Document version: 06 December 2013
This Readme applies to Axway API Gateway 7.2.0 SP2, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.
The main aim of this service pack is to provide fixes for a number of reported defects.
This service pack contains updates for:
Note
File Packages: An installation archive is provided for all platforms, for example,
APIGateway_7.2.0_SP2_Core_win-x86-32_BN20131206.zip
for Windows.
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
This service pack provides the following corrections and enhancements.
Case ID | Internal ID | Description |
---|---|---|
— | — | Upgrade McAfee Anti-Malware Engine to version 5600 Previously, API Gateway used version 5400 of the McAfee Anti-Malware Engine. Now, it uses version 5600 of the McAfee Anti-Malware Engine. |
— | — | Changes to OAuth Application Scope Management Previously, scopes were associated with client applications implicitly by adding OAuth protected APIs during client registration. Now, scopes are added explicitly from a list of available scopes, where the list of available scopes is generated from static scopes defined in OAuth Security Devices attached to APIs. It is also possible to add freeform scopes to client applications to cater for dynamic scopes (selectorized scopes in Security Devices). Existing applications can be updated with the migrateScopes.py script. |
686639 | 109025 | Upgrading 7.1.1 configuration to 7.2 imports KPS with same names Previously, the alias ClientApplicationRegistry was not unique. Aliases must be unique in group configuration. Alias pointed at Imported_ClientApplicationRegistry after the upgrade, which was not unique. Now, after the upgrade the alias Imported_ClientApplicationRegistry is unique and the duplicate no longer exists. |
16400 | 109039 | Policy Studio will not allow blank entry for Authorization Attribute in an LDAP
Authentication Repository Previously, when adding an LDAP repository under the Authentication Repository in External Connections in Policy Studio, the Authorization Attribute in the configuration dialog could not be left blank, and an error dialog was displayed: "You must enter a value for authorization attribute." Now, the Authorization Attribute of the Authentication Repository configuration dialog in Policy Studio can be left blank. |
— | 109042 | Adding a port as a filter option in Traffic Monitor inserts a comma after the
first digit Previously, when adding a port as a filter option in Traffic Monitor it inserted a comma after the first digit. This was not visible when the filter was added, but visible when you clicked to edit the port number. Now, the formatting parameters have been updated, and no commas are used. |
— | 109061 | Sending a report to an email address specified in the Analytics GUI does not take
effect Previously, when you entered an email address to send a report to in the Analytics GUI, it did not take effect. Instead, the email address specified in the configureserver command was always used.Now, the email address used in configureserver is an optional global default to which all reports are
sent, that is, it can be unset. |
— | 109071 | SFTP poller causes thread leak and resource consumption Previously, the FTP poller did not terminate threads for each poll session when finished. These threads accumulated until the system resources were exhausted. Now, the FTP poller correctly terminates threads for each poll session when finished. |
685192 | 109105 | Policy package does not add the variables used within the Compare Attribute
filter to create the package Previously, the Compare Attribute filter did not create the required attributes used in the filter, and they did not come up as an option when creating the policy package . Now, the Compare Attribute filter generates the list of required attributes used in the filter. |
690989 | 110455 | OAuth database schemas listed in the API Server User Guide for 7.2 are missing
table names for oauth_authz_code Previously, the API Server User Guide was missing database table names required for the OAuth database schema. Now, the OAuth User Guide includes the required details on database tables. |
690423 | 110461 | Customer wants to upgrade a KPS using a DB back-end from 7.1 to 7.2 Previously, there was no documented upgrade process and there were entity store upgrade bugs for DB upgrade. Now, the upgrade process is documented in the KPS Migration Guide and the bugs have been fixed. |
689377 | 110652 | libxml warning at line 0: XPath complexity limit exceeded Previously, the System Setting entities in multiple NetServices did not migrate correctly to single Default System Settings from 5.2.8 to 7.2.1. This meant that any changes made in the Policy Studio > Settings were not reflected in the Default System Settings. Now, the System Settings values in multiple NetServices are correctly transfered to Default System Settings when migrating federated store to 7.2.2. Also Policy Studio updates the Default System Settings as required. |
