API Gateway and API Manager 7.7 August 2022 Release Notes

16 minute read

API Gateway and API Manager updates are cumulative, comprising new features and changes delivered in previous updates unless specifically indicated otherwise in the Release notes.

In this release, we’re adding some user interface (UI) and user experience (UX) improvements, additional support for YAML, externalisation of the configuration for the Admin Node Manager, and the capability to use FIPS with Open SSL 3.0. We keep working to make Amplify API Management a top solution that helps you to control of all your APIs and events across gateways, vendors, and environments!

Installation

Update a container deployment

Any custom .fed files deployed to a container must be upgraded using upgradeconfig or projupgrade. They must be upgraded the same way, regardless of whether they are API Manager enabled or not. The .fed files contain the updates for the API Manager configuration and can be used to build containers.

New features and enhancements

The following new features and enhancements are available in this update.

Configure a Node Manager Docker container to use a persisted volume for Node Manager configuration

This feature enhancement allows a Node Manager in container mode to be reconfigured without the need to rebake its Docker image. Configuration updates such as policy changes, JVM system properties, environment properties and so on, can now be mounted on a Docker Volume and made available to a Node Manager container. For more information, see Create an API Gateway with Docker volumes.

YAML and Policy Studio

As part of our work to facilitate YAML configuration, with this update YAML is now supported in Policy Studio with specific enhancements made in Environmentalisation.

Important changes

It is important, especially when upgrading from an earlier version, to be aware of the following changes in the behavior or operation of the product in this update, which may impact your current installation.

Reintroduction of Federal Information Processing Standards (FIPS)

FIPS capabilities have been reintroduced into API Gateway combined with an upgrade of OpenSSL 3.0.5.

Enabling FIPS restricts cryptographic cipher options pertaining to message encryption and decryption and signature and verification, and it also increases the minimum key length size to those approved by the Federal Information Processing Standard (140-2).

For more information, see Restrictions when running in FIPS mode.

Reintroducing FIPS also resulted in changes to the openssl.cnf file. The default_sect and legacy_sect options are now disabled by default in the INSTALL_DIR/apigateway/conf/openssl.cnf file.

The bundled XML Security Library does not contain the changes required to use the OpenSSL 3.0 FIPS module. As a consequence, XML encryption and signing are not guaranteed to be FIPS compliant.

Hardware Security Module (HSM) usage is not supported in FIPS mode. It is intended that support will be introduced in a future release.

Policy Studio and Configuration Studio update process

During the Policy Studio and Configuration Studio update process, the plugins directory is deleted and then recreated with the new plugins. Therefore, any custom plugins added to this directory is removed.

For more information, see Install a Policy Studio update and Install a Configuration Studio update.

API Gateway validates HTTP cookies as per RFC 6265. A new com.axway.apigw.cookie.validation.ignore Java system property has been added to bypass cookie validation introduced in API Gateway May 2021 release. When the property is set to true, API Gateway skips cookie validation.

For more information, see System property changes.

HTTP Redirect and Connect to URL filters fail URLs containing non-encoded characters

The HTTP Redirect filter now fails URLs containing non-encoded CRLF characters with an Internal Server Error instead of passing with a 301 Moved Permanently response with no location header.

The Connect to URL filter now fails URLs containing non-encoded trailing CRLF characters with an Internal Server Error instead of passing the trimmed URL without the trailing CRLF characters to the server.

For more information, see HTTP redirect filter and Connect to URL filter.

Organization administrator self-service API publishing

When Self-service API publishing is enabled, Organization administrators can access APIs for the organizations they are a member of or have been granted access to. Previously, when self-service was enabled, API Manager incorrectly allowed access to APIs in other organizations even when no API access was granted.

Customer’s scripts or client applications might now fail to get APIs from other organizations if the Organization administrators have not been granted access to these APIs.

For more information, see API Manager access control, Organization administrator.

API Gateway expression language resolver changed

The expression language resolver, which is used to resolve selector statements, was loading multiple expression resolvers into the API Gateway instance, leading to unpredictable behavior. This has been fixed to always use the JUEL API resolver.

CSP header updated

The default CSP header has been changed to improve security and remove references to unused Axway assets. If you have a custom CSP header defined, see the new defaults.

For API Manager

script-src 'self' 'unsafe-eval'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data: blob:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://*:8075 https://*:8065 https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'

For API Gateway Manager

script-src 'self' 'unsafe-eval'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data: blob:; object-src 'self'; media-src 'self'; frame-src 'self';frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'

For API Gateway Analytics

script-src 'self' 'unsafe-eval'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data: blob:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self'; form-action 'self'; prefetch-src 'none'

For more information, see Define a restrictive Content Security Policy.

