**************************** * RELEASE 3.5 - 2008/01/07 * **************************** Major Enhancements - Framework ------------------------------ VersaLex now provides the ability to clone and activate preconfigured hosts directly from the Cleo web site. To use this feature, right click on the "Hosts" folder in the Preconfigured tab and choose the "Clone and Activate from Web site..." option. When the dialog appears, click the "Download List" button to display a list of all the available preconfigured hosts from the Cleo web site. Right-click on the desired preconfigured host and choose the "Clone and Activate" option to activate the host in the Active pane. - VersaLex can now be configured through the "Tools>Software Update" dialog to automatically send an email alert to the registered email address when a software update is available. Major Enhancements - FTP ------------------------ VLTrader only: Added OpenPGP encryption/decryption to FTP server for outgoing/incoming files. Major Enhancements - HTTP ------------------------- VLTrader only: Added an HTTP server/service with methods for connecting, listing, sending, and receiving payload. See Local Listener HTTP service and Local HTTP Users preconfigured host. Trading partners can use a web browser to manually trade with VLTrader or an application (such as Cleo LexiCom) to automate trades with VLTrader. The Generic Cleo VLTrader HTTPs preconfigured host captures the HTTP methods and parameters acceptable to the VLTrader HTTP server. The server supports either password-based WWW authentication or public key-based SSL client authentication. Major Enhancements - AS2/AS3 ---------------------------- VersaLex now supports S/MIME 3 and extends the ability to encrypt and decrypt with the AES and RC/4 algorithms. The supported encryption algorithms under S/MIME 3 include all the previously supported S/MIME 2 algorithms (i.e., RC2/40, RC2/64, RC2/128, DES and TripleDES) as well as AES/128, AES/192, AES/256, RC4/40, RC4/64 and RC4/128. (RC4 is also known as ARCFOUR.) Additionally, more secure SHA MIC algorithms (SHA-256, SHA-384 and SHA-512) are now available. SPECIAL NOTE: Check with your trading partner before attempting to use the new S/MIME 3 encryption and/or SHA MIC algorithms since some AS2/AS3 products may not yet support these algorithms! Enhancements - Framework ------------------------ For all protocols, added new "Fixed Record Incoming Insert EOL" Advanced property which works in conjunction with existing "Fixed Record

Length" and "Fixed Record EOL Characters" to allow fixed length records to be created while writing inbound payload. The existing "Fixed Record Incoming Delete EOL" property is mutually exclusive with this new property. - VersaLex now performs daily checks of the support contract renewal date when it is about to expire and if it has been updated, a new license is automatically applied as long as no other license settings have also been updated. - VLTrader only: Local FTP, HTTP, and SSH FTP Users can now be configured to have a sentbox directory, which is populated with a copy of files retrieved by the user from the configured outbox directory. Also added Local Listener "Number of Days Before Auto Delete Files In Local User Sent/Receivedbox" advanced property, which defaults to 7 days. If this property is set to 0, local user sent/received box files are not automatically deleted. - Previously when synchronization between two VLTraders or LexiComs was disabled, updates would accumulate in a queue and if synchronization was disabled for an extended period, this would cause considerable overhead. Now when temporarily disabling synchronization, the user has a choice of whether updates should accumulate or would prefer to re-initialize synchronization after it is re-enabled. - In addition to %file% and %status% macros, now support %mailbox% and %host% macros for passing mailbox and host aliases to Execute On Fail/Successful Send/Receive scripts. - When using the commandline -i option to install a patch file, LexiCom/VLTrader will now recognize that it is a patch file and create a backup of the updated files. - Added command line option (-s threaddump) and checkbox on the Help>Support>Bundle panel for generating a thread dump to include in a support bundle. - Added highlighting (bold text) to show differences in the release notes between an installed patch and the patch selected through Tools>Software Update panel. - VLTrader only: Local FTP, HTTP, and SSH FTP Users can now be configured to have a receivedbox directory, which is populated with a copy of files stored in the user's configured inbox directory either directly or, in the case of FTP or SSH FTP, via a rename. - Partner/ CA certificates that have expired or are about to expire are now included in the daily email notification that previously only included Local User certificates. The original 'Email Local Certificate Expiration Notices' property (defined in the Local Listener>Advanced panel) has been changed to 'Email Local And Partner Certificate Expiration Notices'. Additionally, the new property ('Email Local And Partner Certificate Expiration Warning Days') has been added to the Local Listener>Advanced panel to configure the number of days before the

