Environment
Situation
This technical note provides information about the use of Java in Micro Focus terminal emulation products and related components.
Use the guidelines in this document and your product's documentation and technical notes posted to our support web site (see https://support.microfocus.com/product/choose.html) to determine if and how your product uses Java, and to decide if you need to upgrade your version of Java.
Note: Current information about security updates and your product is on our support web site, https://support.microfocus.com/security/.
Resolution
How Java Is Used in Micro Focus Products
There are four different ways Java is used by components of Micro Focus products. Many Micro Focus products do not use Java at all. For information about Java dependencies in your product, see Java Usage Summary and Product-specific Usage.
Micro Focus Java-based products use Java in these ways:
- Java server applications. Server applications are intended to run unattended and have continuous uptime measured in weeks or months. Server applications run in a Java virtual machine with service privileges. Note that applets that may be available as part of the server product are distinct components, and are discussed separately in this note.
- Java desktop applications. Desktop applications are installed for use by end users. Desktop applications run in a Java virtual machine with user privileges.
- Applets. These run in a client web browser and are delivered by a web server. Not all Micro Focus Java server products have applets. Applets require that a Java plug-in be installed and enabled within the user’s browser and have only the privileges defined in the applet.
- Java Web Start (JNLP). Like applets, Web Start applications are delivered by a web server. However, these applications can run outside the browser and do not require the browser to have a Java plug-in installed. JNLP must be enabled. By default, when Java is installed, it also enables JNLP in the browser.
Private vs. Shared Java
When Java is required by a Micro Focus product, it may be installed with the product or you may be required to install Java as a prerequisite before you can install your Micro Focus product. Java that is installed with the product is referred to in this note as "private." Java that you install prior to installing your Micro Focus products is referred to as "shared." Some Micro Focus products use a combination of Java instances, such as private Java on the server and shared Java on the client desktop.
Note: Desktop and Server products may use either a private or a shared JDK or JRE. Applets and Web Start always use a shared JRE.
Characteristics of Private Java
- By default, only the Micro Focus product that installs it uses the private copy of Java, and you should never configure other applications to use this copy. Because other applications will not use this version of Java, Micro Focus can modify it without affecting other applications on the system.
- Using a private Java simplifies installation, and enables Micro Focus to update the Java version when you install Micro Focus product updates.
- Using a private Java enables Micro Focus products that require stronger encryption to replace the default Java security policy files during the Micro Focus product installation.
- Using a private Java enables better control of the runtime environment. Micro Focus can extensively test with the version of Java that is embedded with the product, and your installed Micro Focus product will run using the tested version.
- With some Micro Focus products, you have the option of replacing the private Java with a newer version. Depending on your Micro Focus product, you may be able to install the newer Java using an updated Micro Focus Java installation package, or you may have to install the newer version directly from the Java provider (typically Oracle). If you install directly from the Java provider, you will need to make any required modifications to the new version (such as enabling stronger encryption) and configure the Micro Focus product to use the newer version.
Characteristics of Shared Java
- You must install the shared JRE (or JDK) as a prerequisite to installing the Micro Focus product.
- To upgrade the JRE or JDK used by a Java server or desktop application, you must install the newer version, make any required modifications (such as enabling stronger encryption), and configure your product to use the upgraded copy.
- On Windows systems, you can use the automatic update feature of Java to update the JRE used by browsers and other Java-based applications (including Micro Focus applets or Web Start applications).
Java Usage Summary
The applications listed in this table may be available as separate products or as components in a combined product package.
- Java Server components run with service privileges.
- Java Desktop components run with user privileges.
- Java Applets run in a client web browser, thus requiring a Java plug-in to be installed and enabled on users' systems. Applets have only the privileges defined in the applet.
- Java Web Start applications require JNLP to be enabled in the web browser (as it is in default Java installations). However, JNLP applications can run outside the browser and do not require a Java plug-in to be enabled.
| Product | Java Server | Java Desktop | Applet | Web Start |
|---|---|---|---|---|
| EXTRA! X-treme | no | no | *See note below | no |
| Reflection ZFE | yes | no | *Just for Admin | no |
| Reflection for UNIX and OpenVMS 14.x, Reflection for IBM 14.x, Reflection for HP 14.x, Reflection X 14.x | no | no | *See note below | no |
| Reflection Desktop for UNIX and OpenVMS, Reflection for UNIX and OpenVMS 2014, Reflection Desktop for IBM, Reflection for IBM 2014 | no | no | *See note below | no |
| Reflection X Advantage | private, optional | private | *See note below | 5.0 - no; 4.2 or earlier - shared, optional |
| Reflection for the Web 12.3, 12.2, 12.1 | private or shared | optional | shared | optional |
| Host Access Management and Security Server (MSS) | private or shared | no | shared | no |
| Reflection for Secure IT Client for Windows, Reflection for Secure IT Server for Windows, Reflection for Secure IT Client and Server for UNIX | no | no | no | no |
| Reflection for Secure IT Gateway | private | no | shared | no |
| Reflection PKI Services Manager | private | private, Windows only | no | no |
| Verastream Host Integrator | private | private | no | no |
| Verastream Bridge Integrator | no | shared | no | no |
| Verastream Process Designer | private | private | no | no |
| FileXpress Gateway | private | no | shared | no |
| INFOConnect | no | no | *See note below | no |
| DATABridge | no | no | shared, optional | no |
*Note: Applets are not used in these products when they are purchased and used alone. However, if you have also purchased Reflection Security Gateway or Reflection for the Web and use the Administrative WebStation to deploy sessions, a browser with a Java plug-in is required to launch those sessions.
Security Profiles and Cipher Strength
Micro Focus products use the most secure encryption ciphers by default, or recommend that you configure your product to use these ciphers. The default JRE and JDK versions of Java available from Oracle are not allowed to use the strongest ciphers, due to US export restrictions. In some cases private JDK and JRE installations included with Micro Focus products install policy files that provide access to the strongest ciphers. If you upgrade the JDK or JRE used by one of these products, you will also need to reinstall the unlimited strength policy files in the new JDK or JRE. Check your product's documentation and technical notes for information about upgrade procedures and how to re-enable the strong ciphers (https://support.microfocus.com/product/choose.html).
Note: If you upgrade Java using a Java installer provided by Micro Focus, you do not need to reinstall the unlimited strength policy files. The Micro Focus Java installer is currently available for Reflection X Advantage 5.0 on Windows (installed with Reflection X 2014 or Reflection Pro 2014).
Micro Focus Java-based products that support FIPS 140 (a US Government standard for cryptography) install a FIPS-validated cryptographic module to replace the Oracle cryptographic module. Use of this cryptographic module is limited to Micro Focus products through the use of the private JDK or JRE. For more information about products with FIPS-validated cryptography, see KB 7021285.
Java Vulnerabilities
Oracle periodically fixes reported vulnerabilities and issues new releases of its Java platforms. Micro Focus tracks these updates in order to assess the possible impact on our Java-based products. The following guidelines describe this process:
- Security policies vary widely among our customers and, as a result, it is impossible for Micro Focus to determine the exact impact that a Java update will have on individual customers and make recommendations that will apply to all customers.
- Micro Focus will assess whether a vulnerability that was addressed in an update is likely to be exposed within specific products. A Java vulnerability may only affect desktop applications, for instance, and we can flag the products that are in that category. If Micro Focus learns of a significant vulnerability that affects a Micro Focus product and can be addressed by updating the JDK or JRE, this information is added to our product-specific Security Update technical note (available from https://support.microfocus.com/security/). If a specific update from Oracle is getting a lot of attention due to a reported security vulnerability, we may also provide information about which products are not affected.
- Micro Focus cannot provide assessment information on every update of a JDK or JRE from Oracle. Oracle often does not provide sufficient technical details for us to know whether the update could affect our products or customers.
- Some Micro Focus products support other vendors’ JDK or JRE releases (for instance, IBM and HP). A reported vulnerability in one vendor’s product does not mean it is applicable to another vendor’s version.
- Micro Focus does not always notify customers directly when a determination is made. We recommend that you monitor our support site, or set up an alert (through our RSS feed, Google, or another vendor).
Java Applets and Java Web Start
Applets, which run in browsers using Java plug-ins, frequently receive significant attention as a security concern. The following notes about Java applets also apply to Java Web Start applications, which use a closely related technology.
- A Java applet runs in a different environment than the Java-based server that launched it. A Micro Focus Java-based server will often use a private JDK, while an applet will use whatever JRE is installed on the client machine. This means the security posture for the server is very different from that of the applet.
- Concerns raised about applets are not that any legitimate vendor’s applet is an attack vector, but that the JRE environment in which an applet runs can, in certain situations, allow a malicious applet to run. A malicious applet is very similar to any other malware: it tries to exploit a weakness in Java just as other forms of malware exploit a weakness in the operating system. There are many measures available to eliminate the weaknesses that operating system malware targets, and the same holds true for malicious applets.
- All Micro Focus Java applets delivered by a Micro Focus server product can use HTTPS. We strongly recommend that the host certificate from the server be issued by a verifiable CA.
- All Micro Focus Java applets are signed by a CA-issued certificate. This, and the HTTPS host certificate, helps protect the end user, who should never visit web sites or allow content into his browser that comes from a non-trusted source. Administrators can enforce this practice through desktop policies.
General Recommendations
You can optimize the security environment for your end users without disabling their use of a Java plug-in with the following steps:
- Configure your servers to always use HTTPS for the protocol that delivers a Java applet, and always use a host certificate issued by a verifiable CA.
- Do not allow your users to accept content that comes from an untrusted source. All Micro Focus applets are signed (or can be signed) by a verifiable, trusted CA-issued signing certificate.
- Check the Micro Focus support site when you have questions about updates to Java platforms (JDK or JRE).
- Keep current whenever possible on Java updates.
Product-specific Usage
Some of our products have an indirect dependency on Java. For instance, Reflection for Secure IT Server for UNIX (a native mode application) can interact with PKI Services Manager (a Java Server component), but this is optional and the installations of the two are not linked.
EXTRA! X-treme
EXTRA! X-treme does not use Java except in the following instance: if you have also purchased Reflection Security Gateway (available Fall 2013) and use the Administrative WebStation to deploy EXTRA! 9.3 or higher sessions (including FTP sessions), a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
Reflection ZFE
Reflection ZFE's Session Server uses a privately installed JDK that is updated when the product releases. This may occur with a hotfix, service pack, or full release.
Reflection 14.x
Reflection 14.x products do not use Java except in the following instance: if you have also purchased Reflection Administrator, Reflection Security Gateway, or Reflection for the Web in addition to Reflection 14.x, and use the Administrative WebStation to deploy sessions (including FTP sessions), a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
Reflection Desktop, Reflection 2014
The Reflection Workspace and Reflection FTP Client do not use Java.
If you have also purchased Reflection Security Gateway or Reflection for the Web and use the Administrative WebStation to deploy Reflection sessions (including FTP sessions), a browser with a Java plug-in is required to launch those sessions.
Some Reflection 2014 and 2011 products include the Reflection X Advantage component described separately below.
Reflection X Advantage
A Java Runtime Environment (JRE) is required for all Reflection X Advantage applications and services. Oracle periodically provides security updates for Java. Micro Focus assesses the impact of Java security vulnerabilities on Reflection X Advantage and supplies updated installation packages as needed to provide customers with Java security fixes.
The options available to you for installing Java updates depend on which version of Reflection X Advantage you are running.
Version 5.0 (Included in Reflection 2014 Products)
Reflection X Advantage 5.0 installs a private Java by default. On Windows, this installation is accomplished using a separate Java installation package. The Java installation package runs automatically when you install using the Setup user interface and include the "Java Runtime Environment (JRE)" feature (the default). On UNIX systems, Java is included in the Reflection X Installer, not as a separate installation package.
* Installing Updates to the Default Copy of Java (Windows only)
Micro Focus provides updated Java installers as needed when a Java security vulnerability affects Reflection X Advantage. You can download the updated version and apply it independently of any updates you apply to the main Reflection installer package. For more information, see KB 7021833.
* Installing Updates Directly from Oracle
If you prefer to update Java more frequently, you can monitor the Oracle site and install Java directly using the Oracle JDK installer (which installs the server JRE).
On Windows, to use this option, you need to deselect the "Java Runtime Environment (JRE)" feature in the Reflection installer and configure a Windows environment variable (RXA_JRE_HOME) to direct Reflection X Advantage to use the non-default JRE. For full functionality, you also need to apply the Java Cryptography Extension. For details, see "Changing the JRE" in the Reflection X Advantage Help (https://docs.attachmate.com/reflection/rxa/5.0/en/tshelp/rxa_change_jre.htm).
On UNIX or Linux systems, to update Java, see KB 7021834.
Note: If you don't install the default Java and also don't configure the RXA_JRE_HOME environment variable, Reflection X Advantage attempts to find a system JRE already installed using the Oracle installer. Relying on this option is not recommended. The default JRE installed from a browser does not include unlimited strength cryptography files and installs the client, not the server JRE.
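The checks implied by the note above and by "Security Profiles and Cipher Strength" can be run against a replacement JRE before the product is pointed at it. The following is an added example, not Micro Focus code: the class name JreCheck is hypothetical, the server-VM test is a heuristic for HotSpot-based JREs, and it assumes RXA_JRE_HOME holds the JRE or JDK installation directory.

```java
import java.io.File;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

// Added example, not Micro Focus code. Compile it, then run it with the java
// binary of the JRE the product will use (for example, the one that
// RXA_JRE_HOME points to), so that the answers describe that JRE.
public class JreCheck {

    // With the limited (export) policy files AES is capped at 128 bits;
    // with the unlimited strength files the cap is Integer.MAX_VALUE.
    static boolean unlimitedCrypto() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Heuristic: HotSpot-based JREs report "... Server VM" or "... Client VM".
    // Other vendors' VMs may report neither, so treat a failure as "check manually".
    static boolean serverVm() {
        return System.getProperty("java.vm.name", "").contains("Server");
    }

    // True when the running JRE lives in or under the given directory.
    // Assumption: RXA_JRE_HOME holds the JRE or JDK installation directory.
    static boolean runsFrom(String configuredHome) throws IOException {
        File running = new File(System.getProperty("java.home")).getCanonicalFile();
        File wanted = new File(configuredHome).getCanonicalFile();
        return running.toPath().startsWith(wanted.toPath());
    }

    public static void main(String[] args) throws Exception {
        boolean ok = true;
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vm.name = " + System.getProperty("java.vm.name"));

        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (aesMax == Integer.MAX_VALUE ? "unlimited" : aesMax + " bits"));
        if (!unlimitedCrypto()) {
            System.out.println("FAIL: unlimited strength policy files are not in effect");
            ok = false;
        }
        if (!serverVm()) {
            System.out.println("FAIL: VM name does not identify a server VM");
            ok = false;
        }
        String rxaHome = System.getenv("RXA_JRE_HOME");
        if (rxaHome == null) {
            System.out.println("NOTE: RXA_JRE_HOME is not set in this environment");
        } else if (!runsFrom(rxaHome)) {
            System.out.println("FAIL: this JRE is not the one under RXA_JRE_HOME (" + rxaHome + ")");
            ok = false;
        }
        // A non-zero exit code lets a deployment script stop before the product is reconfigured.
        System.exit(ok ? 0 : 1);
    }
}
```

Run the check again after every Java upgrade, because replacing the JDK or JRE also replaces its policy files.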
Version 4.2 and Earlier (Included in Reflection 2011 Products)
Prior to version 5.0, all Reflection X Advantage installations included a private copy of Java directly in the product installer.
Reflection for the Web 12.3, 12.2, 12.1
The terminal emulation and file transfer components are typically deployed as applets in a web browser, and require a Java browser plug-in. Two applets, the Login applet and Links List applet, are used to authenticate users and deploy sessions to authorized users.
The terminal emulation and file transfer components can optionally be deployed as desktop applications rather than as applets. This feature is optional and requires customization.
The terminal emulation and file transfer components can optionally be deployed using Java Web Start (JNLP).
The Management Server, Security Proxy Server, Metering Server, and ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.
Host Access Management and Security Server (MSS)
Two applets, the Login applet and Links List applet, are used to authenticate users and deploy sessions to authorized users.
The Management Server, Security Proxy Server, Metering Server and ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.
Reflection for Secure IT
In this product family, Reflection for Secure IT Web Edition uses Java; the other Reflection for Secure IT products do not use Java.
- Reflection for Secure IT Web Edition contains both a Java Server and a Java applet.
- The installer for the server installs a private JRE that is updated when Reflection for Secure IT Web Edition releases; this may occur with a hotfix, service pack, or full release. You can also manually update the JRE.
- The applet is signed by a CA-issued certificate and served via HTTPS.
Reflection PKI Services Manager
This is an optional component of many Micro Focus products. It can be used with the Reflection for Secure IT Server and Client for UNIX, Reflection for Secure IT Server for Windows, Reflection for Secure IT Web Edition, Reflection for the Web 2014, Reflection Security Gateway 2014, and Reflection X Advantage.
Reflection PKI Services Manager installs a private JRE that you can upgrade. Refer to the product documentation (https://docs.attachmate.com/reflection/pki/1.2_hf2/html/24363.htm) for details on how to upgrade the JRE. This component falls into the Java Server usage pattern.
Verastream
Verastream products use Java in the following ways:
- Host Integrator – The Session Server, Management Server, Web Server, Log Manager, and Administrative Console all use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.
- Bridge Integrator – The Bridge Designer, Transaction Studio, Requestor Clients, and Trace Player all use the shared Java JDK installed by you, and JDK updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
- Process Designer – The Process Server and Process Design Studio use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.
Note: For Verastream products run on AIX and Linux on System z, Verastream uses the Java version that is on the system, and Java updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
INFOConnect Enterprise Edition, INFOConnect Desktop
INFOConnect does not use Java except in the following instance: if you have also purchased Reflection Administrator, Reflection for the Web, or Reflection Security Gateway (available Fall 2013) and use the Administrative WebStation to deploy INFOConnect sessions, a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
DATABridge
The only component of DATABridge that uses Java is the DATABridge console, which is part of the DATABridge client. It is possible (and common) to use the DATABridge client from the command line, in which case you do not need to use the console. The other DATABridge components (including DATABridge host and DATABridge Enterprise) do not use Java.