 Axway API Gateway 7.4.1 SP 1 Readme

Document version: 19 November 2015


Readme for 7.4.1 SP 1

This Readme applies to Axway API Gateway 7.4.1 SP 1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.1_SP1_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements.

Case ID Internal ID Description
789954 RDAPI-125

Issue: API Gateway sends garbage data when both sides of a WebSocket send frames at the same time
Resolution: Previously, API Gateway did not always process WebSocket messages correctly, causing payload corruption and premature connection close. Now, API Gateway processes all data sent using a WebSocket correctly.

774850 RDAPI-128

Issue: The do not use SSLv2 and SSLv3 flags on a port do not prevent the use of SSLv2/3
Resolution: Previously, SSL options for an interface were not always correctly loaded from the HTTPS Listener configuration in API Gateway. Now, SSL options are correctly loaded from the HTTPS Listener configuration in API Gateway.

787659 RDAPI-155

Issue: Decode Extracted Attributes still decoding even if not selected (Extract REST Request Attributes filter)
Resolution: Previously, the Extract REST Attributes filter was incorrectly overwriting the http.raw.querystring message attribute. Now, the Extract REST Attributes filter does not overwrite the http.raw.querystring message attribute.

780484 RDAPI-156

Issue: XPath not visible after upgrade from v7.1.1 to v7.4.1 SP 1 (via 7.3.0 SP 1)
Resolution: Previously, in Policy Studio when editing the Retrieve attributes from message filter, custom XPath expressions may not display in the XPath expression pop-up menu. Now, in Policy Studio when editing the Retrieve attributes from message filter, all available XPath expressions are displayed in the XPath expression tree view dialog for selection.

779817 RDAPI-159

Issue: API Gateway port 8090 vulnerable to XSRF attack
Resolution: Previously, the API Gateway Manager web console was vulnerable to potential CSRF attacks. Now, when upgrading API Gateway configuration, the migrated API Gateway Manager web console has a Referer Header check enabled. For existing 7.4.1 installations, the following manual step is required to enable the Referer Header check:

Enable protection for the API Gateway Manager web app (8090) by adding the following Jersey property to the RBACServletContainer configuration (in $VDISTDIR/conf/fed/configs.xml):

Name: com.sun.jersey.spi.container.ResourceFilters
Value: com.vordel.common.apiserver.filter.CsrfProtectionFilterFactory

For more details, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.

- RDAPI-160

Issue: XSS/Session hijack/CSRF vulnerability on registration name
Resolution: Previously, a user could enter script in the user name field when registering. This script was delivered unescaped in the email notification, and was displayed unescaped on the delete user confirmation dialog. Now, user input is escaped when registering.

784222 RDAPI-237

Issue: Large native memory leak from vshell process
Resolution: Previously, if XML redaction was used in any policy, the vshell process would grow in memory size. This would require a restart of the API Gateway to resolve. Now, use of XML redaction on any messages does not cause permanent growth in message size, and does not require an API Gateway restart after periodic use.

775282 RDAPI-238

Issue: LDAP character conversion issue
Resolution: Previously, an LDAP repository for connecting to the IBM Resource Access Control Facility (RACF) was unable to properly format the Base Criteria to include the User Search Attribute. Now you can specify this additional formatting by including the keyword {basecriteria} in the User Search Attribute field (for example, User Search Attribute: {basecriteria}racfid).

786131 RDAPI-239

Issue: Gateway runs out of heap space
Resolution: Previously, if a large number of files were in <install-dir>/apigateway/events, and the sum of the size of those files exceeded the directory size limit (default 1GB), and a large number of files had to be deleted to reduce the directory disk consumption to less than this limit, API Gateway could use a lot of memory and run out of heap space. Now the file delete strategy has been fixed so that it does not require so much memory to delete a large number of small files for the events directory.

785809 RDAPI-254

Issue: Problem on startup initializing the Luna HSM engine
Resolution: Previously, using HSM sessions in multiple threads could cause PKCS11 CK_RV=0x90 errors, and could cause the system to become unstable. Now, the HSM sessions are thread-safe.

- RDAPI-255

Issue: Changing name of XPath entity in Policy Studio leads to creation of duplicated entity
Resolution: Previously, in Policy Studio, an XPath expression entity was duplicated when the XPath name was modified. Now, in Policy Studio, the XPath expression name is updated correctly when modified, and no duplicate XPath is created.

762257 RDAPI-257

Issue: Certificate check from Connection filter is case sensitive
Resolution: Previously, the Connect to URL filter reported that the host name in the request did not match the server's certificate subject, where the certificate subject name contains upper/lower-case characters. Now, the Connect to URL filter correctly matches the host name against the server's certificate subject containing upper/lower-case characters.

- RDAPI-378

Issue: WS-Policy is broken
Resolution: Previously, in Policy Studio, you could not configure the recipient WS-Policy that uses AsymmetricBinding with Encrypted UsernameToken with Message Level Policy set to Sign and Encrypt SOAP body for both request and policy. Now, in Policy Studio, you can configure the recipient WS-Policy.

779069 RDAPI-566

Issue: SSL connection WRITE_PENDING: bad write retry
Resolution: Previously, API Gateway might close the connection while sending a large payload in a response, due to a write failure caused by SSL I/O errors. Now, API Gateway handles SSL I/O errors and attempts to retry SSL read/write accordingly.

- RDAPI-587

Issue: API Gateway crashed parsing a SOAP request
Resolution: Previously, API Gateway could crash when attempting to report an error with a message containing percent-encoded characters while processing a SOAP request. Now, API Gateway successfully reports an error with a message containing percent-encoded characters.

789992 RDAPI-627

Issue: Java crash—SIGSEGV in libc.so.6 at fclose()
Resolution: Previously, API Gateway crashed if it could not create a file to store event logs. Now, API Gateway reports an error when it fails to create a file to store event logs.

786897 RDAPI-628

Issue: sysupgrade script disregards branding
Resolution: Previously, the sysupgrade script was using only one brand in user prompts. Now, the sysupgrade script uses brand-aware user prompts.

772132-1 RDAPI-629

Issue: SIGSEGV from libvcommon.so in Vordel::BoundHeap::allocImpl
Resolution: Previously, API Gateway could crash allocating memory due to an incorrect check of available memory per transaction. Now, API Gateway correctly reports out of memory errors.

785760 RDAPI-630

Issue: sysupgrade script issues with Unicode in KPS tables
Resolution: Previously, the sysupgrade script failed to upgrade API Gateway configuration where an API Manager user pending approval had a name that contained Unicode characters. Now, the sysupgrade script succeeds upgrading API Gateway configuration where an API Manager user pending approval has a name that contains Unicode characters.

- RDAPI-671

Issue: OpenSSL FIPS mode updates
Resolution: Previously, API Gateway was including OpenSSL 1.0.1j-fips, which has security vulnerabilities. Now, API Gateway includes OpenSSL 1.0.1p-fips addressing known security vulnerabilities.

For more details, see http://openssl.org/news/secadv/20150709.txt

Known issues

The following issues are known and scheduled for correction in a future release.

Case ID Internal ID Description
- RDAPI-165 Upgrade adds Default Services to API Gateway configuration, which breaks the configuration.

Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.

Installation

This section describes how to install the service pack on an existing installation of API Gateway.

Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.4.1 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 1 Core over the apigateway directory in your existing installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/apigateway/

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.4.1 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 1 Analytics over the analytics directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/analytics/

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 1 Policy Studio over the policystudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/policystudio/

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 1 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/configurationstudio/
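
Added example, not part of the Axway Readme: each extraction step above unpacks an archive directly over an existing installation directory, so this script checks the MD5 value published for the file and the archive's member names before anything is written. It assumes md5sum and GNU tar on Linux; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Axway code. Function names are hypothetical.

# md5_matches FILE EXPECTED_HEX
# Succeeds when FILE's MD5 equals the value published for the download.
# MD5 catches a corrupted or truncated transfer; it does not authenticate
# the file.
md5_matches() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    have=$(md5sum < "$1" | cut -d' ' -f1)
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# unsafe_names
# Reads archive member names on stdin and prints those that are absolute
# or contain a ".." component, i.e. that point outside the -C directory.
unsafe_names() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# install_service_pack ARCHIVE EXPECTED_MD5 TARGET_DIR
# Extracts only after the checksum and the member listing both pass.
install_service_pack() {
    sp_archive=$1 sp_md5=$2 sp_target=$3
    [ -d "$sp_target" ] ||
        { echo "no such directory: $sp_target" >&2; return 1; }
    md5_matches "$sp_archive" "$sp_md5" ||
        { echo "MD5 mismatch, not extracting: $sp_archive" >&2; return 1; }
    sp_listing=$(tar -tzf "$sp_archive") ||
        { echo "unreadable archive: $sp_archive" >&2; return 1; }
    sp_bad=$(printf '%s\n' "$sp_listing" | unsafe_names)
    if [ -n "$sp_bad" ]; then
        echo "unsafe member names, not extracting:" >&2
        printf '%s\n' "$sp_bad" >&2
        return 1
    fi
    tar -xzf "$sp_archive" -C "$sp_target"
}

# Usage: sh install_sp.sh ARCHIVE EXPECTED_MD5 TARGET_DIR
if [ "$#" -eq 3 ]; then
    install_service_pack "$@"
fi
```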

After installation

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file.

     64-bit installation:

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

     32-bit installation:

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/i386/server:$VDISTDIR/$DISTRIBUTION/jre/lib/i386:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.


Documentation

Go to Axway Sphere at https://support.axway.com to find all documentation for this product version.

For information about how API Gateway is used in Axway 5 Suite, refer to:

All Axway documentation is available from Axway Sphere at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Sphere at https://support.axway.com.


Copyright © 2015 Axway. All rights reserved