API Portal 7.7 November 2020 Release Notes

Summary

API Portal provides an API consumer-facing interface that you can customize to match your corporate brand. API Portal is a layered product linked to API Manager, and requires both API Manager and API Gateway. For more information, see the API Gateway and API Manager documentation.

Installation

API Portal is available as a software installation or a virtualized deployment in a Docker container. For more information, see the following options:

New features and enhancements

Production-ready Docker container

In this update, we are releasing phase 1 of the API Portal production-ready Docker container image, which involves the following:

  • Internal security review completed.
  • Support for CentOS 8.
  • Build and run Docker as a non-root user.
  • The container is upgradable.

Red Hat Enterprise 8 support

  • Official support added for RHEL 8 for the standalone (non-docker) API Portal.
  • Supported platform matrix updated to include RHEL 8.

Security improvements

  • Virus scanning of uploaded files via API Portal interface.
  • Personally identifiable information (PII) is now protected using Globally Unique Identifiers (GUIDs) in all log files generated by API Portal. Each user in API Portal is associated with a GUID, which is used instead of the user name to protect the user data in compliance with the General Data Protection Regulation (GDPR).

Cumulative upgrade script

We had previously released a cumulative upgrade script to help customers to upgrade from 7.5.5 and 7.6.2 to the 7.7 July 2020 update. This script has been updated to upgrade customers to the 7.7 November 2020 update in line with the end of support for the 7.5.x and 7.6.x product lines in November 2020.

For more information, see Upgrade API Portal using the cumulative upgrade script.

User experience improvements

Sort the API Catalog by newest or oldest APIs.

Configuration setting in the Joomla Administration Interface (JAI) to show or hide APIs, by status, in the catalog.

Limitations of this update

This update has the following limitations:

  • API Portal 7.7.20201130 is compatible with API Gateway and API Manager 7.7.20201130 only.
  • Upgrade to API Portal 7.7.20201130 is supported from API Portal 7.7 only.
  • This update is not available as a virtual appliance or as a managed service on Axway Cloud.
  • Upgrading from previous API Portal Docker image is not supported.

Important changes

There are no major changes in this update.

Deprecated features

As part of our software development life cycle we constantly review our API Management offering. In this update, the following capabilities have been deprecated:

  • API Portal versions 7.5.x and 7.6.x reached end of support (EOS) in November 2020.

Removed features

Enable user listing configuration

After a recent security fix in API Manager, the Enable user listing option is no longer needed in API Portal, and has been removed.

For previous versions of API Portal, which still use the Enable user listing option, see API Portal - Customize application sharing settings.

Related Issues: IAP-3616, RDAPI-17343

Fixed issues

This version of API Portal includes:

  • Fixes from all 7.5.5, 7.6.2, and 7.7 service packs released prior to this version. For details of all the service pack fixes included, see the corresponding SP Readme attached to each service pack on Axway Support.
  • Fixes from all 7.7 updates released prior to this version. For details of all the update fixes included, see the corresponding release note for each 7.7 update.

Fixed security vulnerabilities

| Internal ID | Case ID | CVE Identifier | Description |
|---|---|---|---|
| IAP-3180 | | | Issue: PII (personally identifiable information) appearing in log files. Resolution: PII such as the user name is replaced with the associated GUID in log files. |
| IAP-3179 | | | Issue: Insufficient logging for successful logins, access control failures, and failed input validation attempts. Resolution: Each log entry now includes the information needed for a detailed investigation of the timeline of an event. |
| IAP-3579 | 1195741 | | Issue: XSS was possible on the TryIt page. Resolution: The `apiId` query parameter is now sanitized before being output. |
| IAP-3175 | | | Issue: When SSO is configured, log information coming from untrusted sources is not sanitized in any way, making it possible for an attacker to inject new lines in the logs. Resolution: The data is now sanitized. |
| IAP-3652 | 1195741 | | Issue: HTTP Host header can be controlled by an attacker. Resolution: Documentation was updated with information on how to prevent this. For more information, see Prevent host header attack. |
| IAP-3178 | | | Issue: Passwords containing leading or trailing spaces were trimmed. Resolution: Leading or trailing spaces are considered legitimate characters in a password. |
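
The two logging fixes listed above (IAP-3180 and IAP-3175) can be illustrated together. The following Python is an added example, not API Portal code: it writes a log entry keyed by a per-user GUID instead of the user name, and escapes control characters in untrusted values so they cannot start a new log line. The function names, the in-memory GUID map, and the sample SSO attribute are assumptions made for the illustration.

```python
import re
import uuid

# Assumption: an in-memory map stands in for wherever the product stores user GUIDs.
USER_GUIDS = {}

# CR, LF and other control or line-separator characters that can break a log line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")


def guid_for(username):
    """Return a stable GUID for a user name, creating one on first use."""
    return USER_GUIDS.setdefault(username, str(uuid.uuid4()))


def neutralize(value):
    """Escape backslashes and control characters in an untrusted value."""
    text = str(value).replace("\\", "\\\\")
    return CONTROL_CHARS.sub(lambda m: "\\u%04x" % ord(m.group()), text)


def format_event(event, username, **fields):
    """Build one single-line log entry that names the user only by GUID."""
    parts = ["event=%s" % neutralize(event), "user=%s" % guid_for(username)]
    for key in sorted(fields):
        quoted = neutralize(fields[key]).replace('"', '\\"')
        parts.append('%s="%s"' % (key, quoted))
    return " ".join(parts)


# Constructed sample: an SSO-supplied attribute carrying a forged second log line.
SAMPLE_ATTR = "alice\n2020-11-30 12:00:00 event=login_success user=admin"

if __name__ == "__main__":
    print(format_event("sso_login_failed", "alice@example.com", idp_name=SAMPLE_ATTR))
```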

Other fixed issues

| Internal ID | Case ID | Description |
|---|---|---|
| IAP-3559 | 1190447 | Issue: Generated authentications do not appear when the Applications page is disabled. Resolution: Generated authentications are now displayed regardless of the Applications page status. |
| IAP-3564 | 1190447 | Issue: The ‘Create Application’ button remains on the Try-It page even when it is disabled in JAI. Resolution: The JAI config option is taken into account. |
| IAP-3730 | 1207734 | Issue: An SQL query that is supposed to run only on upgrade was also executed on installation. Resolution: The query is now executed only on upgrade. |

Known issues

The following are known issues for this update.

When the Multi Manager feature is configured, API Portal users are no longer able to log in

After a recent bug fix in API Manager (RDAPI-20021), the Authenticate to Master policy is no longer working in releases earlier than API Portal July 2020. To fix this, perform the following steps:

  1. Open all slave manager configurations in Policy Studio, and click to Edit the AuthenticateToMaster policy.
  2. Click the Login to Master (Connect to URL) filter, and enter Accept: */* for the Request Protocol Header.
  3. Press the Enter key twice to create two blank lines after Accept: */*.

Related Issue: IAP-3435

Page layout and alignment for Arabic language

Changing the API Portal language to Arabic (or any other right-to-left language) results in issues with page layout and alignment on the API Portal Home and Pricing pages, and some buttons are not visible. As a workaround, you can turn on the development mode in JAI. Follow these steps:

  1. Log in to Joomla! Admin Interface (JAI).
  2. In the JAI top navigation bar, click Extensions > Templates.
  3. Click your template style (for example, purity_III * Default) to open it.
  4. Click the General tab.
  5. Change Development Mode to ON.
  6. Click Save and click Close to close the template style.

Related Issue: IAP-308

Documentation

This section describes documentation enhancements and related documentation.

Documentation enhancements

The latest version of API Gateway, API Manager, and API Portal documentation has been migrated to Markdown format and is available in a public GitHub repository to prepare for future collaboration using an open source model. As part of this migration, the documentation has been restructured to help users navigate the content and find the information they are looking for more easily.

Documentation change history is now stored in GitHub. To see details of changes on any page, click the link in the Last modified section at the bottom of the page.

To find all available documentation for this product version:

  1. Go to Manuals on the Axway Documentation portal.
  2. In the left pane Filters list, select your product or product version.

Customers with active support contracts need to log in to access restricted content.

The following reference documents are also available:

  • Supported Platforms - Lists the different operating systems, databases, browsers, and thick client platforms supported by each Axway product.
  • Interoperability Matrix - Provides product version and interoperability information for Axway products.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support.

See Get help with API Gateway for the information that you should be prepared to provide when you contact Axway Support.