Axway API Gateway 7.4.0 SP 5 Readme

Document version: 29 October 2016


Readme for 7.4.0 SP 5

This Readme applies to Axway API Gateway 7.4.0 SP 5 on all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the product. This service pack is cumulative and includes all updates from previous API Gateway 7.4.0 service packs.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

  • API Gateway Core Server
  • API Gateway Analytics
  • Policy Studio
  • Configuration Studio

The service pack contains new binaries only and does not overwrite the existing configuration.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.4.0_SP5_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Corrections and enhancements

This service pack provides the following corrections and enhancements:

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI‑3332 00835140 CVE-2016-0800, CVE-2016-2107

Issue: Security vulnerabilities in OpenSSL 1.0.1p-fips.
Resolution: Previously, API Gateway included OpenSSL 1.0.1p-fips that had security vulnerabilities, such as cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800), and padding-oracle in AES-NI CBC MAC check (CVE-2016-2107).

Now, the OpenSSL 1.0.2j-fips included in API Gateway addresses these known security vulnerabilities. For more details, see OpenSSL Security Advisory [3rd May 2016].

Other fixed issues

Internal ID Case ID Description
RDAPI-2087 00820033

Issue: The Analytics configureserver script does not permit blank SMTP username/password.
Resolution: Previously, the configureserver script did not accept an empty value for parameter smtpuser.

Now, the script accepts an empty value for smtpuser.

RDAPI‑3356 00835645

Issue: Unable to migrate Client Application Registry data from API Gateway v7.1.1.
Resolution: Previously, the API Gateway upgrade script migrateFrom71.py could not run due to syntax errors.

Now, API Gateway upgrade script migrateFrom71.py runs successfully.

RDAPI‑3569 00838171

Issue: Content-Type Encoding (CTE) headers removed from MTOM Traffic.
Resolution: Previously, the CTE header was removed from multipart/related bodies.

Now, the CTE header is kept if an XMLBody of content type application/xop+xml including xop:Include elements is found in a multipart/related body.

RDAPI-3673 00839714

Issue: Cannot export from the Client Application Registry web interface on 8089.
Resolution: Previously, when you upgraded to API Gateway v7.4.0 from an earlier version, some OAuth configuration was not correctly upgraded. This resulted in a bad request error when exporting from the Client Application Registry on 8089.

Now, when you upgrade to API Gateway v7.4.0, the correct OAuth paths are added, and you can export from the Client Application Registry.

RDAPI-3710 00811590

Issue: Test McAfee Anti-Malware Engine 5800.
Resolution: Previously, API Gateway was including the McAfee 5700 version.

Now, API Gateway includes the McAfee 5800 version.

RDAPI‑3784 00841589

Issue: OAuth expired token purge reports a cardinality violation.
Resolution: Previously, when you removed a token, the lock type used to remove the token from the database was readLock. This caused the internal OAuth expired token purge process to report exceptions.

Now, when you remove a token, the lock type used to remove the token from the database is writeLock, and the exceptions no longer occur.

RDAPI-3962 00843534

Issue: Data missing from the access log.
Resolution: Previously, the size of the response body was evaluated before processing the request. This caused several variables in the access log, such as bytes sent to the client, to always appear blank.

Now, the bytes sent to the client logged in the access log correctly reflect the size of the content body.

RDAPI-3980 00843534

Issue: XML Signature Generation filter throws a NullPointerException when configured for SAMLAssertionID Security token reference.
Resolution: Previously, the XML Signature Generation filter generated a NullPointerException when it was configured for SAMLAssertionID security token reference, and the saml.assertion.id message property had not been specified.

Now, the XML Signature Generation filter generates a CircuitAbortException with the following message:

Use a filter to insert a saml.assertion.id into the message before calling the XML Signature Generation filter for this use case.

RDAPI-4309 00845637

Issue: Cannot add a Policy Assembly filter to a policy.
Resolution: Previously, you could not add a Policy Assembly filter to a policy.

Now, you can add the Policy Assembly filter to a policy.

RDAPI-4467 00839875

Issue: XML Signature Generation filter throws a NullPointerException when configured for Symmetric Key.
Resolution: Previously, if the XML Signature Generation filter was configured to use a Symmetric Key and insert a SAML ID, the policy failed with a null pointer error.

Now, the policy passes.

RDAPI-4924 00851377

Issue: In OpenID Connect, creating a token with Create ID Token filter creates incorrect at_hash value.
Resolution: Previously, the generation and verification of the at_hash and c_hash claims was implemented incorrectly in the Create ID Token and Verify ID Token filters.

Now, both the at_hash and c_hash claims are generated and verified correctly.

RDAPI-5296 00855566

Issue: Cannot import a web service.
Resolution: Previously, you could not export or import a web service in Policy Studio, because the WSDL associated with the web service was not available after import.

Now, you can export and import a web service, and the WSDL associated with the web service is preserved on import.

RDAPI-5312 00855750

Issue: API Gateway Manager shows Gateway Server values as undefined.
Resolution: Previously, when Real Time Monitoring was disabled, the Host, Group, and Management Port fields for each instance displayed in the API Gateway Management UI had the value undefined. In addition, the traffic charts showed no messages being processed.

Now, the Host, Group, and Management Port fields are populated correctly, and the traffic charts are replaced with the text "No Data".

RDAPI-5343 00854184

Issue: Leg durations do not work as documented.
Resolution: Previously, the leg duration for non-redirect responses was calculated at the end of the entire message. This caused some leg durations to include the duration of subsequent legs.

Now, the duration of each individual leg is calculated when the response is received, so the duration accurately reflects just the time spent contacting and receiving a response from the remote connection.

RDAPI-5375 00842294

Issue: Service name not displayed for JMS requests in traffic monitoring.
Resolution: Previously, the values for JMS attributes (Service, Operation and Subject) were being stored in the message after the event was written to the opsdb.d directory.

Now, these attribute values are being written to opsdb.d and appear in the corresponding columns in the JMS section of Traffic monitoring screen in API Gateway Manager.

RDAPI-5876 00856826

Issue: Update to OpenSSL version.
Resolution: Previously, API Gateway included OpenSSL version 1.0.1, which ceases to be supported on December 31, 2016.

Now, API Gateway uses OpenSSL 1.0.2j-fips, which is supported until December 31, 2019. This version also addresses known security vulnerabilities, such as DROWN (CVE-2016-0800) and padding-oracle in AES-NI CBC MAC check (CVE-2016-2107).

The SSLv2 40-bit EXPORT ciphers and SSLv2 56-bit DES are no longer available, and DH handshakes with parameters shorter than 1024 bits are now rejected. For more details, see OpenSSL Security Advisory [26 Sep 2016] and OpenSSL CHANGES.
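
For RDAPI-4924 above: OpenID Connect Core 1.0 defines at_hash and c_hash as the unpadded base64url encoding of the left-most half of the hash of the access token or authorization code, using the hash function of the ID Token's alg header. The following Python example is added here and is not Axway code; it recomputes both claims so that an ID Token issued by a patched gateway can be checked independently. The function names and sample values are constructed for illustration, and a claim is treated as required whenever its token or code is supplied.

```python
import base64
import hashlib
import hmac

# Hash chosen by the bit-length suffix of the ID Token's JOSE "alg" header
# (OpenID Connect Core 1.0, sections 3.1.3.6 and 3.3.2.11).
HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def half_hash(value, alg):
    """Compute the at_hash / c_hash value for an access token or code."""
    hash_fn = HASHES.get(alg[-3:])
    if hash_fn is None:
        raise ValueError("unsupported ID Token alg: %r" % alg)
    digest = hash_fn(value.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]  # left-most half of the octets
    # base64url without '=' padding, as everywhere in JOSE
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_id_token_hashes(header, claims, access_token=None, code=None):
    """Return a list of problems; an empty list means both bindings hold."""
    problems = []
    for claim, value in (("at_hash", access_token), ("c_hash", code)):
        if value is None:
            continue  # artifact was not issued alongside this ID Token
        received = claims.get(claim)
        if received is None:
            # Assumption of this example: require the claim when we hold the value.
            problems.append(claim + " missing")
            continue
        expected = half_hash(value, header["alg"])
        # Constant-time comparison of the received and recomputed claim.
        if not hmac.compare_digest(str(received).encode(), expected.encode()):
            problems.append(claim + " mismatch")
    return problems


# Constructed sample values, not taken from any real deployment.
SAMPLE_TOKEN = "constructed-access-token-0123456789"
SAMPLE_CODE = "constructed-authorization-code-abcdef"
SAMPLE_HEADER = {"alg": "RS256"}
SAMPLE_CLAIMS = {
    "at_hash": half_hash(SAMPLE_TOKEN, "RS256"),
    "c_hash": half_hash(SAMPLE_CODE, "RS256"),
}

if __name__ == "__main__":
    print(check_id_token_hashes(SAMPLE_HEADER, SAMPLE_CLAIMS, SAMPLE_TOKEN, SAMPLE_CODE))
    print(check_id_token_hashes(SAMPLE_HEADER, SAMPLE_CLAIMS, SAMPLE_TOKEN + "x", SAMPLE_CODE))
```

The header and claims arguments are the decoded JOSE header and payload of an ID Token whose signature has already been verified; this check does not replace signature validation.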

Known issues

The following issues are known and scheduled for correction in a future release:

Internal ID Case ID Description
RDAPI-3429 00833374 HSM reconnection not working correctly after connection is lost.
RDAPI-4544 00848297 JSON path issues (valid JSONPath incorrectly returns no matches).

Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. You must back up any customized API Manager data in INSTALL_DIR/apigateway/webapps/apiportal/vordel/apiportal/app/app.config before applying API Gateway and API Manager service packs. You must then restore customized API Manager data manually in the new app.config file.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the nodemanager to move the JARs.
  3. Stop the nodemanager.
  4. Install API Gateway 7.4.0 SP 5.
  5. Start the nodemanager.
  6. Stop the nodemanager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the nodemanager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway.

To install a new API Gateway installation from scratch without an existing installation, or to upgrade from an earlier version to 7.4.0, see the API Gateway Installation Guide.

Install the API Gateway Core Server service pack

To install the service pack on your existing API Gateway 7.4.0 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.0 SP 5 Core over the apigateway directory in your existing installation directory. For example:

    tar -xzvf APIGateway_7.4.0_SP5_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.0/apigateway/

API Gateway Appliance only

  1. In addition, before starting the Node Manager or API Gateway, you must run the following command:

    # [ -f /etc/vordel/ssl-engines.xml ] && mv /etc/vordel/ssl-engines.xml /etc/vordel/ssl-engines.xml.1

  2. Run the following:

    # chown -R admin:admin /opt/gateway/

    # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml

    # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell

    # ldconfig

Note

  • If you have installed a licensed version of API Gateway 7.4.0, you do not require a new license to install service packs.
  • Unzip and extract the service pack as the same user who owns the API Gateway binaries. You can use the ls -l INSTALL_DIR/apigateway/posix/bin command to view the owner of the binaries.
  • If you have installed an existing version of API Gateway Analytics, you must apply a separate service pack for that component (see the next section).
  • If you have installed an existing version of API Manager, you must apply a separate service pack for that component (see the Readme for Axway API Manager 7.4.0 SP 5).

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.4.0 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib directory (or the ext/lib directory in an API Gateway Analytics instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.4.0 SP 5 Analytics over the analytics directory within your existing API Gateway 7.4.0 installation directory. For example:

    tar -xzvf APIGateway_7.4.0_SP5_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.0/analytics/

Note

  • Unzip and extract the service pack as the same user who owns the API Gateway Analytics binaries. You can use the ls -l INSTALL_DIR/analytics/posix/bin command to view the owner of the binaries.
  • You must also install a service pack for your existing 7.4.0 Core Server.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.4.0 SP 5 Policy Studio over the policystudio directory within your existing API Gateway 7.4.0 installation directory. For example:

    tar -xzvf APIGateway_7.4.0_SP5_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.0/policystudio/

The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.4.0 SP 5 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.4.0 installation directory. For example:

    tar -xzvf APIGateway_7.4.0_SP5_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.4.0/configurationstudio/

The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

Note

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:

    64-bit installation

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

    32-bit installation

    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/i386/server:$VDISTDIR/$DISTRIBUTION/jre/lib/i386:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>

  2. Run the command setcap 'cap_net_bind_service=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

Documentation

Go to Axway Support at https://support.axway.com to find all documentation for this product version.

All Axway documentation is available from Axway Support at https://support.axway.com.


Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2016 Axway. All rights reserved