Axway API Gateway 7.4.1 SP 2 Readme

Document version: 18 March 2016


Readme for 7.4.1 SP 2

This Readme applies to Axway API Gateway 7.4.1 SP 2, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.1_SP2_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements.

Case ID Internal ID Description
- RDAPI-187 Issue: Upgrade failure from 7.3.0 to 7.4.1.
Resolution: Previously, the migrate step for OAuthProviderProfile was incorrect because it did not handle the case where the entity field named class was not set. Now, the migrate step ensures the class field in the entity has a value.

808883 RDAPI-228 Issue: Policy Studio unresponsive or crashes when configuring a large database query.
Resolution: Previously, Policy Studio became unresponsive if the Retrieve from or write to database filter was configured with a large value for the Expect to retrieve rows setting. The minimal value that caused the issue also depended on the complexity of the SQL query. Now, Policy Studio does not become unstable regardless of the expected number of rows entered by the user.
805098 RDAPI-616 Issue: JMS Timeout setting has an upper limit of 20 seconds.
Resolution: Previously the maximum JMS Wait timeout was 20000 ms. Now, the maximum timeout is the minimum value that an int can have (2^31).
804852 RDAPI-667 Issue: Insert REST API Parameter in the Set Message filter constructs an incorrect parameter.
Resolution: Previously, when inserting REST API parameters in the Set Message filter, incorrect selector strings were created. For the body parameter type, the {params.form} selector string was inserted. Now, the correct {params.body} selector string is inserted.
804626 RDAPI-673 Issue: Upgrade task error when importing the configuration export.
Resolution: Previously, when trying to upgrade a policy fragment containing JMS filters, an upgrade task error was encountered. Now, the JMSFilter migrate step 9 has been made more robust, and the policy fragment is upgraded correctly.
806759 RDAPI-705 Issue: Java security advisories.
Resolution: Previously, API Gateway was using JRE 1.8.0_40, which has security vulnerabilities. Now, API Gateway uses JRE 1.8.0_66, which addresses known security vulnerabilities in Java. For more details, see http://www.oracle.com/technetwork/java/javase/8u66-relnotes-2692847.html and http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html.

804956 RDAPI-786 Issue: Performance issues due to churn of SSL sessions.
Resolution: Previously, in API Gateway, connection activity time and idle time were not in sync. This resulted in opening new connections instead of reusing existing connections, which were considered expired. Now, in API Gateway, connection activity time and idle time are in sync, and the connection is cached properly.

729048 RDAPI-798 Issue: API Gateway caches failing to connect to LDAP as authN failure.
Resolution: Previously, unsuccessful LDAP connections that failed due to authentication errors were incorrectly cached, and errors were not reported. Now, LDAP connections that fail due to authentication errors are reported.

807408 RDAPI-802 Issue: Custom filter migration issues from 7.3.1 to 7.4.1.
Resolution: Previously, the user documentation did not state that if you have developed custom filters, you must update your custom filter classes and recompile before upgrading from version 7.3.1. Now, the API Gateway Installation Guide and the API Gateway Developer Guide include the correct information.

790450 RDAPI-877 Issue: API Gateway crashes when decrypting XML with duplicate elements.
Resolution: Previously, API Gateway was crashing if an error was found during XML element decryption. Now, API Gateway correctly handles errors found during XML element decryption.

787174 RDAPI-882 Issue: Resolver paths not working correctly.
Resolution: Previously, API Gateway failed to resolve to the proper path / policy when handling HEAD requests if both GET and HEAD methods were configured for the same path. Now, API Gateway resolves to the correct path / method rule.
- RDAPI-921 Issue: Connect to URL filter throws NPE when using Kerberos Credential Profile under stress.
Resolution: Previously, the Connect to URL filter threw a NullPointerException when authentication was done using SPNEGO Kerberos under stress (multiple threads). Now, Connect to URL filter works under stress with authentication over SPNEGO Kerberos.
808053 RDAPI-998 Issue: No Content-Type returned when using the Authorization Code flow.
Resolution: Previously, the OAuth Authorization form in the HTTP response did not include Content-Type in the HTTP header. Now, the Content-Type HTTP header is set to the content type of the HTTP message body.
800861 RDAPI-1005 Issue: Upgrading API Gateway gives error: KPS Table with alias: OAuthAuthorizations does not exist.
Resolution: Previously, when upgrading a configuration, an OAuth-specific table named OAuthAuthorizations was missing. Now, the OAuth table is created using the sysupgrade process.
760690 RDAPI-1008 Issue: Disabling traffic monitor suppresses incoming/outgoing data from trace file.
Resolution: Previously, API Gateway did not write incoming/outgoing DATA traces in the trace file when traffic monitoring was disabled. Now, API Gateway writes incoming/outgoing DATA traces in the trace file regardless of whether traffic monitoring is enabled.
802357 RDAPI-1072 Issue: Setting JNDI Properties in LDAP configuration does not work.
Resolution: Previously, in Policy Studio, it was not clear if LDAP connection custom JNDI parameters are applied successfully, and for some SSL configurations the java.net.SocketException: Unconnected sockets not implemented was thrown. Now, the custom JNDI parameters specified for an LDAP connection are reported in DEBUG trace level, and the SSL connections have the required socket implementation.
786561 RDAPI-1205 Issue: Proxied 304 Not Modified responses have binary bodies added when using gzip.
Resolution: Previously, 304 Not Modified responses had binary bodies added to them when gzip compression was enabled. Now, 304 Not Modified responses no longer have this issue when gzip compression is enabled.

807497 RDAPI-1241 Issue: Analytics Audit log Search query does not work properly.
Resolution: Previously, the Any/All and AND/OR buttons did not appear to work in the audit log search dialog in the API Gateway Analytics UI. These buttons are not supported by the API Gateway Analytics back-end. Now, they are disabled in the UI, and their fixed values correctly show the logic that will be applied when the search query executes.

- RDAPI-1412 Issue: Add noexec warning to system requirements in Installation Guide.
Resolution: Previously, the user documentation did not state that noexec must not be set on /temp before installing on Linux. Now, the API Gateway Installation Guide states this as a prerequisite.
812623 RDAPI-1418 Issue: JSON Add Node throwing exception.
Resolution: Previously, if the JSON Add Node filter was used to add a node to a JSON document and the node content evaluated to null, a NullPointerException was thrown. Now, the new JSON node is successfully added with value set to null.
- RDAPI-1479 Issue: Optimize OAuth Token Info filter.
Resolution: Previously, the OAuth Token Info filter and token validation were slow due to object serialization and reflection. Now, the OAuth Token Info filter and token are refactored to be more efficient.
814952 RDAPI-1489 Issue: KPS entry error.
Resolution: Previously, when adding an entry for a field in a KPS table that was of type HashMap, the value field was set to the key value when it was re-edited in the existing entry on the user interface. Now, when adding an entry for a field in a KPS table that is of type HashMap, the value field is set to the correct value.

813541 RDAPI-1656 Issue: Cannot encrypt message with existing symmetric.key.
Resolution: Previously, the XML-Encryption filter always attempted to use only the generated symmetric key instead of the key provided using a message attribute (for example, symmetric.key). Now, the XML-Encryption filter uses the symmetric key as configured in the XML-Encryption Settings filter.

813971 RDAPI-1659 Issue: Installation of 7.4.1 SP1 will fail if FIPS mode is enabled.
Resolution: Previously, when you installed 7.4.1 SP1 over a 7.4.1 installation, where FIPS is enabled, it caused the instances and node managers to fail and start with errors. The API Gateway SP readme did not include instructions to disable FIPS before applying the SP. Now, the API Gateway SP readme includes instructions to disable FIPS before applying the SP.
- RDAPI-1680 Issue: Update 7.4.1 user documentation to cover multiple groups on single host.
Resolution: Previously, the user documentation did not describe configuring multiple groups on a single host. Now, the API Gateway Administrator Guide and API Gateway Key Property Store Guide are updated with this information.
813971 RDAPI-1783 Issue: Issues with upgrade from 7.2.
Resolution: Previously, upgrade from version 7.2.2 with API Portal, multiple groups, same host, and embedded LDAP failed with a duplicate JAR issue. Now, the upgrade is successful.
820411 RDAPI-2120 Issue: Exported WSDL cannot be imported later.
Resolution: Previously, an import of a previously exported WSDL web service failed to import with the Couldn't find resource set for id error. Now, the previously exported WSDL web service imports correctly.
818782 RDAPI-2125 Issue: Proxy authentication fails for HTTPS requests.
Resolution: Previously, the Connect To URL filter was not sending the Proxy-Authorization header to proxy for HTTPS requests (tunneling) when required. Now, the Connect To URL filter sends the Proxy-Authorization header to proxy for HTTPS requests (tunneling) as required.
813470 RDAPI-2144 Issue: Memory leak in CRL (Dynamic) filter.
Resolution: Previously, I/O streams were not closed in case of errors during CRL processing. Now, I/O streams are closed when they are no longer needed.
821087 RDAPI-2216 Issue: Kerberos is not working with SPNEGO.
Resolution: Previously, when a browser acted as the client to the Kerberos Service filter, SPNEGO authentication failed because updates to the JDK triggered a multi-hop authentication flow between client and service, which was not handled properly. Now, a browser client can authenticate to the Kerberos Service filter using a multi-hop flow over SPNEGO.

819438 RDAPI-2228 Issue: Alert filter fails to import correctly.
Resolution: Previously, Policy Studio was reporting "There was a problem displaying the edit dialog null" errors when users attempted to edit an imported Alert filter. Now, you can modify the Alert filter in Policy Studio after importing it with a policy.
- RDAPI-2234 Issue: Error while upgrading configuration in Policy Studio.
Resolution: Previously, the CertValidationOcspFilter migrate step 2 task was incorrectly importing an incomplete version of the LoadableModule entity type. This was causing an exception when trying to upgrade API Gateway configuration. Now, the CertValidationOcspFilter migrate step 2 task imports a complete LoadableModule entity type.

820016 RDAPI-2316 Issue: API Gateway should not wait indefinitely after sending expect: 100-continue.
Resolution: Previously, there was a problem with API Gateway acting as a client to a particular back-end server with mandatory gzip. Non-gzip requests were rejected. Now, by setting a SystemProperty of dont.expect.100.continue to true in jvm.xml, API Gateway will not wait for a 100-continue response on a HTTP 1.1 connection before sending a message body.
820584 RDAPI-2329 Issue: Unable to use envSettings.props certificate and environmentalized bind certificate at runtime.
Resolution: Previously, in Policy Studio, you could incorrectly externalize already environmentalized certificates using the Bind certificate at runtime option. Now, in Policy Studio, the Bind certificate at runtime option is removed from the certificate selector dialog for already environmentalized certificates. This prevents the externalization of certificates with environment variables.
811546 RDAPI-2344 Issue: Problem getting Cassandra configuration from kpsadmin.
Resolution: Previously, getting Cassandra configuration from multiple groups failed. Now, configuration is retrieved correctly.
800386 RDAPI-2393 Issue: OAuth Authorization Code flow in v7.4 now prompts to Authorize for scopes.
Resolution: Previously, configuration upgraded from 7.2.x that used the User Authentication callout policy in OAuth Authorization filters stopped working as expected by presenting an authorization screen to the user. This affected some flows that depended on the previous behavior where authorizations were automatically accepted. Now, this behavior can be reinstated by setting the following system property in conf/jvm.xml:

    <VMArg name="-Dcom.axway.oauth.acceptRequestScopes=true"/>

- RDAPI-2441 Issue: Memory leak getting encoded certificate info (PKCS7).
Resolution: Previously, there was a memory leak encoding certificates in PKCS7 format. Now, there is no memory leak when encoding certificates in PKCS7 format.
- RDAPI-2442 Issue: Memory leak getting encoded private key (PKCS8).
Resolution: Previously, there was a memory leak encoding a private key in PKCS8 format. Now, there is no memory leak when encoding a private key in PKCS8 format.
815452 RDAPI-2456 Issue: Different behavior for form-based authentication.
Resolution: Previously, the HTML Form Based Authentication filter was incorrectly setting the authentication.subject.id and authentication.subject.format message attributes to User Name format instead of X509DName because it was configured in the corresponding LDAP repository. Now, the HTML Form Based Authentication filter sets authentication.subject.id and authentication.subject.format respectively as configured in the corresponding repository.
782400 RDAPI-2462 Issue: XML Signature Verification filter fails when request from SoapUI uses a SAML Assertion with Sender Vouches confirmation method.
Resolution: Previously, generation or verification of XML signatures was not supported using the STR-Transform for a SAML 2.0 assertion, although SAML 1.0/1.1 was supported. Now, API Gateway supports generation and verification of XML Signatures using the STR-Transform for SAML 1.0, 1.1, and 2.0 assertions.
824012 RDAPI-2467 Issue: HTML format request to opsdb allows XSS vulnerability.
Resolution: Previously, an XSS vulnerability was discovered on API Gateway. Now, the XSS vulnerability is fixed.
803048 RDAPI-2529 Issue: Create WS-Trust Message filter does not follow the protocol.
Resolution: Previously, the inserted Created and Expires elements in the RequestSecurityTokenResponse were created in the WST namespace element. Now, the inserted Created and Expires elements in the RequestSecurityTokenResponse are created with the WSU namespace.
820769 RDAPI-2532 Issue: Policy import does not recognize change to filter parameter list.
Resolution: Previously, importing changes to the Validate REST filter would incorrectly report The imported configuration contains no applicable differences. Now, changes to the Validate REST filter are correctly detected on import.
- RDAPI-2535 Issue: API Gateway crashes during soak test.
Resolution: Previously, API Gateway could crash due to a small memory leak in traffic monitoring. Now, memory handling in API Gateway traffic monitoring is improved.
822497 RDAPI-2548 Issue: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Resolution: Previously, API Gateway included OpenSSL 1.0.1p-fips, which has security vulnerabilities. Now, API Gateway includes OpenSSL 1.0.1s-fips, addressing known security vulnerabilities. For more details, see http://openssl.org/news/secadv/20160301.txt.
- RDAPI-2622 Issue: In XML-Encryption, derived symmetric key not used to encrypt as expected.
Resolution: Previously, the XML Encrypt filter did not always correctly encrypt a message with a derived key. Now, the XML Encrypt filter encrypts messages with a derived key as expected.

Known issues

The following issues are known and scheduled for correction in a future release.

Case ID Internal ID Description
807075 RDAPI-1102 HTTP Basic filter in Protect Management Interfaces policy triggers six times on logging in successfully to Policy Studio.
808885 RDAPI-1164 API Gateway Analytics defect in filtering.
808783 RDAPI-1176 Traffic monitoring trace level not in sync with system trace level.
814625 RDAPI-2113 FTP poller terminates connection with Java exception.
776780 RDAPI-2325 When Connect to URL reaches the Max Received Bytes limit, it returns a truncated result instead of an error.
811161 RDAPI-2471 Clickjacking of API Gateway Management Services.
821733 RDAPI-2491 Creating policy assembly fails with DuplicateKeysException.
813773 RDAPI-2505 When the logged-in user changes password on 8090, they lose all their roles.
824002 RDAPI-2545 Retrieve from or write to database filter fails with NullPointerException when Date column contains null.
825167 RDAPI-2559 Valid JSONPath incorrectly returns no matches.

Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If FIPS mode is enabled, you must perform the following steps:
    1. Run togglefips --disable to turn FIPS mode off.
    2. Start the nodemanager to move the JARs.
    3. Stop the nodemanager.
    4. Install API Gateway 7.4.1 SP 2.
    5. Start the nodemanager.
    6. Stop the nodemanager.
    7. Run togglefips --enable to turn FIPS on again.
    8. Start the nodemanager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway.

Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.4.1 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 2 Core over the apigateway directory in your existing installation directory. For example:

     tar -xzvf APIGateway_7.4.1_SP2_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/apigateway/
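
A pre-flight check for the extraction step above, as an added example that is not part of the Axway Readme: it compares the archive's MD5 with the published value, lists the archive to confirm that no member would land outside the -C target, and checks the temporary directory for noexec. The function names and the temporary directory argument are assumptions; an MD5 match shows the download is intact, and only says something about tampering if the checksum itself came from a trusted channel.

```shell
#!/bin/sh
# Added example: pre-flight checks before extracting a service pack archive
# over an existing installation. Function names are illustrative.

# md5_matches FILE EXPECTED_HEX
# Succeeds only if FILE's MD5 equals the checksum published with the download.
md5_matches() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# opts_have_noexec MOUNT_OPTIONS
# Succeeds if the comma-separated mount option string contains noexec.
opts_have_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_is_noexec DIR
# Looks up the mount options of the filesystem holding DIR (util-linux findmnt).
dir_is_noexec() {
    opts_have_noexec "$(findmnt -n -o OPTIONS -T "$1" 2>/dev/null)"
}

# unsafe_member_names
# Reads archive member names on stdin and prints those that are absolute or
# contain a ".." component, i.e. that could land outside the -C target.
unsafe_member_names() {
    awk '
        /^\// { print; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; next }
        }'
}

# archive_unsafe_members ARCHIVE
# Lists a gzip-compressed tar archive and filters the member names.
archive_unsafe_members() {
    tar -tzf "$1" 2>/dev/null | unsafe_member_names
}

# preflight ARCHIVE EXPECTED_MD5 TEMP_DIR
# Returns 0 only if all three checks pass; prints the reason otherwise.
preflight() {
    md5_matches "$1" "$2" || { echo "MD5 mismatch for $1" >&2; return 1; }
    bad=$(archive_unsafe_members "$1")
    if [ -n "$bad" ]; then
        echo "members that escape the target directory:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    if dir_is_noexec "$3"; then
        echo "noexec is set on the filesystem holding $3" >&2
        return 1
    fi
    echo "pre-flight OK: $1"
}

# Usage (archive name from this Readme; checksum and directory are placeholders):
#   preflight APIGateway_7.4.1_SP2_Core_linux-x86-64_BNYYYYMMDDn.tar.gz \
#       '<MD5 published with the download>' /path/to/temp-dir
```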

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.4.1 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 2 Analytics over the analytics directory within your existing API Gateway 7.4.1 installation directory. For example:

     tar -xzvf APIGateway_7.4.1_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/analytics/

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 2 Policy Studio over the policystudio directory within your existing API Gateway 7.4.1 installation directory. For example:

     tar -xzvf APIGateway_7.4.1_SP2_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/policystudio/

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 2 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.4.1 installation directory. For example:

     tar -xzvf APIGateway_7.4.1_SP2_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/configurationstudio/

After installation

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file.

     64-bit installation:

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

     32-bit installation:

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/i386/server:$VDISTDIR/$DISTRIBUTION/jre/lib/i386:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
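
A check that both steps above took effect, as an added example that is not part of the Axway Readme: it confirms that jvm.xml carries the java.library.path VMArg for the expected architecture and that vshell holds cap_net_bind_service and no other capability. The function names are assumptions, and getcap is the libcap companion tool to setcap.

```shell
#!/bin/sh
# Added example: verify the unprivileged-user setup. Function names are
# illustrative and not part of the product.

# jvm_xml_arch JVM_XML
# Prints amd64 or i386 according to the java.library.path VMArg found in the
# file, "unknown" if the VMArg names neither, "none" if there is no such VMArg.
jvm_xml_arch() {
    line=$(grep -F -- '-Djava.library.path=' "$1" 2>/dev/null) || { echo none; return; }
    case "$line" in
        */jre/lib/amd64*) echo amd64 ;;
        */jre/lib/i386*)  echo i386 ;;
        *)                echo unknown ;;
    esac
}

# cap_clause GETCAP_LINE
# Prints the capability clause from one line of getcap output. Older libcap
# prints "FILE = cap_x+ep", newer libcap prints "FILE cap_x=ep"; in both
# formats the clause is the last whitespace-separated field.
cap_clause() {
    printf '%s\n' "$1" | awk 'NF { print $NF }'
}

# only_bind_service CLAUSE
# Succeeds if the clause grants cap_net_bind_service (effective and permitted)
# and nothing else, in either getcap output format.
only_bind_service() {
    case "$1" in
        cap_net_bind_service+ep|cap_net_bind_service=ep) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_unprivileged_setup JVM_XML VSHELL EXPECTED_ARCH
# EXPECTED_ARCH is amd64 for a 64-bit installation and i386 for a 32-bit one.
verify_unprivileged_setup() {
    arch=$(jvm_xml_arch "$1")
    if [ "$arch" != "$3" ]; then
        echo "java.library.path VMArg in $1: found $arch, expected $3" >&2
        return 1
    fi
    clause=$(cap_clause "$(getcap "$2" 2>/dev/null)")
    if ! only_bind_service "$clause"; then
        echo "unexpected capabilities on $2: ${clause:-none}" >&2
        return 1
    fi
    echo "unprivileged setup OK"
}

# Usage (replace INSTALL_DIR with the real installation directory):
#   verify_unprivileged_setup INSTALL_DIR/system/conf/jvm.xml \
#       INSTALL_DIR/platform/bin/vshell amd64
```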


Documentation

Go to Axway Sphere at https://support.axway.com to find all documentation for this product version.

For information about how API Gateway is used in Axway 5 Suite, refer to:

All Axway documentation is available from Axway Sphere at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Sphere at https://support.axway.com.


Copyright © 2016 Axway. All rights reserved