Axway API Gateway 7.5.2 Release Notes

Document version: 2 November 2016

Summary

API Gateway is available as a software installation, a physical or virtual appliance, or as a managed service on Axway Cloud.

The software installation is available on Windows and Linux. For more details on supported platforms for software installation, see the API Gateway Installation Guide.

The physical appliance is a pre-hardened appliance running the API Gateway runtime delivered on a Dell PowerEdge server. The virtual appliance is a prehardened appliance running the API Gateway runtime and is available as VMware and as an Amazon Machine Image (AMI).

For more details on appliance options, see the API Gateway Appliance Installation and Administration Guide.

For best performance, after installing or upgrading to API Gateway 7.5.2, it is mandatory to install the patch APIGateway_7.5.2_Patch5885_allOS_BN20161018.

New features and enhancements

The following new features and enhancements are available in this release.

Axway documentation

You can find the latest information and up-to-date user guides under the Documentation link on Axway website.

Swagger 2.0 definitions for API Management REST APIs

Swagger 2.0 definitions for API Management REST APIs provide a consistent way to document the REST APIs across Axway platform products.

You can import these REST APIs in API Manager and publish them to the API Catalog, facilitating secure self-service consumption of API Management REST APIs.

For more details, see API Manager API Management Guide.

Enhanced upgrade

Upgrading existing API Gateway installations has been simplified further:

  • When upgrading from API Gateway 7.5.1, you can use your existing external Apache Cassandra database instead of installing a new database and migrating data.
  • When upgrading from API Gateway 7.5.1, Apache Cassandra can remain running throughout the upgrade, serving any upgraded API Gateways when they come online.

For more details, see the API Gateway Upgrade Guide.

Vordel appliance migration

You can upgrade from an Oracle Enterprise Linux (OEL) hardware appliance (Vordel appliance) to the Axway Appliance Platform, a SuSE Linux Enterprise hardware appliance, and migrate your data to API Gateway version 7.5.2.

For more details, see API Gateway Appliance Installation and Administration Guide.

Visual Mapper (General Availability)

Visual Mapper transitions from Restricted Availability to General Availability status. In addition, new capabilities have been added to improve the mapping experience when creating APIs that integrate with back-end applications.

  • If you have a good understanding of XSLT code and the existing functions do not meet your needs, you can use the CustomXsltCode option in the Visual Mapper palette to enrich the transformation using expressions.
  • You can define a function parameter as a complex expression in Extensible Stylesheet Language Transformations (XSLT) code functions.
  • You can now use new string functions (such as compare, contains, ends-with, starts-with, and matches, to name but a few) and math functions (like ceiling, floor, round, and sum) to modify values.
  • You can now configure functions in the Edit dialog.
  • You can reload different versions of the XSD schema in API Gateway.
  • JSON combined schemas, such as allOf, oneOf, and anyOf, are now supported.
  • The available functions are now added to the parameter function editor and Custom XSLT code editor.

For more details on data maps, see the API Gateway Policy Developer Guide. For more details on Visual Mapper, see the API Gateway Visual Mapper User Guide.

Kerberos Constrained Delegation

This release provides support for Kerberos Constrained Delegation (KCD):

  • Expose and secure applications, such as SharePoint, using API Gateway and API Manager.
  • Expose APIs protected with Kerberos authentication to users trying to access them either with application that does not support Kerberos or from outside the Kerberos domain.
  • Mediate authentication between Kerberos authentication and other identity mechanisms, such as SAML or OAuth.

For more details, see the API Gateway Kerberos Integration Guide and the API Gateway Policy Developer Guide.

Docker container support

API Gateway and API Manager now support Docker containers:

  • Deploy containerized API Gateway and API Manager to any OS or cloud platform supporting Docker (for example, IBM Bluemix).
  • Docker files and compose scripts are provided to enable you to create Docker containers for API Gateway, API Manager, and Cassandra.
  • Use CentOS 7 as the base image and automatically create a multi-container environment.

