


Axway API Gateway 7.4.1 SP 3 Readme

Document version: 1 July 2016


Readme for 7.4.1 SP 3

This Readme applies to Axway API Gateway 7.4.1 SP 3, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.1_SP3_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements.

Internal ID Case ID Description
RDAPI-1176 00808783

Issue: Traffic monitoring trace level not in sync with system trace level.
Resolution: Previously, Traffic Monitor displayed data-level records in the trace output panel regardless of the trace level you had set in the corresponding interface or global settings.

Now, Traffic Monitor displays data in the trace output panel and the request/response panel as you define in the corresponding interface or global settings.

RDAPI-2325 776780 Issue: When the Connect to URL filter reaches the Max Received Bytes limit, it returns a truncated result instead of an error.

Resolution: Previously, the policy would not trap exceptions encountered when streaming the response to the client.

Now, the policy buffers the response in the Reflect Message filter and ensures that the Fault Handler is invoked if maximum response length is reached.

RDAPI-2559 00825167

Issue: Valid JSON Path incorrectly returns no matches.
Resolution: Previously, the JSON Path filter was unable to handle certain filter expressions due to limitations in the underlying 3rd party JSON path library.

Now, the JSON Path filter handles these filter expressions. The underlying 3rd party library has been updated to fix the problem.

Before installing the service pack, you must remove the old JSON path file ($VDISTDIR/system/lib/modules/json-path-1.2.0.jar). Installing the service pack installs a JSON path file (json-path-2.2.0.jar) in the same directory.

In addition, Policy Studio uses the JSON path file to validate path expressions. Before installing the service pack, you must also remove the file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_7.4.1._DATE/lib/json-path-1.2.0.jar). Installing the service pack installs a JSON path file (json-path-2.2.0.jar) in the same directory.

RDAPI-2632 00822359 Issue: Schema validation is failing in API Gateway v7.4.1 when comparing to v7.2.2.

Resolution: Previously, schema-full-checking was disabled in XSD validation to provide stronger validation, but no toggle was made to disable schema-full-checking.

Now, you can disable schema-full-checking using a configuration fragment <VMArg name="-DschemaFullChecking=false"/>.

RDAPI-2636 00823330 Issue: Cannot access a renamed web service after it is upgraded.

Resolution: Previously, if you upgraded an older (v7.3.0 or earlier) configuration that contained a web service you had renamed, requests sent to the web service failed to resolve. This happened because API Gateway tried to match the new web service name against the <wsdl:Service> name in the WSDL, but the WSDL still had the old name.

Now, you can upgrade a configuration containing a renamed web service, and requests to the web service resolve normally after the upgrade.

RDAPI-2666 00814952

Issue: KPS is failing for Map<String, Boolean>.

Resolution: Previously, you could not update a property of the type Map<String, Boolean> in the KPS browser in API Gateway Manager.

Now, you can update a Map<String, Boolean> property in the KPS browser in API Gateway Manager.

RDAPI-2698 00810590

Issue: Extract MTOM filter returns incorrect Content-Type for SOAP 1.2

Resolution: Previously, when a SOAP 1.2 request was sent to the Extract MTOM filter, the startinfo parameter in the content-type header of the outer package and the type parameter in the content-type header of the root part were text/xml.

Now, when a SOAP 1.2 request is sent to the Extract MTOM filter, the startinfo parameter in the content-type header of the outer package and the type parameter in the content-type header of the root part are application/soap+xml, as required in the SOAP Message Transmission Optimization Mechanism specification.

RDAPI-2768 00827079 Issue: Connecting to back-end API with an SSL certificate.

Resolution: Previously, if you tried to import a PKCS#12 to be used in two-way SSL in the front-end API, you got an Invalid certificate/password error.

Now, you can successfully import a PKCS#12 with a valid password.

RDAPI-2811 00816118

Issue: API Gateway becomes unresponsive after a deployment failure.

Resolution: Previously, API Gateway might become unresponsive when a client (Node Manager) initiated a deployment request while API Gateway was serving a long traffic request.

Now, when you set the V_DEPLOY_INSTANCE_TIMEOUT environment variable to a timeout value in milliseconds, API Gateway times out on a deployment failure, reports a deployment timeout error, and is available for new requests.

RDAPI-2843 00821733 Issue: Creating policy assembly fails with DuplicateKeysException.

Resolution: Previously, when you created a policy assembly for a policy, you got a DuplicateKeysException error.

Now, you can successfully create a policy assembly for a policy.

RDAPI-2893 00829447 Issue: PGP key not updated after reconnecting Policy Studio to API Gateway.

Resolution: Previously, PGP key configuration was not updated in Policy Studio after you reconnected Policy Studio to an API Gateway instance.

Now, PGP key configuration is updated correctly in Policy Studio.

RDAPI-2895 00818438 Issue: Cache attribute filter does not fail when unable to set key in cache

Resolution: Previously, the Cache Attribute filter did not return false when adding the object to cache failed.

Now, the Cache Attribute filter returns false when adding the object to cache fails.

RDAPI-2902 00827354 Issue: The option Choose Issuer Certificate is not working.

Resolution: Previously, when you clicked Choose Issuer Certificate, the certificate you selected was not taken into account when building the certification chain in Policy Studio.

Now, the issuer certificate is correctly displayed in the certificate chain in Policy Studio.

RDAPI-2906 00829293 Issue: Connection filters are no longer working after applying OpenSSL 1.0.1s-fips.

Resolution: Previously, API Gateway with OpenSSL 1.0.1s-fips was disregarding settings to enable SSLv2 protocol.

Now, API Gateway respects configuration of SSLv2 protocol with OpenSSL 1.0.1s-fips.

RDAPI-2984 00827134 Issue: managedomain --deploy return code set to 0 in case of error.

Resolution: Previously, if an error occurred during deployment, the managedomain script returned a status code 0.

Now, if an error occurs during deployment, managedomain returns a status code 1.

RDAPI-3002 00830624

Issue: JSON Remove Node fails if the value of the node to remove is null.

Resolution: Previously, the JSON Remove Node filter failed if the value of the node to be removed was set to null.

Now, the JSON Remove Node filter removes the node containing the value null.

RDAPI-3052 00831687

Issue: PGP Encrypt and Sign symmetric key algorithm does not take into account if Encrypt and Sign in Two Passes is selected.

Resolution: Previously, the PGP Encrypt and Sign filter was using CAST5 instead of the user-defined symmetric-key algorithm for processing.

Now, the PGP Encrypt and Sign filter always uses the user-defined symmetric-key algorithm.

RDAPI-3290 00805574 Issue: Script injection into timeline on port 8090.

Resolution: Previously, the Monitoring API in API Gateway did not validate the metric group type parameter, so it might return metrics data for an unknown group type.

Now, the Monitoring API validates the metric group type parameter. The API responds with a 404 message status if the metric group type is unknown.

RDAPI-3342 00830013

Issue: Cannot handshake anymore with SSL_RSA_WITH_3DES_EDE_CBC_SHA.

Resolution: Previously, the API Gateway FTPS server did not accept an SSL client connection with the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher.

Now, the FTPS server accepts an SSL client connection with RSA ciphers.

RDAPI-3358 00835093 Issue: Requests that fail (HTTP Status code 500) shown as successes in Traffic Monitor in the API Gateway Manager.

Resolution: Previously, in Traffic Monitor, the HTTP Traffic was incorrectly showing the orange warning icons for transactions with the status Pass.

Now, the HTTP Traffic shows the green success icons for transactions with the status Pass.

RDAPI-3374 00835645

Issue: Unable to migrate Client Application Registry data from API Gateway v7.1.1.

Resolution: Previously, migrating Client Application Registry data from API Gateway v7.1.1 failed, because the upgrade script migrateFrom71.py did not run due to syntax errors.

Now, the API Gateway upgrade script migrateFrom71.py runs successfully.

RDAPI-3388 Issue: Success and failure errors in LDAP communication not logged in the message attributes.

Resolution: Previously, it was not possible to see the success and failure errors when communicating with an LDAP server.

Now, the reason for success or failure when connecting to an LDAP server is stored in ldap.connection.success and ldap.connection.failure message attributes.

RDAPI-3396 Issue: The script to migrate OAuth from v7.1.x no longer works.

Resolution: Previously, the API Gateway upgrade script migrateFrom71.py could not run, because it was referring to packages not available in v7.1.1.

Now, the API Gateway upgrade script migrateFrom71.py runs successfully.

RDAPI-3401 Issue: The information on Node Manager connection in the audit logs is insufficient.

Resolution: Previously, API Gateway Node Manager did not audit connection events when communicating with the remote audit offload server.

Now, API Gateway Node Manager audits two additional events: Connection to remote audit log server established and Connection to remote audit log server failed.

RDAPI-3432 Issue: SOAP Fault Processor: Soap Fault always returns SOAP 1.2

Resolution: Previously, the trace output at DEBUG level for SOAP Fault Processor was insufficient for you to determine why the SOAP version in the response did not match the version in the request in some cases.

Now, the trace messages generated at DEBUG level have been made clearer. For example:

  • Content-Type is application/soap+xml. Creating a soap 1.2 fault.
  • SOAPAction header is present. Creating a soap 1.1 fault.
  • SOAPAction header not present. Request does not appear to be soap 1.1.

RDAPI-3502 00829256

Issue: HTTP Session cookies distributed cache error.
Resolution: Previously, the initial authorization request parameters were stored in a cache. The object used to represent the parameters was not serializable, so it failed in a distributed cache environment.

Now, the parameters are maintained in the redirects of the canonical OAuth set up, so the initial request does not need to be searched from cache. The fix defers to the query string in the event of a cache failure.

RDAPI-3508 00835154

Issue: Security vulnerabilities identified in OpenSSL Security Advisory [3rd May 2016].

Resolution: Previously, API Gateway included OpenSSL 1.0.1p-fips, which contained security vulnerabilities such as:

  • Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Now, API Gateway includes OpenSSL 1.0.1t-fips, which addresses known security vulnerabilities. For more details, see OpenSSL Security Advisory [3rd May 2016].

RDAPI-3513 00835705

Issue: Tight loop reading from closed JMS (IBM MQ) connection, filling logs.
Resolution: Previously, you could raise a concurrent access exception by re-deploying a JMS configuration while a successful JMS reconnection was initializing JMS connections and consumers.

Now, a concurrent access is no longer triggered.

Previously, when a JMS read error occurred, the read operation was repeated immediately and errors were printed out in the traces.

Now, consecutive identical errors are no longer printed out, and an increasing delay between retries has been added.

RDAPI-3731 751232

Issue: Unable to configure SSL options for outgoing connections.

Resolution: Previously, you could not configure SSL/TLS protocols for outbound connections in the Connect To URL filter in API Gateway.

Now, you can configure default SSL/TLS protocols for outbound connections in the Connect To URL filter using the system/conf/ssloptions.xml settings file.

<ConfigurationFragment> 
    <SystemSettings> 
        <!-- SSL options for outgoing connections --> 
... 
        <!-- Do not use the TLSv1.1 protocol --> 
        <!-- <attribute key="ssloptions">notlsv1_1</attribute> --> 

        <!-- Do not use the TLSv1.2 protocol --> 
        <!-- <attribute key="ssloptions">notlsv1_2</attribute> --> 
    </SystemSettings> 
</ConfigurationFragment> 
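
Options inside an XML comment are inert, so it is worth confirming what system/conf/ssloptions.xml actually enables. The following Python check is an added example, not Axway code: it separates active ssloptions values from commented-out ones. The sample file is constructed from the fragment above, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the readme fragment: notlsv1_1 has been
# uncommented, notlsv1_2 is still inside a comment.
SAMPLE = """<ConfigurationFragment>
    <SystemSettings>
        <!-- Do not use the TLSv1.1 protocol -->
        <attribute key="ssloptions">notlsv1_1</attribute>

        <!-- Do not use the TLSv1.2 protocol -->
        <!-- <attribute key="ssloptions">notlsv1_2</attribute> -->
    </SystemSettings>
</ConfigurationFragment>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
ATTR_RE = re.compile(
    r'<attribute\s+key="ssloptions"\s*>\s*([^<\s]+)\s*</attribute>')


def audit_ssloptions(xml_text):
    """Return (active, commented_out) lists of ssloptions values."""
    root = ET.fromstring(xml_text)  # the default parser discards comments
    active = [(el.text or "").strip() for el in root.iter("attribute")
              if el.get("key") == "ssloptions"]
    commented = []
    for body in COMMENT_RE.findall(xml_text):
        commented.extend(ATTR_RE.findall(body))
    return active, commented


def findings(xml_text):
    """Turn the audit into reviewer notes (hypothetical wording)."""
    active, commented = audit_ssloptions(xml_text)
    notes = [f"{value}: commented out, has no effect" for value in commented]
    if "notlsv1_2" in active:
        # TLSv1.2 is the newest protocol the readme fragment mentions.
        notes.append("notlsv1_2: active, outbound TLSv1.2 is disabled")
    if not active:
        notes.append("no active ssloptions: protocol defaults apply")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE):
        print(note)
```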

Known issues

The following issues are known and scheduled for correction in a future release.

Internal ID Case ID Description
RDAPI-1167 00807346 How to hide internal server endpoints in exposed WSDL?
RDAPI-2505 00813773 When the logged-in user changes password on API Gateway Manager, they lose all their roles.
RDAPI-2545 00824002 The Retrieve from or write to database filter fails with NullPointerException when the Date column contains null.
RDAPI-2927 00822328 API Gateway intermittently resetting the connection to the Apache server.
RDAPI-3154 00832311 Wrong behavior in legacy attribute naming for the Retrieve attributes from directory server filter, if the filter is called several times.
RDAPI-3162 00827846 SIGSEGV in Java_com_vordel_dwe_NativeContentSource_buffer.
RDAPI-3216 00833619 API Gateway instance constantly crashing.
RDAPI-3454 00832678 The Retrieve from or insert to database failed when trying to insert a null value.
RDAPI-3570 00837700 Salesforce tokens are not automatically refreshed on expiry.
RDAPI-3578 00838339 Delay seen in outgoing requests when API Gateway is under load.
RDAPI-3878 00840339 The Admin User Rest API documentation is empty.

Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. Remove the old JSON path file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_7.4.1._DATE/lib/json-path-<version>.jar).
  5. If FIPS mode is enabled, you must perform the following steps:
    1. Run togglefips --disable to turn FIPS mode off.

    2. Start the nodemanager to move the JARs.

    3. Stop the nodemanager.

    4. Install API Gateway 7.4.1 SP 3.

    5. Start the nodemanager.

    6. Stop the nodemanager.

    7. Run togglefips --enable to turn FIPS on again.

    8. Start the nodemanager.
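
The JSON path prerequisite above, and the RDAPI-2559 note under Corrections and enhancements, can be checked mechanically once the service pack is in place. The following Python script is an added example, not part of the Axway readme or product: it reports any json-path jar other than json-path-2.2.0.jar in the two locations the readme names. The function names and the constructed sample tree are assumptions.

```python
import glob
import os
import tempfile

EXPECTED = "json-path-2.2.0.jar"  # the file the readme says SP 3 installs


def lib_dirs(gateway_dir, policystudio_dir):
    """The two library locations named in the readme."""
    dirs = [os.path.join(gateway_dir, "system", "lib", "modules")]
    # "_DATE" in the readme stands for a build-specific suffix, so glob for it.
    dirs += sorted(glob.glob(os.path.join(
        glob.escape(policystudio_dir), "plugins",
        "com.vordel.rcp.filterbase_7.4.1.*", "lib")))
    return dirs


def check_json_path(gateway_dir, policystudio_dir):
    """Return a list of problems; an empty list means both locations are clean."""
    problems = []
    for d in lib_dirs(gateway_dir, policystudio_dir):
        jars = sorted(os.path.basename(p) for p in
                      glob.glob(os.path.join(glob.escape(d), "json-path-*.jar")))
        problems += [f"stale {j} in {d}" for j in jars if j != EXPECTED]
        if EXPECTED not in jars:
            problems.append(f"missing {EXPECTED} in {d}")
    return problems


def build_sample_tree(root):
    """Constructed layout: the old jar was left behind in the gateway only."""
    gw = os.path.join(root, "apigateway")
    ps = os.path.join(root, "policystudio")
    modules = os.path.join(gw, "system", "lib", "modules")
    plugin = os.path.join(ps, "plugins",
                          "com.vordel.rcp.filterbase_7.4.1._DATE", "lib")
    for d, names in ((modules, ["json-path-1.2.0.jar", EXPECTED]),
                     (plugin, [EXPECTED])):
        os.makedirs(d)
        for name in names:
            open(os.path.join(d, name), "w").close()
    return gw, ps


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for line in check_json_path(*build_sample_tree(root)) or ["clean"]:
            print(line)
```

Two versions of the same library in one directory is the case this catches; which one gets loaded is then not something the readme lets you rely on.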

Installation

This section describes how to install the service pack on an existing installation of API Gateway.


Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.4.1 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 3 Core over the apigateway directory in your existing installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP3_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/apigateway/


Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.4.1 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.1 SP 3 Analytics over the analytics directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP3_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/analytics/


Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 3 Policy Studio over the policystudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP3_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/policystudio/


Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.4.1 SP 3 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.4.1 installation directory. For example:

    tar -xzvf APIGateway_7.4.1_SP3_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.1/configurationstudio/


After installation

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file.

    64-bit installation:

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:
    $VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:
    $VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:
    $VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.



Documentation

Go to Axway Sphere at https://support.axway.com to find all documentation for this product version.

For information about how API Gateway is used in Axway 5 Suite, refer to:

All Axway documentation is available from Axway Sphere at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Sphere at https://support.axway.com.


Copyright © 2016 Axway. All rights reserved