


Axway API Gateway 7.5.2 SP 1 Readme

Document version: 12 January 2017


Readme for 7.5.2 SP 1

This Readme applies to Axway API Gateway 7.5.2 SP 1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

  • API Gateway Core Server
  • API Gateway Analytics
  • Policy Studio
  • Configuration Studio

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.2_SP1_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements:

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-6581 CVE-2016-0782, CVE-2016-0734, CVE-2015-5254

Issue: Upgrade Apache ActiveMQ dependencies to latest version (5.14.1).
Resolution: Previously, API Gateway included Apache ActiveMQ version 5.12, which is vulnerable.

Now, API Gateway includes Apache ActiveMQ 5.14.3, which addresses known vulnerabilities.

Note: Apache ActiveMQ 5.14.3 has a restriction on object message types. To allow serialization/deserialization of object messages, you must add the impacted packages to the system property in the jvm.xml file.

To configure globally, add the following to <API_GW_INSTALL_DIR>/system/conf/jvm.xml:
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=<comma separated list of packages>"/>
For example:
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=myorg.data,myorg2.data2"/>

To configure an API Gateway instance, add the following to <API_GW_INSTALL_DIR>/groups/<group-N>/<instance-N>/conf/jvm.xml:
<ConfigurationFragment>
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=<comma separated list of the packages>"/>
</ConfigurationFragment>
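
An added example, not part of the Axway Readme or product: a Python check that reads the text of a jvm.xml file and reports how wide the SERIALIZABLE_PACKAGES allowlist is. The BROAD prefix list and both sample documents are constructed for illustration, and the check assumes that an entry also covers its sub-packages.

```python
import xml.etree.ElementTree as ET

PROP = "-Dorg.apache.activemq.SERIALIZABLE_PACKAGES="
# Prefixes this example treats as too broad (an assumption; tune per site).
BROAD = {"java", "javax", "org", "com", "net", "org.apache"}

def audit_jvm_xml(xml_text):
    """Return (packages, findings) for the text of one jvm.xml file."""
    root = ET.fromstring(xml_text)
    # Collect the value of every VMArg that sets the allowlist property.
    values = [e.get("name", "")[len(PROP):]
              for e in root.iter("VMArg")
              if e.get("name", "").startswith(PROP)]
    packages, findings = [], []
    if not values:
        findings.append("property not set: ActiveMQ defaults apply")
    if len(values) > 1:
        findings.append("property set %d times: keep a single VMArg" % len(values))
    for value in values:
        for raw in value.split(","):
            pkg = raw.strip()
            if not pkg:
                findings.append("empty entry in list")
            elif pkg == "*":
                findings.append("wildcard '*' present: a lone '*' trusts all packages")
            elif pkg in BROAD or "." not in pkg:
                findings.append("broad prefix: " + pkg)
            if pkg and pkg not in packages:
                packages.append(pkg)
    return packages, findings

# Constructed samples: the Readme's own example value, then a weak variant.
SAMPLE_OK = """<ConfigurationFragment>
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=myorg.data,myorg2.data2"/>
</ConfigurationFragment>"""
SAMPLE_WEAK = """<ConfigurationFragment>
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=*"/>
<VMArg name="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=com, myorg.data"/>
</ConfigurationFragment>"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        pkgs, issues = audit_jvm_xml(text)
        print(label, pkgs, issues)
```

Run it against both the global jvm.xml and each instance-level jvm.xml, since either file can set the property.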

Other fixed issues

Internal ID Case ID Description
RDAPI-2452

Issue: IBM Tivoli Access Manager for e-business v6.1 support.
Resolution: Previously, API Gateway integrated with IBM Tivoli Access Manager for e-business versions 5.0 and 6.0. IBM no longer supports these versions.

Now, API Gateway integrates with IBM Tivoli Access Manager for e-business v6.1. The integration is only supported on Windows. For more details, see the API Gateway Authentication and Authorization Integration Guide.

RDAPI-4009 00833374

Issue: Reconnecting to hardware security module (HSM) not working.
Resolution: Previously, if API Gateway lost the connection to a SafeNet Network HSM server, API Gateway did not handle cryptokey errors properly to re-establish the session.

Now, API Gateway re-establishes the session and continues to work properly with the HSM server.

RDAPI-5062 00852304

Issue: Cannot use keys for SFTP user authentication without user public and private key.
Resolution: Previously, if you tried to store a public key and a dummy private key (because a private key is not required for SFTP user authentication), the sample authentication script failed when attempting to connect using the matching private key.

Now, you can store a public key and a dummy private key, and the updated sample script correctly authenticates when connecting using the matching private key.

RDAPI-5535 00856560

Issue: Kicked out of logged in user if a different login for that user fails six times.
Resolution: Previously, the user session was terminated after six or more failed attempts to log in with the same user name.

Now, the user remains logged in regardless of failed authentication attempts.

RDAPI-5537 00855363

Issue: The Throttling filter is unreliable under heavy load using distributed cache.
Resolution: Previously, if the API Gateway instance was under heavy load, the accuracy of the Throttling filter decreased.

Now, the Throttling filter works reliably even under heavy load, without letting through more messages than specified.

RDAPI-5544 00854184

Issue: Service name never shows for JMS requests in traffic monitoring.
Resolution: Previously, the values for JMS attributes (Service, Operation, and Subject) were stored in the message after the event was written to the opsdb.d directory.

Now, these attribute values are written to opsdb.d and are displayed in the corresponding columns in the JMS section of the Traffic monitoring screen in API Gateway Manager.

RDAPI-5546 00855750

Issue: API Gateway Manager shows Undefined API Gateway server values.
Resolution: Previously, when real time monitoring was disabled, the Host, Group, and Management Port fields for each instance displayed in the API Gateway Manager web console had values of Undefined, and the traffic charts showed no messages being processed.

Now, the Host, Group, and Management Port fields are populated correctly, and the traffic charts are replaced by the text No Data.

RDAPI-5898 00859112

Issue: Redaction not complete for HTTPRedactor (redacted at DATA level but still shows in API Gateway Manager).
Resolution: Previously, the API Gateway Manager web console displayed non-redacted query strings for outgoing HTTP requests.

Now, non-redacted query strings are no longer stored. The redacted version of the query is still available in stored data.

RDAPI-6009

Issue: Memory leak in the Reflect filter.
Resolution: Previously, the Reflect filter did not always release resources required for the response correctly.

Now, after creating the response, the Reflect filter cleans memory and releases the resources.

RDAPI-6038 00860536

Issue: API Gateway Analytics exploitable issue returning data (HTTP 500 server error).
Resolution: Previously, the API Gateway Analytics Reports REST API was vulnerable to Cross-Site Scripting (XSS) attacks.

Now, the XSS vulnerability has been addressed in the API Gateway Analytics Reports REST API.

RDAPI-6232 00864374

Issue: Display issue when Server Settings > Cassandra > Hosts > Port setting comes from envSettings.props
Resolution: Previously, any attempt to add selector strings to the Server Settings > Cassandra > Hosts > Port field would result in the editor becoming unusable for subsequent changes.

Now, you can persist selector strings and have the editor display and re-edit as expected.

RDAPI-6448 00841372

Issue: Applying a service pack breaks Policy Studio help.
Resolution: Previously, after applying a service pack, the Policy Studio help contents were missing, and the help was blank.

Now, after applying a service pack, the Policy Studio help is displayed normally.

RDAPI-6583 00865176

Issue: Connect to URL tunneling through proxy to HTTPS not ignoring host name certificate check.
Resolution: Previously, when using the Connect to URL filter and tunneling through an HTTP proxy to an HTTP back-end, the "Server's SSL cert's name must match name of requested server" setting in Server Settings > General was ignored, and the host name check was performed regardless. This caused SSL certificate verification errors if you tried to connect to the back-end using an IP address in the Connect To URL filter.

Now, the "Server's SSL cert's name must match name of requested server" setting in Server Settings > General is taken into account, and if turned off, the certificate match for the host name will not take place.

RDAPI-6690 00869225

Issue: setup-apimanager uses default value of environmentalized variable for Cassandra host.
Resolution: Previously, the setup-apimanager script did not use environmentalized values to connect to Apache Cassandra.

Now, this script respects environmentalized values (for example, an environmentalized Cassandra host when trying to connect to Cassandra).

 

Known issues

This service pack has no known issues.


Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. Remove the old JSON path file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_7.5.2._DATE/lib/json-path-<version>.jar).
  5. If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the nodemanager to move the JARs.
  3. Stop the nodemanager.
  4. Install API Gateway 7.5.2 SP 1.
  5. Start the nodemanager.
  6. Stop the nodemanager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the nodemanager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway.

  • To install a new API Gateway installation from scratch without an existing installation, see the API Gateway Installation Guide.
  • To upgrade from an earlier version of API Gateway to v7.5.2, see the API Gateway Upgrade Guide.

Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.5.2 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.2 SP 1 Core over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.2_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.2/apigateway/
  4. Run the following script:
    • Linux: INSTALL_DIR/apigateway/apigw_sp_post_install.sh
    • Windows: INSTALL_DIR\apigateway\apigw_sp_post_install.bat

API Gateway Appliance only

  1. In addition, before starting the Node Manager or API Gateway, you must run the following command:
    # [ -f /etc/vordel/ssl-engines.xml ] && mv /etc/vordel/ssl-engines.xml /etc/vordel/ssl-engines.xml.1

  2. Run the following:
    # chown -R admin:admin /opt/gateway/

    # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    # ldconfig

Note

  • If you have installed a licensed version of API Gateway 7.5.2, you do not require a new license to install service packs.
  • Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
  • If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
  • If you have installed an existing version of API Manager, you must apply a separate service pack for that component (see the Readme for Axway API Manager 7.5.2 SP 1).

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.2 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.2 SP 1 Analytics over the analytics directory within your existing API Gateway 7.5.2 installation directory. For example:
    tar -xzvf APIGateway_7.5.2_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.2/analytics/
  4. Run the following script:
    • Linux: INSTALL_DIR/analytics/apigw_analytics_sp_post_install.sh
    • Windows: INSTALL_DIR\analytics\apigw_analytics_sp_post_install.bat

Note

  • Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
  • You must also install a service pack for your existing 7.5.2 Core Server.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.2 SP 1 Policy Studio over the policystudio directory within your existing API Gateway 7.5.2 installation directory. For example:
    tar -xzvf APIGateway_7.5.2_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.2/policystudio/

The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.2 SP 1 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.2 installation directory. For example:
    tar -xzvf APIGateway_7.5.2_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.2/configurationstudio/

The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

Note: On API Gateway Appliance, you can skip the following steps if you already ran the code in steps 4 and 5 in Install the API Gateway Core Server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

Documentation

Go to Axway Support at https://support.axway.com to find all documentation for this product version.

All Axway documentation is available from Axway Support at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2017 Axway. All rights reserved.