certificate will expire and will be used to trigger the email notification. The default is 30 days. - When sending certificates via CEM or email, or accepting a certificate received through CEM, now check the certificate expiration and generate a warning. - Temporary actions, which are automatically created as part of the database payload and routing features and SMTP protocol and which can be created via the API, are no longer displayed in the Active host tree. These temporary actions usually come and go rather quickly, and their logged messages are viewable from the main messages pane so no information is lost by not displaying them in the tree. Removing them keeps the tree from excessive redraws, which was making it difficult to select a specific node near the temporary action (especially in the web gui). - Added integrity check when applying patch files using Software Update. - If any configuration or host XML file has been corrupted (e.g. by an abrupt shutdown), the synchronization feature will now attempt to restore the corrupt file at startup by retrieving it from the synchronized VersaLex. - VLTrader only: Custom reference numbers in EDI database logging can now be set to be extracted only if another element within the EDI segment has a specific value. - Added archiving for host sentbox and received box. Archiving parameters in Configure>Options>Other panel. - Added support for generating a DSA key pair when generating a selfsigned certificate. - The archived log zip file name now includes the license serial number. This allows two LexiComs or VLTraders to share an archive log directory. - Added capability for sending support bundle directly via email. - VLTrader only: For the database payload feature, added "Maximum Number of Concurrent Sends Per Mailbox" property (default 5) which controls how many concurrent sends can be active at any given time for any given mailbox. - Three web GUI session timeout properties are now configurable in the Local Listener Web Browser service panel. The properties include "Initial startup" (default 120 seconds), "Waiting for response" (default 120 seconds), and "Abnormal exit detection" (default 60 seconds). - All service panels now have scrolling support for better resizing. - VLTrader only: For the database payload feature, added "Maximum Number of Concurrent Sends" property which controls how many concurrent sends can be active at any given time. Also now immediately check for more

outgoing payload when a database send completes rather than waiting the full "Polling interval". - On Unix, added cut, copy and paste key mappings to text fields for copying text between actions, etc. - Added support for new %inbox% and %outbox% macros in the source or destination paths for LCOPY, LREPLACE, and LDELETE commands. These macros can be used as shortcuts to the configured inbox or outbox paths (they can only be used at the start of the path). - VLTrader only: When database payload is being used, any incoming FTP or SSH FTP server transfers that aren't going directly to the user's configured inbox are now marked with an "Interim Success" status in the transfer log. - VLTrader only: When sending via database outgoing payload and the send fails, the VLSend table now contains a LastFailedAttemptResultText column that is populated with the reason why the send attempt failed. - VLTrader only: Local FTP and SSH FTP users inbox and outbox directories are now configurable. The default values of 'inbox/' and 'outbox/payload/' can be modified at any time and VLTrader will create/rename/remove directories as necessary for each mailbox; however, non-empty directories will never be removed. Other directories besides the inbox and outbox directories can also be configured for VLTrader to create for each mailbox. If the database payload feature is in use, incoming payload will only be inserted into the database if the client is placing the file in the configured inbox directory or is renaming the file into the inbox directory. - Added a new feature to send test emails via a new 'Test' button in the "SMTP Mail Server" field on the Configure>Options>Other panel. Note: Test emails may be sent whether the SMTP Mail Server has been defined or not. - Added the MIC algorithm (for signed MDN requests) and the encryption method (when encryption is enabled) to the Email Profile for AS2 and AS3. - VLTrader only: Enhanced EDI logging custom reference number extraction feature such that extraction rules can now have a) multiple transaction types listed together separated by commas or semicolons, b) either inbound only or outbound only or both identified, and c) a "matching" segment element which must match the specified value for extraction to occur. Enhancements - FTP ------------------ VLTrader only: Added Local FTP User mailbox advanced property "Active Mode Source Data Port" which can be used to specify the FTP server source data port for Active Mode when set to a value > 0. Default value is 0 where the data port is unspecified. Related incident #63224. - Added AES-128, AES-192, AES-256, DES, and Twofish OpenPGP encryption algorithm options. Removed support for IDEA encryption algorithm.

