Axway API Gateway and API Manager 7.6.2 SP 5 Readme

Document version: 17 July 2020


Readme for 7.6.2 SP 5

This Readme applies to Axway API Gateway and API Manager 7.6.2 SP 5, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for these products.

This service pack provides fixes for a number of reported defects. It includes updates for the following:

The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for supported platforms (for example, APIGateway_7.6.2_SP5_Core_linux-x86-64_BNYYYYMMDDn.tar.gz).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Feature notes

General

API Manager

API Gateway

XML redactor

New properties have been added to the "XMLRedactor" tag in the XML redaction configuration:

<XMLRedactor maxBufferSize="32768" maxDepth="1024">
   <RedactMime mimeType="application/xml"/>
   ...
</XMLRedactor>

Those properties are defined by:

Name           Type    Default value  Description
maxBufferSize  number  32768          Maximum memory size (in bytes) used by XML redaction.
maxDepth       number  1024           Maximum depth of XML nested nodes.


The XML redactor does not perform XML validation; it only scans data that will be stored in Traffic Monitor to remove the XML parts matching the configuration.
The XML redactor uses a cautious approach. In the case of an error during the redaction process (including "maxBufferSize" or "maxDepth" reached) it will redact the rest of the XML data being processed to avoid writing any sensitive data to the logs. This means that, in such error cases, data stored in Traffic Monitor will be truncated.
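The fail-closed behaviour described above, as an added illustration in Python (not Axway's implementation): a non-validating scanner that redacts everything still unwritten once maxDepth or maxBufferSize is hit. The function name, the [REDACTED] marker, the sample document and the reading of maxBufferSize as a per-token byte limit are assumptions.

```python
import re

REDACTED = "[REDACTED]"  # constructed marker; the product's output format is not shown here

# Constructed sample payload.
SAMPLE = ("<order><id>42</id><card><number>4111</number>"
          "<cvv>123</cvv></card></order>")

# A token is either one tag ("<...>") or a run of text up to the next "<".
_TOKEN = re.compile(r"<[^<>]*>|[^<]+")
_TAG_NAME = re.compile(r"</?\s*([^\s/>]+)")


class RedactionError(Exception):
    """Raised when the scanner cannot safely continue."""


def redact_xml(data, redact_elements, max_buffer_size=32768, max_depth=1024):
    """Return (redacted_text, truncated).

    Scans without validating. On any error, including a limit being hit,
    everything not yet emitted is replaced by REDACTED (fail closed).
    """
    out = []
    stack = []        # names of currently open elements
    hide_from = None  # stack depth at which content redaction started
    pos = 0
    try:
        while pos < len(data):
            m = _TOKEN.match(data, pos)
            if m is None:
                raise RedactionError("unterminated or malformed tag")
            tok = m.group(0)
            # Assumption: maxBufferSize is modelled as the largest single
            # token (in UTF-8 bytes) the scanner is willing to hold.
            if len(tok.encode("utf-8")) > max_buffer_size:
                raise RedactionError("maxBufferSize reached")
            emit = hide_from is None
            if tok.startswith("<") and not tok.startswith(("<?", "<!")):
                name = _TAG_NAME.match(tok)
                if name is None:
                    raise RedactionError("tag without a name")
                if tok.startswith("</"):
                    if not stack:
                        raise RedactionError("close tag with nothing open")
                    stack.pop()
                    if hide_from is not None and len(stack) < hide_from:
                        hide_from = None  # the redacted element has closed
                        emit = True
                elif not tok.endswith("/>"):
                    stack.append(name.group(1))
                    if len(stack) > max_depth:
                        raise RedactionError("maxDepth reached")
                    if hide_from is None and name.group(1) in redact_elements:
                        hide_from = len(stack)
                        tok += REDACTED  # keep the tag, drop its content
            if emit:
                out.append(tok)
            pos = m.end()
    except RedactionError:
        # Fail closed: the stored record is truncated rather than leaked.
        out.append(REDACTED)
        return "".join(out), True
    return "".join(out), False


if __name__ == "__main__":
    print(redact_xml(SAMPLE, {"card"}))
    print(redact_xml("<a>" * 5 + "secret" + "</a>" * 5, set(), max_depth=3))
```

A truncated record in Traffic Monitor is therefore the expected sign that a limit was reached, not evidence of data loss in the message itself.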

New XML redaction directive


redactAttributes  Removes the specified attributes

The redactAttributes directive is the default value if redactionDisposition is not present on an XMLRedactedElement configuration node.

Policy Studio/Configuration Studio

Security

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-17325 01052413 Issue: "openid" is always accepted as a valid scope in all OAuth configurations. There are circumstances where customers do not want "openid" to be a valid scope.
Resolution: A system variable "com.axway.oauth.scopes.openid.allow" can be set to "false" when customers do not want "openid" to be valid.
RDAPI-17767 01083881 Issue: The response to an HTTP OPTIONS request contains the HTTP OPTIONS request headers.
Resolution: The response to an HTTP OPTIONS request no longer contains the HTTP OPTIONS request headers.
RDAPI-18100 00963339, 01123654 CVE-2019-14379 Issue: Jackson-databind version 2.9.5 has security vulnerabilities.
Resolution: This component has been updated to 2.9.10 which does not have these security vulnerabilities.
RDAPI-18240 01096489 Issue: A malicious user can use a bad scope to force the authentication request to redirect the error message to a non-validated URI.
Solution: Redirect URIs are validated before the scopes, and an invalid request response is sent if the URI is invalid. This assures that in the event of a bad scope, the error information will be redirected to a legal URI.
RDAPI-18264 01095306 Issue: Dojo 1.10.4 has a security vulnerability
Resolution: Upgraded to Dojo 1.10.10 where the vulnerability is fixed
RDAPI-19850 01155074 Issue: Proxy authorization appears in product traces.
Resolution: Authentication information has been removed from traces.
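An added sketch of the ordering change in RDAPI-18240 (illustrative Python, not Axway's code): the same authorization request is handled with the scope check first and then with the redirect URI check first. The client registry, function names, error codes returned directly and sample requests are constructed assumptions.

```python
from urllib.parse import urlencode

# Constructed client registry (hypothetical; not Axway's data model).
CLIENTS = {
    "demo-client": {
        "redirect_uris": {"https://app.example.com/callback"},
        "scopes": {"openid", "resource.READ"},
    }
}

# Constructed requests: a bad scope with an unregistered and a registered URI.
BAD_SCOPE_BAD_URI = {"client_id": "demo-client", "scope": "no-such-scope",
                     "redirect_uri": "https://unregistered.example.net/cb",
                     "state": "s1"}
BAD_SCOPE_GOOD_URI = dict(BAD_SCOPE_BAD_URI,
                          redirect_uri="https://app.example.com/callback")


def direct_error(error):
    """Answer the user agent directly; nothing is sent to a redirect URI."""
    return {"status": 400, "error": error, "location": None}


def redirect(uri, **params):
    """Redirect with query parameters (constructed URIs have no query part)."""
    query = urlencode({k: v for k, v in params.items() if v is not None})
    return {"status": 302, "error": params.get("error"),
            "location": uri + "?" + query}


def scope_ok(client, req):
    return set(req.get("scope", "").split()) <= client["scopes"]


def authorize_scope_first(req):
    """Ordering described in the issue: scope is checked before the URI."""
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        return direct_error("invalid_request")
    uri = req.get("redirect_uri", "")
    if not scope_ok(client, req):
        # The error goes to whatever URI the request supplied.
        return redirect(uri, error="invalid_scope", state=req.get("state"))
    if uri not in client["redirect_uris"]:
        return direct_error("invalid_request")
    return redirect(uri, code="CONSTRUCTED_CODE", state=req.get("state"))


def authorize_uri_first(req):
    """Ordering described in the resolution: the URI is validated first."""
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        return direct_error("invalid_request")
    uri = req.get("redirect_uri", "")
    if uri not in client["redirect_uris"]:
        return direct_error("invalid_request")  # never redirect to it
    if not scope_ok(client, req):
        return redirect(uri, error="invalid_scope", state=req.get("state"))
    return redirect(uri, code="CONSTRUCTED_CODE", state=req.get("state"))


if __name__ == "__main__":
    print(authorize_scope_first(BAD_SCOPE_BAD_URI))
    print(authorize_uri_first(BAD_SCOPE_BAD_URI))
```

A regression test for this fix should assert that no response to a request with an unregistered redirect URI ever carries a Location header.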

Other fixed issues

Internal ID Case ID Description
RDAPI-14622 01009409 Issue: Some HTTP response headers (like 'Via' or 'Server') are not logged in the Transaction Access Log when configured to do so.
Resolution: All the HTTP headers sent as response are now accessible from the Transaction Access Log layer.
RDAPI-16365 01054344, 01070938 Issue: Custom attributes added during invocation of a policy during the OAuth External inbound security authentication were discarded upon failed authentication, and thus were not available to the Fault Handler.
Resolution: Upon failed OAuth External authentication all custom attributes created during policy invocation are retained, and are available to be used in the Fault Handler.
RDAPI-16490 01063687 Issue: Frontend API creation fails when using https and unavailable host
Resolution: Frontend API creation does not fail when backend host is not available
RDAPI-16633 01068308, 01100492 Issue: Backend invocation failing with 500 when outbound OAuth is used and Trace level is set to DATA.
Resolution: Backend invocation when outbound OAuth is used works with all trace levels.
RDAPI-16648 01051063 Issue: In API Gateway 7.5.3 and later, the SMIME Sign filter uses 'sha256' digest algorithm by default, but it incorrectly generates SMIME Content-Type header with micalg="sha1" attribute.
Resolution: You can change the default SMIME digest algorithm with the Java system property 'com.axway.apigw.smime.sign.md' in the jvm.xml file, or via the policy message attribute, for example, 'com.axway.apigw.smime.sign.md=sha1'. The policy message attribute supersedes the Java system property.
The following digest algorithms are supported: sha1, sha224, sha256, sha384, and sha512. The corresponding SMIME Content-Type header 'micalg' attribute is set accordingly.
RDAPI-16777 01072496 Issue: Trailing slash is incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.
Resolution: Trailing slash is no longer incorrectly added to Per-Method Override Back-end Paths for WSDL APIs.
RDAPI-17025 00999364 Issue: ModSecurity status code was hardcoded to 403.
Resolution: It can now be configured in ModSecurity configuration.
RDAPI-17031 01059408 Issue: An assertion is triggered when a thread cannot be started.
Resolution: Threads that cannot be started no longer terminate the process.
RDAPI-17036 01075614 Issue: Projpack was failing to create a project if the run command contains --passfile and a string containing '-f'
Resolution: The script has been updated to properly handle the occurrence of '-f' in a string
RDAPI-17043 01059408 Issue: Process termination is triggered when network connection cannot be instantiated.
Resolution: Connection instantiation errors are no longer triggering process termination.
RDAPI-17074 01075780, 01078365, 01064036 Issue: API Manager is validating the encoding attribute as well as the MIME Type.
Resolution: Swagger import validation in API Manager validates only the base MIME type.
RDAPI-17080 01036528 Issue: In API Catalog, the metrics tooltip for an API is kept on screen even after user clicks any other place on the screen.
Resolution: If metrics tooltip for an API is shown, and user clicks anywhere else on the screen, the metrics tooltip is closed.
RDAPI-17095 01064543, 01078637 Issue: No option to prevent API Manager adding a forward slash "/" to back-end API calls.
Resolution: Add the "com.vordel.apimanager.swagger.method.singleslash.ignore=true" Java system property to the file jvm.xml in the directory conf/ of the instance to disable passing a single slash method path to the back-end. For example:
<ConfigurationFragment>
    <VMArg name="-Dcom.vordel.apimanager.swagger.method.singleslash.ignore=true" />
</ConfigurationFragment>
RDAPI-17120 01082134, 01130919, 01121664 Issue: Failure occurred when executing the managedomain script with the '--topology_synch' option. This was due to incorrect processing of query parameters passed to the updateTopology API.
Resolution: The logic for processing the query parameters has been updated so that updateTopology API will interpret them correctly.
RDAPI-17127 01064774 Issue: API Manager keeps user registration data for non-activated user accounts.
Resolution: User registration data for an account that is not activated will be automatically deleted after a period of time. The period of time can be configured by system property com.axway.apimanager.queue.ttl. The default period is 604800 seconds (7 days).
RDAPI-17131 01040133 Issue: Parallel deletion of APIs caused issues in updates of quota relations in tables
Resolution: Parallel deletion of APIs is fixed by caching the quota relations, which removes the need for an update so that only a delete is performed on the database when removing quota information.
RDAPI-17149 01076160 Issue: Malformed JSON content may bypass API request payload validation in some cases.
Resolution: API request payload validation strictly verifies all tokens in JSON payload for Objects and Arrays. To enable relaxed JSON parsing, set the Java system property com.axway.json.parser.legacy to true. The default is false.
RDAPI-17169 01075542 Issue: When a REST API is created in Policy Studio and then deployed to an API Gateway, the base path appears duplicated in Dynamic Settings of API Gateway Manager.
Resolution: In API Gateway Manager, Dynamic Settings now lists REST APIs created in Policy Studio only once.
RDAPI-17197 01085118 Issue: An organization's read-only createdOn field can be reset using a PUT request.
Resolution: An organization's createdOn field can no longer be changed using a PUT request.
RDAPI-17249 01084300, 01056692 Issue: OAuth server does not return 401 in compliance with the RFC 6749 for certain "invalid_client" errors.
Resolution: It now returns 401 as per RFC 6749. See https://tools.ietf.org/html/rfc6749#section-5.2
RDAPI-17275 01074983 Issue: In API Gateway, when using OpenID Connect 1.0 on top of the OAuth 2.0 protocol, OpenId tokens generated by the hybrid flow do not contain the c_hash (code hash) value.
Resolution: OpenID tokens generated by the hybrid flow now include c_hash.
RDAPI-17319 01083828 Issue: Transaction access logger is doing a reverse DNS lookup with the source IP address even when "%h" is not used.
Resolution: A DNS lookup has been removed from policy pre-execution phase.
RDAPI-17329 01080317 Issue: JSON to XML filter was crashing in some specific cases for valid input
Resolution: JSON to XML filter is fixed now and should work properly for valid inputs
RDAPI-17384 01059408 Issue: In API Gateway, in some specific cases, the caching of SSL connections was producing memory leaks that could cause the gateway to crash.
Resolution: In API Gateway, memory handling has been reviewed and is now fixed for SSL connections caching.
RDAPI-17404 01088304 Issue: After deploying to a gateway a new API Client Cache is created, but all references to the old cache are not removed so the memory it consumes is not made available again.
Resolution: All references to the discarded API Client Cache are removed, so the memory it was consuming is made available again right after deployment completes.
RDAPI-17473 01069445, 01065952 Issue: Deployment REST API envsettings/service/{serviceId} returns 500 Internal server error when instance is remote.
Resolution: It now returns the environment settings of the remote instance as requested.
RDAPI-17478 01091120 Issue: Requests return status code 401 while the API Client Cache is still updating.
Resolution: Requests will now return status code 503 unless the "com.axway.apimanager.apiclient.cache.response.legacy" Java system property is set to "true".
RDAPI-17491 01091555 Issue: API Gateway ehcache filters fail to store unserializable class to disk.
Resolution: The com.vordel.circuit.cert.ocsp.CacheObject class is now serializable.
RDAPI-17538 01075694 Issue: The IP address authentication filter updates are very slow.
Resolution: The performance of IP address authentication filter is improved as the amount of disk I/O performed is significantly reduced.
RDAPI-17549 01093544, 01127717, 01119771 Issue: RegEx pattern for email validation was incorrect.
Resolution: RegEx pattern for email validation changed to comply with rfc5322.
RDAPI-17621 01095012, 01094618 Issue: "Retrieve OAuth Client Access Token From Token Storage" filter requires a hard-coded Client-Credential profile.
Resolution: "Retrieve OAuth Client Access Token From Token Storage" can now read the Client-Credential profile from the whiteboard in the same way as "Get OAuth Access Token" filter.
RDAPI-17650 01097471 Issue: Trace: Error traces are not provided when an error is triggered when an OAuth scope is added as a form parameter.
Resolution: Error traces are now shown in logs.
RDAPI-17758 01093982 Issue: Description field is missing in Method edit page of Backend API in API Manager.
Resolution: Description field returned to Method edit page of Backend API in API Manager.
RDAPI-17773 01094845, 01065335, 01066017, 01087748, 01100450 Issue: Error on formatting in Traffic Monitor GUI and Trace Files
Resolution: The alignment of trace output has been corrected. The trace indentation error is now reported per processing thread, and if reported, the trace indentation stays intact in unaffected threads.
RDAPI-17805 01080989 Issue: API Gateway Analytics metrics include the start and end time data point, causing an overlap when combining consecutive time frames.
Resolution: Reports exclude the end time data point so that consecutive reports' metrics match the combined report totals.
RDAPI-17811 01090822 Issue: API Gateway doesn't check OAuth Authz codes' expiry times when stored in an SQL DB. The purge thread is responsible for deleting expired codes. This caused a potential delay, as API Gateway treated all available codes as valid.
Resolution: API Gateway now checks the expiry time of an OAuth Authz code when it uses it. The purge thread behaves as before.
RDAPI-17916 01122859, 01132092, 01133854, 01064716 Issue: Changes to an Organization Name or Organization that an Application is associated with causes duplication in the API Manager Metrics reports.
Resolution: API Manager Metrics reports now restrict report totals using the Organization name the Application is associated with.
RDAPI-17931 01101884, 01100259 Issue: The SMTP connection security setting (SSL or TLS) that API Manager uses for sending emails is not applied to the API Manager SMTP SSL port.
Resolution: The SMTP connection security setting is now applied to the API Manager SSL SMTP port.
RDAPI-18033 01104323, 01080681, 01084375 Issue: The deployment time for API Manager is too slow when there are many APIs and methods defined in KPS.
Resolution: Improved caching in API Manager while loading API method data stored in KPS. Reuse compiler when loading the Script filters.
RDAPI-18036 01094555, 01094399 Issue: API Manager startup time slows down considerably in HA environments when the number of organizations increases.
Resolution: Organizations are cached in memory so the calls to DB are reduced. This makes the startup process faster.
RDAPI-18044 01019805 Issue: API Gateway cannot configure group passphrase with $ character in the password.
Resolution: API Gateway allows configuring a group passphrase containing the $ character.
RDAPI-18102 01074742 Issue: A missed impact in the advanced editing implementation leads to a blank entity reference overwriting the first in the list of node locations for the XML Signature Generation & Verification filters
Resolution: Valid node location references are not overwritten during save in advanced editing mode
RDAPI-18105 01088304 Issue: The browser is unable to process the number of External Clients, OAuth Clients and API Keys that API Gateway is returning, upwards of 100 MB in the response payload.
Resolution: Server-side pagination is implemented for GET requests for API Keys, OAuth Clients and External Clients, resulting in much smaller payloads being returned to the client.
RDAPI-18108 01048992, 01049266 Issue: As a User, a getApplications call results in an individual call to KPS for every application to look up permissions
Resolution: The permissions are already cached; the cached permissions are now used rather than reading from KPS for each application.
RDAPI-18112 01073806, 01074080 Issue: Event logging for API Manager was incorrectly overwriting the Application Id in the Service Context "client" field.
Resolution: API Manager no longer overwrites the Service Context "client" field from its initial value.
RDAPI-18116 01079030 Issue: The apimanager-promote script only had capabilities to add API access to an organisation. There was no functionality to revoke access.
Resolution: A new property, 'organization.apis.remove', was added to the script to allow revoking API access from organisations.
RDAPI-18120 01090932 Issue: Dollar Sign ($) is being treated as an invalid character in the API Resource Path.
Resolution: Validation of the Resource Path now accepts characters specified in RFC3986.
RDAPI-18134 01107890 Issue: One disabled OAuth credential makes the rest of OAuth credentials not usable.
Resolution: Disabling/Enabling one OAuth credential will not affect the rest of OAuth credentials.
RDAPI-18246 01104282 Issue: In API Gateway, when a JSON message containing an empty message goes through redaction, an error occurs and API Gateway fails to log the correct data in the Traffic Monitor.
Resolution: In API Gateway, JSON Redaction accepts empty objects in messages and logs the result to the Traffic Monitor.
RDAPI-18259 01026796, 01046656 Issue: SFTP client filter shows intermittent handshake failure when uploading files to an API Gateway SFTP Server.
Resolution: Intermittent handshake failures are fixed after SFTP implementation is upgraded from using mina-sshd v0.6.0 to v2.2.0.

Note:
The log4j.properties file was changed to add logging for the SFTP Server.
When applying a patch or upgrade, you must therefore merge your changes back into the updated log4j.properties file.
RDAPI-18296 01078776, 01109328, 01110676 Issue: Nested relative path behavior changed, causing customer policies to fail
Resolution: The invocation of policies for nested relative paths in API Gateway has been corrected according to documentation.
RDAPI-18302 01109290, 01071882, 01108056 Issue: Using the jvm property 'http.nonProxyHosts' in API Manager did not work as expected. It had no effect on the routing of requests through a Proxy Server.
Resolution: Enabled the use of the 'http.nonProxyHosts' property in API Manager. Now it can be used to define the hosts that should not be routed through a Proxy.
RDAPI-18306 01085199, 01082725 Issue: API Manager blocks API Manager traffic when processing virtualized API updates.
Resolution: API Manager no longer blocks API Manager traffic.
RDAPI-18374 01111969 Issue: API Manager shows permission error message when a 'User' role tries to create an application.
Resolution: 'User' role no longer encounters unexpected errors when creating an application.
RDAPI-18377 01105501 Issue: Editing of application sharing details prevents further editing of other application details.
Resolution: Editing of application details is not interrupted anymore.
RDAPI-18483 01055643 Issue: Message body is lost in case of OAuth token and refresh token expiry.
Resolution: Message body is preserved in case of OAuth token and refresh token expiry.
RDAPI-18504 01114234, 01103799 Issue: API Gateway Analytics can't handle a time range greater than one year.
Resolution: Analytics has been updated to handle time ranges greater than one year.
RDAPI-18522 01114864, 01116592 Issue: The backend was not validating int query parameters
Resolution: The backend now validates int query parameters
RDAPI-18642 01121103, 01120682 Issue: In API Gateway, when using a "Execute External Process" filter, the timeout attribute can't be configured using a selector.
Resolution: In API Gateway, the timeout attribute of "Execute External Process" filter now accepts selectors.
RDAPI-18661 01120523 Issue: In Policy Studio, there was a broken link when clicking "Jump to Configuration" on an Environmentalized API Manager Setting.
Resolution: Added link so that clicking "Jump to Configuration" on an Environmentalized API Manager Setting will correctly redirect to the API Manager Settings.
RDAPI-18670 01088090 Issue: Get OAuth Client Access Token doesn't handle array data on the JSON returned by the OAuth server
Resolution: OAuth Client Access Token JSON can now contain arrays as additional information.
RDAPI-18703 01103775, 01073101 Issue: XML redaction is very slow when processing large XML files.
Resolution: XML redaction has been fully rewritten to be performant and have a low memory footprint: the maximum memory size and the maximum XML node depth accepted can be controlled using the properties <XMLRedactor maxBufferSize="32768" maxDepth="1024">.
Issue: XML redaction with disposition "redactDescendants" is only removing children nodes.
Resolution: XML redaction with disposition "redactDescendants" now correctly removes both text and children nodes.
RDAPI-18911 01129719, 01128960 Issue: Large numbers of OAuth authorizations (oauth_authorizations table) cause API Manager to become unresponsive.
Resolution: Support for pagination headers has been implemented in the api/portal/v1.3/authorizations API and API Manager UI.
RDAPI-18928 01129922, 01107031 Issue: API Manager Metrics reports group database results differently causing processing time averages calculated to differ between reports.
Resolution: Processing time averages are now processed independent of database grouping.
RDAPI-19031 01122840, 01102901 Issue: Projpack is extremely slow to process large numbers of projects as it merges the same dependent projects multiple times.
Resolution: Duplicate dependent projects are removed from the projects to be merged and this reduces the merge time.
RDAPI-19040 01127526, 01133840 Issue: API Manager was not encoding special characters when downloading a swagger definition
Resolution: API Manager is now encoding special characters when downloading a swagger definition
RDAPI-19071 01147692, 01129486, 01129357 Issue: In API Manager, ApiShunt isn't present in the message whiteboard when the fault handler is being executed.
Resolution: An 'api.error.reason' message attribute is now added to the message whiteboard prior to the fault handler policy being executed.
RDAPI-19244 01138607, 01139565, 01139664 Issue: Large number of open socket descriptors on Linux 64-bit may cause API Gateway to crash.
Resolution: API Gateway can now handle a large number of socket descriptors on Linux 64-bit.
RDAPI-19366 01140925 Issue: API Manager API Service Context is missing in Open Traffic & Event logs in some scenarios.
Resolution: The API Manager Service Context is now available in Open Traffic & Event logs for failed API method requests. The failed API method requests are shown as blocked in the API Manager monitoring.
RDAPI-19524 01147261 Issue: CRL validation raised errors when there were multiple CAs with same DN in the certificate store.
Resolution: CRL validation will no longer raise an error when multiple issuers are found for a certificate. In such a case, the certificate and its issuers must be filtered before invoking the right CRL filter.
RDAPI-19754 01143906, 01149148 Issue: Query Parameters are not validated correctly by API Manager
Resolution: Query Parameters are now validated correctly
RDAPI-19756 01096753, 01111767, 01094639 Issue: In Policy Studio or Configuration Studio, the KPS Table Structure view shows black check-boxes for table rows on Windows.
Resolution: The KPS Table Structure view correctly shows check-boxes for table rows.
RDAPI-19837 01154776 Issue: The Sentinel Event and Sentinel Link Event filters Tracked Object configuration did not work.
Resolution: The Sentinel Event and Sentinel Link Event filters Tracked Object configuration now works. Also validation is added to ensure that the Sentinel filters are configured correctly with a Sentinel Server and a Tracked Object.
RDAPI-19938 01102029, 01104054 Issue: Invocation of filters "Store Message" and "Restore Message" might result in an empty message body when the message body content is too large.
Resolution: The filters correctly process large message body content.
RDAPI-20256 01160271, 01143897, 01153011, 01160321, 01160146 Issue: API Manager was creating sessions incorrectly resulting in possible authentication issues during high traffic.
Resolution: API Manager now only creates a session upon successful login.
RDAPI-20463 01164345 Issue: The 'Applications' link on the edit user page in API Manager does not filter the correct applications from view
Resolution: The link now filters the correct applications from the view

Known issues

The following known issues are currently scheduled for the next service pack:

Internal ID Description
RDAPI-19278 API access removed from app during org migration
RDAPI-19418 api.error.source not available in APIManager fault handler
RDAPI-19433 Line breaks in outbound parameter (type header) value not escaped
RDAPI-19849 OAuth2 Client Credential cache not considering the scope/user
RDAPI-20255 Application Quota not promoted by apimanager promote
RDAPI-21030 API Manager ignores dont.expect.100.continue flag if the Outbound Security is HTTP Basic

Reverted issues


Install the service pack

These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.

  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
    Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly to avoid any regex matching issues. For example, the following directories might contain customized files:

    webapps/apiportal/vordel/apiportal
    webapps/emc/vordel/manager/app
    webapps/emc

    system/conf/apiportal/email
    system/conf
    samples/scripts/
    tools/filebeat-VERSION-PLATFORM

    For details on API Manager customization, see the API Manager User Guide.
  3. Remove old third-party libraries by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/modules
    INSTALL_DIR/analytics/system/lib/modules
  4. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/apigateway/platform/jre
    INSTALL_DIR/analytics/platform/jre
  5. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
  6. On Linux, remove existing capabilities on product binaries (which may prevent overwriting files):
    setcap -r INSTALL_DIR/apigateway/platform/bin/vshell

FIPS mode only

If FIPS mode is enabled, you must also perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack as described in the Installation section.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.6.2 SP5 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP5_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/

  4. Change to the apigateway directory in your installation: 
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.6.2 SP5 Analytics over the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP5_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
  3. Change to the analytics directory in your installation: 
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.6.2 SP5 Policy Studio over the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP5_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
  4. Start Policy Studio with policystudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.6.2 SP5 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP5_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
  4. Start Configuration Studio with configurationstudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

After installation

The following steps apply after installing the service pack.

API Gateway

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.

Notes:

  1. The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users using RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS of the RSA Access Manager to support stronger cipher suites. Alternatively, you can re-enable the anonymous cipher suites in JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
  2. The JRE included in API Gateway enables endpoint identification algorithms for LDAPS (secure LDAP over TLS) by default to improve the robustness of the connections. This may cause API Gateway LDAP filters to fail to connect to an LDAPS server. In this case, you can disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification:

API Manager

When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.

Caution: Before executing the update-apimanager script:

This script updates the active deployment in the API Manager group. After running the script, you must recreate the API Manager project (common project, containing Server Settings) from the deployment, so that you won't need to revert the changes the next time you perform a project deployment.

As an alternative to recreating the API Manager project, you can deploy only your common project to a development server and run the update-apimanager script against it, and create a new common project from this gateway instance. Then, you must deploy your updated policies to your API Manager group.

Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:

/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP

If the API Gateway group is protected by a passphrase, you must append the above command with --passphrase=API_MGR_GROUP_PASSPHRASE

Client Application Registry

The following command shows an example of running the update-apimanager script when the Client Application Registry is installed: 

/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg

If the API Gateway group is protected by a passphrase, you must append the above command with --passphrase=API_MGR_GROUP_PASSPHRASE

Documentation

Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2020 Axway. All rights reserved.