Axway API Gateway and API Manager 7.5.3 SP 1 Readme
Document version: 25 July 2017
Readme for 7.5.3 SP 1
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
- API Gateway Core Server
- API Manager
- API Gateway Analytics
- Policy Studio
- Configuration Studio
The service pack contains new binaries only and does not overwrite the existing configuration.
Note: When upgrading to v7.5.3 from an earlier version, you must install this service pack on your new v7.5.3 installation before starting the upgrade.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP1_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Fixed issues
Fixed security vulnerabilities
Internal ID | Case ID | CVE identifier | Description |
---|---|---|---|
RDAPI-8814 | 00888175 | CVE-2017-3241 | Issue: Security vulnerability in JRE version. Resolution: Previously, API Gateway used a JRE version that included a security vulnerability. Now, the JRE version has been updated to v8u131, which fixes this vulnerability. |
RDAPI-9098 | 00894936 | CWE-285 | Issue: The Revoke OAuth Token filter does not revoke a refresh token if the access token has already expired. Resolution: Previously, if you tried to revoke an OAuth refresh token after its associated access token had expired, the revoke failed with the wrong error, unauthorized_client. Now, you can revoke a refresh token even if the access token has expired, and any failed attempts are reported as invalid_request. |
Other fixed issues
Internal ID | Case ID | Description |
---|---|---|
RDAPI-1360 | 00813372 | Issue: The dbpurger script fails with a NullPointerException error when used with the dbname parameter. Resolution: Previously, the dbpurger script was incorrectly trying to use the parameter dburl instead of the provided parameter dbname. Now, the dbpurger script correctly handles the parameter dbname and searches the configuration for the corresponding URL to use. |
RDAPI-5162 | 00853653 | Issue: Error importing a Swagger 2.0 file to API Manager. Resolution: Previously, you could import a Swagger 2.0 file into API Manager even though the file contained duplicated elements and was therefore not valid. The file was imported successfully as if it was a valid JSON file. Now, when you try to import a Swagger file into API Manager and the file contains duplicated elements, the import is blocked. API Manager returns an HTTP 400 error that states that there were duplicate elements in the file and shows which elements were duplicated to help fix the issue. |
RDAPI-7552 | 00879346 | Issue: API Manager ignores the query parameter string on SOAP endpoints. Resolution: Previously, when you imported an API web service definition into API Manager, API Manager ignored a query parameter in the soap:address location field, so the routing to the back-end URL was wrong. Now, the query parameter in the soap:address location field is retained on import, and the routing to the back-end URL remains correct. |
RDAPI-7884 | 00882567 | Issue: Problem with the back-end URL if the address location in WSDL ends with /. Resolution: Previously, if you imported a WSDL API that contained an address location ending with a / character, the base path for the API was set incorrectly. Now, the base path is set correctly even when the address ends with /. |
RDAPI-8407 | 00885591 | Issue: REQUIRED fields return HTTP 500 and no detailed error message. Resolution: Previously in API Gateway, if you called an API that had REQUIRED fields validated by API Manager, and those fields did not exist, API Gateway returned HTTP 500 Internal Server Error. Now, API Gateway correctly returns HTTP 400 Bad Request indicating the request was incorrect. |
RDAPI-8415 | 00868410 | Issue: API Gateway flows fail with error when processing the HTTP body of a request that has an unknown Content-Transfer-Encoding mechanism. Resolution: Previously, API Gateway threw a java.lang.Error exception when writing a body part of a request that had an unhandled Content-Transfer-Encoding value. Now, API Gateway ignores the unknown Content-Transfer-Encoding and treats it as if the value was binary. |
RDAPI-8429 | 00884739 | Issue: OAuth tokens stored in cleartext when using a database-backed OAuth store. Resolution: Previously, the OAuth refresh tokens not encrypted with a system passphrase contained sensitive data in serialized blobs. Now, the data has been redacted, so the plain text blobs are safe. |
RDAPI-8519 | 00888804 | Issue: Enabling threat protection on an interface prevents API Gateway from serving static files. Resolution: Previously, when you enabled threat protection on an interface, API Gateway could not access static content. Now, the threat protection mechanism correctly parses requests to static content and responses are sent back to API Gateway. |
RDAPI-8523 | 00889145 | Issue: Unicode defect in the Retrieve from Message filter. Resolution: Previously, if you configured the Retrieve from Message filter to replace the message payload on Windows OS, the filter did not handle Unicode characters correctly. Now, the Unicode character information is no longer lost when the message payload is replaced. |
RDAPI-8571 | 00874107 | Issue: HTTP status code missing from access logs. Resolution: Previously, if you enabled the transaction access logging for a policy where you had set the status code option, the status code was not shown in the access log file. Now, the status code is correctly shown in the access log file. |
RDAPI-8573 | 00881441 | Issue: Analytics Reports API returns stack trace in the response body. Resolution: Previously, responses to certain bad requests (for example, invalid JSON) contained stack trace information. Now, the stack trace information has been replaced by a more generic response. |
RDAPI-8633 | 00888407 | Issue: Policy references incorrect after copying a policy container. Resolution: Previously in Policy Studio, when you copied a policy container that referenced other policies in the same container, the policy references in the Policy Shortcut and Policy Shortcut Chain filters were not updated to point to the new copy of the container. Instead, the policy references continued to point to the original container. Now, the original behavior has been restored. When you copy a policy container, the policy references are updated to point to the new container, not the original container. |
RDAPI-8767 | 00893117 | Issue: Upgrade to v7.5.3 fails. Resolution: Previously, if you tried to upgrade to API Gateway v7.5.3 from an older configuration that contained KPS tables overriding the default Cassandra datasource, the upgrade process failed. Now, the upgrade completes and the datasource references are updated correctly. |
RDAPI-8815 | — | Issue: Error messages from API promotion policy do not contain meaningful information. Resolution: Previously, when you used the API promotion policy to promote APIs, you did not get a meaningful error message in API Manager if the policy failed. Now, if you include the filter Set Attribute Filter in the policy, you can use the attribute errorMessage to set a meaningful error message that is displayed in API Manager if the API promotion policy fails. |
RDAPI-8957 | 00876470 | Issue: Client certificate fails when CA certificates have the same name. Resolution: Previously, you could not use several CA certificates with the same Subject Distinguished Name (DName) but different Subject Key Identifiers. API Gateway was unable to build the correct certificate chain, and mutual authentication failed. Now, API Gateway can verify certificates against CA certificates with the same Subject DName but different Subject Key Identifiers, and mutual authentication succeeds. |
RDAPI-8965 | 00894145 | Issue: Wrong error code when calling a non-existent API. Resolution: Previously, API Gateway returned HTTP 500 Internal Server Error when calling an API that did not exist on API Manager. Now, API Gateway correctly returns HTTP 404 Not Found. |
RDAPI-8967 | 00895453 | Issue: |
RDAPI-8972 | 00876429 | Issue: Cannot use a selector in the Read from JMS filter. Resolution: Previously, you could not use a selector in the Read timeout(ms) field in the Read from JMS filter; the deployment failed if you tried to do this. Now, you can use a selector in the Read timeout(ms) field of the Read from JMS filter, and deployment succeeds. |
RDAPI-9090 | 00890617 | Issue: Duplicate elements in the array output in Visual Mapper data maps. Resolution: Previously in Policy Studio, if you used a Visual Mapper data map to map JSON input to JSON output including arrays, some array elements were duplicated. Now, the content is generated correctly for the arrays, and the array elements are no longer duplicated. After installing this service pack, you must re-generate your data maps to apply this fix to them: |
RDAPI-9135 | 00897169 | Issue: Payload data recorded by Open Traffic Event Log can get corrupted. Resolution: Previously, the Open Traffic Event Log used asynchronous file write operations, including buffers that could get corrupted or overwritten. Now, file write operations are performed synchronously so that the buffers do not get corrupted. |
RDAPI-9185 | 00889639 | Issue: REMOTE_ADDR has incorrect value when Apache ModSecurity rules are evaluated. Resolution: Previously, API Gateway was not always setting the correct remote IP address for Apache ModSecurity, and the threat protection rules with REMOTE_ADDR did not work as expected. Now, API Gateway sets the correct remote IP address for Apache ModSecurity, and the threat protection rules work as expected. |
RDAPI-9229 | 00891478 | Issue: Encoding issue with the Connect to URL filter and AWS V4 signing. Resolution: Previously, when encoding parameters for Amazon Web Services (AWS) V4 signing, certain values were being incorrectly encoded. Now, encoding has been updated to ensure it complies with the AWS requirements. |
Known issues
This service pack has the following known issue:
Internal ID | Case ID | Description |
---|---|---|
RDAPI-8277 | — | API Gateway Manager UI takes a long time to load after login |
Install the service pack
Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your v7.5.3 installation.
Prerequisites
This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:
- Shut down any Node Manager or API Gateway instances on your existing installation.
- Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
- Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
- If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.
FIPS mode only
If FIPS mode is enabled, you must perform the following steps to install the service pack:
- Run togglefips --disable to turn FIPS mode off.
- Start the Node Manager to move the JARs.
- Stop the Node Manager.
- Install the API Gateway service pack.
- Start the Node Manager.
- Stop the Node Manager.
- Run togglefips --enable to turn FIPS on again.
- Start the Node Manager.
Installation
This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Note
- To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
- To upgrade from an earlier version of v7.5.3, see the API Gateway Upgrade Guide.
Install the API Gateway Core Server service pack
If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:
1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
3. Unzip and extract API Gateway 7.5.3 SP 1 Core over the apigateway directory in your existing installation directory. For example:
   tar -xzvf APIGateway_7.5.3_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
4. Run the following script:
   Windows: INSTALL_DIR\apigateway\apigw_sp_post_install.bat
   Linux: INSTALL_DIR/apigateway/apigw_sp_post_install.sh
   Note: On Linux, run the script using the bash command.
API Gateway Appliance only
Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:
5. Run the following command:
   # [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
6. Run the following:
   # chown -R admin:admin /opt/gateway/
   # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
   # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
   # ldconfig
Note
- If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
- Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
- If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
- If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Install the API Gateway Analytics service pack
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
- Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
- Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Unzip and extract API Gateway 7.5.3 SP 1 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
- Go to the analytics directory in your installation:
  Windows: INSTALL_DIR\analytics
  Linux: INSTALL_DIR/analytics
- Run the post-install script for API Gateway Analytics:
  Windows: apigw_analytics_sp_post_install.bat
  Linux: apigw_analytics_sp_post_install.sh
  Note: On Linux, run the script using the bash command.
Note
- Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
- You must also install a service pack for your existing 7.5.3 Core Server.
Install the Policy Studio service pack
To install the service pack on your existing Policy Studio installation, perform the following steps:
- Shut down Policy Studio.
- Back up your existing INSTALL_DIR/policystudio directory.
- Unzip and extract API Gateway 7.5.3 SP 1 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
Note: The first time you start Policy Studio, you must use policystudio -clean.
Install the Configuration Studio service pack
To install the service pack on your existing Configuration Studio installation, perform the following steps:
- Shut down Configuration Studio.
- Back up your existing INSTALL_DIR/configurationstudio directory.
- Unzip and extract API Gateway 7.5.3 SP 1 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
After installation
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway Core Server service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
- Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
  <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
- Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
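The two steps above can be checked after installation; the following added example (not part of the Axway readme or product tooling) confirms that jvm.xml sets java.library.path and that vshell holds exactly the expected file capability. The jvm.xml entry matters because a binary with file capabilities runs in secure-execution mode, where the dynamic linker ignores LD_LIBRARY_PATH. The function names are hypothetical, and the script assumes getcap from the libcap tools is installed.

```shell
#!/bin/sh
# Added example (not Axway tooling): verify the "After installation" steps.
# Function names are hypothetical; paths follow the readme.

# jvm_xml_has_library_path FILE
# Succeeds if FILE contains a VMArg element that sets -Djava.library.path.
jvm_xml_has_library_path() {
    grep -Eq '<VMArg[[:space:]]+name="-Djava\.library\.path=[^"]+"' "$1"
}

# vshell_caps_ok CAPTEXT [EXPECTED]
# CAPTEXT is getcap output with the file path removed. Both styles work:
#   " = cap_net_bind_service+ep"   (older libcap)
#   " cap_net_bind_service=ep"     (newer libcap)
# EXPECTED is a space-separated capability list; the default is the single
# capability the readme grants on Linux. Succeeds only if the set matches
# exactly and the flags are effective+permitted (ep).
vshell_caps_ok() {
    have=$(printf '%s\n' "$1" | grep -Eo 'cap_[a-z_]+' | sort -u)
    # $2 is left unquoted on purpose so the list splits into words.
    want=$(printf '%s\n' ${2:-cap_net_bind_service} | sort -u)
    [ "$have" = "$want" ] && printf '%s\n' "$1" | grep -Eq '[+=]ep$'
}

# check_install INSTALL_DIR [EXPECTED]
# Runs both checks on a real installation. Requires getcap (libcap tools).
check_install() {
    rc=0
    jvm_xml=$1/system/conf/jvm.xml
    vshell=$1/platform/bin/vshell
    if ! jvm_xml_has_library_path "$jvm_xml"; then
        echo "FAIL: no java.library.path VMArg in $jvm_xml"
        rc=1
    fi
    out=$(getcap "$vshell" 2>/dev/null)
    if ! vshell_caps_ok "${out#"$vshell"}" "$2"; then
        echo "FAIL: vshell capabilities are '${out:-none}'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: jvm.xml and vshell capabilities match the readme"
    fi
    return "$rc"
}
```

Call check_install with the installation directory; on the API Gateway Appliance, where the readme also grants cap_sys_rawio, use check_install /opt/gateway 'cap_net_bind_service cap_sys_rawio'.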
Documentation
Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at http://docs.axway.com:
- Axway Supported Platforms
- Axway Interoperability Matrix
Support services
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2017 Axway. All rights reserved.