Axway EBICS Gateway 3.5 Release Notes

Document version: 11 December 2020

EBICS Gateway 3.5 is classed as a Long Term Update in the Axway product life-cycle.

Important information about upgrade:

EBICS Gateway 3.5 introduces several major changes. If you are upgrading from a previous version, consult the Upgrade Guide for important information about tasks you need to perform before running the new version.

New features and enhancements

Bank segregation

Important: If you are using the Embedded application server, with Keycloak or LDAP for Identity & Access Management, EBICS Gateway 3.5 introduces mandatory bank segregation. The correct permissions must be assigned to users before they can access EBICS Gateway. Bank segregation provides additional security by ensuring that users only have access to the banks that they need for their daily work. An administrator will require access to all banks (ALL_BANKS_ALLOWED permission) to perform any required updates and to assign bank rights to regular users.

After upgrading to EBICS Gateway 3.5, no user will be able to connect to the EBICS Gateway UI until the Bank list properties file has been set up correctly.

For details, see Bank segregation in the EBICS Gateway 3.5 Administrator Guide.

Use Secure Relay with the integrated EBICS Client

Axway Secure Relay can now be used as a proxy in the DMZ to secure connections to the integrated EBICS Client. This is in addition to being able to use Secure Relay with the Server part of EBICS Gateway, which was already possible in previous versions. Note that the required version of Secure Relay is 2.7.x.

Additional database support

EBICS Gateway now includes support for:

  • MySQL 8
  • Oracle 19c
  • MariaDB
  • PostgreSQL 12 (or later)

New version of WildFly

The Embedded application server now runs on WildFly 20.

New encryption tool

This version of EBICS Gateway includes a new encryption tool called cipherTool. You can use this tool to encrypt any string, such as a password or passphrase. This new encryption tool replaces the encryptTool that was available in previous versions of EBICS Gateway.

Flexible Data Model

Objects are now configured at Bank level instead of Server level. Send and fetch transactions are configured per Bank, so each Bank can have its own set of send and fetch transactions. In certain screens of the UI it is possible to select one specific Bank or "All Banks".

Flexible supply related to accounts

Flexible supply allows you to supply files with specific account-related information such as IBAN, SWIFT, or customer-based. Flexible supply is managed directly from the EBICS Gateway UI — you do not need to use any additional tool. For details, see Using a Monitored directory as a flexible supplier in the EBICS Gateway 3.5 Administrator Guide.

Payload file size limitation

Only if you are using the Embedded application server.

You can now set an upper size limit for the upload of files. The setting applies to all Customers and EBICS Users. For details, see Use the EBICS Gateway Configuration tool in the EBICS Gateway 3.5 Administrator Guide.

New handlers

The following new handlers are available for send transactions:

  • Polish domestic payment (PLI)
  • Swiss Credit Transfer Initiation

Fixed issues

This section lists issues specifically resolved in this release. For details of corrections included in a service pack or patch, refer to the corresponding Readme file available from the Axway Support website.

Fixed security vulnerabilities

Case ID Internal ID CVE ID Description
RDEBICS-3348

Issue: HTTP Strict Transport Security (HSTS) not always enforced.

Resolution: For the Embedded application server, the fix is deployed by the installer. For WebSphere and EAP, a manual configuration step is required (as explained in the post-configuration tasks in the EBICS Gateway 3.5 Administrator Guide).
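To confirm that the RDEBICS-3348 fix is in effect, particularly on WebSphere or EAP where the configuration step is manual, the following added example (not Axway code) checks every response in a captured header stream for a usable Strict-Transport-Security header. The hostname in the comment and the sample responses are constructed placeholders.

```bash
# Added example: audit HSTS on every response in a captured header stream.
# Live use (hostname is a placeholder): curl -sIL https://gateway.example/ | hsts_audit

# Reads one or more HTTP response header blocks on stdin (curl -IL prints one
# block per redirect hop) and prints "<verdict><TAB><status line>" for each:
#   OK         Strict-Transport-Security present with a positive max-age
#   DISABLED   max-age=0, which tells the browser to forget the policy
#   MALFORMED  header present but no numeric max-age directive
#   MISSING    header absent on this response
# Exit status is non-zero if any response is not OK.
hsts_audit() {
  tr -d '\r' | awk '
    function report(   verdict) {
      if (status == "") return
      if (!seen)              verdict = "MISSING"
      else if (age == "")     verdict = "MALFORMED"
      else if (age + 0 == 0)  verdict = "DISABLED"
      else                    verdict = "OK"
      if (verdict != "OK") bad = 1
      printf "%s\t%s\n", verdict, status
    }
    /^HTTP\// { report(); status = $0; seen = 0; age = ""; next }
    # Header and directive names are case-insensitive; the value may be quoted.
    !seen && tolower($0) ~ /^strict-transport-security[ \t]*:/ {
      seen = 1
      line = tolower($0)
      if (match(line, /max-age[ \t]*=[ \t]*"?[0-9]+/)) {
        age = substr(line, RSTART, RLENGTH)
        sub(/^[^0-9]*/, "", age)
      }
    }
    END { report(); exit (bad ? 1 : 0) }'
}

# Constructed sample: a redirect without the header, then a page that sets it.
sample_headers() {
  printf 'HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n'
}

sample_headers | hsts_audit || echo "HSTS is not enforced on every response"
```

Run the audit against several entry points (login page, static resources, error pages), since the reported issue was that the header was not always present.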

Other fixed issues

Case ID Internal ID Description
01037702 RDEBICS-3042

Issue: PTK is always generated in English.

Resolution: Now, the PTK can be generated in German or English, depending on the EBICS User requesting the PTK and the language set up for this EBICS User in EBICS Gateway. Any other language setting will generate an English PTK.

01051333 RDEBICS-3068, RDEBICS-3104

Only if you are using the Embedded application server.

Issue: The following warning messages appeared in the server log at product startup:

...

12:23:29,343 WARN [org.hibernate.orm.deprecation] (ServerService Thread Pool – 79) HHH90000014: Found use of deprecated [org.hibernate.id.SequenceGenerator] sequence-based id generator; use org.hibernate.id.enhanced.SequenceStyleGenerator instead. See Hibernate Domain Model Mapping Guide for details.

...

12:23:39,080 WARN [org.jboss.weld.Bootstrap] (MSC service thread 1-2) WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for class org.jberet.creation.BatchBeanProducer is deprecated from CDI 1.1!

12:23:39,231 WARN [org.jboss.weld.Bootstrap] (MSC service thread 1-2) WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for class org.hibernate.validator.internal.cdi.interceptor.ValidationInterceptor is deprecated from CDI 1.1!

12:23:39,269 WARN [org.jboss.weld.Bootstrap] (MSC service thread 1-2) WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for class com.sun.faces.flow.FlowDiscoveryCDIHelper is deprecated from CDI 1.1!

...

Resolution: Fixed. The version of WildFly used in the embedded application server has been upgraded to WildFly 20.0.1.Final.

01058730 RDEBICS-3108

Issue: Importing master data using the curl command does not work. This issue only occurred if Keycloak was used for Access and Key Management. Importing master data was, however, possible using the EBICS Gateway GUI.

Resolution: Fixed. It is now possible to import master data using curl or the EBICS Gateway GUI, with no restrictions on choice of Access and Key Management (LDAP, Keycloak, or PassPort).

01059628 RDEBICS-3097

Issue: Server was generating a SEVERE log message that is proven to be harmless: "HANDLER Unknown : orderParams is NULL".

Resolution: Fixed. This log message is no longer generated.

01060970 RDEBICS-3105

Issue: Directory scanning error when using the embedded EBICS Client and Sentinel. If the dataDir location on the server has been changed from the default location, directory scanning cannot find the partner definition from the embedded EBICS Client.

An error message similar to this example will be generated:

2019-05-23 15:28:46,244 SEVERE [com.axway.fex.ebics.sentinel.AxwayLogInterceptor] (EJB default - 1) Unable to load Bank Configuration file, no notification will be sent to the Sentinel Server: java.io.FileNotFoundException: <filename> (No such file or directory)

Resolution: Fixed. EBICS Gateway now accepts other locations for the dataDir directory.

01068955 RDEBICS-3115

Issue: Server returns a 061099 (EBICS_INTERNAL_ERROR) when performing a send transaction.

When EBICS Client does not have the right bank keys and attempts a send, EBICS Gateway returns a 061099 EBICS_INTERNAL_ERROR message instead of the message 91008 EBICS_BANK_PUBKEY_UPDATE_REQUIRED.

To resolve the error, update the bank keys.

01069863 RDEBICS-3117

Only if you are using the Embedded application server.

Issue: Windows service no longer functions after upgrading EBICS Gateway. This happens because the Windows service directory defined in the previous version no longer exists.

Workaround:

  • Restore the <EBICS Gateway install dir>\applicationServer\bin\service directory from your backup of the previous version.
  • Restart the Windows service.

For more information, refer to "Run the Embedded application server as a Windows service" in the Administrator Guide.

01079355 RDEBICS-3128

Issue: Periodical tasks in error after trying to set up a permissions export with * for hour / minutes

Resolution: Fixed. In addition, the explanation about the time and date syntax for periodical tasks in the Administrator Guide has been improved.

01091593 RDEBICS-3140

Issue: Typo in server logs

Resolution: Fixed. The word "operation" is now spelled correctly.

01096460 RDEBICS-3147

Issue: Production issue after migration

Resolution: Fixed. Administrator Guide updated to state that the Force Certificates option must be selected when using EBICS with French banks.

01101408 RDEBICS-3153

Issue: Issue with a flow sent as duplicate

Resolution: Fixed

01104683 RDEBICS-3161

Issue: No CCY information available at User/Accounts level

Resolution: Fixed

01105479 RDEBICS-3164, RDEBICS-3197

Issue: The Messaging post-processing step is not able to handle a payload modified by the previous post-processing steps.

Resolution: Because the Messaging post-processing step is now deprecated, this fix only applies to the Axway Post-processing JMS Message post-processing step. Now this post-processing step uses the correct payload.

Note: For consistency reasons, when data at rest encryption is enabled in EBICS Gateway, Axway Post-processing JMS Message will send an XMLSec payload. If, however, data at rest encryption is disabled, the sent payload is not encrypted.

01111645 RDEBICS-3170

Issue: Protocol version issue not logged on Protocol logs.

Resolution: Fixed

01123358 RDEBICS-3189

Issue: Problem with Sentinel notifications in case of simultaneous Send or Fetch transactions (incoherent data sent to Sentinel).

Resolution: Fixed

01128677 RDEBICS-3224

Issue: Sentinel notifications for Fetch transactions were not sent to Event Router

Resolution: Fixed

01129233 RDEBICS-3219

Issue: Action "lock user"

Resolution: Fixed. The Permissions descriptions have been improved in the Administrator Guide.

01130294 RDEBICS-3221

Issue: Server sending EBICS_X509_CERTIFICATE_EXPIRED when it is not the case.

Resolution: Fixed

01131322 RDEBICS-3233

Issue: SQLGrammarException: could not extract ResultSet on purge

Resolution: The cleanup feature must be used rather than the purge command. The Administrator Guide has been updated.

01146388 RDEBICS-3251

Issue: Invalid message when a HPB is required

Resolution: Fixed

01152401 RDEBICS-3258

Issue: "Import user keys" option not present for master data import from outside GUI.

Resolution: Fixed

01152442 RDEBICS-3261

Issue: Attribute placeOfBirth is missing from the provided master-data.xsd.

Resolution: Fixed

01152463 RDEBICS-3296

Issue: XSD compliancy check on master data export.

Resolution: Fixed

01154717 RDEBICS-3266

Issue: Unexpected order orderState of POSTPROCESSING_DS during post processing.

Resolution: Fixed

01158986 RDEBICS-3272

Issue: Case sensitive logic between EBICS Gateway and LDAP.

Resolution: Fixed for new installations. If upgrading from an earlier version, refer to the information in the Upgrade Guide about removing conflicting user names in an LDAP/Oracle implementation.

01161410 RDEBICS-3277

Issue: Exported birthDate is incorrect.

Resolution: Fixed

01172858 RDEBICS-3337

Issue: Using the Next and Previous buttons on User-channels results in wrong displays.

Resolution: Fixed

01181787 RDEBICS-3384

Issue: Strange behavior on fetch with DateRange with end date excluded.

Resolution: Fixed

RDEBICS-3086

Issue: PassPort certificates expired on 09 August 2019 (PassportSSOCA) and on 28 November 2019 (PassportCA)

Resolution: Fixed. Added the new PassPort root certificates as trusted in the EBICS Gateway PassPort truststore, keeping the old ones for existing objects.

IMPORTANT:

  • You can install EBICS Gateway 3.5 even if you are not upgrading PassPort immediately.
  • Only upgrade PassPort to version 4.6.0 SP21 after you have installed EBICS Gateway 3.5.
  • This fix only applies to new installations. If you are upgrading from an older version of EBICS Gateway, you must update the certificates manually. Refer to the Knowledgebase article "How to manually update EBICS Gateway certificates after PassPort 2019 certificate renewal" on the Axway Support site at https://support.axway.com/kb/180327.

Known issues

Case ID Internal ID Description
RDEBICS-3369

Only if you are using an EAP application server.

Issue: Multiple warnings about XML bind dependency are present in the console. Warning in the log:

[Server:ebics-server] 21:17:15,842 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS015867: Deployment "deployment.bankrechner.ear.APP-INF/lib/securerelay-program-osgi-cftpkis-2.11.0-4.jar" is using a private module ("com.sun.xml.bind:main") which may be changed or removed in future versions without notice.

Workaround: Proceed as follows to prevent these warnings from appearing in the console:

  • Create a directory <EAP Install Root>/modules/com/sun/xml/bind/main
  • Copy the jars and module.xml files from <EAP Install Root>/modules/system/layers/base/com/sun/xml/bind/main to the new directory.
  • In the new directory, edit the module.xml file and remove value="private"
    • Original - <property name="jboss.api" value="private"/>
    • Target - <property name="jboss.api"/>
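
The workaround steps above as one repeatable shell function, given as an added example that is not part of the Axway documentation. The function takes the EAP install root as its argument; the demo tree, its `placeholder.jar` file and the simplified module.xml are constructed so the function can be tried offline.

```bash
# Added example: the RDEBICS-3369 workaround as a single function.
# Argument: the EAP install root (<EAP Install Root> in the steps above).
publish_xml_bind_module() {
  local eap_root src dst
  eap_root=$1
  src="$eap_root/modules/system/layers/base/com/sun/xml/bind/main"
  dst="$eap_root/modules/com/sun/xml/bind/main"
  [ -f "$src/module.xml" ] || { echo "module.xml not found in $src" >&2; return 1; }

  mkdir -p "$dst" || return 1
  # Copy every jar; module.xml is written separately with the attribute removed.
  cp "$src"/*.jar "$dst"/ || return 1
  # Drop only value="private" from the jboss.api property, tolerating extra spaces.
  sed 's|\(<property[[:space:]]\{1,\}name="jboss.api"\)[[:space:]]\{1,\}value="private"|\1|' \
      "$src/module.xml" > "$dst/module.xml" || return 1

  # Verify the copy: the property is still there, the private marker is gone.
  grep -q 'name="jboss.api"[[:space:]]*/>' "$dst/module.xml" || return 1
  ! grep -q 'name="jboss.api"[[:space:]]*value="private"' "$dst/module.xml"
}

# Constructed stand-in for an EAP tree (file names and XML are sample data).
make_demo_tree() {
  local root main
  root=$(mktemp -d)
  main="$root/modules/system/layers/base/com/sun/xml/bind/main"
  mkdir -p "$main"
  : > "$main/placeholder.jar"
  printf '%s\n' '<module name="com.sun.xml.bind">' '  <properties>' \
    '    <property name="jboss.api" value="private"/>' \
    '  </properties>' '</module>' > "$main/module.xml"
  echo "$root"
}

demo_root=$(make_demo_tree)
publish_xml_bind_module "$demo_root" &&
  cat "$demo_root/modules/com/sun/xml/bind/main/module.xml"
rm -rf "$demo_root"
```

The files under modules/system/layers/base are left unchanged, so the change is undone by deleting the new directory.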
RDEBICS-3486

Only if you are using Keycloak with the Embedded application server.

Issue: Multiple org.keycloak.adapters.OAuthRequestAuthenticator warnings appear in the server.log each time you log out of EBICS Gateway. Examples:

10:32:16,214 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-15) state parameter invalid
10:32:16,215 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-15) cookie: 8185186c-984a-493d-9985-b56dc9b66de4
10:32:16,216 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-15) queryParam: 877cdb6b-adeb-4148-863f-a2a29d19851c

You can ignore these warnings. They are generated because two different calls take place on logout resulting in different response cookies.

RDEBICS-3472

Only if you are using Keycloak with the Embedded application server.

Issue: "No state cookie" warnings when attempting to log in to EBICS Gateway. The UI displays "Bad Request". Example of warning in the log file:

2020-09-24 12:18:23,421 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie

This only occurs if you are running an older version of Keycloak.

Solution: It is strongly recommended to use Keycloak 10.0.2 (or higher). This is the version that was used when qualifying this release of EBICS Gateway.

RDEBICS-3499

Issue: Export statistics function throws SQL Exception with MariaDB and PostgreSQL if no Bank exists in the database. The exception is displayed on the UI as well as in the server.log file.

Workaround: Ensure that at least one Bank is present in the database before using this functionality.

RDEBICS-3516

Issue: Intermittent warnings about autoscroll in the server.log. Example:

12:31:25,013 WARNING [org.apache.myfaces.shared_tomahawk.renderkit.html.HtmlJavaScriptUtils] (default task-78) Error getting y offset for autoscroll feature. Bad param value: 0,249.3333282470703
12:31:25,013 WARNING [org.apache.myfaces.shared_tomahawk.renderkit.html.HtmlJavaScriptUtils] (default task-78) Error getting y offset for autoscroll feature. Bad param value: 0,249.3333282470703

This is due to a minor bug in a third party library in combination with the autoscroll feature and some newer browsers. You can ignore these warnings.

Deprecated features

The following items are classified as deprecated in EBICS Gateway 3.5. These features still function in this version of EBICS Gateway but it is advised to stop using them. They might not function in future versions of the product.

  • The Injector. Consider using the Import master data feature instead. For details, see Import master data in the EBICS Gateway 3.5 Administrator Guide.
  • The Supplier. Consider using the flexible supply feature. Flexible supply allows you to supply files without specifying an IBAN. Flexible supply is managed directly from the EBICS Gateway UI - you do not need to use any additional tool. For details, see Using a Monitored directory as a flexible supplier in the EBICS Gateway 3.5 Administrator Guide.
  • The following fetch handlers: Axway Database Fetch Handler, Axway Database Zip Fetch Handler, Axway Generic Fetch Transaction, Axway Generic Zip Fetch Handler.
  • The "Axway ActiveMQ Post-processing" step. Use the "Axway Post-processing JMS Message" step instead. For details, see Axway Post-processing JMS Message in the EBICS Gateway 3.5 Administrator Guide.
  • The encryptTool. Use the new encryption tool called cipherTool to encrypt any string, such as a password or passphrase. For details, see Password encryption tool in the EBICS Gateway 3.5 Administrator Guide.
  • The WebSphere application server. For new installations, it is recommended to use the Embedded application server.
  • Axway PassPort for IAM. If you are using the Embedded application server, it is recommended to use Keycloak or LDAP for Identity & Access Management.

Discontinued features

New technologies and evolution in customer requirements drive the need for Axway to modify or discontinue some features. The following features are discontinued in EBICS Gateway 3.5.

Discontinued handlers

  • VPB fetch handler (de.businesslogics.bankrechner.transaction.VPBTransaction)
  • ESG fetch handler (de.businesslogics.bankrechner.communication.ftp.ESGTransaction)

Documentation

This section lists the documents that relate to EBICS Gateway.

EBICS Gateway documentation set

The EBICS Gateway 3.5 documentation set includes the following documents:

All these documents, including PDF versions, are available on the Axway Documentation portal.

Quickly find all manuals

  1. Go to the Manuals page.
  2. Under Filters, select your product version.

  • Axway Supported Platforms: Lists the different operating systems, databases, browsers, and thick client platforms supported by each Axway product.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.

 
