Axway API Gateway and API Manager 7.5.3 SP 6 Readme
Document version: 27 March 2018
Readme for 7.5.3 SP 6
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 6, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
- API Gateway Core Server
- API Manager
- API Gateway Analytics
- Policy Studio
- Configuration Studio
The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP6_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Fixed issues
Fixed security vulnerabilities
Key | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-12105 | 00943446, 00952564 | CVE-2017-3737, CVE-2017-3738 | Issue: OpenSSL Security Advisory [07 Dec 2017] - CVE-2017-3737/CVE-2017-3738. Resolution: Previously, API Gateway was vulnerable to CVE-2017-3737 and CVE-2017-3738. Now, API Gateway is packaged with OpenSSL 1.0.2n. |
RDAPI-12194 | 00917113 | CWE-256 | Issue: API collections exported from API Manager contain plaintext credentials. |
RDAPI-12513 | | CVE-2017-5645 | Issue: [CWE-937] Log4j 2.8.1 has known vulnerabilities. Resolution: Previously, API Gateway included Apache Log4j version 2.8.1, which has known vulnerabilities. Now, API Gateway is upgraded to Log4j version 2.8.2. |
Other fixed issues
Key | Case ID | Description |
---|---|---|
RDAPI-10909 | 00912805, 00911974 | Issue: Sorting and filtering issues in API Manager. Now, you can: |
RDAPI-11131 | 00908268 | Issue: API Manager application image disappears after edit. Resolution: Previously, after creating an application and adding an image, the image disappeared when you edited the application. Now, the image no longer disappears when you edit the application. |
RDAPI-11703 | 00895802 | Issue: API Manager misbehavior when receiving a wrongly-encoded request. Resolution: Previously, in API Manager, when JSON validation failed, the HTTP response status did not return a 400 Bad Request error. Now, when JSON validation fails, the HTTP response status returns a 400 Bad Request error. |
RDAPI-11905 | 00934697 | Issue: Back-end API description display issue in API Manager. Resolution: Previously, in the API Catalog, a method description that contained some special characters was not displayed correctly. Now, such a method description displays the special characters correctly. |
RDAPI-11916 | 00926083 | Issue: WebSockets: no trace log for server-to-client communication. Resolution: Previously, there was no trace log for WebSocket server-to-client communication in API Gateway Manager. Now, there is a trace log for this WebSocket communication. |
RDAPI-12024 | 00924527 | Issue: MalformedURL log improvement. Resolution: Previously, for an API Manager front-end API, if the Outbound authentication profile was set to SSL and the certificate was malformed or corrupted, a java.net.MalformedURLException was displayed in the API Gateway trace, but the corresponding API Manager front-end API was not listed. Now, in the same situation, an exception is displayed in the API Gateway trace, and the corresponding API Manager front-end API name, organization name, and version are listed. |
RDAPI-12077 | 00940071 | Issue: Custom routing policy does not use front-end API settings. Resolution: Previously, in API Manager, API outbound custom routing policies had to use a custom script to access authentication profiles to configure a Connection filter. Now, authentication profile configurations are enabled for the Connection filter in API outbound custom routing policies. |
RDAPI-12139 | 00939103, 00948780, 00942725 | Issue: Wrong encoding of SOAP endpoint URI when it contains query parameters. |
RDAPI-12154 | 00930133 | Issue: Assertion in SubjectConfirmationData breaks SAML bearer generation. Resolution: Previously, when extracting attributes from a SAML assertion, attributes could be mistakenly read from a second assertion nested underneath the first. Now, attributes are always read from the correct SAML assertion. |
RDAPI-12158 | 00942279 | Issue: Wildcard password for database connection does not work with some selectors. Resolution: Previously, some selectors did not work when used in the username and password fields in the Configure Database Connection dialog in Policy Studio. Now, you can use any valid selector. |
RDAPI-12191 | 00925300 | Issue: API Gateway Manager not displaying KPS entries correctly. Resolution: Previously, in API Gateway Manager, when a KPS table had very large column names, not all KPS entries were displayed. Now, the KPS display column size is set to ensure that all names are visible, and if the entire table cannot be displayed in the current window, a horizontal scrollbar is added. |
RDAPI-12193 | 00945351 | Issue: XACML PEP filter generates duplicate SOAPAction and Content-Type headers. Resolution: Previously, the XACML PEP filter inserted duplicate SOAPAction and Content-Type headers in each XACML request. Now, only one header of each type is added. |
RDAPI-12204 | 00946452 | Issue: The first message to be processed by Data Map takes 30-40 seconds. Resolution: Previously, initializing the Data Map resolved URLs, which slowed down Data Map initialization. Now, the URL resolving is removed and the Data Map initializes much more quickly. |
RDAPI-12219 | 00946105 | Issue: Some audit log entries do not contain the username. Resolution: Previously, some user actions were written to the audit log with the user shown as N/A. Now, user actions are displayed in the audit log with the username that performed the action. |
RDAPI-12252 | 00915537 | Issue: Real-time monitoring keeps only the last 50 events. Resolution: Previously, the default number of events kept in memory was hard-coded to 50. Now, the default number of messages has been increased to 100, and you can change this size using the environment settings property env.METRICS.EVENTS.MAX. |
RDAPI-12254 | 00948369 | Issue: Cannot use email for login with API Manager and external identity provider. Resolution: Previously, in API Manager, the input validation policy did not allow email addresses for usernames. Now, the input validation policy allows email addresses for usernames. |
RDAPI-12271 | 00942441 | Issue: API Management v7.5.3 support for CentOS default Python 2.7.5. Resolution: Previously, the product documentation incorrectly stated that Python version 2.7.10 was required for Apache Cassandra. Now, the API Gateway Installation Guide has been updated to state that version 2.7.x is required (up to 2.7.10 for Cassandra 2.2.5, and up to the latest 2.7 for Cassandra 2.2.8). |
RDAPI-12315 | 00941806, 00942881 | Issue: init.d scripts may not reliably start API Gateways under load. Resolution: Previously, the init.d scripts exited without verifying that the API Gateway process was stopped and the ports it used were free. Now, the scripts wait until the process is killed and the ports are free. |
RDAPI-12319 | 00948674 | Issue: Outbound back-end service URL encoding issue after applying SP 5. Resolution: Previously, after applying SP 5, the Outbound back-end service URL was not displayed correctly in API Manager. Now, the Outbound back-end service URL displays correctly. |
RDAPI-12321 | 00950002 | Issue: APIMANAGERSTATIC cookie without APIMANAGERSESSION cookie causes loop on login page. Resolution: Previously, if an API Manager session cookie was deleted, API Manager would continuously loop on the login page. Now, if the session cookie is deleted, the server ensures that associated cookies are also deleted, and you can then log in successfully. |
RDAPI-12330 | 00950159 | Issue: Updating KPS records containing encrypted strings longer than 56 characters. Resolution: Previously, updating a non-secure field in a KPS row in API Gateway Manager sent a garbled update for secure properties (> 56 characters) in that row. Now, this bad update no longer occurs. |
RDAPI-12334 | 00948214, 00949201, 00930447 | Issue: Upgrade to ModSecurity 2.9.x. |
RDAPI-12356 | 00949082 | Issue: Inaccessible complex ${} syntax for message attribute for transaction event log. Resolution: Previously, you could not use general API Gateway selectors when specifying custom attributes to include in the transaction event log. Now, you can use any selector value. |
RDAPI-12376 | 00948561 | Issue: Memory leak in API Gateway native code when running a load test. Resolution: Previously, calling the com.vordel.security.openssl.PublicKey.getEncoded method caused a memory leak because a temporary buffer was not released. Now, the temporary buffer is released, and there is no memory leak. |
RDAPI-12434 | 00889541 | Issue: HTTP responses containing intermediary HTTP 100 Continue responses not displayed correctly in Traffic Monitor log. Resolution: Previously, if a received response contained HTTP 100 Continue, you did not see any response headers in the Response column in Traffic Monitor. Now, API Gateway Manager skips all HTTP 100 Continue responses, and you can see the final response headers in Traffic Monitor. |
RDAPI-12458 | 00949291 | Issue: Content body not available in global fault handler for SOAP call in case of bad request. Resolution: Previously, API Manager did not reflect the request body in 404 HTTP responses, and the content.body attribute was removed from the message whiteboard before invoking the API Gateway global fault handler. Now, API Manager propagates the content.body attribute to fault handlers. |
RDAPI-12511 | 00945697 | Issue: Allow removal of For example: |
RDAPI-12521 | | Issue: Diagnostics for the API Gateway |
RDAPI-12533 | 00956406 | Issue: API Manager Outbound Pass Through authentication not working. |
Known issues
This service pack has the following known issues, which are planned for a future release:
- RDAPI-9478: Path matching on listeners works incorrectly when the paths found are the same.
- RDAPI-11229: API Manager missing fields in API list on Application page.
- RDAPI-11606: [CWE-548] OAuth services (port `8089`) `/` path redirects to API Manager and allows directory listing.
- RDAPI-11936: After registering a WSDL in one API Manager (in a cluster of three), unable to download from the others until restart or deploy.
- RDAPI-12034: Missing generic error exception message not provisioned.
- RDAPI-12141: Failure to import API results in `400 Inconsistent data format`.
- RDAPI-12142: Wrong status and message if the invoked policy contains Connect to URL and the connection to the API back-end fails.
- RDAPI-12187: FTP File download filter stuck until active timeout (30 sec) when a non-existing file is set and the default directory is set to `/` or blank.
- RDAPI-12455: Java exception when deploying a configuration containing a Directory Scanner with a selector expression for Input Directory.
- RDAPI-12536: `Bad parameters in Message Size filter` error.
- RDAPI-12709: Crash in API Gateway when viewing a response in HTTP transaction at `VM_GC_Operation::notify_gc_begin(bool)`.
Reverted issues
The following issue has been reverted from SP 5:
- RDAPI-11672: Reflection of Untrusted Data in API Manager. Additional investigation found that the risk presented by this issue is very low, and that exploiting it is infeasible in a real-world scenario. This issue will be fixed in a future release.
Install the service pack
Note: If you are using API Manager, before you can install this service pack, you must have run the `setup-apimanager` script on your installation.
Prerequisites
This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:
- Shut down any Node Manager or API Gateway instances on your existing installation.
- Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
- Remove any old third-party libraries. To do this, delete the `INSTALL_DIR/system/lib/modules` directory.
- If you have an existing Apache Cassandra installation, ensure `JAVA_HOME` is set correctly in `cassandra.in.sh` and `cassandra.in.bat` so that the Cassandra tools launch successfully.
FIPS mode only
If FIPS mode is enabled, you must perform the following steps to install the service pack:
- Run `togglefips --disable` to turn FIPS mode off.
- Start the Node Manager to move the JARs.
- Stop the Node Manager.
- Install the API Gateway service pack.
- Start the Node Manager.
- Stop the Node Manager.
- Run `togglefips --enable` to turn FIPS on again.
- Start the Node Manager.
Installation
This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Note:
- To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
- To upgrade from an earlier version to v7.5.3, see the API Gateway Upgrade Guide.
Install the API Gateway Core Server service pack
Note: If you have API Manager installed, installing the API Gateway Core Server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:
- Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide. Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is co-located with API Gateway, you must also stop Cassandra and close the Cassandra console. Any open file locks may prevent `apigw_sp_post_install.bat` from completing successfully.
- Remove any previous patches from your `INSTALL_DIR/ext/lib` directory (or the `ext/lib` directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Unzip and extract API Gateway 7.5.3 SP 6 Core over the `apigateway` directory in your existing installation directory. For example: `tar -xzvf APIGateway_7.5.3_SP6_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/`
- Change to the `apigateway` directory in your installation. Windows: `INSTALL_DIR\apigateway`; Linux: `INSTALL_DIR/apigateway`
- Run the following script. Windows: `apigw_sp_post_install.bat`; Linux: `apigw_sp_post_install.sh`. Note: On Linux, run the script using the `bash` command.
API Gateway Appliance only
Perform the following additional steps as the `root` user on the appliance before starting the Node Manager or API Gateway:
- Run the following command:
```
# [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
```
- Run the following commands:
```
# chown -R admin:admin /opt/gateway/
# grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
# setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
# ldconfig
```
Note:
- If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
- Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the `ls -l INSTALL_DIR/apigateway/posix/bin` command to view the owner of the binaries.
- If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
- If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Install the API Gateway Analytics service pack
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
- Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
- Remove any previous patches from your `INSTALL_DIR/ext/lib` directory (or the `ext/lib` directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Unzip and extract API Gateway 7.5.3 SP 6 Analytics over the `analytics` directory within your existing API Gateway 7.5.3 installation directory. For example: `tar -xzvf APIGateway_7.5.3_SP6_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/`
- Change to the `analytics` directory in your installation. Windows: `INSTALL_DIR\analytics`; Linux: `INSTALL_DIR/analytics`
- Run the post-install script for API Gateway Analytics. Windows: `apigw_analytics_sp_post_install.bat`; Linux: `apigw_analytics_sp_post_install.sh`. Note: On Linux, run the script using the `bash` command.
Note:
- Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the `ls -l INSTALL_DIR/analytics/posix/bin` command to view the owner of the binaries.
- You must also install a service pack for your existing 7.5.3 Core Server.
Install the Policy Studio service pack
To install the service pack on your existing Policy Studio installation, perform the following steps:
- Shut down Policy Studio.
- Back up your existing `INSTALL_DIR/policystudio` directory.
- Unzip and extract API Gateway 7.5.3 SP 6 Policy Studio over the `policystudio` directory within your existing API Gateway 7.5.3 installation directory. For example: `tar -xzvf APIGateway_7.5.3_SP6_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/`
Note: The first time you start Policy Studio, you must use `policystudio -clean`.
Install the Configuration Studio service pack
To install the service pack on your existing Configuration Studio installation, perform the following steps:
- Shut down Configuration Studio.
- Back up your existing `INSTALL_DIR/configurationstudio` directory.
- Unzip and extract API Gateway 7.5.3 SP 6 Configuration Studio over the `configurationstudio` directory within your existing API Gateway 7.5.3 installation directory. For example: `tar -xzvf APIGateway_7.5.3_SP6_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/`
Note: The first time you start Configuration Studio, you must use `configurationstudio -clean`.
After installation
API Gateway
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway Core Server service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
- Add the following line to the `INSTALL_DIR/system/conf/jvm.xml` file:
```
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
```
- Run the command `setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell` to allow the API Gateway to listen on privileged ports.
- Create a file `/etc/ld.so.conf.d/gateway-libs.conf` that contains the following lines:
```
INSTALL_DIR/platform/jre/lib/amd64/server
INSTALL_DIR/platform/jre/lib/amd64
INSTALL_DIR/platform/lib/engines
INSTALL_DIR/platform/lib
INSTALL_DIR/ext/lib
```
- Run the following command to reload the library cache file: `ldconfig`
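As an added example (not an Axway script), the following POSIX shell functions apply the jvm.xml and ld.so.conf.d steps above idempotently, so that re-running them on an installation that is already configured does not add a second VMArg or stale library paths; the temp-file naming and the sample INSTALL_DIR are assumptions, and the setcap and ldconfig steps still have to be run as root.

```shell
#!/bin/sh
# Added example, not part of the Axway readme: idempotent helpers for the
# "unprivileged user" post-install steps. Only the two file edits are
# automated; setcap and ldconfig need root and are left to the operator.

# The VMArg line from the steps above. $VDISTDIR and $DISTRIBUTION are
# expanded by the gateway at runtime, not by this script, so keep them literal.
GATEWAY_VMARG='<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>'

# add_java_library_path JVM_XML
# Inserts GATEWAY_VMARG directly after the <JVMSettings line unless a
# java.library.path setting is already present (same guard as the appliance
# grep || sed command above, but with awk and a temp file instead of sed -i,
# which is not portable). Returns 0 if the file ends up with exactly one.
add_java_library_path() {
    jvm_xml=$1
    if ! grep -q 'java.library.path' "$jvm_xml"; then
        tmp="$jvm_xml.tmp.$$"   # assumed temp-file naming
        awk -v line="$GATEWAY_VMARG" '
            { print }
            /<JVMSettings/ && !done { print "    " line; done = 1 }
        ' "$jvm_xml" > "$tmp" && mv "$tmp" "$jvm_xml"
    fi
    [ "$(grep -c 'java.library.path' "$jvm_xml")" -eq 1 ]
}

# write_ld_conf INSTALL_DIR CONF_FILE
# Writes the ld.so.conf.d fragment from the steps above for INSTALL_DIR,
# overwriting any previous copy so the file always holds exactly these paths.
# Returns 0 if the file has the expected five lines.
write_ld_conf() {
    install_dir=$1
    conf=$2
    {
        echo "$install_dir/platform/jre/lib/amd64/server"
        echo "$install_dir/platform/jre/lib/amd64"
        echo "$install_dir/platform/lib/engines"
        echo "$install_dir/platform/lib"
        echo "$install_dir/ext/lib"
    } > "$conf"
    [ "$(grep -c '' "$conf")" -eq 5 ]
}

# Usage (assumed install path): sh apigw_unpriv_setup.sh /opt/Axway-7.5.3/apigateway
if [ -n "$1" ]; then
    add_java_library_path "$1/system/conf/jvm.xml"
    write_ld_conf "$1" /etc/ld.so.conf.d/gateway-libs.conf
    echo "Now run as root: setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' $1/platform/bin/vshell && ldconfig"
fi
```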
API Manager
Note: When API Manager is installed, you must also run the `update_apimanager` script after the API Gateway post-install script to ensure that all paths are up to date.
Documentation
Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at http://docs.axway.com:
- Axway Supported Platforms
- Axway Interoperability Matrix
Support services
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2018 Axway. All rights reserved.