- VLTrader only: Added Local FTP Users mailbox Advanced panel property "Automatically Delete Retrieved Outbox Files". When this option is selected, a retrieved file will be deleted when the next appropriate FTP command is received from the client and the response will be a multi-line response which includes confirmation of the deleted file. - For OpenPGP, added checkbox to override the Local Listener Signing Certificate for OpenPGP encryption. Defaults to unchecked so the Local Listener certificate is used by default. Enhancements - HTTP ------------------- Added support for the %filename keyword in PUT command header values. At runtime, the keyword is replaced with the actual filename being sent. - Added new "Successful Put Response Phrase" advanced property. Even if the server response code is a 200 level response, if the configured phrase is not found anywhere in the content of the server response, the PUT is not considered successful. Enhancements - AS2/AS3 ---------------------- When trading with a partner using a server that is non-compliant with the AS2 Filename Preservation rules, improved the processing rules for naming the destination file to use the AS2 transport header's ContentDisposition filename value if it exists and it's not either 'smime.p7m' or 'smime.p7z'. - GXS MDEP AS2 Production and Test preconfigured hosts are now configured with the latest GXS ICS X509 certificate. - Added new "Force MDN Signature" Inbound Message Security property to the mailbox. - Added System-wide and Host-specific support for detecting duplicate file names for Filename Preservation and returning the appropriate MDN responses. - When "Force Signature" inbound message security is enabled, it is now applied to inbound MDNs as well as inbound payload. - AS2 only: When a synchronous MDN is received, now log a 'File' element instead of the previous 'Detail' element. - Now trap and manually parse the Content-Disposition header string when a ParseException is thrown which occurs if a trading partner had included a special character (i.e., '(' ')' '' '[' ']' '/' '?' '=' '@' ',' ';' ':' '\' '"' a tab or a space) within the filename but did not enclose that filename in quotes. Enhancements - ebMS -------------------

- Added support for generating an ebMS signature from a DSA certificate/private key. - Added a configurable number of days to the service panel for retaining the message ID history for duplicate checking. Enhancements - OFTP ------------------- Added a configurable number of days to the service panel for retaining the message ID history for duplicate checking. Enhancements - SMTP ------------------- VLTrader only: SMTP server can now be configured to ignore case when looking for a configured SMTP trading partner's username. - Added a configurable number of days to the service panel for retaining the message ID history for duplicate checking. Bug Fixes - Framework --------------------- VLTrader only: For MS SQL Server, "java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]Connection reset by peer: socket write error" that were being thrown when logging EDI information are now handled by re-acquiring a connection to the database and retrying. - For networked AS/400 directories, fixed problem where VersaLex was marking an autosend action as invalid if it got a SocketException or InterruptedIOException when connecting to the AS/400 to verify a command's source or destination path. When this occurs, VersaLex will now just re-authenticate with the AS/400 and retry the scheduled action. - Fixed intermittent problem where NumberFormatExceptions originating from the LoggerThread with descriptions like "multiple points" or "For input String: """ were being thrown. - Fixed problem where if "Fixed Record Incoming Insert EOL" Advanced property is being used and appending to an existing file, existing file's last record length was not being taken into account. - Fixed problem when a Host Receivedbox was configured for an AS/400 path where the received files were not being copied to the Receievedbox. - When an unexpected host, mailbox, or action "not found" error is logged, error now includes stack trace information to better determine cause for error. - Added logged synchronization error if sync request from other VLTrader is malformed. - Added support for importing a User Certificate and Private Key which uses the DSA algorithm.

- Checks that configured inbox and outbox directories exist are now made solely by the running service/daemon rather than a connected GUI because of possibility that a different user account (with different permissions) may be running the service/daemon. - Added check for checking for existence of schedule lock file which could prevent a command-line from executing if another command-line process was about to end. Related incident 64543. - Fixed problem when email related timeouts (connection timeout) were set to zero, the timeout would occur immediately instead of never timing out. - Fixed problem when manually applying a patch via the web GUI where the uploaded patch file would be deleted from the webserver\temp directory before it could be applied. - VLTrader only: Fixed problem where TradeLink web service was incorrectly treating receipt files as payload files. - Fixed problem where 'Email On Successful Receive' was incorrectly sending email notifications when an asynchronous MDN was received. - VLTrader only: Fixed problem where the Local FTP, HTTP, or SSH FTP users' configured subdirectories were being incorrectly reset to absolute paths in the installed directory. - Corrected issue with exporting a user certificate as an OpenPGP key where the self-signature on the exported key was not recognized by GnuPG. Removed critical tag on identity in signature sub packet for compatibility with GnuPG. - When updating software, method used in highlighting differences in patch notes was causing a java.lang.NoSuchMethodError under JRE 1.3. Problem will occur after updating to patches 3.4.57 to 3.4.63. - Added check so Local (FTP, HTTP SSH FTP) User sent/received boxes are not archived. - For long running actions, only the last 100 logged messages are not retained in the host in order to avoid overly large host files. - Fixed problem where temporarily disabling synchronization could potentially cause a synchronization collision of the conf\Sync.xml file when synchronization was re-enabled. - Corrected issue with exporting a user certificate as an OpenPGP key to which had unrelated info included in the identity. - Corrected issue where generating a Trusted CA certificate from OpenPGP public key with a OpenPGP secret key as the input was failing without showing an error message due to a null pointer exception. - Fixed problem where the same temporary action was being used for two different sends at the same time, resulting in NoSuchElementExceptions or

