Axway API Gateway and API Manager 7.5.3 SP8 Readme

Document version: 24 August 2018



Readme for 7.5.3 SP8

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP8, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP8_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

RDAPI-13387 (Case ID: 00981694)
CVE Identifiers: CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098
Issue: Bouncy Castle library 1.55 causes security vulnerabilities.
Resolution: API Gateway now ships with Bouncy Castle library version 1.60.

RDAPI-13616 (Case ID: 00987148)
CVE Identifier: CVE-2018-1199
Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of vulnerabilities, including CVE-2018-1199.
Resolution: API Gateway includes Spring framework version 4.3.17.RELEASE, which addresses known vulnerabilities.

RDAPI-13699 (Case IDs: 00991632, 00989952)
CVE Identifiers: See Oracle Critical Patch Update Advisory - July 2018
Issue: API Gateway used a JRE version that included security vulnerabilities.
Resolution: The API Gateway JRE version has been updated to JRE 8u181, which fixes these vulnerabilities. For more information, see:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
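A check a defender wants after applying a service pack is confirmation that the vulnerable components listed above were actually replaced on disk, rather than trusting the extraction. The script below is an added example, not part of this readme or of Axway's tooling. It assumes the bundled jars sit under INSTALL_DIR (the system/lib and ext/lib directories this readme names) and carry the upstream artifact names bcprov-jdk15on-<version>.jar and spring-core-<version>.jar, and it compares them with the versions this service pack delivers (Bouncy Castle 1.60, Spring 4.3.17.RELEASE). The two install trees it inspects are constructed by the script itself.

```shell
#!/bin/sh
# Added example (not Axway's script): verify that the jars replaced by SP8
# are the versions the readme says it ships. Assumption: upstream artifact
# names (bcprov-jdk15on-<ver>.jar, spring-core-<ver>.jar) under INSTALL_DIR.
set -eu

# jar_version DIR ARTIFACT -> prints the version embedded in ARTIFACT-<ver>.jar
# (first match wins); returns 1 when no such jar exists under DIR.
jar_version() {
  dir="$1"; artifact="$2"
  found=$(find "$dir" -type f -name "$artifact-*.jar" 2>/dev/null | head -n 1)
  [ -n "$found" ] || return 1
  base=$(basename "$found" .jar)
  printf '%s\n' "${base#"$artifact"-}"
}

# check_component DIR ARTIFACT EXPECTED -> 0 if the shipped version equals the
# version this service pack delivers, 1 otherwise; prints a one-line verdict.
check_component() {
  dir="$1"; artifact="$2"; expected="$3"
  actual=$(jar_version "$dir" "$artifact") || {
    echo "MISSING  $artifact (expected $expected)"; return 1; }
  if [ "$actual" = "$expected" ]; then
    echo "OK       $artifact $actual"
  else
    echo "MISMATCH $artifact $actual (expected $expected)"
    return 1
  fi
}

# verify_sp8_components INSTALL_DIR -> 0 only when every component matches
# the version listed in the "Fixed security vulnerabilities" table.
verify_sp8_components() {
  status=0
  check_component "$1" bcprov-jdk15on 1.60           || status=1
  check_component "$1" spring-core    4.3.17.RELEASE || status=1
  return $status
}

# --- constructed fixture: two fake install trees, one patched and one stale ---
DEMO=$(mktemp -d)
GOOD="$DEMO/good/apigateway"; STALE="$DEMO/stale/apigateway"
mkdir -p "$GOOD/system/lib" "$GOOD/ext/lib" "$STALE/system/lib" "$STALE/ext/lib"
: > "$GOOD/system/lib/bcprov-jdk15on-1.60.jar"
: > "$GOOD/ext/lib/spring-core-4.3.17.RELEASE.jar"
: > "$STALE/system/lib/bcprov-jdk15on-1.55.jar"        # the vulnerable version
: > "$STALE/ext/lib/spring-core-4.3.5.RELEASE.jar"     # the vulnerable version

verify_sp8_components "$GOOD"  && GOOD_RESULT=pass || GOOD_RESULT=fail
verify_sp8_components "$STALE" && STALE_RESULT=pass || STALE_RESULT=fail
echo "patched tree: $GOOD_RESULT, stale tree: $STALE_RESULT"
```

Point the script at the real apigateway directory after running the post-install script. The JRE is not a jar, so check it separately: INSTALL_DIR/platform/jre/bin/java -version should report 1.8.0_181 (8u181); an older string means the Oracle CPU fixes listed for RDAPI-13699 are not in place.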

Other fixed issues

RDAPI-12034 (Case ID: 00930007)
Issue: Custom error messages were not provisioned. For a given fault handler, if the Show detailed explanation of error option was selected, the custom error message that was set was not populated in the HTTP response, and a generic error was displayed instead.
Resolution: The custom error message is now set in the response if this option is selected. In addition, some improvements were made, including rendering a correct SOAP version fault body based on the option set in the SOAP fault handler (previously, in some cases, a default SOAP version 1.1 fault body was rendered).

RDAPI-12344 (Case IDs: 00976884, 00991615, 00932805, 00984330)
Issue: API Manager reflected the request body in generated responses for 400, 404, 405, and 429 HTTP errors, which were not handled by Global Fault handlers.
Resolution: API Manager now removes the request body from generated responses for all of these HTTP errors when the new com.axway.apimanager.fault.removeContentBody Java system property is set to true.
There is also new fault handling for these API Manager-specific errors: the fault is routed to the GenericFaultProcessor to generate a response body. This is controlled by the com.axway.apimanager.fault.legacy Java system property, which is set to false by default; setting it to true restores the old behavior of the API Manager-specific errors if required.

RDAPI-12798 (Case ID: 00959616)
Issue: API Manager crashed when deleting a remote host that was created on another instance in the same group.
Resolution: The API Manager crash has been fixed, and debug traces are logged when remote hosts are not found.

RDAPI-13115 (Case ID: 00971103)
Issue: Downloading Swagger for different APIs with the same name resulted in the same download file.
Resolution: Each Swagger download file is now unique for each API, including when APIs have the same name.

RDAPI-13176 (Case ID: 00969687)
Issue: Importing an XSD that includes other XSDs (by <include>) under Resources > XML Schema Document Bundles > User-defined Catalog in Policy Studio failed for Data Map creation.
Resolution: The XSD for Data Map creation imports correctly in Policy Studio under Resources > XML Schema Document Bundles > User-defined Catalog.

RDAPI-13188 (Case ID: 00972252)
Issue: WebSocket traffic was not logged to the Transaction Access Log when this was enabled.
Resolution: HTTP connections upgraded to WebSockets are now recorded in the server access log. WebSocket calls are rejected when an incoming remote host is explicitly configured to forbid HTTP 1.1.

RDAPI-13206 (Case ID: 00961953)
Issue: Deleting an API Manager front-end API in a system with many APIs and quotas took too long, because the application hit the database with too many unnecessary CRUD operations.
Resolution: Only necessary operations are performed, and deleting a front-end API should only take a few seconds, depending on how close API Gateway is to the Apache Cassandra cluster.
Note: You must back up your data (Cassandra and kpsadmin) before applying this service pack.

RDAPI-13212 (Case IDs: 00974976, 00982285, 00975245)
Issue: A trailing / was added after applying SP6 for SOAP APIs. Trailing slashes were not always processed correctly for API Manager inbound requests in SOAP and REST APIs.
Resolution: Inbound API requests are processed as designed by an API developer. An inbound API request with a trailing slash matches an API path with no trailing slash only when the com.vordel.apimanager.uri.path.trailingSlash.preserve Java property is set to true. The outbound API request paths are processed as designed by an API developer. In addition, the Content-Type of an API request, if present, is now taken into consideration for a single API path match.

RDAPI-13227 (Case ID: 00968176)
Issue: When using the implicit OAuth flow, the token response did not include the token's scopes in the Location header of the response, even when the granted scopes were different from the requested scopes, which the specification requires.
Resolution: The implicit OAuth token response always contains the scopes, whether they differ from the requested scopes or not.

RDAPI-13229 (Case ID: 00976057)
Issue: Organization API access alerts were not triggered during POST requests to /proxies/grantaccess.
Resolution: An organization API access alert is generated for every organization/API pair during POST requests to /proxies/grantaccess.

RDAPI-13286 (Case ID: 00971897)
Issue: If Single Sign On (SSO) was enabled for an API Gateway with API Manager configured, the process did not terminate cleanly when startinstance -k was issued.
Resolution: The SSO-enabled API Gateway with API Manager configured now shuts down cleanly.

RDAPI-13312 (Case ID: 00976711)
Issue: When API Gateway decrypted a PGP-encrypted but unsigned message with a PGP Decrypt and Verify filter set to verify the signature, the message was still decrypted.
Resolution: You can use the -DpgpFailDecryptNoSignature=true system property to configure whether the message is decrypted in this case.

RDAPI-13327 (Case IDs: 00987729, 00926473)
Issue: After registering a WSDL in API Manager, downloading the WSDL from other API Manager instances required restarting the servers.
Resolution: Downloading WSDL from multiple API Manager instances no longer requires restarting the servers.

RDAPI-13396 (Case ID: 00981358)
Issue: Validation in the API Manager Base Path URL field restricted the use of selector syntax characters (for example, ${env.MY_VAR}).
Resolution: You can now use selector syntax characters in the Base Path URL field. Additional back-end validation has been added to ensure that the final URL is valid.

RDAPI-13430 (Case ID: 00969445)
Issue: The number of simultaneous open WebSockets for a client IP address could not be limited.
Resolution: You can now configure the WebSocket listener with a policy to trigger when the connection is closed. You must configure a com.axway.websocket.policy.onclose Java global property in the jvm.xml file with the reference to the policy to call.

RDAPI-13537 (Case ID: 00981086)
Issue: Broken access control in API Manager. When logged in as an organization admin, you could edit applications owned by other organizations by changing the application ID in the URL.
Resolution: When authenticated in API Manager, you can now only access the applications that you are authorized to access.

RDAPI-13576 (Case ID: 00980017)
Issue: In the Open Traffic Event Log, the Maximum disk space for logs setting in Policy Studio was not taken into account; the effective limit was 2047 MiB due to a miscalculation.
Resolution: Higher values for the Maximum disk space for logs setting are now taken into account.

RDAPI-13799 (no Case ID)
Issue: API Manager user and password audit events were missing information that is useful from an audit perspective.
Resolution: The audit log format has been updated as follows:

  • User create/delete events now show the full username, role, organization, created date, description, email (redacted), enabled flag, phone (redacted), and state, and include the user ID as metadata
  • User update events now show the full username, role, and organization, include the user ID as metadata, and show the new and old values of any fields that changed
  • Password change/reset events now show the full username, role, and organization, and include the user ID as metadata

Known issues

This service pack has the following known issues, which are planned for a future release.

Internal ID Description
RDAPI-9478 Path matching on listeners works incorrectly when the paths found are the same
RDAPI-13121 API Manager application updates are not logged in audit log
RDAPI-13672 Errors due to spill to disk files that are not cleaned up
RDAPI-13681 OAuth scope management issues in API Manager 7.5.3
RDAPI-13556 DevOps - apimanager-promote returns zero on success or failure

Install the service pack

These instructions apply to both API Gateway and API Manager.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Apache Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
    Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is collocated with API Gateway, you must also stop Cassandra and close the Cassandra console. If there are any open file locks, this may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP8 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP8_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh
    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
  6. API Gateway Appliance only: Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:
    a. Run the following command:
      [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
    b. Run the following:
      chown -R admin:admin /opt/gateway/
      grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

      setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
      ldconfig
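The sequence above (stop, back up, remove the old third-party libraries, extract over the apigateway directory) is easy to script, and the MD5 checksum published with each archive gives a cheap integrity gate before anything is extracted. The script below is an added example, not Axway's installer or the apigw_sp_post_install script. It assumes INSTALL_DIR is the apigateway directory itself (the directory the archive is extracted over in step 3) and runs entirely on a throwaway install tree and a stand-in archive that it constructs, so the file names and contents are not a real service pack.

```shell
#!/bin/sh
# Added example (not Axway's script): gate the service pack extraction on the
# published MD5, take a backup first, remove INSTALL_DIR/system/lib/modules
# (prerequisite 3) and only then extract the archive over INSTALL_DIR.
set -eu

# md5_of FILE -> prints the hex digest; falls back to openssl where md5sum is absent.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# verify_archive ARCHIVE EXPECTED_MD5 -> 0 when the digests match, 1 otherwise.
verify_archive() {
  actual=$(md5_of "$1")
  [ "$actual" = "$2" ]
}

# backup_install INSTALL_DIR BACKUP_TAR -> archives the whole tree before it is touched.
backup_install() {
  tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# remove_old_modules INSTALL_DIR -> deletes the old third-party libraries.
remove_old_modules() {
  rm -rf "$1/system/lib/modules"
}

# install_sp ARCHIVE EXPECTED_MD5 INSTALL_DIR -> refuses to extract on a
# checksum mismatch; otherwise backs up, cleans modules and extracts in place.
install_sp() {
  archive="$1"; expected="$2"; install_dir="$3"
  verify_archive "$archive" "$expected" || {
    echo "checksum mismatch for $archive, not installing" >&2; return 1; }
  backup_install "$install_dir" "$install_dir.backup.tar.gz"
  remove_old_modules "$install_dir"
  tar -xzf "$archive" -C "$install_dir"
}

# --- constructed fixture: a fake install tree and a stand-in archive ---
DEMO=$(mktemp -d)
INSTALL_DIR="$DEMO/Axway-7.5.3/apigateway"
mkdir -p "$INSTALL_DIR/system/lib/modules" "$INSTALL_DIR/system/conf"
echo "old" > "$INSTALL_DIR/system/lib/modules/stale.jar"   # old third-party library
echo "<JVMSettings/>" > "$INSTALL_DIR/system/conf/jvm.xml"  # existing config must survive

mkdir -p "$DEMO/sp/system/lib"
echo "new" > "$DEMO/sp/system/lib/updated.jar"              # "new binaries only"
ARCHIVE="$DEMO/APIGateway_7.5.3_SP8_Core_linux-x86-64_BNYYYYMMDDn.tar.gz"
tar -czf "$ARCHIVE" -C "$DEMO/sp" .
GOOD_MD5=$(md5_of "$ARCHIVE")   # stands in for the checksum published with the download
BAD_MD5="00000000000000000000000000000000"

# A wrong checksum must stop the install before anything is modified.
install_sp "$ARCHIVE" "$BAD_MD5" "$INSTALL_DIR" && REJECTED=no || REJECTED=yes
# The matching checksum lets the install proceed.
install_sp "$ARCHIVE" "$GOOD_MD5" "$INSTALL_DIR"
echo "bad checksum rejected: $REJECTED"
```

Against a real installation, pass the checksum as copied from the support download page. A matching MD5 shows the archive is the one that was published, not who published it, so take the checksum from the authenticated support portal rather than from the same channel as the archive. The backup is taken before system/lib/modules is removed, so a failed extraction can be rolled back from it; the service pack does not overwrite existing configuration, which is why jvm.xml is expected to survive the extraction in the fixture.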

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway Analytics 7.5.3 SP8 over the analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP8_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  3. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP8 Policy Studio over the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP8_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract Configuration Studio 7.5.3 SP8 over the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP8_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

The following steps apply after installing the service pack.

API Gateway

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the API Gateway Appliance only steps in Install the API Gateway server service pack.

To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig
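Step 1 above edits jvm.xml by hand, and several of the fixes in this service pack (com.axway.apimanager.fault.removeContentBody, com.vordel.apimanager.uri.path.trailingSlash.preserve, com.axway.websocket.policy.onclose) are switched on the same way, as Java system properties in that file. The script below is an added example, not part of Axway's post-install tooling: it inserts a VMArg only when it is not already present (the same grep-or-insert pattern the appliance step uses), writes the gateway-libs.conf from step 3 for a given INSTALL_DIR, and reports whether vshell carries the capabilities from step 2. The jvm.xml it edits is a minimal constructed stand-in, not the real file; the only structural assumption is that the real file has a <JVMSettings> element that VMArg entries can follow.

```shell
#!/bin/sh
# Added example (not Axway's script). Assumes jvm.xml contains a <JVMSettings>
# element; VMArg entries are inserted on the line after it.
set -eu

# ensure_vmarg JVM_XML ARG -> adds <VMArg name="ARG"/> after <JVMSettings>
# unless an identical argument is already present (idempotent, safe to re-run).
ensure_vmarg() {
  jvm="$1"; arg="$2"
  if grep -F -q -- "$arg" "$jvm"; then
    return 0
  fi
  tmp="$jvm.tmp.$$"
  awk -v line="    <VMArg name=\"$arg\"/>" '
    { print }
    /<JVMSettings/ && !done { print line; done = 1 }
  ' "$jvm" > "$tmp" && mv "$tmp" "$jvm"
}

# write_ld_conf INSTALL_DIR OUT -> the five library paths from step 3, one per line.
write_ld_conf() {
  install_dir="$1"; out="$2"
  for sub in platform/jre/lib/amd64/server platform/jre/lib/amd64 \
             platform/lib/engines platform/lib ext/lib; do
    printf '%s/%s\n' "$install_dir" "$sub"
  done > "$out"
}

# vshell_has_caps VSHELL -> 0 if both file capabilities from step 2 are set,
# 1 if not, 2 if getcap is unavailable on this host.
vshell_has_caps() {
  command -v getcap >/dev/null 2>&1 || return 2
  caps=$(getcap "$1" 2>/dev/null) || return 1
  case "$caps" in
    *cap_net_bind_service*cap_sys_rawio*|*cap_sys_rawio*cap_net_bind_service*) return 0 ;;
    *) return 1 ;;
  esac
}

# --- constructed fixture: a minimal stand-in for INSTALL_DIR/system/conf/jvm.xml ---
DEMO=$(mktemp -d)
INSTALL_DIR="$DEMO/Axway-7.5.3/apigateway"
mkdir -p "$INSTALL_DIR/system/conf"
JVM_XML="$INSTALL_DIR/system/conf/jvm.xml"
cat > "$JVM_XML" <<'EOF'
<ConfigurationFragment>
  <JVMSettings>
    <VMArg name="-Xmx1024m"/>
  </JVMSettings>
</ConfigurationFragment>
EOF

LIBPATH='-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib'
ensure_vmarg "$JVM_XML" "$LIBPATH"
ensure_vmarg "$JVM_XML" "$LIBPATH"   # second run is a no-op, no duplicate entry
# Properties introduced by fixes in this service pack, enabled the same way.
ensure_vmarg "$JVM_XML" "-Dcom.axway.apimanager.fault.removeContentBody=true"
ensure_vmarg "$JVM_XML" "-Dcom.vordel.apimanager.uri.path.trailingSlash.preserve=true"

LD_CONF="$DEMO/gateway-libs.conf"     # would be /etc/ld.so.conf.d/gateway-libs.conf
write_ld_conf "$INSTALL_DIR" "$LD_CONF"

if vshell_has_caps "$INSTALL_DIR/platform/bin/vshell"; then
  echo "vshell capabilities present"
else
  echo "vshell capabilities not set (expected in this fixture; run setcap as root)"
fi
cat "$JVM_XML"
```

ensure_vmarg keys on the exact argument string, so changing a property's value means removing the old VMArg first; that is deliberate, because silently replacing an existing setting is the kind of edit an operator wants to see in a diff rather than have done for them. Run ldconfig after writing the real /etc/ld.so.conf.d/gateway-libs.conf, as step 4 says.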

API Manager

Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

Support

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com

Copyright © 2018 Axway. All rights reserved.