
API Gateway and API Manager Readme

Axway API Gateway and API Manager 7.5.3 SP 3 Readme

Document version: 2 October 2017


Readme for 7.5.3 SP 3

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 3, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

  • API Gateway Core Server
  • API Manager
  • API Gateway Analytics
  • Policy Studio
  • Configuration Studio

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP3_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

Internal ID RDAPI-11109, Case ID 00906442, CVE identifier CWE-384
Issue: Fixed user sessions in API Manager.
Resolution: Previously in API Manager, it was possible to fix a user's session and, once the user had logged in to API Manager, use the predefined session to impersonate that user. Now, this is no longer possible, because API Manager regenerates the session ID for a user after the user logs in.
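The following is an added illustration of the CWE-384 fix above, not API Manager code: a minimal in-memory login handler in the fixable form beside the corrected form, which discards the session ID presented at login and binds the authenticated user to a freshly generated one. The user table, session store and function names are constructed for this example.

```python
import secrets

# Constructed sample credential store for this example (not real API Manager data).
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """In-memory session store keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def password_ok(user, password):
    """Constant-time comparison against the constructed user table."""
    return secrets.compare_digest(USERS.get(user, ""), password)


def login_fixable(store, sid, user, password):
    """Pre-fix pattern: authenticates whatever session the client presented."""
    sess = store.get(sid)
    if sess is None or not password_ok(user, password):
        return None
    sess["user"] = user  # an ID known before login is now a logged-in session
    return sid


def login_regenerating(store, sid, user, password):
    """Fixed pattern: drop the presented ID and bind the login to a new one."""
    if store.get(sid) is None or not password_ok(user, password):
        return None
    store.sessions.pop(sid)  # the ID known before login no longer resolves
    new_sid = store.create()
    store.sessions[new_sid]["user"] = user
    return new_sid


def fixation_succeeds(login):
    """Check for a handler: is an ID known before login still usable after it?"""
    store = SessionStore()
    known_sid = store.create()  # session ID observed before authentication
    login(store, known_sid, "alice", USERS["alice"])
    sess = store.get(known_sid)
    return sess is not None and sess["user"] == "alice"
```

The same check against a running API Manager is the cookie comparison: the session cookie value returned after login must differ from the one issued before it.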

Other fixed issues

Internal ID RDAPI-6779, Case ID 00870827
Issue: API Manager removes forward-slashes from requests.
Resolution: Previously, if you created a back-end API from a Swagger definition file that contained trailing forward-slashes (for example, because the back-end service expected them in the request), API Manager automatically trimmed the trailing forward-slashes from the requests to back-end services.
Now, you can preserve the trailing forward-slashes by setting the following system property:
<VMArg name="-Dcom.vordel.apimanager.uri.path.trailingSlash.preserve=true"/>

Internal ID RDAPI-7403, Case ID 00879231
Issue: Missing JSON exception message.
Resolution: Previously, the JSON Error filter sometimes did not include the failure reason in the response message. Now, if you select the option "Show detailed explanation of error", the failure reason is always included in the response error message.

Internal ID RDAPI-9312, Case ID 00896155
Issue: Errors with special characters in KPS tables.
Resolution: Previously in API Gateway Manager, if you entered a string containing a \ character in the Primary Key field in a KPS table, API Gateway Manager displayed an error. Now, API Gateway Manager displays the KPS table correctly even when the Primary Key field contains special characters.

Internal ID RDAPI-10322, Case IDs 00905760, 00911323
Issue: Problem publishing two APIs with the same resource path.
Resolution: Previously in API Manager, if you tried to create a front-end API duplicating a resource path already in use, API Manager displayed an invalid message error and you could not save the front-end API. Now, you can save a front-end API with a duplicated resource path.

Internal ID RDAPI-10368, Case ID 00904790
Issue: Validating SAML assertion fails if there is no statement in the assertion.
Resolution: Previously, the Retrieve from SAML Attribute Assertion filter failed if the SAML assertion did not contain a statement. Now, this no longer happens, and the SAML assertion can be validated.

Internal ID RDAPI-10414, Case ID 00892900
Issue: Path defined on virtual hosts not in the Used by list of a global policy.
Resolution: Previously in Policy Studio, if you used a global request or response policy to expose a relative path on a virtual host, the path was not displayed in the Used by list in the global policy edit dialog. Now, the Used by list of the policy also includes the relative paths exposed on a virtual host.

Internal ID RDAPI-10467, Case ID 00907286
Issue: Attributes from RADIUS authentication request not parsed correctly.
Resolution: Previously, when you sent an authentication request to RADIUS, some of the returned RADIUS attributes were not set up correctly. Now, all of the returned RADIUS attributes contain the correct values.

Internal ID RDAPI-10592, Case ID 00901498
Issue: No error when retrieving content exceeding the maximum transaction size.
Resolution: Previously, if the Connect to URL filter tried to retrieve content exceeding the maximum transaction size you had defined, API Gateway did not fail the policy or report an error. Instead, it truncated the data once the maximum number of bytes had been received. Now, if the server returns the Content-Length header to API Gateway, API Gateway checks the returned size. If the size exceeds the configured value, API Gateway reports an error.

Internal ID RDAPI-10593, Case ID 00905427
Issue: NullPointerException when JMS message has no body.
Resolution: Previously, when API Gateway consumed a JMS message from a JMS queue that contained only properties and no body, API Gateway threw a NullPointerException error, because traffic monitoring tried to log the JMS message body that did not exist. Now, traffic monitoring in API Gateway has been updated, and API Gateway can consume JMS messages that do not contain a body as normal.

Internal ID RDAPI-10598, Case IDs 00901619, 00916128, 00915269
Issue: Large query strings cause API Gateway to crash.
Resolution: Previously, the OpsDB component in API Gateway caused API Gateway to crash if an HTTP request contained an excessively long query string. Now, all attempts to write any type of data of any size to the OpsDB component that previously led to a crash or unexpected behavior in API Gateway are prevented. This also prevents data corruption and improves error handling when reading JSON data from the OpsDB.

Internal ID RDAPI-10631, Case ID 00907036
Issue: Nonce claim not part of the generated OpenID token.
Resolution: Previously, when an OpenID token was generated for the OpenID implicit grant type or the Authorization code grant type (if one was specified in the authentication request), the generated ID Token did not contain a nonce. Now, the ID Token contains a nonce claim.

Internal ID RDAPI-10682, Case ID 00902178
Issue: Long timeout for Cassandra connections.
Resolution: Previously, if the machine hosting a Cassandra instance crashed or had a network failure, the Cassandra-dependent traffic in API Gateway was almost completely blocked for up to 15 minutes. Now, the Datastax driver in API Gateway has been updated to the latest version. API Gateway correctly detects the failure, the outage window of the Cassandra traffic has been reduced to ~40 seconds, and API Gateway only rejects 33% of the Cassandra-dependent traffic.

Internal ID RDAPI-10687, Case IDs 00909204, 00910061
Issue: Unable to import API Manager REST API to API Manager after installing 7.5.3 SP1.
Resolution: Previously, the changes introduced to Swagger validation in the previous service pack caused importing the API Manager REST API to fail, because the check for duplicate paths proved to be too restrictive. Now, the implementation has been updated to differentiate between the different methods when checking duplicate paths, so no false positives are reported and the API import succeeds.

Internal ID RDAPI-10698, Case ID 00907041
Issue: OpenID request shown as Unknown type flow in API Gateway Manager.
Resolution: Previously, when you requested an OpenID token, API Gateway Manager logged the request with type token_id token as an Unknown type flow on the Traffic tab. Now, the OpenID request with type token_id token is logged as OpenIDConnect ID Token and Token Request.

Internal ID RDAPI-10710, Case ID 00908896
Issue: Application state marked optional, but is mandatory.
Resolution: Previously in API Manager 7.5.3, if you tried to update an application and did not include the state information (marked optional) in the request, updating the application failed. Now, the state field has been updated to be optional, and you can update an application without filling in the field.

Internal ID RDAPI-10734, Case ID 00902220
Issue: API Manager Swagger files are inaccurate.
Resolution: Previously, the query parameters that specific API Manager API endpoints accepted were not documented in the Swagger files. In addition, the Client Application Registry API was documented as part of the API Manager APIs. Now, the missing query parameters have been added to the Swagger files, and the Client Application Registry API is documented in its own Swagger file.

Internal ID RDAPI-10781, Case IDs 00915509, 00911895
Issue: Runtime exceptions not captured by fault handlers.
Resolution: Previously, when a filter threw a runtime exception, the exception skipped all fault handlers and was propagated to the client. Now, all runtime exceptions are caught and logged to trace. If you include a specific fault handler in the policy, API Gateway calls that fault handler; otherwise, the generic fault handler is used.

Internal ID RDAPI-10954, Case ID 00915443
Issue: Swagger APIs using regular expressions in paths fail after upgrading API Manager.
Resolution: Previously, after you upgraded from API Manager 7.3.1 to v7.5.3, requests to virtualized APIs were not correctly matched with the back-end API if the back-end API path contained regular expressions or multiple template variables. Now, API Manager correctly matches the requests with the back-end API.

Internal ID RDAPI-10959, Case ID 00913251
Issue: When calling many filters, Traffic Monitor crashes when logging the Circuit Path used by policies.
Resolution: Previously, if the Circuit Path string exceeded 524 KB (the OpsDB page size), it could cause Traffic Monitor to crash. Now, API Gateway chunks the Circuit Path string into blocks that do not exceed 524 KB.

Internal ID RDAPI-10963, Case ID 00912469
Issue: Certificates generated in Policy Studio signed using a SHA1 algorithm.
Resolution: Previously, if you generated certificates in Policy Studio, they were signed using the SHA1withRSA algorithm, which is considered weak. Now, the algorithm has been updated, and certificates generated in Policy Studio are signed using the SHA256withRSA algorithm.

Internal ID RDAPI-10964, Case ID 00901696
Issue: Parameters path attribute cannot be used as a stylesheet parameter in the XSLT Transformation filter.
Resolution: Previously, if you used a params.path.XXX attribute as a stylesheet parameter in the XSLT Transformation filter, it caused a java.lang.IllegalArgumentException error. Now, the attribute evaluation has been updated to support non-string object types.

Internal ID RDAPI-10993, Case ID 00912679
Issue: Unimplemented function "compareDocumentPosition" triggered on some XSLT transformations.
Resolution: Previously, some XSLT transformations that worked in API Gateway 7.3.1 could not be used in v7.5.3 because of a missing function that the new version of the XSLT layer uses. Now, the missing function has been implemented in the XML layer in v7.5.3.

Internal ID RDAPI-11144, Case ID 00920321
Issue: High number of connections in CLOSE_WAIT status.
Resolution: Previously, API Gateway released all connections only when the policy was fully executed. This meant that if the Connect to URL filter was called numerous times, the number of connections in the CLOSE_WAIT status ended up being very high. Now, you can configure the Connect to URL filter to release the previous connection when a new connection is created by setting the following system property:
<VMArg name="-DConnectToUrlFilter.removePreviousConnections=true"/>
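As an added example for RDAPI-10592 above (illustration only, not API Gateway code), this shows the shape of the fix: a response whose Content-Length header exceeds the configured maximum transaction size is rejected with an error before its body is read, instead of being silently truncated. It goes one step beyond the text by adding a streaming byte count for responses that carry no Content-Length header, which the header check alone cannot cover. The function names, the limit and the sample responses are constructed.

```python
class TransactionTooLarge(Exception):
    """Raised when a response would exceed the configured maximum transaction size."""


def check_content_length(headers, max_bytes):
    """Pre-read check on the declared size, as the fix describes.

    Returns the declared length, or None when the header is absent or unusable,
    in which case the caller must count bytes while reading instead.
    """
    value = headers.get("content-length")  # header names are lower-cased by fetch()
    if value is None:
        return None
    try:
        length = int(value.strip())
    except ValueError:
        return None
    if length < 0:
        return None
    if length > max_bytes:
        raise TransactionTooLarge(f"Content-Length {length} exceeds limit of {max_bytes}")
    return length


def read_body(chunks, max_bytes):
    """Streaming fallback: count bytes as they arrive and fail instead of truncating."""
    received = bytearray()
    for chunk in chunks:
        if len(received) + len(chunk) > max_bytes:
            raise TransactionTooLarge(f"body exceeded {max_bytes} bytes while reading")
        received.extend(chunk)
    return bytes(received)


def fetch(headers, chunks, max_bytes):
    """Header check first, then the byte count on the body; returns the full body."""
    lowered = {name.lower(): value for name, value in headers.items()}
    check_content_length(lowered, max_bytes)
    return read_body(chunks, max_bytes)


# Constructed sample responses (not captured traffic): headers and body chunks.
SAMPLES = {
    "small": ({"Content-Length": "5"}, [b"hello"]),
    "declared_too_large": ({"Content-Length": "1048577"}, [b"x" * 1024]),
    "chunked_too_large": ({"Transfer-Encoding": "chunked"}, [b"x" * 600000, b"y" * 600000]),
}


def classify(name, max_bytes=1024 * 1024):
    """Return 'ok' or 'rejected' for one of the constructed samples."""
    headers, chunks = SAMPLES[name]
    try:
        fetch(headers, chunks, max_bytes)
        return "ok"
    except TransactionTooLarge:
        return "rejected"
```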

Known issues

There are no known issues in this service pack.

Install the service pack

Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your installation.

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

Note

  • To install a new API Gateway or API Manager installation from scratch without an existing installation, see the API Gateway Installation Guide.
  • To upgrade from an earlier version to v7.5.3, see the API Gateway Upgrade Guide.

Install the API Gateway Core Server service pack

If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 3 Core over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP3_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

API Gateway Appliance only

Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:

  6. Run the following command:
    [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    chown -R admin:admin /opt/gateway/

    grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    ldconfig

Note

  • If you have installed a licensed version of API Gateway or API Manager 7.5.3, you do not require a new license to install service packs.
  • Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
  • If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
  • If you have installed an existing version of API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.
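The following is an added pre-flight check, not a script shipped with the service pack, that covers the Prerequisites list and the points in this section before anything is extracted: the archive's MD5 against the published checksum, the removed INSTALL_DIR/system/lib/modules directory, leftover patch JARs in INSTALL_DIR/ext/lib, and that the user extracting the archive owns the binaries under apigateway/posix/bin. The function names, the demo() install tree and the placeholder archive are constructed for this example.

```python
import hashlib
import os
import pwd
import tempfile


def md5_of(path):
    """MD5 of a downloaded archive, to compare with the checksum published for it."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(install_dir, archive, expected_md5, component="apigateway"):
    """Return the list of problems found; an empty list means extraction can go ahead."""
    problems = []
    if md5_of(archive).lower() != expected_md5.lower():
        problems.append("archive checksum does not match the published MD5")
    modules = os.path.join(install_dir, "system", "lib", "modules")
    if os.path.isdir(modules):  # prerequisite 3: old third-party libraries
        problems.append(f"old third-party libraries still present: {modules}")
    ext_lib = os.path.join(install_dir, "ext", "lib")
    if os.path.isdir(ext_lib):  # step 2: patches from earlier service packs
        jars = sorted(n for n in os.listdir(ext_lib) if n.endswith(".jar"))
        if jars:
            problems.append(f"previous patches still in {ext_lib}: {jars}")
    bin_dir = os.path.join(install_dir, component, "posix", "bin")
    if not os.path.isdir(bin_dir):
        problems.append(f"binaries directory not found: {bin_dir}")
    elif os.stat(bin_dir).st_uid != os.getuid():  # extract as the owner of the binaries
        uid = os.stat(bin_dir).st_uid
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:
            owner = str(uid)
        problems.append(f"{bin_dir} is owned by {owner}; extract the archive as that user")
    return problems


def demo():
    """Run the check over a constructed install tree, first clean and then dirty."""
    root = tempfile.mkdtemp(prefix="sp3-preflight-")
    os.makedirs(os.path.join(root, "apigateway", "posix", "bin"))
    archive = os.path.join(root, "APIGateway_7.5.3_SP3_Core_constructed.tar.gz")
    with open(archive, "wb") as f:
        f.write(b"constructed placeholder, not a real service pack archive")
    clean = preflight(root, archive, md5_of(archive))
    # Leave behind exactly what the prerequisites say to remove, and use a wrong checksum.
    os.makedirs(os.path.join(root, "system", "lib", "modules"))
    os.makedirs(os.path.join(root, "ext", "lib"))
    open(os.path.join(root, "ext", "lib", "old-patch.jar"), "wb").close()
    dirty = preflight(root, archive, "0" * 32)
    return clean, dirty
```

The MD5 comparison matches what the download page publishes and detects a corrupted download, not a substituted one, so the archive and its checksum should both come from the vendor's authenticated support portal.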

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 3 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP3_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  4. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  5. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

Note

  • Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
  • You must also install a service pack for your existing 7.5.3 Core Server.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 3 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP3_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 3 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP3_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 5 and 6 in Install the API Gateway Core Server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

  • Axway Supported Platforms
  • Axway Interoperability Matrix

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2017 Axway. All rights reserved.