Axway API Gateway 7.4.1 SP 4 Readme

Document version: 2 December 2016


Readme for 7.4.1 SP 4

This Readme applies to Axway API Gateway 7.4.1 SP 4 on all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product. This service pack is cumulative and includes all updates from previous API Gateway 7.4.1 service packs.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.1_SP4_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements:

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-5877 CVE-2016-0800, CVE-2016-2107

Issue: Update to OpenSSL version.
Resolution: Previously, API Gateway included OpenSSL version 1.0.1, which ceases to be supported on 31 December 2016.

Now, API Gateway uses OpenSSL 1.0.2j-fips, which is supported until 31 December 2019. This version also addresses known security vulnerabilities, such as DROWN (CVE-2016-0800) and the padding oracle in the AES-NI CBC MAC check (CVE-2016-2107).

The SSLv2 40-bit EXPORT ciphers and SSLv2 56-bit DES are no longer available, and DH handshakes with parameters shorter than 1024 bits are now rejected. For more details, see OpenSSL Security Advisory [26 Sep 2016] and OpenSSL CHANGES.

Other fixed issues

Internal ID Case ID Description
RDAPI-1063 00807182

Issue: No HTTP header information in Traffic Monitor in API Gateway Manager.
Resolution: Previously, the response headers were not available in Response From API Gateway in Traffic Monitor when the response started with HTTP 100 Continue.

Now, all the headers are correctly shown.

RDAPI-1167 00807346

Issue: How to hide internal server endpoints in exposed WSDL?
Resolution: Previously, API Gateway exposed an external location in the WSDL and XSD import instructions.

Now, API Gateway replaces external locations with locations identified by their fingerprint that API Gateway can render.

RDAPI-2545 00824002

Issue: The Retrieve from or write to database filter fails with NullPointerException when the Date column contains null.

Resolution: Previously, if you ran a query on Retrieve from or write to database filter that retrieved the Date column, the filter failed with a NullPointerException if the column in the database contained the field value null.

Now, if you run a query that retrieves the Date column containing the value null, the Retrieve from or write to database filter proceeds. If you have set the system property ALLOW_NULL_VALUES_FROM_DB to false (the default value), the field is not added to the list of attributes the filter generates. If you have set the property to true, the filter adds the field to the list of attributes with the value of "".

RDAPI-2638 00821003

Issue: The Read Application filter does not return image property.
Resolution: Previously, you could not export the image property in the application object, because the property was not defined as persistent or public, so the Read Application filter could not export it.

Now, the image property has been defined both as public and persistent, and the Read Application filter can correctly export it.

RDAPI-3154 00832311

Issue: Wrong behavior on the Retrieve Attributes from Directory Server filter if the directory is called several times.

Resolution: Previously, in the Retrieve Attributes from Directory Server filter, if you selected Enable the legacy attribute naming for retrieved attributes and called the directory more than once, the previously retrieved attribute values were overwritten with each call.

Now, the retrieved values are no longer overwritten and correctly match the values in the directory.

RDAPI-3216 00833619 Issue: The Connect to URL filter fails with a short hostname alias.

Resolution: Previously, the Connect to URL filter might cause API Gateway to crash if the hostname alias of the URL was very short, for example, http://loc:80 instead of http://localhost:8080.

Now, API Gateway handles these requests without crashing.

RDAPI-3570 00839714

Issue: Issue with refreshing Salesforce tokens.
Resolution: Previously, an outbound OAuth connector in API Manager could use a token that appeared to be valid but was nevertheless rejected by the service provider. As a result, API Manager deleted the token and reported a failure.

Now, you can configure the default routing policy to retry the request, if API Manager receives a 401 response. API Manager then attempts to acquire a new token before retrying the original request.

RDAPI-3608 00859686

Issue: Scriptable kpsadmin tool.
Resolution: Previously, you had to manually administer each KPS collection, and you could not script and automate important operations, such as backing up. In addition, error handling did not return useful information from the server, and error handling was inconsistent.

Now, group level operations have been added to manage KPS collections, and you can use scripts in the kpsadmin tool. In addition, server information is now returned to the user, and error handling is now consistent.

For more details, run kpsadmin -h in the kpsadmin tool.

It is recommended to try out these features in the development environment before using them in the production environment.

For more details, see the API Gateway Key Property Store User Guide.

RDAPI-3878 00840339

Issue: The Admin User Rest API documentation is empty.

Resolution: Previously, the documentation for the Admin User REST API was missing.

Now, the documentation is available online at https://support.axway.com/htmldoc/1433379.

RDAPI-3880 00836121 Issue: The XML to JSON filter converts Unicode characters to ?.

Resolution: Previously, the XML to JSON filter used the system's default encoding when converting the message.

Now, the XML to JSON filter uses UTF-8 encoding.

RDAPI-4106 00841372 Issue: Applying a service pack breaks the Policy Studio help.

Resolution: Previously, after applying a service pack, the Policy Studio help contents were missing, and the help was blank.

Now, after applying a service pack, the Policy Studio help is displayed normally.

RDAPI-4195 00840012 Issue: Fault handler policy not called on failure.

Resolution: Previously, the Read API Proxy filter was not handling exceptional circumstances correctly, and the fault handler was not called in case of a failure.

Now, the Read API Proxy filter correctly handles exceptional circumstances and ensures that the fault handler is called.

RDAPI-4324 00845637

Issue: Cannot add a Policy Assembly filter to a policy.
Resolution: Previously, you could not add a Policy Assembly filter to a policy.

Now, you can add the Policy Assembly filter to a policy.

RDAPI-4463 00839882

Issue: SSL protocols from ssloptions.xml are not always enforced with Remote Host in API Gateway.
Resolution: Previously, the Connect to URL filter with Remote Host settings did not always enforce the SSL protocols configured in system/conf/ssloptions.xml.

Now, the Connect to URL filter always uses the SSL protocols configured in system/conf/ssloptions.xml.

RDAPI-4532 00847255 Issue: Variable cannot be entered in the Port field for a File Transfer Service listener.

Resolution: Previously, when configuring a File Transfer Service listener in Policy Studio, you could not set the port value to use a selector.

Now, you can set the port value to use a selector.

RDAPI-4684 00849495 Issue: JSON Remove node filter not working as expected.

Resolution: Previously, the value of the check box Fail if no nodes returned from JSON Path in the JSON Remove Node filter was ignored.

Now, the JSON Remove Node filter follows the success path if this check box is selected and the JSON Path expression does not return any nodes.

RDAPI-4791 00851001 Issue: Cross-site scripting (XSS) vulnerability in API Gateway Manager.

Resolution: Previously, API Gateway Manager was vulnerable to XSS attacks. In case of repeated failed login attempts to API Gateway Manager, an error message containing the unescaped user name was displayed.

Now, the error message displayed no longer contains the user name.

RDAPI-4835 00851284

Issue: Cannot deserialize an instance of java.lang.String out of a START_ARRAY token in Open ID Connect.

Resolution: Previously, in the Verify ID Token filter, the presence of an Authentication Methods References (amr) claim in an ID Token resulted in a token deserialization failure.

Now, amr claims are deserialized correctly without failures.

RDAPI-4951 00841109, 00859658, 00847890, 00859498

Issue: Memory leak in Traffic Monitor.
Resolution: Previously, API Gateway might crash or report Out Of Memory errors due to a small memory leak in Traffic Monitor.

Now, this memory leak has been fixed.

RDAPI-5125 00857187, 00843534

Issue: Data missing from access log.
Resolution: Previously, the size of the response body was evaluated before processing the request. This caused several variables in the access log, such as bytes sent to the client, to always appear blank.

Now, the bytes sent to the client logged in the access log correctly reflect the size of the content body.

RDAPI-5386 00852989

Issue: Environmentalized Certificate Chain filter shows only certificates with private key.
Resolution: Previously, when a Certificate Chain filter was automatically environmentalized in Policy Studio, you saw only a small set of certificates (certificates with a private key) in Configuration Studio.

Now, you can see all certificates in Configuration Studio.

RDAPI-5588 00857893

Issue: Insufficient data logged when an error occurs in the JSON Schema Validation.
Resolution: Previously, when the JSON Schema Validation filter encountered an error when validating JSON, only the basic error message field was logged in the json.errors message attribute, and this information was not always sufficient.

Now, the JSON Schema Validation filter includes a new message attribute, json.errors.full. If the filter finds JSON not conforming to a given schema, this message attribute provides the full error context.

RDAPI-5882 00811590

Issue: Update to McAfee Anti-Malware Engine.
Resolution: Previously, API Gateway was using McAfee Anti-Malware Engine 5700.

Now, API Gateway has been updated to McAfee Anti-Malware Engine 5800.

RDAPI-6152 00863107

Issue: The Get OAuth Access Token filter is incorrectly encoding the Authorization header.
Resolution: Previously, OAuth client applications that used the Authorization header to authenticate the app with the service provider incorrectly encoded the header with additional padding (base64 encoding).

Now, the Authorization header is properly encoded.

RDAPI-6217 00840941

Issue: A policy loads very slowly in Policy Studio.
Resolution: Previously, under certain conditions, a policy could take unusually long to load in Policy Studio because of the time taken to calculate the visibility of the required and generated message attributes.

Now, these conditions are handled correctly, and the message attribute calculations have returned to normal.

RDAPI-6251 00862127

Issue: Decryption fails when the key is on a hardware security module (HSM).
Resolution: Previously, there was a problem using the XML-Decryption filter on TripleDes keys. If the keys were wrapped using the XML encryption key wrap algorithm KwRsaOaep, the XML-Decryption filter failed with the error 0x70 (CKR_MECHANISM_PARAM_INVALID) when you attempted to unwrap the keys on SafeNet Network HSM.

Now, XML-Decryption OAEP unwrap works with SafeNet Network HSM.

Known issues

There are no known issues in this service pack.


Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. You must back up any customized API Manager data in INSTALL_DIR/apigateway/webapps/apiportal/vordel/apiportal/app/app.config before applying API Gateway and API Manager service packs. You must then restore customized API Manager data manually in the new app.config file.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the nodemanager to move the JARs.
  3. Stop the nodemanager.
  4. Install API Gateway 7.4.1 SP 4.
  5. Start the nodemanager.
  6. Stop the nodemanager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the nodemanager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway.

To install a new API Gateway installation from scratch without an existing installation, or to upgrade from an earlier version to 7.4.1, see the API Gateway Installation Guide.

Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.4.1 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 4 Core over the apigateway directory in your existing installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/apigateway/

API Gateway Appliance only

  1. In addition, before starting the Node Manager or API Gateway, you must run the following command:

    # [ -f /etc/vordel/ssl-engines.xml ] && mv /etc/vordel/ssl-engines.xml /etc/vordel/ssl-engines.xml.1

  2. Run the following:

    # chown -R admin:admin /opt/gateway/

    # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    # ldconfig

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.4.1 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 4 Analytics over the analytics directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP4_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/analytics/

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 4 Policy Studio over the policystudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP4_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/policystudio/

The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 4 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP4_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/configurationstudio/

The first time you start Configuration Studio, you must use configurationstudio -clean.
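
The four install procedures above share the same extract step, and the Readme states that an MD5 checksum is provided for each archive. The following script is an added example, not part of the Axway Readme or tooling: it checks an archive against the published MD5 and rejects member paths that are absolute or contain a ".." component before extracting it over the component directory. The function names and the four-argument calling convention are assumptions, and GNU md5sum and tar are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not Axway tooling): checks to run before extracting a
# service pack archive over an existing installation.

# verify_md5 ARCHIVE EXPECTED: succeed only if the archive's MD5 equals the
# value published with the download (compared case-insensitively).
verify_md5() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# paths_safe: read member names on stdin; fail if any is absolute or has a
# ".." component. Such names do not belong in an archive that is meant to be
# unpacked under the -C target directory.
paths_safe() {
    awk 'substr($0, 1, 1) == "/" || $0 ~ "(^|/)[.][.](/|$)" { bad = 1 }
         END { exit bad + 0 }'
}

# apply_service_pack ARCHIVE EXPECTED_MD5 INSTALL_DIR COMPONENT
# COMPONENT is the directory the archive is extracted over, e.g. apigateway.
apply_service_pack() {
    archive=$1; md5=$2; target=$3/$4
    [ -d "$target" ] || { echo "no such directory: $target" >&2; return 1; }
    verify_md5 "$archive" "$md5" ||
        { echo "MD5 mismatch for $archive" >&2; return 1; }
    listing=$(tar -tzf "$archive") ||
        { echo "cannot read $archive" >&2; return 1; }
    printf '%s\n' "$listing" | paths_safe ||
        { echo "unsafe member path in $archive" >&2; return 1; }
    # Previous patches in ext/lib are already included in the service pack;
    # list what is still there so it can be reviewed and removed.
    find "$3/ext/lib" -type f 2>/dev/null | sed 's|^|leftover in ext/lib: |' >&2
    tar -xzf "$archive" -C "$target/"
}

# Usage: sh apply_sp.sh ARCHIVE EXPECTED_MD5 INSTALL_DIR COMPONENT
if [ "$#" -eq 4 ]; then
    apply_service_pack "$@"
fi
```

The MD5 comparison guards against a corrupted or mismatched download only; it is only as trustworthy as the channel the published value was obtained from.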

After installation

Note

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file (64-bit installation):

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
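
File capabilities are stored on the binary itself, so they are worth re-checking once new binaries have been extracted and the setcap step has been run. The following script is an added example, not part of the Axway Readme or tooling: it parses getcap output in both the older and newer libcap styles and reports capabilities that are missing or not on the expected list. The function names are assumptions, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Axway tooling): audit the file capabilities on vshell.
# caps_in_line LINE: print the capability names found in one line of getcap
# output, one per line, sorted. Both libcap output styles are handled
# (constructed samples; the path is assumed to contain no spaces):
#   /path/vshell = cap_net_bind_service+ep    (older libcap)
#   /path/vshell cap_net_bind_service=ep      (newer libcap)
caps_in_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            if ($i == "=") continue
            clause = $i
            sub(/[+=-][eip+=-]*$/, "", clause)    # drop the flag suffix
            n = split(clause, names, ",")
            for (j = 1; j <= n; j++) if (names[j] != "") print names[j]
        }
    }' | sort -u
}

# unexpected_caps LINE ALLOWED: print capabilities in LINE that are not in the
# space-separated ALLOWED list.
unexpected_caps() {
    for cap in $(caps_in_line "$1"); do
        case " $2 " in
            *" $cap "*) ;;
            *) printf '%s\n' "$cap" ;;
        esac
    done
}

# missing_caps LINE REQUIRED: print capabilities in REQUIRED absent from LINE.
missing_caps() {
    present=" $(caps_in_line "$1" | tr '\n' ' ')"
    for cap in $2; do
        case "$present" in
            *" $cap "*) ;;
            *) printf '%s\n' "$cap" ;;
        esac
    done
}

# audit_vshell BINARY EXPECTED: succeed only if BINARY carries exactly EXPECTED.
audit_vshell() {
    line=$(getcap "$1") || return 2
    extra=$(unexpected_caps "$line" "$2")
    missing=$(missing_caps "$line" "$2")
    [ -z "$extra" ] || echo "unexpected capability: $extra" >&2
    [ -z "$missing" ] || echo "missing capability: $missing" >&2
    [ -z "$extra$missing" ]
}

if [ "$#" -eq 2 ]; then
    audit_vshell "$1" "$2"
fi
```

For a standard Linux installation the expected list is cap_net_bind_service; on the appliance, where the Readme's setcap command also grants cap_sys_rawio, pass both names separated by a space.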

Documentation

Go to Axway Support at https://support.axway.com to find all documentation for this product version.

All Axway documentation is available from Axway Support at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2016 Axway. All rights reserved