For more details, see the API Gateway Installation Guide.

IBM Bluemix support

IBM Bluemix support enables deploying Docker containers for API Gateway, API Manager, and Cassandra to IBM Bluemix cloud platform.

Enhanced security

General enhancements ensure API Management continues to provide best-in-class solution to secure APIs:

  • API Gateway and API Manager are upgraded to OpenSSL 1.0.2.
  • The ability to block TLS v1.1 and v1.2 has been added, and the existing ability has been extended to block SSL v2, SSL v3, and TLS v1.

Performance

  • The performance benchmarks have been updated to reflect real-life scenarios.
  • The performance benchmarks for the API Manager REST API have been included.

Deprecated features

The following features have been deprecated in this release:

  • The API Tester tool has been deprecated and will be removed in a future release. API Tester is no longer installed in a Standard or Complete setup type, and is only installed in a Custom setup type. For more details, see the API Gateway Installation Guide.

Removed features

The following features have been removed in this release:

  • In Policy Studio, under Environment Configuration > Listeners, when editing SSL settings for a selected port, the Use EDH Key once only option has been removed from the Configure HTTPS Interface dialog.
  • This option is no longer available because it is permanently enabled from OpenSSL 1.0.1s onwards. The EDH key is now always used only once to guarantee perfect forward secrecy, which may have an impact on performance.

Fixed issues

The fixes for issues included in API Gateway v7.5.1 SP 1 are also included in API Gateway 7.5.2.

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI‑5430 CVE-2016-3720

Issue: Jackson dependency in third party libraries.

Resolution: Previously, API Gateway Manager included JAR files provided by Restlet that had a dependency on Jackson version with a known security issue (CVE-2016-3720).

Now, these JAR files have been updated to remove the dependency.

RDAPI‑4962,

RDAPI‑4963,

RDAPI‑4964

00852454

CVE-2016-3485, CVE-2016-3500, CVE-2016-3508,

Issue: Vulnerabilities in Java 8u92
Resolution: Previously, there were known vulnerabilities (CVE-2016-3485, CVE-2016-3500, CVE-2016-3508) in the Java version (Java 8u92) shipped with API Gateway.

Now, the Java version has been upgraded to Java 8u102, and these vulnerabilities are no longer present in API Gateway.

Other fixed issues

Internal ID Case ID Description
RDAPI‑874 785901 Issue: Files created using SpillToDisk are not deleted and cause exceptions.

Resolution: Previously, if a connection timeout during a big file transfer activated the SpillToDisk option, an exception was thrown and the temporal file was not removed. Because of this, you could not attempt a new file transfer.

Now, the exception is handled and the temporal file is removed, and you can attempt the file transfer again.

RDAPI‑1866 00846285

Issue: Broken link for the Javadoc for JsonNode class.

Resolution: Previously, API Gateway Developer Guide contained a broken and incorrect link to the Javadoc for the com.fasterxml.jackson.databind.JsonNode class.

Now, the guide contains a correct working link to the Javadoc for this class.

RDAPI‑2327 776780

Issue: When the Connect to URL filter receives a response larger than the Max Received Bytes limit, it returns a truncated result instead of an error.

Resolution: Previously, the policy did not trap exceptions encountered while streaming the response to the client.

Now, the policy buffers the response in the Reflect Message filter, and ensures that the fault handler is invoked if maximum response length is reached.

RDAPI‑2408 00822930 Issue: API Gateway does not start because library list is wrong.

Resolution: Previously, in API Gateway Administrator Guide, a path was missing from the list of paths to add to the ld.so.conf file when running API Gateway as unprivileged user on UNIX/Linux. Because of this, API Gateway instance failed to start.

Now, the missing path /opt/axway/Axway-7.4.1/Linux.x86_64/jre/lib/amd64/jli has been added to list of paths to add to the ld.so.conf file.

RDAPI-2422 00808078 Issue: SuSE Appliance environment is picking up API Gateway's libz.so.1.

