Version 2019.0.5
Note: This release requires Akana Platform version 2019.0.4.
Akana 2019.x System Requirements
Upgrading the Akana API Platform from 2018.0.x to 2019.0.x
Date/release version | Changes |
---|---|
31 July 2019 (2019.0.0) | New entry added for "Auditing Service Policy can now exclude header visibility from monitoring data". |
9 January 2020 (2019.0.0) | New entry added for the bug fix "Writing usage data using the REST usage writer could fail." |
Requires Akana Platform version: 2019.0.4
This release includes no enhancements.
Schemas using an older version of the Swagger standard (Draft03) were causing validation errors during Swagger generation.
Support ticket: SUPPORT-28378
Requires Akana Platform version: 2019.0.3
This release includes no enhancements.
SOAP services with multiple bindings were retrieving only the operation for the last binding in the WSDL. Now, all operations are retrieved, and compatibility with Akana Intermediary for Microsoft® has been verified.
Support ticket: SUPPORT-22246
In some cases, users without the necessary privileges could view data of other users in Policy Manager's Configure tab. Now, a "Permission Denied" notice is displayed for these users, and the Configuration Schemas, Interfaces, and Binding tabs are not available, except to System Administrators.
Support ticket: SUPPORT-25824
Requires Akana Platform version: 2019.0.2
For updated requirements information, see System Requirements for Akana Platform 2019.0.x.
As of this release, Mongo 3.2 is no longer supported.
Announcement of future end of support: Akana support for MySQL 5.7 will end in October 2020.
Announcement of future end of support: Support for Oracle 11g will end in December 2020 when Oracle ends its “Extended Support.”
Automation scripts have improved support for Secure Socket Layer (SSL) mutual authentication.
Support ticket: No related support tickets.
When updating domains of type OpenID Connect Relying Party in the Developer Portal, the updated values were not always saved.
Support ticket: SUPPORT-24622
Requires Akana Platform version: 2019.0.1
The platform has enhanced schema parameter processing for improved Swagger 2.0 support in the API Designer.
Support ticket: No related support tickets.
The platform’s Limit forward proxy security feature (Settings > Site) has been enhanced to include validation of hosts for Test Client OAuth requests against the specified white list of trusted hosts. This feature already validates for file upload and for Test Client messages.
Support ticket: SUPPORT-24997
Performance improvements have been made to the Export Usage Data process to prevent out of memory errors, specifically when using MongoDB for usage data.
Support ticket: SUPPORT-10644
Some JOSE policy alert codes were missing from the database, causing alerts to be incorrectly logged as unknown. Now, all alert codes related to JOSE are included.
Support ticket: SUPPORT-26100
JWKS keys could be blank before expiration. JWKS keys are now kept until they expire, and new keys are added when the old keys expire or become deprecated.
Support ticket: SUPPORT-25388
Requires Akana Platform version: 2019.0.1
The script startup.sh now takes a new environment variable AKANA_OPTS as an argument, which can be used to configure the container JVM. For example, it can be used to configure AppDynamics, other agents, Java Management Extensions (JMX), Garbage Collector (GC) options, or to add JVM system properties.
Support ticket: SUPPORT-10961
A JOSE Policy v2 configured for OB 3.1 now validates the tan header using the value configured in the policy, if one exists. If no value for the tan header is provided in the policy configuration, then the header is validated using the static domain value openbanking.org.uk.
Support ticket: SUPPORT-23407
Analysis of the code base and subsequent improvements to remove XSS (Cross-site Scripting) vulnerabilities is ongoing. This release includes extra XSS validations for the OAuthClient API.
Support ticket: SUPPORT-23094
The HTTP Message Validation policy now validates the header value using minLength, maxLength, and pattern requirements, even if the header value is empty.
Support ticket: SUPPORT-23138
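The behaviour change above is easy to get wrong in a hand-rolled validator, because an empty header value is a natural place to short-circuit. The following Python is an added example, not Akana's code, that applies minLength, maxLength and pattern checks to an empty value as the note describes, with a `skip_empty` switch that reproduces the pre-fix short-circuit for comparison. The `HeaderRule` shape, the sample `X-Request-ID` rule and the treatment of an absent header as its own violation are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HeaderRule:
    """One header constraint, mirroring the minLength/maxLength/pattern
    settings of the HTTP Message Validation policy (hypothetical shape)."""
    name: str
    min_length: Optional[int] = None
    max_length: Optional[int] = None
    pattern: Optional[str] = None


def find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def validate_header(headers: Dict[str, str], rule: HeaderRule,
                    skip_empty: bool = False) -> List[str]:
    """Return the list of violations of `rule` for the given request headers.

    skip_empty=True reproduces the pre-fix behaviour described in the note
    (an empty value short-circuits every check); the default False applies
    minLength, maxLength and pattern to an empty value as well.
    """
    value = find_header(headers, rule.name)
    if value is None:
        # Assumption: an absent header is reported as its own violation.
        return [f"{rule.name}: header is missing"]
    if skip_empty and value == "":
        return []
    problems: List[str] = []
    if rule.min_length is not None and len(value) < rule.min_length:
        problems.append(f"{rule.name}: length {len(value)} is below minLength {rule.min_length}")
    if rule.max_length is not None and len(value) > rule.max_length:
        problems.append(f"{rule.name}: length {len(value)} exceeds maxLength {rule.max_length}")
    # fullmatch so the whole value must satisfy the pattern, not just a prefix.
    if rule.pattern is not None and re.fullmatch(rule.pattern, value) is None:
        problems.append(f"{rule.name}: value does not match pattern {rule.pattern!r}")
    return problems


# Constructed sample rule (not a policy shipped with the product).
REQUEST_ID_RULE = HeaderRule("X-Request-ID", min_length=8, max_length=64,
                             pattern=r"[A-Za-z0-9-]+")

if __name__ == "__main__":
    # Constructed sample requests: a valid value, an empty value, a missing header.
    for headers in ({"X-Request-ID": "req-0001-abcd"}, {"x-request-id": ""}, {}):
        print(headers, "->", validate_header(headers, REQUEST_ID_RULE))
```

With the default settings the empty value fails both the minLength and the pattern check; with `skip_empty=True` it passes silently, which is exactly the gap the release closed.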
The 2FA task payload no longer accepts parameters that are not pre-defined when a client requests a new authentication token. If parameters other than verificationCode and Action are provided, the request is refused and generates an error. In addition, for a generate action, the verificationCode parameter is no longer accepted.
Support ticket: SUPPORT-21386, SUPPORT-22790, SUPPORT-21391
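An allowlist on the 2FA task payload, as an added example in Python that is not Akana's code: only the two parameters named in the note are accepted, and `verificationCode` is refused on a generate action. The case-insensitive comparison of the action name and the sample action name `verify` are assumptions for this example; the note only names the generate action.

```python
from typing import Any, Dict, Set

# The only parameters the 2FA task payload accepts, per the release note.
ALLOWED_2FA_PARAMETERS: Set[str] = {"verificationCode", "Action"}


class TwoFactorPayloadError(ValueError):
    """Raised when a 2FA task payload must be refused."""


def validate_2fa_payload(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Refuse any payload carrying parameters outside the allowlist, and refuse
    verificationCode on a generate action. Returns the payload unchanged when it
    is acceptable, so callers can chain it before issuing a token."""
    unexpected = sorted(set(payload) - ALLOWED_2FA_PARAMETERS)
    if unexpected:
        raise TwoFactorPayloadError(f"unexpected parameters: {unexpected}")
    # Assumption: the action name is compared case-insensitively.
    action = str(payload.get("Action", "")).lower()
    if action == "generate" and "verificationCode" in payload:
        raise TwoFactorPayloadError("verificationCode is not accepted for a generate action")
    return payload


def is_acceptable(payload: Dict[str, Any]) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_2fa_payload(payload)
        return True
    except TwoFactorPayloadError:
        return False


if __name__ == "__main__":
    # Constructed sample payloads ("verify" is an assumed action name).
    samples = [
        {"Action": "generate"},
        {"Action": "verify", "verificationCode": "123456"},
        {"Action": "generate", "verificationCode": "123456"},
        {"Action": "generate", "debug": True},
    ]
    for sample in samples:
        print(sample, "->", "accepted" if is_acceptable(sample) else "refused")
```

Rejecting unknown keys outright, rather than ignoring them, is the point: a silently ignored parameter is what lets a client probe for undocumented behaviour, and an explicit error is also what makes the refusal visible in logs.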
A Site or Business Admin can no longer view and/or edit another Admin's notifications, or change the email address of another Site Admin or Business Admin.
Support ticket: SUPPORT-21389
Requires Akana Platform version: 2019.0.0
Note: The key features here are specific to 2019.0.0 and are not available in earlier 2018.0.x update releases. For features and enhancements also available in 2019.0.0 but delivered in previous update releases, see each update version below.
The Developer Portal adds support for OpenAPI 3.0. OpenAPI 3.0, based on the original Swagger 2.0 specification, provides a standard, language-independent interface to RESTful APIs. Support includes an OAS Schema Form Editor, which is a graphical and text editor for authoring and editing Open API Specification v3 documents. The editor supports syntax and semantic validation on save or switch between text and graphical view, as well as code completion and syntax highlighting. The API Designer also supports dynamic switching between OAS 3.0 and Swagger 2.0. See Open API Specification 3.0 Support for details.
Support tickets: SUPPORT-23083, SUPPORT-23101
The new Model Library is a centralized library of model objects in the context of a business on the platform. Highlights include:
The platform supports multiple authentication policies on a single API using the Aggregate Policy. The Aggregate Policy includes a new “Choose Policy Enforcement Requirement” page. Users can select either the logical OR (if the message meets the requirements of any one of the policies included in the Aggregate Policy, the request is successful) or AND (the request must meet the requirements of all policies included in the Aggregate Policy, or it will fail).
Support tickets: SUPPORT-10638, SUPPORT-3244, SUPPORT-5785, SUPPORT-1110, SUP-16299
An OAuth policy can authenticate and authorize requests against multiple, different providers. The API OAuth Details page in Community Manager now allows the assignment of an OAuth provider to multiple endpoints, assuming that the Admin has configured multiple OAuth providers. The provider used for messages to an API depends on the scopes set up for each OAuth Provider. This support includes the addition of a new media type, application/vnd.akana.v2019+json, with the following API enhancements:
For more detail, see How do I configure OAuth Details for my API?
This release expands support for the UK OpenBanking v3.1 standard via the JOSE Policy v2, which now verifies the certificate subject DN in the “http://openbanking.org.uk/iss” header.
Support ticket: SUPPORT-23025
When creating an API, previously the API was automatically created with a Live implementation and deployed to all available deployment zones. Now, on the Add API page in the Advanced Options section, the user can specify the implementation (Live or Sandbox). Check boxes for all valid deployment zones for the specified implementation are displayed, and the user can then choose one or more deployment zones.
Support ticket: SUPPORT-5811, SUPPORT-1131, SUPPORT-1148, SUPPORT-3051, SUP-18426
Multiple auditing policies can now be attached to a single service or API, allowing more fine-grained control over auditing configuration. For example, basic auditing can be captured during normal operation, and detailed auditing on failure, helping to reduce the amount of detailed logging.
Support ticket: SUP-19050, SUP-19051, SUPPORT-3672, SUPPORT-3673, SUPPORT-25682, SUP-18965, SUPPORT-3588
Two new options are available for HTTP Message Validation policies:
Support ticket: SUPPORT-23016
The list of Quality of Service policies displayed on the API Access page now shows policies associated with the API's organization as well as any parent organization policies, if the organization is a sub-organization. Previously, policies at the tenant level were displayed.
Support ticket: SUPPORT-5792
The job "Migrate OAuth Data to MongoDB" (available from the Akana Administrative Console > Configuration > Actions tab) has been optimized for better performance.
Support ticket: SUPPORT-22457
Two new utility functions are provided to help in recipe creation:
Support ticket: SUPPORT-1103
The JRE shipped with Akana has been upgraded to the latest OpenJDK 8 release. Clients using an external JRE need to revert any changes that added Bouncy Castle to the $JAVA_HOME/jre/lib/security/java.security file. For example, remove this line (if it exists): security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider.
Support ticket: SUPPORT-21199, SUPPORT-20953, SUPPORT-10756, SUPPORT-17327
When an API is updated, the Runtime Configuration is now reapplied.
Support ticket: No related support tickets.
The Rhino JavaScript engine has been updated to the latest version, 1.7.10.
Support ticket: SUPPORT-21390
When the REST usage API reported a non-recoverable write error, the batch writer queues were not being purged, resulting in failure. Now the queues are cleared on fatal writer error.
Support ticket: No related support tickets.
A new configuration option has been added to the auditing policy to allow the exclusion of certain headers from monitoring data. This is available on the Detailed Auditing Policy page under Audit Binding > Transport Headers > Audit Transport > Headers to Exclude.
Support ticket: SUPPORT-23104
When Global Settings were selected as an app's OAuth Profile authentication method, the app was using predetermined values that might not have matched those that had been selected in the domain configuration. Now, domain configuration-supported Grant Types will be used when the OAuth Profile Authentication method is set to Global Setting.
Support ticket: SUPPORT-24778
The documentation for the Auditing Message Policy was clarified to specify that when defining an expression in a policy, users should use XPath for XML content, JSONPath for JSON content, and a Regular Expression for other content types.
Support ticket: SUPPORT-22401
Any external OAuth domains created with a name that included spaces or special characters would return a blank page when users tried to modify them. Now, domain names with special characters or spaces are supported.
Support ticket: No related support tickets.
In the Akana Administration Console, two new properties that control Elasticsearch connection timeouts have been added, under com.akana.es.client.security:
Property | Default Value |
---|---|
elastic.rest.client.connectTimeout | 1000 ms |
elastic.rest.client.socketTimeout | 30000 ms |
Support ticket: SUP-18936, SUPPORT-3559
In the Akana Administration Console, a new configuration option has been added to the HTTP client via com.soa.http.client.core: http.client.params.handleAuthentication. When true (the default), NTLM credentials are authenticated by Akana. When false, authentication is forwarded to the API client.
Support ticket: SUPPORT-1145, SUPPORT-21801
The licensereport API in the Community Manager now allows access only to users with Monitor permissions. This is similar to other analytics APIs such as getMetrics and UsageLogs.
Support ticket: SUPPORT-23093
Deprecated Windows files RegisterContainerService.bat and UnRegisterContainerService.bat have been removed from the installer. These were no longer supported and were the legacy files for RegisterContainerServiceYAJWS.bat and UnRegisterContainerServiceYAJWS.bat, which remain in the install.
Support ticket: SUPPORT-20933
Requires Akana Platform version: 2018.0.10
For Runtime Configurations, the classifier apiVisibility used to determine the visibility of an API can now be set within the topology definition.
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.9
By default, an app version can request a contract with any available API in any available environment. Now, using custom workflow, the Site Admin can limit apps so that when an app has one contract in a specific environment (Sandbox or Live), it cannot have a contract, either with the same API or with another API, in the other environment. With this custom functionality in place, one app version cannot have contracts in both environments.
This option is not part of the default contract workflow, but is available with custom workflow using the custom function verifyAppAccessLimitedToOnlySandboxOrLiveAPIs.
Support ticket: SUPPORT-2442, SUP-17816
A new recipe has been added to support the automated creation of a standalone OAuth container. The new recipe is oauth-all.json, located in the <installation>/recipes folder.
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.8
This release includes no enhancements.
Requires Akana Platform version: 2018.0.7
Admin Console: Two new properties, com.soa.database.config:trustStorePassword, and com.soa.database.config:trustStore, have been added to enable encrypted MS-SQL connections.
Support ticket: SUPPORT-17327
New automation recipes are now available for users with older Community Manager or Policy Manager instances who need to upgrade to a later version, possibly spanning major or multiple versions. Recipes are available to upgrade from 7.1 through subsequent releases. To learn more, contact your account representative.
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.6
A new property, _HTTP result code_, has been added to the following Quality of Services policies: Concurrency Quota Policy, Service Level Enforcement Policy, Throughput Quota Policy, and Timeout Policy.
This property ensures the return of a specific HTTP fault status code for RESTful services.
Support ticket: SUP-15726, SUPPORT-1191
Site admins can now exclude certain keywords from allowable input data, in order to ensure against cross-site scripting attacks. The selected keyword will be disallowed when validating data for the name, description, and tag fields.
Currently, keywords available for exclusion are: onerror, unload, onmouseover, eval, and mouseout. The keywords are set at the tenant level, and will be expanded over time.
Support ticket: SUP-17010
Lifecycle Repository's Runtime Configuration now supports the ability to configure the visibility of APIs that are created. Valid values are Public, Private, and Registered Users. The default is Public, if not specified.
Support ticket: SUPPORT-5575
Requires Akana Platform version: 2018.0.5
Analysis of the code base and subsequent improvements to remove XSS (Cross-site Scripting) vulnerabilities is ongoing. This release includes extra XSS validations to App, API, Organization, Group, Review, Ticket, Discussion, and Alert pages.
Support ticket: SUPPORT-21392
The Akana OAuth/OIDC domain now supports passing a request parameter, a single, self-contained parameter passed as a signed JWT. For Open Banking support, the request JWT consists of two claims, state and openbanking_intent_id.
The request parameter is only applicable to the OAuth 2.0 Authorization Code and Implicit grant types for OAuth providers with UK OB support.
The two claims state and openbanking_intent_id will be included in the JWT Access Token issued by Akana OAuth/OIDC provider.
Support ticket: SUPPORT-21752
The platform's embedded JDK 8 has been updated to the latest publicly available release (1.8 u201), dated Jan. 15, 2019, under the Oracle Binary Code License (BCL).
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.4
The Test Client has added support for OAuth providers that do not support the registration of a redirect_uri containing query parameters, such as Microsoft Azure.
Support ticket: SUPPORT-3713
Requires Akana Platform version: 2018.0.3
For JOSE Policy v2 and HTTP Message Validation policies, a new option on the Policy Options page "UK Open Banking" supports the enforcement of OB-formatted error messages returned to the API client application. For OB 3.1 compliance, check the option, then choose “OB version 3.1.”
If the option is unchecked, or checked and “OB version 3.0 and earlier” is selected, error messages are returned in whatever format the policy used before OB 3.1 was introduced.
Support ticket: SUPPORT-10643
A new setting in the Business Security settings supports the ability to set the Domain attribute on the Set-Cookie header with the complete hostname of the tenant's incoming URL or the X-Forwarded-Host header.
Support ticket: SUPPORT-20608
The JOSE Policy v2 now supports the OB specification 3.1, as well as 3.0 or earlier. The OB rules are enforced based on the version selected in the policy configuration, available on the Policy Options page. If "UK Open Banking" is selected, the version to choose is either 3.1, or 3.0 and earlier.
OB 3.0 and earlier will follow the same rules in terms of crit headers and error messages returned to the API client application.
OB 3.1 enforces:
Support ticket: SUPPORT-20538
Alerts and error log entries are no longer generated by default for authentication challenges, since these are a common part of every Authorization policy. This behavior is supported by two new properties in the Admin Console under the Configuration tab > com.soa.client.subsystems:
Property | Value |
---|---|
alert.config.blockedErrorCodesForAlert | com.soa.jbi.JBIErrorCode.BC_BINDING_ERROR_ENCOUNTERED, com.soa.transport.TransportErrorCode.AUTH_CHALLENGE_REQUIRED |
alert.config.blockedErrorCodesForLogging | com.soa.transport.TransportErrorCode.AUTH_CHALLENGE_REQUIRED |
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.2
The JOSE policy validates that, if a typ claim exists in the JOSE header, its value is "JOSE", as per the Open Banking 3.x specification. The typ header is optional, so the existence of the claim itself is not enforced.
Support ticket: SUPPORT-20530
For Open Banking, if a tan header exists in the JWS header, JOSE validates the header value and that it is present in the crit headers list; JOSE does not enforce that a tan header be defined, however. For OB 3.x compliance, add the tan claim to the policy's configuration page's IN Message Options under "Private Header."
Support ticket: SUPPORT-20530
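The two header rules above (typ, when present, must be "JOSE"; tan, when present, must carry the expected value and be listed in crit), together with the tan fallback value `openbanking.org.uk` described for the 2019.0.1 release, as one added Python example that is not Akana's code. It decodes the protected header of a compact JWS and reports violations without touching the signature. The full tan header name `http://openbanking.org.uk/tan` is assumed to follow the pattern of the iss header cited on this page, and the sample JWS is constructed with placeholder payload and signature segments.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# Assumed header name, following the pattern of "http://openbanking.org.uk/iss".
TAN_HEADER = "http://openbanking.org.uk/tan"
# Static fallback value named in the 2019.0.1 note.
DEFAULT_TAN = "openbanking.org.uk"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def protected_header(jws_compact: str) -> Dict[str, Any]:
    """Return the decoded protected header (first segment) of a compact JWS."""
    return json.loads(b64url_decode(jws_compact.split(".")[0]))


def check_ob_header(header: Dict[str, Any], configured_tan: Optional[str] = None) -> List[str]:
    """Apply the header rules described in the notes and return the violations
    found (an empty list means the header passed)."""
    problems: List[str] = []
    crit = header.get("crit", [])
    if not isinstance(crit, list):
        problems.append("crit must be an array of header names")
        crit = []
    # typ is optional; when present its value must be exactly "JOSE".
    if "typ" in header and header["typ"] != "JOSE":
        problems.append(f'typ must be "JOSE", got {header["typ"]!r}')
    # tan is optional; when present it must carry the configured value (or the
    # static default) and must be declared critical.
    if TAN_HEADER in header:
        expected = configured_tan or DEFAULT_TAN
        if header[TAN_HEADER] != expected:
            problems.append(f"tan header is {header[TAN_HEADER]!r}, expected {expected!r}")
        if TAN_HEADER not in crit:
            problems.append("tan header is present but not listed in crit")
    return problems


def check_jws(jws_compact: str, configured_tan: Optional[str] = None) -> List[str]:
    return check_ob_header(protected_header(jws_compact), configured_tan)


def make_sample_jws(header: Dict[str, Any]) -> str:
    """Build a constructed compact JWS with the given header. The payload and
    signature segments are placeholders: this sample is for header checks only
    and does not carry a verifiable signature."""
    payload = b64url_encode(json.dumps({"sample": True}).encode())
    return f"{b64url_encode(json.dumps(header).encode())}.{payload}.placeholder-signature"


# Constructed header that satisfies every rule; "PS256" is just a sample alg value.
GOOD_HEADER = {"alg": "PS256", "typ": "JOSE", TAN_HEADER: DEFAULT_TAN, "crit": [TAN_HEADER]}

if __name__ == "__main__":
    print(check_jws(make_sample_jws(GOOD_HEADER)))                        # []
    print(check_jws(make_sample_jws({"alg": "PS256", "typ": "JWT"})))     # one typ violation
```

Header checks like these run before signature verification only to reject obviously malformed messages early; they never replace verifying the signature, and a message whose header passes is still untrusted until the signature is checked against the retrieved certificate.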
A JOSE policy using the JWKS URL option can now retrieve the certificate to verify the iss header from the JWKS rather than requiring the x5c claim to be in the JWS header. When retrieving the certificate, this order is followed:
Support ticket: SUPPORT-20510
When using the Test Client to retrieve an OAuth token, the authentication methods now include either a Private Key JWT or Client Secret JWT.
Support ticket: No related support tickets.
Per the Swagger specification, operations should always contain a response description. In a scenario where an API operation was defined as In Only, errors were generated because the responses property was missing. Now, if the response is not defined, the platform adds a default response.
Support ticket: SUP-18908
A new parameter modifier context_path_safe can be used with context parameters such as catalog_asset.group.name to transform the resolved parameter value as follows:
For example, the parameter expression {catalog_asset.group.name.context_path_safe} would transform the group name "Nuestra Compañía #1" to "nuestracompania1".
Support ticket: SUPPORT-10766
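A reconstruction of the context_path_safe transformation in Python, added here as an example and not Akana's implementation: the rule (decompose accented characters, drop everything that is not an ASCII letter or digit, lowercase the result) is inferred from the single example on this page, so treat it as an assumption. The `resolve` helper, which expands `{parameter.modifier}` references against a context dictionary, is likewise a hypothetical stand-in for the platform's own expression resolver.

```python
import re
import unicodedata
from typing import Callable, Dict


def context_path_safe(value: str) -> str:
    """Assumed reconstruction of the context_path_safe modifier, inferred from
    the example in the notes: decompose accented characters, drop everything
    that is not an ASCII letter or digit, and lowercase."""
    decomposed = unicodedata.normalize("NFKD", value)
    # Encoding to ASCII with errors="ignore" discards the combining accent marks
    # left behind by the decomposition (and any other non-ASCII characters).
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^A-Za-z0-9]", "", ascii_only).lower()


# Modifier name -> transformation. Only the modifier named on the page is defined.
MODIFIERS: Dict[str, Callable[[str], str]] = {"context_path_safe": context_path_safe}

EXPRESSION = re.compile(r"\{([^{}]+)\}")


def resolve(expression: str, context: Dict[str, str]) -> str:
    """Expand every {parameter[.modifier]} reference in `expression` from
    `context`, applying a trailing modifier when one is recognised
    (hypothetical resolver, not the platform's)."""

    def expand(match):
        ref = match.group(1)
        base, _, last = ref.rpartition(".")
        if last in MODIFIERS and base in context:
            return MODIFIERS[last](context[base])
        if ref in context:
            return context[ref]
        raise KeyError(f"unknown context parameter: {ref}")

    return EXPRESSION.sub(expand, expression)


if __name__ == "__main__":
    # Constructed context; the parameter name is the one used in the notes.
    ctx = {"catalog_asset.group.name": "Nuestra Compañía #1"}
    print(resolve("{catalog_asset.group.name.context_path_safe}", ctx))  # nuestracompania1
```

The practical value of a modifier like this is that the resolved value can be placed in a URL path or file name without a second round of escaping; the point to verify in a real deployment is that the output is also safe for wherever the recipe actually puts it.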
Requires Akana Platform version: 2018.0.1
A JWT bearer token can now be signed with either an app's shared secret or a Private Key. A Business Admin can configure the JWT Bearer access token in the developer portal's Admin section under Domains > Add Domains > External OAuth Provider's "Access Token Validation" screen.
Then, in APP OAuth Profile, either a JWT client secret or Private Key can be selected.
Support ticket: SUPPORT-5775
Memory consumption of script policies has been reduced for improved performance. This resulted in the removal of some unused properties in the Admin Console under the configuration com.soa.script.repository and the addition of a new property:
New Property | Description |
---|---|
compiled.script.pool.maxScriptsPerLanguage | Maximum number of compiled scripts that can be held in memory for a script language |
Removed Property | Description |
---|---|
compiled.script.pool.maxTotalPerLanguage | Maximum number of compiled script engines that can be held in memory for a script language |
compiled.script.pool.minIdlePerLanguage | Minimum number of compiled script engines, unused but available for future compiled script evaluation |
compiled.script.pool.maxIdlePerLanguage | Maximum number of compiled script engines, unused but available for future compiled script evaluation |
Support ticket: No related support tickets.
The Jetty NCSA access log now includes the request processing time by default. This setting is configured in the Admin Console under the Configuration tab. Select the com.soa.platform.jetty category, then the ncsa.access.log.logLatency property. The default value of true includes the request processing time; false omits it from the log.
Support ticket: No related support tickets.
Requires Akana Platform version: 2018.0.0
A new property VersionName has been added to the APIVersionInfo object model so that an API version can be assigned at API creation. If this property is not set, the API is created with the default "v1" version.
Support ticket: No related support tickets.
The use of these APIs with a Business Admin user is deprecated with this release:
PUT HTTP Method
/api/businesses/tenantbusiness.atmosphere/alertsettings
/api/businesses/tenantbusiness.atmosphere/apisettings
/api/businesses/tenantbusiness.atmosphere/appsettings
/api/businesses/tenantbusiness.atmosphere/challenges
/api/businesses/tenantbusiness.atmosphere/commentsettings
/api/businesses/tenantbusiness.atmosphere/connectionsettings
/api/businesses/tenantbusiness.atmosphere/discussionsettings
/api/businesses/tenantbusiness.atmosphere/groupsettings
/api/businesses/tenantbusiness.atmosphere/loginpolicy
/api/businesses/tenantbusiness.atmosphere/passwordpolicy
/api/businesses/tenantbusiness.atmosphere/reviewsettings
/api/businesses/tenantbusiness.atmosphere/securitysettings
/api/businesses/tenantbusiness.atmosphere/ticketsettings
/api/businesses/tenantbusiness.atmosphere/usersettings
/api/businesses/tenantbusiness.atmosphere/twofasettings