.8: TLS 1.3.

      Refer to your browser’s documentation to ensure that TLS 1.3 is supported.

    • From the Reflection for the Web client to the MSS Security Proxy Server: TLS 1.3, TLS 1.2, or a range.

    NOTE: TLS 1.0 is no longer supported

    When upgrading, any Reflection for the Web sessions that previously had TLS 1.0 selected will be automatically updated to the range of TLS 1.3, TLS 1.2. Otherwise previous settings may remain intact.

  • TLS display in status bar

    The Reflection for the Web status bar displays the configured TLS version and its historical identification in parentheses, such as TLSv1.3 (3.4) 128-bit AES SHA2. The historical version, (3.4) in this example, will likely be removed in a future release.

  • Assigned Sessions List

    Beginning with version 13.2 (MSS 12.8), Reflection for the Web sessions are launched using the HTML-based MSS Assigned Sessions List, which requires the Reflection for the Web Launcher.

    These technologies replace the Oracle JRE and the JRE’s browser plug-in, thereby enabling you to stay current with security updates while removing the need to pay Oracle for licensing.

  • Ability to centrally manage networking settings for the Reflection for the Web Launcher

    Use the provided Windows PowerShell script along with Microsoft Installer (MSI) technology to manage networking settings, such as those for a web proxy. For more information, see the Reflection for the Web Installation Guide.

    Note: When upgrading the Reflection for the Web product, you must also update the Reflection for the Web Launcher.

  • Support for SAML authentication using MSS

Third-party software changes

  • Updated JRE (Azul OpenJDK) to 1.8.0_302 in the RWeb Launcher and RWeb standalone. MSS also uses this version.

  • Updated Apache Tomcat to v9.0.52

3.2 Compatibility requirements

Reflection for the Web includes Host Access Management and Security Server (MSS) to create, manage, and secure your host sessions. Versions must be compatible to implement security updates and other integrated functions.

When upgrading, be sure these components are updated to compatible versions:

  • Management and Security Server (MSS) 12.8: installed with Reflection for the Web 13.2

    The Reflection for the Web automated installer provides the option to install both products as a chained installation.

  • Reflection for the Web Launcher: same version as the Reflection for the Web product (13.2)

    See the Reflection for the Web Installation Guide for details about installing and distributing the Reflection for the Web Launcher.

  • Security Proxy: same <major>.<minor>.<update> version as MSS (12.8.<n>)

For information about using Management and Security Server, see the MSS Administrator Guide.

3.3 Changes in Behavior and Usage

Some new features require a new way of working with Reflection for the Web. Check the list to see which features have changed in Reflection for the Web version 13.2 (MSS 12.8) and higher.

  • Ability to launch RWeb sessions using the Oracle Java browser plugin has been deprecated. Instead, use the Reflection for the Web Launcher.

  • The Reflection for the Web links list has been replaced with the MSS Assigned Sessions list.

  • Ability to define and use Custom Login pages (templates) has been removed.

  • Ability to specify the codebase and pluginspage attributes for the Object tag has been removed.

  • Ability to specify launching modes for the Reflection for the Web Launcher has been removed.

    All Reflection for the Web sessions are now launched using the MSS Assigned Sessions list or by launching an *.MFJNLP file directly. This change includes the localized strings for the RWeb Launcher landing page.

  • Ability to configure and use auto-launched sessions has been removed. Instead, individual sessions can be launched directly using a session link.

  • Ability to configure and use embedded sessions is no longer supported. Instead, all sessions are now framed.

  • The Java LiveConnect feature (Java to JavaScript bridge) is no longer supported.

  • Static unprotected sessions are no longer supported.

3.4 Resolved issues

since Reflection for the Web 13.1 Hotfix 7:

  • Download clutter from the browser's caching of MFJNLP files has been resolved.

  • General issues surrounding Web Proxy support have been resolved.

  • For HP emulation, the destructive backspace now works correctly.

  • When using the Reflection for the Web Launcher, language selection now works correctly.

  • In the RWeb SDK, the keystoreLocation property now correctly reads the new BCFKS keystores.

3.5 Known issues

If you encounter an issue in Reflection for the Web, contact Customer Support for assistance.

  • Long delays seen on headless platforms, particularly during installation or at product runtime, when using the RWeb SDK.

    In some environments, such as headless server-based installations, cryptographic operations can strain the Java Virtual Machine's entropy source. An insufficient pool of entropy can result in long delays during server startup and at other times while additional entropy is collected.

    To remedy the issue: Install either a hardware-based random number generator or a software-based entropy daemon, such as Haveged or Rng-tools. Note: Some platforms already install and enable an entropy service by default.

    For more information, see the Knowledge base article, Ensuring Sufficient Entropy.

4.0 Resources

4.1 About Upgrading

The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.

4.2 If you are evaluating

When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.2.

Follow the steps in the Installation Guide to install Reflection for the Web, and then walk through the evaluation scenario presented in Evaluating Reflection for the Web.

Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.

4.3 Technical Resources

Security Updates:

Support Resources

Support resources include Knowledge Base articles and Contact Support information.

Reflection for the Web Documentation:

Management and Security Server (MSS) Documentation: