Document version: 25 October 2019
This Readme applies to Axway API Gateway and API Manager 7.5.3 SP12, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new API Gateway binaries and does not overwrite the existing API Gateway configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP12_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
com.axway.apimanager.api.data.cache Java system property to true.
com.axway.apimanager.csrf to false. The default is true.
Related issues: RDAPI-14363, RDAPI-16582, IAP-1592
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-16204 | 01046587, 01052413 | | Issue: "openid" is always accepted as a valid scope in all OAuth configurations. Resolution: The system variable "com.axway.oauth.scopes.openid.allow" can be set to "false" to make "openid" invalid. |
RDAPI-17216 | 01083881 | | Issue: The response to an HTTP OPTIONS request contains the HTTP OPTIONS request headers. Resolution: The response to an HTTP OPTIONS request no longer contains the HTTP OPTIONS request headers. |
RDAPI-17362 | 00963339 | CVE-2019-14379 | Issue: jackson-databind version 2.9.5 has security vulnerabilities. Resolution: This component has been updated to 2.9.10, which does not have these security vulnerabilities. |
Internal ID | Case ID | Description |
---|---|---|
RDAPI-13971 | 01080378, 00999364 | Issue: The ModSecurity status code was hardcoded to 403. Resolution: It can now be configured in the ModSecurity configuration. |
RDAPI-15163 | 01019805 | Issue: API Gateway cannot configure a group passphrase that contains the $ character. Resolution: API Gateway now allows a group passphrase containing the $ character. |
RDAPI-15793 | 01040133 | Issue: Parallel deletion of APIs caused issues in updates of quota relations in tables. Resolution: Parallel deletion of APIs is fixed by removing caching of the quota relations. Only a delete on the database is required when removing quota information. |
RDAPI-16472 | 01064024, 01063687, 01072862 | Issue: Frontend API creation fails when using HTTPS and an unavailable host. Resolution: Frontend API creation no longer fails when the backend host is not available. |
RDAPI-16649 | 01051063 | Issue: The 'sha256' digest algorithm, used by the SMIME Sign filter in API Gateway 7.5.3 onward, incorrectly generates the SMIME Content-Type header with a micalg="sha1" attribute. Resolution: You can change the default SMIME digest algorithm with the Java system property 'com.axway.apigw.smime.sign.md' in the jvm.xml file, or via the policy message attribute, for example, 'com.axway.apigw.smime.sign.md=sha1'. The policy message attribute supersedes the Java system property. The following digest algorithms are supported: sha1, sha224, sha256, sha384, and sha512. The corresponding SMIME Content-Type header 'micalg' attribute is set accordingly. |
RDAPI-16792 | 01064543, 01078637 | Issue: No option to prevent API Manager from adding a forward slash "/" to back-end API calls. Resolution: Add the "com.vordel.apimanager.swagger.method.singleslash.ignore=true" Java system property to the jvm.xml file in the conf/ directory of the instance to disable passing a single-slash method path to the back-end. For example: <ConfigurationFragment> <VMArg name="-Dcom.vordel.apimanager.swagger.method.singleslash.ignore=true" /> </ConfigurationFragment> |
RDAPI-16882 | 01059408 | Issue: An assertion is triggered when a thread cannot be started. Resolution: Threads that cannot be started no longer terminate the process. |
RDAPI-16890 | 01103775, 01073101 | Issue: XML redaction is very slow when processing large XML files. Resolution: XML redaction has been fully rewritten to be performant and have a low memory footprint; the maximum memory size and the maximum accepted XML node depth can be controlled using the properties <XMLRedactor maxBufferSize="32768" maxDepth="1024">. Issue: XML redaction with disposition "redactDescendants" only removes child nodes. Resolution: XML redaction with disposition "redactDescendants" now correctly removes both text and child nodes. |
RDAPI-16896 | 01064774 | Issue: API Manager kept user registration data in the database for invalid or expired registrations. Resolution: User data entered during registration is now stored with a "time to live" parameter, which deletes the data if the user is not validated. |
RDAPI-16900 | 01072496 | Issue: A trailing slash is incorrectly added to Per-Method Override Back-end Paths for WSDL APIs. Resolution: A trailing slash is no longer incorrectly added to Per-Method Override Back-end Paths for WSDL APIs. |
RDAPI-16904 | 01075614 | Issue: Projpack failed to create a project if the run command contained --passfile and a string containing '-f'. Resolution: The script has been updated to properly handle the occurrence of '-f' in a string. |
RDAPI-16928 | 01074742 | Issue: A missed impact in the advanced editing implementation caused a blank entity reference to overwrite the first entry in the list of node locations for the XML Signature Generation and Verification filters. Resolution: Valid node location references are no longer overwritten during save in advanced editing mode. |
RDAPI-16929 | 01075694 | Issue: IP address authentication filter updates are very slow. Resolution: The performance of the IP address authentication filter is improved, as the amount of disk I/O performed is significantly reduced. |
RDAPI-16951 | 01059408 | Issue: Process termination is triggered when a network connection cannot be instantiated. Resolution: Connection instantiation errors no longer trigger process termination. |
RDAPI-16952 | 01059408 | Issue: In API Gateway, in some specific cases, the caching of SSL connections produced memory leaks that could cause the gateway to crash. Resolution: Memory handling has been reviewed and is now fixed for SSL connection caching. |
RDAPI-17007 | 01073806, 01074080 | Issue: Event logging for API Manager was incorrectly overwriting the Application Id in the Service Context "client" field. Resolution: API Manager no longer overwrites the initial value of the Service Context "client" field. |
RDAPI-17028 | 01079030 | Issue: The apimanager-promote script could only add API access to an organization; there was no functionality to revoke access. Resolution: A new 'organization.apis.remove' property was added to the script to allow API access to be revoked from organizations. |
RDAPI-17030 | 01074983 | Issue: In API Gateway, when using OpenID Connect 1.0 on top of the OAuth 2.0 protocol, OpenID tokens generated by the hybrid flow do not contain the c_hash (code hash) value. Resolution: OpenID tokens generated by the hybrid flow now include c_hash. |
RDAPI-17068 | 01067999 | Issue: In API Manager, sending requests with invalid Content-Type headers to a Virtual API results in an error with HTTP status code 403, which does not represent the error correctly. Resolution: Sending requests with invalid Content-Type headers to a Virtual API now results in an error response with HTTP status code 415 and status message "Unsupported Media Type". |
RDAPI-17085 | 01084300, 01056692 | Issue: The OAuth server does not return 401 in compliance with the RFC for certain "invalid_client" errors. Resolution: It now returns 401 as per the RFC. |
RDAPI-17168 | 01080317 | Issue: The JSON to XML filter was crashing in some specific cases for valid input. Resolution: The JSON to XML filter is fixed and now works properly for valid inputs. |
RDAPI-17283 | 01087893, 01088304 | Issue: The browser is unable to process the number of External Clients, OAuth Clients and API Keys that API Gateway returns, upwards of a 100 MB response payload. Resolution: Server-side pagination is implemented for GET requests for API Keys, OAuth Clients and External Clients, resulting in much smaller payloads being returned to the client. |
RDAPI-17284 | 01087893, 01100357, 01088304 | Issue: After deploying to a Gateway, a new API Client Cache is created, but not all references to the old cache are removed, so the memory it consumes is not made available again. Resolution: All references to the discarded API Client Cache are removed, so the memory it was consuming is made available again right after deployment completes. |
RDAPI-17302 | 01094845, 01065335, 01066017, 01087748, 01100629 | Issue: Formatting error in the Traffic Monitor GUI and trace files. Resolution: The alignment of trace output has been corrected. The trace indentation error is now reported per processing thread, and if reported, the trace indentation stays intact in unaffected threads. |
RDAPI-17333 | 01048992, 01049266 | Issue: As a user, a getApplications call results in an individual call to KPS for every application to look up permissions. Resolution: The permissions are already cached; the cached permissions are now used rather than reading from KPS for each application. |
RDAPI-17394 | 01091120, 01087893 | Issue: Requests return status code 401 while the API Client Cache is still updating. Resolution: Requests now return status code 503 unless the system variable "com.axway.apimanager.apiclient.cache.response.legacy" is set to "true". |
RDAPI-17398 | 01090932 | Issue: The dollar sign ($) is treated as an invalid character in the API Resource Path. Resolution: Validation of the Resource Path now accepts the characters specified in RFC 3986. |
RDAPI-17412 | 01080681, 01084375 | Issue: API Manager deployment is too slow when there are many APIs and methods defined in KPS. Resolution: Improved caching in API Manager while loading API method data stored in KPS, and the compiler is reused when loading Script filters. |
RDAPI-17432 | 01090822 | Issue: API Gateway does not check the expiry time of OAuth authorization codes when they are stored in an SQL database; the purge thread is responsible for deleting expired codes. This caused a potential delay, as API Gateway treated all available codes as valid. Resolution: API Gateway now checks the expiry time of OAuth authorization codes when it uses them. The purge thread behaves as before. |
RDAPI-17484 | 01091984 | Issue: In the Policy Studio REST API Repository, editing a method does not work if an error response is configured for the method. Resolution: A REST API method with an error response configured can now be edited. |
RDAPI-17493 | 01094555, 01094399 | Issue: API Manager startup time slows down considerably in HA environments as the number of organizations increases. Resolution: Organizations are cached in memory so that calls to the database are reduced, which makes the startup process faster. |
RDAPI-17700 | 01083828 | Issue: The transaction access logger performs a reverse DNS lookup on the source IP address even when "%h" is not used. Resolution: The DNS lookup has been removed from the policy pre-execution phase. |
RDAPI-17971 | 01101064 | Issue: The dbpurger and dbsetup Python scripts fail to connect to the database. Resolution: The dbpurger and dbsetup Python scripts now connect to the database. |
RDAPI-18017 | 01105012 | Issue: The HTTP Basic filter accepts only a case-sensitive "Basic" scheme name. Resolution: The HTTP Basic and HTTP Digest filters now process the Basic authentication scheme name case-insensitively, as per RFC 7617. |
v7.5.3 adds improved support for Apache Cassandra 2.2.12. However, the API Gateway Installation Guide and API Gateway Upgrade Guide incorrectly state that API Gateway supports Apache Cassandra versions 2.2.5 and 2.2.8 only. This user documentation will be updated to reflect support for Cassandra version 2.2.12 at a later date.
Related issues: RDAPI-14421
The following known issues are currently scheduled for the next service pack.
Internal ID | Description |
---|---|
RDAPI-13517 | Duplicate headers returned when calling API Gateway Rest API |
RDAPI-13723 | Policy called as REST API in Policy Studio, and local fault handler not catching unhandled false return from policy called by policy shortcut |
RDAPI-14501 | API Manager: load Error "Map XXXX should be YYYY" after importing APIs |
RDAPI-14552 | API Gateway libxml2 outdated and unsecured? |
RDAPI-15290 | Can't access Node Manager after submitting external CA-signed certs |
RDAPI-15490 | Request headers reflected as response headers |
RDAPI-15529 | Analytics scheduled report filename doesn't change |
RDAPI-16183 | KPS caching seems to not use the table name as part of the cache-key, resulting in undesired behavior |
RDAPI-16215 | API Administrator is re-created after restoring a Cassandra snapshot backup |
RDAPI-16405 | Unchecking the required field does not make the parameter optional |
RDAPI-17282 | Connector for Salesforce APIs in API Manager doesn't work or is impossible to configure |
RDAPI-17395 | APIGW Analytics - no data in DB during DB unavailability |
RDAPI-17569 | Nested relative path behavior changed after SP9, causing customer policies to fail |
RDAPI-17666 | Policy Studio unclear about what environmentalized properties are being exported |
RDAPI-17770 | Path matching behaviour has changed between 7.5.3 SP3 and SP11 |
RDAPI-17917 | Remove this.py from the product |
RDAPI-17921 | KPS Run Diagnostic Check is failing with error "HTTP 410 Gone" |
RDAPI-17923 | API Manager Rest stats interface / DB error cuts connection without proper 500 return |
RDAPI-17972 | Open id redirect issue in OAuth flow |
This service pack has no reverted issues.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
Shut down any Node Manager or API Gateway instances on your existing installation.
Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
Note: Ensure that you back up any customized files in your INSTALL_DIR. You should merge updated files instead of copying them back directly, to avoid any regex matching issues. For example, the following directories might contain customized files:
webapps/apiportal/vordel/apiportal
webapps/emc/vordel/manager/app
webapps/emc
system/conf/apiportal/email
system/conf
samples/scripts/
tools/filebeat-VERSION-PLATFORM
INSTALL_DIR/apigateway/system/lib/modules
INSTALL_DIR/analytics/system/lib/modules
INSTALL_DIR/apigateway/system/lib/jython
INSTALL_DIR/analytics/system/lib/jython
INSTALL_DIR/apigateway/platform/jre
INSTALL_DIR/apigateway/upgrade
kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
setcap -r INSTALL_DIR/apigateway/platform/bin/vshell
If FIPS mode is enabled, you must also perform the following steps to install the service pack:
togglefips --disable to turn FIPS mode off.
togglefips --enable to turn FIPS mode on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:
apigw_sp_post_install.bat from completing successfully.
Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
Unzip and extract API Gateway 7.5.3 SP12 server over the apigateway directory in your existing installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP12_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
apigateway directory in your installation: INSTALL_DIR\apigateway
INSTALL_DIR/apigateway
apigw_sp_post_install.bat
apigw_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
API Gateway Appliance only
Perform the following additional steps as the root
user on the appliance before starting the Node Manager or API Gateway:
[ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
chown -R admin:admin /opt/gateway/
grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
ldconfig
Note: ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:
analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP12_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
analytics directory in your installation: INSTALL_DIR\analytics
INSTALL_DIR/analytics
apigw_analytics_sp_post_install.bat
apigw_analytics_sp_post_install.sh
Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.
Note: ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
INSTALL_DIR/policystudio directory.
INSTALL_DIR/policystudio/jre
policystudio directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP12_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
policystudio -clean
Note: The -clean option is needed the first time you start Policy Studio after installing the service pack.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
INSTALL_DIR/configurationstudio directory.
INSTALL_DIR/configurationstudio/jre
configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example:
tar -xzvf APIGateway_7.5.3_SP12_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
configurationstudio -clean
Note: The -clean option is needed the first time you start Configuration Studio after installing the service pack.
The following steps apply after installing the service pack.
Note: On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 6 and 7 in Install the API Gateway server service pack.
To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:
INSTALL_DIR/system/conf/jvm.xml file:
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
For more details on configuring API Gateway to run on privileged ports, see the API Gateway Administrator Guide.
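Several steps in this readme add or change -D system properties in jvm.xml (the VMArg line above, the ConfigurationFragment in the fixes table, and the grep || sed line in the appliance steps). The helper below is an added example, not code from the Axway readme or product: it parses jvm.xml, sets a property idempotently instead of appending a duplicate VMArg, and flags two readme-quoted values that relax a security control. It assumes the ConfigurationFragment/JVMSettings/VMArg layout and uses a constructed sample file.

```python
"""Audit and update -D system properties in an API Gateway jvm.xml.

Added example; not part of the Axway readme or product. It assumes the
jvm.xml layout shown in the readme (a ConfigurationFragment root holding
VMArg elements, optionally inside JVMSettings, which the appliance sed
command targets) and uses property names quoted in the readme.
"""
import xml.etree.ElementTree as ET

# Property values named in the readme that relax a security control; treating
# them as review findings is this example's assumption, not readme guidance.
WEAKENING = {
    "com.axway.apimanager.csrf": "false",  # turns off API Manager CSRF checks
    "com.sun.jndi.ldap.object.disableEndpointIdentification": "true",  # no LDAPS hostname check
}

# Constructed sample jvm.xml, not taken from a real installation.
SAMPLE_JVM_XML = """<ConfigurationFragment>
  <JVMSettings>
    <VMArg name="-Xmx1024m"/>
    <VMArg name="-Dcom.axway.apimanager.csrf=false"/>
    <VMArg name="-Dcom.axway.apigw.smime.sign.md=sha256"/>
  </JVMSettings>
</ConfigurationFragment>
"""


def parse_vmargs(xml_text):
    """Return {property: value} for every -D VMArg; other JVM flags are skipped."""
    props = {}
    for arg in ET.fromstring(xml_text).iter("VMArg"):
        name = arg.get("name", "")
        if not name.startswith("-D"):
            continue
        key, sep, value = name[2:].partition("=")
        props[key] = value if sep else ""
    return props


def weakening_settings(props):
    """List 'key=value' entries whose value matches a known security-relaxing one."""
    return sorted(f"{k}={v}" for k, v in props.items() if WEAKENING.get(k) == v)


def ensure_property(xml_text, key, value):
    """Idempotently set -Dkey=value and return (new_xml, changed).

    Unlike a grep || sed append, an existing VMArg for the key is updated in
    place rather than duplicated, so the JVM never sees two conflicting values.
    """
    root = ET.fromstring(xml_text)
    wanted = f"-D{key}={value}"
    for arg in root.iter("VMArg"):
        name = arg.get("name", "")
        if name == wanted:
            return xml_text, False
        if name == f"-D{key}" or name.startswith(f"-D{key}="):
            arg.set("name", wanted)
            return ET.tostring(root, encoding="unicode"), True
    parent = root.find("JVMSettings")
    if parent is None:
        parent = root  # readme example shows VMArg directly under the root
    ET.SubElement(parent, "VMArg", name=wanted)
    return ET.tostring(root, encoding="unicode"), True
```

Run parse_vmargs over each instance's conf/jvm.xml after the post-install script to confirm the expected properties survived the service pack and that nothing in WEAKENING was left behind from troubleshooting.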
Notes:
anon from the jdk.tls.disabledAlgorithms Java security property in the INSTALL_DIR/Linux.x86_64/jre/lib/security/java.security file.
<VMArg name="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"/> line to the INSTALL_DIR/system/conf/jvm.xml file.
When API Manager is installed, you must run the update-apimanager script after the API Gateway post-install script to ensure that all paths are up to date.
Tip: You can run this command once at the API Gateway group level, instead of on every API Gateway instance, for example:
/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
The following command shows an example of running the update-apimanager script when the Client Application Registry is installed:
/opt/Axway-7.5.3/apigateway/posix/bin/update-apimanager --username=admin --password=MY_PASSWORD --group=API_MGR_GROUP --productname=clientappreg
If the API Gateway group is protected by a passphrase, you must append --passphrase=API_MGR_GROUP_PASSPHRASE to the above command.
Go to the Documentation portal at https://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at https://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.
Copyright © 2019 Axway. All rights reserved.