Axway API Gateway and API Manager 7.5.3 SP 7 Readme

Document version: 18 May 2018


Readme for 7.5.3 SP 7

This Readme applies to Axway API Gateway and API Manager 7.5.3 SP 7, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.5.3_SP7_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file; compare it with the downloaded archive before you extract anything over an existing installation.

Fixed issues

Fixed security vulnerabilities

Key Case ID CVE Identifier Description
RDAPI-12772 00963339 CVE-2018-7489 Issue: jackson-databind CVE-2018-7489.
Resolution: Previously, the FasterXML jackson-databind component allowed unauthenticated remote code execution, because the fix for the CVE-2017-7525 deserialization flaw was incomplete and crafted JSON input could bypass the deserialization blacklist. Now, this component has been updated to v2.9.5, which fixes this vulnerability.
RDAPI-13040 00970806 CVE-2018-2815;CVE-2018-2814;CVE-2018-2811;CVE-2018-2800;CVE-2018-2799;CVE-2018-2798;CVE-2018-2797;CVE-2018-2796;CVE-2018-2795;CVE-2018-2794;CVE-2018-2790 Issue: Security vulnerabilities in the Java SE 8 JRE (1.8.0).
Resolution: Previously, API Gateway shipped a JRE version affected by these vulnerabilities. Now, the JRE has been updated to 8u172, which fixes them.
RDAPI-13173 00972709 CVE-2018-0739 Issue: OpenSSL upgrade (CVE-2018-0739).
Resolution: Previously, OpenSSL 1.0.2n was used. Now, the product ships with OpenSSL 1.0.2o.

Other fixed issues

Key Case ID Description
RDAPI-11229 00922991 Issue: API Manager missing fields in the API list on the Application page.
Resolution: Previously, the API's Version and State attributes were not displayed in the API list on the Applications screen in API Manager. Now, both attributes are displayed in the API list on the Application screen.
RDAPI-11606 00928470 Issue: OAuth Services listener allows directory listing for users who are not logged in.
Resolution: Previously, the OAuth 2.0 Services listener returned a directory listing of the common folder and served some of its HTML files to users who had not logged in. Now, only the files required for the login process are served before login; the remaining files are available only after the user has logged in.
RDAPI-11896 00930932 Issue: Response code duplicated when importing APIs.
Resolution: Previously, default response codes were added during the API import process even if they already existed. Now, a default response code is only added if it does not already exist for the method.
RDAPI-12141 00941934 Issue: Failure to re-import an API collection that includes cloned APIs with some methods deleted.
Resolution: Previously, re-importing an API collection that included cloned APIs with some methods deleted failed to import. Now, re-importing the API collection succeeds.
RDAPI-12187 00941239 Issue: FTP File Download filter blocks until the active timeout (30 seconds) when the configured file does not exist.
Resolution: Previously, the File Download filter did not fail immediately if the target file was not present on the FTP server. Now, the filter fails immediately if the target file is not found.
RDAPI-12455 00953858 Issue: Java exception when deploying a configuration containing a directory scanner
Resolution: Previously, when API Gateway was shutting down or a new configuration was deployed, a Java exception was sometimes logged from Directory Scanner. Now, this error no longer occurs.
RDAPI-12499 00956041 Issue: Audit log is not generating entries for some events.
Resolution: Previously, Audit log events were not logged correctly for CRUD events of Remote Host, Backend, and Frontend APIs. Now, Audit logs are created for these CRUD events.
RDAPI-12505 00962369, 00956154 Issue: Methods with multiple body parameters do not launch the Edit Proxy dialog.
Resolution: Previously, the Edit Proxy dialog would not open for methods with multiple body parameters. Now, the dialog opens for such methods. However, only the first body parameter is displayed, along with a warning message.
RDAPI-12521 Issue: Diagnostics for the API Gateway kpsadmin command
Resolution: Previously, the kpsadmin command did not output diagnostic information. Now, a new diagnostics option has been added to kpsadmin to help diagnose common KPS and Cassandra configuration issues. For more details, run kpsadmin --help.
RDAPI-12531 00954793 Issue: A logo image is attached to the API developer registration email even when the logo is removed from the email template.
Resolution: Previously, a logo image was attached to the registration email even when it was not referenced in the Velocity template. Now, if the template does not contain an image, the logo is no longer attached to the email.
RDAPI-12536 00955133 Issue: Message Size filter - error: Bad parameters passed
Resolution: Previously, the Message Size filter did not allow a selector to be used for minimum or maximum size. It also did not allow the user to specify sizes greater than 2GB. Now, minimum or maximum size can be a selector, and sizes greater than 2GB can be specified.
RDAPI-12537 00950692 Issue: Configuration deploy breaks distributed ehcache operations.
Resolution: Previously, Configuration deploy broke distributed ehcache operations. Now, a delay is introduced between re-creating the ehcache manager and the caches to resolve this issue. The default value of the delay is 5 seconds, and it can be configured by setting the system property: distributed.ehcache.cache.reload.pause.secs.
RDAPI-12706 00956525 Issue: Throttling filter not returning remaining limit.
Resolution: Previously, the throttling filter sometimes failed to return the HTTP headers showing the remaining limit. Now, these headers are always returned if requested.
RDAPI-12708 00960972 Issue: API Manager alert policies cannot be environmentalized.
Resolution: Previously, selecting API Manager Alert Policies to be environmentalized did not environmentalize the Alert Policy. Now, the Alert Policy is environmentalized and Environment Settings has an entry for it.
RDAPI-12709 00951136, 00952492 Issue: API Gateway server crash when an empty transaction stream is viewed from the API Gateway Manager interface.
Resolution: Previously, an empty stream of data could cause a server crash when the record was accessed using the REST API. Now, the REST API returns an empty response.
RDAPI-12740 00950845 Issue: A segmentation fault can occur when re-deploying a configuration that uses Remote Hosts configured to cover a subnet.
Resolution: Previously, when a new configuration was deployed, deleted remote hosts were not removed from the internal subnet search tree. Now, deleted entries are correctly removed from the internal search tree.
RDAPI-12746 00957296 Issue: Enabling ZDD in Studio breaks project with dependencies.
Resolution: Previously, it was not possible to update zero-downtime settings in a Policy Studio project with dependencies. Now, zero-downtime settings can be updated.
RDAPI-12816 00964971, 00964501 Issue: API Manager configuration settings are accidentally overwritten.
Resolution: Previously, API Manager configuration settings could be accidentally overwritten with the default settings when the process failed to read them. Now, API Manager reports an error when it fails to read configuration settings.
RDAPI-12903 00966762 Issue: Can't activate debug on NodeManager fed with Policy Studio 7.5.3_SP5 (and SP6).
Resolution: Previously, it was not possible to change the trace level for Node Manager or Analytics configurations. Now, the trace level can be modified.
RDAPI-12913 00964592 Issue: Java exception when using JSON add node filter with replace options.
Resolution: Previously, the JSON add node filter with replace options was throwing an error when applied to a document root ($). Now, the specified content is successfully applied to root.
RDAPI-12967 00966062 Issue: Remote host connection isn't released at the end of processing requests.
Resolution: Previously, when using the Connect To URL filter to connect to a remote host in an External Identity Provider circuit, the connections would never be released back to the connection pool once the processing was completed. Now, the remote host connections are released correctly at the end of processing requests to an External Identity Provider.
RDAPI-12975 00970764, 00958733, 00969827, 00955055 Issue: Product crash when performing XML redaction.
Resolution: Previously, XML redaction crashed when an XML attribute had an empty value. Now, empty attribute values (either '' or "") are handled correctly.
RDAPI-13000 00976884, 00960521 Issue: Unable to remove headers from responses for throttled APIs.
Resolution: Previously, API Manager reflected the request headers in the response to an HTTP 429 Too Many Requests error. Now, API Manager does not reflect request headers in that response when the com.axway.apimanager.fault.resetHeaders.http429 Java system property is set to true. The property is opt-in: without it, the previous behaviour is unchanged.
For example, in jvm.xml: <VMArg name="-Dcom.axway.apimanager.fault.resetHeaders.http429=true"/>
RDAPI-13068 00923495 Issue: OCSP filter uses incorrect date logic to validate OCSP responses.
Resolution: Previously, the time validation relied only on the time the OCSP response was produced (producedAt), with an allowed clock skew.
Now, the OCSP response is validated against the time its status information was last updated (thisUpdate), with a clock skew, and against its recommended expiration time (nextUpdate). The expiration time may be overridden by specifying a "valid until" period. Responses that carry no expiration time are treated as valid for the configured "valid for" period.

If the time frame is not specified in the filter configuration, or the configured value cannot be read, the following Java system properties are used to configure the OCSP response validity window. Their default values are:
 - OCSP_RSP_VALID_UNTIL_EXPIRATION, default "true" (true/false)
 - OCSP_RSP_VALID_UNTIL, default "0"
 - OCSP_RSP_VALID_UNTIL_UNITS, default "days" (days, hours, minutes, seconds)
 - OCSP_RSP_VALID_FOR, default "6"
 - OCSP_RSP_VALID_FOR_UNITS, default "hours" (days, hours, minutes, seconds)

These values may be specified for each API Gateway instance by providing a jvm.xml file in the <INSTALL_DIR>/apigateway/groups/<group-id>/<instance-id>/conf directory. For example:
<ConfigurationFragment>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL_EXPIRATION=false"/>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL=15"/>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL_UNITS=minutes"/>
    <VMArg name="-DOCSP_RSP_VALID_FOR=1000"/>
    <VMArg name="-DOCSP_RSP_VALID_FOR_UNITS=seconds"/>
</ConfigurationFragment>
RDAPI-13101 00930069, 00967330, 00901347 Issue: Java exception when sending a PATCH request containing a JSON array.
Resolution: Previously, when API Manager tried to process a request that contained JSON payload with a root array element, API Manager threw a JSONException and logged an error in the trace file. Now, API Manager correctly processes JSON payloads that contain a root array element.
RDAPI-13125 00967883, 00949233, 00950615 Issue: API Manager 64-bit integer path parameter validation fails.
Resolution: Previously, 64-bit integer path parameters were incorrectly validated as 32-bit integers and rejected. Now, 64-bit integer path parameters are correctly validated and passed through to the backend.
RDAPI-13127 00967330 Issue: Java NullPointerException in API Broker when sending a request with JSON content.
Resolution: Previously, when API Manager tried to process a request that contained a JSON payload when an API method body parameter was not required, API Manager threw a NullPointerException and logged an error in the trace file. Now, API Manager correctly processes JSON payloads when an API method body parameter is optional.
RDAPI-13204 00974936 Issue: API Manager reflects the request body in the response for HTTP 404 errors.
Resolution: Previously, API Manager reflected the request body in generated responses for HTTP 400, 404, 405 and 429 errors that were not handled by Global Fault handlers. Now, API Manager omits the request body from generated responses for all of these HTTP errors when the new com.axway.apimanager.fault.removeContentBody Java system property is set to true. The property is opt-in: without it, the previous behaviour is unchanged.
RDAPI-13242 00976475 Issue: JWT filter doesn't support JWK-Sets with multiple certificates.
Resolution: Previously, the JWT Verify filter didn't support JWK-Sets having multiple certificates. Now, the filter supports JWK-Sets with multiple certificates.
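The validity window described for RDAPI-13068 above, as an added example in Python that is not part of this readme or of the API Gateway code base: it reads the OCSP_RSP_* properties (filling in the readme's defaults) from a property dictionary or from a jvm.xml ConfigurationFragment, and decides whether a response with a given thisUpdate and optional nextUpdate is still inside its window. The precedence between the "valid until" override, nextUpdate and the "valid for" period, and the five-minute clock skew, are assumptions; the readme states neither. The timestamps are constructed sample values.

```python
"""OCSP response time-window check, following the SP7 OCSP filter description.

Added example; it is not part of the readme or of the API Gateway code base. It
models the window described for RDAPI-13068: thisUpdate checked with a clock
skew, expiry taken from nextUpdate, a "valid until" override, and a "valid for"
period for responses that carry no nextUpdate. The precedence between those
three, and the five-minute skew, are assumptions the readme does not state.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

# Units accepted by OCSP_RSP_VALID_UNTIL_UNITS / OCSP_RSP_VALID_FOR_UNITS, in seconds.
UNITS = {"days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}

# Defaults the readme lists for the OCSP_RSP_* system properties.
DEFAULT_PROPERTIES = {
    "OCSP_RSP_VALID_UNTIL_EXPIRATION": "true",
    "OCSP_RSP_VALID_UNTIL": "0",
    "OCSP_RSP_VALID_UNTIL_UNITS": "days",
    "OCSP_RSP_VALID_FOR": "6",
    "OCSP_RSP_VALID_FOR_UNITS": "hours",
}

# The jvm.xml fragment from the readme, used below as sample input.
README_FRAGMENT = """<ConfigurationFragment>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL_EXPIRATION=false"/>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL=15"/>
    <VMArg name="-DOCSP_RSP_VALID_UNTIL_UNITS=minutes"/>
    <VMArg name="-DOCSP_RSP_VALID_FOR=1000"/>
    <VMArg name="-DOCSP_RSP_VALID_FOR_UNITS=seconds"/>
</ConfigurationFragment>"""


@dataclass(frozen=True)
class OcspValidity:
    valid_until_expiration: bool = True            # trust the responder's nextUpdate
    valid_until: timedelta = timedelta(0)          # override measured from thisUpdate; 0 = unset
    valid_for: timedelta = timedelta(hours=6)      # window for responses without nextUpdate
    clock_skew: timedelta = timedelta(minutes=5)   # assumed value; the readme does not state the skew


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2018-05-18T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _span(value: str, units: str) -> timedelta:
    if units not in UNITS:
        raise ValueError(f"unknown unit {units!r}; expected one of {sorted(UNITS)}")
    amount = int(value)
    if amount < 0:
        raise ValueError("time span must not be negative")
    return timedelta(seconds=amount * UNITS[units])


def config_from_properties(props: Dict[str, str]) -> OcspValidity:
    """Build the window from -D property values, filling in the readme defaults."""
    merged = {**DEFAULT_PROPERTIES, **props}
    return OcspValidity(
        valid_until_expiration=merged["OCSP_RSP_VALID_UNTIL_EXPIRATION"].strip().lower() == "true",
        valid_until=_span(merged["OCSP_RSP_VALID_UNTIL"], merged["OCSP_RSP_VALID_UNTIL_UNITS"]),
        valid_for=_span(merged["OCSP_RSP_VALID_FOR"], merged["OCSP_RSP_VALID_FOR_UNITS"]),
    )


def config_from_jvm_xml(xml_text: str) -> OcspValidity:
    """Collect -DOCSP_RSP_* VMArg entries from a jvm.xml ConfigurationFragment."""
    props: Dict[str, str] = {}
    for arg in ET.fromstring(xml_text).iter("VMArg"):
        name = arg.get("name", "")
        if name.startswith("-DOCSP_RSP_") and "=" in name:
            key, _, value = name[2:].partition("=")   # strip the leading -D
            props[key] = value
    return config_from_properties(props)


def expiry_of(this_update: datetime, next_update: Optional[datetime], cfg: OcspValidity) -> datetime:
    """Instant after which the response is rejected (precedence is an assumption, see above)."""
    if not cfg.valid_until_expiration and cfg.valid_until > timedelta(0):
        return this_update + cfg.valid_until          # operator override wins
    if next_update is not None:
        return next_update                            # responder's recommended expiry
    return this_update + cfg.valid_for                # no nextUpdate: fixed "valid for" window


def check_ocsp_times(this_update: datetime, next_update: Optional[datetime],
                     now: datetime, cfg: OcspValidity) -> Tuple[bool, str]:
    """Accept only if thisUpdate is not in the future (beyond skew) and the expiry has not passed."""
    if this_update > now + cfg.clock_skew:
        return False, "thisUpdate lies in the future beyond the allowed clock skew"
    expiry = expiry_of(this_update, next_update, cfg)
    if now > expiry:
        return False, f"response expired at {expiry.isoformat()}"
    return True, f"valid until {expiry.isoformat()}"


if __name__ == "__main__":
    cfg = config_from_jvm_xml(README_FRAGMENT)
    t0 = parse_utc("2018-05-18T10:00:00Z")
    # With the readme's fragment the 15-minute override, not the responder's nextUpdate, decides.
    print(check_ocsp_times(t0, parse_utc("2018-05-19T10:00:00Z"), parse_utc("2018-05-18T10:20:00Z"), cfg))
```

With the defaults, a response without nextUpdate is trusted for six hours after thisUpdate; with the readme's fragment, the 15-minute override takes precedence over a nextUpdate a day away, which is the behaviour to expect if you tighten OCSP_RSP_VALID_UNTIL on a gateway whose responder publishes long-lived responses.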

Known issues

This service pack has the following known issues, which are planned for a future release.

Reverted issues

Install the service pack

Note: If you are using API Manager, before you can install this service pack, you must have run the setup-apimanager script on your installation.

Prerequisites

This service pack has the following prerequisites in addition to the prerequisites specified for the main product release:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Cassandra installation, ensure JAVA_HOME is set correctly in cassandra.in.sh and cassandra.in.bat to ensure Cassandra tools are launched successfully.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on an existing installation of API Gateway. If you have API Manager, installing the API Gateway Core Server service pack automatically installs the fixes for API Manager as well.

Install the API Gateway Core Server service pack

Note: If you have API Manager installed, installing the API Gateway Core Server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.5.3 Core Server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
     Note: On Windows, if you are running in a console in the foreground, you should also close the console. If Cassandra is collocated with API Gateway, you must also stop Cassandra and close the Cassandra console. Open file locks may prevent apigw_sp_post_install.bat from completing successfully.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches are already included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.5.3 SP 7 Core over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP7_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/apigateway/
  4. Change to the apigateway directory in your installation:
    Windows: INSTALL_DIR\apigateway
    Linux: INSTALL_DIR/apigateway
  5. Run the following script:
    Windows: apigw_sp_post_install.bat
    Linux: apigw_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

    API Gateway Appliance only
    Perform the following additional steps as the root user on the appliance before starting the Node Manager or API Gateway:

  6. Run the following command:
    # [ -f /etc/apigateway/ssl-engines.xml ] && mv /etc/apigateway/ssl-engines.xml /etc/apigateway/ssl-engines.xml.1
  7. Run the following:
    # chown -R admin:admin /opt/gateway/
    # grep "java.library.path" /opt/gateway/system/conf/jvm.xml || sed -i.bak -e '/<JVMSettings/a\\n <!-- Set to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /opt/gateway/system/conf/jvm.xml
    # setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' /opt/gateway/platform/bin/vshell
    # ldconfig
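As an added example that is not part of this readme or of Axway's installer, the following Python helper performs the two checks the steps above leave to the operator before an archive is extracted over the apigateway directory: it compares the archive's MD5 with the published checksum, and it refuses any archive member that would be written, or would link, outside the target directory. The archive names, the expected checksum and the sample archives it builds are constructed for a dry run; stopping the instances, backing up and running apigw_sp_post_install remain manual steps.

```python
"""Checksum and safe-extraction helper for applying a service pack archive.

Added example; it is not part of the readme or of Axway's installer. It assumes
a .tar.gz archive and a published MD5 for it, and does the two things the readme
leaves to the operator: verify the checksum and make sure no archive member
escapes the apigateway directory it is extracted over. Stopping the Node
Manager, backing up and running apigw_sp_post_install stay manual steps.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def md5_of(path: str) -> str:
    """Hex MD5 of a file, hashed in 1 MiB chunks so large archives are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _inside(root: Path, candidate: Path) -> bool:
    return candidate == root or root in candidate.parents


def unsafe_members(archive: str, dest: str) -> List[str]:
    """Archive members that would be written, or would link, outside dest."""
    root = Path(dest).resolve()
    bad: List[str] = []
    with tarfile.open(archive, "r:*") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()     # absolute names and ../ resolve outside root
            if not _inside(root, target):
                bad.append(member.name)
                continue
            if member.issym():        # symlink target is relative to the member's own directory
                link_target = (target.parent / member.linkname).resolve()
            elif member.islnk():      # hard link target is relative to the archive root
                link_target = (root / member.linkname).resolve()
            else:
                continue
            if not _inside(root, link_target):
                bad.append(member.name)
    return bad


def apply_service_pack(archive: str, expected_md5: str, apigateway_dir: str) -> List[str]:
    """Verify the published MD5, refuse path traversal, then extract over apigateway_dir.

    Returns the names of the members extracted. Raises ValueError on a checksum
    mismatch or an unsafe archive, so nothing is written in either case.
    """
    actual = md5_of(archive)
    if actual.lower() != expected_md5.strip().lower():
        raise ValueError(f"MD5 mismatch for {archive}: expected {expected_md5}, got {actual}")
    dest = Path(apigateway_dir)
    if not dest.is_dir():
        raise FileNotFoundError(f"{apigateway_dir} is not an existing directory")
    bad = unsafe_members(archive, str(dest))
    if bad:
        raise ValueError(f"refusing {archive}: members escape {apigateway_dir}: {bad}")
    # Defence in depth: also apply the stdlib 'data' filter where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:*") as tar:
        names = tar.getnames()
        tar.extractall(str(dest), **extra)
    return names


# Helpers that build constructed sample data for a dry run; these are not real service packs.

def make_workdir() -> str:
    """Temporary directory with an empty apigateway/ subdirectory to extract into."""
    work = tempfile.mkdtemp(prefix="apigw-sp-")
    (Path(work) / "apigateway").mkdir()
    return work


def build_sample_archive(path: str, members: Dict[str, bytes]) -> str:
    """Write a small .tar.gz whose members are given as {name: content}."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    work = make_workdir()
    sample = build_sample_archive(f"{work}/sample.tar.gz",
                                  {"apigw_sp_post_install.sh": b"#!/bin/sh\necho post-install\n"})
    print(apply_service_pack(sample, md5_of(sample), f"{work}/apigateway"))
```

For a real archive, call apply_service_pack with the downloaded file, the MD5 published beside it and INSTALL_DIR/apigateway, then continue with the post-install script as described above.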

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.5.3 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway 7.5.3 SP 7 Analytics over the analytics directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP7_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/analytics/
  3. Change to the analytics directory in your installation:
    Windows: INSTALL_DIR\analytics
    Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
    Windows: apigw_analytics_sp_post_install.bat
    Linux: apigw_analytics_sp_post_install.sh

    Note: On Linux, run the script using the bash command.

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 7 Policy Studio over the policystudio directory within your existing API Gateway 7.5.3 installation directory. For example:
    tar -xzvf APIGateway_7.5.3_SP7_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract API Gateway 7.5.3 SP 7 Configuration Studio over the configurationstudio directory within your existing API Gateway 7.5.3 installation directory. For example: 
    tar -xzvf APIGateway_7.5.3_SP7_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.5.3/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

API Gateway

Note: On the API Gateway Appliance, you can skip the following steps if you already ran the appliance-only commands in Install the API Gateway Core Server service pack.

To allow an unprivileged user to run the API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file:
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.

  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib

  4. Run the following command to reload the library cache file:
    ldconfig

API Manager

Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com.


Copyright © 2018 Axway. All rights reserved.