Akana API Platform Release Notes 2019.0

Swagger generation validation errors for older schemas

Schemas using an older version of the Swagger standard (Draft03) were causing validation errors during Swagger generation.

Support ticket: SUPPORT-28378

Mongo data usage stats were being reported incorrectly after upgrade

When upgrading to 2019.0.x, Mongo usage stats were being recorded as the size of the zipped file, rather than the unzipped size.

Support ticket: No related support tickets.

Exporting app transaction logs was working incorrectly

App transaction logs were not exporting properly. Now export works as expected.

Support ticket: No related support tickets.

SOAP services with multiple bindings did not retrieve all operations

SOAP services with multiple bindings were retrieving only the operation for the last binding in the WSDL. Now, all operations are retrieved, and compatibility with Akana Intermediary for Microsoft®has been verified.

Support ticket: SUPPORT-22246

Users could access some information outside their own organization

In some cases, users without the necessary privileges could view data of other users in Policy Manager's Configure tab. Now, a "Permission Denied" notice is displayed for these users, and the Configuration Schemas, Interfaces, and Binding tabs are not available, except to System Administrators.

Support ticket: SUPPORT-25824

Automation scripts support for 2-way SSL authentication

Automation scripts have improved support for Secure Socket Layer (SSL) mutual authentication.

Support ticket: No related support tickets.

Updating an OIDC Relying Party domain was not saving correctly

When updating domains of type OpenID Connect Relying Party in the Developer Portal, the updated values were not always saved.

Support ticket: SUPPORT-24622

Creating an API with a Swagger zip file fails after upgrading to 2019.0.2

Bundled schema files in a Swagger zip file were not being handled correctly at upload, resulting in a failure to import documents when creating an API.

Support ticket: SUPPORT-26673

Chart analytics reflected data from a single API only

When all APIs were selected, the App data reflected in the analytics chart (My Apps > app > Analytics > Charts) included data for only a single API, rather than all contracted APIs.

Support ticket: SUPPORT-23414

Improvements in parameter schema handling

The platform has enhanced schema parameter processing for improved Swagger 2.0 support in the API Designer.

Support ticket: No related support tickets.

“Limit forward proxy” feature expanded to validate hosts for Test Client OAuth requests

The platform’s Limit forward proxy security feature (Settings > Site) has been enhanced to include validation of hosts for Test Client OAuth requests against the specified white list of trusted hosts. This feature already validates for file upload and for Test Client messages.

Support ticket: SUPPORT-24997

Export Usage Data performance improvements

Performance improvements have been made to the Export Usage Data process to prevent out of memory errors, specifically when using MongoDB for usage data.

Support ticket: SUPPORT-10644

JOSE Policy v2: Some alert codes missing from database

Some JOSE policy alert codes were missing from the database, causing alerts to be incorrectly logged as unknown. Now, all alert codes related to JOSE are included.

Support ticket: SUPPORT-26100

JSON Web Keys values could be blank before key expiration

JWKS keys could be blank before expiration. JWKS keys are now kept until they expire, and new keys are added when the old keys expire or become deprecated.

Support ticket: SUPPORT-25388

Usage logs now available based on number of days rather than number of records

API and app logs can now be exported for a maximum of 45 days, rather than the previous limit based on the number of records, which was 10,000.

Support ticket: SUPPORT-26085

HTTP Message Validation Policy: regular expressions could not work as expected

Regular expressions used in the HTTP Message Validation Policy could fail to report a match.

Support ticket: SUPPORT-25548

New startup environment variable supports Java options

The script startup.sh now takes a new environment variable AKANA_OPTS as an argument, which can be used to configure the container JVM. For example, it can be used to configure AppDynamics, other agents, Java Management Extensions (JMX), Garbage Collector (GC) options, or to add JVM system properties.

Support ticket: SUPPORT-10961

JOSE Policy v2 for Open Banking 3.1 tan header now validates using policy configuration

A JOSE Policy v2 configured for OB 3.1 now validates the tan header using the value configured in the policy, if one exists. If no value for the tan header is provided in the policy configuration, then the header is validated using the static domain value openbanking.org.uk.

Support ticket: SUPPORT-23407

Additional support for OAuth client validation to address XSS vulnerabilities

Analysis of the code base and subsequent improvements to remove XSS (Cross-site Scripting) vulnerabilities is ongoing. This release includes extra XSS validations for the OAuthClient API.

