Axway API Gateway and API Manager 7.6.2 SP1 Readme

Document version: 02 November 2018



Readme for 7.6.2 SP1

This Readme applies to Axway API Gateway and API Manager 7.6.2 SP1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.

The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:

The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.

File packages: An installation archive is provided for all platforms (for example, APIGateway_7.6.2_SP1_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).

Size: The file size differs for each platform. The MD5 checksum is provided for each file.

Fixed issues

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-13150 CVE-2018-1199 Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of unaddressed vulnerabilities.
Resolution: API Gateway now includes Spring framework version 4.3.18.RELEASE.
RDAPI-13547 00981086 Issue: If logged in as an organization administrator, you could access, edit, or delete the application owned by a different organization by changing the application ID in the URL.
Resolution: Now, when authenticated, you can only manage the applications which you are authorized to access.
RDAPI-13597 00976711 Issue: API Gateway does not fail the decryption of a PGP-encrypted signed message when the Verify option is selected in the filter.
Resolution: You can use the new -DpgpFailDecryptNoSignature=true system property to configure whether the message is decrypted in this case.
RDAPI-13728 00977621 Issue: The Username field has no input validation. Also, special characters are not escaped in emails.
Resolution: The Username field validates against a whitelist of allowed characters. Special characters are correctly escaped within emails.
RDAPI-13769 00969445 Issue: It is not possible to trigger a policy when a WebSocket connection is closed.
Resolution: You can now configure a WebSocket listener with a policy to trigger when the connection is closed.
RDAPI-13887 00949535 Issue: API Gateway Manager UI allowed a user who was not logged in to access source files.
Resolution: It is no longer possible to access source files without a successful login.
RDAPI-14076 00982967 Issue: You could grant a role access to a higher level than your own using a PUT request.
Resolution: You can only grant role access to a level lower than your own.
RDAPI-14078 00999092, 01002567 CVE-2018-0737 CVE-2018-0732 Issue: API Gateway shipped with OpenSSL 1.0.2o-fips, which is vulnerable to CVE-2018-0732 and CVE-2018-0737.
Resolution: API Gateway ships now with OpenSSL 1.0.2p-fips, which addresses CVE-2018-0732 and CVE-2018-0737 security vulnerabilities.
RDAPI-14181 01004262 Issue: API Gateway crashed because a URL with too many slashes caused a string length miscalculation and memory corruption in libHTTP.so.
Resolution: The in-memory handling of long URLs in API Gateway has been corrected.
RDAPI-14183 00983725, 01003668, 00984372 Issue: API Manager users could embed malicious code in client OAuth redirect URLs.
Resolution: This security vulnerability is now fixed in API Manager.
RDAPI-14189 00976396, 00933466 Issue: Submitting a token request without specifying any scope would return all application scopes and scopes of APIs that are associated with the application.
Resolution: Set the JVM property <VMArg name="-Dcom.apimanager.application.oauth.restrictScopes=true"/> to return only those scopes which have been added to the application as Application Level scopes and marked as default.
RDAPI-14378 00993607, 00984372 Issue: The URL input field on the Add new trusted certificate dialog in API Manager can be exploited to check for the existence of files on the server, or to map open ports on local network of API Gateway.
Resolution: The URL input field is validated: it must be an HTTP URL, and only public domains are allowed. Also, the same error output is now returned in all cases when no certificate is found.
RDAPI-14457 00981694 CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098
Issue: Bouncy Castle library 1.55 causes security vulnerabilities.
Resolution: API Gateway now ships with Bouncy Castle library version 1.60.
RDAPI-14539 01011534 CVE-2018-3183
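
The validation described for RDAPI-14378 above (HTTP URLs only, public hosts only, one uniform error whatever the reason for rejection) can be implemented as in the following example. This is an added example written for this readme, not Axway's own code; it assumes that both http and https count as HTTP URLs and that "public domain" means the host resolves only to globally routable addresses. The CONSTRUCTED_DNS table and constructed_resolver are stand-ins for DNS so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# One generic message for every rejection, so the response does not reveal whether a
# host was blocked, failed to resolve, or simply had no certificate at that URL.
GENERIC_ERROR = "No certificate could be retrieved from the supplied URL"


def is_public_address(ip):
    """True only for globally routable unicast addresses. Loopback, RFC 1918, link-local,
    unspecified, multicast and reserved ranges (IPv4 and IPv6) are all rejected."""
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def system_resolver(host):
    """Resolve a hostname to every address it maps to, IPv4 and IPv6 (used outside tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_certificate_url(url, resolver=system_resolver):
    """Return (ok, message) for a user-supplied certificate URL.

    ok is True only when the scheme is http or https and every address the host
    resolves to is public. The resolver is injectable so the check can run offline.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed URL, for example unbalanced IPv6 brackets
        return False, GENERIC_ERROR
    if parts.scheme not in ("http", "https") or not host:
        return False, GENERIC_ERROR
    try:
        # A literal IP is checked directly; a hostname is resolved first, so that a
        # public-looking name that points at an internal address is still rejected.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (ValueError, OSError):  # socket.gaierror is an OSError
            return False, GENERIC_ERROR
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, GENERIC_ERROR
    return True, "ok"


# Constructed lookup table standing in for DNS (sample data, not real records).
CONSTRUCTED_DNS = {
    "ca.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],                   # RFC 1918 address
    "mixed.example.com": ["93.184.216.34", "127.0.0.1"],    # one internal record is enough to reject
}


def constructed_resolver(host):
    """Offline resolver over CONSTRUCTED_DNS; unknown names fail like a DNS lookup would."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


if __name__ == "__main__":
    for candidate in ("https://ca.example.com/root.crt", "http://intranet.example.com/root.crt",
                      "http://127.0.0.1:8090/", "file:///etc/hosts", "http://[::1]/"):
        print(candidate, "->", validate_certificate_url(candidate, constructed_resolver))
```

The check validates the name at submission time only; the code that actually fetches the certificate should connect to the address that was validated (or re-run the check), since a DNS answer can change between validation and fetch.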

Other fixed issues

Internal ID Case ID Description
RDAPI-12324 00942402 Issue: When a front-end API is secured using an invoked policy that contains a Connect to URL filter, and the connection to the API fails, API Manager returns 200 or 204 HTTP status instead of 500 Internal Server Error.
Resolution: API Manager now returns 500 Internal Server Error in this scenario.
RDAPI-13273 00976057 Issue: Granting API access to an organization does not generate an alert during POST requests to /proxies/grantaccess endpoint.
Resolution: Any POST request to this endpoint now generates an alarm for organization API access.
RDAPI-13280 00969687 Issue: Policy Studio fails for Data Map creation when importing an XSD file, which has other XSDs included, under Resources > XML Schema Document Bundles > User-defined.
Resolution: An XSD schema, which contains other XSDs, now imports correctly for Data Map creation in Policy Studio.
RDAPI-13287 00946657 Issue: Requiring an encryption password when exporting an API or application collection caused the apimanager-promote script to fail, because it was not possible to provide a decryption password or passfile.
Resolution: The apimanager-promote script now requires a decryption password or passfile.
RDAPI-13557 00957205 Issue: apimanager-promote script returns 0 even when the deployment fails.
Resolution: The script now returns 0 for success and 1 if the deployment fails.
RDAPI-13805 00989086 Issue: After adding a second node manager to a group, the two node managers would have different topology versions.
Resolution: When a second node manager is added, both node managers have the same topology version.
RDAPI-13849 00974976, 00982285, 00975245 Issue: Trailing slashes were not always processed correctly for inbound requests in SOAP and REST APIs.
Resolution: You can set the new com.vordel.apimanager.uri.path.trailingSlash.preserve Java property to 'true' to allow inbound API requests with trailing slash to match API path with no trailing slash.
RDAPI-13871 Issue: API Gateway Manager user and password audit events were missing information that is useful from an audit perspective.
Resolution: User events (create, delete, and update) and Password (change and reset) events now show the relevant information for an audit.
RDAPI-13882 00968176 Issue: Using the implicit OAuth flow, the token response did not include scopes for the token in the location header of the response, even when the scopes were different to the request, as required by the specification.
Resolution: The implicit OAuth token response always contains the scopes whether they are different from the requested scopes or not.
RDAPI-13906 01005883, 00998723, 00997199 Issue: You could not successfully create OCSP Client, Security Token Service Client, or XACML PEP filters in Policy Studio due to a missing resource.
Resolution: The filters can now be created successfully in Policy Studio.
RDAPI-13930 00966823 Issue: API Gateway JMS Service threads get locked when trying to reconnect after an external JMS server outage.
Resolution: JMS threads now reconnect automatically after an external JMS server outage.
RDAPI-13938 00994951, 00990926 Issue: Each API Manager instance was showing metrics for all groups in the domain, not just its own.
Resolution: Each API Manager instance only shows metrics for its own group.
RDAPI-13945 Issue: HTTP status codes were incorrect in the API Manager-specific fault response; a 500 error was always returned. Also, the SOAP error response needed to respect the HTTP error code.
Resolution: API Manager specific fault response now sends the correct status code, and the SOAP fault code is returned respecting the HTTP error response.
RDAPI-13947 Issue: For a given fault handler filter, if the Show detailed explanation of error option was selected, the custom error message set was not populated in the HTTP response, and a generic error was displayed instead.
Resolution: The custom error message is now displayed in the response if this option is selected. In addition, some improvements were made including rendering a correct SOAP version fault body based on the option set in the SOAP fault handler.
RDAPI-13964 00989460 Issue: API Manager did not import or show the correct response definitions, or would fail to display the API method.
Resolution: API Manager imports and displays the response definitions correctly.
RDAPI-13974 00956029 Issue: When the metrics database was changed for API Manager in Policy Studio, the change was not being saved.
Resolution: When the metrics database is changed, the user is prompted to save the change before continuing.
RDAPI-13982 00961953 Issue: Deleting an API Manager front-end API in a system with many APIs and quotas took too long because the application hit the database with many unnecessary CRUD operations.
Resolution: Only necessary operations are performed now, and deleting a front-end API should only take a few seconds, depending on how close API Gateway is to the Apache Cassandra cluster.
RDAPI-13987 00987739 Issue: Import of a WSDL into API Manager was hanging.
Resolution: The import completes successfully now.
RDAPI-14003 00979243 Issue: Incoming requests for URLs containing encoded extended ASCII characters could result in error when writing Traffic Monitoring records and cause memory leak.
Resolution: The extended ASCII characters are no longer treated as a malformed UTF-8 string, and the memory leak no longer happens.
RDAPI-14006 00979478 Issue: When a method overriding points to a back-end API or method other than the default option, set at virtualization time, the proxy associated with the method overriding, once persisted, cannot be edited anymore.
Resolution: The proxy associated with the method overriding can now be edited after being persisted in API Manager.
RDAPI-14007 00966062 Issue: When using the Connect To URL filter to connect to a remote host in an External Identity Provider circuit, the connections would never be released back to the connection pool once the processing was completed.
Resolution: The remote host connections are released at the end of processing requests to an External Identity Provider.
RDAPI-14011 00999506 Issue: When the API settings content types check is enabled with application/json, API Gateway returns error 404 for REST API methods designed to consume content types.
Resolution: The API Gateway REST API method content types check option now works as expected.
RDAPI-14016 00996887 Issue: Traffic Monitoring UI fails to display non-HTTP transactions if the API Gateway instance did not have any HTTP traffic yet.
Resolution: The absence of HTTP schema in OpsDB configuration is now correctly handled.
RDAPI-14018 00993963 Issue: managedomain displayed an Invalid group passphrase error when the Submit externally signed certificate option was used.
Resolution: Using the Submit externally signed certificate option no longer results in an error.
RDAPI-14021 00992660 Issue: Using the Find Certificate filter causes memory leak.
Resolution: Native components are now correctly freed when an error is raised.
RDAPI-14023 00983348 Issue: Unexpected 403 response when sending a POST request with default profiles to /proxies to virtualize an API.
Resolution: Default profiles are accepted when sending a POST request to /proxies in order to virtualize an API.
RDAPI-14043 00949984 Issue: API Gateway Authorization Request filter had limited diagnostic output in traces for troubleshooting.
Resolution: API Gateway Authorization Request filter produces more diagnostic output information in traces.
RDAPI-14068 00986597 Issue: You could not create API Manager users with commas in their name. The validation failure was not being written to the trace log.
Resolution: Commas are permitted in the names of API Manager users, and validation errors for new users are logged correctly.
RDAPI-14085 00973925 Issue: apimanager-promote script does not update an application with the same name if the application ID is different.
Resolution: apimanager-promote now updates an application with the same name irrespective of application ID.
RDAPI-14088 00983879 Issue: You could not environmentalize open traffic event log settings in Policy Studio.
Resolution: Open traffic event log settings can be environmentalized directly under Server Settings > Logging > Open Traffic Event Log or by navigating to the configuration from Environment Configuration > Environment Settings.
RDAPI-14102 01000980 Issue: Content-Type of the Consumes and Produces type is missing in API Manager for PATCH methods imported from Swagger.
Resolution: Content-Type of the Consumes and Produces type is displayed in API Manager.
RDAPI-14121 00978019 Issue: Duplicate claim error when adding a sub claim as an additional JWT claim in the OAuth client (External Connections > Client Credentials > OAuth2). Adding a kid claim to be included in the JWT header was not supported.
Resolution: Additional JWT claims for sub and kid are fully supported and work as expected.
RDAPI-14137 00977062 Issue: Invalid file name error in API Manager when downloading the Swagger for an API if the API name contains unsupported characters (for example, ':', '@', '*', '~').
Resolution: API Manager replaces unsupported characters in the name with underscores, and the Swagger file can be downloaded as expected.
RDAPI-14149 00977732 Issue: Using API Manager with Internet Explorer or Edge browsers to import a back-end API required you to click the Select file button twice before it worked.
Resolution: The Select file button now works on the first click.
RDAPI-14151 00996951 Issue: API Gateway reported a license error when the user did not have permission to access log files in the /tmp directory.
Resolution: API Gateway no longer generates log files in /tmp. The API Gateway event log (Log4j 2) configuration file is now at /system/conf/loggers/eventLog.xml. The API Gateway Open traffic log (Log4j 2) configuration file is now at /system/conf/loggers/openTrafficLog.xml.
RDAPI-14156 00973390 Issue: You could not environmentalize the Enable Embedded Active MQ Broker checkbox in Policy Studio under Server Settings > Embedded Active MQ configuration.
Resolution: You can environmentalize both the enable Active MQ and the policy selection settings separately.
RDAPI-14164 00948031 Issue: The Save button is not enabled in Policy Studio when you select Server Settings > General > Input Encodings or Output Encodings for environmentalization.
Resolution: The Save button is enabled when you select these fields for environmentalization.
RDAPI-14209 00963367 Issue: When reimporting applications with quota overrides that were exported using the 8075 UI or the REST API with the Export quota overrides option selected, the API in the override quota changed to Undefined.
Resolution: Locating the API in the quota settings during application import is now fixed. Error messages have also been added for the cases where a method within the API, or the API itself, was not found.
RDAPI-14232 00991420 Issue: In the API Gateway access log, the time zone is not correct if daylight savings is in effect.
Resolution: The time zone is always correct and includes daylight savings if applicable.
RDAPI-14289 00980228 Issue: API Manager UI hangs when adding user to application.
Resolution: UI performance issue when adding or removing users from an application in API Manager is fixed now.
RDAPI-14294 00987083 Issue: You could not create a certificate with expiry date after 2037 in Policy Studio on Windows.
Resolution: You can create a certificate with expiry date after 2037.
RDAPI-14322 00987708 Issue: API Gateway crashed when sending a request to an ICAP server.
Resolution: The crash was caused by the JSON document body object closing the connection before sending data; this has been corrected.
RDAPI-14330 00970289 Issue: Inconsistent data in the audit log for API access and applications in API Manager.
Resolution: Inconsistencies in audit log messages for API access and application CRUD operations have been removed. Now the _message_ field contains human readable object names, and object UUIDs are written to the _metadata_ field. Inconsistencies in audit log messages for organizations and permissions have also been consolidated.
RDAPI-14332 Issue: Key Property Store (KPS) does not cache the identifier of a record that does not exist. This results in unnecessary database requests and poor performance.
Resolution: API Gateway now caches the request to a record that does not exist, which reduces database hits and improves performance.
RDAPI-14336 00976755, 00976945 Issue: I/O streams were not closed in case of errors during CRL processing. Also, some memory allocations related to OpenSSL function calls were not required.
Resolution: I/O streams are closed when they are no longer needed, and extra memory is not allocated when calling OpenSSL functions.
RDAPI-14393 00969324 Issue: Data inconsistency in the API Gateway Analytics UI when changing views from long term to short term.
Resolution: The inconsistency no longer occurs.
RDAPI-14413 00978229 Issue: When HTTP requests failed, request paths were not recorded correctly in the Transaction Event Log.
Resolution: Request paths are always recorded correctly.
RDAPI-14449 01005122, 01000908, 01001167 Issue: API Gateway Service Pack 8 post install script was overwriting the conf/acl.json file. Changes made by customers to this file were lost.
Resolution: Post install script now only changes the affected line in the acl.json file.
RDAPI-14454 01006639 Issue: Adding a query string to a front-end API using Outbound > Advanced > Per Method Override > Edit API proxy results in the wrong query string if the front-end API back-end service URL already had a query string.
Resolution: The query string is correctly added now.
RDAPI-14455 01008564 Issue: The Cassandra Throttling settings section was missing in API Gateway documentation.
Resolution: The Cassandra Throttling settings section can be found in the API Gateway Administrator Guide.

Known issues

This service pack has the following known issues, which are planned for a future release.

Internal ID Description
RDAPI-13123 External OAuth scopes will not match if extra scopes are present
RDAPI-13433 API Manager generates wrong top-level OAuth security requirements in Swagger
RDAPI-13933 Data Mapper in Policy Studio not working for XML to JSON
RDAPI-14044 API Manager/Portal self registration fails for emails containing '+' sign
RDAPI-14070 apimanager-promote fails with a password containing ':'
RDAPI-14095 SSL handshake fails during HTTPS WSDL import in API Manager
RDAPI-14203 Issue with qualified schema in Visual Data Mapper
RDAPI-14225 Stored XSS in the application's OAuth Redirect URL. Encode OAuth Redirect URLs on output
RDAPI-14241 Issues importing Swagger 1.2 files
RDAPI-14321 Improper handling of SOAP WSDL with several service ports
RDAPI-14388 Impossible to import same WSDL twice
RDAPI-14403 FTP Poller - Remote file delete in case of failure when poller is configured to "do nothing"
RDAPI-14405 Error with OAuth2 Application Settings using selectors
RDAPI-14426 Content theft using Image Upload and Flash
RDAPI-14470 First In First Out eviction: adding existing data removes the original instead of updating it
RDAPI-14472 First In First Out eviction policy doesn't work as expected with the Persist to disk option
RDAPI-14484 Environmentalized field is missing after upgrade from 7.5.3 to 7.6.2
RDAPI-14543 Missing token check with outbound OAuth client credentials flow
RDAPI-14546 ZDD API unpublish mechanism doesn't work correctly
RDAPI-14555 Incorrect handling with expired refresh token - outbound OAuth
RDAPI-14557 Inconsistent error messages between GET and POST requests in case of "no match found for request"

Install the service pack

These instructions apply to both API Gateway and API Manager.

For API Gateway container deployments, follow the instructions for applying a Service Pack in the API Gateway Container Deployment Guide.

Prerequisites

This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:

  1. Shut down any Node Manager or API Gateway instances on your existing installation.
  2. Back up your existing installation. For details on backing up, see the API Gateway Administrator Guide.
  3. Remove any old third-party libraries. To do this, delete the INSTALL_DIR/system/lib/modules directory.
  4. If you have an existing Apache Cassandra installation, ensure that you back up your data (Cassandra and kpsadmin), and that the JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.

FIPS mode only

If FIPS mode is enabled, you must perform the following steps to install the service pack:

  1. Run togglefips --disable to turn FIPS mode off.
  2. Start the Node Manager to move the JARs.
  3. Stop the Node Manager.
  4. Install the API Gateway service pack.
  5. Start the Node Manager.
  6. Stop the Node Manager.
  7. Run togglefips --enable to turn FIPS on again.
  8. Start the Node Manager.

Installation

This section describes how to install the service pack on existing installations of API Gateway or API Manager.

Install the API Gateway server service pack

Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.

To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:

  1. Ensure that your existing API Gateway instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Remove any previous patches from your INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
  3. Unzip and extract API Gateway 7.6.2 SP1 server over the apigateway directory in your existing installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/
  4. Change to the apigateway directory in your installation:
     Linux: INSTALL_DIR/apigateway
  5. Run the following script:
     Linux: apigw_sp_post_install.sh
     Note: On Linux, run the script using the bash command, and ensure that the correct permissions are set.

Install the API Gateway Analytics service pack

To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:

  1. Ensure that your existing API Gateway Analytics instance and Node Manager have been stopped. For more details, see the API Gateway Administrator Guide.
  2. Unzip and extract API Gateway Analytics 7.6.2 SP1 over the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
    tar -xzvf APIGateway_7.6.2_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
  3. Change to the analytics directory in your installation:
     Linux: INSTALL_DIR/analytics
  4. Run the post-install script for API Gateway Analytics:
     Linux: apigw_analytics_sp_post_install.sh

Install the Policy Studio service pack

To install the service pack on your existing Policy Studio installation, perform the following steps:

  1. Shut down Policy Studio.
  2. Back up your existing INSTALL_DIR/policystudio directory.
  3. Unzip and extract API Gateway 7.6.2 SP1 Policy Studio over the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/

Note: The first time you start Policy Studio, you must use policystudio -clean.

Install the Configuration Studio service pack

To install the service pack on your existing Configuration Studio installation, perform the following steps:

  1. Shut down Configuration Studio.
  2. Back up your existing INSTALL_DIR/configurationstudio directory.
  3. Unzip and extract Configuration Studio 7.6.2 SP1 over the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example: 
    tar -xzvf APIGateway_7.6.2_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/

Note: The first time you start Configuration Studio, you must use configurationstudio -clean.

After installation

The following steps apply after installing the service pack.

API Gateway

To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:

  1. Add the following line to the INSTALL_DIR/system/conf/jvm.xml file: 
    <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
  2. Run the command setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
  3. Create a file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
    INSTALL_DIR/platform/jre/lib/amd64/server
    INSTALL_DIR/platform/jre/lib/amd64
    INSTALL_DIR/platform/lib/engines
    INSTALL_DIR/platform/lib
    INSTALL_DIR/ext/lib
  4. Run the following command to reload the library cache file:
    ldconfig

API Manager

Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.

Documentation

Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.

The following reference documents are available on the Documentation portal at http://docs.axway.com:

Support

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support at https://support.axway.com

Copyright © 2018 Axway. All rights reserved.