Document version: 18 March 2016
This Readme applies to Axway API Gateway 7.4.1 SP 2, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new binaries only and does not overwrite the existing configuration.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.1_SP2_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
This service pack provides the following corrections and enhancements.
Case ID | Internal ID | Description |
---|---|---|
- | RDAPI-187 | Issue: Upgrade failure from 7.3.0 to 7.4.1. |
808883 | RDAPI-228 | Issue: Policy Studio unresponsive or crashes when configuring a large database query. Resolution: Previously, Policy Studio became unresponsive if the Retrieve from or write to database filter was configured with a large value for the Expect to retrieve rows setting. The minimal value that caused the issue also depended on the complexity of the SQL query. Now, Policy Studio does not become unstable regardless of the expected number of rows entered by the user. |
805098 | RDAPI-616 | Issue: JMS Timeout setting has an upper limit of 20 seconds. Resolution: Previously the maximum JMS Wait timeout was 20000 ms. Now, the maximum timeout is the minimum value that an int can have (2^31). |
804852 | RDAPI-667 | Issue: Insert REST API Parameter in the Set Message filter constructs an incorrect parameter. Resolution: Previously, when inserting REST API parameters in the Set Message filter, incorrect selector strings were created. For the body parameter type, the {params.form} selector string was inserted. Now, the correct {params.body} selector string is inserted. |
804626 | RDAPI-673 | Issue: Upgrade task error when importing the configuration export. Resolution: Previously, when trying to upgrade a policy fragment containing JMS filters, an upgrade task error was encountered. Now, the JMSFilter migrate step 9 has been made more robust, and the policy fragment is upgraded correctly. |
806759 | RDAPI-705 | Issue: Java security advisories. |
804956 | RDAPI-786 | Issue: Performance issues due to churn of SSL sessions. |
729048 | RDAPI-798 | Issue: API Gateway caches failing to connect to LDAP as authN failure. |
807408 | RDAPI-802 | Issue: Custom filter migration issues from 7.3.1 to 7.4.1. |
790450 | RDAPI-877 | Issue: API Gateway crashes when decrypting XML with duplicate elements. |
787174 | RDAPI-882 | Issue: Resolver paths not working correctly. Resolution: Previously, API Gateway failed to resolve to the proper path / policy when handling HEAD requests if both GET and HEAD methods were configured for the same path. Now, API Gateway resolves to the correct path / method rule. |
- | RDAPI-921 | Issue: Connect to URL filter throws NPE when using Kerberos Credential Profile under stress. Resolution: Previously, the Connect to URL filter threw a NullPointerException when authentication was done using SPNEGO Kerberos under stress (multiple threads). Now, the Connect to URL filter works under stress with authentication over SPNEGO Kerberos. |
808053 | RDAPI-998 | Issue: No Content-Type returned when using the Authorization Code flow. Resolution: Previously, the OAuth Authorization form in the HTTP response did not include Content-Type in the HTTP header. Now, the Content-Type HTTP header is set to the content type of the HTTP message body. |
800861 | RDAPI-1005 | Issue: Upgrading API Gateway gives error: KPS Table with alias: OAuthAuthorizations does not exist. Resolution: Previously, when upgrading a configuration, an OAuth-specific table named OAuthAuthorizations was missing. Now, the OAuth table is created using the sysupgrade process. |
760690 | RDAPI-1008 | Issue: Disabling traffic monitor suppresses incoming/outgoing data from trace file. Resolution: Previously, API Gateway did not write incoming/outgoing DATA traces in the trace file when traffic monitoring was disabled. Now, API Gateway writes incoming/outgoing DATA traces in the trace file regardless of whether traffic monitoring is enabled. |
802357 | RDAPI-1072 | Issue: Setting JNDI Properties in LDAP configuration does not work. Resolution: Previously, in Policy Studio, it was not clear whether custom JNDI parameters for an LDAP connection were applied successfully, and for some SSL configurations the java.net.SocketException: Unconnected sockets not implemented error was thrown. Now, the custom JNDI parameters specified for an LDAP connection are reported at the DEBUG trace level, and the SSL connections have the required socket implementation. |
786561 | RDAPI-1205 | Issue: Proxied 304 Not Modified responses have binary bodies added when using gzip. |
807408 | RDAPI-1241 | Issue: Analytics Audit log Search query does not work properly. |
- | RDAPI-1412 | Issue: Add noexec warning to system requirements in Installation Guide. Resolution: Previously, the user documentation did not state that noexec must not be set on /temp before installing on Linux. Now, the API Gateway Installation Guide states this as a prerequisite. |
812623 | RDAPI-1418 | Issue: JSON Add Node throwing exception. Resolution: Previously, if the JSON Add Node filter was used to add a node to a JSON document and the node content evaluated to null, a NullPointerException was thrown. Now, the new JSON node is successfully added with value set to null. |
- | RDAPI-1479 | Issue: Optimize OAuth Token Info filter. Resolution: Previously, the OAuth Token Info filter and token validation were slow due to object serialization and reflection. Now, the OAuth Token Info filter and token are refactored to be more efficient. |
814952 | RDAPI-1489 | Issue: KPS entry error. |
813541 | RDAPI-1656 | Issue: Cannot encrypt message with existing symmetric.key. |
813971 | RDAPI-1659 | Issue: Installation of 7.4.1 SP1 will fail if FIPS mode is enabled. Resolution: Previously, when you installed 7.4.1 SP1 over a 7.4.1 installation, where FIPS is enabled, it caused the instances and node managers to fail and start with errors. The API Gateway SP readme did not include instructions to disable FIPS before applying the SP. Now, the API Gateway SP readme includes instructions to disable FIPS before applying the SP. |
- | RDAPI-1680 | Issue: Update 7.4.1 user documentation to cover multiple groups on single host. Resolution: Previously, the user documentation did not describe configuring multiple groups on a single host. Now, the API Gateway Administrator Guide and API Gateway Key Property Store Guide are updated with this information. |
813971 | RDAPI-1783 | Issue: Issues with upgrade from 7.2. Resolution: Previously, upgrade from version 7.2.2 with API Portal, multiple groups, same host, and embedded LDAP failed with a duplicate JAR issue. Now, the upgrade is successful. |
820411 | RDAPI-2120 | Issue: Exported WSDL cannot be imported later. Resolution: Previously, an import of a previously exported WSDL web service failed to import with the Couldn't find resource set for id error. Now, the previously exported WSDL web service imports correctly. |
818782 | RDAPI-2125 | Issue: Proxy authentication fails for HTTPS requests. Resolution: Previously, the Connect To URL filter was not sending the Proxy-Authorization header to proxy for HTTPS requests (tunneling) when required. Now, the Connect To URL filter sends the Proxy-Authorization header to proxy for HTTPS requests (tunneling) as required. |
813470 | RDAPI-2144 | Issue: Memory leak in CRL (Dynamic) filter. Resolution: Previously, I/O streams were not closed in case of errors during CRL processing. Now, I/O streams are closed when they are no longer needed. |
821087 | RDAPI-2216 | Issue: Kerberos is not working with SPNEGO. |
819438 | RDAPI-2228 | Issue: Alert filter fails to import correctly. Resolution: Previously, Policy Studio was reporting There was a problem displaying the edit dialog null errors when users attempted to edit an imported Alert filter. Now, you can modify the Alert filter in Policy Studio after importing it with a policy. |
- | RDAPI-2234 | Issue: Error while upgrading configuration in Policy Studio. |
820016 | RDAPI-2316 | Issue: API Gateway should not wait indefinitely after sending expect: 100-continue. Resolution: Previously, there was a problem with API Gateway acting as a client to a particular back-end server with mandatory gzip. Non-gzip requests were rejected. Now, by setting a SystemProperty of dont.expect.100.continue to true in jvm.xml, API Gateway will not wait for a 100-continue response on an HTTP 1.1 connection before sending a message body. |
820584 | RDAPI-2329 | Issue: Unable to use envSettings.props certificate and environmentalized bind certificate at runtime. Resolution: Previously, in Policy Studio, you could incorrectly externalize already environmentalized certificates using the Bind certificate at runtime option. Now, in Policy Studio, the Bind certificate at runtime option is removed from the certificate selector dialog for already environmentalized certificates. This prevents the externalization of certificates with environment variables. |
811546 | RDAPI-2344 | Issue: Problem getting Cassandra configuration from kpsadmin. Resolution: Previously, getting Cassandra configuration from multiple groups failed. Now, configuration is retrieved correctly. |
800386 | RDAPI-2393 | Issue: OAuth Authorization Code flow in v7.4 now prompts to Authorize for scopes. <VMArg name="-Dcom.axway.oauth.acceptRequestScopes=true"/>. |
- | RDAPI-2441 | Issue: Memory leak getting encoded certificate info (PKCS7). Resolution: Previously, there was a memory leak when encoding certificates in PKCS7 format. Now, there is no memory leak when encoding certificates in PKCS7 format. |
- | RDAPI-2442 | Issue: Memory leak getting encoded private key (PKCS8). Resolution: Previously, there was a memory leak when encoding a private key in PKCS8 format. Now, there is no memory leak when encoding a private key in PKCS8 format. |
815452 | RDAPI-2456 | Issue: Different behavior for form-based authentication. Resolution: Previously, the HTML Form Based Authentication filter was incorrectly setting the authentication.subject.id and authentication.subject.format message attributes to User Name format instead of X509DName because it was configured in the corresponding LDAP repository. Now, the HTML Form Based Authentication filter sets authentication.subject.id and authentication.subject.format respectively as configured in the corresponding repository. |
782400 | RDAPI-2462 | Issue: XML Signature Verification filter fails when request from SoapUI uses a SAML Assertion with Sender Vouches confirmation method. Resolution: Previously, generation or verification of XML signatures was not supported using the STR-Transform for a SAML 2.0 assertion, although SAML 1.0/1.1 was supported. Now, API Gateway supports generation and verification of XML Signatures using the STR-Transform for SAML 1.0, 1.1, and 2.0 assertions. |
824012 | RDAPI-2467 | Issue: HTML format request to opsdb allows XSS vulnerability. Resolution: Previously, an XSS vulnerability was discovered on API Gateway. Now, the XSS vulnerability is fixed. |
803048 | RDAPI-2529 | Issue: Create WS-Trust Message filter does not follow the protocol. Resolution: Previously, the inserted Created and Expires elements in the RequestSecurityTokenResponse were created in the WST namespace. Now, the inserted Created and Expires elements in the RequestSecurityTokenResponse are created with the WSU namespace. |
820769 | RDAPI-2532 | Issue: Policy import does not recognize change to filter parameter list. Resolution: Previously, importing changes to the Validate REST filter would incorrectly report The imported configuration contains no applicable differences. Now, changes to the Validate REST filter are correctly detected on import. |
- | RDAPI-2535 | Issue: API Gateway crashes during soak test. Resolution: Previously, API Gateway could crash due to a small memory leak in traffic monitoring. Now, memory handling in API Gateway traffic monitoring is improved. |
822497 | RDAPI-2548 | Issue: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800). Resolution: Previously, API Gateway included OpenSSL 1.0.1p-fips, which has security vulnerabilities. Now, API Gateway includes OpenSSL 1.0.1s-fips, addressing known security vulnerabilities. For more details, see http://openssl.org/news/secadv/20160301.txt. |
- | RDAPI-2622 | Issue: In XML-Encryption, derived symmetric key not used to encrypt as expected. Resolution: Previously, the XML Encrypt filter did not always correctly encrypt a message with a derived key. Now, the XML Encrypt filter encrypts messages with a derived key as expected. |
The following issues are known and scheduled for correction in a future release.
Case ID | Internal ID | Description |
---|---|---|
807075 | RDAPI-1102 | HTTP Basic filter in Protect Management Interfaces policy triggers six times on logging in successfully to Policy Studio. |
808885 | RDAPI-1164 | API Gateway Analytics defect in filtering. |
808783 | RDAPI-1176 | Traffic monitoring trace level not in sync with system trace level. |
814625 | RDAPI-2113 | FTP poller terminates connection with Java exception. |
776780 | RDAPI-2325 | When Connect to URL reaches the Max Received Bytes limit, it returns a truncated result instead of an error. |
811161 | RDAPI-2471 | Clickjacking of API Gateway Management Services. |
821733 | RDAPI-2491 | Creating policy assembly fails with DuplicateKeysException. |
813773 | RDAPI-2505 | When the logged-in user changes password on 8090, they lose all their roles. |
824002 | RDAPI-2545 | Retrieve from or write to database filter fails with NullPointerException when Date column contains null. |
825167 | RDAPI-2559 | Valid JSONPath incorrectly returns no matches. |
This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:
INSTALL_DIR/system/lib/modules directory.
Run togglefips --disable to turn FIPS mode off.
Start the nodemanager to move the JARs.
Stop the nodemanager.
Install API Gateway 7.4.1 SP 2.
Start the nodemanager.
Stop the nodemanager.
Run togglefips --enable to turn FIPS on again.
Start the nodemanager.
This section describes how to install the service pack on an existing installation of API Gateway.
To install the service pack on your existing API Gateway 7.4.1 Core Server installation, perform the following steps:
INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
apigateway directory in your existing installation directory. For example:
tar -xzvf APIGateway_7.4.1_SP2_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/apigateway/
Note
ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
To install the service pack on your existing API Gateway Analytics 7.4.1 installation, perform the following steps:
INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
analytics directory within your existing API Gateway 7.4.1 installation directory. For example:
tar -xzvf APIGateway_7.4.1_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/analytics/
Note
ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
To install the service pack on your existing Policy Studio installation, perform the following steps:
INSTALL_DIR/policystudio directory.
policystudio directory within your existing API Gateway 7.4.1 installation directory. For example:
tar -xzvf APIGateway_7.4.1_SP2_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/policystudio/
Note
policystudio -clean.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
INSTALL_DIR/configurationstudio directory.
configurationstudio directory within your existing API Gateway 7.4.1 installation directory. For example:
tar -xzvf APIGateway_7.4.1_SP2_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/configurationstudio/
Note
configurationstudio -clean.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
INSTALL_DIR/system/conf/jvm.xml file.
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/i386/server:$VDISTDIR/$DISTRIBUTION/jre/lib/i386:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
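The following check is an added example, not part of the original Readme or Axway's code. It covers two Linux points raised above: the noexec prerequisite (RDAPI-1412) and the cap_net_bind_service capability on vshell. The function names, the sample mount table and the use of /tmp as the temporary directory are assumptions made for illustration.

```shell
# Added example, not Axway code. Function names and sample data are constructed.

# Read a mount table (/proc/mounts format) on stdin; print the options of the
# filesystem holding path $1. Longest mount point wins; on a tie the later
# line wins, because a later mount shadows an earlier one.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }'
}

# True when the filesystem holding path $1 is mounted noexec (table on stdin).
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# True when a getcap output line ($1) shows cap_net_bind_service with the
# effective and permitted flags. Older libcap prints "FILE = cap+ep", newer "FILE cap=ep".
has_bind_cap() {
    case "$1" in
        *cap_net_bind_service[+=]ep*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Constructed sample: /tmp is mounted noexec, the install volume is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /opt ext4 rw,noatime 0 0
EOF
}

# Report on the constructed data. On a real host, read /proc/mounts instead
# and pass "$(getcap INSTALL_DIR/platform/bin/vshell)" as $1.
preflight_report() {
    for dir in /tmp /opt/Axway-7.4.1/apigateway; do
        if sample_mounts | is_noexec "$dir"; then
            echo "FAIL: $dir is on a noexec mount"
        else
            echo "ok:   $dir allows execution"
        fi
    done
    has_bind_cap "$1" && echo "ok:   vshell has cap_net_bind_service" ||
        echo "FAIL: vshell lacks cap_net_bind_service; re-run setcap"
}

preflight_report "INSTALL_DIR/platform/bin/vshell = cap_net_bind_service+ep"
```

File capabilities are cleared when a binary is rewritten or replaced, so the capability check is worth repeating after any later update that touches vshell.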
Go to Axway Sphere at https://support.axway.com to find all documentation for this product version.
For information about how API Gateway is used in Axway 5 Suite, refer to:
All Axway documentation is available from Axway Sphere at https://support.axway.com.
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Sphere at https://support.axway.com.
Copyright © 2016 Axway. All rights reserved