StringIndexOutOfBoundsExceptions. Temporary actions are employed by the VLTrader database payload and router features and can also be created using the API's MailboxController. - Fixed problem where NumberFormatExceptions were being logged when copying a sent file to the sentbox and system property "Starting Unique File Affix" was set to an alphanumeric. - Fixed problem in web GUI where some of the Certificate Manager tree node menu items were not activating a dialog when selected. - Fixed problem where a property change made to a Local Listener service via a synchronized VersaLex was not affecting the running Local Listener. - Fixed problem where one or more NumberFormatExceptions were being logged right after an action's schedule was updated via the GUI. This problem could then also result in continuous NullPointerExceptions being thrown by the scheduler, keeping it from scheduling actions correctly. - Corrected a ClassCastException problem which was occurring while saving a host file. - VLTrader only: If using outgoing database payload, corrected problem where two synchronized VLTraders could potentially send the same payload. - Corrected issues with sentbox and receivedbox archive filename when the directory name ended in a digit which could cause a new archive to be created on startup instead of adding to an existing archive. - Automatic log file archiving is no longer disabled by the software should archiving fail because of an I/O or other exception. If archiving because the log file has reached the maximum size, now archiving will be reattempted after a 10 minute delay. - VLTrader only: Fixed problem with exception that was thrown when removing a local user mailbox if the user's home directory was blank. - VLTrader only: Fixed problem where an exception being thrown when the apply button was clicked on a Local FTP, HTTP, or SSH FTP user's mailbox if the User Home Directory was blank when running as a service. - For Execute on Failure/Success, fixed issue where the system command would fail to execute if both the command and last parameter were quoted. - When using AS/400 network access on Windows, fixed problem where current drive letter was always being prepended to the configured system or host level inbox/outbox directories, which was causing a local folder rather than the networked AS/400 folder to be accessed. - Added additional checks to Maximum Memory setting on Configure>Launcher dialog to prevent startup problems caused entries without M (megabytes) or G (gigabytes) specified.

- If a host file becomes corrupt before queued up changes could be synchronized with another VersaLex, VersaLex no longer mistakenly deletes the host from the synchronized system. - Added logic for setting sentbox and receivedbox files as read-only when archiving for sent/received boxes is not enabled. If archiving is enabled, the files will not be marked as read-only so the files can be archived automatically. - An abrupt system shutdown can cause "garbage" characters to be appended to the active system log file. Now at startup, any invalid characters found at the end of the system log file are deleted before new log entries are added. - Enhanced the View->File feature for faster loading of the file which corrects a problem in the Web GUI for large files where the display was continuously being refreshed. Additionally, the file offset is now always displayed where it had previously only been displayed in the "Dump" mode. - If the scheduler tries to run an action whose parent host is being currently updated by a synchronized VersaLex, the scheduler no longer needs to be restarted to recover. Now the action will simply be run at the next scheduled interval. - VLTrader only: Fixed problem where scheduler could potentially cause a system slowdown when actions were not allowed to run concurrently. - View>Log... now detects when the log file is corrupt and indicates the last date/time mark before the corruption was found. - In web GUI sessions, fixed problems related to selecting a node or node page in the active tree that no longer exists. - VLTrader only: Improved efficiency with which temporary actions for outgoing database payload and router features are created, executed, and removed. - In Certificate Manager - Fixed problem where chained Intermediate CA could not be deleted and would cause high CPU usage. - View>Log... now shows a progress dialog while reading the log files in case of an extensive retrieval. This progress dialog allows cancellation if desired. If using the web GUI, the progress dialog also keeps the web GUI session from timing out. - VLTrader only: For the database payload feature, fixed problem where if host was set to not "Allow Actions to Run Concurrently", no longer repeatedly create then remove temporary actions over and over again when there is more than one pending outgoing payload for one of the host's mailboxes.

