Document version: 25 April 2017
API Gateway is available as a software installation, a physical or virtual appliance, a virtualized deployment in Docker containers, or as a managed service on Axway Cloud.
The software installation is available on Windows and Linux. For
more
details
on
supported
platforms for software installation,
see
the
The physical appliance is a prehardened appliance running the API Gateway runtime delivered on a Dell PowerEdge server. The virtual appliance is a prehardened appliance running the API Gateway runtime and is available as VMware and as an Amazon Machine Image (AMI).
For more details on appliance options, see the
User interfaces have been refreshed to a more visually attractive look shared by all Axway products.
Open logging enables you to consolidate all of the transaction event data, traces, and system metrics stored by API Gateway, and visualize and analyze them in external observability systems (such as Axway Decision Insight or a third-party system, like Splunk).
For more details, see
The user experience of using team development has been improved.
projupgrade
script enables you to upgrade your source-controlled projects in-place, to be deployed on your newly upgraded system.For more details, see
Zero Downtime Deployment (ZDD) minimizes disruptions that updating your configuration may cause in a high-availability (HA) environment.
For more details, see
managedomain
command with the -v
or --version
options to find the installed version number, including any installed service pack or patches, and build information.For more details, see
For more details, see
Identity Access Management (IAM) integration has been refreshed.
For more details, see
Scriptable kpsadmin
tool makes it easier to manage Key Property Store (KPS) collections.
Note | It is recommended to try out these features in the development environment before using them in the production environment. |
For more details, see
For more details on data maps, see the
For more details, see Embedded Analytics for API Management Plus documentation.
The following features have been deprecated in this release:
The following features have been removed in this release:
The fixes for issues included in API Gateway v7.5.2 SP 1 and SP 2 are also included in API Gateway 7.5.3.
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-6801 |
— |
CVE‑2016‑0782, CVE‑2016‑0734, CVE‑2015‑5254 |
Issue: Apache ActiveMQ security vulnerabilities. |
RDAPI-6935 |
00873460 |
CVE-2015-0225 |
Issue: False positive for CVE-2015-0225 during a security scan. |
RDAPI-7002 |
00874797 |
CVE-2016-5725 |
Issue: JSCH library not compatible with certain SSH ciphers. |
RDAPI-7290 |
— |
CVE-2013-5960 |
Issue: Security vulnerability in a SSO dependency. |
RDAPI-7359 |
00878864 |
CVE-2017-3241 |
Issue: API Gateway Java vulnerabilities |
RDAPI-7477 |
00873458 |
CVE-2013-4517 |
Issue: Update XML Security for Java (xmlsec) to version 1.5.8 |
RDAPI-7574 |
— |
CVE-2016-9878 |
Issue: Issue with the spring-core library. |
RDAPI-7575 |
— |
CVE-2016-5725 |
Issue: Upgrade Jsch dependency to v0.1.54. |
RDAPI-7602 |
— |
CVE-2014-3577, CVE-2015-5262 |
Issue: Remove |
RDAPI-8355 |
— |
CVE-2012-4929 |
Issue: The SSL compression enabled by default. |
Internal ID | Case ID | Description |
---|---|---|
RDAPI-2998 | 00825813 |
Issue: Outdated information on JVM memory tuning in documentation. Resolution: Previously, the |
RDAPI-3084 |
00831073 |
Issue: No information on how to configure API Gateway Analyticson Windows. has been updated to include an example of how to configure this on Windows. |
RDAPI-3429 |
00833374 |
Issue: Reconnecting to hardware security module (HSM) server not working properly. |
RDAPI-3913 |
00808278 |
Issue: Message content missing in Traffic Monitor when using redaction. |
RDAPI-4082 |
00840941 |
Issue: Configuration package loads very slowly in Policy Studio. |
RDAPI-4648 |
00847257 |
Issue: XPath cannot be created in XPath wizard. |
RDAPI-4790 |
00842538 |
Issue: Wrong trace level for a new JSON body. |
RDAPI-4875 |
00851718 |
Issue: JMS service does not display the environmentalized host URL. |
RDAPI-5268 |
00841109 |
Issue: Memory leak in Traffic Monitor. |
RDAPI-5356 |
00855626 |
Issue: OAuth filter fails when using an invalid selector. |
RDAPI-5538 |
00855363 |
Issue: Throttling filter unreliable under heavy load using distributed cache |
RDAPI-5545 |
00854184 |
Issue: Service name does not show for JMS requests in Traffic Monitor. |
RDAPI-5547 |
00855750 |
Issue: API Gateway Manager shows undefined gateway server values |
RDAPI-5550 |
00855566 |
Issue: Cannot import a web service in Policy Studio. |
RDAPI-5681 |
00849580, 00881178 |
Issue: Unable to log in to web UIs when using port forwarding. |
