Axway API Gateway and API Manager 7.7 SP 1 Readme

Document version: 29 August 2019


Readme for 7.7 SP 1

This Readme applies to Axway API Gateway and API Manager 7.7 SP 1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for these products.

This service pack provides fixes for a number of reported defects. It includes updates for the following:

The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for supported platforms (for example, APIGateway_7.7_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Feature notes

General

API Manager

Policy Studio/Configuration Studio

Security

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-15686 01039208 Issue: A security vulnerability was present because the filename parameter was not checked when downloading the original API file.
Resolution: The filename parameter is now checked and the vulnerability is no longer present.
RDAPI-15753 01025418, 00989754, 00989774 Issue: There is no CSRF token protection for API Gateway Manager calls.
Resolution: Add CSRF token protection for API Gateway Management APIs.
RDAPI-15817 01038716 Issue: A malicious user can overwrite the OAuth scopes by passing extra scopes as a form parameter.
Resolution: If the application finds that a scope is present as a form parameter, the request is rejected as invalid.
RDAPI-15901 01028530 Issue: API Manager reveals the existence of a user's email address through the response of the Users API /forgotpassword method.
Resolution: The API Manager Users API /forgotpassword method response no longer shows the distinction between valid and invalid emails.
RDAPI-16090 01053630 Issue: Missing user name validations when changing current user name
Resolution: Validations for user name added.
RDAPI-16111 01054493 Issue: jQuery version 3.3.1 introduced a security vulnerability; an upgrade to 3.4.0 is needed.
Resolution: The jQuery version is now 3.4.0.
RDAPI-16132 01054123 Issue: The Java version shipped with API Gateway contained security vulnerabilities.
Resolution: The API Gateway Java version has been upgraded to Open JDK 1.8.0_212.
RDAPI-16439 01056395 Issue: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, an OAuth client_id different than the one represented by the JWT token can be passed as a body parameter and injected in the Access Token.
Resolution: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, the Gateway only uses the OAuth client_id from the JWT token and disregards any value passed as a body parameter.
RDAPI-16685 01043569, 01043657 Issue: API Manager OAuth implementation allows different client ids in header and body with the possibility of the wrong one being used.
Resolution: Client id is taken from body or header depending on policy configuration. Additional client ids are ignored.
RDAPI-16764 01047281, 01048422 Issue: Security headers are missing from responses.
Resolution: Missing security headers have been added.

Note: Existing configurations of API Manager should be updated with the update-apimanager script in order to use this feature. A new setup of API Manager should have the feature by default.

Other fixed issues

Internal ID Case ID Description
RDAPI-14654 01012757 Issue: User name checks are too strict for some customers.
Resolution: User name regular expression is configurable in Settings of API Manager UI.
RDAPI-15063 01023688 Issue: When a global fault handler is defined in API Manager, if a request comes in on an existing path/method but with a verb that is not handled, the Global Fault Handler does not receive the http.response.info or http.response.status attribute.
Resolution: When a global fault handler is defined in API Manager, the response status is always accessible from the fault handler.
RDAPI-15147 00977858 Issue: Unable to set API Manager user name from identity provider attribute.
Resolution: A new mapping option was added to the API Manager SSO <RenameMapping source="idpNameValue" target="userfullname"/> where "idpNameValue" is the Identity provider attribute mapping.
RDAPI-15186 01020707 Issue: When a Multipart Content Type is used in the Email Alert filter, the policy completes but the email is not sent and an exception is written in the Trace logs.
Resolution: Selecting any Multipart Content Type in the Email Alert filter now sends the email successfully and no exception is written to the Trace logs.
RDAPI-15306 01064166, 01064439 Issue: Content-Type validation does not permit WSDL requests with attachments of Content-Types other than the standard SOAP message request body.
Resolution: Content-Type validation now permits WSDL requests with attachments of varying Content-Types.
RDAPI-15548 01033180 Issue: UTF-8 characters printed in product trace log are not displayed correctly in API Gateway Manager UI.
Resolution: Characters are now correctly encoded by Traffic Monitor REST API.
RDAPI-15553 00975056 Issue: Metrics monitoring can show negative values for response time
Resolution: Invalid calculation for some HTTP requests has been corrected.
RDAPI-15561 00973391, 00987292, 00992534, 01032122 Issue: When enabling CORS handling on a REST API configured in Policy Studio, OPTIONS requests always returned every method. In addition, OPTIONS requests invoked the policy and returned a body when a CORS profile was configured on the Service.
Resolution: CORS handling is now performed at the REST API method level, so only allowed methods are returned in the header. It also now makes sure that the correct profile is accessed when performing preflight requests, to prevent calling the policy and returning a body.
RDAPI-15567 01028025 Issue: In Import Project in Policy Studio, if a project is selected before browsing, the file browser window opens on a list of most recent projects instead of the location of the specified project.
Resolution: When a project is chosen, Browser Window opens on the location of that project, otherwise it will open in root project location i.e. apiprojects.
RDAPI-15627 01024906 Issue: API Manager does not allow special characters . and ~ in name of parameter, although these are allowed by swagger definition.
Resolution: API Manager now allows . and ~ as parameter name.
RDAPI-15630 01012722 Issue: PGP Decrypt and Verify filter does not verify messages signed using a sign-only key.
Resolution: Added JVM SecurityProperty to configure PGP to allow verification of messages using sign-only keys:
<ConfigurationFragment>
<SecurityProperty name="com.axway.apigateway.security.pgpsignkeyalgorithmids" value="RSA_GENERAL,RSA_SIGN,DSA,ECDSA,EDDSA" />
</ConfigurationFragment>
Default PGP algorithms: RSA_GENERAL,RSA_ENCRYPT,ELGAMAL_ENCRYPT,ELGAMAL_GENERAL,ECDH
RDAPI-15656 00949172, 00951645 Issue: In the API Manager exported Swagger 2.0 file the security field scopes were incorrectly formatted for scope must match Any.
Resolution: Now, in the API Manager exported Swagger 2.0 file the security field scopes are correctly formatted for scope must match Any.
RDAPI-15673 01012098 Issue: setup-cassandra script changes the default value of start_rpc property in cassandra.yaml file to true. This is no longer needed.
Resolution: setup-cassandra script respects the current value of start_rpc property in cassandra.yaml file.
RDAPI-15679 00970706 Issue: Query parameter "from" in Monitoring Metrics Summary REST call does not change result.
Resolution: The query parameter, that did not have any effect on the call has been removed from the API.
RDAPI-15745 01038330 Issue: OAuth2 applications could not be configured to use API Gateway selectors to set client credentials.
Resolution: Selectors are now accepted and processed by OAuth2 applications.
RDAPI-15789 01023059 Issue: Checks on an Application that all the APIs are accessible for the assigned Organization are triggered during Organization refresh and cause an unexpected "Inconsistent API" dialog.
Resolution: The UI is fixed so that it does not trigger the checks on the Application during Organization refresh, and as a result the unwanted "Inconsistent API" dialog is not shown.
RDAPI-15814 01021192 Issue: A retired API can be added to an organization through the Organization view. Also, "retired" and "deprecated" APIs are shown as "published" in the Organization view.
Resolution: Correctly show "retired" and "deprecated" APIs in Organization view and disable adding of "retired" API to Organization.
RDAPI-15837 01031369 Issue: When an API Project is upgraded a CassandraSettings entity is created. This entity should not be created for an API Project.
Resolution: Now when an API Project is upgraded, a CassandraSettings entity is not created.
RDAPI-15849 01021932, 01022277 Issue: Jersey GlassFish library consumed semicolons as MatrixParam instead of a regular delimiter.
Resolution: Semicolon is no longer treated as the beginning of a matrix parameter, and it is processed as a reserved character.
RDAPI-15870 01032245 Issue: Redeployment from Policy Studio causes the SSO login to fail as object maps are not correctly cleared.
Resolution: The SSO-enabled API Gateway with API Manager configured now clears the object maps correctly on redeployment.
RDAPI-15874 01037992 Issue: Some columns are hidden in the table on the API Catalog page when the values of name and url are too long.
Resolution: Columns are now always visible, because there is a size limit for name and url, and a scroll bar appears when the values in the table are large.
RDAPI-15887 01012616 Issue: When a report is generated in API Gateway Analytics, the values inside the report differ when the file type changes from PDF to CSV.
Resolution: Generated PDF and CSV reports in API Gateway Analytics now have the same values when reports have the same date range.
RDAPI-15897 01032374 Issue: API Methods' monitoring could display an empty timeline (whatever the selected period)
Resolution: The metrics' REST API has been corrected.
RDAPI-15971 01008197 Issue: Getting the scope by calling a policy does not trigger the assigned policy.
Resolution: The policy is now properly triggered and the scope is retrieved.
RDAPI-15988 01043924 Issue: OAuth Authorization Code Flow Filter throws an exception when an invalid value of the "prompt" parameter is passed resulting in potentially harmful information being written to the logs.
Resolution: OAuth Authorization Code Flow Filter now validates the prompt parameter prior to any authorization logic and gracefully fails without revealing any information about the technology used.
RDAPI-16042 01039041, 00947773, 01043979, 00999332, 01027257 Issue: A default switch value was not implemented for custom properties, so if the switch was not interacted with then the field and corresponding value was not sent to the server on save.
Resolution: A default switch value is now set.
RDAPI-16051 00965063 Issue: API Gateway does not forward all headers for HTTP HEAD request.
Resolution: HEAD requests are now managed the same way as GET or POST requests.

Note: When relaying a HEAD response that does not contain a content length, the product replaces the 200 response code with 204. This behavior can be disabled by setting the system property "-Dcom.vordel.dwe.auto204response=false" in the product configuration.
RDAPI-16054 01051981 Issue: API Manager calls appear on monitoring dashboard of API Gateway.
Resolution: API Manager calls are not monitored by API Gateway and do not appear on dashboard.
RDAPI-16102 01043037, 01042746 Issue: OAuth Refresh flow only returns JSON output. "format" header is ignored.
Resolution: "format" header is now honoured. Other outputs such as XML are returned.
RDAPI-16105 01036400 Issue: API Gateway does not set Cassandra's cluster port property.
Resolution: API Gateway will now set the Cassandra cluster port correctly, rather than always using the default.
RDAPI-16116 01054182 Issue: No way to run update-apimanager when a group was protected by a passphrase
Resolution: Updated update-apimanager so that a group passphrase can be passed in using --passphrase.
RDAPI-16151 01053244, 01053278, 01048495 Issue: Amendments to trailing slash behaviour for REST APIs in API Manager runtime caused path matching to fail for WSDL APIs due to an additional trailing slash.
Resolution: API Manager WSDL API path processing is corrected for SOAP requests sent to back-end server as defined in the corresponding WSDL binding port.
RDAPI-16158 01038361, 01047751 Issue: Remote Host Load Balancer algorithm excludes previously failed address for non-configurable duration of one minute. This may lead to condition when all connection attempts to the listed Load Balancer addresses will fail.
Resolution: The exclusion time period for failed addresses listed in Load Balancer can now be configured to reduce the risk of all connections failing. The system environment variable AXWAY_LB_ALG_ADDR_DOWNTIME should be set to the desired downtime in milliseconds; the default is 60000.
RDAPI-16181 01053832 Issue: Selector security scanning was running against non selectors for the outbound parameter value field.
Resolution: Non selectors are no longer scanned, because they are encoded on the outbound request anyway. Selectors are validated correctly, ensuring that they are valid selectors and will not encounter exceptions during an outbound request.
RDAPI-16208 01053421, 01045179, 01047139 Issue: API Gateway fails to handle correctly required Form Parameters on a back-end API when sent in a multi part request or if an additional attribute is present in the Content-Type header (for example "application/x-www-form-urlencoded; charset=UTF-8")
Resolution: API Gateway now handles required parameters when sent in a multi part request and accepts additional attributes in Content Types.
RDAPI-16284 01025370, 01007245 Issue: In API Manager when configured Traffic Monitor Subject can be set for use in Metrics, a prefix of "Pass Through" is required for this type of client traffic data to be seen in API Manager Monitoring.
Resolution: Now all client traffic data is shown in API Manager Monitoring as relevant to the filter selected and user permissions.
RDAPI-16319 01051869, 01050675 Issue: In API Gateway, XML message content redaction causes the instance to crash when the message contains Multi-Byte encoded characters and requires a restart.
Resolution: API Gateway now correctly handles XML message content redaction with Multi-Byte encoded characters.
RDAPI-16331 01056234 Issue: HTTP Basic Filter accepts only "Basic" as the scheme name.
Resolution: HTTP Basic and HTTP Digest filters process the Basic Authentication scheme case-insensitively as per RFC 7617.
RDAPI-16474 01075780, 01078365, 01064036 Issue: API Manager is validating the encoding attribute as well as the MIME Type.
Resolution: Swagger import validation in API Manager validates only the base MIME type.
RDAPI-16478 01041751, 01062343, 01062472, 01071286, 01026467 Issue: When API Manager has many applications, the deployment and startup are too slow. API management requests can interfere with 8065 traffic.
Resolution: API Manager no longer interferes with the deployment of API Gateway configurations when processing large amounts of application data. The API requests to API Manager traffic port 8065 now respond with the HTTP status '401 Unauthorized' when the API Client Cache is updating, instead of timing out. Caching is also non-blocking and more performant now.
RDAPI-16491 01063687, 01063723 Issue: Frontend API creation fails when using https and unavailable host
Resolution: Frontend API creation does not fail when backend host is not available
RDAPI-16494 01063817 Issue: In API Manager, sending requests with invalid Content-Type headers to a Virtual API results in an error with HTTP status code 403 which doesn't represent the error correctly.
Resolution: In API Manager, sending requests with invalid Content-Type headers to a Virtual API now results in an error response with the HTTP status code 415 and status message "Unsupported Media Type".
RDAPI-16516 01052320 Issue: Some "SSL shutdown" errors can be triggered when reading or writing data to or from network.
Resolution: An SSL error status, that could remain in memory from a previous un-finished SSL handshake, is now cleared. Additional OpenSSL debug traces are now logged when the variable "V_SSL_SESS_DEBUG" is in use.
RDAPI-16529 01064214 Issue: Sorting mechanism was not implemented for a number of columns in the API Backend, Frontend and Catalog tables in API Manager UI.
Resolution: Sorting mechanism implemented for all columns in the mentioned tables.
RDAPI-16586 01063577 Issue: Exclamation mark (!) is being treated as an invalid character when importing an API from a URL.
Resolution: Validation of the URL now accepts characters specified in RFC3986.
RDAPI-16637 01065847 Issue: API Manager import was removing parts of the Method Path which matched the API Resource Path.
Resolution: API Manager no longer incorrectly removes parts of the Method Path when importing.
RDAPI-16650 01051063 Issue: In API Gateway 7.5.3 and later, the SMIME Sign filter uses 'sha256' digest algorithm by default, but it incorrectly generates SMIME Content-Type header with micalg="sha1" attribute.
Resolution: You can change the default SMIME digest algorithm with the Java system property 'com.axway.apigw.smime.sign.md' in the jvm.xml file, or via the policy message attribute, for example, 'com.axway.apigw.smime.sign.md=sha1'. The policy message attribute supersedes the Java system property.
The following digest algorithms are supported: sha1, sha224, sha256, sha384, and sha512. The corresponding SMIME Content-Type header 'micalg' attribute is set accordingly.
RDAPI-16655 01065718, 01042409 Issue: In API Manager, setting a custom subject inside the E-mail templates has no effect and E-mails are sent with their default subject.
Resolution: In API Manager, E-mails are now sent with custom subject if set in the templates, default subjects are used otherwise.
RDAPI-16780 01052320 Issue: OpenSSL 'SSL_shutdown:shutdown while in init' error is reported for reused connection with previously failed handshake.
Resolution: Errors for the previous SSL handshake failure are now cleared.
RDAPI-16795 01078661, 01071817 Issue: API Gateway ehcache filters fail to store unserializable class to disk.
Resolution: The com.vordel.circuit.cert.ocsp.CacheObject class is now serializable.
RDAPI-16901 01072496 Issue: Trailing slash is incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.
Resolution: Trailing slash is no longer incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.
RDAPI-17037 01075614 Issue: Projpack was failing to create a project if the run command contains --passfile and a string containing '-f'
Resolution: The script has been updated to properly handle the occurrence of '-f' in a string.
RDAPI-17081 01036528 Issue: This Metrics tooltip from API Catalog sends a request to the server when created, this takes time so the code to hide the tooltip can complete before the server responds.
Resolution: This tooltip now sends a request to the server once when the page loads, and saves the response, so there is no longer a race condition.
RDAPI-17245 01073729, 01075893 Issue: In API Manager, accessing a nonexistent URL on a configured API results in an HTTP status code "403 No match found for the request" which can cause confusion.
Resolution: In API Manager, the behavior of an unsuccessful match of an API can be configured to use 404 by adding the "com.axway.apimanager.use404AuthSuccessNoMatch=true" system property to the file jvm.xml in the directory conf/ of the API Manager instance.

Known issues

The following known issues are currently scheduled for the next service pack:

Internal ID Description
RDAPI-13653 API Portal incorrect Content-Type for SOAP + empty model schema
RDAPI-14226 Stored XSS in the application's OAuth Redirect URL. Encode OAuth Redirect URLs on output
RDAPI-14901 Swagger allOf limitation not documented
RDAPI-15116 API Manager remote hosts not synchronized between instances
RDAPI-15298 Update trailing slash support in Jython scripts samples
RDAPI-15607 Can't access NodeManager after submitting external CA signed certs
RDAPI-15676 API Manager: load Error "Map XXXX should be YYYY" after importing APIs
RDAPI-15759 Request headers reflected as response headers
RDAPI-15780 Swagger Generation Tool - Duplicate paths are not reported
RDAPI-16048 Error while importing api-gateway-swagger.json into API Manager
RDAPI-16329 Maven 'clean' on install/pom.xml does not cleanup install/system/lib
RDAPI-16528 Chrome needs double click to collapse filter path in traffic monitor view
RDAPI-16544 HTTPRedactor causes significant processing delay when there is a large message payload and the content-type is either application/xml or text/xml
RDAPI-16575 Duplicate headers returned when calling API Gateway Rest API
RDAPI-16790 KPS Admin Clear should not fail upon throwing a ObjectNotFound exception
RDAPI-16954 API Manager event poller unnecessarily locks cache updates from Cassandra
RDAPI-17010 API Manager swagger does not show Pass Through security device.
RDAPI-17023 Multiple Authorization header forwarded to the backend
RDAPI-17026 modsecurity - "403 operation blocked" not possible to change this status in response
RDAPI-17032 Core file generated while stress testing websockets #1 "Thread::join()" (core.vshell.23985)
RDAPI-17034 API Manager stripping mime sub part headers, incorrect processing of multipart types
RDAPI-17040 Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut
RDAPI-17047 Core file generated while stress testing websockets #2 "__cxa_call_unexpected" (core.vshell.360)
RDAPI-17083 Error message "Cannot modify a published API" at startup after upgrading to 7.7.0
RDAPI-17088 HTTP version in Transaction Audit Payload Logging is always HTTP/1.0
RDAPI-17093 Forward slash ("/") is being appended to the resource path by API Broker policy after upgrade from SP7
RDAPI-17128 User self-registration and Stored Personal Data - GDPR
RDAPI-17132 API Manager Traverse Error
RDAPI-17250 OAuth server does not return 401 in compliance with the RFC for certain "invalid_client" errors
RDAPI-17276 OpenID Connect tokens generated by the hybrid flow are missing c_hash
RDAPI-17290 Rest API paths created by policy studio duplicated
RDAPI-17304 Malformed JSON content is forwarded to backend, when it should be blocked by APIMgr
RDAPI-17326 Access token is wrongly generated when the 'scope' field contains 'openid' along with a scope which is not valid for the client
RDAPI-17330 json to xml filter crashes with proper JSON escaped "\"

Reverted issues


Install the service pack

These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.

  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
    Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly to avoid any regex matching issues. For example, the following directories might contain customized files:

    webapps/apiportal/vordel/apiportal
    webapps/emc/vordel/manager/app
    webapps/emc

    system/conf/apiportal/email
    system/conf
    samples/scripts/
    tools/filebeat-VERSION-PLATFORM

    For details on API Manager customization, see the API Manager User Guide.
  3. Remove old third-party libraries by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/modules
    INSTALL_DIR/analytics/system/lib/modules
  4. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/apigateway/platform/jre
  5. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
  6. On Linux, remove existing capabilities on product binaries (which may prevent overwriting files):
    setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
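
The prerequisites above, together with the MD5 checksum published for each archive, can be checked before anything is extracted. The script below is an added example, not an Axway script: the function names are hypothetical, it assumes md5sum is installed, and it assumes that Node Manager and API Gateway run as a process named vshell.

```bash
#!/usr/bin/env bash
# Added example (not an Axway script): pre-flight checks for the prerequisites above.
# Paths under INSTALL_DIR are the ones named in this Readme; function names are
# hypothetical. Assumes md5sum is installed; getcap and pgrep are used when present.

# Directories the Readme says to delete before extracting the service pack.
STALE_DIRS="apigateway/system/lib/modules
analytics/system/lib/modules
apigateway/platform/jre"

# verify_md5 ARCHIVE EXPECTED_MD5
# Returns 0 when the archive's MD5 equals the published value (case-insensitive),
# 1 on mismatch, 2 when the archive is missing.
verify_md5() {
    local archive="$1" expected="$2" actual
    [ -f "$archive" ] || { echo "MISSING: $archive"; return 2; }
    actual=$(md5sum "$archive" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# preflight INSTALL_DIR
# Prints one line per finding and returns the number of findings (0 = ready).
preflight() {
    local install_dir="$1" findings=0 d caps
    local vshell="$install_dir/apigateway/platform/bin/vshell"

    # Step 1: Node Manager and API Gateway instances must be shut down.
    # Assumption: both run as a process named "vshell" (the product binary).
    if command -v pgrep >/dev/null 2>&1 && pgrep -x vshell >/dev/null 2>&1; then
        echo "RUNNING: a vshell process is still active"
        findings=$((findings + 1))
    fi

    # Steps 3 and 4: old third-party libraries and the old JRE must be deleted.
    for d in $STALE_DIRS; do
        if [ -e "$install_dir/$d" ]; then
            echo "STALE: $install_dir/$d still exists"
            findings=$((findings + 1))
        fi
    done

    # Step 6: file capabilities left on vshell may prevent overwriting it.
    if [ -f "$vshell" ] && command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$vshell" 2>/dev/null || true)
        if [ -n "$caps" ]; then
            echo "CAPS: $caps (clear with: setcap -r $vshell)"
            findings=$((findings + 1))
        fi
    fi

    return "$findings"
}

# Stand-alone use: preflight.sh INSTALL_DIR [ARCHIVE EXPECTED_MD5]
if [ "$#" -ge 1 ]; then
    rc=0
    preflight "$1" || rc=$?
    if [ "$#" -ge 3 ]; then
        verify_md5 "$2" "$3" || {
            echo "MD5: $2 does not match the published checksum"
            rc=$((rc + 1))
        }
    fi
    exit "$rc"
fi
```

A non-zero exit status is the number of findings; extract the archive only once the script reports none.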

FIPS mode only

If FIPS mode is enabled, you must also perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack as described in the Installation section.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Note:

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.7 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.7 SP1 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.7_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.7/apigateway/

  4. Change to the apigateway directory in your installation:
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Note:

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.7 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.7 SP1 Analytics over the analytics directory in your existing API Gateway 7.7 installation directory. For example:
    tar -xzvf APIGateway_7.7_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.7/analytics/
  3. Change to the analytics directory in your installation:
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Note:

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/policystudio/jre
  4. Unzip and extract API Gateway 7.7 SP1 Policy Studio over the policystudio directory in your existing API Gateway 7.7 installation directory. For example: 
    tar -xzvf APIGateway_7.7_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.7/policystudio/
  5. Start Policy Studio with policystudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/configurationstudio/jre
  4. Unzip and extract API Gateway 7.7 SP1 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.7 installation directory. For example: 
    tar -xzvf APIGateway_7.7_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.7/configurationstudio/
  5. Start Configuration Studio with configurationstudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

After installation

The following steps apply after installing the service pack.

API Gateway

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.

Notes:

  1. The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users using RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS of the RSA Access Manager to support stronger cipher suites. Alternatively, you can re-enable the anonymous cipher suites in JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
  2. The JRE included in API Gateway enables endpoint identification algorithms for LDAPS (secure LDAP over TLS) by default to improve the robustness of the connections. This may cause API Gateway LDAP filters to fail to connect to an LDAPS server. In this case, you can disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification:

API Manager

When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.

Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:

/opt/Axway-7.7/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP

If the API Gateway group is protected by a passphrase, you must append the above command with --passphrase=API_MGR_GROUP_PASSPHRASE

Client Application Registry

The following command shows an example of running the update-apimanager script when the Client Application Registry is installed: 

/opt/Axway-7.7/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg

If the API Gateway group is protected by a passphrase, you must append the above command with --passphrase=API_MGR_GROUP_PASSPHRASE

Documentation

Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2019 Axway. All rights reserved.