Axway API Gateway and API Manager 7.6.2 SP 4 Readme

Document version: 13 November 2019



Readme for 7.6.2 SP 4

This Readme applies to Axway API Gateway and API Manager 7.6.2 SP 4, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for these products.

This service pack provides fixes for a number of reported defects. It includes updates for the following:

The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for supported platforms (for example, APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Feature notes

General

API Manager

Security

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-16078 01053630 Issue: Missing user name validation in API Manager when changing user name of currently logged in user.
Resolution: Validation added to check the user name change for currently logged in user in API Manager.
RDAPI-16110 01054493 Issue: jQuery version 3.3.1 contains a security vulnerability, which is fixed in version 3.4.0.
Resolution: The jQuery version has been upgraded to 3.4.0.
RDAPI-16130 01054123 Issue: The Java version shipped with API Gateway contained security vulnerabilities.
Resolution: The API Gateway Java version has been upgraded to OpenJDK 1.8.0_212.
RDAPI-16438 01056395 Issue: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, an OAuth client_id different than the one represented by the JWT token can be passed as a body parameter and injected in the Access Token.
Resolution: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, the Gateway now uses only the OAuth client_id from the JWT token and disregards any value passed as a body parameter.
RDAPI-16666 01067185 Issue: The CSRF Token was not being sent with the deployment service call.
Resolution: The CSRF Token is being sent with the deployment service call and the deployment succeeds.
Note: The com.axway.apimanager.csrf Java system property (true by default) can be set to false to turn off the CSRF checks by API Manager, API Gateway Manager, and Client Application Registry.
RDAPI-16763 01047281, 01048422 Issue: Security headers are missing from responses.
Resolution: Missing security headers have been added.
Note: You must update existing configurations of API Manager using the update-apimanager script to avail of the feature. New setups of API Manager have the feature by default.

Other fixed issues

Internal ID Case ID Description
RDAPI-13433 00949172, 00951645 Issue: In the API Manager exported Swagger 2.0 file the security field scopes were incorrectly formatted for scope must match Any.
Resolution: In the API Manager exported Swagger 2.0 file the security field scopes are correctly formatted for scope must match Any.
RDAPI-14550 01012098 Issue: The setup-cassandra script changes the default value of the start_rpc property in the cassandra.yaml file to true. This is no longer needed.
Resolution: setup-cassandra script respects the current value of start_rpc property in cassandra.yaml file.
RDAPI-14653 01012757 Issue: User name checks are too strict.
Resolution: User name regular expression is configurable in Settings of API Manager UI.
RDAPI-14882 01020261 Issue: API Key cache not detecting changes in Cassandra.
Resolution: Improved logging and reliability of the Cassandra module and API Manager data synchronization among multiple nodes.
RDAPI-15678 00970706 Issue: Query parameter "from" in Monitoring Metrics Summary REST call does not change result.
Resolution: The query parameter that did not have any effect on the call has been removed from the API.
RDAPI-15873 01037992 Issue: Some columns are hidden in the table on page API Catalog when values of name and url are too long.
Resolution: Columns are now always visible, because the name and url values have a size limit, and a scroll bar appears when the table values are large.
RDAPI-15886 01012616, 01043799 Issue: When a report is generated in API Gateway Analytics the values inside the report differ when the file type changes from PDF to CSV.
Resolution: Generated PDF and CSV reports in API Gateway Analytics now have the same values when reports have the same date range.
RDAPI-15987 01043924 Issue: OAuth Authorization Code Flow Filter throws an exception when an invalid value of the "prompt" parameter is passed resulting in potentially harmful information being written to the logs.
Resolution: OAuth Authorization Code Flow Filter now validates the prompt parameter prior to any authorization logic and gracefully fails without revealing any information about the technology used.
RDAPI-16050 00965063 Issue: API Gateway does not forward all headers for HTTP HEAD request.
Resolution: HEAD requests are now managed the same way as GET or POST requests.
RDAPI-16053 01051981, 01044987 Issue: API Manager calls appear on monitoring dashboard of API Gateway.
Resolution: API Manager calls are not monitored by API Gateway and do not appear on dashboard.
RDAPI-16057 01044333 Issue: Changing dynamic traffic monitoring configuration of a HTTP interface enables recording of payload data.
Resolution: Recording of payload data is now part of UI configuration.
RDAPI-16092 01053832 Issue: Selector security scanning was running against non selectors for the outbound parameter value field.
Resolution: Non-selectors are no longer scanned, because they are encoded on the outbound request anyway. Selectors are validated correctly, ensuring that they are valid selectors and will not cause exceptions during an outbound request.
RDAPI-16101 01043037, 01042746 Issue: OAuth Refresh flow only returns JSON output. "format" header is ignored.
Resolution: "format" header is now honoured. Other outputs such as XML are returned.
RDAPI-16104 01036400 Issue: API Gateway does not set Cassandra's cluster port property.
Resolution: API Gateway will now set the Cassandra cluster port correctly, rather than always using the default.
RDAPI-16115 01054182 Issue: No way to run update-apimanager when a group was protected by a passphrase.
Resolution: Updated update-apimanager so that a group passphrase can be passed in using --passphrase.
RDAPI-16150 01053244, 01055388, 01053278, 01048495 Issue: Amendments to trailing slash behaviour for REST APIs in API Manager runtime caused path matching to fail for WSDL APIs due to an additional trailing slash.
Resolution: API Manager WSDL API path processing is corrected for SOAP requests sent to back-end server as defined in the corresponding WSDL binding port.
RDAPI-16157 01038361, 01047751 Issue: Remote Host Load Balancer algorithm excludes previously failed address for non-configurable duration of one minute. This may lead to a condition where all connection attempts to the listed Load Balancer addresses will fail.
Resolution: The exclusion time period for failed addresses listed in the Load Balancer can now be configured to reduce the risk of all connections failing. Set the AXWAY_LB_ALG_ADDR_DOWNTIME system environment variable to the desired downtime in milliseconds; the default is 60000.
RDAPI-16161 01056103, 01056255, 01057873, 01057553 Issue: Non-SSO users cannot use any API Portal functionality after log in because of a CSRF check error.
Resolution: The CSRF token is generated on API Portal log in, allowing non-SSO users to use API Portal functionalities.
RDAPI-16209 01053421, 01045179, 01047139 Issue: API Gateway fails to correctly handle required Form Parameters on a back-end API when they are sent in a multi-part request or if an additional attribute is present in the Content-Type header (for example "application/x-www-form-urlencoded; charset=UTF-8").
Resolution: API Gateway now handles required parameters when sent in a multi part request and accepts additional attributes in Content Types.
RDAPI-16216 01056234 Issue: HTTP Basic Filter accepts only case-sensitive "Basic" for scheme name.
Resolution: HTTP Basic and HTTP Digest filters process the Basic Authentication scheme case-insensitively as per RFC 7617.
RDAPI-16283 01025370, 01007245 Issue: In API Manager when configured Traffic Monitor Subject can be set for use in Metrics, a prefix of "Pass Through" is required for this type of client traffic data to be seen in API Manager Monitoring.
Resolution: Now all client traffic data is shown in API Manager Monitoring as relevant to the filter selected and user permissions.
RDAPI-16317 01051869, 01050675 Issue: In API Gateway, XML message content redaction causes the instance to crash when the message contains Multi-Byte encoded characters and requires a restart.
Resolution: API Gateway now handles correctly XML message content redaction with Multi-Byte encoded characters.
RDAPI-16407 01069752 Issue: Content-Type validation does not permit WSDL requests with attachments of Content-Types other than the standard SOAP message request body.
Resolution: Content-Type validation now permits WSDL requests with attachments of varying Content-Types.
RDAPI-16477 01041751, 01062343, 01062472, 01026467 Issue: When API Manager has many applications, the deployment and startup are too slow. API management requests can interfere with 8065 traffic.
Resolution: API Manager no longer interferes with the deployment of API Gateway configurations when processing large amounts of application data. The API requests to API Manager traffic port 8065 now respond with the HTTP status '401 Unauthorized' when the API Client Cache is updating, instead of timing out. Caching is also non-blocking and more performant now.
RDAPI-16511 01064458, 01064765 Issue: In a Policy Studio project, when error response codes are added to a REST API method, the method becomes uneditable after the project is closed and reopened.
Resolution: Now in a Policy Studio project, when error response codes are added to a REST API method, the method remains editable after the project is closed and reopened.
RDAPI-16515 01052320 Issue: Some "SSL shutdown" errors can be triggered when reading or writing data to or from network.
Resolution: An SSL error status that could remain in memory from a previous unfinished SSL handshake is now cleared. Additional OpenSSL debug traces are now logged when the variable "V_SSL_SESS_DEBUG" is in use.
RDAPI-16543 01062392 Issue: In API Gateway, when HTTP redaction is enabled, API Gateway automatically turns on XML redaction for XML messages. This can result in performance issues, especially on larger XML messages.
Resolution: In API Gateway, enabling HTTP redaction will not perform XML redaction on XML messages unless it is specifically configured.
RDAPI-16548 01067546, 01065718, 01042409 Issue: In API Manager, setting a custom subject inside the E-mail templates has no effect and E-mails are sent with their default subject.
Resolution: In API Manager, E-mails are now sent with the custom subject if one is set in the templates; default subjects are used otherwise.
RDAPI-16779 01052320 Issue: OpenSSL 'SSL_shutdown:shutdown while in init' error is reported for reused connection with previously failed handshake.
Resolution: Errors for the previous SSL handshake failure are now cleared.

Known issues

The following known issues are currently scheduled for the next service pack:

Internal ID Description
RDAPI-14225 Stored XSS in the application's OAuth redirect URL, encode OAuth Redirect URLs on output
RDAPI-14622 Value of 'Via' Header is not written to Transaction Access Log
RDAPI-15115 API Manager remote hosts not synchronized between instances
RDAPI-15297 Update trailing slash support in Jython scripts samples
RDAPI-15547 Cassandra Restore Script Fails from Docs
RDAPI-15608 Can't access NodeManager after submitting external CA signed certs
RDAPI-15675 API Manager: load Error "Map XXXX should be YYYY" after importing APIs
RDAPI-15758 Request headers reflected as response headers
RDAPI-15779 Swagger Generation Tool - Duplicate paths are not reported
RDAPI-16328 Maven 'clean' on install/pom.xml does not cleanup install/system/lib
RDAPI-16365 API Mgr, attributes set in Token information policy not available in fault policy
RDAPI-16490 Frontend API creation fails if WSDL host is invalid with a HTTPS scheme
RDAPI-16553 Regression: database connection leaks when client disconnects abnormally
RDAPI-16574 Duplicate headers returned when calling API Gateway Rest API
RDAPI-16633 Backend invocation failing with 500 when Outbound Oauth is used
RDAPI-16648 SMIME message policy calling SOAP request fails in backup after upgrade
RDAPI-16777 Trailing slash wrongly added to SOAP calls with method override
RDAPI-16811 [CWE-359] Password can be retrieved in GET /api/portal/v1.3/proxies
RDAPI-16915 Correct and improve test coverage for HEAD request forwarding
RDAPI-16953 API Manager event poller unnecessarily locks cache updates from Cassandra
RDAPI-17022 Multiple Authorization header forwarded to the backend
RDAPI-17025 modsecurity - "403 operation blocked" not possible to change this status in response
RDAPI-17031 Core file generated while stress testing websockets #1 "Thread::join()" (core.vshell.23985)
RDAPI-17036 projpack incorrect parsing for string containing '-f'
RDAPI-17039 Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut
RDAPI-17043 Core file generated while stress testing websockets #2 "__cxa_call_unexpected" (core.vshell.360)
RDAPI-17074 Unknown MimeType: "application/json;charset=UTF-8"
RDAPI-17080 Metrics pop-up doesn't disappear
RDAPI-17095 Forward slash ("/") is being appended to the resource path by API Broker policy after upgrade from SP7
RDAPI-17120 Topologies fail to manually sync with managedomain
RDAPI-17127 User self-registration and Stored Personal Data - GDPR
RDAPI-17131 API Manager Traverse Error
RDAPI-17149 Malformed JSON content is forwarded to backend, when it should be blocked by APIMgr
RDAPI-17169 Rest API paths created by policy studio duplicated
RDAPI-17197 PUT /organizations/{{org-id}} resets the readOnly field, createdOn, to 0
RDAPI-17249 OAuth server does not return 401 in compliance with the RFC for certain "invalid_client" errors
RDAPI-17275 OpenID Connect tokens generated by the hybrid flow are missing c_hash
RDAPI-17319 Access log, if enabled, delays transactions by causing a DNS query even when unnecessary
RDAPI-17325 Access token is wrongly generated when the 'scope' field contains 'openid' along with a scope which is not valid for the client
RDAPI-17329 json to xml filter crashes with proper JSON escaped "\"
RDAPI-17339 Can't update client app registry after an sp is applied
RDAPI-17384 Core file generated while stress testing websockets #3 "<signal handler called>" (core.vshell.21451)
RDAPI-17404 Gateways are unresponsive after deployment in SP11, increased memory usage suspected
RDAPI-17473 Deployment REST API envsettings/service/{serviceId} returns 500 Internal server error when instance is remote
RDAPI-17478 Valid API credentials can give 401 error while API Manager cache loading
RDAPI-17491 NotSerializableException: com.vordel.circuit.cert.ocsp.CacheObject
RDAPI-17538 Policy Studio Slowness
RDAPI-17545 KPS Admin - List Rows return HTTP Status code 410 - GONE
RDAPI-17549 Api-manager does not accept '+' sign in email-address
RDAPI-17650 Provide meaningful error tracing when filter fails because scope is provided in form parameters when generating a token.
RDAPI-17678 Regex is incorrectly treating Resource Path of "/" as valid on import
RDAPI-17758 Backend Resource Description has disappeared from APIMgr UI in SP4
RDAPI-17767 Manager doesn't perform input validation with OPTIONS
RDAPI-17773 Error on formatting in Traffic Monitor GUI and Trace Files
RDAPI-17805 Analytics single day reports not matching multi day time range for same days
RDAPI-17811 API Gateway doesn't check Oauth authz codes' expiry times when stored in an SQL DB
RDAPI-17927 HTTP error when relaying a 204 (No Content) response of a HEAD request
RDAPI-17931 SMTP with STARTTLS not working for Manager password reset
RDAPI-17985 Invalid field name, 'schema' for type: CoreAPIMethodErrorResponse
RDAPI-18033 big times to start the API Manager instance -- 8 min
RDAPI-18036 Slow start of the product
RDAPI-18044 Issue when configuring passphrase on an API Gateway with $ character in the password
RDAPI-18102 Bug using Advanced edit mode (shift-double-click) in "XML Signature Generation" filter
RDAPI-18105 Unable to load Application's Authentication tab in API Manager, with many API Keys
RDAPI-18108 slowness in API Portal due to issue in API Manager
RDAPI-18112 Problem with event log Service Context Client field is updated incorrectly
RDAPI-18116 apimanager-promote can add but not remove granted organization
RDAPI-18218 Update API Gateway 7.6 with OpenJDK 8u232
RDAPI-18240 Open id redirect issue in OAuth flow
RDAPI-18246 JSON redaction can cause missing data in traffic monitor

Reverted issues


Install the service pack

These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.

  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
    Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly, to avoid any regex matching issues. For example, the following directories might contain customized files:

    webapps/apiportal/vordel/apiportal
    webapps/emc/vordel/manager/app
    webapps/emc

    system/conf/apiportal/email
    system/conf
    samples/scripts/
    tools/filebeat-VERSION-PLATFORM

    For details on API Manager customization, see the API Manager User Guide.
  3. Remove old third-party libraries by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/modules
    INSTALL_DIR/analytics/system/lib/modules
  4. Remove old JRE versions by deleting the following directories:
    INSTALL_DIR/apigateway/platform/jre
  5. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
  6. On Linux, remove existing capabilities on product binaries (which may prevent overwriting files):
    setcap -r INSTALL_DIR/apigateway/platform/bin/vshell

FIPS mode only

If FIPS mode is enabled, you must also perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack as described in the Installation section.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.6.2 SP4 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/

  4. Change to the apigateway directory in your installation:
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.6.2 SP4 Analytics over the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP4_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
  3. Change to the analytics directory in your installation:
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.6.2 SP4 Policy Studio over the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP4_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
  4. Start Policy Studio with policystudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.6.2 SP4 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP4_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
  4. Start Configuration Studio with configurationstudio -clean

Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.

After installation

The following steps apply after installing the service pack.

API Gateway

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.

Notes:

  1. The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users of RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS of the RSA Access Manager to support stronger cipher suites. Alternatively, you can re-enable the anonymous cipher suites in the JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
  2. The JRE included in API Gateway enables endpoint identification algorithms for LDAPS (secure LDAP over TLS) by default to improve the robustness of the connections. This may cause API Gateway LDAP filters to fail to connect to an LDAPS server. In this case, you can disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification:

API Manager

When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.

Caution: Before executing the update-apimanager script:

This script updates the active deployment in the API Manager group. After running the script, you must recreate the API Manager project (common project, containing Server Settings) from the deployment, so that you won't need to revert the changes the next time you perform a project deployment.

As an alternative to recreating the API Manager project, you can deploy only your common project to a development server and run the update-apimanager script against it, and create a new common project from this gateway instance. Then, you must deploy your updated policies to your API Manager group.

Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:

/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.

Client Application Registry

The following command shows an example of running the update-apimanager script when the Client Application Registry is installed: 

/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
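The classic-deployment sequence above (prerequisite backup and cleanup, server archive extraction and post-install script, then update-apimanager) as one script. This is an added example, not Axway's own tooling; the archive name, API_MGR_GROUP and MY_PASSWORD are the Readme's placeholders, and the functions touch only the directories the Readme names.

```shell
#!/usr/bin/env bash
# Added example, not an Axway script: automates the classic-deployment steps of
# this Readme (back up customized files, remove old modules and JRE, drop
# capabilities, extract the archive, run the post-install script, then run
# update-apimanager). Archive name, group name and credentials are placeholders.
set -eu

# Prerequisite step 2: archive the directories the Readme lists as possibly
# customized, so they can be merged back (not copied back) after the upgrade.
sp_backup_custom() {
  local install_dir="$1" backup="$2" d existing=""
  for d in webapps/apiportal/vordel/apiportal webapps/emc \
           system/conf/apiportal/email system/conf samples/scripts; do
    [ -d "$install_dir/apigateway/$d" ] && existing="$existing $d"
  done
  for d in "$install_dir"/apigateway/tools/filebeat-*; do  # VERSION-PLATFORM in the name
    [ -d "$d" ] && existing="$existing ${d#"$install_dir"/apigateway/}"
  done
  [ -n "$existing" ] || return 0
  # shellcheck disable=SC2086  # word splitting of the list is intended
  tar -czf "$backup" -C "$install_dir/apigateway" $existing
}

# Prerequisite steps 3, 4 and 6: remove stale third-party modules and the old
# JRE, then drop capabilities from vshell so the archive can overwrite it.
# Refuses to proceed while a vshell from this installation is running (step 1).
sp_prepare_install_dir() {
  local install_dir="$1" d vshell="$1/apigateway/platform/bin/vshell"
  if command -v pgrep >/dev/null 2>&1 && pgrep -f "$vshell" >/dev/null 2>&1; then
    echo "stop the Node Manager and API Gateway instances first" >&2
    return 1
  fi
  for d in "$install_dir/apigateway/system/lib/modules" \
           "$install_dir/analytics/system/lib/modules" \
           "$install_dir/apigateway/platform/jre"; do
    [ -d "$d" ] && rm -rf "$d"
  done
  # setcap needs root; on a tree without the binary this step is skipped
  if [ -f "$vshell" ] && command -v setcap >/dev/null 2>&1; then
    setcap -r "$vshell" || true
  fi
  return 0
}

# Installation steps 3 to 5: extract over apigateway/ and run the post-install
# script with bash, as the Readme's note requires. INSTALL_DIR/ext/lib is left
# alone: removing previous patches from it (step 2) needs a human decision.
sp_install_server() {
  local install_dir="$1" archive="$2"
  tar -xzf "$archive" -C "$install_dir/apigateway/"
  (cd "$install_dir/apigateway" && bash ./apigw_sp_post_install.sh)
}

# After installation: run update-apimanager once at group level. --passphrase is
# added only for a protected group, --productname=clientappreg only when the
# Client Application Registry is installed. Arguments are built with "set --"
# so a passphrase containing shell metacharacters such as $ passes unchanged.
sp_run_update_apimanager() {
  local install_dir="$1" group="$2" passphrase="${3:-}" clientappreg="${4:-no}"
  set -- --username=admin --password=MY_PASSWORD --group="$group"
  [ -n "$passphrase" ] && set -- "$@" --passphrase="$passphrase"
  [ "$clientappreg" = yes ] && set -- "$@" --productname=clientappreg
  "$install_dir/apigateway/posix/bin/update-apimanager" "$@"
}

# The whole sequence runs only when asked for explicitly (SP_RUN=1), so that
# sourcing the file for individual functions has no side effects.
if [ "${SP_RUN:-0}" = 1 ]; then
  INSTALL_DIR="${INSTALL_DIR:-/opt/Axway-7.6.2}"
  ARCHIVE="${ARCHIVE:-APIGateway_7.6.2_SP4_Core_linux-x86-64_BNYYYYMMDDn.tar.gz}"
  sp_backup_custom "$INSTALL_DIR" "$INSTALL_DIR/sp4-customized-backup.tgz"
  sp_prepare_install_dir "$INSTALL_DIR"
  sp_install_server "$INSTALL_DIR" "$ARCHIVE"
  sp_run_update_apimanager "$INSTALL_DIR" API_MGR_GROUP \
    "${GROUP_PASSPHRASE:-}" "${CLIENTAPPREG:-no}"
fi
```

Run with SP_RUN=1 INSTALL_DIR=... ARCHIVE=... as a user allowed to write the installation, and with GROUP_PASSPHRASE set only if the group is protected.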

Documentation

Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2019 Axway. All rights reserved.