Strategi™release compatibility  
 


This document highlights incompatibilities or functionality changes from one release to another. For a complete overview of technical modifications that have occurred through the development of the Strategi product, please refer to our release history.


Version V2R5

New Features and Benefits
  • Compatible with OS/400 V7R3
  • Strategi SSL support has been moved to IBM Digital Certificate Manager (DCM)

Incompatiblities or Upgrade Considerations
  • All SSL certificates related to Strategi will now be managed using IBM Digital Certificate Manager (DCM)
  • Existing SSL certificates will need to be converted into a PKCS#12 format and imported into DCM for use in the V2R5 release
  • Client certificates will need to be recaptured (set user to *CERTWAIT, recapture and then re-enable user after verification)

Version V2R1

New Features and Benefits
  • Distributed 5250 Emulation added
  • Passwords are now case-sensitive (new install, upgrades from V1 remain compatible)
  • Passwords can now be validated against OS/400 password rules. A password validation program was added to the Strategi SGIEXAMPLE source file and the Strategi Value PASSWORDVALIDATION added to enable you to specify the library and validation program name
  • Applet connections are now serviced by ESM
  • Applet sessions can now be retained when configured in the user profile using the EMU parameter
  • Multi-session support added to allow session switching via Alt + 1 - 9 keys
  • Addition of a "Next Generation" client applet that was re-designed from the ground up
  • Enhancement that lifts the restriction requiring SSL for auto-login through a new Strategi Value FORCEKEYEXCHANGESSL and a required applet tag
    <PARAM NAME=connection_protocol value=unsecured_auto_login>
  • Multiple instances of Pushwriter now configurable via Strategi Value PUSHWRITERTHREADS

Incompatiblities or Upgrade Considerations
  • All passwords will be converted to lowercase on upgrade, but logins will remain case-insensitive with the Strategi Value PASSWORDCONTROLS set to '1'
  • Multiple sessions are now started by using the Alt + 1 thru 9 keys (for up to 9 sessions). For the previous functionality of opening multiple applet windows, you must change the Strategi Value XAAMULTISESSION from *HOTKEY to *MLTCNN
  • GUIStyle applet versions older than 806 are not compatible with this release. You must obtain the latest version of the GUIStyle applet.
  • The Strategi Value COMSSERVERADDRESS will be set to *NONE on upgrade and EMULATIONADDRESS set to *WEBSITES on port 43856 from any pre-V2R1 release to enable applet connections to be serviced by ESM
  • Webmaster and Pocket Strategi have been updated to comply with the new case-sensitive password functionality (when compatibility is turned off via PASSWORDCONTROLS value). You must download a new Webmaster client if you have a mixed case or all lowercase password. Otherwise you must store your password in all uppercase to continue to use the older Webmaster client
  • OS/400 Java 1.2 or higher is required to use all new V2 enhancements and functionality. If only V1R9 functionality is required, Strategi must be set to use COMSSERVER instead of the new Emulation Services Manager (ESM)
  • The RTVSGISSNI command has been enhanced to get connection information without requiring a special signon screen (no longer requires the signon marker) and to supply a logical session number for the user, provided that ESM is used to deliver the session (the default after upgrade). New parameters added are CODE and SSNNBR
  • Alt+n now switches between multiple emulation sessions. Previously, Alt+1 through Alt+3 were mapped to 3270 emulation keys PA1 through PA3. Now, Alt+F1 through Alt+F3 can be used for PA1 through PA3. Any V1 users not intending to use session switching under V2, and wishing to continue using Alt+n for PAn, can do so by specifying a new applet parameter tag:
    <PARAM NAME=alt_digit_action VALUE=PAx>
    The new default behavior can be explicitly specified by:
    <PARAM NAME=alt_digit_action VALUE=session>
  • Emulation tunneling has changed in such a way that one HTTPTHREAD job is required for each tunneled session. (Tunneling is when the end user or the site they're connecting to does not have the required port 43856 open. The end result is that the user's connections goes through port 80) This means that you may need a larger Strategi system license that will allow you to run more HTTPTHREAD jobs, should you have more users tunneling than your license would allow for HTTPTHREADS. Please contact BusinessLink Support for more information about this issue.

