Axway API Gateway and API Manager 7.5.3 SP9 Readme

Document version: 15 November 2018


Readme for 7.5.3 SP9

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP9, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP9_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE ID Description
RDAPI-13282 00946657, 00988077, 01002570, 00965605 Issue: Requiring an encryption password when exporting an API or application collection fails the apimanager-promote script because it is not possible to provide a decryption password or passfile.
Resolution: The apimanager-promote script now requires a decryption password or passfile.
RDAPI-13297 00976396, 00933466 Issue: Submitting a token request without specifying any scope would return all application scopes and scopes of APIs that are associated with the application.
Resolution: Set the JVM property <VMArg name="-Dcom.apimanager.application.oauth.restrictScopes=true"/> to return only those scopes which have been added to the application as Application Level scopes and marked as default.
RDAPI-13437 00982967 Issue: Privilege escalation vulnerability, where an API Manager user could give themselves an elevated role using a PUT request.
Resolution: API Manager now validates that a user can only change roles if they have that role or a higher role. For example, an organization admin can give users the organization admin role, but they cannot give the API Manager admin role.
RDAPI-13510 00993607, 00984372 Issue: The URL input field on the Add Certificate page can be exploited to check for the existence of files on the server, or to map open ports on the local network of API Gateway.
Resolution: The URL input field is validated (it must be an HTTP URL, and only public domains are allowed). Also, the same error output is now returned in all cases when no certificate is found.
RDAPI-13511 00984372, 00993594 Issue: Security vulnerability when entering a file name for export of an application, where response headers could be changed by entering special characters.
Resolution: Introduced a server-side check where the file name must match a regular expression allowing only valid characters.
RDAPI-13512 00993605, 00984372 Issue: Security vulnerability in the image upload feature allows upload of unsupported image formats (for example, Flash), which can be used to initiate attacks.
Resolution: Introduced validation checks for image upload to check the file name and image format. The image is now always processed, which reduces attacks where the file content does not match the declared type.
RDAPI-13514 00983725, 01003668, 00984372 Issue: API Manager users could embed malicious code in client OAuth redirect URLs.
Resolution: This security vulnerability is now fixed in API Manager.
RDAPI-13883 00989858 CVE-2014-3566 Issue: API Gateway included IBM MQ JARs version 7.5.0.2 that are vulnerable to POODLE CVE-2014-3566.
Resolution: API Gateway now includes version 7.5.0.8 of the IBM MQ JARs and is no longer vulnerable.
RDAPI-13977 00999092, 01002567 CVE-2018-0737, CVE-2018-0732 Issue: API Gateway shipped with OpenSSL 1.0.2o-fips.
Resolution: API Gateway ships with OpenSSL 1.0.2p-fips, addressing the following security vulnerabilities: CVE-2018-0732, CVE-2018-0737.
RDAPI-14061 00949535 Issue: Path traversal security vulnerability in API Gateway Manager.
Resolution: The security vulnerability has been fixed.
RDAPI-14166 01004262 Issue: URL with "many slashes" causes crash in API Gateway.
Resolution: API Gateway handling of long URLs in memory has been corrected.
RDAPI-14363 00993599, 00984372 Issue: API Manager Management APIs are not CSRF protected.
Resolution: CSRF protection has been added to API Manager Management APIs. Set the com.axway.apimanager.csrf Java system property to false to turn off the CSRF checks by API Manager. The default is true.
RDAPI-14504 01011534 CVE-2018-3183 Issue: The Java version shipped with API Gateway contained security vulnerabilities.
Resolution: The API Gateway Java version has been upgraded to:
Java version "1.8.0_191"
Java (TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot (TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
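
Three of the fixes above (RDAPI-13437 role assignment, RDAPI-13510 certificate URL, RDAPI-13511 export file name) describe server-side checks without showing them. The following Python is an added illustration written for this readme, not Axway code: the role names and ranks, the file-name regular expression, the acceptance of https as well as http, and the internal-hostname suffix list are all assumptions chosen to match the behaviour the resolutions describe.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed role ladder for illustration only; a higher rank means more privilege.
ROLE_RANK = {"user": 0, "oadmin": 1, "admin": 2}


def can_assign_role(actor_role: str, target_role: str) -> bool:
    """RDAPI-13437: an actor may grant a role only if they hold it or a higher one.

    actor_role must come from the authenticated session, never from the request
    body. Unknown role names are rejected instead of being given a guessed rank.
    """
    if actor_role not in ROLE_RANK or target_role not in ROLE_RANK:
        return False
    return ROLE_RANK[target_role] <= ROLE_RANK[actor_role]


# Assumed allowlist for RDAPI-13511: alphanumerics, dot, dash and underscore,
# first character alphanumeric, bounded length. CR, LF, quotes and path
# separators can never match, so the value is safe in a Content-Disposition
# header and as a file name.
EXPORT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_export_filename(name: str) -> bool:
    return EXPORT_NAME_RE.fullmatch(name) is not None


def is_allowed_certificate_url(url: str) -> bool:
    """RDAPI-13510: accept only http(s) URLs that point at a public host.

    A server-side fetch driven by user input is an SSRF vector. Refusing
    loopback, private, link-local and unspecified addresses (and obviously
    internal hostnames) removes the file-probe and port-scan use of the field.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Literal IP: is_global is False for 10/8, 127/8, 169.254/16, ::1, etc.
        return addr.is_global
    lowered = host.lower().rstrip(".")
    if lowered == "localhost" or "." not in lowered:
        return False  # bare names resolve against the internal search domain
    # Suffixes treated as internal are an assumption for this example.
    return not lowered.endswith((".local", ".localhost", ".internal"))
```

The URL check only inspects the string: to hold up against DNS rebinding, the same address rules must be applied again to the IP actually connected to, and any HTTP redirect target must be re-validated before it is followed. The identical-error-output part of RDAPI-13510 is a separate measure and is not shown here.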

Other fixed issues

Internal ID Case ID Description
RDAPI-12142 00942402 Issue: When a front-end API is secured using an invoked policy that contains a Connect to URL filter, and the connection to the API fails, API Manager returns 200 or 204 HTTP status instead of 500 Internal Server Error.
Resolution: API Manager now returns 500 Internal Server Error in this scenario.
RDAPI-12305 00948031 Issue: The Save button is not enabled in Policy Studio when you select Server Settings > General > Input Encodings or Output Encodings for environmentalization.
Resolution: The Save button is enabled when you select these fields for environmentalization.
RDAPI-12759 00946314, 00961189 Issue: A front-end API is configured with OAuth or OAuth (external) Inbound Security with the "Scopes must match" setting set to "All". A request to the front-end API fails if the request's access token contains more scopes than are configured for the front-end API.
Resolution: A request with an access token containing more scopes than are configured for the front-end API no longer fails.
RDAPI-12774 00962018 Issue: API Manager REST API HTTP Basic Authentication fails when user password contains colon character (:).
Resolution: You can now include the colon character in the password.
RDAPI-12780 00963367 Issue: When importing applications with quota overrides that were exported using API Manager or its REST API with Export quota overrides selected, the API with quota overrides changed to undefined.
Resolution: Locating APIs in quota settings during application import is now fixed. Also added error messages for scenarios such as API or method not found.
RDAPI-12964 00956029 Issue: When the metrics database was changed for API Manager in Policy Studio, the change was not being saved.
Resolution: When the metrics database is changed, the user is prompted to save the change before continuing.
RDAPI-13060 00969324 Issue: There was an inconsistency between long-term and short-term views in the API Gateway Analytics UI.
Resolution: This inconsistency no longer occurs.
RDAPI-13113 00968288 Issue: When tokens received by the API Gateway as an OAuth client were malformed, the API Gateway failed to throw an error and stored the token as null.
Resolution: Token parsing now fails with an error message in the trace.
RDAPI-13121 00970289 Issue: Inconsistent data in the audit log for API access and applications in API Manager.
Resolution: Inconsistencies in audit log messages for API access and application CRUD operations have been removed. Now the _message_ field contains human readable object names, and object UUIDs are written to the _metadata_ field. Inconsistencies in audit log messages for organizations and permissions have also been consolidated.
RDAPI-13202 00973925 Issue: apimanager-promote script does not update an application with the same name if the application ID is different.
Resolution: apimanager-promote now updates an application with the same name irrespective of application ID.
RDAPI-13325 00978019 Issue: Duplicate claim error when adding a "sub" claim as an additional JWT claim in the OAuth client (External Connections > Client Credentials > OAuth2). Adding a "kid" claim to be included in the JWT header was not supported.
Resolution: Additional JWT claims for "sub" and "kid" are fully supported and work as expected.
RDAPI-13328 00966823 Issue: API Gateway JMS Service threads get locked when trying to reconnect after an external JMS server outage.
Resolution: JMS threads now reconnect automatically after an external JMS server outage.
RDAPI-13351 00973390 Issue: Cannot environmentalize the Enable Embedded Active MQ Broker checkbox in Policy Studio under Server Settings > Embedded Active MQ configuration.
Resolution: You can environmentalize both the enable Active MQ and the policy selection settings separately.
RDAPI-13368 00977062 Issue: Invalid file name error in API Manager when downloading the Swagger for an API if the API name contains unsupported characters (for example, ':', '@', '*', '~').
Resolution: API Manager replaces unsupported characters in the name with underscores, and the Swagger file can be downloaded as expected.
RDAPI-13411 00977732 Issue: Using API Manager with Internet Explorer or Edge browsers to import a back-end API, you had to click Select file twice before it worked.
Resolution: The Select file button works properly now on first click.
RDAPI-13503 01016432, 00983879 Issue: Cannot environmentalize open traffic event log settings (Server Settings > Logging > Open Traffic Event Log) in Policy Studio.
Resolution: Open traffic event log settings can be environmentalized directly under Server Settings > Logging > Open Traffic Event Log or by navigating to the configuration from Environment Configuration > Environment Settings.
RDAPI-13516 00980228 Issue: UI performance issues when adding or removing users from an application in API Manager when a large number of applications and users exist.
Resolution: UI performance issues have been resolved.
RDAPI-13540 00977040 Issue: When threat protection was enabled, response body rules were triggered depending on the input content-type.
Resolution: The content-type used to trigger the response body check is now correctly taken from the response header.
RDAPI-13552 00983915 Issue: In Visual Data Mapper there was an error transforming XML to JSON when XML reference types were used.
Resolution: The error no longer occurs when transforming XML to JSON using XML reference types.
RDAPI-13556 00957205 Issue: apimanager-promote script returns 0 even when the deployment fails.
Resolution: The script now returns 0 for success and 1 if the deployment fails.
RDAPI-13651 00987083 Issue: You could not create a certificate with expiry date after 2037 in Policy Studio on Windows.
Resolution: You can create a certificate with expiry date after 2037.
RDAPI-13670 00979243 Issue: Incoming requests for URLs containing encoded extended ASCII characters could result in error when writing Traffic Monitoring records and cause memory leak.
Resolution: The extended ASCII characters are no longer treated as a malformed UTF-8 string, and the memory leak no longer happens.
RDAPI-13688 00987739 Issue: Import of a WSDL into API Manager was hanging.
Resolution: The import completes successfully now.
RDAPI-13735 00986597 Issue: You cannot create API Manager users with commas in their name. The validation failure was not being written to the trace log.
Resolution: Commas are permitted in the names of API Manager users, and validation errors for new users are logged correctly.
RDAPI-13777 00980797 Issue: OAuth Clients configured using selectors failed to trace an appropriate error message.
Resolution: The trace now contains the message "OAuth client application is not properly configured. Basic Client application properties are not set."
RDAPI-13835 00988153 Issue: In OAuth Client requests if a token refresh request failed, the process would fall back to a regular token request but would fail to make the new token available to the outbound API call.
Resolution: The new token is now used as expected.
RDAPI-13842 00993963 Issue: managedomain displayed an Invalid group passphrase error when Submit externally signed certificate was used.
Resolution: Using Submit externally signed certificate option does not result in error anymore.
RDAPI-13865 00983348 Issue: Unexpected 403 response when sending a POST request with default profiles to /proxies to virtualize an API.
Resolution: Default profiles are accepted when sending a POST request to /proxies in order to virtualize an API.
RDAPI-13874 00992660 Issue: Using the Find Certificate filter causes memory leak.
Resolution: Native components are now correctly freed when an error is raised.
RDAPI-13884 00983453, 00990270 Issue: When two APIs share back-end and front-end URLs, one of them is chosen at random, independently of their state.
Resolution: The API that is published now takes precedence.
RDAPI-13885 00994951, 00990926 Issue: Each API Manager instance was showing metrics for all groups in the domain, not just its own.
Resolution: Each API Manager instance only shows metrics for its own group.
RDAPI-13896 00991420 Issue: In the API Gateway access log, the time zone is not correct if daylight savings is in effect.
Resolution: The time zone is always correct and includes daylight savings if applicable.
RDAPI-13903 00989460, 01011522 Issue: API Manager did not import or show the correct response definitions or would fail to display the API method.
Resolution: API Manager imports and displays them correctly.
RDAPI-13978 00999506 Issue: API Gateway returns 404 error for REST API methods designed to consume content types.
Resolution: API Gateway REST API method content types check works as expected.
RDAPI-14041 01005122, 01000908, 01001167 Issue: The API Gateway SP8 post install script was overwriting the conf/acl.json file. Changes made by customers to this file were lost.
Resolution: The post install script now only changes the affected line in the acl.json file.
RDAPI-14042 01000080 Issue: No Match For Request error occurs when Content-Type was not equal to the API method MIME type.
Resolution: Use the com.coreapireg.apimethod.contenttype.legacy=true system property to disable this Content-Type check for single API method exact matching and allow legacy API method matching. For example:
<ConfigurationFragment>
    <VMArg name="-Dcom.coreapireg.apimethod.contenttype.legacy=true" />
</ConfigurationFragment>

The default value is false.
RDAPI-14054 01000648, 01000980 Issue: Content-Type of the Consumes and Produces type is missing in API Manager for PATCH methods imported from Swagger.
Resolution: Content-Type of the Consumes and Produces type is displayed in API Manager.
RDAPI-14055 00997185, 00995508 Issue: Key Property Store (KPS) does not cache the identifier of a record that does not exist. This results in unnecessary database requests and poor performance.
Resolution: API Gateway now caches the request to a record that does not exist, which reduces database hits and improves performance.
RDAPI-14064 00987708 Issue: Memory exception in API Gateway when sending request to ICAP server.
Resolution: The issue was caused by the JSON document body object closing the connection before sending data. The issue has been resolved and the exception no longer occurs.
RDAPI-14118 00999252 Issue: The FTP Poller was not carrying out the correct action when the processing policy failed.
Resolution: The FTP Poller now carries out the correct action.
RDAPI-14202 01004665, 01007289 Issue: Cannot import multiple WSDL back-end APIs with the same WSDL URL.
Resolution: You can import multiple WSDL back-end APIs with the same WSDL URL.
RDAPI-14290 01006639 Issue: Adding a query string to a front-end API in an outbound per-method override via API proxy resulted in the wrong query string if the front-end API effective back-end service URL already had a query string.
Resolution: The query string is correctly added.
RDAPI-14292 00978229 Issue: When HTTP requests failed, request paths were not recorded correctly in the transaction event log.
Resolution: Request paths are always recorded correctly.
RDAPI-14313 00992660 Issue: API Gateway memory consumption issue when displaying certificates.
Resolution: This memory leak has been fixed.
Issue: Command line "sr" prints SSL debug information when quiet mode is set.
Resolution: SSL information is no longer printed in quiet mode.
RDAPI-14337 00976755, 00976945 Issue: Memory consumption issue due to I/O streams not being closed when errors occur during CRL processing.
Resolution: I/O streams are correctly closed and extra memory is no longer allocated when calling OpenSSL functions.
RDAPI-14462 00981353, 00983915 Issue: In Visual Data Mapper there was an error transforming XML to JSON when XML reference types were used.
Resolution: The error no longer occurs when transforming XML to JSON using XML reference types.
RDAPI-14627 00988159 Issue: API Gateway Manager UI is very slow when managing a large number of instances.
Resolution: Performance of the API Gateway Manager UI has been improved.

Known issues

Disable CSRF check if using API Manager Management APIs

If you are using the API Manager Management APIs you must disable the CSRF token check implemented in this service pack. To disable the check, set the Java system property com.axway.apimanager.csrf to false. The default is true.

Related issues: RDAPI-14363, IAP-1592

Other known issues

The following known issues are currently scheduled for the next service pack.

Internal ID Summary
RDAPI-9478 Path matching on listeners works incorrectly when the paths found are the same.
RDAPI-12357 Issues importing Swagger 1.2 files
RDAPI-12891 HEAD request, Connect to URL and Content-Range header
RDAPI-13658 "No VAPI matched request" error in API Manager but it should match
RDAPI-13690 Environmentalization of CORS Profiles using Policy Studio
RDAPI-13975 API Manager\Portal self registration, problems with emails containing '+' sign
RDAPI-14065 SSL handshake failing, HTTPS WSDL import in API Manager
RDAPI-14142 PRD had shown Cardinality violation Error
RDAPI-14185 Continuation: Cassandra slowness in some environments
RDAPI-14380 KPS restore command failing in Production
RDAPI-14459 Inconsistent error messages between GET and POST requests in case of "no match found for request"
RDAPI-14461 First In First Out eviction: adding existing data removes the original instead of updating it.
RDAPI-14478 Issue with OCSP response validation, OCSP filter does not try all three options
RDAPI-14489 Policy Studio Data Map, incorrect handling of (Any) for node with undefined type
RDAPI-14491 WSDL schema cannot contain two global components, import error
RDAPI-14506 managedomain regen_certs in unattended mode always generates new domain certificate
RDAPI-14517 Create Thumbprint Filter SHA256 issue when thumbprint has leading zeros
RDAPI-14531 Automated deployment of policy with passphrase fails
RDAPI-14571 API Gateway Manager 7.5.3 does not show the product version
RDAPI-14588 File Upload filter performance is 20x better with ASCII rather than BINARY mode
RDAPI-14638 Error creating account for external identity provider with name containing special characters

Reverted issues

This service pack has no reverted issues.

Install the service pack

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin) and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note   If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
     Note   On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is co-located with API Gateway, you must also stop Cassandra and close the Cassandra console. If there are any open file locks, this may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP9 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP9_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh
     Note   On Linux, run the script using the bash command, and ensure that the correct permissions are set.
  6. API Gateway Appliance only: Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway. First, run the following command:
    [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. API Gateway Appliance only: Run the following:
    chown -R admin:admin /opt/gateway/
    grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
    setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
    ldconfig

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway Analytics 7.5.3 SP9 over the analytics directory in your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP9_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  3. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract Policy Studio 7.5.3 SP9 over the policystudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP9_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/
Note   The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract Configuration Studio 7.5.3 SP9 over the configurationstudio directory in your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP9_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/
Note   The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

The following steps apply after installing the service pack.

API Gateway

Note   On the API Gateway Appliance, you can skip the following steps if you already ran the code in steps 6 and 7 in Install the service pack.

To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig

API Manager

Note   When API Manager is installed, you must run the update-apimanager script (located in the bin directory) after the API Gateway post-install script to ensure that all paths are up-to-date.

Documentation

Go to the Axway Documentation portal at https://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Axway Documentation portal at https://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.

Copyright © 2018 Axway. All rights reserved.