RDAPI-5699 |
00858525 |
Issue: Session filters do not work correctly with Connection filters. |
RDAPI-5871 |
00857893 |
Issue: Insufficient data logged for an error in the JSON Schema Validation filter. |
RDAPI-5903 |
00859112 |
Issue: Incomplete redaction. |
RDAPI-5907 |
00852304 |
Issue: Issues with keys in SFTP user authentication. |
RDAPI-6039 |
00860536 |
Issue: Cross-site scripting (XSS) vulnerabilities in Analytics Reports REST API. |
RDAPI-6065 | 00854354 |
Issue: Conflicts between Resolution: Previously, the |
RDAPI-6189 |
00839875 |
Issue: Error when XML signature generation configured for Symmetric Key. |
RDAPI-6213 |
00863107 |
Issue: Wrong authorization header encoding in OAuth authentication. |
RDAPI-6257 | 00863872 |
Issue: Cannot use a dash ("-") in names when creating a new group in API Gateway Manager. Resolution: Previously, you could only use alphanumeric characters and underscore ("_") in group names and API Gateway names. Now, group names and API Gateway names can contain any UTF-8 character with the following restrictions:
|
RDAPI-6351 |
00864374 |
Issue: Issue when configuring Cassandra settings in Policy Studio. |
RDAPI-6490 |
00862092 |
Issue: Selectors not allowed when configuring the Alert filter. |
RDAPI-6735 |
00867003 |
Issue: Limit when reading objects from a hardware security module (HSM). |
RDAPI-6742 |
00865176 |
Issue: API Gateway ignores server settings when tunneling from HTTP to HTTPS. |
RDAPI-6765 |
00869368 |
Issue: EULA prompts when only package and deploy tools are installed. |
RDAPI-6923 |
00869225 |
Issue: The |
RDAPI-6947 |
00868341 |
Issue: Broken references when using the |
RDAPI-6954 |
00867203 |
Issue: Issues with SAML Authentication and SAML Authorization filters. |
RDAPI-6973 |
00872682 |
Issue: Bug in directory scanning when an API Gateway instance is stopped. |
RDAPI-6986 |
00871927 |
Issue: Unable to deselect items in Fragment Export. |
RDAPI-7020 |
00875079 |
Issue: Unable to create a new instance if |
RDAPI-7102 |
00870279 |
Issue: Amazon AWS S4 signing is unsuccessful. |
RDAPI-7154 |
00873722, 00873438 |
Issue: Cassandra client authentication failure when changing group configuration passphrase. |
RDAPI-7291 |
00878187 |
Issue: Unable to load or edit MIME types in the Content Type filter. |
RDAPI-7317 |
00872301 |
Issue: Misleading information on a Cassandra script. |
RDAPI-7338 |
00801017 |
Issue: Unable to configure the proxy settings for updates in Web Administration Interface (WAI). |
RDAPI-7374 |
00862631 |
Issue: Issues with nested relative paths. |
RDAPI-7469 |
00879822 |
Issue: Spaces in user name not accepted in the API Gateway utilities. |
RDAPI-7498 | 00866577 |
Issue: Misleading information on redaction in documentation. Resolution: Previously, the documentation mentioned redaction of trace files, which is not supported. Now, the documentation has been clarified and does not mention redaction of trace files. |
RDAPI-7501 |
00878576 |
Issue: Unable to environmentalize a policy called in the Policy Shortcut filter. |
RDAPI-7541 | 00877285 |
Issue: Analytics Resolution: Previously, the documentation did not mention limitations on API Gateway Analytics configureserver script when specifying the user name and password. Now, a clarification has been added to the |
RDAPI-7547 |
00879409 |
Issue: WSDL import breaks. |
RDAPI-7732 |
00878868 |
Issue: Service outage when deploying to multiple instances. |
RDAPI-7850 |
00882355 |
Issue: Unable to deploy a policy package if the environment variable Bind the certificate at runtime is used. |
RDAPI-7913 |
00882483 |
Issue: Cassandra download URL is wrong in the API Gateway Docker zip. |
RDAPI-7928 |
00881808 |
Issue: SSL failure on large messages with the XML Signature Verification filter. |
RDAPI-8006 |
00833619 |
Issue: API Gateway crashes with short hostname aliases. |
RDAPI-8037 |
00883589 |
Issue: Policy Studio does not merge certificates correctly in dependent projects. |
RDAPI-8101 |
00883721 |
Issue: Wrong information on changing the project passphrase. |
RDAPI-8218 |
00886478 |
Issue: Performance degradation in JavaScript scripting filters. |
The following are known issues for this release of API Gateway:
Before upgrading API Gateway v7.5.3, you must remove the old JSON path file ($VDISTDIR/system/lib/modules/json-path-1.2.0.jar
). Upgrading v7.5.3 installs a JSON path file (json-path-2.2.0.jar
) in the same directory.
In addition, Policy Studio uses the JSON path file to validate path expressions. Before upgrading v7.5.3, you must also remove the file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_VERSION_DATE/lib/json-path-1.2.0.jar
). Upgrading v7.5.3 installs a JSON path file (json-path-2.2.0.jar
) in the same directory.