Version V1R9

New Features and Benefits
  • LDAP authentication support added
  • PUSH file format PDF supported through new conversion server
  • Strategi Group output queue support
  • Improved webserving performance
  • COMSSERVER updated to allow the logged-in Strategi user number to be utilized in the GUIStyle applet for certain types of print handling
  • Newly designed Resources website
       - Emulation (Java 5250), Pushfeed and Change Your Password are now located in "User Resources"
       - SSL Installation is now located in "Admin Resources"
       - Webmaster, Pocket Strategi and Strategi/Remote can be downloaded by going to "User Resources" and selecting "Downloads"
  • Implemented Strategi/REMOTE module for connecting BusinessLink/REMOTE clients to Strategi.
  • Created managed event infrastructure allowing events from HTTP, Remote and pStrategi to be managed and executed in a manner consistent across services.
  • Java HSM API has been entirely rewritten moving as much support as possible to Java, and redesigning the API to fit better into a Java programming model. The API is now multi-thread capable. Note that for reasons relating to the management components, multiple server threads are currently still separate jobs.
  • WebCluster support extended to pStrategi. Strategi has been enhanced to allow HSM requests from the host to a server running on the pStrategi client.
  • New centralized emulation manager added to facilitate Strategi/REMOTE emulation, and to serve as the platform for all future emulation support.


Incompatiblities or Upgrade Considerations
  • User Account Expiration EXPIRY parameter has been changed
  • User Account Expiration has now been activated. If you had previous set up account expiration in a pre-V1R9 release the settings will now take effect. This may result in users becoming disabled within 24 hours from the upgrade date/time. This can be addressed before the upgrade or immediately after the upgrade. Contact support for details.
  • The SNDSGIF and DLTSGIF commands have been updated for mutual compatiblity:
       - MAXPOS parameter changed from 3 to 2 (SNDSGIF already at 2)
       - GROUP parameter changed to type *NAME for both commands
  • PRINTFORMAT *HPT with Format Parameter 1 *NONE no longer valid. Must be *HP4 or left blank
  • GUIStyle and Pocket Strategi are now separately licensed modules
  • Existing GUIStyle or Pocket Strategi users must have their ALWGUI and/or ALWPKT parameters changed to *YES to use those features
  • A minimum of Java 1.2 or higher must be installed to use all available features; however, we recommend installing the latest Java version 1.4 as 1.2 may impose locks on the QSYS/QPRINT file
  • Webmaster download now requires *READ access to the WEBMASTER zone within the Resources website
  • Resources website requires that a Flash plugin be installed
  • Resources web site access via Netscape requires version 6.0 or higher
  • HsmServerInterface class deprecated: compiles on implementing classes will cause deprecation warnings.
  • The HSM server option API has added a new field for a return indication. The API remains compatible with existing code that does not pass the additional parameter
  • Command SNDSGISMTP is deprecated, being incorrectly named. It is replaced with SNDSMTSGI
  • Command RMVIFSTREE is deprecated. It is replaced by DLTDIRSGI
  • Command CRTIFSTREE is deprecated. It is replaced by CRTDIRSGI
  • Command CPYIFSTREE is deprecated. It is replaced by CPYDIRSGI
  • Command CHKHSMSVR parameter names have been changed
  • Command RTVSGISSNI parameter DTAARA set as *NO, no longer accepts Object Owner or Public Authority values
  • The CPYSGIGRP command keyword TOGROUP has been changed to NEWGROUP so as to be consistent with all other Strategi commands.
  • The exclude value '*' for SPF distribution generation has been changed to '*SUBDIR'
  • Peer Server Definition parameters have been changed to allow for LPAR system connections. SRLNBR parameter has been replaced with SYSID

