Akana API Platform Release Notes 2019.1

 

January, 2020

Version 2019.1.5

Document updated on: 2020-01-20 08:49, Pacific Standard Time

Akana 2019.x System Requirements

Upgrading the Akana API Platform from 2018.0.x to 2019.0.x

 

ZIP distribution updated for 2019.1.0

Product packaging is simplified for this release, to include a single ZIP file containing the latest release, as follows:

  • API Platform ZIP (no JRE): The latest version for both the Akana API Platform and Platform
  • Windows JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Windows
  • Linux JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Linux

Hermosa Theme header UI redesigned

See Hermosa Theme header UI redesigned below.

 

Version 2019.1.5

Enhancements: 2019.1.5

Database support: MongoDB 3.6.16

MongoDB 3.6 support has been extended to include 3.6.16.

Support ticket: No related support tickets.

Database support: Oracle 19c

With this release, support has been added for Oracle 19c.

Support ticket: SUPPORT-27807, SUPPORT-29789, SUPPORT-29790, SUPPORT-30531

Generated OpenAPI 3.0 documentation

Generated API documentation can now be based on OpenAPI 3.0, as well as Swagger, with the option to switch between Swagger 2.0 and OpenAPI 3.0.

Support ticket: No related support tickets.

New jetty configuration property to control general errors written to the container log file

A new configuration property, default.error.handler.logError, has been added to com.soa.platform.jetty. A value of true adds general errors to the container log file. The default is false.

Support ticket: SUPPORT-25390

Error messages are uppercased appropriately for UK Open Banking 3.1 specification

To comply with the UK Open Banking 3.1 specification, error message field names are now properly uppercased.

Support ticket: SUPPORT-29912

Trusted CA services enhanced

Trusted CA services have been enhanced to support expiration dates for certificates and to allow their removal.

Support ticket: SUPPORT-1001

Bug Fixes: 2019.1.5

Audit Message Policy did not capture partial messages for basic auditing

Partial message capture using the Audit Message Policy was not appearing in the Policy Manager Console unless detailed auditing was enabled. Partial messages will now be captured for basic auditing as well.

Support ticket: No related support tickets.

Tenant cache refresh could result in portal containers going offline

On refresh of the tenant cache, the portal containers could go offline in certain circumstances. Now, refresh works as expected, and any change to tenant or tenant business properties is immediately reflected.

Support ticket: No related support tickets.

Possible race condition in SNI certificate deployment

A potential race condition in the Server Name Indication (SNI) certificate deployment logic has been resolved. This could result in the container certificate being sent to clients, instead of sending the service certificate.

Support ticket: SUPPORT-30451

Cross-Site Scripting security vulnerability

To address a potential cross-site scripting (XSS) vulnerability, support for the X-Frame-Options response header has been added to requests with /content/ application paths. This is controlled using the xFrameOptions property in the XSS configuration, com.soa.admin.console.xss.

Support ticket: SUPPORT-28390

Network Director could process an invalid JSON payload

If extra characters appeared at the end of the JSON payload in the request body, Network Director processed and passed on the message, even though it contained invalid JSON. Now, if there is any extra content after the initial JSON object, an error is returned or the content is ignored, depending on a new setting "Ignore extra JSON in payload" in the HTTP Message Validation Policy. See https://docs.akana.com/ag/policies/policy_op_http_message_validation.htm for details.

Support ticket: SUPPORT-28722
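
As an added illustration of the trailing-content rule above (example code, not Akana's implementation), the check below parses exactly one JSON value from a request body and either rejects or ignores anything that follows it, mirroring the two settings of "Ignore extra JSON in payload"; the request bodies are constructed samples.

```python
import json

# Added example, not Akana code: a strict "one JSON value per body" check
# that models the two behaviours of the "Ignore extra JSON in payload"
# setting. Trailing whitespace is always tolerated; anything else after the
# first JSON value is either rejected or silently dropped.

def validate_json_payload(body: str, ignore_extra: bool = False):
    """Return the single JSON value in body, or raise ValueError."""
    decoder = json.JSONDecoder()
    text = body.lstrip()          # raw_decode does not skip leading whitespace
    try:
        value, end = decoder.raw_decode(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc.msg}") from None
    if text[end:].strip() and not ignore_extra:
        raise ValueError("unexpected content after the JSON value")
    return value

# Constructed request bodies: one clean, one with junk appended, and one
# with a second object concatenated (the case where a lenient gateway and a
# stricter backend could end up reading different documents).
CONSTRUCTED_BODIES = {
    "clean": '{"accountId": "acc-1", "amount": 10}',
    "junk": '{"accountId": "acc-1", "amount": 10} garbage',
    "double": '{"accountId": "acc-1"}{"accountId": "acc-2"}',
}

def check_bodies(ignore_extra: bool) -> dict:
    """Run every constructed body through the validator and collect outcomes."""
    results = {}
    for name, body in CONSTRUCTED_BODIES.items():
        try:
            results[name] = ("accepted", validate_json_payload(body, ignore_extra))
        except ValueError as exc:
            results[name] = ("rejected", str(exc))
    return results

if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_extra={mode}:")
        for name, outcome in check_bodies(mode).items():
            print(f"  {name}: {outcome}")
```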

Version 2019.1.4

Enhancements: 2019.1.4

DevOps theme supports external logins using LDAP

The DevOps theme now supports external logins when the Active Directory Identity System is configured to use LDAP.

Support ticket: SUPPORT-29403

All detailed auditing data limited by default to avoid out of memory problems

All detailed auditing data from messages/responses, scripts, and processes is limited by the Administration Console configuration setting com.soa.policy.handler.audit -> audit.maxContentSize. The default is 500,000. This setting helps avoid out of memory problems or exceeding data limits in MongoDB or other databases.

Support ticket: No related support tickets.

Network Director: Support for dynamic scopes at runtime

Network Director can now validate dynamic scopes at runtime. This support allows a single asterisk. The asterisk can be included as a prefix, in the middle, or as a suffix.

Support ticket: SUPPORT-28507
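
As an added example (not Akana's implementation) of the single-asterisk dynamic scope rule above, the matcher below compiles a pattern with at most one '*' into an anchored regular expression and reports which requested scopes a set of granted patterns fails to cover. Assumptions: '*' stands for any run of characters, including none, and every other character in the pattern is literal.

```python
import re

# Added example, not Akana code: dynamic scope matching with a single '*'
# allowed as prefix, infix, or suffix. Patterns with two or more asterisks
# are rejected rather than guessed at.

def compile_dynamic_scope(pattern: str) -> "re.Pattern[str]":
    """Compile a scope pattern with at most one '*' into a regex."""
    if pattern.count("*") > 1:
        raise ValueError(f"dynamic scope {pattern!r}: only one asterisk is allowed")
    if not pattern:
        raise ValueError("dynamic scope pattern must not be empty")
    if "*" not in pattern:
        # A static scope must match exactly; no implicit wildcard.
        return re.compile(re.escape(pattern))
    prefix, _, suffix = pattern.partition("*")
    # re.escape keeps '.', '+', ':' and similar literal, so only the
    # wildcard expands. A bare "*" therefore matches every scope, which a
    # deployment would normally refuse to configure.
    return re.compile(re.escape(prefix) + ".*" + re.escape(suffix))

def scope_matches(pattern: str, requested: str) -> bool:
    """True when the requested scope is covered by the pattern (whole-string match)."""
    return compile_dynamic_scope(pattern).fullmatch(requested) is not None

def uncovered_scopes(granted_patterns, requested_scopes) -> list:
    """Requested scopes that no granted pattern covers; empty means authorized.

    Patterns with more than one asterisk are treated as invalid and skipped,
    so a misconfigured pattern never widens access.
    """
    valid = []
    for pattern in granted_patterns:
        try:
            compile_dynamic_scope(pattern)
            valid.append(pattern)
        except ValueError:
            continue
    return [s for s in requested_scopes
            if not any(scope_matches(p, s) for p in valid)]

if __name__ == "__main__":
    granted = ["accounts:*", "payments:*:read", "pay*ments*"]   # last one is invalid
    requested = ["accounts:read", "payments:acc-1:read", "payments:write"]
    print("not covered:", uncovered_scopes(granted, requested))
```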

Automation recipes support removing features

Automation recipes now include the ability to remove features using the Feature Administration service API ({urn:com.soa.admin.service.features.jaxrs} FeatureService) endpoint DELETE /admin/features/installed/{id}.

Support ticket: No related support tickets.

HTTP Message Validation Policy: Error codes enhanced to comply with UK Open Banking 3.1 specification

For the HTTP Message Validation Policy, more specific error codes were added to comply with the UK Open Banking 3.1 specification, when OB 3.1 is selected on the Options page. For example, any field of type "date" that is in error will result in a UK.OBIE.Field.InvalidDate error code. Previously, the policy was returning the UK.OBIE.Field.Invalid error code. New error codes were also added to handle JSON parsing errors and invalid account and secondary account ids.

Support ticket: SUPPORT-25653

Bug Fixes: 2019.1.4

Elasticsearch log reported errors regarding unindexed fields

The Elasticsearch log could return the error "Cannot search on field [Name] since it is not indexed." Elasticsearch queries now return results as expected.

Support ticket: SUPPORT-29332

Lifecycle Coordinator: LDAP authentication issue when adding new users

Adding new users to the tenant using LDAP authentication sometimes failed to find a match when searching for a name on the Admin > Users > New dialog. Now, the filtering logic when adding a new user finds matches that start with the entered text rather than contain the entered text.

Support ticket: SUPPORT-29889

HTTP 404 error returned intermittently for OAuth Token Endpoint

For OAuth 2.0, the Token Endpoint intermittently returned an HTTP 404 "Page Not Found" error.

Support ticket: SUPPORT-29636

Swagger 2.0 documents could validate incorrectly when "Allow Empty Value" was set

For Swagger 2.0 documents with operation parameters that contained arrays with the allowEmptyValue attribute set, messages using this parameter would not validate correctly.

Support ticket: SUPPORT-28206

Developer Portal board comments were missing some workflow actions

An API's board comments were not displaying permissible workflow actions for users; for example, there was no "Approve" button for Site Admins.

A new includeCommentActions flag has been added to several board APIs, which, if set to true, will return any available workflow actions for each comment in the response.

Support ticket: SUPPORT-1220

HTTP Message Validation Policy: Error messages for unallowed headers now formatted for UK Open Banking 3.1 specification

When UK Open Banking version 3.1 is selected on the HTTP Message Validation Policy Options page, any error messages regarding unallowed headers now conform to the OB 3.1 specification, with an HTTP status code of 400.

Support ticket: SUPPORT-25439, SUPPORT-28782

Network Director: HTTP operation method cannot be found

In certain cases, in particular when Network Director was under high load and then left idle for a period of time, an error "Cannot find http method for operation" could occur.

Support ticket: SUPPORT-22779, SUPPORT-24784, SUPPORT-27207, SUPPORT-3174, SUPPORT-3442, SUPPORT-22567, SUP-18819, SUP-18551

Automation recipes under Windows now restart Akana

Support has been added to automation recipes to restart an Akana instance running on Windows in the background.

New command to stop a Windows Akana instance

A new command bin\shutdown.bat <name> shuts down an Akana instance running on Windows in the background.

Support ticket: No related support tickets.

Version 2019.1.3

Enhancements: 2019.1.3

Lifecycle Manager: New automation recipe to synchronize data

A new recipe is available to automate the Synchronize Lifecycle Manager Data configuration task in the Akana Administration Console, which helps support the automation of promotion testing.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.3

OpenID Connect Relying Party domain was not editable in some cases

The OpenID Connect Relying party domain can now be viewed, modified, or deleted, as expected.

Support ticket: SUPPORT-29344

Missing X-Frame-Options in response header could result in a security vulnerability

Calls to resource URLs did not always set the X-Frame-Options header on the HTTP response, even when it was configured through the atmosphere.console.config.xFrameOptions property in the com.soa.atmosphere.console configuration or the new uif.config.xFrameOption property in the com.soa.uif configuration.

Support ticket: SUPPORT-28390

Swagger API documentation page for a private API displayed operations to users without permissions

When viewing the Swagger documentation for an API, users with limited visibility based on the settings in a private API's licenses and scopes can no longer see operations for which they do not have permission.

Support ticket: SUPPORT-29302

Version 2019.1.2

Enhancements: 2019.1.2

Lifecycle Coordinator: Option to disable Runtime Configuration when editing an API

A new classifier, run-on-updates, provides the ability to disable the Runtime Configuration when modifying an API. This avoids the Runtime Configuration overwriting changes made to an API in the developer portal.

Support ticket: SUPPORT-29126

SimpleDev theme has new confirmation warning before deleting an app

When deleting an app, the SimpleDev theme now prompts the user for confirmation before deletion. Before, the app was immediately deleted without confirmation.

Support ticket: SUPPORT-1084

API Designer now supports examples for model objects

A new column has been added in several locations in the API Designer, for APIs based on Swagger 2.0 or Open API 3.0, to support model object examples. The new column appears after the Schema column in the Models sections, and in the Request and Response sections if a model object is specified.

Support ticket: SUP-16258

The developer portal's Home page redesigned for hermosa and default themes

The Home page for the hermosa and default themes has been redesigned to incorporate embedded videos and updated features.

Support ticket: No related support tickets.

API comments are visible only to users with read access

The API "/api/discussions/{DiscussionID}/comments" now checks that the user has read access to the requested discussion.

Support ticket: SUPPORT-22787

HTTP Message Validation Policy: only top-level validation errors are displayed

For the HTTP Message Validation Policy, only top-level validation errors display. Before, errors could display for each nested element when the error was actually triggered only on the last element.

Support ticket: SUPPORT-25648

Lifecycle Coordinator: OAuth version can be selected in the Runtime Configuration

Users can now select an OAuth version (1.0a, 2.0, or both) in the Runtime Configuration.

Support ticket: No related support tickets.

Users with Monitor permissions can view an API's or app's analytics

A user with Monitor permissions, but without Modify permissions, can view an app's or API's analytics and logs. Previously, only users with Modify permissions on an API or app could view its analytics.

Support ticket: No related support tickets.

Providing an APIVersionID when adding an API version is no longer allowed

The API to add an API version (POST /api/apis/{APIID}/version) now returns an HTTP 400 Bad Request error if an APIVersionID is passed in. Previously, the APIVersionID was accepted as input without throwing an error even though it is not a parameter to the API.

Support ticket: SUP-12292

Swagger-based new APIs will take the API version from the Swagger document, if not defined

New APIs based on Swagger documents will have the same version as the Swagger document if the API has no defined version; otherwise, the APIVersionInfo will be used.

Support ticket: SUP-14958, SUPPORT-1141

Enhanced SearchAPI now returns results changed after a certain date

The SearchAPI (/api/search) supports a new query parameter UpdatedFromDate to retrieve objects added or updated after a certain date, for example:

 /api/search?q=(type:app-version)&UpdatedDateFrom=2019-10-11T23:00:00

Support ticket: No related support tickets.

Lifecycle Coordinator: new PromotionProfile property to preserve an existing shared secret at promotion

A new PromotionProfile property, preserve-shared-secret, controls whether the shared secret of an existing app in the target environment is retained at promotion.

The default is false, meaning that the shared secret of an app in the target environment is overwritten by that in the source environment. For detail, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_preserve_shared_secret.

Support ticket: SUPPORT-29124

Lifecycle Coordinator: new PromotionProfile property to control a consumer app's automatic promotion

A new PromotionProfile property, disable-consumer-app-check, controls the promotion of an API's corresponding consumer app, useful if you are using fanout and want to promote the consumer app to one environment but not another. A value of true prevents the automatic promotion of the corresponding consumer app (if any).

For detail, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_disable_consumer_app_check.

Support ticket: SUPPORT-22911

Bug Fixes: 2019.1.2

Lifecycle Coordinator: error trying to enforce unique context paths on import

On import, if the target API setting "Validate Unique Hostname/Context Path" is false, the target no longer tries to enforce uniqueness during promotion.

Support ticket: SUPPORT-29123

Lifecycle Coordinator: Promotion for APIs with multiple access points was mishandled in some cases

APIs on the same deployment zone and with multiple endpoints defined for an implementation were not being promoted correctly. Now, promoting APIs with multiple endpoints works as expected.

Support ticket: SUPPORT-29125

After upgrading to 2019.1.1, the Sign Up page would not load when the phone numbers field was enabled

A regression caused by the upgrade to 2019.1.1 resulted in the failure of new user registration on the developer portal when the phone numbers field was enabled on the Sign Up page.

Support ticket: SUPPORT-28584

API URL path variables XSS vulnerability

A Cross-site scripting (XSS) vulnerability in an API URL path's variables has been fixed.

Support ticket: SUPPORT-28390

OAuth configuration: multiple Third Party OAuth Providers for an API was allowed

When configuring an API's OAuth configuration, adding multiple Third Party OAuth providers was mistakenly allowed. Now, the Test Client allows only one Third Party OAuth Provider for an API in the API OAuth configuration.

Support ticket: No related support tickets.

Swagger generation validation errors for older schemas

Schemas using an older version of the Swagger standard (Draft03) were causing validation errors during Swagger generation.

Support ticket: SUPPORT-28378

Lifecycle Coordinator: Usability updates to devops theme

Various updates have been made to the devops theme for improved usability and to address incorrect behavior, including:

  • The Promotion Requests page is launched when a logged-in user clicks the "home" button.
  • The Promotion Requests page's Environment filters display the correct filtered results.
  • The footer has been replaced with the default footer, which displays the copyright and year.
  • The API request Source API link correctly launches the API Details page.

Support ticket: No related support tickets.

Export logs in developer portal missing the App name

The App column has been added to the transaction usage logs export.

Support ticket: SUPPORT-26414, SUPPORT-1190, SUPPORT-24723, SUPPORT-24203

Mongo data usage stats were being reported incorrectly after upgrade

When upgrading to 2019.0.x, Mongo usage stats were being recorded as the size of the zipped content, rather than the unzipped size.

Support ticket: No related support tickets.

Version 2019.1.1

Bug Fixes: 2019.1.1

Exporting app transaction logs was working incorrectly

App transaction logs were not exporting properly. Now export works as expected.

Support ticket: No related support tickets.

Version 2019.1.0

Key Features: 2019.1.0

Note: The key features here are specific to 2019.1.0 and are not available in earlier 2019.0.x update releases. For features and enhancements also available in 2019.1.0 but delivered in previous update releases, see each update version below.

New Open Banking Client Validation policy to support Open Banking MATLS

A new validation policy has been added to support the Open Banking Mutual Authentication TLS (MATLS) specification. This policy, the Open Banking Client Validation Policy, uses MATLS rather than the client secret for authentication. This is required for the Open Banking Dynamic Client Registration for OAuth.

  • Supports validation of headers added by the load balancer
    For the UK Open Banking Client Validation Policy, the Network Director can now perform OAuth client authentication based on headers added by the load balancer, which routes incoming API requests to a load balancer cluster. The load balancer extracts details of the client certificate and adds them as headers, then routes the request to the Network Director.
  • Uses only certificates with "use" : "tls"
    The UK Open Banking Client Validation Policy with MATLS support uses only certificates with "use" : "tls" from the OB JSON Web Key Sets (JWKS) URL when validating the client certificate.

Support tickets: SUPPORT-23129, SUPPORT-3870, SUPPORT-24612, SUPPORT-26843
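
As an added example (not Akana's implementation) of the two points above, the code below selects only JWKS entries whose "use" is "tls" and matches the certificate forwarded by the load balancer against them by SHA-256 fingerprint. Assumptions: the load balancer places the client's leaf certificate as base64 DER in a header named X-Client-Cert (hypothetical name), and the certificate bytes and JWKS below are constructed placeholders, since only their hashes are compared.

```python
import base64
import hashlib
import json

# Added example, not Akana code. Only JWKS entries whose "use" is "tls"
# count as client certificates; the client is identified from a header the
# load balancer adds. Header name and certificate bytes are constructed.

CONSTRUCTED_TLS_CERT_DER = b"constructed DER bytes of the client's TLS cert"
CONSTRUCTED_SIG_CERT_DER = b"constructed DER bytes of the client's signing cert"

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# Constructed JWKS in the shape the OB directory publishes (x5c chains).
CONSTRUCTED_JWKS = json.dumps({"keys": [
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "x5c": [_b64(CONSTRUCTED_SIG_CERT_DER)]},
    {"kid": "tls-1", "kty": "RSA", "use": "tls", "x5c": [_b64(CONSTRUCTED_TLS_CERT_DER)]},
    {"kid": "none-1", "kty": "RSA", "x5c": [_b64(b"constructed cert without a use")]},
]})

def tls_fingerprints(jwks_json: str) -> dict:
    """Map sha256(leaf DER) -> kid for keys whose use is exactly "tls".

    Entries with use "sig", or with no use at all, are ignored, so a
    signing certificate can never authenticate a TLS client.
    """
    out = {}
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use") != "tls" or not key.get("x5c"):
            continue
        leaf_der = base64.b64decode(key["x5c"][0])
        out[hashlib.sha256(leaf_der).hexdigest()] = key.get("kid")
    return out

def authenticate_client(headers: dict, jwks_json: str):
    """Return the kid of the matching TLS key, or None to reject.

    The header must only be trusted when the request provably came through
    the load balancer that sets it; the edge should drop any copy that
    arrived with the original request.
    """
    presented = headers.get("X-Client-Cert")
    if not presented:
        return None
    try:
        der = base64.b64decode(presented, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return tls_fingerprints(jwks_json).get(hashlib.sha256(der).hexdigest())

if __name__ == "__main__":
    hdrs = {"X-Client-Cert": _b64(CONSTRUCTED_TLS_CERT_DER)}
    print("authenticated as kid:", authenticate_client(hdrs, CONSTRUCTED_JWKS))
```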

Hermosa theme UI header redesigned

The Header for the Hermosa theme has been completely redesigned for improved look-and-feel and usability. Elements of the site are more easily accessible, with dropdown menus for the top-level items, among other improvements. 

Note that this change impacts header customizations, which will need to be ported to the new header. For more information, see Community Manager: Customizing the User Interface and Community Manager: Migration Guide.

Support ticket: No related support tickets

Test Client Enhancements

Test Client has been enhanced to support multiple OAuth policies on a single API and the Aggregate policy.

  • The Aggregate Policy
    The Test Client now includes support for testing APIs with an attached Aggregate Policy that includes policies supported by Test Client. Adding an Aggregate Policy to an API allows the API Admin to set up a scenario where multiple policies are combined into one. For more information, see Test Client security settings: Aggregate Policy on the Akana docs site.
  • Multiple OAuth policies
    If the API supports multiple OAuth providers, you can choose the provider you want to test against. See Test Client security settings: OAuth Policy: Multiple OAuth Provider.

Support ticket: No related support tickets

API version workflow now supports an optional, customized workflow

Custom API version workflows now control the options available on the API Details page. This enhancement includes new API states to control permissions for specified users:
"@ModifyPolicies", "@ModifyDeployments", "@ModifyDebugOptions", "@ModifyOutboundIdentities", "@ModifyExtensionProperties", "@DeleteAPIImplementation", "@ModifyLegals"

Support ticket: No related support tickets

The Charts page within API Analytics has new filters for viewing API and App transactions

The Charts page within API Analytics now includes both charts and logs combined, with filters for viewing both API and App transaction logs and charts. For example, for a specific API, you can filter by all available operations, statuses, and response time. To view transaction log data, use the Load Logs button.
Note: Log information is available only if an auditing policy was attached to the API during the time period.

Support tickets: No related support tickets

Lifecycle Coordinator includes new configuration parameters for the promotion feature

New configuration properties are available in the Akana Administration Console to configure the Lifecycle Coordinator promotion feature. These are:

  • com.soa.promotion: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.
  • com.akana.lifecyclemanager.apiplatform.remote: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.

For detail, see Configuration properties for the Promotion Feature.

Support ticket: No related support tickets

Enhancements: 2019.1.0

Lifecycle Coordinator: Now supports the ability to manage API and app version visibility during promotion

Two new properties now support API and app version visibility when promoting to the target environment. For example, an API's or app's version might be set to Public in the source tenant and Private in the target tenant. These properties are appVersion.visibility and apiVersion.visibility.

Support ticket: No related support tickets.

Lifecycle Coordinator: Runtime Configuration can now specify an OAuth domain for an API

The Runtime Configuration can now select an OAuth domain for use with an API. Then, when an API is created in the developer portal, the OAuth domain will be set on it. Note that OAuth domain scopes cannot be set within the Runtime Configuration.

Support ticket: SUPPORT-5628

Lifecycle Coordinator: Runtime Configuration can now filter by API implementation type

A Runtime Configuration can now filter based on API implementation type, either SOAP or REST.

Support ticket: No related support tickets.

Lifecycle Coordinator: New promotion profile property

A new promotion profile property, preserve-outbound-identities, can be set on a topology to allow saving the existing outbound identities on the target during promotion.

Support ticket: SUP-17125, SUPPORT-1778

The default HTTP 404 error response now considers the Accept header

On a general HTTP 404 "Resource not found" condition, the error response now takes into account the HTTP Accept header from the client, generating a JSON, XML, or HTML (the default) response based on the desired content type. Previously, the error response was always HTML.

Support ticket: SUPPORT-22558, SUPPORT-3903

Akana Administration Console JavaScript library has been updated

The jQuery library used in the Akana Administration Console has been updated to the latest stable and secure version, so that the entire platform now uses jQuery 1.11.3.

Support ticket: SUPPORT-21388

Elasticsearch Scroll API now used, for more effectively returning large numbers of results

The Elasticsearch Scroll API has now been implemented to more effectively return large numbers of results. Previously, the platform iterated through the search results 100 at a time, making it possible to exceed the default index.max_result_window value of 10,000.

Support ticket: SUPPORT-24812, SUPPORT-23905

New optional Business Security setting allows restriction of file types in attachments

The Business Security settings page under Admin > Settings > Security now includes a new option to limit media types allowed for uploading to comments, discussions, tickets, alerts, or reviews. The default allows any media type.

Support ticket: SUPPORT-24292

JOSE Policy v2 with Open Banking 3.1 option now supports adding the charset property to the Accept header

JOSE v2 policies that conform to the Open Banking specification now support adding the character set compatible with the "application/json" in the Accept header, for example: "application/json;charset=utf-8." Previously, adding the character set (charset) to the Accept header resulted in an error.

Support ticket: SUPPORT-26263

Open Banking 3.1 error codes now support enumerated elements in the HTTP Message Validation Policy

Errors generated by an HTTP Message Validation Policy now support enumerated elements, in conformance with Open Banking Implementation Entity (OBIE) requirements.

Now, when a field is defined as an enum in the policy but there is no value for this enumerated field defined in the schema, the policy will return "UK.OBIE.Unsupported.<field_name>" where <field_name> is the supplied enum value that doesn't match the schema's list of valid enum values. Prior to this enhancement, the policy returned "UK.OBIE.Field.Unexpected."

Support ticket: SUPPORT-25161

HTTP Message Validation Policy can now define default behavior for the additionalProperties schema property

The HTTP Message Validation Policy has a new option, "Allow additional properties by default," to control the behavior when an additionalProperties property in a Schema object is not explicitly specified in a Swagger schema. This is useful because the Swagger 2.0 specification is unclear regarding the default value for additionalProperties.

By default, this option is enabled so that all additional properties are allowed.

Support ticket: SUPPORT-25391
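
As an added example (not Akana's policy code) that ties together the HTTP Message Validation Policy items on UK Open Banking 3.1 error codes (the InvalidDate code in 2019.1.4, and the enumerated-element codes, the additionalProperties default option and the documentation URL in 2019.1.0), the validator below emits those codes for a constructed schema and wraps them in an OB-style 400 response. The schema, field names and payloads are constructed; UK.OBIE.Field.Missing is the standard OBIE code for a missing required field.

```python
from datetime import date
import uuid

# Added example, not Akana code: a minimal validator emitting the UK Open
# Banking 3.1 error codes named in these release notes, plus an OB-style
# error body carrying the configurable documentation URL.

OB_DEFAULT_DOC_URL = (
    "https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/"
    "Read+Write+Data+API+Specification+-+v3.1.1"
)

# Constructed Swagger-style schema. additionalProperties is deliberately
# absent so the "Allow additional properties by default" option decides.
CONSTRUCTED_SCHEMA = {
    "type": "object",
    "required": ["AccountId", "ValueDate"],
    "properties": {
        "AccountId": {"type": "string"},
        "ValueDate": {"type": "string", "format": "date"},
        "Status": {"type": "string", "enum": ["Enabled", "Disabled"]},
    },
}

def _is_iso_date(value) -> bool:
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False

def validate_object(payload: dict, schema: dict,
                    allow_additional_by_default: bool = True,
                    path: str = "Data") -> list:
    """Return a list of (error_code, json_path) pairs; empty means valid."""
    errors = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in payload:
            errors.append(("UK.OBIE.Field.Missing", f"{path}.{name}"))
    declared = schema.get("additionalProperties", allow_additional_by_default)
    # A schema object for additionalProperties means "allowed, with a shape".
    allow_additional = declared if isinstance(declared, bool) else True
    for name, value in payload.items():
        spec = props.get(name)
        if spec is None:
            if not allow_additional:
                errors.append(("UK.OBIE.Field.Unexpected", f"{path}.{name}"))
        elif "enum" in spec and value not in spec["enum"]:
            # The supplied value, not the field, names the unsupported thing.
            errors.append((f"UK.OBIE.Unsupported.{value}", f"{path}.{name}"))
        elif spec.get("format") == "date" and not _is_iso_date(value):
            errors.append(("UK.OBIE.Field.InvalidDate", f"{path}.{name}"))
        elif spec.get("type") == "string" and not isinstance(value, str):
            errors.append(("UK.OBIE.Field.Invalid", f"{path}.{name}"))
    return errors

def build_error_response(errors: list, doc_url: str = OB_DEFAULT_DOC_URL):
    """Shape the errors as an OB 3.1 error body; returns (status, body)."""
    body = {
        "Code": "400 BadRequest",
        "Id": str(uuid.uuid4()),
        "Message": "Request validation failed",
        "Errors": [
            {"ErrorCode": code, "Message": f"{code} at {where}",
             "Path": where, "Url": doc_url}
            for code, where in errors
        ],
    }
    return 400, body

def validate_request(payload: dict, schema: dict = CONSTRUCTED_SCHEMA, **options):
    """(200, None) when valid, otherwise the OB error response."""
    errors = validate_object(payload, schema, **options)
    return (200, None) if not errors else build_error_response(errors)

if __name__ == "__main__":
    sample = {"AccountId": "22289", "ValueDate": "31/12/2019", "Status": "Pending"}
    print(validate_request(sample))
```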

HTTP Message Validation Policy: Open Banking 3.1 error response can now be customized

HTTP Message Validation policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For more information, see Creating an HTTP Message Validation Policy on the Akana docs site.

Support ticket: SUPPORT-25156

Akana OAuth/OIDC provider id-token now includes state and openbanking_intent_id claims

The Akana OAuth/OpenID Connect (OIDC) provider now includes the "state" and "openbanking_intent_id" claims in the id_token for the Open Banking consent Hybrid Flow. Prior to this enhancement, these claims were returned only in the access_token.

Support ticket: SUPPORT-25631

JOSE Policy v2: Open Banking 3.1 error response can now be customized

JOSE v2 policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For detail, see Configuring JOSE Security Policy v2 options on the Akana docs site.

Support ticket: SUPPORT-25156

Automation recipes to perform upgrades have been improved

The recipes provided to automate migration to newer versions now support the ability to skip major versions.

Support ticket: No related support tickets.

Elasticsearch can be configured to save the Jetty access log

The Elasticsearch feature now supports the ability to save the Jetty transport access log to the Elasticsearch index. This is controlled through three new properties in the Administration Console under the configuration com.akana.log.elasticsearch:

  • requestLog.enabled: Enables or disables saving the Jetty log to the Elasticsearch index. Default: false
  • requestDataSaver.elasticHost: The host location of the index. Default: http://localhost:9200
  • requestDataSaver.elasticIndex: The name of the index. Default: request-log

Support ticket: No related support tickets.

Cluster Support plug-in has been removed from the product distribution

The deprecated Cluster Support plug-in (com.soa.feature.cluster) has been removed from the product distribution. Instead, use automation recipes for configuring clusters.

Support ticket: No related support tickets.

API group visibility now available for Runtime Configurations

A new classifier API Group Visibility can be set for Runtime Configurations to invite user groups to view an API. For more detail, see "API Group Visibility" in the Runtime Configuration on the Akana docs site.

Support ticket: SUPPORT-5575

Deprecations: 2019.1.0

Elasticsearch Transport Client option is deprecated

The Elasticsearch Transport Client deployment option is deprecated in version 2019.1.0, and will be removed in version 2020.0.0. It is recommended to use the REST Client which communicates to the Elasticsearch server or cluster by accessing a URL.

The Akana OAuth Provider Agent is deprecated

The Akana OAuth Provider Agent feature is deprecated in version 2019.1.0, and will be removed in version 2020.0.0.

It is recommended that customers have a dedicated OAuth container to manage OAuth tokens, as covered in the diagram of recommended deployment: http://docs.akana.com/sp/deployment/deployment_clustered.htm.

Bug Fixes: 2019.1.0

API tags were not being removed in some cases

When all the tags associated with an API were removed using the UI, the tags were not being removed properly. Now, the UI supports deleting all tags.

Support ticket: SUPPORT-22984, SUPPORT-24248, SUPPORT-24385

New error format for OAuth and AtmosphereApplicationSecurity Policies

The OAuth and AtmosphereApplicationSecurity Policies return the faultcode and faultstring in error responses. For example:

{ "faultcode": "Server", "faultstring": "1012116 - Invalid token." }

The previous format was:

{ 1012116 - Invalid token. }

Support ticket: SUPPORT-28149

Regression impacted data masking in Audit Message Policy

A regression, caused by the upgrade of a third-party library, caused masking of JSON audit data to fail in the Auditing Message Policy.

Support ticket: No related support tickets.

Error messages and usage logs now suppress some details to avoid security vulnerabilities

Usage log and error messages now display only generic information, in order to avoid potential security vulnerabilities. Specific errors, including detailed URI information, are still written to the log file for the container instance.

Support ticket: SUPPORT-25000

A JOSE policy JSON Web Key Set URL is now validated against the forward proxy list

When a JWKS URL is used for a JOSE policy, the URL is validated against the forward proxy list on the Admin > Settings > Site page.

It is validated when saving a JWKS URL value on the App OAuth Details page, and also at runtime. Any errors returned at validation do not display the URI or any other information that could be used in a malicious way.

Support ticket: SUPPORT-24999

The List Tickets API did not return tickets for private APIs for some authorized users

The API GET /api/tickets did not return tickets for private APIs for non-admin users with read access to the API.

Support ticket: SUPPORT-26404

HTTP Message Validation Policy did not validate enums on required parameters

Single-value enums used in parameters were being incorrectly handled in some cases, resulting in a failure to validate required parameters in the HTTP Message Validation Policy.

Support ticket: SUPPORT-25295

Domain page was not enforcing Modify and Delete permissions in some cases

For users without modify or delete permissions on a domain, the Modify and Delete buttons were accessible, in some cases. Now, they are not displayed for users without write permissions, and a new "View" button has been added for users with read-only permissions.

Support ticket: SUPPORT-24869

X-Forwarded-Host header vulnerability

In applications that incorporate the use of the X-Forwarded-Host header, it was possible for an attacker to manipulate the host header to forward the request to a different URL.

Now, the logic for getting the base URL for various sub-URLs (such as an avatar) checks that the request URL host matches a virtual host set on the tenant. If it does not match a virtual host, the simple request URL (which does not come from the X-Forwarded-Host header) is used instead.

Support ticket: SUPPORT-20524
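
As an added example (not Akana's implementation) of the base-URL rule above, the function below honours X-Forwarded-Host only when the value is one of the tenant's configured virtual hosts and otherwise falls back to the host of the plain request URL. Assumptions: virtual hosts are compared as exact host[:port] strings, case-insensitively, and only the first comma-separated X-Forwarded-Host value is considered; the tenant and URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not Akana code: resolve the base URL for sub-URLs such as
# avatars without trusting an arbitrary X-Forwarded-Host value.

# Constructed tenant configuration.
CONSTRUCTED_VIRTUAL_HOSTS = ["portal.example.com", "developer.example.com"]

def resolve_base_url(request_url: str, forwarded_host, tenant_virtual_hosts) -> str:
    """Return scheme://host to prefix generated sub-URLs with.

    forwarded_host is the raw X-Forwarded-Host header value (or None).
    It is used only when it matches a configured virtual host; otherwise
    the netloc of the request URL itself is used, so a forged header can
    never redirect generated links to another host.
    """
    parts = urlsplit(request_url)
    virtual_hosts = {h.strip().lower() for h in tenant_virtual_hosts}
    candidate = (forwarded_host or "").split(",")[0].strip().lower()
    host = candidate if candidate in virtual_hosts else parts.netloc.lower()
    return urlunsplit((parts.scheme, host, "", "", ""))

def forwarded_host_accepted(forwarded_host, tenant_virtual_hosts) -> bool:
    """Helper for logging/alerting: did the header pass the virtual-host check?"""
    virtual_hosts = {h.strip().lower() for h in tenant_virtual_hosts}
    candidate = (forwarded_host or "").split(",")[0].strip().lower()
    return bool(candidate) and candidate in virtual_hosts

if __name__ == "__main__":
    req = "https://portal.example.com/api/users/42/avatar"
    for fwd in (None, "developer.example.com", "attacker.example"):
        print(fwd, "->", resolve_base_url(req, fwd, CONSTRUCTED_VIRTUAL_HOSTS),
              "(header accepted)" if forwarded_host_accepted(fwd, CONSTRUCTED_VIRTUAL_HOSTS) else "(header ignored)")
```

A rejected header is worth logging: repeated mismatches from one source are a useful detection signal for host-header tampering attempts.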

Lifecycle Coordinator: Promoting large APIs could time out

When promoting an API with numerous operations, the process could appear to time out, although the API would be promoted successfully. Now, promotion works as expected.

Support ticket: No related support tickets.

Version 2019.0.4

Requires Akana Platform version: 2019.0.3

Enhancements: 2019.0.4

This release includes no enhancements.

Version 2019.0.3

Requires Akana Platform version: 2019.0.2

Deprecations and Requirements Changes

For updated requirements information, see System Requirements for Akana Platform 2019.0.x.

Mongo 3.2

As of this release, Mongo 3.2 is no longer supported.

MySQL 5.7

Announcement of future end of support: Akana support for MySQL 5.7 will end in October 2020.

Oracle 11g

Announcement of future end of support: Support for Oracle 11g will end in December 2020 when Oracle ends its “Extended Support.”

Enhancements: 2019.0.3

Automation scripts support for 2-way SSL authentication

Automation scripts have improved support for Secure Sockets Layer (SSL) mutual authentication.

Support ticket: No related support tickets.

Version 2019.0.2

Requires Akana Platform version: 2019.0.1

Enhancements: 2019.0.2

Improvements in parameter schema handling

The platform has enhanced schema parameter processing for improved Swagger 2.0 support in the API Designer.

Support ticket: No related support tickets.

Version 2019.0.1

Requires Akana Platform version: 2019.0.1

Enhancements: 2019.0.1

New startup environment variable supports Java options

The script startup.sh now takes a new environment variable AKANA_OPTS as an argument, which can be used to configure the container JVM. For example, it can be used to configure AppDynamics, other agents, Java Management Extensions (JMX), Garbage Collector (GC) options, or to add JVM system properties.

Support ticket: SUPPORT-10961

JOSE Policy v2 for Open Banking 3.1 tan header now validates using policy configuration

A JOSE Policy v2 configured for OB 3.1 now validates the tan header using the value configured in the policy, if one exists. If no value for the tan header is provided in the policy configuration, then the header is validated using the static domain value openbanking.org.uk.

Support ticket: SUPPORT-23407