Akana API Platform Release Notes 2019.1

April 1, 2022

Version 2019.1.36

Document updated on: 2023-02-01 10:41, Pacific Standard Time

Akana 2019.x System Requirements

Upgrading Akana API Platform to Version 2019.1.x

ZIP distribution updated for 2019.1.0

Product packaging is simplified for this release, to include a single ZIP file containing the latest release, as follows:

  • API Platform ZIP (no JRE): The latest version for both the Akana API Platform and Platform
  • Windows JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Windows
  • Linux JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Linux

Product versioning to change with first release of 2020

The Akana API Platform and other Akana products will change versioning schemes with the first major release of 2020. All major releases will now follow the scheme "xxxx.1.0" rather than "xxxx.0.0". As a result, the upcoming major release for 2020 will be 2020.1.0, updated in all entries in these release notes as appropriate.

UI customizations

If you have UI customizations, rebuild styles after upgrade (Admin > Config > Rebuild Styles), then test your customizations.

Hermosa Theme header UI redesigned

See Hermosa Theme header UI redesigned below.

Support for Default Theme to end in 2020.1.0 (first major release of 2020)

Default Theme will be deprecated in 2020.1.0, and will be removed completely in a later version. The current customizations and use of Default Theme will be supported during upgrades to newer versions, until version 2020.1.0. All customers using Default Theme should move to the Hermosa Theme as soon as possible, and migrate any customizations. For example, port header customizations according to Community Manager: Migration Guide and Community Manager: Customizing the User Interface. Other customizations should continue to work, but style customizations are likely to be required.

jQuery to upgrade in 2020.1.0, impacting all Developer Portal pages

jQuery will be upgraded from v1.8.3 to v3.4.1 with the 2020.1.0 release. This version of jQuery affects all Developer Portal pages in all themes, so any customizations must be tested with jQuery v3.4.1. For migration information, see jQuery Core 1.9 Upgrade Guide and jQuery Core 3.0 Upgrade Guide.

Post-GA Updates

Date / release version: changes

  • April 1, 2022 / 2019.1.29: Removed the claim to support MongoDB 4.2, which was incorrectly stated for 2019.1.29 when MongoDB 4.0 support was added. See the updated entry, Support added for MongoDB 4.0.
  • April 14, 2021 / 2019.1.31: New entry added for Adding a new version to an API could fail.
  • January 2020 / 2019.1.4: New entry added for Improperly formatted error code for Open Banking 3.1 could be returned for requests that contained undefined fields.
  • March 2020 / 2019.1.9: New entry added for the bug fix Uploading license and documentation content was not verified.
  • July 2020 / 2019.1.12: Note regarding behavior added to Removed members of a group could still edit the app, SUPPORT-34630.
  • November 2020 / 2019.1.26: Clarification added to the deprecation notice on API operation changes to come in 2020.2, SUPPORT-36137.
  • February 1, 2023 / 2019.1.36: Removed all enhancement entries regarding the previous major version 2019.0.x, to avoid duplication and simplify these notes. These enhancements are still listed in the 2019.0.x release notes.

Version 2019.1.36

August 13, 2021

Enhancements: 2019.1.36

Hermosa theme now has descriptive search tooltips

The API search box in the Hermosa theme now has a descriptive tooltip for entering search tags, displayed when clicking in the search box. This tooltip is also available in the general search box in the filter on the search results page.

Support ticket: SUPPORT-43887

For third-party documentation using iframes, the platform now handles session management

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), the API platform now handles session management for third-party documentation that uses iframes. When the API documentation is displayed in an iframe, the iframe takes care of renewing the session. In addition, the third-party portal can handle the session before navigating to the iframe API document via a special page (which is provided in the customization samples or from Technical Support).

To take advantage of this, set the height and width of this new page to 0 so that the token is renewed in the background. Load this special page in an iframe in all pages except the API documentation's iframe.

Support ticket: SUPPORT-43303

Bug Fixes: 2019.1.36

A newly added role in a custom user workflow was not reflected immediately at first login

For a custom user workflow, a delay in a new role assignment to a user during first-time login could result in authorization errors.

Support ticket: SUPPORT-43698

Email alerts could return a SQL exception for Oracle

When an email alert was triggered and sent using an Oracle database, a SQL exception could be logged.

Support ticket: SUPPORT-26139

Version 2019.1.35

July 13, 2021

Enhancements: 2019.1.35

Custom workflow can mark a third-party user a registered user at first login

Third-party domain users can be assigned a registered state when logging into the Community Manager for the first time via a new initial action @AllowMarkUserAsRegistered. This is implemented through a custom workflow and overrides the default behavior which first assigns a pending_validation state to external domain users. See @AllowMarkUserAsRegistered on the Akana documentation website for more information.

Support ticket: SUPPORT-43689

Security settings added to control CSRF defense when using the newest Chrome browser

The newest Chrome browser has changed the default it applies to the SameSite cookie attribute, which defends against CSRF attacks. This caused API documentation to fail to display inside an iframe from a third-party portal running on a domain other than the portal domain; in that case, an HTTP "401 Unauthorized" error could occur.

To ensure that API documentation displays in this situation, there is a new setting on the Security Settings page (Admin > Settings > Security): set the Authentication CSRF Token Cookie Attribute - SameSite field to "None". The existing setting that controls the Domain attribute, Authentication and CSRF Token Cookie Attribute - Domain, was also added to this page.

For more information, see "How do I configure settings for business security?" on the Akana documentation site.

Support ticket: No related support tickets.
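The following is an added example, not Akana code, that models the browser-side decision behind this entry: why the portal's authentication/CSRF token cookie stops reaching API documentation embedded in an iframe on a third-party domain once the browser treats cookies without a SameSite attribute as Lax (Chrome 80 and later), and why SameSite=None, which Chrome accepts only on Secure cookies, restores it. Host names, the cookie name and the simplified site computation are assumptions for the example.

```python
"""Model of the SameSite decision a browser makes before attaching a cookie.

Added example, not Akana code. The scenario is the one in the release note:
the developer portal sets an authentication / CSRF token cookie, and API
documentation from the portal is loaded in an iframe on a third-party portal
hosted on another domain. Host names and the cookie name are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str                    # host that set the cookie
    same_site: Optional[str]     # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool


@dataclass(frozen=True)
class RequestContext:
    request_host: str            # host the request goes to (the iframe's src)
    top_level_host: str          # host shown in the address bar
    top_level_navigation: bool   # True for a link click or address-bar load, False for an iframe
    https: bool


def site_of(host: str) -> str:
    """Registrable domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def browser_accepts(cookie: Cookie) -> bool:
    """Chrome 80+ rejects a Set-Cookie with SameSite=None unless Secure is also present."""
    return not (cookie.same_site == "None" and not cookie.secure)


def effective_same_site(cookie: Cookie, lax_by_default: bool) -> str:
    """A missing attribute means Lax in Chrome 80+ and None in older browsers."""
    if cookie.same_site is None:
        return "Lax" if lax_by_default else "None"
    return cookie.same_site


def cookie_sent(cookie: Cookie, ctx: RequestContext, lax_by_default: bool = True) -> bool:
    """Whether the browser attaches the cookie to the request described by ctx."""
    if not browser_accepts(cookie):
        return False                     # never stored, so never sent
    if cookie.secure and not ctx.https:
        return False
    if site_of(ctx.request_host) != site_of(cookie.host):
        return False                     # request is not to the cookie's site at all
    if site_of(ctx.top_level_host) == site_of(ctx.request_host):
        return True                      # same-site context: every mode allows it
    mode = effective_same_site(cookie, lax_by_default)
    if mode == "None":
        return True
    if mode == "Lax":
        return ctx.top_level_navigation  # Lax allows top-level navigations only; an iframe is not one
    return False                         # Strict


def portal_status(cookie: Cookie, ctx: RequestContext, lax_by_default: bool = True) -> int:
    """What the embedded documentation request gets back: 200 with the cookie, 401 without."""
    return 200 if cookie_sent(cookie, ctx, lax_by_default) else 401


# Constructed scenario: the portal's cookie under three Set-Cookie configurations.
PORTAL_COOKIE_DEFAULT = Cookie("portal_auth_token", "portal.example.com", None, True)
PORTAL_COOKIE_NONE_SECURE = Cookie("portal_auth_token", "portal.example.com", "None", True)
PORTAL_COOKIE_NONE_INSECURE = Cookie("portal_auth_token", "portal.example.com", "None", False)

# Documentation iframe on a partner's portal, and the same iframe on the portal's own pages.
CROSS_SITE_IFRAME = RequestContext(
    request_host="portal.example.com", top_level_host="docs.partner-example.org",
    top_level_navigation=False, https=True)
SAME_SITE_PAGE = RequestContext(
    request_host="portal.example.com", top_level_host="portal.example.com",
    top_level_navigation=False, https=True)

if __name__ == "__main__":
    cases = [("no SameSite attribute", PORTAL_COOKIE_DEFAULT),
             ("SameSite=None; Secure", PORTAL_COOKIE_NONE_SECURE),
             ("SameSite=None without Secure", PORTAL_COOKIE_NONE_INSECURE)]
    for label, cookie in cases:
        print(f"{label:30} older Chrome: {portal_status(cookie, CROSS_SITE_IFRAME, False)}  "
              f"Chrome 80+: {portal_status(cookie, CROSS_SITE_IFRAME, True)}")
```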

Bug Fixes: 2019.1.35

Files with disallowed file types could be uploaded to the portal if the filename was changed

A file with a content type that was not allowed for uploading to the developer portal could bypass this limitation if its name was changed.

Support ticket: SUPPORT-41553
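As an added example, not Akana code, the check below shows the general fix pattern for the bug described above: an upload filter that validates the file's leading bytes (magic numbers) against an allow list and against the supplied extension, so renaming a file cannot change its effective type. The allow list, signatures and sample files are constructed for the example.

```python
"""Upload filter that checks file content rather than trusting the file name.

Added example, not Akana code. A filter keyed only on the extension can be
bypassed by renaming the file; this one sniffs the magic number, requires it
to be on the allow list, and requires it to agree with the extension.
The allow list, signatures and sample uploads are constructed.
"""
import os
from typing import Optional, Tuple

# Constructed allow list: content type -> magic-number prefixes that identify it.
ALLOWED_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}
# Constructed mapping from extension to the content type that extension claims.
EXTENSION_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf",
}


def sniff_content_type(data: bytes) -> Optional[str]:
    """Return the allowed content type whose signature the data starts with, else None."""
    for content_type, prefixes in ALLOWED_SIGNATURES.items():
        if any(data.startswith(prefix) for prefix in prefixes):
            return content_type
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is accepted; the reason is returned for logging."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    if claimed is None:
        return False, f"extension {ext or '(none)'} is not allowed"
    actual = sniff_content_type(data)
    if actual is None:
        # Covers a disallowed type renamed to an allowed extension, e.g. HTML saved as logo.png.
        return False, "content does not match any allowed type"
    if actual != claimed:
        # Allowed content under the wrong extension is still rejected, so the name and body agree.
        return False, f"content is {actual} but name claims {claimed}"
    return True, f"accepted as {actual}"


# Constructed sample uploads; only the leading bytes matter for the check.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BYTES = b"<html><body>not an image</body></html>"
GIF_BYTES = b"GIF89a" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in [("logo.png", PNG_BYTES), ("logo.png", HTML_BYTES),
                       ("page.html", HTML_BYTES), ("photo.jpg", GIF_BYTES)]:
        ok, reason = validate_upload(name, data)
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```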

New user invitations were not returned in search results

New users invited to create an account in the Community Manager developer portal could fail to be listed under Admin > Users, due to a problem with Elasticsearch indexing.

Support ticket: SUPPORT-43158

A regression could result in the Process Editor failing to display when the Policy Manager context path was not root

Due to a regression introduced in 2019.1.34, Process Editor display errors could occur in the Community Manager developer portal. When Policy Manager was running on a different context path than root ("/"), the Process Editor did not display on the API Details and API Implementation Details pages.

Support ticket: No related support tickets.

Version 2019.1.34

June 23, 2021

Enhancements: 2019.1.34

Searching with "AND" limits the results appropriately

Searching APIs for keywords using "AND" returns only those APIs that have both elements present. Previously, a search using AND did not properly narrow the results, returning APIs with just one element present.

Support ticket: SUPPORT-40632, SUPPORT-40951

Auth Token validity is now configurable

The Community Manager developer portal Auth Token validity is now configurable via the Active Login Session Timeout setting. If the Active Login Session Timeout is set to 0, then the Auth Token validity defaults to 30 minutes, as was the default before this update.

Support ticket: SUPPORT-43293

For third-party documentation using iframes, the platform now handles session management

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2019.1.31), the API platform now handles session management for third-party documentation that uses iframes. When the API documentation is displayed in an iframe, the iframe takes care of renewing the session. In addition, the third-party portal can handle the session before navigating to the iframe API document via a special page (which is provided in the customization samples or from Technical Support).

To take advantage of this, set the height and width of this new page to 0 so that the token is renewed in the background. Load this special page in an iframe in all pages except the API documentation's iframe.

Support ticket: SUPPORT-43303

Embedding API documentation in a third-party portal now supports non-library dependent version

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2019.1.31), a non-library dependent design is now supported, for example, a design without use of JavaScript. Note that in this case the UI display may be affected, for example with scroll bars or a failure to display a loader message while the API documentation is loading.

Support ticket: SUPPORT-43304

File download now available on an API's documentation page

In the Community Manager developer portal, an API's documentation page (APIs > My APIs > choose API > Documentation) now features a Download button so users can download the corresponding Interface Description Language file.

Support ticket: SUPPORT-43002

New workflow function supports a default role assignment to developer portal users using a specific login domain

A new workflow function, addRoleToUser, is available for custom workflow to modify the default platform behavior so that a new user, logging in for the first time with a specific login domain, is automatically assigned to a specific role.

Support ticket: SUPPORT-41444

Bug Fixes: 2019.1.34

Regression caused logging downstream request headers to fail for HTTP 504 timeout errors

For the Detailed Auditing Policy, the downstream request headers were not logged for an HTTP 504 Timeout error; other errors were logged. This could occur after an upgrade from 8.4 to 2019.1.x.

Support ticket: SUPPORT-42805

Calls between virtual services could fail in some cases

Calls between virtual services could fail if the normalized response contained invalid XML.

Support ticket: SUPPORT-42841

Updating an app's visibility could result in an error

In the Community Manager developer portal, changing an app's visibility from public to private could return an error if some public app settings were disabled.

Support ticket: SUPPORT-42717

With CSRF enabled, some API policy and process pages did not load

In the Community Manager developer portal, some API policy and process pages were not loading if CSRF was enabled in the Akana Administration Console (when com.soa.console.csrf > org.owasp.csrfguard.Enabled was set to "true").

Support ticket: SUPPORT-39230

Version 2019.1.33

May 20, 2021

Enhancements: 2019.1.33

This release includes no enhancements.

Bug Fixes: 2019.1.33

Customization: When creating a new static page, customers can override the default post-login redirect behavior for the page

By default, with a few exceptions, if a user is on a page in the Community Manager developer portal and then logs in from that page, the user is taken back to the same page after login.

When creating a new static page, customers can now override this default login behavior so that if the user is on the static page, and then logs in, the user is taken to the Action Dashboard. For details and instructions, see Creating a New Static View in Hermosa Theme, with override of default redirect behavior.

Support ticket: SUPPORT-40635

With Oracle, API access could fail when an API had many scopes and licenses

With an Oracle database, when a very large number of scopes and licenses were mapped to an API at the operation level, an API Access request was failing, with a SQL exception error.

Support ticket: SUPPORT-42723

Version 2019.1.32

May 4, 2021

Enhancements: 2019.1.32

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups, each entry in the search results includes a list of tags defined for that resource, if they exist. Each tag is now a hyperlink; clicking a tag in a search results entry returns a list of resources that use that tag. The list is specific to the type of resource. For example, on the All APIs page, clicking a tag in a search results entry gives a list of all APIs with that tag. To return a list of all resources that have a specific tag (APIs, apps, and groups), use the top general search bar.

Support ticket: SUPPORT-40634

Search returns results for an API's summary and description

Community Manager developer portal search returns and displays results for both an API's summary and its description, given a keyword. Previously, only results based on an API's description were returned and displayed.

Support ticket: SUPPORT-40847

For API descriptions using Markdown, the search returned Markdown syntax

When an API description used the Markdown language, the API Details and Overview pages processed the Markdown and displayed it correctly, but the search displayed the Markdown syntax without processing it. Now, the Markdown is converted to plain text and displayed in the search results. The API Details and Overview pages still display the processed Markdown.

Support ticket: SUPPORT-41836

The Access button to create a contract between an API and an app can now be controlled according to user role

Site Admins can control whether the Access button to create a contract between an API and an app appears or not, by implementing a custom API workflow that uses a new workflow action @DisallowApiAccess.

Support ticket: SUPPORT-40443

Community Manager themes now support dynamic resizing on static pages

In the Community Manager developer portal, the height of static pages can now be resized dynamically when there are expand/collapse sections. This enhancement applies to these pages:

Hermosa theme:

  • home/landing
  • home/support
  • API > Documentation

Simple Dev theme:

  • welcome
  • help
  • documentation

Bonita theme:

  • welcome
  • help
  • API > Documentation

Support ticket: SUPPORT-40842

Filtering a search by tags is now supported

The search filters in the Community Manager Developer Portal now support searching by an API or app's tag.

Support ticket: SUPPORT-40632, SUPPORT-41146

Bug Fixes: 2019.1.32

For the OpenID Connect Relying Party domain, default claim names were used instead of custom claim names

After configuring custom claim names in an OpenID Connect Relying Party domain in the Community Manager developer portal, default claim names were still used. Custom claim names are now used as expected, but any existing OpenID Connect Relying Party domains with custom claim names need to be saved for the changes to take effect. If, however, an existing OpenID Connect Relying Party domain, or one without custom claim names, is working without any issues, no action is required.

Support ticket: SUPPORT-41815

A Site Admin was able to modify an email without the proper permissions

In the Community Manager developer portal, a Site Admin was able to modify a user's email even when the security setting "Allow Site Admin to initiate user email address update" option was set to Disabled.

Support ticket: SUPPORT-41472

API Details page was not displaying all properties for sample using "allOf"

The API Details page in the Community Manager Developer Portal was not displaying all sample properties when the allOf property was included in the schema definition.

Support ticket: SUPPORT-41583

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App Details page.

Support ticket: SUPPORT-41144, SUPPORT-41168

The scroll bar on the API Overview page initialized incorrectly

In the Community Manager developer portal, the scroll bar on the API Overview page could initially appear in the middle of the page rather than at the top.

Support ticket: SUPPORT-41167

Searching in Community Manager could produce inconsistent results

When searching in the Community Manager developer portal using the top-level search box or the filter search box, the results could be inconsistent, depending on the order of keywords entered.

Support ticket: SUPPORT-40951

Version 2019.1.31

March 25, 2021

Enhancements: 2019.1.31

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups on their respective "details" pages, each returned entry includes a list of tags used for that resource, if they exist. These tags are now each hyperlinks, so that clicking on a tag returns a list of all APIs, apps, or groups with that tag.

Support ticket: SUPPORT-40634

Multiple, selected dashboard notifications can now be deleted at once

For a role with permissions to delete a notification, multiple dashboard notifications can now be deleted, either by selecting all or some, then selecting "Delete Checked."

Support ticket: SUP-10607, SUPPORT-40289

New search scope capability for an API

The Community Manager developer portal has added support for selecting a search scope, available from the API's Manage Licensing page when "Enable Licensing for API" is selected.

Support ticket: SUPPORT-41169

Ability to embed generated API documentation, including embedded Test Client, in a third-party portal

The generated API documentation currently displayed in the developer portal, either OpenAPI or Swagger, can now also be embedded in a third-party portal. If the generated API documentation includes the embedded Test Client functionality currently supported in the developer portal, embedded Test Client also works in the third-party portal.

Support for this feature includes a new library and a new working customization example in the customization ZIP file. If you do not have the customization ZIP file, ask Technical Support.

Authentication/authorization for the user's access to the API documentation from the third-party portal can be handled by the developer portal's SSO login functionality; for example, with SAML Web SSO or OpenID Connect.

Support ticket: SUPPORT-40315

Importing a Swagger or OpenAPI 3.0 document now updates the version

Importing a modified Swagger or OpenAPI 3.0 document using the API Designer Edit page did not update some parts of the document, specifically the info.version element. Support has been added for updating the API version if the info.version element in an updated design document changes.

Support ticket: SUPPORT-39972

Bug Fixes: 2019.1.31

Adding a new version to an API could fail

Adding a new version to an API with a descriptor could fail in some cases.

Support ticket: SUPPORT-41446

Real-time charts could fail to populate a start and end date time when viewing data

In Policy Manager's Real-Time Charts, selecting the View Data button could fail to populate the start and end date and time, resulting in an intermittent failure to display the logs via the Logs tab.

Support ticket: SUPPORT-40247

Operation-level tags duplicated on API Details or Documentation pages

For operation-level tags, the tag name was used for both the name and description if no description was defined, resulting in the display of a duplicated tag name on the API Details and API Documentation pages. Now, just the name is displayed if there is no description.

Support ticket: SUPPORT-41166

For a null JSON property value, Elasticsearch indexing could fail

Elasticsearch indexing could fail when parsing a JSON object with a property value of JSONNull.

Support ticket: No related support tickets.

Importing a package could fail to add an included script

While importing a package into either Policy Manager or the Community Manager developer portal, if the package file included a script, sometimes the script did not get added and the service would not get deployed, resulting in an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-39727

Some Community Manager URLs with special characters could expose an XSS vulnerability

Due to the inclusion of some special characters, some URLs in the Community Manager developer portal could result in a Cross-Site Scripting (XSS) vulnerability.

Support ticket: SUPPORT-41131

Validating the uniqueness of an API endpoint could return an error

Adding an API could return an error while validating the uniqueness of the API endpoint.

Support ticket: SUPPORT-40661

An expired application certificate could still allow API access

Accessing an API with an expired security certificate using the API Consumer Application Security policy with an SHA256RSA algorithm could still verify the signature. If the certificate is expired, an API request in this situation now returns "Certificate is Expired" with a 401 status code.

Support ticket: SUPPORT-38755

In Policy Manager, real-time charts could fail to display

When configured behind a reverse proxy that terminates SSL (HTTPS), the real-time charts could fail to display.

Support ticket: SUPPORT-40188, SUPPORT-39230

API call could fail with "Service not configured with allow rules" error

An API call could return a "Service not configured with allow rules" error even when no Denial of Service (DoS) rules were configured. This occurred due to a race condition while adding and retrieving a service for DoS rule execution.

Support ticket: SUPPORT-36386

Version 2019.1.30

February 26, 2021

Enhancements: 2019.1.30

"APIs I'm Following" widget now available for inclusion on the Action Dashboard

A widget to display "APIs I'm Following" can now be added to the Community Manager developer portal's tenant Action Dashboard or any other page. Previously, this was found only under the My APIs page.

Support ticket: SUPPORT-40444

API Overview page no longer displays the Endpoints section

In the Community Manager developer portal, the Endpoints section on the API Overview page has been removed.

Support ticket: SUPPORT-40340

Bug Fixes: 2019.1.30

The API Details page could display invalid characters in the schema for the request body

When importing an API into the Community Manager developer portal, a schema description containing special characters was displayed as invalid characters.

Support ticket: SUPPORT-40296

Schema installation for dropping a view failed with Microsoft SQL Server 2012

For Microsoft SQL Server 2012, when installing the Akana API Platform version 2019.1.22 or later, database schema installation for dropping a view could fail.

Support ticket: SUPPORT-40526

API Designer did not correctly display the Value or Sample field

On an API's Details > Design page, the Request body's "Value" field and the Response body's "Sample" field could fail to display for some compound schemas using Open API Specification 3.0 or Swagger 2.0. Support has been added for the field "Sample" for compound schemas in Swagger and Open API documentation.

Support ticket: SUPPORT-40257

An API's documentation page could report an error when displaying operations

For some Request body content-types, an API's documentation page, at API > Documentation, could fail to display operations when expanded, and report an error.

Support ticket: SUPPORT-40254

Compound schemas with cyclic references were not supported in the API Designer

Updates to the UI have been made to improve performance and to support compound schemas with cyclic references.

Support ticket: SUPPORT-40095

HTTP method could be returned as null

A concurrency issue in the Java DOM (Document Object Model) could lead to errors when reading data from WSDL documents in a multi-threaded environment. This was intermittently causing the HTTP method defined in the WSDL to be returned as null.

Support ticket: SUPPORT-39326, SUP-18819, SUP-18551, SUPPORT-22779, SUPPORT-22567, SUPPORT-24784, SUPPORT-27207, SUPPORT-34085

Users with appropriate privileges could not access an API's discussions

In some cases, users with roles mapped with appropriate privileges were unable to create or view discussions on a private API.

Support ticket: SUPPORT-39976

Version 2019.1.29

January 22, 2021

Enhancements: 2019.1.29

Lifecycle Repository extended properties can be configured as a single value or multiple values

For API, App and User extensible properties, Community Manager now supports the configuration of a single value or multiple values. A multi-value list can include free-form values added by the user.

Support ticket: No related support tickets.

Support added for MongoDB 4.0

The Akana Platform 2019.1.29 adds support for MongoDB 4.0.

Support ticket: SUPPORT-36277, SUPPORT-32929, SUPPORT-37982

Deprecation/Modification Notices: 2019.1.29

NTLMv1 is deprecated

The authentication protocol NT LAN Manager version 1 (NTLMv1) is deprecated; the platform now supports NTLMv2.

Support ticket: SUPPORT-37466

Bug Fixes: 2019.1.29

Roles mapped to an LDAP group were ignored for a user in some scenarios

When an LDAP user assigned to a group in LDAP signed in to the Community Manager developer portal, the privileges from the role that the LDAP group was mapped to were usually assigned correctly to the LDAP user, but in some instances they were not.

Support ticket: SUPPORT-39971

The Sign Up page could fail to load when images were enabled on login domains

When trying to open the Sign Up page by clicking the Create Account button in the Community Manager developer portal, the page could fail to load and would display an error if images or logos were in use for any enabled login domains.

Support ticket: SUPPORT-36489

The Invoke Activity of the Process Editor could display empty Interface and Operation drop-down menus

In both the Community Manager developer portal and Policy Manager, the Process Editor's Invoke Activity could display empty Interface and Operation drop-down menus.

Support ticket: No related support tickets.

The API Designer's Import and Cancel buttons could produce an error

For APIs created with JSON files that had a large number of operations, the API Designer's Import and Cancel buttons were sometimes unresponsive.

Support ticket: SUPPORT-39813

The Implementations section on the API Overview page could be blank

In the Community Manager developer portal, the API Overview page intermittently failed to display the endpoint in the Implementations section.

Support ticket: SUPPORT-39954

For OpenAPI 3.0 or Swagger 2.0, a complex, compound schema could display operation details incorrectly

When using OpenAPI 3.0 or Swagger 2.0, an API description document with complex, compound schemas containing keywords allOf, anyOf, or oneOf could result in a malformed display of operation details.

Support ticket: SUPPORT-39524

Version 2019.1.28

December 23, 2020

Enhancements: 2019.1.28

Policy Manager: Dependency Map has been removed

The Policy Manager's Dependency Map has been removed from the UI, previously available at Services > Monitoring > Dependency chart.

Support ticket: No related support tickets.

Policy Manager Real Time Charts no longer use Adobe Flash

The Real Time Charts and Historical Charts in Policy Manager no longer use the Adobe Flash Player, which Adobe won't support after December 31, 2020. The new, improved versions display similarly to earlier, Flash-based charts.

Support ticket: SUPPORT-31149, SUPPORT-38000, SUPPORT-38290, SUPPORT-39225

Bug Fixes: 2019.1.28

Exporting App Analytics logs could return an error

Exporting App Analytics logs for a timeframe more than a day could fail and return the error "General System error. Contact System Administrator."

Support ticket: SUPPORT-38423

A vulnerability in the Console could result in an SSRF attack

A vulnerability was addressed in the Akana Administration Console that could have resulted in a Server Side Request Forgery (SSRF) attack.

Support ticket: SUPPORT-37566

Some Community Manager URLs could expose an XSS vulnerability

Some URLs in Community Manager containing special characters resulted in a Cross-Site Scripting (XSS) vulnerability. This issue has been addressed.

Support ticket: SUPPORT-38469

For OpenAPI 3.0 or Swagger 2.0, a complex, compound schema could display operation details incorrectly

When using OpenAPI 3.0 or Swagger 2.0, an API description document with complex, compound schemas containing keywords allOf, anyOf, or oneOf could result in a malformed display of operation details.

Support ticket: SUPPORT-38857

Metrics API sometimes returning incorrect value

The Get Metrics API (GET /api/apis/versions/{APIVersionID}/metrics) was sometimes returning the wrong value for totalRequestSize and totalResponseSize.

Support ticket: SUPPORT-36498

Version 2019.1.27

December 1, 2020

Enhancements: 2019.1.27

This release includes no enhancements.

Bug Fixes: 2019.1.27

For the OAuth/OIDC Provider using PS algorithms, a null c_hash claim was returned

When using the PS algorithms (PS256, PS384, and PS512) as the signing algorithm for the OAuth/OIDC provider, a null c_hash claim was returned in the ID token.

Support ticket: SUPPORT-37671

Improved uploading of images to avoid XSS vulnerability

Image files uploaded to the developer portal are now sanitized before they are accepted for upload.

Support ticket: No related support tickets.

Policy Manager: Sorting could fail to display the contract's consumer identities

In Policy Manager, the Consumer Identities list sometimes failed to display, due to sorting errors.

Support ticket: SUPPORT-38181

Version 2019.1.26

November 4, 2020

Enhancements: 2019.1.26

This release includes no enhancements.

Deprecation/Modification Notices: 2019.1.26

Modifications to existing developer portal API operations to come in 2020.2.0

Version 2020.2.0 will add a new feature that allows policies to be attached at the operation level as well as at the service level. This requires some changes in the request and/or response to some existing operations that manage information about policies attached to an API.

Previously, these operations used the Policies model object, whether directly or nested within another model object. The Policies object includes an array of information about one or more policies attached to the service. In 2020.2.0, these operations will use additional information, to accommodate policy attachments at the operation level in the developer portal and the APIs:

  • Policy[ ]: An array of information about one or more policies attached to the service.
  • ApiOperationPolicy[ ] : An array of information about the operation and about one or more policies associated with it.

Modified operations include:

ApiVersion:

TargetAPI:

  • TargetAPI (field TargetAPI inside ApiVersion; see above)

APIImplementation:

Support ticket: SUPPORT-36137

Bug Fixes: 2019.1.26

Security policy regression when deploying physical service certificates

A regression in the deployment of physical service certificates could cause failures in next hop security policies. The failure was triggered by configuring a security policy, such as the WS-Security Asymmetric Binding Policy, on a physical service, using an X.509 token with a subject category of "service".

Support ticket: SUPPORT-37151, SUPPORT-37806

Network Director could send unsupported certificate downstream

In some cases, Network Director sent an unsupported certificate downstream, resulting in an "unknown_ca" alert.

Support ticket: SUPPORT-36434

Version 2019.1.25

October 16, 2020

Enhancements: 2019.1.25

JOSE Security Policy v2: Support added for OBSeal certificates

The JOSE Security Policy v2 now supports OBSeal certificates for UK Open Banking 3.1.

Support ticket: SUPPORT-37560

Bug Fixes: 2019.1.25

Performance enhancement for the Add App API

The POST /api/apps API was setting the random shared secret, then updating it with the user-provided secret or the generated shared secret. The appropriate shared secret is now set just once.

Support ticket: SUPPORT-37257

Version 2019.1.24

October 9, 2020

Enhancements: 2019.1.24

This release includes no enhancements.

Bug Fixes: 2019.1.24

The claims-based identity configuration details page was inaccessible

Due to errors that occurred when adding namespaces in the configuration page, the details page could not be reached, and the claim configuration could not be completed.

Support ticket: SUPPORT-37317

New configuration property removes idle user authorization tokens

A new configuration property has been added to Akana Administration Console's Configuration tab to remove the idle user authorization tokens from the cache. The new property is available under Configuration > com.soa.atmosphere > atmosphere.config.authTokenTimeToIdleTimeInSeconds.

The default idle time is 62 seconds. The tokens were previously cached for 30 minutes regardless of their usage, and thus could use a large chunk of memory and cause out-of-memory errors on portal containers.

Support ticket: SUPPORT-36309

Version 2019.1.23

October 1, 2020

Enhancements: 2019.1.23

This release includes no enhancements.

Bug Fixes: 2019.1.23

The WS-Auditing Service Policy was not saving logs

WS-Auditing Service Policy did not save transaction logs.

Support ticket: SUPPORT-36770

New "Strict Policy" setting to control security settings on allowable file types

In the tenant security settings, a new setting "Strict Policy" has been added to "Limit file types allowed for upload" under Settings > Security. Enabling Strict Policy allows only the media types specified in the allowed file types. If disabled, the supertypes of the media types specified will also be allowed. For example, a selection of "text/plain" in the allowed file types would also allow html, application/json, etc. media types.

Support ticket: SUPPORT-29653

Detailed auditing on an Auditing Service policy did not save request body and header on error

When sending a request to an API resulted in an error, and detailed auditing was enabled for an Auditing Service policy, the request body and header data for the SOAP service was not saved.

Support ticket: SUPPORT-36155

The API Consumer Application Security Policy returned an incorrect HTTP status code for a missing required header

The API Consumer Application Security Policy was returning HTTP 500 "Internal Server Error" instead of HTTP 401 "Unauthorized" when the required header was missing.

Support ticket: SUPPORT-35955

Duplicate CORS headers could abort a request

When duplicate Cross-Origin Resource Sharing (CORS) headers were added to the response, the request could fail.

Support ticket: SUPPORT-35854

Version 2019.1.22

September 17, 2020

Enhancements: 2019.1.22

Database support: MySQL 8.0

With this release, support has been added for MySQL 8.0. For a full list of product requirements, see System Requirements for Akana Platform 2019.x.x.

Support ticket: SUPPORT-34782

Bug Fixes: 2019.1.22

For JOSE Security Policy v2, JWKS keys did not refresh

When enforcing the JOSE Security Policy v2, the JWKS keys were not refreshing as per the com.akana.jwks.refreshTime setting configured in com.akana.jose.config in the Akana Administration Console.

Support ticket: SUPPORT-35210

Version 2019.1.21

August 31, 2020

Enhancements: 2019.1.21

The JOSE Security Policy v2 Appendix F option enforces Base64URL encoding

The JOSE Security Policy's Appendix F option, as defined in the Appendix F (Detached Content) section of the JWS specification (RFC-7515), now enforces a Base64URL encoding on the payload when signing.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.21

This release includes no bug fixes.

Version 2019.1.20

August 14, 2020

Enhancements: 2019.1.20

This release includes no enhancements.

Bug Fixes: 2019.1.20

HTTP Message Validation Policy could reject valid regex patterns

When importing a Swagger document containing some international characters, the HTTP Message Validation Policy could reject a valid regex pattern.

Support ticket: SUPPORT-32047

Removed post-hook commits to avoid possible row lock contention

Unnecessary post-hook commits, which might have been causing row lock contention, have been removed.

Support ticket: SUPPORT-35857, SUPPORT-35255

Version 2019.1.19

July 16, 2020

Enhancements: 2019.1.19

New configuration option controls how long connections wait to purge data when closing

A new configuration option has been added in the Administration Console to allow the SO_LINGER time to be set for a listener. This controls how long connections will wait to purge all data when closing. The default was previously set to 30 seconds, which could be too long in some scenarios.

The new property is com.soa.platform.jetty > http.incoming.transport.config.linger. The default is set to 10 seconds.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.19

Anti-Virus policy did not correctly secure platform-provided REST services

When the Anti-Virus policy was attached to services in the Policy Manager or the developer portal and files were uploaded using a platform-based REST API service such as BoardAPI, only one attachment was scanned.

Support ticket: No related support tickets.

Deleting an API's version could fail after import to the wrong tenant

If an API was imported to a wrong tenant accidentally, deleting the API version could fail.

Support ticket: SUPPORT-31886, SUPPORT-34397

Policy Manager: Exception error message detail not displayed

Exception error message detail was sometimes missing in the Policy Manager user interface.

Support ticket: SUPPORT-35094, SUPPORT-33222

Enforcement of whitelisted characters now the default setting for new tenants

The use of whitelist characters in certain user input is enforced by default for new tenants, to prevent cross-site scripting (XSS) attacks. Please see More > Admin > Settings > Security from the developer portal for details.

Support ticket: No related support tickets.

User password policy rules enforced by default for new tenants

The default password rules now require strong passwords by default for new tenants. In previous versions, strong password requirements were a manual configuration option. See More > Admin > Settings > Password in the developer portal for the password rules.

Support ticket: No related support tickets.

Media types are now restricted in new tenants by default

New tenants in the developer portal are automatically restricted to a default list of allowable media types for file uploads, configurable at More > Admin > Settings > Security. The defaults are: text/plain, image/png, image/jpeg, application/pdf, application/zip.

These settings can be changed per tenant.

Support ticket: No related support tickets.

A null value in an audit log message could cause a failed request in some cases

When debug mode is enabled in the developer portal or Configure Message Processing is set to "debug" in the Policy Manager, a null value in an audit log's debug message could cause a request to fail.

Support ticket: SUPPORT-34954

Blocked headers could be passed to the client in some situations

A bug in a third-party configuration library could cause blocked headers to be passed through the Gateway to the client.

Support ticket: SUPPORT-34419

Version 2019.1.18

July 1, 2020

Enhancements: 2019.1.18

Enabling "Audit Transport" on an auditing policy now captures transport headers

Auditing Service policies that have "Audit Transport" enabled now capture transport headers even if message content auditing is not enabled. Previously, only the transport status code and method were captured.

Support ticket: SUPPORT-22109

Bug Fixes: 2019.1.18

This release includes no bug fixes.

Version 2019.1.17

June 12, 2020

Enhancements: 2019.1.17

New HTTP Headers Injection policy supports improved security

A new HTTP Headers Injection policy allows you to automatically add specific headers on messages processed by the platform and relayed to the client. These headers can be used to enforce security restrictions. See Using the HTTP Headers Injection Policy on the Akana documentation site.

Support ticket: SUPPORT-28645, SUPPORT-3147

New Jetty configuration properties to control low resource connections

Three new properties on the Jetty transport manage connections, allowing finer control over connection lifetime when processing resources are low. These properties are on the com.soa.platform.jetty configuration category:

  • http.incoming.transport.config.maxIdleTime: The default maximum number of milliseconds that a connection can remain idle before it is closed. Default: 200000
  • http.incoming.transport.config.lowResourceIdleTime: The number of milliseconds that a connection can remain idle when server resources are low. A value of -1 disables low resource checking. This is triggered when the number of active connections reaches the limit set by lowResourcesConnections. Default: -1
  • http.incoming.transport.config.lowResourceConnections: The number of connections that will result in a low resource condition, expressed as a percentage of the listener thread pool size. This is used only when lowResourceIdleTime is > 0. Default: 100

Support ticket: No related support tickets.

Bug Fixes: 2019.1.17

The OAuth Client Policy could send requests with invalid scopes downstream

If the OAuth Client Policy was configured with an invalid scope, the response came back invalid, but the request was still sent downstream. Now the request is rejected, and an error is returned.

Support ticket: No related support tickets.

Disabling CRL check did not disable certificate checking for HTTP requests in Policy Manager

Disabling the Certificate Revocation List (CRL) check by setting com.soa.crl.enabled to false did not disable X.509 certificate checks.

Support ticket: SUPPORT-33284

Sending SNMP Host alerts could fail when using MongoDB

Simple Network Management Protocol (SNMP) alerts were not being sent when using a MongoDB database. SNMP alerts on MongoDB now work as expected.

Support ticket: SUPPORT-33744

Version 2019.1.16

Enhancements: 2019.1.16

This release includes no enhancements.

Bug Fixes: 2019.1.16

API Consumer Application Security Policy failing with certain characters

The API Consumer Application Security Policy was not working as expected if the message included certain ISO 8859 characters.

This policy now supports a user-configured character set for decoding query parameter values. If a user-configured character set is not provided, the policy uses UTF-8.

Support ticket: SUPPORT-33766

HMAC signature verification failing with empty parameters

The API Consumer Application Security Policy was failing to perform HMAC signature verification if the message included query parameters with no values.

Support ticket: SUPPORT-33765

Version 2019.1.15

Enhancements: 2019.1.15

This release includes no enhancements.

Bug Fixes: 2019.1.15

Incorrect API selected if the context path was the same in both Policy Manager and the developer portal

APIs with the same context path in both Policy Manager and the developer portal were not being correctly targeted. To address this problem, the following properties have been removed from the Akana Administration Console > Configuration page:

Configuration category    Removed property
com.soa.binding.http      http.in.binding.virtualhost.endpoint.selection.strict
com.soa.binding.soap      soap.in.binding.virtualhost.endpoint.selection.strict

Support ticket: SUPPORT-33428

Requesting API access could be delayed or could time out

On the API Access page, retrieving apps to request access could be delayed or could time out, depending on the number of apps available for that user. Performance has now been improved.

Support ticket: SUPPORT-33346, SUPPORT-1164

Version 2019.1.14

Enhancements: 2019.1.14

OAuth Client Policy now logs errors returned from downstream token provider

The OAuth Client Policy has been enhanced to save the error returned by the downstream token provider in the container log.

Support ticket: SUPPORT-24799

New recipe admin-console.json for increased security

A new recipe is now included by default in the recipes directory, admin-console.json, including the following properties:

ADMIN_CONSOLE_LOCALHOST_ONLY
ADMIN_CONSOLE_ACCESS_RESTRICTED
ADMIN_CONSOLE_DOMAIN_ENABLED
ADMIN_CONSOLE_BASICAUTH_ENABLED

Support ticket: No related support tickets.

Metrics API enhanced to include the total request and total response size

The metrics API that returns metrics for a specified API version, GET /api/apis/versions/{APIVersionID}/metrics, now returns totalRequestSize and totalResponseSize for the response message, representing the aggregated request and response size.

Support ticket: SUPPORT-22176

The Test Client now supports HTTP Security Policy with Basic Authentication

When a user is testing in Test Client, in the context of the app, the API, or the API documentation, Test Client no longer prompts for authentication credentials.

Support ticket: SUPPORT-30657

The JOSE Security Policy v2 now supports Appendix F of the JWS Specification to support UK Open Banking

A new checkbox “Enforce Appendix F” is displayed when choosing Unencoded Detached Payload as the Provider role in the JOSE Security Policy v2. Selecting this checkbox applies Base64 encoding to the payload and removes the Base64 JWS header, as defined in the Appendix F (Detached Content) section of the JWS specification (RFC-7515).

Support ticket: SUPPORT-27722

Developer portal now supports searching extended metadata in Lifecycle Repository APIs, apps, and users

In the developer portal, searching APIs, apps, and users now indexes Lifecycle Repository metadata. To enable metadata search for existing data, delete the indices for APIs, apps, and users and then reindex the objects.

For example, assuming localhost:9200, first delete the indices:

$ curl -XDELETE 'localhost:9200/default_api'
$ curl -XDELETE 'localhost:9200/default_app'
$ curl -XDELETE 'localhost:9200/default_user'
$ curl -XDELETE 'localhost:9200/default_metadata'

Then, run the query:

delete from INDEX_STATUS where OBJECTTYPE in ('api', 'app', 'user');

Support ticket: No related support tickets.

Deprecation Notices: 2019.1.14

Legacy OAuth client functions deprecated

The legacy functions ApplicationAPI#saveAppOAuthClient71Properties and ApplicationAPI#getAppOAuthClient71Properties are deprecated with this release and will be removed from the product in 2020.1.0. Clients should instead use functions ApplicationAPI#saveAppOAuthClientProperties and ApplicationAPI#getAppOAuthClientProperties.

Support ticket: SUPPORT-32433

Bug Fixes: 2019.1.14

The API Access Wizard created a Live connection even when Sandbox was selected

When choosing the implementation for API access, a selection of either Sandbox or Live both resulted in the creation of a live connection. Selecting Sandbox now works as expected.

Support ticket: SUPPORT-33334

Creating API tags with special characters could return a search error

Some special characters in API tags could return errors when conducting a search. For example, using "&" in a tag, then attaching the tag to an API and running a search for that API would return a search error. Special characters are now escaped in tags.

Support ticket: SUPPORT-32890

OAuth Client Policy token caching problem

The OAuth Client Policy could send expired security tokens downstream. This policy now works as expected, and an unused property com.akana.oauth.client.server.config.cacheInvalidateTime has been removed.

Support ticket: SUPPORT-32528

HTTP Message Validation Policy: leading zeros could be stripped

For the HTTP Message Validation Policy, query parameters with leading zeros are now treated as a string if defined as a string in the schema.

Support ticket: SUPPORT-27423

JavaScript issues

Large JavaScript files could return code generation and compiler evaluation errors

Very large JavaScript files could result in evaluation error "generated bytecode for method exceeds 64K limit."

JavaScript issues after upgrading from 8.2

After an upgrade from Akana Platform 8.2, issues could occur when setting downstream request query parameters, as the parameters must be of type String[]. To address this, the configuration properties com.soa.rhino.scriptengine and rhino.java.class.shutter.blacklist now allow access to the class java.lang.reflect.Array.

Support ticket: SUPPORT-33294

The Business Metrics Policy in Envision reports "success" for HTTP response codes less than 300

Any endpoint response with a status code less than 300 is now considered a "Success" rather than an "Error" when the Business Metrics Policy is attached to the API and a dimension that pulls the HTTP Status operational metric. Previously, only 200 response codes were considered "Success."

Support ticket: SUPPORT-31550

New API versions defaulted to public visibility, even for APIs with a "private" visibility setting

When a new version of an API was created, even if the existing API had a visibility setting of “private,” the new version had a default visibility of “public." The appropriate visibility based on the tenant API settings is now used.

Support ticket: SUPPORT-31062

API policy assignments could occur outside of a tenant

API policy assignments could occur across tenants in some cases. To avoid accidental policy assignment outside of a tenant, a policy visibility check has been added to an API before policy assignment.

Support ticket: SUPPORT-30530

Alert emails were not processed correctly in some cases

Alerts were not always sent to all members of a configured email group and could sometimes generate an error.

Support ticket: SUPPORT-32876

Creating a SOAP-based API in the developer portal could fail

Creating a SOAP-based API in the developer portal could fail when an API had been deleted and then recreated. This was caused by a SOAP service's nested aggregate policy configuration that was not being deleted.

Support ticket: SUPPORT-30607

Elasticsearch timeout setting could result in errors

Invalid property keys could result in an incorrect timeout setting in Elasticsearch. The property keys have been updated as follows:

Previous value                        Updated value
elastic.rest.client.socketTimeout     elastic.client.socketTimeout
elastic.rest.client.connectTimeout    elastic.client.connectTimeout

Support ticket: No related support tickets.

Business Metrics Policy in Envision did not correctly capture some defined dimension properties

When using the Business Metrics Policy in Envision, creating custom data sets to capture the StatusCode dimension was returning a constant (OPSMAPPING#request.statuscode) value rather than an actual numeric status code, such as 200 or 500. Now, the StatusCode operational dimension correctly returns the numeric HTTP Status Code.

Support ticket: SUPPORT-31450

Version 2019.1.13

Enhancements: 2019.1.13

This release includes no enhancements.

Deprecation Notices: 2019.1.13

Support for the Akana OAuth Provider Agent feature to end in 2020.1.0

The Akana OAuth Provider Agent feature is deprecated as of this release, and will be removed from the product in 2020.1.0.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.13

Notifications in the developer portal displayed only the first 100

When viewing notifications in the developer portal, clicking "See all ... notifications" displayed only the first 100. Now, the UI has an infinite scrollbar to view any number.

Support ticket: SUPPORT-30184

Test Client authorization headers were being stripped

In the Test Client, authorization headers that contained multiple authentication schemes were being stripped, causing downstream APIs to reject the request.

Support ticket: SUPPORT-32731

Uploading large numbers of certificates generated an Oracle error

When uploading more than 1,000 certificates to the platform's trust store, an Oracle error ORA-01795 was returned. Now, uploading a large number of certificates works as expected.

Support ticket: SUPPORT-32524

Group workflow constant variables updated

Some group constants used in the team workflow template were modified to match the values expected by the backend:

Previous value                                    Updated value
<!ENTITY GroupLeaders "role.group.leader" >       <!ENTITY GroupLeaders "role.group.leaders" >
<!ENTITY GroupAdmins "role.group.admin" >         <!ENTITY GroupAdmins "role.group.admins" >
<!ENTITY GroupMembers "role.group.member" >       <!ENTITY GroupMembers "role.group.members" >

Support ticket: SUPPORT-30688

Version 2019.1.12

Enhancements: 2019.1.12

Developer Portal: API endpoints are now searchable

Support has been added for both partial endpoint and complete endpoint search. To search for a complete endpoint, enclose it in double quotes, for example "https://example.com/v1".

To enable endpoint searching, delete the indices for "api" and "metadata", then reindex the api objects. For example, using localhost:9200:

1. $ curl -XDELETE 'localhost:9200/default_api'
2. $ curl -XDELETE 'localhost:9200/default_metadata'
3. Run the query: delete from INDEX_STATUS where OBJECTTYPE ='api';

Support ticket: SUP-16590

Dynamic deployment of internationalized/localized error messages

Messages can now be customized dynamically for internationalization or localization.

Place relevant properties files into the deploy directory of a container named according to the pattern com.akana.messages-<qualifier>.cfg, where <qualifier> is a unique string used to identify this particular file. The file is a normal Java properties file containing <key>=<string> pairs. A special key named "_locale" can be used to specify the locale for the messages.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.12

Network Director: Asynchronous error messages processing could be slow

For batch messages processed asynchronously, reply message processing could experience a slowdown with overhead limit errors. This could occur when configuration limits were reached, which would result in connections being closed. The behavior has been changed to reduce the likelihood that connections will be closed unnecessarily.

Support ticket: No related support tickets.

HTTP Caching Policy generated errors when Hazelcast was disabled

When the Hazelcast framework is disabled (the default), the HTTP Caching Policy resulted in errors "timeToIdle can't be negative" and "MaxEntriesLocalHeap is not compatible with MaxBytesLocalHeap set on cache."

These occurred because, when Hazelcast is disabled, the platform falls back to using EhCache for local node caching, which requires that the TimeToIdle attribute be -1 by default. Now the HTTP Caching Policy works as expected when Hazelcast is disabled.

Support ticket: SUPPORT-32438, SUPPORT-31249

When creating a new user, an error message is returned if AcceptedAgreementID is set

When a Site Admin creates a new user, the admin cannot set the field AcceptedAgreementID; rather, the user accepts the agreement and the value of this property is returned in the response message. If an attempt is made to explicitly set this value during new user creation, an HTTP error message "Status 400 (Bad Request)" is returned.

Support ticket: SUPPORT-32224

Removed members of a group could still edit the app

A removed member of a group could continue to access and modify an app if currently logged on during and after having been removed. Now, an "Unauthorized" error is returned if the removed user tries to modify or delete the app.

Note: When user groups are modified, all the access tokens for the user are invalidated and the portal's API response returned to the client includes header Atmo-Renew-Token: renew. In this case, API REST clients should renew the token using the POST /api/login/renewToken operation.

Support ticket: SUPPORT-22375, SUPPORT-34630

API Designer did not correctly display type form-urlencoded requests for OAS 3.0

For APIs using Open API Specification 3.0, a request body with a Content-type of form-urlencoded did not correctly display in the API Designer, JSON Schema Editor, or the Documentation page of an API.

Support ticket: SUPPORT-29018

API Access Wizard's Select App page now has an autocomplete field for the app name

The API Access Wizard has been redesigned to improve performance. Now, on the Select App tab, the table displaying all apps has been replaced by a text box in which you can enter the app name.

Support ticket: No related support tickets.

APIs with no version now default to "1"

On the API Advanced Options page, the Version ID can be customized. If no value is provided, the Version ID now defaults to 1. Prior to 2019.1.12, it defaulted to v1 or 0.0.0.

Support ticket: No related support tickets.

Version 2019.1.11

Enhancements: 2019.1.11

New security settings allow Site Admin to restrict the characters allowed in platform input fields

Two new settings have been added in the developer portal (Admin > Settings > Security) as a security feature. The first allows the Site Admin to restrict characters that are allowed in certain platform input fields such as app, API, and group Name, Summary, and Description fields and forum discussions and tickets, to help prevent cross-site scripting attacks.

If this setting is enabled, default characters that are always allowed are: alphanumeric characters, comma, period, hyphen, and space. The second field allows the Site Admin to specify additional characters that are allowed.

Support ticket: No related support tickets.

New configuration property to enable / disable cipher suite preference order

A configuration property has been added to enforce strict ordering of cipher suites in HTTPS listeners. This allows the server to dictate the order of cipher suites offered to clients, improving the security profile of these listeners.

The new property, in the com.soa.platform.jetty configuration category, is: http.incoming.transport.config.useCipherSuitesOrder.

Support ticket: SUPPORT-26735

Added ability to prevent Network Director from calling loopback/localhost address

The ability to block outbound traffic to classes of addresses has been added. There are two new configuration properties for this, in the com.soa.http.client.core configuration category:

  • address.validation.enable = true enables the feature.
  • address.validation.blacklist configures the classes of addresses that will be blocked. A comma-separated string that can include the values loopback (to block all loopback addresses), multicast (to block any multicast addresses), and anylocal to block the wildcard (0.0.0.0) address.

Support ticket: SUPPORT-31243
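The address classes that address.validation.blacklist names (loopback, multicast, anylocal) map directly onto standard address properties. The following is an added example, not Akana's own code, that classifies a destination IP literal the same way and blocks it when its class is blacklisted; the function names and the handling of IPv4-mapped IPv6 literals are this example's own assumptions about how such a check should behave.

```python
"""Outbound address validation of the kind described above, as an added
example (not Akana's own code): classify a destination address into the
loopback, multicast and anylocal classes and block it when its class is
blacklisted. Names and structure are assumptions for illustration."""
import ipaddress
from typing import Iterable

# The three class names the release note lists for address.validation.blacklist.
KNOWN_CLASSES = {"loopback", "multicast", "anylocal"}


def parse_blacklist(value: str) -> set:
    """Parse the comma-separated address.validation.blacklist value.

    Unknown class names are rejected so that a typo cannot silently leave
    a class unblocked.
    """
    classes = {item.strip().lower() for item in value.split(",") if item.strip()}
    unknown = classes - KNOWN_CLASSES
    if unknown:
        raise ValueError(f"unknown address class(es): {sorted(unknown)}")
    return classes


def address_classes(host: str) -> set:
    """Return the classes that a literal IP address belongs to.

    Works for IPv4 and IPv6 literals. Hostnames are not resolved here; a
    gateway must classify the *resolved* address after DNS, not the name.
    """
    addr = ipaddress.ip_address(host)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is classified by the IPv4
    # address it embeds, so both spellings of one address get the same answer.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    classes = set()
    if addr.is_loopback:        # 127.0.0.0/8 and ::1
        classes.add("loopback")
    if addr.is_multicast:       # 224.0.0.0/4 and ff00::/8
        classes.add("multicast")
    if addr.is_unspecified:     # 0.0.0.0 and ::, the wildcard address
        classes.add("anylocal")
    return classes


def is_blocked(host: str, blacklist: Iterable[str], enabled: bool = True) -> bool:
    """Mirror address.validation.enable / address.validation.blacklist:
    with the feature disabled nothing is blocked; otherwise an address is
    blocked when it belongs to any blacklisted class."""
    if not enabled:
        return False
    return bool(address_classes(host) & set(blacklist))


if __name__ == "__main__":
    blacklist = parse_blacklist("loopback, multicast, anylocal")
    for target in ("127.0.0.1", "::1", "::ffff:127.0.0.1", "0.0.0.0",
                   "ff02::1", "93.184.216.34"):
        print(f"{target:20} blocked={is_blocked(target, blacklist)}")
```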

New classifier, preserve-existing-policies, in Runtime Configuration

A new classifier, preserve-existing-policies, has been added to Runtime Configuration.

In previous versions, if the run-on-updates classifier was set to true, and there were updates to the API's properties, existing policies were not overwritten. With the new classifier included and set to false, the policies attached to the API are overwritten.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.11

Test Client: error returned when testing resource with PATCH method

Test Client returned an error when testing an API that used the PATCH HTTP method.

Support ticket: SUPPORT-29669

Pages in a theme cloned from Hermosa were throwing errors after deletion of the main Hermosa theme

When a new theme was created based on the out-of-the-box Hermosa theme, deleting the out-of-the-box Hermosa theme caused errors.

Support ticket: No related support tickets.

For a custom theme based on Hermosa theme, URLs in email notifications were incorrect

If a new custom theme was created based on out-of-the-box Hermosa theme, URLs included in notification emails, such as "forgot password" links, were not correct for the theme.

Support ticket: No related support tickets.

In the API Designer, could not change Default Media Type field

In the API Designer, the Default Media Type field has a default of "Any in and out" with a drop-down selection list of media types. If the user chose a different default media type, the change was not saved.

Support ticket: SUPPORT-31701

Verbose error messages

System error messages returned by the platform were modified to be less verbose, for security reasons.

Support ticket: No related support tickets.

Version 2019.1.10

Enhancements: 2019.1.10

This release includes no enhancements.

Bug Fixes: 2019.1.10

Under certain circumstances, an attempt was being made to retrieve a private key from a configured HSM

In 2019.1.8, a regression was introduced affecting external keystores (HSM). As a result, when trying to provision a service with PKI information in the external keystore, an attempt was being made to retrieve the private key, causing an exception and failure to deploy the associated service.

Support ticket: SUPPORT-32189

Version 2019.1.9

Enhancements: 2019.1.9

This release includes no enhancements.

Deprecation Notices: 2019.1.9

Support for the legacy Add/Edit API Wizard to end in 2020.1.0

The legacy Add/Edit API Wizard, deprecated in version 8.0, will be removed from the product with the 2020.1.0 release. This wizard was replaced by the current Add API feature.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.9

Performance improvements to prevent errors when exporting usage data

Errors could occur during the export of usage data filtered for a long duration or interval, resulting in the inability to cancel a pending report. Performance improvements have been made to address this, changing the default values of two properties in the com.soa.reports.export configuration in the Administration Console as follows:

Configuration                          Previous default   Current default
usagelog.export.dao.blockSize          10000              200
usagelog.export.dao.nosql.blockSize    10000              200

Support ticket: SUPPORT-9927, SUPPORT-11041, SUPPORT-23930, SUPPORT-24819

Initial Elasticsearch index creation used default template mappings

When the setting action.auto_create_index is true (the default) for REST-based APIs, Elasticsearch's first-time index creation was using default template mappings rather than the defined mappings. Now, the product checks to see if an index has already been created before indexing any objects, regardless of this auto-creation setting.

Support ticket: No related support tickets.

Uploading license and documentation content was not verified

Uploaded file types were not restricted in the license and documentation sections of an API. Now uploading files in any area of the platform validates the content type against a whitelist of allowable media types defined under More > Admin > Settings > Security.

Support ticket: SUPPORT-29653

Version 2019.1.8

Enhancements: 2019.1.8

New logging category to record internally generated HTTP request errors

A new logging category has been introduced to capture internally generated HTTP request errors that may occur when matching a request to an operation or service. The default name for the new category is http.request.error.

When this category is set to WARN, the container application log will contain an entry for every generated error in NCSA Common log format. Note that the previous Jetty-specific configuration (com.soa.platform.jetty > default.error.handler.logError) is no longer used.

Support ticket: SUPPORT-25390

Deprecations: 2019.1.8

Support for OpenID domain to end in 2020.1.0

The developer portal migrated from OpenID to OpenID Connect in a much earlier version, 7.2.3. Support of the legacy OpenID Relying Party domain will be completely removed in 2020.1.0. Any existing legacy domains should be migrated appropriately.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.8

For services with multiple HTTPS ports, SNI configuration not always picked up

Services that have multiple ports (access points) can have different connection properties on each one. In a scenario where a service had multiple HTTPS endpoints but only one had the use.service.identity.for.inbound configuration property set, the SNI configuration was not picked up, because the SNI deployer code was only checking the first HTTPS port for the configuration setting.

The platform now deploys SNI information if any port has this configuration set to true.

Support ticket: No related support tickets.

Oracle database error when retrieving monitoring details for 1,000+ organizations

An Oracle IN condition query could return Oracle Database Error ORA-01795. This occurred during requests to access an API or its board, when requesting monitoring details for more than 1,000 organizations.

Support ticket: SUPPORT-30923, SUPPORT-31576

UserName field added to Elasticsearch

A UserName field is now available for Elasticsearch, addressing errors in search logs pertaining to "Cannot search on field [Name] since it is not indexed."

To enable the UserName search and clear the errors in the Elasticsearch logs, delete the indices for user, apiversion, and app-version, and then reindex the objects. An example of the steps, using localhost:9200, is shown below:

1. $ curl -XDELETE 'localhost:9200/default_user'
2. $ curl -XDELETE 'localhost:9200/default_apiversion'
3. $ curl -XDELETE 'localhost:9200/default_app-version'
4. Run the query "delete from INDEX_STATUS where OBJECTTYPE in ('user', 'apiversion', 'app-version');"

Support ticket: No related support tickets.

Support added for complex types when editing non-body parameter data types in the API Designer

When editing a non-body request parameter type (such as a query, header, or path), all defined types, including complex types, are now available from the data type dropdown. Previously, the dropdown displayed only primitive types.

Support ticket: No related support tickets.

Updated tooltip and label in Business Security Settings UI

The tooltip and UI label for "Limit file types allowed for upload" on the site's Security Settings page have been updated to clarify that this setting applies to all uploaded files, not just those uploaded to Comments.

Support ticket: No related support tickets.

Version 2019.1.7

Enhancements: 2019.1.7

Default timeouts have been increased for long-running tasks

To prevent long-running provisioning tasks from timing out, default timeouts have been increased. This avoids timeout errors when using various automation scripts.

Support ticket: SUPPORT-30328

Bug Fixes: 2019.1.7

Unauthorized access of some objects' workflows

In some cases, users could access the workflow of an object, even if the user was not authorized to see the object itself. Now, a user can retrieve the workflow document or actions only if that user is authorized to see the object it's associated with.

Support ticket: SUPPORT-25079

Latency issues in the developer portal

Some APIs were experiencing latency in the developer portal. To address these issues, new caching mechanisms and indices have been added to the product, and some redundant calls to the federation support have been removed.

Support ticket: SUPPORT-30524

Regression impacting site admin permissions

Site administrators were unable to view or edit the profiles of other tenant users, a regression introduced in 2019.1.6. Site admins now have proper permissions.

Support ticket: SUPPORT-31774

Stored Cross-site Scripting (XSS) vulnerabilities addressed

Analysis of the code base and subsequent improvements to remove XSS (Cross-site Scripting) vulnerabilities is ongoing. This release includes extra XSS validations to API Implementation updates, either through the direct use of an API or through the UI.

Support ticket: SUPPORT-29654

Version 2019.1.6

Enhancements: 2019.1.6

DevOps Theme now includes Forgot Password flow

A "Forgot Password?" workflow is now supported in the DevOps Theme. The feature follows the standard "forgot password" flow, prompting the user for an email address, sending the user a code, then providing a way for the user to reset the password.

Support ticket: No related support tickets.

Network Director: Existing clusters now supported by recipe that registers a container and creates a cluster

Automatic container registration combined with cluster creation is now supported in the Network Director. Prior to this, using the register.container recipe to register a container and create a cluster could fail if the cluster already existed.

Support ticket: SUPPORT-27439

Hazelcast framework disabled by default

In order to reduce system overhead when not in use, the Hazelcast framework is now disabled by default. To enable Hazelcast, set hazelcast.instance.manager.enable to true in the configuration com.soa.grid.

Support ticket: No related support tickets.

New user workflow reserved action to notify users when an account is activated

When the Site Admin activates user accounts, a new reserved action @UserActivated has been added to send the activated user a notification.

Notifications are not sent by default, however. To take advantage of this action, uncomment line 834 in the default user workflow:

<!-- <common-action id="19" /> -->

For specifics, see http://docs.akana.com/cm/workflow/08_user_wf.htm#user_ra_18.

Support ticket: SUPPORT-29675

Bug Fixes: 2019.1.6

Character set added to the Content-Type header for policy enforcement errors

Error responses generated by policy enforcement violations in the developer portal now include the character set in the response content-type header. In addition, if a matching accept header includes a character set, that character set will be used in the response. If that character set is unsupported, then UTF-8 will be used.

Support ticket: SUPPORT-29960
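
The charset selection rule described above (use the charset from the matching Accept entry if the server supports it, otherwise UTF-8), written out as an added example rather than Akana's own code. It assumes the first matching Accept entry that names a charset decides, ignores q-values, and uses Python's codec registry as a stand-in for the server's list of supported charsets; the sample Accept headers are constructed.

```python
import codecs
from typing import Optional


def parse_accept(accept_header: str) -> list:
    """Split an Accept header into (media_range, params) pairs, lower-cased.

    q-values are kept in params but not used for ordering (assumption: the
    first matching entry that names a charset decides).
    """
    entries = []
    for part in accept_header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media_range = pieces[0].lower()
        params = {}
        for piece in pieces[1:]:
            if "=" in piece:
                key, value = piece.split("=", 1)
                params[key.strip().lower()] = value.strip().strip('"').lower()
        if media_range:
            entries.append((media_range, params))
    return entries


def range_matches(media_range: str, media_type: str) -> bool:
    """True if an Accept media range covers the concrete response media type."""
    if media_range in ("*/*", media_type):
        return True
    main_type = media_type.partition("/")[0]
    return media_range == f"{main_type}/*"


def charset_supported(name: str) -> bool:
    """'Supported' here means Python's codec registry knows the name."""
    try:
        codecs.lookup(name)
        return True
    except LookupError:
        return False


def response_content_type(accept_header: Optional[str], media_type: str,
                          default_charset: str = "utf-8") -> str:
    """Build the Content-Type header for a policy-violation error response.

    If an Accept entry matching the response media type names a charset and
    the server supports it, that charset is used; otherwise UTF-8.  The
    charset parameter is always present in the result.
    """
    if accept_header:
        for media_range, params in parse_accept(accept_header):
            if not range_matches(media_range, media_type):
                continue
            requested = params.get("charset")
            if requested:
                chosen = requested if charset_supported(requested) else default_charset
                return f"{media_type}; charset={chosen}"
    return f"{media_type}; charset={default_charset}"


if __name__ == "__main__":
    # Constructed Accept headers from a hypothetical client.
    for accept in ["application/json;charset=iso-8859-1",
                   "application/json;charset=x-unknown-9",
                   "text/html, */*;q=0.8;charset=utf-16",
                   None]:
        print(f"{accept!r:50s} -> {response_content_type(accept, 'application/json')}")
```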

With auditing enabled for an API operation, detailed auditing could fail to record some data

If Audit is checked in the Process Editor's Invoke Activity dialog and the API is set for detailed auditing, the downstream auditing logic was not properly handling faults. This could cause detailed auditing to fail to record any data for an exchange with a fault response.

Support ticket: SUPPORT-30854, SUPPORT-30943

HTML-encoded HEX and DEC numbers in a Markdown link could result in XSS vulnerability

A cross-site scripting security vulnerability was possible for HTML-encoded hexadecimal and decimal numbers that appeared in a Markdown link.

Now, existing HEX and DEC numbers are no longer converted to clickable Markdown links, and, if edited and saved, will return a validation error.

Validation is performed against the keywords in the "Keywords for cross-site scripting prevention" list in Admin Security Settings.

Support ticket: SUPPORT-24490

Deleting SOAP-based APIs with aggregate policies could fail

Deleting SOAP-based APIs with aggregate policies in the developer portal was failing in certain scenarios.

Support ticket: SUPPORT-30836

Referer headers use UUIDs from randomly generated keys

The universally unique identifiers (UUIDs) in referer headers are now all based on randomly generated keys following the UUID version 4 standard, for improved security. The previously used UUID version could leak sensitive information.

Support ticket: SUPPORT-28639
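
To show what the change above protects against, this added example (not Akana code) decodes the fields a version 1 UUID exposes and checks a header value for UUIDs that are not version 4. The sample UUID, MAC address and URL are constructed.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 time origin


def describe_uuid(value: str) -> dict:
    """Report the UUID version and, for version 1, what the value discloses.

    A v1 UUID embeds a 60-bit timestamp (100 ns units since 1582-10-15) and a
    48-bit node identifier that is, by default, the generating host's MAC
    address.  A v4 UUID is 122 random bits and exposes neither.
    """
    u = uuid.UUID(value)
    info = {"uuid": str(u), "version": u.version, "exposes": []}
    if u.version == 1:
        info["timestamp"] = (GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)).isoformat()
        info["node"] = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
        info["exposes"] = ["generation time", "node id (usually a MAC address)"]
    return info


def non_random_uuids(header_value: str) -> list:
    """Return every UUID found in a header value that is not version 4 (random)."""
    return [m.group(0) for m in UUID_RE.finditer(header_value)
            if uuid.UUID(m.group(0)).version != 4]


def make_v1_uuid(timestamp_100ns: int, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a v1 UUID from raw fields (used here only to build sample data)."""
    time_low = timestamp_100ns & 0xFFFFFFFF
    time_mid = (timestamp_100ns >> 32) & 0xFFFF
    time_hi_version = ((timestamp_100ns >> 48) & 0x0FFF) | 0x1000   # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80          # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


# Constructed sample: a v1 UUID for 2019-10-11T23:00:00Z from a host with the
# made-up MAC 00:11:22:33:44:55.  1570834800 s after the Unix epoch, plus the
# 122192928000000000 hundred-nanosecond intervals between 1582-10-15 and 1970-01-01.
SAMPLE_V1 = make_v1_uuid(1570834800 * 10_000_000 + 122_192_928_000_000_000, 0, 0x001122334455)
SAMPLE_REFERER = (f"https://portal.example.invalid/api/apps/{SAMPLE_V1}/details"
                  "?ref=3f6d8a2e-7c1b-4e5a-9f0d-2b6c8e1a4d7f")   # second value is v4

if __name__ == "__main__":
    for found in non_random_uuids(SAMPLE_REFERER):
        print(describe_uuid(found))
```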

Generated OpenAPI 3.0 documentation was missing some enum values and did not properly support compound keywords

Support was added in 2019.1.5 for API documentation based on OpenAPI 3.0, in addition to Swagger 2.0. OpenAPI 3.0 schemas of type allOf, oneOf, and anyOf were not being handled correctly, in addition to references to primitive types with enums. Now, generated API documentation based on OpenAPI 3.0 works as expected.

Note: The API documentation supports properties specific to the selected version, either OpenAPI 3.0, or Swagger 2.0. Any property not supported in a particular version will also not be supported in that version of the API documentation.

Support ticket: No related support tickets.

Fix for potential XSS security vulnerability

A fix has been added that prevents malicious content included in the request host from being displayed in generated HTML content.

Support ticket: SUPPORT-25658

Some nested scopes were not being displayed

After moving a scope elsewhere in the hierarchy, some nested scopes were not being displayed in the UI.

Support ticket: SUPPORT-2857

Version 2019.1.5

Enhancements: 2019.1.5

Database support: MongoDB 3.6.16

MongoDB 3.6 support has been extended to include 3.6.16.

Support ticket: No related support tickets.

Database support: Oracle 19c

With this release, support has been added for Oracle 19c.

Support ticket: SUPPORT-27807, SUPPORT-29789, SUPPORT-29790, SUPPORT-30531

Generated OpenAPI 3.0 documentation

Generated API documentation can now be based on OpenAPI 3.0, as well as Swagger, with the option to switch between Swagger 2.0 and OpenAPI 3.0.

Support ticket: No related support tickets.

New jetty configuration property to control general errors written to the container log file

A new configuration property, default.error.handler.logError, has been added to com.soa.platform.jetty. A value of true adds general errors to the container log file. The default is false.

Support ticket: SUPPORT-25390

Error messages are uppercased appropriately for UK Open Banking 3.1 specification

To comply with the UK Open Banking 3.1 specification, error message field names are now properly uppercased.

Support ticket: SUPPORT-29912

Trusted CA services enhanced

Trusted CA services have been enhanced to support expiration dates for certificates and to allow their removal.

Support ticket: SUPPORT-1001

Bug Fixes: 2019.1.5

Audit Message Policy did not capture partial messages for basic auditing

Partial message capture using the Audit Message Policy was not appearing in the Policy Manager Console unless detailed auditing was enabled. Partial messages will now be captured for basic auditing as well.

Support ticket: No related support tickets.

Tenant cache refresh could result in portal containers going offline

On refresh of the tenant cache, the portal containers could go offline in certain circumstances. Now, refresh works as expected, and any change to tenant or tenant business properties is immediately reflected.

Support ticket: No related support tickets.

Possible race condition in SNI certificate deployment

A potential race condition in the Server Name Indication (SNI) certificate deployment logic has been resolved. This could result in the container certificate being sent to clients, instead of sending the service certificate.

Support ticket: SUPPORT-30451

Cross-Site Scripting security vulnerability

To address a potential cross-site scripting (XSS) vulnerability, support for X-Frame-Options response headers has been added to requests with /content/ application paths. This is controlled using the xFrameOptions property in the XSS configuration, com.soa.admin.console.xss.

Support ticket: SUPPORT-28390

Network Director could process an invalid JSON payload

If extra characters appeared at the end of the JSON payload in the request body, Network Director processed and passed on the message, even though it contained invalid JSON. Now, if there is any extra content after the initial JSON object, an error is returned or the content is ignored, depending on a new setting "Ignore extra JSON in payload" in the HTTP Message Validation Policy. See https://docs.akana.com/ag/policies/policy_op_http_message_validation.htm for details.

Support ticket: SUPPORT-28722
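
The two behaviours described above, rejecting or ignoring content that follows the first JSON value, implemented as an added example in Python (not Network Director code). The request bodies are constructed; the strict/lenient switch stands in for the "Ignore extra JSON in payload" setting.

```python
import json
from typing import Any


class TrailingContentError(ValueError):
    """Raised when more bytes follow the first complete JSON value."""


def parse_json_payload(body: str, ignore_extra: bool = False) -> Any:
    """Decode exactly one JSON value from a request body.

    ignore_extra=False: anything after the first value is an error (strict).
    ignore_extra=True: the first value is returned and the rest is dropped.
    json.loads() would also reject trailing data, but raw_decode() reports
    where the extra content starts and gives us the lenient mode for free.
    """
    decoder = json.JSONDecoder()
    # raw_decode() does not skip leading whitespace, so strip it first and
    # remember how much was removed to keep reported offsets meaningful.
    stripped = body.lstrip()
    leading = len(body) - len(stripped)
    value, end = decoder.raw_decode(stripped)   # JSONDecodeError if malformed
    trailing = body[leading + end:]
    if trailing.strip() and not ignore_extra:
        raise TrailingContentError(
            f"extra content after JSON value at offset {leading + end}: "
            f"{trailing.strip()[:40]!r}"
        )
    return value


def classify_payload(body: str) -> str:
    """Label a body 'valid', 'trailing' (valid value + extra bytes) or 'malformed'."""
    try:
        parse_json_payload(body, ignore_extra=False)
        return "valid"
    except TrailingContentError:
        return "trailing"
    except json.JSONDecodeError:
        return "malformed"


# Constructed sample bodies (not captured traffic).  The second one shows why
# the gateway must take a position: a parser that reads the first object sees
# {"amount": 10}, a backend that reads the last one sees {"amount": 99999}, and
# the two layers disagree about what was validated.
SAMPLES = {
    "clean": '{"amount": 10, "currency": "GBP"}',
    "second_object_appended": '{"amount": 10}{"amount": 99999}',
    "garbage_suffix": '[1, 2, 3] DROP',
    "truncated": '{"amount": 10',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = classify_payload(body)
        print(f"{name:24s} -> {verdict}")
        if verdict == "trailing":
            print("    lenient mode would forward:", parse_json_payload(body, ignore_extra=True))
```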

Version 2019.1.4

Enhancements: 2019.1.4

DevOps theme supports external logins using LDAP

The DevOps theme now supports external logins when the Active Directory Identity System is configured to use LDAP.

Support ticket: SUPPORT-29403

All detailed auditing data limited by default to avoid out of memory problems

All detailed logging data from messages/responses, scripts, and processes is limited by the Administration Console configuration setting audit.maxContentSize in com.soa.policy.handler.audit. The default is 500,000. This setting helps avoid out-of-memory problems or exceeding data limits in MongoDB or other databases.

Support ticket: No related support tickets.

Network Director: Support for dynamic scopes at runtime

Network Director can now validate dynamic scopes at runtime. This support allows a single asterisk. The asterisk can be included as a prefix, in the middle, or as a suffix.

Support ticket: SUPPORT-28507
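
An added example (not Network Director code) of matching concrete token scopes against dynamic scope patterns with a single asterisk as prefix, infix or suffix, as described above. Two details are assumptions not stated in the release notes: the asterisk must consume at least one character, and the pattern belongs to the API operation while the concrete values come from the token.

```python
from typing import Iterable


def scope_matches(pattern: str, scope: str) -> bool:
    """Return True if a concrete scope value satisfies a dynamic scope pattern.

    The pattern may contain at most one asterisk, as a prefix ("*:accounts"),
    in the middle ("read:*:balance") or as a suffix ("read:*").  Assumption:
    the asterisk must match at least one character; a pattern without an
    asterisk must match exactly.
    """
    if pattern.count("*") > 1:
        raise ValueError(f"dynamic scope {pattern!r} may contain at most one asterisk")
    if "*" not in pattern:
        return pattern == scope

    prefix, suffix = pattern.split("*", 1)
    # Without this length check "ab*bc" would accept "abc": startswith("ab")
    # and endswith("bc") both hold, but the fixed parts overlap and the
    # asterisk matched nothing.
    if len(scope) <= len(prefix) + len(suffix):
        return False
    return scope.startswith(prefix) and scope.endswith(suffix)


def missing_scopes(required: Iterable[str], granted: Iterable[str]) -> list:
    """Return the required dynamic scopes that no granted token scope satisfies.

    An empty list means the token is sufficient for the operation.
    """
    granted = list(granted)
    return [req for req in required
            if not any(scope_matches(req, g) for g in granted)]


if __name__ == "__main__":
    # Constructed example: scopes an operation requires and scopes carried by a token.
    required = ["read:*:balance", "*:accounts"]
    token_scopes = ["read:acct-123:balance", "write:accounts", "read:"]
    print("missing:", missing_scopes(required, token_scopes))   # []
    print("missing:", missing_scopes(["read:*"], ["read:"]))    # ['read:*']
```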

Automation recipes support removing features

Automation recipes now include the ability to remove features using the Feature Administration service API ({urn:com.soa.admin.service.features.jaxrs} FeatureService), endpoint DELETE /admin/features/installed/{id}.

Support ticket: No related support tickets.

Http Message Validation Policy: Error codes enhanced to comply with UK Open Banking 3.1 specification

For the Http Message Validation Policy, more specific error codes were added to comply with the UK Open Banking 3.1 specification, when OB 3.1 is selected on the Options page. For example, any field of type "date" that is in error will result in a UK.OBIE.Field.InvalidDate error code. Previously, the policy was returning UK.OBIE.Field.Invalid error code. New error codes were also added to handle JSON parsing errors and invalid account and secondary account ids.

Support ticket: SUPPORT-25653

Bug Fixes: 2019.1.4

Elasticsearch log reported errors regarding unindexed fields

The Elasticsearch log could return the error "Cannot search on field [Name] since it is not indexed." Elasticsearch queries now return results as expected.

Support ticket: SUPPORT-29332

Lifecycle Coordinator: LDAP authentication issue when adding new users

Adding new users to the tenant using LDAP authentication sometimes failed to find a match when searching for a name on the Admin > Users > New dialog. Now, the filtering logic when adding a new user finds matches that start with the entered text rather than contain the entered text.

Support ticket: SUPPORT-29889

HTTP 404 error returned intermittently for OAuth Token Endpoint

For OAuth 2.0, the Token Endpoint intermittently returned an HTTP 404 "Page Not Found" error.

Support ticket: SUPPORT-29636

Swagger 2.0 documents could validate incorrectly when "Allow Empty Value" was set

For Swagger 2.0 documents with operation parameters that contained arrays with the allowEmptyValue attribute set, messages using this parameter would not validate correctly.

Support ticket: SUPPORT-28206

Developer Portal board comments were missing some workflow actions

An API's board comments were not displaying permissible workflow actions for users; for example, there was no "Approve" button for Site Admins.

A new includeCommentActions flag has been added to several board APIs, which, if set to true, will return any available workflow actions for each comment in the response.

Support ticket: SUPPORT-1220

HTTP Message Validation Policy: Error messages for unallowed headers now formatted for UK Open Banking 3.1 specification

When UK Open Banking version 3.1 is selected on the HTTP Message Validation Policy Options page, any error messages regarding unallowed headers now conform to the OB 3.1 specification, with an HTTP status code of 400.

Support ticket: SUPPORT-25439, SUPPORT-28782

Network Director: HTTP operation method cannot be found

In certain cases, in particular when Network Director was under high load and then left idle for a period of time, an error "Cannot find http method for operation" could occur.

Support ticket: SUPPORT-22779, SUPPORT-24784, SUPPORT-27207, SUPPORT-3174, SUPPORT-3442, SUPPORT-22567, SUP-18819, SUP-18551

Automation recipes under Windows now restart Akana

Support has been added to automation recipes to restart an Akana instance running on Windows in the background.

New command to stop a Windows Akana instance

A new command bin\shutdown.bat <name> shuts down an Akana instance running on Windows in the background.

Support ticket: No related support tickets.

Improperly formatted error code for Open Banking 3.1 could be returned for requests that contained undefined fields

If a request payload contains a field that is not defined in the Swagger definition, a "field unexpected" error is now returned in the proper Open Banking 3.1 format.

Support ticket: SUPPORT-29603

Version 2019.1.3

Enhancements: 2019.1.3

Lifecycle Manager: New automation recipe to synchronize data

A new recipe is available to automate the Synchronize Lifecycle Manager Data configuration task in the Akana Administration Console, which helps support the automation of promotion testing.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.3

OpenID Connect Relying Party domain was not editable in some cases

The OpenID Connect Relying party domain can now be viewed, modified, or deleted, as expected.

Support ticket: SUPPORT-29344

Missing X-Frame-Options in response header could result in a security vulnerability

Calls to resource URLs did not always set the X-Frame-Options header on the HTTP response when XFrameOptions was configured for the atmosphere.console.config.xFrameOptions property in the com.soa.atmosphere.console configuration and the new uif.config.xFrameOption property in the com.soa.uif configuration.

Support ticket: SUPPORT-28390

Swagger API documentation page for a private API displayed operations to users without permissions

When viewing the Swagger documentation for an API, users with limited visibility based on the settings in a private API's licenses and scopes can no longer see operations for which they do not have permission.

Support ticket: SUPPORT-29302

Version 2019.1.2

Enhancements: 2019.1.2

Lifecycle Coordinator: Option to disable Runtime Configuration when editing an API

A new classifier, run-on-updates, provides the ability to disable the Runtime Configuration when modifying an API. This avoids the Runtime Configuration overwriting changes made to an API in the developer portal.

Support ticket: SUPPORT-29126

SimpleDev theme has new confirmation warning before deleting an app

When deleting an app, the SimpleDev theme now prompts the user for confirmation before deletion. Before, the app was immediately deleted without confirmation.

Support ticket: SUPPORT-1084

API Designer now supports examples for model objects

A new column has been added in several locations in the API Designer, for APIs based on Swagger 2.0 or Open API 3.0, to support model object examples. The new column appears after the Schema column in the Models sections, and in the Request and Response sections if a model object is specified.

Support ticket: SUP-16258

The developer portal's Home page redesigned for hermosa and default themes

The Home page for the hermosa and default themes has been redesigned to incorporate embedded videos and updated features.

Support ticket: No related support tickets.

API comments are visible only to users with read access

The API "/api/discussions/{DiscussionID}/comments" now checks that the user has read access to the requested discussion.

Support ticket: SUPPORT-22787

HTTP Message Validation Policy: only top-level validation errors are displayed

For the HTTP Message Validation Policy, only top-level validation errors display. Before, errors could display for each nested element when the error was actually triggered only on the last element.

Support ticket: SUPPORT-25648

Lifecycle Coordinator: OAuth version can be selected in the Runtime Configuration

Users can now select an OAuth version (1.0a, 2.0, or both) in the Runtime Configuration.

Support ticket: No related support tickets.

Users with Monitor permissions can view an API's or app's analytics

A user with Monitor permissions, but without Modify permissions, can view an app's or API's analytics and logs. Previously, only users with Modify permissions on an API or app could view its analytics.

Support ticket: No related support tickets.

Providing an APIVersionID when adding an API version is no longer allowed

The API to add an API version (POST /api/apis/{APIID}/version) now returns an HTTP 400 Bad Request error if an APIVersionID is passed in. Previously, the APIVersionID was accepted as input without throwing an error even though it is not a parameter to the API.

Support ticket: SUP-12292

Swagger-based new APIs will take the API version from the Swagger document, if not defined

New APIs based on Swagger documents will have the same version as the Swagger document if the API has no defined version; otherwise, the APIVersionInfo will be used.

Support ticket: SUP-14958, SUPPORT-1141

Enhanced SearchAPI now returns results changed after a certain date

The SearchAPI (/api/search) supports a new query parameter UpdatedFromDate to retrieve objects added or updated after a certain date, for example:

 /api/search?q=(type:app-version)&UpdatedDateFrom=2019-10-11T23:00:00

Support ticket: No related support tickets.

Lifecycle Coordinator: new PromotionProfile property to preserve an existing shared secret at promotion

A new PromotionProfile property, preserve-shared-secret, controls whether the shared secret of an existing app in the target environment is retained at promotion.

The default is false, meaning that the shared secret of an app in the target environment is overwritten by that in the source environment. For detail, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_preserve_shared_secret.

Support ticket: SUPPORT-29124

Lifecycle Coordinator: new PromotionProfile property to control a consumer app's automatic promotion

A new PromotionProfile property, disable-consumer-app-check, controls the promotion of an API's corresponding consumer app. This is useful if you are using fanout and want to promote the consumer app to one environment but not another. A value of true prevents the automatic promotion of the corresponding consumer app (if any).

For detail, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_disable_consumer_app_check.

Support ticket: SUPPORT-22911

Bug Fixes: 2019.1.2

Lifecycle Coordinator: error trying to enforce unique context paths on import

On import, if the target API setting "Validate Unique Hostname/Context Path" is false, the target no longer tries to enforce uniqueness during promotion.

Support ticket: SUPPORT-29123

Lifecycle Coordinator: Promotion for APIs with multiple access points was mishandled in some cases

APIs on the same deployment zone and with multiple endpoints defined for an implementation were not being promoted correctly. Now, promoting APIs with multiple endpoints works as expected.

Support ticket: SUPPORT-29125

After upgrading to 2019.1.1, the Sign Up page would not load when the phone numbers field was enabled

A regression caused by the upgrade to 2019.1.1 resulted in the failure of new user registration on the developer portal when the phone numbers field was enabled on the Sign Up page.

Support ticket: SUPPORT-28584

API URL path variables XSS vulnerability

A Cross-site scripting (XSS) vulnerability in an API URL path's variables has been fixed.

Support ticket: SUPPORT-28390

OAuth configuration: multiple Third Party OAuth Providers for an API was allowed

When configuring an API's OAuth configuration, adding multiple Third Party OAuth providers was mistakenly allowed. Now, the Test Client allows only one Third Party OAuth Provider for an API in the API OAuth configuration.

Support ticket: No related support tickets.

Swagger generation validation errors for older schemas

Schemas using an older version of the Swagger standard (Draft03) were causing validation errors during Swagger generation.

Support ticket: SUPPORT-28378

Lifecycle Coordinator: Usability updates to devops theme

Various updates have been made to the devops theme for improved usability and to address incorrect behavior, including:

  • The Promotion Requests page is launched when a logged-in user clicks the "home" button.
  • The Promotion Requests page's Environment filters display the correct filtered results.
  • The footer has been replaced with the default footer, which displays the copyright and year.
  • The API request Source API link correctly launches the API Details page.

Support ticket: No related support tickets.

Export logs in developer portal missing the App name

The App column has been added to the transaction usage logs export.

Support ticket: SUPPORT-26414, SUPPORT-1190, SUPPORT-24723, SUPPORT-24203

Mongo data usage stats were being reported incorrectly after upgrade

When upgrading to 2019.0.x, Mongo usage stats were being recorded as the size of the zipped content, rather than the unzipped size.

Support ticket: No related support tickets.

Version 2019.1.1

Bug Fixes: 2019.1.1

Exporting app transaction logs was working incorrectly

App transaction logs were not exporting properly. Now export works as expected.

Support ticket: No related support tickets.

Version 2019.1.0

Key Features: 2019.1.0

New Open Banking Client Validation policy to support Open Banking MATLS

A new validation policy has been added to support the Open Banking Mutual Authentication TLS (MATLS) specification. This policy, the Open Banking Client Validation Policy, uses MATLS rather than the client secret for authentication. This is required for the Open Banking Dynamic Client Registration for OAuth.

  • Supports validation of headers added by the load balancer
    For the UK Open Banking Client Validation Policy, the Network Director can now perform OAuth client authentication based on headers added by the load balancer, which routes incoming API requests to a load balancer cluster. The load balancer extracts details of the client certificate and adds them as headers, then routes the request to the Network Director.
  • Uses only certificates with "use" : "tls"
    The UK Open Banking Client Validation Policy with MATLS support uses only certificates with "use" : "tls" from the OB JSON Web Key Set (JWKS) URL when validating the client certificate.

Support tickets: SUPPORT-23129, SUPPORT-3870, SUPPORT-24612, SUPPORT-26843

Hermosa theme UI header redesigned

The Header for the Hermosa theme has been completely redesigned for improved look-and-feel and usability. Elements of the site are more easily accessible, with dropdown menus for the top-level items, among other improvements. 

Note that this change impacts header customizations, which will need to be ported to the new header. For more information, see Community Manager: Customizing the User Interface and Community Manager: Migration Guide.

Support ticket: No related support tickets

Test Client Enhancements

Test Client has been enhanced to support multiple OAuth policies on a single API and the Aggregate policy.

  • The Aggregate Policy
    The Test Client now includes support for testing APIs with an attached Aggregate Policy that includes policies supported by Test Client. Adding an Aggregate Policy to an API allows the API Admin to set up a scenario where multiple policies are combined into one. For more information, see Test Client security settings: Aggregate Policy on the Akana docs site.
  • Multiple OAuth policies
    If the API supports multiple OAuth providers, you can choose the provider you want to test against. See Test Client security settings: OAuth Policy: Multiple OAuth Provider.

Support ticket: No related support tickets

API version workflow now supports an optional, customized workflow

Custom API version workflows now control the options available on the API Details page. This enhancement includes new API states that control permissions for specified users:
"@ModifyPolicies", "@ModifyDeployments", "@ModifyDebugOptions", "@ModifyOutboundIdentities", "@ModifyExtensionProperties", "@DeleteAPIImplementation", "@ModifyLegals"

Support ticket: No related support tickets

The Charts page within API Analytics has new filters for viewing API and App transactions

The Charts page within API Analytics now includes both charts and logs combined, with filters for viewing both API and App transaction logs and charts. For example, for a specific API, you can filter by all available operations, statuses, and response time. To view transaction log data, use the Load Logs button.

Note: Log information is available only if an auditing policy was attached to the API during the time period.

Support tickets: No related support tickets

Lifecycle Coordinator includes new configuration parameters for the promotion feature

New configuration properties are available in the Akana Administration Console to configure the Lifecycle Coordinator promotion feature. These are:

  • com.soa.promotion: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.
  • com.akana.lifecyclemanager.apiplatform.remote: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.

For detail, see Configuration properties for the Promotion Feature.

Support ticket: No related support tickets

Enhancements: 2019.1.0

Lifecycle Coordinator: Now supports the ability to manage API and app version visibility during promotion

Two new properties now support API and app version visibility when promoting to the target environment. For example, an API's or app's version might be set to Public in the source tenant and Private in the target tenant. These properties are appVersion.visibility and apiVersion.visibility.

Support ticket: No related support tickets.

Lifecycle Coordinator: Runtime Configuration can now specify an OAuth domain for an API

The Runtime Configuration can now select an OAuth domain for use with an API. Then, when an API is created in the developer portal, the OAuth domain will be set on it. Note that OAuth domain scopes cannot be set within the Runtime Configuration.

Support ticket: SUPPORT-5628

Lifecycle Coordinator: Runtime Configuration can now filter by API implementation type

A Runtime Configuration can now filter based on API implementation type, either SOAP or REST.

Support ticket: No related support tickets.

Lifecycle Coordinator: New promotion profile property

A new promotion profile property, preserve-outbound-identities, can be set on a topology to allow saving the existing outbound identities on the target during promotion.

Support ticket: SUP-17125, SUPPORT-1778

The default HTTP 404 error response now considers the Accept header

On a general HTTP 404 "Resource not found" condition, the error response now takes into account the HTTP Accept header from the client, generating a JSON, XML, or HTML (the default) response based on the desired content type. Previously, the error response was always HTML.
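The content negotiation described above, as an added example that is not Akana's code: it ranks the client's Accept header by q-value and picks JSON, XML, or the HTML default for a generic 404 body. The helper names and the body shapes are assumptions; the body deliberately does not echo the requested URI.

```python
import json


def parse_accept(header):
    """Parse an Accept header into (media_type, q) pairs, most preferred first."""
    entries = []
    for position, part in enumerate(header.split(",")):
        fields = [f.strip() for f in part.split(";")]
        media = fields[0].lower()
        if not media:
            continue
        q = 1.0
        for param in fields[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat as "not acceptable"
        entries.append((media, q, position))
    # Highest q first; header order breaks ties. q=0 means "not acceptable".
    entries.sort(key=lambda e: (-e[1], e[2]))
    return [(m, q) for m, q, _ in entries if q > 0]


def choose_format(accept_header):
    """Return 'json', 'xml' or 'html' (the default) for the 404 body."""
    for media, _q in parse_accept(accept_header or ""):
        if media == "application/json":
            return "json"
        if media in ("application/xml", "text/xml"):
            return "xml"
        if media in ("text/html", "application/xhtml+xml"):
            return "html"
    # Wildcards (*/*) and unknown types fall back to HTML, as the platform does.
    return "html"


def not_found_response(accept_header):
    """Build (status, content_type, body) for a generic 'Resource not found'.

    The body is generic on purpose: it never includes the requested URI.
    """
    fmt = choose_format(accept_header)
    if fmt == "json":
        body = json.dumps({"status": 404, "message": "Resource not found"})
        return 404, "application/json", body
    if fmt == "xml":
        body = "<error><status>404</status><message>Resource not found</message></error>"
        return 404, "application/xml", body
    return 404, "text/html", "<html><body><h1>404 Resource not found</h1></body></html>"
```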

Support ticket: SUPPORT-22558, SUPPORT-3903

Akana Administration Console JavaScript library has been updated

The jQuery library used in the Akana Administration Console has been updated to the latest stable and secure version, so that the entire platform now uses jQuery 1.11.3.

Support ticket: SUPPORT-21388

Elasticsearch Scroll API now used, for more effectively returning large numbers of results

The Elasticsearch Scroll API has now been implemented to more effectively return large numbers of results. Previously, the platform iterated through the search results 100 at a time, making it possible to exceed the default index.max_result_window value of 10,000.

Support ticket: SUPPORT-24812, SUPPORT-23905

New optional Business Security setting allows restriction of file types in attachments

The Business Security settings page under Admin > Settings > Security now includes a new option to limit media types allowed for uploading to comments, discussions, tickets, alerts, or reviews. The default allows any media type.

Support ticket: SUPPORT-24292

JOSE Policy v2 with Open Banking 3.1 option now supports adding the charset property to the Accept header

JOSE v2 policies that conform to the Open Banking specification now support a character set (charset) parameter on the "application/json" media type in the Accept header, for example "application/json;charset=utf-8". Previously, adding charset to the Accept header resulted in an error.

Support ticket: SUPPORT-26263

Open Banking 3.1 error codes now support enumerated elements in the HTTP Message Validation Policy

Errors generated by an HTTP Message Validation Policy now support enumerated elements, in conformance with Open Banking Implementation Entity (OBIE) requirements.

Now, when a field is defined as an enum in the policy but the supplied value is not in the schema's list of valid enum values, the policy returns "UK.OBIE.Unsupported.<field_name>", where <field_name> is the supplied enum value that doesn't match the schema's list of valid enum values. Prior to this enhancement, the policy returned "UK.OBIE.Field.Unexpected".

Support ticket: SUPPORT-25161

HTTP Message Validation Policy can now define default behavior for the additionalProperties schema property

The HTTP Message Validation Policy has a new option, "Allow additional properties by default," to control the behavior when an additionalProperties property in a Schema object is not explicitly specified in a Swagger schema. This is useful because the Swagger 2.0 specification is unclear regarding the default value for additionalProperties.

By default, this option is enabled so that all additional properties are allowed.
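The two validation behaviours described above (the Open Banking enum error code, and the "Allow additional properties by default" option applied only when a schema does not set additionalProperties) shown together in one added example; this is not Akana's policy code. The schema is a Swagger-style dict, the error-code strings come from the page, and the choice to use the field name as the "UK.OBIE.Unsupported." suffix, the tuple return shape and the sample schema are assumptions.

```python
def validate_body(body, schema, allow_additional_by_default=True):
    """Validate a JSON object against a Swagger-style schema dict.

    Returns a list of (error_code, property_name) tuples; [] means valid.
    """
    errors = []
    props = schema.get("properties", {})
    for name, value in body.items():
        if name in props:
            prop = props[name]
            if "enum" in prop and value not in prop["enum"]:
                # Supplied value is not in the schema's enum list: the
                # Open Banking 3.1 code rather than Field.Unexpected.
                # Assumption: the suffix is the offending field's name.
                errors.append(("UK.OBIE.Unsupported." + name, name))
            elif prop.get("type") == "object" and isinstance(value, dict):
                errors.extend(validate_body(value, prop, allow_additional_by_default))
        else:
            # Property not declared in the schema. An explicit
            # additionalProperties setting wins; only when the schema
            # is silent does the policy option decide.
            allowed = schema.get("additionalProperties", allow_additional_by_default)
            if allowed is False:
                errors.append(("UK.OBIE.Field.Unexpected", name))
    return errors


# Constructed sample schema for this example (not from any Akana API).
SAMPLE_SCHEMA = {
    "type": "object",
    "properties": {
        "Currency": {"type": "string", "enum": ["GBP", "EUR"]},
        "Data": {
            "type": "object",
            "properties": {"Status": {"type": "string", "enum": ["Pending", "Complete"]}},
            "additionalProperties": False,
        },
    },
}
```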

Support ticket: SUPPORT-25391

HTTP Message Validation Policy: Open Banking 3.1 error response can now be customized

HTTP Message Validation policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For more information, see Creating an HTTP Message Validation Policy on the Akana docs site.

Support ticket: SUPPORT-25156

Akana OAuth/OIDC provider id-token now includes state and openbanking_intent_id claims

The Akana OAuth/OpenID Connect (OIDC) provider now includes the "state" and "openbanking_intent_id" claims in the id_token for the Open Banking consent Hybrid Flow. Prior to this enhancement, these claims were returned only in the access_token.

Support ticket: SUPPORT-25631

JOSE Policy v2: Open Banking 3.1 error response can now be customized

JOSE v2 policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For detail, see Configuring JOSE Security Policy v2 options on the Akana docs site.

Support ticket: SUPPORT-25156

Automation recipes to perform upgrades have been improved

The recipes provided to automate migration to newer versions now support the ability to skip major versions.

Support ticket: No related support tickets.

Elasticsearch can be configured to save the Jetty access log

The Elasticsearch feature now supports the ability to save the Jetty transport access log to the Elasticsearch index. This is controlled through three new properties in the Administration Console under the configuration com.akana.log.elasticsearch:

  • requestLog.enabled: Enables or disables saving the Jetty log to the Elasticsearch index. Default value: false
  • requestDataSaver.elasticHost: The host location of the index. Default value: http://localhost:9200
  • requestDataSaver.elasticIndex: The name of the index. Default value: request-log

Support ticket: No related support tickets.

Cluster Support plug-in has been removed from the product distribution

The deprecated Cluster Support plug-in (com.soa.feature.cluster) has been removed from the product distribution. Instead, use automation recipes for configuring clusters.

Support ticket: No related support tickets.

API group visibility now available for Runtime Configurations

A new classifier API Group Visibility can be set for Runtime Configurations to invite user groups to view an API. For more detail, see "API Group Visibility" in the Runtime Configuration on the Akana docs site.

Support ticket: SUPPORT-5575

Deprecations: 2019.1.0

Elasticsearch Transport Client option is deprecated

The Elasticsearch Transport Client deployment option is deprecated in version 2019.1.0, and will be removed in version 2020.1.0. It is recommended to use the REST Client, which communicates with the Elasticsearch server or cluster by accessing a URL.

The Akana OAuth Provider Agent is deprecated

The Akana OAuth Provider Agent feature is deprecated in version 2019.1.0, and will be removed in version 2020.1.0.

It is recommended that customers have a dedicated OAuth container to manage OAuth tokens, as covered in the diagram of recommended deployment: http://docs.akana.com/sp/deployment/deployment_clustered.htm.

Bug Fixes: 2019.1.0

API tags were not being removed in some cases

When all the tags associated with an API were removed using the UI, the tags were not being removed properly. Now, the UI supports deleting all tags.

Support ticket: SUPPORT-22984, SUPPORT-24248, SUPPORT-24385

New error format for OAuth and AtmosphereApplicationSecurity Policies

The OAuth and AtmosphereApplicationSecurity Policies now return the faultcode and faultstring in error responses. For example:

{ "faultcode": "Server", "faultstring": "1012116 - Invalid token." }

The previous format was:

{ 1012116 - Invalid token. }

Support ticket: SUPPORT-28149

Regression impacted data masking in Audit Message Policy

A regression caused by the upgrade of a third-party library made masking of JSON audit data fail in the Auditing Message Policy.

Support ticket: No related support tickets.

Error messages and usage logs now suppress some details to avoid security vulnerabilities

Usage log and error messages now display only generic information, in order to avoid potential security vulnerabilities. Specific errors, including detailed URI information, are still written to the log file for the container instance.

Support ticket: SUPPORT-25000

A JOSE policy JSON Web Key Set URL is now validated against the forward proxy list

When a JWKS URL is used for a JOSE policy, the URL is validated against the forward proxy list on the Admin > Settings > Site page.

It is validated when saving a JWKS URL value on the App OAuth Details page, and also at runtime. Any errors returned at validation do not display the URI or any other information that could be used in a malicious way.

Support ticket: SUPPORT-24999

The List Tickets API did not return tickets for private APIs for some authorized users

The API GET /api/tickets did not return tickets for private APIs for non-admin users with read access to the API.

Support ticket: SUPPORT-26404

HTTP Message Validation Policy did not validate enums on required parameters

Single-value enums used in parameters were being incorrectly handled in some cases, resulting in a failure to validate required parameters in the HTTP Message Validation Policy.

Support ticket: SUPPORT-25295

Domain page was not enforcing Modify and Delete permissions in some cases

For users without modify or delete permissions on a domain, the Modify and Delete buttons were in some cases still accessible. Now, they are not displayed for users without write permissions, and a new "View" button has been added for users with read-only permissions.

Support ticket: SUPPORT-24869

X-Forwarded-Host header vulnerability

In applications that incorporate the use of the X-Forwarded-Host header, it was possible for an attacker to manipulate the host header to forward the request to a different URL.

Now, the logic for getting the base URL for various sub-URLs (such as an avatar) checks that the request URL host matches a virtual host set on the tenant. If it does not match a virtual host, the simple request URL (which does not come from the X-Forwarded-Host header) is used instead.
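The fixed behaviour described above, as an added example rather than Akana's own code: a forwarded host is used to build the base URL only when it matches one of the tenant's configured virtual hosts, otherwise the plain request host is used. The tenant table, function names and the avatar path are constructed for this example.

```python
# Constructed tenant configuration for this example (not from Akana):
# the set of virtual hosts each tenant is allowed to be addressed as.
TENANT_VIRTUAL_HOSTS = {
    "tenant-a": {"api.example.com", "portal.example.com"},
}


def base_url(tenant, scheme, request_host, x_forwarded_host=None):
    """Return the base URL from which sub-URLs (avatar links etc.) are built.

    The X-Forwarded-Host value is trusted only if it matches a virtual host
    configured on the tenant; otherwise the plain request host is used, so a
    client-supplied header cannot redirect generated links elsewhere.
    """
    candidate = None
    if x_forwarded_host:
        # The header may carry a comma-separated chain of proxies; the first
        # entry is the host the client originally addressed.
        candidate = x_forwarded_host.split(",")[0].strip().lower()
    # Compare host:port as a whole, lowercased (hostnames are case-insensitive).
    allowed = {h.lower() for h in TENANT_VIRTUAL_HOSTS.get(tenant, ())}
    host = candidate if candidate and candidate in allowed else request_host.lower()
    return f"{scheme}://{host}"


def avatar_url(tenant, scheme, request_host, user_id, x_forwarded_host=None):
    """Hypothetical sub-URL built from the validated base URL."""
    return base_url(tenant, scheme, request_host, x_forwarded_host) + f"/users/{user_id}/avatar"
```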

Support ticket: SUPPORT-20524

Lifecycle Coordinator: Promoting large APIs could time out

When promoting an API with numerous operations, the process could appear to time out, although the API would be promoted successfully. Now, promotion works as expected.

Support ticket: No related support tickets.