Version V1R8

New Features and Benefits
  • Enhanced emulation applet support - Host configurable connection port
    Configuring Strategi's emulation applet to connect to a port other than the default is now available. A few simple changes to the default set up and your Strategi emulation applet will connect to the host system on your newly configured port value.
  • New temporary mini web server for use during Strategi maintenance
    To provide a temporary web page display while the Strategi system is shut down, the Temporary HTTP Server is a small HTTP server designed to capture requests to specified HTTP address(es) and to respond with a single web page. This page contains the message: "This website is temporarily unavailable.", plus a default message of "Server down for maintenance.". You can replace the default message with a custom message.
  • New PTF retrieval mechanism for easily obtaining and applying PTFs
    Modeled after our successful Retrieve Strategi Product command, the Retrieve Strategi PTF command allows PTFs to be downloaded directly to your iSeries 400, where they can be immediately installed or saved for application at a later time.
  • Enhanced Strategi Tracking file maintenance support
    Modified and newly created Strategi commands allow you to take advantage of cleaning up old Strategi files based upon selection criteria. Getting rid of old reports pushed to your users has never been easier!
  • HSM File Upload: *CURRENT now allowed for the authorityzone property
    The special value of *CURRENT is now allowed for the authorityzone property. This special value, which is case sensitive, allows for securing with a zone located in a non-active (*SUSPENDED) or active website via aliasing. Its use is not limited to aliased zones, but provides added flexibility if using a Strategi zone on a non-active website for file upload purposes only. Prior to this, all zones used for securing the uploaded file required the zone be on an active website.
  • New *SYSTEM Opcode SETIFSAUT
    Sets standard authority and ownership for Strategi IFS objects. When publishing files to Strategi via HSM, and subsequently moving them to another location in a website or IFS location, the automated process that performs the move will become the object owner. SETIFSAUT allows a change in object ownership such that Strategi (e.g., SGIOBJOWN) becomes the owner and is able to perform normal Strategi-related operations. SETIFSAUT should be used on any object deposited via file upload into a Strategi website to ensure Strategi jobs have the necessary authority to perform required operations. See the Strategi HSM Programmer's Guide for information concerning restrictions for this opcode.

Incompatiblities or Upgrade Considerations
  • Incompatiblity with OS/400 V5R4
    V1R8 Licensing is incompatible with OS/400 V5R4. You will need to upgrade Strategi prior to moving to V5R4.
  • New Applet Build
    For normal applet use in Internet Explorer and Netscape, no HTML changes are needed to the applet-loading pages. To run the enhanced applet in Internet Explorer with the plugin, or in Netscape, the archive name must be changed to abljem.signed.jar, This change has been made in the standard Resources website but if you have made any custom copies of the applet-loading pages, you will need to repeat these changes in the HSM resource files or applet HTML. Please contact BusinessLink Support for assistance.
  • Strategi HOSTSCCSID Value Changed
    A Strategi HOSTCCSID value of '65535' is no longer supported. It must be changed to the corresponding CCSID value for your country (e.g.'00037' for the U.S.).

Version V1R7

No known incompatibilties or major functionality changes.

Version 1.6.7 and 1.6.8

Upgrade Considerations
  • Specifically Prefixed Terminal Names

    In the case where a Strategi user has a devicename prefix specified in their Strategi user definition, the behavior when the user disables a device through incorrect signon has changed. In versions prior to 1.6.8, they could simply reload the applet and be given the next device available. This was deemed to be incorrect with respect to security, since this allows someone more chances to "hack" the signon than they would otherwise have. Now, in version 1.6.8 and later, the device must be varied on through administrative action before the user can log back in.

    It is possible, however, to retain the old behavior. You can set the TERMINALVARY Strategi Value to allow failed signons to simply try again. This is done through the following command:

    STRATEGI/CHGSGIVAL KWD(TERMINALVARY) VAL2('1')

    A Strategi restart is required before this change will take effect.

