
 Axway API Gateway and API Manager 7.5.3 SP 6 Readme


Document version: 27 March 2018



Readme for 7.5.3 SP 6

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 6, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

  • API Gateway Core Server
  • API Manager
  • API Gateway Analytics
  • Policy Studio
  • Configuration Studio

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP6_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. An MD5 checksum is provided for each file; verify it against the downloaded archive before extracting.

Fixed issues

Fixed security vulnerabilities

Key Case ID CVE Identifier Description
RDAPI-12105 00943446, 00952564 CVE-2017-3737; CVE-2017-3738 Issue: OpenSSL Security Advisory [07 Dec 2017] - CVE-2017-3737/CVE-2017-3738.
Resolution: Previously, API Gateway was vulnerable to CVE-2017-3737 and CVE-2017-3738. Now, API Gateway is packaged with OpenSSL 1.0.2n.
RDAPI-12194 00917113 CWE-256 Issue: API collections exported from API Manager contain plaintext credentials.
Resolution: Previously, you could export API collections from API Manager as a plaintext file. Now, you can no longer export API collections as a plaintext file by default. You must supply a password and the generated file is encrypted. If you need to generate a plaintext file, the administrator must add the following lines near the start of apigateway/webapps/apiportal/vordel/apiportal/app/app.config (for example, before the nodemanager setting):

/* Option to determine if API collections can be exported as clear text
- Set to false if API export as clear text is not allowed (exported file is always encrypted)
- Set to true if API export as clear text is allowed (you can choose to encrypt the file or not) */

allowAPIExportAsClearText: true,

Note: If you change this setting, you must clear the browser cache so that the old setting is removed. Leave the option absent (or set to false) wherever exported collections might be stored or transmitted outside the API Manager host, because a clear-text export carries the credentials in the collection unprotected.

RDAPI-12513 CVE-2017-5645 Issue: [CWE-937] Log4j 2.8.1 has known vulnerabilities.
Resolution: Previously, API Gateway included Apache Log4j version 2.8.1, which has known vulnerabilities. Now, API Gateway is upgraded to Log4j version 2.8.2.

Other fixed issues

Key Case ID Description
RDAPI-10909 00912805, 00911974 Issue: Sorting and filtering issues in API Manager.
Resolution: Previously, you could not:

  • Sort Application Developers and Applications by Organization
  • Display Users and Applications for a specific Organization
  • Link to the respective Organization from the Application Developers and Applications pages
  • Sort in tables with case sensitivity disabled

Now, you can:

  • Sort Application Developers and Applications by Organization
  • Display Users and Applications for a specific Organization
  • Link to the respective Organization from the Application Developers and Applications pages
  • Enable/disable case-insensitive sorting in Settings > API Manager settings > Case-insensitive table sorting (sorting in tables is case-insensitive by default)
RDAPI-11131 00908268 Issue: API Manager application image disappears after edit.
Resolution: Previously, after creating an application and adding an image, the image disappeared when you edited the application. Now, the image no longer disappears when you edit the application.
RDAPI-11703 00895802 Issue: API Manager misbehavior when receiving a wrongly-encoded request.
Resolution: Previously, in API Manager, when JSON validation fails, the HTTP response status did not return a 400 Bad Request error. Now, in API Manager, when JSON validation fails, the HTTP response status returns a 400 Bad Request error.
RDAPI-11905 00934697 Issue: Back-end API description display issue in API Manager.
Resolution: Previously, in the API Catalog, a method description that contained some special characters was not displayed correctly. Now, a method description that contains some special characters displays the special characters correctly.
RDAPI-11916 00926083 Issue: WebSockets—no trace log for server-to-client communication.
Resolution: Previously, there was no trace log for WebSocket server-to-client communication in API Gateway Manager. Now, there is a trace log for this WebSocket communication.
RDAPI-12024 00924527 Issue: MalformedURL log improvement.
Resolution: Previously, for an API Manager front-end API, if the Outbound authentication profile was set to SSL, and the certificate was malformed or corrupted, a java.net.MalformedURLException exception was displayed in the API Gateway trace, but the corresponding API Manager front-end API was not listed.
Now, for an API Manager front-end API, if the Outbound authentication profile is set to SSL, and the certificate is malformed or corrupted, an exception is displayed in the API Gateway trace, and the corresponding API Manager front-end API name, organization name, and version are listed.
RDAPI-12077 00940071 Issue: Custom routing policy does not use front-end API settings.
Resolution: Previously, in API Manager, API outbound custom routing policies had to use a custom script to access authentication profiles to configure a Connection filter. Now, in API Manager, authentication profile configurations are enabled for the Connection filter in API outbound custom routing policies.
RDAPI-12139 00939103, 00948780, 00942725 Issue: Wrong encoding of SOAP endpoint URI when it contains query parameters.
Resolution: Previously, when importing a WSDL in API Manager, the encoding of SOAP endpoint URIs was incorrect when the URI contained query parameters. Now, SOAP endpoint URIs that contain query parameters are encoded correctly.
RDAPI-12154 00930133 Issue: Assertion in SubjectConfirmationData breaks SAML bearer generation.
Resolution: Previously, when extracting attributes from a SAML assertion, attributes could be mistakenly read from a second assertion nested underneath the first. Now, attributes are always read from the correct SAML assertion.
RDAPI-12158 00942279 Issue: Wildcard password for database connection does not work with some selectors.
Resolution: Previously, some selectors did not work when used in the username and password fields in the Configure Database Connection dialog in Policy Studio. Now, you can use any valid selector.
RDAPI-12191 00925300 Issue: API Gateway Manager not displaying KPS entries correctly.
Resolution: Previously, in API Gateway Manager, when a KPS table had very large column names, not all KPS entries were displayed. Now, the KPS display column size is set to ensure that all names are visible, and if the entire table cannot be displayed in the current window, a horizontal scrollbar is added.
RDAPI-12193 00945351 Issue: XACML PEP filter generates duplicate SOAPAction and Content-Type headers.
Resolution: Previously, the XACML PEP filter inserted duplicate SOAPAction and Content-Type headers in each XACML request. Now, only one header of each type is added.
RDAPI-12204 00946452 Issue: The first message to be processed by Data Map takes 30-40 seconds.
Resolution: Previously, initializing the Data Map resolved URLs which was slowing down Data Map initialization. Now, the URL resolving is removed and the initialization of the Data Map is much quicker.
RDAPI-12219 00946105 Issue: Some audit log entries do not contain the username.
Resolution: Previously, there were user actions being written to the audit log with the user as N/A. Now, the user actions are displayed in the audit log with the username that performed the action.
RDAPI-12252 00915537 Issue: Real-time monitoring keeps only the last 50 events.
Resolution: Previously, the default number of events kept in memory was hard-coded to 50. Now, the default number of messages has been increased to 100, and you can change this size using the environment settings property of env.METRICS.EVENTS.MAX.
RDAPI-12254 00948369 Issue: Cannot use email for login with API Manager and external identity provider.
Resolution: Previously, in API Manager, the input validation policy did not allow email addresses for usernames. Now, in API Manager, the input validation policy allows email addresses for usernames.
RDAPI-12271 00942441 Issue: API Management v7.5.3 support for CentOS default Python 2.7.5.
Resolution: Previously, the product documentation incorrectly stated that Python version 2.7.10 was required for Apache Cassandra. Now, the API Gateway Installation Guide has been updated to state that version 2.7.x is required (up to 2.7.10 for Cassandra 2.2.5, and up to the latest 2.7 for Cassandra 2.2.8).
RDAPI-12315 00941806, 00942881 Issue: init.d scripts may not reliably start API Gateways under load.
Resolution: Previously, the init.d scripts exited without verifying that the API Gateway process had stopped and that its ports were free. Now, the scripts wait until the process has exited and the ports are free.
RDAPI-12319 00948674 Issue: Outbound back-end service URL encoding issue after applying SP 5.
Resolution: Previously, after applying SP 5, the Outbound back-end service URL was not displayed correctly in API Manager. Now, the Outbound back-end service URL displays correctly.
RDAPI-12321 00950002 Issue: APIMANAGERSTATIC cookie without APIMANAGERSESSION cookie causes loop on login page.
Resolution: Previously, if an API Manager session cookie was deleted, API Manager would loop continuously on the login page. Now, if the session cookie is deleted, the server ensures that the associated cookies are also deleted, and you can then log in successfully.
RDAPI-12330 00950159 Issue: Updating KPS records containing encrypted strings longer than 56 characters.
Resolution: Previously, updating a non-secure field in a KPS row in API Gateway Manager sent a garbled update for secure properties (> 56 characters) in that row. Now, this bad update no longer occurs.
RDAPI-12334 00948214, 00949201, 00930447 Issue: Upgrade to ModSecurity 2.9.x.
Resolution: Previously, API Gateway only supported ModSecurity version 2.8. Now, API Gateway supports ModSecurity version 2.9.2 on Linux.
RDAPI-12356 00949082 Issue: Inaccessible complex ${} syntax for message attribute for transaction event log.
Resolution: Previously, you could not use general API Gateway selectors when specifying custom attributes to include in the transaction event log. Now, you can use any selector value.
RDAPI-12376 00948561 Issue: Memory leak in API Gateway native code running load test.
Resolution: Previously, calling the com.vordel.security.openssl.PublicKey.getEncoded method caused a memory leak. A temporary buffer was not released. Now, the temporary buffer is released, and there is no memory leak.
RDAPI-12434 00889541 Issue: HTTP responses containing intermediary HTTP 100 Continue responses not displayed correctly in Traffic Monitor log.
Resolution: Previously, if a received response contained HTTP 100 Continue, you did not see any response headers in the Response column in Traffic Monitor. Now, API Gateway Manager skips all HTTP 100 Continue responses, and you can see the final response headers in Traffic Monitor.
RDAPI-12458 00949291 Issue: Content body not available in global fault handler for SOAP call in case of bad request.
Resolution: Previously, API Manager did not reflect the request body in 404 HTTP responses, and the content.body attribute was removed from the message whiteboard before invoking the API Gateway global fault handler. Now, API Manager propagates the content.body attribute to fault handlers.
RDAPI-12511 00945697 Issue: Allow removal of x-axway extension from Swagger response in specific API Manager discovery APIs.
Resolution: Previously, calls to specific discovery APIs to retrieve an extended Swagger feed returned an x-axway extension in the response. Now, you can prevent the generation of the x-axway extension by specifying the extensions=false query parameter in the following API calls:

  • GET /discovery/swagger/api/{name}
  • GET /discovery/swagger/apis

For example:
https://apiman.axway.com:8075/api/portal/v1.3/discovery/swagger/api/Petstore20?swaggerVersion=2.0&extensions=false
Note: By default, the x-axway extension is generated if you do not specify the extensions query parameter.

RDAPI-12521 Issue: Diagnostics for the API Gateway kpsadmin command.
Resolution: Previously, the kpsadmin command did not output diagnostic information. Now, a new diagnostics option has been added to kpsadmin to help diagnose common KPS and Cassandra configuration issues. For more details, run kpsadmin --help.
RDAPI-12533 00956406 Issue: API Manager Outbound Pass Through authentication not working.
Resolution: Previously, API Manager did not generate the required message attribute for the Pass Through authentication profile for the Outbound custom routing policy, where it could be consumed by the Connect to URL filter.
Now, API Manager generates the required message attributes for the Outbound custom routing policy with the Connect to URL filter. This policy can be reused for the Pass Through, Basic, Digest, API Key, and OAuth authentication profiles.
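
The RDAPI-12154 fix above (attributes mistakenly read from a second assertion nested under the first) illustrates why SAML attribute lookup must be scoped to the assertion that was actually validated. The following Python is an added example, not Axway code: it builds a constructed assertion whose SubjectConfirmationData embeds a second Assertion, shows that a descendant (.//) search returns the nested values first, and contrasts it with a lookup restricted to the outer assertion's own AttributeStatement that rejects any embedded assertion outright. The XML structure, attribute names and values are all assumed for the example.

```python
# Added example (not Axway code): why SAML attribute extraction must not descend
# into a nested <saml:Assertion>. Both assertions below are constructed inputs;
# element names follow SAML 2.0, the outer/nested layout is assumed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed input: a nested assertion inside SubjectConfirmationData claims
# role=admin, while the outer (validated) assertion says role=user.
NESTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="outer" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData>
        <saml:Assertion ID="nested" Version="2.0">
          <saml:AttributeStatement>
            <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed input without any embedded assertion.
PLAIN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="plain" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _values(attr_elems):
    """Map Attribute Name -> first AttributeValue text; first occurrence wins."""
    out = {}
    for attr in attr_elems:
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        out.setdefault(attr.get("Name"), value)
    return out


def attributes_naive(xml_text):
    """Descendant search: './/' matches Attribute elements at any depth, and the
    nested assertion (inside Subject) precedes the outer AttributeStatement in
    document order, so its values win."""
    root = ET.fromstring(xml_text)
    return _values(root.findall(".//saml:Attribute", NS))


def attributes_strict(xml_text):
    """Read only the outer assertion's own AttributeStatement children."""
    root = ET.fromstring(xml_text)
    return _values(root.findall("saml:AttributeStatement/saml:Attribute", NS))


def has_nested_assertion(xml_text):
    """True if any Assertion element appears below the root assertion."""
    root = ET.fromstring(xml_text)
    return len(root.findall(".//saml:Assertion", NS)) > 0


def extract_attributes(xml_text):
    """Hardened entry point: refuse an assertion that embeds another assertion
    rather than guessing which one is 'right', then read direct children only."""
    if has_nested_assertion(xml_text):
        raise ValueError("nested saml:Assertion rejected")
    return attributes_strict(xml_text)


if __name__ == "__main__":
    print("naive :", attributes_naive(NESTED_ASSERTION))
    print("strict:", attributes_strict(NESTED_ASSERTION))
```

Run it with python3 to see the two results side by side. In production code the lookup must additionally be scoped to the element whose XML signature was verified, because choosing attributes by descendant search is the pattern that signature-wrapping attacks exploit; and xml.etree does not defend against entity-expansion payloads, so parse untrusted assertions with defusedxml.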

Known issues

This service pack has the following known issues, which are planned for a future release:

  • RDAPI-9478: Path matching on listeners works incorrectly when the paths found are the same.
  • RDAPI-11229: API Manager missing fields in API list on Application page.
  • RDAPI-11606: [CWE-548] OAuth services (port 8089) / path redirects to API Manager and allows directory listing.
  • RDAPI-11936: After registering a WSDL in one API Manager (in a cluster of three), unable to download from others until restart or deploy.
  • RDAPI-12034: Missing generic error exception message not provisioned.
  • RDAPI-12141: Failure to import API results in 400 Inconsistent data format.
  • RDAPI-12142: Wrong status and message if invoked policy contains Connect to URL and connection to API back-end fails.
  • RDAPI-12187: FTP File download filter stuck until active timeout (30 sec) when a non-existing file is set and the default directory is set to / or blank.
  • RDAPI-12455: Java exception when deploying a configuration containing a Directory Scanner with a selector expression for Input Directory.
  • RDAPI-12709: Crash in API Gateway when viewing a response in an HTTP transaction at VM_GC_Operation::notify_gc_begin(bool).

Reverted issues

The following issue has been reverted from SP 5:

  • RDAPI-11672: Reflection of Untrusted Data in API Manager.
    Additional investigation found that the risk presented by this issue is very low and that exploiting it is infeasible in a real-world scenario. This issue will be fixed in a future release.

Install the service pack

Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your installation.

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Apache Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

Note:

  • To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
  • To upgrade from an earlier version to v7.5.3, see the API Gateway Upgrade Guide.

Install the API Gateway Core Server service pack

Note: If you have API Manager installed, installing the API Gateway Core Server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
    Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is collocated with API Gateway, you must also stop Cassandra and close the Cassandra console. Any open file locks may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 6 Core over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP6_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

    API Gateway Appliance only
    Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:

  6. Run the following command:
    # [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    # chown -R admin:admin /opt/gateway/
    # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
    # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
    # ldconfig

Note:

  • If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
  • Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
  • If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
  • If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 6 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP6_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  4. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  5. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

Note:

  • Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
  • You must also install a service pack for your existing 7.5.3 Core Server.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 6 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP6_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 6 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP6_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

API Gateway

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the commands in the API Gateway Appliance only steps of Install the API Gateway Core Server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig
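
The four steps above are easy to leave half done: the VMArg added twice, gateway-libs.conf pointing at the wrong INSTALL_DIR, or setcap failing silently. The following Python script is an added example, not Axway's own tooling. It renders the gateway-libs.conf content, adds the java.library.path VMArg to jvm.xml only if it is not already present (the same idempotent check the appliance recipe performs with grep), runs setcap and ldconfig, and then parses getcap output to confirm both capabilities are effective and permitted. The default INSTALL_DIR, the presence of a <JVMSettings> element in jvm.xml, and the two getcap output layouts are assumptions.

```python
# Added example (not Axway's own tooling): apply and verify the unprivileged-user
# settings described above. Assumptions: INSTALL_DIR layout as in the readme,
# jvm.xml contains a <JVMSettings> element, and getcap prints either
# "path = caps+ep" (older libcap) or "path caps=ep" (newer libcap).
import os
import re
import subprocess
import sys

# The exact VMArg line from the readme, inserted verbatim (no shell expansion).
VMARG = '<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>'

# Library directories for /etc/ld.so.conf.d/gateway-libs.conf, relative to INSTALL_DIR.
LIB_SUBDIRS = ("platform/jre/lib/amd64/server", "platform/jre/lib/amd64",
               "platform/lib/engines", "platform/lib", "ext/lib")

REQUIRED_CAPS = {"cap_net_bind_service", "cap_sys_rawio"}
LD_CONF = "/etc/ld.so.conf.d/gateway-libs.conf"


def render_ld_conf(install_dir):
    """Content of gateway-libs.conf: one absolute directory per line."""
    return "".join("%s/%s\n" % (install_dir.rstrip("/"), d) for d in LIB_SUBDIRS)


def ensure_vmarg(jvm_xml_text):
    """Return jvm.xml text containing the java.library.path VMArg exactly once.
    Same idempotent rule as the appliance recipe: if the property is already
    present leave the file alone, otherwise add the line right after <JVMSettings."""
    if "java.library.path" in jvm_xml_text:
        return jvm_xml_text
    out, inserted = [], False
    for line in jvm_xml_text.splitlines(keepends=True):
        out.append(line)
        if not inserted and "<JVMSettings" in line:
            out.append("    " + VMARG + "\n")
            inserted = True
    if not inserted:
        raise ValueError("jvm.xml has no <JVMSettings> element")
    return "".join(out)


def caps_ok(getcap_line):
    """True if one getcap output line grants both required capabilities with the
    effective (e) and permitted (p) flags. Parses the last whitespace-separated
    field so both "path = caps+ep" and "path caps=ep" layouts are accepted."""
    fields = getcap_line.split()
    if not fields:
        return False
    m = re.match(r"^([a-z0-9_,]+)[+=]([a-z]+)$", fields[-1])
    if not m:
        return False
    names = set(m.group(1).split(","))
    flags = set(m.group(2))
    return REQUIRED_CAPS <= names and {"e", "p"} <= flags


def apply_steps(install_dir):
    """Steps 1-4 from the readme, followed by a getcap check (run as root)."""
    jvm_xml = os.path.join(install_dir, "system", "conf", "jvm.xml")
    with open(jvm_xml) as f:
        before = f.read()
    after = ensure_vmarg(before)
    if after != before:
        with open(jvm_xml, "w") as f:
            f.write(after)
    with open(LD_CONF, "w") as f:
        f.write(render_ld_conf(install_dir))
    vshell = os.path.join(install_dir, "platform", "bin", "vshell")
    subprocess.run(["setcap", "cap_net_bind_service=+ep cap_sys_rawio=+ep", vshell], check=True)
    subprocess.run(["ldconfig"], check=True)
    out = subprocess.run(["getcap", vshell], check=True, stdout=subprocess.PIPE,
                         universal_newlines=True).stdout
    if not caps_ok(out):
        sys.exit("capabilities not applied to %s: %r" % (vshell, out.strip()))


if __name__ == "__main__":
    apply_steps(sys.argv[1] if len(sys.argv) > 1 else "/opt/Axway-7.5.3/apigateway")
```

Run it as root with the installation directory as the only argument. cap_sys_rawio permits raw device and I/O port access, so keep vshell and its parent directories writable only by the owning user, and re-run the script after each service pack (the readme lists these steps under After installation because the extracted binaries must be capped again).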

API Manager

Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

  • Axway Supported Platforms
  • Axway Interoperability Matrix

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2018 Axway. All rights reserved.