New Cassandra user script

A new script has been added to help in creating new users in Cassandra. It is located at apigateway/samples/cassandrauser/scripts/createuser.sh. For more information, see Create a new Cassandra database user.

Disable connection cache for LDAP authentication using Auth Repository

Setting the cache refresh interval of a LDAP authentication via Auth Repository will now disable the cache altogether. For more information, see General settings in Policy Studio

OpenJDK JRE update to v8u345

API Gateway 7.7 and API Manager 7.7 support OpenJDK JRE. This update includes Zulu OpenJDK v8u345.

Deprecated features

No features have been deprecated in this update.

End of support notices

There are no end of support notices in this update.

Removed features

No features have been removed in this update.

Fixed issues

This version of API Gateway and API Manager includes:

  • Fixes from all 7.7 updates released prior to this version. For details of all the update fixes included, see the corresponding Release note for each 7.7 update.
  • Additional fixes might be delivered as patches up to 15 months after the release date. You can find the list of patches available on top of this update on Axway Support. If no patches were created for this release, the link will return “No search results found”.

Fixed security vulnerabilities

Internal ID Case ID Cve Identifier Description
RDAPI-27212 01362214 CVE-2016-9063 Issue: API Gateway libexpat version 1.95.7 is vulnerable to CVE-2021-45960. Resolution: libexpat version is now upgraded to 2.4.8, which is not vulnerable to CVE-2021-45960.
RDAPI-27290 01365642 Issue: When api.manager.orgadmin.selfservice.enabled, system property is set to true, an organization administrator can see APIs of other organizations. Resolution: When self-service is enabled, an organization administrator can only see APIs for organizations they are a member of or have been granted access to.
RDAPI-27638 01373636 01372464 CVE-2020-15250 Issue: A vulnerability has been found in old dependencies on nimbus-jose-jwt and json-smart. Resolution: Upgraded the dependencies to the latest version for json-smart and nimbus-jose-jwt.
RDAPI-27710 01379534 CVE-2020-13947 Issue: API Gateway is delivered with ActiveMQ 5.16.0, which is vulnerable to CVEs. Resolution: ActiveMQ version delivered is now 5.16.5
RDAPI-27711 01379534 CVE-2018-14721 Issue: Scans of Ehcache version 2.10.6 generates a false positive Security Vulnerability CVE-2018-14721. Resolution: Ehcache is now upgraded to version 2.10.9.2 to remove false positive scan results.
RDAPI-28116 01393767 01406653 CVE-2018-25032 CVE-2022-21426 CVE-2022-21434 CVE-2022-21443 CVE-2022-21449 CVE-2022-21476 CVE-2022-21496 CVE-2022-21540 CVE-2022-21541 CVE-2022-21549 CVE-2022-34169 Issue: These CVEs were reported against JRE 8u322. Resolution: This release includes JRE 8u345