Version 1.6.4

New Features and Benefits

  • HTTP Authentication in Multiple Zones
    The behavior of authentication for HTTP has been changed. Each zone is listed as a separate connection and login point.

    1 Computer - 1 Browser
    In a single browser instance any number of zones can be logged into with any number of users. In order to logout the zone must carry a logout button, or the login page must be requested.

    1 Computer - 2 Browsers (Internet Explorer)
    If a second instance of the browser is started by launching a new program then any zone can be logged into as any user; if the same user accesses the same zone in both browsers the second access will have no effect on the first access.

    1 Computer - 2 Browsers (Netscape Navigator)
    Same behavior as for one browser, second window with CTL-N.

    1 Computer - 2 Browsers (Internet Explorer and Netscape Navigator)
    If any of the browser windows logs out of a given zone then all browsers will have their login for that user and zone invalidated. In the event where a single profile is being used for generic semi-anonymous access, this will not be allowed.

    2 Computers
    If another computer accesses the system, then the same rules as for Internet Explorer with two browsers apply.

    1 Browser - New Window via CTRL-N
    If a second instance of the browser is started with CTL-N or FILE-NEW then any other zone can be logged into as any user. Note that the two browsers share login information - any logins or logouts are effective in all windows. So if a zone that was logged into before the CTL-N is logged out of and then logged in to with a new name the previous window will also immediately begin to use that new login. This is because there is no way for us to determine the difference between the browser windows. This is not preventable, without also preventing the same user from being able to login to a zone twice with different browsers.

    NOTE: As a consequence of carrying the login details at the zone level, the *SESSION=LOGOUT must necessarily change also. Now the link for this directive must be to something within the zone (the designated login page, preferably, or a dummy document) and the directive will return Strategi error code 2106. If desired, a new embedded directive *LOGOUTREDIRECT= may be used to immediately transfer to a new page (the embedded error redirect would also work). For example:

    1.5.x
    <a href="/homepage.htm?*SESSION=LOGOUT">
    LOG *CLIENT.ACCESS_NAME OUT OF SYSTEM
    </a>

    1.6.x
    <a href="no-such-page.htm?*SESSION=LOGOUT&*ERROR_SGI_2106=/homepage.htm">
    LOG *CLIENT.ACCESS_NAME OUT OF SYSTEM
    </a>
  • Detail Information - User Concurrency
    The concurrency of Strategi users has been enhanced on the 'Work with Connections' menu option in Strategi. Logged in users can now be identified by type.

    A concurrent user is any user which has peformed one of the following functions:
      - signed on to our 5250 applet
      - established a connection using webmaster
      - signed in to an authenticated portion of a website

    Regardless of the number of services being performed by a user, only one concurrency will be noted. For example, if a user were to sign on using the Strategi 5250 client applet, establish a connection with webmaster, and authenticate a zone they would only count as one concurrency although they would be seen as three different types of connections.

    By concurrency we actually mean "use of a license". License use and listed connections should be differentiated. There may be multiple connections by a user, but only one license is used per user regardless of how many connections. If a concurrency limit is reached in our current product, a notification message will be sent to QSYSOPR for a 14-day period (extended to 21 days come V2R0M0). During this period, up to 50% of the maximum licensed users would be allowed. If a new key is not applied by the end of the grace period, then the maximum allowed will revert back to the number stated on the license.

New HSM Features


Following is an update to the HSM specifications including DHSM additions and information:

There are no known incompatibilities that will affect the operation of existing servers, whether the server is simply just run or recompiled and run. There are new features existing servers can use, if they enable the feature.

There is however, a subtle change in the way authorization is done for server call chains. We do not expect this to pose a problem with any existing system. But systems that employ a catalog server that uses a backend integration server may need authority changes.

This is the situation where we have client -> server-a -> server-b.

Originally, server-a got details and checked authority for client and server-b got details and checked authority for server-a.