- VLTrader only: Fixed problem where a response from FTP and SSH FTP server if the file was already being accessed could include path information outside of the user's virtual home directory. - VLTrader only: Fixed problem where an exception being thrown when the apply button was clicked on a Local FTP, HTTP, or SSH FTP user's mailbox if the User Home Directory was blank. - VLTrader only: Fixed the browse button (...) on the Local HTTP user's mailbox for the User Home Directory which was not working. - Fixed problem where a timed out web GUI session was not unregistering, causing delayed disconnects and/or thread death. - Corrected issue where running multiple command line actions may not complete or log the results. - Fixed problem where a forward slash ('/') in an alias would cause synchronization of a host to fail. - VLTrader only: Fixed problem where router was not checking that delete of completed route file was successful. - Fixed problem where the embedded key information for an imported nonarmored (binary) OpenPGP secret key would not display properly. - Fixed problem where Local Listener message count was being reset back to a previous value if the service was restarted or if the Local Listener was updated from a synchronized system. - Fixed problem where an already running action could be started again via commandline. - When retrying email messages using an explicit email server, now only make retry attempts to the failed email addresses. - Fixed problem where a newly registered/licensed LexiCom or VLTrader was incorrectly stating that it was a backup-only system and would not allow the schedule (or router, in the case of VLTrader) to be started. - VLTrader only: After starting a scheduled action for a host whose "Allow Actions To Run Concurrently" advanced property was set to false, fixed problem where the scheduler would possibly not start any actions for any other hosts until this action completed. - VLTrader only: Added SSH FTP Server and SMTP info to TCP/IP port usage. - On Unix, added support for searching user's path for a browser including FireFox, Epiphany, Mozilla, Netscape, and Opera browsers. - VLTrader only: SQL Server 2005 is now supported.

- Fixed problem where a certificate (without an embedded OpenPGP key) exported as an OpenPGP key had the wrong valid seconds value which could cause it to be expired. - VLTrader only: Fixed problem where if database payload option was just enabled, payload would not start streaming into the database until VLTrader was restarted. - If a commandline action cannot be run for some condition (e.g. local listener not running), an error is now logged rather than a warning and the exit status returned by the application is now -1 rather than 0. - VLTrader only: On startup, added better error reporting when the FTP or SSH FTP default root path or any user paths use an AS/400 IFS directory and a connection cannot be made to the AS/400. - Fixed problem where a synchronized modification to one of the Local Listener services was not being displayed on the synchronized system until the GUI was reopened. - The file names of the files written to the AS/400 IFS are no longer forced to upper case. This is only being done for file names on the AS/400 NFS. - VLTrader only: Fixed problem with database payload feature where streamed FTP server sends or receives was causing a "java.io.IOException: Invalid argument" exception to be logged. - VLTrader only: Fileindex is now part of the primary key of the VLOutgoingProperties table so that multiple attachments can now have different values for the same property (e.g. Content-Disposition). - Fixed problem importing a host from a zip file whose alias contains a \ or /. Also fixed problem importing hosts when LexiCom is running as an AS/400 process. - Fixed problem where a NullPointerException was being thrown when saving a host file (during calculation of stored check sums). - VLTrader only: When EDI logging is enabled, fixed problem where shutting down the VLTrader service/daemon could potentially hang if there were pending EDI logs. - Fixed problem where VersaLex web GUI sessions would timeout on the HPUX Firefox web browser. Bug Fixes - FTP --------------- Added mailbox level option for "No Password Required". Related incident 62609 going to a Tumbleweed FTP server (SecureTransport 4.6.1) in explicit mode (AUTH SSL). Server required an SSL client certificate and username for login but would respond with a "530 Already logged in." error if the PASS command was sent.

- Corrected problem with client authentication when the server returns a large list of trusted CAs. - VLTrader only: : Fixed problem where FTP server was responding with the full path rather than the relative user path when the remote path specified was outside of the user's root directory. - VLTrader only: If a Local FTP OpenPGP User stores a zero-length file a warning is generated instead of an exception. Corrected a timing related issue where receiving small (