Other fixed issues

Internal ID Case ID Description
RDAPI-19293 01136738 Issue: API Catalog Try It only shows the first device in the security profile and is not configurable. Resolution: There is now an API Authentication widget on the Try It to allow the user to select which device they would like to use.
RDAPI-20742 01167184 Issue: Deleting containers of Environmentalized Settings is highly inconsistent when it has more the one child element. Resolution: The delete action is now removing all child elements.
RDAPI-23233 01233054 Issue: The user was not redirected to the login screen after clicking OK on the session timeout dialog. Resolution: The user is now redirected to the login screen after clicking OK on the session timeout dialog.
RDAPI-25159 01285629 Issue: There is no easy way for creating a non-superuser level account for Cassandra access. Resolution: You can now create a non-superuser with the required permissions using the script under VORDEL_ROOT/apigateway/samples/cassandrauser/scripts
RDAPI-25175 01286047 Issue: Inconsistent behavior of API Manager UI Swagger API Import with multiple user sessions. Resolution: API Manager UI now updates API Manager settings from the API Manager server periodically based on the configured polling_interval in <INSTALL_DIR>/apigateway/webapps/apiportal/vordel/apiportal/app/app.config file. Defaults to 15 seconds.
RDAPI-26254 01321275 Issue: API Key section of the API catalog was not displaying the correct information for API Key Location that was set on the inbound profile. Resolution: API Key section of the API catalog is now consistent with the location set on the inbound profile.
RDAPI-26696 01337399 Issue: An Axway Sentinel link event child-tracked object’s name is not the name configured in the Sentinel Cycle Link filter. Resolution: Now, an Axway Sentinel link event child tracked object’s name is updated to use the Sentinel Cycle Link filter configured name.
RDAPI-27000 01385492 01354167 01352724 01363181 01381794 01388240 Issue: OAS3 APIs cannot be imported due to the example field for parameters in date-time format. Resolution: OAS3 APIs with the example field set for parameters in date-time format are now successfully imported.
RDAPI-27073 01340727 Issue: Open traffic event logs "status":200 when recvHeader is null. Resolution: The open traffic event now logs the client transaction status code as ‘0’ and text as ‘Unexpected’ if no response is received from the server. If a response is received from the server, then the received status code and text are logged.
RDAPI-27084 01357449 Issue: When editing an Application, toggling the quota override when a constraint was in error caused the ‘Invalid field’ button to remain on screen, preventing the user from navigating back to the main Applications screen. Resolution: The validation and event handling for quota overrides have been updated so that the Back button correctly appears when quota overrides are OFF.
RDAPI-27394 01362984 Issue: A function that was called by managedomain when trying to submit a certificate signed by an External CA was missing an argument. Resolution: The missing argument was added, and Certificates can now be submitted successfully in this use-case.
RDAPI-27436 01354669 Issue: The refresh button on the API Manager > Frontend API screen becomes greyed out when it’s clicked in the case where new APIs are created without refreshing the page (such as through an API call), and the button is clicked Resolution: This is no longer an issue, and the button no longer becomes greyed out, loading new APIs as appropriate
RDAPI-27443 01369583 Issue: A Policy Studio/Configuration Studio update does not remove old plugins during the update. The old plugins are unused by Policy Studio and Configuration Studio, but jars in these unused plugins can still be picked up in security dependency scans. Resolution: A Policy Studio/Configuration Studio update now deletes and recreates the plugins folder during the update.
RDAPI-27448 01370121 Issue: The generated product OAS3 API definitions contain a default value for the LockUserAccount schema that is in an incorrect format (‘string’ rather than ‘object’). Resolution: The swagger libraries used to generate the product OAS API definitions have been upgraded so that the LockUserAccount default is of the correct format.
RDAPI-27556 01372754 Issue: In Policy Studio, when attempting to add a Remote Host Condition to an existing Interface (HTTP/S port) in a YAML configuration, an error was thrown, preventing the condition from being displayed. Resolution: In Policy Studio, the treenode decorator for the Ports editor has been updated to correctly retrieve the ‘alias’ field of the selected Remote Host, thus preventing the error from being thrown and successfully displaying the condition when editing a YAML configuration.
RDAPI-27557 01369680 Issue: The apigw-backup-tool script fails to restore the tables successfully but shows up the message “Restore Successful” Resolution: Fixed the apigw-backup-tool to show up an error message when user data is not populated after restoration.
RDAPI-27563 01367621 Issue: LDAP authentication via authentication repository does not allow disabling the cache. Resolution: LDAP authentication via the authentication repository now allows the cache to be disabled.
RDAPI-27599 01375300 Issue: Tabs in the WebSocket configuration dialog were missing. Resolution: The missing tabs in the WebSocket configuration dialog are now showing again.
RDAPI-27630 01377318 Issue: API Manager was encoding new lines when storing API tags in KPS. Resolution: API Manager now encodes tags without a line break.
RDAPI-27663 01376137 Issue: Decryption fails when decrypting multiple elements in an encrypted XML with “Removed the EncryptedKey Element used in Decryption” checked. Resolution: The encrypted key elements are removed from the DOM after decrypting all encrypted elements.
RDAPI-27707 01377113 Issue: API Manager API fails to fetch all APIs Swagger 2.0 representation with invalid parameter types in imported WADL APIs. Resolution: API Manager now fetches all APIs Swagger 2.0 representation where invalid parameter types are set to string.
RDAPI-27803 01367621 Issue: Axway doc says LDAP Connection “connectiontimeout” and “cachesize” can be set to zero, but that does not work as expected. Resolution: The documentation has been updated to be in sync with the code. The minimum values allowed for “connectiontimeout” and “cachesize are 2000ms and 1 connection, respectively. Anything set less than these values will trigger the default values of 300000 ms (5 mins) and 8 connections.
RDAPI-27804 01381544 Issue: Query parameter value containing trailing CRLF in HTTP Redirect and Connect to URL filters may be either discarded or set incorrectly. Resolution: HTTP Redirect filter now validates the destination URL and fails with an Internal Server Error response for non-encoded CRLF values. Connect to URL filter now fails with an Internal Server Error response for URL with non-encoded trailing CRLF value.
RDAPI-27888 01382791 01384839 Issue: API Gateway Get Cookie filter no longer allows RFC-invalid cookie values. Resolution: A new com.axway.apigw.cookie.validation.ignore Java system property has been added allowing to bypass the cookie validation in this filter. Defaults to false.
RDAPI-27895 01385143 Issue: The ‘Upgrade access to newer API’ feature in the API Manager UI does not list the available APIs as expected. Resolution: The available APIs are now listed when a user tries to upgrade the access of an API.
RDAPI-27974 01388854 Issue: API docs for Traffic Monitor Swagger was showing incorrect URLs. Resolution: API docs now show the updated Swagger with correct URLs.