Note | If any JSON Path filters are being used in a policy, the JSON path expression used must be checked for compatibility with json-path-2.2.0 . It is possible that a policy which worked in earlier versions contains an invalid JSON path expression in API Gateway v7.5.3. For example: |
$[?(@.virtualHost == <example>)]
|
$[?(@.virtualHost == '<example>')]
|
The sysupgrade export
command calls the old API Gateway version 7.x server to export Key Property Store (KPS) data to JSON files. On Windows, these JSON files are created successfully, but the locks on the JSON files are kept open because the old API Gateway server does not release the locks. For example, this means that if you try to delete the JSON file in Windows Explorer, you get a message that the file cannot be deleted because it is being used by another process. If you try to run sysupgrade export
again, the export will fail.
This is only an issue when upgrading API Gateway versions earlier than 7.5.1.
The workaround is to restart the old API Gateway instance after each sysupgrade export
, which releases the locks. To avoid downtime, you should restart each API Gateway instance after each export
one-by-one.
New users that were registered in API Manager before an upgrade, but who did not complete registration by activating their account with the link provided in email, cannot complete registration after the upgrade. The link in the email references the API Manager API v1.1 that is no longer available. For example:
https://<API Gateway IP address>/api/portal/v1.1/users/validateuser?email=s@s.com&validator=9a5addcb-e10c-499b-bf0a-0c70915f3862 |
The workaround is that the user copies the link address, pastes it to the address bar, and changes the API version v1.1
to v1.2
or v1.3
. After this, the activation link works, and the user can complete registration.
When installing Cassandra, you are prompted to specify a JRE for Cassandra. You can select the default 32-bit JRE bundled with API Gateway. However, this default RE has the following limitations on Windows:
It is recommended to download and install a separate 64-bit JRE before installing Cassandra on Windows, and select this JRE during Cassandra installation. Cassandra requires the latest version of JRE 8.
For more details, see the
Modern Windows versions support the new PowerShell command-line interpreter. The Cassandra installation provides both the old .bat and the new .ps1 startup files.
When you run the cassandra command in CASSANDRA_HOME\bin, it runs either in the legacy startup mode or the new startup mode depending on the PowerShell script execution policy setting. If this policy is set to Unrestricted, the new PowerShell startup script runs. Else, the legacy startup script runs.
The startup behavior and command line options are different depending on the type of startup. For more details, see the
If you select an alternative JRE instead of the default JRE during the installation and want to enable Cassandra to use TLS, you must install Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction policies for your JRE.
The cqlsh command is not supported on API Gateway Appliance. For more details, see
The jabber
and restJabber
code samples are missing from the INSTALL_DIR/apigateway/samples/developer_guide
directory. You can download these code samples from Axway Support at https://support.axway.com.
The Save to File filter may cause up to 2% of the transactions to fail with the following error:
java.lang.RuntimeException: No such file or directory. cannot remove file '/path/to/filename'
|
This happens in the following cases:
If this happens, it is recommended to use a periodic job scheduled at an appropriate frequency for the "housekeeping" of the directory, and not to rely on the Save To File filter to do this.
/etc/resolv.conf
is not reachable), the HTTP Long Polling connections have a time delay at the API Gateway. WebSocket connections are not affected.When you operate in FIPS mode, the implementation from the default, non-FIPS provider is invoked, if any of the following algorithms is selected in the JWT Signing filter:
To avoid this, disable the Bouncy Castle Crypto Provider in the /system/conf/jvm.xml file. When the JWT Signing filter with one of the above algorithms selected is called, the filter fails with the following error:
|
For more details, see the
When the Add JSON Node filter is used in an API Gateway policy, and redaction of JSON message content has been configured, sensitive redacted data in the JSON body is still displayed in the API Gateway trace log file. Regardless of the trace level, the redacted data should be hidden in the trace log when the message body has been processed by API Gateway.
JavaScript (Rhino engine JRE7 and earlier)
, it is recommended that you change the Language of the filter to JavaScript
and ensure that the JavaScript syntax in the script conforms with Nashorn engine syntax. If you do not make these changes, the script continues to work in your new installation, but with a likely drop in performance. It is recommended to use Nashorn for all new development.3
so each node holds 100% of the data and you can tolerate the loss of one nodeFor more details, see
For best performance, do the following:
keep-alive
whenever possible to avoid creating and dropping connections for each individual request.initial latency(ms)* expected throughput (count) / 1000 ms = the number of threads (count)
. In HA deployment, you may want to account failure in one node. Note that the ratio of thread count and CPU cores impacts the latency. You may also want to consider horizontal scaling instead of vertical scaling.You can find the latest information and up-to-date user guides at the Axway Documentation portal at http://docs.axway.com.
This section describes documentation enhancements and related documentation.
See What's new in documentation for a summary of the documentation changes in this release.
Go to the Axway Documentation portal at http://docs.axway.com to find documentation for this product version. Additional documentation may be available at Axway Support at https://support.axway.com.
The API Management Plus solution enables you to create, publish, promote, and manage Application Programming Interfaces (APIs) in a secure and scalable environment. For more information, see the
The following reference documents are available on the Axway Documentation portal at http://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
See