Document version: 13 November 2019
This Readme applies to Axway API Gateway and API Manager 7.6.2 SP 4, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for these products.
This service pack provides fixes for a number of reported defects. It includes updates for the following:
The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for supported platforms (for example, APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
The com.vordel.apimanager.uri.path.trailingSlash.preserve Java system property can be set to true. The default is false.
The com.coreapireg.apimethod.contenttype.legacy Java system property can be set to true. The default is false.
To improve general system performance and speed, enable caching by setting the com.axway.apimanager.api.data.cache Java system property to true.
External Clients, API Keys, and OAuth Credentials cache is optimized and updates are no longer blocking, resulting in performance improvements for corresponding API Manager APIs.
As a result of the non-blocking cache updates, API Manager memory consumption will increase, particularly in systems with large numbers of External Clients, API Keys, or OAuth Credentials.
The com.axway.apimanager.csrf Java system property can be set to false to turn off the CSRF checks. The default is true. Related issues: RDAPI-14363, RDAPI-16582, IAP-1592
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-16078 | 01053630 | | Issue: Missing user name validation in API Manager when changing the user name of the currently logged in user. Resolution: Validation added to check the user name change for the currently logged in user in API Manager. |
RDAPI-16110 | 01054493 | | Issue: JQuery version 3.3.1 contains a security vulnerability, which is fixed in version 3.4.0. Resolution: JQuery version has been upgraded to 3.4.0. |
RDAPI-16130 | 01054123 | | Issue: The Java version shipped with API Gateway contained security vulnerabilities. Resolution: The API Gateway Java version has been upgraded to OpenJDK 1.8.0_212. |
RDAPI-16438 | 01056395 | | Issue: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, an OAuth client_id different from the one represented by the JWT token can be passed as a body parameter and injected into the Access Token. Resolution: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, the Gateway now uses only the OAuth client_id from the JWT token and disregards any value passed as a body parameter. |
RDAPI-16666 | 01067185 | | Issue: The CSRF Token was not being sent with the deployment service call. Resolution: The CSRF Token is now sent with the deployment service call and the deployment succeeds. Note: The com.axway.apimanager.csrf Java system property (true by default) can be set to false to turn off the CSRF checks by API Manager, API Gateway Manager, and Client Application Registry. |
RDAPI-16763 | 01047281, 01048422 | | Issue: Security headers are missing from responses. Resolution: Missing security headers have been added. Note: You must update existing configurations of API Manager using the update-apimanager script to avail of the feature. New setups of API Manager have the feature by default. |
Internal ID | Case ID | Description |
---|---|---|
RDAPI-13433 | 00949172, 00951645 | Issue: In the API Manager exported Swagger 2.0 file, the security field scopes were incorrectly formatted for "scope must match Any". Resolution: In the API Manager exported Swagger 2.0 file, the security field scopes are correctly formatted for "scope must match Any". |
RDAPI-14550 | 01012098 | Issue: The setup-cassandra script changes the default value of the start_rpc property in the cassandra.yaml file to true. This is no longer needed. Resolution: The setup-cassandra script respects the current value of the start_rpc property in the cassandra.yaml file. |
RDAPI-14653 | 01012757 | Issue: User name checks are too strict. Resolution: The user name regular expression is configurable in the Settings of the API Manager UI. |
RDAPI-14882 | 01020261 | Issue: API Key cache not detecting changes in Cassandra. Resolution: Improved logging and reliability of the Cassandra module and API Manager data synchronization among multiple nodes. |
RDAPI-15678 | 00970706 | Issue: Query parameter "from" in the Monitoring Metrics Summary REST call does not change the result. Resolution: The query parameter that did not have any effect on the call has been removed from the API. |
RDAPI-15873 | 01037992 | Issue: Some columns are hidden in the table on the API Catalog page when the values of name and url are too long. Resolution: Columns are now always visible, because there is a size limit for name and url, and a scroll bar appears when the table values are large. |
RDAPI-15886 | 01012616, 01043799 | Issue: When a report is generated in API Gateway Analytics, the values inside the report differ when the file type changes from PDF to CSV. Resolution: Generated PDF and CSV reports in API Gateway Analytics now have the same values when the reports have the same date range. |
RDAPI-15987 | 01043924 | Issue: The OAuth Authorization Code Flow Filter throws an exception when an invalid value of the "prompt" parameter is passed, resulting in potentially harmful information being written to the logs. Resolution: The OAuth Authorization Code Flow Filter now validates the prompt parameter prior to any authorization logic and fails gracefully without revealing any information about the technology used. |
RDAPI-16050 | 00965063 | Issue: API Gateway does not forward all headers for HTTP HEAD requests. Resolution: HEAD requests are now managed the same way as GET or POST requests. |
RDAPI-16053 | 01051981, 01044987 | Issue: API Manager calls appear on the monitoring dashboard of API Gateway. Resolution: API Manager calls are not monitored by API Gateway and do not appear on the dashboard. |
RDAPI-16057 | 01044333 | Issue: Changing the dynamic traffic monitoring configuration of an HTTP interface enables recording of payload data. Resolution: Recording of payload data is now part of the UI configuration. |
RDAPI-16092 | 01053832 | Issue: Selector security scanning was running against non-selectors for the outbound parameter value field. Resolution: Non-selectors are no longer scanned, because they will be encoded on the outbound request anyway, and selectors are validated correctly, ensuring that they are valid selectors and will not encounter exceptions during an outbound request. |
RDAPI-16101 | 01043037, 01042746 | Issue: The OAuth Refresh flow only returns JSON output; the "format" header is ignored. Resolution: The "format" header is now honoured, and other outputs such as XML are returned. |
RDAPI-16104 | 01036400 | Issue: API Gateway does not set Cassandra's cluster port property. Resolution: API Gateway now sets the Cassandra cluster port correctly, rather than always using the default. |
RDAPI-16115 | 01054182 | Issue: No way to run update-apimanager when a group was protected by a passphrase. Resolution: update-apimanager was updated so that a group passphrase can be passed in using --passphrase. |
RDAPI-16150 | 01053244, 01055388, 01053278, 01048495 | Issue: Amendments to the trailing slash behaviour for REST APIs in the API Manager runtime caused path matching to fail for WSDL APIs due to an additional trailing slash. Resolution: API Manager WSDL API path processing is corrected for SOAP requests sent to the back-end server as defined in the corresponding WSDL binding port. |
RDAPI-16157 | 01038361, 01047751 | Issue: The Remote Host Load Balancer algorithm excludes a previously failed address for a non-configurable duration of one minute. This may lead to a condition where all connection attempts to the listed Load Balancer addresses fail. Resolution: The exclusion time period for failed addresses listed in the Load Balancer can now be configured to reduce the risk of all connections failing. Set the AXWAY_LB_ALG_ADDR_DOWNTIME system environment variable to the desired downtime in milliseconds; the default is 60000. |
RDAPI-16161 | 01056103, 01056255, 01057873, 01057553 | Issue: Non-SSO users cannot use any API Portal functionality after logging in because of a CSRF check error. Resolution: The CSRF token is generated on API Portal log in, allowing non-SSO users to use API Portal functionality. |
RDAPI-16209 | 01053421, 01045179, 01047139 | Issue: API Gateway fails to correctly handle required Form Parameters on a back-end API when they are sent in a multipart request or if an additional attribute is present in the Content-Type header (for example "application/x-www-form-urlencoded; charset=UTF-8"). Resolution: API Gateway now handles required parameters when sent in a multipart request and accepts additional attributes in Content Types. |
RDAPI-16216 | 01056234 | Issue: The HTTP Basic Filter accepts only the case-sensitive "Basic" scheme name. Resolution: The HTTP Basic and HTTP Digest filters process the Basic Authentication scheme name case-insensitively as per RFC 7617. |
RDAPI-16283 | 01025370, 01007245 | Issue: In API Manager, when the configured Traffic Monitor Subject can be set for use in Metrics, a prefix of "Pass Through" is required for this type of client traffic data to be seen in API Manager Monitoring. Resolution: All client traffic data is now shown in API Manager Monitoring as relevant to the selected filter and user permissions. |
RDAPI-16317 | 01051869, 01050675 | Issue: In API Gateway, XML message content redaction causes the instance to crash when the message contains multi-byte encoded characters, and requires a restart. Resolution: API Gateway now correctly handles XML message content redaction with multi-byte encoded characters. |
RDAPI-16407 | 01069752 | Issue: Content-Type validation does not permit WSDL requests with attachments of Content-Types other than the standard SOAP message request body. Resolution: Content-Type validation now permits WSDL requests with attachments of varying Content-Types. |
RDAPI-16477 | 01041751, 01062343, 01062472, 01026467 | Issue: When API Manager has many applications, deployment and startup are too slow. API management requests can interfere with traffic on port 8065. Resolution: API Manager no longer interferes with the deployment of API Gateway configurations when processing large amounts of application data. API requests to the API Manager traffic port 8065 now respond with HTTP status '401 Unauthorized' while the API Client Cache is updating, instead of timing out. Caching is also non-blocking and more performant now. |
RDAPI-16511 | 01064458, 01064765 | Issue: In a Policy Studio project, when error response codes are added to a REST API method, the method becomes uneditable after the project is closed and reopened. Resolution: Now in a Policy Studio project, when error response codes are added to a REST API method, the method remains editable after the project is closed and reopened. |
RDAPI-16515 | 01052320 | Issue: Some "SSL shutdown" errors can be triggered when reading or writing data to or from the network. Resolution: An SSL error status that could remain in memory from a previous unfinished SSL handshake is now cleared. Additional OpenSSL debug traces are now logged when the variable "V_SSL_SESS_DEBUG" is in use. |
RDAPI-16543 | 01062392 | Issue: In API Gateway, when HTTP redaction is enabled, API Gateway automatically turns on XML redaction for XML messages. This can result in performance issues, especially on larger XML messages. Resolution: In API Gateway, enabling HTTP redaction no longer performs XML redaction on XML messages unless it is specifically configured. |
RDAPI-16548 | 01067546, 01065718, 01042409 | Issue: In API Manager, setting a custom subject inside the E-mail templates has no effect and E-mails are sent with their default subject. Resolution: In API Manager, E-mails are now sent with the custom subject if set in the templates; default subjects are used otherwise. |
RDAPI-16779 | 01052320 | Issue: The OpenSSL 'SSL_shutdown:shutdown while in init' error is reported for a reused connection with a previously failed handshake. Resolution: Errors for the previous SSL handshake failure are now cleared. |
The following known issues are currently scheduled for the next service pack:
Internal ID | Description |
---|---|
RDAPI-14225 | Stored XSS in the application's OAuth redirect URL, encode OAuth Redirect URLs on output |
RDAPI-14622 | Value of 'Via' Header is not written to Transaction Access Log |
RDAPI-15115 | API Manager remote hosts not synchronized between instances |
RDAPI-15297 | Update trailing slash support in Jython scripts samples |
RDAPI-15547 | Cassandra Restore Script Fails from Docs |
RDAPI-15608 | Can't access NodeManager after submitting external CA signed certs |
RDAPI-15675 | API Manager: load Error "Map XXXX should be YYYY" after importing APIs |
RDAPI-15758 | Request headers reflected as response headers |
RDAPI-15779 | Swagger Generation Tool - Duplicate paths are not reported |
RDAPI-16328 | Maven 'clean' on install/pom.xml does not cleanup install/system/lib |
RDAPI-16365 | API Mgr, attributes set in Token information policy not available in fault policy |
RDAPI-16490 | Frontend API creation fails if WSDL host is invalid with a HTTPS scheme |
RDAPI-16553 | Regression: database connection leaks when client disconnects abnormally |
RDAPI-16574 | Duplicate headers returned when calling API Gateway Rest API |
RDAPI-16633 | Backend invocation failing with 500 when Outbound Oauth is used |
RDAPI-16648 | SMIME message policy calling SOAP request fails in backup after upgrade |
RDAPI-16777 | Trailing slash wrongly added to SOAP calls with method override |
RDAPI-16811 | [CWE-359] Password can be retrieved in GET /api/portal/v1.3/proxies |
RDAPI-16915 | Correct and improve test coverage for HEAD request forwarding |
RDAPI-16953 | API Manager event poller unnecessarily locks cache updates from Cassandra |
RDAPI-17022 | Multiple Authorization header forwarded to the backend |
RDAPI-17025 | modsecurity - "403 operation blocked" not possible to change this status in response |
RDAPI-17031 | Core file generated while stress testing websockets #1 "Thread::join()" (core.vshell.23985) |
RDAPI-17036 | projpack incorrect parsing for string containing '-f' |
RDAPI-17039 | Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut |
RDAPI-17043 | Core file generated while stress testing websockets #2 "__cxa_call_unexpected" (core.vshell.360) |
RDAPI-17074 | Unknown MimeType: "application/json;charset=UTF-8" |
RDAPI-17080 | Metrics pop-up doesn't disappear |
RDAPI-17095 | Forward slash ("/") is being appended to the resource path by API Broker policy after upgrade from SP7 |
RDAPI-17120 | Topologies fail to manually sync with managedomain |
RDAPI-17127 | User self-registration and Stored Personal Data - GDPR |
RDAPI-17131 | API Manager Traverse Error |
RDAPI-17149 | Malformed JSON content is forwarded to backend, when it should be blocked by APIMgr |
RDAPI-17169 | Rest API paths created by policy studio duplicated |
RDAPI-17197 | PUT /organizations/{{org-id}} resets the readOnly field, createdOn, to 0 |
RDAPI-17249 | OAuth server does not return 401 in compliance with the RFC for certain "invalid_client" errors |
RDAPI-17275 | OpenID Connect tokens generated by the hybrid flow are missing c_hash |
RDAPI-17319 | Access log, if enabled, delays transactions by causing a DNS query even when unnecessary |
RDAPI-17325 | Access token is wrongly generated when the 'scope' field contains 'openid' along with a scope which is not valid for the client |
RDAPI-17329 | json to xml filter crashes with proper JSON escaped "\" |
RDAPI-17339 | Can't update client app registry after an sp is applied |
RDAPI-17384 | Core file generated while stress testing websockets #3 "<signal handler called>" (core.vshell.21451) |
RDAPI-17404 | Gateways are unresponsive after deployment in SP11, increased memory usage suspected |
RDAPI-17473 | Deployment REST API envsettings/service/{serviceId} returns 500 Internal server error when instance is remote |
RDAPI-17478 | Valid API credentials can give 401 error while API Manager cache loading |
RDAPI-17491 | NotSerializableException: com.vordel.circuit.cert.ocsp.CacheObject |
RDAPI-17538 | Policy Studio Slowness |
RDAPI-17545 | KPS Admin - List Rows return HTTP Status code 410 - GONE |
RDAPI-17549 | Api-manager does not accept '+' sign in email-address |
RDAPI-17650 | Provide meaningful error tracing when filter fails because scope is provided in form parameters when generating a token. |
RDAPI-17678 | Regex is incorrectly treating Resource Path of "/" as valid on import |
RDAPI-17758 | Backend Resource Description has disappeared from APIMgr UI in SP4 |
RDAPI-17767 | Manager doesn't perform input validation with OPTIONS |
RDAPI-17773 | Error on formatting in Traffic Monitor GUI and Trace Files |
RDAPI-17805 | Analytics single day reports not matching multi day time range for same days |
RDAPI-17811 | API Gateway doesn't check Oauth authz codes' expiry times when stored in an SQL DB |
RDAPI-17927 | HTTP error when relaying a 204 (No Content) response of a HEAD request |
RDAPI-17931 | SMTP with STARTTLS not working for Manager password reset |
RDAPI-17985 | Invalid field name, 'schema' for type: CoreAPIMethodErrorResponse |
RDAPI-18033 | big times to start the API Manager instance -- 8 min |
RDAPI-18036 | Slow start of the product |
RDAPI-18044 | Issue when configuring passphrase on an API Gateway with $ character in the password |
RDAPI-18102 | Bug using Advanced edit mode (shift-double-click) in "XML Signature Generation" filter |
RDAPI-18105 | Unable to load Application's Authentication tab in API Manager, with many API Keys |
RDAPI-18108 | slowness in API Portal due to issue in API Manager |
RDAPI-18112 | Problem with event log Service Context Client field is updated incorrectly |
RDAPI-18116 | apimanager-promote can add but not remove granted organization |
RDAPI-18218 | Update API Gateway 7.6 with OpenJDK 8u232 |
RDAPI-18240 | Open id redirect issue in OAuth flow |
RDAPI-18246 | JSON redaction can cause missing data in traffic monitor |
These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
Shut down any Node Manager or API Gateway instances on your existing installation.
Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
Note: Ensure to back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly to avoid any regex matching issues. For example, the following directories might contain customized files:
- webapps/apiportal/vordel/apiportal
- webapps/emc/vordel/manager/app
- webapps/emc
- system/conf/apiportal/email
- system/conf
- samples/scripts/
- tools/filebeat-VERSION-PLATFORM
- INSTALL_DIR/apigateway/system/lib/modules
- INSTALL_DIR/analytics/system/lib/modules
- INSTALL_DIR/apigateway/platform/jre
(kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
```
setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
```
If FIPS mode is enabled, you must also perform the following steps to install the service pack:
1. Run togglefips --disable to turn FIPS mode off.
2. Install the service pack.
3. Run togglefips --enable to turn FIPS on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:
1. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
2. Unzip and extract API Gateway 7.6.2 SP4 server over the apigateway directory in your existing installation directory. For example:
```
tar -xzvf APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/
```
3. Change to the apigateway directory in your installation: INSTALL_DIR/apigateway
4. Run the post-install script: apigw_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note: You can check the permissions with ls -l INSTALL_DIR/apigateway/posix/bin
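The following script is an added example and not part of the Axway readme: it verifies the downloaded archive against the MD5 checksum that the File packages section says is published for each file, and only then extracts it over the target directory as in step 2 above. The archive name, target directory and checksum are placeholders; the checksum is pasted from the download page, never computed from the archive itself.

```sh
#!/bin/sh
# Added example (not part of the Axway readme): check the service pack archive
# against its published MD5 checksum before extracting it over an installation.
# Assumptions: the expected checksum is supplied by the operator from the
# download page; archive name and INSTALL_DIR below are placeholders.

# verify_md5 FILE EXPECTED_MD5 -> returns 0 when the file's MD5 matches
verify_md5() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if command -v md5sum >/dev/null 2>&1; then
    actual=$(md5sum "$file" | cut -d' ' -f1)
  else
    # BSD/macOS fallback; output looks like "MD5(file)= <hash>"
    actual=$(openssl dgst -md5 "$file" | sed 's/.*= //')
  fi
  [ "$actual" = "$expected" ]
}

# install_sp ARCHIVE EXPECTED_MD5 TARGET_DIR -> extracts only when the checksum
# matches and the target directory exists; refuses (exit 1) otherwise.
install_sp() {
  archive=$1; expected=$2; target=$3
  if ! verify_md5 "$archive" "$expected"; then
    echo "checksum mismatch for $archive, refusing to extract" >&2
    return 1
  fi
  if [ ! -d "$target" ]; then
    echo "target directory $target does not exist" >&2
    return 1
  fi
  tar -xzvf "$archive" -C "$target"
}

# Example invocation (placeholders; the MD5 comes from the download page):
# install_sp APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz \
#   "<md5 from download page>" /opt/Axway-7.6.2/apigateway/
```

Run it with the Node Manager and API Gateway instances already shut down, as the prerequisites require; a mismatch stops the install before anything in INSTALL_DIR is touched.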
To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:
1. Unzip and extract API Gateway 7.6.2 SP4 Analytics over the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
```
tar -xzvf APIGateway_7.6.2_SP4_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
```
2. Change to the analytics directory in your installation: INSTALL_DIR/analytics
3. Run the post-install script: apigw_analytics_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note: You can check the permissions with ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
1. INSTALL_DIR/policystudio directory.
2. Unzip and extract API Gateway 7.6.2 SP4 Policy Studio over the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example:
```
tar -xzvf APIGateway_7.6.2_SP4_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
```
3. Start Policy Studio with the -clean option: policystudio -clean
Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
1. INSTALL_DIR/configurationstudio directory.
2. Unzip and extract API Gateway 7.6.2 SP4 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example:
```
tar -xzvf APIGateway_7.6.2_SP4_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
```
3. Start Configuration Studio with the -clean option: configurationstudio -clean
Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.
The following steps apply after installing the service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
```
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
```
2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.
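The helper below is an added example and not part of the readme or of Axway's own tooling. It sets a Java system property, such as com.axway.apimanager.api.data.cache or com.axway.apimanager.csrf from the settings section earlier in this readme, as a VMArg entry in jvm.xml in the same form as the VMArg line in step 1 above, and does so idempotently so that re-running it after a service pack does not leave duplicate entries. It assumes jvm.xml is a small fragment whose last line is its closing tag (taken here to be </ConfigurationFragment>; that tag name is an assumption, adjust it if your file differs). The sample file in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the Axway readme): idempotently set a Java system
# property as <VMArg name="-Dprop=value"/> in an API Gateway jvm.xml.
# Assumption: the file's last line is its closing tag (e.g. </ConfigurationFragment>).

# set_vmarg FILE PROPERTY VALUE
# Replaces an existing -DPROPERTY=... VMArg, or inserts a new one just before
# the final closing tag, so calling it twice leaves exactly one entry.
set_vmarg() {
  file=$1; prop=$2; value=$3
  tmp="$file.tmp"
  if grep -q -- "-D${prop}=" "$file"; then
    # update the value of the existing entry in place
    sed "s|-D${prop}=[^\"]*|-D${prop}=${value}|" "$file" > "$tmp"
  else
    # insert the new entry before the last line (the closing tag)
    awk -v entry="  <VMArg name=\"-D${prop}=${value}\"/>" '
      { lines[NR] = $0 }
      END {
        for (i = 1; i <= NR; i++) {
          if (i == NR) print entry
          print lines[i]
        }
      }' "$file" > "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_vmarg FILE PROPERTY -> prints the current value, or nothing if unset
get_vmarg() {
  sed -n "s|.*-D$2=\([^\"]*\)\".*|\1|p" "$1"
}

# count_vmarg FILE PROPERTY -> number of VMArg lines carrying the property
count_vmarg() {
  grep -c -- "-D$2=" "$1" || true
}

# Example invocation (placeholder path):
# set_vmarg INSTALL_DIR/system/conf/jvm.xml com.axway.apimanager.api.data.cache true
```

Because set_vmarg edits a copy and renames it into place, a failed sed or awk leaves the original jvm.xml untouched; keep the file under the same backup regime as the other customized files listed in the prerequisites.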
Notes:
- If needed, remove anon from the jdk.tls.disabledAlgorithms Java security property in the INSTALL_DIR/Linux.x86_64/jre/lib/security/java.security file.
- If needed, add the <VMArg name="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"/> line to the INSTALL_DIR/system/conf/jvm.xml file.
When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.
Caution: Before executing the update-apimanager script:
This script updates the active deployment in the API Manager group. After running the script, you must recreate the API Manager project (common project, containing Server Settings) from the deployment, so that you won't need to revert the changes the next time you perform a project deployment.
As an alternative to recreating the API Manager project, you can deploy only your common project to a development server and run the update-apimanager script against it, and create a new common project from this gateway instance. Then, you must deploy your updated policies to your API Manager group.
Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:
```
/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP
```
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
The following command shows an example of running the update-apimanager script when the Client Application Registry is installed:
```
/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg
```
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at https://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2019 Axway. All rights reserved.