— | 110962 | PGP help looks like it is not current Previously, the API Server online help and documentation for the PGP filters did not reflect the latest user interface. Now, the PGP help and documentation has been updated to reflect the latest screens. |
692960 | 111247 | startinstance -s is starting an instance instead of just checking status Previously, options for the startinstance command were not documented in the API Server User
Guide.Now, these options are documented in the API Gateway User Guide. |
693221 | 111499 | Save file crashes with large file from FTP poller Previously, the Save To File filter failed to save large files and caused the API Server to crash. Now, the Save To File filter correctly processes large files and the file size limit is set by the user. |
694525 | 111872 | POP3 Mail Server listener Poll Rate Limit Previously, the POP Mail Server dialog in Policy Studio had a poll rate limit of 65535 milliseconds, which is much too low. Now, the poll rate limit can be much higher. |
— | 112291 | API Server-File Transfer: Directory expiry cannot be set to never expire Previously, the File Transfer Service dialog in Policy Studio presented the user with the following error when they attempted to set the directory expiry to 0 seconds: "You
must enter a value for fileExpiry." Now, you can set a value of 0 seconds for directory expiry in the File Transfer Service dialog. This means that the directory never expires. |
695033 | 112394 | Reflect Message only changes the response status but not the information Previously, the Reflect Message filter was not setting the HTTP status message to match the response code set by the user. For example, changing a 200 OK response from the back-end to a 500 error caused it to return 500 OK to the client.Now, the Reflect Message filter always sets the status message to match the response code set by the user. Also the http.response.info message attribute is set respectively. |
— | 112422 | Jython file diskinstancemanager.py contains an invalid file for Oracle API
Gateway edition Previously, diskinstancemanager used an invalid file reference in Oracle API Gateway edition ( /posix/samples/etc/init.d/enterprisegateway ).Now, diskinstancemanager references the correct file in Oracle API Gateway edition ( /posix/samples/etc/init.d/apigateway ). |
695838 | 112450 | Add XML Node filter crashes API Server when using attribute saved and trace @
DATA or DEBUG Previously, a crash was caused by message content being purged too early. This issue was brought to light by the invocation of the StringToBody coercer (converting ${bgc.content.body} from com.vordel.mime.XMLBody to java.lang.String) which was attempting to access message content that no longer existed. This was only an issue at DATA trace. Now, content is reference-counted so that it is no longer purged too early. This prevents the crash from occurring. |
694726 | 112564 | Connecting to the API Server Analytics browser home when the DB back-end is MS SQL results in
a CONCAT error Previously, API Server Analytics reported a CONCAT error with MS SQL Server 2012 and earlier versions. Now, API Gateway Analytics no longer produces a CONCAT error for MS SQL Server 2012 and earlier versions. |
693747 | 112610 | Vordel XML Gateway type present in configuration after upgrade from 5.2.8 to
7.2.0 Previously, the System Setting entities in multiple NetServices did not migrate correctly to single Default System Settings from 5.2.8 to 7.2.1. This meant that any changes made in the Policy Studio > Settings were not reflected in the Default System Settings. Now, the System Settings values in multiple NetServices are correctly transferred to Default System Settings when migrating federated store to 7.2.2. Also Policy Studio updates the Default System Settings as required. |
696310 | 112614 | Windows install of API Server crashes when deselecting certain Traffic Monitor
options and viewing transactions Previously, accessing the Traffic Monitor UI for trace on transactions that had not recorded HTTP trace information could cause the server to crash due to a bug in the REST interface. Now, the absence of trace and data in the datastore is safely ignored by the transaction monitor REST interface. |
696293 | 112627 | The group level metrics of analytic report is doing sum instead of averages Previously, Metrics Processing Time Average used the maximum average processing time for a service. Furthermore, when finding the maximum over several services, it used the maximum from each service. Now, the Metrics Processing Time Average computes the average processing time for a single service, and computes the average when looking at multiple services. |
— | 112660 | Error setting up database metrics (apiserver) is cryptic and unhelpful Previously, if the API Server connected to an existing database that was used with a different topology, the error returned was "Domain ID mismatch; check your database connection." Now, the error returned is "Cannot connect to the configured database with your
