This Readme applies to Axway API Gateway and API Manager 7.6.2 SP 3, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for these products.
This service pack provides fixes for a number of reported defects. It includes updates for the following:
The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
Important: API Gateway and API Manager 7.6.2 SP3 and later support OpenJDK JRE, and this service pack includes Zulu OpenJDK 1.8 JRE instead of Oracle JRE 1.8.
File packages: An installation archive is provided for supported platforms (for example, APIGateway_7.6.2_SP3_Core_linux-x86-64_BNYYYYMMDDn.tar.gz).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-13802 | 01025418, 00989754, 00989774 | | Issue: There is no CSRF token protection for API Gateway Manager calls. Resolution: Add CSRF token protection for API Gateway Management APIs. |
RDAPI-14660 | 01010153 | | Issue: When the JWT Verify filter was executed in Policy Studio, the JWT token payload was visible in plain text logs at INFO trace level, causing a Medium CVSS security risk. Resolution: JWT token payload is now redacted from tracing at all levels. |
RDAPI-14694 | 01010245 | | Issue: Threatening Content filter only scanned the value of the first query string parameter with a specific name, allowing it to be bypassed using multiple parameter values of the same name. Resolution: Threatening Content filter now scans every query string parameter value regardless of name. |
RDAPI-15052 | 01012736 | | Issue: Input for phone, mobile, email, and description was not properly validated in the API Manager User API. Resolution: Input validation for phone and mobile fields and improved email validation have been added. |
RDAPI-15062 | 01025419 | | Issue: API Gateway shipped with jQuery 2.2.4, which was vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request was performed without the dataType option, causing text/javascript responses to be executed. Resolution: API Gateway has been upgraded to jQuery 3.3.1. |
RDAPI-15091 | 01019129 | | Issue: OAuth authorization code flow did not check that the authorization code corresponds to the client when generating the authorization token. Resolution: API Gateway checks that the authorization code corresponds to the client requesting the authorization token and rejects token creation if it does not. |
RDAPI-15149 | 01028183 | | Issue: API Manager XSS security vulnerability with old versions of Internet Explorer. Resolution: Code supporting old browsers has been removed because it contained an XSS security vulnerability. Internet Explorer versions 8.0 and 9.0 are no longer officially supported by API Gateway v7.5.x or later, as stated in the user documentation. |
RDAPI-15352 | 01032508 | | Issue: The Java version shipped with API Gateway contained security vulnerabilities. Resolution: The API Gateway Java version has been upgraded to JRE 1.8.0_202. For more information, see: https://www.oracle.com/technetwork/java/javase/8u202-relnotes-5209339.html |
RDAPI-15556 | 01032720 | | Issue: API Gateway binaries are not delivered with stack protection and could be vulnerable to stack-based buffer overflow attacks. Resolution: Native code is now built with stack canaries enabled and API Gateway is no longer vulnerable. |
RDAPI-15568 | 01030134 | | Issue: API Manager API traffic could suffer from Timing Attack. Resolution: API Manager applies countermeasures against Timing Attack for API traffic. |
RDAPI-15684 | 01039208 | | Issue: A security vulnerability was present because the filename parameter for downloading the original API file was not checked. Resolution: The filename parameter is now checked and the vulnerability is no longer present. |
RDAPI-15816 | 01038716 | | Issue: A malicious user can overwrite the OAuth scopes by passing extra scopes as a form param. Resolution: If the application finds that a scope is present as a form param, the request is rejected as invalid. |
RDAPI-15900 | 01028530 | | Issue: API Manager reveals the existence of a user's email address through the response of the Users API /forgotpassword method. Resolution: The API Manager Users API /forgotpassword method response no longer shows the distinction between valid and invalid emails. |
RDAPI-15927 | 01048313 | CVE-2019-1559 | Issue: API Gateway included OpenSSL 1.0.2p-fips, which contained vulnerabilities. Resolution: API Gateway now includes OpenSSL 1.0.2r-fips, addressing the following security vulnerabilities: CVE-2019-1559. |
RDAPI-15929 | 01043569, 01043657 | | Issue: API Manager OAuth implementation allows different client ids in header and body with the possibility of the wrong one being used. Resolution: Client id is taken from body or header depending on Policy configuration. Additional client ids are ignored. |
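The duplicate-parameter gap behind RDAPI-14694, shown as an added Python example (not Axway's code): a scanner that inspects only the first value per parameter name misses a later value that a back end may still read, while scanning every value catches it. The function names, signature patterns and sample query string are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed stand-ins for a content filter's threat signatures
# (assumption: these are not the product's actual patterns).
SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
]


def is_threat(value):
    """Return True if any signature matches the URL-decoded value."""
    return any(sig.search(value) for sig in SIGNATURES)


def scan_first_value_per_name(query):
    """Pre-fix behaviour as the Issue text describes it: for each parameter
    name only the first value is inspected; later duplicates are skipped."""
    first = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first.setdefault(name, value)
    return [(n, v) for n, v in first.items() if is_threat(v)]


def scan_every_value(query):
    """Post-fix behaviour: every value is inspected, duplicates included,
    because a back end may read any of the repeated values."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(n, v) for n, v in pairs if is_threat(v)]


def repeated_names(query):
    """Names that occur more than once; useful as a logging signal."""
    counts = Counter(n for n, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed sample: a benign first "q" followed by a flagged second "q".
SAMPLE_QUERY = "q=books&page=2&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("first value per name:", scan_first_value_per_name(SAMPLE_QUERY))
    print("every value:         ", scan_every_value(SAMPLE_QUERY))
    print("repeated names:      ", repeated_names(SAMPLE_QUERY))
```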
Internal ID | Case ID | Description |
---|---|---|
RDAPI-14095 | 00999714 | Issue: In API Manager, importing a WSDL from an SSL-protected endpoint with a self-signed certificate failed. Resolution: WSDL import from an SSL-protected endpoint with a self-signed certificate now succeeds. |
RDAPI-14321 | 00985086 | Issue: WSDL with more than one endpoint per binding (for example, HTTP and HTTPS) only displayed the first endpoint when imported in API Manager. Resolution: API Manager now displays all the endpoints of each imported WSDL. |
RDAPI-14331 | 01006999 | Issue: allOf was not supported, and it was not documented as a limitation. Resolution: allOf is now supported in models and as a response schema. |
RDAPI-14465 | 01008197 | Issue: Getting the scope by calling a policy does not trigger the assigned policy. Resolution: The policy is now properly triggered and the scope is retrieved. |
RDAPI-14470 | 01010010 | Issue: Adding a value to an API Gateway cache configured with a First-In-First-Out eviction policy incorrectly removes the value if it already exists in the cache. And if the Persist to Disk setting is selected when the cache is full, no eviction policy is executed when adding data. Resolution: The existing value is no longer removed from the cache, and is updated when required. If Persist to Disk is selected when the cache is full, the eviction policy supported by the cache persistence store is executed when adding data. |
RDAPI-14661 | 01012632 | Issue: Performance of API Gateway File Upload filter was up to 20 times faster with File Type of ASCII and Connection Type of FTP or FTPS, when compared to File Type of Binary. Resolution: File Upload filter now calls a more efficient OutputStream to improve performance when File Type is Binary and Connection Type is FTP or FTPS. |
RDAPI-14666 | 01007579 | Issue: KPS Admin commands are long by design; however, they easily time out in a standard transaction. Resolution: Wrap KPS Admin commands in their own thread, without a timeout. Add functionality to check the status of the current job. |
RDAPI-14673 | 01015430, 01031170 | Issue: Calls to API Manager User and Application APIs were very slow when large numbers of users and/or applications were created. Resolution: Set the com.axway.apimanager.api.data.cache system property to true to cache users and applications in memory at startup. In-memory cache is kept up-to-date using the API Manager events mechanism. |
RDAPI-14689 | 01001297 | Issue: When using an OCSP Client filter with multiple response validation options selected, the client aborted and would not execute subsequent validation if the first option failed. Resolution: The client now tries every selected validation option before aborting. |
RDAPI-14702 | 01044754, 00999170, 01048001, 00998920 | Issue: API Gateway sometimes shows cardinality violation exceptions in error traces. The errors indicate that the loaded configuration of some entities has been corrupted in-memory, and no new configuration values can be set for such entities, which can lead to undefined behavior. Resolution: API Gateway was affected by a race condition accessing and setting the loaded entity store configuration values. This issue is resolved and API Gateway now can update the entity store configuration values in-memory successfully. |
RDAPI-14722 | 01012742 | Issue: Policy Studio failed to retrieve a node manager instance over a proxy connection. Resolution: Client used to retrieve the node manager instance has been updated to route through a proxy when proxy settings exist. |
RDAPI-14753 | 01018727 | Issue: A virtualized API must be published to be assigned to a virtual host. Resolution: Now, a virtualized API can be assigned to a virtual host before being published. |
RDAPI-14756 | 01014855, 01013012 | Issue: It is possible to create an application with no name through REST API of API Manager. Resolution: API Manager now checks that the name is not empty when creating an application through REST API. |
RDAPI-14767 | 01002805, 01009406 | Issue: The Update Organization API (PUT /api/portal/v.1.3/organizations/{id}) was failing to do basic checks to prevent corrupted data, allowing for broken links between KPS tables, invalid email addresses, and setting flags that are usually unavailable in the UI. Resolution: Enforce stronger validation, similar to the Create Organization API. |
RDAPI-14867 | 01020923 | Issue: API Gateway crashed on reaching maximum connections when sending HTTPS requests through an HTTP proxy. Resolution: The connections counter has been fixed and connection attempts that exceed the maximum now fail with an error message. |
RDAPI-14869 | 00987150 | Issue: Virtualized API with path that contained trailing unencoded whitespace was not matched by the matching filter. Resolution: Front-end regex validation and back-end import validation now remove the invalid whitespace and warn the user. |
RDAPI-14880 | 01021192 | Issue: A retired API can be added to an organization through the Organization view. Also, "retired" and "deprecated" APIs are shown as "published" in the Organization view. Resolution: Correctly show "retired" and "deprecated" APIs in Organization view and disable adding of "retired" API to Organization. |
RDAPI-14885 | 01018773, 01016524 | Issue: API method parameters without Data Type value in API Manager caused issues when attempting to view API definition in API Catalog. Resolution: Added validation on method import and in API Manager UI, and a default value for missing Data Type. Note: You must reimport existing APIs with this behavior to resolve missing data types with a default of 'string'. |
RDAPI-14942 | 01023672 | Issue: In EMT mode, API Gateways were unable to register with the Admin Node Manager when its management interface was protected with the 'Protect Management Interfaces (LDAP)' policy. Resolution: The 'Protect Management Interfaces (LDAP)' policy has been updated to allow API Gateways to register successfully. |
RDAPI-14982 | 01022533 | Issue: HTTP redaction could generate invalid documents when parsing chunked bodies. Resolution: HTTP redaction has been fixed. Issue: Crash could occur when redacting unbalanced XML documents. Resolution: Unbalanced XML documents are now handled correctly. |
RDAPI-15009 | 01019448 | Issue: When importing or updating OAuth client credentials, API Gateway checked that the redirectUrls value was a URL, and included validation against empty strings. Resolution: API Gateway now omits empty and whitespace-only values, and only checks that values are URLs and imports them when they have content. |
RDAPI-15029 | 01023688 | Issue: When a global fault handler is defined in API Manager, if a request comes in on an existing path/method but with a verb that is not handled, the Global Fault Handler doesn't receive the http.response.info or http.response.status attribute. Resolution: When a global fault handler is defined in API Manager, the response status is always accessible from the fault handler. |
RDAPI-15054 | 01023427, 01024783 | Issue: Additional validation made it impossible to upload an outbound SSL certificate for a virtualized API. Resolution: This validation has been updated to allow the upload of .p12 certificate files. |
RDAPI-15058 | 00995523 | Issue: AWS Signing (Authorization Header) security device in API Manager did not validate the request timestamp, which did not comply with Amazon documentation. Resolution: The security device now validates the request timestamp and complies with Amazon requirements. |
RDAPI-15064 | 00966372 | Issue: Exception could be triggered when signing XML elements for which namespace prefix does not exist. Resolution: XML exception is no longer triggered when a namespace prefix is not required. |
RDAPI-15068 | 01022178 | Issue: When updating an image for any user, the API Manager user panel at the top right was updated to show you connected as that user, regardless of who was logged in. Resolution: The API Manager user panel is only updated when the image for the logged-in user is updated. |
RDAPI-15070 | 01003624, 01003697 | Issue: In some rare cases, for HTTP requests with a body, the API Gateway Send to ICAP filter duplicated the Content-Type header. Resolution: The Send to ICAP filter now ensures that content headers are not duplicated. |
RDAPI-15074 | 00982276 | Issue: Partial and inconsistent validation was performed on the Backend URL field in API Manager. The URL validation was implemented correctly, but the HTTPS/certificate validation was not, and invalid field information disappeared on losing focus of the field. Resolution: Both types of validation are now done in a consistent manner, and both errors have the same look and feel when triggered. |
RDAPI-15089 | 01013406 | Issue: API Manager did not respect trailing slash when sending request to back-end with API method exposed on "/" only and Java system property set to preserve trailing slash. Resolution: Trailing slash is now preserved when sending request to back-end with the com.vordel.apimanager.uri.path.trailingSlash.preserve Java system property set to true. |
RDAPI-15101 | 01028015 | Issue: When adding a new policy with a 'Set Message' filter, a missing attribute in the statement caused a null pointer exception in JUEL, and not all attributes were displayed from the 'Set Message' filter. Resolution: Selector Coercers now handle an empty Structure and all attributes are displayed. |
RDAPI-15117 | 01004743 | Issue: When publishing an API on a virtual host in API Manager, the virtual host matching is case sensitive and will result in an error if a different case is presented. Resolution: The virtual host matching is case insensitive. |
RDAPI-15143 | 01020707 | Issue: When a Multipart Content Type is used in the Email Alert filter, the policy completes but the email is not sent and an exception is written in the Trace logs. Resolution: Selecting any Multipart Content Type in the Email Alert filter now sends the email successfully and no exception is written to the Trace logs. |
RDAPI-15158 | 01026760 | Issue: Huge data in the description causes the design to behave incorrectly and shifts fields like "Description" and "Method name" outside of the visible area. Resolution: The design has been fixed so that huge data no longer causes incorrect behavior. |
RDAPI-15181 | 01028025 | Issue: In Import Project in Policy Studio, if a project is selected before browsing, the file browser window opens on a list of most recent projects instead of the location of the specified project. Resolution: When a project is chosen, the browser window opens on the location of that project; otherwise, it opens in the root project location, i.e. apiprojects. |
RDAPI-15209 | 01039041, 00947773, 01043979, 01027257 | Issue: A default switch value was not implemented for custom properties, so if the switch was not interacted with, the field and corresponding value were not sent to the server on save. Resolution: A default switch value is now set. |
RDAPI-15259 | 01001883 | Issue: Visual Mapper incorrectly creates an Any tag when mapping an XSD element without a type defined. Resolution: Now Visual Mapper does not create an Any tag when mapping an XSD element without a type defined. |
RDAPI-15272 | 01019887 | Issue: API Gateway instance could crash when trying to log a trace message during shutdown. Resolution: API Gateway trace logging has been fixed. |
RDAPI-15274 | 01029757 | Issue: API Gateway crashed when writing data to a corrupt traffic monitor file. Resolution: File corruption is now detected before trying to add data to it. |
RDAPI-15280 | 01021932, 01022277 | Issue: Jersey GlassFish library consumed semicolons as MatrixParam instead of a regular delimiter. Resolution: Semicolon is no longer treated as the beginning of a matrix parameter, and it is processed as a reserved character. |
RDAPI-15294 | 01026334 | Issue: "No Match For Request" error when Content-Type was not equal to the API method MIME type. Resolution: Use the "com.coreapireg.apimethod.contenttype.legacy=true" system property to disable this Content-Type check for single API method exact matching and to allow legacy API method matching. For example: <ConfigurationFragment> <VMArg name="-Dcom.coreapireg.apimethod.contenttype.legacy=true" /> </ConfigurationFragment> The default value is "false". |
RDAPI-15320 | 01028639 | Issue: API Manager changed JSON formatting every time it processed JSON. Resolution: API Manager does not reformat JSON payload unless it has been modified by custom policies. |
RDAPI-15377 | 01023734 | Issue: API Gateway XSLT Transformation filter incorrectly alters some UTF-8 characters. Resolution: API Gateway XML parser has been fixed. However, the Apache Xalan transformer may still cause invalid output. You can solve this issue by configuring XML output or changing the provider (for example, to net.sf.saxon.TransformerFactoryImpl) in the filter's Advanced settings. Note: Your system must now also be configured for UTF-8. You can do this by defining a system locale supporting UTF-8 (for example, "en_US.UTF-8"), or adding the "-Dfile.encoding=UTF-8" JVM startup parameter. |
RDAPI-15388 | 01023041 | Issue: During update and refresh operations we "deactivate" listeners on all of our APIs which are listening for changes. If the list is long enough, the UI can begin listening for changes before the refresh operation is complete, resulting in a perceived update to the APIs and many PUT requests being sent to the backend. Resolution: The listener handling is fully verbose now; this race condition cannot be encountered. |
RDAPI-15422 | 01014764 | Issue: The Access Token using Client Credentials Filter is failing on execution if a Token Type other than 'Bearer' is used in requests, even if the Access Token Type field is correctly set in Policy Studio. Resolution: The Access Token using Client Credentials Filter accepts and validates a custom Access Token Type. |
RDAPI-15429 | 01023087 | Issue: If the folder containing data (api-export.dat and promotion.properties files) also contains sub folders or empty files, an exception is thrown. Resolution: Sub folders and empty files are now ignored. |
RDAPI-15468 | 01021772 | Issue: The Conversation field for a Hardware Security Module (HSM) was removed from the Private Internal ID dialog in Policy Studio v7.5.3. Resolution: The content of the Conversation field can now be added to the Internal ID Id field and separated by ';' in the HSM configuration in Policy Studio. |
RDAPI-15492 | 01031369 | Issue: When an API Project is upgraded a CassandraSettings entity is created. This entity should not be created for an API Project. Resolution: Now when an API Project is upgraded, a CassandraSettings entity is not created. |
RDAPI-15527 | 01032374 | Issue: API Methods' monitoring could display an empty timeline (whatever the selected period). Resolution: The metrics' REST API has been corrected. |
RDAPI-15528 | 01033180 | Issue: UTF-8 characters printed in product trace log are not displayed correctly in API Gateway Manager UI. Resolution: Characters are now correctly encoded by Traffic Monitor REST API. |
RDAPI-15545 | 01039895 | Issue: The Cache attribute filter failed to update a previously cached attribute with a new attribute value when using a distributed cache. Resolution: The Cache attribute filter now updates previously cached attributes with new attribute values. |
RDAPI-15552 | 00975056 | Issue: Metrics monitoring can show negative values for response time. Resolution: Invalid calculation for some HTTP requests has been corrected. |
RDAPI-15558 | 00973391, 00987292, 00992534, 01032122 | Issue: When enabling CORS handling on a REST API configured in Policy Studio, OPTIONS requests were always returning every method. In addition, OPTIONS requests were invoking the policy and returning a body when a CORS profile was configured on the Service. Resolution: CORS handling is now performed on the REST API method level so only allowed methods are returned in the header. It also now makes sure that the correct profile is accessed when performing preflight requests, to prevent calling the policy and returning a body. |
RDAPI-15583 | 01038330 | Issue: OAuth2 applications could not be configured to use API Gateway selectors to set client credentials. Resolution: Selectors are now accepted and processed by OAuth2 applications. |
RDAPI-15596 | 01006325 | Issue: No flag is available in managedomain to allow the user to regenerate certs without regenerating the domain cert. Instead, certs must be regenerated manually by using the --menu option. Resolution: New flag --retain_domain_cert added; this can be used with --regencerts to ignore domain certs. |
RDAPI-15603 | 01009556 | Issue: External Credentials were displayed in API Manager in a grid structure with no maximum rows or paging, which caused excessive memory use with large data sets. Resolution: The display format has been changed from a grid structure to a list with paging and filtering functionality. |
RDAPI-15628 | 01024906 | Issue: API Manager does not allow special characters . and ~ in name of parameter, although these are allowed by swagger definition. Resolution: API Manager now allows . and ~ as parameter name. |
RDAPI-15631 | 01012722 | Issue: PGP Decrypt and Verify filter does not verify messages signed using a sign-only key. Resolution: Added JVM SecurityProperty to configure PGP to allow verification of messages using sign-only keys: <ConfigurationFragment> <SecurityProperty name="com.axway.apigateway.security.pgpsignkeyalgorithmids" value="RSA_GENERAL,RSA_SIGN,DSA,ECDSA,EDDSA" /> </ConfigurationFragment> Default PGP algorithms: RSA_GENERAL,RSA_ENCRYPT,ELGAMAL_ENCRYPT,ELGAMAL_GENERAL,ECDH |
RDAPI-15653 | 01031448, 01040469 | Issue: In EMT mode, the topology did not display correctly in the API Gateway Manager UI if the domainID and groupID had the same value. Resolution: Additional validation has been added to ensure that the domainID and groupID are not set to the same value. |
RDAPI-15788 | 01023059 | Issue: Checks on an Application that all the APIs are accessible for the assigned Organization are triggered during Organization refresh, causing an unexpected "Inconsistent API" dialog. Resolution: The UI is fixed to not trigger the checks on the Application during Organization refresh, and as a result the unwanted "Inconsistent API" dialog is not shown. |
RDAPI-15857 | 01032245 | Issue: Redeployment from Policy Studio causes the SSO login to fail as object maps are not correctly cleared. Resolution: The SSO-enabled API Gateway with API Manager configured now clears the object maps correctly on redeployment. |
RDAPI-15934 | 01047627, 01039356 | Issue: When using Open Traffic Event log, disabling recording of incoming transactions while enabling recording of outgoing transactions results in a product crash. Resolution: Open Traffic Event Log has been corrected. |
RDAPI-15956 | 01047674 | Issue: When the help for the Trace filter was selected it showed "Topic not found". Resolution: When the help for the Trace filter is selected the help is shown. |
The following known issues are currently scheduled for the next service pack:
Internal ID | Description |
---|---|
RDAPI-13433 | API Manager generates wrong top-level OAuth security requirements in Swagger |
RDAPI-14225 | Stored XSS in the application's OAuth redirect URL, encode OAuth Redirect URLs on output |
RDAPI-14550 | 7.6.2 setup-cassandra still sets start_rpc=true, doc'ed manual setup says set to false |
RDAPI-14622 | Value of 'Via' Header is not written to Transaction Access Log |
RDAPI-14653 | [7.6.2] Error creating account for external identity provider with name containing special characters |
RDAPI-14882 | API Internal ID not authorized ERROR when calling API |
RDAPI-15115 | API Manager remote hosts not synchronized between instances |
RDAPI-15297 | Update trailing slash support in Jython scripts samples |
RDAPI-15305 | Imported SOAP definitions cannot handle requests containing attachments other than type text/xml |
RDAPI-15473 | Excessive logging at DEBUG level makes Gateway trace unusable |
RDAPI-15547 | Cassandra Restore Script Fails from Docs |
RDAPI-15608 | Can't access NodeManager after submitting external CA signed certs |
RDAPI-15675 | API Manager: load Error "Map XXXX should be YYYY" after importing APIs |
RDAPI-15678 | REST API Monitoring Metrics Description endpoint 'from' qparam not working |
RDAPI-15758 | Request headers reflected as response headers |
RDAPI-15770 | Swagger Generation Tool - Classes with duplicate names are not part of the Swagger model |
RDAPI-15779 | Swagger Generation Tool - Duplicate paths are not reported |
RDAPI-15873 | horizontal scrollbars in non maximized browser window |
RDAPI-15886 | API Gateway Analytics - CSV does not match PDF report for same time range |
RDAPI-15987 | OAuthAuthz filter throws a null pointer exception when invalid value of "prompt" is supplied |
RDAPI-16050 | API Gateway not compliant when HEAD request with Connect to URL filter, and Content-Range header in response |
RDAPI-16053 | API Manager Management transactions appear on Real Time Monitoring dashboard in API Gateway Manager |
RDAPI-16057 | Changing dynamic TM configuration of HTTP interface enables record of payload data (sent & received) |
These instructions apply to API Gateway and API Manager classic deployments only. For container deployments, follow the instructions for applying a service pack in the API Gateway Container Deployment Guide.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
Shut down any Node Manager or API Gateway instances on your existing installation.
Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly to avoid any regex matching issues. For example, the following directories might contain customized files:
webapps/apiportal/vordel/apiportal
webapps/emc/vordel/manager/app
webapps/emc
system/conf/apiportal/email
system/conf
samples/scripts/
tools/filebeat-VERSION-PLATFORM
INSTALL_DIR/apigateway/system/lib/modules
INSTALL_DIR/analytics/system/lib/modules
INSTALL_DIR/apigateway/platform/jre
kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
If FIPS mode is enabled, you must perform the following steps to install the service pack:
togglefips --disable to turn FIPS mode off.
togglefips --enable to turn FIPS on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note:
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:
Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
Unzip and extract API Gateway 7.6.2 SP3 server over the apigateway directory in your existing installation directory. For example:
tar -xzvf APIGateway_7.6.2_SP3_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/
apigateway directory in your installation: INSTALL_DIR/apigateway
apigw_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note:
ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:
analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
tar -xzvf APIGateway_7.6.2_SP3_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
analytics directory in your installation: INSTALL_DIR/analytics
apigw_analytics_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note:
ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
INSTALL_DIR/policystudio directory.
policystudio directory in your existing API Gateway 7.6.2 installation directory. For example:
tar -xzvf APIGateway_7.6.2_SP3_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
Note: The first time you start Policy Studio, you must use policystudio -clean.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
INSTALL_DIR/configurationstudio directory.
configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example:
tar -xzvf APIGateway_7.6.2_SP3_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
The following steps apply after installing the service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
INSTALL_DIR/system/conf/jvm.xml file:
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.
Note: The JRE included in API Gateway disables undesirable cipher suites when using SSL/TLS by default. Users using RSA Access Manager (formerly known as RSA ClearTrust) with API Gateway may experience SSL/TLS handshake issues where no common cipher suites can be found. In this case, you should reconfigure SSL/TLS of the RSA Access Manager to support stronger cipher suites. Alternatively, you may want to re-enable the anonymous cipher suites in JRE for successful SSL/TLS connections with the RSA Access Manager as follows:
Remove anon from the jdk.tls.disabledAlgorithms Java security property in the INSTALL_DIR/Linux.x86_64/jre/lib/security/java.security file.
When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up-to-date.
Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:
/opt/Axway-7.6.2/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP
There is a known issue when running the update-apimanager script with --productname=clientappreg. Please do not use this switch with the update-apimanager script.
Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at https://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2019 Axway. All rights reserved.