Axway API Gateway and API Manager 7.5.3 SP 4 Readme

Document version: 5 December 2017


Readme for 7.5.3 SP 4

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 4, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

  • API Gateway Core Server
  • API Manager
  • API Gateway Analytics
  • Policy Studio
  • Configuration Studio

The service pack contains new binaries only and does not overwrite the existing configuration.

Service packs are cumulative. You do not need to install earlier service packs because this SP includes all previous fixes for this product version. For a full list of fixed issues, consult the Readme for earlier service packs.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP4_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE identifier Description
RDAPI-11168 00921329 CVE-2017-12972, CVE-2017-12973, CVE-2017-12974
Issue: Security vulnerabilities in the JWT library.
Resolution: Previously, API Gateway used Nimbus JOSE+JWT library v4.27, which contained security vulnerabilities. Now, the library has been upgraded to v4.41.2, which fixes these vulnerabilities.
RDAPI-11312 00925133 CVE-2017-10346, CVE-2017-10285, CVE-2017-10388, CVE-2017-10309, CVE-2017-10274, CVE-2017-10356, CVE-2017-10293, CVE-2017-10342, CVE-2017-10350, CVE-2017-10349, CVE-2017-10348, CVE-2017-10357, CVE-2016-9841, CVE-2016-10165, CVE-2017-10355, CVE-2017-10281, CVE-2017-10347, CVE-2017-10386, CVE-2017-10380, CVE-2017-10295, CVE-2017-10341, CVE-2017-10345
Issue: Security vulnerabilities in JRE.
Resolution: Previously, API Gateway used JRE version 1.8.0_141-b15, which contained several security vulnerabilities. Now, the JRE has been upgraded to v1.8u152, which fixes these vulnerabilities.

Other fixed issues

Internal ID Case ID Description
RDAPI‑5603 00912158 Issue: Application override quota not shown in API Manager.
Resolution: Previously, if you had configured API Manager to use a multi-node Cassandra cluster and you tried to add a new quota to an application, the quota was not always created correctly. Now, the new quota is created correctly and is visible in API Manager.
RDAPI‑10420 00905063 Issue: The JSON Path filter does not work as documented.
Resolution: Previously, the JSON Path filter could not be used with some legacy filters, like the Insert SAML Attribute Assertion filter, because the JSON Path filter did not extract the attributes in the format the legacy filters expected.
Now, you can extract all the attributes from the root JSON message and save them in an attribute.lookup.list element if you do not add any attributes on the JSON Path filter configuration.
RDAPI-10465 00907281 Issue: The API Gateway RADIUS client is single-threaded.
Resolution: Previously, the API Gateway RADIUS client could not process user authentication asynchronously. For example, when a RADIUS server required a two-way authentication, the RADIUS client could process the second authentication only after completing the first authentication. Now, API Gateway RADIUS client can process user authentication asynchronously.
RDAPI-10620 00904604 Issue: Incorrect character encoding in API Gateway Manager.
Resolution: Previously, if an HTTP transaction containing UTF-8 characters in both the headers and message body was stored in the traffic monitor database, and you later viewed that transaction in API Gateway Manager, the UTF-8 characters in the message body were incorrectly encoded and displayed. Now, both headers and message bodies containing UTF-8 characters are displayed correctly in API Gateway Manager.
RDAPI-10860 00910246 Issue: Unable to add Cassandra entries in a .fed file using a script.
Resolution: Previously, you could not use the updateCassandraSettings.py script to add several Cassandra host:port entries in a .fed file, because the script could not change user names and passwords in the Cassandra instances.
Now, the script has been improved to accommodate this using the following new parameters:
  • Cassandra user name
  • Cassandra password
  • Cassandra keyspace
  • .fed file passphrase
RDAPI-11152 00913118 Issue: Policy errors showing up in deployment error log.
Resolution: Previously, if you were deploying a configuration from Policy Studio and at the same time something (for example, a misconfigured load balancer) was causing a high number of errors in your environment, the policy deployment error log in Policy Studio might contain traces of these other errors that were completely unrelated to your configuration update.
Now, the deployment error log no longer contains traces unrelated to your configuration update.
RDAPI-11200 00922129 Issue: Errors in Visual Mapper.
Resolution: Previously, when you tried opening a .fed file that had been saved in a particular state, Visual Mapper would give the error "Could not open the editor: Index: 1, Size: 1", and you could not view the map. Now, the map can be viewed.
RDAPI-11203 00919374 Issue: Error in the Swagger documentation.
Resolution: Previously, the Swagger documentation incorrectly stated that the type of the 'appIds' parameters for migrate/applications/export endpoints is query. Now, the Swagger documentation correctly states that the type is formData.
RDAPI-11218 00921529 Issue: Unable to verify payload with PEM certificate loaded from the Key Property Store (KPS).
Resolution: Previously, you could only use the JWT Verify filter with certificates in API Gateway's certificate store. Now, the Nimbus JOSE+JWT library has been upgraded to version 4.41.2, and you can use the JWT Verify filter with certificates from other locations (like KPS) as well.
For example, you can configure the filter to use a JWK for payload verification, and create the JWK from a certificate using a script:
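    import java.security.cert.X509Certificate
    import com.nimbusds.jose.jwk.JWK
    // Build a JWK from the certificate on the message and store its JSON form in the "jwk" attribute
    X509Certificate certificate = message.get("client_certificate")
    JWK jwk = JWK.parse(certificate)
    message.put("jwk", jwk.toString())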
RDAPI-11219 00921748 Issue: Importing a broken reference breaks the environment settings.
Resolution: Previously when importing data to Policy Studio, if you imported a broken reference that removed entities with environmentalized fields, it corrupted the environment settings of a project. Now, you see an error during the import operation if the import requires deleting entities with environmentalized fields.
RDAPI-11237 00921767 Issue: Unable to upgrade an API using API Manager REST API.
Resolution: Previously, if you tried to upgrade an API using the API Manager REST API, the code comments in the REST API to generate the API description incorrectly indicated that the back-end API ID should be used in the upgrade. Now, the code comments have been updated and correctly indicate that the front-end API ID should be used for the upgrade.
RDAPI-11279 00918713 Issue: Invalid request in the OCSP Client filter.
Resolution: Previously, the OCSP Client filter generated an invalid request if the OCSP Responder URL did not have a slash after the host name. Now, the OCSP Client filter ensures that the OCSP Responder URL has a slash after the host name, so that the POST request line is valid.

Known issues

There are no known issues in this service pack.

Install the service pack

Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your installation.

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat so that the Cassandra tools launch successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

Note:

  • To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
  • To upgrade from an earlier version to v7.5.3, see the API Gateway Upgrade Guide.

Install the API Gateway Core Server service pack

If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.5.3 SP 4 Core over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/

  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

    API Gateway Appliance only
    Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:
  6. Run the following command:
    [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    chown -R admin:admin /opt/gateway/

    grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    ldconfig

Note:

  • If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
  • Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
  • If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
  • If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
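
A pre-extraction check for the procedure and notes above, added here as an example and not part of the Axway readme: it compares the archive's MD5 with the value supplied for the download, reports files still present in ext/lib, and confirms that you are the user who owns the binaries. The function names and argument order are assumptions; the paths are used as this page writes them.

```shell
#!/bin/sh
# Added example: checks to run before extracting the Core Server service pack.
# Function names are illustrative assumptions; paths are as written on this page.

# Succeeds when FILE's MD5 equals the value supplied with the download.
md5_matches() {   # md5_matches FILE EXPECTED_MD5
    actual=$(md5sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Counts files left in ext/lib; previous patches there must be removed first.
stale_patch_count() {   # stale_patch_count DIR
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -type f | wc -l | tr -d ' '
}

# Succeeds when the invoking user owns the existing binaries directory.
runs_as_owner() {   # runs_as_owner DIR
    [ "$(stat -c %u "$1" 2>/dev/null)" = "$(id -u)" ]
}

# Prints each finding and returns the number of failed hard checks.
preflight() {   # preflight ARCHIVE EXPECTED_MD5 INSTALL_DIR
    fails=0
    md5_matches "$1" "$2" ||
        { echo "FAIL: MD5 mismatch for $1"; fails=$((fails + 1)); }
    n=$(stale_patch_count "$3/ext/lib")
    [ "$n" -eq 0 ] || echo "REVIEW: $n file(s) in $3/ext/lib; remove previous patches"
    runs_as_owner "$3/apigateway/posix/bin" ||
        { echo "FAIL: extract as the owner of $3/apigateway/posix/bin"; fails=$((fails + 1)); }
    return "$fails"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

An MD5 match shows that the download is intact; it is only as trustworthy as the channel the checksum was obtained from.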

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 4 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP4_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  4. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  5. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

Note:

  • Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
  • You must also install a service pack for your existing 7.5.3 Core Server.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 4 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP4_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 4 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP4_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway Core Server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig
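
A check that the four steps above took effect, added here as an example and not part of the Axway readme; the function names are assumptions. Because vshell carries file capabilities, the dynamic linker ignores LD_LIBRARY_PATH for it, which is why the library directories must be registered through ldconfig.

```shell
#!/bin/sh
# Added example: verify the "After installation" steps for an unprivileged user.
# Function names are illustrative assumptions; paths follow this page.

# Prints the lines this page lists for /etc/ld.so.conf.d/gateway-libs.conf.
ldconf_lines() {   # ldconf_lines INSTALL_DIR
    for d in platform/jre/lib/amd64/server platform/jre/lib/amd64 \
             platform/lib/engines platform/lib ext/lib; do
        printf '%s/%s\n' "$1" "$d"
    done
}

# Succeeds when every expected directory is in CONF (exact line match).
ldconf_complete() {   # ldconf_complete INSTALL_DIR CONF
    ldconf_lines "$1" | while read -r line; do
        grep -qxF -- "$line" "$2" 2>/dev/null || exit 1
    done
}

# Succeeds when jvm.xml carries the java.library.path VMArg from step 1.
jvm_has_libpath() {   # jvm_has_libpath JVM_XML
    grep -q '<VMArg name="-Djava.library.path=' "$1" 2>/dev/null
}

# Succeeds when getcap output (passed as text) names both capabilities with
# the "ep" flags; accepts the older "= caps+ep" and newer "caps=ep" formats.
caps_ok() {   # caps_ok GETCAP_OUTPUT
    case $1 in *cap_net_bind_service*) ;; *) return 1 ;; esac
    case $1 in *cap_sys_rawio*) ;; *) return 1 ;; esac
    case $1 in *[+=]ep) return 0 ;; *) return 1 ;; esac
}

# Runs all three checks, prints what is missing, returns 1 on any failure.
verify_unprivileged_setup() {   # verify_unprivileged_setup INSTALL_DIR [CONF]
    conf=${2:-/etc/ld.so.conf.d/gateway-libs.conf}
    rc=0
    jvm_has_libpath "$1/system/conf/jvm.xml" ||
        { echo "jvm.xml: java.library.path VMArg missing"; rc=1; }
    caps_ok "$(getcap "$1/platform/bin/vshell" 2>/dev/null)" ||
        { echo "vshell: expected capabilities not set"; rc=1; }
    ldconf_complete "$1" "$conf" ||
        { echo "$conf: library directories missing"; rc=1; }
    return "$rc"
}

if [ "$#" -ge 1 ]; then verify_unprivileged_setup "$@"; fi
```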

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

  • Axway Supported Platforms
  • Axway Interoperability Matrix

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2017 Axway. All rights reserved.