current topology because the database already contains data from a different topology." |
696281 | 112717 | Add XML Node filter fails when inserting node that was removed earlier in the
policy Previously, the Add XML Node filter failed when inserting a node that was removed earlier in the policy. Now, the Add XML Node filter correctly inserts a node that was removed earlier in the policy. |
— | 112957 | API Server Analytics email subject line contains a variable for the date and not the actual
date Previously, reports were emailed with a subject line containing a replacement string, for example, Subject: systems-1day-${yyyyMMdd}.pdf .Now, reports are emailed with a subject line containing the friendly name of the report, for example, System Resources . |
697445 | 113125 | Patch upgrade should remove previous patches, also no need to migrate
configuration coming from 7.2.0 Previously, the API Server Installation Guide did not include enough information on patching existing installations. Now, the Release Notes and Readme include more detail on patching (for example, you must remove previous patches and do not need to upgrade configuration). |
697587 | 113160 | Gateway stops responding after repeated requests Previously, when a large number of services were present, generating statistical information via the reporting REST interfaces could take inordinate amounts of time and hold up other server operations during request processing, due to inefficiencies in the algorithms used. Now, the processing of these requests is handled in a much more efficient way and works well for previously pathological workloads. |
698115 | 113426 | SSLException: 536 Data connection protection clear not supported Previously, the FTPS Poller and the File Upload/File Download filters supported only the PROT C command and failed to connect to a FTPS server where a different PROT command was required. Now, the FTPS clients support all PROT commands according to RFC2228. Users can also specify values for both PROT and PBSZ commands in the API Gateway FTPS Poller and the File Upload/File Download filters. |
— | 113588 | API Service Manager support for parameters has changed, need to update User
Guide with workaround Previously, the Getting Started section in the API Server User Guide did not include how to create a policy package to handle parameters. Now, the Getting Started section has been updated with these steps. |
696625 | 114048 | Filter LDAP RBAC never fails Previously, the Retrieve From Directory Server filter returned true by default when no results were returned from LDAP. Now, the Retrieve From Directory Server filter returns false when no results are returned from LDAP. |
— | 114265 | OCSP: Incorrect serial number sent by API Server to OCSP responder Previously, some X.509 certificates appeared to have a negative serial number under certain circumstances, including when presented to an OCSP responder. Now, serial numbers with high bits set are handled properly, and serial numbers are properly forwarded and displayed from the native cryptographic provider. |
— | 114548 | Add online help to Configure Regular Expression Previously, online help was missing for the Configure Regular Expression dialog in the Validate Selector Expression filter. Now, online help is available for this feature. |
— | 114681 | Amazon EC2 Instance loses connectivity after applying software updates Previously, if software updates were applied to the AMI image, the details of the kernel location were also updated as per hardware appliance functionality. This update was not required for the AMI image and in fact caused an issue where the system did not boot. Now, the update mechanism checks if the updates are being carried out on an AMI image, and does not alter grub configuration in this case. |
698926 | 114764 | FTP connections are blocked and the server has to be restarted to resume
transactions Previously, all the JMS consumer threads could get into a blocked state if the network was shutdown with all threads processing. There was no timeout set in the FTP client socket to handle this situation. Now, the FTP/FTPS/SFTP client connect timeout is set to a value defined in the active timeout attribute of the API Gateway system settings. |
701757 | 114767 | Reflect Message does not have an option to update the HTTP reason phrase Previously, the Reflect Message filter was not setting the HTTP status message to match the response code set by the user. For example, changing the 200 OK response from the back-end to a 500 error caused it to return 500 OK to the client.Now, the Reflect Message filter always sets the status message to match the response code set by the user. Also, the http.response.info message attribute is set respectively. |
