Axway Gateway documentation

What's new in this version

Gateway 6.17.3 SP5

What's new Refer to
Gateway's response for a non-existent file can be switched from an empty listing to 550 (Requested action not taken). To configure this behavior, set the peluconf [ft_ftp] alter_list_response parameter to 1.

Gateway 6.17.3 SP4

What's new Refer to
SFTPv6 protocol can now be disabled through configuration at remote site level.
HTTP authentication protocols NTLM and NTLMv2 are now supported for Gateway Client.

Gateway 6.17.3 SP3

What's new Refer to
X-Priority SMIME headers now have alphanumeric values starting with the 1902 SEPAMAIL standard. Numeric values are encoded as 1 = HIGHEST, 2 = HIGH, 3 = NORMAL, 4 = LOW, 5 = LOWEST.

Gateway 6.17.3 SP2

What's new Refer to

Improved cache for PassPort: Gateway can be configured to cache user authentication and privileges when PassPort AM is configured as access manager.

Configuring connectors
You can set a policy to archive audit files automatically.

Managing audits > Viewing and managing Audit

New option to avoid restart on broken statuses caused by vital processes

Messages and codes > Process Monitoring messages (GC)

Gateway now chooses a local certificate only if its key is compatible with the key exchange algorithm of the negotiated cipher. You can therefore configure a security profile with multiple certificates to serve connections with different requirement levels: old software that supports only RSA ciphers, as well as new software that supports elliptic curve cryptography.

Security guide > Managing TLS > Certification path building mode

Command line option to disable the use of MD5 hash algorithms

Security guide > TLS Cipher suites

Security guide > Using SSH

Delete only temporary files when purging, option to keep mailbox record

Managing transfers > ... > Working with Purge Models (command line)

Managing transfers > ... > Viewing and managing Mailbox contents

To preserve security, the Browse button has been removed from Navigator.

All references to the Browse button removed in documentation.

Gateway supports SFTP versions 0, 1, 2, 3 and 6

Protocols > SFTP protocol

Gateway 6.17.3 SP1

What's new Refer to

Documentation

To protect the security of your data, documentation content previously contained in the User guide under the Managing security chapter has been moved to the Security guide > Security administration.

The reason is that access to the Security guide is restricted on the internet to users with Axway IDs, which excludes malevolent hackers looking for insights into any sensitive information. 

Security guide > Security administration (requires a login)

The connection to Integrator/XIB can be secured using TLS

Configuration > Configuring connectors


Gateway 6.17.3

What's new Refer to
TLS extensions: When connecting as a client, Gateway uses the host name of the remote partner as the value for the Server Name Indication extension, as specified by RFC 6066 from the IETF.

See restrictions:

Security guide > SSL and TLS protocols > TLS Extensions

Native support for 64-bit architecture on AIX and Windows

Installation guide > Installation prerequisites

SWIFT: Compliance with SWIFT CSP

 
Multiple backup sites for SWIFTNet remote sites. Gateway now allows up to 4 backup sites for each SWIFTNet remote site.

Site objects: Parameters List

Longer keys: maximum length of certificates with RSA keys imported in Gateway is raised to 8192 bits (formerly 4096). PEM and DER formats are supported.

Only RSA-based signature algorithms are supported. Two hash algorithms are available and can be associated with RSA: MD5 and SHA-1.

Security guide > Certificate Restrictions

Security guide > Managing TLS

Updated OpenSSL: Cryptographic operations now rely on OpenSSL version 1.0.2k  
JMS logging now supported by Apache Log4j 2  

No longer supported in this version:

  • ETEBAC 3 Client & Bank and ETEBAC 5 Client & Bank
  • Infozip and infounzip tools
 

Gateway 6.17.2 SP2

What's new Refer to

Cipher suites configuration

You can now configure, in both the GUI and the CLI, up to 32 TLS ciphers in TLS security profiles (server and client).

Security guide > Managing TLS Security Profiles

Audit support

Gateway stores the actions performed by users on the Gateway configuration (global and object configuration) in a dedicated file, providing visibility of the changes made to the product. This functionality cannot be disabled.