With 1.5.3 this was changed to pass and check the original details at all hops, so both server-a and server-b got details and checked authority for client. Note that there was actually a bug in this implementation that meant the authority was checked for the initial user type, but the immediate user ID, so server-b would actually check, for example, *HOSTUSER 000000001 not *HOSTUSER HSMUSRPRF.

With 1.6.0 this again changes so that the servers are always passed the original details (client-type, client-id, client location and user-attribute). But authority is always checked against the immediate client: server-a checks client, server-b checks server-a.

  • HSM Authority Type *SERVER
    When an HSM server makes a request of another server, while it is processing a request from a client, the authority is checked as *SERVER . This allows servers to be authorized to only fulfill requests from other servers.
  • HSM Authority Type *PEER
    With the introduction of DHSM peer networking, requests that come from another system are authorized with *PEER <PeerSystemCode>. This enables peers systems to be blocked from accessing some servers.
  • *PEER HSM Server
    The xxxHSMSVR commands now have a new interface type, *PEER. This enables fields to define a server that is accessed on a remote peer system.
  • Request Parm User Attribute
    All servers can now define an attribute to be passed to the server in one of the new optional parms. This attribute is internally retrieved when the client type is *STRATEGI. See below for more details.

Incompatiblities or Upgrade Considerations
  • Zone Authority Change -- Resolution when member of multiple Groups
    Checking of authorities to a zone for group members has been corrected to not deny access to a group member with appropriate authority because they are also a member of another group which has been excluded. This change in behavior will directly impact security for sites that have specifically and deliberately configured a zone to permit one group and exclude another, with the intention to exclude any user's who are in both groups.

    While the original "err on the side of safety" behavior is defensible, it is arguably much more useful to be able to define a user as a member of both "Users" and "Trusted Users" and allow the higher authority of "Trusted Users" to apply when "Users" has been specifically excluded from a zone.

    In addition, if a user is a member of a group with *READ authority and also a member of another with *WRITE authority, the user will be considered to have *READWRITE authority.

    As previously, authority specified for a particular user overrides any group authorities.

  • HSM Change -- HSM Resource files must contain a reply group for every server request
    In Strategi V1R6M3 and earlier, it was acceptable for an HSM Resource file contained a [SERVER REQUEST] group, but no [REPLY] group, even though technically this is incorrect coding. As of V1R6M4, there must be at least one [REPLY] group for each [SERVER REQUEST], or an HSM error will result.

    The simplest way to fix situations where such an HSM resource file exists is to simply add a [REPLY] group right after the [SERVER REQUEST] to catch all opcodes, using *OTHER as the opcode:

    [REPLY]
    OPCODE=*OTHER

    This catches all resulting opcodes and does nothing, which is the same behavior present previously.
  • HSM Change -- *PUBLISH URL
    A minor change in how HSM *PUBLISH (file upload) is handled has been made. As a result, the URL used to reference a *PUBLISH file must be changed. Before, one would have used <A HREF="/*PUBLISH/(filehandle)">, referencing *PUBLISH from the root of the website. Now it is required that the *PUBLISH file be referenced as if it where in a subdirectory of the zone you are logged into, in other words <A HREF="*PUBLISH/(filehandle)">. In most cases, simply removing the slash before *PUBLISH is all that is needed.
  • HSM Change -- *PUSHFEED URL
    A minor change in how HSM *PUSHFEED (send file retrieval) is handled has been made. As a result, the URL used to reference a *PUSHFEED file must be changed. Before, one would have used <A HREF="/*PUSHFEED/(usernumber)/(referencenumber)">, referencing *PUSHFEED from the root of the website. Now it is required that the *PUSHFEED file be referenced as if it where in a subdirectory of the zone you are logged into, in other words <A HREF="*PUSHFEED/(usernumber)/(referencenumber)">. In most cases, simply removing the slash before *PUSHFEED is all that is needed.