Resolution: Previously, the OS binaries, such as sshd, on the SuSE appliance (Axway appliance) were picking up the libraries shipped with API Gateway.

Now, the library search path has been fixed, and the OS binaries on the appliance reference the correct libraries.

RDAPI-2842 00820006 Issue: Schema validation not working as expected for SOAP 1.1 envelope.

Resolution: Previously, when using a Schema Validation filter, you could only define a schema explicitly or using a WSDL context.

Now, you can configure the Schema Validation filter to use both the WSDL of a web service and XML schemas. In addition, you can select multiple XML schemas to validate the request.

RDAPI-2932 00830393 Issue: Unable to use the $http.response.time attribute on the Connect to URL filter.

Resolution: Previously, using the $http.response.time attribute after a Connect to URL filter resulted in the error [invalid field].

Now, the attribute returns the response time of the Connect to URL filter.

RDAPI-2970 00830828 Issue: Blank lines added to header after the XML Signature Generation filter.

Resolution: Previously, the XML Signature Generation filter was adding two blank lines before the SOAP signature header.

Now, the XML signature is added right next to the SOAP security opening tag.

RDAPI-3510 00836121 Issue: The XML to JSON filter converts Unicode characters to ?.

Resolution: Previously, the XML to JSON filter used the system's default encoding when converting the message.

Now, the XML to JSON filter uses UTF-8 encoding.

RDAPI-3577 00838339 Issue: Delay in outgoing requests from API Gateway while under load.

Resolution: Previously, the transaction access logging was doing a reverse DNS lookup with the source IP address to obtain the source host name required to print %h.

Now, the transaction access logging uses the message attributes to retrieve the source host name required to print %h macro.

RDAPI-3600 00825167

Issue: A valid JSON Path incorrectly returns no matches.
Resolution: Previously, the JSON Path filter was unable to handle certain filter expressions due to limitations in the underlying 3rd party JSON path library.

Now, the JSON Path filter handles these filter expressions. The underlying 3rd party library has been updated to fix the problem.

See also the known issue with JSON path version change.

RDAPI-3649 00835705

Issue: Tight loop reading from closed JMS (IBM MQ) connection filling logs.
Resolution: Previously, you could re-deploy a JMS configuration when a JMS reconnection success was initializing JMS connections and consumers. This raised a concurrent access exception.

Now, a concurrent access is no longer triggered.

Previously, when a JMS read error occurred, the read operation was repeated immediately and errors were printed out in the traces.

Now, same consecutive errors are no longer printed out, and an increasing delay between retrying operations has been added.

RDAPI-3785 00840339 Issue: The Admin User Rest API documentation is empty.

Resolution: Previously, the documentation for the Admin User REST API was missing.

Now, the documentation is available online at https://support.axway.com/htmldoc/1433379.

RDAPI-3830 00842294 Issue: Leg durations do not work as documented.

Resolution: Previously, the leg duration for non-redirect responses was calculated at the end of the entire message. This caused some leg durations to include the duration of subsequent legs.

Now, the duration of each individual leg is calculated when the response is received, so the duration accurately reflects just the time spent contacting and receiving a response from the remote connection.

RDAPI-3928 00843534 Issue: Data missing from the access log.

Resolution: Previously, the size of the response body was evaluated before processing the request. This caused several variables in the access log, such as bytes sent to the client, to always appear blank.

Now, the bytes sent to the client logged in the access log correctly reflect the size of the content body.

RDAPI-4099 00840564 Issue: Unclear how the option When policy completes without error in JMS message removal works.

Resolution: Previously, when configuring a JMS session, it was not clear how setting the option Remove message from source to When policy completes without error behaved in practice.

Now, the instructions in the API Gateway Policy Developer Guide have been clarified. In addition, a note was added on configuring an error path to prevent poison message loop when selecting the option When policy completes and property below evaluates to true.

RDAPI-4148 00839875

Issue: The XML Signature Generation filter throws a NullPointerException when configured for SAMLAssertionID security token reference.

