released October 2021
Java Security update 1.8.0_312
released July 2021
Java Security update 1.8.0_302
released May 2021
Java Security update 1.8.0_292
Updated Apache HTTP components
released January 2021
Java Security update 1.8.0_282
Updated Apache Tomcat to v9.0.39 for the remote/stand-alone installation of Reflection for the Web.
released October 2020
Java Security update 1.8.0_272
Updated Tomcat, Spring, and Jackson libraries to the latest available security release for the remote/stand-alone installation of Reflection for the Web.
released July 2020
Java Security update 1.8.0_262
released April 2020
Java Security update 1.8.0_252
Updated Tomcat to v9.0.33 for the stand-alone installation
Updated Management and Security Server (MSS) to version 12.6.3, which is required to manage and secure your Reflection for the Web sessions
A workaround is available for Security Vulnerability CVE-2020-1938. See 7024548 for details.
released January 2020
Java Security update 1.8.0_242
Updated Management and Security Server (MSS) to version 12.6.2, which is required to manage and secure your Reflection for the Web sessions
released November 2019
Two enhancements were added for use with the Reflection for the Web Launcher.
To prevent the accidental closure of emulator sessions, a Warning displays when sessions are open and the user attempts to close the links list applet.
The links list applet is hidden when not needed (after successful authentication).
released October 2019
Features and Updates | Resolved issues
Updated Reflection for the Web Launcher to version 1.2.0.
Reflection for the Web Launcher 1.2.0 includes a batch file, RWebLauncher-settings.bat, to start a GUI application that enables you to configure debug logging, certificates, caching, and client-side network settings for proxy servers.
The file is available from your Reflection for the Web Launcher installation location. (The default is \...\AppData\Local\Apps\Micro Focus\Reflection for the Web Launcher.)
Reflection for the Web Launcher applet displays only Reflection for the Web sessions.
In the Reflection for the Web client, added a Connection Setup option to use TLS 1.0 exclusively.
Updated Management and Security Server (MSS) to 12.6.1, which is required to manage and secure your Reflection for the Web sessions.
Java Security update 1.8.0_232
JRE security updates are provided for the Reflection for the Web Launcher (in the RWebLauncher.msi file), the installer, and for stand-alone operation of Reflection for the Web.
Updated Tomcat to version 9.0.22 for the stand-alone installation.
X.509 authentication works when using the Reflection for the Web Launcher.
Fonts scale correctly when printing from an IBM 5250 Printer session.
When using the Reflection for the Web Launcher, the logging messages correctly appear in the Java Console, when "Write client debug output to console” is checked on the MSS Administrative Console - Logging panel.
Saving an edited Reflection for the Web session to the MSS Administrative Server does not automatically launch the session if APPLET tag was selected in Configure Settings - General Settings.
released August 2019
Java Security update 1.8.0_222
JRE security updates are provided for the Reflection for the Web Launcher (in the RWebLauncher.msi file) and for stand-alone operation of Reflection for the Web.
A workaround is available for X.509 authentication when using a hard certificate (smart card) and the Reflection for the Web Launcher. Contact Support for assistance.
Resolved Security Vulnerabilities:
released July 2019
Features | Compatibility requirements | Resolved issues | Known issues
Introduced Reflection for the Web Launcher, a private client-side application that installs an OpenJDK 8 JRE with Web Start (JNLP) to launch Reflection for the Web sessions.
With the Reflection for the Web Launcher, the end-user workstations no longer require Oracle’s JRE, the Oracle Java browser plug-in, or the Netscape PlugIn API (NPAPI). The Reflection for the Web Launcher can be used with any browser, including Google Chrome, Mozilla Firefox, or Microsoft Edge.
MSS administrators, however, still need Internet Explorer 11 and the Oracle Java plug-in to create and manage Reflection for the Web sessions in the Administrative Console.
Note: JRE security updates will be provided in an .msi file in Reflection for the Web product updates.
As you phase out Oracle’s JRE or the Oracle Java plug-in, choose the appropriate deployment option for your environment: Standard, Hybrid, or Launcher. Details are in the Reflection for the Web Installation Guide.
Updated Management and Security Server (MSS) to 12.6, which is required to manage and secure your Reflection for the Web sessions.
Note: MSS requires 3.40 GHz (4 cores) and 8GB of RAM.
Updated Apache Tomcat to 9.0.19.
Renamed the Automated sign-on macro feature to Secure logon macro.
Reflection for the Web 13.0 includes Host Access Management and Security Server 12.6 to create, manage, and secure your host sessions.
The Reflection for the Web automated installer provides the option to install both products, even though the products are installed independently. Versions must be compatible to implement security updates and other functions.
NOTE:The Security Proxy (and any MSS Add-on product) must be the same <major>.<minor>.<update> version as Management and Security Server.
For example, when you upgrade to Reflection for the Web 13.0, which uses MSS version 12.6, be sure to upgrade the Security Proxy to version 12.6.
For information about using Management and Security Server, see the MSS Administrator Guide.
These issues have been resolved since version 12.3 SP1 Update 2.
Resolved Security Vulnerabilities:
The scrollback buffer is updated when the host sends a DECSNLS command to increase lines/screen beyond screen size
We are aware of these issues.
Resolved in version 13.0 Hotfix 2: X.509 authentication fails when using a hard certificate (smart card) and the Reflection for the Web Launcher.
When MSS is configured for X.509 authentication and the Reflection for the Web Launcher deployment option is selected, authentication fails when logging in with a hard certificate (smart card). A workaround is available.
Note: X.509 authentication succeeds when using either a soft certificate or the Oracle JRE.
The EULA appears in English. When the Reflection for the Web Launcher installer is run in a non-English language, the English EULA appears.
Transparent NTLMv2 authentication is disabled by Java by default.
Users can still authenticate using this protocol, but they must enter their credentials into a challenge dialog. Transparent authentication can be re-enabled. Contact Support for assistance.
SiteMinder browser-based Basic authentication does not work with the Reflection for the Web Launcher because the authentication token (cookie) is not passed to the Launcher.
Specifying a protocol prefix of MFJNLP in the URL does not work.
Upgrading custom static sessions is not supported
Reminder: TLS is required for security.
The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.
When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.0.
Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Evaluating Reflection for the Web.
Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.
Security Updates:
Support Resources
Support resources include Knowledge Base articles and Contact Support information.
Reflection for the Web Documentation:
Reflection for the Web Installation Guide
Reflection for the Web Reference Guide, includes:
Management and Security Server (MSS) Documentation:
MSS 12.6 Installation Guide
MSS 12.6.2 Administrator Guide (online Help)
© Copyright 2021 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.