Axway API Gateway and API Manager 7.6.2 SP2 Readme

Document version: 14 December 2018



Readme for v7.6.2 SP2

This Readme applies to Axway API Gateway and API Manager 7.6.2 SP2, for all supported platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

This service pack provides fixes for a number of reported defects. It includes updates for the following components:

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all supported platforms (for example, APIGateway_7.6.2_SP2_Core_linux-x86-64_BNYYYYMMDDn.tar.gz). All components are available on Linux. The Policy Studio and Configuration Studio client tools are also available on Windows.

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE identifier Description
RDAPI-14426 00993605, 00984372 - Issue: A security issue allowed the upload of unsupported image formats (such as Flash) that could be used to initiate attacks.
Resolution: Validation has been added for image uploads to check the file name and image format. The image is now always processed, which reduces the risk of attacks where the file content does not match the declared type.
RDAPI-14606 00989768, 00990108, 01014125 - Issue: Location header in 303 See Other response displayed absolute URIs to host specified in Host header, which could be modified and cause a security issue.
Resolution: The Location header now contains a relative URI by default, according to RFC 7231. To display absolute URIs in the Location header, set the com.axway.response.redirect.location.relative Java system property to false in INSTALL_DIR/apigateway/system/conf/jvm.xml.
RDAPI-14608 01009656 - Issue: API Gateway SOAP response to a message with an empty body contained a fault namespace indicating that it is an Axway API Gateway.
Resolution: You can use the -Dcom.axway.soap.faultnamespace system property in jvm.xml to rename this namespace to avoid any potential security issues.
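The RDAPI-14606 entry above describes a redirect whose target host came from the client-supplied Host header. The following is an added example, not Axway code, showing how an operator can audit captured 303 responses for that pattern; the trusted hostnames and the sample exchanges are constructed for the example.

```python
"""Audit 3xx responses for Location headers derived from the client's Host header.
Added example, not Axway code; it models the behaviour fixed in RDAPI-14606: before
the fix a 303 Location was an absolute URI naming whatever Host the client sent,
after it a relative reference (RFC 7231 permits this) that the client resolves
against the address it actually connected to.
"""
from urllib.parse import urlsplit

# Hostnames the gateway is legitimately reachable as (assumed deployment values).
TRUSTED_HOSTS = frozenset({"api.example.com", "api.example.com:8080"})


def classify_location(location, request_host, trusted_hosts=TRUSTED_HOSTS):
    """'relative', 'absolute-trusted', 'absolute-reflected' (echoes the
    client-supplied Host) or 'absolute-untrusted' (some other host)."""
    parts = urlsplit(location.strip())
    if not parts.scheme and not parts.netloc:
        return "relative"            # e.g. "/api/portal/": resolved by the client
    netloc = parts.netloc.lower()
    if netloc in trusted_hosts:
        return "absolute-trusted"
    if netloc == request_host.strip().lower():
        return "absolute-reflected"
    return "absolute-untrusted"


def audit_responses(exchanges):
    """Return (index, verdict) for every 3xx exchange whose Location is neither
    relative nor on a trusted host. Exchange: dict with request_host, status, headers."""
    findings = []
    for i, ex in enumerate(exchanges):
        location = ex["headers"].get("Location")
        if location is None or not 300 <= ex["status"] < 400:
            continue
        verdict = classify_location(location, ex["request_host"])
        if verdict not in ("relative", "absolute-trusted"):
            findings.append((i, verdict))
    return findings


# Constructed sample exchanges: pre-fix reflection, post-fix relative, non-redirect.
SAMPLE_EXCHANGES = [
    {"request_host": "untrusted-host.example", "status": 303,
     "headers": {"Location": "https://untrusted-host.example/api/portal/"}},
    {"request_host": "untrusted-host.example", "status": 303,
     "headers": {"Location": "/api/portal/"}},
    {"request_host": "api.example.com", "status": 200, "headers": {}},
]
```

Running `audit_responses(SAMPLE_EXCHANGES)` flags only the first exchange, which is the pre-fix behaviour; the relative Location of the second is what the service pack returns by default.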

Other fixed issues

Internal ID Case ID Description
RDAPI-13123 00946314, 00961189 Issue: A front-end API was configured with Inbound Security set to OAuth or OAuth (External) and Scopes must match set to All. Requests to this API failed if their access token contained more scopes than were configured for the API.
Resolution: Requests with access tokens containing more scopes than are configured for the API will not fail.
RDAPI-14044 00999445 Issue: Links sent to finish API Manager user registration did not work when special characters such as + were used in the email address.
Resolution: The email address parameter is now encoded in the URL.
RDAPI-14070 00962018 Issue: API Manager REST API HTTP Basic Authentication failed when the user password contained a colon character (:).
Resolution: You can now include a colon in the user password.
RDAPI-14203 01000483 Issue: In Visual Mapper, there was an error transforming XML to JSON when XML reference types were used.
Resolution: The error no longer occurs when transforming XML to JSON using XML reference types.
RDAPI-14241 00949835 Issue: Problems occurred when importing a Swagger definition in which an array contained primitive types such as string.
Resolution: The import now allows arrays that contain simple types.
RDAPI-14388 01004665 Issue: You could not import the same WSDL back-end API twice in API Manager.
Resolution: You can now import the same WSDL back-end API.
RDAPI-14403 00999252 Issue: FTP Poller was not performing the configured action when the processing policy failed.
Resolution: FTP Poller now performs the configured action.
RDAPI-14405 00980797 Issue: OAuth clients configured using selectors failed to trace an appropriate error message.
Resolution: Trace now contains the following message:
OAuth client application is not properly configured. Basic client application properties are not set.
RDAPI-14543 00968288 Issue: When API Gateway as OAuth client received a malformed token, it failed to throw an error and stored the token as null.
Resolution: Token parsing now fails with an error message in API Gateway trace.
RDAPI-14546 00983453, 00990270 Issue: When two APIs shared back-end and front-end URLs, they were randomly chosen independently of their state.
Resolution: The published API now takes precedence.
RDAPI-14555 00988153 Issue: In the OAuth Client Credentials flow, when a refresh token request failed, the process fell back to an access token request, which failed to make the new token available to the outbound API call.
Resolution: The new token obtained after the failed refresh token attempt is now used as expected, and the authorization is granted to the protected content.
RDAPI-14557 01000557 Issue: API Gateway GET requests had different error messages from PUT, POST, and DELETE.
Resolution: API Gateway error handling now provides the same HTTP status codes for all REST API requests.
RDAPI-14628 00988159 Issue: API Gateway Manager web console was very slow when managing a large number of API Gateway instances.
Resolution: Performance of the API Gateway Manager web console has been improved.
RDAPI-14650 01008734 Issue: API Gateway Create Thumbprint filter sometimes removed leading zeros due to translation of byte array to string.
Resolution: Create Thumbprint filter no longer removes leading zeros.
RDAPI-14717 01013276 Issue: In API Manager, an additional incorrect forward slash (/) was appended when matching API definitions that started with path parameters.
Resolution: The incorrect leading / when matching the URL to the method definition has been removed.
RDAPI-14772 01008596 Issue: An error was raised when decrypting JWT tokens that had been encrypted by another security provider with the RSA OAEP algorithm.
Resolution: The security provider has been improved to support RSA OAEP for both encryption and decryption.
RDAPI-14785 00942267, 01004780 Issue: When changing an organization name, if an application API key was previously loaded in a Try It form, API Manager displayed:
The entity could not be found. Please refresh your session.
Resolution: This issue has been fixed and API Manager no longer displays this error message.
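RDAPI-14650 above records a thumbprint that lost leading zeros when the digest bytes were turned into a string. The following is an added example, not Axway code, that shows the bug class next to the padded rendering and a comparison against a pinned value; the certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Leading-zero loss when a certificate thumbprint is rendered as hex (cf. RDAPI-14650).

Added example, not Axway code. A thumbprint is the hash of the certificate's DER
bytes rendered as hex; a per-byte formatter without zero padding drops the high
nibble of every byte below 0x10, so the string is too short and a comparison
against a pinned thumbprint silently fails.
"""
import hashlib
import hmac


def hex_lossy(digest: bytes) -> str:
    """Buggy rendering: per-byte hex without padding (Java's
    Integer.toHexString(b & 0xff) behaves the same way)."""
    return "".join(format(b, "x") for b in digest)


def hex_padded(digest: bytes) -> str:
    """Correct rendering: every byte is exactly two hex digits."""
    return "".join(format(b, "02x") for b in digest)


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Correctly padded hex thumbprint of DER-encoded certificate bytes."""
    return hex_padded(hashlib.new(algo, der).digest())


def lossy_thumbprint(der: bytes, algo: str = "sha1") -> str:
    """What the pre-fix rendering produced when the digest contained a byte < 0x10."""
    return hex_lossy(hashlib.new(algo, der).digest())


def thumbprint_matches(der: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Compare against a pinned value; tolerates upper case and ':' separators."""
    normalised = pinned.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(thumbprint(der, algo), normalised)


def find_leading_zero_sample(seed: bytes) -> bytes:
    """Constructed stand-in for a certificate: seed || i whose SHA-1 digest has a
    byte below 0x10 (about 1 in 16 bytes do, so the loop ends quickly)."""
    for i in range(256):
        candidate = seed + bytes([i])
        if any(b < 0x10 for b in hashlib.sha1(candidate).digest()):
            return candidate
    raise RuntimeError("no sample with a leading-zero byte found")
```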

Known issues

The following known issues are currently scheduled for the next service pack:

Internal ID Description
RDAPI-13433 API Manager generates wrong top-level OAuth security requirements in Swagger
RDAPI-14095 SSL handshake failing HTTPS WSDL import in API Manager
RDAPI-14321 Improper handling of SOAP WSDL with several service ports in API Manager and API Gateway
RDAPI-14465 OAuth JWT: get scope by calling a policy does not trigger assigned policy
RDAPI-14470 First-In-First-Out eviction in API Gateway cache: adding existing data removes original instead of updating
RDAPI-14622 Value of Via header is not written to API Gateway Transaction Access Log
RDAPI-14653 Error creating account for external identity provider with name containing special characters
RDAPI-14660 JWT Verify filter logs at trace level INFO
RDAPI-14661 File Upload filter performance is 20 times better with ASCII rather than Binary mode
RDAPI-14666 KPS restore command failing in production
RDAPI-14673 Significant API Manager performance deterioration as user numbers increase
RDAPI-14676 Automated deployment of API Gateway policy with passphrase fails
RDAPI-14689 OCSP response validation: OCSP filter does not try all three options
RDAPI-14692 WSDL schema cannot contain two global components and results in import error
RDAPI-14694 Threatening Content filter not parsing parameters with duplicate names
RDAPI-14722 Policy Studio cannot connect to Admin Node Manager using a proxy
RDAPI-14767 Issues with API Manager api/portal/v1.3/organizations API
RDAPI-14867 API Gateway crashes with core dump when load causes Connection filter to hit max connections
RDAPI-14869 API resource path with blank spaces not being validated in API Manager
RDAPI-14880 Retired API can be assigned to organization in API Manager
RDAPI-14882 API key not authorized error when calling API in API Manager
RDAPI-14885 Unable to view some APIs in the API Catalog in API Manager
RDAPI-14900 Swagger allOf limitation in API Manager is not documented


Install the service pack

Note   These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin) and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note   If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.6.2 SP2 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP2_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/
  4. Change to the apigateway directory in your installation:
     Linux: INSTALL_DIR/apigateway
  5. Run the following script:
     Linux: apigw_sp_post_install.sh
     Note   On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway Analytics 7.6.2 SP2 over the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP2_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
  3. Change to the analytics directory in your installation:
     Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
     Linux: apigw_analytics_sp_post_install.sh

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract Policy Studio 7.6.2 SP2 over the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP2_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
Note   The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract Configuration Studio 7.6.2 SP2 over the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP2_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
Note   The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

The following steps apply after installing the service pack.

API Gateway

To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
     <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
     INSTALL_DIR/platform/jre/lib/amd64/server
     INSTALL_DIR/platform/jre/lib/amd64
     INSTALL_DIR/platform/lib/engines
     INSTALL_DIR/platform/lib
     INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
     ldconfig

API Manager

Note   When API Manager is installed, you must run the update-apimanager script (located in the bin directory) after the API Gateway post-install script to ensure that all paths are up-to-date.

Documentation

Go to the Axway Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Axway Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.

Copyright © 2018 Axway. All rights reserved.