Document version: 2 November 2016
API Gateway is available as a software installation, a physical or virtual appliance, or as a managed service on Axway Cloud.
The software installation is available on Windows and Linux. For
more
details
on
supported
platforms for software installation,
see
the
The physical appliance is a pre-hardened appliance running the API Gateway runtime delivered on a Dell PowerEdge server. The virtual appliance is a prehardened appliance running the API Gateway runtime and is available as VMware and as an Amazon Machine Image (AMI).
For more details on appliance options, see the
For best performance, after installing or upgrading to API Gateway 7.5.2, it is mandatory to install the patch APIGateway_7.5.2_Patch5885_allOS_BN20161018
.
The following new features and enhancements are available in this release.
You can find the latest information and up-to-date user guides under the Documentation link on Axway website.
Swagger 2.0 definitions for API Management REST APIs provide a consistent way to document the REST APIs across Axway platform products.
You can import these REST APIs in API Manager and publish them to the API Catalog, facilitating secure self-service consumption of API Management REST APIs.
For more details, see
Upgrading existing API Gateway installations has been simplified further:
For more details, see the
You can upgrade from an Oracle Enterprise Linux (OEL) hardware appliance (Vordel appliance) to the Axway Appliance Platform, a SuSE Linux Enterprise hardware appliance, and migrate your data to API Gateway version 7.5.2.
For more details, see
Visual Mapper transitions from Restricted Availability to General Availability status. In addition, new capabilities have been added to improve the mapping experience when creating APIs that integrate with back-end applications.
CustomXsltCode
option in the Visual Mapper palette to enrich the transformation using expressions.compare
, contains
, ends-with
, starts-with
, and matches
, to name but a few) and math functions (like ceiling
, floor
, round
, and sum
) to modify values.allOf
, oneOf
, and anyOf
, are now supported.For more details on data maps, see the
This release provides support for Kerberos Constrained Delegation (KCD):
For more details, see the
API Gateway and API Manager now support Docker containers:
For more details,
see
the
IBM Bluemix support enables deploying Docker containers for API Gateway, API Manager, and Cassandra to IBM Bluemix cloud platform.
General enhancements ensure API Management continues to provide best-in-class solution to secure APIs:
The following features have been deprecated in this release:
The following features have been removed in this release:
The fixes for issues included in API Gateway v7.5.1 SP 1 are also included in API Gateway 7.5.2.
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI‑5430 | — | CVE-2016-3720 |
Issue: Jackson dependency in third party libraries. Resolution: Previously, API Gateway Manager included JAR files provided by Restlet that had a dependency on Jackson version with a known security issue (CVE-2016-3720). Now, these JAR files have been updated to remove the dependency. |
RDAPI‑4962, RDAPI‑4963, RDAPI‑4964 |
00852454 |
CVE-2016-3485, CVE-2016-3500, CVE-2016-3508, |
Issue: Vulnerabilities in Java 8u92
Now, the Java version has been upgraded to Java 8u102, and these vulnerabilities are no longer present in API Gateway. |
Internal ID | Case ID | Description |
---|---|---|
RDAPI‑874 | 785901 | Issue: Files created using SpillToDisk are not deleted and cause exceptions.Resolution: Previously, if a connection timeout during a big file transfer activated the Now, the exception is handled and the temporal file is removed, and you can attempt the file transfer again. |
RDAPI‑1866 | 00846285 |
Issue: Broken link for the Javadoc for JsonNode class. Resolution: Previously, Now, the guide contains a correct working link to the Javadoc for this class. |
RDAPI‑2327 | 776780 |
Issue: When the Connect to URL filter receives a response larger than the Max Received Bytes limit, it returns a truncated result instead of an error. Resolution: Previously, the policy did not trap exceptions encountered while streaming the response to the client. Now, the policy buffers the response in the Reflect Message filter, and ensures that the fault handler is invoked if maximum response length is reached. |
RDAPI‑2408 | 00822930 | Issue: API Gateway does not start because library list is wrong. Resolution: Previously, in Now, the missing path |
RDAPI-2422 | 00808078 | Issue: SuSE Appliance environment is picking up API Gateway's libz.so.1 .Resolution: Previously, the OS binaries, such as Now, the library search path has been fixed, and the OS binaries on the appliance reference the correct libraries. |
RDAPI-2842 | 00820006 | Issue: Schema validation not working as expected for SOAP 1.1 envelope. Resolution: Previously, when using a Schema Validation filter, you could only define a schema explicitly or using a WSDL context. Now, you can configure the Schema Validation filter to use both the WSDL of a web service and XML schemas. In addition, you can select multiple XML schemas to validate the request. |