Known issues

The following are known issues for this update.

EdDSA certificates are not currently supported

TLS and PKI certificates using EdDSA signatures (ed25519 and ed448) for authentication are not currently supported within API Gateway. Certificates cannot be imported into the config file, and connections are not be established with external endpoints that use EdDSA certificates.

Related Issue: RDAPI-28033

API Analytics PDF reports do not display chart contents

In API Analytics, the PDF reports no longer correctly display the contents of the charts. This issue has arisen due to a security upgrade of the Highcharts.js charting library. We are working on the fix of this functionality, to be released in a future update of API Gateway.

Related Issue: RDAPI-27301

Scripting filter whiteboard attributes not preloaded for Jython scripts

The Scripting filter now uses a Jython 2.7 scripting environment (previously, Jython 2.5) to execute Jython scripts. As a result of this version change, the whiteboard attributes, such as http.request.uri and http.request.verb, are no longer preloaded for use by Jython scripts. However, you can run a Jython script to load these attributes before they are accessed as follows:

from com.vordel.trace import Trace

def invoke(msg):
    msg.forceGenerateAttributes()
    Trace.info("This trace statement was generated in script filter!  [" + str(msg.get("http.request.verb")) + "] [" + str(msg.get("http.request.uri")) + "]")
    return True

Related Issue: RDAPI-21363

API Gateway web service WSDL schema validation failure

If a web service is defined using multiple WSDLs, an error of ‘Cannot find the declaration of element’ might occur during the schema validation of a SOAP message. This might happen because of a duplication of the WSDLs types schema targetNamespace. To avoid this failure, you must change the types schema targetNamespace to be unique across the WSDLs.

Related Issue: RDAPI-26621

API Catalog Swagger 2.0 export issue when multiple API Manager traffic ports configured

When exporting Swagger 2.0 from API Manager Catalog with multiple traffic ports defined, if you try to subsequently reimport the generated document into another API Manager, the back-end URLs (HTTP and HTTPS) are correctly generated but the port will be incorrect for one of the URLs.

The issue is caused by an inherent flaw in Swagger 2.0 as it only permits one host to be specified. At export time, API Manager takes the first SSL-based basePath, if one exists, from the list of available basePaths (host:port) and applies that to the $.host field in the resultant Swagger 2.0 definition.

For example, if an HTTPS traffic port of 8065 and an HTTP traffic port of 8066 are configured, and the host IP address is 127.0.0.1, then the generated Swagger 2.0 definition will look like this:

{
  "swagger" : "2.0",
  "info" : {
    "description" : "",
    "version" : "1.0.3",
    "title" : "Test API"
  },
  "host" : "127.0.0.1:8065",
  "basePath" : "/api",
  "schemes" : [ "https", "http" ],
  "paths" : {...}
}

Note that the $.host field specifies a port of 8065. Importing this definition back into API Manager will result in the following back-end URLs, with the HTTP port being incorrect.

  • https://127.0.0.1:8065/api
  • http://127.0.0.1:8065/api

The recommendation is to use OpenAPI, which has the ability to specify multiple back-end hosts. For more information, see OpenAPI Specification, Server Object.

Related Issue: RDAPI-23379

When multiple API Manager traffic ports are configured, specifying a virtual host that contains a host and port can cause conflicting base path URLs to be displayed in API Catalog

In API Manager, if a virtual host (global default, organization level, or for a published API) is set to myhost and there are multiple traffic ports (mix of HTTP and HTTPS) configured, API Manager correctly displays https://myhost and http://myhost as base path URLs in the API Catalog.

An issue only arises when a port is specified as part of the virtual host. API Manager blindly takes the specified virtual host and appends it to the supported schemes for the configured traffic ports. So if a virtual host of myhost:9999 is set, then conflicting base paths of https://myhost:9999 and http://myhost:9999 are displayed in the API Catalog.

Related Issue: RDAPI-23379

Documentation

To find all available documentation for this product version:

  1. Go to Manuals on the Axway Documentation portal.
  2. In the left pane Filters list, select your product or product version.

Customers with active support contracts must log in to access restricted content.

For information on the different operating systems, databases, browsers, and thick client platforms supported by each Axway product, see Supported Platforms.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.

Email support@axway.com or visit Axway Support.

See Get help with API Gateway for the information that you should be prepared to provide when you contact Axway Support.

Last modified December 12, 2022: Merge developnov22 branch into master branch (#2511) (c285a3fd)