— | 114769 | Amazon LOCKDOWN AMI unable to run service command as root after using sudo -s Previously, it was not possible to run the service command as root if the admin user ran sudo -s .Now, it is possible to run the service command if the user specifies /sbin/service . |
— | 114839 | Deleting a group results in java.util.ConcurrentModificationException Previously, when managedomain was used to delete a group, an exception always occurred: Node
Manager error: Unexpected exception: java.util.ConcurrentModificationExcept . The Group was
still deleted successfully.Now, no exception occurs when deleting a group using managedomain. |
— | 114869 | Metrics Processing Time Average uses largest value as average Previously, in Analytics and API Server Manager, Metrics Processing Time Average used the largest value as the average value. Now, in both Analytics and Manager, the API services and remote hosts are properly aggregating processing time average. |
701231 | 114909 | Traffic Monitor: Specify detailed time interval filter does not
work (no results when there should be) Previously, numeric values in the Transaction Monitor REST interface were not compared correctly for the "<" and ">" arithmetic operations. Now, handling of numeric values is fixed, and they are correctly compared. |
— | 115222 | managedomain --remote-port option required for use of non-default management
port Previously, the managedomain --remote-port option was required to use a non-default management port to connect to the Admin Node Manager. Now, managedomain correctly reads and uses the management port from topology when connecting to the Admin Node Manager. |
700950 | 115243 | File Upload filter is not handling remote directories on virtual file systems
correctly Previously, the File Upload filter failed to upload files to some SFTP servers, because it incorrectly identified that a directory with the same name already existed. Now, the File Upload filter successfully uploads files with Java Secure Channel version 0.1.50 ( jsch-0.1.50.jar ). |
703818 | 115525 | Cannot use member.id in Resource Owner Credentials filter Previously, the callout policy to authenticate the resource owner in the OAuth resource owner password flow was not returning the subject to create the token with. Now, the callout policy correctly returns the authenticated subject, and the OAuth access token is generated for the returned subject. |
— | 115699 | Directory Scanner Null Pointer Exception with Traffic Monitor disabled Previously, if Traffic Monitor was disabled, the Directory Scanner threw a NullPointerException on processing a file. Now, files can be processed as normal by the Directory Scanner when the Traffic Monitor is disabled. |
704714 | 115884 | FTP connections are blocked and the server has to be restarted to resume
transactions Previously, all the JMS consumer threads could get into a blocked state if the network was shutdown with all threads processing. There was no timeout set in the FTP client socket to handle this situation. Now, the FTP/FTPS/SFTP client connect timeout is set to a value defined in the active timeout attribute of the API Gateway system settings. |
— | 115889 | SFTP load test memory leak Previously, when testing FTP services/pollers, the API Gateway process would leak memory and eventually terminate. Now, the memory leaks in the Save To File filter have been resolved, which prevents the API Gateway from running out of memory. |
— | 115910 | Invalid reference to Socket Connection Timeout in API Server User Guide Previously, the API Server User Guide mentioned the Socket Connection Timeout setting, which is no longer available in the user interface. Now, this setting has been removed from the API Gateway User Guide. |
704580 | 115928 | EncodingType attribute in wsse:Nonce element was not validated Previously, the API Gateway was not checking the EncodingType attribute in the wsse:Nonce element when validating a WS-Security Username Token. Now, the API Gateway checks the EncodingType attribute in the wsse:Nonce element and shows a warning if the attribute indicates an unknown encoding format. |
705744 | 116173 | Gateway core dumps in libvxml2 under heavy load Previously, the Attribute Extract XPath filter crashed under heavy load. Now, the Attribute Extract XPath filter correctly handles data in memory under heavy load. |
— | 116575 | managedomain --regen_certs option should handle a missing passphrase error better Previously, managedomain with the --regen_certs option showed a non-user friendly error message (exception with stack trace) caused by a missing or incorrect passphrase. Now, managedomain with the --regen_certs option shows a user friendly error message for a failure loading the PKCS12 file, where a passphrase is required or incorrect. |
— | 116944 | managedomain usability issues with option 24 (certificate regeneration) Previously, managedomain (option 24, certificate regeneration) checked if the Admin Node Manager was still running, and only interrupted after requesting an input from the user. Now, managedomain (option 24, certificate regeneration) checks if the Admin Node Manager is still running before requesting any input from the user. |
