Axway API Gateway and API Manager 7.5.3 SP 11 Readme

Document version: 25 June 2019



Readme for 7.5.3 SP11


This Readme applies to Axway API Gateway and API Manager 7.5.3 SP11, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP11_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Feature Notes

General

API Manager

Security


Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE ID Description
RDAPI-13393 01012712, 01012734, 00906442, 01028593, 00982074 Issue: User information was leaked because cache headers were not set
Resolution: Updated cache headers so that user information will not be leaked.

Note: Existing API Manager configurations should be updated with the update-apimanager script to get this fix. New API Manager setups should have it by default.
RDAPI-15201 01030134 Issue: API Manager API traffic could be subject to timing attacks.
Resolution: API Manager now applies countermeasures against timing attacks for API traffic.
RDAPI-15217 01027478 Issue: Error handling exposed information in API Gateway Manager if you issued a PUT request with invalid data in the request body to the advisorybanner API.

Resolution: If you try to update the advisorybanner using invalid data, API Gateway Manager now displays the correct error message, and no information is exposed.
RDAPI-15218 01028530 Issue: API Manager reveals the existence of a user's email address through the response of the Users API /forgotpassword method.
Resolution: The API Manager Users API /forgotpassword method response no longer shows the distinction between valid and invalid emails.
RDAPI-15301 01032720 Issue: API Gateway binaries are not delivered with stack protection and could be vulnerable to stack-based buffer overflow attacks.
Resolution: Native code is now built with stack canaries enabled and API Gateway is no longer vulnerable.
RDAPI-15505 01039208 Issue: The filename parameter was not checked when downloading the original API file, which was a security vulnerability.
Resolution: The filename parameter is now checked and the vulnerability is no longer present.
RDAPI-15562 01037073 CVE-2018-0734 Issue: API Gateway shipped with OpenSSL 1.0.2p-fips.
Resolution: API Gateway ships with OpenSSL 1.0.2q-fips, addressing the following security vulnerabilities: CVE-2018-0734, CVE-2018-5407
RDAPI-15692 01043569, 01043657 Issue: API Manager OAuth implementation allows different client ids in header and body with the possibility of the wrong one being used.
Resolution: Client id is taken from body or header depending on policy configuration. Additional client ids are ignored.
RDAPI-15740 01038716 Issue: You can overwrite the OAuth scopes passing extra scopes as a FormParam.
Resolution: API Gateway rejects the request if it finds that an extra scope is present as a FormParam.
RDAPI-15752 01025418, 00989754, 00989774 Issue: There is no CSRF token protection for API Gateway Manager calls.
Resolution: CSRF token protection has been added for API Gateway Management APIs.

Note: The com.axway.apimanager.csrf Java system property (true by default) can be set to false to turn off the CSRF checks by API Manager, API Gateway Manager and Client Application Registry.
RDAPI-15884 01047281, 01048422 Issue: Security headers are missing from responses.
Resolution: Missing security headers have been added.

Note: Existing API Manager configurations should be updated with the update-apimanager script to get this fix. New API Manager setups should have it by default.
RDAPI-15885 01048313 CVE-2019-1559 Issue: API Gateway included OpenSSL 1.0.2p-fips, which contained vulnerabilities.
Resolution: API Gateway now includes OpenSSL 1.0.2r-fips, addressing the following security vulnerabilities: CVE-2019-1559
RDAPI-16083 01054123 Issue: The Java version shipped with API Gateway contained security vulnerabilities.
Resolution: The API Gateway Java version has been upgraded to Open JDK 1.8.0_212.
RDAPI-16084 01054493 Issue: JQuery version 3.3.1 has introduced a security vulnerability in API Manager.
Resolution: JQuery version is now at 3.4.0 where the security vulnerability is not present.
RDAPI-16179 01056395 Issue: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, an OAuth client_id different than the one represented by the JWT token can be passed as a body parameter and injected in the Access Token.
Resolution: In API Gateway, when requesting an Access Token using the OAuth 2.0 JWT flow, the Gateway only uses the OAuth client_id from the JWT token and disregards any value passed as a body parameter.
RDAPI-16582 01067185 Issue: The CSRF Token was not being sent with the deployment service call.
Resolution: The CSRF Token is being sent with the deployment service call and the deployment succeeds.

Note: The com.axway.apimanager.csrf Java system property (true by default) can be set to false to turn off the CSRF checks by API Manager, API Gateway Manager and Client Application Registry.

Other fixed issues

Internal ID Case ID Description
RDAPI-12338 00949172, 00951645 Issue: In the API Manager exported Swagger 2.0 file the security field scopes were incorrectly formatted for scope must match Any.
Resolution: Now, in the API Manager exported Swagger 2.0 file the security field scopes are correctly formatted for scope must match Any.
RDAPI-12747 00949050, 01061340 Issue: First, the traffic type was not being aggregated correctly, so the client assumed WebSocket in these cases. Second, a 1 hour default time interval was being applied for the performance RESTful call on the server side.
Resolution: The traffic type is now aggregated with the rest of the data, and the 1 hour default time interval was changed to 'all-time'.
RDAPI-12891 00965063 Issue: API Gateway does not forward all headers for HTTP HEAD request.
Resolution: HEAD requests are now managed the same way as GET or POST requests.

Note: When relaying a HEAD response that does not contain a content length, the product replaces the 200 response code with 204. This behavior can be disabled by setting the system property "-Dcom.vordel.dwe.auto204response=false" in the product configuration.
RDAPI-13187 00973391, 00987292, 00992534, 01032122 Issue: When enabling CORS handling on a REST API configured in Policy Studio, OPTIONS requests always returned every method. In addition, OPTIONS requests invoked the policy and returned a body when a CORS profile was configured on the Service.
Resolution: CORS handling is now performed at the REST API method level, so only allowed methods are returned in the header. The correct profile is now accessed when performing preflight requests, which prevents the policy from being called and a body from being returned.
RDAPI-13481 00970706 Issue: Query parameter "from" in Monitoring Metrics Summary REST call does not change result.
Resolution: The query parameter, that did not have any effect on the call has been removed from the API.
RDAPI-14506 01006325 Issue: No flag was available in managedomain to allow the user to regenerate certs without regenerating the domain cert. Instead, certs had to be regenerated manually using the --menu option.
Resolution: New flag --retain_domain_cert added, this can be used with --regencerts to ignore domain certs.
RDAPI-14612 01002253 Issue: Policy Studio failed to retrieve a WSDL file over a proxy connection.
Resolution: The Client that is used to retrieve the WSDL has been updated to route through a proxy when proxy settings exist.
RDAPI-14613 01010747 Issue: When importing a Config Fragment, unselected nodes were still added to the project
Resolution: The algorithm for analysing these nodes was updated so that the selection would be retained and unselected nodes would not be added to the project.
RDAPI-14638 01012757, 01016261, 01052725 Issue: User name checks are too strict for some customers.
Resolution: User name regular expression is configurable in Settings of API Manager UI.
RDAPI-14707 01012722 Issue: PGP Decrypt and Verify filter does not verify messages signed using a sign-only key.
Resolution: Added JVM SecurityProperty to configure PGP to allow verification of messages using sign-only keys:
<ConfigurationFragment>
<SecurityProperty name="com.axway.apigateway.security.pgpsignkeyalgorithmids" value="RSA_GENERAL,RSA_SIGN,DSA,ECDSA,EDDSA" />
</ConfigurationFragment>
Default PGP algorithms: RSA_GENERAL,RSA_ENCRYPT,ELGAMAL_ENCRYPT,ELGAMAL_GENERAL,ECDH
RDAPI-14900 01006999 Issue: allOf was not supported, and it was not documented as a limitation.
Resolution: allOf is now supported in models and as a response schema.
RDAPI-15048 01012616 Issue: When a report is generated in API Gateway Analytics, the values inside the report differ when the file type changes from PDF to CSV.
Resolution: Generated PDF and CSV reports in API Gateway Analytics now have the same values when reports have the same date range.
RDAPI-15253 01028639 Issue: API Manager changed JSON formatting every time it processed JSON.
Resolution: API Manager does not reformat JSON payload unless it has been modified by custom policies.
RDAPI-15278 01023059 Issue: Checks on an Application that all the APIs are accessible for the assigned Organization were triggered during Organization refresh, causing an unexpected "Inconsistent API" dialog.
Resolution: The UI no longer triggers the checks on the Application during Organization refresh, so the unwanted "Inconsistent API" dialog is not shown.
RDAPI-15322 01024906 Issue: API Manager does not allow special characters . and ~ in name of parameter, although these are allowed by swagger definition.
Resolution: API Manager now allows . and ~ as parameter name.
RDAPI-15353 01032245 Issue: Redeployment from Policy Studio causes the SSO login to fail as object maps are not correctly cleared.
Resolution: The SSO-enabled API Gateway with API Manager configured now clears the object maps correctly on redeployment.
RDAPI-15453 01036528 Issue: The Metrics tooltip in API Catalog sends a request to the server when created. This takes time, so the code to hide the tooltip can complete before the server responds.
Resolution: This tooltip now sends a request to the server once when the page loads, and saves the response, so there is no longer a race condition.
RDAPI-15456 01018119 Issue: Database connections established with the Wildcard Credentials feature do not close during deployment to a gateway.
Resolution: Database connections now close during deployment to a gateway regardless of how they are established.
RDAPI-15518 01032340 Issue: Profiles and policies with long names are not fully displayed in drop downs in API Manager.
Resolution: Hovering over a drop down component displays a tooltip when the selected value is too long to display.
RDAPI-15520 01039895 Issue: The Cache attribute filter failed to update a previously cached attribute with a new attribute value when using a distributed cache.
Resolution: The Cache attribute filter now updates previously cached attributes with new attribute values.
RDAPI-15542 00975056 Issue: Metrics monitoring can show negative values for response time
Resolution: Invalid calculation for some HTTP requests has been corrected.
RDAPI-15595 01036400 Issue: API Gateway does not set Cassandra's cluster port property.
Resolution: API Gateway will now set the Cassandra cluster port correctly, rather than always using the default.
RDAPI-15652 01043037, 01042746 Issue: OAuth Refresh flow only returns JSON output. "format" header is ignored.
Resolution: "format" header is now honoured. Other outputs such as XML are returned.
RDAPI-15682 01038361, 01047751 Issue: The Remote Host Load Balancer algorithm excludes a previously failed address for a non-configurable duration of one minute. This may lead to a condition where all connection attempts to the listed Load Balancer addresses fail.
Resolution: The exclusion time period for failed addresses listed in the Load Balancer can now be configured to reduce the risk of all connections failing. Set the system environment variable AXWAY_LB_ALG_ADDR_DOWNTIME to the desired downtime in milliseconds. The default is 60000.
RDAPI-15739 01043924 Issue: OAuth Authorization Code Flow Filter throws an exception when an invalid value of the "prompt" parameter is passed resulting in potentially harmful information being written to the logs.
Resolution: OAuth Authorization Code Flow Filter now validates the prompt parameter prior to any authorization logic and gracefully fails without revealing any information about the technology used.
RDAPI-15840 01037992 Issue: Some columns are hidden in the table on the API Catalog page when the name and URL values are too long.
Resolution: Columns are now always visible, because the size of the name and URL is limited and a scroll bar appears when the table values are large.
RDAPI-15867 01047674 Issue: When the help for the Trace Filter was selected it showed "Topic not found".
Resolution: When the help for the Trace Filter is selected the help is shown.
RDAPI-15916 01047627, 01039356 Issue: When using the Open Traffic Event log, disabling recording of incoming transactions while enabling recording of outgoing transactions results in a product crash.
Resolution: Open Traffic Event Log has been corrected.
RDAPI-16028 01053244, 01053278, 01048495 Issue: Amendments to trailing slash behaviour for REST APIs in API Manager runtime caused path matching to fail for WSDL APIs due to an additional trailing slash.
Resolution: API Manager WSDL API path processing is corrected for SOAP requests sent to back-end server as defined in the corresponding WSDL binding port.
RDAPI-16041 01039041, 00947773, 01043979, 00999332, 01027257 Issue: A default switch value was not implemented for custom properties, so if the switch was not interacted with then the field and corresponding value was not sent to the server on save.
Resolution: A default switch value is now set.
RDAPI-16058 01044333 Issue: Changing dynamic traffic monitoring configuration of a HTTP interface enables recording of payload data.
Resolution: Recording of payload data is now part of UI configuration, making it no longer re-enabled systematically.
RDAPI-16080 01053421, 01045179, 01047139 Issue: API Gateway fails to handle correctly required Form Parameters on a back-end API when sent in a multi part request or if an additional attribute is present in the Content-Type header (for example "application/x-www-form-urlencoded; charset=UTF-8")
Resolution: API Gateway now handles required parameters when sent in a multi part request and accepts additional attributes in Content Types.
RDAPI-16081 01036949, 01050479 Issue: OAuth devices were restricted to 1 device per Security Profile in the client side, but no such restriction existed on the server side. The client side should not have had this restriction in place.
Resolution: The client side restriction has been removed, and all security devices are displayed correctly in the API Catalog view.
RDAPI-16114 01054182 Issue: No way to run update-apimanager when a group was protected by a passphrase
Resolution: Updated update-apimanager so that a group passphrase can be passed in using --passphrase.
RDAPI-16145 01052320 Issue: Some "SSL shutdown" errors can be triggered when reading or writing data to or from network.
Resolution: An SSL error status that could remain in memory from a previous unfinished SSL handshake is now cleared. Additional OpenSSL debug traces are now logged when the variable "V_SSL_SESS_DEBUG" is in use.
RDAPI-16148 01051869, 01050675 Issue: In API Gateway, XML message content redaction causes the instance to crash when the message contains Multi-Byte encoded characters and requires a restart.
Resolution: API Gateway now correctly handles XML message content redaction with Multi-Byte encoded characters.
RDAPI-16149 01025370, 01007245 Issue: In API Manager when configured Traffic Monitor Subject can be set for use in Metrics, a prefix of "Pass Through" is required for this type of client traffic data to be seen in API Manager Monitoring.
Resolution: Now all client traffic data is shown in API Manager Monitoring as relevant to the filter selected and user permissions.
RDAPI-16162 01041751, 01062343, 01062472, 01026467 Issue: When API Manager has many applications, the deployment and startup are too slow. Also, API management requests can interfere with 8065 traffic.
Resolution: API Manager no longer interferes with the deployment of API Gateway configurations when processing large amounts of application data. The API requests to API Manager traffic port 8065 now respond with the HTTP status '401 Unauthorized' when the API Client Cache is updating, instead of timing out.
RDAPI-16232 01049408 Issue: API Manager actions requiring many writes are too slow when the Cassandra node's CPU usage is too high.
Resolution: Reduce the number of reads when writing new objects into Cassandra.
RDAPI-16361 01057321 Issue: Policy studio does not have the appropriate launch configuration or dependent jars for jython scripting filters to fully function after install.
Resolution: Policy studio has all required dependencies and is configured correctly, and jython scripting filters function directly after install.
RDAPI-16396 01062392 Issue: In API Gateway, when HTTP redaction is enabled, API Gateway automatically turns on XML redaction for XML messages. This can result in performance issues, especially on larger XML messages.
Resolution: In API Gateway, enabling HTTP redaction will not perform XML redaction on XML messages unless it is specifically configured.

Known issues

Apache Cassandra v2.2.12 support not documented in user guides

v7.5.3 SP11 adds improved support for Apache Cassandra 2.2.12. However, the API Gateway Installation Guide and API Gateway Upgrade Guide incorrectly state that API Gateway supports Apache Cassandra versions 2.2.5 and 2.2.8 only. This user documentation will be updated to reflect support for Cassandra version 2.2.12 at a later date.

Related issues: RDAPI-14421

Other known issues

The following known issues are currently scheduled for the next service pack.


Internal ID Description
RDAPI-13517 Duplicate headers returned when calling API Gateway Rest API
RDAPI-13723 Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut
RDAPI-13971 modsecurity - "403 operation blocked" not possible to change this status in response
RDAPI-14501 API Manager: load Error "Map XXXX should be YYYY" after importing APIs
RDAPI-14552 API Gateway libxml2 outdated and unsecured?
RDAPI-15163 Issue when configuring passphrase on an API Gateway with $ character in the password
RDAPI-15290 Cant access NodeManager after submitting external CA signed certs
RDAPI-15490 Request headers reflected as response headers
RDAPI-15529 Analytics scheduled report filename doesn't change
RDAPI-15793 API Manager Traverse Error
RDAPI-16183 KPS caching seems to not use the table name as part of the cache-key, resulting in undesired behavior
RDAPI-16204 Access token is wrongly generated when the 'scope' field contains 'openid' along with a scope which is not valid for the client
RDAPI-16296 When redaction is enabled, numbers in JSON Body display in exponential format
RDAPI-16472 Frontend API creation fails if WSDL host is invalid with a HTTPS scheme
RDAPI-16679 intermittent disconnections on SFTP protocol

Reverted issues

This service pack has no reverted issues.


Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.

  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
    Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly to avoid any regex matching issues. For example, the following directories might contain customized files:

    webapps/apiportal/vordel/apiportal
    webapps/emc/vordel/manager/app
    webapps/emc

    system/conf/apiportal/email
    system/conf
    samples/scripts/
    tools/filebeat-VERSION-PLATFORM

    For details on API Manager customization, see the API Manager User Guide.
  3. Remove old third-party libraries by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/modules
    INSTALL_DIR/analytics/system/lib/modules
  4. Remove old Jython and JRE versions by deleting the following directories:
    INSTALL_DIR/apigateway/system/lib/jython
    INSTALL_DIR/analytics/system/lib/jython
    INSTALL_DIR/apigateway/platform/jre
    INSTALL_DIR/apigateway/upgrade
  5. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
  6. On Linux, remove existing capabilities on product binaries (which may prevent overwriting files):
    setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
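
A preflight check for the prerequisites above (the directories to delete, the vshell capabilities on Linux) and for the archive MD5 checksum mentioned under File packages. This is an added example, not part of the Axway Readme or product. The function names and the idea of passing the published MD5 as an argument are assumptions; the directory paths are the ones listed above.

```shell
#!/bin/sh
# Added example (not Axway code): verify the service pack prerequisites
# before extracting the archive over an existing installation.
# Usage (assumed): preflight INSTALL_DIR ARCHIVE PUBLISHED_MD5

# Directories the prerequisites say must be deleted first. Leftovers keep
# the old third-party libraries, Jython and JRE on disk.
STALE_DIRS="apigateway/system/lib/modules
analytics/system/lib/modules
apigateway/system/lib/jython
analytics/system/lib/jython
apigateway/platform/jre
apigateway/upgrade"

# Print the MD5 of a file as lowercase hex.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# archive_matches ARCHIVE EXPECTED_MD5
# Returns 0 when the digest matches, 2 when the archive is missing,
# 1 on mismatch. The comparison ignores case and stray whitespace.
# MD5 here guards against a corrupted or truncated download.
archive_matches() {
    [ -f "$1" ] || return 2
    am_actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    am_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ "$am_actual" = "$am_expected" ]
}

# stale_dirs INSTALL_DIR
# Prints every listed directory that still exists, one per line.
stale_dirs() {
    printf '%s\n' "$STALE_DIRS" | while IFS= read -r sd_rel; do
        if [ -e "$1/$sd_rel" ]; then
            printf '%s\n' "$1/$sd_rel"
        fi
    done
}

# vshell_caps INSTALL_DIR
# Prints any file capabilities still set on vshell (empty when none, or
# when getcap is not installed).
vshell_caps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap "$1/apigateway/platform/bin/vshell" 2>/dev/null || true
}

# preflight INSTALL_DIR ARCHIVE EXPECTED_MD5
# Returns 0 only when every check passes; problems go to stderr.
preflight() {
    pf_rc=0
    if ! archive_matches "$2" "$3"; then
        echo "FAIL: archive missing or MD5 mismatch: $2" >&2
        pf_rc=1
    fi
    pf_left=$(stale_dirs "$1")
    if [ -n "$pf_left" ]; then
        echo "FAIL: delete these directories before extracting:" >&2
        printf '%s\n' "$pf_left" | sed 's/^/  /' >&2
        pf_rc=1
    fi
    pf_caps=$(vshell_caps "$1")
    if [ -n "$pf_caps" ]; then
        echo "FAIL: capabilities still set, run setcap -r: $pf_caps" >&2
        pf_rc=1
    fi
    return "$pf_rc"
}

# Run the checks only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```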

FIPS mode only

If FIPS mode is enabled, you must also perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack as described in the Installation section.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Note:

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
    Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is co-located with API Gateway, you must also stop Cassandra and close the Cassandra console. If there are any open file locks, this may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.

  3. Unzip and extract API Gateway 7.5.3 SP11 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP11_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/

  4. Change to the apigateway directory in your installation: 
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

    API Gateway Appliance only
    Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:

  6. Run the following command:
    [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    chown -R admin:admin /opt/gateway/

    grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    ldconfig

Note:

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.5.3 SP11 Analytics over the analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP11_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  3. Change to the analytics directory in your installation: 
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Note:

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP11 Policy Studio over the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP11_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
  4. Start Policy Studio with policystudio -clean

Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP11 Configuration Studio over the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP11_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
  4. Start Configuration Studio with configurationstudio -clean

Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.

After installation

The following steps apply after installing the service pack.

API Gateway

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 6 and 7 in Install the API Gateway server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.

Notes:

  1. The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users using RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS of the RSA Access Manager to support stronger cipher suites. Alternatively, you can re-enable the anonymous cipher suites in JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
  2. The JRE included in API Gateway enables endpoint identification algorithms for LDAPS (secure LDAP over TLS) by default to improve the robustness of the connections. This may cause API Gateway LDAP filters to fail to connect to an LDAPS server. In this case, you can disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification:

API Manager

When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.

Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:

/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.

Client Application Registry

The following command shows an example of running the update-apimanager script when the Client Application Registry is installed:

/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg

If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.

Documentation

Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2019 Axway. All rights reserved.