RDAPI-2932 | 00830393 | Issue: Unable to use the $http.response.time attribute on the Connect to URL filter.Resolution: Previously, using the Now, the attribute returns the response time of the Connect to URL filter. |
RDAPI-2970 | 00830828 | Issue: Blank lines added to header after the XML Signature Generation filter. Resolution: Previously, the XML Signature Generation filter was adding two blank lines before the SOAP signature header. Now, the XML signature is added right next to the SOAP security opening tag. |
RDAPI-3510 | 00836121 | Issue: The XML to JSON filter converts Unicode characters to ? .Resolution: Previously, the XML to JSON filter used the system's default encoding when converting the message. Now, the XML to JSON filter uses UTF-8 encoding. |
RDAPI-3577 | 00838339 | Issue: Delay in outgoing requests from API Gateway while under load. Resolution: Previously, the transaction access logging was doing a reverse DNS lookup with the source IP address to obtain the source host name required to print Now, the transaction access logging uses the message attributes to retrieve the source host name required to print |
RDAPI-3600 | 00825167 |
Issue: A valid JSON Path incorrectly returns no matches. Now, the JSON Path filter handles these filter expressions. The underlying 3rd party library has been updated to fix the problem. See also the known issue with JSON path version change. |
RDAPI-3649 | 00835705 |
Issue: Tight loop reading from closed JMS (IBM MQ) connection filling logs. Now, a concurrent access is no longer triggered. Previously, when a Now, same consecutive errors are no longer printed out, and an increasing delay between retrying operations has been added. |
RDAPI-3785 | 00840339 | Issue: The Admin User Rest API documentation is empty. Resolution: Previously, the documentation for the Admin User REST API was missing. Now, the documentation is available online at https://support.axway.com/htmldoc/1433379. |
RDAPI-3830 | 00842294 | Issue: Leg durations do not work as documented. Resolution: Previously, the leg duration for non-redirect responses was calculated at the end of the entire message. This caused some leg durations to include the duration of subsequent legs. Now, the duration of each individual leg is calculated when the response is received, so the duration accurately reflects just the time spent contacting and receiving a response from the remote connection. |
RDAPI-3928 | 00843534 | Issue: Data missing from the access log. Resolution: Previously, the size of the response body was evaluated before processing the request. This caused several variables in the access log, such as bytes sent to the client, to always appear blank. Now, the bytes sent to the client logged in the access log correctly reflect the size of the content body. |
RDAPI-4099 | 00840564 | Issue: Unclear how the option When policy completes without error in JMS message removal works. Resolution: Previously, when configuring a JMS session, it was not clear how setting the option Remove message from source to When policy completes without error behaved in practice. Now, the instructions in the |
RDAPI-4148 | 00839875 |
Issue: The XML Signature Generation filter throws a Resolution: Previously, the XML Signature Generation filter generated a Now, the XML Signature Generation filter generates a
|
RDAPI-4198 | 00840012 | Issue: Fault handler policy not called on failure. Resolution: Previously, the Read API Proxy filter was not handling exceptional circumstances correctly, and the fault handler was not called in case of a failure. Now, the Read API Proxy filter correctly handles exceptional circumstances and ensures that the fault handler is called. |
RDAPI-4221 | 00844652 |
Issue: SAML2 Authentication Assertion fails with a Now, a
|
RDAPI-4325 | 00845637 | Issue: Cannot add a Policy Assembly filter to a policy. Resolution: Previously, you could not add a Policy Assembly filter to a policy. Now, you can add a Policy Assembly filter to a policy. |
RDAPI-4336 | 00846257 00842837 |
Issue: When a JSON Path expression is not matched, neither the failure path nor the fault handler is invoked. Now, when there is no match, the JSON Path filter executes a failure path or fault handler. |
RDAPI-4411 | 00845501 |
Issue: Cannot run Now, setting |
RDAPI-4415 | 00847177 | Issue: Unclear what is encrypted with PGP Encrypt & Sign filter. Resolution: Previously, it was not clear that PGP Encrypt & Sign filter only encrypts the message body and not any files attached to the message. Now, the instructions in the |
RDAPI-4545 | 00847780 | Issue: Path parameter data type cannot be changed. Resolution: Previously, in the Rest API Wizard in Policy Studio, the path parameters had the fixed type Now, it is possible to specify a different type for the path parameters. |