— | 117053 | Small Windows heap needs some help to load a JVM with a reasonable maximum
memory limit Previously, the API Gateway had a preset Java MaxHeapSize of 512MB, which is not sufficient for production deployments. Now, the JVM MaxHeapSize depends on the available system resources. If the API Gateway Windows executables fail to start, due to not being able to allocate their heap, add the setting <VMArg name="-Xmx512m"/> to the
file INSTALL_DIR/system/conf/jvm.xml . |
708228 | 117114 | Inconsistency for SAML issuer name list and trusted issuer list Previously, when editing the Insert SAML Attribute Assertion, Insert SAML Authentication Assertion, and Insert SAML Authorization Assertion filters, a list of the certificate aliases was shown in the Issuer Name drop-down menu in Policy Studio. Now, when editing the Insert SAML Attribute Assertion, Insert SAML Authentication Assertion, and Insert SAML Authorization Assertion filters, a list of the certificate subject DN names is shown in the Issuer Name drop-down menu in Policy Studio. |
— | 117168 | Files under instance-1/conf/opsdb.d are not being purged correctly Previously, when testing the FTP service, Traffic Monitor files were not being purged correctly and the API Gateway would eventually run out of memory. Now, disposers have been added to the FTP service to guarantee messages, and corresponding correlation IDs have been deleted. This prevents the API Gateway from leaking memory, and also fixes the purging of Traffic Monitor files. |
— | 117215 | No Help information on the Bind the Certificate at Runtime option for HTTPS
certificate option Previously, when configuring an HTTPS interface, the online help did not explain the Bind the certificate at runtime option. Now, this setting is documented in the online help. |
This section describes how to install the service pack on an existing installation of API Gateway.
To install a new API Gateway installation from scratch without an existing installation, see the API Gateway Installation and Configuration Guide.
To install the service pack, follow these general guidelines:
To install the service pack on your existing API Gateway 7.2.0 Core Server installation, perform the following steps:
INSTALL_DIR/ext/lib
directory (or ../ext/lib
directory in an API Gateway instance). These patches have already been included in this service
pack. You do not need to copy patches from a previous version.
apiserver
directory
within your existing installation directory. For example:
tar -xzvf APIGateway_7.2.0_SP2_Core_linux-x86-64_BN20131206.tar.gz -C
/opt/Axway-7.2.0/apiserver/
Note
ls -l INSTALL_DIR/apiserver/posix/bin
command to view the owner of
the binaries.
To install the service pack on your existing API Gateway Analytics 7.2.0 installation, perform the following steps:
INSTALL_DIR/ext/lib
directory (or ../ext/lib
directory in an API Gateway Analytics instance). These patches have already been included in this service
pack. You do not need to copy patches from a previous version.
analytics
directory within your existing API Gateway 7.2.0 installation directory. For example:
tar -xzvf APIGateway_7.2.0_SP2_Analytics_linux-x86-64_BN20131206.tar.gz -C
/opt/Axway-7.2.0/analytics/
Note
ls -l INSTALL_DIR/analytics/posix/bin
command to view the owner of
the binaries.
To install the service pack on your existing Policy Studio installation, perform the following steps:
INSTALL_DIR\policystudio
).
Note
To install the service pack on your existing API Tester installation, perform the following steps:
INSTALL_DIR\apitester
).
To install the service pack on your existing Configuration Studio installation, perform the following steps:
INSTALL_DIR\configurationstudio
).
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
INSTALL_DIR/system/conf/jvm.xml
file.
<VMArg
name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
<VMArg
name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/i386/server:$VDISTDIR/$DISTRIBUTION/jre/lib/i386:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
setcap 'cap_net_bind_service=+ep'
INSTALL_DIR/platform/bin/vshell
to to allow the API gateway to listen on privileged ports.
Note
Axway API Gateway is accompanied by a complete set of documentation, covering all aspects of using the product. These documents include the following:
All Axway documentation is available from Axway Sphere at https://support.axway.com.
The Axway Global Support team provides worldwide support 24/7. You can find all support numbers by country on Axway Sphere at https://support.axway.com.
In addition, you can download the latest information from Axway Sphere relating to Axway API Gateway including:
For more information about Axway training services, go to: www.axway.com.
Copyright © Axway Software 2013
All rights reserved