Managing Audit files

Payload integrity

You can enable the payload integrity check to ensure that the payload has not changed between the moment it was received by Gateway and further actions: routing to Integrator or routing to a third party. For incoming transfers, the protocols for which the signature is computed in Gateway are SWIFTNet, PeSIT and JMS.
Security guide > Payload Security

Gateway 6.17.2

What's new Refer to
Encryption of password information in export files

Security guide > Managing SSH Security Profiles (command line)

Security guide > Managing TLS Security Profiles (command line)

User guide > Importing and exporting objects

ECDSA support with PassPort and XSR Termination

ECDSA keys and certificates can now be used with PassPort and XSR Termination. Make sure you use PassPort 4.6 SP12 P2 and SecureRelayRA 2.7.0.

Security guide > TLS cipher suites

Improved cache for TLS sessions

An improvement to the TLS cache now allows the cache to be shared between control and data sessions on FTP.

 

Certificate chain size on TLS

The size limit of the certificate chain sent on TLS has been increased from 16k to 64k.

 

Native support for 64-bit AIX operating systems

With this release, Gateway includes native 64-bit support for the AIX operating system. In addition to the new installation package, a cross-platform migration tool is available to handle the migration from Gateway 6.17.2 AIX 32-bit to Gateway 6.17.2 AIX 64-bit.

Upgrade guide > Upgrading to 6.17

New signature for transfer user exits ExitXfer* (Perl and C)

To support passing custom user data in subsequent SSH exit calls, and to differentiate between SSH and TLS contexts, the transfer exits ExitXfer* (Perl and C) have a new signature.

Signatures: refer to User guide > Customizing Gateway processes > User exits > External user exits

Upgrade: Upgrade guide > Upgrading to 6.17

Length of file label PeSIT transfer parameter

The limit for the file label transfer parameter has been increased from 80 characters to 256 characters.

Refer to User guide > Managing transfers > Submitting transfers > Transfer requests > New Transfer Request: PeSIT tab

Gateway 6.17.1

What's new Refer to

Upgrade to Perl 5.24

Perl version 5.24.0 is required to compile the Perl exits or to run the Perl scripts.

Refer to User guide > User interfaces > Online commands > Online commands in Perl

Password for authorizing operations on Gateway is secured

When access management is enabled, the password used for authorizing operations on Gateway through commands (command line utility, exits, scripts) is now stored in encrypted form.

Security guide > Password management

Gateway 6.16.1

What's new Refer to
ECDSA keys support for SSH

The supported ECDSA keys are the ones required by RFC 5656 (nistp256, nistp384 and nistp521). The key exchange algorithm list has been updated with new entries specific to this key format.

Security guide > SSH user exits

ECDSA certificates support for TLS

You can now import ECDSA certificates into Gateway. The supported curve formats for ECDSA certificates are the ones specified in RFC 4492.

Security guide > Managing Keys and Certificates in SSH

New TLS ciphers support

The following cipher suites are now available: DHE - ECDHE-RSA - ECDHE-ECDSA - AES-GCM

Security guide > TLS cipher suites

Weak ciphers disabled

On new Gateway installations, weak ciphers are not present in TLS profiles. Users can still enable them by setting the configuration option [tls] enable_weak_ciphers to ‘yes’, but this is strongly discouraged.

Security guide > TLS cipher suites

Secured the connection between Gateway and Sentinel using TLS

Gateway can now use TLS when connecting to Sentinel. The TLS connection is activated by default on new installations. For the connection between the two products to succeed, make sure that Sentinel exposes a TLS-secured port.

Configuring connectors

Upgrade to OpenSSL version 1.0.2

Cryptographic operations now use OpenSSL version 1.0.2.

 

Manually force Gateway to re-read PassPort PM Communication Protocol Profiles (DEA)

Pelctl has been extended with a new subcommand that invalidates the entire cache used for communication with PassPort PM, or invalidates the cache per DEA (pelctl invalidate_tpm_cache). Changes should be reflected immediately on incoming/outgoing exchanges.

PassPort PM cache

Gateway 6.16.0

What's new Refer to
Managing TLS Security Profiles

New commands to create and modify security profiles using the command line UI.

Support for TLS 1.1 and 1.2

Configure and use TLS 1.1 and TLS 1.2 with Gateway

Discontinued support for CSR sample certificates

Secure Relay IP filtering

Configuring IP filtering on Secure Relay Master Agent, from Gateway, using black lists and white lists

PassPort configuration

Configuring Gateway's connector to PassPort for services: PKI, access management, partner management

Support for FIPS

Configuring Gateway correctly to establish FIPS-compliant secure connections

 