Resolution: Previously, the XML Signature Generation filter generated a NullPointerException when it was configured for SAMLAssertionID security token reference, and the saml.assertion.id message property had not been specified.

Now, the XML Signature Generation filter generates a CircuitAbortException with the following message:

Use a filter to insert a saml.assertion.id into the message before calling the XML Signature Generation filter for this use case.

RDAPI-4198 00840012 Issue: Fault handler policy not called on failure.

Resolution: Previously, the Read API Proxy filter was not handling exceptional circumstances correctly, and the fault handler was not called in case of a failure.

Now, the Read API Proxy filter correctly handles exceptional circumstances and ensures that the fault handler is called.

RDAPI-4221 00844652

Issue: SAML2 Authentication Assertion fails with a null pointer exception.
Resolution: Previously, setting a null value in an assertion resulted in a null pointer exception error.

Now, a null value produces an assertion with the following value:

<saml:Attribute Name="attrib1" NameFormat="">

<saml:AttributeValue *xsi:nil="true"*/>

<saml:AttributeValue>value1</saml:AttributeValue>

RDAPI-4325 00845637 Issue: Cannot add a Policy Assembly filter to a policy.

Resolution: Previously, you could not add a Policy Assembly filter to a policy.

Now, you can add a Policy Assembly filter to a policy.

RDAPI-4336 00846257 00842837

Issue: When a JSON Path expression is not matched, neither the failure path nor the fault handler is invoked.
Resolution: Previously, when a JSON Path expression you had configured in Policy Studio was not matched in a JSON document, neither the failure path nor the fault handler was invoked.

Now, when there is no match, the JSON Path filter executes a failure path or fault handler.

RDAPI-4411 00845501

Issue: Cannot run nodetool due to missing JRE.
Resolution: Previously in API Gateway v7.5.1, after installing Cassandra, it was not possible to run Cassandra tools (such as nodetool in the INSTALL_DIR/cassandra/bin directory) because JAVA_HOME was not set in the cassandra/bin/cassandra.in.sh and cassandra/bin/cassandra.in.bat files.

Now, setting JAVA_HOME has been included in the service pack installation instructions, so after installation the Cassandra tools work as expected.

RDAPI-4415 00847177 Issue: Unclear what is encrypted with PGP Encrypt & Sign filter.

Resolution: Previously, it was not clear that PGP Encrypt & Sign filter only encrypts the message body and not any files attached to the message.

Now, the instructions in the API Gateway Policy Developer Guide have been clarified.

RDAPI-4545 00847780 Issue: Path parameter data type cannot be changed.

Resolution: Previously, in the Rest API Wizard in Policy Studio, the path parameters had the fixed type string.

Now, it is possible to specify a different type for the path parameters.

RDAPI-4560 00841589 Issue: OAuth expired token purge reports a cardinality violation.

Resolution: Previously, when you removed a token, the lock type used to remove the token in to the database was readLock.

Now, when you remove a token, the lock type used to remove the token in to the database is writeLock.

RDAPI-4578 00848648 Issue: Key Property Store (KPS) selectors not working in the Throttling filter.

Resolution: Previously, a regression to number attribute validation in Policy Studio was introduced in v7.5.1, so you could not use KPS selectors in the Throttling filter.

Now, the number attribute validation supports dynamic and complex values. You can again use KPS selectors in the Throttling filter.

RDAPI-4598 00848902 Issue: The API Gateway OAuth User Guide mentions other guides that cannot be found.

Resolution: Previously, the API Gateway OAuth User Guide referred to two integration guides that are not publicly available.

Now, the reference has been removed.

RDAPI-4606 00832311 Issue: Wrong behavior on the Retrieve Attributes from Directory Server filter if the directory is called several times.

Resolution: Previously, in the Retrieve Attributes from Directory Server filter, if you selected Enable the legacy attribute naming for retrieved attributes and called the directory more than once, the previously retrieved attribute values were overwritten with each call.