RDAPI-4560 | 00841589 | Issue: OAuth expired token purge reports a cardinality violation. Resolution: Previously, when you removed a token, the lock type used to remove the token in to the database was Now, when you remove a token, the lock type used to remove the token in to the database is |
RDAPI-4578 | 00848648 | Issue: Key Property Store (KPS) selectors not working in the Throttling filter. Resolution: Previously, a regression to number attribute validation in Policy Studio was introduced in v7.5.1, so you could not use KPS selectors in the Throttling filter. Now, the number attribute validation supports dynamic and complex values. You can again use KPS selectors in the Throttling filter. |
RDAPI-4598 | 00848902 | Issue: The Resolution: Previously, the Now, the reference has been removed. |
RDAPI-4606 | 00832311 | Issue: Wrong behavior on the Retrieve Attributes from Directory Server filter if the directory is called several times. Resolution: Previously, in the Retrieve Attributes from Directory Server filter, if you selected Enable the legacy attribute naming for retrieved attributes and called the directory more than once, the previously retrieved attribute values were overwritten with each call. Now, the retrieved values are no longer overwritten and correctly match the values in the directory. |
RDAPI-4611 | 00848503 | Issue: No information how to get a symmetric key for XML Encryption Settings filter. Resolution: Previously, the Now, this information has been added to the |
RDAPI-4637 | 00849495 | Issue: JSON Remove node filter not working as expected. Resolution: Previously, the value of check box Fail if no nodes returned from JSON Path in the JSON Remove Node filter was ignored. Now, the JSON Remove Node filter follows the success path if this check box is selected and the JSON Path expression does not return any nodes. |
RDAPI-4694 | 00807182 | Issue: No HTTP header information in Traffic Monitor in API Gateway Manager. Resolution: Previously, the response headers were not available in Response From API Gateway in Traffic Monitor when the response starts with Now, all the headers are correctly shown. |
RDAPI-4709 | 00850244, 00849861 |
Issue: Cassandra connection needed at startup on a system not using Cassandra. Resolution: Previously, if you upgraded from a system that was not using Cassandra, API Gateway tried to establish a connection to a Cassandra server, resulting in an error. Now, you no longer need to have a running Cassandra if your system does not use Cassandra. |
RDAPI-4725 | 00847255 | Issue: Variable cannot be entered in the Port field for a File Transfer Service listener. Resolution: Previously, when configuring a File Transfer Service listener in Policy Studio, you could not set the port value to use a selector. Now, you can set the port value to use a selector. |
RDAPI-4780 | 00850244 | Issue: sysupgrade apply fails without Cassandra.Resolution: Previously, Now, if the upgraded deployment does not need Cassandra, the upgrade process no longer requires a running Cassandra instance to succeed. |
RDAPI-4793 | 00851001 | Issue: Cross-site scripting (XSS) vulnerability in API Gateway Manager. Resolution: Previously, API Gateway Manager was vulnerable to XSS attacks. In case of repeated failed login attempts to API Gateway Manager, an error message containing the unescaped user name was displayed. Now, the error message displayed no longer contains the user name. |
RDAPI-4842 | 00851284 |
Issue: Cannot deserialize an instance of Resolution: Previously, in the Verify ID Token filter, the presence of an Authentication Methods References ( Now, |
RDAPI-4930 | 00851377 | Issue: The Create ID Token filter creates an incorrect at_hash value.Resolution: Previously, generating and verifying the Now, the |
RDAPI-5271 | 00852989 | Issue: Environmentalized Certificate Chain filter only shows certificates with private key. Resolution: Previously, when automatically environmentalizing a Certificate Chain filter in Policy Studio, you could only see a small set of certificates in Configuration Studio. Now, you can see all certificates in Configuration Studio. |
RDAPI-5313 | 00855744 | Issue: WebSocket policies not working after upgrading to API Gateway v7.5.1. Resolution: Previously, when you configured a WebSocket handler in Policy Studio and selected a policy for Websocket communication from client or Websocket communication from server, the Now, the |
The following are known issues for this release of API Gateway:
Fixing an issue with the Connect to URL filter inadvertently caused a major defect in the Reflect filter. This defect manifests as a memory leak causing API Gateway to crash.
The patch APIGateway_7.5.2_Patch5885_allOS_BN20161018
fixes this issue. You must download and install the patch from Axway Support at https://support.axway.com.
Note | It is mandatory that you install this patch before you use API Gateway v7.5.2. |
Before upgrading API Gateway v7.5.2, you must remove the old JSON path file ($VDISTDIR/system/lib/modules/json-path-1.2.0.jar
). Upgrading v7.5.2 installs a JSON path file (json-path-2.2.0.jar
) in the same directory.