Support ticket: SUPPORT-23094

HTTP Message Validation Policy not validating header value in all cases

The HTTP Message Validation policy now validates the header value using minLength, maxLength, and pattern requirements, even if the header value is empty.

Support ticket: SUPPORT-23138

Two-factor authentication (2FA) now accepts only pre-defined fields

The 2FA task payload no longer accepts parameters that are not pre-defined when a client requests a new authentication token. If parameters other than verificationCode and Action are provided, the request is refused and generates an error. In addition, for a generate action, the verificationCode parameter is no longer accepted.

Support ticket: SUPPORT-21386, SUPPORT-22790, SUPPORT-21391

Default access permissions for Site and Business Admins changed to limit access to other Admins' data

A Site or Business Admin can no longer view and/or edit another Admin's notifications, or change the email address of another Site Admin or Business Admin.

Support ticket: SUPPORT-21389

Error when updating a bundle with an automation recipe

When using an automation recipe to update a bundle, the update failed with an error.

Support ticket: SUPPORT-23184

A tenant's Site Admin could edit global workflows

Site Admins were able to access areas of the application for which they were not authorized.

Support ticket: No related support tickets.

Add API now includes the ability to specify implementation and one or more deployment zones

When creating an API, previously the API was automatically created with a Live implementation and deployed to all available deployment zones. Now, on the Add API page in the Advanced Options section, the user can specify the implementation (Live or Sandbox). Check boxes for all valid deployment zones for the specified implementation are displayed, and the user can then choose one or more deployment zones.

Support ticket: SUPPORT-5811, SUPPORT-1131, SUPPORT-1148, SUPPORT-3051, SUP-18426

Multiple service auditing policies may now be applied to a single service

Multiple auditing policies can now be attached to a single service or API, allowing more fine-grained control over auditing configuration. For example, basic auditing can be captured during normal operation, and detailed auditing on failure, helping to reduce the amount of detailed logging.

Support ticket: SUP-19050, SUP-19051, SUPPORT-3672, SUPPORT-3673, SUPPORT-25682, SUP-18965, SUPPORT-3588

HTTP Message Validation Policy: new options controlling headers

Two new options are available for HTTP Message Validation policies:

• Allow all headers: When checked (the default), all headers defined in the schema for the calling operation are allowed. When unchecked, two sub-options "Headers not allowed" and "Strip unallowed headers" allow you to enter which headers to disallow and/or to remove disallowed headers from the call.
  For example, if the admin had unchecked "Allow all headers" and then had added header 1 under "Headers not allowed," header 1 would either be stripped from the call (if "Strip unallowed headers" was checked), or the call would fail (if "Strip unallowed headers" was unchecked).
• Headers excluded from validation: When no headers are specified, all headers are validated. Any identified headers are excluded from validation.
  For example, a user could pass in headers 1, 2, and 3, of which 1 and 2 are defined in the API call's definition, so 1 and 2 would therefore be validated. However, if the admin had added header 1 to the list of headers under "Headers excluded from validation," that specific header would not be validated.

Support ticket: SUPPORT-23016

QoS Policies now displayed at the API organization level on the API Access page

The list of Quality of Service policies displayed on the API Access page now shows policies associated with the API's organization as well as any parent organization policies, if the organization is a sub-organization. Previously, policies at the tenant level were displayed.

Support ticket: SUPPORT-5792

The job to migrate OAuth grants and tokens to MongoDB has been optimized

The job "Migrate OAuth Data to MongoDB" (available from the Akana Administrative Console > Configuration > Actions tab) has been optimized for better performance.

Support ticket: SUPPORT-22457

New automation options for analyzing recipes and retrieving container information

Two new utility functions are provided to help in recipe creation:

• Analyze a recipe
  The akana.recipe module has a new --analyze option which analyzes a recipe and generates a synopsis of the recipe hierarchy, along with all properties used by the recipe and its imports.
• Create a recipe based on a container's configuration
  The akana.recipe module has a new --extract option, which extracts the current configuration of a running instance into a single recipe.

Support ticket: SUPPORT-1103

The JRE shipped with the product now uses OpenJDK

The JRE shipped with Akana has been upgraded to the latest OpenJDK 8 release. Clients using an external JRE need to revert any changes that added Bouncy Castle to the $JAVA_HOME/jre/lib/security/java.security file. For example, remove this line (if it exists): security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider.