Now, the retrieved values are no longer overwritten and correctly match the values in the directory.

RDAPI-4611 00848503 Issue: No information how to get a symmetric key for XML Encryption Settings filter.

Resolution: Previously, the API Gateway Policy Developer Guide did not provide information how to populate the symmetric.key message attribute for XML Encryption Settings filter.

Now, this information has been added to the API Gateway Policy Developer Guide.

RDAPI-4637 00849495 Issue: JSON Remove node filter not working as expected.

Resolution: Previously, the value of check box Fail if no nodes returned from JSON Path in the JSON Remove Node filter was ignored.

Now, the JSON Remove Node filter follows the success path if this check box is selected and the JSON Path expression does not return any nodes.

RDAPI-4694 00807182 Issue: No HTTP header information in Traffic Monitor in API Gateway Manager.

Resolution: Previously, the response headers were not available in Response From API Gateway in Traffic Monitor when the response starts with HTTP 100 Continue.

Now, all the headers are correctly shown.

RDAPI-4709 00850244, 00849861

Issue: Cassandra connection needed at startup on a system not using Cassandra.

Resolution: Previously, if you upgraded from a system that was not using Cassandra, API Gateway tried to establish a connection to a Cassandra server, resulting in an error.

Now, you no longer need to have a running Cassandra if your system does not use Cassandra.

RDAPI-4725 00847255 Issue: Variable cannot be entered in the Port field for a File Transfer Service listener.

Resolution: Previously, when configuring a File Transfer Service listener in Policy Studio, you could not set the port value to use a selector.

Now, you can set the port value to use a selector.

RDAPI-4780 00850244 Issue: sysupgrade apply fails without Cassandra.

Resolution: Previously, sysupgrade apply required a running Cassandra instance, or it failed. This meant that even though your deployment itself might not need Cassandra, you needed Cassandra to upgrade.

Now, if the upgraded deployment does not need Cassandra, the upgrade process no longer requires a running Cassandra instance to succeed.

RDAPI-4793 00851001 Issue: Cross-site scripting (XSS) vulnerability in API Gateway Manager.

Resolution: Previously, API Gateway Manager was vulnerable to XSS attacks. In case of repeated failed login attempts to API Gateway Manager, an error message containing the unescaped user name was displayed.

Now, the error message displayed no longer contains the user name.

RDAPI-4842 00851284

Issue: Cannot deserialize an instance of java.lang.String out of a START_ARRAY token in Open ID Connect.

Resolution: Previously, in the Verify ID Token filter, the presence of an Authentication Methods References (amr) claim in an ID Token resulted in a token deserialization failure.

Now, amr claims are deserialized correctly without failures.

RDAPI-4930 00851377 Issue: The Create ID Token filter creates an incorrect at_hash value.

Resolution: Previously, generating and verifying the at_hash and c_hash claims was implemented incorrectly in the Create ID Token and Verify ID Token filters.

Now, the at_hash and c_hash claims are both generated and verified correctly.

RDAPI-5271 00852989 Issue: Environmentalized Certificate Chain filter only shows certificates with private key.

Resolution: Previously, when automatically environmentalizing a Certificate Chain filter in Policy Studio, you could only see a small set of certificates in Configuration Studio.

Now, you can see all certificates in Configuration Studio.

RDAPI-5313 00855744 Issue: WebSocket policies not working after upgrading to API Gateway v7.5.1.

Resolution: Previously, when you configured a WebSocket handler in Policy Studio and selected a policy for Websocket communication from client or Websocket communication from server, the websock.context message attribute was not available for the selected policy to consume.

Now, the websock.context attribute is correctly set before API Gateway invokes the selected policy.

Known issues

The following are known issues for this release of API Gateway:

Defect in the Reflect filter

Fixing an issue with the Connect to URL filter inadvertently caused a major defect in the Reflect filter. This defect manifests as a memory leak causing API Gateway to crash.

