Document version: 01 May 2020
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP13, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP13_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
com.axway.apimanager.api.data.cache Java system property to true.
New properties have been added to the "XMLRedactor" tag in the XML redaction configuration:
```xml
<XMLRedactor maxBufferSize="32768" maxDepth="1024">
  <RedactMime mimeType="application/xml"/>
  ...
</XMLRedactor>
```
Those properties are defined by:
Name | Type | Default value | Description |
---|---|---|---|
maxBufferSize | number | 32768 | Maximum memory size (in bytes) used by XML redaction. |
maxDepth | number | 1024 | Maximum depth of XML nested nodes. |
The XML redactor does not perform XML validation; it only scans the data that will be stored in Traffic Monitor and removes the XML parts matching the configuration.
The XML redactor uses a cautious approach. If an error occurs during the redaction process (including "maxBufferSize" or "maxDepth" being reached), it redacts the rest of the XML data being processed, so that no sensitive data is written to the logs. This means that, in such error cases, the data stored in Traffic Monitor will be truncated.
redactAttributes | Removes the specified attributes |
The redactAttributes directive is the default value if redactionDisposition is not present on an XMLRedactedElement configuration node.
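The cautious-mode behaviour described above (a limit reached or malformed input means the remainder is dropped rather than logged unredacted), as an added illustration that is not Axway's code: a small Python redactor with the same maxBufferSize and maxDepth knobs and a redactAttributes-style disposition. The element names, the "[REDACTED]" marker, the return-value shape and the sample document are assumptions of this example.

```python
import xml.parsers.expat
from xml.sax.saxutils import escape, quoteattr


class RedactionLimit(Exception):
    """Raised when maxBufferSize or maxDepth (the documented limits) is hit."""


def redact_xml(data, redacted_elements, max_buffer_size=32768, max_depth=1024,
               redact_attributes=True):
    """Return (redacted_output, truncation_reason).

    Text inside any element whose name is in `redacted_elements` becomes
    "[REDACTED]"; with redact_attributes=True that element's attributes are
    dropped too (modelled on the redactAttributes disposition). If the output
    would exceed max_buffer_size bytes, nesting exceeds max_depth, or the
    input is not well-formed, everything from that point on is discarded and
    truncation_reason names the cause: the cautious mode the page describes,
    so an unredacted tail can never reach the log. Defaults mirror the page.
    """
    out = []
    state = {"size": 0, "depth": 0, "inside": 0, "marked": False}

    def emit(fragment):
        state["size"] += len(fragment.encode("utf-8"))
        if state["size"] > max_buffer_size:
            raise RedactionLimit("maxBufferSize")
        out.append(fragment)

    def start(name, attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            raise RedactionLimit("maxDepth")
        if name in redacted_elements:
            state["inside"] += 1
        if state["inside"] and redact_attributes:
            attrs = {}  # drop attributes of (and under) a redacted element
        state["marked"] = False
        emit("<%s%s>" % (name, "".join(" %s=%s" % (k, quoteattr(v))
                                        for k, v in attrs.items())))

    def end(name):
        emit("</%s>" % name)
        if name in redacted_elements:
            state["inside"] -= 1
        state["depth"] -= 1
        state["marked"] = False

    def chars(text):
        if state["inside"] and text.strip():
            if not state["marked"]:      # one marker per text run, even if
                emit("[REDACTED]")       # expat delivers it in chunks
                state["marked"] = True
        else:
            emit(escape(text))           # whitespace/layout is kept as-is

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except RedactionLimit as limit:
        return "".join(out), str(limit)
    except xml.parsers.expat.ExpatError:
        return "".join(out), "malformed"
    return "".join(out), None


# Constructed sample document for this example.
SAMPLE_XML = ('<login user="bob"><password id="p1">hunter2</password>'
              '<note>ok</note></login>')
```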
com.axway.apimanager.csrf to false. The default is true. Related issues: RDAPI-14363, RDAPI-16582, IAP-1592
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-17536 | 01095306 | | Issue: Dojo 1.10.4 has a security vulnerability. Resolution: Upgraded to Dojo 1.10.10, where the vulnerability is fixed. |
RDAPI-17972 | 01096489 | | Issue: A malicious user can use a bad scope to force the authentication request to redirect the error message to a non-validated URI. Resolution: Redirect URIs are validated before the scopes, and an invalid request response is sent if the URI is invalid. This ensures that, in the event of a bad scope, the error information is redirected to a legal URI. |
RDAPI-19003 | 01115803 | | Issue: In API Gateway, a header with an empty value was incorrectly subjected to RFC 7230 "obs-fold" parsing, concatenating it with the next header. Resolution: API Gateway now conforms to RFC 7230 and empty headers are left unchanged. |
RDAPI-19894 | 01155074 | | Issue: Proxy authorization appears in product traces. Resolution: Authentication information has been removed from traces. |
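To show what the RDAPI-19003 defect means for a header parser, here is an added Python example (not API Gateway code) with two parsers: one that reproduces the described bug of treating the line after an empty-valued field as an obs-fold continuation, and one that follows RFC 7230, where only a line beginning with SP or HTAB continues the previous field. The sample header block, the function names and the tuple-list representation are constructed for this example.

```python
def _fold_into_last(headers, line):
    """Append an obs-fold continuation line to the most recent field value."""
    if not headers:
        raise ValueError("obs-fold continuation before any header field")
    name, value = headers[-1]
    headers[-1] = (name, (value + " " + line.strip()).strip())


def parse_headers_legacy(raw):
    """Toy model of the defect described in RDAPI-19003 (not the product's
    parser): after a field with an empty value, the NEXT line is treated as a
    continuation even though it does not start with SP/HTAB, so that line's
    name and value are swallowed into the empty field and the header vanishes."""
    headers = []
    fold_next = False
    for line in raw.split("\r\n"):
        if line == "":
            break  # blank line terminates the header block
        if fold_next or line[0] in " \t":
            _fold_into_last(headers, line)
            fold_next = False
            continue
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
        fold_next = value.strip() == ""  # the bug: an empty value arms a fold
    return headers


def parse_headers_rfc7230(raw):
    """Conforming parser: a line continues the previous field only when it
    begins with SP or HTAB (RFC 7230 obs-fold). An empty field value is a
    complete field and is left unchanged."""
    headers = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        if line[0] in " \t":
            _fold_into_last(headers, line)
            continue
        name, sep, value = line.partition(":")
        # RFC 7230 forbids whitespace between field-name and ":"; reject
        # rather than guess, because lenient parsing invites header confusion.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    return headers


def header_value(headers, name):
    """Case-insensitive lookup of the first value for `name`, or None."""
    for field, value in headers:
        if field.lower() == name.lower():
            return value
    return None


# Constructed sample: an empty-valued header followed by Host, then a
# genuine obs-fold continuation (HTAB-prefixed) of X-Long.
SAMPLE_HEADERS = (
    "X-Empty:\r\n"
    "Host: api.example.test\r\n"
    "X-Long: part one\r\n"
    "\tpart two\r\n"
    "\r\n"
)
```

With the legacy parser the Host field disappears into X-Empty, which is why a downstream policy keyed on Host would see nothing; the conforming parser keeps all three fields.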
Internal ID | Case ID | Description |
---|---|---|
RDAPI-15529 | 01027622, 01027524 | Issue: Incorrect timestamps in file names of scheduled reports from API Gateway Analytics. Resolution: Timestamps in file names are set correctly to the report generation time. |
RDAPI-16215 | 01051451, 01089908, 01111214, 01056297, 01068051 | Issue: Documentation to restore a Cassandra snapshot backup was incorrect. Resolution: The documentation has been updated with a script to reload indexes in Cassandra. |
RDAPI-16756 | 01041571 | Issue: User's mobile number is not synchronized when sent in policy during API Manager master/slave synchronization. Resolution: User's mobile number is gathered and saved in the slave. |
RDAPI-17262 | 01055643 | Issue: Message body is lost in the OAuth token and refresh token expiry case. Resolution: Message body is preserved in case of OAuth token and refresh token expiry. |
RDAPI-17341 | 01088090 | Issue: Get OAuth Client Access Token doesn't handle array data in the JSON returned by the OAuth server. Resolution: OAuth Client Access Token JSON can now contain arrays as additional information. |
RDAPI-17409 | 01090929 | Issue: Failed login attempts to API Manager are not in the audit log. Resolution: Failed login attempts to API Manager are now properly logged in the audit log. |
RDAPI-17569 | 01078776, 01109328, 01110676 | Issue: Nested relative path behavior changed, causing customer policies to fail. Resolution: The invocation of policies for nested relative paths in API Gateway has been corrected according to the Axway API Gateway documentation. |
RDAPI-17666 | 01089014 | Issue: In the Export Dialog tree, for Environment Settings, all Filter items were named "Environmentalized Fields", so the user does not know what is being selected. Resolution: Updated the labeling to replace "Environmentalized Fields" with a description of the associated filter. |
RDAPI-17675 | 01026796, 01046656 | Issue: SFTP client filter shows intermittent handshake failure when uploading files to an API Gateway SFTP Server. Resolution: Intermittent handshake failures are fixed after the SFTP implementation was upgraded from mina-sshd v0.6.0 to v2.2.0. Note: log4j.properties was changed in order to add logging for the SFTP Server. Therefore, when applying a patch or upgrade, you must merge your changes back into the updated log4j.properties file. |
RDAPI-17770 | 01096567 | Issue: Content-types in API requests cause incorrect path matching for multiple ambiguous API matches. Resolution: Path matching now determines the best path by comparing API matches with and without content-type equally. |
RDAPI-17801 | 01101486 | Issue: In API Manager, API Access could not be revoked from an Application through the api-promote script. Resolution: A new property (app.apis.remove) has been added to the script to allow users to remove API Access from an Application. |
RDAPI-17804 | 01100006, 01130690 | Issue: API Gateway Analytics throws an error when values greater than the limit for a signed Integer are returned by the Database. Resolution: Analytics now handles Database response values as Long data types. |
RDAPI-17917 | 01102301 | Issue: False positives in security scans due to inclusion of this.py in the Jython distribution. The code is harmless and not used by API Gateway. Resolution: this.py was removed. |
RDAPI-17921 | 01102542 | Issue: Running KPSAdmin with the diagnostic option results in a 410 GONE error message while attempting to retrieve data that did not exist. Resolution: The KPSAdmin script has been updated to exit when all data is retrieved. |
RDAPI-17991 | 01104282 | Issue: In API Gateway, when a JSON message containing an empty object goes through redaction, an error occurs and API Gateway fails to log the correct data in the Traffic Monitor. Resolution: In API Gateway, JSON Redaction accepts empty objects in messages and logs the result to the Traffic Monitor. |
RDAPI-17992 | 01102029, 01104054 | Issue: Invocation of the "Store Message" and "Restore Message" filters might result in an empty message body when the message body content is too large. Resolution: The filters correctly process large message body content. |
RDAPI-18048 | 01105501 | Issue: Editing of application sharing details prevents further editing of other application details. Resolution: Editing of application details is no longer interrupted. |
RDAPI-18090 | 01104104 | Issue: In API Manager, setting a custom subject inside the E-mail templates has no effect and E-mails are sent with their default subject. Resolution: In API Manager, E-mails are now sent with the custom subject if set in the templates; default subjects are used otherwise. |
RDAPI-18097 | 01122840, 01102901 | Issue: Projpack is extremely slow to process large numbers of projects because it merges the same dependent projects multiple times. Resolution: Duplicate dependent projects are removed from the projects to be merged, which reduces the merge time. |
RDAPI-18132 | 01108034 | Issue: GET requests for WSDLs are not validating that the request path contains ?WSDL before path matching. Resolution: GET requests for WSDLs now check for ?WSDL before path matching. |
RDAPI-18149 | 01112434, 01108109 | Issue: Running the post-install script against an API Gateway that is already up to date returned an exit code of 1. Resolution: Updated the script so that, when the API Gateway is already up to date, it returns a successful exit code of 0. |
RDAPI-18171 | 01093982 | Issue: Description field is missing in the Method edit page of Backend API in API Manager. Resolution: Description field returned to the Method edit page of Backend API in API Manager. |
RDAPI-18175 | 01096753, 01111767, 01094639 | Issue: In Policy Studio or Configuration Studio, the KPS Table Structure view shows black check-boxes for table rows on Windows. Resolution: The KPS Table Structure view correctly shows check-boxes for table rows. |
RDAPI-18271 | 01111969 | Issue: A user with the user role encounters a permission error when creating an application. Resolution: A user with the user role no longer encounters unexpected errors when creating an application. |
RDAPI-18307 | 01085199, 01082725 | Issue: API Manager blocks API Manager traffic when processing virtualized API updates. Resolution: API Manager no longer blocks API Manager traffic. |
RDAPI-18319 | 01111766 | Issue: A generic "Invalid Data" error message is displayed upon entering an invalid Security Certificate URL. Resolution: A detailed error message is displayed in this scenario. |
RDAPI-18324 | 01110362 | Issue: Wildcard username and password database configuration does not work when used for the OAuth access token store. Resolution: Database connector fixed to support wildcard username and password when used in the OAuth access token store. |
RDAPI-18355 | 01111271 | Issue: Extract REST Request Attribute incorrectly validated the URI path as a host when attempting to decode the extracted attribute. Resolution: Extract REST Request Attribute now treats the URI path correctly when decoding the extracted attribute. |
RDAPI-18372 | 01141489, 01103876, 01058292 | Issue: When redaction is enabled, floating-point numbers in the JSON body are displayed in exponential format. Resolution: The format of floating-point numbers in the JSON body is preserved. |
RDAPI-18428 | 01116180 | Issue: In API Gateway, when using an ICAP Filter, sending a file larger than the "Maximum Sent Bytes per Transaction" results in a crash. Resolution: In API Gateway, sending a file larger than the "Maximum Sent Bytes per Transaction" to an ICAP server stops the transaction and logs that the limit has been reached. |
RDAPI-18442 | 01109440 | Issue: Validation in the UI allows zero and decimal values, but the service is not able to handle them. Resolution: Improved validation in the UI does not allow zero or decimal values in quota settings. |
RDAPI-18443 | 01109437 | Issue: UI validation of quotas gets stuck in an invalid state even when correct values are entered again. Resolution: Validation is correctly triggered on quota changes and behaves as it should. |
RDAPI-18538 | 01057664, 01058079 | Issue: Swagger 2.0 type integer with format int64 is handled as integer on import, although it should be handled as long. Resolution: Swagger 2.0 import of type integer with format int64 is now handled as long. |
RDAPI-18547 | 01114559 | Issue: In API Gateway, calling the function "removeAttribute" on an XML Element in a Scripting Filter causes the Gateway to crash. Resolution: The attribute is removed correctly. |
RDAPI-18553 | 01103156 | Issue: In API Gateway, use of the getContent method of a NodeImpl object results in a crash when the content is null. Resolution: The method has been fixed to handle null content correctly. |
RDAPI-18598 | 01121284 | Issue: Event logging was not writing the required application ID to the service context "client" field when OAuth was in use. Resolution: A new attribute "authentication.application.id" has been added, which can be used to set the client value correctly in the event logs for OAuth. A Java system property must also be added to the jvm.xml file in the conf/ directory of the instance to disable writing the username to the service context in the event logs, which is a requirement for Embedded Analytics for API Manager to work correctly. For example: <ConfigurationFragment> <VMArg name="-Dcom.axway.coreapi.method.servicecontext.clientattr=true" /> </ConfigurationFragment> |
RDAPI-18860 | 01124812 | Issue: In the API Gateway Policy Developer Filter Reference, the XML signature generation filter has an undocumented option "Include Transforms". Resolution: In the API Gateway Policy Developer Filter Reference, the "Include Transforms" option is now part of the XML signature generation filter documentation. |
RDAPI-18881 | 01128662 | Issue: When using the XML to JSON filter with "Convert number/boolean/null elements" set to "primitives" in a policy, the XML to JSON filter treats certain strings incorrectly, as Big Decimals. Resolution: The third-party de.odysseus.staxon jar has been updated to address this issue. |
RDAPI-18890 | 01121197 | Issue: The Application Export DAT file is encrypted if the password field in the UI dialog contains data. The Encrypt option is ignored if a password was previously set. Resolution: The Application Export DAT file is only encrypted if the encrypt option is set and a password is provided. |
RDAPI-19043 | 01080989, 01122354 | Issue: API Gateway Analytics metrics include both the start and end time data points, causing an overlap when combining consecutive time frames. Resolution: Reports exclude the end time data point so that consecutive reports' metrics match the combined report totals. |
RDAPI-19103 | 01127538 | Issue: Performance issues with the Dashboard of the API Gateway Manager UI caused by huge amounts of unnecessary data sent to the UI. Resolution: Performance has been improved by reducing the amount of data sent to the UI. |
RDAPI-19239 | 01138607, 01139565, 01139664 | Issue: A large number of open socket descriptors on Linux 64-bit may cause API Gateway to crash. Resolution: API Gateway can now handle a large number of socket descriptors on Linux 64-bit. |
RDAPI-19428 | 01142622 | Issue: When redaction is enabled, the HTTP response stored in Traffic Monitor is truncated after the first "100 Continue" header. Resolution: "100 Continue" support has been added to the HTTP redaction layer, and fully redacted HTTP responses are stored in Traffic Monitor. |
RDAPI-19448 | 01139463 | Issue: When all methods of an API have their inbound security profile overridden, an invocation of a non-existing method returns 500 Authentication Not Configured. This can allow a malicious user to guess the methods of a secure API. Resolution: Invoking a non-existing method of an API uses the default API inbound security profile defined in that API to validate the caller. |
RDAPI-19845 | 01155091, 01155089 | Issue: In Policy Studio, configuration fragments were not imported correctly. Resolution: Configuration fragments are imported correctly. |
v7.5.3 adds improved support for Apache Cassandra 2.2.12. However, the API Gateway Installation Guide and API Gateway Upgrade Guide incorrectly state that API Gateway supports Apache Cassandra versions 2.2.5 and 2.2.8 only. This user documentation will be updated to reflect support for Cassandra version 2.2.12 at a later date.
Related issues: RDAPI-14421
The following known issues are currently scheduled for the next service pack.
Internal ID | Description |
---|---|
RDAPI-16486 | Changes in the mapper always require a reload in the Execute Data Maps filter, and once reloaded, the values for the required parameters must be provided again. |
RDAPI-16778 | Doc update: recommendations for Cassandra storage. |
RDAPI-17282 | Connector for Salesforce APIs in API Manager doesn't work or is impossible to configure. |
RDAPI-18431 | HTTP 409 Resource already exists in Applications - External Credentials. |
RDAPI-19319 | HTTP 304 responses from the backend are mishandled when the request goes through API Manager. |
Internal ID | Description |
---|---|
RDAPI-14613 | In Policy Studio, when importing a policy fragment, deselected items are imported anyway. |
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
Shut down any Node Manager or API Gateway instances on your existing installation.
Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly, to avoid any regex matching issues. For example, the following directories might contain customized files:
webapps/apiportal/vordel/apiportal
webapps/emc/vordel/manager/app
webapps/emc
system/conf/apiportal/email
system/conf
samples/scripts/
tools/filebeat-VERSION-PLATFORM
INSTALL_DIR/apigateway/system/lib/modules
INSTALL_DIR/analytics/system/lib/modules
INSTALL_DIR/apigateway/system/lib/jython
INSTALL_DIR/analytics/system/lib/jython
INSTALL_DIR/apigateway/platform/jre
INSTALL_DIR/apigateway/upgrade
kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
If FIPS mode is enabled, you must also perform the following steps to install the service pack:
Run togglefips --disable to turn FIPS mode off.
Run togglefips --enable to turn FIPS mode on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:
apigw_sp_post_install.bat from completing successfully.
Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
Unzip and extract API Gateway 7.5.3 SP13 server over the apigateway directory in your existing installation directory. For example: tar -xzvf APIGateway_7.5.3_SP13_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
apigateway directory in your installation: INSTALL_DIR\apigateway (Windows) or INSTALL_DIR/apigateway (Linux)
Run apigw_sp_post_install.bat (Windows) or apigw_sp_post_install.sh (Linux).
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
API Gateway Appliance only
Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:
[ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
chown -R admin:admin /opt/gateway/
grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
ldconfig
Note: ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
analytics directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP13_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
analytics directory in your installation: INSTALL_DIR\analytics (Windows) or INSTALL_DIR/analytics (Linux)
Run apigw_analytics_sp_post_install.bat (Windows) or apigw_analytics_sp_post_install.sh (Linux).
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note: ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
INSTALL_DIR/policystudio directory.
INSTALL_DIR/policystudio/jre
policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP13_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
Start Policy Studio with the -clean option: policystudio -clean
Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
INSTALL_DIR/configurationstudio directory.
INSTALL_DIR/configurationstudio/jre
configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: tar -xzvf APIGateway_7.5.3_SP13_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
Start Configuration Studio with the -clean option: configurationstudio -clean
Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.
The following steps apply after installing the service pack.
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 6 and 7 in Install the API Gateway server service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.
Notes:
anon from the jdk.tls.disabledAlgorithms Java security property in the INSTALL_DIR/Linux.x86_64/jre/lib/security/java.security file
<VMArg name="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"/> line to the INSTALL_DIR/system/conf/jvm.xml file
When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up to date.
Caution: Before executing the update-apimanager script:
This script updates the active deployment in the API Manager group. After running the script, you must recreate the API Manager project (common project, containing Server Settings) from the deployment, so that you won't need to revert the changes the next time you perform a project deployment.
As an alternative to recreating the API Manager project, you can deploy only your common project to a development server and run the update-apimanager script against it, and create a new common project from this gateway instance. Then, you must deploy your updated policies to your API Manager group.
Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:
/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
The following command shows an example of running the update-apimanager script when the Client Application Registry is installed:
/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at https://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2019 Axway. All rights reserved.