Strategi Release Compatibility/Functionality Change Information

Product: Strategi
Modified Date:


This document highlights incompatibilities or functionality changes from one release to another. For a complete overview of technical modifications that have occurred through the development of the Strategi product, please refer to our release history.


Version V1R9

New Features and Benefits

  • LDAP authentication support added
  • PUSH file format PDF supported through new conversion server
  • Strategi Group output queue support
  • Improved webserving performance
  • COMSSERVER updated to allow the logged-in Strategi user number to be utilized in the GUIStyle applet for certain types of print handling
  • Newly designed Resources website
       - Emulation (Java 5250), Pushfeed and Change Your Password are now located in "User Resources"
       - SSL Installation is now located in "Admin Resources"
       - Webmaster, Pocket Strategi and Strategi/Remote can be downloaded by going to "User Resources" and selecting "Downloads"
  • Implemented Strategi/REMOTE module for connecting BusinessLink/REMOTE clients to Strategi.
  • Created managed event infrastructure allowing events from HTTP, Remote and pStrategi to be managed and executed in a manner consistent across services.
  • Java HSM API has been entirely rewritten moving as much support as possible to Java, and redesigning the API to fit better into a Java programming model. The API is now multi-thread capable. Note that for reasons relating to the management components, multiple server threads are currently still separate jobs.
  • WebCluster support extended to pStrategi. Strategi has been enhanced to allow HSM requests from the host to a server running on the pStrategi client.
  • New centralized emulation manager added to facilitate Strategi/REMOTE emulation, and to serve as the platform for all future emulation support.

Incompatibilities or Upgrade Considerations
  • The SNDSGIF and DLTSGIF commands have been updated for mutual compatibility:
       - MAXPOS parameter changed from 3 to 2 (SNDSGIF already at 2)
       - GROUP parameter changed to type *NAME for both commands
  • GUIStyle and Pocket Strategi are now separately licensed modules
  • Existing GUIStyle or Pocket Strategi users must have their ALWGUI and/or ALWPKT parameters changed to *YES to use those features
  • Java 1.2 or higher must be installed to use all available features; however, we recommend installing the latest Java version, 1.4, because 1.2 may impose locks on the QSYS/QPRINT file
  • Webmaster download now requires *READ access to the WEBMASTER zone within the Resources website
  • Resources website requires that a Flash plugin be installed
  • Resources website access via Netscape requires version 6.0 or higher
  • HsmServerInterface class deprecated: compiling classes that implement it will cause deprecation warnings.
  • The HSM server option API has added a new field for a return indication. The API remains compatible with existing code that does not pass the additional parameter
  • Command SNDSGISMTP is deprecated, being incorrectly named. It is replaced with SNDSMTSGI
  • Command RMVIFSTREE is deprecated. It is replaced by DLTDIRSGI
  • Command CRTIFSTREE is deprecated. It is replaced by CRTDIRSGI
  • Command CPYIFSTREE is deprecated. It is replaced by CPYDIRSGI
  • Command CHKHSMSVR parameter names have been changed
  • The CPYSGIGRP command keyword TOGROUP has been changed to NEWGROUP so as to be consistent with all other Strategi commands.
  • The exclude value '*' for SPF distribution generation has been changed to '*SUBDIR'
  • Peer Server Definition parameters have been changed to allow for LPAR system connections. SRLNBR parameter has been replaced with SYSID
  • User Account Expiration EXPIRY parameter has been changed

Version V1R8

New Features and Benefits
  • Enhanced emulation applet support - Host configurable connection port
    Configuring Strategi's emulation applet to connect to a port other than the default is now available. A few simple changes to the default set up and your Strategi emulation applet will connect to the host system on your newly configured port value.
  • New temporary mini web server for use during Strategi maintenance
    To provide a temporary web page display while the Strategi system is shut down, the Temporary HTTP Server is a small HTTP server designed to capture requests to specified HTTP address(es) and to respond with a single web page. This page contains the message: "This website is temporarily unavailable.", plus a default message of "Server down for maintenance.". You can replace the default message with a custom message.
  • New PTF retrieval mechanism for easily obtaining and applying PTFs
    Modeled after our successful Retrieve Strategi Product command, the Retrieve Strategi PTF command allows PTFs to be downloaded directly to your iSeries 400, where they can be immediately installed or saved for application at a later time.
  • Enhanced Strategi Tracking file maintenance support
    Modified and newly created Strategi commands allow you to take advantage of cleaning up old Strategi files based upon selection criteria. Getting rid of old reports pushed to your users has never been easier!
  • HSM File Upload: *CURRENT now allowed for the authorityzone property
    The special value of *CURRENT is now allowed for the authorityzone property. This special value, which is case sensitive, allows for securing with a zone located in a non-active (*SUSPENDED) or active website via aliasing. Its use is not limited to aliased zones, but provides added flexibility if using a Strategi zone on a non-active website for file upload purposes only. Prior to this, all zones used for securing the uploaded file required the zone be on an active website.
  • New *SYSTEM Opcode SETIFSAUT
    Sets standard authority and ownership for Strategi IFS objects. When publishing files to Strategi via HSM, and subsequently moving them to another location in a website or IFS location, the automated process that performs the move will become the object owner. SETIFSAUT allows a change in object ownership such that Strategi (e.g., SGIOBJOWN) becomes the owner and is able to perform normal Strategi-related operations. SETIFSAUT should be used on any object deposited via file upload into a Strategi website to ensure Strategi jobs have the necessary authority to perform required operations. See the Strategi HSM Programmer's Guide for information concerning restrictions for this opcode.

Incompatibilities or Upgrade Considerations
  • New Applet Build
    For normal applet use in Internet Explorer and Netscape, no HTML changes are needed to the applet-loading pages. To run the enhanced applet in Internet Explorer with the plugin, or in Netscape, the archive name must be changed to abljem.signed.jar. This change has been made in the standard Resources website, but if you have made any custom copies of the applet-loading pages, you will need to repeat these changes in the HSM resource files or applet HTML. Please contact BusinessLink Support for assistance.
  • Strategi HOSTSCCSID Value Changed
    A Strategi HOSTCCSID value of '65535' is no longer supported. It must be changed to the corresponding CCSID value for your country (e.g. '00037' for the U.S.).

Version V1R7

No known incompatibilities or major functionality changes.


Version 1.6.7 and 1.6.8

Upgrade Considerations
  • Specifically Prefixed Terminal Names

    In the case where a Strategi user has a devicename prefix specified in their Strategi user definition, the behavior when the user disables a device through incorrect signon has changed. In versions prior to 1.6.8, they could simply reload the applet and be given the next device available. This was deemed to be incorrect with respect to security, since this allows someone more chances to "hack" the signon than they would otherwise have. Now, in version 1.6.8 and later, the device must be varied on through administrative action before the user can log back in.

    It is possible, however, to retain the old behavior. You can set the TERMINALVARY Strategi Value to allow failed signons to simply try again. This is done through the following command:

    STRATEGI/CHGSGIVAL KWD(TERMINALVARY) VAL2('1')

    A Strategi restart is required before this change will take effect.

Version 1.6.4

New Features and Benefits

  • HTTP Authentication in Multiple Zones
    The behavior of authentication for HTTP has been changed. Each zone is listed as a separate connection and login point.

    1 Computer - 1 Browser
    In a single browser instance, any number of zones can be logged into with any number of users. To log out, the zone must carry a logout button, or the login page must be requested.

    1 Computer - 2 Browsers (Internet Explorer)
    If a second instance of the browser is started by launching a new program then any zone can be logged into as any user; if the same user accesses the same zone in both browsers the second access will have no effect on the first access.

    1 Computer - 2 Browsers (Netscape Navigator)
    Same behavior as for one browser, second window with CTL-N.

    1 Computer - 2 Browsers (Internet Explorer and Netscape Navigator)
    If any of the browser windows logs out of a given zone then all browsers will have their login for that user and zone invalidated. In the event where a single profile is being used for generic semi-anonymous access, this will not be allowed.

    2 Computers
    If another computer accesses the system, then the same rules as for Internet Explorer with two browsers apply.

    1 Browser - New Window via CTRL-N
    If a second instance of the browser is started with CTL-N or FILE-NEW, then any other zone can be logged into as any user. Note that the two browsers share login information: any logins or logouts are effective in all windows. So if a zone that was logged into before the CTL-N is logged out of and then logged in to with a new name, the previous window will also immediately begin to use that new login. This is because there is no way for us to determine the difference between the browser windows. This is not preventable without also preventing the same user from being able to log in to a zone twice with different browsers.

    NOTE: As a consequence of carrying the login details at the zone level, the *SESSION=LOGOUT directive must also change. The link for this directive must now be to something within the zone (the designated login page, preferably, or a dummy document), and the directive will return Strategi error code 2106. If desired, a new embedded directive *LOGOUTREDIRECT= may be used to immediately transfer to a new page (the embedded error redirect would also work). For example:

    1.5.x
    <a href="/homepage.htm?*SESSION=LOGOUT">
    LOG *CLIENT.ACCESS_NAME OUT OF SYSTEM
    </a>

    1.6.x
    <a href="no-such-page.htm?*SESSION=LOGOUT&*ERROR_SGI_2106=/homepage.htm">
    LOG *CLIENT.ACCESS_NAME OUT OF SYSTEM
    </a>
  • Detail Information - User Concurrency
    The concurrency of Strategi users has been enhanced on the 'Work with Connections' menu option in Strategi. Logged in users can now be identified by type.

    A concurrent user is any user who has performed one of the following functions:
      - signed on to our 5250 applet
      - established a connection using webmaster
      - signed in to an authenticated portion of a website

    Regardless of the number of services being performed by a user, only one concurrency will be noted. For example, if a user were to sign on using the Strategi 5250 client applet, establish a connection with webmaster, and authenticate a zone they would only count as one concurrency although they would be seen as three different types of connections.

    By concurrency we actually mean "use of a license". License use and listed connections should be differentiated. There may be multiple connections by a user, but only one license is used per user regardless of how many connections. If a concurrency limit is reached in our current product, a notification message will be sent to QSYSOPR for a 14-day period (extended to 21 days come V2R0M0). During this period, up to 50% of the maximum licensed users would be allowed. If a new key is not applied by the end of the grace period, then the maximum allowed will revert back to the number stated on the license.

New HSM Features


Following is an update to the HSM specifications including DHSM additions and information:

There are no known incompatibilities that will affect the operation of existing servers, whether the server is simply just run or recompiled and run. There are new features existing servers can use, if they enable the feature.

There is, however, a subtle change in the way authorization is done for server call chains. We do not expect this to pose a problem with any existing system, but systems that employ a catalog server that uses a backend integration server may need authority changes.

This is the situation where we have client -> server-a -> server-b.

Originally, server-a got details and checked authority for client and server-b got details and checked authority for server-a.

With 1.5.3 this was changed to pass and check the original details at all hops, so both server-a and server-b got details and checked authority for client. Note that there was actually a bug in this implementation that meant the authority was checked for the initial user type, but the immediate user ID, so server-b would actually check, for example, *HOSTUSER 000000001 not *HOSTUSER HSMUSRPRF.

With 1.6.0 this again changes so that the servers are always passed the original details (client-type, client-id, client location and user-attribute). But authority is always checked against the immediate client: server-a checks client, server-b checks server-a.

  • HSM Authority Type *SERVER
    When an HSM server makes a request of another server while it is processing a request from a client, the authority is checked as *SERVER. This allows servers to be authorized to only fulfill requests from other servers.
  • HSM Authority Type *PEER
    With the introduction of DHSM peer networking, requests that come from another system are authorized with *PEER <PeerSystemCode>. This enables peer systems to be blocked from accessing some servers.
  • *PEER HSM Server
    The xxxHSMSVR commands now have a new interface type, *PEER. This enables fields to define a server that is accessed on a remote peer system.
  • Request Parm User Attribute
    All servers can now define an attribute to be passed to the server in one of the new optional parms. This attribute is internally retrieved when the client type is *STRATEGI. See below for more details.

Incompatibilities or Upgrade Considerations
  • Zone Authority Change -- Resolution when member of multiple Groups
    Checking of authorities to a zone for group members has been corrected so that a group member with appropriate authority is no longer denied access because they are also a member of another group which has been excluded. This change in behavior will directly impact security for sites that have specifically and deliberately configured a zone to permit one group and exclude another, with the intention to exclude any users who are in both groups.

    While the original "err on the side of safety" behavior is defensible, it is arguably much more useful to be able to define a user as a member of both "Users" and "Trusted Users" and allow the higher authority of "Trusted Users" to apply when "Users" has been specifically excluded from a zone.

    In addition, if a user is a member of a group with *READ authority and also a member of another with *WRITE authority, the user will be considered to have *READWRITE authority.

    As previously, authority specified for a particular user overrides any group authorities.

  • HSM Change -- HSM Resource files must contain a reply group for every server request
    In Strategi V1R6M3 and earlier, it was acceptable for an HSM Resource file to contain a [SERVER REQUEST] group but no [REPLY] group, even though technically this is incorrect coding. As of V1R6M4, there must be at least one [REPLY] group for each [SERVER REQUEST], or an HSM error will result.

    The simplest way to fix situations where such an HSM resource file exists is to simply add a [REPLY] group right after the [SERVER REQUEST] to catch all opcodes, using *OTHER as the opcode:

    [REPLY]
    OPCODE=*OTHER

    This catches all resulting opcodes and does nothing, which is the same behavior present previously.
  • HSM Change -- *PUBLISH URL
    A minor change in how HSM *PUBLISH (file upload) is handled has been made. As a result, the URL used to reference a *PUBLISH file must be changed. Before, one would have used <A HREF="/*PUBLISH/(filehandle)">, referencing *PUBLISH from the root of the website. Now it is required that the *PUBLISH file be referenced as if it were in a subdirectory of the zone you are logged into, in other words <A HREF="*PUBLISH/(filehandle)">. In most cases, simply removing the slash before *PUBLISH is all that is needed.
  • HSM Change -- *PUSHFEED URL
    A minor change in how HSM *PUSHFEED (send file retrieval) is handled has been made. As a result, the URL used to reference a *PUSHFEED file must be changed. Before, one would have used <A HREF="/*PUSHFEED/(usernumber)/(referencenumber)">, referencing *PUSHFEED from the root of the website. Now it is required that the *PUSHFEED file be referenced as if it were in a subdirectory of the zone you are logged into, in other words <A HREF="*PUSHFEED/(usernumber)/(referencenumber)">. In most cases, simply removing the slash before *PUSHFEED is all that is needed.
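
The zone authority change described above ("Resolution when member of multiple Groups") can be modeled to list which users gain access under the corrected rule. This is an added example, not Strategi code: the data layout, the names EXCLUDED and NONE, and the sample users, groups and zone are assumptions, and the original rule is modeled as differing only in how an excluded group is handled.

```python
# Added model of the zone-authority rules; not Strategi code.
# EXCLUDED and NONE are placeholder names, not Strategi special values.
EXCLUDED, NONE = "EXCLUDED", "NONE"
READ, WRITE, READWRITE = "*READ", "*WRITE", "*READWRITE"
_BITS = {READ: 1, WRITE: 2, READWRITE: 3}
_NAMES = {0: NONE, 1: READ, 2: WRITE, 3: READWRITE}


def effective_authority(user, zone, corrected=True):
    """Resolve one user's authority to one zone.

    corrected=False models the original rule (any excluded group denies);
    corrected=True models the rule described above.
    """
    # Authority specified for the user overrides any group authorities.
    direct = zone["users"].get(user["name"])
    if direct is not None:
        return direct
    entries = [zone["groups"][g] for g in user["groups"] if g in zone["groups"]]
    granted = 0
    for authority in entries:
        granted |= _BITS.get(authority, 0)  # *READ and *WRITE give *READWRITE
    if EXCLUDED in entries and (not corrected or granted == 0):
        return EXCLUDED
    return _NAMES[granted]


def access_gained(users, zones):
    """Return (user, zone, authority) where the corrected rule grants access
    that the original rule denied: the entries to review before upgrading."""
    gained = []
    for zone_name, zone in zones.items():
        for user in users:
            before = effective_authority(user, zone, corrected=False)
            after = effective_authority(user, zone, corrected=True)
            if before == EXCLUDED and after not in (EXCLUDED, NONE):
                gained.append((user["name"], zone_name, after))
    return gained


# Constructed sample configuration (all names are hypothetical).
ZONES = {"PAYROLL": {"users": {"CAROL": EXCLUDED},
                     "groups": {"USERS": EXCLUDED, "TRUSTED": READ,
                                "EDITORS": WRITE}}}
USERS = [{"name": "ALICE", "groups": ["USERS", "TRUSTED"]},
         {"name": "BOB", "groups": ["USERS"]},
         {"name": "CAROL", "groups": ["TRUSTED"]},
         {"name": "DAVE", "groups": ["TRUSTED", "EDITORS"]}]

if __name__ == "__main__":
    for row in access_gained(USERS, ZONES):
        print(row)
```

Where a user must stay excluded from a zone after the upgrade, the last rule above applies: authority specified for that particular user overrides the group result.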
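
A pre-upgrade check for the three HSM changes above (missing [REPLY] groups, root-relative *PUBLISH and *PUSHFEED links), as an added example that is not part of Strategi. It assumes that groups are introduced by a bracketed name on its own line and that a [REPLY] belongs to the [SERVER REQUEST] preceding it; the sample text is constructed, and its PLACEHOLDER lines stand in for keywords this page does not show.

```python
import re

GROUP = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# href values that still start at the website root: /*PUBLISH/ or /*PUSHFEED/
ROOTED = re.compile(r'''href\s*=\s*["']?/\*(PUBLISH|PUSHFEED)/''', re.I)


def requests_without_reply(text):
    """Return 1-based line numbers of [SERVER REQUEST] groups with no
    [REPLY] group before the next [SERVER REQUEST] or the end of the file."""
    missing, open_request = [], None
    for number, line in enumerate(text.splitlines(), 1):
        match = GROUP.match(line)
        if not match:
            continue
        name = match.group(1).strip().upper()
        if name == "SERVER REQUEST":
            if open_request is not None:
                missing.append(open_request)
            open_request = number
        elif name == "REPLY":
            open_request = None
    if open_request is not None:
        missing.append(open_request)
    return missing


def rooted_special_urls(text):
    """Return (line number, name) for links that reference *PUBLISH or
    *PUSHFEED from the website root instead of relative to the zone."""
    return [(number, match.group(1).upper())
            for number, line in enumerate(text.splitlines(), 1)
            for match in ROOTED.finditer(line)]


# Constructed sample input.
SAMPLE = """\
[SERVER REQUEST]
PLACEHOLDER=first request
<A HREF="/*PUBLISH/(filehandle)">file</A>
[SERVER REQUEST]
PLACEHOLDER=second request
[REPLY]
OPCODE=*OTHER
<A HREF="*PUSHFEED/(usernumber)/(referencenumber)">report</A>
"""

if __name__ == "__main__":
    print("requests without reply at lines:", requests_without_reply(SAMPLE))
    print("root-relative links:", rooted_special_urls(SAMPLE))
```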

The documentation for Strategi will now be available from the RESOURCES website in all Strategi versions 1.6.0 and higher. Our Strategi documentation area has all updated documentation available as well. If you have questions about any of the new features available in the latest version of Strategi please contact our technical services representatives for further discussion.

** End of Technical Support Bulletin **