The patch APIGateway_7.5.2_Patch5885_allOS_BN20161018 fixes this issue. You must download and install the patch from Axway Support at https://support.axway.com.

Note   It is mandatory that you install this patch before you use API Gateway v7.5.2.

JSON path version change

Before upgrading API Gateway v7.5.2, you must remove the old JSON path file ($VDISTDIR/system/lib/modules/json-path-1.2.0.jar). Upgrading v7.5.2 installs a JSON path file (json-path-2.2.0.jar) in the same directory.

In addition, Policy Studio uses the JSON path file to validate path expressions. Before upgrading v7.5.2, you must also remove the file from Policy Studio (policystudio/plugins/com.vordel.rcp.filterbase_VERSION_DATE/lib/json-path-1.2.0.jar). Upgrading v7.5.2 installs a JSON path file (json-path-2.2.0.jar) in the same directory.

Note   If any JSON Path filters are being used in a policy, the JSON path expression used must be checked for compatibility with json-path-2.2.0. It is possible that a policy which worked in earlier versions contains an invalid JSON path expression in API Gateway v7.5.2. For example:
  • Worked in earlier versions:
  • $[?(@.virtualHost == <example>)]
  • Requires following syntax in v7.5.2:
  • $[?(@.virtualHost == '<example>')]

Export error holding on to KPS resources when upgrading API Gateway (Windows only)

The sysupgrade export command calls the old API Gateway version 7.x server to export Key Property Store (KPS) data to JSON files. On Windows, these JSON files are created successfully, but the locks on the JSON files are kept open because the old API Gateway server does not release the locks. For example, this means that if you try to delete the JSON file in Windows Explorer, you get a message that the file cannot be deleted because it is being used by another process. If you try to run sysupgrade export again, the export will fail.

This is only an issue when upgrading API Gateway versions earlier than 7.5.1.

The workaround is to restart the old API Gateway instance after each sysupgrade export, which releases the locks. To avoid downtime, you should restart each API Gateway instance after each export one-by-one.

API Manager users cannot complete registration after upgrading API Gateway

New users that were registered in API Manager before an upgrade, but who did not complete registration by activating their account with the link provided in email, cannot complete registration after the upgrade. The link in the email references the API Manager API v1.1 that is no longer available. For example:

https://<API Gateway IP address>/api/portal/v1.1/users/validateuser?email=s@s.com&validator=9a5addcb-e10c-499b-bf0a-0c70915f3862

The workaround is that the user copies the link address, pastes it to the address bar, and changes the API version v1.1 to v1.2 or v1.3. After this, the activation link works, and the user can complete registration.

Cassandra JRE bundled with API Gateway

When installing Cassandra, you are prompted to specify a JRE for Cassandra. You can select the default 32-bit JRE bundled with API Gateway. However, this default RE has the following limitations on Windows:

  • Running Cassandra with this 32-bit JRE limits the maximum amount of memory available to Cassandra on 64-bit systems
  • You cannot use this JRE to run Cassandra as a Windows Service

It is recommended to download and install a separate 64-bit JRE before installing Cassandra on Windows, and select this JRE during Cassandra installation. Cassandra requires the latest version of JRE 8.

For more details, see the API Gateway Installation Guide.

Powershell script execution policy

Modern Windows versions support the new PowerShell command-line interpreter. The Cassandra installation provides both the old .bat and the new .ps1 startup files.

When you run the cassandra command in CASSANDRA_HOME\bin, it runs either in the legacy startup mode or the new startup mode depending on the PowerShell script execution policy setting. If this policy is set to Unrestricted, the new PowerShell startup script runs. Else, the legacy startup script runs.

The startup behavior and command line options are different depending on the type of startup. For more details, see the API Gateway Installation Guide.

TLS for non-default JRE

If you select an alternative JRE instead of the default JRE during the installation and want to enable Cassandra to use TLS, you must install Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction policies for your JRE.

Cassandra on API Gateway Appliance

The cqlsh command is not supported on API Gateway Appliance. For more details, see API Gateway Appliance Installation and Administration Guide.

