Axway API Gateway and API Manager 7.5.3 SP 5 Readme
Document version: 22 January 2018
Readme for 7.5.3 SP 5
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 5 on all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
- API Gateway Core Server
- API Manager
- API Gateway Analytics
- Policy Studio
- Configuration Studio
The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP5_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Fixed issues
Fixed security vulnerabilities
Key | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-11672 | 00925709 | CWE-79 | Issue: Cross-site scripting (XSS) vulnerability in API Manager quota. Resolution: Previously, APIs in API Manager that exceeded their quotas reflected the original message body back to the client, causing a reflected XSS vulnerability. API Gateway was also sending an HTTP 403 response code when a resource path was not found. Now, when the API quota is exceeded, APIs do not send the message body back to the client, and API Gateway correctly sends an HTTP 404 response code. |
RDAPI-11680 | 00930798, 00934748 | CVE-2017-3735, CVE-2017-3736, CWE-928 | Issue: OpenSSL CVE-2017-3735 / CVE-2017-3736. Resolution: Previously, API Gateway included OpenSSL v1.0.2k-fips, which is affected by CVE-2017-3735 and CVE-2017-3736. Now, API Gateway includes OpenSSL 1.0.2m-fips. |
RDAPI-11855 | 00895727 | CVE-2016-7103, CWE-79 | Issue: Security vulnerability in jQuery. Resolution: Previously, API Gateway Manager and API Manager used jQuery 1.1.7, which is susceptible to a security vulnerability. Now, jQuery has been upgraded to jQuery 2.2.4, which is not susceptible to this security vulnerability. |
RDAPI-12002 | 00938978 | CVE-2017-9801 | Issue: Security vulnerability in commons-email-1.2.jar. Resolution: Previously, API Gateway used commons-email-1.2.jar, which contains a security vulnerability: when a call site passed an email subject containing line breaks, the caller could add arbitrary SMTP headers. Now, API Gateway uses commons-email-1.5.jar instead to fix this issue. |
RDAPI-12092 | 00943503 | CWE-923 | Issue: Oracle Critical Patch Update, January 2018. Resolution: Previously, API Gateway did not include the Oracle Critical Patch Update of 16 January 2018. Now, API Gateway includes this update from Oracle. |
Other fixed issues
Key | Case ID | Description |
---|---|---|
RDAPI-10211 | 00903673 | Issue: Cannot unpublish an API with pending API access in API Manager. Resolution: Previously, in API Manager, you could not unpublish an API that had pending API access against an application. Now, you can unpublish an API that has pending API access against an application. |
RDAPI-10306 | 00884582 | Issue: Improve user registration flow in API Manager documentation. Resolution: Previously, the API Manager User Guide did not provide sufficiently clear information on user registration workflows. Now, this guide has been updated with clarification on the registration workflows. |
RDAPI-10511 | 00906226 | Issue: JSON Path filter generated attributes not shown with Show All Attributes. Resolution: Previously, the generated attributes for the JSON Path filter were not shown when using Show All Attributes. Now, the generated attributes are shown when Show All Attributes is enabled. |
RDAPI-10853 | 00910357 | Issue: Secure WebSocket communication may freeze when transferring a large payload. Resolution: Previously, API Gateway could stop reading a large payload over WebSockets when SSL security was used. Now, the WebSocket layer no longer directly relies on socket events when receiving payload data. |
RDAPI-11072 | 00918621 | Issue: POST method in API Manager REST API ignores the user type. Resolution: Previously, when you invoked the POST method in the API Manager REST API to call /api/portal/v1.3/users/, the method ignored the user type (internal or external) that you specified, and set the type to internal. Now, the POST method correctly sets the user type that you specify. The default user type is internal. |
RDAPI-11188 | 00920016, 00922717 | Issue: Logging into API Gateway Analytics with LDAP authentication makes the browser prompt for login twice. Resolution: Previously, an API Gateway Analytics API was incorrectly requesting login when the user was not found in the local user store. Now, login is requested only once. |
RDAPI-11226 | 00917255, 00902613 | Issue: Environment issues starting API Gateway instances as Linux services. Resolution: Previously, there were environment issues when starting an API Gateway instance as a Linux service (non-root), which meant that you could no longer log in using SSH. Now, the API Gateway vshell binary comes with predefined static library paths to enable API Gateway to run with root privileges while not modifying the global system library configuration (ldconfig). |
RDAPI-11256 | 00915348, 00931270 | Issue: StatusCode 0 error when calling an API in the API Manager UI. Resolution: Previously, when you used the Try Method button in API Manager for an API-key protected front-end API where no JavaScript origins were configured, a StatusCode 0 error occurred due to a CORS-related issue. Now, when you use the Try Method button in API Manager for an API-key protected front-end API, you are prompted to select an application and corresponding API key, which is validated before testing the API. If no JavaScript origin is configured, you cannot invoke the API. This prevents the StatusCode 0 error from occurring. |
RDAPI-11400 | 00908256 | Issue: API administrator not notified of an unreachable email address in self-registration. Resolution: Previously, if a new user entered an unreachable email address when self-registering to API Manager or API Portal, the API administrator was not notified of the failed registration email. Now, the API administrator receives a notification if sending the registration email to the newly registered user fails. |
RDAPI-11439 | 00923314 | Issue: Domain audit log does not log all events selected in its configuration. Resolution: Previously, the user events for updating or deleting a user and updating a password were not included in the domain audit log even if you had enabled logging them in the log settings. Now, all selected user events are correctly reported in the domain audit log. |
RDAPI-11474 | 00921196 | Issue: Setting up Cassandra on a remote node with encryption fails with errors. Resolution: Previously, when you ran the setup-cassandra script on a remote node with the --enable-server-encryption and --enable-client-encryption options, the script failed with errors and did not show the instructions for keystore and truststore management. Now, the script on the remote node succeeds and shows the management instructions. |
RDAPI-11493 | 00926874 | Issue: Password management: insecure password submissions. Resolution: Previously, API Manager static files such as registration-failed, request-forgotten-pw-failed, and so on, were accessible with all HTTP methods, which was reported as Insecure Password Submissions during vulnerability testing. Now, to protect static content in an existing API Manager configuration, you must run the posix/bin/update-apimanager script for each group in your topology to apply the protection configuration. Note: You must back up your configuration before running the script. |
RDAPI-11594 | 00926945 | Issue: The HTTP method is not correctly checked when using a CORS profile with an API listener. Resolution: Previously, if you set a CORS profile on an API listener, the HTTP method was not checked against the value you had configured in the API listener. Now, the HTTP method is checked against the value you configure in the API listener both with and without the CORS profile. |
RDAPI-11618 | 00918072 | Issue: Internal server error when creating a front-end API. Resolution: Previously, when you created a front-end API from an imported Swagger definition that did not have the host and base path set, API Manager displayed an internal server error, and the created API was only visible after a refresh. Now, there is no internal server error and the front-end API is visible in API Manager right away. |
RDAPI-11627 | 00928619 | Issue: Visual Mapper conversion of XML with array to JSON array did not work. Resolution: Previously, Visual Mapper conversion of XML with an array to a JSON array produced a blank JSON array. Now, Visual Mapper conversion of XML with an array to a JSON array produces a correct JSON array. |
RDAPI-11639 | 00906442 | Issue: Cross-Site Scripting (XSS) in advisory banner. Resolution: Previously, updating the advisory banner text field was subject to a Cross-Site Scripting (XSS) attack. Now, the advisory banner text field output is encoded to eliminate any cross-site scripting attack. |
RDAPI-11711 | 00927783 | Issue: Korean characters broken in API Manager registration email. |
RDAPI-11761 | 00932339 | Issue: Policy Studio help on changing project passphrase is out of date. Resolution: Previously, the Policy Studio help on changing the encryption passphrase for a Policy Studio project was out of date. Now, the Policy Studio help on changing a project passphrase has been updated to reflect the latest behavior. |
RDAPI-11843 | 00895146, 00887470 | Issue: No version number on an imported API. Resolution: Previously, when you re-imported an API collection that contained versioned APIs, API Manager did not correctly reflect the versioning after the re-import. Now, the correct API version is shown after the re-import. |
RDAPI-11876 | 00929803 | Issue: KPS Cassandra consistency levels not working correctly in API Gateway Manager. Resolution: Previously, consistency levels specified in Policy Studio for Cassandra were ignored. Now, consistency levels are considered for KPS and quota on a per-table basis. |
RDAPI-11887 | 00906442 | Issue: CRLF injection in /api/portal/v1.3/discovery/ on the filename parameter. Resolution: Previously, the API Manager API allowed a CRLF injection in /api/portal/v1.3/discovery/ on the filename parameter. Now, no CRLF injection is allowed on the filename parameter in /api/portal/v1.3/discovery/. |
RDAPI-11893 | 00933271 | Issue: API Gateway crash occurs during redaction of XML content. Resolution: Previously, a crash might occur when executing multiple XML redactions simultaneously. Now, multi-threaded operation is fully supported by XML redaction. |
RDAPI-11894 | 00922245 | Issue: API Manager not forwarding uppercase Origin header to back-end API. Resolution: Previously, CORS headers were forwarded to back-end APIs by API Manager in some cases. Now, API Manager always removes CORS headers and does not send them to back-end APIs. |
RDAPI-11897 | 00906442 | Issue: Insufficient validation in /api/portal/v1.3/users/register on the user name parameter. Resolution: Previously, the API Manager API allowed a CRLF injection in /api/portal/v1.3/users/register on the username parameter. Now, no CRLF injection is allowed on the username parameter in /api/portal/v1.3/users/register. |
RDAPI-11914 | 00934883 | Issue: XML Signature Generation filter is not compliant with WS-I Basic Security Profile 1.0. Resolution: Previously, the X.509 TokenType was not set in the SecurityTokenReference tag. Now, the X.509 TokenType is set if requested. |
RDAPI-11924 | 00934310 | Issue: PGP signing produces intermittent error. Resolution: Previously, an intermittent PGP decryption error occurred during load testing. Now, there are no intermittent errors. |
RDAPI-11928 | 00933410 | Issue: Environmentalized fields not migrated to 7.5.3 SP4. Resolution: Previously, you could environmentalize a field with no values, or set no values for an environmentalized field. Now, you cannot environmentalize a field with no values, or set no values for an environmentalized field (the field's default values are set when available). |
RDAPI-11975 | 00937985 | Issue: Documentation for configuring the metrics database contains incorrect dbsetup output. Resolution: Previously, the example output from the dbsetup command in the API Gateway Installation Guide was incorrect. Now, the documentation has been updated with the correct output. |
RDAPI-11989 | 00929436 | Issue: API Gateway freeze during startup. Resolution: Previously, during startup, instantiation of several JMS sessions and JMS consumers at the same time could cause a deadlock. Now, locks used by JMS sessions have been removed. |
RDAPI-12057 | 00923675 | Issue: Policy Studio very slow to load or modify a particular exported policy. Resolution: Previously, loading a policy containing a large number of filters and multiple paths to several filters might take a long time. Now, you can use a hidden Java property to speed up policy loading at the cost of a potentially inaccurate list of filter attributes. You can add the -DfastCoverage=true property to the policystudio.ini file to skip revisiting filter success and failure paths. |
RDAPI-12059 | 00909499 | Issue: API Manager returns 500 Internal Server Error for timeout instead of 504 Gateway Timeout. Resolution: Previously, when the Connect To URL filter timed out, an HTTP code 500 Internal Server Error was returned to the client. Now, it returns an HTTP code 504 Gateway Timeout error. |
RDAPI-12101 | 00930827 | Issue: API Manager application image compression. Resolution: Previously, after importing an application or API image in API Manager, the image became blurred. Now, after importing in API Manager, these images are no longer blurred. |
Known issues
This service pack has the following known issues, which are planned for a future release:
- RDAPI-10909: Sorting and filtering issues in API Manager
- RDAPI-11131: API Manager application image disappears after edit
- RDAPI-11229: API Manager missing fields to API list on Application page
- RDAPI-11703: API Manager misbehavior when receiving a wrongly encoded request
- RDAPI-11960: API Manager application override of default quota saved but not showing in UI
- RDAPI-11974: API Gateway—missing Generic Error exception message is not provisioned
- RDAPI-12024: API Gateway MalformedURLException log error
- RDAPI-12077: API Manager custom routing policy does not use front-end API settings
- RDAPI-12105: API Gateway—OpenSSL Security Advisory, 07 Dec 2017 (CVE-2017-3737/CVE-2017-3738)
Install the service pack
Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your installation.
Prerequisites
This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:
- Shut down any Node Manager or API Gateway instances on your existing installation.
- Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
- Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
- If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure that Cassandra tools are launched successfully.
FIPS mode only
If FIPS mode is enabled, you must perform the following steps to install the service pack:
- Run togglefips --disable to turn FIPS mode off.
- Start the Node Manager to move the JARs.
- Stop the Node Manager.
- Install the API Gateway service pack.
- Start the Node Manager.
- Stop the Node Manager.
- Run togglefips --enable to turn FIPS mode on again.
- Start the Node Manager.
Installation
This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Note:
- To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
- To upgrade from an earlier version to v7.5.3, see the API Gateway Upgrade Guide.
Install the API Gateway Core Server service pack
Note: If you have API Manager installed, installing the API Gateway Core Server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:
- Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
- Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Unzip and extract API Gateway 7.5.3 SP 5 Core over the apigateway directory in your existing installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP5_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
- Change to the apigateway directory in your installation:
  Windows: INSTALL_DIR\apigateway
  Linux: INSTALL_DIR/apigateway
- Run the following script:
  Windows: apigw_sp_post_install.bat
  Linux: apigw_sp_post_install.sh
Note: On Linux, run the script using the bash command.
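The checks this section and its notes ask for before extracting (the published MD5 for the archive, extracting as the user who owns the binaries, an empty ext/lib, no running Node Manager or gateway instance), gathered into one preflight script. This is an added example and not Axway's own tooling: the script name, the RUN_PREFLIGHT variable and the function names are this example's, the expected MD5 is the value published next to the download, and the directory argument is the apigateway directory of the Linux layout used in the tar example above.

```shell
#!/bin/sh
# Added example, not part of the Axway readme: preflight checks to run before
# extracting the Core Server service pack over INSTALL_DIR/apigateway.
# Usage: RUN_PREFLIGHT=1 sh apigw_sp_preflight.sh ARCHIVE EXPECTED_MD5 APIGATEWAY_DIR
# (EXPECTED_MD5 is the checksum published next to the download; the function
#  and variable names here are this example's own.)

# The download page publishes an MD5 per archive; compare it before extracting.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# The readme requires extracting as the user who owns the binaries
# ("ls -l INSTALL_DIR/apigateway/posix/bin"); compare numeric uids so the
# check also works where the uid has no passwd entry.
binaries_owner_uid() {
    ls -ldn "$1/posix/bin" | awk '{print $3}'
}

check_owner() {
    [ "$(binaries_owner_uid "$1")" = "$(id -u)" ]
}

# Leftover patch JARs in ext/lib are already part of the service pack and must
# be removed first; list them rather than deleting anything silently.
list_stale_patches() {
    find "$1/ext/lib" -maxdepth 1 -type f 2>/dev/null || true
}

# Node Manager and gateway instances both run inside the vshell binary.
gateway_processes_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -f 'platform/bin/vshell' >/dev/null 2>&1
}

preflight() {
    archive=$1; expected=$2; gwdir=$3; status=0
    if verify_md5 "$archive" "$expected"; then
        echo "OK   checksum matches: $archive"
    else
        echo "FAIL checksum mismatch: $archive (do not extract)"; status=1
    fi
    if check_owner "$gwdir"; then
        echo "OK   running as the owner of $gwdir/posix/bin"
    else
        echo "FAIL current user is not the owner of $gwdir/posix/bin"; status=1
    fi
    stale=$(list_stale_patches "$gwdir")
    if [ -n "$stale" ]; then
        echo "FAIL remove these previous patches from $gwdir/ext/lib first:"
        echo "$stale"; status=1
    else
        echo "OK   no previous patches in $gwdir/ext/lib"
    fi
    if gateway_processes_running; then
        echo "FAIL a Node Manager or API Gateway instance is still running"; status=1
    else
        echo "OK   no vshell processes found"
    fi
    return $status
}

# Only run when invoked explicitly; sourcing the file just defines the checks.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    preflight "$@"
fi
```

A non-zero exit from preflight means at least one condition is not met; extract the archive only once every line reads OK, then continue with the post-install script as described above.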
API Gateway Appliance only
Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:
- Run the following command:
  [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
- Run the following:
  chown -R admin:admin /opt/gateway/
  grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
  setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
  ldconfig
Note:
- If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
- Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
- If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
- If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
Install the API Gateway Analytics service pack
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
- Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
- Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Unzip and extract API Gateway 7.5.3 SP 5 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP5_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
- Change to the analytics directory in your installation:
  Windows: INSTALL_DIR\analytics
  Linux: INSTALL_DIR/analytics
- Run the post-install script for API Gateway Analytics:
  Windows: apigw_analytics_sp_post_install.bat
  Linux: apigw_analytics_sp_post_install.sh
Note: On Linux, run the script using the bash command.
Note:
- Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
- You must also install a service pack for your existing 7.5.3 Core Server.
Install the Policy Studio service pack
To install the service pack on your existing Policy Studio installation, perform the following steps:
- Shut down Policy Studio.
- Back up your existing INSTALL_DIR/policystudio directory.
- Unzip and extract API Gateway 7.5.3 SP 5 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP5_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
Note: The first time you start Policy Studio, you must use policystudio -clean.
Install the Configuration Studio service pack
To install the service pack on your existing Configuration Studio installation, perform the following steps:
- Shut down Configuration Studio.
- Back up your existing INSTALL_DIR/configurationstudio directory.
- Unzip and extract API Gateway 7.5.3 SP 5 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example:
  tar -xzvf APIGateway_7.5.3_SP5_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
After installation
API Gateway
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway Core Server service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
- Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
  <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
- Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
- Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
  INSTALL_DIR/platform/jre/lib/amd64/server
  INSTALL_DIR/platform/jre/lib/amd64
  INSTALL_DIR/platform/lib/engines
  INSTALL_DIR/platform/lib
  INSTALL_DIR/ext/lib
- Run the following command to reload the library cache file:
  ldconfig
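The four steps above carried out by one script: it inserts the java.library.path VMArg into jvm.xml only when no such setting is present yet (the same grep-then-insert idea as the appliance commands, keeping a .bak copy), generates the ld.so.conf.d fragment from INSTALL_DIR, and performs the setcap and ldconfig steps only when run as root, finishing with getcap so you can see what vshell was actually granted. This is an added example and not part of the readme or the product: the script name, the RUN_GATEWAY_SETUP variable and the function names are this example's; the VMArg, the capability set and the five library paths are exactly those the readme specifies.

```shell
#!/bin/sh
# Added example, not part of the Axway readme: apply the unprivileged-user
# setup for API Gateway on Linux in one pass.
# Usage (as root): RUN_GATEWAY_SETUP=1 sh gateway-unprivileged.sh INSTALL_DIR
# Function and variable names are this example's own; the VMArg, the setcap
# capabilities and the ld.so.conf.d paths are the ones the readme specifies.

# Single-quoted so the shell leaves $VDISTDIR and $DISTRIBUTION alone; the
# gateway expands them itself at startup.
VMARG_LIBRARY_PATH='<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>'

# Step 1: insert the VMArg right after the <JVMSettings> opening tag, but only
# if jvm.xml has no java.library.path yet (idempotent); the original is kept
# as jvm.xml.bak, like the appliance sed -i.bak command.
ensure_jvm_library_path() {
    jvm_xml=$1
    if grep -q 'java.library.path' "$jvm_xml"; then
        return 0
    fi
    cp "$jvm_xml" "$jvm_xml.bak"
    awk -v arg="$VMARG_LIBRARY_PATH" '
        { print }
        /<JVMSettings/ {
            print "        <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->"
            print "        " arg
        }
    ' "$jvm_xml.bak" > "$jvm_xml"
}

# Step 3: the five search paths for /etc/ld.so.conf.d/gateway-libs.conf,
# in the order the readme lists them.
gateway_libs_conf() {
    for sub in platform/jre/lib/amd64/server platform/jre/lib/amd64 \
               platform/lib/engines platform/lib ext/lib; do
        echo "$1/$sub"
    done
}

# Steps 2 to 4 need root: write the ld.so.conf.d fragment, grant vshell only
# the two capabilities it needs instead of running the gateway as root, and
# reload the loader cache. getcap then shows what was actually granted.
apply_privileged_steps() {
    install_dir=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: skipping setcap, /etc/ld.so.conf.d and ldconfig" >&2
        return 1
    fi
    gateway_libs_conf "$install_dir" > /etc/ld.so.conf.d/gateway-libs.conf
    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' "$install_dir/platform/bin/vshell"
    ldconfig
    getcap "$install_dir/platform/bin/vshell"
}

# Only run when invoked explicitly; sourcing the file just defines the steps.
if [ "${RUN_GATEWAY_SETUP:-0}" = "1" ]; then
    install_dir=${1:?INSTALL_DIR required}
    ensure_jvm_library_path "$install_dir/system/conf/jvm.xml"
    apply_privileged_steps "$install_dir"
fi
```

Running the script a second time changes nothing, which is what you want when the same host is rebuilt from configuration management; the getcap output at the end is the quickest way to confirm that the gateway binary, and nothing else, received the two capabilities.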
API Manager
Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.
Documentation
Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at http://docs.axway.com:
- Axway Supported Platforms
- Axway Interoperability Matrix
Support services
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2018 Axway. All rights reserved.