Axway API Gateway and API Manager 7.5.3 SP 12 Readme

Document version: 25 October 2019


Readme for 7.5.3 SP12


This Readme applies to Axway API Gateway and API Manager 7.5.3 SP12, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP12_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Feature Notes

General

API Manager

Policy Studio/Configuration Studio

Security


Fixed issues

Fixed security vulnerabilities

Each entry gives the internal ID, the support case ID(s) and, where one applies, the CVE identifier.

RDAPI-16204 (Case ID 01046587, 01052413)
    Issue: "openid" is always accepted as a valid scope in all OAuth configurations.
    Resolution: The system variable "com.axway.oauth.scopes.openid.allow" can be set to "false" to make "openid" an invalid scope.

RDAPI-17216 (Case ID 01083881)
    Issue: The response to an HTTP OPTIONS request contains the HTTP OPTIONS request headers.
    Resolution: The response to an HTTP OPTIONS request no longer contains the HTTP OPTIONS request headers.

RDAPI-17362 (Case ID 00963339, CVE-2019-14379)
    Issue: Jackson-databind version 2.9.5 has security vulnerabilities.
    Resolution: This component has been updated to version 2.9.10, which does not have these security vulnerabilities.

Other fixed issues

Each entry gives the internal ID and the support case ID(s).

RDAPI-13971 (Case ID 01080378, 00999364)
    Issue: The ModSecurity status code was hardcoded to 403.
    Resolution: It can now be configured in the ModSecurity configuration.

RDAPI-15163 (Case ID 01019805)
    Issue: API Gateway cannot configure a group passphrase with a $ character in the password.
    Resolution: API Gateway allows a group passphrase containing the $ character to be configured.

RDAPI-15793 (Case ID 01040133)
    Issue: Parallel deletion of APIs caused issues in updates of quota relations in tables.
    Resolution: Parallel deletion of APIs is fixed by removing caching of the quota relations. Only a delete on the database is required when removing information about a quota.

RDAPI-16472 (Case ID 01064024, 01063687, 01072862)
    Issue: Frontend API creation fails when using HTTPS and an unavailable host.
    Resolution: Frontend API creation no longer fails when the backend host is not available.

RDAPI-16649 (Case ID 01051063)
    Issue: The 'sha256' digest algorithm, used by the SMIME Sign filter in API Gateway 7.5.3 onward, incorrectly generates the SMIME Content-Type header with the micalg="sha1" attribute.
    Resolution: You can change the default SMIME digest algorithm with the Java system property 'com.axway.apigw.smime.sign.md' in the jvm.xml file, or via the policy message attribute, for example, 'com.axway.apigw.smime.sign.md=sha1'. The policy message attribute supersedes the Java system property.
    The following digest algorithms are supported: sha1, sha224, sha256, sha384, and sha512. The corresponding SMIME Content-Type header 'micalg' attribute is set accordingly.

RDAPI-16792 (Case ID 01064543, 01078637)
    Issue: No option to prevent API Manager adding a forward slash "/" to back-end API calls.
    Resolution: Add the "com.vordel.apimanager.swagger.method.singleslash.ignore=true" Java system property to the jvm.xml file in the conf/ directory of the instance to disable passing a single slash method path to the back-end. For example:
        <ConfigurationFragment>
            <VMArg name="-Dcom.vordel.apimanager.swagger.method.singleslash.ignore=true" />
        </ConfigurationFragment>

RDAPI-16882 (Case ID 01059408)
    Issue: An assertion is triggered when a thread cannot be started.
    Resolution: Threads no longer terminate the process when they cannot be started.

RDAPI-16890 (Case ID 01103775, 01073101)
    Issue: XML redaction is very slow when processing large XML files.
    Resolution: XML redaction has been fully rewritten to be performant and have a low memory footprint. The maximum buffer size and the maximum accepted XML node depth can be controlled using the properties <XMLRedactor maxBufferSize="32768" maxDepth="1024">.
    Issue: XML redaction with disposition "redactDescendants" only removes child nodes.
    Resolution: XML redaction with disposition "redactDescendants" now correctly removes both text and child nodes.

RDAPI-16896 (Case ID 01064774)
    Issue: API Manager kept user registration data in the database for invalid or expired registrations.
    Resolution: User data entered during registration is now stored with a "time to live" parameter, which deletes the data if the user is not validated.

RDAPI-16900 (Case ID 01072496)
    Issue: A trailing slash is incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.
    Resolution: A trailing slash is no longer incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.

RDAPI-16904 (Case ID 01075614)
    Issue: Projpack was failing to create a project if the run command contains --passfile and a string containing '-f'.
    Resolution: The script has been updated to properly handle the occurrence of '-f' in a string.

RDAPI-16928 (Case ID 01074742)
    Issue: A missed impact in the advanced editing implementation leads to a blank entity reference overwriting the first in the list of node locations for the XML Signature Generation and Verification filters.
    Resolution: Valid node location references are not overwritten during save in advanced editing mode.

RDAPI-16929 (Case ID 01075694)
    Issue: IP address authentication filter updates are very slow.
    Resolution: The performance of the IP address authentication filter is improved, as the amount of disk I/O performed is significantly reduced.

RDAPI-16951 (Case ID 01059408)
    Issue: Process termination is triggered when a network connection cannot be instantiated.
    Resolution: Connection instantiation errors no longer trigger process termination.

RDAPI-16952 (Case ID 01059408)
    Issue: In API Gateway, in some specific cases, the caching of SSL connections produced memory leaks that could cause the gateway to crash.
    Resolution: Memory handling has been reviewed and is now fixed for SSL connection caching.

RDAPI-17007 (Case ID 01073806, 01074080)
    Issue: Event logging for API Manager was incorrectly overwriting the Application Id in the Service Context "client" field.
    Resolution: API Manager no longer overwrites the initial value of the Service Context "client" field.

RDAPI-17028 (Case ID 01079030)
    Issue: The apimanager-promote script could only add API access to an organization. There was no functionality to revoke access.
    Resolution: A new 'organization.apis.remove' property was added to the script to allow API access to be revoked from organizations.

RDAPI-17030 (Case ID 01074983)
    Issue: In API Gateway, when using OpenID Connect 1.0 on top of the OAuth 2.0 protocol, OpenID tokens generated by the hybrid flow do not contain the c_hash (code hash) value.
    Resolution: OpenID tokens generated by the hybrid flow now include c_hash.

RDAPI-17068 (Case ID 01067999)
    Issue: In API Manager, sending requests with invalid Content-Type headers to a Virtual API results in an error with HTTP status code 403, which does not represent the error correctly.
    Resolution: Sending requests with invalid Content-Type headers to a Virtual API now results in an error response with HTTP status code 415 and status message "Unsupported Media Type".

RDAPI-17085 (Case ID 01084300, 01056692)
    Issue: The OAuth server does not return 401 in compliance with the RFC for certain "invalid_client" errors.
    Resolution: It now returns 401 as per the RFC.

RDAPI-17168 (Case ID 01080317)
    Issue: The JSON to XML filter was crashing in some specific cases for valid input.
    Resolution: The JSON to XML filter is now fixed and works properly for valid inputs.

RDAPI-17283 (Case ID 01087893, 01088304)
    Issue: The browser is unable to process the number of External Clients, OAuth Clients and API Keys that API Gateway is returning (upwards of 100 MB in the response payload).
    Resolution: Server-side pagination is implemented for GET requests for API Keys, OAuth Clients and External Clients, resulting in much smaller payloads being returned to the client.

RDAPI-17284 (Case ID 01087893, 01100357, 01088304)
    Issue: After deploying to a Gateway, a new API Client Cache is created, but not all references to the old cache are removed, so the memory it consumes is not made available again.
    Resolution: All references to the discarded API Client Cache are removed, so the memory it was consuming is made available again right after deployment completes.

RDAPI-17302 (Case ID 01094845, 01065335, 01066017, 01087748, 01100629)
    Issue: Formatting error in the Traffic Monitor GUI and trace files.
    Resolution: The alignment of trace output has been corrected. The trace indentation error is now reported per processing thread, and if reported, the trace indentation stays intact in unaffected threads.

RDAPI-17333 (Case ID 01048992, 01049266)
    Issue: As a User, a getApplications call results in an individual call to KPS for every application to look up permissions.
    Resolution: The permissions are already cached; the cached permissions are now used rather than reading from KPS for each application.

RDAPI-17394 (Case ID 01091120, 01087893)
    Issue: Requests return status code 401 while the API Client Cache is still updating.
    Resolution: Requests now return status code 503 unless the system variable "com.axway.apimanager.apiclient.cache.response.legacy" is set to "true".

RDAPI-17398 (Case ID 01090932)
    Issue: The dollar sign ($) is treated as an invalid character in the API Resource Path.
    Resolution: Validation of the Resource Path now accepts the characters specified in RFC 3986.

RDAPI-17412 (Case ID 01080681, 01084375)
    Issue: The deployment time for API Manager is too slow when there are many APIs and methods defined in KPS.
    Resolution: Improved caching in API Manager while loading API method data stored in KPS. The compiler is reused when loading Script filters.

RDAPI-17432 (Case ID 01090822)
    Issue: API Gateway does not check the expiry time of OAuth authorization codes when they are stored in an SQL database; the purge thread is responsible for deleting expired codes. This caused a potential delay, as API Gateway treated all available codes as valid.
    Resolution: API Gateway now checks the expiry time of an OAuth authorization code when it uses it. The purge thread behaves as before.

RDAPI-17484 (Case ID 01091984)
    Issue: In the Policy Studio REST API Repository, editing a method does not work if an error response is configured for the method.
    Resolution: A REST API method with an error response configured can now be edited.

RDAPI-17493 (Case ID 01094555, 01094399)
    Issue: API Manager startup time slows down considerably in HA environments as the number of organizations increases.
    Resolution: Organizations are cached in memory so that calls to the database are reduced. This makes the startup process faster.

RDAPI-17700 (Case ID 01083828)
    Issue: The transaction access logger performs a reverse DNS lookup on the source IP address even when "%h" is not used.
    Resolution: The DNS lookup has been removed from the policy pre-execution phase.

RDAPI-17971 (Case ID 01101064)
    Issue: The dbpurger and dbsetup Python scripts fail to connect to the database.
    Resolution: The dbpurger and dbsetup Python scripts now connect to the database.

RDAPI-18017 (Case ID 01105012)
    Issue: The HTTP Basic filter accepts only the case-sensitive "Basic" scheme name.
    Resolution: The HTTP Basic and HTTP Digest filters process the Basic Authentication scheme name case-insensitively as per RFC 7617.

Known issues

Apache Cassandra v2.2.12 support not documented in user guides

v7.5.3 adds improved support for Apache Cassandra 2.2.12. However, the API Gateway Installation Guide and API Gateway Upgrade Guide incorrectly state that API Gateway supports Apache Cassandra versions 2.2.5 and 2.2.8 only. This user documentation will be updated to reflect support for Cassandra version 2.2.12 at a later date.

Related issues: RDAPI-14421

Other known issues

The following known issues are currently scheduled for the next service pack.


Internal ID Description
RDAPI-13517 Duplicate headers returned when calling API Gateway Rest API
RDAPI-13723 Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut
RDAPI-14501 API Manager: load Error "Map XXXX should be YYYY" after importing APIs
RDAPI-14552 API Gateway libxml2 outdated and unsecured?
RDAPI-15290 Can't access Node Manager after submitting external CA-signed certificates
RDAPI-15490 Request headers reflected as response headers
RDAPI-15529 Analytics scheduled report filename doesn't change
RDAPI-16183 KPS caching seems to not use the table name as part of the cache-key, resulting in undesired behavior
RDAPI-16215 API Administrator is re-created after restoring a Cassandra snapshot backup
RDAPI-16405 After unchecking the required field, the parameter is not treated as optional
RDAPI-17282 Connector for Salesforce APIs in API Manager doesn't work or is impossible to configure
RDAPI-17395 APIGW Analytics - no data in DB during DB unavailability
RDAPI-17569 Nested relative path behavior changed after SP9, causing customer policies to fail
RDAPI-17666 Policy Studio unclear about what environmentalized properties are being exported
RDAPI-17770 Path matching behaviour has changed between 7.5.3 SP3 and SP11
RDAPI-17917 Remove this.py from the product
RDAPI-17921 KPS Run Diagnostic Check is failing with error "HTTP 410 Gone"
RDAPI-17923 API Manager Rest stats interface / DB error cuts connection without proper 500 return
RDAPI-17972 Open id redirect issue in OAuth flow

Reverted issues

This service pack has no reverted issues.


Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.

  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
    Note: Ensure that you back up any customized files in your INSTALL_DIR. Merge updated files rather than copying them back directly, to avoid any regex matching issues. For example, the following directories might contain customized files:

    webapps/apiportal/vordel/apiportal
    webapps/emc/vordel/manager/app
    webapps/emc

    system/conf/apiportal/email
    system/conf
    samples/scripts/
    tools/filebeat-VERSION-PLATFORM

    For details on API Manager customization, see the API Manager User Guide.
  3. Remove old third-party libraries by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/modules
    INSTALL_DIR/analytics/system/lib/modules
  4. Remove old Jython and JRE versions by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/jython
    INSTALL_DIR/analytics/system/lib/jython
    INSTALL_DIR/apigateway/platform/jre
    INSTALL_DIR/apigateway/upgrade
  5. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
  6. On Linux, remove existing capabilities on product binaries (which may prevent overwriting files):
    setcap -r INSTALL_DIR/apigateway/platform/bin/vshell

FIPS mode only

If FIPS mode is enabled, you must also perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack as described in the Installation section.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
    Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is co-located with API Gateway, you must also stop Cassandra and close the Cassandra console. If there are any open file locks, this may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.5.3 SP12 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP12_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/

  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

    API Gateway Appliance only
    Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:

  6. Run the following command:
    [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    chown -R admin:admin /opt/gateway/

    grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    ldconfig
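The Linux prerequisite steps and the server installation steps above, collected into one script as an added example; it is not Axway's own tooling and is not shipped with the product. It assumes a Linux host with md5sum, tar and, optionally, libcap's setcap and pgrep available; it takes INSTALL_DIR (the directory that contains apigateway/), the service pack archive and the MD5 published with the download as arguments (the MD5 is compared, never hard-coded), and hands the post-install work to the shipped apigw_sp_post_install.sh. The Windows steps and the appliance-only steps 6 and 7 are not covered.

```shell
#!/bin/sh
# Added example (not Axway's own tooling): apply API Gateway 7.5.3 SP12 on
# Linux following the Readme's prerequisite and installation steps.
# Arguments: INSTALL_DIR (the directory that contains apigateway/), the
# service pack archive, and the MD5 published with the download.

# Verify the download against the vendor-published MD5 before anything is
# extracted over the live installation.
verify_archive() {
    archive="$1"; expected_md5="$2"
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    actual_md5=$(md5sum "$archive" | awk '{ print $1 }')
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "checksum mismatch for $archive: got $actual_md5, expected $expected_md5" >&2
        return 1
    fi
    return 0
}

# Prerequisite 1 / installation step 1: refuse to continue while a Node
# Manager or API Gateway instance from this installation is still running.
instances_stopped() {
    install_dir="$1"
    command -v pgrep >/dev/null 2>&1 || { echo "pgrep not available; check running instances manually" >&2; return 0; }
    if pgrep -f "$install_dir/apigateway/platform/bin/vshell" >/dev/null 2>&1; then
        echo "vshell processes still running under $install_dir; stop them first" >&2
        return 1
    fi
    return 0
}

# Prerequisites 3, 4 and 6: delete the stale third-party, Jython and JRE
# directories that the service pack replaces, and drop the file capabilities
# on vshell so the new binary can be written over the old one.
remove_old_dirs() {
    install_dir="$1"
    for d in apigateway/system/lib/modules analytics/system/lib/modules \
             apigateway/system/lib/jython  analytics/system/lib/jython \
             apigateway/platform/jre       apigateway/upgrade; do
        rm -rf "$install_dir/$d"
    done
    vshell="$install_dir/apigateway/platform/bin/vshell"
    if [ -f "$vshell" ] && command -v setcap >/dev/null 2>&1; then
        setcap -r "$vshell" 2>/dev/null || true   # no-op if no capabilities were set
    fi
}

# Installation steps 3 to 5: extract over apigateway/ and run the shipped
# post-install script from that directory with bash, as the Readme instructs.
apply_service_pack() {
    install_dir="$1"; archive="$2"
    tar -xzf "$archive" -C "$install_dir/apigateway/" || return 1
    post_install="$install_dir/apigateway/apigw_sp_post_install.sh"
    [ -f "$post_install" ] || { echo "post-install script missing: $post_install" >&2; return 1; }
    (cd "$install_dir/apigateway" && bash ./apigw_sp_post_install.sh)
}

# Full sequence; every step that fails stops the run before anything is changed.
install_sp12() {
    install_dir="$1"; archive="$2"; expected_md5="$3"
    verify_archive "$archive" "$expected_md5" || return 1
    instances_stopped "$install_dir" || return 1
    remove_old_dirs "$install_dir"
    apply_service_pack "$install_dir" "$archive"
}

# Usage: sh this_script.sh /opt/Axway-7.5.3 APIGateway_7.5.3_SP12_Core_linux-x86-64_BNYYYYMMDDn.tar.gz <MD5 from the download page>
if [ "$#" -eq 3 ]; then
    install_sp12 "$1" "$2" "$3"
fi
```

Run it only after the backup in prerequisite 2 is complete. The checksum and running-process checks come before any deletion, so a corrupted or tampered download, or a gateway that is still serving traffic, stops the run before the installation is touched.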

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.5.3 SP12 Analytics over the analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP12_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  3. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/policystudio/jre
  4. Unzip and extract API Gateway 7.5.3 SP12 Policy Studio over the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP12_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
  5. Start Policy Studio with policystudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/configurationstudio/jre
  4. Unzip and extract API Gateway 7.5.3 SP12 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP12_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
  5. Start Configuration Studio with configurationstudio -clean

Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.

After installation

The following steps apply after installing the service pack.

API Gateway

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 6 and 7 in Install the API Gateway server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
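The two post-installation steps above as an added shell example, not part of the Readme or the product. It inserts the java.library.path VMArg into jvm.xml only if it is not already present (the same grep-then-insert idiom as the appliance command in the installation section, and like that command it assumes the file contains a <JVMSettings> element), grants the two capabilities from step 2 with setcap, and confirms the result with getcap rather than trusting the exit status. Both paths are passed as arguments; the jvm.xml used in testing is constructed.

```shell
#!/bin/sh
# Added example (not part of the Readme or the product): post-installation
# steps for running API Gateway on privileged ports as an unprivileged user.
# Paths are passed as arguments; nothing here is hard-coded to /opt.

# The VMArg line from the Readme's "After installation" section, verbatim.
LIB_PATH_ARG='<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>'

# Step 1: add the VMArg to jvm.xml, but only once. Re-running the
# installation must not duplicate the argument, so the file is left alone if
# java.library.path is already configured. The line is inserted directly
# after the <JVMSettings ...> element, as the appliance command does
# (assumption: the file has such an element; otherwise the function fails).
add_library_path_arg() {
    jvm_xml="$1"
    [ -f "$jvm_xml" ] || { echo "jvm.xml not found: $jvm_xml" >&2; return 1; }
    if grep -q 'java.library.path' "$jvm_xml"; then
        return 0
    fi
    tmp="$jvm_xml.tmp.$$"
    awk -v arg="$LIB_PATH_ARG" '
        { print }
        /<JVMSettings/ && !done { print "    " arg; done = 1 }
    ' "$jvm_xml" > "$tmp" || return 1
    mv "$tmp" "$jvm_xml" || return 1
    if ! grep -q 'java.library.path' "$jvm_xml"; then
        echo "no <JVMSettings> element in $jvm_xml; add the VMArg manually" >&2
        return 1
    fi
    return 0
}

# Step 2: grant only the two capabilities the Readme names instead of running
# the gateway as root. Needs root (or CAP_SETFCAP) to succeed.
grant_vshell_caps() {
    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' "$1"
}

# Verify that the binary carries both expected capabilities. The output
# format of getcap differs between libcap versions, so each capability name
# is matched on its own rather than the whole line.
vshell_has_caps() {
    vshell="$1"
    command -v getcap >/dev/null 2>&1 || { echo "getcap not available" >&2; return 2; }
    caps=$(getcap "$vshell" 2>/dev/null) || return 1
    case "$caps" in
        *cap_net_bind_service*) ;;
        *) return 1 ;;
    esac
    case "$caps" in
        *cap_sys_rawio*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh this_script.sh INSTALL_DIR/system/conf/jvm.xml INSTALL_DIR/platform/bin/vshell
if [ "$#" -eq 2 ]; then
    add_library_path_arg "$1" && grant_vshell_caps "$2" && vshell_has_caps "$2"
fi
```

Checking with getcap after setcap matters on hosts where the filesystem silently drops extended attributes (some network or overlay mounts): setcap may report success while the binary still lacks the capabilities and the gateway then fails to bind ports below 1024 at startup.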

For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.

Notes:

  1. The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users of RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS on the RSA Access Manager to support stronger cipher suites. Alternatively, you can re-enable the anonymous cipher suites in the JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
  2. The JRE included in API Gateway enables endpoint identification algorithms for LDAPS (secure LDAP over TLS) by default to improve the robustness of the connections. This may cause API Gateway LDAP filters to fail to connect to an LDAPS server. In this case, you can disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification:

API Manager

When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.

Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:

/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.

Client Application Registry

The following command shows an example of running the update-apimanager script when the Client Application Registry is installed:

/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.

Documentation

Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2019 Axway. All rights reserved.