Code samples

The jabber and restJabber code samples are missing from the INSTALL_DIR/apigateway/samples/developer_guide directory. You can download these code samples from Axway Support at https://support.axway.com.

WebSocket protocol

  • If you use %h in the Access Log initial string and your DNS configuration is not correct (for example, a name server configured on /etc/resolv.conf is not reachable), the HTTP Long Polling connections have a time delay at the API Gateway. WebSocket connections are not affected.
  • Adding the same URL for a WebSocket path and a HTTP path is not supported. You get an error message, if you try this in Policy Studio.

JWT Filters

When you operate in FIPS mode, the implementation from the default, non-FIPS provider is invoked, if any of the following algorithms is selected in the JWT Signing filter:

  • RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  • RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  • RSASSA-PSS using SHA-512 and MGF1 with SHA-512

To avoid this, disable the Bouncy Castle Crypto Provider in the /system/conf/jvm.xml file. When the JWT Signing filter with one of the above algorithms selected is called, the filter fails with the following error:

ERROR 18/Apr/2016:16:24:39.275 [4a48:17e014570200451f205ec316] java exception:

com.vordel.circuit.jwt.JWTException: com.nimbusds.jose.JOSEException: Unsupported RSASSA algorithm: SHA512withRSAandMGF1 Signature not available

For more details, see the API Gateway Policy Developer Guide.

Tips and tricks

Upgrade

  • If you are upgrading API Gateway from v7.5.1 to v7.5.2, the Cassandra architecture is the same. You can continue using your existing Cassandra without any need to upgrade it.
  • If you are upgrading from API Gateway v7.4.1 or lower to v7.5.2, you should read the Release Notes for v7.5.1 as well. They contain important information on the key changes in previous release that may have an effect on your implementation, such as the externalized Cassandra architecture and improved WebSocket protocol implementation.

High availability

  • Cassandra is required for API Manager and optional for some API Gateway components (for example, OAuth, API keys, and custom KPS). If you have Cassandra installed, you must ensure that Cassandra is running before starting API Gateway.
  • To tolerate the loss of one Cassandra node and to ensure 100% data consistency, API Gateway requires the following cluster configuration in a HA production environment:
    • Three Cassandra nodes (with one seed node)
    • QUORUM consistency to ensure that you are reading from a quorum of Cassandra nodes (two) every time
    • Replication factor set to 3 so each node holds 100% of the data and you can tolerate the loss of one node
  • If you have a HA deployment (for example, two API Gateways and three Cassandra nodes), remember to start each node one at a time.

For more details, see Install Apache Cassandra in the API Gateway Installation Guide.

Performance

For best performance, do the following:

  • Always install the latest release and service packs to benefit from new improvements and features.
  • Use HTTP 1.1 instead of 1.0 whenever possible to enable persistent connections.
  • Use persistent connections throughout the entire stack, and overwrite the connection type with keep-alive whenever possible to avoid creating and dropping connections for each individual request.
  • Use Ehcache instead of KPS whenever possible, because data held in process memory is quicker to access.
  • Keep thread count reasonable. A good starting point to use as a rule of thumb is initial latency(ms)* expected throughput (count) / 1000 ms = the number of threads (count). In HA deployment, you may want to account failure in one node. Note that the ratio of thread count and CPU cores impacts the latency. You may also want to consider horizontal scaling instead of vertical scaling.

Documentation

This section describes documentation enhancements and related documentation.

Axway documentation

You can find the latest information and up-to-date user guides under the Documentation link on Axway website.

Documentation enhancements

The following new user guides have been added in this release:

The following user guides have been updated in this release:

Related documentation

Axway API Gateway is accompanied by a complete set of documentation, covering all aspects of using the product. Go to Axway Support at https://support.axway.com to find all documentation for this product version.

For more information about API Gateway and how it is used in API Management, see the API Management Concepts Guide.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.

Contents
Comments