Akana API Platform Release Notes 2019.1


July, 2020

Version 2019.1.19

Document updated on: 2020-07-20 04:38, Pacific Standard Time

Akana 2019.x System Requirements

Upgrading the Akana API Platform from 2018.0.x to 2019.0.x


ZIP distribution updated for 2019.1.0

Product packaging is simplified for this release, to include a single ZIP file containing the latest release, as follows:

  • API Platform ZIP (no JRE): The latest version for both the Akana API Platform and Platform
  • Windows JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Windows
  • Linux JRE API Platform ZIP: The latest version for both the Akana API Platform and Platform, including the Java Runtime Environment (JRE) for Linux

Product versioning to change with first release of 2020

The Akana API Platform and other Akana products will change versioning schemes with the first major release of 2020. All major releases will now follow the scheme "xxxx.1.0" rather than "xxxx.0.0". As a result, the upcoming major release for 2020 will be 2020.1.0, updated in all entries in these release notes as appropriate.

UI customizations

Test all customizations when upgrading.

Hermosa Theme header UI redesigned

See Hermosa Theme header UI redesigned below.

Support for Default Theme to end in 2020.1.0 (first major release of 2020)

Default Theme will be deprecated in 2020.1.0, and will be removed completely in a later version. The current customizations and use of Default Theme will be supported during upgrades to newer versions, until version 2020.1.0. All customers using Default Theme should move to the Hermosa Theme as soon as possible, and migrate any customizations. For example, port header customizations according to Community Manager: Migration Guide and Community Manager: Customizing the User Interface. Other customizations should continue to work, but style customizations are likely to be required.

jQuery to upgrade in 2020.1.0, impacting all Developer Portal pages

jQuery will be upgraded to v3.4.1 from v1.8.3, with the 2020.1.0 release. This version of jQuery will impact all Developer pages in all themes, requiring any customizations to be tested with jQuery v3.4.1. For migration information, see jQuery Core 1.9 Upgrade Guide and jQuery Core 3.0 Upgrade Guide.


Changes Log

Date/release version


  • January, 2020: New entry added for Improperly formatted error code for Open Banking 3.1 could be returned for requests that contained undefined fields.
  • March, 2020: New entry added for bug fix Uploading license and documentation content was not verified.
  • July, 2020: Note regarding behavior added to Removed members of a group could still edit the app, SUPPORT-34630.

Version 2019.1.19

Enhancements: 2019.1.19

New configuration option controls how long connections wait to purge data when closing

A new configuration option has been added in the Administration Console to allow the SO_LINGER time to be set for a listener. This controls how long connections will wait to purge all data when closing. The default was previously set to 30 seconds, which could be too long in some scenarios.

The new property is com.soa.platform.jetty > http.incoming.transport.config.linger. The default is set to 10 seconds.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.19

Anti-Virus policy did not correctly secure platform-provided REST services

When the Anti-Virus policy was attached to services in the Policy Manager or the developer portal and files were uploaded using a platform-based REST API service such as BoardAPI, only one attachment was scanned.

Support ticket: No related support tickets.

Deleting an API's version could fail after import to the wrong tenant

If an API was accidentally imported to the wrong tenant, deleting the API version could fail.

Support ticket: SUPPORT-31886, SUPPORT-34397

Policy Manager: Exception error message detail not displayed

Exception error message detail was sometimes missing in the Policy Manager user interface.

Support ticket: SUPPORT-35094, SUPPORT-33222

Enforcement of whitelisted characters now the default setting for new tenants

The use of whitelist characters in certain user input is enforced by default for new tenants, to prevent cross-site scripting (XSS) attacks. Please see More > Admin > Settings > Security from the developer portal for details.

Support ticket: No related support tickets.

User password policy rules enforced by default for new tenants

The default password rules now require strong passwords for new tenants. In previous versions, strong password requirements were a manual configuration option. See More > Admin > Settings > Password in the developer portal for the password rules.

Support ticket: No related support tickets.

Media types are now restricted in new tenants by default

New tenants in the developer portal are automatically restricted to a default list of allowable media types for file uploads, configurable at More > Admin > Settings > Security. These are: text/plain,image/png,image/jpeg,application/pdf,application/zip

These settings can be changed per tenant.

Support ticket: No related support tickets.

A null value in an audit log message could cause a failed request in some cases

When debug mode is enabled in the developer portal or Configure Message Processing is set to "debug" in the Policy Manager, a null value in an audit log's debug message could cause a request to fail.

Support ticket: SUPPORT-34954

Blocked headers could be passed to the client in some situations

A bug in a third-party configuration library could cause blocked headers to be passed through the Gateway to the client.

Support ticket: SUPPORT-34419

Version 2019.1.18

Enhancements: 2019.1.18

Enabling "Audit Transport" on an auditing policy now captures transport headers

Auditing Service policies that have "Audit Transport" enabled now capture transport headers even if message content auditing is not enabled. Previously, only the transport status code and method were captured.

Support ticket: SUPPORT-22109

Bug Fixes: 2019.1.18

This release includes no bug fixes.

Version 2019.1.17

Enhancements: 2019.1.17

New HTTP Headers Injection policy supports improved security

A new HTTP Headers Injection policy allows you to automatically add specific headers on messages processed by the platform and relayed to the client. These headers can be used to enforce security restrictions. See Using the HTTP Headers Injection Policy on the Akana documentation site.

Support ticket: SUPPORT-28645, SUPPORT-3147

New Jetty configuration properties to control low resource connections

Three new properties on the Jetty transport manage connections, allowing finer control over connection lifetime when processing resources are low. These properties are on the com.soa.platform.jetty configuration category:

  • http.incoming.transport.config.maxIdleTime: The default maximum number of milliseconds that a connection can remain idle before it is closed. Default: 200000
  • http.incoming.transport.config.lowResourceIdleTime: The number of milliseconds that a connection can remain idle when server resources are low. A value of -1 disables low resource checking. This is triggered when the number of active connections reaches the limit set by lowResourcesConnections. Default: -1
  • http.incoming.transport.config.lowResourceConnections: The number of connections that will result in a low resource condition, expressed as a percentage of the listener thread pool size. This is used only when lowResourceIdleTime is > 0. Default: 100

Support ticket: No related support tickets.

Bug Fixes: 2019.1.17

The OAuth Client Policy could send requests with invalid scopes downstream

If the OAuth Client Policy was configured with an invalid scope, the response came back invalid, but the request was still sent downstream. Now the request is rejected, and an error is returned.

Support ticket: No related support tickets.

Disabling CRL check did not disable certificate checking for HTTP requests in Policy Manager

Disabling the Certificate Revocation List (CRL) check by setting com.soa.crl.enabled to false did not disable X.509 certificate checks.

Support ticket: SUPPORT-33284

Sending SNMP Host alerts could fail when using MongoDB

Simple Network Management Protocol (SNMP) alerts were not being sent when using a MongoDB database. SNMP alerts on MongoDB now work as expected.

Support ticket: SUPPORT-33744

Version 2019.1.16

Enhancements: 2019.1.16

This release includes no enhancements.

Bug Fixes: 2019.1.16

API Consumer Application Security Policy failing with certain characters

The API Consumer Application Security Policy was not working as expected if the message included certain ISO 8859 characters.

This policy now supports a user-configured character set for decoding query parameter values. If a user-configured character set is not provided, the policy uses UTF-8.

Support ticket: SUPPORT-33766

HMAC signature verification failing with empty parameters

The API Consumer Application Security Policy was failing to perform HMAC signature verification if the message included query parameters with no values.

Support ticket: SUPPORT-33765

Version 2019.1.15

Enhancements: 2019.1.15

This release includes no enhancements.

Bug Fixes: 2019.1.15

Incorrect API selected if the context path was the same in both Policy Manager and the developer portal

APIs with the same context path in both Policy Manager and the developer portal were not being correctly targeted. To address this problem, the following properties have been removed from the Akana Administration Console > Configuration page:

  • Configuration category com.soa.binding.http: removed property http.in.binding.virtualhost.endpoint.selection.strict
  • Configuration category com.soa.binding.soap: removed property soap.in.binding.virtualhost.endpoint.selection.strict

Support ticket: SUPPORT-33428

Requesting API access could be delayed or could time out

On the API Access page, retrieving apps to request access could be delayed or could time out, depending on the number of apps available for that user. Performance has now been improved.

Support ticket: SUPPORT-33346, SUPPORT-1164

Version 2019.1.14

Enhancements: 2019.1.14

OAuth Client Policy now logs errors returned from downstream token provider

The OAuth Client Policy has been enhanced to save the error returned by the downstream token provider in the container log.

Support ticket: SUPPORT-24799

New recipe admin-console.json for increased security

A new recipe is now included by default in the recipes directory, admin-console.json, including the following properties:


Support ticket: No related support tickets.

Metrics API enhanced to include the total request and total response size

The metrics API that returns metrics for a specified API version, GET /api/apis/versions/{APIVersionID}/metrics, now returns totalRequestSize and totalResponseSize for the response message, representing the aggregated request and response size.

Support ticket: SUPPORT-22176

The Test Client now supports HTTP Security Policy with Basic Authentication

When a user is testing in Test Client, in the context of the app, the API, or the API documentation, Test Client no longer prompts for authentication credentials.

Support ticket: SUPPORT-30657

The JOSE Security Policy v2 now supports Appendix F of the JWS Specification to support UK Open Banking

A new checkbox “Enforce Appendix F” is displayed when choosing Unencoded Detached Payload as the Provider role in the JOSE Security Policy v2. Selecting this checkbox applies Base64 encoding to the payload and removes the Base64 JWS header, as defined in the Appendix F (Detached Content) section of the JWS specification (RFC-7515).

Support ticket: SUPPORT-27722
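
The following is an added example, not Akana code. It contrasts the two detached-payload modes this option appears to switch between: the RFC 7797 unencoded payload, signalled by the b64 header parameter, and RFC 7515 Appendix F, where the payload is base64url-encoded for signing and no b64 parameter is sent. Reading "the Base64 JWS header" as the b64 header parameter is an assumption, as are HS256, the key and the sample body.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    """Base64url without padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Decode unpadded base64url; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(header_b64, header, payload):
    """Build the bytes that are signed, as selected by the protected header."""
    if header.get("b64", True) is False:
        # RFC 7797: the raw payload bytes follow the dot.
        return header_b64.encode("ascii") + b"." + payload
    # RFC 7515, including Appendix F: the payload is base64url-encoded first.
    return (header_b64 + "." + b64url(payload)).encode("ascii")


def sign_detached(payload, key, unencoded=False):
    """Return header..signature; the payload travels separately (HTTP body)."""
    header = {"alg": "HS256"}  # HS256 is this example's choice (stdlib only)
    if unencoded:
        header.update({"b64": False, "crit": ["b64"]})
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, signing_input(header_b64, header, payload), hashlib.sha256)
    # Detached content: the middle (payload) segment is left empty.
    return header_b64 + ".." + b64url(mac.digest())


def verify_detached(jws, payload, key):
    """Verify a detached JWS against the exact bytes received as payload."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not a detached compact JWS
    header_b64, _, signature = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        supplied = b64url_decode(signature)
    except ValueError:
        return False
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    # Reject critical parameters this verifier does not understand.
    crit = header.get("crit", [])
    if not isinstance(crit, list) or any(name != "b64" for name in crit):
        return False
    # This example insists that b64=false is also listed in crit.
    if header.get("b64", True) is False and "b64" not in crit:
        return False
    expected = hmac.new(
        key, signing_input(header_b64, header, payload), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample key
    body = b'{"Data":{"Amount":"10.00"}}'      # constructed sample body
    for mode in (False, True):
        jws = sign_detached(body, key, unencoded=mode)
        print("unencoded" if mode else "appendix-f", jws,
              verify_detached(jws, body, key))
    # The signature covers exact bytes: a re-serialized body no longer verifies.
    print(verify_detached(sign_detached(body, key),
                          b'{"Data": {"Amount": "10.00"}}', key))
```

The signature covers the exact payload bytes in both modes, so verification has to run on the body as received, before any JSON parsing and re-serialization.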

Developer portal now supports searching extended metadata in Lifecycle Repository APIs, apps, and users

In the developer portal, searching APIs, apps, and users now indexes Lifecycle Repository metadata. To enable metadata search for existing data, delete the indices for APIs, apps, and users and then reindex the objects.

For example, assuming localhost:9200, first delete the indices:

$ curl -XDELETE 'localhost:9200/default_api'
$ curl -XDELETE 'localhost:9200/default_app'
$ curl -XDELETE 'localhost:9200/default_user'
$ curl -XDELETE 'localhost:9200/default_metadata'

Then, run the query:

delete from INDEX_STATUS where OBJECTTYPE in ('api', 'app', 'user');

Support ticket: No related support tickets.

Deprecation Notices: 2019.1.14

Legacy OAuth client functions deprecated

The legacy functions ApplicationAPI#saveAppOAuthClient71Properties and ApplicationAPI#getAppOAuthClient71Properties are deprecated with this release and will be removed from the product in 2020.1.0. Clients should instead use functions ApplicationAPI#saveAppOAuthClientProperties and ApplicationAPI#getAppOAuthClientProperties.

Support ticket: SUPPORT-32433

Bug Fixes: 2019.1.14

The API Access Wizard created a Live connection even when Sandbox was selected

When choosing the implementation for API access, a selection of either Sandbox or Live both resulted in the creation of a live connection. Selecting Sandbox now works as expected.

Support ticket: SUPPORT-33334

Creating API tags with special characters could return a search error

Some special characters in API tags could return errors when conducting a search. For example, using "&" in a tag, then attaching the tag to an API and running a search for that API would return a search error. Special characters are now escaped in tags.

Support ticket: SUPPORT-32890

OAuth Client Policy token caching problem

The OAuth Client Policy could send expired security tokens downstream. This policy now works as expected, and an unused property com.akana.oauth.client.server.config.cacheInvalidateTime has been removed.

Support ticket: SUPPORT-32528

HTTP Message Validation Policy: leading zeros could be stripped

For the HTTP Message Validation Policy, query parameters with leading zeros are now treated as a string if defined as a string in the schema.

Support ticket: SUPPORT-27423

JavaScript issues

Large JavaScript files could return code generation and compiler evaluation errors

Very large JavaScript files could result in evaluation error "generated bytecode for method exceeds 64K limit."

JavaScript issues after upgrading from 8.2

After an upgrade from Akana Platform 8.2, issues could occur when setting downstream request query parameters, as the parameters must be of type String[]. To address this, the configuration properties com.soa.rhino.scriptengine and rhino.java.class.shutter.blacklist now allow access to the class java.lang.reflect.Array.

Support ticket: SUPPORT-33294

The Business Metrics Policy in Envision reports "success" for HTTP response codes less than 300

Any endpoint response with a status code less than 300 is now considered a "Success" rather than an "Error" when the Business Metrics Policy is attached to the API with a dimension that pulls the HTTP Status operational metric. Previously, only 200 response codes were considered "Success."

Support ticket: SUPPORT-31550

New API versions defaulted to public visibility, even for APIs with a "private" visibility setting

When a new version of an API was created, even if the existing API had a visibility setting of "private," the new version had a default visibility of "public." The appropriate visibility based on the tenant API settings is now used.

Support ticket: SUPPORT-31062

API policy assignments could occur outside of a tenant

API policy assignments could occur across tenants in some cases. To avoid accidental policy assignment outside of a tenant, a policy visibility check has been added to an API before policy assignment.

Support ticket: SUPPORT-30530

Alert emails were not processed correctly in some cases

Alerts were not always sent to all members of a configured email group and could sometimes generate an error.

Support ticket: SUPPORT-32876

Creating a SOAP-based API in the developer portal could fail

Creating a SOAP-based API in the developer portal could fail when an API had been deleted and then recreated. This was caused by a SOAP service's nested aggregate policy configuration that was not being deleted.

Support ticket: SUPPORT-30607

Elasticsearch timeout setting could result in errors

Invalid property keys could result in an incorrect timeout setting in Elasticsearch. The property keys have been updated as follows:

  • Previous value: elastic.rest.client.socketTimeout; updated value: elastic.client.socketTimeout
  • Previous value: elastic.rest.client.connectTimeout; updated value: elastic.client.connectTimeout

Support ticket: No related support tickets.

Business Metrics Policy in Envision did not correctly capture some defined dimension properties

When using the Business Metrics Policy in Envision, creating custom data sets to capture the StatusCode dimension was returning a constant (OPSMAPPING#request.statuscode) value rather than an actual numeric status code, such as 200 or 500. Now, the StatusCode operational dimension correctly returns the numeric HTTP Status Code.

Support ticket: SUPPORT-31450

Version 2019.1.13

Enhancements: 2019.1.13

This release includes no enhancements.

Deprecation Notices: 2019.1.13

Support for the Akana OAuth Provider Agent feature to end in 2020.1.0

The Akana OAuth Provider Agent feature is deprecated as of this release, and will be removed from the product in 2020.1.0.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.13

Notifications in the developer portal displayed only the first 100

When viewing notifications in the developer portal, clicking "See all ... notifications" displayed only the first 100. Now, the UI has an infinite scrollbar to view any number.

Support ticket: SUPPORT-30184

Test Client authorization headers were being stripped

In the Test Client, authorization headers that contained multiple authentication schemes were being stripped, causing downstream APIs to reject the request.

Support ticket: SUPPORT-32731

Uploading large numbers of certificates generated an Oracle error

When uploading more than 1,000 certificates to the platform's trust store, an Oracle error ORA-01795 was returned. Now, uploading a large number of certificates works as expected.

Support ticket: SUPPORT-32524

Group workflow constant variables updated

Some group constants used in the team workflow template were modified to match the values expected by the backend:

  • Previous value: <!ENTITY GroupLeaders "role.group.leader" >; updated value: <!ENTITY GroupLeaders "role.group.leaders" >
  • Previous value: <!ENTITY GroupAdmins "role.group.admin" >; updated value: <!ENTITY GroupAdmins "role.group.admins" >
  • Previous value: <!ENTITY GroupMembers "role.group.member" >; updated value: <!ENTITY GroupMembers "role.group.members" >

Support ticket: SUPPORT-30688

Version 2019.1.12

Enhancements: 2019.1.12

Developer Portal: API endpoints are now searchable

Support has been added for both partial endpoint and complete endpoint search. To search for a complete endpoint, use surrounding double quotes, for example, "https://example.com/v1".

To enable endpoint searching, delete the indices for "api" and "metadata", then reindex the api objects. For example, using localhost:9200, first delete the indices:

$ curl -XDELETE 'localhost:9200/default_api'
$ curl -XDELETE 'localhost:9200/default_metadata'

Then, run the query:

delete from INDEX_STATUS where OBJECTTYPE ='api';

Support ticket: SUP-16590

Dynamic deployment of internationalized/localized error messages

Messages can now be customized dynamically for internationalization or localization.

Place the relevant properties files in the deploy directory of a container. Each file must be named according to the pattern com.akana.messages-<qualifier>.cfg, where <qualifier> is a unique string used to identify this particular file. The file is a normal Java properties file containing <key>=<string> pairs. A special key named "_locale" can be used to specify the locale for the messages.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.12

Network Director: Asynchronous error messages processing could be slow

For batch messages processed asynchronously, reply message processing could experience a slowdown with overhead limit errors. This could occur when configuration limits were reached, which would result in connections being closed. The behavior has been changed to reduce the likelihood that connections will be closed unnecessarily.

Support ticket: No related support tickets.

HTTP Caching Policy generated errors when Hazelcast was disabled

When the Hazelcast framework is disabled (the default), the HTTP Caching Policy resulted in errors "timeToIdle can't be negative" and "MaxEntriesLocalHeap is not compatible with MaxBytesLocalHeap set on cache."

These occurred because, when Hazelcast is disabled, the platform falls back to using EhCache for local node caching, which requires that the TimeToIdle attribute be -1 by default. Now the HTTP Caching Policy works as expected when Hazelcast is disabled.

Support ticket: SUPPORT-32438, SUPPORT-31249

When creating a new user, an error message is returned if AcceptedAgreementID is set

When a Site Admin creates a new user, the admin cannot set the field AcceptedAgreementID; rather, the user accepts the agreement and the value of this property is returned in the response message. If an attempt is made to explicitly set this value during new user creation, an HTTP error message "Status 400 (Bad Request)" is returned.

Support ticket: SUPPORT-32224

Removed members of a group could still edit the app

A member removed from a group could continue to access and modify an app if logged on when removed and still logged on afterward. Now, an "Unauthorized" error is returned if the removed user tries to modify or delete the app.

Note: When user groups are modified, all the access tokens for the user are invalidated and the portal's API response returned to the client includes header Atmo-Renew-Token: renew. In this case, API REST clients should renew the token using the POST /api/login/renewToken operation.

Support ticket: SUPPORT-22375, SUPPORT-34630

API Designer did not correctly display type form-urlencoded requests for OAS 3.0

For APIs using Open API Specification 3.0, a request body with a Content-type of form-urlencoded did not correctly display in the API Designer, JSON Schema Editor, or the Documentation page of an API.

Support ticket: SUPPORT-29018

API Access Wizard's Select App page now has an autocomplete field for the app name

The API Access Wizard has been redesigned to improve performance. Now, on the Select App tab, the table displaying all apps has been replaced by a text box in which you can enter the app name.

Support ticket: No related support tickets.

APIs with no version now default to "1"

On the API Advanced Options page, the Version ID can be customized. If no value is provided, the Version ID now defaults to 1. Prior to 2019.1.12, it defaulted to v1 or 0.0.0.

Support ticket: No related support tickets.

Version 2019.1.11

Enhancements: 2019.1.11

New security settings allow Site Admin to restrict the characters allowed in platform input fields

Two new settings have been added in the developer portal (Admin > Settings > Security) as a security feature. The first allows the Site Admin to restrict characters that are allowed in certain platform input fields such as app, API, and group Name, Summary, and Description fields and forum discussions and tickets, to help prevent cross-site scripting attacks.

If this setting is enabled, default characters that are always allowed are: alphanumeric characters, comma, period, hyphen, and space. The second field allows the Site Admin to specify additional characters that are allowed.

Support ticket: No related support tickets.

New configuration property to enable / disable cipher suite preference order

A configuration property has been added to enforce strict ordering of cipher suites in HTTPS listeners. This allows the server to dictate the order of cipher suites offered to clients, improving the security profile of these listeners.

The new property, in the com.soa.platform.jetty configuration category, is: http.incoming.transport.config.useCipherSuitesOrder.

Support ticket: SUPPORT-26735

Added ability to prevent Network Director from calling loopback/localhost address

The ability to block outbound traffic to classes of addresses has been added. There are two new configuration properties for this, in the com.soa.http.client.core configuration category:

  • address.validation.enable = true enables the feature.
  • address.validation.blacklist configures the classes of addresses that will be blocked. It is a comma-separated string that can include the values loopback (to block all loopback addresses), multicast (to block any multicast addresses), and anylocal (to block the wildcard address).

Support ticket: SUPPORT-31243
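
The following is an added example, not the platform's implementation. It shows how a comma-separated class list like address.validation.blacklist can be evaluated against the addresses a target host resolves to. The mapping of the three class names to Python's ipaddress checks, the function names and the sample addresses are assumptions of this example.

```python
import ipaddress

# The class names are the three values the release note lists; how each one
# is tested here is this example's assumption.
CLASS_CHECKS = {
    "loopback": lambda ip: ip.is_loopback,      # 127.0.0.0/8 and ::1
    "multicast": lambda ip: ip.is_multicast,    # 224.0.0.0/4 and ff00::/8
    "anylocal": lambda ip: ip.is_unspecified,   # wildcard: 0.0.0.0 and ::
}


def parse_blacklist(value):
    """Turn the comma-separated property value into a set of class names."""
    names = {part.strip().lower() for part in value.split(",") if part.strip()}
    unknown = names - set(CLASS_CHECKS)
    if unknown:
        # Fail closed on a typo instead of silently blocking nothing.
        raise ValueError("unknown address class: " + ", ".join(sorted(unknown)))
    return names


def normalize(address):
    """Parse an IP literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # Classify the embedded IPv4 address, so a mapped loopback address
        # is treated the same as its plain IPv4 form.
        return ip.ipv4_mapped
    return ip


def blocked_class(address, blacklist):
    """Return the blacklisted class an address falls in, or None."""
    ip = normalize(address)
    for name in sorted(blacklist):
        if CLASS_CHECKS[name](ip):
            return name
    return None


def check_target(resolved_addresses, blacklist, enabled=True):
    """Decide whether an outbound call may proceed.

    resolved_addresses is every address the target host name resolved to;
    the check runs on addresses, never on the host name string.
    Returns (allowed, hits), where hits lists (address, class) matches.
    """
    if not enabled:
        return True, []
    hits = []
    for address in resolved_addresses:
        name = blocked_class(address, blacklist)
        if name is not None:
            hits.append((address, name))
    return (not hits), hits


if __name__ == "__main__":
    blacklist = parse_blacklist("loopback, multicast, anylocal")
    # Constructed sample: host names with the addresses a resolver returned.
    samples = {
        "api.example.com": ["192.0.2.10"],
        "internal.example.com": ["192.0.2.10", "127.0.0.1"],
        "mapped.example.com": ["::ffff:127.0.0.1"],
        "wildcard.example.com": ["0.0.0.0"],
    }
    for host, addresses in samples.items():
        print(host, check_target(addresses, blacklist))
```

The wildcard address is a separate class from loopback, so it is blocked only when anylocal is listed as well.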

New classifier, preserve-existing-policies, in Runtime Configuration

A new classifier, preserve-existing-policies, has been added to Runtime Configuration.

In previous versions, if the run-on-updates classifier was set to true, and there were updates to the API's properties, existing policies were not overwritten. With the new classifier included and set to false, the policies attached to the API are overwritten.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.11

Test Client: error returned when testing resource with PATCH method

Test Client returned an error when testing an API that used the PATCH HTTP method.

Support ticket: SUPPORT-29669

Pages in a theme cloned from Hermosa were throwing errors after deletion of the main Hermosa theme

When a new theme was created based on the out-of-the-box Hermosa theme, deleting the out-of-the-box Hermosa theme caused errors.

Support ticket: No related support tickets.

For a custom theme based on Hermosa theme, URLs in email notifications were incorrect

If a new custom theme was created based on out-of-the-box Hermosa theme, URLs included in notification emails, such as "forgot password" links, were not correct for the theme.

Support ticket: No related support tickets.

In the API Designer, could not change Default Media Type field

In the API Designer, the Default Media Type field has a default of "Any in and out" with a drop-down selection list of media types. If the user chose a different default media type, the change was not saved.

Support ticket: SUPPORT-31701

Verbose error messages

System error messages returned by the platform were modified to be less verbose, for security reasons.

Support ticket: No related support tickets.

Version 2019.1.10

Enhancements: 2019.1.10

This release includes no enhancements.

Bug Fixes: 2019.1.10

Under certain circumstances, an attempt was being made to retrieve a private key from a configured HSM

In 2019.1.8, a regression was introduced affecting external keystores (HSM). As a result, when trying to provision a service with PKI information in the external keystore, an attempt was being made to retrieve the private key, causing an exception and failure to deploy the associated service.

Support ticket: SUPPORT-32189

Version 2019.1.9

Enhancements: 2019.1.9

This release includes no enhancements.

Deprecation Notices: 2019.1.9

Support for the legacy Add/Edit API Wizard to end in 2020.1.0

The legacy Add/Edit API Wizard, deprecated in version 8.0, will be removed from the product with the 2020.1.0 release. This wizard was replaced by the current Add API feature.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.9

Performance improvements to prevent errors when exporting usage data

Errors could occur during the export of usage data filtered for a long duration or interval, resulting in the inability to cancel a pending report. Performance improvements have been made to address this, changing the default values of two properties in the com.soa.reports.export configuration category in the Administration Console as follows:

  • usagelog.export.dao.blockSize: previous default 10000; current default 200
  • usagelog.export.dao.nosql.blockSize: previous default 10000; current default 200

Support ticket: SUPPORT-9927, SUPPORT-11041, SUPPORT-23930, SUPPORT-24819

Initial Elasticsearch index creation used default template mappings

When the setting action.auto_create_index is true (the default) for REST-based APIs, Elasticsearch's first-time index creation was using default template mappings rather than the defined mappings. Now, the product checks to see if an index has already been created before indexing any objects, regardless of this auto-creation setting.

Support ticket: No related support tickets.

Uploading license and documentation content was not verified

Uploaded file types were not restricted in the license and documentation sections of an API. Now uploading files in any area of the platform validates the content type against a whitelist of allowable media types defined under More > Admin > Settings > Security.

Support ticket: SUPPORT-29653

Version 2019.1.8

Enhancements: 2019.1.8

New logging category to record internally generated HTTP request errors

A new logging category has been introduced to capture internally generated HTTP request errors that may occur when matching a request to an operation or service. The default name for the new category is http.request.error.

When this category is set to WARN, the container application log will contain an entry for every generated error in NCSA Common log format. Note that the previous Jetty-specific configuration (com.soa.platform.jetty > default.error.handler.logError) is no longer used.

Support ticket: SUPPORT-25390

Deprecations: 2019.1.8

Support for OpenID domain to end in 2020.1.0

The developer portal migrated from OpenID to OpenID Connect in a much earlier version, 7.2.3. Support of the legacy OpenID Relying Party domain will be completely removed in 2020.1.0. Any existing legacy domains should be migrated appropriately.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.8

For services with multiple HTTPS ports, SNI configuration not always picked up

Services that have multiple ports (access points) can have different connection properties on each one. In a scenario where a service had multiple HTTPS endpoints but only one had the use.service.identity.for.inbound configuration property set, the SNI configuration was not picked up, because the SNI deployer code was only checking the first HTTPS port for the configuration setting.

The platform now deploys SNI information if any port has this configuration set to true.

Support ticket: No related support tickets.

Oracle database error when retrieving monitoring details for 1,000+ organizations

An Oracle IN condition query could return Oracle Database Error ORA-01795. This occurred during requests to access an API or its board, when requesting monitoring details for more than 1,000 organizations.

Support ticket: SUPPORT-30923, SUPPORT-31576

UserName field added to Elasticsearch

A UserName field is now available for Elasticsearch, addressing errors in search logs pertaining to "Cannot search on field [Name] since it is not indexed."

To enable the UserName search and clear the errors in the Elasticsearch logs, delete the indices for user, apiversion, and app-versions, and then reindex the objects. An example of the steps, using localhost:9200, is shown below:

1. $ curl -XDELETE 'localhost:9200/default_user'

2. $ curl -XDELETE 'localhost:9200/default_apiversion'

3. $ curl -XDELETE 'localhost:9200/default_app-version'

4. Run query "delete from INDEX_STATUS where OBJECTTYPE in ('user', 'apiversion', 'app-version');"

Support ticket: No related support tickets.

Support added for complex types when editing non-body parameter data types in the API Designer

When editing a non-body request parameter type (such as a query, header, or path), all defined types, including complex types, are now available from the data type dropdown. Previously, the dropdown displayed only primitive types.

Support ticket: No related support tickets.

Updated tooltip and label in Business Security Settings UI

The tooltip and UI label for "Limit file types allowed for upload" on the site settings Security Settings page have been updated to clarify that this setting applies to all uploaded files, not just those uploaded to Comments.

Support ticket: No related support tickets.

Version 2019.1.7

Enhancements: 2019.1.7

Default timeouts have been increased for long-running tasks

To prevent long-running provisioning tasks from timing out, default timeouts have been increased. This will prevent timeout errors while using various automation scripts.

Support ticket: SUPPORT-30328

Bug Fixes: 2019.1.7

Unauthorized access of some objects' workflows

In some cases, users could access the workflow of an object, even if the user was not authorized to see the object itself. Now, a user can retrieve the workflow document or actions only if that user is authorized to see the object it's associated with.

Support ticket: SUPPORT-25079

Latency issues in the developer portal

Some APIs were experiencing latency in the developer portal. To address these issues, new caching mechanisms and indices have been added to the product, and some redundant calls to the federation support have been removed.

Support ticket: SUPPORT-30524

Regression impacting site admin permissions

Site administrators were unable to view or edit the profiles of other tenant users, a regression introduced in 2019.1.6. Site admins now have proper permissions.

Support ticket: SUPPORT-31774

Stored Cross-site Scripting (XSS) vulnerabilities addressed

Analysis of the code base, and subsequent improvements to remove cross-site scripting (XSS) vulnerabilities, are ongoing. This release adds extra XSS validations for API Implementation updates, whether made through direct use of an API or through the UI.

Support ticket: SUPPORT-29654

Version 2019.1.6

Enhancements: 2019.1.6

DevOps Theme now includes Forgot Password flow

A "Forgot Password?" workflow is now supported in the DevOps Theme. The feature follows the standard "forgot password" flow, prompting the user for an email address, sending the user a code, then providing a way for the user to reset the password.

Support ticket: No related support tickets.

Network Director: Existing clusters now supported by recipe that registers a container and creates a cluster

Automatic container registration combined with cluster creation is now supported in the Network Director. Prior to this, using the register.container recipe to register a container and create a cluster could fail if the cluster already existed.

Support ticket: SUPPORT-27439

Hazelcast framework disabled by default

In order to reduce system overhead when not in use, the Hazelcast framework is now disabled by default. To enable Hazelcast, set hazelcast.instance.manager.enable to true in the configuration com.soa.grid.

Support ticket: No related support tickets.

New user workflow reserved action to notify users when an account is activated

A new reserved action, @UserActivated, has been added to send a notification to a user when the Site Admin activates that user's account.

Notifications are not sent by default, however. To take advantage of this action, uncomment line 834 in the default user workflow:

<!-- <common-action id="19" /> -->

For specifics, see http://docs.akana.com/cm/workflow/08_user_wf.htm#user_ra_18.

Support ticket: SUPPORT-29675

Bug Fixes: 2019.1.6

Character set added to the Content-Type header for policy enforcement errors

Error responses generated by policy enforcement violations in the developer portal now include the character set in the response Content-Type header. In addition, if a matching Accept header includes a character set, that character set will be used in the response. If that character set is unsupported, then UTF-8 will be used.

Support ticket: SUPPORT-29960

With auditing enabled for an API operation, detailed auditing could fail to record some data

If Audit is checked in the Process Editor's Invoke Activity dialog and the API is set for detailed auditing, the downstream auditing logic was not properly handling faults. This could cause detailed auditing to fail to record any data for an exchange with a fault response.

Support ticket: SUPPORT-30854, SUPPORT-30943

HTML-encoded HEX and DEC numbers in a Markdown link could result in XSS vulnerability

A cross-site scripting security vulnerability was possible for HTML-encoded hexadecimal and decimal numbers that appeared in a Markdown link.

Now, existing HEX and DEC numbers are no longer converted to clickable Markdown links, and, if edited and saved, will return a validation error.

Validation is performed against the keywords in the "Keywords for cross-site scripting prevention" list in Admin Security Settings.

Support ticket: SUPPORT-24490

Deleting SOAP-based APIs with aggregate policies could fail

Deleting SOAP-based APIs with aggregate policies in the developer portal was failing in certain scenarios.

Support ticket: SUPPORT-30836

Referer headers use UUIDs from randomly generated keys

The universally unique identifiers (UUIDs) in referer headers are now all based on randomly generated keys, following the UUID version 4 standard, for improved security. The previous UUID version could leak sensitive information.

Support ticket: SUPPORT-28639
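
A way to check captured Referer values for UUIDs that are not version 4, as an added example (not Akana code). The notes do not say which UUID version was used before, so the script reports any non-version-4 UUID and decodes version 1 fields as one well-known case of embedded information. The portal URLs and UUIDs are sample values, not taken from any deployment.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")

# Version 1 timestamps count 100 ns ticks from the start of the
# Gregorian calendar, not from the Unix epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Sample Referer values (hypothetical host and paths).
SAMPLE_REFERERS = [
    "https://portal.example.com/#/api/3f2b8c1e-9d4a-4e6b-8a1f-5c7d2e9b0a13/details",
    "https://portal.example.com/#/app/f81d4fae-7dec-11d0-a765-00a0c91e6bf6/overview",
]


def describe_uuid(text):
    """Return the version of a UUID and, for version 1, what it embeds."""
    u = uuid.UUID(text)
    info = {"uuid": str(u), "version": u.version, "random": u.version == 4}
    if u.version == 1:
        # 60-bit timestamp: when the identifier was generated.
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        # 48-bit node: usually a network interface address of the generator.
        info["node"] = ":".join("%02x" % b for b in u.node.to_bytes(6, "big"))
        # A set multicast bit means the node was randomly generated
        # rather than copied from hardware.
        info["node_is_random"] = bool((u.node >> 40) & 1)
    return info


def audit_referers(referers):
    """Return one finding per UUID in the Referer values that is not version 4."""
    findings = []
    for value in referers:
        for match in UUID_RE.findall(value):
            info = describe_uuid(match)
            if not info["random"]:
                info["referer"] = value
                findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in audit_referers(SAMPLE_REFERERS):
        print(finding)
```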

Generated OpenAPI 3.0 documentation was missing some enum values and did not properly support compound keywords

Support was added in 2019.1.5 for API documentation based on OpenAPI 3.0, in addition to Swagger 2.0. OpenAPI 3.0 schemas of type allOf, oneOf, and anyOf were not being handled correctly, in addition to references to primitive types with enums. Now, generated API documentation based on OpenAPI 3.0 works as expected.

Note: The API documentation supports properties specific to the selected version, either OpenAPI 3.0, or Swagger 2.0. Any property not supported in a particular version will also not be supported in that version of the API documentation.

Support ticket: No related support tickets.

Fix for potential XSS security vulnerability

A fix has been added that prevents malicious content included in the request host from being displayed in generated HTML content.

Support ticket: SUPPORT-25658

Some nested scopes were not being displayed

After moving a scope elsewhere in the hierarchy, some nested scopes were not being displayed in the UI.

Support ticket: SUPPORT-2857

Version 2019.1.5

Enhancements: 2019.1.5

Database support: MongoDB 3.6.16

MongoDB 3.6 support has been extended to include 3.6.16.

Support ticket: No related support tickets.

Database support: Oracle 19c

With this release, support has been added for Oracle 19c.

Support ticket: SUPPORT-27807, SUPPORT-29789, SUPPORT-29790, SUPPORT-30531

Generated OpenAPI 3.0 documentation

Generated API documentation can now be based on OpenAPI 3.0, as well as Swagger, with the option to switch between Swagger 2.0 and OpenAPI 3.0.

Support ticket: No related support tickets.

New jetty configuration property to control general errors written to the container log file

A new configuration property, default.error.handler.logError, has been added to com.soa.platform.jetty. A value of true adds general errors to the container log file. The default is false.

Support ticket: SUPPORT-25390

Error messages are uppercased appropriately for UK Open Banking 3.1 specification

To comply with the UK Open Banking 3.1 specification, error message field names are now properly uppercased.

Support ticket: SUPPORT-29912

Trusted CA services enhanced

Trusted CA services have been enhanced to support expiration dates for certificates and to allow their removal.

Support ticket: SUPPORT-1001

Bug Fixes: 2019.1.5

Audit Message Policy did not capture partial messages for basic auditing

Partial message capture using the Audit Message Policy was not appearing in the Policy Manager Console unless detailed auditing was enabled. Partial messages will now be captured for basic auditing as well.

Support ticket: No related support tickets.

Tenant cache refresh could result in portal containers going offline

On refresh of the tenant cache, the portal containers could go offline in certain circumstances. Now, refresh works as expected, and any change to tenant or tenant business properties is immediately reflected.

Support ticket: No related support tickets.

Possible race condition in SNI certificate deployment

A potential race condition in the Server Name Indication (SNI) certificate deployment logic has been resolved. The race condition could result in the container certificate, rather than the service certificate, being sent to clients.

Support ticket: SUPPORT-30451

Cross-Site Scripting security vulnerability

To address a potential cross-site scripting (XSS) vulnerability, support for X-Frame-Options response headers has been added to requests with /content/ application paths. This is controlled using the xFrameOptions setting in the XSS configuration, com.soa.admin.console.xss.

Support ticket: SUPPORT-28390

Network Director could process an invalid JSON payload

If extra characters appeared at the end of the JSON payload in the request body, Network Director processed and passed on the message, even though it contained invalid JSON. Now, if there is any extra content after the initial JSON object, an error is returned or the content is ignored, depending on a new setting "Ignore extra JSON in payload" in the HTTP Message Validation Policy. See https://docs.akana.com/ag/policies/policy_op_http_message_validation.htm for details.

Support ticket: SUPPORT-28722
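
The two behaviors described above (reject extra content, or ignore it), as an added example that is not Akana code. The `ignore_extra` flag is a hypothetical stand-in for the "Ignore extra JSON in payload" setting, the request bodies are constructed, and returning only the validated slice for forwarding is an assumption of this sketch.

```python
import json

JSON_WS = " \t\r\n"  # the only whitespace JSON permits around a value


class TrailingContentError(ValueError):
    """Raised when non-whitespace text follows the first JSON value."""


def parse_json_payload(body, ignore_extra=False):
    """Parse the first JSON value in `body`.

    Returns (value, validated_text, extra). `validated_text` is the exact
    slice that was parsed; `extra` is whatever followed it.
    ignore_extra=False rejects the body when `extra` is non-empty;
    ignore_extra=True accepts it and reports what was dropped.
    """
    start = len(body) - len(body.lstrip(JSON_WS))
    # raw_decode stops at the end of the first value instead of failing on
    # what follows, so the remainder can be inspected explicitly.
    value, end = json.JSONDecoder().raw_decode(body, start)
    extra = body[end:].strip(JSON_WS)
    if extra and not ignore_extra:
        raise TrailingContentError(
            "unexpected content after JSON value at offset %d" % end)
    return value, body[start:end], extra


# Constructed request bodies (not from a real system).
SAMPLES = [
    '{"amount": 10}\r\n',              # valid, only trailing whitespace
    '{"amount": 10}{"amount": 9999}',  # second object appended
    '{"amount": 10} trailing-text',    # junk appended
    '{"amount": 10',                   # truncated, never valid
]


def classify(body, ignore_extra=False):
    """Return a short verdict string for one request body."""
    try:
        _, validated, extra = parse_json_payload(body, ignore_extra)
    except TrailingContentError:
        return "rejected: trailing content"
    except json.JSONDecodeError:
        return "rejected: malformed JSON"
    if extra:
        # Forward only what was validated, so a downstream parser never
        # sees bytes the validator skipped.
        return "accepted, forward only: " + validated
    return "accepted"


if __name__ == "__main__":
    for mode in (False, True):
        for sample in SAMPLES:
            print("ignore_extra=%s %r -> %s" % (mode, sample, classify(sample, mode)))
```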

Version 2019.1.4

Enhancements: 2019.1.4

DevOps theme supports external logins using LDAP

The DevOps theme now supports external logins when the Active Directory Identity System is configured to use LDAP.

Support ticket: SUPPORT-29403

All detailed auditing data limited by default to avoid out of memory problems

All detailed logging data from messages/responses, scripts, and processes are limited by the Administration Console configuration setting in com.soa.policy.handler.audit -> audit.maxContentSize. The default is 500,000. This setting helps avoid out of memory problems or exceeding data limits in MongoDB or other databases.

Support ticket: No related support tickets.

Network Director: Support for dynamic scopes at runtime

Network Director can now validate dynamic scopes at runtime. This support allows a single asterisk. The asterisk can be included as a prefix, in the middle, or as a suffix.

Support ticket: SUPPORT-28507
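
A sketch of single-asterisk scope matching, as an added example (not Network Director's code). The notes state only that one asterisk is allowed as a prefix, in the middle, or as a suffix; that the asterisk stands for at least one character, and the scope names used, are assumptions of this example.

```python
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def split_pattern(pattern):
    """Validate a configured scope and return (prefix, suffix, is_wildcard)."""
    if not _SCOPE_TOKEN.fullmatch(pattern):
        raise ValueError("not a valid scope token: %r" % pattern)
    if pattern.count("*") > 1:
        raise ValueError("only a single asterisk is allowed: %r" % pattern)
    if "*" not in pattern:
        return pattern, "", False
    prefix, suffix = pattern.split("*")
    return prefix, suffix, True


def scope_matches(pattern, token):
    """True if the requested scope token is covered by the configured scope."""
    prefix, suffix, wildcard = split_pattern(pattern)
    if not wildcard:
        return token == pattern
    if not _SCOPE_TOKEN.fullmatch(token):
        return False
    # The length check does two jobs: the asterisk must cover at least one
    # character (assumption), and prefix and suffix may not overlap inside
    # the token ("ab*ba" must not match "aba").
    if len(token) < len(prefix) + len(suffix) + 1:
        return False
    # Plain string comparison: the configured scope is never compiled into
    # a regular expression, so characters such as "." or "+" stay literal.
    # A bare "*" covers every token; whether to permit that is a policy
    # decision this sketch leaves to the caller.
    return token.startswith(prefix) and token.endswith(suffix)


def unauthorized_scopes(requested, allowed_patterns):
    """Return the requested scope tokens that no configured scope covers.

    `requested` is a space-delimited scope string as sent in an OAuth
    request; `allowed_patterns` is the list of configured scopes.
    """
    return [token for token in requested.split(" ")
            if token and not any(scope_matches(p, token)
                                 for p in allowed_patterns)]


if __name__ == "__main__":
    # Constructed scopes for illustration.
    allowed = ["account:*", "*:read", "acct:*:write", "profile"]
    print(unauthorized_scopes("account:42 invoice:read acct:7:write admin", allowed))
```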

Automation recipes support removing features

Automation recipes now include the ability to remove features using the Feature Administration service API: the {urn:com.soa.admin.service.features.jaxrs} FeatureService endpoint DELETE /admin/features/installed/{id}.

Support ticket: No related support tickets.

Http Message Validation Policy: Error codes enhanced to comply with UK Open Banking 3.1 specification

For the Http Message Validation Policy, more specific error codes were added to comply with the UK Open Banking 3.1 specification, when OB 3.1 is selected on the Options page. For example, any field of type "date" that is in error will result in a UK.OBIE.Field.InvalidDate error code. Previously, the policy returned the UK.OBIE.Field.Invalid error code. New error codes were also added to handle JSON parsing errors and invalid account and secondary account IDs.

Support ticket: SUPPORT-25653

Bug Fixes: 2019.1.4

Elasticsearch log reported errors regarding unindexed fields

The Elasticsearch log could return the error "Cannot search on field [Name] since it is not indexed." Elasticsearch queries now return results as expected.

Support ticket: SUPPORT-29332

Lifecycle Coordinator: LDAP authentication issue when adding new users

Adding new users to the tenant using LDAP authentication sometimes failed to find a match when searching for a name on the Admin > Users > New dialog. Now, the filtering logic when adding a new user finds matches that start with the entered text rather than contain the entered text.

Support ticket: SUPPORT-29889

HTTP 404 error returned intermittently for OAuth Token Endpoint

For OAuth 2.0, the Token Endpoint intermittently returned an HTTP 404 "Page Not Found" error.

Support ticket: SUPPORT-29636

Swagger 2.0 documents could validate incorrectly when "Allow Empty Value" was set

For Swagger 2.0 documents with operation parameters that contained arrays with the allowEmptyValue attribute set, messages using this parameter would not validate correctly.

Support ticket: SUPPORT-28206

Developer Portal board comments were missing some workflow actions

An API's board comments were not displaying permissible workflow actions for users; for example, there was no "Approve" button for Site Admins.

A new includeCommentActions flag has been added to several board APIs, which, if set to true, will return any available workflow actions for each comment in the response.

Support ticket: SUPPORT-1220

HTTP Message Validation Policy: Error messages for unallowed headers now formatted for UK Open Banking 3.1 specification

When UK Open Banking version 3.1 is selected on the HTTP Message Validation Policy Options page, any error messages regarding unallowed headers now conform to the OB 3.1 specification, with an HTTP status code of 400.

Support ticket: SUPPORT-25439, SUPPORT-28782

Network Director: HTTP operation method cannot be found

In certain cases, in particular when Network Director was under high load and then left idle for a period of time, an error "Cannot find http method for operation" could occur.

Support ticket: SUPPORT-22779, SUPPORT-24784, SUPPORT-27207, SUPPORT-3174, SUPPORT-3442, SUPPORT-22567, SUP-18819, SUP-18551

Automation recipes under Windows now restart Akana

Support has been added to automation recipes to restart an Akana instance running on Windows in the background.

New command to stop a Windows Akana instance

A new command bin\shutdown.bat <name> shuts down an Akana instance running on Windows in the background.

Support ticket: No related support tickets.

Improperly formatted error code for Open Banking 3.1 could be returned for requests that contained undefined fields

If a request payload contains a field that is not defined in the Swagger definition, a "field unexpected" error is now returned according to the proper Open Banking 3.1 format.

Support ticket: SUPPORT-29603

Version 2019.1.3

Enhancements: 2019.1.3

Lifecycle Manager: New automation recipe to synchronize data

A new recipe is available to automate the Synchronize Lifecycle Manager Data configuration task in the Akana Administration Console, which helps support the automation of promotion testing.

Support ticket: No related support tickets.

Bug Fixes: 2019.1.3

OpenID Connect Relying Party domain was not editable in some cases

The OpenID Connect Relying Party domain can now be viewed, modified, or deleted, as expected.

Support ticket: SUPPORT-29344

Missing X-Frame-Options in response header could result in a security vulnerability

Calls to resource URLs did not always set the X-Frame-Options header on the HTTP response when XFrameOptions was configured for the atmosphere.console.config.xFrameOptions property in the com.soa.atmosphere.console configuration and the new uif.config.xFrameOption property in the com.soa.uif configuration.

Support ticket: SUPPORT-28390

Swagger API documentation page for a private API displayed operations to users without permissions

When viewing the Swagger documentation for an API, users with limited visibility based on the settings in a private API's licenses and scopes can no longer see operations for which they do not have permission.

Support ticket: SUPPORT-29302

Version 2019.1.2

Enhancements: 2019.1.2

Lifecycle Coordinator: Option to disable Runtime Configuration when editing an API

A new classifier, run-on-updates, provides the ability to disable the Runtime Configuration when modifying an API. This avoids the Runtime Configuration overwriting changes made to an API in the developer portal.

Support ticket: SUPPORT-29126

SimpleDev theme has new confirmation warning before deleting an app

When deleting an app, the SimpleDev theme now prompts the user for confirmation before deletion. Before, the app was immediately deleted without confirmation.

Support ticket: SUPPORT-1084

API Designer now supports examples for model objects

A new column has been added in several locations in the API Designer, for APIs based on Swagger 2.0 or OpenAPI 3.0, to support model object examples. The new column appears after the Schema column in the Models sections, and in the Request and Response sections if a model object is specified.

Support ticket: SUP-16258

The developer portal's Home page redesigned for hermosa and default themes

The Home page for the hermosa and default themes has been redesigned to incorporate embedded videos and updated features.

Support ticket: No related support tickets.

API comments are visible only to users with read access

The API "/api/discussions/{DiscussionID}/comments" now checks that the user has read access to the requested discussion.

Support ticket: SUPPORT-22787

HTTP Message Validation Policy: only top-level validation errors are displayed

For the HTTP Message Validation Policy, only top-level validation errors display. Before, errors could display for each nested element when the error was actually triggered only on the last element.

Support ticket: SUPPORT-25648

Lifecycle Coordinator: OAuth version can be selected in the Runtime Configuration

Users can now select an OAuth version (1.0a, 2.0, or both) in the Runtime Configuration.

Support ticket: No related support tickets.

Users with Monitor permissions can view an API's or app's analytics

A user with Monitor permissions, but without Modify permissions, can view an app's or API's analytics and logs. Previously, only users with Modify permissions on an API or app could view its analytics.

Support ticket: No related support tickets.

Providing an APIVersionID when adding an API version is no longer allowed

The API to add an API version (POST /api/apis/{APIID}/version) now returns an HTTP 400 Bad Request error if an APIVersionID is passed in. Previously, the APIVersionID was accepted as input without throwing an error even though it is not a parameter to the API.

Support ticket: SUP-12292

Swagger-based new APIs will take the API version from the Swagger document, if not defined

New APIs based on Swagger documents will have the same version as the Swagger document if the API has no defined version; otherwise, the APIVersionInfo will be used.

Support ticket: SUP-14958, SUPPORT-1141

Enhanced SearchAPI now returns results changed after a certain date

The SearchAPI (/api/search) supports a new query parameter UpdatedFromDate to retrieve objects added or updated after a certain date, for example:


Support ticket: No related support tickets.

Lifecycle Coordinator: new PromotionProfile property to preserve an existing shared secret at promotion

A new PromotionProfile property, preserve-shared-secret, controls whether the shared secret of an existing app in the target environment is retained at promotion.

The default is false, meaning that the shared secret of an app in the target environment is overwritten by that in the source environment. For details, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_preserve_shared_secret.

Support ticket: SUPPORT-29124

Lifecycle Coordinator: new PromotionProfile property to control a consumer app's automatic promotion

A new PromotionProfile property, disable-consumer-app-check, controls the promotion of an API's corresponding consumer app. This is useful if you are using fanout and want to promote the consumer app to one environment but not another. A value of true prevents the automatic promotion of the corresponding consumer app (if any).

For detail, see http://docs.akana.com/cm/promotion/promotion_users_guide.htm#props_disable_consumer_app_check.

Support ticket: SUPPORT-22911

Bug Fixes: 2019.1.2

Lifecycle Coordinator: error trying to enforce unique context paths on import

On import, if the target API setting "Validate Unique Hostname/Context Path" is false, the target no longer tries to enforce uniqueness during promotion.

Support ticket: SUPPORT-29123

Lifecycle Coordinator: Promotion for APIs with multiple access points was mishandled in some cases

APIs on the same deployment zone and with multiple endpoints defined for an implementation were not being promoted correctly. Now, promoting APIs with multiple endpoints works as expected.

Support ticket: SUPPORT-29125

After upgrading to 2019.1.1, the Sign Up page would not load when the phone numbers field was enabled

A regression caused by the upgrade to 2019.1.1 resulted in the failure of new user registration on the developer portal when the phone numbers field was enabled on the Sign Up page.

Support ticket: SUPPORT-28584

API URL path variables XSS vulnerability

A Cross-site scripting (XSS) vulnerability in an API URL path's variables has been fixed.

Support ticket: SUPPORT-28390

OAuth configuration: multiple Third Party OAuth Providers for an API were allowed

When configuring an API's OAuth configuration, adding multiple Third Party OAuth providers was mistakenly allowed. Now, the Test Client allows only one Third Party OAuth Provider for an API in the API OAuth configuration.

Support ticket: No related support tickets.

Swagger generation validation errors for older schemas

Schemas using an older version of the Swagger standard (Draft03) were causing validation errors during Swagger generation.

Support ticket: SUPPORT-28378

Lifecycle Coordinator: Usability updates to devops theme

Various updates have been made to the devops theme for improved usability and to address incorrect behavior, including:

  • The Promotion Requests page is launched when a logged-in user clicks the "home" button.
  • The Promotion Requests page's Environment filters display the correct filtered results.
  • The footer has been replaced with the default footer, which displays the copyright and year.
  • The API request Source API link correctly launches the API Details page.

Support ticket: No related support tickets.

Export logs in developer portal missing the App name

The App column has been added to the transaction usage logs export.

Support ticket: SUPPORT-26414, SUPPORT-1190, SUPPORT-24723, SUPPORT-24203

Mongo data usage stats were being reported incorrectly after upgrade

When upgrading to 2019.0.x, Mongo usage stats were being recorded as the size of the zipped content, rather than the unzipped size.

Support ticket: No related support tickets.

Version 2019.1.1

Bug Fixes: 2019.1.1

Exporting app transaction logs was working incorrectly

App transaction logs were not exporting properly. Now export works as expected.

Support ticket: No related support tickets.

Version 2019.1.0

Key Features: 2019.1.0

Note: The key features here are specific to 2019.1.0 and are not available in earlier 2019.0.x update releases. For features and enhancements also available in 2019.1.0 but delivered in previous update releases, see each update version below.

New Open Banking Client Validation policy to support Open Banking MATLS

A new validation policy has been added to support the Open Banking Mutual Authentication TLS (MATLS) specification. This policy, the Open Banking Client Validation Policy, uses MATLS rather than the client secret for authentication. This is required for the Open Banking Dynamic Client Registration for OAuth.

  • Supports validation of headers added by the load balancer
    For the UK Open Banking Client Validation Policy, the Network Director can now perform OAuth client authentication based on headers added by the load balancer, which routes incoming API requests to a load balancer cluster. The load balancer extracts details on client certification and adds them as headers, then routes the request to the Network Director.
  • Uses only certifications with "use" : "tls"
    The UK Open Banking Client Validation Policy with MATLS support uses only certifications with "use" : "tls" from the OB JSON Web Key Sets (JWKS) URL when validating the client certification.

Support tickets: SUPPORT-23129, SUPPORT-3870, SUPPORT-24612, SUPPORT-26843

Hermosa theme UI header redesigned

The Header for the Hermosa theme has been completely redesigned for improved look-and-feel and usability. Elements of the site are more easily accessible, with dropdown menus for the top-level items, among other improvements. 

Note that this change impacts header customizations, which will need to be ported to the new header. For more information, see Community Manager: Customizing the User Interface and Community Manager: Migration Guide.

Support ticket: No related support tickets

Test Client Enhancements

Test Client has been enhanced to support multiple OAuth policies on a single API and the Aggregate policy.

  • The Aggregate Policy
    The Test Client now includes support for testing APIs with an attached Aggregate Policy that includes policies supported by Test Client. Adding an Aggregate Policy to an API allows the API Admin to set up a scenario where multiple policies are combined into one. For more information, see Test Client security settings: Aggregate Policy on the Akana docs site.
  • Multiple OAuth policies
    If the API supports multiple OAuth providers, you can choose the provider you want to test against. See Test Client security settings: OAuth Policy: Multiple OAuth Provider.

Support ticket: No related support tickets

API version workflow now supports an optional, customized workflow

Custom API version workflows now control the options available on the API Details page. This enhancement includes new API states to control permissions for specified users:
"@ModifyPolicies", "@ModifyDeployments", "@ModifyDebugOptions", "@ModifyOutboundIdentities", "@ModifyExtensionProperties", "@DeleteAPIImplementation", "@ModifyLegals"

Support ticket: No related support tickets

The Charts page within API Analytics has new filters for viewing API and App transactions

The Charts page within API Analytics now includes both charts and logs combined, with filters for viewing both API and App transaction logs and charts. For example, for a specific API, you can filter by all available operations, statuses, and response time. To view transaction log data, use the Load Logs button.
Note: Log information is available only if an auditing policy was attached to the API during the time period.

Support tickets: No related support tickets

Lifecycle Coordinator includes new configuration parameters for the promotion feature

New configuration properties are available in the Akana Administration Console to configure the Lifecycle Coordinator promotion feature. These are:

  • com.soa.promotion: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.
  • com.akana.lifecyclemanager.apiplatform.remote: Controls how often Lifecycle Coordinator updates cached policy and organization information for tenants referenced in a topology.

For detail, see Configuration properties for the Promotion Feature.

Support ticket: No related support tickets

Enhancements: 2019.1.0

Lifecycle Coordinator: Now supports the ability to manage API and app version visibility during promotion

Two new properties now support API and app version visibility when promoting to the target environment. For example, an API's or app's version might be set to Public in the source tenant and Private in the target tenant. These properties are appVersion.visibility and apiVersion.visibility.

Support ticket: No related support tickets.

Lifecycle Coordinator: Runtime Configuration can now specify an OAuth domain for an API

The Runtime Configuration can now select an OAuth domain for use with an API. Then, when an API is created in the developer portal, the OAuth domain will be set on it. Note that OAuth domain scopes cannot be set within the Runtime Configuration.

Support ticket: SUPPORT-5628

Lifecycle Coordinator: Runtime Configuration can now filter by API implementation type

A Runtime Configuration can now filter based on API implementation type, either SOAP or REST.

Support ticket: No related support tickets.

Lifecycle Coordinator: New promotion profile property

A new promotion profile property, preserve-outbound-identities, can be set on a topology to allow saving the existing outbound identities on the target during promotion.

Support ticket: SUP-17125, SUPPORT-1778

The default HTTP 404 error response now considers the Accept header

On a general HTTP 404 "Resource not found" condition, the error response now takes into account the HTTP Accept header from the client, generating a JSON, XML, or HTML (the default) response based on the desired content type. Previously, the error response was always HTML.

Support ticket: SUPPORT-22558, SUPPORT-3903

Akana Administration Console JavaScript library has been updated

The jQuery library used in the Akana Administration Console has been updated to the latest stable and secure version, so that the entire platform now uses jQuery 1.11.3.

Support ticket: SUPPORT-21388

Elasticsearch Scroll API now used, for more effectively returning large numbers of results

The Elasticsearch Scroll API has now been implemented to more effectively return large numbers of results. Previously, the platform iterated through the search results 100 at a time, making it possible to exceed the default index.max_result_window value of 10,000.

Support ticket: SUPPORT-24812, SUPPORT-23905

New optional Business Security setting allows restriction of file types in attachments

The Business Security settings page under Admin > Settings > Security now includes a new option to limit media types allowed for uploading to comments, discussions, tickets, alerts, or reviews. The default allows any media type.

Support ticket: SUPPORT-24292

JOSE Policy v2 with Open Banking 3.1 option now supports adding the charset property to the Accept header

JOSE v2 policies that conform to the Open Banking specification now support adding a character set to the "application/json" media type in the Accept header, for example: "application/json;charset=utf-8". Previously, adding the character set (charset) to the Accept header resulted in an error.

Support ticket: SUPPORT-26263

Open Banking 3.1 error codes now support enumerated elements in the HTTP Message Validation Policy

Errors generated by an HTTP Message Validation Policy now support enumerated elements, in conformance with Open Banking Implementation Entity (OBIE) requirements.

Now, when a field is defined as an enum in the policy but there is no value for this enumerated field defined in the schema, the policy will return "UK.OBIE.Unsupported.<field_name>" where <field_name> is the supplied enum value that doesn't match the schema's list of valid enum values. Prior to this enhancement, the policy returned "UK.OBIE.Field.Unexpected."

Support ticket: SUPPORT-25161

HTTP Message Validation Policy can now define default behavior for the additionalProperties schema property

The HTTP Message Validation Policy has a new option, "Allow additional properties by default," to control the behavior when an additionalProperties property in a Schema object is not explicitly specified in a Swagger schema. This is useful because the Swagger 2.0 specification is unclear regarding the default value for additionalProperties.

By default, this option is enabled so that all additional properties are allowed.

Support ticket: SUPPORT-25391

HTTP Message Validation Policy: Open Banking 3.1 error response can now be customized

HTTP Message Validation policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For more information, see Creating an HTTP Message Validation Policy on the Akana docs site.

Support ticket: SUPPORT-25156

Akana OAuth/OIDC provider id-token now includes state and openbanking_intent_id claims

The Akana OAuth/OpenID Connect (OIDC) provider now includes the "state" and "openbanking_intent_id" claims in the id_token for the Open Banking consent Hybrid Flow. Prior to this enhancement, these claims were returned only in the access_token.

Support ticket: SUPPORT-25631

JOSE Policy v2: Open Banking 3.1 error response can now be customized

JOSE v2 policies that conform to the Open Banking 3.1 specification can now specify the documentation URL to include with Open Banking-compliant error messages returned by the policy. If not set, the default is: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1000702294/Read+Write+Data+API+Specification+-+v3.1.1.

For detail, see Configuring JOSE Security Policy v2 options on the Akana docs site.

Support ticket: SUPPORT-25156

Automation recipes to perform upgrades have been improved

The recipes provided to automate migration to newer versions now support the ability to skip major versions.

Support ticket: No related support tickets.

Elasticsearch can be configured to save the Jetty access log

The Elasticsearch feature now supports the ability to save the Jetty transport access log to the Elasticsearch index. This is controlled through three new properties in the Administration Console under the configuration com.akana.log.elasticsearch:

Property | Description | Default Value
requestLog.enabled | Enables or disables saving the Jetty log to the Elasticsearch index | false
requestDataSaver.elasticHost | The host location of the index | http://localhost:9200
requestDataSaver.elasticIndex | The name of the index | request-log

Support ticket: No related support tickets.

Cluster Support plug-in has been removed from the product distribution

The deprecated Cluster Support plug-in (com.soa.feature.cluster) has been removed from the product distribution. Instead, use automation recipes for configuring clusters.

Support ticket: No related support tickets.

API group visibility now available for Runtime Configurations

A new classifier API Group Visibility can be set for Runtime Configurations to invite user groups to view an API. For more detail, see "API Group Visibility" in the Runtime Configuration on the Akana docs site.

Support ticket: SUPPORT-5575

Deprecations: 2019.1.0

Elasticsearch Transport Client option is deprecated

The Elasticsearch Transport Client deployment option is deprecated in version 2019.1.0, and will be removed in version 2020.1.0. It is recommended to use the REST Client, which communicates with the Elasticsearch server or cluster by accessing a URL.

The Akana OAuth Provider Agent is deprecated

The Akana OAuth Provider Agent feature is deprecated in version 2019.1.0, and will be removed in version 2020.1.0.

It is recommended that customers have a dedicated OAuth container to manage OAuth tokens, as covered in the diagram of recommended deployment: http://docs.akana.com/sp/deployment/deployment_clustered.htm.

Bug Fixes: 2019.1.0

API tags were not being removed in some cases

When all the tags associated with an API were removed using the UI, the tags were not being removed properly. Now, the UI supports deleting all tags.

Support ticket: SUPPORT-22984, SUPPORT-24248, SUPPORT-24385

New error format for OAuth and AtmosphereApplicationSecurity Policies

The OAuth and AtmosphereApplicationSecurity Policies return the faultcode and faultstring in error responses. For example:

{ "faultcode": "Server", "faultstring": "1012116 - Invalid token." }

The previous format was:

{ 1012116 - Invalid token. }

Support ticket: SUPPORT-28149

Regression impacted data masking in Audit Message Policy

A regression introduced by the upgrade of a third-party library caused masking of JSON audit data to fail in the Auditing Message Policy.

Support ticket: No related support tickets.

Error messages and usage logs now suppress some details to avoid security vulnerabilities

Usage logs and error messages now display only generic information, in order to avoid potential security vulnerabilities. Specific errors, including detailed URI information, are still written to the log file for the container instance.

Support ticket: SUPPORT-25000

A JOSE policy JSON Web Key Set URL is now validated against the forward proxy list

When a JWKS URL is used for a JOSE policy, the URL is validated against the forward proxy list on the Admin > Settings > Site page.

It is validated when saving a JWKS URL value on the App OAuth Details page, and also at runtime. Any errors returned at validation do not display the URI or any other information that could be used in a malicious way.

Support ticket: SUPPORT-24999
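
The two behaviors described above (an allowlist check at save time and at runtime, and generic errors with the detail kept in the container log) can be sketched as follows. This is an added example, not Akana code: it assumes the forward proxy list is a list of allowed host names, and the function names, logger name, and message wording are constructed.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("container")  # stands in for the container instance log
GENERIC_MESSAGE = "JWKS URL could not be validated."  # constructed wording

class JwksUrlError(Exception):
    """Error returned to the caller; carries no URI detail."""

def validate_jwks_url(url, allowed_hosts):
    """Return url if its host is on the allowlist; else log detail and raise a generic error."""
    reason = None
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            reason = f"unsupported scheme {parts.scheme!r}"
        elif "@" in parts.netloc:
            reason = "userinfo present in URL"
        elif host not in {h.lower() for h in allowed_hosts}:
            reason = f"host {host!r} not on allowlist"
    except ValueError as exc:
        reason = f"unparseable URL: {exc}"
    if reason:
        # Full detail, including the URI, stays in the server-side log only.
        log.warning("JWKS URL rejected: %s (url=%r)", reason, url)
        raise JwksUrlError(GENERIC_MESSAGE)
    return url

def save_app_jwks_url(app, url, allowed_hosts):
    """Save-time check: an unlisted URL is never stored."""
    app["jwks_url"] = validate_jwks_url(url, allowed_hosts)

def load_keys_at_runtime(app, allowed_hosts, fetch):
    """Runtime check: re-validate, because the allowlist may have changed since save."""
    return fetch(validate_jwks_url(app["jwks_url"], allowed_hosts))
```

Re-validating at runtime matters because a URL that was acceptable when saved can become unacceptable after an administrator edits the list.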

The List Tickets API did not return tickets for private APIs for some authorized users

The API GET /api/tickets did not return tickets for private APIs for non-admin users with read access to the API.

Support ticket: SUPPORT-26404

HTTP Message Validation Policy did not validate enums on required parameters

Single-value enums used in parameters were being incorrectly handled in some cases, resulting in a failure to validate required parameters in the HTTP Message Validation Policy.

Support ticket: SUPPORT-25295

Domain page was not enforcing Modify and Delete permissions in some cases

For users without modify or delete permissions on a domain, the Modify and Delete buttons were accessible, in some cases. Now, they are not displayed for users without write permissions, and a new "View" button has been added for users with read-only permissions.

Support ticket: SUPPORT-24869

X-Forwarded-Host header vulnerability

In applications that incorporate the use of the X-Forwarded-Host header, it was possible for an attacker to manipulate the host header to forward the request to a different URL.

Now, the logic for getting the base URL for various sub-URLs (such as an avatar) checks that the request URL host matches a virtual host set on the tenant. If it does not match a virtual host, the simple request URL (which does not come from the X-Forwarded-Host header) is used instead.

Support ticket: SUPPORT-20524
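
The check described above, shown beside the unchecked behavior it replaces. This is an added example, not Akana code: the function names, the lower-cased header dictionary, and the host names are constructed for illustration.

```python
from urllib.parse import urlsplit

def _parse_host(value):
    """Return (hostname, port) for a plain host[:port] value, else None."""
    try:
        parts = urlsplit("//" + value.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if (not parts.hostname or "@" in parts.netloc
            or parts.path or parts.query or parts.fragment):
        return None
    return parts.hostname.lower().rstrip("."), port

def base_url_unchecked(request_url, headers):
    """Pre-fix behaviour: the forwarded host is trusted as-is."""
    parts = urlsplit(request_url)
    host = headers.get("x-forwarded-host", parts.netloc)
    return f"{parts.scheme}://{host}"

def base_url_checked(request_url, headers, tenant_virtual_hosts):
    """Use the forwarded host only when it is one of the tenant's virtual hosts.

    headers is assumed to be a dict keyed by lower-cased header names.
    """
    parts = urlsplit(request_url)
    fallback = f"{parts.scheme}://{parts.netloc}"  # simple request URL, not header-derived
    forwarded = headers.get("x-forwarded-host")
    if not forwarded:
        return fallback
    # A proxy chain may send a comma-separated list; the first entry is the
    # host the client originally asked for.
    parsed = _parse_host(forwarded.split(",")[0])
    allowed = {h.lower().rstrip(".") for h in tenant_virtual_hosts}
    if parsed is None or parsed[0] not in allowed:
        return fallback
    host, port = parsed
    # Rebuild from the parsed pieces so nothing else from the header is echoed.
    return f"{parts.scheme}://{host}" + (f":{port}" if port else "")
```

The base URL is rebuilt from the parsed host and port rather than from the raw header text, so a value that merely contains a permitted name cannot carry extra characters into generated links.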

Lifecycle Coordinator: Promoting large APIs could time out

When promoting an API with numerous operations, the process could appear to time out, although the API would be promoted successfully. Now, promotion works as expected.

Support ticket: No related support tickets.

Version 2019.0.4

Requires Akana Platform version: 2019.0.3

Enhancements: 2019.0.4

This release includes no enhancements.

Version 2019.0.3

Requires Akana Platform version: 2019.0.2

Deprecations and Requirements Changes

For updated requirements information, see System Requirements for Akana Platform 2019.0.x.

Mongo 3.2

As of this release, Mongo 3.2 is no longer supported.

MySQL 5.7

Announcement of future end of support: Akana support for MySQL 5.7 will end in October 2020.

Oracle 11g

Announcement of future end of support: Support for Oracle 11g will end in December 2020 when Oracle ends its “Extended Support.”

Enhancements: 2019.0.3

Automation scripts support for 2-way SSL authentication

Automation scripts have improved support for Secure Socket Layer (SSL) mutual authentication.

Support ticket: No related support tickets.

Version 2019.0.2

Requires Akana Platform version: 2019.0.1

Enhancements: 2019.0.2

Improvements in parameter schema handling

The platform has enhanced schema parameter processing for improved Swagger 2.0 support in the API Designer.

Support ticket: No related support tickets.

Version 2019.0.1

Requires Akana Platform version: 2019.0.1

Enhancements: 2019.0.1

New startup environment variable supports Java options

The script startup.sh now takes a new environment variable AKANA_OPTS as an argument, which can be used to configure the container JVM. For example, it can be used to configure AppDynamics, other agents, Java Management Extensions (JMX), Garbage Collector (GC) options, or to add JVM system properties.

Support ticket: SUPPORT-10961

JOSE Policy v2 for Open Banking 3.1 tan header now validates using policy configuration

A JOSE Policy v2 configured for OB 3.1 now validates the tan header using the value configured in the policy, if one exists. If no value for the tan header is provided in the policy configuration, then the header is validated using the static domain value openbanking.org.uk.

Support ticket: SUPPORT-23407