Environment
Situation
Reflection for Secure IT Windows Client 7.1 Service Pack 2 (SP2) is available for maintained customers. This technical note provides information about how to obtain your service pack and a list of features and fixes included in SP2. (Note: There was no Service Pack 1 for Reflection for Secure IT Windows Client 7.1.) This note also includes a list of features and fixes in Reflection FTP Client 14.0 SP7, which ships with Reflection for Secure IT Windows Client.
Note the following:
- This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products.
- Reflection for Secure IT version 7.2 is available beginning June 2010. For a list of new features in 7.2, see KB 7021989.
- For a list of features originally included in Reflection for Secure IT Windows Client 7.1, see KB 7021986.
Resolution
Obtaining Your Service Pack
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For information about logging into and using the Download Library, see KB 7021965.
New Features and Fixes in Reflection for Secure IT 7.1 SP2
The following new features and resolved issues are included in Reflection for Secure IT Windows Client version 7.1 Service Pack 2.
New Features in 7.1 SP2
- Configure Reflection Certificate Manager to store trusted certificates in a shared location.
A new option, Store trusted certificates in the common application data folder, is now available in the Reflection Certificate Manager on the Trusted Certificate Authorities tab. By default, trusted roots are added to a user-specific location. When this option is selected, trusted roots are saved to the following location, which makes them available to all users of the computer:
common_application_data_folder\Attachmate\Reflection\.pki\trust_store.p12.
Note the following:
- If a shared store exists, trusted roots are read exclusively from the shared store. Trusted roots you have configured for individual user accounts no longer have any effect.
- To revert to user-specific trusted root stores after creating a shared store, you must delete or rename the shared trust_store.p12 file. If you simply clear this setting, subsequent changes will modify your personal store, but the personal store continues to have no effect on Reflection's behavior as long as trust_store.p12 is still present in the common application data folder.
- If the operating system has been configured by the administrator to deny users write access to common_application_data_folder\Attachmate\Reflection, this setting is not available to those users and they will not be able to modify items in the shared trusted root store.
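The following PowerShell audit is an added example for the shared-store behavior described above, not Attachmate code. It reports whether the shared trust_store.p12 exists (in which case per-user trusted roots are ignored) and which principals outside an assumed administrator list hold write-type rights on the folder, the .pki subfolder, or the store file. The function name and the default `$ExpectedWriters` list are assumptions; the relative store path is the one given in this note.

```powershell
# Added example (not Attachmate code). The store path is the one given in this note;
# the $ExpectedWriters default is an assumption to adjust for your site.
function Get-ReflectionSharedTrustStoreAudit {
    param(
        [string]$CommonAppData = [Environment]::GetFolderPath('CommonApplicationData'),
        [string[]]$ExpectedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $folder = Join-Path $CommonAppData 'Attachmate\Reflection'
    $store  = Join-Path $folder '.pki\trust_store.p12'

    # Specific rights that let a principal create, replace or delete the store,
    # plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x50000000

    # Inspect the folder named in this note, the .pki subfolder, and the store itself.
    $findings = foreach ($path in $folder, (Split-Path $store -Parent), $store) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $ExpectedWriters -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path     = $path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }

    [pscustomobject]@{
        SharedStorePath   = $store
        # When True, trusted roots are read exclusively from the shared store.
        SharedStoreExists = Test-Path -LiteralPath $store -PathType Leaf
        # Principals not in $ExpectedWriters that can modify the shared store.
        UnexpectedWriters = @($findings)
    }
}

Get-ReflectionSharedTrustStoreAudit | Format-List
```

Any entry under UnexpectedWriters identifies an account that can change the trusted roots used by every user of the computer once the shared store is in place.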
Resolved Issues in 7.1 SP2
- Security fix for vulnerabilities in Microsoft Active Template Library (ATL).
This service pack addresses vulnerabilities described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution.
- CPU management for Secure Shell sessions running in Citrix environments.
Improvements have been made to how CPU is managed in Citrix environments.
- Rekeying when host key is not present no longer disconnects the session.
The client now presents the unknown host key prompt if a rekey occurs and the host key is not present.
- Reflection Certificate Manager correctly handles removing and reinserting a token.
The PKCS #11 tab of the Reflection Certificate Manager includes a setting called "Disconnect automatically when token is removed." Prior to this service pack, removing the token correctly triggered a disconnect, but reinserting it caused the client to close unexpectedly. This service pack fixes this issue; you can now reinsert your token and connect again.
- Banner text wraps correctly.
The client now correctly handles new line requests in banners displayed in Secure Shell connections. This fixes a problem that was reported with SP 6.
- scp transfer now returns non-zero return codes when an error occurs.
Prior to this service pack some failing scp transfers returned a zero error code. This was reported for transfers in which the error was "Access is denied" and "The system cannot find the path specified." These errors now return the appropriate non-zero error codes.
- Host logout is now successfully displayed during Secure Shell sessions.
This service pack resolves a problem reported with Secure Shell connections that sometimes resulted in no host logout message being displayed in the Reflection terminal window.
- Window-change requests no longer cause the Secure Shell connection to fail.
Reflection no longer sends incorrect pixel values with the client's Window-change request. This resolves a problem that caused the Secure Shell connection to be terminated when using the BalaBit Shell Control Box.
- Smart card authentication no longer fails with a provider exception error for some manufacturers.
Prior to this service pack, some smartcard hardware and software configurations led to authentication failures with the error "ProviderException (11) when attempting to sign data." This problem has been resolved.
- Recursive scp copies now include the top-level directory.
After execution of the command, scp -r user@host:Demo, the directory "Demo" is now created on the server. Previously, only files and subdirectories contained within "Demo" were copied to the server.
- Password error messages from the server are now displayed.
During Secure Shell password authentication, error messages from the server are now displayed in the Reflection window.
- Authentication with a certificate stored in the Key Agent.
Authentication now succeeds when you authenticate using a valid certificate stored in the Reflection Key Agent.
- Kerberos "Use Window Logon" option is now dimmed on systems that don't support it.
The "Use Window Logon" option is not available on some 64-bit operating systems, which don't support this option. Previously, attempts to use this option on these systems caused an unexpected shutdown. The control is no longer available to set on systems that don't support it.
- Default values can now be saved to the user's configuration file.
The default value of a setting configured using the Reflection Secure Shell Settings dialog box is now written to the user-specific config file if and only if a non-default value for that setting is configured in a system-wide ssh_config file. Also, if a user adds a default value by manually editing the user-specific configuration file, the default value is honored and not removed from the user's file.
- Values from the global configuration file are no longer written to the user-specific file.
Prior to this service pack, if a global configuration file was present, any non-default values in the global file were written to the user-specific file when the user made any changes using the Secure Shell Settings dialog box. Settings configured in the system-wide ssh_config file no longer have any effect on user-specific config files.
- Remote commands that include spaces now execute correctly.
If you specify a remote command that includes spaces as part of an ssh command line, the remote command is now executed as expected.
- Support for hmac-sha256 and hmac-sha512 Message Authentication Code (MAC) algorithms.
The client now supports the hmac-sha256 and hmac-sha512 MACs. The client now proposes the following MACs by default (in this order): "hmac-sha1,hmac-sha256,hmac-sha512,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96".
New Features and Fixes in Reflection FTP Client 14.0 SP7
The following new features and resolved issues apply to Reflection FTP Client 14.0 SP7, which ships with Reflection for Secure IT 7.1 SP2.
Note: See the updates in the sections above for additional new features and resolved issues that affect SFTP connections.
New Features in Reflection FTP Client 14.0 SP7
- Preserve timestamps and file attributes during SFTP transfers.
A new site-specific setting, Preserve timestamps and file attributes, is available for SFTP transfers. When this option is selected, file attributes and timestamps are not modified when files are transferred to and from the server. To configure this setting, select your site, click Security, then click the Secure Shell tab. Note: Selecting this setting sets PreserveTimestamps in the Secure Shell configuration file.
- Configure default file attributes for uploads and downloads.
You can now configure global default attributes for file transfers to and from any server using Tools > Options > Attributes. (Note: To be able to specify non-default attributes during a file transfer, go to the Site Properties dialog box. On the Transfer tab, enable Show upload options before transfer and/or Show download options before transfer.)
- Server view filter is now supported for SFTP connections.
File view filters (configured using either View > Filter or Site Properties > Directories > File view filter) are now supported for SFTP connections.
Resolved Issues in Reflection FTP Client 14.0 SP7
- Intermittent "File or directory not found" errors no longer interrupt transfers made using the FTP Client API.
This service pack resolves a problem that caused intermittent errors in transfers made using the FTP Client API. The error interrupted program execution and reported "File or directory not found" even though the required files were present on the server and the program was able to execute successfully on many other attempts.
Supported Platforms in 7.1 SP2
For information about platform support in Reflection for Secure IT, see KB 7022010.
Additional Information
Legacy KB ID
This document was originally published as Attachmate Technical Note 2471.