Document version: 15 November 2018
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP9, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP9_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
| Internal ID | Case ID | CVE ID | Description |
|---|---|---|---|
| RDAPI-13282 | 00946657, 00988077, 01002570, 00965605 | | Issue: Requiring an encryption password when exporting an API or application collection fails the apimanager-promote script, because it is not possible to provide a decryption password or passfile. Resolution: The apimanager-promote script now requires a decryption password or passfile. |
| RDAPI-13297 | 00976396, 00933466 | | Issue: Submitting a token request without specifying any scope returned all application scopes and the scopes of the APIs associated with the application. Resolution: Set the JVM property `<VMArg name="-Dcom.apimanager.application.oauth.restrictScopes=true"/>` to return only those scopes that have been added to the application as Application Level scopes and marked as default. |
| RDAPI-13437 | 00982967 | | Issue: Privilege escalation vulnerability, where an API Manager user could give themselves an elevated role using a PUT request. Resolution: API Manager now validates that a user can only change roles if they hold that role or a higher one. For example, an organization admin can give users the organization admin role, but cannot give the API Manager admin role. |
| RDAPI-13510 | 00993607, 00984372 | | Issue: The URL input field on the Add Certificate page could be exploited to check for the existence of files on the server, or to map open ports on the local network of API Gateway. Resolution: The URL input field is validated (it must be an HTTP URL, and only public domains are allowed). The same error output is now returned in all cases when no certificate is found. |
| RDAPI-13511 | 00984372, 00993594 | | Issue: Security vulnerability when entering a file name for the export of an application, where response headers could be changed by entering special characters. Resolution: Introduced a server-side check where the file name must match a regular expression that allows only valid characters. |
| RDAPI-13512 | 00993605, 00984372 | | Issue: Security vulnerability in the image upload feature allowed unsupported image formats (for example, Flash) to be uploaded, which could be used to initiate attacks. Resolution: Introduced validation checks for image upload that check the file name and image format. The image is now always processed, which reduces attacks where the file content does not match its declared type. |
| RDAPI-13514 | 00983725, 01003668, 00984372 | | Issue: API Manager users could embed malicious code in client OAuth redirect URLs. Resolution: This security vulnerability is now fixed in API Manager. |
| RDAPI-13883 | 00989858 | CVE-2014-3566 | Issue: API Gateway included IBM MQ JARs version 7.5.0.2, which are vulnerable to POODLE (CVE-2014-3566). Resolution: API Gateway now includes version 7.5.0.8 of the IBM MQ JARs and is no longer vulnerable. |
| RDAPI-13977 | 00999092, 01002567 | CVE-2018-0737, CVE-2018-0732 | Issue: API Gateway shipped with OpenSSL 1.0.2o-fips. Resolution: API Gateway ships with OpenSSL 1.0.2p-fips, addressing the following security vulnerabilities: CVE-2018-0732, CVE-2018-0737. |
| RDAPI-14061 | 00949535 | | Issue: Path traversal security vulnerability in API Gateway Manager. Resolution: The security vulnerability has been fixed. |
| RDAPI-14166 | 01004262 | | Issue: A URL with many slashes causes a crash in API Gateway. Resolution: API Gateway handling of long URLs in memory has been corrected. |
| RDAPI-14363 | 00993599, 00984372 | | Issue: API Manager Management APIs are not CSRF protected. Resolution: CSRF protection has been added to the API Manager Management APIs. Set the `com.axway.apimanager.csrf` Java system property to `false` to turn off the CSRF checks by API Manager. The default is `true`. |
| RDAPI-14504 | 01011534 | CVE-2018-3183 | Issue: The Java version shipped with API Gateway contained security vulnerabilities. Resolution: The API Gateway Java version has been upgraded to Java version "1.8.0_191", Java(TM) SE Runtime Environment (build 1.8.0_191-b12), Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode). |
| Internal ID | Case ID | Description |
|---|---|---|
| RDAPI-12142 | 00942402 | Issue: When a front-end API is secured using an invoked policy that contains a Connect to URL filter, and the connection to the API fails, API Manager returns HTTP status 200 or 204 instead of 500 Internal Server Error. Resolution: API Manager now returns 500 Internal Server Error in this scenario. |
| RDAPI-12305 | 00948031 | Issue: The Save button is not enabled in Policy Studio when you select Server Settings > General > Input Encodings or Output Encodings for environmentalization. Resolution: The Save button is enabled when you select these fields for environmentalization. |
| RDAPI-12759 | 00946314, 00961189 | Issue: A front-end API is configured with OAuth or OAuth (external) inbound security with the "Scopes must match" setting set to "All". A request to the front-end API fails if the request's access token contains more scopes than are configured for the front-end API. Resolution: A request with an access token containing more scopes than are configured for the front-end API no longer fails. |
| RDAPI-12774 | 00962018 | Issue: API Manager REST API HTTP Basic Authentication fails when the user password contains a colon character (:). Resolution: You can now include the colon character in the password. |
| RDAPI-12780 | 00963367 | Issue: When importing applications with quota overrides that were exported using API Manager or its REST API with Export quota overrides selected, the API with quota overrides changed to undefined. Resolution: Locating APIs in quota settings during application import is now fixed. Error messages have also been added for scenarios such as API or method not found. |
| RDAPI-12964 | 00956029 | Issue: When the metrics database was changed for API Manager in Policy Studio, the change was not saved. Resolution: When the metrics database is changed, the user is prompted to save the change before continuing. |
| RDAPI-13060 | 00969324 | Issue: There was an inconsistency between long-term and short-term views in the API Gateway Analytics UI. Resolution: This inconsistency no longer occurs. |
| RDAPI-13113 | 00968288 | Issue: When tokens received by API Gateway as an OAuth client were malformed, API Gateway failed to throw an error and stored the token as null. Resolution: Token parsing now fails with an error message in the trace. |
| RDAPI-13121 | 00970289 | Issue: Inconsistent data in the audit log for API access and applications in API Manager. Resolution: Inconsistencies in audit log messages for API access and application CRUD operations have been removed. The _message_ field now contains human-readable object names, and object UUIDs are written to the _metadata_ field. Inconsistencies in audit log messages for organizations and permissions have also been consolidated. |
| RDAPI-13202 | 00973925 | Issue: The apimanager-promote script does not update an application with the same name if the application ID is different. Resolution: apimanager-promote now updates an application with the same name irrespective of the application ID. |
| RDAPI-13325 | 00978019 | Issue: Duplicate claim error when adding a "sub" claim as an additional JWT claim in the OAuth client (External Connections > Client Credentials > OAuth2). Adding a "kid" claim to be included in the JWT header was not supported. Resolution: Additional JWT claims for "sub" and "kid" are fully supported and work as expected. |
| RDAPI-13328 | 00966823 | Issue: API Gateway JMS Service threads become locked when trying to reconnect after an external JMS server outage. Resolution: JMS threads now reconnect automatically after an external JMS server outage. |
| RDAPI-13351 | 00973390 | Issue: Cannot environmentalize the Enable Embedded Active MQ Broker checkbox in Policy Studio under Server Settings > Embedded Active MQ configuration. Resolution: You can environmentalize both the enable Active MQ setting and the policy selection setting separately. |
| RDAPI-13368 | 00977062 | Issue: Invalid file name error in API Manager when downloading the Swagger for an API if the API name contains unsupported characters (for example, ':', '@', '*', '~'). Resolution: API Manager replaces unsupported characters in the name with underscores, and the Swagger file can be downloaded as expected. |
| RDAPI-13411 | 00977732 | Issue: When using API Manager with the Internet Explorer or Edge browsers to import a back-end API, you had to click Select file twice before it worked. Resolution: The Select file button now works on the first click. |
| RDAPI-13503 | 01016432, 00983879 | Issue: Cannot environmentalize open traffic event log settings (Server Settings > Logging > Open Traffic Event Log) in Policy Studio. Resolution: Open traffic event log settings can be environmentalized directly under Server Settings > Logging > Open Traffic Event Log, or by navigating to the configuration from Environment Configuration > Environment Settings. |
| RDAPI-13516 | 00980228 | Issue: UI performance issues when adding or removing users from an application in API Manager when a large number of applications and users exist. Resolution: UI performance issues have been resolved. |
| RDAPI-13540 | 00977040 | Issue: When threat protection was enabled, response body rules were triggered depending on the input content type. Resolution: The content type used to trigger the response body check is now correctly taken from the response header. |
| RDAPI-13552 | 00983915 | Issue: In Visual Data Mapper there was an error transforming XML to JSON when XML reference types were used. Resolution: The error no longer occurs when transforming XML to JSON using XML reference types. |
| RDAPI-13556 | 00957205 | Issue: The apimanager-promote script returns 0 even when the deployment fails. Resolution: The script now returns 0 for success and 1 if the deployment fails. |
| RDAPI-13651 | 00987083 | Issue: You could not create a certificate with an expiry date after 2037 in Policy Studio on Windows. Resolution: You can now create a certificate with an expiry date after 2037. |
| RDAPI-13670 | 00979243 | Issue: Incoming requests for URLs containing encoded extended ASCII characters could result in an error when writing Traffic Monitoring records and cause a memory leak. Resolution: The extended ASCII characters are no longer treated as a malformed UTF-8 string, and the memory leak no longer occurs. |
| RDAPI-13688 | 00987739 | Issue: Import of a WSDL into API Manager was hanging. Resolution: The import now completes successfully. |
| RDAPI-13735 | 00986597 | Issue: You cannot create API Manager users with commas in their name. The validation failure was not written to the trace log. Resolution: Commas are permitted in the names of API Manager users, and validation errors for new users are logged correctly. |
| RDAPI-13777 | 00980797 | Issue: OAuth clients configured using selectors failed to trace an appropriate error message. Resolution: The trace now contains the message "OAuth client application is not properly configured. Basic Client application properties are not set." |
| RDAPI-13835 | 00988153 | Issue: In OAuth client requests, if a token refresh request failed, the process would fall back to a regular token request but would fail to make the new token available to the outbound API call. Resolution: The new token is now used as expected. |
| RDAPI-13842 | 00993963 | Issue: managedomain displayed an Invalid group passphrase error when Submit externally signed certificate was used. Resolution: Using the Submit externally signed certificate option no longer results in an error. |
| RDAPI-13865 | 00983348 | Issue: Unexpected 403 response when sending a POST request with default profiles to /proxies to virtualize an API. Resolution: Default profiles are accepted when sending a POST request to /proxies to virtualize an API. |
| RDAPI-13874 | 00992660 | Issue: Using the Find Certificate filter causes a memory leak. Resolution: Native components are now correctly freed when an error is raised. |
| RDAPI-13884 | 00983453, 00990270 | Issue: When two APIs share back-end and front-end URLs, one is chosen at random regardless of their state. Resolution: The published API now takes precedence. |
| RDAPI-13885 | 00994951, 00990926 | Issue: Each API Manager instance was showing metrics for all groups in the domain, not just its own. Resolution: Each API Manager instance only shows metrics for its own group. |
| RDAPI-13896 | 00991420 | Issue: In the API Gateway access log, the time zone is not correct if daylight saving time is in effect. Resolution: The time zone is always correct and includes daylight saving time if applicable. |
| RDAPI-13903 | 00989460, 01011522 | Issue: API Manager did not import or show the correct response definitions, or failed to display the API method. Resolution: API Manager imports and displays them correctly. |
| RDAPI-13978 | 00999506 | Issue: API Gateway returns a 404 error for REST API methods designed to consume content types. Resolution: The API Gateway REST API method content type check works as expected. |
| RDAPI-14041 | 01005122, 01000908, 01001167 | Issue: The API Gateway SP8 post-install script was overwriting the conf/acl.json file, so changes made by customers to this file were lost. Resolution: The post-install script now only changes the affected line in the acl.json file. |
| RDAPI-14042 | 01000080 | Issue: A No Match For Request error occurs when the Content-Type is not equal to the API method MIME type. Resolution: Use the `com.coreapireg.apimethod.contenttype.legacy=true` system property to disable this Content-Type check for single API method exact matching and allow legacy API method matching. For example: `<ConfigurationFragment>` The default value is `false`. |
| RDAPI-14054 | 01000648, 01000980 | Issue: The Content-Type of the Consumes and Produces type is missing in API Manager for PATCH methods imported from Swagger. Resolution: The Content-Type of the Consumes and Produces type is displayed in API Manager. |
| RDAPI-14055 | 00997185, 00995508 | Issue: Key Property Store (KPS) does not cache the identifier of a record that does not exist. This results in unnecessary database requests and poor performance. Resolution: API Gateway now caches the request to a record that does not exist, which reduces database hits and improves performance. |
| RDAPI-14064 | 00987708 | Issue: Memory exception in API Gateway when sending a request to an ICAP server. Resolution: The issue was caused by the JSON document body object closing the connection before sending data. The issue has been resolved and the exception no longer occurs. |
| RDAPI-14118 | 00999252 | Issue: The FTP Poller was not carrying out the correct action when the processing policy failed. Resolution: The FTP Poller now carries out the correct action. |
| RDAPI-14202 | 01004665, 01007289 | Issue: Cannot import multiple WSDL back-end APIs with the same WSDL URL. Resolution: You can import multiple WSDL back-end APIs with the same WSDL URL. |
| RDAPI-14290 | 01006639 | Issue: Adding a query string to a front-end API in an outbound per-method override via API proxy resulted in the wrong query string if the front-end API's effective back-end service URL already had a query string. Resolution: The query string is correctly added. |
| RDAPI-14292 | 00978229 | Issue: When HTTP requests failed, request paths were not recorded correctly in the transaction event log. Resolution: Request paths are always recorded correctly. |
| RDAPI-14313 | 00992660 | Issue: API Gateway memory consumption issue when displaying certificates. Resolution: This memory leak has been fixed. Issue: The command line "sr" prints SSL debug information when quiet mode is set. Resolution: SSL information is no longer printed in quiet mode. |
| RDAPI-14337 | 00976755, 00976945 | Issue: Memory consumption issue due to I/O streams not being closed when errors occur during CRL processing. Resolution: I/O streams are correctly closed and extra memory is no longer allocated when calling OpenSSL functions. |
| RDAPI-14462 | 00981353, 00983915 | Issue: In Visual Data Mapper there was an error transforming XML to JSON when XML reference types were used. Resolution: The error no longer occurs when transforming XML to JSON using XML reference types. |
| RDAPI-14627 | 00988159 | Issue: The API Gateway Manager UI is very slow when managing a large number of instances. Resolution: Performance of the API Gateway Manager UI has been improved. |
If you are using the API Manager Management APIs, you must disable the CSRF token check implemented in this service pack. To disable the check, set the Java system property com.axway.apimanager.csrf to false. The default is true.
Related issues: RDAPI-14363, IAP-1592
The following known issues are currently scheduled for the next service pack.
Internal ID | Summary |
---|---|
RDAPI-9478 | Path matching on listeners works incorrectly when the paths found are same. |
RDAPI-12357 | Issues importing Swagger 1.2 files |
RDAPI-12891 | HEAD request, Connect to URL and Content-Range header |
RDAPI-13658 | "No VAPI matched request" error in API Manager but it should match |
RDAPI-13690 | Environmentalization of CORS Profiles using Policy Studio |
RDAPI-13975 | API Manager\Portal self registration, problems with emails containing '+' sign |
RDAPI-14065 | SSL handshake failing, HTTPS WSDL import in API Manager |
RDAPI-14142 | PRD had shown Cardinality violation Error |
RDAPI-14185 | Continuation: Cassandra slowness in some environments |
RDAPI-14380 | KPS restore command failing in Production |
RDAPI-14459 | Inconsistent error messages between GET and POST requests in case of "no match found for request" |
RDAPI-14461 | First In First Out eviction, adding existing data removes the original instead of updating it. |
RDAPI-14478 | Issue with OCSP response validation, OCSP filter does not try all three options |
RDAPI-14489 | Policy Studio Data Map, incorrect handling (Any) for node with undefined type |
RDAPI-14491 | WSDL schema cannot contain two global components, import error |
RDAPI-14506 | managedomain regen_certs in unattended mode always generates new domain certificate |
RDAPI-14517 | Create Thumbprint Filter SHA256 issue when thumbprint has leading zeros |
RDAPI-14531 | Automated deployment of policy with passphrase fails |
RDAPI-14571 | API Gateway Manager 7.5.3 does not show the product version |
RDAPI-14588 | File Upload filter performance is 20x better with ASCII rather than BINARY mode |
RDAPI-14638 | Error creating account for external identity provider with name containing special characters |
This service pack has no reverted issues.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

- INSTALL_DIR/system/lib/modules directory.
- kpsadmin) and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.

If FIPS mode is enabled, you must perform the following steps to install the service pack:

1. Run togglefips --disable to turn FIPS mode off.
2. Install the service pack.
3. Run togglefips --enable to turn FIPS mode on again.

This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:

Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is co-located with API Gateway, you must also stop Cassandra and close the Cassandra console. If there are any open file locks, this may prevent apigw_sp_post_install.bat from completing successfully.

- Remove any previously installed patches from the INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Extract the service pack archive into the apigateway directory in your existing installation directory. For example: tar -xzvf APIGateway_7.5.3_SP9_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
- Run the post-install script from the apigateway directory in your installation: on Windows, run INSTALL_DIR\apigateway\apigw_sp_post_install.bat; on Linux, run INSTALL_DIR/apigateway/apigw_sp_post_install.sh.

  Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

- On the API Gateway Appliance, run the following commands as the root user on the appliance before starting the Node Manager or API Gateway:

  ```sh
  [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  chown -R admin:admin /opt/gateway/
  grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
  setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
  ldconfig
  ```

- Check that the correct permissions are set on the binaries, for example: ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

- Extract the service pack archive into the analytics directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP9_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
- Run the post-install script from the analytics directory in your installation: on Windows, run INSTALL_DIR\analytics\apigw_analytics_sp_post_install.bat; on Linux, run INSTALL_DIR/analytics/apigw_analytics_sp_post_install.sh.

  Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

- Check that the correct permissions are set on the binaries, for example: ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:

- INSTALL_DIR/policystudio directory.
- Extract the service pack archive into the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP9_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.
To install the service pack on your existing Configuration Studio installation, perform the following steps:

- INSTALL_DIR/configurationstudio directory.
- Extract the service pack archive into the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP9_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
The following steps apply after installing the service pack.

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the API Gateway Appliance commands (steps 6 and 7) in Install the service pack.

To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:

1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:

   ```xml
   <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
   ```

2. Run setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
3. Create the file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:

   ```
   INSTALL_DIR/platform/jre/lib/amd64/server
   INSTALL_DIR/platform/jre/lib/amd64
   INSTALL_DIR/platform/lib/engines
   INSTALL_DIR/platform/lib
   INSTALL_DIR/ext/lib
   ```

4. Run ldconfig.

Note: When API Manager is installed, you must run the update-apimanager script (located in the bin directory) after the API Gateway post-install script to ensure that all paths are up-to-date.
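The following POSIX shell checks were added here as an example of verifying that the three unprivileged-user settings above are in place on a host; they are not an Axway script. They assume INSTALL_DIR is passed as the first argument, that getcap from libcap is installed, and that the installation path contains no spaces.

```shell
#!/bin/sh
# Added example, not an Axway script: verify the post-install settings that let
# an unprivileged user run API Gateway on Linux. Assumes INSTALL_DIR is given as
# the first argument and that the libcap getcap tool is installed.

# The java.library.path value documented for jvm.xml (copied from this readme).
EXPECTED_LIBPATH='$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib'

# Check 1: jvm.xml ($1) carries the documented VMArg. The value holds literal
# $VDISTDIR/$DISTRIBUTION placeholders, so it is matched as a fixed string.
check_jvm_xml() {
  grep -qF "name=\"-Djava.library.path=$EXPECTED_LIBPATH\"" "$1" 2>/dev/null
}

# Check 2: the file capabilities on vshell ($1 = one line of getcap output) are
# exactly cap_net_bind_service and cap_sys_rawio, effective+permitted, and
# nothing more. Both libcap output styles are accepted:
#   /path/vshell = cap_net_bind_service,cap_sys_rawio+ep   (older libcap)
#   /path/vshell cap_net_bind_service,cap_sys_rawio=ep     (libcap >= 2.41)
# getcap lists capabilities in numeric order, so only this order is expected.
# An empty line (no capabilities set) fails. Paths with spaces are not handled.
check_vshell_caps() {
  caps=${1##* }   # last whitespace-separated field: the capability set
  case "$caps" in
    cap_net_bind_service,cap_sys_rawio+ep|cap_net_bind_service,cap_sys_rawio=ep) return 0 ;;
    *) return 1 ;;
  esac
}

# Check 3: the ld.so.conf.d file ($1) lists every library directory the readme
# requires under INSTALL_DIR ($2), each as a whole line.
check_ldconf() {
  for d in platform/jre/lib/amd64/server platform/jre/lib/amd64 \
           platform/lib/engines platform/lib ext/lib; do
    grep -qxF "$2/$d" "$1" 2>/dev/null || return 1
  done
  return 0
}

# Run all three checks against a live installation ($1 = INSTALL_DIR);
# returns non-zero if any check fails.
run_checks() {
  rc=0
  check_jvm_xml "$1/system/conf/jvm.xml" && echo "ok   jvm.xml java.library.path" \
    || { echo "FAIL jvm.xml java.library.path"; rc=1; }
  check_vshell_caps "$(getcap "$1/platform/bin/vshell" 2>/dev/null)" \
    && echo "ok   vshell capabilities" \
    || { echo "FAIL vshell capabilities"; rc=1; }
  check_ldconf /etc/ld.so.conf.d/gateway-libs.conf "$1" && echo "ok   gateway-libs.conf" \
    || { echo "FAIL gateway-libs.conf"; rc=1; }
  return $rc
}

# Usage: sh check_apigw_unprivileged.sh /opt/Axway-7.5.3/apigateway
if [ -n "${1:-}" ]; then
  run_checks "$1"
fi
```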
Go to the Axway Documentation portal at https://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Axway Documentation portal at https://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2018 Axway. All rights reserved.