What's new in 3.8.0 release
Recently we published a teaser blog post about the new features coming in this version, and now it is here. This release is all about Cloud. To find out the details, continue reading...
Linux Improved Support
The most important changes are in Linux and cloud-related installation optimization and automation. We did a lot of testing on multiple Linux versions to make this version reliable and stable. Installation is a simple bash script which installs all prerequisites, the server and the application modules.
Updating to future versions through the same script is also optimized. New downloads are now validated and downloaded only if there are changes. The Docker instance will not be torn down every time.
The script can be scheduled through the Linux scheduler for nightly / weekly updates. The update script updates only application modules, so the update is quick and easy.
Docker Only Installation
Besides the many supported standard Linux environments, we also added support for Google Cloud Optimized and Core OS images. Those Linux versions are very secure and come with Docker pre-installed, but without the possibility to install other products into the host environment, forcing you to use Docker-only setups, which increases security.
We decided to go with the container-only (Docker) setup because the service runs inside an isolated container as a limited user. Even if by some odd chance someone managed to break into the back-end, the intruder would land in an isolated environment, preventing access to the host environment. The second reason is the nonexistent performance impact of running the service inside Docker versus a bare environment. Thus, we decided to support automated installation into containerized environments only.
Open sourced Linux-Docker Installer
We open sourced our installer scripts in preflight mode. The only difference from the production install is the links, which point to a sample module intended for installation testing in preflight mode.
Now sysadmins can adjust the scripts to their needs or test the installer on a new, unsupported Linux distribution.
Source and instructions can be found on GitHub.
NginX Proxy Improved support
We have updated our NginX config example as a load balancer for multiple Green Screens Servers in the background with SSL configuration, including a tested configuration for client-based SSL access control. Source can be found on GitHub.
Older NginX versions do not send the SSL certificate DN in RFC 2253 format, which made SSL validation fail. We added support for the old format to minimize SSL setup pains :).
Web Console management
We added some cloud-related functions to the web admin console, such as the possibility to restart the server or to restart all server nodes inside the cluster from a single place. Servers must be restarted after SSL changes, and now it is much easier to restart the whole cluster with a single click.
SSL Certificates
We removed the SSL Certificate desktop tool from the installation, as it is now implemented inside the server core and has an SSL certificate management UI in the web admin console.
SSL on the server is now configured through the web admin console only. It is possible to create a self-signed Root CA and server certificate or to import PEM-based certificates directly from the web admin console.
If multiple nodes are running in the same cluster, the Root CA and SSL server certificate will synchronize automatically with the other nodes.
We improved SSL client certificate validation by matching the certificate CN/OU fields to the new format user@uuid.host. Support for proxied and non-proxied SSL connections with a client certificate is also significantly improved. No matter whether SSL client certificate access is validated at the proxy or at the Java Server itself, additional validations are done at the application level to increase security.
When Certificate User Verification is enabled - if cert CN contains:
- USER@UUID.HOST - will match USER to UUID and HOST
- USER@UUID - will match USER to UUID (allow access to group of hosts)
When Certificate Verification is enabled - if cert CN contains:
- USER@UUID.HOST - will match to UUID and HOST without user check
- USER@UUID - will match UUID without user check
If the alternate list is set, it will match against the OU value.
These changes make it possible to link the terminal username and the Green Screens Server virtual configuration directly to the SSL certificate CN value. As a result, for example, no one will be able to sign on as QSECOFR (requires 5250 signoff to disconnect or to not show the sign-on screen).
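The two DN formats from the NginX section and the CN rules listed above, sketched as an added example (not Green Screens' own code). It assumes the proxy hands the client certificate subject DN to the application as a string, that UUID contains no dot so the first dot after `@` starts HOST, and that values are compared exactly; `parse_dn`, `split_cn` and `cert_allows` are hypothetical names, and the OU alternate-list rule is not covered.

```python
import re

def parse_dn(dn):
    """Parse an RFC 2253 or legacy slash-separated subject DN into a dict."""
    dn = dn.strip()
    if dn.startswith("/"):                 # legacy: /C=HR/O=Example/CN=...
        parts = dn[1:].split("/")
    else:                                  # RFC 2253: CN=...,O=Example,C=HR
        parts = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    attrs = {}
    for part in parts:
        key, sep, value = part.strip().partition("=")
        key = key.upper()
        if not sep or (key == "CN" and "CN" in attrs):
            raise ValueError("malformed DN or duplicate CN")
        attrs.setdefault(key, re.sub(r"\\(.)", r"\1", value))  # drop escapes
    return attrs

def split_cn(cn):
    """Split USER@UUID[.HOST] into (user, uuid, host); host is None if absent."""
    user, at, rest = cn.partition("@")
    uuid, dot, host = rest.partition(".")  # assumption: UUID contains no dot
    if not (at and user and uuid) or (dot and not host):
        raise ValueError("CN is not in USER@UUID[.HOST] form")
    return user, uuid, host or None

def cert_allows(dn, user, uuid, host, verify_user):
    """CN rules from the list above; verify_user=True also checks USER."""
    try:
        c_user, c_uuid, c_host = split_cn(parse_dn(dn)["CN"])
    except (KeyError, ValueError):
        return False                       # fail closed on unparseable input
    if c_uuid != uuid:
        return False
    if c_host is not None and c_host != host:
        return False                       # USER@UUID alone covers all hosts
    return c_user == user if verify_user else True

# Constructed sample subject: one certificate, rendered in both DN formats.
UUID = "0b1e7c1a-5d5e-4f0a-9c3e-2a6f4d8b9c10"
LEGACY = f"/C=HR/O=Example/OU=Terminals/CN=JOHN@{UUID}.DEMO"
RFC2253 = f"CN=JOHN@{UUID}.DEMO,OU=Terminals,O=Example,C=HR"
GROUP = f"CN=JOHN@{UUID},OU=Terminals,O=Example,C=HR"

if __name__ == "__main__":
    for dn in (LEGACY, RFC2253, GROUP):
        print(cert_allows(dn, "JOHN", UUID, "DEMO", True),
              cert_allows(dn, "QSECOFR", UUID, "DEMO", True))
```

Both renderings of the same subject parse to the same attributes, so the CN check gives the same answer whichever format the proxy sends.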
SSL Admin API
A new SSL certificate generator web API is available through a web admin console session. Generating SSL client certificates is not easy when there are a lot of workstations. For this, the SSL Web API might come in handy. After login, open the browser console and use the SSL API to generate and download SSL certificates. Find out more here...
Windows Installation
For Windows, we changed the installation procedure. Now there are two installers. The first is Green Screens Terminal Service, which is basically a package of 64-bit OpenJRE Java 12 and the Java Server. The second is an update package for the Green Screens Terminal Service application modules.
We added OpenJava JRE into the deployment because some users had problems installing Green Screens Terminal Service to run as a Windows Service due to Java installation issues and user permissions. Now everything runs under the same user without interfering with existing OS Java installations.
We also like to call this version the STABLE version, as there were no significant bug fixes for this release.
Live Demo
With this release we created a live demo version in Google Cloud for previewing the latest features. The preview is protected with time-limited client SSL certificates.
To get access to the live demo, please fill in the Live Demo Request Form with your company data and official company email. We will send you a temporary client certificate, a link to the demo site and information on how to connect and use the demo.
You will be able to test not only our 5250 terminal, but also a simple modernization demo and the Android application, including the spool printing feature. The web admin console is also available with all features enabled in read-only mode, so you can test and play without worrying about breaking something :).
Other
We updated the desktop app based on Electron to the latest 6.0.1 release, including WebKit 66. This enabled FIDO security keys. The desktop SCS spool printer client is also optimized and improved for stability, including support for the latest OpenJava.