Axway API Gateway 7.5.3 Release Notes

Document version: 17 September 2018

Summary

API Gateway is available as a software installation, a physical or virtual appliance, a virtualized deployment in Docker containers, or as a managed service on Axway Cloud.

The software installation is available on Windows and Linux. For more details on supported platforms for software installation, see the API Gateway Installation Guide.

The physical appliance is a prehardened appliance running the API Gateway runtime delivered on a Dell PowerEdge server. The virtual appliance is a prehardened appliance running the API Gateway runtime and is available as VMware and as an Amazon Machine Image (AMI).

For more details on appliance options, see the API Gateway Appliance Installation and Administration Guide.

New features and enhancements

Improved visual experience

User interfaces have been refreshed to a more visually attractive look shared by all Axway products:

  • All web-based user interfaces have been made cleaner and simpler.
  • Minor improvements to Policy Studio screens.
  • Shared look-and-feel makes the products feel familiar, making them easy to learn.

Improved Docker support

The support for running API Management in Docker containers has been improved:

  • Pre-built Docker images enable immediate deployment on Docker (CentOS Linux 7 base image).
  • Docker scripts are also included, enabling you to customize the base image, perform security hardening, and rebuild the Docker container (CentOS Linux 7 or Red Hat Enterprise Linux 7 base image).
  • Docker support has been added for API Portal, so you can now run the full API Management Plus solution in Docker containers.

For more details, see the API Gateway Installation Guide.

Open logging

Open logging enables you to consolidate all of the transaction event data, traces, and system metrics stored by API Gateway, and visualize and analyze them in external observability systems (such as Axway Decision Insight or a third-party system like Splunk):

  • The operations database (OpsDB) has been opened in a readable format.
  • An open traffic event log contains traffic event data in a JSON format that is readily consumed by external systems.
  • All events within your deployment can be easily tracked.
  • The event logs are easily exported to a system of your choice for insight generation or archiving.
  • Payload and circuit information is also available.

For more details, see API Gateway Administrator Guide.

Team development

The user experience of team development has been improved:

  • Two working modes: a single source-controlled project or team development. You can switch between the modes at any time.
  • The projupgrade script enables you to upgrade your source-controlled projects in-place, to be deployed on your newly upgraded system.
  • The project references are now OS-independent.
  • A number of issues have been fixed.

For more details, see the API Gateway DevOps Deployment Guide.

Zero downtime deployment

Zero downtime deployment (ZDD) minimizes disruptions that updating your configuration may cause in a high-availability (HA) environment:

  • Indicate upcoming downtime to your load balancer up to 20 seconds in advance, and use Admin Node Manager to orchestrate the deployment throughout the system.
  • Deploy a new configuration (for example, a policy) without downtime by indicating that an API Gateway instance is about to load a new configuration.

For more details, see API Gateway Administrator Guide.

Zero downtime upgrade

You can download a package of sample scripts from Axway Support at https://support.axway.com that you can use as a reference to achieve a zero downtime upgrade (ZDU) to API Gateway 7.5.3. For more information, see the API Gateway Upgrade Guide.

Better version reporting

Improvements to version reporting include:

  • Check the service pack version numbers as well as the main release version numbers for all the nodes in your deployment on API Gateway Manager.
  • Use the managedomain command with the -v or --version options to find the installed version number, including any installed service pack or patches, and build information.
  • Easily tell which nodes you have updated and which you have not.

For more details, see API Gateway Administrator Guide.

Cassandra

Updates to Apache Cassandra support include:

  • The supported Cassandra version has been updated to v2.2.8.
  • The Cassandra client has changed from Hector to Datastax, and the driver updated to the recommended Datastax driver to ensure a reliable experience.
  • Improvements to the setup-cassandra script for local or remote use with Cassandra, and automatic backup of the Cassandra configuration.

For more details, see the API Gateway Installation Guide.

Performance and capacity planning

Improvements to performance benchmarks and capacity planning include:

  • The performance benchmarks have been updated to reflect real-life scenarios in API Gateway 7.5.3.
  • Performance testing was done on both single node and multinode HA configurations to provide scalability information for capacity planning.
  • The performance benchmarks for the API Manager REST API have been included.

Identity Access Management

Identity Access Management (IAM) integration has been refreshed:

  • New integration guide with example configuration flows for integrating with third-party products.
  • Updated support of third-party products:
    • IBM Tivoli Access Manager for e-business 6.1 (on Windows only)
    • IBM Secure Directory Service 6.4.0
    • CA Siteminder 12.52
    • RSA Access Manager 6.2

For more details, see API Gateway Authentication and Authorization Integration Guide.

Scriptable kpsadmin tool

The kpsadmin command has been updated to make it easier to manage Key Property Store (KPS) collections:

  • Perform group level operations to manage KPS collections.
  • Script and automate important operations, such as backup.
  • Re-encrypt KPS data.

Note: It is recommended to try out these features in a development environment before using them in a production environment.

For more details, see the API Gateway Key Property Store User Guide.

Visual Mapper

Improvements to the Visual Mapper graphical tool include:

  • Use code completion to type function parameters.
  • Get detailed error messages if the complex expressions you enter are incorrect.
  • Use the choose instructions to map an element based on multiple conditional tests.
  • Use new node functions: position and count.
  • Convert input values into outputs with different types using the conversion functions.

For more details on data maps, see the API Gateway Policy Developer Guide. For more details on Visual Mapper, see the API Gateway Visual Mapper User Guide.

Embedded Analytics with Prebuilt Dashboards (General Availability)

Improvements to Embedded Analytics include:

  • Get real-time operational and strategic analytics for API Management Plus using the preconfigured dashboards.
  • Proactively identify abnormal situations before they become critical and investigate the issues now and in the past.
  • Use different dashboards to view metrics for all personas in the API lifecycle.
  • Customize the dashboards to enhance and fine tune the analytics metrics to maximize visibility value in your environment.

For more details, see Embedded Analytics for API Management Plus documentation.

Deprecated features

The following features have been deprecated in this release:

Removed features

The following features have been removed in this release:

Fixed issues

The fixes for issues included in API Gateway v7.5.2 SP 1 and SP 2 are also included in API Gateway 7.5.3.

Fixed security vulnerabilities

Internal ID: RDAPI-6801
CVE Identifier: CVE-2016-0782, CVE-2016-0734, CVE-2015-5254
Issue: Apache ActiveMQ security vulnerabilities.
Resolution: Previously, API Gateway included Apache ActiveMQ version 5.12, which is vulnerable. Now, API Gateway includes Apache ActiveMQ 5.14.3, which addresses known vulnerabilities.

Internal ID: RDAPI-6935
Case ID: 00873460
CVE Identifier: CVE-2015-0225
Issue: False positive for CVE-2015-0225 during a security scan.
Resolution: During a security scan, a false positive was reported on API Gateway using cassandra-thrift-1.2.18.jar. Now, it has been verified that API Gateway does not use cassandra-thrift-1.2.18.jar and that all thrift dependencies have been removed.

Internal ID: RDAPI-7002
Case ID: 00874797
CVE Identifier: CVE-2016-5725
Issue: JSCH library not compatible with certain SSH ciphers.
Resolution: Previously, the JSCH library (JSCH 0.1.50) that API Gateway used for SFTP connections had a directory traversal vulnerability (CVE-2016-5725). Now, API Gateway uses JSCH 0.1.54, which addresses known vulnerabilities, including CVE-2016-5725.

Internal ID: RDAPI-7290
CVE Identifier: CVE-2013-5960
Issue: Security vulnerability in an SSO dependency.
Resolution: Previously, API Gateway SSO setup used OWASP ESAPI 2.0.1. Now, the product has been updated to use OWASP ESAPI 2.1.0.1.

Internal ID: RDAPI-7359
Case ID: 00878864
CVE Identifier: CVE-2017-3241
Issue: API Gateway Java vulnerabilities.
Resolution: Previously, API Gateway included a JRE version with security issues. Now, the JRE version has been updated to version 8u121, which fixes a number of security issues.

Internal ID: RDAPI-7477
Case ID: 00873458
CVE Identifier: CVE-2013-4517
Issue: Update XML Security for Java (xmlsec) to version 1.5.8.
Resolution: Previously, API Gateway included xmlsec-1.4.4.jar, which was vulnerable. Now, API Gateway includes xmlsec-1.5.8.jar, which addresses known vulnerabilities.

Internal ID: RDAPI-7574
CVE Identifier: CVE-2016-9878
Issue: Issue with the spring-core library.
Resolution: Previously, API Gateway Manager did not include a spring-core library. Now, the library has been updated to v4.3.5 to fix a security vulnerability (CVE-2016-9878).

Internal ID: RDAPI-7575
CVE Identifier: CVE-2016-5725
Issue: Upgrade Jsch dependency to v0.1.54.
Resolution: Previously, API Gateway included jsch-0.1.50.jar, which had the vulnerability CVE-2016-5725. Now, although API Gateway was not previously exposed to the vulnerability, the dependency has been updated to jsch-0.1.54.jar, which addresses all known vulnerabilities.

Internal ID: RDAPI-7602
CVE Identifier: CVE-2014-3577, CVE-2015-5262
Issue: Remove Fluent-hc dependency from API Gateway.
Resolution: Previously, API Gateway included fluent-hc-4.2.jar, which is vulnerable. Now, this jar is no longer used in API Gateway, and it has been removed.

Internal ID: RDAPI-8355
CVE Identifier: CVE-2012-4929
Issue: SSL compression enabled by default.
Resolution: Previously, SSL compression on API Gateway Appliance was enabled by default, which potentially exposed the appliance to the CRIME attack (CVE-2012-4929). Now, SSL compression is disabled by default.
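
A post-upgrade check for the library entries listed above, as an added example that is not Axway's code: it compares jar file names found in an installation against the versions these notes name. The artifact-name prefixes activemq and esapi, the function names and the sample listing are assumptions made for the example.

```python
"""Audit jar file names against the library versions named in the
fixed-security-vulnerabilities entries of these release notes (added example)."""
import re
from pathlib import Path

# Minimum versions the notes say 7.5.3 ships, keyed by artifact name.
# "activemq" and "esapi" are ASSUMED jar-name prefixes: the notes give the
# product versions (ActiveMQ 5.14.3, ESAPI 2.1.0.1) but not the file names.
MIN_FIXED = {
    "activemq": ("5.14.3", "RDAPI-6801"),
    "jsch": ("0.1.54", "RDAPI-7002, RDAPI-7575"),
    "esapi": ("2.1.0.1", "RDAPI-7290"),
    "xmlsec": ("1.5.8", "RDAPI-7477"),
    "spring-core": ("4.3.5", "RDAPI-7574"),
}

# Jars the notes say are no longer used or shipped.
MUST_BE_ABSENT = {
    "fluent-hc": "RDAPI-7602",
    "cassandra-thrift": "RDAPI-6935",
}

# name-1.2.3.jar, optionally with a qualifier such as .RELEASE or -SNAPSHOT
JAR_RE = re.compile(
    r"(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:[.\-][A-Za-z][\w.\-]*)?\.jar"
)


def parse_jar(filename):
    """Return (artifact, numeric_version) or None if the name does not fit."""
    m = JAR_RE.fullmatch(filename)
    return (m.group("name"), m.group("ver")) if m else None


def version_key(text, width=4):
    """Numeric tuple padded with zeros so that 5.14 and 5.14.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def _matches(artifact, key):
    # "activemq" matches activemq-client, activemq-broker, ... but not "activemqx"
    return artifact == key or artifact.startswith(key + "-")


def audit(jar_names):
    """Return (jar, reference, reason) tuples for jars that should be gone or newer."""
    findings = []
    for jar in sorted(jar_names):
        parsed = parse_jar(jar)
        if parsed is None:
            continue  # not a versioned jar name; name matching cannot judge it
        artifact, version = parsed
        for key, ref in MUST_BE_ABSENT.items():
            if _matches(artifact, key):
                findings.append((jar, ref, "no longer shipped, should be absent"))
        for key, (minimum, ref) in MIN_FIXED.items():
            if _matches(artifact, key) and version_key(version) < version_key(minimum):
                findings.append((jar, ref, f"older than {minimum}"))
    return findings


def audit_directory(root):
    """Audit every *.jar below root; the caller supplies the installation path."""
    return audit(p.name for p in Path(root).rglob("*.jar"))


# Constructed listing that imitates a partially upgraded installation.
SAMPLE_LISTING = [
    "activemq-client-5.12.0.jar",
    "jsch-0.1.50.jar",
    "jsch-0.1.54.jar",
    "esapi-2.0.1.jar",
    "xmlsec-1.5.8.jar",
    "spring-core-4.3.5.RELEASE.jar",
    "fluent-hc-4.2.jar",
    "cassandra-thrift-1.2.18.jar",
    "commons-lang3-3.4.jar",
]

if __name__ == "__main__":
    for jar, ref, reason in audit(SAMPLE_LISTING):
        print(f"{jar}: {reason} ({ref})")
```

File-name matching does not see renamed or repackaged jars, and the JRE update (RDAPI-7359) has to be checked separately.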

Other fixed issues

Internal ID Case ID Description
RDAPI-2998 00825813

Issue: Outdated information on JVM memory tuning in documentation.

Resolution: Previously, the API Gateway Administrator Guide contained outdated information on JVM memory performance tuning. Now, the outdated section has been removed.

RDAPI-3084

00831073

Issue: No information on how to configure API Gateway Analytics on Windows.
Resolution: Previously, the API Gateway Installation Guide did not explain how to configure API Gateway Analytics as a service on Windows. Now, the API Gateway Installation Guide has been updated to include an example of how to configure this on Windows.

RDAPI-3429

00833374

Issue: Reconnecting to hardware security module (HSM) server not working properly.
Resolution: Previously, if API Gateway lost the connection to a SafeNet Network HSM server, API Gateway did not handle cryptoki errors properly to re-establish the session. Now, API Gateway re-establishes the session and continues to work properly with the HSM server.

RDAPI-3913

00808278

Issue: Message content missing in Traffic Monitor when using redaction.
Resolution: Previously, when XML redaction was enabled and large payloads were received, the redaction layer could have problems parsing the chunks. Now, the XML redaction layer will always handle large payloads and chunking correctly.

RDAPI-4082

00840941

Issue: Configuration package loads very slowly in Policy Studio.
Resolution: Previously, under certain conditions, a configuration package (.fed file) could take unusually long to load in Policy Studio because of the time taken to calculate the visibility of the required and generated message attributes. Now, these conditions are handled correctly, and the message attribute calculations have returned to normal.

RDAPI-4648

00847257

Issue: XPath cannot be created in XPath wizard.
Resolution: Previously, when creating a new XPath, the XPath wizard would fail to create the XPath if the selected node was a digit. In addition, if the Namespace prefixes in the XPath included duplicates, the XPath could randomly fail at run-time.
Now, a digit node is added to the XPath as a text value, and it is no longer possible to create an XPath containing duplicate prefixes. If an existing configuration fails to resolve at run-time because of the prefix duplication, a message is logged into the trace.

RDAPI-4790

00842538

Issue: Wrong trace level for a new JSON body.
Resolution: Previously, API Gateway was adding diagnostic data about creation of a new JSON body in trace at INFO level. Now, API Gateway adds diagnostic data about creation of a new JSON body in trace at DEBUG level.

RDAPI-4875

00851718

Issue: JMS service does not display the environmentalized host URL.
Resolution: Previously, when environmentalizing IBM MQ URL, the JMS service still displayed the original value of the parameter in trace files. Now, the startup log message displays the correct environment value.

RDAPI-5268

00841109

Issue: Memory leak in Traffic Monitor.
Resolution: Previously, API Gateway might crash or report Out Of Memory errors due to a small memory leak in Traffic Monitor. Now, this memory leak has been fixed.

RDAPI-5356

00855626

Issue: OAuth filter fails when using an invalid selector.
Resolution: Previously, the "Resource Owner Credentials" filter failed if you used an invalid selector that resolved to null when configuring the filter. A NullPointerException was logged in the trace. Now, if the filter fails because of an invalid selector, an IllegalArgumentException is logged in the trace, telling you which selector is causing the issue.

RDAPI-5381 00856560

Issue: Too many failed login attempts on shared account block all users in API Gateway Manager.

Resolution: Previously, if you used a shared account to log in to API Gateway Manager (for example, admin) and any of the account users attempted to log in with a wrong password more than six times, all users logged in under that account were blocked and their active sessions terminated. This could be exploited as a denial-of-service (DoS) attack.

Now, if a user tries to log in with a wrong password more than six times, the other users logged in under the same account are not affected. Their active sessions continue even though further logins are prevented for a period of time.

RDAPI-5538

00855363

Issue: Throttling filter unreliable under heavy load using distributed cache.
Resolution: Previously, the Throttling filter was losing accuracy when the API Gateway instance was under heavy load, letting through more messages than you had specified. Now, the API Gateway instance works reliably even under heavy load, without letting through more messages than specified.

RDAPI-5545

00854184

Issue: Service name does not show for JMS requests in Traffic Monitor.
Resolution: Previously, the values for JMS attributes (Service, Operation, and Subject) were stored in the message after the event was written to the opsdb.d directory. Now, these attribute values are written to opsdb.d and are displayed in the corresponding columns in the JMS section in Traffic Monitor in API Gateway Manager.

RDAPI-5547

00855750

Issue: API Gateway Manager shows undefined gateway server values
Resolution: Previously, when Real Time Monitoring was disabled, the Host, Group, and Management Port fields for each instance displayed in the API Gateway Manager UI had values of Undefined, and the traffic charts showed no messages being processed. Now, the Host, Group, and Management Port fields are populated correctly, and the traffic charts are replaced by the text No Data.

RDAPI-5550

00855566

Issue: Cannot import a web service in Policy Studio.
Resolution: Previously, you could not export or import a web service in Policy Studio, because the WSDL associated with the web service was not available after import. Now, you can export and import a web service, and the WSDL associated with the web service is preserved on import.

RDAPI-5681

00849580, 00881178

Issue: Unable to log in to web UIs when using port forwarding.
Resolution: Previously, if you configured port mappings (Docker, tunneling, forwarding) and exposed API Manager and API Gateway Manager on different virtual hosts from the ones configured during installation, you could not log in to the web applications. Now, you can log in even if you configure port mapping such as port forwarding.

RDAPI-5699

00858525

Issue: Session filters do not work correctly with Connection filters.
Resolution: Previously, if you used a Create Session filter with a Connect To URL filter, the session cookies were overwritten and not stored in browser after executing the policy. Now, you can use Create Session, Check Session, and Connect To URL filters together in the same policy and the cookies are correctly stored and retrieved.

RDAPI-5871

00857893

Issue: Insufficient data logged for an error in the JSON Schema Validation filter.
Resolution: Previously, when the JSON Schema Validation filter encountered an error when validating JSON, only the basic error message field was logged in the json.errors message attribute, and this information was not always sufficient. Now, the JSON Schema Validation filter includes a new message attribute, json.errors.full. If the filter finds JSON not conforming to a given schema, this message attribute provides the full error context.

RDAPI-5903

00859112

Issue: Incomplete redaction.
Resolution: Previously, the API Gateway Manager web console displayed non-redacted query strings for outgoing HTTP requests. Now, non-redacted query strings are no longer stored. The redacted version of the query is still available in stored data.

RDAPI-5907

00852304

Issue: Issues with keys in SFTP user authentication.
Resolution: Previously, if you tried to store a public key and a dummy private key (because a private key is not required for SFTP user authentication), the sample authentication script failed when attempting to connect using the matching private key. Now, you can store a public key and a dummy private key, and the updated script correctly authenticates when connecting using the matching private key.

RDAPI-6039

00860536

Issue: Cross-site scripting (XSS) vulnerabilities in Analytics Reports REST API.
Resolution: Previously, Analytics Reports REST API was vulnerable to XSS attacks. Now, the XSS vulnerability has been addressed in Analytics Reports REST API.

RDAPI-6065 00854354

Issue: Conflicts between init.d scripts.

Resolution: Previously, the init.d/vshell-AdmNodeMgr script that managedomain creates for Node Manager and the cassandra-appliance init.d script both had the value Server in the Provides line. Now, the init.d/vshell-AdmNodeMgr has the value AxwayAdminNodeManager in the Provides line to avoid the conflict between these scripts.

RDAPI-6189

00839875

Issue: Error when XML signature generation configured for Symmetric Key.
Resolution: Previously, if the XML Signature Generation filter was configured to use a symmetric key and insert a SAML ID, the policy failed with a NullPointerException error. Now, the policy passes.

RDAPI-6213

00863107

Issue: Wrong authorization header encoding in OAuth authentication.
Resolution: Previously, OAuth Client applications that used the Authorization header to authenticate the app with the service provider incorrectly encoded the header with additional padding. Now, the header is properly encoded.

RDAPI-6257 00863872

Issue: Cannot use a dash ("-") in names when creating a new group in API Gateway Manager.

Resolution: Previously, you could only use alphanumeric characters and underscore ("_") in group names and API Gateway names. Now, group names and API Gateway names can contain any UTF-8 character with the following restrictions:

  • Names cannot contain \, /, `, $, ?, <, >, |, :, or " characters.
  • You cannot use . or .. as a name.

RDAPI-6351

00864374

Issue: Issue when configuring Cassandra settings in Policy Studio.
Resolution: Previously, if you tried to add selector strings to the Port field under Cassandra Host Settings in Server Settings > Cassandra > Hosts, you could not make any subsequent changes using the editor. Now, you can use selector strings and change them again later in the editor.

RDAPI-6490

00862092

Issue: Selectors not allowed when configuring the Alert filter.
Resolution: Previously, when you were configuring the Alert filter, you could not use a selector in the In time period (secs) field on the Tracking tab. Now, you can use a selector in that field.

RDAPI-6735

00867003

Issue: Limit when reading objects from a hardware security module (HSM).
Resolution: Previously, the HSM PKCS#11 Java interface implementation in API Gateway was limited to read only 10 objects from HSM. Now, the PKCS#11 Java interface implementation in API Gateway can read all objects in the HSM.

RDAPI-6742

00865176

Issue: API Gateway ignores server settings when tunneling from HTTP to HTTPS.
Resolution: Previously, if you used the Connect to URL filter to tunnel through an HTTP proxy to an HTTPS back end, API Gateway ignored the setting Server's SSL cert's name must match name of requested server in Server Settings and performed the hostname check regardless. This caused SSL certificate verification errors if you tried to connect to the back end using an IP address in the Connect To URL filter.
Now, API Gateway does not perform a hostname check if the setting Server's SSL cert's name must match name of requested server is disabled in the Server Settings.

RDAPI-6765

00869368

Issue: EULA prompts when only package and deploy tools are installed.
Resolution: Previously, if you only installed package and deploy tools, you were prompted to accept the end-user license agreement (EULA) every time you used the projpack or projdeploy script, even though you had already accepted it on the first installation. Now, you are no longer prompted to accept the EULA every time you use projpack or projdeploy.

RDAPI-6923

00869225

Issue: The setup-apimanager script ignores environmentalized values for Cassandra host.
Resolution: Previously, the setup-apimanager script did not use environmentalized values to connect to Cassandra. Now, the script respects environmentalized values (like an environmentalized Cassandra host) when connecting to Cassandra.

RDAPI-6947

00868341

Issue: Broken references when using the projpack script.
Resolution: Previously, the projpack script declared late bound references as broken references. Now, the late bound references are not considered broken references anymore.

RDAPI-6954

00867203

Issue: Issues with SAML Authentication and SAML Authorization filters.
Resolution: Previously, the SAML Authentication and SAML Authorization filters might behave unexpectedly if the policy was invoked in multiple simultaneous client requests. Now, the SAML Authentication and SAML Authorization filters work normally even when invoked in multiple simultaneous client requests.

RDAPI-6973

00872682

Issue: Bug in directory scanning when an API Gateway instance is stopped.
Resolution: Previously, when you stopped an API Gateway instance, any files that were moved to the processing folder after the stop request was sent and before the instance fully shut down remained in the processing folder and were not processed once the instance was restarted. Now, any files moved to the processing folder after the stop request is sent are moved back to the input folder before the instance fully shuts down, so that they are processed once the instance restarts.

RDAPI-6986

00871927

Issue: Unable to deselect items in Fragment Export.
Resolution: Previously, when you exported a fragment, all referenced configuration elements were exported by default. Now, before you export a fragment, you can use a suggested list of referenced configuration elements to select the configuration elements you do not want to include in the export.

RDAPI-7020

00875079

Issue: Unable to create a new instance if README.txt does not exist.
Resolution: Previously, the managedomain script threw an error and did not create a new API Gateway instance if the file ext/lib/README.txt did not exist. Now, the managedomain script creates an API Gateway instance even if the README.txt does not exist.

RDAPI-7102

00870279

Issue: Amazon AWS S4 signing is unsuccessful.
Resolution: Previously, using AWS S4 credentials to sign a request did not work, because API Gateway constructed the AWS region and servicename incorrectly. Now, API Gateway constructs the region and servicename correctly and the request is successfully signed.

RDAPI-7154

00873722, 00873438

Issue: Cassandra client authentication failure when changing group configuration passphrase.
Resolution: Previously, after you changed the group configuration passphrase, API Gateway could not connect to Cassandra anymore. In addition, Key Property Store (KPS) tables were not re-encrypted correctly. Now, if you change the group configuration passphrase, API Gateway successfully connects to Cassandra and the re-encryption of the KPS tables works as expected.

RDAPI-7291

00878187

Issue: Unable to load or edit MIME types in the Content Type filter.
Resolution: Previously, you could not use the Content Type filter in a project that did not have server settings. Now, you can.

RDAPI-7317

00872301

Issue: Misleading information on a Cassandra script.
Resolution: Previously, the API Gateway Installation Guide did not state that the updateCassandraSettings.py script runs against a .fed file. Now, the documentation has been updated to make this clear.

RDAPI-7338

00801017

Issue: Unable to configure the proxy settings for updates in Web Administration Interface (WAI).
Resolution: Previously, you could not use Web Administration Interface (WAI) to configure a proxy server to be used for software updates to API Gateway Appliance. Now, this is possible.

RDAPI-7374

00862631

Issue: Issues with nested relative paths.
Resolution: Previously, API Gateway generated a NullPointerException, a failed transaction, and incomplete Traffic Monitor information for nested relative path requests. Now, API Gateway completes the requests successfully, generates a successful transaction, and records all paths in Traffic Monitor.

RDAPI-7469

00879822

Issue: Spaces in user name not accepted in the API Gateway utilities.
Resolution: Previously, you could not use spaces in the user name in the managedomain and kpsadmin utilities. Now, the utilities accept spaces in the user name.

RDAPI-7498 00866577

Issue: Misleading information on redaction in documentation.

Resolution: Previously, the documentation mentioned redaction of trace files, which is not supported. Now, the documentation has been clarified and does not mention redaction of trace files.

RDAPI-7501

00878576

Issue: Unable to environmentalize a policy called in the Policy Shortcut filter.
Resolution: Previously, you could not environmentalize the policy that the Policy Shortcut filter calls. Now, you can environmentalize the called policy.

RDAPI-7541 00877285

Issue: Analytics configureserver does not allow the euro character ("€") in user name or password.

Resolution: Previously, the documentation did not mention limitations on API Gateway Analytics configureserver script when specifying the user name and password. Now, a clarification has been added to the API Gateway Installation Guide that configureserver script does not support the euro character when specifying the user name and password.

RDAPI-7547

00879409

Issue: WSDL import breaks.
Resolution: Previously, an older version of xerces (xercesImpl-2.8.0.jar) was present in the classpath alongside v2.11.0. In certain cases, this was causing errors in WSDL import. Now, the older xerces jar has been removed, and WSDL import is working as expected.

RDAPI-7732

00878868

Issue: Service outage when deploying to multiple instances.
Resolution: Previously, if you deployed to multiple API Gateway instances, the deployment happened to all instances at the same time. This caused a service outage, because none of the instances was available during that time. Now, the deployment is orchestrated one instance after another to ensure that an API Gateway instance is available to handle the incoming traffic throughout the deployment.

RDAPI-7850

00882355

Issue: Unable to deploy a policy package if the environment variable Bind the certificate at runtime is used.
Resolution: Previously, deploying a policy+environment package failed if your policy package contained late bound references. Now, you can deploy the policy package successfully even with late bound references.

RDAPI-7913

00882483

Issue: Cassandra download URL is wrong in the API Gateway Docker zip.
Resolution: Previously, when you executed the build.py script in an API Gateway Docker container, the Cassandra version was displayed as v2.2.7 and the Apache website returned an HTTP 404 error. This caused the command to fail. Now, Cassandra is upgraded to v2.2.8, the version is displayed correctly, and the Apache website does not return an error. The build.py script is executed successfully.

RDAPI-7928

00881808

Issue: SSL failure on large messages with the XML Signature Verification filter.
Resolution: Previously, the XML Signature Verification filter could inadvertently cause SSL failures on large messages. Now, the XML Signature Verification filter works as expected even with large messages.

RDAPI-8006

00833619

Issue: API Gateway crashes with short hostname aliases.
Resolution: Previously, the Connect to URL filter might cause API Gateway to crash if the hostname alias of the URL was very short, for example, http://loc:80 instead of http://localhost:8080. Now, API Gateway handles these requests without crashing.

RDAPI-8037

00883589

Issue: Policy Studio does not merge certificates correctly in dependent projects.
Resolution: Previously, Policy Studio did not display the list of certificates for a project with a project dependency if both projects contained different certificates from the same issuer. Now, the correct list of certificates for the selected project is displayed.

RDAPI-8101

00883721

Issue: Wrong information on changing the project passphrase.
Resolution: Previously, the documentation described how to change a project passphrase using a Policy Studio menu option that did not exist in Policy Studio. Now, the documentation has been updated to describe how to change a project passphrase using the projchangepass command.

RDAPI-8218

00886478

Issue: Performance degradation in JavaScript scripting filters.
Resolution: Previously, the documentation did not mention the possibility of a drop in performance if you did not update scripts from v7.4.0 and earlier to use the Nashorn engine syntax. Now, the documentation highlights this, and describes how to update the scripts.

RDAPI-9480 00900389

Issue: Default value for Unmarshal as field in JSON Path filter is incorrect in documentation.

Resolution: Previously, the user documentation for the Retrieve Attributes with JSON Path filter did not include the correct default value for the Unmarshal as field, and did not include example settings. Now, the documentation has been updated with the correct default data type and includes example settings.

RDAPI-10215 00882400

Issue: Documentation should specify that Docker containers require a license not locked to a specific host name.

Resolution: Previously, for Docker images, the API Gateway user documentation did not include the requirement for an API Gateway license that is not restricted to a specific host name. Now, the API Gateway Installation Guide states that Docker images require an API Gateway license that is not restricted to a specific host name, and which is available from your Axway account manager.

RDAPI-10351 00900738

Issue: HTTP security headers.

Resolution: Previously, the API Gateway user documentation did not describe how to customize HTTP security headers included in the API Gateway response on port 8090. Now, the topic on configuring HTTP services in the Policy Developer Guide includes a new section that explains how to customize the list of HTTP security headers included in the response.

Known issues

The following are known issues for this release of API Gateway:

Team development – Conflicts when adding dependencies between template projects

In Policy Studio, if you create a new common project from the Common Project template and a new API project from the API Project template and you try to add the API project as a dependent project of the common project, a conflict occurs.

This is due to an issue with the Axway PassPort repositories containing conflicting (randomly generated) password fields in the common and API projects.

As a workaround, use the Entity Explorer tool to set the value of the field FIELD_KEYSTORE_PASSWORD to the same value in both the common and API projects. For more information on using the Entity Explorer, see the API Gateway Developer Guide.

JSON path version change

Before upgrading to API Gateway v7.5.3, you must remove the old JSON path file ($VDISTDIR/system/lib/modules/json-path-1.2.0.jar). Upgrading to v7.5.3 installs a JSON path file (json-path-2.2.0.jar) in the same directory.

In addition, Policy Studio uses the JSON path file to validate path expressions. Before upgrading to v7.5.3, you must also remove the file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_VERSION_DATE/lib/json-path-1.2.0.jar). Upgrading to v7.5.3 installs a JSON path file (json-path-2.2.0.jar) in the same directory.

Note   If any JSON Path filters are used in a policy, check each JSON path expression for compatibility with json-path-2.2.0. A policy that worked in earlier versions might contain a JSON path expression that is invalid in API Gateway v7.5.3. For example:
  • Worked in earlier versions: $[?(@.virtualHost == <example>)]
  • Requires the following syntax in v7.5.3: $[?(@.virtualHost == '<example>')]
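
A heuristic pre-upgrade check for the quoting change described in the note above, as an added example that is not part of the Axway documentation or product: it flags bare string operands in JSON path filter predicates. The function names and sample expressions are constructed for illustration, and the expressions are assumed to have been copied out of the JSON Path filters by hand.

```python
import re

# String literal in single or double quotes (backslash escapes allowed).
_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"')
# Body of a filter predicate: [?( ... )]
_PREDICATE = re.compile(r"\[\?\((.*?)\)\]")
# Comparison operators, two-character forms first.
_OPERATOR = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*")
# Operands that are valid without quotes: numbers, booleans, null, a masked
# string literal, path references (@ or $) and array literals.
_BARE_OK = re.compile(r"^(?:-?\d+(?:\.\d+)?|true|false|null|''|[@$\[].*)$")


def unquoted_literals(expression):
    """Return the bare string operands in the filter predicates of a JSON path."""
    masked = _QUOTED.sub("''", expression)  # hide operators inside quoted text
    findings = []
    for predicate in _PREDICATE.findall(masked):
        for clause in re.split(r"&&|\|\|", predicate):
            parts = _OPERATOR.split(clause.strip().strip("()!"), maxsplit=1)
            if len(parts) != 3:
                continue  # existence test such as @.name: nothing is compared
            for operand in (parts[0], parts[2]):
                operand = operand.strip().strip("()")
                if operand and not _BARE_OK.match(operand):
                    findings.append(operand)
    return findings


def audit(expressions):
    """Map filter name -> bare operands, for expressions that need attention."""
    report = {}
    for name, expression in expressions.items():
        found = unquoted_literals(expression)
        if found:
            report[name] = found
    return report


# Constructed sample expressions (hypothetical filter names and values).
SAMPLE = {
    "Select host (old syntax)": "$[?(@.virtualHost == api.example.com)]",
    "Select host (quoted)": "$[?(@.virtualHost == 'api.example.com')]",
    "Cheap fiction": "$.store.book[?(@.price < 10 && @.category == fiction)]",
    "Operator inside string": '$[?(@.note == "a > b")]',
}

if __name__ == "__main__":
    for name, operands in audit(SAMPLE).items():
        print(f"{name}: quote {operands}")
```

Expressions that the check reports should still be validated in Policy Studio after the upgrade, because the check only looks at comparison operands.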

Export error holding on to KPS resources when upgrading API Gateway (Windows only)

The sysupgrade export command calls the old API Gateway version 7.x server to export Key Property Store (KPS) data to JSON files. On Windows, these JSON files are created successfully, but the locks on the JSON files are kept open because the old API Gateway server does not release the locks. For example, this means that if you try to delete the JSON file in Windows Explorer, you get a message that the file cannot be deleted because it is being used by another process. If you try to run sysupgrade export again, the export will fail.

This is only an issue when upgrading API Gateway versions earlier than 7.5.1.

The workaround is to restart the old API Gateway instance after each sysupgrade export, which releases the locks. To avoid downtime, you should restart each API Gateway instance after each export one-by-one.

API Manager users cannot complete registration after upgrading API Gateway

New users that were registered in API Manager before an upgrade, but who did not complete registration by activating their account with the link provided in email, cannot complete registration after the upgrade. The link in the email references the API Manager API v1.1 that is no longer available. For example:

https://<API Gateway IP address>/api/portal/v1.1/users/validateuser?email=s@s.com&validator=9a5addcb-e10c-499b-bf0a-0c70915f3862

The workaround is that the user copies the link address, pastes it to the address bar, and changes the API version v1.1 to v1.2 or v1.3. After this, the activation link works, and the user can complete registration.

Cassandra JRE bundled with API Gateway

When installing Cassandra, you are prompted to specify a JRE for Cassandra. You can select the default 32-bit JRE bundled with API Gateway. However, this default JRE has the following limitations on Windows:

  • Running Cassandra with this 32-bit JRE limits the maximum amount of memory available to Cassandra on 64-bit systems
  • You cannot use this JRE to run Cassandra as a Windows Service

It is recommended to download and install a separate 64-bit JRE before installing Cassandra on Windows, and select this JRE during Cassandra installation. Cassandra requires the latest version of JRE 8.

For more details, see the API Gateway Installation Guide.

PowerShell script execution policy

Modern Windows versions support the new PowerShell command-line interpreter. The Cassandra installation provides both the old .bat and the new .ps1 startup files.

When you run the cassandra command in CASSANDRA_HOME\bin, it runs either in the legacy startup mode or the new startup mode depending on the PowerShell script execution policy setting. If this policy is set to Unrestricted, the new PowerShell startup script runs. Otherwise, the legacy startup script runs.

The startup behavior and command line options are different depending on the type of startup. For more details, see the API Gateway Installation Guide.

TLS for non-default JRE

If you select an alternative JRE instead of the default JRE during the installation and want to enable Cassandra to use TLS, you must install Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction policies for your JRE.

Save to File filter

The Save to File filter may cause up to 2% of the transactions to fail with the following error:

java.lang.RuntimeException: No such file or directory. cannot remove file '/path/to/filename'

This happens in the following cases:

  • The Save to File filter is pointing to a directory where the number of files has already reached the set Maximum number of files limit.
  • The Save to File filter is part of a policy that is under heavy concurrent load.

If this happens, it is recommended to use a periodic job scheduled at an appropriate frequency for the "housekeeping" of the directory, and not to rely on the Save To File filter to do this.
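
One way to write the periodic housekeeping job recommended above, as an added example that is not Axway code: it keeps the directory below the filter's Maximum number of files setting and tolerates files that disappear while it runs. The function name, the parameters and the choice of "oldest first" are assumptions.

```python
import os
import time


def prune_directory(directory, keep, min_age_seconds=60, now=None):
    """Delete the oldest regular files until at most `keep` remain.

    Set `keep` below the filter's Maximum number of files so that the
    filter itself never has to remove a file. Returns the names removed.
    """
    now = time.time() if now is None else now
    entries = []
    with os.scandir(directory) as listing:
        for entry in listing:
            # Regular files only; never follow a symlink out of the directory.
            if not entry.is_file(follow_symlinks=False):
                continue
            try:
                mtime = entry.stat(follow_symlinks=False).st_mtime
            except FileNotFoundError:
                continue  # removed by another process since the listing
            entries.append((mtime, entry.name))
    entries.sort()  # oldest first
    excess = len(entries) - keep
    removed = []
    for mtime, name in entries:
        if excess <= 0:
            break
        if now - mtime < min_age_seconds:
            break  # this and all later files are recent and may still be written
        try:
            os.unlink(os.path.join(directory, name))
        except FileNotFoundError:
            pass  # already gone: the slot is free either way
        else:
            removed.append(name)
        excess -= 1
    return removed
```

Run it from a scheduler under the account that owns the output directory, at an interval short enough that the file count cannot reach the filter's limit between runs.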

WebSocket protocol

  • If you use %h in the Access Log initial string and your DNS configuration is not correct (for example, a name server configured on /etc/resolv.conf is not reachable), the HTTP Long Polling connections have a time delay at the API Gateway. WebSocket connections are not affected.
  • Adding the same URL for a WebSocket path and an HTTP path is not supported. You get an error message if you try this in Policy Studio.

JWT Filters

When you operate in FIPS mode, the implementation from the default, non-FIPS provider is invoked if any of the following algorithms is selected in the JWT Signing filter:

  • RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  • RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  • RSASSA-PSS using SHA-512 and MGF1 with SHA-512

To avoid this, disable the Bouncy Castle Crypto Provider in the /system/conf/jvm.xml file. After this change, when the JWT Signing filter is called with one of the above algorithms selected, the filter fails with the following error:

ERROR 18/Apr/2016:16:24:39.275 [4a48:17e014570200451f205ec316] java exception:

com.vordel.circuit.jwt.JWTException: com.nimbusds.jose.JOSEException: Unsupported RSASSA algorithm: SHA512withRSAandMGF1 Signature not available

For more details, see the API Gateway Policy Developer Guide.

Add JSON Node filter displays redacted data in trace

When the Add JSON Node filter is used in an API Gateway policy, and redaction of JSON message content has been configured, sensitive redacted data in the JSON body is still displayed in the API Gateway trace log file. Regardless of the trace level, the redacted data should be hidden in the trace log when the message body has been processed by API Gateway.

API Gateway Appliance OVA does not enforce password change

If you install the API Gateway Appliance using the virtual appliance OVA format, you are not prompted to change the password for the default administrator account (user name admin) when you first log in to the terminal or to the Web Administration Interface.

For security reasons, you should change this password when you first log in to the terminal or the Web Administration Interface.

No updates found when upgrading API Gateway on the appliance

When you upgrade your Appliance Platform to version 7.1.2 and try to upgrade your API Gateway software to version 7.5.3, the system reports that no updates are found. This is because the appliance update repository is pointing to the wrong URL.

A workaround is to edit the file /etc/zypp/repos.d/APIGATEWAY-UPDATES.repo and modify the baseurl as follows:

baseurl=https://appliance-repo.axway.com/repos/products/apigateway/7.5.3/updates/

Note   You must make this change after upgrading the Appliance Platform but before upgrading the API Gateway software.

Cassandra cqlsh does not run on upgraded API Gateway Appliance

When you upgrade your appliance to Appliance Platform 7.1.2 and API Gateway 7.5.3, the version of Python is not upgraded, and the cqlsh utility (which requires a newer version of Python) does not run. As a workaround, you can install Python version 2.7.11 and set cqlsh to use that version. For more details, see the API Gateway Appliance Installation and Administration Guide.

Increase in the minimum length for DH handshakes

In OpenSSL v1.0.2-i or later, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available, and DH handshakes with parameters shorter than 1024 bits are now rejected.

Tips and tricks

Upgrade

  • If you are upgrading API Gateway from v7.5.1 or 7.5.2 to v7.5.3, the Cassandra architecture is the same. You can continue using your existing Cassandra without any need to upgrade it.
  • If you are upgrading from API Gateway v7.4.1 or lower to v7.5.3, you should read the Release Notes for v7.5.1 and v7.5.2 as well. They contain important information on the key changes in previous releases that may have an effect on your implementation, such as the externalized Cassandra architecture and improved WebSocket protocol implementation.
  • If you are upgrading your API Gateway installation, and you are using a Scripting Language filter in your old installation with the Language field set to JavaScript (Rhino engine JRE7 and earlier), you must change the Language of the filter to JavaScript and ensure that the JavaScript syntax in the script conforms with Nashorn engine syntax. If you do not make these changes, the script continues to work in your new installation, but with a severe drop in performance. It is recommended to use Nashorn for all new development.

High availability

  • Cassandra is required for API Manager and optional for some API Gateway components (for example, OAuth, API keys, and custom KPS). If you have Cassandra installed, you must ensure that Cassandra is running before starting API Gateway.
  • To tolerate the loss of one Cassandra node and to ensure 100% data consistency, API Gateway requires the following cluster configuration in an HA production environment:
    • Three Cassandra nodes (with one seed node)
    • QUORUM consistency to ensure that you are reading from a quorum of Cassandra nodes (two) every time
    • Replication factor set to 3 so each node holds 100% of the data and you can tolerate the loss of one node
  • If you have an HA deployment (for example, two API Gateways and three Cassandra nodes), remember to start each node one at a time.

For more details, see Install Apache Cassandra in the API Gateway Installation Guide.

Multiple datacenters

  • You must add external load balancer hosts to the Node Manager whitelist to ensure that they are accepted in each datacenter.
  • You may need to increase the Node Manager timeout for longer API Gateway startup times in a multi-datacenter environment.
  • You may need to increase the maximum received bytes per transaction to optimize performance in a multi-datacenter environment.

For more details, see Multi-datacenter configuration in the API Gateway Installation Guide.

Performance

For best performance, do the following:

  • Always install the latest release and service packs to benefit from new improvements and features.
  • Use HTTP 1.1 instead of 1.0 whenever possible to enable persistent connections.
  • Use persistent connections throughout the entire stack, and overwrite the connection type with keep-alive whenever possible to avoid creating and dropping connections for each individual request.
  • Use Ehcache instead of KPS whenever possible, because data held in process memory is quicker to access.
  • Keep the thread count reasonable. As a rule of thumb, a good starting point is: initial latency (ms) * expected throughput (count) / 1000 ms = number of threads (count). In an HA deployment, you may want to account for the failure of one node. Note that the ratio of thread count to CPU cores affects latency. You may also want to consider horizontal scaling instead of vertical scaling.

Documentation

You can find the latest information and up-to-date user guides at the Axway Documentation portal at http://docs.axway.com.

This section describes documentation enhancements and related documentation.

Documentation enhancements

See What's new in documentation for a summary of the documentation changes in this release.

Go to the Axway Documentation portal at http://docs.axway.com to find documentation for this product version. Additional documentation may be available at Axway Support at https://support.axway.com.

The API Management Plus solution enables you to create, publish, promote, and manage Application Programming Interfaces (APIs) in a secure and scalable environment. For more information, see the API Management Plus Getting Started Guide.

The following reference documents are available on the Axway Documentation portal at http://docs.axway.com:

  • Supported Platforms: Lists the different operating systems, databases, browsers, and thick client platforms supported by each Axway product.
  • Interoperability Matrix: Provides product version and interoperability information for Axway products.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.

See Get help with API Gateway in the API Gateway Administrator Guide for the information that you should be prepared to provide when you contact Axway Support.