In addition, Policy Studio uses the JSON path file to validate path expressions. Before upgrading v7.5.2, you must also remove the file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_VERSION_DATE/lib/json-path-1.2.0.jar
). Upgrading v7.5.2 installs a JSON path file (json-path-2.2.0.jar
) in the same directory.
Note | If any JSON Path filters are being used in a policy, the JSON path expression used must be checked for compatibility with json-path-2.2.0 . It is possible that a policy which worked in earlier versions contains an invalid JSON path expression in API Gateway v7.5.2. For example: |
$[?(@.virtualHost == <example>)]
|
$[?(@.virtualHost == '<example>')]
|
The sysupgrade export
command calls the old API Gateway version 7.x server to export Key Property Store (KPS) data to JSON files. On Windows, these JSON files are created successfully, but the locks on the JSON files are kept open because the old API Gateway server does not release the locks. For example, this means that if you try to delete the JSON file in Windows Explorer, you get a message that the file cannot be deleted because it is being used by another process. If you try to run sysupgrade export
again, the export will fail.
This is only an issue when upgrading API Gateway versions earlier than 7.5.1.
The workaround is to restart the old API Gateway instance after each sysupgrade export
, which releases the locks. To avoid downtime, you should restart each API Gateway instance after each export
one-by-one.
New users that were registered in API Manager before an upgrade, but who did not complete registration by activating their account with the link provided in email, cannot complete registration after the upgrade. The link in the email references the API Manager API v1.1 that is no longer available. For example:
https://<API Gateway IP address>/api/portal/v1.1/users/validateuser?email=s@s.com&validator=9a5addcb-e10c-499b-bf0a-0c70915f3862 |
The workaround is that the user copies the link address, pastes it to the address bar, and changes the API version v1.1
to v1.2
or v1.3
. After this, the activation link works, and the user can complete registration.
When installing Cassandra, you are prompted to specify a JRE for Cassandra. You can select the default 32-bit JRE bundled with API Gateway. However, this default RE has the following limitations on Windows:
It is recommended to download and install a separate 64-bit JRE before installing Cassandra on Windows, and select this JRE during Cassandra installation. Cassandra requires the latest version of JRE 8.
For more details, see the
Modern Windows versions support the new PowerShell command-line interpreter. The Cassandra installation provides both the old .bat and the new .ps1 startup files.
When you run the cassandra command in CASSANDRA_HOME\bin, it runs either in the legacy startup mode or the new startup mode depending on the PowerShell script execution policy setting. If this policy is set to Unrestricted, the new PowerShell startup script runs. Else, the legacy startup script runs.
The startup behavior and command line options are different depending on the type of startup. For more details, see the
If you select an alternative JRE instead of the default JRE during the installation and want to enable Cassandra to use TLS, you must install Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction policies for your JRE.
The cqlsh command is not supported on API Gateway Appliance. For more details, see
The jabber
and restJabber
code samples are missing from the INSTALL_DIR/apigateway/samples/developer_guide
directory. You can download these code samples from Axway Support at https://support.axway.com.
/etc/resolv.conf
is not reachable), the HTTP Long Polling connections have a time delay at the API Gateway. WebSocket connections are not affected.When you operate in FIPS mode, the implementation from the default, non-FIPS provider is invoked, if any of the following algorithms is selected in the JWT Signing filter:
To avoid this, disable the Bouncy Castle Crypto Provider in the /system/conf/jvm.xml file. When the JWT Signing filter with one of the above algorithms selected is called, the filter fails with the following error:
|
For more details, see the
3
so each node holds 100% of the data and you can tolerate the loss of one nodeFor more details, see
For best performance, do the following:
keep-alive
whenever possible to avoid creating and dropping connections for each individual request.initial latency(ms)* expected throughput (count) / 1000 ms = the number of threads (count)
. In HA deployment, you may want to account failure in one node. Note that the ratio of thread count and CPU cores impacts the latency. You may also want to consider horizontal scaling instead of vertical scaling.This section describes documentation enhancements and related documentation.
You can find the latest information and up-to-date user guides under the Documentation link on Axway website.
The following new user guides have been added in this release:
The following user guides have been updated in this release:
Axway API Gateway is accompanied by a complete set of documentation, covering all aspects of using the product. Go to Axway Support at https://support.axway.com to find all documentation for this product version.
For more information about API Gateway and how it is used in API Management, see the
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.