Support ticket: SUPPORT-21199, SUPPORT-20953, SUPPORT-10756, SUPPORT-17327

Lifecycle Coordinator: Runtime Configuration applied at each API update

When an API is updated, the Runtime Configuration is now reapplied.

Support ticket: No related support tickets.

Rhino JavaScript updated to latest version

The Rhino JavaScript engine has been updated to the latest version, 1.7.10.

Support ticket: SUPPORT-21390

Writing usage data using the REST usage writer could fail

When the REST usage API reported a non-recoverable write error, the batch writer queues were not being purged, resulting in failure. Now the queues are cleared on fatal writer error.

Support ticket: No related support tickets.

Auditing Service Policy can now exclude header visibility from monitoring data

A new configuration option has been added to the auditing policy to allow the exclusion of certain headers from monitoring data. This is available on the Detailed Auditing Policy page under Audit Binding > Transport Headers > Audit Transport > Headers to Exclude.

Support ticket: SUPPORT-23104

OAuth Provider: Incorrect grant types used for Global Setting authentication method

When Global Settings were selected as an app's OAuth Profile authentication method, the app was using predetermined values that might not have matched those that had been selected in the domain configuration. Now, domain configuration-supported Grant Types will be used when the OAuth Profile Authentication method is set to Global Setting.

Support ticket: SUPPORT-24778

Updates to Auditing Message Policy documentation

The documentation for the Auditing Message Policy was clarified to specify that when defining an expression in a policy, users should use XPath for XML content, JSONPath for JSON content, and a Regular Expression for other content types.

Support ticket: SUPPORT-22401

External OAuth domain names with special characters or spaces were not supported

Any external OAuth domains created with a name that included spaces or special characters would return a blank page when users tried to modify them. Now, domain names with special characters or spaces are supported.

Support ticket: No related support tickets.

New Elasticsearch configuration properties controlling timeouts

In the Akana Administration Console, two new properties that control Elasticsearch connection timeouts have been added, under com.akana.es.client.security:

Support ticket: SUP-18936, SUPPORT-3559

New configuration option for HTTP Client to better control authentication

In the Akana Administration Console, a new configuration option has been added to the HTTP client via com.soa.http.client.core: http.client.params.handleAuthentication. When true (the default), NTLM credentials are authenticated by Akana. When false, authentication is forwarded to the API client.

Support ticket: SUPPORT-1145, SUPPORT-21801

The licensereport API is now unavailable to unauthenticated users

The licensereport API in the Community Manager now allows access only to users with Monitor permissions. This is similar to other analytics APIs such as getMetrics and UsageLogs.

Support ticket: SUPPORT-23093

Removal of legacy Windows service scripts

Deprecated Windows files RegisterContainerService.bat and UnRegisterContainerService.bat have been removed from the installer. These were no longer supported and were the legacy files for RegisterContainerServiceYAJWS.bat and UnRegisterContainerServiceYAJWS.bat, which remain in the install.

Support ticket: SUPPORT-20933

Support for adding additional JOSE Policy v2 claim headers

In the Test Client, additional claim headers can now be added to a JOSE Policy v2, using the new "Claim Headers" section in the Test Client JOSE Policy popup dialog.

Support ticket: No related support tickets.

Lifecycle Coordinator Runtime Configuration: topologies can now define API visibility

For Runtime Configurations, the classifier apiVisibility used to determine the visibility of an API can now be set within the topology definition.

Support ticket: No related support tickets.

New custom workflow function to limit apps to a single environment for API access

By default, an app version can request a contract with any available API in any available environment. Now, using custom workflow, the Site Admin can limit apps so that when an app has one contract in a specific environment (Sandbox or Live), it cannot have a contract, either with the same API or with another API, in the other environment. With this custom functionality in place, one app version cannot have contracts in both environments.

This option is not part of the default contract workflow, but is available with custom workflow using the custom function verifyAppAccessLimitedToOnlySandboxOrLiveAPIs.

Support ticket: SUPPORT-2442, SUP-17816

Automation recipe for creating a standalone OAuth container

A new recipe has been added to support the automated creation of a standalone OAuth container. The new recipe is oauth-all.json, located in the <installation>/recipes folder.

Support ticket: No related support tickets.