Document version: 24 August 2018
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP8, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP8_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-13387 | 00981694 | CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098 | Issue: Bouncy Castle library 1.55 contains security vulnerabilities. Resolution: API Gateway now ships with Bouncy Castle library version 1.60. |
RDAPI-13616 | 00987148 | CVE-2018-1199 | Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of vulnerabilities, including CVE-2018-1199. Resolution: API Gateway now includes Spring framework version 4.3.17.RELEASE, which addresses the known vulnerabilities. |
RDAPI-13699 | 00991632, 00989952 | See Oracle Critical Patch Update Advisory - July 2018 | Issue: API Gateway used a JRE version that included security vulnerabilities. Resolution: The API Gateway JRE has been updated to JRE 8u181, which fixes these vulnerabilities. For more information, see: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html |
Internal ID | Case ID | Description |
---|---|---|
RDAPI-12034 | 00930007 | Issue: Missing generic error exception message not provisioned. For a given fault handler, if the Show detailed explanation of error option was selected, the custom error message that had been set was not populated in the HTTP response, and a generic error was displayed instead. Resolution: The custom error message is now set in the response if this option is selected. In addition, the SOAP fault body is now rendered with the SOAP version set in the SOAP fault handler (previously, in some cases, a default SOAP version 1.1 fault body was rendered). |
RDAPI-12344 | 00976884, 00991615, 00932805, 00984330 | Issue: API Manager reflected the request body in generated responses for 400, 404, 405, and 429 HTTP errors, which were not handled by Global Fault handlers. Resolution: API Manager now removes the request body from generated responses for all of these HTTP errors when the new com.axway.apimanager.fault.removeContentBody Java system property is set to true. There is also new fault handling for these API Manager-specific errors: the fault is routed to the GenericFaultProcessor to generate a response body. This is controlled by the com.axway.apimanager.fault.legacy Java system property, which is false by default; set it to true to keep the old behavior of the API Manager-specific errors if required. |
RDAPI-12798 | 00959616 | Issue: API Manager crashed when deleting a remote host created on another instance in the same group. Resolution: The API Manager crash has been fixed, and debug traces are logged when remote hosts are not found. |
RDAPI-13115 | 00971103 | Issue: Downloading Swagger for different APIs with the same name resulted in the same download file. Resolution: Each Swagger download file is now unique per API, including when APIs have the same name. |
RDAPI-13176 | 00969687 | Issue: Importing an XSD that includes other XSDs (by <include>) under Resources > XML Schema Document Bundles > User-defined Catalog in Policy Studio failed for Data Map creation. Resolution: The XSD for Data Map creation now imports correctly in Policy Studio under Resources > XML Schema Document Bundles > User-defined Catalog. |
RDAPI-13188 | 00972252 | Issue: WebSocket traffic was not logged to the Transaction Access Log when this was enabled. Resolution: HTTP connections upgraded to WebSockets are now recorded in the server access log. WebSocket calls are rejected when an incoming remote host is explicitly configured to forbid HTTP 1.1. |
RDAPI-13206 | 00961953 | Issue: Deleting an API Manager front-end API in a system with many APIs and quotas took too long, because the application hit the database with many unnecessary CRUD operations. Resolution: Only the necessary operations are performed, and deleting a front-end API should take only a few seconds, depending on how close API Gateway is to the Apache Cassandra cluster. Note: You must back up your data (Cassandra and kpsadmin) before applying this service pack. |
RDAPI-13212 | 00974976, 00982285, 00975245 | Issue: A trailing / was added after applying SP6 for SOAP APIs. Trailing slashes were not always processed correctly for API Manager inbound requests in SOAP and REST APIs. Resolution: Inbound API requests are processed as designed by the API developer. This allows inbound API requests with a trailing slash to match an API path with no trailing slash only when the com.vordel.apimanager.uri.path.trailingSlash.preserve Java property is set to true. Outbound API request paths are processed as designed by the API developer. In addition, the Content-Type of an API request, if present, is now taken into consideration for a single API path match. |
RDAPI-13227 | 00968176 | Issue: When using the implicit OAuth flow, the token response did not include the scopes for the token in the Location header of the response, even when the scopes differed from those requested, as required by the specification. |
RDAPI-13229 | 00976057 | Issue: Organization API access alerts were not triggered during |
RDAPI-13286 | 00971897 | Issue: If Single Sign On (SSO) was enabled for an API Gateway with API Manager configured, the process did not terminate cleanly when |
RDAPI-13312 | 00976711 | Issue: When API Gateway decrypted a PGP-encrypted but unsigned message with a PGP Decrypt and Verify filter set to verify the signature, the message was still decrypted. Resolution: You can now use the -DpgpFailDecryptNoSignature=true system property to configure whether the message is decrypted in this case. |
RDAPI-13327 | 00987729, 00926473 | Issue: After registering a WSDL in API Manager, downloading the WSDL from other API Manager instances required restarting the servers. Resolution: Downloading a WSDL from multiple API Manager instances no longer requires restarting the servers. |
RDAPI-13396 | 00981358 | Issue: Validation of the API Manager Base Path URL field restricted the use of selector syntax characters (for example, ${env.MY_VAR}). Resolution: You can now use selector syntax characters in the Base Path URL field. Additional back-end validation has been added to ensure that the final URL is valid. |
RDAPI-13430 | 00969445 | Issue: The number of simultaneously open WebSockets for a client IP address could not be limited. Resolution: You can now configure the WebSocket listener with a policy that is triggered when the connection is closed. You must configure the com.axway.websocket.policy.onclose Java global property in the jvm.xml file with a reference to the policy to call. |
RDAPI-13537 | 00981086 | Issue: Broken access control in API Manager. When logged in as an organization administrator, you could edit applications owned by other organizations by changing the application ID in the URL. Resolution: When authenticated in API Manager, you can now only access the applications that you are authorized to access. |
RDAPI-13576 | 00980017 | Issue: In the Open Traffic Event Log, the Maximum disk space for logs setting in Policy Studio was not taken into account; the value was capped at 2047 MiB due to a miscalculation. Resolution: Higher values for the Maximum disk space for logs setting are now taken into account. |
RDAPI-13799 | - | Issue: API Manager user and password audit events were missing information that is useful from an audit perspective. |
This service pack has the following known issues, which are planned for a future release.
Internal ID | Description |
---|---|
RDAPI-9478 | Path matching on listeners works incorrectly when the paths found are the same |
RDAPI-13121 | API Manager application updates are not logged in audit log |
RDAPI-13672 | Errors due to spill to disk files that are not cleaned up |
RDAPI-13681 | OAuth scope management issues in API Manager 7.5.3 |
RDAPI-13556 | DevOps - apimanager-promote returns zero on success or failure |
These instructions apply to both API Gateway and API Manager.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
- … INSTALL_DIR/system/lib/modules directory.
- Ensure that JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat so that the Cassandra tools are launched successfully.
If FIPS mode is enabled, you must perform the following steps to install the service pack:
1. Run togglefips --disable to turn FIPS mode off.
2. Install the service pack as described below.
3. Run togglefips --enable to turn FIPS on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:
1. … apigw_sp_post_install.bat from completing successfully.
2. Remove any old patches from the INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
3. Extract the archive into the apigateway directory in your existing installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP8_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
4. Change to the apigateway directory in your installation:
   Windows: INSTALL_DIR\apigateway
   Linux/UNIX: INSTALL_DIR/apigateway
5. Run the post-install script:
   Windows: apigw_sp_post_install.bat
   Linux/UNIX: apigw_sp_post_install.sh
   Run the .sh script with the bash command, and ensure that the correct permissions are set.
6. On the API Gateway Appliance, run the following commands as the root user on the appliance before starting the Node Manager or API Gateway:
[ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
chown -R admin:admin /opt/gateway/
grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
ldconfig
Note: To check that the correct permissions are set, run: ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
1. Extract the archive into the analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP8_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
2. Change to the analytics directory in your installation:
   Windows: INSTALL_DIR\analytics
   Linux/UNIX: INSTALL_DIR/analytics
3. Run the post-install script:
   Windows: apigw_analytics_sp_post_install.bat
   Linux/UNIX: apigw_analytics_sp_post_install.sh
Note: Run the .sh script with the bash command, and ensure that the correct permissions are set. To check the permissions, run: ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
1. … INSTALL_DIR/policystudio directory.
2. Extract the archive into the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP8_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
Note: The first time you start Policy Studio, you must use policystudio -clean.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
1. … INSTALL_DIR/configurationstudio directory.
2. Extract the archive into the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP8_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
The following steps apply after installing the service pack.
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway server service pack.
To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:
1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
2. Run the following command to allow API Gateway to listen on privileged ports:
setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell
3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
INSTALL_DIR/platform/jre/lib/amd64/server
INSTALL_DIR/platform/jre/lib/amd64
INSTALL_DIR/platform/lib/engines
INSTALL_DIR/platform/lib
INSTALL_DIR/ext/lib
4. Run ldconfig.
Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.
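The following helper is an added example, not Axway's script and not part of this Readme: it inserts jvm.xml system properties such as the com.axway.apimanager.fault.removeContentBody property introduced by the fixes above idempotently, using the same grep-then-insert pattern as the appliance step, and checks that the unprivileged-user post-install settings (the gateway-libs.conf entries and the vshell capabilities) are in place. It assumes only the INSTALL_DIR layout this Readme names and a jvm.xml containing a <JVMSettings> element, as the Readme's own sed command does; the getcap output is matched loosely because its format differs between libcap versions.

```shell
#!/bin/sh
# Added helper (not Axway's tooling). Assumes the INSTALL_DIR layout named in this
# Readme (system/conf/jvm.xml, platform/bin/vshell, platform/lib, ext/lib).

# Insert a <VMArg name="..."/> line after <JVMSettings> unless it is already present.
# Works for any -D system property, e.g. the ones introduced in this service pack:
#   ensure_vmarg INSTALL_DIR/system/conf/jvm.xml '-Dcom.axway.apimanager.fault.removeContentBody=true'
ensure_vmarg() {
    file="$1"; arg="$2"
    grep -qF -- "$arg" "$file" && return 0      # already configured: nothing to do
    tmp="$file.tmp.$$"
    awk -v line="    <VMArg name=\"$arg\"/>" '
        { print }
        /<JVMSettings/ && !done { print line; done = 1 }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the five library directories that /etc/ld.so.conf.d/gateway-libs.conf
# must list for a given INSTALL_DIR (same order as the post-install step).
render_gateway_libs_conf() {
    inst="$1"
    printf '%s\n' \
        "$inst/platform/jre/lib/amd64/server" \
        "$inst/platform/jre/lib/amd64" \
        "$inst/platform/lib/engines" \
        "$inst/platform/lib" \
        "$inst/ext/lib"
}

# Return 0 only if the ld.so.conf.d file lists every expected directory, 1 otherwise.
ldconf_complete() {
    conf="$1"; inst="$2"
    [ -f "$conf" ] || return 1
    render_gateway_libs_conf "$inst" | while IFS= read -r dir; do
        grep -qxF -- "$dir" "$conf" || exit 1   # exit 1 ends the pipeline subshell
    done
}

# Return 0 if vshell carries both capabilities from the Readme's setcap step,
# 1 if not, and 2 when getcap (libcap) is not installed so the check cannot run.
vshell_caps_ok() {
    command -v getcap >/dev/null 2>&1 || return 2
    caps=$(getcap "$1" 2>/dev/null)
    case "$caps" in
        *cap_net_bind_service*cap_sys_rawio*|*cap_sys_rawio*cap_net_bind_service*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run ensure_vmarg once per property on the real jvm.xml as the user that owns the installation, then ldconf_complete and vshell_caps_ok against INSTALL_DIR to confirm the post-install steps took effect before starting the Node Manager.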
Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at http://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com
Copyright © 2018 Axway. All rights reserved.