Activator 5.12 SP3 release notes

The following are the release notes for Axway Activator 5.12 Service Pack 3. They include new features and enhancements, and known issues.

Optional Axway products for Activator 5.12 require the following versions.

Axway product   Version   Service Pack
Sentinel        4.1.0     2
PassPort        4.6.0     6
Composer        3.4.2     2, Patch 1

For service pack installation procedures, see the "Apply service packs and patches" section of the Activator Installation Guide.

New features and enhancements

Acceptance of email sender by domain: Email pickups now include an option for accepting inbound emails via POP3/SMTP based on a list of authorized domains. This enables multiple individuals within a partner organization to send messages to Activator. Wildcard characters are supported for defining groups of accepted email sending addresses.

Sequencing of consumed messages by destination delivery exchange: Activator now offers an option (set at the level of the pickup exchange) that enables the processing of consumed messages in the order in which they are consumed, and additionally orders the processing of messages per their resolved delivery exchange.

Sentinel tracking of FTP/SFTP customer download events: When a remote partner accesses the embedded FTP/SFTP server to download a file, Activator now generates and sends an event to Sentinel that indicates one of the following new STATES:

  • Downloading
  • Downloaded
  • Interrupted
  • Removed

For additional information about Sentinel tracking of embedded FTP/SFTP server event states, see the Activator Administrator Guide, XFBTransfer topic.

Visibility - Sentinel performance and exchange monitoring:

  • More detailed reporting to Sentinel
  • HeartBeat node monitoring - Activator now delivers the Activator and Secure Relay (DMZ) node status reporting in Sentinel
  • Improved installation and configuration, including configuration of the backup Sentinel server for notifications
  • Sentinel server connection configuration from the Activator user interface
  • Sentinel tracking of WebTrader events - Sentinel now collects information about WebTrader user and administrator actions.
  • Sentinel Tracked Object evolutions - The number of events reported by the Sentinel Tracked Object for Activator has been reduced to limit processing load.

Admin user password change requirement: To enhance product security, when logging into the Activator user interface for the first time as the admin user, the interface requires you to change the default admin password. This new validation does not apply to updated systems where the user (admin) already has access.

Security improvements:

  • Access control enhancements - more permissions, controls, and restrictions
  • Broader support for encryption and TLS/SSL everywhere
  • Broader configuration of encryption on partner and transaction type levels
  • PGP enhancements

Security Governance: Enhanced fine-grained roles and access controls ensure a comprehensive approach to user level permissions and restrictions. Encryption and TLS/SSL are fully supported throughout the product, as is password credential encryption. Additionally, EDI transaction-type level encryption and signing validation is supported.

Windows 2012 platform support: Activator 5.12 has been tested and validated on Windows Server 2012 R2 and SMB3 platforms. Axway confirms that Activator additionally supports Windows Server 2012 RI with SMB3. See the Activator 5.12 Installation Guide for specific Windows configuration requirements.

Web Services SOAP header metadata: You can now configure Activator to generate metadata attributes from the SOAP headers of inbound Web Services messages. The metadata can be used in ways similar to other Activator-handled metadata.

FTP message processing can now be set to the order of oldest to newest: FTP external pickup configuration now enables you to use the consumption order (consumption timestamp) to determine the message processing order.

MLLP transport support: Activator now supports the exchange of messages using MLLP.

Other enhanced transports: Adapter enhancements have been made to multiple communication protocols including Email (APOP support), WebSphere MQ (V8/SSL, Multi-Instance), FTP (SAPPEND/SUNIQUE), and PeSIT.

AS4 support: Activator provides full and certified support for the two AS4 conformance profiles: AS4 ebHandler Conformance Profile and AS4 Light Client Conformance Profile. The AS4 conformance policy is a subset of the ebMS specification. AS4 provides an entry-level on-ramp for business-to-business web services based messaging. The message packaging is governed by ebMS 3.0 and provides support for push and pull message exchange patterns.

User interface enhancements:

  • Enhanced search tools including more granularity for searches of unpackaged protocols
  • Improved display controls - Pagination / scalability for displays of thousands of configuration objects
  • Updated navigation and help links
  • Permission-driven control of users' rights to change/delete all objects
  • Flexible trading partner management, with user-defined attributes

WebSphere MQ 8.x support: Activator now provides JARs in support of WebSphere MQ 8.x

CRL retrieval using HTTPS URLs: You can now configure automated CRL checking and downloading using HTTPS URLs, in addition to the HTTP and LDAP URLs that were already supported.

Documentation updates: The following documents have been updated to take into account new product features and enhancements:

  • Activator Administrator Guide
  • Activator Installation Guide
  • Activator online help

Discontinued functionality

The following features have been discontinued in Activator 5.12:

  • Platforms
    Activator 5.12 is only supported on Windows, Linux, and AIX. See the Activator Installation Guide for more details.
  • EBICS
    Activator 5.12 does not support EBICS.
  • Anonymous user for staged HTTP discontinued
    Activator 5.12 no longer supports the anonymous user feature. Instead, there is now a default remote user included with the deployment.
  • Persistable event queue discontinued
    The persistable event queue for Sentinel is no longer supported.

Virtualization support for x86/x64 based systems

Axway generally supports product installation and operation on VMware virtual machine platforms. For Activator support cases, Axway will investigate and troubleshoot a problem until it is determined that the problem is due to virtualization. If Axway suspects that a specific defect occurs because the system is virtualized and we cannot reproduce the problem in a non-virtualized environment, we will ask you either to reproduce the defect in a non-virtualized environment and contact the virtualization vendor for a resolution, or to switch to a non-virtualized platform.

Important note for FIPS implementations

This announcement applies to all Activator implementations that adhere to the Federal Information Processing Standards (FIPS). In Activator, FIPS is a license key-enabled option that turns on FIPS-compliant implementations of certain cryptographic algorithms. 

The security provider libraries for FIPS have been updated in Activator 5.12. There is now stricter enforcement of the allowable key lengths in RSA Key Pair Generation, aligned with the following excerpt of the requirement. Full NIST requirements are available at:
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf.

"This Standard specifies three choices for the length of the modulus (i.e., nlen): 1024, 2048 and 3072 bits. Federal Government entities shall generate digital signatures using one or more of these choices."

As a result, cryptographic functions that use alternate key lengths (for example 512 or 4096) will be blocked while in FIPS mode. This could render trading with existing certificates inoperable, including certificates imported from trading partners. Administrators of existing Activator installations who upgrade to Activator 5.12, and who have keys of alternate lengths (512 and 4096 are most common) must either:

  • Update (import new, or re-generate) any certificates that are not compatible (those not of a 1024, 2048, or 3072 length)

- or -

  • Disable the key length enforcement. See Override FIPS key length validation.
    Caution: Disabling key length validation will make your environment non-FIPS compliant, and non-compliant with the Federal standard. It should only be used as a temporary measure.
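Before upgrading, it helps to know which certificates the stricter enforcement will block. The following Python script is an added example, not Axway code and not part of these release notes: it reads the RSA modulus length from a DER-encoded public key (SubjectPublicKeyInfo or PKCS#1 RSAPublicKey) and reports keys outside the 1024/2048/3072 set. It assumes the public keys have already been exported in DER form; the aliases, function names, and sample keys are constructed for illustration.

```python
# Added example; sample keys are constructed placeholders, not usable key material.
FIPS_186_3_NLEN = {1024, 2048, 3072}   # the three modulus lengths quoted above
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits count the length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus bit length from a DER SubjectPublicKeyInfo or PKCS#1 RSAPublicKey."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, first, nxt = read_tlv(seq)
    if tag == 0x30:                     # SPKI: AlgorithmIdentifier, then BIT STRING
        if seq[:nxt] != RSA_ALG_ID:
            raise ValueError("not an RSA key")
        tag, bits, _ = read_tlv(seq, nxt)
        if tag != 0x03 or bits[:1] != b"\x00":
            raise ValueError("expected BIT STRING with no unused bits")
        return rsa_modulus_bits(bits[1:])
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()

def audit(keys):
    """Return sorted (alias, bits) pairs for keys outside the FIPS 186-3 set."""
    found = ((alias, rsa_modulus_bits(der)) for alias, der in keys.items())
    return sorted(pair for pair in found if pair[1] not in FIPS_186_3_NLEN)

# --- constructed sample input (hypothetical aliases) ---
def _der(tag, body):
    n = len(body)
    if n >= 0x80:                       # long-form length
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(octets)]) + octets + body
    return bytes([tag, n]) + body
def _int(value):
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))
def sample_key(bits, spki=True):
    """Placeholder key: modulus has exactly `bits` bits, e = 65537."""
    pkcs1 = _der(0x30, _int((1 << (bits - 1)) | 1) + _int(65537))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + pkcs1)) if spki else pkcs1

SAMPLE = {"community-signing": sample_key(2048), "partner-legacy": sample_key(512),
          "partner-large": sample_key(4096),
          "partner-pkcs1": sample_key(3072, spki=False)}

if __name__ == "__main__":
    for alias, bits in audit(SAMPLE):
        print(f"{alias}: RSA-{bits} would be blocked in FIPS mode")
```

Keys that the script reports are the ones to replace or re-import before relying on FIPS mode after the upgrade.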

Known issues

  • Sentinel displays incorrect order for XFBTransfer events
    Issue: Depending on the version of the XFBTransfer tracked object you are using, Sentinel may incorrectly record and display the order of events tracked by this tracked object.
    Workaround:
    1. Unzip the contents of interchange.zip, located at Components\_<version>\extras\sentinel, and import the XFB_ALL_EN.xml file into Composer.
    2. In Composer, go to the General subtab and expand the Tracked Object node.
    3. Double-click the XFBTransfer Tracked Object in the list of installed Tracked Objects.
    4. Select the Advanced tab.
    5. In the Event display order section, select the State order option, and in the "State order" field add the following states:
      [TO_EXECUTE],[SUPPLIED],[CONSUMING],[CREATED],[RETRY], [RESEND],[REPROCESS],[PENDING],[APPROVED],[UNPACK],[PACK], [SUSPENDED],[AVAILABLE],[PRODUCING],[SENDING],[VERIFIED],[RECEIVING], [INTERRUPTED],[REJECTED],[CANCELED],[SENT],[RECEIVED],[TERMINATED], [DELIVERED],[ROUTED],[ENDED_TO_ACK],[TO_ACK],[ACK_COMPLETE], [ACKED],[NACKED],[DOWNLOADING],[DOWNLOADED],[ACCESSED],[REMOVED],[PURGED]
    6. Deploy the modified tracked object from Composer to your runtime server.
  • SSO: SSO is not supported for this release.
  • With ebXML intermediary (SMTP), message cannot be delivered to external SMTP server
    When setting up an ebXML intermediary (SMTP), an embedded SMTP server must be used for the receiver. If the external SMTP server is used, the trading to the receiver fails.
  • MQ/SSL - Cipher SSL_RSA_WITH_RC4_128_SHA does not work with 8.0 server/jars
    Using MQ 8.0 forces the support of a new cipher spec/cipher suite combination (TLS_RSA_WITH_RCA_128_SHA256/SSL_RSA_WITH_RC4_128_SHA) from the unsupported combination (RC4_SHA_US/SSL_RSA_WITH_RC4_128_SHA). This change by IBM is documented and can be accessed from the following link: http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
  • AS4: SoapHeaderAndBody packaging method is not supported
    Messages that are sent over AS4 can be packaged using the BodyOnly method only. SOAPHeaderAndBody is not currently supported. This issue will be fixed in a future release.
  • AS4: Incorrect receipt linking
    A receipt for a failed receipt is not linked with the initial receipt on the receiver, when the first receipt is signed with a certificate belonging to another partner.
  • AS4: Incorrectly signed synchronous push receipts are not rejected
    If an AS4 message push sender is configured to expect synchronous receipts for sent messages that are signed with the SHA 256 algorithm, and the returned receipt is signed with SHA1, then the original push sender does not reject the incorrectly signed receipt.
  • AS4: Wrong signature generated when using SOAP body with CDATA and MTOM in combination
    When "Sign Message" and "Use MTOM" are enabled in collaboration settings, and a SOAP body payload has both CDATA and base64 encoded content, the wrong signature value is generated. When the receiver receives this message, it incorrectly fails the message and generates a "The signature or decryption was invalid" SOAP fault.
  • AS4: Username tokens are not encrypted for asynchronous automatically-generated receipts in response to pulled user messages
    Automatically-generated receipts contain an unencrypted username token in the following scenario:
      • User messages are consumed by a client in Pull mode where (a) "generate receipts" is enabled by the AS4 pulling client, and (b) both "encrypt" and "usernameToken" are enabled in the server's AS4 collaboration settings.
    The same behavior occurs when asynchronous receipts are generated in push mode for successfully-processed split messages.
  • AS4: Reconstructed (split and rejoined) messages fail if the rejoined packaged size exceeds the maximum configured message size
    Although the individual elements of a split message do not exceed the "Restrict maximum file size for this transport" setting, if the rejoined message exceeds the maximum size, the message fails.
  • AS4: No negative response receipt is returned when the splitting fragment numbering is incorrect
    If the splitting fragment number is set to a valid value, but that value corresponds to another fragment, no negative response receipt is returned. The reconstructed message fails with the reason: "Failure: java.io.IOException: End of Stream, but boundary not found". No negative response receipt is generated.

  • AS4: Unable to specialize the as4.fragmentSize value for inbound fragments at trading pickup level
    When consuming split message fragments on an AS4 community trading pickup, it is not possible to specialize the as4.fragmentSize restriction on the trading pickup. Currently as4.fragmentSize is a global system property and applies to both outbound and inbound flows.
  • AS4: Unable to configure a partner-specific fragment size in collaboration settings
    Currently, metadata can be added only in the message attributes section of the polling client and AS4 protocol exchange.
  • AS4: Split compression algorithm is set to "gzip" on the first fragment and to "application/gzip" on the original message and other fragments
    When a file is split into multiple fragments, if the MIME/GZIP algorithm was selected for the MIME envelope compression under AS4 collaboration settings/split messages, then on the sender side in Message Tracker, "Split Compression Algorithm metadata" is set to "gzip" on the first fragment and to "application/gzip" on the original message and other fragments. The expected behavior is for the algorithm to be the same for all fragments and for the original payload.
  • AS4: Upgrades from earlier implementations
    Activator offers native AS4 support as a license-enabled feature from version 5.12 only. In earlier versions, it was possible to implement AS4 trading through Web Services features combined with custom plug-in code. The migration of these custom AS4 implementations to 5.12 native features is not supported by the upgrade code, and must be handled through manual reconfiguration.
  • Upgrade limitation: Message Tracker fails to display message details
    After upgrading an Activator 5.10 implementation to Activator 5.12, Message Tracker no longer displays message-processing details of messages that were processed prior to the Activator 5.12 upgrade.
  • Cipher suites fail with secure protocols (FTPS, HTTPS, ...)
    The following cipher suites do not function in support of secure protocol connections in Activator 5.12:
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_NULL_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_RC4_128_SHA
    • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_RSA_WITH_NULL_SHA
    This issue will be fixed in an upcoming service pack.
  • MQSeries 7.x server access
    Activator 5.12 installs updated WebSphere MQ jars. You may need to modify the MQSeries configuration in order to enable an existing MQ 7.x configuration to work after upgrading to Activator 5.12.
    In some cases, the MQ jars that are updated in Activator 5.12 enable additional MQ 7.x security features. Depending on your configuration, you may need to do one or more of the following:
      • Update channel authentication records
      • Add or update authentication or object authorities
      • Add an MQ user to an Activator MQ exchange point that formerly worked anonymously
    We recommend that you contact your MQ administrator if problems are noted.
  • MQ/SSL cipher suite selection – In the Activator user interface, when configuring an IBM WebSphere MQ pickup or delivery exchange with SSL, it is necessary to select the SSL cipher suite to use. The cipher suite that you select must correspond to a specific cipher specification that the IBM server supports. The following table indicates the correct relationship between specification and cipher suite. Additionally, cipher suites preceded by an asterisk (*) are used to connect to a FIPS provider and, although they are displayed, they are not currently supported in Activator:
    Cipher specification (MQSeries name)  Activator JSSE cipher suite
    DES_SHA_EXPORT1024                    *SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
    RC4_56_SHA_EXPORT1024                 *SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
    RC4_MD5_EXPORT                        SSL_RSA_EXPORT_WITH_RC4_40_MD5
    RC2_MD5_EXPORT                        *SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    FIPS_WITH_3DES_EDE_CBC_SHA            *SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA         *SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA          *SSL_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA          *SSL_RSA_WITH_AES_256_CBC_SHA
    DES_SHA_EXPORT                        SSL_RSA_WITH_DES_CBC_SHA
    NULL_MD5                              SSL_RSA_WITH_NULL_MD5
    NULL_SHA                              SSL_RSA_WITH_NULL_SHA
    RC4_MD5_US                            SSL_RSA_WITH_RC4_128_MD5
    RC4_SHA_US                            SSL_RSA_WITH_RC4_128_SHA
    * Not currently supported. Do not select this cipher suite.
  • General Web Services limitations:
    • Activator 5.12 supports Web Services on the trading (partner side), but not on the application side.
    • By default, WS-Addressing must be used in provider mode. To disable the need for WS-addressing, refer to the alternate axis2NoWSAddressing.xml file in your WS pickup configuration.
    • The Activator WSDL wizard currently only supports the generation of WSDL definitions. These definitions cannot be edited afterwards. To change the WS interface, you must either regenerate a new WSDL using the wizard, or edit the WSDL manually.
  • Web Services provider mode HTTP connection fails to close – When configuring Web Services provider mode for one-way communication with faults returned to client, on the Web Service trading pickup you must normally select the option "Synchronous response generated in backend" in order to enable sending of the fault file to the requesting service consumer. However, if the incoming request message does not trigger a fault and is correctly delivered to the back end, the HTTP connection is kept open until timeout on the client side.
  • Workaround – For a one-way Web Service provider configuration, do not select the option "Synchronous response generated in backend". This prevents the provider from sending a fault message, but allows the connection to close normally after receiving the client request message.
  • Uninstalling Activator in Windows non-service mode – The Activator server must be stopped before Activator can be properly uninstalled. In Windows environments when Activator components are installed in Windows Service mode, the uninstaller automatically stops the server before proceeding with the uninstall. However, if you installed the components in manual start mode, you must be sure to manually stop all components before uninstalling.
  • EBICS - EBICS is not supported in Activator 5.12.
  • MQ JAR version conflicts block trading - You cannot have multiple versions of JMS provider JAR files in the ...Interchange/site/jars or ...Interchange/corelib/db/ directories. For example, if you already have v7.5 IBM MQ JARs and then add V8.0 JARs, you must remove the older JARS to avoid conflicts.
  • Cannot create an embedded WebDAV SSL partner delivery - When defining a WebDav embedded SSL server to support a WebDav type partner delivery, you cannot successfully add a trusted SSL root certificate linked to the partner. This prevents the creation of a valid WebDav delivery.

Related documentation

Axway Activator is accompanied by a complete set of documentation, covering all aspects of using the product. These documents include the following:

  • Activator online help
  • Activator Installation Guide
  • Activator Administrator Guide

All Axway documentation is available from Axway Sphere at support.axway.com.

Support services

The Axway Global Support team provides worldwide support 24/7. You can find all support numbers by country on Axway Sphere at support.axway.com.

In addition, you can download the latest information from Axway Sphere relating to Activator including:

  • Technical articles
  • Information about supported platforms
  • Service Packs and Patches
  • FAQs

For more information about Axway training services, go to: www.axway.com.


Copyright © Axway Software 2015. All rights reserved.
